From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1178AA00C4; Wed, 28 Sep 2022 20:24:44 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 95AE642802; Wed, 28 Sep 2022 20:24:37 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 506B8427F5 for ; Wed, 28 Sep 2022 20:24:36 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 28SFPZU3029114; Wed, 28 Sep 2022 11:24:34 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=DWm8wJwUdfKTRP8edZm2iXUNha2GetF91wfHGSFVnRM=; b=A8cOSVc9BjE8g/h7Ev+1/liko+GExSzWD96L0ssb0UUdFpaXhF6BrbsOoGeAGjKgNlLa Wix6UobhXMT7qr3SS/Z2NMTYBoK8u886InKqvAH753KuaWwY0kA7n/8MLOdaVqkKdU9o CnSB5Fx0aUX/UPB1gzxW9+fz+NHwEgsYh5Vdf1DQ2gf3ZMlskN7cxVEot5i+DljXYwTp pAwXgQmNvV9I5OQIL3FYbExeQdyeNmrFX6/XR+3sGvdsssiZUgkqPCHo/JIjnCpPu955 hacdlP6nyedj276nXOciFWmV7bsMxfYbjj2IXdmqaABmBlSN8h5R8fj1DqyViLdw49yS WQ== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3jvrvjgu56-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 28 Sep 2022 11:24:34 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 28 Sep 2022 11:24:32 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Wed, 28 Sep 2022 11:24:32 -0700 Received: from localhost.localdomain (unknown [10.28.36.102]) by maili.marvell.com (Postfix) with ESMTP id 1E44F3F70FE; Wed, 28 Sep 2022 11:24:27 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , , , , , , , Akhil Goyal Subject: [PATCH v3 3/3] security: support MACsec Date: Wed, 28 Sep 2022 23:54:10 +0530 Message-ID: <20220928182410.309053-4-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220928182410.309053-1-gakhil@marvell.com> References: <20220928122253.23108-1-gakhil@marvell.com> <20220928182410.309053-1-gakhil@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: nqxhUMDWNb9U9wHcqdm1d2d_Ect8PiW2 X-Proofpoint-ORIG-GUID: nqxhUMDWNb9U9wHcqdm1d2d_Ect8PiW2 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1 definitions=2022-09-28_07,2022-09-28_01,2022-06-22_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Added support for MACsec in rte_security for offloading MACsec Protocol operation to inline NIC device or a crypto device. To support MACsec we cannot just make one security session and send with the packet to process it. MACsec specifications suggest, it has 3 different entities - SECY Entity, SC (secure channel) and SA (security association). And same SA can be used by multiple SCs and similarly many SECY can have same SCs. Hence, in order to support this many to one relationships between all entities, 2 new APIs are created - rte_security_macsec_sc_create and rte_security_macsec_sa_create. Flow of execution of the APIs would be as - rte_security_macsec_sa_create - rte_security_macsec_sc_create - rte_security_session_create (for secy) And in case of inline protocol processing rte_flow can be created with rte_security action. A new flow item will be added for MACsec header. New APIs are also created for getting SC and SA stats. Signed-off-by: Akhil Goyal --- doc/guides/prog_guide/rte_security.rst | 107 ++++++- doc/guides/rel_notes/deprecation.rst | 5 - doc/guides/rel_notes/release_22_11.rst | 10 + lib/security/rte_security.c | 86 ++++++ lib/security/rte_security.h | 370 ++++++++++++++++++++++++- lib/security/rte_security_driver.h | 86 ++++++ lib/security/version.map | 6 + 7 files changed, 652 insertions(+), 18 deletions(-) diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index 277169a335..f6c4a49983 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -347,6 +347,55 @@ The CRC is Ethernet CRC-32 as specified in Ethernet/[ISO/IEC 8802-3]. * Other DOCSIS protocol functionality such as Header Checksum (HCS) calculation may be added in the future. +MACSEC Protocol +~~~~~~~~~~~~~~~ + +Media Access Control security (MACsec) provides point-to-point security on Ethernet +links and is defined by IEEE standard 802.1AE. MACsec secures an Ethernet link for +almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), +Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), +Address Resolution Protocol (ARP), and other protocols that are not typically secured +on an Ethernet link because of limitations with other security solutions. + +.. code-block:: c + + Receive Transmit + ------- -------- + + Ethernet frame Ethernet frame + from network towards network + | ^ + ~ | + | ~ + V | + +-----------------------+ +------------------+ +-------------------------+ + | Secure frame verify | | Cipher Suite(SA) | | Secure Frame Generation | + +-----------------------+<-----+------------------+----->+-------------------------+ + | SecTAG + ICV remove | | SECY | SC | | SecTAG + ICV Added | + +---+-------------------+ +------------------+ +-------------------------+ + | ^ + | | + V | + Packet to Core/App Packet from core/App + + + +To configure MACsec on an inline NIC device or a lookaside crypto device, a security +association (SA) and a secure channel (SC) are created before creating rte_security +session. + +SA is created using API ``rte_security_macsec_sa_create`` which allows setting +SA keys, salt, SSCI, packet number (PN) into the PMD and the API returns a handle +which can be used to map it with a secure channel using the API +``rte_security_macsec_sc_create``. Same SAs can be used for multiple SCs. +The Rx SC will need a set of 4 SAs for each of the association numbers (AN). +For Tx SC a single SA is set which will be used by hardware to process the packet. + +The API ``rte_security_macsec_sc_create`` returns a handle for SC and this handle +is set in ``rte_security_macsec_xform`` to create a MACsec session using +``rte_security_session_create``. + + Device Features and Capabilities --------------------------------- @@ -519,6 +568,35 @@ protocol. RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() }; +Below is the example PMD capability for MACsec + +.. code-block:: c + + static const struct rte_security_capability pmd_security_capabilities[] = { + { + .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, + .protocol = RTE_SECURITY_PROTOCOL_MACSEC, + .macsec = { + .mtu = 1500, + .alg = RTE_SECURITY_MACSEC_ALG_GCM_128, + .max_nb_sc = 64, + .max_nb_sa = 128, + .max_nb_sess = 64, + .replay_win_sz = 4096, + .relative_sectag_insert = 1, + .fixed_sectag_insert = 1, + .icv_include_da_sa = 1, + .ctrl_port_enable = 1, + .preserve_sectag = 1, + .preserve_icv = 1, + .validate_frames = 1, + .re_key = 1, + .anti_replay = 1, + }, + .crypto_capabilities = NULL, + }, + }; + Capabilities Discovery ~~~~~~~~~~~~~~~~~~~~~~ @@ -658,6 +736,8 @@ which will be updated in the future. IPsec related configuration parameters are defined in ``rte_security_ipsec_xform`` +MACsec related configuration parameters are defined in ``rte_security_macsec_xform`` + PDCP related configuration parameters are defined in ``rte_security_pdcp_xform`` DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform`` @@ -679,7 +759,7 @@ The ingress/egress flow attribute should match that specified in the security session if the security session supports the definition of the direction. Multiple flows can be configured to use the same security session. For -example if the security session specifies an egress IPsec SA, then multiple +example if the security session specifies an egress IPsec/MACsec SA, then multiple flows can be specified to that SA. In the case of an ingress IPsec SA then it is only valid to have a single flow to map to that security session. @@ -689,8 +769,8 @@ it is only valid to have a single flow to map to that security session. | +--------|--------+ | Add/Remove | - | IPsec SA | <------ Build security flow action of - | | | ipsec transform + | IPsec/MACsec SA | <------ Build security flow action of + | | | IPsec/MACsec transform |--------|--------| | +--------V--------+ @@ -709,9 +789,9 @@ it is only valid to have a single flow to map to that security session. | | +--------|--------+ -* Add/Delete SA flow: +* Add/Delete IPsec SA flow: To add a new inline SA construct a rte_flow_item for Ethernet + IP + ESP - using the SA selectors and the ``rte_crypto_ipsec_xform`` as the ``rte_flow_action``. + using the SA selectors and the ``rte_security_ipsec_xform`` as the ``rte_flow_action``. Note that any rte_flow_items may be empty, which means it is not checked. .. code-block:: console @@ -726,6 +806,23 @@ it is only valid to have a single flow to map to that security session. | Eth | -> ... -> | ESP | -> | END | +-------+ +--------+ +-----+ +* Add/Delete MACsec SA flow: + To add a new inline SA construct a rte_flow_item for Ethernet + SecTAG + using the SA selectors and the ``rte_security_macsec_xform`` as the ``rte_flow_action``. + Note that any rte_flow_items may be empty, which means it is not checked. + +.. code-block:: console + + In its most basic form, MACsec flow specification is as follows: + +-------+ +----------+ +-----+ + | Eth | -> | SecTag | -> | END | + +-------+ +----------+ +-----+ + + However, the API can represent, MACsec offload with any encapsulation: + +-------+ +--------+ +-----+ + | Eth | -> ... -> | SecTag | -> | END | + +-------+ +--------+ +-----+ + Telemetry support ----------------- diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index e83bc648fc..3915644501 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -151,11 +151,6 @@ Deprecation Notices pointer for the private data to the application which can be attached to the packet while enqueuing. -* security: MACsec support is planned to be added in DPDK 22.11, - which would result in updates to structures ``rte_security_macsec_xform``, - ``rte_security_macsec_stats`` and security capability structure - ``rte_security_capability`` to accommodate MACsec capabilities. - * eventdev: The function ``rte_event_crypto_adapter_queue_pair_add`` will accept configuration of type ``rte_event_crypto_adapter_queue_conf`` instead of ``rte_event``, similar to ``rte_event_eth_rx_adapter_queue_add`` signature. diff --git a/doc/guides/rel_notes/release_22_11.rst b/doc/guides/rel_notes/release_22_11.rst index 510485017d..c106ec2b18 100644 --- a/doc/guides/rel_notes/release_22_11.rst +++ b/doc/guides/rel_notes/release_22_11.rst @@ -72,6 +72,11 @@ New Features * Added AES-CCM support in lookaside protocol (IPsec) for CN9K & CN10K. * Added AES & DES DOCSIS algorithm support in lookaside crypto for CN9K. +* **Added support for MACsec in rte_security.** + + * Added MACsec transform for rte_security session and added new APIs to configure + security associations (SA) and secure channels (SC). + * **Added eventdev adapter instance get API.** * Added ``rte_event_eth_rx_adapter_instance_get`` to get Rx adapter @@ -209,6 +214,11 @@ API Changes * ethdev: Promoted ``rte_flow_pick_transfer_proxy()`` from experimental to stable. +* security: MACsec support is added which resulted in updates to + structures ``rte_security_macsec_xform``, ``rte_security_macsec_stats`` + and security capability structure ``rte_security_capability`` to + accommodate MACsec capabilities. + * telemetry: The allowed characters in names for dictionary values are now limited to alphanumeric characters and a small subset of additional printable characters. diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index 22d6269d93..f94ed9ca43 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -124,6 +124,92 @@ rte_security_session_destroy(struct rte_security_ctx *instance, return 0; } +int +rte_security_macsec_sc_create(struct rte_security_ctx *instance, + struct rte_security_macsec_sc *conf) +{ + int sc_id; + + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_create, -EINVAL, -ENOTSUP); + RTE_PTR_OR_ERR_RET(conf, -EINVAL); + + sc_id = instance->ops->macsec_sc_create(instance->device, conf); + if (sc_id >= 0) + instance->macsec_sc_cnt++; + + return sc_id; +} + +int +rte_security_macsec_sa_create(struct rte_security_ctx *instance, + struct rte_security_macsec_sa *conf) +{ + int sa_id; + + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_create, -EINVAL, -ENOTSUP); + RTE_PTR_OR_ERR_RET(conf, -EINVAL); + + sa_id = instance->ops->macsec_sa_create(instance->device, conf); + if (sa_id >= 0) + instance->macsec_sa_cnt++; + + return sa_id; +} + +int +rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id) +{ + int ret; + + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP); + + ret = instance->ops->macsec_sc_destroy(instance->device, sc_id); + if (ret != 0) + return ret; + + if (instance->macsec_sc_cnt) + instance->macsec_sc_cnt--; + + return 0; +} + +int +rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id) +{ + int ret; + + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP); + + ret = instance->ops->macsec_sa_destroy(instance->device, sa_id); + if (ret != 0) + return ret; + + if (instance->macsec_sa_cnt) + instance->macsec_sa_cnt--; + + return 0; +} + +int +rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id, + struct rte_security_macsec_sc_stats *stats) +{ + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP); + RTE_PTR_OR_ERR_RET(stats, -EINVAL); + + return instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats); +} + +int +rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id, + struct rte_security_macsec_sa_stats *stats) +{ + RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP); + RTE_PTR_OR_ERR_RET(stats, -EINVAL); + + return instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats); +} + int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, struct rte_security_session *sess, diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 3e8cd29082..74fe3ef5d7 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -73,6 +73,10 @@ struct rte_security_ctx { /**< Pointer to security ops for the device */ uint16_t sess_cnt; /**< Number of sessions attached to this context */ + uint16_t macsec_sc_cnt; + /**< Number of MACsec SC attached to this context */ + uint16_t macsec_sa_cnt; + /**< Number of MACsec SA attached to this context */ uint32_t flags; /**< Flags for security context */ }; @@ -351,12 +355,166 @@ struct rte_security_ipsec_xform { /**< UDP parameters, ignored when udp_encap option not specified */ }; +/** + * MACSec packet flow direction + */ +enum rte_security_macsec_direction { + /** Generate SecTag and encrypt/authenticate */ + RTE_SECURITY_MACSEC_DIR_TX, + /** Remove SecTag and decrypt/verify */ + RTE_SECURITY_MACSEC_DIR_RX, +}; + +/** Maximum number of association numbers for a secure channel. */ +#define RTE_SECURITY_MACSEC_NUM_AN 4 +/** Salt length for MACsec SA. */ +#define RTE_SECURITY_MACSEC_SALT_LEN 12 + +/** + * MACsec secure association(SA) configuration structure. + */ +struct rte_security_macsec_sa { + /** Direction of SA */ + enum rte_security_macsec_direction dir; + /** MACsec SA key for AES-GCM 128/256 */ + struct { + const uint8_t *data; /**< pointer to key data */ + uint16_t length; /**< key length in bytes */ + } key; + /** 96-bit value distributed by key agreement protocol */ + uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN]; + /** Association number to be used */ + uint8_t an : 2; + /** Short Secure Channel Identifier, to be used for XPN cases */ + uint32_t ssci; + /** Extended packet number */ + uint32_t xpn; + /** Packet number expected/ to be used for next packet of this SA */ + uint32_t next_pn; +}; + +/** + * MACsec Secure Channel configuration parameters. + */ +struct rte_security_macsec_sc { + /** Direction of SC */ + enum rte_security_macsec_direction dir; + union { + struct { + /** SAs for each association number */ + uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN]; + /** flag to denote which all SAs are in use for each association number */ + uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN]; + /** Channel is active */ + uint8_t active : 1; + /** Reserved bitfields for future */ + uint8_t reserved : 7; + } sc_rx; + struct { + uint16_t sa_id; /**< SA id to be used for encryption */ + uint16_t sa_id_rekey; /**< Rekeying SA id to be used for encryption */ + uint64_t sci; /**< SCI value to be used if send_sci is set */ + uint8_t active : 1; /**< Channel is active */ + uint8_t re_key_en : 1; /**< Enable Rekeying */ + /** Reserved bitfields for future */ + uint8_t reserved : 6; + } sc_tx; + }; +}; + +/** + * MACsec Supported Algorithm list as per IEEE Std 802.1AE + */ +enum rte_security_macsec_alg { + RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */ + RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */ + RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */ + RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */ +}; + +/** Disable Validation of MACsec frame */ +#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0 +/** Validate MACsec frame but do not discard invalid frame */ +#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1 +/** Validate MACsec frame and discart invalid frame */ +#define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2 +/** Do not perform any MACsec operation */ +#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3 + /** * MACsec security session configuration */ struct rte_security_macsec_xform { - /** To be Filled */ - int dummy; + /** Direction of flow/secure channel */ + enum rte_security_macsec_direction dir; + /** MACsec algorithm to be used */ + enum rte_security_macsec_alg alg; + /** cipher offset from start of ethernet header */ + uint8_t cipher_off; + /** + * SCI to be used for RX flow identification or + * to set SCI in packet for TX when send_sci is set + */ + uint64_t sci; + /** Receive/transmit secure channel id created by *rte_security_macsec_sc_create* */ + uint16_t sc_id; + union { + struct { + /** MTU for transmit frame (Valid for inline processing) */ + uint16_t mtu; + /** + * Offset to insert sectag from start of ethernet header or + * from a matching VLAN tag + */ + uint8_t sectag_off; + /** Enable MACsec protection of frames */ + uint16_t protect_frames : 1; + /** + * Sectag insertion mode + * If 1, Sectag is inserted at fixed sectag_off set above. + * If 0, Sectag is inserted at relative sectag_off from a matching + * VLAN tag set. + */ + uint16_t sectag_insert_mode : 1; + /** ICV includes source and destination MAC addresses */ + uint16_t icv_include_da_sa : 1; + /** Control port is enabled */ + uint16_t ctrl_port_enable : 1; + /** Version of MACsec header. Should be 0 */ + uint16_t sectag_version : 1; + /** Enable end station. SCI is not valid */ + uint16_t end_station : 1; + /** Send SCI along with sectag */ + uint16_t send_sci : 1; + /** enable secure channel support EPON - single copy broadcast */ + uint16_t scb : 1; + /** + * Enable packet encryption and set RTE_MACSEC_TCI_C and + * RTE_MACSEC_TCI_E in sectag + */ + uint16_t encrypt : 1; + /** Reserved bitfields for future */ + uint16_t reserved : 7; + } tx_secy; + struct { + /** Replay Window size to be supported */ + uint32_t replay_win_sz; + /** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */ + uint16_t validate_frames : 2; + /** ICV includes source and destination MAC addresses */ + uint16_t icv_include_da_sa : 1; + /** Control port is enabled */ + uint16_t ctrl_port_enable : 1; + /** Do not strip SecTAG after processing */ + uint16_t preserve_sectag : 1; + /** Do not strip ICV from the packet after processing */ + uint16_t preserve_icv : 1; + /** Enable anti-replay protection */ + uint16_t replay_protect : 1; + /** Reserved bitfields for future */ + uint16_t reserved : 9; + } rx_secy; + }; }; /** @@ -510,7 +668,7 @@ struct rte_security_session_conf { }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; - /**< Security Session Crypto Transformations */ + /**< Security Session Crypto Transformations. NULL in case of MACsec */ void *userdata; /**< Application specific userdata to be saved with session */ }; @@ -585,6 +743,80 @@ int rte_security_session_destroy(struct rte_security_ctx *instance, struct rte_security_session *sess); +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Create MACsec security channel(SC) + * + * @param instance security instance + * @param conf MACsec SC configuration params + * @return + * - secure channel id if successful + * - -EINVAL if configuration params are invalid of instance is NULL. + * - -ENOTSUP if device does not support MACsec. + * - -ENOMEM if PMD is not capable to create more SC. + * - other negative value for other errors. + */ +__rte_experimental +int +rte_security_macsec_sc_create(struct rte_security_ctx *instance, + struct rte_security_macsec_sc *conf); + +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Destroy MACsec security channel(SC) + * + * @param instance security instance + * @param sc_id SC id to be destroyed + * @return + * - 0 if successful + * - -EINVAL if sc_id is invalid or instance is NULL. + * - -EBUSY if sc is being used by some session. + */ +__rte_experimental +int +rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id); + +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Create MACsec security association(SA) + * + * @param instance security instance + * @param conf MACsec SA configuration params + * @return + * - positive SA id if successful + * - -EINVAL if configuration params are invalid of instance is NULL. + * - -ENOTSUP if device does not support MACsec. + * - -ENOMEM if PMD is not capable to create more SAs. + * - other negative value for other errors. + */ +__rte_experimental +int +rte_security_macsec_sa_create(struct rte_security_ctx *instance, + struct rte_security_macsec_sa *conf); + +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Destroy MACsec security association(SA) + * + * @param instance security instance + * @param sa_id SA id to be destroyed + * @return + * - 0 if successful + * - -EINVAL if sa_id is invalid or instance is NULL. + * - -EBUSY if sa is being used by some session. + */ +__rte_experimental +int +rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id); + /** Device-specific metadata field type */ typedef uint64_t rte_security_dynfield_t; /** Dynamic mbuf field for device-specific metadata */ @@ -710,8 +942,62 @@ rte_security_attach_session(struct rte_crypto_op *op, return __rte_security_attach_session(op->sym, sess); } -struct rte_security_macsec_stats { - uint64_t reserved; +struct rte_security_macsec_secy_stats { + uint64_t ctl_pkt_bcast_cnt; + uint64_t ctl_pkt_mcast_cnt; + uint64_t ctl_pkt_ucast_cnt; + uint64_t ctl_octet_cnt; + uint64_t unctl_pkt_bcast_cnt; + uint64_t unctl_pkt_mcast_cnt; + uint64_t unctl_pkt_ucast_cnt; + uint64_t unctl_octet_cnt; + /* Valid only for RX */ + uint64_t octet_decrypted_cnt; + uint64_t octet_validated_cnt; + uint64_t pkt_port_disabled_cnt; + uint64_t pkt_badtag_cnt; + uint64_t pkt_nosa_cnt; + uint64_t pkt_nosaerror_cnt; + uint64_t pkt_tagged_ctl_cnt; + uint64_t pkt_untaged_cnt; + uint64_t pkt_ctl_cnt; + uint64_t pkt_notag_cnt; + /* Valid only for TX */ + uint64_t octet_encrypted_cnt; + uint64_t octet_protected_cnt; + uint64_t pkt_noactivesa_cnt; + uint64_t pkt_toolong_cnt; + uint64_t pkt_untagged_cnt; +}; + +struct rte_security_macsec_sc_stats { + /* RX */ + uint64_t hit_cnt; + uint64_t pkt_invalid_cnt; + uint64_t pkt_late_cnt; + uint64_t pkt_notvalid_cnt; + uint64_t pkt_unchecked_cnt; + uint64_t pkt_delay_cnt; + uint64_t pkt_ok_cnt; + uint64_t octet_decrypt_cnt; + uint64_t octet_validate_cnt; + /* TX */ + uint64_t pkt_encrypt_cnt; + uint64_t pkt_protected_cnt; + uint64_t octet_encrypt_cnt; + uint64_t octet_protected_cnt; +}; + +struct rte_security_macsec_sa_stats { + /* RX */ + uint64_t pkt_invalid_cnt; + uint64_t pkt_nosaerror_cnt; + uint64_t pkt_notvalid_cnt; + uint64_t pkt_ok_cnt; + uint64_t pkt_nosa_cnt; + /* TX */ + uint64_t pkt_encrypt_cnt; + uint64_t pkt_protected_cnt; }; struct rte_security_ipsec_stats { @@ -739,7 +1025,7 @@ struct rte_security_stats { RTE_STD_C11 union { - struct rte_security_macsec_stats macsec; + struct rte_security_macsec_secy_stats macsec; struct rte_security_ipsec_stats ipsec; struct rte_security_pdcp_stats pdcp; struct rte_security_docsis_stats docsis; @@ -765,6 +1051,44 @@ rte_security_session_stats_get(struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_stats *stats); +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Get MACsec SA statistics + * + * @param instance security instance + * @param sa_id SA id for which stats are needed + * @param stats statistics + * @return + * - On success, return 0 + * - On failure, a negative value + */ +__rte_experimental +int +rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, + uint16_t sa_id, + struct rte_security_macsec_sa_stats *stats); + +/** + * @warning + * @b EXPERIMENTAL: this API may change without prior notice + * + * Get MACsec SC statistics + * + * @param instance security instance + * @param sc_id SC id for which stats are needed + * @param stats SC statistics + * @return + * - On success, return 0 + * - On failure, a negative value + */ +__rte_experimental +int +rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, + uint16_t sc_id, + struct rte_security_macsec_sc_stats *stats); + /** * Security capability definition */ @@ -791,8 +1115,38 @@ struct rte_security_capability { } ipsec; /**< IPsec capability */ struct { - /* To be Filled */ - int dummy; + /** MTU supported for inline TX */ + uint16_t mtu; + /** MACsec algorithm to be used */ + enum rte_security_macsec_alg alg; + /** Maximum number of secure channels supported. */ + uint16_t max_nb_sc; + /** Maximum number of SAs supported. */ + uint16_t max_nb_sa; + /** Maximum number of SAs supported. */ + uint16_t max_nb_sess; + /** MACsec Anti Replay Window Size. */ + uint32_t replay_win_sz; + /** Support Sectag insertion at relative offset. */ + uint16_t relative_sectag_insert : 1; + /** Support Sectag insertion at fixed offset. */ + uint16_t fixed_sectag_insert : 1; + /** ICV includes source and destination MAC addresses */ + uint16_t icv_include_da_sa : 1; + /** Control port traffic is supported */ + uint16_t ctrl_port_enable : 1; + /** Do not strip SecTAG after processing */ + uint16_t preserve_sectag : 1; + /** Do not strip ICV from the packet after processing */ + uint16_t preserve_icv : 1; + /** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */ + uint16_t validate_frames : 1; + /** support re-keying on SA expiry */ + uint16_t re_key : 1; + /** support Anti replay */ + uint16_t anti_replay : 1; + /** Reserved bitfields for future capabilities */ + uint16_t reserved : 7; } macsec; /**< MACsec capability */ struct { diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h index 0063a66524..1da286dad4 100644 --- a/lib/security/rte_security_driver.h +++ b/lib/security/rte_security_driver.h @@ -63,6 +63,50 @@ typedef int (*security_session_update_t)(void *device, struct rte_security_session *sess, struct rte_security_session_conf *conf); +/** + * Configure a MACsec secure channel(SC) on a device. + * + * @param device Crypto/eth device pointer + * @param conf MACsec SC configuration params + * + * @return + * - positive sc_id if SC is created successfully. + * - -EINVAL if input parameters are invalid. + * - -ENOTSUP if device does not support MACsec. + * - -ENOMEM if the SC cannot be created. + */ +typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_macsec_sc *conf); + +/** + * Free MACsec secure channel(SC). + * + * @param device Crypto/eth device pointer + * @param sc_id MACsec SC id + */ +typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id); + +/** + * Configure a MACsec security Association(SA) on a device. + * + * @param device Crypto/eth device pointer + * @param conf MACsec SA configuration params + * + * @return + * - positive sa_id if SA is created successfully. + * - -EINVAL if input parameters are invalid. + * - -ENOTSUP if device does not support MACsec. + * - -ENOMEM if the SA cannot be created. + */ +typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_macsec_sa *conf); + +/** + * Free MACsec security association(SA). + * + * @param device Crypto/eth device pointer + * @param sa_id MACsec SA id + */ +typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id); + /** * Get the size of a security session * @@ -89,6 +133,36 @@ typedef int (*security_session_stats_get_t)(void *device, struct rte_security_session *sess, struct rte_security_stats *stats); +/** + * Get MACsec secure channel stats from the PMD. + * + * @param device Crypto/eth device pointer + * @param sc_id secure channel id created by rte_security_macsec_sc_create() + * @param stats SC stats of the driver + * + * @return + * - 0 if success. + * - -EINVAL if sc_id or device is invalid. + */ +typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id, + struct rte_security_macsec_sc_stats *stats); + +/** + * Get MACsec SA stats from the PMD. + * + * @param device Crypto/eth device pointer + * @param sa_id secure channel id created by rte_security_macsec_sc_create() + * @param stats SC stats of the driver + * + * @return + * - 0 if success. + * - -EINVAL if sa_id or device is invalid. + */ +typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id, + struct rte_security_macsec_sa_stats *stats); + + + __rte_internal int rte_security_dynfield_register(void); @@ -136,6 +210,18 @@ struct rte_security_ops { /**< Update mbuf metadata. */ security_capabilities_get_t capabilities_get; /**< Get security capabilities. */ + security_macsec_sc_create_t macsec_sc_create; + /**< Configure a MACsec security channel(SC). */ + security_macsec_sc_destroy_t macsec_sc_destroy; + /**< Free a MACsec security channel(SC). */ + security_macsec_sa_create_t macsec_sa_create; + /**< Configure a MACsec security association(SA). */ + security_macsec_sa_destroy_t macsec_sa_destroy; + /**< Free a MACsec security association(SA). */ + security_macsec_sc_stats_get_t macsec_sc_stats_get; + /**< Get MACsec SC statistics. */ + security_macsec_sa_stats_get_t macsec_sa_stats_get; + /**< Get MACsec SA statistics. */ }; #ifdef __cplusplus diff --git a/lib/security/version.map b/lib/security/version.map index 85ca7921e7..07dcce9ffb 100644 --- a/lib/security/version.map +++ b/lib/security/version.map @@ -15,6 +15,12 @@ EXPERIMENTAL { __rte_security_set_pkt_metadata; rte_security_dynfield_offset; + rte_security_macsec_sa_create; + rte_security_macsec_sa_destroy; + rte_security_macsec_sa_stats_get; + rte_security_macsec_sc_create; + rte_security_macsec_sc_destroy; + rte_security_macsec_sc_stats_get; rte_security_session_stats_get; rte_security_session_update; }; -- 2.25.1