From: Pavel Belous <Pavel.Belous@aquantia.com>
To: "dev@dpdk.org" <dev@dpdk.org>
Cc: Ferruh Yigit <ferruh.yigit@intel.com>,
Akhil Goyal <akhil.goyal@nxp.com>,
John McNamara <john.mcnamara@intel.com>,
Declan Doherty <declan.doherty@intel.com>,
Konstantin Ananyev <konstantin.ananyev@intel.com>,
Thomas Monjalon <thomas@monjalon.net>,
Igor Russkikh <Igor.Russkikh@aquantia.com>,
Fenilkumar Patel <fenpatel@cisco.com>,
Hitesh K Maisheri <hmaisher@cisco.com>,
Pavel Belous <Pavel.Belous@aquantia.com>,
Pavel Belous <Pavel.Belous@aquantia.com>
Subject: [dpdk-dev] [RFC v2 1/7] security: MACSEC infrastructure data declarations
Date: Fri, 25 Oct 2019 17:53:52 +0000 [thread overview]
Message-ID: <23d01b87ab0b6628fab4480c731930bf82eec91d.1571928488.git.Pavel.Belous@aquantia.com> (raw)
In-Reply-To: <cover.1571928488.git.Pavel.Belous@aquantia.com>
From: Pavel Belous <Pavel.Belous@aquantia.com>
This patch extends rte_security framework to support MACSEC operations.
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: Pavel Belous <pavel.belous@aquantia.com>
---
lib/librte_security/rte_security.h | 143 +++++++++++++++++++++++++++++++++++--
1 file changed, 138 insertions(+), 5 deletions(-)
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index aaafdfc..201319f 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -29,6 +29,7 @@ extern "C" {
#include <rte_mbuf.h>
#include <rte_memory.h>
#include <rte_mempool.h>
+#include <rte_ether.h>
/** IPSec protocol mode */
enum rte_security_ipsec_sa_mode {
@@ -215,11 +216,109 @@ struct rte_security_ipsec_xform {
};
/**
+ * MACSEC global configuration parameters
+ *
+ */
+struct rte_security_macsec_param {
+ uint8_t enabled;
+ uint32_t ingress_pn_threshold;
+ uint32_t egress_pn_threshold;
+ uint8_t interrupts_enabled;
+ /**< List of bypassed ethertypes */
+ uint32_t ctl_ether_types[8];
+};
+
+/**
+ * MACSEC SC (Secure Connection) parameters
+ *
+ */
+struct rte_security_macsec_txsc_param {
+ struct rte_ether_addr s_mac;
+ /**< local side mac address */
+ struct rte_ether_addr d_mac;
+ /**< remote side mac address */
+ uint64_t sci;
+ uint32_t tci;
+ uint32_t sa_num;
+ uint8_t encrypt;
+ uint8_t protect;
+ uint8_t key_len;
+ uint8_t auto_rollover_enabled;
+
+ uint32_t index;
+ uint32_t curr_an;
+};
+
+struct rte_security_macsec_rxsc_param {
+ struct rte_ether_addr s_mac;
+ struct rte_ether_addr d_mac;
+ uint64_t sci;
+ uint32_t tci;
+ uint32_t sa_num;
+ /**< remote side mac address */
+ uint8_t replay_protection;
+ /**< replay protection */
+ uint32_t anti_replay_window;
+ /**< anti replay window */
+ uint16_t port_ident;
+ /**< remote side port identifier */
+ uint8_t auto_rollover_enabled;
+ uint8_t validate_frames;
+
+ uint32_t index;
+};
+
+struct rte_security_macsec_sa_param {
+ uint8_t sa_idx;
+ uint8_t an;
+ uint32_t packet_number;
+ uint8_t key_len;
+ uint8_t key[32];
+};
+
+struct rte_security_macsec_capabilities {
+ /** Extended Packet Numbers (XPN)
+ *
+ * * 1: Extended (64 bit) packet numbers supported
+ * * 0: Extended (64 bit) packet numbers not supported
+ */
+ uint32_t xpn : 1;
+};
+
+/**
+ * Available operations over MACSEC instance
+ */
+enum rte_security_macsec_op {
+ RTE_SECURITY_MACSEC_OP_CONFIG = 0,
+
+ RTE_SECURITY_MACSEC_OP_ADD_TXSC,
+ RTE_SECURITY_MACSEC_OP_DEL_TXSC,
+ RTE_SECURITY_MACSEC_OP_UPD_TXSC,
+
+ RTE_SECURITY_MACSEC_OP_ADD_RXSC,
+ RTE_SECURITY_MACSEC_OP_DEL_RXSC,
+ RTE_SECURITY_MACSEC_OP_UPD_RXSC,
+
+ RTE_SECURITY_MACSEC_OP_ADD_TXSA,
+ RTE_SECURITY_MACSEC_OP_DEL_TXSA,
+ RTE_SECURITY_MACSEC_OP_UPD_TXSA,
+
+ RTE_SECURITY_MACSEC_OP_ADD_RXSA,
+ RTE_SECURITY_MACSEC_OP_DEL_RXSA,
+ RTE_SECURITY_MACSEC_OP_UPD_RXSA,
+};
+
+/**
* MACsec security session configuration
*/
struct rte_security_macsec_xform {
- /** To be Filled */
- int dummy;
+ enum rte_security_macsec_op op;
+ union {
+ struct rte_security_macsec_param config_options;
+ struct rte_security_macsec_txsc_param txsc_options;
+ struct rte_security_macsec_rxsc_param rxsc_options;
+ struct rte_security_macsec_sa_param sa_options;
+ };
};
/**
@@ -495,7 +594,42 @@ rte_security_attach_session(struct rte_crypto_op *op,
}
struct rte_security_macsec_stats {
- uint64_t reserved;
+ /* Ingress Counters */
+ uint64_t in_ctl_pkts;
+ uint64_t in_tagged_miss_pkts;
+ uint64_t in_untagged_miss_pkts;
+ uint64_t in_notag_pkts;
+ uint64_t in_untagged_pkts;
+ uint64_t in_bad_tag_pkts;
+ uint64_t in_no_sci_pkts;
+ uint64_t in_unknown_sci_pkts;
+
+ /* Egress Counters */
+ uint64_t out_ctl_pkts;
+ uint64_t out_unknown_sa_pkts;
+ uint64_t out_untagged_pkts;
+ uint64_t out_too_long;
+
+ /* Ingress SA Counters */
+ uint64_t in_untagged_hit_pkts;
+ uint64_t in_not_using_sa;
+ uint64_t in_unused_sa;
+ uint64_t in_not_valid_pkts;
+ uint64_t in_invalid_pkts;
+ uint64_t in_ok_pkts;
+ uint64_t in_unchecked_pkts;
+ uint64_t in_validated_octets;
+ uint64_t in_decrypted_octets;
+ /* Egress SC Counters */
+ uint64_t out_sc_protected_pkts;
+ uint64_t out_sc_encrypted_pkts;
+ uint64_t out_sc_protected_octets;
+ uint64_t out_sc_encrypted_octets;
+ /* Egress SA Counters */
+ uint64_t out_sa_hit_drop_redirect;
+ uint64_t out_sa_protected2_pkts;
+ uint64_t out_sa_protected_pkts;
+ uint64_t out_sa_encrypted_pkts;
};
struct rte_security_ipsec_stats {
@@ -566,8 +700,7 @@ struct rte_security_capability {
} ipsec;
/**< IPsec capability */
struct {
- /* To be Filled */
- int dummy;
+ struct rte_security_macsec_capabilities caps;
} macsec;
/**< MACsec capability */
struct {
--
2.7.4
next prev parent reply other threads:[~2019-10-25 17:54 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 17:53 [dpdk-dev] [RFC v2 0/7] RFC: Support MACSEC offload in the RTE_SECURITY infrastructure Pavel Belous
2019-10-25 17:53 ` Pavel Belous [this message]
2019-10-25 17:53 ` [dpdk-dev] [RFC v2 2/7] security: Update rte_security documentation Pavel Belous
2019-10-25 17:53 ` [dpdk-dev] [RFC v2 3/7] net/atlantic: Add helper functions for PHY access Pavel Belous
2019-10-25 17:54 ` [dpdk-dev] [RFC v2 4/7] net/atlantic: add MACSEC internal HW data declaration and functions Pavel Belous
2019-10-25 17:54 ` [dpdk-dev] [RFC v2 5/7] net/atlantic: implementation of the MACSEC using rte_security interface Pavel Belous
2019-10-25 17:54 ` [dpdk-dev] [RFC v2 6/7] app/testpmd: macsec on/off commands " Pavel Belous
2019-10-25 19:01 ` Stephen Hemminger
2019-10-25 19:02 ` Stephen Hemminger
2019-10-25 17:54 ` [dpdk-dev] [RFC v2 7/7] app/testpmd: macsec adding RX/TX SC " Pavel Belous
2020-01-27 11:25 ` [dpdk-dev] [RFC v2 0/7] RFC: Support MACSEC offload in the RTE_SECURITY infrastructure Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=23d01b87ab0b6628fab4480c731930bf82eec91d.1571928488.git.Pavel.Belous@aquantia.com \
--to=pavel.belous@aquantia.com \
--cc=Igor.Russkikh@aquantia.com \
--cc=akhil.goyal@nxp.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=fenpatel@cisco.com \
--cc=ferruh.yigit@intel.com \
--cc=hmaisher@cisco.com \
--cc=john.mcnamara@intel.com \
--cc=konstantin.ananyev@intel.com \
--cc=thomas@monjalon.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).