1 /* SPDX-License-Identifier: GPL-2.0+ */
3 * MACsec netdev header, used for h/w accelerated implementations.
5 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
10 #include <linux/u64_stats_sync.h>
11 #include <uapi/linux/if_link.h>
12 #include <uapi/linux/if_macsec.h>
/* Packet-number widths, presumably in bytes: 4 for the default 32-bit PN
 * and 8 for the extended (XPN) 64-bit PN -- confirm against the users of
 * these macros.
 */
14 #define MACSEC_DEFAULT_PN_LEN 4
15 #define MACSEC_XPN_PN_LEN 8
/* Sizes the sa[] arrays in struct macsec_rx_sc and struct macsec_tx_sc, so
 * any association number used as an index must be < MACSEC_NUM_AN.
 */
17 #define MACSEC_NUM_AN 4 /* 2 bits for the association number */
/* __bitwise makes these distinct types for sparse, so an SCI or SSCI cannot
 * be mixed with plain integers without an explicit cast. The byte order is
 * not stated in the lines visible here -- presumably network order; confirm.
 */
19 typedef u64 __bitwise sci_t;
20 typedef u32 __bitwise ssci_t;
/* NOTE(review): the enclosing type is not visible in this listing;
 * presumably this is the raw-byte view of the XPN salt -- confirm.
 */
27 u8 bytes[MACSEC_SALT_LEN];
/* The layout that follows depends on bitfield endianness. The #error makes
 * the build fail instead of guessing a layout when neither macro is
 * defined (the branch bodies are not visible in this listing).
 */
32 #if defined(__LITTLE_ENDIAN_BITFIELD)
35 #elif defined(__BIG_ENDIAN_BITFIELD)
39 #error "Please fix <asm/byteorder.h>"
46 * struct macsec_key - SA key
47 * @id: user-provided key identifier
48 * @tfm: crypto struct, key storage
49 * @salt: salt used to generate IV in XPN cipher suites
/* @id is supplied by user space; it identifies the key and is not key
 * material itself.
 */
52 u8 id[MACSEC_KEYID_LEN];
/* Per the kerneldoc above, the AEAD transform is where the installed key is
 * stored; no raw key array is visible in this struct's lines.
 * NOTE(review): the SA teardown path should release this tfm so the key
 * does not outlive the association -- confirm.
 */
53 struct crypto_aead *tfm;
/* Receive counters kept per secure channel, all 64-bit in the lines visible
 * here (some members are missing from this listing). The names appear to
 * mirror the IEEE 802.1AE counters -- confirm. InPktsUnchecked and
 * InPktsNotUsingSA are presumably the ones to watch for frames that were
 * not successfully validated -- confirm exact semantics.
 */
57 struct macsec_rx_sc_stats {
58 __u64 InOctetsValidated;
59 __u64 InOctetsDecrypted;
60 __u64 InPktsUnchecked;
66 __u64 InPktsNotUsingSA;
/* Receive counters kept per secure association. InPktsNotUsingSA is __u32
 * here but __u64 in struct macsec_rx_sc_stats, so this counter can wrap far
 * sooner; widen before summing per-SA values into a per-SC total.
 */
70 struct macsec_rx_sa_stats {
74 __u32 InPktsNotUsingSA;
/* Transmit counters kept per secure association. Both fields are __u32,
 * unlike the __u64 fields of the same names in struct macsec_tx_sc_stats,
 * so they can wrap on a long-lived SA.
 */
78 struct macsec_tx_sa_stats {
79 __u32 OutPktsProtected;
80 __u32 OutPktsEncrypted;
/* Transmit counters kept per secure channel (64-bit). Protected and
 * Encrypted are counted separately; presumably "protected" means
 * integrity-only frames and "encrypted" means frames that were also
 * enciphered -- confirm.
 */
83 struct macsec_tx_sc_stats {
84 __u64 OutPktsProtected;
85 __u64 OutPktsEncrypted;
86 __u64 OutOctetsProtected;
87 __u64 OutOctetsEncrypted;
/* Device-wide counters (some members are missing from this listing).
 * NOTE(review): OutPktsUntagged and InPktsUnknownSCI presumably count
 * traffic that bypassed MACsec protection or matched no configured receive
 * SC, which makes them useful signals when monitoring a link -- confirm.
 */
90 struct macsec_dev_stats {
91 __u64 OutPktsUntagged;
96 __u64 InPktsUnknownSCI;
102 * struct macsec_rx_sa - receive secure association
104 * @next_pn: packet number expected for the next packet
105 * @lock: protects next_pn manipulations
106 * @key: key structure
107 * @ssci: short secure channel identifier
108 * @stats: per-SA stats
/* NOTE(review): next_pn is what a replay check would compare against, so it
 * should be updated only under @lock. When the SA is offloaded, hardware
 * presumably tracks the live packet number and this field may lag --
 * confirm before relying on it.
 */
110 struct macsec_rx_sa {
/* Embedded by value, so the key state lives and dies with this SA. */
111 struct macsec_key key;
/* Per-CPU counters; the fields of struct macsec_rx_sa_stats are 32-bit. */
120 struct macsec_rx_sa_stats __percpu *stats;
/* Pointer to a receive SC, presumably the one owning this SA -- confirm.
 * It carries no __rcu annotation here, unlike the sa[] pointers in struct
 * macsec_rx_sc.
 */
121 struct macsec_rx_sc *sc;
/* Receive-SC counters paired with a u64_stats_sync. struct macsec_rx_sc
 * holds this type through a __percpu pointer. The syncp member presumably
 * lets readers take a consistent snapshot of the 64-bit counters on 32-bit
 * machines -- confirm at the update and read sites.
 */
125 struct pcpu_rx_sc_stats {
126 struct macsec_rx_sc_stats stats;
127 struct u64_stats_sync syncp;
/* Transmit-SC counters paired with a u64_stats_sync. struct macsec_tx_sc
 * holds this type through a __percpu pointer. The syncp member presumably
 * lets readers take a consistent snapshot of the 64-bit counters on 32-bit
 * machines -- confirm at the update and read sites.
 */
130 struct pcpu_tx_sc_stats {
131 struct macsec_tx_sc_stats stats;
132 struct u64_stats_sync syncp;
136 * struct macsec_rx_sc - receive secure channel
137 * @sci: secure channel identifier for this SC
138 * @active: channel is active
139 * @sa: array of secure associations
140 * @stats: per-SC stats
142 struct macsec_rx_sc {
/* Next SC in an RCU-protected singly linked list; the list head is the
 * rx_sc member of struct macsec_secy.
 */
143 struct macsec_rx_sc __rcu *next;
/* One slot per association number. The pointers are __rcu, so readers must
 * use the RCU dereference helpers and tolerate an empty slot. The index
 * must be < MACSEC_NUM_AN; presumably it comes from the AN of a received
 * frame -- confirm that it is masked or range-checked before indexing.
 */
146 struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
147 struct pcpu_rx_sc_stats __percpu *stats;
/* Presumably used to defer freeing this SC until RCU readers have finished
 * with it -- confirm at the free site.
 */
149 struct rcu_head rcu_head;
153 * struct macsec_tx_sa - transmit secure association
155 * @next_pn: packet number to use for the next packet
156 * @lock: protects next_pn manipulations
157 * @key: key structure
158 * @ssci: short secure channel identifier
159 * @stats: per-SA stats
/* In MACsec the packet number feeds the per-frame AEAD IV, so a packet
 * number must never be sent twice under the same key. That is why next_pn
 * is only manipulated under @lock. See macsec_pn_wrapped() at the end of
 * this header for the exhaustion case.
 */
161 struct macsec_tx_sa {
/* Embedded by value, so the key state lives and dies with this SA. */
162 struct macsec_key key;
/* Per-CPU counters; the fields of struct macsec_tx_sa_stats are 32-bit. */
171 struct macsec_tx_sa_stats __percpu *stats;
176 * struct macsec_tx_sc - transmit secure channel
178 * @encoding_sa: association number of the SA currently in use
179 * @encrypt: encrypt packets on transmit, or authenticate only
180 * @send_sci: always include the SCI in the SecTAG
182 * @scb: single copy broadcast flag
183 * @sa: array of secure associations
184 * @stats: stats for this TXSC
/* Per the kerneldoc above, @encrypt selects between encrypting and
 * authenticating only; in the latter mode the payload is presumably sent
 * in the clear with integrity protection -- confirm. @encoding_sa is used
 * as an index into sa[] and must therefore be < MACSEC_NUM_AN.
 */
186 struct macsec_tx_sc {
/* One slot per association number. The pointers are __rcu, so readers must
 * use the RCU dereference helpers and tolerate an empty slot.
 */
193 struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
194 struct pcpu_tx_sc_stats __percpu *stats;
198 * struct macsec_secy - MACsec Security Entity
199 * @netdev: netdevice for this SecY
200 * @n_rx_sc: number of receive secure channels configured on this SecY
201 * @sci: secure channel identifier used for tx
202 * @key_len: length of keys used by the cipher suite
203 * @icv_len: length of ICV used by the cipher suite
204 * @validate_frames: validation mode
205 * @xpn: enable XPN for this SecY
206 * @operational: MAC_Operational flag
207 * @protect_frames: enable protection for this SecY
208 * @replay_protect: enable packet number checks on receive
209 * @replay_window: size of the replay window
210 * @tx_sc: transmit secure channel
211 * @rx_sc: linked list of receive secure channels
/* NOTE(review): @validate_frames, @protect_frames, @replay_protect and
 * @replay_window are the policy knobs of this SecY. An offloading driver
 * presumably has to mirror each of them into hardware, otherwise the
 * device would enforce a weaker policy than the one configured -- confirm
 * per driver. @key_len, not the size of any key buffer, gives the number
 * of valid key bytes for the cipher suite.
 */
214 struct net_device *netdev;
215 unsigned int n_rx_sc;
219 enum macsec_validation_type validate_frames;
/* The single transmit SC is embedded by value. */
225 struct macsec_tx_sc tx_sc;
/* Head of the RCU-protected list chained through macsec_rx_sc.next. */
226 struct macsec_rx_sc __rcu *rx_sc;
230 * struct macsec_context - MACsec context for hardware offloading
/* Argument bundle passed to every callback in struct macsec_ops. Which
 * members are valid for which callback is not stated in the lines visible
 * here -- confirm before reading a member in a driver.
 */
232 struct macsec_context {
/* Target device. Presumably only one of netdev / phydev applies, selected
 * by @offload -- confirm.
 */
234 struct net_device *netdev;
235 struct phy_device *phydev;
237 enum macsec_offload offload;
239 struct macsec_secy *secy;
240 struct macsec_rx_sc *rx_sc;
/* Association number of the SA being operated on; presumably
 * < MACSEC_NUM_AN -- a driver using it as an index should verify that.
 */
242 unsigned char assoc_num;
/* Raw SA key bytes handed to the offload driver. The buffer is sized for
 * the largest supported key; presumably only the first secy->key_len bytes
 * are meaningful -- confirm.
 * NOTE(review): a driver should program the key into hardware and not keep
 * a copy in long-lived driver state or print it. Whoever fills this
 * context should wipe the buffer (e.g. with memzero_explicit()) once the
 * callback has returned -- confirm that the caller does so.
 */
243 u8 key[MACSEC_MAX_KEY_LEN];
245 struct macsec_rx_sa *rx_sa;
246 struct macsec_tx_sa *tx_sa;
/* Buffers for the mdo_get_*_stats callbacks, presumably filled in by the
 * driver -- confirm. These are plain pointers, not the per-CPU wrappers
 * used by the software data path.
 */
250 struct macsec_tx_sc_stats *tx_sc_stats;
251 struct macsec_tx_sa_stats *tx_sa_stats;
252 struct macsec_rx_sc_stats *rx_sc_stats;
253 struct macsec_rx_sa_stats *rx_sa_stats;
254 struct macsec_dev_stats *dev_stats;
261 * struct macsec_ops - MACsec offloading operations
/* Every callback takes the same struct macsec_context and returns int;
 * presumably 0 on success and a negative errno on failure -- confirm.
 * NOTE(review): a failed add/upd callback should leave the hardware in its
 * previous state, so that software and device never disagree about which
 * keys and policy are installed -- confirm per driver.
 */
/* Device open/stop */
265 int (*mdo_dev_open)(struct macsec_context *ctx);
266 int (*mdo_dev_stop)(struct macsec_context *ctx);
/* SecY */
268 int (*mdo_add_secy)(struct macsec_context *ctx);
269 int (*mdo_upd_secy)(struct macsec_context *ctx);
270 int (*mdo_del_secy)(struct macsec_context *ctx);
271 /* Security channels */
272 int (*mdo_add_rxsc)(struct macsec_context *ctx);
273 int (*mdo_upd_rxsc)(struct macsec_context *ctx);
274 int (*mdo_del_rxsc)(struct macsec_context *ctx);
275 /* Security associations */
/* The add_*sa callbacks are presumably the ones that receive raw key bytes
 * in ctx->key; the del_*sa callbacks should remove that key from the
 * device -- confirm.
 */
276 int (*mdo_add_rxsa)(struct macsec_context *ctx);
277 int (*mdo_upd_rxsa)(struct macsec_context *ctx);
278 int (*mdo_del_rxsa)(struct macsec_context *ctx);
279 int (*mdo_add_txsa)(struct macsec_context *ctx);
280 int (*mdo_upd_txsa)(struct macsec_context *ctx);
281 int (*mdo_del_txsa)(struct macsec_context *ctx);
/* Statistics; results presumably go to the *_stats pointers in the
 * context -- confirm.
 */
283 int (*mdo_get_dev_stats)(struct macsec_context *ctx);
284 int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
285 int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
286 int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
287 int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
/* Declared here without a body. Presumably called when the packet number
 * of @tx_sa has been exhausted, so that the SA stops being used for
 * transmit instead of reusing a packet number under the same key --
 * confirm against the definition.
 * NOTE(review): a driver whose hardware owns the packet-number counter
 * would need to call this on a hardware wrap event, otherwise the software
 * state never learns that the SA is spent -- confirm per driver.
 */
290 void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
292 #endif /* _NET_MACSEC_H_ */