[PATCH 0/3] security: support MACsec

[PATCH 0/3] security: support MACsec

[Akhil Goyal]

Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it can have 3 different entities - SECY Entity, SC(secure channel) and
SA(security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create(for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action similar to IPsec flows except that the flow item
will be MACsec instead of IPsec.

A new flow item is added for MACsec header and a set of events are added
to specify the errors occurred during inline protocol processing.

New APIs are also created for getting SC and SA stats.



Akhil Goyal (3):
  net: add MACsec header
  security: support MACsec
  ethdev: add MACsec flow item

 doc/api/doxy-api-index.md              |   3 +-
 doc/guides/prog_guide/rte_security.rst | 107 +++++++-
 lib/ethdev/rte_ethdev.h                |  55 ++++
 lib/ethdev/rte_flow.h                  |  18 ++
 lib/net/meson.build                    |   1 +
 lib/net/rte_macsec.h                   |  56 ++++
 lib/security/rte_security.c            |  86 ++++++
 lib/security/rte_security.h            | 362 ++++++++++++++++++++++++-
 lib/security/rte_security_driver.h     |  86 ++++++
 lib/security/version.map               |   6 +
 10 files changed, 766 insertions(+), 14 deletions(-)
 create mode 100644 lib/net/rte_macsec.h

-- 
2.25.1

[PATCH 1/3] net: add MACsec header

[Akhil Goyal]

Added MACsec protocol header to be used for supporting
MACsec protocol offload in hardware or directly in the application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/api/doxy-api-index.md |  3 ++-
 lib/net/meson.build       |  1 +
 lib/net/rte_macsec.h      | 56 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 lib/net/rte_macsec.h

diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md
index 186a258be4..99e49340d3 100644
--- a/doc/api/doxy-api-index.md
+++ b/doc/api/doxy-api-index.md
@@ -126,7 +126,8 @@ The public API headers are grouped by topics:
   [Geneve](@ref rte_geneve.h),
   [eCPRI](@ref rte_ecpri.h),
   [L2TPv2](@ref rte_l2tpv2.h),
-  [PPP](@ref rte_ppp.h)
+  [PPP](@ref rte_ppp.h),
+  [MACsec](@ref rte_macsec.h)
 
 - **QoS**:
   [metering](@ref rte_meter.h),
diff --git a/lib/net/meson.build b/lib/net/meson.build
index e899846578..3e63abaca8 100644
--- a/lib/net/meson.build
+++ b/lib/net/meson.build
@@ -21,6 +21,7 @@ headers = files(
         'rte_geneve.h',
         'rte_l2tpv2.h',
         'rte_ppp.h',
+        'rte_macsec.h',
 )
 
 sources = files(
diff --git a/lib/net/rte_macsec.h b/lib/net/rte_macsec.h
new file mode 100644
index 0000000000..f1b59253f6
--- /dev/null
+++ b/lib/net/rte_macsec.h
@@ -0,0 +1,56 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _RTE_MACSEC_H_
+#define _RTE_MACSEC_H_
+
+/**
+ * @file
+ *
+ * MACsec-related defines
+ */
+
+#include <rte_byteorder.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/* SecTAG length = macsec ether header without the optional SCI */
+#define RTE_MACSEC_TAG_LEN 6
+#define RTE_MACSEC_SCI_LEN 8
+
+#define RTE_MACSEC_TCI_VERSION	0x80 /**< Version mask for MACsec. Should be 0. */
+#define RTE_MACSEC_TCI_ES	0x40 /**< End station - SCI is not valid */
+#define RTE_MACSEC_TCI_SC	0x20 /**< SCI present */
+#define RTE_MACSEC_TCI_SCB	0x10 /**< Secure channel support EPON single copy broadcast */
+#define RTE_MACSEC_TCI_E	0x08 /**< User data is encrypted */
+#define RTE_MACSEC_TCI_C	0x04 /**< User data was changed (because of encryption) */
+#define RTE_MACSEC_AN_MASK	0x03 /**< Association number mask in tci_an */
+#define RTE_MACSEC_NUM_AN	4    /**< 2 bits for the association number */
+#define RTE_MACSEC_SALT_LEN	12   /**< Salt length for MACsec SA */
+
+/**
+ * MACsec Header
+ */
+struct rte_macsec_hdr {
+	/* SecTAG */
+	uint8_t  tci_an;	/**< Tag control information and Association number of SC */
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+	uint8_t short_length : 6; /**< Short Length */
+	uint8_t unused : 2;
+#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN
+	uint8_t unused : 2;
+	uint8_t short_length : 6;
+#endif
+	rte_be32_t packet_number; /**< Packet number to support replay protection */
+	uint8_t secure_channel_id[8]; /* optional */
+} __rte_packed;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* RTE_MACSEC_H_ */
-- 
2.25.1

[PATCH 2/3] security: support MACsec

[Akhil Goyal]

Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it has 3 different entities - SECY Entity, SC(secure channel) and
SA(security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_macsec_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create(for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action. A new flow item will be added for MACsec header.
New APIs are also created for getting SC and SA stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 107 +++++++-
 lib/security/rte_security.c            |  86 ++++++
 lib/security/rte_security.h            | 362 ++++++++++++++++++++++++-
 lib/security/rte_security_driver.h     |  86 ++++++
 lib/security/version.map               |   6 +
 5 files changed, 634 insertions(+), 13 deletions(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 72ca0bd330..1af4d60c75 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -345,6 +345,55 @@ The CRC is Ethernet CRC-32 as specified in Ethernet/[ISO/IEC 8802-3].
     * Other DOCSIS protocol functionality such as Header Checksum (HCS)
       calculation may be added in the future.
 
+MACSEC Protocol
+~~~~~~~~~~~~~~~
+
+Media Access Control security (MACsec) provides point-to-point security on Ethernet
+links and is defined by IEEE standard 802.1AE. MACsec secures an Ethernet link for
+almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP),
+Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP),
+Address Resolution Protocol (ARP), and other protocols that are not typically secured
+on an Ethernet link because of limitations with other security solutions.
+
+.. code-block:: c
+
+             Receive                                                Transmit
+             -------                                                --------
+
+         Ethernet frame                                          Ethernet frame
+         from  network                                           towards network
+                |                                                      ^
+                ~                                                      |
+                |                                                      ~
+                V                                                      |
+    +-----------------------+      +------------------+      +-------------------------+
+    | Secure frame verify   |      | Cipher Suite(SA) |      | Secure Frame Generation |
+    +-----------------------+<-----+------------------+----->+-------------------------+
+    | SecTAG + ICV remove   |      |  SECY   |   SC   |      | SecTAG + ICV Added      |
+    +---+-------------------+      +------------------+      +-------------------------+
+                |                                                      ^
+                |                                                      |
+                V                                                      |
+        Packet to Core/App                                     Packet from core/App
+
+
+
+To configure MACsec on an inline NIC device or a lookaside crypto device, a security
+association(SA) and a secure channel(SC) are created before creating rte_security
+session.
+
+SA is created using API ``rte_security_macsec_sa_create`` which allows setting
+SA keys, salt, SSCI, packet number(PN) into the PMD and the API returns a handle
+which can be used to map it with a secure channel using the API
+``rte_security_macsec_sc_create``. Same SAs can be used for multiple SCs.
+The Rx SC will need a set of 4 SAs for each of the association numbers(AN).
+For Tx SC a single SA is set which will be used by hardware to process the packet.
+
+The API ``rte_security_macsec_sc_create`` returns a handle for SC and this handle
+is set in ``rte_security_macsec_xform`` to create a MACsec session using
+``rte_security_session_create``.
+
+
 Device Features and Capabilities
 ---------------------------------
 
@@ -517,6 +566,35 @@ protocol.
         RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
     };
 
+Below is the example PMD capability for MACsec
+
+.. code-block:: c
+
+    static const struct rte_security_capability pmd_security_capabilities[] = {
+        { /* DOCSIS Uplink */
+                .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+                .protocol = RTE_SECURITY_PROTOCOL_MACSEC,
+                .macsec = {
+                        .mtu = 1500,
+                        .alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+                        .max_nb_sc = 64,
+                        .max_nb_sa = 128,
+                        .max_nb_sess = 64,
+                        .replay_win_sz = 4096,
+                        .relative_sectag_insert = 1,
+                        .fixed_sectag_insert = 1,
+                        .icv_include_da_sa = 1,
+                        .ctrl_port_enable = 1,
+                        .preserve_sectag = 1,
+                        .preserve_icv = 1,
+                        .validate_frames = 1,
+                        .re_key = 1,
+                        .anti_replay = 1,
+                },
+                .crypto_capabilities = NULL,
+        },
+    };
+
 Capabilities Discovery
 ~~~~~~~~~~~~~~~~~~~~~~
 
@@ -661,6 +739,8 @@ which will be updated in the future.
 
 IPsec related configuration parameters are defined in ``rte_security_ipsec_xform``
 
+MACsec related configuration parameters are defined in ``rte_security_macsec_xform``
+
 PDCP related configuration parameters are defined in ``rte_security_pdcp_xform``
 
 DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform``
@@ -682,7 +762,7 @@ The ingress/egress flow attribute should match that specified in the security
 session if the security session supports the definition of the direction.
 
 Multiple flows can be configured to use the same security session. For
-example if the security session specifies an egress IPsec SA, then multiple
+example if the security session specifies an egress IPsec/MACsec SA, then multiple
 flows can be specified to that SA. In the case of an ingress IPsec SA then
 it is only valid to have a single flow to map to that security session.
 
@@ -692,8 +772,8 @@ it is only valid to have a single flow to map to that security session.
                  |
         +--------|--------+
         |    Add/Remove   |
-        |     IPsec SA    |   <------ Build security flow action of
-        |        |        |           ipsec transform
+        | IPsec/MACsec SA |   <------ Build security flow action of
+        |        |        |           IPsec/MACsec transform
         |--------|--------|
                  |
         +--------V--------+
@@ -712,9 +792,9 @@ it is only valid to have a single flow to map to that security session.
         |                 |
         +--------|--------+
 
-* Add/Delete SA flow:
+* Add/Delete IPsec SA flow:
   To add a new inline SA construct a rte_flow_item for Ethernet + IP + ESP
-  using the SA selectors and the ``rte_crypto_ipsec_xform`` as the ``rte_flow_action``.
+  using the SA selectors and the ``rte_security_ipsec_xform`` as the ``rte_flow_action``.
   Note that any rte_flow_items may be empty, which means it is not checked.
 
 .. code-block:: console
@@ -729,6 +809,23 @@ it is only valid to have a single flow to map to that security session.
         |  Eth  | ->  ... -> |   ESP  | -> | END |
         +-------+            +--------+    +-----+
 
+* Add/Delete MACsec SA flow:
+  To add a new inline SA construct a rte_flow_item for Ethernet + SecTAG
+  using the SA selectors and the ``rte_security_macsec_xform`` as the ``rte_flow_action``.
+  Note that any rte_flow_items may be empty, which means it is not checked.
+
+.. code-block:: console
+
+    In its most basic form, MACsec flow specification is as follows:
+        +-------+     +----------+     +-----+
+        |  Eth  | ->  |  SecTag  |  -> | END |
+        +-------+     +----------+     +-----+
+
+    However, the API can represent, MACsec offload with any encapsulation:
+        +-------+            +--------+    +-----+
+        |  Eth  | ->  ... -> | SecTag | -> | END |
+        +-------+            +--------+    +-----+
+
 
 Telemetry support
 -----------------
diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c
index 4f5e4b4d49..45f8827d78 100644
--- a/lib/security/rte_security.c
+++ b/lib/security/rte_security.c
@@ -121,6 +121,92 @@ rte_security_session_destroy(struct rte_security_ctx *instance,
 	return 0;
 }
 
+int
+rte_security_macsec_sc_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sc *conf)
+{
+	int sc_id;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_create, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
+	sc_id = instance->ops->macsec_sc_create(instance->device, conf);
+	if (sc_id >= 0)
+		instance->macsec_sc_cnt++;
+
+	return sc_id;
+}
+
+int
+rte_security_macsec_sa_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sa *conf)
+{
+	int sa_id;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_create, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
+	sa_id = instance->ops->macsec_sa_create(instance->device, conf);
+	if (sa_id >= 0)
+		instance->macsec_sa_cnt++;
+
+	return sa_id;
+}
+
+int
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id)
+{
+	int ret;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP);
+
+	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id);
+	if (ret != 0)
+		return ret;
+
+	if (instance->macsec_sc_cnt)
+		instance->macsec_sc_cnt--;
+
+	return 0;
+}
+
+int
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id)
+{
+	int ret;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP);
+
+	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id);
+	if (ret != 0)
+		return ret;
+
+	if (instance->macsec_sa_cnt)
+		instance->macsec_sa_cnt--;
+
+	return 0;
+}
+
+int
+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id,
+			         struct rte_security_macsec_sc_stats *stats)
+{
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
+	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats);
+}
+
+int
+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id,
+			         struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
+	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats);
+}
+
 int
 __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
 				struct rte_security_session *sess,
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 675db940eb..1ae2a5627d 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -23,6 +23,7 @@ extern "C" {
 #include <rte_common.h>
 #include <rte_crypto.h>
 #include <rte_ip.h>
+#include <rte_macsec.h>
 #include <rte_mbuf_dyn.h>
 
 /** IPSec protocol mode */
@@ -73,6 +74,10 @@ struct rte_security_ctx {
 	/**< Pointer to security ops for the device */
 	uint16_t sess_cnt;
 	/**< Number of sessions attached to this context */
+	uint16_t macsec_sc_cnt;
+	/**< Number of MACsec SC attached to this context */
+	uint16_t macsec_sa_cnt;
+	/**< Number of MACsec SA attached to this context */
 	uint32_t flags;
 	/**< Flags for security context */
 };
@@ -354,12 +359,157 @@ struct rte_security_ipsec_xform {
 	/**< UDP parameters, ignored when udp_encap option not specified */
 };
 
+/**
+ * MACsec secure association(SA) configuration structure.
+ */
+struct rte_security_macsec_sa {
+	/** MACsec SA key for AES-GCM 128/256 */
+	struct {
+		const uint8_t *data;	/**< pointer to key data */
+		uint16_t length;	/**< key length in bytes */
+	} key;
+	/** 96-bit value distributed by key agreement protocol */
+	uint8_t salt[RTE_MACSEC_SALT_LEN];
+	/** Association number to be used */
+	uint8_t an : 2;
+	/** Short Secure Channel Identifier, to be used for XPN cases */
+	uint32_t ssci;
+	/** Packet number expected/ to be used for next packet of this SA */
+	uint32_t next_pn;
+};
+
+/**
+ * MACSec packet flow direction
+ */
+enum rte_security_macsec_direction {
+	/** Generate SecTag and encrypt/authenticate */
+	RTE_SECURITY_MACSEC_DIR_TX,
+	/** Remove SecTag and decrypt/verify */
+	RTE_SECURITY_MACSEC_DIR_RX,
+};
+
+/**
+ * MACsec Secure Channel configuration parameters.
+ */
+struct rte_security_macsec_sc {
+	/** Direction of SC */
+	enum rte_security_macsec_direction dir;
+	union {
+		struct {
+			/** SAs for each association number */
+			uint16_t sa_id[RTE_MACSEC_NUM_AN];
+			/** flag to denote which all SAs are in use for each association number */
+			uint16_t sa_in_use[RTE_MACSEC_NUM_AN];
+			/** Channel is active */
+			uint8_t active : 1;
+			/** Reserved bitfields for future */
+			uint8_t reserved : 7;
+		} sc_rx;
+		struct {
+			uint16_t sa_id; /**< SA id to be used for encryption */
+			uint16_t sa_id_rekey; /**< Rekeying SA id to be used for encryption */
+			uint64_t sci; /**< SCI value to be used if send_sci is set */
+			uint8_t active : 1; /**< Channel is active */
+			uint8_t re_key_en : 1; /**< Enable Rekeying */
+			/** Reserved bitfields for future */
+			uint8_t reserved : 6;
+		} sc_tx;
+	};
+};
+
+/**
+ * MACsec Supported Algorithm list as per IEEE Std 802.1AE
+ */
+enum rte_security_macsec_alg {
+	RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */
+	RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */
+	RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */
+	RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */
+};
+
+/** Disable Validation of MACsec frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE	0
+/** Validate MACsec frame but do not discard invalid frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD	1
+/** Validate MACsec frame and discart invalid frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_STRICT	2
+/** Do not perform any MACsec operation */
+#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP	3
+
 /**
  * MACsec security session configuration
  */
 struct rte_security_macsec_xform {
-	/** To be Filled */
-	int dummy;
+	/** Direction of flow/secure channel */
+	enum rte_security_macsec_direction dir;
+	/** MACsec algorithm to be used */
+	enum rte_security_macsec_alg alg;
+	/** cipher offset from start of ethernet header */
+	uint8_t cipher_off;
+	/**
+	 * SCI to be used for RX flow identification or
+	 * to set SCI in packet for TX when send_sci is set
+	 */
+	uint64_t sci;
+	/** Receive/transmit secure channel id created by *rte_security_macsec_sc_create* */
+	uint16_t sc_id;
+	union {
+		struct {
+			/** MTU for transmit frame (Valid for inline processing) */
+			uint16_t mtu;
+			/**
+			 * Offset to insert sectag from start of ethernet header or
+			 * from a matching VLAN tag
+			 */
+			uint8_t sectag_off;
+			/** Enable MACsec protection of frames */
+			uint16_t protect_frames : 1;
+			/**
+			 * Sectag insertion mode
+			 * If 1, Sectag is inserted at fixed sectag_off set above.
+			 * If 0, Sectag is inserted at relative sectag_off from a matching
+			 * VLAN tag set.
+			 */
+			uint16_t sectag_insert_mode : 1;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port is enabled */
+			uint16_t ctrl_port_enable : 1;
+			/** Version of MACsec header. Should be 0 */
+			uint16_t sectag_version : 1;
+			/** Enable end station. SCI is not valid */
+			uint16_t end_station : 1;
+			/** Send SCI along with sectag */
+			uint16_t send_sci : 1;
+			/** enable secure channel support EPON - single copy broadcast */
+			uint16_t scb : 1;
+			/**
+			 * Enable packet encryption and set RTE_MACSEC_TCI_C and
+			 * RTE_MACSEC_TCI_E in sectag
+			 */
+			uint16_t encrypt : 1;
+			/** Reserved bitfields for future */
+			uint16_t reserved : 7;
+		} tx_secy;
+		struct {
+			/** Replay Window size to be supported */
+			uint32_t replay_win_sz;
+			/** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */
+			uint16_t validate_frames : 2;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port is enabled */
+			uint16_t ctrl_port_enable : 1;
+			/** Do not strip SecTAG after processing */
+			uint16_t preserve_sectag : 1;
+			/** Do not strip ICV from the packet after processing */
+			uint16_t preserve_icv : 1;
+			/** Enable anti-replay protection */
+			uint16_t replay_protect : 1;
+			/** Reserved bitfields for future */
+			uint16_t reserved : 9;
+		} rx_secy;
+	};
 };
 
 /**
@@ -513,7 +663,7 @@ struct rte_security_session_conf {
 	};
 	/**< Configuration parameters for security session */
 	struct rte_crypto_sym_xform *crypto_xform;
-	/**< Security Session Crypto Transformations */
+	/**< Security Session Crypto Transformations. NULL in case of MACsec */
 	void *userdata;
 	/**< Application specific userdata to be saved with session */
 };
@@ -588,6 +738,80 @@ int
 rte_security_session_destroy(struct rte_security_ctx *instance,
 			     struct rte_security_session *sess);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Create MACsec security channel(SC)
+ *
+ * @param   instance	security instance
+ * @param   conf	MACsec SC configuration params
+ * @return
+ *  - secure channel id if successful
+ *  - -EINVAL if configuration params are invalid of instance is NULL.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if PMD is not capable to create more SC.
+ *  - other negative value for other errors.
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sc *conf);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Destroy MACsec security channel(SC)
+ *
+ * @param   instance	security instance
+ * @param   sc_id	SC id to be destroyed
+ * @return
+ *  - 0 if successful
+ *  - -EINVAL if sc_id is invalid or instance is NULL.
+ *  - -EBUSY if sc is being used by some session.
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Create MACsec security association(SA)
+ *
+ * @param   instance	security instance
+ * @param   conf	MACsec SA configuration params
+ * @return
+ *  - positive SA id if successful
+ *  - -EINVAL if configuration params are invalid of instance is NULL.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if PMD is not capable to create more SAs.
+ *  - other negative value for other errors.
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sa *conf);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Destroy MACsec security association(SA)
+ *
+ * @param   instance	security instance
+ * @param   sa_id	SA id to be destroyed
+ * @return
+ *  - 0 if successful
+ *  - -EINVAL if sa_id is invalid or instance is NULL.
+ *  - -EBUSY if sa is being used by some session.
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
+
 /** Device-specific metadata field type */
 typedef uint64_t rte_security_dynfield_t;
 /** Dynamic mbuf field for device-specific metadata */
@@ -747,8 +971,62 @@ rte_security_attach_session(struct rte_crypto_op *op,
 	return __rte_security_attach_session(op->sym, sess);
 }
 
-struct rte_security_macsec_stats {
-	uint64_t reserved;
+struct rte_security_macsec_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;
+	uint64_t pkt_notag_cnt;
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct rte_security_macsec_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t octet_decrypt_cnt;
+	uint64_t octet_validate_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;
+	uint64_t octet_protected_cnt;
+};
+
+struct rte_security_macsec_sa_stats {
+	/* RX */
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t pkt_nosa_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
 };
 
 struct rte_security_ipsec_stats {
@@ -776,7 +1054,7 @@ struct rte_security_stats {
 
 	RTE_STD_C11
 	union {
-		struct rte_security_macsec_stats macsec;
+		struct rte_security_macsec_secy_stats macsec;
 		struct rte_security_ipsec_stats ipsec;
 		struct rte_security_pdcp_stats pdcp;
 		struct rte_security_docsis_stats docsis;
@@ -802,6 +1080,44 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
 			       struct rte_security_session *sess,
 			       struct rte_security_stats *stats);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get MACsec SA statistics
+ *
+ * @param	instance	security instance
+ * @param	sa_id		SA id for which stats are needed
+ * @param	stats		statistics
+ * @return
+ *  - On success, return 0
+ *  - On failure, a negative value
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
+				 uint16_t sa_id,
+				 struct rte_security_macsec_sa_stats *stats);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get MACsec SC statistics
+ *
+ * @param	instance	security instance
+ * @param	sc_id		SC id for which stats are needed
+ * @param	stats		SC statistics
+ * @return
+ *  - On success, return 0
+ *  - On failure, a negative value
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,
+				 uint16_t sc_id,
+				 struct rte_security_macsec_sc_stats *stats);
+
 /**
  * Security capability definition
  */
@@ -828,8 +1144,38 @@ struct rte_security_capability {
 		} ipsec;
 		/**< IPsec capability */
 		struct {
-			/* To be Filled */
-			int dummy;
+			/** MTU supported for inline TX */
+			uint16_t mtu;
+			/** MACsec algorithm to be used */
+			enum rte_security_macsec_alg alg;
+			/** Maximum number of secure channels supported. */
+			uint16_t max_nb_sc;
+			/** Maximum number of SAs supported. */
+			uint16_t max_nb_sa;
+			/** Maximum number of SAs supported. */
+			uint16_t max_nb_sess;
+			/** MACsec Anti Replay Window Size. */
+			uint32_t replay_win_sz;
+			/** Support Sectag insertion at relative offset. */
+			uint16_t relative_sectag_insert : 1;
+			/** Support Sectag insertion at fixed offset. */
+			uint16_t fixed_sectag_insert : 1;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port traffic is supported */
+			uint16_t ctrl_port_enable : 1;
+			/** Do not strip SecTAG after processing */
+			uint16_t preserve_sectag : 1;
+			/** Do not strip ICV from the packet after processing */
+			uint16_t preserve_icv : 1;
+			/** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */
+			uint16_t validate_frames : 1;
+			/** support re-keying on SA expiry */
+			uint16_t re_key : 1;
+			/** support Anti replay */
+			uint16_t anti_replay : 1;
+			/** Reserved bitfields for future capabilities */
+			uint16_t reserved : 7;
 		} macsec;
 		/**< MACsec capability */
 		struct {
diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h
index b0253e962e..c4098d0f8a 100644
--- a/lib/security/rte_security_driver.h
+++ b/lib/security/rte_security_driver.h
@@ -63,6 +63,50 @@ typedef int (*security_session_update_t)(void *device,
 		struct rte_security_session *sess,
 		struct rte_security_session_conf *conf);
 
+/**
+ * Configure a MACsec secure channel(SC) on a device.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	conf		MACsec SC configuration params
+ *
+ * @return
+ *  - positive sc_id if SC is created successfully.
+ *  - -EINVAL if input parameters are invalid.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if the SC cannot be created.
+ */
+typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_macsec_sc *conf);
+
+/**
+ * Free MACsec secure channel(SC).
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sc_id		MACsec SC id
+ */
+typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id);
+
+/**
+ * Configure a MACsec security Association(SA) on a device.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	conf		MACsec SA configuration params
+ *
+ * @return
+ *  - positive sa_id if SA is created successfully.
+ *  - -EINVAL if input parameters are invalid.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if the SA cannot be created.
+ */
+typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_macsec_sa *conf);
+
+/**
+ * Free MACsec security association(SA).
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sa_id		MACsec SA id
+ */
+typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id);
+
 /**
  * Get the size of a security session
  *
@@ -89,6 +133,36 @@ typedef int (*security_session_stats_get_t)(void *device,
 		struct rte_security_session *sess,
 		struct rte_security_stats *stats);
 
+/**
+ * Get MACsec secure channel stats from the PMD.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sc_id		secure channel id created by rte_security_macsec_sc_create()
+ * @param	stats		SC stats of the driver
+ *
+ * @return
+ *  - 0 if success.
+ *  - -EINVAL if sc_id or device is invalid.
+ */
+typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
+		struct rte_security_macsec_sc_stats *stats);
+
+/**
+ * Get MACsec SA stats from the PMD.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sa_id		secure channel id created by rte_security_macsec_sc_create()
+ * @param	stats		SC stats of the driver
+ *
+ * @return
+ *  - 0 if success.
+ *  - -EINVAL if sa_id or device is invalid.
+ */
+typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,
+		struct rte_security_macsec_sa_stats *stats);
+
+
+
 __rte_internal
 int rte_security_dynfield_register(void);
 
@@ -154,6 +228,18 @@ struct rte_security_ops {
 	/**< Get userdata associated with session which processed the packet. */
 	security_capabilities_get_t capabilities_get;
 	/**< Get security capabilities. */
+	security_macsec_sc_create_t macsec_sc_create;
+	/**< Configure a MACsec security channel(SC). */
+	security_macsec_sc_destroy_t macsec_sc_destroy;
+	/**< Free a MACsec security channel(SC). */
+	security_macsec_sa_create_t macsec_sa_create;
+	/**< Configure a MACsec security association(SA). */
+	security_macsec_sa_destroy_t macsec_sa_destroy;
+	/**< Free a MACsec security association(SA). */
+	security_macsec_sc_stats_get_t macsec_sc_stats_get;
+	/**< Get MACsec SC statistics. */
+	security_macsec_sa_stats_get_t macsec_sa_stats_get;
+	/**< Get MACsec SA statistics. */
 };
 
 #ifdef __cplusplus
diff --git a/lib/security/version.map b/lib/security/version.map
index c770b2e8f8..c0c3574dca 100644
--- a/lib/security/version.map
+++ b/lib/security/version.map
@@ -16,6 +16,12 @@ EXPERIMENTAL {
 	__rte_security_get_userdata;
 	__rte_security_set_pkt_metadata;
 	rte_security_dynfield_offset;
+	rte_security_macsec_sa_create;
+	rte_security_macsec_sa_destroy;
+	rte_security_macsec_sa_stats_get;
+	rte_security_macsec_sc_create;
+	rte_security_macsec_sc_destroy;
+	rte_security_macsec_sc_stats_get;
 	rte_security_session_stats_get;
 	rte_security_session_update;
 };
-- 
2.25.1

[PATCH 3/3] ethdev: add MACsec flow item

[Akhil Goyal]

A new flow item is defined for MACsec flows which can be
offloaded to an inline device. If the flow matches with
MACsec header, device will process as per the security
session created using rte_security APIs.
If an error comes while MACsec processing in HW, PMD will
notify with the events defined in this patch.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 lib/ethdev/rte_ethdev.h | 55 +++++++++++++++++++++++++++++++++++++++++
 lib/ethdev/rte_flow.h   | 18 ++++++++++++++
 2 files changed, 73 insertions(+)

diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h
index de9e970d4d..24661b01e9 100644
--- a/lib/ethdev/rte_ethdev.h
+++ b/lib/ethdev/rte_ethdev.h
@@ -3864,6 +3864,61 @@ rte_eth_tx_buffer_count_callback(struct rte_mbuf **pkts, uint16_t unsent,
 int
 rte_eth_tx_done_cleanup(uint16_t port_id, uint16_t queue_id, uint32_t free_cnt);
 
+/**
+ * Subtypes for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC) raised by
+ * Ethernet device.
+ */
+enum rte_eth_macsec_event_subtype {
+	RTE_ETH_MACSEC_SUBEVENT_UNKNOWN,
+	/* subevents of RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_V_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SL_GTE48,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+};
+
+enum rte_eth_macsec_event_type {
+	RTE_ETH_MACSEC_EVENT_UNKNOWN,
+	RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR,
+	RTE_ETH_MACSEC_EVENT_RX_SA_PN_HARD_EXP,
+	RTE_ETH_MACSEC_EVENT_RX_SA_PN_SOFT_EXP,
+	RTE_ETH_MACSEC_EVENT_TX_SA_PN_HARD_EXP,
+	RTE_ETH_MACSEC_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies Invalid SA event */
+	RTE_ETH_MACSEC_EVENT_SA_NOT_VALID,
+};
+
+/**
+ * Descriptor for @ref RTE_ETH_EVENT_MACSEC event. Used by eth dev to send extra
+ * information of the MACsec offload event.
+ */
+struct rte_eth_event_macsec_desc {
+	enum rte_eth_macsec_event_type type;
+	enum rte_eth_macsec_event_subtype subtype;
+	/**
+	 * Event specific metadata.
+	 *
+	 * For the following events, *userdata* registered
+	 * with the *rte_security_session* would be returned
+	 * as metadata,
+	 *
+	 * @see struct rte_security_session_conf
+	 */
+	uint64_t metadata;
+};
+
 /**
  * Subtypes for IPsec offload event(@ref RTE_ETH_EVENT_IPSEC) raised by
  * eth device.
diff --git a/lib/ethdev/rte_flow.h b/lib/ethdev/rte_flow.h
index a79f1e7ef0..4114c84a02 100644
--- a/lib/ethdev/rte_flow.h
+++ b/lib/ethdev/rte_flow.h
@@ -35,6 +35,7 @@
 #include <rte_l2tpv2.h>
 #include <rte_ppp.h>
 #include <rte_gre.h>
+#include <rte_macsec.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -668,6 +669,13 @@ enum rte_flow_item_type {
 	 * See struct rte_flow_item_gre_opt.
 	 */
 	RTE_FLOW_ITEM_TYPE_GRE_OPTION,
+
+	/**
+	 * Matches MACsec Ethernet Header.
+	 *
+	 * See struct rte_flow_item_macsec.
+	 */
+	RTE_FLOW_ITEM_TYPE_MACSEC,
 };
 
 /**
@@ -1214,6 +1222,16 @@ struct rte_flow_item_gre_opt {
 	struct rte_gre_hdr_opt_sequence sequence;
 };
 
+/**
+ * RTE_FLOW_ITEM_TYPE_MACSEC.
+ *
+ * Matches MACsec header.
+ */
+struct rte_flow_item_macsec {
+	struct rte_macsec_hdr macsec_hdr;
+};
+
+
 /**
  * RTE_FLOW_ITEM_TYPE_FUZZY
  *
-- 
2.25.1

RE: [PATCH 3/3] ethdev: add MACsec flow item

[Ori Kam]

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Sunday, 14 August 2022 21:46
> 
> A new flow item is defined for MACsec flows which can be
> offloaded to an inline device. If the flow matches with
> MACsec header, device will process as per the security
> session created using rte_security APIs.
> If an error comes while MACsec processing in HW, PMD will
> notify with the events defined in this patch.
> 
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
>  lib/ethdev/rte_ethdev.h | 55
> +++++++++++++++++++++++++++++++++++++++++
>  lib/ethdev/rte_flow.h   | 18 ++++++++++++++
>  2 files changed, 73 insertions(+)
> 
> diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h
> index de9e970d4d..24661b01e9 100644
> --- a/lib/ethdev/rte_ethdev.h
> +++ b/lib/ethdev/rte_ethdev.h
> @@ -3864,6 +3864,61 @@ rte_eth_tx_buffer_count_callback(struct
> rte_mbuf **pkts, uint16_t unsent,
>  int
>  rte_eth_tx_done_cleanup(uint16_t port_id, uint16_t queue_id, uint32_t
> free_cnt);
> 
> +/**
> + * Subtypes for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC)
> raised by
> + * Ethernet device.
> + */
> +enum rte_eth_macsec_event_subtype {
> +	RTE_ETH_MACSEC_SUBEVENT_UNKNOWN,
> +	/* subevents of RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR sectag
> validation events
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_V_EQ1
> +	 *	Validation check: SecTag.TCI.V = 1
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_E_EQ0_C_EQ1
> +	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SL_GTE48
> +	 *	Validation check: SecTag.SL >= 'd48
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
> +	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
> +	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
> +	 */
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_V_EQ1,
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_E_EQ0_C_EQ1,
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SL_GTE48,
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
> +};
> +
> +enum rte_eth_macsec_event_type {
> +	RTE_ETH_MACSEC_EVENT_UNKNOWN,
> +	RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR,
> +	RTE_ETH_MACSEC_EVENT_RX_SA_PN_HARD_EXP,
> +	RTE_ETH_MACSEC_EVENT_RX_SA_PN_SOFT_EXP,
> +	RTE_ETH_MACSEC_EVENT_TX_SA_PN_HARD_EXP,
> +	RTE_ETH_MACSEC_EVENT_TX_SA_PN_SOFT_EXP,
> +	/* Notifies Invalid SA event */
> +	RTE_ETH_MACSEC_EVENT_SA_NOT_VALID,
> +};
> +
> +/**
> + * Descriptor for @ref RTE_ETH_EVENT_MACSEC event. Used by eth dev to
> send extra
> + * information of the MACsec offload event.
> + */
> +struct rte_eth_event_macsec_desc {
> +	enum rte_eth_macsec_event_type type;
> +	enum rte_eth_macsec_event_subtype subtype;
> +	/**
> +	 * Event specific metadata.
> +	 *
> +	 * For the following events, *userdata* registered
> +	 * with the *rte_security_session* would be returned
> +	 * as metadata,
> +	 *
> +	 * @see struct rte_security_session_conf
> +	 */
> +	uint64_t metadata;
> +};
> +
>  /**
>   * Subtypes for IPsec offload event(@ref RTE_ETH_EVENT_IPSEC) raised by
>   * eth device.
> diff --git a/lib/ethdev/rte_flow.h b/lib/ethdev/rte_flow.h
> index a79f1e7ef0..4114c84a02 100644
> --- a/lib/ethdev/rte_flow.h
> +++ b/lib/ethdev/rte_flow.h
> @@ -35,6 +35,7 @@
>  #include <rte_l2tpv2.h>
>  #include <rte_ppp.h>
>  #include <rte_gre.h>
> +#include <rte_macsec.h>
> 
>  #ifdef __cplusplus
>  extern "C" {
> @@ -668,6 +669,13 @@ enum rte_flow_item_type {
>  	 * See struct rte_flow_item_gre_opt.
>  	 */
>  	RTE_FLOW_ITEM_TYPE_GRE_OPTION,
> +
> +	/**
> +	 * Matches MACsec Ethernet Header.
> +	 *
> +	 * See struct rte_flow_item_macsec.
> +	 */
> +	RTE_FLOW_ITEM_TYPE_MACSEC,
>  };
> 
>  /**
> @@ -1214,6 +1222,16 @@ struct rte_flow_item_gre_opt {
>  	struct rte_gre_hdr_opt_sequence sequence;
>  };
> 
> +/**
> + * RTE_FLOW_ITEM_TYPE_MACSEC.
> + *
> + * Matches MACsec header.
> + */
> +struct rte_flow_item_macsec {
> +	struct rte_macsec_hdr macsec_hdr;
> +};
> +
> +
>  /**
>   * RTE_FLOW_ITEM_TYPE_FUZZY
>   *
> --
> 2.25.1

Acked-by: Ori Kam <orika@nvidia.com>
Best,
Ori

RE: [PATCH 1/3] net: add MACsec header

[Akhil Goyal]

Hi Olivier,

Could you please review this patch? 
Apologies. I missed to add you earlier.

Regards,
Akhil

> Subject: [PATCH 1/3] net: add MACsec header
> 
> Added MACsec protocol header to be used for supporting
> MACsec protocol offload in hardware or directly in the application.
> 
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
>  doc/api/doxy-api-index.md |  3 ++-
>  lib/net/meson.build       |  1 +
>  lib/net/rte_macsec.h      | 56 +++++++++++++++++++++++++++++++++++++++
>  3 files changed, 59 insertions(+), 1 deletion(-)
>  create mode 100644 lib/net/rte_macsec.h
> 
> diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md
> index 186a258be4..99e49340d3 100644
> --- a/doc/api/doxy-api-index.md
> +++ b/doc/api/doxy-api-index.md
> @@ -126,7 +126,8 @@ The public API headers are grouped by topics:
>    [Geneve](@ref rte_geneve.h),
>    [eCPRI](@ref rte_ecpri.h),
>    [L2TPv2](@ref rte_l2tpv2.h),
> -  [PPP](@ref rte_ppp.h)
> +  [PPP](@ref rte_ppp.h),
> +  [MACsec](@ref rte_macsec.h)
> 
>  - **QoS**:
>    [metering](@ref rte_meter.h),
> diff --git a/lib/net/meson.build b/lib/net/meson.build
> index e899846578..3e63abaca8 100644
> --- a/lib/net/meson.build
> +++ b/lib/net/meson.build
> @@ -21,6 +21,7 @@ headers = files(
>          'rte_geneve.h',
>          'rte_l2tpv2.h',
>          'rte_ppp.h',
> +        'rte_macsec.h',
>  )
> 
>  sources = files(
> diff --git a/lib/net/rte_macsec.h b/lib/net/rte_macsec.h
> new file mode 100644
> index 0000000000..f1b59253f6
> --- /dev/null
> +++ b/lib/net/rte_macsec.h
> @@ -0,0 +1,56 @@
> +/* SPDX-License-Identifier: BSD-3-Clause
> + * Copyright(C) 2022 Marvell.
> + */
> +
> +#ifndef _RTE_MACSEC_H_
> +#define _RTE_MACSEC_H_
> +
> +/**
> + * @file
> + *
> + * MACsec-related defines
> + */
> +
> +#include <rte_byteorder.h>
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +
> +/* SecTAG length = macsec ether header without the optional SCI */
> +#define RTE_MACSEC_TAG_LEN 6
> +#define RTE_MACSEC_SCI_LEN 8
> +
> +#define RTE_MACSEC_TCI_VERSION	0x80 /**< Version mask for MACsec.
> Should be 0. */
> +#define RTE_MACSEC_TCI_ES	0x40 /**< End station - SCI is not valid */
> +#define RTE_MACSEC_TCI_SC	0x20 /**< SCI present */
> +#define RTE_MACSEC_TCI_SCB	0x10 /**< Secure channel support EPON single
> copy broadcast */
> +#define RTE_MACSEC_TCI_E	0x08 /**< User data is encrypted */
> +#define RTE_MACSEC_TCI_C	0x04 /**< User data was changed (because of
> encryption) */
> +#define RTE_MACSEC_AN_MASK	0x03 /**< Association number mask in
> tci_an */
> +#define RTE_MACSEC_NUM_AN	4    /**< 2 bits for the association
> number */
> +#define RTE_MACSEC_SALT_LEN	12   /**< Salt length for MACsec SA */
> +
> +/**
> + * MACsec Header
> + */
> +struct rte_macsec_hdr {
> +	/* SecTAG */
> +	uint8_t  tci_an;	/**< Tag control information and Association number
> of SC */
> +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
> +	uint8_t short_length : 6; /**< Short Length */
> +	uint8_t unused : 2;
> +#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN
> +	uint8_t unused : 2;
> +	uint8_t short_length : 6;
> +#endif
> +	rte_be32_t packet_number; /**< Packet number to support replay
> protection */
> +	uint8_t secure_channel_id[8]; /* optional */
> +} __rte_packed;
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif /* RTE_MACSEC_H_ */
> --
> 2.25.1

RE: [PATCH 2/3] security: support MACsec

[Akhil Goyal]

Hi txgbe/ixgbe maintainers,

I see that MACsec is supported by ixgbe and txgbe PMDs.
Could you please review this patch?

Regards,
Akhil

> Subject: [PATCH 2/3] security: support MACsec
> 
> Added support for MACsec in rte_security for offloading
> MACsec Protocol operation to inline NIC device or a crypto device.
> 
> To support MACsec we cannot just make one security session and
> send with the packet to process it. MACsec specifications suggest,
> it has 3 different entities - SECY Entity, SC(secure channel) and
> SA(security association). And same SA can be used by multiple SCs and
> similarly many SECY can have same SCs. Hence, in order to support this
> many to one relationships between all entities, 2 new APIs are created -
> rte_security_macsec_sc_create and rte_security_macsec_sa_create.
> Flow of execution of the APIs would be as
> - rte_security_macsec_sa_create
> - rte_security_macsec_sc_create
> - rte_security_session_create(for secy)
> And in case of inline protocol processing rte_flow can be created with
> rte_security action. A new flow item will be added for MACsec header.
> New APIs are also created for getting SC and SA stats.
> 
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---

Re: [PATCH 1/3] net: add MACsec header

[Olivier Matz]

Hi Akhil,

Few comments below.

On Mon, Aug 15, 2022 at 12:16:18AM +0530, Akhil Goyal wrote:
> Added MACsec protocol header to be used for supporting
> MACsec protocol offload in hardware or directly in the application.
> 
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
>  doc/api/doxy-api-index.md |  3 ++-
>  lib/net/meson.build       |  1 +
>  lib/net/rte_macsec.h      | 56 +++++++++++++++++++++++++++++++++++++++
>  3 files changed, 59 insertions(+), 1 deletion(-)
>  create mode 100644 lib/net/rte_macsec.h
> 
> diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md
> index 186a258be4..99e49340d3 100644
> --- a/doc/api/doxy-api-index.md
> +++ b/doc/api/doxy-api-index.md
> @@ -126,7 +126,8 @@ The public API headers are grouped by topics:
>    [Geneve](@ref rte_geneve.h),
>    [eCPRI](@ref rte_ecpri.h),
>    [L2TPv2](@ref rte_l2tpv2.h),
> -  [PPP](@ref rte_ppp.h)
> +  [PPP](@ref rte_ppp.h),
> +  [MACsec](@ref rte_macsec.h)
>  
>  - **QoS**:
>    [metering](@ref rte_meter.h),
> diff --git a/lib/net/meson.build b/lib/net/meson.build
> index e899846578..3e63abaca8 100644
> --- a/lib/net/meson.build
> +++ b/lib/net/meson.build
> @@ -21,6 +21,7 @@ headers = files(
>          'rte_geneve.h',
>          'rte_l2tpv2.h',
>          'rte_ppp.h',
> +        'rte_macsec.h',
>  )
>  
>  sources = files(
> diff --git a/lib/net/rte_macsec.h b/lib/net/rte_macsec.h
> new file mode 100644
> index 0000000000..f1b59253f6
> --- /dev/null
> +++ b/lib/net/rte_macsec.h
> @@ -0,0 +1,56 @@
> +/* SPDX-License-Identifier: BSD-3-Clause
> + * Copyright(C) 2022 Marvell.
> + */
> +
> +#ifndef _RTE_MACSEC_H_
> +#define _RTE_MACSEC_H_
> +
> +/**
> + * @file
> + *
> + * MACsec-related defines
> + */
> +
> +#include <rte_byteorder.h>
> +
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +
> +/* SecTAG length = macsec ether header without the optional SCI */
> +#define RTE_MACSEC_TAG_LEN 6

Use a doxygen-like comment.

Is this define required? In my understanding, it is the same as
sizeof(struct rte_macsec_hdr).

> +#define RTE_MACSEC_SCI_LEN 8

Missing doxygen doc.

> +
> +#define RTE_MACSEC_TCI_VERSION	0x80 /**< Version mask for MACsec. Should be 0. */
> +#define RTE_MACSEC_TCI_ES	0x40 /**< End station - SCI is not valid */
> +#define RTE_MACSEC_TCI_SC	0x20 /**< SCI present */
> +#define RTE_MACSEC_TCI_SCB	0x10 /**< Secure channel support EPON single copy broadcast */

support -> supports?

> +#define RTE_MACSEC_TCI_E	0x08 /**< User data is encrypted */
> +#define RTE_MACSEC_TCI_C	0x04 /**< User data was changed (because of encryption) */


In [1], I can read the following, which is not similar:

E and C bits used to determine if packet is encrypted
• E, C = 1, 1 – Encrypted
• E, C = 0, 0 – Authenticated-Only

Is there any reference paper for macsec header?

[1] https://www.marvell.com/content/dam/marvell/en/public-collateral/automotive-solutions/marvell-macsec-security-in-ethernet-based-vehicle-white-paper.pdf


> +#define RTE_MACSEC_AN_MASK	0x03 /**< Association number mask in tci_an */

nit: all comments should end with a dot.


>
> +#define RTE_MACSEC_NUM_AN	4    /**< 2 bits for the association number */

I don't get how this defined is used. Can the comment be clarified?

> +#define RTE_MACSEC_SALT_LEN	12   /**< Salt length for MACsec SA */

Same here.

> +
> +/**
> + * MACsec Header
> + */
> +struct rte_macsec_hdr {
> +	/* SecTAG */

Is the SecTAG comment required? Or maybe it should be moved
above the struct?

> +	uint8_t  tci_an;	/**< Tag control information and Association number of SC */

nit: duplicated spaces after uint8_t

Can we use a bitfield here for tci and an, like you did for short_length?

Like this:

	uint8_t tci:6;
	uint8_t an:2;

Or:

	uint8_t tci_version:1;
	uint8_t tci_es:1;
	uint8_t tci_sc:1;
	uint8_t tci_scb:1;
	uint8_t tci_e:1;
	uint8_t tci_c:1;
	uint8_t an:2;

I think the 2nd one is easier to use.

> +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
> +	uint8_t short_length : 6; /**< Short Length */
> +	uint8_t unused : 2;

nit: no spaces around ':'

> +#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN
> +	uint8_t unused : 2;
> +	uint8_t short_length : 6;
> +#endif
> +	rte_be32_t packet_number; /**< Packet number to support replay protection */
> +	uint8_t secure_channel_id[8]; /* optional */

8 -> RTE_MACSEC_SCI_LEN ?

I think it would be more convenient to have another struct
for the secure_channel_id.

For instance, this pseudo code:

	struct struct rte_macsec_hdr *hdr = NULL;
	struct struct rte_macsec_sci_hdr *hdr_sci = NULL;

	if (seg_len(mbuf) < sizeof(*hdr))
		return -1;
	if (hdr.tci_sc) {
		if (seg_len(mbuf) < sizeof(*hdr_sci))
			return -1;
		hdr_sci = hdr;
	}

With only one struct, it is difficult to properly do the length check.


> +} __rte_packed;
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +
> +#endif /* RTE_MACSEC_H_ */
> -- 
> 2.25.1
> 

Thanks,
Olivier

RE: [EXT] Re: [PATCH 1/3] net: add MACsec header

[Akhil Goyal]

Hi Olivier,

Thanks for your review. I will fix the issues in next version.

> Hi Akhil,
> 
> Few comments below.
> 
> On Mon, Aug 15, 2022 at 12:16:18AM +0530, Akhil Goyal wrote:
> > Added MACsec protocol header to be used for supporting
> > MACsec protocol offload in hardware or directly in the application.
> >
> > Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> > ---
> >  doc/api/doxy-api-index.md |  3 ++-
> >  lib/net/meson.build       |  1 +
> >  lib/net/rte_macsec.h      | 56 +++++++++++++++++++++++++++++++++++++++
> >  3 files changed, 59 insertions(+), 1 deletion(-)
> >  create mode 100644 lib/net/rte_macsec.h
> >
> > diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md
> > index 186a258be4..99e49340d3 100644
> > --- a/doc/api/doxy-api-index.md
> > +++ b/doc/api/doxy-api-index.md
> > @@ -126,7 +126,8 @@ The public API headers are grouped by topics:
> >    [Geneve](@ref rte_geneve.h),
> >    [eCPRI](@ref rte_ecpri.h),
> >    [L2TPv2](@ref rte_l2tpv2.h),
> > -  [PPP](@ref rte_ppp.h)
> > +  [PPP](@ref rte_ppp.h),
> > +  [MACsec](@ref rte_macsec.h)
> >
> >  - **QoS**:
> >    [metering](@ref rte_meter.h),
> > diff --git a/lib/net/meson.build b/lib/net/meson.build
> > index e899846578..3e63abaca8 100644
> > --- a/lib/net/meson.build
> > +++ b/lib/net/meson.build
> > @@ -21,6 +21,7 @@ headers = files(
> >          'rte_geneve.h',
> >          'rte_l2tpv2.h',
> >          'rte_ppp.h',
> > +        'rte_macsec.h',
> >  )
> >
> >  sources = files(
> > diff --git a/lib/net/rte_macsec.h b/lib/net/rte_macsec.h
> > new file mode 100644
> > index 0000000000..f1b59253f6
> > --- /dev/null
> > +++ b/lib/net/rte_macsec.h
> > @@ -0,0 +1,56 @@
> > +/* SPDX-License-Identifier: BSD-3-Clause
> > + * Copyright(C) 2022 Marvell.
> > + */
> > +
> > +#ifndef _RTE_MACSEC_H_
> > +#define _RTE_MACSEC_H_
> > +
> > +/**
> > + * @file
> > + *
> > + * MACsec-related defines
> > + */
> > +
> > +#include <rte_byteorder.h>
> > +
> > +#ifdef __cplusplus
> > +extern "C" {
> > +#endif
> > +
> > +
> > +/* SecTAG length = macsec ether header without the optional SCI */
> > +#define RTE_MACSEC_TAG_LEN 6
> 
> Use a doxygen-like comment.
> 
> Is this define required? In my understanding, it is the same as
> sizeof(struct rte_macsec_hdr).
> 
> > +#define RTE_MACSEC_SCI_LEN 8
> 
> Missing doxygen doc.
> 
> > +
> > +#define RTE_MACSEC_TCI_VERSION	0x80 /**< Version mask for MACsec.
> Should be 0. */
> > +#define RTE_MACSEC_TCI_ES	0x40 /**< End station - SCI is not valid
> */
> > +#define RTE_MACSEC_TCI_SC	0x20 /**< SCI present */
> > +#define RTE_MACSEC_TCI_SCB	0x10 /**< Secure channel support
> EPON single copy broadcast */
> 
> support -> supports?
> 
> > +#define RTE_MACSEC_TCI_E	0x08 /**< User data is encrypted */
> > +#define RTE_MACSEC_TCI_C	0x04 /**< User data was changed (because of
> encryption) */
> 
> 
> In [1], I can read the following, which is not similar:
> 
> E and C bits used to determine if packet is encrypted
> • E, C = 1, 1 – Encrypted
> • E, C = 0, 0 – Authenticated-Only
> 
> Is there any reference paper for macsec header?
> 
> [1] https://www.marvell.com/content/dam/marvell/en/public-
> collateral/automotive-solutions/marvell-macsec-security-in-ethernet-based-
> vehicle-white-paper.pdf
> 
> 
> > +#define RTE_MACSEC_AN_MASK	0x03 /**< Association number mask in
> tci_an */
> 
> nit: all comments should end with a dot.
> 
> 
> >
> > +#define RTE_MACSEC_NUM_AN	4    /**< 2 bits for the association
> number */
> 
> I don't get how this defined is used. Can the comment be clarified?
> 
> > +#define RTE_MACSEC_SALT_LEN	12   /**< Salt length for MACsec SA */
> 
> Same here.
> 
> > +
> > +/**
> > + * MACsec Header
> > + */
> > +struct rte_macsec_hdr {
> > +	/* SecTAG */
> 
> Is the SecTAG comment required? Or maybe it should be moved
> above the struct?
> 
> > +	uint8_t  tci_an;	/**< Tag control information and Association number
> of SC */
> 
> nit: duplicated spaces after uint8_t
> 
> Can we use a bitfield here for tci and an, like you did for short_length?
> 
> Like this:
> 
> 	uint8_t tci:6;
> 	uint8_t an:2;
> 
> Or:
> 
> 	uint8_t tci_version:1;
> 	uint8_t tci_es:1;
> 	uint8_t tci_sc:1;
> 	uint8_t tci_scb:1;
> 	uint8_t tci_e:1;
> 	uint8_t tci_c:1;
> 	uint8_t an:2;
> 
> I think the 2nd one is easier to use.
> 
> > +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
> > +	uint8_t short_length : 6; /**< Short Length */
> > +	uint8_t unused : 2;
> 
> nit: no spaces around ':'
> 
> > +#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN
> > +	uint8_t unused : 2;
> > +	uint8_t short_length : 6;
> > +#endif
> > +	rte_be32_t packet_number; /**< Packet number to support replay
> protection */
> > +	uint8_t secure_channel_id[8]; /* optional */
> 
> 8 -> RTE_MACSEC_SCI_LEN ?
> 
> I think it would be more convenient to have another struct
> for the secure_channel_id.
> 
> For instance, this pseudo code:
> 
> 	struct struct rte_macsec_hdr *hdr = NULL;
> 	struct struct rte_macsec_sci_hdr *hdr_sci = NULL;
> 
> 	if (seg_len(mbuf) < sizeof(*hdr))
> 		return -1;
> 	if (hdr.tci_sc) {
> 		if (seg_len(mbuf) < sizeof(*hdr_sci))
> 			return -1;
> 		hdr_sci = hdr;
> 	}
> 
> With only one struct, it is difficult to properly do the length check.
> 
> 
> > +} __rte_packed;
> > +
> > +#ifdef __cplusplus
> > +}
> > +#endif
> > +
> > +#endif /* RTE_MACSEC_H_ */
> > --
> > 2.25.1
> >
> 
> Thanks,
> Olivier

RE: [EXT] Re: [PATCH 1/3] net: add MACsec header

[Akhil Goyal]

Hi Olivier,

> > +#define RTE_MACSEC_TCI_E	0x08 /**< User data is encrypted */
> > +#define RTE_MACSEC_TCI_C	0x04 /**< User data was changed (because of
> encryption) */
> 
E bit means the user data is encrypted if set. Above defines are mask to each of the fields in tci_an.
I would add a comment that these are masks to each of the fields.

C bit means the user data is changed (because of encryption)

> 
> In [1], I can read the following, which is not similar:
> 
> E and C bits used to determine if packet is encrypted
> • E, C = 1, 1 – Encrypted
> • E, C = 0, 0 – Authenticated-Only
> 
> Is there any reference paper for macsec header?

The reference is IEEE802.1AE standard.
https://ieeexplore.ieee.org/document/8585421

> 
> [1] https://www.marvell.com/content/dam/marvell/en/public-
> collateral/automotive-solutions/marvell-macsec-security-in-ethernet-based-
> vehicle-white-paper.pdf
> 
> 


> >
> > +#define RTE_MACSEC_NUM_AN	4    /**< 2 bits for the association
> number */
> 
> I don't get how this defined is used. Can the comment be clarified?

In case of MACsec we can have 4 different SAs for each of the secure channel
Based on the AN field.
RTE_MACSEC_NUM_AN is basically added to make an upper limit to the array of SAs.
I will re-write the comment as
#define RTE_MACSEC_NUM_AN	4    /**< Max number of association numbers. */

Or shall I move it to rte_security?


> 
> > +#define RTE_MACSEC_SALT_LEN	12   /**< Salt length for MACsec SA */
For MACsec SA configuration, Salt is used which has a fixed size of 12 bytes.
Do you want me to move it to rte_security?

> 
> Same here.
> 
> > +
> > +/**
> > + * MACsec Header
> > + */
> > +struct rte_macsec_hdr {
> > +	/* SecTAG */
> 
> Is the SecTAG comment required? Or maybe it should be moved
> above the struct?
> 
> > +	uint8_t  tci_an;	/**< Tag control information and Association number
> of SC */
> 
> nit: duplicated spaces after uint8_t
> 
> Can we use a bitfield here for tci and an, like you did for short_length?

Would it be really necessary to split it to bitfields.
Can we not use it like vtc_flow in rte_ipv6_hdr?

> 
> Like this:
> 
> 	uint8_t tci:6;
> 	uint8_t an:2;
> 
> Or:
> 
> 	uint8_t tci_version:1;
> 	uint8_t tci_es:1;
> 	uint8_t tci_sc:1;
> 	uint8_t tci_scb:1;
> 	uint8_t tci_e:1;
> 	uint8_t tci_c:1;
> 	uint8_t an:2;
> 
> I think the 2nd one is easier to use.
> 
> > +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
> > +	uint8_t short_length : 6; /**< Short Length */
> > +	uint8_t unused : 2;
> 
> nit: no spaces around ':'
> 
> > +#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN
> > +	uint8_t unused : 2;
> > +	uint8_t short_length : 6;
> > +#endif
> > +	rte_be32_t packet_number; /**< Packet number to support replay
> protection */
> > +	uint8_t secure_channel_id[8]; /* optional */
> 
> 8 -> RTE_MACSEC_SCI_LEN ?
> 
> I think it would be more convenient to have another struct
> for the secure_channel_id.

Ok Can we use it like this

struct rte_macsec_sci_hdr {
        uint8_t sci[RTE_MACSEC_SCI_LEN]; /**< Optional secure channel id. */
} __rte_packed;

struct rte_macsec_hdr {
        uint8_t tci_an; /**< Tag control information and Association number of SC. */
#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
        uint8_t short_length:6; /**< Short Length. */
        uint8_t unused:2;
#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN
        uint8_t unused:2;
        uint8_t short_length:6; /**< Short Length. */
#endif
        rte_be32_t packet_number; /**< Packet number to support replay protection. */
        union {
                uint8_t payload[0];
                struct rte_macsec_sci_hdr sci[0];
        };
} __rte_packed;

[PATCH v2 0/3] security: support MACsec

[Akhil Goyal]

Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it can have 3 different entities - SECY Entity, SC(secure channel) and
SA(security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create(for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action similar to IPsec flows except that the flow item
will be MACsec instead of IPsec.

A new flow item is added for MACsec header and a set of events are added
to specify the errors occurred during inline protocol processing.

New APIs are also created for getting SC and SA stats.

Patches for PMD implementation and test app are submitted separately
which can be separately applied after RC1.

Changes in v2:
- Incorporated comments from Olivier except the one to split tci_an into
  bitfields.
- added release notes and removed deprecation notice.
- added some missing fields in rte_security patch.


Akhil Goyal (3):
  net: add MACsec header
  ethdev: add MACsec flow item
  security: support MACsec

 doc/api/doxy-api-index.md              |   3 +-
 doc/guides/prog_guide/rte_security.rst | 107 ++++++-
 doc/guides/rel_notes/deprecation.rst   |   5 -
 doc/guides/rel_notes/release_22_11.rst |  10 +
 lib/ethdev/rte_ethdev.h                |  55 ++++
 lib/ethdev/rte_flow.h                  |  18 ++
 lib/net/meson.build                    |   1 +
 lib/net/rte_macsec.h                   |  61 ++++
 lib/security/rte_security.c            |  86 ++++++
 lib/security/rte_security.h            | 370 ++++++++++++++++++++++++-
 lib/security/rte_security_driver.h     |  86 ++++++
 lib/security/version.map               |   6 +
 12 files changed, 789 insertions(+), 19 deletions(-)
 create mode 100644 lib/net/rte_macsec.h

-- 
2.25.1

[PATCH v2 1/3] net: add MACsec header

[Akhil Goyal]

Added MACsec protocol header to be used for supporting
MACsec protocol offload in hardware or directly in the application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/api/doxy-api-index.md |  3 +-
 lib/net/meson.build       |  1 +
 lib/net/rte_macsec.h      | 61 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 lib/net/rte_macsec.h

diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md
index 186a258be4..99e49340d3 100644
--- a/doc/api/doxy-api-index.md
+++ b/doc/api/doxy-api-index.md
@@ -126,7 +126,8 @@ The public API headers are grouped by topics:
   [Geneve](@ref rte_geneve.h),
   [eCPRI](@ref rte_ecpri.h),
   [L2TPv2](@ref rte_l2tpv2.h),
-  [PPP](@ref rte_ppp.h)
+  [PPP](@ref rte_ppp.h),
+  [MACsec](@ref rte_macsec.h)
 
 - **QoS**:
   [metering](@ref rte_meter.h),
diff --git a/lib/net/meson.build b/lib/net/meson.build
index e899846578..3e63abaca8 100644
--- a/lib/net/meson.build
+++ b/lib/net/meson.build
@@ -21,6 +21,7 @@ headers = files(
         'rte_geneve.h',
         'rte_l2tpv2.h',
         'rte_ppp.h',
+        'rte_macsec.h',
 )
 
 sources = files(
diff --git a/lib/net/rte_macsec.h b/lib/net/rte_macsec.h
new file mode 100644
index 0000000000..b391d21ecd
--- /dev/null
+++ b/lib/net/rte_macsec.h
@@ -0,0 +1,61 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _RTE_MACSEC_H_
+#define _RTE_MACSEC_H_
+
+/**
+ * @file
+ *
+ * MACsec-related defines
+ */
+
+#include <rte_byteorder.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define RTE_MACSEC_TCI_VER_MASK	0x80 /**< Version mask for MACsec. Should be 0. */
+#define RTE_MACSEC_TCI_ES	0x40 /**< Mask for End station(ES) bit - SCI is not valid. */
+#define RTE_MACSEC_TCI_SC	0x20 /**< Mask for SCI present bit. */
+#define RTE_MACSEC_TCI_SCB	0x10 /**< Mask for EPON single copy broadcast bit. */
+#define RTE_MACSEC_TCI_E	0x08 /**< Mask for encrypted user data bit. */
+#define RTE_MACSEC_TCI_C	0x04 /**< Mask for changed user data bit (because of encryption). */
+#define RTE_MACSEC_AN_MASK	0x03 /**< Association number mask in tci_an. */
+
+/**
+ * MACsec Header(SecTAG)
+ */
+struct rte_macsec_hdr {
+	/**
+	 * Tag control information and Association number of secure channel.
+	 * Various bits of TCI and AN are masked using RTE_MACSEC_TCI_* and RTE_MACSEC_AN_MASK.
+	 */
+	uint8_t tci_an;
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+	uint8_t short_length:6; /**< Short Length. */
+	uint8_t unused:2;
+#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN
+	uint8_t unused:2;
+	uint8_t short_length:6; /**< Short Length. */
+#endif
+	rte_be32_t packet_number; /**< Packet number to support replay protection. */
+} __rte_packed;
+
+/** SCI length in MACsec header if present. */
+#define RTE_MACSEC_SCI_LEN 8
+
+/**
+ * MACsec SCI header(8 bytes) after the MACsec header which is present if SC bit is set in tci_an.
+ */
+struct rte_macsec_sci_hdr {
+	uint8_t sci[RTE_MACSEC_SCI_LEN]; /**< Optional secure channel id. */
+} __rte_packed;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* RTE_MACSEC_H_ */
-- 
2.25.1

[PATCH v2 2/3] ethdev: add MACsec flow item

[Akhil Goyal]

A new flow item is defined for MACsec flows which can be
offloaded to an inline device. If the flow matches with
MACsec header, device will process as per the security
session created using rte_security APIs.
If an error comes while MACsec processing in HW, PMD will
notify with the events defined in this patch.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ori Kam <orika@nvidia.com>
---
 lib/ethdev/rte_ethdev.h | 55 +++++++++++++++++++++++++++++++++++++++++
 lib/ethdev/rte_flow.h   | 18 ++++++++++++++
 2 files changed, 73 insertions(+)

diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h
index 19e2a8eb3f..733165ec6d 100644
--- a/lib/ethdev/rte_ethdev.h
+++ b/lib/ethdev/rte_ethdev.h
@@ -3579,6 +3579,61 @@ rte_eth_tx_buffer_count_callback(struct rte_mbuf **pkts, uint16_t unsent,
 int
 rte_eth_tx_done_cleanup(uint16_t port_id, uint16_t queue_id, uint32_t free_cnt);
 
+/**
+ * Subtypes for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC) raised by
+ * Ethernet device.
+ */
+enum rte_eth_macsec_event_subtype {
+	RTE_ETH_MACSEC_SUBEVENT_UNKNOWN,
+	/* subevents of RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_V_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SL_GTE48,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+};
+
+enum rte_eth_macsec_event_type {
+	RTE_ETH_MACSEC_EVENT_UNKNOWN,
+	RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR,
+	RTE_ETH_MACSEC_EVENT_RX_SA_PN_HARD_EXP,
+	RTE_ETH_MACSEC_EVENT_RX_SA_PN_SOFT_EXP,
+	RTE_ETH_MACSEC_EVENT_TX_SA_PN_HARD_EXP,
+	RTE_ETH_MACSEC_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies Invalid SA event */
+	RTE_ETH_MACSEC_EVENT_SA_NOT_VALID,
+};
+
+/**
+ * Descriptor for @ref RTE_ETH_EVENT_MACSEC event. Used by eth dev to send extra
+ * information of the MACsec offload event.
+ */
+struct rte_eth_event_macsec_desc {
+	enum rte_eth_macsec_event_type type;
+	enum rte_eth_macsec_event_subtype subtype;
+	/**
+	 * Event specific metadata.
+	 *
+	 * For the following events, *userdata* registered
+	 * with the *rte_security_session* would be returned
+	 * as metadata,
+	 *
+	 * @see struct rte_security_session_conf
+	 */
+	uint64_t metadata;
+};
+
 /**
  * Subtypes for IPsec offload event(@ref RTE_ETH_EVENT_IPSEC) raised by
  * eth device.
diff --git a/lib/ethdev/rte_flow.h b/lib/ethdev/rte_flow.h
index 96147a149a..e966488965 100644
--- a/lib/ethdev/rte_flow.h
+++ b/lib/ethdev/rte_flow.h
@@ -35,6 +35,7 @@
 #include <rte_l2tpv2.h>
 #include <rte_ppp.h>
 #include <rte_gre.h>
+#include <rte_macsec.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -626,6 +627,13 @@ enum rte_flow_item_type {
 	 * See struct rte_flow_item_gre_opt.
 	 */
 	RTE_FLOW_ITEM_TYPE_GRE_OPTION,
+
+	/**
+	 * Matches MACsec Ethernet Header.
+	 *
+	 * See struct rte_flow_item_macsec.
+	 */
+	RTE_FLOW_ITEM_TYPE_MACSEC,
 };
 
 /**
@@ -1099,6 +1107,16 @@ struct rte_flow_item_gre_opt {
 	struct rte_gre_hdr_opt_sequence sequence;
 };
 
+/**
+ * RTE_FLOW_ITEM_TYPE_MACSEC.
+ *
+ * Matches MACsec header.
+ */
+struct rte_flow_item_macsec {
+	struct rte_macsec_hdr macsec_hdr;
+};
+
+
 /**
  * RTE_FLOW_ITEM_TYPE_FUZZY
  *
-- 
2.25.1

[PATCH v2 3/3] security: support MACsec

[Akhil Goyal]

Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it has 3 different entities - SECY Entity, SC(secure channel) and
SA(security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_macsec_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create(for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action. A new flow item will be added for MACsec header.
New APIs are also created for getting SC and SA stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 107 ++++++-
 doc/guides/rel_notes/deprecation.rst   |   5 -
 doc/guides/rel_notes/release_22_11.rst |  10 +
 lib/security/rte_security.c            |  86 ++++++
 lib/security/rte_security.h            | 370 ++++++++++++++++++++++++-
 lib/security/rte_security_driver.h     |  86 ++++++
 lib/security/version.map               |   6 +
 7 files changed, 652 insertions(+), 18 deletions(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 277169a335..62e7b8d72e 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -347,6 +347,55 @@ The CRC is Ethernet CRC-32 as specified in Ethernet/[ISO/IEC 8802-3].
     * Other DOCSIS protocol functionality such as Header Checksum (HCS)
       calculation may be added in the future.
 
+MACSEC Protocol
+~~~~~~~~~~~~~~~
+
+Media Access Control security (MACsec) provides point-to-point security on Ethernet
+links and is defined by IEEE standard 802.1AE. MACsec secures an Ethernet link for
+almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP),
+Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP),
+Address Resolution Protocol (ARP), and other protocols that are not typically secured
+on an Ethernet link because of limitations with other security solutions.
+
+.. code-block:: c
+
+             Receive                                                Transmit
+             -------                                                --------
+
+         Ethernet frame                                          Ethernet frame
+         from  network                                           towards network
+                |                                                      ^
+                ~                                                      |
+                |                                                      ~
+                V                                                      |
+    +-----------------------+      +------------------+      +-------------------------+
+    | Secure frame verify   |      | Cipher Suite(SA) |      | Secure Frame Generation |
+    +-----------------------+<-----+------------------+----->+-------------------------+
+    | SecTAG + ICV remove   |      |  SECY   |   SC   |      | SecTAG + ICV Added      |
+    +---+-------------------+      +------------------+      +-------------------------+
+                |                                                      ^
+                |                                                      |
+                V                                                      |
+        Packet to Core/App                                     Packet from core/App
+
+
+
+To configure MACsec on an inline NIC device or a lookaside crypto device, a security
+association(SA) and a secure channel(SC) are created before creating rte_security
+session.
+
+SA is created using API ``rte_security_macsec_sa_create`` which allows setting
+SA keys, salt, SSCI, packet number(PN) into the PMD and the API returns a handle
+which can be used to map it with a secure channel using the API
+``rte_security_macsec_sc_create``. Same SAs can be used for multiple SCs.
+The Rx SC will need a set of 4 SAs for each of the association numbers(AN).
+For Tx SC a single SA is set which will be used by hardware to process the packet.
+
+The API ``rte_security_macsec_sc_create`` returns a handle for SC and this handle
+is set in ``rte_security_macsec_xform`` to create a MACsec session using
+``rte_security_session_create``.
+
+
 Device Features and Capabilities
 ---------------------------------
 
@@ -519,6 +568,35 @@ protocol.
         RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
     };
 
+Below is the example PMD capability for MACsec
+
+.. code-block:: c
+
+    static const struct rte_security_capability pmd_security_capabilities[] = {
+        {
+                .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+                .protocol = RTE_SECURITY_PROTOCOL_MACSEC,
+                .macsec = {
+                        .mtu = 1500,
+                        .alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+                        .max_nb_sc = 64,
+                        .max_nb_sa = 128,
+                        .max_nb_sess = 64,
+                        .replay_win_sz = 4096,
+                        .relative_sectag_insert = 1,
+                        .fixed_sectag_insert = 1,
+                        .icv_include_da_sa = 1,
+                        .ctrl_port_enable = 1,
+                        .preserve_sectag = 1,
+                        .preserve_icv = 1,
+                        .validate_frames = 1,
+                        .re_key = 1,
+                        .anti_replay = 1,
+                },
+                .crypto_capabilities = NULL,
+        },
+    };
+
 Capabilities Discovery
 ~~~~~~~~~~~~~~~~~~~~~~
 
@@ -658,6 +736,8 @@ which will be updated in the future.
 
 IPsec related configuration parameters are defined in ``rte_security_ipsec_xform``
 
+MACsec related configuration parameters are defined in ``rte_security_macsec_xform``
+
 PDCP related configuration parameters are defined in ``rte_security_pdcp_xform``
 
 DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform``
@@ -679,7 +759,7 @@ The ingress/egress flow attribute should match that specified in the security
 session if the security session supports the definition of the direction.
 
 Multiple flows can be configured to use the same security session. For
-example if the security session specifies an egress IPsec SA, then multiple
+example if the security session specifies an egress IPsec/MACsec SA, then multiple
 flows can be specified to that SA. In the case of an ingress IPsec SA then
 it is only valid to have a single flow to map to that security session.
 
@@ -689,8 +769,8 @@ it is only valid to have a single flow to map to that security session.
                  |
         +--------|--------+
         |    Add/Remove   |
-        |     IPsec SA    |   <------ Build security flow action of
-        |        |        |           ipsec transform
+        | IPsec/MACsec SA |   <------ Build security flow action of
+        |        |        |           IPsec/MACsec transform
         |--------|--------|
                  |
         +--------V--------+
@@ -709,9 +789,9 @@ it is only valid to have a single flow to map to that security session.
         |                 |
         +--------|--------+
 
-* Add/Delete SA flow:
+* Add/Delete IPsec SA flow:
   To add a new inline SA construct a rte_flow_item for Ethernet + IP + ESP
-  using the SA selectors and the ``rte_crypto_ipsec_xform`` as the ``rte_flow_action``.
+  using the SA selectors and the ``rte_security_ipsec_xform`` as the ``rte_flow_action``.
   Note that any rte_flow_items may be empty, which means it is not checked.
 
 .. code-block:: console
@@ -726,6 +806,23 @@ it is only valid to have a single flow to map to that security session.
         |  Eth  | ->  ... -> |   ESP  | -> | END |
         +-------+            +--------+    +-----+
 
+* Add/Delete MACsec SA flow:
+  To add a new inline SA construct a rte_flow_item for Ethernet + SecTAG
+  using the SA selectors and the ``rte_security_macsec_xform`` as the ``rte_flow_action``.
+  Note that any rte_flow_items may be empty, which means it is not checked.
+
+.. code-block:: console
+
+    In its most basic form, MACsec flow specification is as follows:
+        +-------+     +----------+     +-----+
+        |  Eth  | ->  |  SecTag  |  -> | END |
+        +-------+     +----------+     +-----+
+
+    However, the API can represent, MACsec offload with any encapsulation:
+        +-------+            +--------+    +-----+
+        |  Eth  | ->  ... -> | SecTag | -> | END |
+        +-------+            +--------+    +-----+
+
 
 Telemetry support
 -----------------
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index e83bc648fc..3915644501 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -151,11 +151,6 @@ Deprecation Notices
   pointer for the private data to the application which can be attached
   to the packet while enqueuing.
 
-* security: MACsec support is planned to be added in DPDK 22.11,
-  which would result in updates to structures ``rte_security_macsec_xform``,
-  ``rte_security_macsec_stats`` and security capability structure
-  ``rte_security_capability`` to accommodate MACsec capabilities.
-
 * eventdev: The function ``rte_event_crypto_adapter_queue_pair_add`` will
   accept configuration of type ``rte_event_crypto_adapter_queue_conf`` instead
   of ``rte_event``, similar to ``rte_event_eth_rx_adapter_queue_add`` signature.
diff --git a/doc/guides/rel_notes/release_22_11.rst b/doc/guides/rel_notes/release_22_11.rst
index 510485017d..701d25ffda 100644
--- a/doc/guides/rel_notes/release_22_11.rst
+++ b/doc/guides/rel_notes/release_22_11.rst
@@ -72,6 +72,11 @@ New Features
   * Added AES-CCM support in lookaside protocol (IPsec) for CN9K & CN10K.
   * Added AES & DES DOCSIS algorithm support in lookaside crypto for CN9K.
 
+* **Added support for MACsec in rte_security.**
+
+  * Added MACsec transform for rte_security session and added new APIs to configure
+    security associations(SA) and secure channels(SC).
+
 * **Added eventdev adapter instance get API.**
 
   * Added ``rte_event_eth_rx_adapter_instance_get`` to get Rx adapter
@@ -209,6 +214,11 @@ API Changes
 * ethdev: Promoted ``rte_flow_pick_transfer_proxy()``
   from experimental to stable.
 
+* security: MACsec support is added which resulted in updates to
+  structures ``rte_security_macsec_xform``, ``rte_security_macsec_stats``
+  and security capability structure ``rte_security_capability`` to
+  accommodate MACsec capabilities.
+
 * telemetry: The allowed characters in names for dictionary values
   are now limited to alphanumeric characters and a small subset of additional
   printable characters.
diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c
index 22d6269d93..f0bbc9d147 100644
--- a/lib/security/rte_security.c
+++ b/lib/security/rte_security.c
@@ -124,6 +124,92 @@ rte_security_session_destroy(struct rte_security_ctx *instance,
 	return 0;
 }
 
+int
+rte_security_macsec_sc_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sc *conf)
+{
+	int sc_id;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_create, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
+	sc_id = instance->ops->macsec_sc_create(instance->device, conf);
+	if (sc_id >= 0)
+		instance->macsec_sc_cnt++;
+
+	return sc_id;
+}
+
+int
+rte_security_macsec_sa_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sa *conf)
+{
+	int sa_id;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_create, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
+	sa_id = instance->ops->macsec_sa_create(instance->device, conf);
+	if (sa_id >= 0)
+		instance->macsec_sa_cnt++;
+
+	return sa_id;
+}
+
+int
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id)
+{
+	int ret;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP);
+
+	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id);
+	if (ret != 0)
+		return ret;
+
+	if (instance->macsec_sc_cnt)
+		instance->macsec_sc_cnt--;
+
+	return 0;
+}
+
+int
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id)
+{
+	int ret;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP);
+
+	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id);
+	if (ret != 0)
+		return ret;
+
+	if (instance->macsec_sa_cnt)
+		instance->macsec_sa_cnt--;
+
+	return 0;
+}
+
+int
+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id,
+			         struct rte_security_macsec_sc_stats *stats)
+{
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
+	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats);
+}
+
+int
+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id,
+			         struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
+	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats);
+}
+
 int
 __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
 				struct rte_security_session *sess,
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 3e8cd29082..74fe3ef5d7 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -73,6 +73,10 @@ struct rte_security_ctx {
 	/**< Pointer to security ops for the device */
 	uint16_t sess_cnt;
 	/**< Number of sessions attached to this context */
+	uint16_t macsec_sc_cnt;
+	/**< Number of MACsec SC attached to this context */
+	uint16_t macsec_sa_cnt;
+	/**< Number of MACsec SA attached to this context */
 	uint32_t flags;
 	/**< Flags for security context */
 };
@@ -351,12 +355,166 @@ struct rte_security_ipsec_xform {
 	/**< UDP parameters, ignored when udp_encap option not specified */
 };
 
+/**
+ * MACSec packet flow direction
+ */
+enum rte_security_macsec_direction {
+	/** Generate SecTag and encrypt/authenticate */
+	RTE_SECURITY_MACSEC_DIR_TX,
+	/** Remove SecTag and decrypt/verify */
+	RTE_SECURITY_MACSEC_DIR_RX,
+};
+
+/** Maximum number of association numbers for a secure channel. */
+#define RTE_SECURITY_MACSEC_NUM_AN	4
+/** Salt length for MACsec SA. */
+#define RTE_SECURITY_MACSEC_SALT_LEN	12
+
+/**
+ * MACsec secure association(SA) configuration structure.
+ */
+struct rte_security_macsec_sa {
+	/** Direction of SA */
+	enum rte_security_macsec_direction dir;
+	/** MACsec SA key for AES-GCM 128/256 */
+	struct {
+		const uint8_t *data;	/**< pointer to key data */
+		uint16_t length;	/**< key length in bytes */
+	} key;
+	/** 96-bit value distributed by key agreement protocol */
+	uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN];
+	/** Association number to be used */
+	uint8_t an : 2;
+	/** Short Secure Channel Identifier, to be used for XPN cases */
+	uint32_t ssci;
+	/** Extended packet number */
+	uint32_t xpn;
+	/** Packet number expected/ to be used for next packet of this SA */
+	uint32_t next_pn;
+};
+
+/**
+ * MACsec Secure Channel configuration parameters.
+ */
+struct rte_security_macsec_sc {
+	/** Direction of SC */
+	enum rte_security_macsec_direction dir;
+	union {
+		struct {
+			/** SAs for each association number */
+			uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
+			/** flag to denote which all SAs are in use for each association number */
+			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
+			/** Channel is active */
+			uint8_t active : 1;
+			/** Reserved bitfields for future */
+			uint8_t reserved : 7;
+		} sc_rx;
+		struct {
+			uint16_t sa_id; /**< SA id to be used for encryption */
+			uint16_t sa_id_rekey; /**< Rekeying SA id to be used for encryption */
+			uint64_t sci; /**< SCI value to be used if send_sci is set */
+			uint8_t active : 1; /**< Channel is active */
+			uint8_t re_key_en : 1; /**< Enable Rekeying */
+			/** Reserved bitfields for future */
+			uint8_t reserved : 6;
+		} sc_tx;
+	};
+};
+
+/**
+ * MACsec Supported Algorithm list as per IEEE Std 802.1AE
+ */
+enum rte_security_macsec_alg {
+	RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */
+	RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */
+	RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */
+	RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */
+};
+
+/** Disable Validation of MACsec frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE	0
+/** Validate MACsec frame but do not discard invalid frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD	1
+/** Validate MACsec frame and discart invalid frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_STRICT	2
+/** Do not perform any MACsec operation */
+#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP	3
+
 /**
  * MACsec security session configuration
  */
 struct rte_security_macsec_xform {
-	/** To be Filled */
-	int dummy;
+	/** Direction of flow/secure channel */
+	enum rte_security_macsec_direction dir;
+	/** MACsec algorithm to be used */
+	enum rte_security_macsec_alg alg;
+	/** cipher offset from start of ethernet header */
+	uint8_t cipher_off;
+	/**
+	 * SCI to be used for RX flow identification or
+	 * to set SCI in packet for TX when send_sci is set
+	 */
+	uint64_t sci;
+	/** Receive/transmit secure channel id created by *rte_security_macsec_sc_create* */
+	uint16_t sc_id;
+	union {
+		struct {
+			/** MTU for transmit frame (Valid for inline processing) */
+			uint16_t mtu;
+			/**
+			 * Offset to insert sectag from start of ethernet header or
+			 * from a matching VLAN tag
+			 */
+			uint8_t sectag_off;
+			/** Enable MACsec protection of frames */
+			uint16_t protect_frames : 1;
+			/**
+			 * Sectag insertion mode
+			 * If 1, Sectag is inserted at fixed sectag_off set above.
+			 * If 0, Sectag is inserted at relative sectag_off from a matching
+			 * VLAN tag set.
+			 */
+			uint16_t sectag_insert_mode : 1;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port is enabled */
+			uint16_t ctrl_port_enable : 1;
+			/** Version of MACsec header. Should be 0 */
+			uint16_t sectag_version : 1;
+			/** Enable end station. SCI is not valid */
+			uint16_t end_station : 1;
+			/** Send SCI along with sectag */
+			uint16_t send_sci : 1;
+			/** enable secure channel support EPON - single copy broadcast */
+			uint16_t scb : 1;
+			/**
+			 * Enable packet encryption and set RTE_MACSEC_TCI_C and
+			 * RTE_MACSEC_TCI_E in sectag
+			 */
+			uint16_t encrypt : 1;
+			/** Reserved bitfields for future */
+			uint16_t reserved : 7;
+		} tx_secy;
+		struct {
+			/** Replay Window size to be supported */
+			uint32_t replay_win_sz;
+			/** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */
+			uint16_t validate_frames : 2;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port is enabled */
+			uint16_t ctrl_port_enable : 1;
+			/** Do not strip SecTAG after processing */
+			uint16_t preserve_sectag : 1;
+			/** Do not strip ICV from the packet after processing */
+			uint16_t preserve_icv : 1;
+			/** Enable anti-replay protection */
+			uint16_t replay_protect : 1;
+			/** Reserved bitfields for future */
+			uint16_t reserved : 9;
+		} rx_secy;
+	};
 };
 
 /**
@@ -510,7 +668,7 @@ struct rte_security_session_conf {
 	};
 	/**< Configuration parameters for security session */
 	struct rte_crypto_sym_xform *crypto_xform;
-	/**< Security Session Crypto Transformations */
+	/**< Security Session Crypto Transformations. NULL in case of MACsec */
 	void *userdata;
 	/**< Application specific userdata to be saved with session */
 };
@@ -585,6 +743,80 @@ int
 rte_security_session_destroy(struct rte_security_ctx *instance,
 			     struct rte_security_session *sess);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Create MACsec security channel(SC)
+ *
+ * @param   instance	security instance
+ * @param   conf	MACsec SC configuration params
+ * @return
+ *  - secure channel id if successful
+ *  - -EINVAL if configuration params are invalid of instance is NULL.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if PMD is not capable to create more SC.
+ *  - other negative value for other errors.
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sc *conf);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Destroy MACsec security channel(SC)
+ *
+ * @param   instance	security instance
+ * @param   sc_id	SC id to be destroyed
+ * @return
+ *  - 0 if successful
+ *  - -EINVAL if sc_id is invalid or instance is NULL.
+ *  - -EBUSY if sc is being used by some session.
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Create MACsec security association(SA)
+ *
+ * @param   instance	security instance
+ * @param   conf	MACsec SA configuration params
+ * @return
+ *  - positive SA id if successful
+ *  - -EINVAL if configuration params are invalid of instance is NULL.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if PMD is not capable to create more SAs.
+ *  - other negative value for other errors.
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sa *conf);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Destroy MACsec security association(SA)
+ *
+ * @param   instance	security instance
+ * @param   sa_id	SA id to be destroyed
+ * @return
+ *  - 0 if successful
+ *  - -EINVAL if sa_id is invalid or instance is NULL.
+ *  - -EBUSY if sa is being used by some session.
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
+
 /** Device-specific metadata field type */
 typedef uint64_t rte_security_dynfield_t;
 /** Dynamic mbuf field for device-specific metadata */
@@ -710,8 +942,62 @@ rte_security_attach_session(struct rte_crypto_op *op,
 	return __rte_security_attach_session(op->sym, sess);
 }
 
-struct rte_security_macsec_stats {
-	uint64_t reserved;
+struct rte_security_macsec_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;
+	uint64_t pkt_notag_cnt;
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct rte_security_macsec_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t octet_decrypt_cnt;
+	uint64_t octet_validate_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;
+	uint64_t octet_protected_cnt;
+};
+
+struct rte_security_macsec_sa_stats {
+	/* RX */
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t pkt_nosa_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
 };
 
 struct rte_security_ipsec_stats {
@@ -739,7 +1025,7 @@ struct rte_security_stats {
 
 	RTE_STD_C11
 	union {
-		struct rte_security_macsec_stats macsec;
+		struct rte_security_macsec_secy_stats macsec;
 		struct rte_security_ipsec_stats ipsec;
 		struct rte_security_pdcp_stats pdcp;
 		struct rte_security_docsis_stats docsis;
@@ -765,6 +1051,44 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
 			       struct rte_security_session *sess,
 			       struct rte_security_stats *stats);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get MACsec SA statistics
+ *
+ * @param	instance	security instance
+ * @param	sa_id		SA id for which stats are needed
+ * @param	stats		statistics
+ * @return
+ *  - On success, return 0
+ *  - On failure, a negative value
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
+				 uint16_t sa_id,
+				 struct rte_security_macsec_sa_stats *stats);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get MACsec SC statistics
+ *
+ * @param	instance	security instance
+ * @param	sc_id		SC id for which stats are needed
+ * @param	stats		SC statistics
+ * @return
+ *  - On success, return 0
+ *  - On failure, a negative value
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,
+				 uint16_t sc_id,
+				 struct rte_security_macsec_sc_stats *stats);
+
 /**
  * Security capability definition
  */
@@ -791,8 +1115,38 @@ struct rte_security_capability {
 		} ipsec;
 		/**< IPsec capability */
 		struct {
-			/* To be Filled */
-			int dummy;
+			/** MTU supported for inline TX */
+			uint16_t mtu;
+			/** MACsec algorithm to be used */
+			enum rte_security_macsec_alg alg;
+			/** Maximum number of secure channels supported. */
+			uint16_t max_nb_sc;
+			/** Maximum number of SAs supported. */
+			uint16_t max_nb_sa;
+			/** Maximum number of SAs supported. */
+			uint16_t max_nb_sess;
+			/** MACsec Anti Replay Window Size. */
+			uint32_t replay_win_sz;
+			/** Support Sectag insertion at relative offset. */
+			uint16_t relative_sectag_insert : 1;
+			/** Support Sectag insertion at fixed offset. */
+			uint16_t fixed_sectag_insert : 1;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port traffic is supported */
+			uint16_t ctrl_port_enable : 1;
+			/** Do not strip SecTAG after processing */
+			uint16_t preserve_sectag : 1;
+			/** Do not strip ICV from the packet after processing */
+			uint16_t preserve_icv : 1;
+			/** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */
+			uint16_t validate_frames : 1;
+			/** support re-keying on SA expiry */
+			uint16_t re_key : 1;
+			/** support Anti replay */
+			uint16_t anti_replay : 1;
+			/** Reserved bitfields for future capabilities */
+			uint16_t reserved : 7;
 		} macsec;
 		/**< MACsec capability */
 		struct {
diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h
index 0063a66524..1da286dad4 100644
--- a/lib/security/rte_security_driver.h
+++ b/lib/security/rte_security_driver.h
@@ -63,6 +63,50 @@ typedef int (*security_session_update_t)(void *device,
 		struct rte_security_session *sess,
 		struct rte_security_session_conf *conf);
 
+/**
+ * Configure a MACsec secure channel(SC) on a device.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	conf		MACsec SC configuration params
+ *
+ * @return
+ *  - positive sc_id if SC is created successfully.
+ *  - -EINVAL if input parameters are invalid.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if the SC cannot be created.
+ */
+typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_macsec_sc *conf);
+
+/**
+ * Free MACsec secure channel(SC).
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sc_id		MACsec SC id
+ */
+typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id);
+
+/**
+ * Configure a MACsec security Association(SA) on a device.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	conf		MACsec SA configuration params
+ *
+ * @return
+ *  - positive sa_id if SA is created successfully.
+ *  - -EINVAL if input parameters are invalid.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if the SA cannot be created.
+ */
+typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_macsec_sa *conf);
+
+/**
+ * Free MACsec security association(SA).
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sa_id		MACsec SA id
+ */
+typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id);
+
 /**
  * Get the size of a security session
  *
@@ -89,6 +133,36 @@ typedef int (*security_session_stats_get_t)(void *device,
 		struct rte_security_session *sess,
 		struct rte_security_stats *stats);
 
+/**
+ * Get MACsec secure channel stats from the PMD.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sc_id		secure channel id created by rte_security_macsec_sc_create()
+ * @param	stats		SC stats of the driver
+ *
+ * @return
+ *  - 0 if success.
+ *  - -EINVAL if sc_id or device is invalid.
+ */
+typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
+		struct rte_security_macsec_sc_stats *stats);
+
+/**
+ * Get MACsec SA stats from the PMD.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sa_id		secure channel id created by rte_security_macsec_sc_create()
+ * @param	stats		SC stats of the driver
+ *
+ * @return
+ *  - 0 if success.
+ *  - -EINVAL if sa_id or device is invalid.
+ */
+typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,
+		struct rte_security_macsec_sa_stats *stats);
+
+
+
 __rte_internal
 int rte_security_dynfield_register(void);
 
@@ -136,6 +210,18 @@ struct rte_security_ops {
 	/**< Update mbuf metadata. */
 	security_capabilities_get_t capabilities_get;
 	/**< Get security capabilities. */
+	security_macsec_sc_create_t macsec_sc_create;
+	/**< Configure a MACsec security channel(SC). */
+	security_macsec_sc_destroy_t macsec_sc_destroy;
+	/**< Free a MACsec security channel(SC). */
+	security_macsec_sa_create_t macsec_sa_create;
+	/**< Configure a MACsec security association(SA). */
+	security_macsec_sa_destroy_t macsec_sa_destroy;
+	/**< Free a MACsec security association(SA). */
+	security_macsec_sc_stats_get_t macsec_sc_stats_get;
+	/**< Get MACsec SC statistics. */
+	security_macsec_sa_stats_get_t macsec_sa_stats_get;
+	/**< Get MACsec SA statistics. */
 };
 
 #ifdef __cplusplus
diff --git a/lib/security/version.map b/lib/security/version.map
index 85ca7921e7..07dcce9ffb 100644
--- a/lib/security/version.map
+++ b/lib/security/version.map
@@ -15,6 +15,12 @@ EXPERIMENTAL {
 
 	__rte_security_set_pkt_metadata;
 	rte_security_dynfield_offset;
+	rte_security_macsec_sa_create;
+	rte_security_macsec_sa_destroy;
+	rte_security_macsec_sa_stats_get;
+	rte_security_macsec_sc_create;
+	rte_security_macsec_sc_destroy;
+	rte_security_macsec_sc_stats_get;
 	rte_security_session_stats_get;
 	rte_security_session_update;
 };
-- 
2.25.1

[PATCH 0/5] Support and test inline MACsec for cnxk

[Akhil Goyal]

These patches implement the rte_security MACsec APIs for net/cnxk
and also add test cases to test functionality.

MACsec APIs are introduced in http://patches.dpdk.org/project/dpdk/list/?series=24878

depends-on: http://patches.dpdk.org/project/dpdk/list/?series=24878

The patches are sent to showcase sample implementation and are not
complete. Final patches will be sent in next few weeks.

Akhil Goyal (5):
  common/cnxk: add ROC APIs for MACsec
  common/cnxk: derive hash key for MACsec
  net/cnxk: support MACsec
  test/security: add inline MACsec cases
  test/security: add more MACsec cases

 app/test/meson.build                          |    1 +
 app/test/test_security_inline_macsec.c        | 1126 +++++++
 .../test_security_inline_macsec_vectors.h     | 2639 +++++++++++++++++
 drivers/common/cnxk/meson.build               |    3 +
 drivers/common/cnxk/roc_aes.c                 |   17 +
 drivers/common/cnxk/roc_aes.h                 |    2 +
 drivers/common/cnxk/roc_api.h                 |    3 +
 drivers/common/cnxk/roc_dev.c                 |   86 +
 drivers/common/cnxk/roc_mbox.h                |  361 ++-
 drivers/common/cnxk/roc_mcs.c                 |  347 +++
 drivers/common/cnxk/roc_mcs.h                 |  431 +++
 drivers/common/cnxk/roc_mcs_priv.h            |   52 +
 drivers/common/cnxk/roc_mcs_sec_cfg.c         |  425 +++
 drivers/common/cnxk/roc_mcs_stats.c           |  230 ++
 drivers/common/cnxk/roc_priv.h                |    3 +
 drivers/common/cnxk/version.map               |   34 +
 drivers/net/cnxk/cn10k_ethdev_mcs.c           |  407 +++
 drivers/net/cnxk/cn10k_ethdev_mcs.h           |   59 +
 drivers/net/cnxk/cn10k_ethdev_sec.c           |   11 +-
 drivers/net/cnxk/cn10k_flow.c                 |   14 +
 drivers/net/cnxk/cnxk_ethdev.h                |   31 +
 drivers/net/cnxk/cnxk_ethdev_sec.c            |    2 +-
 drivers/net/cnxk/meson.build                  |    1 +
 23 files changed, 6280 insertions(+), 5 deletions(-)
 create mode 100644 app/test/test_security_inline_macsec.c
 create mode 100644 app/test/test_security_inline_macsec_vectors.h
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c
 create mode 100644 drivers/net/cnxk/cn10k_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cn10k_ethdev_mcs.h

-- 
2.25.1

[PATCH 1/5] common/cnxk: add ROC APIs for MACsec

[Akhil Goyal]

Added mbox related to configuration of MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build       |   3 +
 drivers/common/cnxk/roc_api.h         |   3 +
 drivers/common/cnxk/roc_dev.c         |  86 +++++
 drivers/common/cnxk/roc_mbox.h        | 361 ++++++++++++++++++++-
 drivers/common/cnxk/roc_mcs.c         | 347 +++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h         | 431 ++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h    |  52 ++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 425 +++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c   | 230 ++++++++++++++
 drivers/common/cnxk/roc_priv.h        |   3 +
 drivers/common/cnxk/version.map       |  33 ++
 11 files changed, 1971 insertions(+), 3 deletions(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 127fcbcdc5..02264016e3 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -26,6 +26,9 @@ sources = files(
         'roc_irq.c',
         'roc_ie_ot.c',
         'roc_mbox.c',
+        'roc_mcs.c',
+	'roc_mcs_sec_cfg.c',
+        'roc_mcs_stats.c',
         'roc_model.c',
         'roc_nix.c',
         'roc_nix_bpf.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index 072f16d77d..bcc8746927 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -106,4 +106,7 @@
 /* NIX Inline dev */
 #include "roc_nix_inl.h"
 
+/* MACsec */
+#include "roc_mcs.h"
+
 #endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_dev.c b/drivers/common/cnxk/roc_dev.c
index 59128a3552..b4d492ed08 100644
--- a/drivers/common/cnxk/roc_dev.c
+++ b/drivers/common/cnxk/roc_dev.c
@@ -501,6 +501,91 @@ pf_vf_mbox_send_up_msg(struct dev *dev, void *rec_msg)
 	}
 }
 
+static int
+mbox_up_handler_mcs_intr_notify(struct dev *dev, struct mcs_intr_info *info, struct msg_rsp *rsp)
+{
+	struct roc_mcs_event_desc desc = {0};
+	struct roc_mcs *mcs;
+
+	plt_base_dbg("pf:%d/vf:%d msg id 0x%x (%s) from: pf:%d/vf:%d", dev_get_pf(dev->pf_func),
+		     dev_get_vf(dev->pf_func), info->hdr.id, mbox_id2name(info->hdr.id),
+		     dev_get_pf(info->hdr.pcifunc), dev_get_vf(info->hdr.pcifunc));
+
+	mcs = roc_mcs_dev_get(info->mcs_id);
+	if (!mcs)
+		goto exit;
+
+	if (info->intr_mask) {
+		switch (info->intr_mask) {
+		case MCS_CPM_RX_SECTAG_V_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_V_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SL_GTE48_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SL_GTE48;
+			break;
+		case MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		case MCS_CPM_RX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_RX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_SA_NOT_VALID_INT:
+			desc.type = ROC_MCS_EVENT_SA_NOT_VALID;
+			break;
+		case MCS_BBE_RX_DFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_DFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_DATA_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_BBE_RX_PLFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_PLFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_PAB_RX_CHAN_OVERFLOW_INT:
+		case MCS_PAB_TX_CHAN_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		default:
+			goto exit;
+		}
+
+		mcs_event_cb_process(mcs, &desc);
+	}
+
+exit:
+	rsp->hdr.rc = 0;
+	return 0;
+}
+
 static int
 mbox_up_handler_cgx_link_event(struct dev *dev, struct cgx_link_info_msg *msg,
 			       struct msg_rsp *rsp)
@@ -589,6 +674,7 @@ mbox_process_msgs_up(struct dev *dev, struct mbox_msghdr *req)
 		return err;                                                    \
 	}
 		MBOX_UP_CGX_MESSAGES
+		MBOX_UP_MCS_MESSAGES
 #undef M
 	}
 
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 688c70b4ee..05f96ce192 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -267,16 +267,56 @@ struct mbox_msghdr {
 	M(NIX_READ_INLINE_IPSEC_CFG, 0x8023, nix_read_inline_ipsec_cfg,        \
 	  msg_req, nix_inline_ipsec_cfg)				       \
 	M(NIX_LF_INLINE_RQ_CFG, 0x8024, nix_lf_inline_rq_cfg,                  \
-	  nix_rq_cpt_field_mask_cfg_req, msg_rsp)
-
+	  nix_rq_cpt_field_mask_cfg_req, msg_rsp)                              \
+	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,\
+	 mcs_alloc_rsrc_rsp)                                                   \
+	M(MCS_FREE_RESOURCES,  0xa001, mcs_free_resources, mcs_free_rsrc_req,  \
+	 msg_rsp)                                                              \
+	M(MCS_FLOWID_ENTRY_WRITE, 0xa002, mcs_flowid_entry_write,              \
+	 mcs_flowid_entry_write_req, msg_rsp)                                  \
+	M(MCS_SECY_PLCY_WRITE, 0xa003, mcs_secy_plcy_write,                    \
+	 mcs_secy_plcy_write_req, msg_rsp)                                     \
+	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write,                    \
+	 mcs_rx_sc_cam_write_req, msg_rsp)                                     \
+	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write,                        \
+	 mcs_sa_plcy_write_req, msg_rsp)                                       \
+	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write,              \
+	 mcs_tx_sc_sa_map, msg_rsp)                                            \
+	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write,              \
+	 mcs_rx_sc_sa_map, msg_rsp)                                            \
+	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry,                  \
+	 mcs_flowid_ena_dis_entry, msg_rsp)                                    \
+	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write,                      \
+	 mcs_pn_table_write_req, msg_rsp)                                      \
+	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac,                    \
+	 mcs_set_active_lmac, msg_rsp)                                         \
+	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)      \
+	M(MCS_GET_FLOWID_STATS, 0xa00c, mcs_get_flowid_stats, mcs_stats_req,   \
+	 mcs_flowid_stats)                                                     \
+	M(MCS_GET_SECY_STATS, 0xa00d, mcs_get_secy_stats, mcs_stats_req,       \
+	 mcs_secy_stats)                                                       \
+	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req,           \
+	 mcs_sc_stats)                                                         \
+	M(MCS_GET_SA_STATS, 0xa00f, mcs_get_sa_stats, mcs_stats_req,           \
+	 mcs_sa_stats)                                                         \
+	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req,       \
+	 mcs_port_stats)                                                       \
+	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)  \
+	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)           \
+	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode,     \
+	 msg_rsp)                                                              \
+ 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
 	M(CGX_LINK_EVENT, 0xC00, cgx_link_event, cgx_link_info_msg, msg_rsp)   \
 	M(CGX_PTP_RX_INFO, 0xC01, cgx_ptp_rx_info, cgx_ptp_rx_info_msg, msg_rsp)
 
+#define MBOX_UP_MCS_MESSAGES                                                   \
+	M(MCS_INTR_NOTIFY, 0xE00, mcs_intr_notify, mcs_intr_info, msg_rsp)
+
 enum {
 #define M(_name, _id, _1, _2, _3) MBOX_MSG_##_name = _id,
-	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES
+	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES MBOX_UP_MCS_MESSAGES
 #undef M
 };
 
@@ -645,6 +685,321 @@ struct cgx_set_link_mode_rsp {
 	int __io status;
 };
 
+/* MCS mbox structures */
+enum mcs_direction {
+	MCS_RX,
+	MCS_TX,
+};
+
+enum mcs_rsrc_type {
+	MCS_RSRC_TYPE_FLOWID,
+	MCS_RSRC_TYPE_SECY,
+	MCS_RSRC_TYPE_SC,
+	MCS_RSRC_TYPE_SA,
+};
+
+struct mcs_alloc_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* Resources count */
+	uint8_t __io mcs_id;   /* MCS block ID */
+	uint8_t __io dir;      /* Macsec ingress or egress side */
+	uint8_t __io all;      /* Allocate all resource type one each */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_rsrc_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_ids[128]; /* Index of reserved entries */
+	uint8_t __io secy_ids[128];
+	uint8_t __io sc_ids[128];
+	uint8_t __io sa_ids[256];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* No of entries reserved */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all;
+	uint8_t __io rsvd[256];
+};
+
+struct mcs_free_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_id; /* Index of the entry to be freed */
+	uint8_t __io rsrc_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the cam resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_flowid_entry_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data[4];
+	uint64_t __io mask[4];
+	uint64_t __io sci; /* CNF10K-B for tx_secy_mem_map */
+	uint8_t __io flow_id;
+	uint8_t __io secy_id; /* secyid for which flowid is mapped */
+	/* sc_id is Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t __io sc_id;
+	uint8_t __io ena; /* Enable tcam entry */
+	uint8_t __io ctr_pkt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy;
+	uint8_t __io secy_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+/* RX SC_CAM mapping */
+struct mcs_rx_sc_cam_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sci;     /* SCI */
+	uint64_t __io secy_id; /* secy index mapped to SC */
+	uint8_t __io sc_id;    /* SC CAM entry index */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_sa_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
+	uint8_t __io sa_index[2];
+	uint8_t __io sa_cnt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_tx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index0;
+	uint8_t __io sa_index1;
+	uint8_t __io rekey_ena;
+	uint8_t __io sa_index0_vld;
+	uint8_t __io sa_index1_vld;
+	uint8_t __io tx_sa_active;
+	uint64_t __io sectag_sci;
+	uint8_t __io sc_id; /* used as index for SA_MEM_MAP */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_rx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index;
+	uint8_t __io sa_in_use;
+	uint8_t __io sc_id;
+	/* an range is 0-3, sc_id + an used as index SA_MEM_MAP */
+	uint8_t __io an;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_flowid_ena_dis_entry {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_id;
+	uint8_t __io ena;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_pn_table_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io next_pn;
+	uint8_t __io pn_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io reg_val[10];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_hw_info {
+	struct mbox_msghdr hdr;
+	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
+	uint8_t __io tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t __io secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t __io sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint8_t __io sa_entries;   /* PN table entries = SA entries */
+	uint64_t __io rsvd[16];
+};
+
+struct mcs_set_active_lmac {
+	struct mbox_msghdr hdr;
+	uint32_t __io lmac_bmap; /* bitmap of active lmac per mcs block */
+	uint8_t __io mcs_id;
+	uint16_t channel_base; /* MCS channel base */
+	uint64_t __io rsvd;
+};
+
+#define MCS_CPM_RX_SECTAG_V_EQ1_INT		 BIT_ULL(0)
+#define MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT	 BIT_ULL(1)
+#define MCS_CPM_RX_SECTAG_SL_GTE48_INT		 BIT_ULL(2)
+#define MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT	 BIT_ULL(3)
+#define MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT	 BIT_ULL(4)
+#define MCS_CPM_RX_PACKET_XPN_EQ0_INT		 BIT_ULL(5)
+#define MCS_CPM_RX_PN_THRESH_REACHED_INT	 BIT_ULL(6)
+#define MCS_CPM_TX_PACKET_XPN_EQ0_INT		 BIT_ULL(7)
+#define MCS_CPM_TX_PN_THRESH_REACHED_INT	 BIT_ULL(8)
+#define MCS_CPM_TX_SA_NOT_VALID_INT		 BIT_ULL(9)
+#define MCS_BBE_RX_DFIFO_OVERFLOW_INT		 BIT_ULL(10)
+#define MCS_BBE_RX_PLFIFO_OVERFLOW_INT		 BIT_ULL(11)
+#define MCS_BBE_TX_DFIFO_OVERFLOW_INT		 BIT_ULL(12)
+#define MCS_BBE_TX_PLFIFO_OVERFLOW_INT		 BIT_ULL(13)
+#define MCS_PAB_RX_CHAN_OVERFLOW_INT		 BIT_ULL(14)
+#define MCS_PAB_TX_CHAN_OVERFLOW_INT		 BIT_ULL(15)
+
+struct mcs_intr_cfg {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask; /* Interrupt enable mask */
+	uint8_t __io mcs_id;
+};
+
+struct mcs_intr_info {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask;
+	int __io sa_id;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_set_lmac_mode {
+	struct mbox_msghdr hdr;
+	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_stats_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_flowid_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_hit_cnt;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl_pkt_bcast_cnt;
+	uint64_t __io ctl_pkt_mcast_cnt;
+	uint64_t __io ctl_pkt_ucast_cnt;
+	uint64_t __io ctl_octet_cnt;
+	uint64_t __io unctl_pkt_bcast_cnt;
+	uint64_t __io unctl_pkt_mcast_cnt;
+	uint64_t __io unctl_pkt_ucast_cnt;
+	uint64_t __io unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t __io octet_decrypted_cnt;
+	uint64_t __io octet_validated_cnt;
+	uint64_t __io pkt_port_disabled_cnt;
+	uint64_t __io pkt_badtag_cnt;
+	uint64_t __io pkt_nosa_cnt;
+	uint64_t __io pkt_nosaerror_cnt;
+	uint64_t __io pkt_tagged_ctl_cnt;
+	uint64_t __io pkt_untaged_cnt;
+	uint64_t __io pkt_ctl_cnt;   /* CN10K-B */
+	uint64_t __io pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t __io octet_encrypted_cnt;
+	uint64_t __io octet_protected_cnt;
+	uint64_t __io pkt_noactivesa_cnt;
+	uint64_t __io pkt_toolong_cnt;
+	uint64_t __io pkt_untagged_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_port_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_miss_cnt;
+	uint64_t __io parser_err_cnt;
+	uint64_t __io preempt_err_cnt; /* CNF10K-B */
+	uint64_t __io sectag_insert_err_cnt;
+	uint64_t __io rsvd[4];
+};
+
+/* Only for CN10K-B */
+struct mcs_sa_stats {
+	struct mbox_msghdr hdr;
+	/* RX */
+	uint64_t __io pkt_invalid_cnt;
+	uint64_t __io pkt_nosaerror_cnt;
+	uint64_t __io pkt_notvalid_cnt;
+	uint64_t __io pkt_ok_cnt;
+	uint64_t __io pkt_nosa_cnt;
+	/* TX */
+	uint64_t __io pkt_encrypt_cnt;
+	uint64_t __io pkt_protected_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_sc_stats {
+	struct mbox_msghdr hdr;
+	/* RX */
+	uint64_t __io hit_cnt;
+	uint64_t __io pkt_invalid_cnt;
+	uint64_t __io pkt_late_cnt;
+	uint64_t __io pkt_notvalid_cnt;
+	uint64_t __io pkt_unchecked_cnt;
+	uint64_t __io pkt_delay_cnt;	  /* CNF10K-B */
+	uint64_t __io pkt_ok_cnt;	  /* CNF10K-B */
+	uint64_t __io octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t __io octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t __io pkt_encrypt_cnt;
+	uint64_t __io pkt_protected_cnt;
+	uint64_t __io octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t __io octet_protected_cnt; /* CN10K-B */
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_clear_stats {
+	struct mbox_msghdr hdr;
+#define MCS_FLOWID_STATS 0
+#define MCS_SECY_STATS	1
+#define MCS_SC_STATS	2
+#define MCS_SA_STATS	3
+#define MCS_PORT_STATS	4
+	uint8_t __io type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* All resources stats mapped to PF are cleared */
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
new file mode 100644
index 0000000000..769f74a512
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -0,0 +1,347 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+struct mcs_event_cb {
+	TAILQ_ENTRY(mcs_event_cb) next;
+	enum roc_mcs_event_type event;
+	roc_mcs_dev_cb_fn cb_fn;
+	void *cb_arg;
+	void *ret_param;
+	uint32_t active;
+};
+TAILQ_HEAD(mcs_event_cb_list, mcs_event_cb);
+
+PLT_STATIC_ASSERT(ROC_MCS_MEM_SZ >= (sizeof(struct mcs_priv) + sizeof(struct mcs_event_cb_list)));
+
+TAILQ_HEAD(roc_mcs_head, roc_mcs);
+/* Local mcs tailq list */
+static struct roc_mcs_head roc_mcs_head = TAILQ_HEAD_INITIALIZER(roc_mcs_head);
+
+int
+roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
+{
+	struct mcs_hw_info *hw;
+	struct npa_lf *npa;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (hw_info == NULL)
+		return -EINVAL;
+
+	/* Use mbox handler of first probed pci_func for
+	 * initial mcs mbox communication.
+	 */
+	npa = idev_npa_obj_get();
+	if (!npa)
+		return MCS_ERR_DEVICE_NOT_FOUND;
+
+	mbox_alloc_msg_mcs_get_hw_info(npa->mbox);
+	rc = mbox_process_msg(npa->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	hw_info->num_mcs_blks = hw->num_mcs_blks;
+	hw_info->tcam_entries = hw->tcam_entries;
+	hw_info->secy_entries = hw->secy_entries;
+	hw_info->sc_entries = hw->sc_entries;
+	hw_info->sa_entries = hw->sa_entries;
+
+	return rc;
+}
+
+int
+roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac)
+{
+	struct mcs_set_active_lmac *req;
+	struct msg_rsp *rsp;
+
+	/* Only needed for 105N */
+	if (!roc_model_is_cnf10kb())
+		return 0;
+
+	if (lmac == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_active_lmac(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_bmap = lmac->lmac_bmap;
+	req->channel_base = lmac->channel_base;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
+{
+	struct mcs_set_lmac_mode *req;
+	struct msg_rsp *rsp;
+
+	if (port == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_lmac_mode(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_id = port->lmac_id;
+	req->mcs_id = mcs->idx;
+	req->mode = port->mode;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
+{
+	struct mcs_intr_cfg *req;
+	struct msg_rsp *rsp;
+
+	if (config == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_intr_cfg(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->intr_mask = config->intr_mask;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb;
+
+	if (cb_fn == NULL || cb_arg == NULL || userdata == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	TAILQ_FOREACH(cb, cb_list, next) {
+		if (cb->cb_fn == cb_fn && cb->cb_arg == cb_arg && cb->event == event)
+			break;
+	}
+
+	if (cb == NULL) {
+		cb = plt_zmalloc(sizeof(struct mcs_event_cb), 0);
+		if (!cb)
+			return -ENOMEM;
+
+		cb->cb_fn = cb_fn;
+		cb->cb_arg = cb_arg;
+		cb->event = event;
+		mcs->userdata = userdata;
+		TAILQ_INSERT_TAIL(cb_list, cb, next);
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb, *next;
+
+	MCS_SUPPORT_CHECK;
+
+	for (cb = TAILQ_FIRST(cb_list); cb != NULL; cb = next) {
+		next = TAILQ_NEXT(cb, next);
+
+		if (cb->event != event)
+			continue;
+
+		if (cb->active == 0) {
+			TAILQ_REMOVE(cb_list, cb, next);
+			plt_free(cb);
+		} else {
+			return -EAGAIN;
+		}
+	}
+
+	return 0;
+}
+
+int
+mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb mcs_cb;
+	struct mcs_event_cb *cb;
+	int rc = 0;
+
+	TAILQ_FOREACH(cb, cb_list, next) {
+		if (cb->cb_fn == NULL || cb->event != desc->type)
+			continue;
+
+		mcs_cb = *cb;
+		cb->active = 1;
+		mcs_cb.ret_param = desc;
+
+		rc = mcs_cb.cb_fn(mcs->userdata, mcs_cb.ret_param, mcs_cb.cb_arg);
+		cb->active = 0;
+	}
+
+	return rc;
+}
+
+static int
+mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
+{
+	size_t bmap_sz;
+	int rc = 0;
+
+	bmap_sz = plt_bitmap_get_memory_footprint(entries);
+	*mem = plt_zmalloc(bmap_sz, PLT_CACHE_LINE_SIZE);
+	if (*mem == NULL)
+		rc = -ENOMEM;
+
+	*bmap = plt_bitmap_init(entries, *mem, bmap_sz);
+	if (!*bmap) {
+		plt_free(*mem);
+		*mem = NULL;
+		rc = -ENOMEM;
+	}
+
+	return rc;
+}
+
+static int
+mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_hw_info *hw;
+	int rc;
+
+	mbox_alloc_msg_mcs_get_hw_info(mcs->mbox);
+	rc = mbox_process_msg(mcs->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	priv->num_mcs_blks = hw->num_mcs_blks;
+	priv->tcam_entries = hw->tcam_entries;
+	priv->secy_entries = hw->secy_entries;
+	priv->sc_entries = hw->sc_entries;
+	priv->sa_entries = hw->sa_entries;
+
+	/* Allocate double the resources to accommodate both Tx & Rx */
+	rc = mcs_alloc_bmap(priv->tcam_entries << 1, &priv->tcam_bmap_mem, &priv->tcam_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->secy_entries << 1, &priv->secy_bmap_mem, &priv->secy_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sc_entries << 1, &priv->sc_bmap_mem, &priv->sc_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sa_entries << 1, &priv->sa_bmap_mem, &priv->sa_bmap);
+	if (rc)
+		goto exit;
+
+	return rc;
+
+exit:
+	plt_bitmap_free(priv->tcam_bmap);
+	plt_free(priv->tcam_bmap_mem);
+	plt_bitmap_free(priv->secy_bmap);
+	plt_free(priv->secy_bmap_mem);
+	plt_bitmap_free(priv->sc_bmap);
+	plt_free(priv->sc_bmap_mem);
+	plt_bitmap_free(priv->sa_bmap);
+	plt_free(priv->sa_bmap_mem);
+
+	return rc;
+}
+
+struct roc_mcs *
+roc_mcs_dev_get(uint8_t mcs_idx)
+{
+	struct roc_mcs *mcs = NULL;
+
+	TAILQ_FOREACH (mcs, &roc_mcs_head, next) {
+		if (mcs->idx == mcs_idx)
+			break;
+	}
+
+	return mcs;
+}
+
+struct roc_mcs *
+roc_mcs_dev_init(uint8_t mcs_idx)
+{
+	struct mcs_event_cb_list *cb_list;
+	struct roc_mcs *mcs;
+	struct npa_lf *npa;
+
+	mcs = plt_zmalloc(sizeof(struct roc_mcs), PLT_CACHE_LINE_SIZE);
+	if (!mcs)
+		return NULL;
+
+	if (roc_model_is_cnf10kb()) {
+		npa = idev_npa_obj_get();
+		if (!npa)
+			goto exit;
+
+		mcs->mbox = npa->mbox;
+	} else {
+		/* Retrieve mbox handler for other roc models */
+		;
+	}
+
+	mcs->idx = mcs_idx;
+
+	/* Add any per mcsv initialization */
+	if (mcs_alloc_rsrc_bmap(mcs))
+		goto exit;
+
+	TAILQ_INSERT_TAIL(&roc_mcs_head, mcs, next);
+
+	cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	TAILQ_INIT(cb_list);
+
+	return mcs;
+
+exit:
+	plt_free(mcs);
+	return NULL;
+}
+
+void
+roc_mcs_dev_fini(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+
+	TAILQ_REMOVE(&roc_mcs_head, mcs, next);
+
+	plt_bitmap_free(priv->tcam_bmap);
+	plt_free(priv->tcam_bmap_mem);
+	plt_bitmap_free(priv->secy_bmap);
+	plt_free(priv->secy_bmap_mem);
+	plt_bitmap_free(priv->sc_bmap);
+	plt_free(priv->sc_bmap_mem);
+	plt_bitmap_free(priv->sa_bmap);
+	plt_free(priv->sa_bmap_mem);
+
+	plt_free(mcs);
+}
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
new file mode 100644
index 0000000000..f2c8b3ae06
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -0,0 +1,431 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_H_
+#define _ROC_MCS_H_
+
+struct roc_mcs_alloc_rsrc_req {
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* Resources count */
+	uint8_t mcs_id;	  /* MCS block ID */
+	uint8_t dir;	  /* Macsec ingress or egress side */
+	uint8_t all;	  /* Allocate all resource type one each */
+};
+
+struct roc_mcs_alloc_rsrc_rsp {
+	uint8_t flow_ids[128]; /* Index of reserved entries */
+	uint8_t secy_ids[128];
+	uint8_t sc_ids[128];
+	uint8_t sa_ids[256];
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* No of entries reserved */
+	uint8_t mcs_id;
+	uint8_t dir;
+	uint8_t all;
+};
+
+struct roc_mcs_free_rsrc_req {
+	uint8_t rsrc_id; /* Index of the entry to be freed */
+	uint8_t rsrc_type;
+	uint8_t mcs_id;
+	uint8_t dir;
+	uint8_t all; /* Free all the cam resources */
+};
+
+struct roc_mcs_flowid_entry_write_req {
+	uint64_t data[4];
+	uint64_t mask[4];
+	uint64_t sci; /* 105N for tx_secy_mem_map */
+	uint8_t flow_id;
+	uint8_t secy_id; /* secyid for which flowid is mapped */
+	uint8_t sc_id;	 /* Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t ena;	 /* Enable tcam entry */
+	uint8_t ctr_pkt;
+	uint8_t mcs_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_secy_plcy_write_req {
+	uint64_t plcy;
+	uint8_t secy_id;
+	uint8_t mcs_id;
+	uint8_t dir;
+};
+
+/* RX SC_CAM mapping */
+struct roc_mcs_rx_sc_cam_write_req {
+	uint64_t sci;	  /* SCI */
+	uint64_t secy_id; /* secy index mapped to SC */
+	uint8_t sc_id;	  /* SC CAM entry index */
+	uint8_t mcs_id;
+};
+
+struct roc_mcs_sa_plcy_write_req {
+	uint64_t plcy[2][9];
+	uint8_t sa_index[2];
+	uint8_t sa_cnt;
+	uint8_t mcs_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_tx_sc_sa_map {
+	uint8_t sa_index0;
+	uint8_t sa_index1;
+	uint8_t rekey_ena;
+	uint8_t sa_index0_vld;
+	uint8_t sa_index1_vld;
+	uint8_t tx_sa_active;
+	uint64_t sectag_sci;
+	uint8_t sc_id; /* used as index for SA_MEM_MAP */
+	uint8_t mcs_id;
+};
+
+struct roc_mcs_rx_sc_sa_map {
+	uint8_t sa_index;
+	uint8_t sa_in_use;
+	uint8_t sc_id;
+	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
+	uint8_t mcs_id;
+};
+
+struct roc_mcs_flowid_ena_dis_entry {
+	uint8_t flow_id;
+	uint8_t ena;
+	uint8_t mcs_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_pn_table_write_req {
+	uint64_t next_pn;
+	uint8_t pn_id;
+	uint8_t mcs_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_req {
+	uint8_t rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t rsrc_id;
+	uint8_t mcs_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_rsp {
+	uint64_t reg_val[10];
+	uint8_t rsrc_type;
+	uint8_t rsrc_id;
+	uint8_t mcs_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_hw_info {
+	uint8_t num_mcs_blks; /* Number of MCS blocks */
+	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint8_t sa_entries;   /* PN table entries = SA entries */
+	uint64_t rsvd[16];
+};
+
+#define ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT		 BIT_ULL(0)
+#define ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT	 BIT_ULL(1)
+#define ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT	 BIT_ULL(2)
+#define ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT	 BIT_ULL(3)
+#define ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT	 BIT_ULL(5)
+#define ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT	 BIT_ULL(6)
+#define ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT	 BIT_ULL(7)
+#define ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT	 BIT_ULL(8)
+#define ROC_MCS_CPM_TX_SA_NOT_VALID_INT		 BIT_ULL(9)
+#define ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT	 BIT_ULL(10)
+#define ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT	 BIT_ULL(11)
+#define ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT	 BIT_ULL(12)
+#define ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT	 BIT_ULL(13)
+#define ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT	 BIT_ULL(14)
+#define ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT	 BIT_ULL(15)
+
+struct roc_mcs_intr_cfg {
+	uint64_t intr_mask; /* Interrupt enable mask */
+	uint8_t mcs_id;
+};
+
+struct roc_mcs_intr_info {
+	uint64_t intr_mask;
+	int sa_id;
+	uint8_t mcs_id;
+	uint8_t lmac_id;
+	uint64_t rsvd[4];
+};
+
+struct roc_mcs_set_lmac_mode {
+	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t lmac_id;
+	uint8_t mcs_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_active_lmac {
+	uint32_t lmac_bmap; /* bitmap of active lmac per mcs block */
+	uint8_t mcs_id;
+	uint16_t channel_base; /* MCS channel base */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_stats_req {
+	uint8_t id;
+	uint8_t mcs_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_flowid_stats {
+	uint64_t tcam_hit_cnt;
+};
+
+struct roc_mcs_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;	/* CN10K-B */
+	uint64_t pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct roc_mcs_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;	     /* CNF10K-B */
+	uint64_t pkt_ok_cnt;	     /* CNF10K-B */
+	uint64_t octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t octet_protected_cnt; /* CN10K-B */
+};
+
+/* Only for CN10K-B */
+struct roc_mcs_sa_stats {
+	/* RX */
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t pkt_nosa_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+};
+
+struct roc_mcs_port_stats {
+	uint64_t tcam_miss_cnt;
+	uint64_t parser_err_cnt;
+	uint64_t preempt_err_cnt; /* CNF10K-B */
+	uint64_t sectag_insert_err_cnt;
+};
+
+struct roc_mcs_clear_stats {
+	uint8_t type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t id;
+	uint8_t mcs_id;
+	uint8_t dir;
+	uint8_t all; /* All resources stats mapped to PF are cleared */
+};
+
+enum roc_mcs_event_subtype {
+	ROC_MCS_SUBEVENT_UNKNOWN,
+
+	/* subevents of ROC_MCS_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * ROC_MCS_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	ROC_MCS_EVENT_RX_SECTAG_V_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SL_GTE48,
+	ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+
+	/* subevents of ROC_MCS_EVENT_FIFO_OVERFLOW error event
+	 * ROC_MCS_EVENT_DATA_FIFO_OVERFLOW:
+	 *	Notifies data FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW
+	 *	Notifies policy FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+	 *	Notifies output FIFO overflow fatal error in PAB unit.
+	 */
+	ROC_MCS_EVENT_DATA_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+};
+
+enum roc_mcs_event_type {
+	ROC_MCS_EVENT_UNKNOWN,
+
+	/* Notifies BBE_INT_DFIFO/PLFIFO_OVERFLOW or PAB_INT_OVERFLOW
+	 * interrupts, it's a fatal error that causes packet corruption.
+	 */
+	ROC_MCS_EVENT_FIFO_OVERFLOW,
+
+	/* Notifies CPM_RX_SECTAG_X validation error interrupt */
+	ROC_MCS_EVENT_SECTAG_VAL_ERR,
+	/* Notifies CPM_RX_PACKET_XPN_EQ0 (SecTag.PN == 0 in ingress) interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_HARD_EXP,
+	/* Notifies CPM_RX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_PACKET_XPN_EQ0 (PN wrapped in egress) interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_HARD_EXP,
+	/* Notifies CPM_TX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_SA_NOT_VALID interrupt */
+	ROC_MCS_EVENT_SA_NOT_VALID,
+};
+
+union roc_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+		uint8_t lmac_id;
+	};
+};
+
+struct roc_mcs_event_desc {
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	union roc_mcs_event_data metadata;
+};
+
+/** User application callback to be registered for any notifications from
+ * driver. */
+typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
+
+struct roc_mcs {
+	TAILQ_ENTRY(roc_mcs) next;
+	struct plt_pci_device *pci_dev;
+	struct mbox *mbox;
+	void *userdata;
+	uint8_t idx;
+
+#define ROC_MCS_MEM_SZ (1 * 1024)
+	uint8_t reserved[ROC_MCS_MEM_SZ] __plt_cache_aligned;
+} __plt_cache_aligned;
+
+/* Initialization */
+__roc_api struct roc_mcs *roc_mcs_dev_init(uint8_t mcs_idx);
+__roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
+/* Get roc mcs dev structure */
+__roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
+/* HW info get */
+__roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+/* Active lmac bmap set */
+__roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac);
+/* Port bypass mode set */
+__roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
+
+/* Resource allocation and free */
+__roc_api int roc_mcs_alloc_rsrc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+				 struct roc_mcs_alloc_rsrc_rsp *rsp);
+__roc_api int roc_mcs_free_rsrc(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *req);
+/* SA policy read and write */
+__roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
+				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
+__roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
+				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* PN Table read and write */
+__roc_api int roc_mcs_pn_table_write(struct roc_mcs *mcs,
+				     struct roc_mcs_pn_table_write_req *pn_table);
+__roc_api int roc_mcs_pn_table_read(struct roc_mcs *mcs,
+				    struct roc_mcs_pn_table_write_req *pn_table);
+/* RX SC read, write and enable */
+__roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
+				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
+				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* SECY policy read and write */
+__roc_api int roc_mcs_secy_policy_write(struct roc_mcs *mcs,
+					struct roc_mcs_secy_plcy_write_req *secy_plcy);
+__roc_api int roc_mcs_secy_policy_read(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* RX SC-SA MAP read and write */
+__roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+__roc_api int roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+/* TX SC-SA MAP read and write */
+__roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+__roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+/* Flow entry read, write and enable */
+__roc_api int roc_mcs_flowid_entry_write(struct roc_mcs *mcs,
+					 struct roc_mcs_flowid_entry_write_req *flowid_req);
+__roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
+					struct roc_mcs_flowid_entry_write_req *flowid_rsp);
+__roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
+					  struct roc_mcs_flowid_ena_dis_entry *entry);
+
+/* Flow id stats get */
+__roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				       struct roc_mcs_flowid_stats *stats);
+/* Secy stats get */
+__roc_api int roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_secy_stats *stats);
+/* SC stats get */
+__roc_api int roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				   struct roc_mcs_sc_stats *stats);
+/* SA stats get */
+__roc_api int roc_mcs_sa_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				   struct roc_mcs_sa_stats *stats);
+/* Port stats get */
+__roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_port_stats *stats);
+/* Clear stats */
+__roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
+
+/* Register user callback routines */
+__roc_api int roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+					roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata);
+/* Unregister user callback routines */
+__roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event);
+
+/* Configure interrupts */
+__roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
+#endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
new file mode 100644
index 0000000000..c5199d3722
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -0,0 +1,52 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_PRIV_H_
+#define _ROC_MCS_PRIV_H_
+
+enum mcs_error_status {
+	MCS_ERR_PARAM = -900,
+	MCS_ERR_HW_NOTSUP = -901,
+	MCS_ERR_DEVICE_NOT_FOUND = -902,
+};
+
+#define MCS_SUPPORT_CHECK                                                                          \
+	do {                                                                                       \
+		if (!(roc_model_is_cnf10kb() || roc_model_is_cn10kb_a0()))                         \
+			return MCS_ERR_HW_NOTSUP;                                                  \
+	} while (0)
+
+struct mcs_priv {
+	struct plt_bitmap *tcam_bmap;
+	void *tcam_bmap_mem;
+	struct plt_bitmap *secy_bmap;
+	void *secy_bmap_mem;
+	struct plt_bitmap *sc_bmap;
+	void *sc_bmap_mem;
+	struct plt_bitmap *sa_bmap;
+	void *sa_bmap_mem;
+	uint64_t default_sci;
+	uint32_t lmac_bmap;
+	uint8_t num_mcs_blks;
+	uint8_t tcam_entries;
+	uint8_t secy_entries;
+	uint8_t sc_entries;
+	uint8_t sa_entries;
+};
+
+static inline struct mcs_priv *
+roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
+{
+	return (struct mcs_priv *)&roc_mcs->reserved[0];
+}
+
+static inline void *
+roc_mcs_to_mcs_cb_list(struct roc_mcs *roc_mcs)
+{
+	return (void *)((uintptr_t)roc_mcs->reserved + sizeof(struct mcs_priv));
+}
+
+int mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc);
+
+#endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
new file mode 100644
index 0000000000..fabc174308
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -0,0 +1,425 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_alloc_rsrc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+		   struct roc_mcs_alloc_rsrc_rsp *rsp)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_alloc_rsrc_req *rsrc_req;
+	struct mcs_alloc_rsrc_rsp *rsrc_rsp;
+	int rc, i;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rsrc_req = mbox_alloc_msg_mcs_alloc_resources(mcs->mbox);
+	if (rsrc_req == NULL)
+		return -ENOMEM;
+
+	rsrc_req->rsrc_type = req->rsrc_type;
+	rsrc_req->rsrc_cnt = req->rsrc_cnt;
+	rsrc_req->mcs_id = req->mcs_id;
+	rsrc_req->dir = req->dir;
+	rsrc_req->all = req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsrc_rsp);
+	if (rc)
+		return rc;
+
+	if (rsrc_rsp->all) {
+		rsrc_rsp->rsrc_cnt = 1;
+		rsrc_rsp->rsrc_type = 0xFF;
+	}
+
+	for (i = 0; i < rsrc_rsp->rsrc_cnt; i++) {
+		switch (rsrc_rsp->rsrc_type) {
+		case MCS_RSRC_TYPE_FLOWID:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			plt_bitmap_set(priv->tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SECY:
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			plt_bitmap_set(priv->secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SC:
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			plt_bitmap_set(priv->sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SA:
+			rsp->sa_ids[2 * i] = rsrc_rsp->sa_ids[2 * i];
+			rsp->sa_ids[2 * i + 1] = rsrc_rsp->sa_ids[2 * i + 1];
+			plt_bitmap_set(priv->sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			plt_bitmap_set(priv->sa_bmap,
+				       rsp->sa_ids[2 * i + 1] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		default:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			rsp->sa_ids[2 * i] = rsrc_rsp->sa_ids[2 * i];
+			rsp->sa_ids[2 * i + 1] = rsrc_rsp->sa_ids[2 * i + 1];
+			plt_bitmap_set(priv->tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			plt_bitmap_set(priv->secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			plt_bitmap_set(priv->sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			plt_bitmap_set(priv->sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			plt_bitmap_set(priv->sa_bmap,
+				       rsp->sa_ids[2 * i + 1] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		}
+	}
+	rsp->rsrc_type = rsrc_rsp->rsrc_type;
+	rsp->rsrc_cnt = rsrc_rsp->rsrc_cnt;
+	rsp->mcs_id = rsrc_rsp->mcs_id;
+	rsp->dir = rsrc_rsp->dir;
+	rsp->all = rsrc_rsp->all;
+
+	return 0;
+}
+
+int
+roc_mcs_free_rsrc(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *free_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_free_rsrc_req *req;
+	struct msg_rsp *rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (free_req == NULL)
+		return -EINVAL;
+
+	req = mbox_alloc_msg_mcs_free_resources(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->rsrc_id = free_req->rsrc_id;
+	req->rsrc_type = free_req->rsrc_type;
+	req->mcs_id = free_req->mcs_id;
+	req->dir = free_req->dir;
+	req->all = free_req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	switch (free_req->rsrc_type) {
+	case MCS_RSRC_TYPE_FLOWID:
+		plt_bitmap_clear(priv->tcam_bmap,
+				 free_req->rsrc_id +
+					 ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+		break;
+	case MCS_RSRC_TYPE_SECY:
+		plt_bitmap_clear(priv->secy_bmap,
+				 free_req->rsrc_id +
+					 ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+		break;
+	case MCS_RSRC_TYPE_SC:
+		plt_bitmap_clear(priv->sc_bmap,
+				 free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+		break;
+	case MCS_RSRC_TYPE_SA:
+		plt_bitmap_clear(priv->sa_bmap,
+				 free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+		break;
+	default:
+		break;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sa_policy_write(struct roc_mcs *mcs, struct roc_mcs_sa_plcy_write_req *sa_plcy)
+{
+	struct mcs_sa_plcy_write_req *sa;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (sa_plcy == NULL)
+		return -EINVAL;
+
+	sa = mbox_alloc_msg_mcs_sa_plcy_write(mcs->mbox);
+	if (sa == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(sa->plcy, sa_plcy->plcy, sizeof(uint64_t) * 2 * 9);
+	sa->sa_index[0] = sa_plcy->sa_index[0];
+	sa->sa_index[1] = sa_plcy->sa_index[1];
+	sa->sa_cnt = sa_plcy->sa_cnt;
+	sa->mcs_id = sa_plcy->mcs_id;
+	sa->dir = sa_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_sa_plcy_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_pn_table_write(struct roc_mcs *mcs, struct roc_mcs_pn_table_write_req *pn_table)
+{
+	struct mcs_pn_table_write_req *pn;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (pn_table == NULL)
+		return -EINVAL;
+
+	pn = mbox_alloc_msg_mcs_pn_table_write(mcs->mbox);
+	if (pn == NULL)
+		return -ENOMEM;
+
+	pn->next_pn = pn_table->next_pn;
+	pn->pn_id = pn_table->pn_id;
+	pn->mcs_id = pn_table->mcs_id;
+	pn->dir = pn_table->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_table_read(struct roc_mcs *mcs __plt_unused,
+		      struct roc_mcs_pn_table_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
+{
+	struct mcs_rx_sc_cam_write_req *rx_sc;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_cam == NULL)
+		return -EINVAL;
+
+	rx_sc = mbox_alloc_msg_mcs_rx_sc_cam_write(mcs->mbox);
+	if (rx_sc == NULL)
+		return -ENOMEM;
+
+	rx_sc->sci = rx_sc_cam->sci;
+	rx_sc->secy_id = rx_sc_cam->secy_id;
+	rx_sc->sc_id = rx_sc_cam->sc_id;
+	rx_sc->mcs_id = rx_sc_cam->mcs_id;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_secy_policy_write(struct roc_mcs *mcs, struct roc_mcs_secy_plcy_write_req *secy_plcy)
+{
+	struct mcs_secy_plcy_write_req *secy;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (secy_plcy == NULL)
+		return -EINVAL;
+
+	secy = mbox_alloc_msg_mcs_secy_plcy_write(mcs->mbox);
+	if (secy == NULL)
+		return -ENOMEM;
+
+	secy->plcy = secy_plcy->plcy;
+	secy->secy_id = secy_plcy->secy_id;
+	secy->mcs_id = secy_plcy->mcs_id;
+	secy->dir = secy_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_secy_policy_read(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
+{
+	struct mcs_rx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sa_map = mbox_alloc_msg_mcs_rx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index = rx_sc_sa_map->sa_index;
+	sa_map->sa_in_use = rx_sc_sa_map->sa_in_use;
+	sa_map->sc_id = rx_sc_sa_map->sc_id;
+	sa_map->an = rx_sc_sa_map->an;
+	sa_map->mcs_id = rx_sc_sa_map->mcs_id;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map)
+{
+	struct mcs_tx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (tx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sa_map = mbox_alloc_msg_mcs_tx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index0 = tx_sc_sa_map->sa_index0;
+	sa_map->sa_index1 = tx_sc_sa_map->sa_index1;
+	sa_map->rekey_ena = tx_sc_sa_map->rekey_ena;
+	sa_map->sa_index0_vld = tx_sc_sa_map->sa_index0_vld;
+	sa_map->sa_index1_vld = tx_sc_sa_map->sa_index1_vld;
+	sa_map->tx_sa_active = tx_sc_sa_map->tx_sa_active;
+	sa_map->sectag_sci = tx_sc_sa_map->sectag_sci;
+	sa_map->sc_id = tx_sc_sa_map->sc_id;
+	sa_map->mcs_id = tx_sc_sa_map->mcs_id;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_flowid_entry_write(struct roc_mcs *mcs, struct roc_mcs_flowid_entry_write_req *flowid_req)
+{
+	struct mcs_flowid_entry_write_req *flow_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (flowid_req == NULL)
+		return -EINVAL;
+
+	flow_req = mbox_alloc_msg_mcs_flowid_entry_write(mcs->mbox);
+	if (flow_req == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(flow_req->data, flowid_req->data, sizeof(uint64_t) * 4);
+	mbox_memcpy(flow_req->mask, flowid_req->mask, sizeof(uint64_t) * 4);
+	flow_req->sci = flowid_req->sci;
+	flow_req->flow_id = flowid_req->flow_id;
+	flow_req->secy_id = flowid_req->secy_id;
+	flow_req->sc_id = flowid_req->sc_id;
+	flow_req->ena = flowid_req->ena;
+	flow_req->ctr_pkt = flowid_req->ctr_pkt;
+	flow_req->mcs_id = flowid_req->mcs_id;
+	flow_req->dir = flowid_req->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_flowid_entry_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_flowid_entry_write_req *flowid_rsp __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_flowid_entry_enable(struct roc_mcs *mcs, struct roc_mcs_flowid_ena_dis_entry *entry)
+{
+	struct mcs_flowid_ena_dis_entry *flow_entry;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (entry == NULL)
+		return -EINVAL;
+
+	flow_entry = mbox_alloc_msg_mcs_flowid_ena_entry(mcs->mbox);
+	if (flow_entry == NULL)
+		return -ENOMEM;
+
+	flow_entry->flow_id = entry->flow_id;
+	flow_entry->ena = entry->ena;
+	flow_entry->mcs_id = entry->mcs_id;
+	flow_entry->dir = entry->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/roc_mcs_stats.c b/drivers/common/cnxk/roc_mcs_stats.c
new file mode 100644
index 0000000000..bd65826611
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_stats.c
@@ -0,0 +1,230 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+			 struct roc_mcs_flowid_stats *stats)
+{
+	struct mcs_flowid_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_flowid_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs_req->mcs_id;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_hit_cnt = rsp->tcam_hit_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_secy_stats *stats)
+{
+	struct mcs_secy_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_secy_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs_req->mcs_id;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->ctl_pkt_bcast_cnt = rsp->ctl_pkt_bcast_cnt;
+	stats->ctl_pkt_mcast_cnt = rsp->ctl_pkt_mcast_cnt;
+	stats->ctl_pkt_ucast_cnt = rsp->ctl_pkt_ucast_cnt;
+	stats->ctl_octet_cnt = rsp->ctl_octet_cnt;
+	stats->unctl_pkt_bcast_cnt = rsp->unctl_pkt_bcast_cnt;
+	stats->unctl_pkt_mcast_cnt = rsp->unctl_pkt_mcast_cnt;
+	stats->unctl_pkt_ucast_cnt = rsp->unctl_pkt_ucast_cnt;
+	stats->unctl_octet_cnt = rsp->unctl_octet_cnt;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->octet_decrypted_cnt = rsp->octet_decrypted_cnt;
+		stats->octet_validated_cnt = rsp->octet_validated_cnt;
+		stats->pkt_port_disabled_cnt = rsp->pkt_port_disabled_cnt;
+		stats->pkt_badtag_cnt = rsp->pkt_badtag_cnt;
+		stats->pkt_nosa_cnt = rsp->pkt_nosa_cnt;
+		stats->pkt_nosaerror_cnt = rsp->pkt_nosaerror_cnt;
+		stats->pkt_tagged_ctl_cnt = rsp->pkt_tagged_ctl_cnt;
+		stats->pkt_untaged_cnt = rsp->pkt_untaged_cnt;
+		if (roc_model_is_cn10kb_a0())
+			/* CN10K-B */
+			stats->pkt_ctl_cnt = rsp->pkt_ctl_cnt;
+		else
+			/* CNF10K-B */
+			stats->pkt_notag_cnt = rsp->pkt_notag_cnt;
+	} else {
+		stats->octet_encrypted_cnt = rsp->octet_encrypted_cnt;
+		stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		stats->pkt_noactivesa_cnt = rsp->pkt_noactivesa_cnt;
+		stats->pkt_toolong_cnt = rsp->pkt_toolong_cnt;
+		stats->pkt_untagged_cnt = rsp->pkt_untagged_cnt;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		     struct roc_mcs_sc_stats *stats)
+{
+	struct mcs_stats_req *req;
+	struct mcs_sc_stats *rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_sc_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs_req->mcs_id;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->hit_cnt = rsp->hit_cnt;
+		stats->pkt_invalid_cnt = rsp->pkt_invalid_cnt;
+		stats->pkt_late_cnt = rsp->pkt_late_cnt;
+		stats->pkt_notvalid_cnt = rsp->pkt_notvalid_cnt;
+		stats->pkt_unchecked_cnt = rsp->pkt_unchecked_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_decrypt_cnt = rsp->octet_decrypt_cnt;
+			stats->octet_validate_cnt = rsp->octet_validate_cnt;
+		} else {
+			stats->pkt_delay_cnt = rsp->pkt_delay_cnt;
+			stats->pkt_ok_cnt = rsp->pkt_ok_cnt;
+		}
+	} else {
+		stats->pkt_encrypt_cnt = rsp->pkt_encrypt_cnt;
+		stats->pkt_protected_cnt = rsp->pkt_protected_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_encrypt_cnt = rsp->octet_encrypt_cnt;
+			stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		}
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sa_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		     struct roc_mcs_sa_stats *stats)
+{
+	struct mcs_stats_req *req;
+	struct mcs_sa_stats *rsp;
+	int rc;
+
+	if (!roc_model_is_cn10kb_a0())
+		return MCS_ERR_HW_NOTSUP;
+
+	req = mbox_alloc_msg_mcs_get_sa_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs_req->mcs_id;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->pkt_invalid_cnt = rsp->pkt_invalid_cnt;
+		stats->pkt_nosaerror_cnt = rsp->pkt_nosaerror_cnt;
+		stats->pkt_notvalid_cnt = rsp->pkt_notvalid_cnt;
+		stats->pkt_ok_cnt = rsp->pkt_ok_cnt;
+		stats->pkt_nosa_cnt = rsp->pkt_nosa_cnt;
+	} else {
+		stats->pkt_encrypt_cnt = rsp->pkt_encrypt_cnt;
+		stats->pkt_protected_cnt = rsp->pkt_protected_cnt;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_port_stats *stats)
+{
+	struct mcs_port_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_port_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs_req->mcs_id;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_miss_cnt = rsp->tcam_miss_cnt;
+	stats->parser_err_cnt = rsp->parser_err_cnt;
+	if (roc_model_is_cnf10kb())
+		stats->preempt_err_cnt = rsp->preempt_err_cnt;
+
+	stats->sectag_insert_err_cnt = rsp->sectag_insert_err_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req)
+{
+	struct mcs_clear_stats *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (!roc_model_is_cn10kb_a0() && mcs_req->type == MCS_SA_STATS)
+		return MCS_ERR_HW_NOTSUP;
+
+	req = mbox_alloc_msg_mcs_clear_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->type = mcs_req->type;
+	req->id = mcs_req->id;
+	req->mcs_id = mcs_req->mcs_id;
+	req->dir = mcs_req->dir;
+	req->all = mcs_req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/roc_priv.h b/drivers/common/cnxk/roc_priv.h
index 122d411fe7..b2b4aecedc 100644
--- a/drivers/common/cnxk/roc_priv.h
+++ b/drivers/common/cnxk/roc_priv.h
@@ -44,6 +44,9 @@
 /* DPI */
 #include "roc_dpi_priv.h"
 
+/* MCS */
+#include "roc_mcs_priv.h"
+
 /* REE */
 #include "roc_ree_priv.h"
 
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 276fec3660..5cdc70e0e0 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -99,6 +99,39 @@ INTERNAL {
 	roc_model;
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
+	roc_mcs_active_lmac_set;
+	roc_mcs_alloc_rsrc;
+	roc_mcs_dev_init;
+	roc_mcs_dev_fini;
+	roc_mcs_dev_get;
+	roc_mcs_event_cb_register;
+	roc_mcs_event_cb_unregister;
+	roc_mcs_flowid_entry_enable;
+	roc_mcs_flowid_entry_read;
+	roc_mcs_flowid_entry_write;
+	roc_mcs_flowid_stats_get;
+	roc_mcs_free_rsrc;
+	roc_mcs_hw_info_get;
+	roc_mcs_intr_configure;
+	roc_mcs_lmac_mode_set;
+	roc_mcs_pn_table_write;
+	roc_mcs_pn_table_read;
+	roc_mcs_port_stats_get;
+	roc_mcs_rx_sc_cam_enable;
+	roc_mcs_rx_sc_cam_read;
+	roc_mcs_rx_sc_cam_write;
+	roc_mcs_rx_sc_sa_map_read;
+	roc_mcs_rx_sc_sa_map_write;
+	roc_mcs_sa_policy_read;
+	roc_mcs_sa_policy_write;
+	roc_mcs_sa_stats_get;
+	roc_mcs_sc_stats_get;
+	roc_mcs_secy_policy_read;
+	roc_mcs_secy_policy_write;
+	roc_mcs_secy_stats_get;
+	roc_mcs_stats_clear;
+	roc_mcs_tx_sc_sa_map_read;
+	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH 2/5] common/cnxk: derive hash key for MACsec

[Akhil Goyal]

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_aes.c   | 17 +++++++++++++++++
 drivers/common/cnxk/roc_aes.h   |  2 ++
 drivers/common/cnxk/version.map |  1 +
 3 files changed, 20 insertions(+)

diff --git a/drivers/common/cnxk/roc_aes.c b/drivers/common/cnxk/roc_aes.c
index f821c8b710..f69ecc1d58 100644
--- a/drivers/common/cnxk/roc_aes.c
+++ b/drivers/common/cnxk/roc_aes.c
@@ -206,3 +206,20 @@ roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key)
 
 	cipher(k3, derived_key, aes_ks);
 }
+
+void
+roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t hash_key[])
+{
+	uint32_t aes_ks[KEY_SCHEDULE_LEN] = {0};
+	uint8_t data[16] = {0x0};
+	int i;
+
+	if (len == 16) {
+		aes_key_expand(key, aes_ks);
+		cipher(data, hash_key, aes_ks);
+		for (i = 0; i < 16; i++)
+			plt_info(" 0x%x", hash_key[i]);
+	} else {
+		plt_err("\n AES-256 key conversion not supported");
+	}
+}
diff --git a/drivers/common/cnxk/roc_aes.h b/drivers/common/cnxk/roc_aes.h
index 954039139f..e3f6160e7c 100644
--- a/drivers/common/cnxk/roc_aes.h
+++ b/drivers/common/cnxk/roc_aes.h
@@ -10,5 +10,7 @@
  */
 void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key,
 				       uint8_t *derived_key);
+void __roc_api roc_aes_hash_key_derive(const uint8_t *key, uint16_t len,
+				       uint8_t *hash_key);
 
 #endif /* _ROC_AES_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 5cdc70e0e0..38bf832388 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -29,6 +29,7 @@ INTERNAL {
 	roc_ae_ec_grp_put;
 	roc_ae_fpm_get;
 	roc_ae_fpm_put;
+	roc_aes_hash_key_derive;
 	roc_aes_xcbc_key_derive;
 	roc_bphy_cgx_cpri_mode_change;
 	roc_bphy_cgx_cpri_mode_misc;
-- 
2.25.1

[PATCH 3/5] net/cnxk: support MACsec

[Akhil Goyal]

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_mcs.c | 407 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cn10k_ethdev_mcs.h |  59 ++++
 drivers/net/cnxk/cn10k_ethdev_sec.c |  11 +-
 drivers/net/cnxk/cn10k_flow.c       |  14 +
 drivers/net/cnxk/cnxk_ethdev.h      |  31 +++
 drivers/net/cnxk/cnxk_ethdev_sec.c  |   2 +-
 drivers/net/cnxk/meson.build        |   1 +
 7 files changed, 523 insertions(+), 2 deletions(-)
 create mode 100644 drivers/net/cnxk/cn10k_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cn10k_ethdev_mcs.h

diff --git a/drivers/net/cnxk/cn10k_ethdev_mcs.c b/drivers/net/cnxk/cn10k_ethdev_mcs.c
new file mode 100644
index 0000000000..90363f8e17
--- /dev/null
+++ b/drivers/net/cnxk/cn10k_ethdev_mcs.c
@@ -0,0 +1,407 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+#include <cn10k_ethdev_mcs.h>
+#include <roc_mcs.h>
+
+static int
+mcs_resource_alloc(struct cnxk_mcs_dev *mcs_dev, enum rte_security_macsec_direction dir,
+		   uint8_t rsrc_id[], uint8_t rsrc_cnt, enum cnxk_mcs_rsrc_type type)
+{
+	struct roc_mcs_alloc_rsrc_req req = {0};
+	struct roc_mcs_alloc_rsrc_rsp rsp = {0};
+	int i;
+
+	req.rsrc_type = type;
+	req.rsrc_cnt = rsrc_cnt;
+	req.mcs_id = mcs_dev->idx;
+	req.dir = dir;
+
+	if (roc_mcs_alloc_rsrc(mcs_dev->mdev, &req, &rsp)) {
+		printf("error: Cannot allocate mcs resource.\n");
+		return -1;
+	}
+
+	for (i = 0; i < rsrc_cnt; i++) {
+		switch (rsp.rsrc_type) {
+		case CNXK_MCS_RSRC_TYPE_FLOWID:
+			rsrc_id[i] = rsp.flow_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SECY:
+			rsrc_id[i] = rsp.secy_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SC:
+			rsrc_id[i] = rsp.sc_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SA:
+			rsrc_id[i] = rsp.sa_ids[i];
+			break;
+		default :
+			printf("error: Invalid mcs resource allocated.\n");
+			return -1;
+		}
+	}
+	return 0;
+}
+
+int
+cn10k_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_pn_table_write_req pn_req = {0};
+	struct roc_mcs_sa_plcy_write_req req = {0};
+	uint8_t hash_key[16] = {0};
+	uint8_t sa_id = 0;
+	int ret = 0;
+
+	ret = mcs_resource_alloc(mcs_dev, conf->dir, &sa_id, 1, CNXK_MCS_RSRC_TYPE_SA);
+	if (ret) {
+		printf("Failed to allocate SA id.\n");
+		return -ENOMEM;
+	}
+	req.sa_index[0] = sa_id;
+	req.sa_cnt = 1;
+	req.mcs_id = mcs_dev->idx;
+	req.dir = conf->dir;
+
+	if (conf->key.length != 16 || conf->key.length != 32)
+		return -EINVAL;
+
+	memcpy(&req.plcy[0][0], conf->key.data, conf->key.length);
+	roc_aes_hash_key_derive(conf->key.data, conf->key.length, hash_key);
+	memcpy(&req.plcy[0][4], hash_key, CNXK_MACSEC_HASH_KEY);
+	memcpy(&req.plcy[0][6], conf->salt, RTE_SECURITY_MACSEC_SALT_LEN);
+	req.plcy[0][7] |= (uint64_t)conf->ssci << 32;
+	req.plcy[0][8] = conf->an & 0x3;
+
+	ret = roc_mcs_sa_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		printf("Failed to write SA policy.\n");
+		return -EINVAL;
+	}
+
+	pn_req.next_pn = conf->next_pn;
+	pn_req.pn_id = sa_id;
+	pn_req.mcs_id = mcs_dev->idx;
+	pn_req.dir = conf->dir;
+
+	ret = roc_mcs_pn_table_write(mcs_dev->mdev, &pn_req);
+	if (ret) {
+		printf("Failed to write PN table.\n");
+		return -EINVAL;
+	}
+
+	return sa_id;
+}
+
+int
+cn10k_eth_macsec_sa_destroy(void *device, uint16_t sa_id)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sa_id);
+
+	return 0;
+}
+
+int
+cn10k_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	uint8_t sc_id = 0;
+	int i, ret = 0;
+
+	ret = mcs_resource_alloc(mcs_dev, conf->dir, &sc_id, 1, CNXK_MCS_RSRC_TYPE_SC);
+	if (ret) {
+		printf("Failed to allocate SC id.\n");
+		return -ENOMEM;
+	}
+
+	if (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		struct roc_mcs_tx_sc_sa_map req = {0};
+
+		req.mcs_id = mcs_dev->idx;
+		req.sa_index0 = conf->sc_tx.sa_id & 0x7F;
+		req.sa_index1 = conf->sc_tx.sa_id_rekey & 0x7F;
+		req.rekey_ena = conf->sc_tx.re_key_en;
+		req.sa_index0_vld = conf->sc_tx.active;
+		req.sa_index1_vld = conf->sc_tx.re_key_en && conf->sc_tx.active;
+		req.tx_sa_active = conf->sc_tx.active;
+		req.sectag_sci = conf->sc_tx.sci;
+		req.sc_id = sc_id;
+		req.mcs_id = mcs_dev->idx;
+
+		ret = roc_mcs_tx_sc_sa_map_write(mcs_dev->mdev, &req);
+		if (ret) {
+			printf("Failed to map TX SC-SA");
+			return -EINVAL;
+		}
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			struct roc_mcs_rx_sc_sa_map req = {0};
+
+			req.mcs_id = mcs_dev->idx;
+			req.sa_index = conf->sc_rx.sa_id[i] & 0x7F;
+			req.sa_in_use = conf->sc_rx.sa_in_use[i];
+			req.sc_id = sc_id;
+			req.an = i & 0x3;
+			req.mcs_id = mcs_dev->idx;
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				printf("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+		}
+	}
+	return sc_id;
+}
+
+int
+cn10k_eth_macsec_sc_destroy(void *device, uint16_t sc_id)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sc_id);
+
+	return 0;
+}
+
+struct cnxk_macsec_sess *
+cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev,
+				 const struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess = NULL;
+
+	TAILQ_FOREACH(macsec_sess, &dev->mcs_list, entry) {
+		if (macsec_sess->sess == sess)
+			return macsec_sess;
+	}
+
+	return NULL;
+}
+
+int
+cn10k_eth_macsec_session_create(struct cnxk_eth_dev *dev,
+				struct rte_security_session_conf *conf,
+				struct rte_security_session *sess,
+				struct rte_mempool *mempool)
+{
+	struct rte_security_macsec_xform *xform = &conf->macsec;
+	struct cnxk_macsec_sess *macsec_sess_priv;
+	struct roc_mcs_secy_plcy_write_req req;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	uint8_t secy_id = 0;
+	uint8_t sectag_tci = 0;
+	int ret = 0;
+
+	ret = mcs_resource_alloc(mcs_dev, xform->dir, &secy_id, 1, CNXK_MCS_RSRC_TYPE_SECY);
+	if (ret) {
+		printf("Failed to allocate SECY id.\n");
+		return -ENOMEM;
+	}
+
+	req.secy_id = secy_id;
+	req.mcs_id = mcs_dev->idx;
+	req.dir = xform->dir;
+	req.plcy = 0L;
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sectag_tci = ((uint8_t)xform->tx_secy.sectag_version << 5) |
+				((uint8_t)xform->tx_secy.end_station << 4) |
+				((uint8_t)xform->tx_secy.send_sci << 3) |
+				((uint8_t)xform->tx_secy.scb << 2) |
+				((uint8_t)xform->tx_secy.encrypt << 1) |
+				(uint8_t)xform->tx_secy.encrypt;
+		req.plcy = ((uint64_t)xform->tx_secy.mtu << 48) |
+			   (((uint64_t)sectag_tci & 0x3F) << 40) |
+			   (((uint64_t)xform->tx_secy.sectag_off & 0x7F) << 32) |
+			   ((uint64_t)xform->tx_secy.sectag_insert_mode << 30) |
+			   ((uint64_t)xform->tx_secy.icv_include_da_sa << 28) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 20) |
+			   ((uint64_t)xform->alg << 12) |
+			   ((uint64_t)xform->tx_secy.protect_frames << 4) |
+			   (uint64_t)xform->tx_secy.ctrl_port_enable;
+	} else {
+		req.plcy = ((uint64_t)xform->rx_secy.replay_win_sz << 32) |
+			   ((uint64_t)xform->rx_secy.replay_protect << 30) |
+			   ((uint64_t)xform->rx_secy.icv_include_da_sa << 28) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 20) |
+			   ((uint64_t)xform->alg << 12) |
+			   ((uint64_t)xform->rx_secy.preserve_sectag << 9) |
+			   ((uint64_t)xform->rx_secy.preserve_icv << 8) |
+			   ((uint64_t)xform->rx_secy.validate_frames << 4) |
+			   (uint64_t)xform->rx_secy.ctrl_port_enable;
+	}
+
+	ret = roc_mcs_secy_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		printf("\n Failed to configure SECY");
+		return -EINVAL;
+	}
+
+	/*get session priv*/
+	if (rte_mempool_get(mempool, (void **)&macsec_sess_priv)) {
+		plt_err("Could not allocate security session private data");
+		return -ENOMEM;
+	}
+
+	macsec_sess_priv->sci = xform->sci;
+	macsec_sess_priv->sc_id = xform->sc_id;
+	macsec_sess_priv->secy_id = secy_id;
+	macsec_sess_priv->dir = xform->dir;
+
+	TAILQ_INSERT_TAIL(&dev->mcs_list, macsec_sess_priv, entry);
+	set_sec_session_private_data(sess, (void *)macsec_sess_priv);
+
+	return 0;
+}
+
+int
+cn10k_eth_macsec_session_destroy(void *device, struct rte_security_session *sess)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sess);
+
+	return 0;
+}
+
+int
+cn10k_mcs_flow_configure(struct rte_eth_dev *eth_dev,
+			 const struct rte_flow_attr *attr __rte_unused,
+			 const struct rte_flow_item pattern[],
+			 const struct rte_flow_action actions[],
+			 struct rte_flow_error *error __rte_unused,
+			 void **mcs_flow)
+{
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_flowid_entry_write_req req = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct cnxk_mcs_flow_opts opts = {0};
+	struct cnxk_macsec_sess *sess = cnxk_eth_macsec_sess_get_by_sess(dev,
+			(const struct rte_security_session *)actions->conf);
+	const struct rte_flow_item_eth *eth_item = NULL;
+	struct rte_ether_addr src;
+	struct rte_ether_addr dst;
+	int ret;
+	int i = 0;
+
+	ret = mcs_resource_alloc(mcs_dev, sess->dir, &(sess->flow_id), 1, CNXK_MCS_RSRC_TYPE_FLOWID);
+	if (ret) {
+		printf("Failed to allocate FLow id.\n");
+		return -ENOMEM;
+	}
+	req.sci = sess->sci;
+	req.flow_id = sess->flow_id;
+	req.secy_id = sess->secy_id;
+	req.sc_id = sess->sc_id;
+	req.ena = 1;
+	req.ctr_pkt = 0; /* TBD */
+	req.mcs_id = mcs_dev->idx;
+	req.dir = sess->dir;
+
+	while (pattern[i].type != RTE_FLOW_ITEM_TYPE_END) {
+		if (pattern[i].type == RTE_FLOW_ITEM_TYPE_ETH)
+			eth_item = pattern[i].spec;
+		else
+			printf("%s:%d unhandled flow item : %d", __func__, __LINE__,
+					pattern[i].type);
+		i++;
+	}
+	if (eth_item) {
+		dst = eth_item->hdr.dst_addr;
+		src = eth_item->hdr.src_addr;
+
+		/* Find ways to fill opts */
+
+		req.data[0] = (uint64_t)dst.addr_bytes[0] << 40 | (uint64_t)dst.addr_bytes[1] << 32 |
+			      (uint64_t)dst.addr_bytes[2] << 24 | (uint64_t)dst.addr_bytes[3] << 16 |
+			      (uint64_t)dst.addr_bytes[4] << 8 | (uint64_t)dst.addr_bytes[5] |
+			      (uint64_t)src.addr_bytes[5] << 48 | (uint64_t)src.addr_bytes[4] << 56;
+		req.data[1] = (uint64_t)src.addr_bytes[3] | (uint64_t)src.addr_bytes[2] << 8 |
+			      (uint64_t)src.addr_bytes[1] << 16 | (uint64_t)src.addr_bytes[0] << 24 |
+			      (uint64_t)eth_item->hdr.ether_type << 32 |
+			      ((uint64_t)opts.outer_tag_id & 0xFFFF) << 48;
+		req.data[2] = ((uint64_t)opts.outer_tag_id & 0xF0000) |
+			      ((uint64_t)opts.outer_priority & 0xF) << 4 |
+			      ((uint64_t)opts.second_outer_tag_id & 0xFFFFF) << 8 |
+			      ((uint64_t)opts.second_outer_priority & 0xF) << 28 |
+			      ((uint64_t)opts.bonus_data << 32) |
+			      ((uint64_t)opts.tag_match_bitmap << 48) |
+			      ((uint64_t)opts.packet_type & 0xF) << 56 |
+			      ((uint64_t)opts.outer_vlan_type & 0x7) << 60 |
+			      ((uint64_t)opts.inner_vlan_type & 0x1) << 63;
+		req.data[3] = ((uint64_t)opts.inner_vlan_type & 0x6) |
+			      ((uint64_t)opts.num_tags & 0x7F) << 2 | ((uint64_t)opts.express & 1) << 9 |
+			      ((uint64_t)opts.port & 0x3) << 10 |
+			      ((uint64_t)opts.flowid_user & 0xF) << 12;
+
+		req.mask[0] = 0x0;
+		req.mask[1] = 0xFFFFFFFF00000000;
+		req.mask[2] = 0xFFFFFFFFFFFFFFFF;
+		req.mask[3] = 0xFFFFFFFFFFFFF3FF;
+
+		ret = roc_mcs_flowid_entry_write(mcs_dev->mdev, &req);
+		if (ret)
+			return ret;
+
+		*mcs_flow = &req;
+	} else {
+		printf("\nFlow not confirured");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+int
+cn10k_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
+			    struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sa_id);
+	RTE_SET_USED(stats);
+
+	return 0;
+}
+
+int
+cn10k_eth_macsec_sc_stats_get(void *device, uint16_t sc_id,
+			    struct rte_security_macsec_sc_stats *stats)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sc_id);
+	RTE_SET_USED(stats);
+
+	return 0;
+}
+
+void
+cnxk_mcs_dev_fini(struct cnxk_mcs_dev *mcs_dev)
+{
+	/* Cleanup MACsec dev */
+	roc_mcs_dev_fini(mcs_dev->mdev);
+
+	plt_free(mcs_dev);
+}
+
+struct cnxk_mcs_dev *
+cnxk_mcs_dev_init(uint8_t mcs_idx)
+{
+	struct cnxk_mcs_dev *mcs_dev;
+
+	mcs_dev = plt_zmalloc(sizeof(struct cnxk_mcs_dev), PLT_CACHE_LINE_SIZE);
+	if (!mcs_dev)
+		return NULL;
+
+	mcs_dev->mdev = roc_mcs_dev_init(mcs_dev->idx);
+	if (!mcs_dev->mdev) {
+		plt_free(mcs_dev);
+		return NULL;
+	}
+	mcs_dev->idx = mcs_idx;
+
+	return mcs_dev;
+}
diff --git a/drivers/net/cnxk/cn10k_ethdev_mcs.h b/drivers/net/cnxk/cn10k_ethdev_mcs.h
new file mode 100644
index 0000000000..b905f4402a
--- /dev/null
+++ b/drivers/net/cnxk/cn10k_ethdev_mcs.h
@@ -0,0 +1,59 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+
+#define CNXK_MACSEC_HASH_KEY	16
+
+struct cnxk_mcs_dev {
+	uint64_t default_sci;
+	void *mdev;
+	uint8_t port_id;
+	uint8_t idx;
+};
+
+enum cnxk_mcs_rsrc_type {
+	CNXK_MCS_RSRC_TYPE_FLOWID,
+	CNXK_MCS_RSRC_TYPE_SECY,
+	CNXK_MCS_RSRC_TYPE_SC,
+	CNXK_MCS_RSRC_TYPE_SA,
+};
+
+struct cnxk_mcs_flow_opts {
+	uint32_t outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS.*/
+	uint32_t second_outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t second_outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS. */
+	uint16_t bonus_data;
+	/**< 2 bytes of additional bonus data extracted from one of the custom tags*/
+	uint8_t tag_match_bitmap;
+	uint8_t packet_type;
+	uint8_t outer_vlan_type;
+	uint8_t inner_vlan_type;
+	uint8_t num_tags;
+	bool express;
+	uint8_t port; /**< port 0-3 */
+	uint8_t flowid_user;
+};
+
+int cn10k_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf);
+int cn10k_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf);
+
+int cn10k_eth_macsec_sa_destroy(void *device, uint16_t sa_id);
+int cn10k_eth_macsec_sc_destroy(void *device, uint16_t sc_id);
+
+int cn10k_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
+			    struct rte_security_macsec_sa_stats *stats);
+int cn10k_eth_macsec_sc_stats_get(void *device, uint16_t sa_id,
+			    struct rte_security_macsec_sc_stats *stats);
+
+int cn10k_eth_macsec_session_create(struct cnxk_eth_dev *dev,
+			     struct rte_security_session_conf *conf,
+			     struct rte_security_session *sess,
+			     struct rte_mempool *mempool);
+int cn10k_eth_macsec_session_destroy(void *device, struct rte_security_session *sess);
diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 3795b0c78b..70fb1eb39a 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -9,6 +9,7 @@
 #include <rte_pmd_cnxk.h>
 
 #include <cn10k_ethdev.h>
+#include <cn10k_ethdev_mcs.h>
 #include <cnxk_security.h>
 #include <roc_priv.h>
 
@@ -601,7 +602,9 @@ cn10k_eth_sec_session_create(void *device,
 	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
 		return -ENOTSUP;
 
-	if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_MACSEC)
+		return cn10k_eth_macsec_session_create(dev, conf, sess, mempool);
+	else if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
 		return -ENOTSUP;
 
 	if (rte_security_dynfield_register() < 0)
@@ -1058,9 +1061,15 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
+	cnxk_eth_sec_ops.macsec_sa_create = cn10k_eth_macsec_sa_create;
+	cnxk_eth_sec_ops.macsec_sc_create = cn10k_eth_macsec_sc_create;
+	cnxk_eth_sec_ops.macsec_sa_destroy = cn10k_eth_macsec_sa_destroy;
+	cnxk_eth_sec_ops.macsec_sc_destroy = cn10k_eth_macsec_sc_destroy;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = cn10k_eth_macsec_sc_stats_get;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = cn10k_eth_macsec_sa_stats_get;
 }
diff --git a/drivers/net/cnxk/cn10k_flow.c b/drivers/net/cnxk/cn10k_flow.c
index 7df879a2bb..e95a73ec55 100644
--- a/drivers/net/cnxk/cn10k_flow.c
+++ b/drivers/net/cnxk/cn10k_flow.c
@@ -2,6 +2,7 @@
  * Copyright(C) 2020 Marvell.
  */
 #include <cnxk_flow.h>
+#include "cn10k_ethdev_mcs.h"
 #include "cn10k_flow.h"
 #include "cn10k_ethdev.h"
 #include "cn10k_rx.h"
@@ -133,6 +134,7 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 	const struct rte_flow_action *act_q = NULL;
 	struct roc_npc *npc = &dev->npc;
 	struct roc_npc_flow *flow;
+	void *mcs_flow = NULL;
 	int vtag_actions = 0;
 	uint32_t req_act = 0;
 	int i, rc;
@@ -186,6 +188,18 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 		}
 	}
 
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+			cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL) {
+		rc = cn10k_mcs_flow_configure(eth_dev, attr, pattern, actions, error, &mcs_flow);
+		if (rc) {
+			rte_flow_error_set(error, rc,
+					RTE_FLOW_ERROR_TYPE_ACTION, NULL,
+					"Failed to configure mcs flow");
+			return NULL;
+		}
+		return (struct rte_flow *)mcs_flow;
+	}
+
 	flow = cnxk_flow_create(eth_dev, attr, pattern, actions, error);
 	if (!flow) {
 		if (mtr)
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index c09e9bff8e..4ae64060f1 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -337,6 +337,21 @@ struct cnxk_eth_dev_sec_outb {
 	rte_spinlock_t lock;
 };
 
+/* MACsec session private data */
+struct cnxk_macsec_sess {
+	/* List entry */
+	TAILQ_ENTRY(cnxk_macsec_sess) entry;
+
+	/* Back pointer to session */
+	struct rte_security_session *sess;
+	enum rte_security_macsec_direction dir;
+	uint64_t sci;
+	uint8_t secy_id;
+	uint8_t sc_id;
+	uint8_t flow_id;
+};
+TAILQ_HEAD(cnxk_macsec_sess_list, cnxk_macsec_sess);
+
 struct cnxk_eth_dev {
 	/* ROC NIX */
 	struct roc_nix nix;
@@ -437,6 +452,10 @@ struct cnxk_eth_dev {
 	/* Reassembly dynfield/flag offsets */
 	int reass_dynfield_off;
 	int reass_dynflag_bit;
+
+	/* MCS device */
+	struct cnxk_mcs_dev *mcs_dev;
+	struct cnxk_macsec_sess_list mcs_list;
 };
 
 struct cnxk_eth_rxq_sp {
@@ -649,6 +668,18 @@ cnxk_eth_sec_sess_get_by_sess(struct cnxk_eth_dev *dev,
 int cnxk_nix_inl_meta_pool_cb(uint64_t *aura_handle, uint32_t buf_sz, uint32_t nb_bufs,
 			      bool destroy);
 
+struct cnxk_mcs_dev * cnxk_mcs_dev_init(uint8_t mcs_idx);
+void cnxk_mcs_dev_fini(struct cnxk_mcs_dev *mcs_dev);
+
+struct cnxk_macsec_sess *
+cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev,
+				 const struct rte_security_session *sess);
+int cn10k_mcs_flow_configure(struct rte_eth_dev *eth_dev,
+			     const struct rte_flow_attr *attr,
+			     const struct rte_flow_item pattern[],
+			     const struct rte_flow_action actions[],
+			     struct rte_flow_error *error, void **mcs_flow);
+
 /* Other private functions */
 int nix_recalc_mtu(struct rte_eth_dev *eth_dev);
 int nix_mtr_validate(struct rte_eth_dev *dev, uint32_t id);
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index 9304b1465d..56fb2733a4 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -203,7 +203,7 @@ cnxk_eth_sec_sess_get_by_sess(struct cnxk_eth_dev *dev,
 static unsigned int
 cnxk_eth_sec_session_get_size(void *device __rte_unused)
 {
-	return sizeof(struct cnxk_eth_sec_sess);
+	return RTE_MAX(sizeof(struct cnxk_macsec_sess), sizeof(struct cnxk_eth_sec_sess));
 }
 
 struct rte_security_ops cnxk_eth_sec_ops = {
diff --git a/drivers/net/cnxk/meson.build b/drivers/net/cnxk/meson.build
index f347e98fce..34bba3fb23 100644
--- a/drivers/net/cnxk/meson.build
+++ b/drivers/net/cnxk/meson.build
@@ -106,6 +106,7 @@ sources += files(
 # CN10K
 sources += files(
         'cn10k_ethdev.c',
+        'cn10k_ethdev_mcs.c',
         'cn10k_ethdev_sec.c',
         'cn10k_flow.c',
         'cn10k_rx_select.c',
-- 
2.25.1

[PATCH 4/5] test/security: add inline MACsec cases

[Akhil Goyal]

Added MACsec inline cases for encryption cases.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/meson.build                          |    1 +
 app/test/test_security_inline_macsec.c        |  821 ++++++
 .../test_security_inline_macsec_vectors.h     | 2318 +++++++++++++++++
 3 files changed, 3140 insertions(+)
 create mode 100644 app/test/test_security_inline_macsec.c
 create mode 100644 app/test/test_security_inline_macsec_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index d5cad72116..928df22014 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -126,6 +126,7 @@ test_sources = files(
         'test_rwlock.c',
         'test_sched.c',
         'test_security.c',
+        'test_security_inline_macsec.c',
         'test_security_inline_proto.c',
         'test_seqlock.c',
         'test_service_cores.c',
diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
new file mode 100644
index 0000000000..dec7cb20df
--- /dev/null
+++ b/app/test/test_security_inline_macsec.c
@@ -0,0 +1,821 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+
+#include <stdio.h>
+#include <inttypes.h>
+
+#include <rte_ethdev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_security_inline_macsec_vectors.h"
+
+#ifdef RTE_EXEC_ENV_WINDOWS
+static int
+test_inline_macsec(void)
+{
+	printf("Inline MACsec not supported on Windows, skipping test\n");
+	return TEST_SKIPPED;
+}
+
+#else
+
+#define NB_ETHPORTS_USED		1
+#define MEMPOOL_CACHE_SIZE		32
+#define MAX_PKT_BURST			32
+#define RTE_TEST_RX_DESC_DEFAULT	1024
+#define RTE_TEST_TX_DESC_DEFAULT	1024
+#define RTE_PORT_ALL		(~(uint16_t)0x0)
+
+#define RX_PTHRESH 8 /**< Default values of RX prefetch threshold reg. */
+#define RX_HTHRESH 8 /**< Default values of RX host threshold reg. */
+#define RX_WTHRESH 0 /**< Default values of RX write-back threshold reg. */
+
+#define TX_PTHRESH 32 /**< Default values of TX prefetch threshold reg. */
+#define TX_HTHRESH 0  /**< Default values of TX host threshold reg. */
+#define TX_WTHRESH 0  /**< Default values of TX write-back threshold reg. */
+
+#define MAX_TRAFFIC_BURST		2048
+#define NB_MBUF				10240
+
+#define MCS_INVALID_SA			0xFFFF
+#define MCS_MAX_FLOWS			63
+
+static struct rte_mempool *mbufpool;
+static struct rte_mempool *sess_pool;
+static struct rte_mempool *sess_priv_pool;
+/* ethernet addresses of ports */
+static struct rte_ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];
+
+struct mcs_test_opts {
+	int val_frames;
+	int nb_td;
+	uint16_t mtu;
+	uint8_t sa_in_use;
+	bool protect_frames;
+	uint8_t sectag_insert_mode;
+	uint8_t nb_vlan;
+	uint16_t replay_win_sz;
+	uint8_t replay_protect;
+	uint8_t rekey_en;
+};
+
+static struct rte_eth_conf port_conf = {
+	.rxmode = {
+		.mq_mode = RTE_ETH_MQ_RX_NONE,
+		.split_hdr_size = 0,
+		.offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM |
+			    RTE_ETH_RX_OFFLOAD_SECURITY,
+	},
+	.txmode = {
+		.mq_mode = RTE_ETH_MQ_TX_NONE,
+		.offloads = RTE_ETH_TX_OFFLOAD_SECURITY |
+			    RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE,
+	},
+	.lpbk_mode = 1,  /* enable loopback */
+};
+
+static struct rte_eth_rxconf rx_conf = {
+	.rx_thresh = {
+		.pthresh = RX_PTHRESH,
+		.hthresh = RX_HTHRESH,
+		.wthresh = RX_WTHRESH,
+	},
+	.rx_free_thresh = 32,
+};
+
+static struct rte_eth_txconf tx_conf = {
+	.tx_thresh = {
+		.pthresh = TX_PTHRESH,
+		.hthresh = TX_HTHRESH,
+		.wthresh = TX_WTHRESH,
+	},
+	.tx_free_thresh = 32, /* Use PMD default values */
+	.tx_rs_thresh = 32, /* Use PMD default values */
+};
+
+static uint16_t port_id;
+
+static uint64_t link_mbps;
+
+static struct rte_flow *default_flow[RTE_MAX_ETHPORTS];
+
+static struct rte_mbuf **tx_pkts_burst;
+static struct rte_mbuf **rx_pkts_burst;
+
+static inline struct rte_mbuf *
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+{
+	struct rte_mbuf *pkt;
+
+	pkt = rte_pktmbuf_alloc(mp);
+	if (pkt == NULL)
+		return NULL;
+
+	rte_memcpy(rte_pktmbuf_append(pkt, len), data, len);
+
+	return pkt;
+}
+
+static int
+init_mempools(unsigned int nb_mbuf)
+{
+	struct rte_security_ctx *sec_ctx;
+	uint16_t nb_sess = 512;
+	uint32_t sess_sz;
+	char s[64];
+
+	if (mbufpool == NULL) {
+		snprintf(s, sizeof(s), "mbuf_pool");
+		mbufpool = rte_pktmbuf_pool_create(s, nb_mbuf,
+				MEMPOOL_CACHE_SIZE, 0,
+				RTE_MBUF_DEFAULT_BUF_SIZE, SOCKET_ID_ANY);
+		if (mbufpool == NULL) {
+			printf("Cannot init mbuf pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated mbuf pool\n");
+	}
+
+	sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
+	if (sec_ctx == NULL) {
+		printf("Device does not support Security ctx\n");
+		return TEST_SKIPPED;
+	}
+	sess_sz = rte_security_session_get_size(sec_ctx);
+	if (sess_pool == NULL) {
+		snprintf(s, sizeof(s), "sess_pool");
+		sess_pool = rte_mempool_create(s, nb_sess, sess_sz,
+				MEMPOOL_CACHE_SIZE, 0,
+				NULL, NULL, NULL, NULL,
+				SOCKET_ID_ANY, 0);
+		if (sess_pool == NULL) {
+			printf("Cannot init sess pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated sess pool\n");
+	}
+	if (sess_priv_pool == NULL) {
+		snprintf(s, sizeof(s), "sess_priv_pool");
+		sess_priv_pool = rte_mempool_create(s, nb_sess, sess_sz,
+				MEMPOOL_CACHE_SIZE, 0,
+				NULL, NULL, NULL, NULL,
+				SOCKET_ID_ANY, 0);
+		if (sess_priv_pool == NULL) {
+			printf("Cannot init sess_priv pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated sess_priv pool\n");
+	}
+
+	return 0;
+}
+
+static void
+fill_macsec_sa_conf(const struct mcs_test_vector *td, struct rte_security_macsec_sa *sa,
+			enum rte_security_macsec_direction dir, uint8_t an, uint8_t tci_off)
+{
+	sa->dir = dir;
+
+	sa->key.data = td->sa_key.data;
+	sa->key.length = td->sa_key.len;
+
+	memcpy((uint8_t *)sa->salt, (const uint8_t *)td->salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	/* AN is set as per the value in secure packet in test vector */
+	sa->an = an & RTE_MACSEC_AN_MASK;
+
+	sa->xpn = td->xpn;
+	/* Starting packet number which is expected to come next. It is taken
+	 * from the test vector so that we can match the out packet. */
+	sa->next_pn = td->secure_pkt.data[tci_off + 2];
+}
+
+static void
+fill_macsec_sc_conf(const struct mcs_test_vector *td, struct rte_security_macsec_sc *sc_conf,
+			enum rte_security_macsec_direction dir, uint16_t sa_id[], uint8_t tci_off)
+{
+	int i;
+
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sc_conf->sc_tx.sa_id = sa_id[0];
+		if (sa_id[1] != MCS_INVALID_SA) {
+			sc_conf->sc_tx.sa_id_rekey = sa_id[1];
+			sc_conf->sc_tx.re_key_en = 1;
+		}
+		sc_conf->sc_tx.active = 1;
+		/* is SCI valid */
+		if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) {
+			memcpy(&sc_conf->sc_tx.sci, &td->secure_pkt.data[tci_off + 6],
+					sizeof(sc_conf->sc_tx.sci));
+			sc_conf->sc_tx.sci = rte_be_to_cpu_64(sc_conf->sc_tx.sci);
+		} else if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) {
+			/* sci = source_mac + port_id when ES.bit = 1 & SC.bit = 0 */
+			const uint8_t *smac = td->plain_pkt.data + RTE_ETHER_ADDR_LEN;
+			uint8_t *ptr = (uint8_t *)&sc_conf->sc_tx.sci;
+
+			ptr[0] = 0x01; /*TODO: port_id */
+			ptr[1] = 0;
+			for (uint8_t j = 0; j < RTE_ETHER_ADDR_LEN; j++)
+				ptr[2 + j] = smac[RTE_ETHER_ADDR_LEN - 1 - j];
+		} else {
+			/* use some default SCI */
+			sc_conf->sc_tx.sci = 0xf1341e023a2b1c5d;
+		}
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			sc_conf->sc_rx.sa_id[i] = sa_id[i];
+			sc_conf->sc_rx.sa_in_use[i] = 1;
+		}
+		sc_conf->sc_rx.active = 1;
+	}
+}
+
+
+/* Create Inline MACsec session */
+static int
+fill_session_conf(const struct mcs_test_vector *td, uint16_t portid __rte_unused,
+		const struct mcs_test_opts *opts,
+		struct rte_security_session_conf *sess_conf,
+		enum rte_security_macsec_direction dir,
+		uint16_t sc_id,
+		uint8_t tci_off)
+{
+//	struct rte_security_capability_idx sec_cap_idx;
+//	const struct rte_security_capability *sec_cap;
+
+	sess_conf->action_type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL;
+	sess_conf->protocol = RTE_SECURITY_PROTOCOL_MACSEC;
+	sess_conf->macsec.dir = dir;
+	sess_conf->macsec.alg = td->alg;
+	sess_conf->macsec.cipher_off = 0;
+	sess_conf->macsec.sci = (uint64_t)td->secure_pkt.data[tci_off + 6];
+	sess_conf->macsec.sc_id = sc_id;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sess_conf->macsec.tx_secy.mtu = opts->mtu;
+		sess_conf->macsec.tx_secy.sectag_off = (opts->sectag_insert_mode == 1) ?
+							2 * RTE_ETHER_ADDR_LEN :
+							RTE_VLAN_HLEN;
+		sess_conf->macsec.tx_secy.sectag_insert_mode = opts->sectag_insert_mode;
+		sess_conf->macsec.tx_secy.icv_include_da_sa = 1;
+		sess_conf->macsec.tx_secy.ctrl_port_enable = 1;
+		sess_conf->macsec.tx_secy.sectag_version = 0;
+		sess_conf->macsec.tx_secy.end_station =
+					td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES;
+		sess_conf->macsec.tx_secy.send_sci =
+					td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC;
+		sess_conf->macsec.tx_secy.scb =
+					td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SCB;
+		sess_conf->macsec.tx_secy.encrypt = 1;
+	} else {
+		sess_conf->macsec.rx_secy.replay_win_sz = opts->replay_win_sz;
+		sess_conf->macsec.rx_secy.replay_protect = opts->replay_protect;
+		sess_conf->macsec.rx_secy.validate_frames = opts->val_frames;
+		sess_conf->macsec.rx_secy.icv_include_da_sa = 1;
+		sess_conf->macsec.rx_secy.ctrl_port_enable = 1;
+		sess_conf->macsec.rx_secy.preserve_sectag = 0;
+		sess_conf->macsec.rx_secy.preserve_icv = 0;
+	}
+//	sec_cap = rte_security_capability_get(sec_ctx, &sec_cap_idx);
+//	if (sec_cap == NULL) {
+//		printf("No capabilities registered\n");
+//		return TEST_SKIPPED;
+//	}
+
+	return 0;
+}
+static int
+create_default_flow(const struct mcs_test_vector *td, uint16_t portid,
+		    enum rte_security_macsec_direction dir, void *sess)
+{
+	struct rte_flow_action action[2];
+	struct rte_flow_item pattern[2];
+	struct rte_flow_attr attr = {0};
+	struct rte_flow_error err;
+	struct rte_flow *flow;
+	struct rte_flow_item_eth eth = {0};
+	int ret;
+
+	eth.has_vlan = 0;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX)
+		memcpy(&eth.hdr, td->plain_pkt.data, RTE_ETHER_HDR_LEN);
+	else
+		memcpy(&eth.hdr, td->secure_pkt.data, RTE_ETHER_HDR_LEN);
+
+	pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
+	pattern[0].spec = &eth;
+	pattern[0].mask = &rte_flow_item_eth_mask;
+	pattern[0].last = &eth;
+	pattern[1].type = RTE_FLOW_ITEM_TYPE_END;
+
+	action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
+	action[0].conf = sess;
+	action[1].type = RTE_FLOW_ACTION_TYPE_END;
+	action[1].conf = NULL;
+
+	attr.ingress = dir;
+
+	ret = rte_flow_validate(portid, &attr, pattern, action, &err);
+	if (ret) {
+		printf("\nValidate flow failed, ret = %d\n", ret);
+		return -1;
+	}
+	flow = rte_flow_create(portid, &attr, pattern, action, &err);
+	if (flow == NULL) {
+		printf("\nDefault flow rule create failed\n");
+		return -1;
+	}
+
+	default_flow[portid] = flow;
+
+	return 0;
+}
+
+static void
+destroy_default_flow(uint16_t portid)
+{
+	struct rte_flow_error err;
+	int ret;
+
+	if (!default_flow[portid])
+		return;
+	ret = rte_flow_destroy(portid, default_flow[portid], &err);
+	if (ret) {
+		printf("\nDefault flow rule destroy failed\n");
+		return;
+	}
+	default_flow[portid] = NULL;
+}
+
+static void
+print_ethaddr(const char *name, const struct rte_ether_addr *eth_addr)
+{
+	char buf[RTE_ETHER_ADDR_FMT_SIZE];
+	rte_ether_format_addr(buf, RTE_ETHER_ADDR_FMT_SIZE, eth_addr);
+	printf("%s%s", name, buf);
+}
+
+/* Check the link status of all ports in up to 3s, and print them finally */
+static void
+check_all_ports_link_status(uint16_t port_num, uint32_t port_mask)
+{
+#define CHECK_INTERVAL 100 /* 100ms */
+#define MAX_CHECK_TIME 30 /* 3s (30 * 100ms) in total */
+	uint16_t portid;
+	uint8_t count, all_ports_up, print_flag = 0;
+	struct rte_eth_link link;
+	int ret;
+	char link_status[RTE_ETH_LINK_MAX_STR_LEN];
+
+	printf("Checking link statuses...\n");
+	fflush(stdout);
+	for (count = 0; count <= MAX_CHECK_TIME; count++) {
+		all_ports_up = 1;
+		for (portid = 0; portid < port_num; portid++) {
+			if ((port_mask & (1 << portid)) == 0)
+				continue;
+			memset(&link, 0, sizeof(link));
+			ret = rte_eth_link_get_nowait(portid, &link);
+			if (ret < 0) {
+				all_ports_up = 0;
+				if (print_flag == 1)
+					printf("Port %u link get failed: %s\n",
+						portid, rte_strerror(-ret));
+				continue;
+			}
+
+			/* print link status if flag set */
+			if (print_flag == 1) {
+				if (link.link_status && link_mbps == 0)
+					link_mbps = link.link_speed;
+
+				rte_eth_link_to_str(link_status,
+					sizeof(link_status), &link);
+				printf("Port %d %s\n", portid, link_status);
+				continue;
+			}
+			/* clear all_ports_up flag if any link down */
+			if (link.link_status == RTE_ETH_LINK_DOWN) {
+				all_ports_up = 0;
+				break;
+			}
+		}
+		/* after finally printing all link status, get out */
+		if (print_flag == 1)
+			break;
+
+		if (all_ports_up == 0) {
+			fflush(stdout);
+			rte_delay_ms(CHECK_INTERVAL);
+		}
+
+		/* set the print_flag if all ports up or timeout */
+		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1))
+			print_flag = 1;
+	}
+}
+
+static int
+test_macsec_post_process(struct rte_mbuf *m, const struct mcs_test_vector *td,
+			enum mcs_op op)
+{
+	const uint8_t *dptr;
+	uint16_t pkt_len;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+		dptr = td->plain_pkt.data;
+		pkt_len = td->plain_pkt.len;
+	} else {
+		dptr = td->secure_pkt.data;
+		pkt_len = td->secure_pkt.len;
+	}
+
+	if (memcmp(rte_pktmbuf_mtod(m, uint8_t *), dptr, pkt_len)) {
+		printf("\nData comparison failed for td.");
+		rte_pktmbuf_dump(stdout, m, m->pkt_len);
+		rte_hexdump(stdout, "expected_data", dptr, pkt_len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
+{
+	uint16_t rx_sa_id[MCS_MAX_FLOWS][RTE_SECURITY_MACSEC_NUM_AN] = {0};
+	uint16_t tx_sa_id[MCS_MAX_FLOWS][2] = {0};
+	uint16_t rx_sc_id[MCS_MAX_FLOWS] = {0};
+	uint16_t tx_sc_id[MCS_MAX_FLOWS] = {0};
+	struct rte_security_session *rx_sess[MCS_MAX_FLOWS];
+	struct rte_security_session *tx_sess[MCS_MAX_FLOWS];
+	struct rte_security_session_conf sess_conf = {0};
+	struct rte_security_macsec_sa sa_conf = {0};
+	struct rte_security_macsec_sc sc_conf = {0};
+	struct rte_security_ctx *ctx;
+	int nb_rx = 0, nb_sent;
+	int i, j = 0, ret;
+	uint8_t tci_off;
+
+	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * opts->nb_td);
+
+	ctx = (struct rte_security_ctx *)rte_eth_dev_get_sec_ctx(port_id);
+	if (ctx == NULL) {
+		printf("Ethernet device doesn't support security features.\n");
+		return TEST_SKIPPED;
+	}
+
+	tci_off = (opts->sectag_insert_mode == 1) ? RTE_ETHER_HDR_LEN :
+			RTE_ETHER_HDR_LEN + (opts->nb_vlan * RTE_VLAN_HLEN);
+
+	for (i = 0; i < opts->nb_td; i++) {
+		tx_pkts_burst[i] = init_packet(mbufpool, td[i]->plain_pkt.data,
+						td[i]->plain_pkt.len);
+		if (tx_pkts_burst[i] == NULL) {
+			while (i--)
+				rte_pktmbuf_free(tx_pkts_burst[i]);
+			ret = TEST_FAILED;
+			goto out;
+		}
+
+		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+			for (j = 0; j < RTE_SECURITY_MACSEC_NUM_AN; j++) {
+				/* For simplicity, using same SA conf for all AN */
+				fill_macsec_sa_conf(td[i], &sa_conf,
+						RTE_SECURITY_MACSEC_DIR_RX, j, tci_off);
+				rx_sa_id[i][j] = rte_security_macsec_sa_create(ctx, &sa_conf);
+			}
+			fill_macsec_sc_conf(td[i], &sc_conf,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sa_id[i], tci_off);
+			rx_sc_id[i] = rte_security_macsec_sc_create(ctx, &sc_conf);
+
+			/* Create Inline IPsec session. */
+			ret = fill_session_conf(td[i], port_id, opts, &sess_conf,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sc_id[i], tci_off);
+			if (ret)
+				return TEST_FAILED;
+
+			rx_sess[i] = rte_security_session_create(ctx, &sess_conf,
+					sess_pool, sess_priv_pool);
+			if (rx_sess[i] == NULL) {
+				printf("SEC Session init failed.\n");
+				return TEST_FAILED;
+			}
+			ret = create_default_flow(td[i], port_id,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sess[i]);
+			if (ret)
+				goto out;
+		}
+		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+			fill_macsec_sa_conf(td[i], &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					td[i]->secure_pkt.data[tci_off] & RTE_MACSEC_AN_MASK,
+					tci_off);
+			tx_sa_id[i][0] = rte_security_macsec_sa_create(ctx, &sa_conf);
+			tx_sa_id[i][1] = MCS_INVALID_SA;
+			if (opts->rekey_en) {
+				/* Creating SA with same sa_conf for now. */
+				tx_sa_id[i][1] = rte_security_macsec_sa_create(ctx, &sa_conf);
+			}
+			fill_macsec_sc_conf(td[i], &sc_conf,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sa_id[i], tci_off);
+			tx_sc_id[i] = rte_security_macsec_sc_create(ctx, &sc_conf);
+
+			/* Create Inline IPsec session. */
+			ret = fill_session_conf(td[i], port_id, opts, &sess_conf,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sc_id[i], tci_off);
+			if (ret)
+				return TEST_FAILED;
+
+			tx_sess[i] = rte_security_session_create(ctx, &sess_conf,
+					sess_pool, sess_priv_pool);
+			if (tx_sess[i] == NULL) {
+				printf("SEC Session init failed.\n");
+				return TEST_FAILED;
+			}
+			ret = create_default_flow(td[i], port_id,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sess[i]);
+			if (ret)
+				goto out;
+
+			tx_pkts_burst[i]->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
+		}
+	}
+
+	/* Send packet to ethdev for inline MACsec processing. */
+	nb_sent = rte_eth_tx_burst(port_id, 0, tx_pkts_burst, opts->nb_td);
+
+	if (nb_sent != opts->nb_td) {
+		printf("\nUnable to TX %d packets, sent: %i", opts->nb_td, nb_sent);
+		for ( ; nb_sent < opts->nb_td; nb_sent++)
+			rte_pktmbuf_free(tx_pkts_burst[nb_sent]);
+		ret = TEST_FAILED;
+		goto out;
+	}
+
+	rte_pause();
+
+	/* Receive back packet on loopback interface. */
+	do {
+		rte_delay_ms(1);
+		nb_rx += rte_eth_rx_burst(port_id, 0,
+				&rx_pkts_burst[nb_rx],
+				nb_sent - nb_rx);
+		if (nb_rx >= nb_sent)
+			break;
+	} while (j++ < 5 || nb_rx == 0);
+
+	if (nb_rx != nb_sent) {
+		printf("\nUnable to RX all %d packets, received(%i)",
+				nb_sent, nb_rx);
+		while (--nb_rx >= 0)
+			rte_pktmbuf_free(rx_pkts_burst[nb_rx]);
+		ret = TEST_FAILED;
+		goto out;
+	}
+
+	for (i = 0; i < nb_rx; i++) {
+		rte_pktmbuf_adj(rx_pkts_burst[i], RTE_ETHER_HDR_LEN);
+
+		ret = test_macsec_post_process(rx_pkts_burst[i], td[i], op);
+		if (ret != TEST_SUCCESS) {
+			for ( ; i < nb_rx; i++)
+				rte_pktmbuf_free(rx_pkts_burst[i]);
+			goto out;
+		}
+
+		rte_pktmbuf_free(rx_pkts_burst[i]);
+		rx_pkts_burst[i] = NULL;
+	}
+
+out:
+	destroy_default_flow(port_id);
+
+	/* Destroy session so that other cases can create the session again */
+	for (i = 0; i < opts->nb_td; i++) {
+		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+			rte_security_session_destroy(ctx, tx_sess[i]);
+			tx_sess[i] = NULL;
+			rte_security_macsec_sc_destroy(ctx, tx_sc_id[i]);
+			for (j = 0; j < 2; j++)
+				rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][j]);
+		}
+		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+			rte_security_session_destroy(ctx, rx_sess[i]);
+			rx_sess[i] = NULL;
+			rte_security_macsec_sc_destroy(ctx, rx_sc_id[i]);
+			for (j = 0; j < RTE_SECURITY_MACSEC_NUM_AN; j++)
+				rte_security_macsec_sa_destroy(ctx, rx_sa_id[i][j]);
+		}
+
+	}
+
+	return ret;
+}
+
+static int
+test_inline_macsec_encap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Encryption case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Encryption case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+ut_setup_inline_macsec(void)
+{
+	int ret;
+
+	/* Start device */
+	ret = rte_eth_dev_start(port_id);
+	if (ret < 0) {
+		printf("rte_eth_dev_start: err=%d, port=%d\n",
+			ret, port_id);
+		return ret;
+	}
+	/* always enable promiscuous */
+	ret = rte_eth_promiscuous_enable(port_id);
+	if (ret != 0) {
+		printf("rte_eth_promiscuous_enable: err=%s, port=%d\n",
+			rte_strerror(-ret), port_id);
+		return ret;
+	}
+
+	check_all_ports_link_status(1, RTE_PORT_ALL);
+
+	return 0;
+}
+
+static void
+ut_teardown_inline_macsec(void)
+{
+	uint16_t portid;
+	int ret;
+
+	/* port tear down */
+	RTE_ETH_FOREACH_DEV(portid) {
+		ret = rte_eth_dev_stop(portid);
+		if (ret != 0)
+			printf("rte_eth_dev_stop: err=%s, port=%u\n",
+			       rte_strerror(-ret), portid);
+
+	}
+}
+
+static int
+inline_macsec_testsuite_setup(void)
+{
+	uint16_t nb_rxd;
+	uint16_t nb_txd;
+	uint16_t nb_ports;
+	int ret;
+	uint16_t nb_rx_queue = 1, nb_tx_queue = 1;
+
+	printf("Start inline IPsec test.\n");
+
+	nb_ports = rte_eth_dev_count_avail();
+	if (nb_ports < NB_ETHPORTS_USED) {
+		printf("At least %u port(s) used for test\n",
+		       NB_ETHPORTS_USED);
+		return TEST_SKIPPED;
+	}
+
+	ret = init_mempools(NB_MBUF);
+	if (ret)
+		return ret;
+
+	if (tx_pkts_burst == NULL) {
+		tx_pkts_burst = (struct rte_mbuf **)rte_calloc("tx_buff",
+					  MAX_TRAFFIC_BURST,
+					  sizeof(void *),
+					  RTE_CACHE_LINE_SIZE);
+		if (!tx_pkts_burst)
+			return TEST_FAILED;
+
+		rx_pkts_burst = (struct rte_mbuf **)rte_calloc("rx_buff",
+					  MAX_TRAFFIC_BURST,
+					  sizeof(void *),
+					  RTE_CACHE_LINE_SIZE);
+		if (!rx_pkts_burst)
+			return TEST_FAILED;
+	}
+
+	printf("Generate %d packets\n", MAX_TRAFFIC_BURST);
+
+	nb_rxd = RTE_TEST_RX_DESC_DEFAULT;
+	nb_txd = RTE_TEST_TX_DESC_DEFAULT;
+
+	/* configuring port 0 for the test is enough */
+	port_id = 0;
+	/* port configure */
+	ret = rte_eth_dev_configure(port_id, nb_rx_queue,
+				    nb_tx_queue, &port_conf);
+	if (ret < 0) {
+		printf("Cannot configure device: err=%d, port=%d\n",
+			 ret, port_id);
+		return ret;
+	}
+	ret = rte_eth_macaddr_get(port_id, &ports_eth_addr[port_id]);
+	if (ret < 0) {
+		printf("Cannot get mac address: err=%d, port=%d\n",
+			 ret, port_id);
+		return ret;
+	}
+	printf("Port %u ", port_id);
+	print_ethaddr("Address:", &ports_eth_addr[port_id]);
+	printf("\n");
+
+	/* tx queue setup */
+	ret = rte_eth_tx_queue_setup(port_id, 0, nb_txd,
+				     SOCKET_ID_ANY, &tx_conf);
+	if (ret < 0) {
+		printf("rte_eth_tx_queue_setup: err=%d, port=%d\n",
+				ret, port_id);
+		return ret;
+	}
+	/* rx queue steup */
+	ret = rte_eth_rx_queue_setup(port_id, 0, nb_rxd, SOCKET_ID_ANY,
+				     &rx_conf, mbufpool);
+	if (ret < 0) {
+		printf("rte_eth_rx_queue_setup: err=%d, port=%d\n",
+				ret, port_id);
+		return ret;
+	}
+
+	return 0;
+}
+
+static void
+inline_macsec_testsuite_teardown(void)
+{
+	uint16_t portid;
+	int ret;
+
+	/* port tear down */
+	RTE_ETH_FOREACH_DEV(portid) {
+		ret = rte_eth_dev_reset(portid);
+		if (ret != 0)
+			printf("rte_eth_dev_reset: err=%s, port=%u\n",
+			       rte_strerror(-ret), port_id);
+	}
+	rte_free(tx_pkts_burst);
+	rte_free(rx_pkts_burst);
+}
+
+
+static struct unit_test_suite inline_macsec_testsuite  = {
+	.suite_name = "Inline MACsec Ethernet Device Unit Test Suite",
+	.unit_test_cases = {
+		TEST_CASE_NAMED_ST(
+			"MACsec encap(Cipher+Auth) known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_all),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	},
+};
+static int
+test_inline_macsec(void)
+{
+	inline_macsec_testsuite.setup = inline_macsec_testsuite_setup;
+	inline_macsec_testsuite.teardown = inline_macsec_testsuite_teardown;
+	return unit_test_suite_runner(&inline_macsec_testsuite);
+}
+
+#endif /* !RTE_EXEC_ENV_WINDOWS */
+
+REGISTER_TEST_COMMAND(inline_macsec_autotest, test_inline_macsec);
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
new file mode 100644
index 0000000000..c7cbc79e3b
--- /dev/null
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -0,0 +1,2318 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+#ifndef _TEST_INLINE_MACSEC_VECTORS_H_
+#define _TEST_INLINE_MACSEC_VECTORS_H_
+
+#define MCS_MAX_DATA_SZ 256
+#define MCS_MAX_KEY_LEN 32
+#define MCS_IV_LEN	12
+#define MCS_SALT_LEN	12
+
+enum mcs_op {
+	MCS_NO_OP,
+	MCS_ENCAP,
+	MCS_DECAP,
+	MCS_ENCAP_DECAP,
+	MCS_AUTH_ONLY,
+	MCS_VERIFY_ONLY,
+	MCS_AUTH_VERIFY,
+};
+
+struct mcs_test_vector {
+	uint32_t test_idx;
+	enum rte_security_macsec_alg alg;
+	uint32_t ssci;
+	uint32_t xpn;
+	uint8_t salt[MCS_SALT_LEN];
+	struct {
+		uint8_t data[MCS_MAX_KEY_LEN];
+		uint16_t len;
+	} sa_key;
+	struct {
+		uint8_t data[MCS_MAX_KEY_LEN];
+		uint16_t len;
+	} hash_key;
+	struct {
+		uint8_t data[MCS_MAX_DATA_SZ];
+		uint16_t len;
+	} plain_pkt;
+	struct {
+		uint8_t data[MCS_MAX_DATA_SZ];
+		uint16_t len;
+	} secure_pkt;
+};
+
+static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
+/* gcm_128_64B_cipher */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xE4, 0xE0, 0x17, 0x25, 0xD7, 0x24, 0xC1, 0x21,
+			0x5C, 0x73, 0x09, 0xAD, 0x34, 0x53, 0x92, 0x57,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* gcm_128_54B_cipher */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xE4, 0xE0, 0x17, 0x25, 0xD7, 0x24, 0xC1, 0x21,
+			0x5C, 0x73, 0x09, 0xAD, 0x34, 0x53, 0x92, 0x57,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x13, 0xB4, 0xC7, 0x2B, 0x38, 0x9D, 0xC5, 0x01,
+			0x8E, 0x72, 0xA1, 0x71, 0xDD, 0x85, 0xA5, 0xD3,
+			0x75, 0x22, 0x74, 0xD3, 0xA0, 0x19, 0xFB, 0xCA,
+			0xED, 0x09, 0xA4, 0x25, 0xCD, 0x9B, 0x2E, 0x1C,
+			0x9B, 0x72, 0xEE, 0xE7, 0xC9, 0xDE, 0x7D, 0x52,
+			0xB3, 0xF3,
+			/* ICV */
+			0xD6, 0xA5, 0x28, 0x4F, 0x4A, 0x6D, 0x3F, 0xE2,
+			0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
+		},
+		.len = 78,
+	},
+},
+/* gcm_256_54B_cipher */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x1E, 0x69, 0x3C, 0x48, 0x4A, 0xB8, 0x94, 0xB2,
+			0x66, 0x69, 0xBC, 0x12, 0xE6, 0xD5, 0xD7, 0x76,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0xC1, 0x62, 0x3F, 0x55, 0x73, 0x0C, 0x93, 0x53,
+			0x30, 0x97, 0xAD, 0xDA, 0xD2, 0x56, 0x64, 0x96,
+			0x61, 0x25, 0x35, 0x2B, 0x43, 0xAD, 0xAC, 0xBD,
+			0x61, 0xC5, 0xEF, 0x3A, 0xC9, 0x0B, 0x5B, 0xEE,
+			0x92, 0x9C, 0xE4, 0x63, 0x0E, 0xA7, 0x9F, 0x6C,
+			0xE5, 0x19,
+			/* ICV */
+			0x12, 0xAF, 0x39, 0xC2, 0xD1, 0xFD, 0xC2, 0x05,
+			0x1F, 0x8B, 0x7B, 0x3C, 0x9D, 0x39, 0x7E, 0xF2,
+		},
+		.len = 78,
+	},
+},
+/* gcm_128_xpn_54B_cipher */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xE4, 0xE0, 0x17, 0x25, 0xD7, 0x24, 0xC1, 0x21,
+			0x5C, 0x73, 0x09, 0xAD, 0x34, 0x53, 0x92, 0x57,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x9C, 0xA4, 0x69, 0x84, 0x43, 0x02, 0x03, 0xED,
+			0x41, 0x6E, 0xBD, 0xC2, 0xFE, 0x26, 0x22, 0xBA,
+			0x3E, 0x5E, 0xAB, 0x69, 0x61, 0xC3, 0x63, 0x83,
+			0x00, 0x9E, 0x18, 0x7E, 0x9B, 0x0C, 0x88, 0x56,
+			0x46, 0x53, 0xB9, 0xAB, 0xD2, 0x16, 0x44, 0x1C,
+			0x6A, 0xB6,
+			/* ICV */
+			0xF0, 0xA2, 0x32, 0xE9, 0xE4, 0x4C, 0x97, 0x8C,
+			0xF7, 0xCD, 0x84, 0xD4, 0x34, 0x84, 0xD1, 0x01,
+		},
+		.len = 78,
+	},
+},
+/* gcm_256_xpn_54B_cipher */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x1E, 0x69, 0x3C, 0x48, 0x4A, 0xB8, 0x94, 0xB2,
+			0x66, 0x69, 0xBC, 0x12, 0xE6, 0xD5, 0xD7, 0x76,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x88, 0xD9, 0xF7, 0xD1, 0xF1, 0x57, 0x8E, 0xE3,
+			0x4B, 0xA7, 0xB1, 0xAB, 0xC8, 0x98, 0x93, 0xEF,
+			0x1D, 0x33, 0x98, 0xC9, 0xF1, 0xDD, 0x3E, 0x47,
+			0xFB, 0xD8, 0x55, 0x3E, 0x0F, 0xF7, 0x86, 0xEF,
+			0x56, 0x99, 0xEB, 0x01, 0xEA, 0x10, 0x42, 0x0D,
+			0x0E, 0xBD,
+			/* ICV */
+			0x39, 0xA0, 0xE2, 0x73, 0xC4, 0xC7, 0xF9, 0x5E,
+			0xD8, 0x43, 0x20, 0x7D, 0x7A, 0x49, 0x7D, 0xFA,
+		},
+		.len = 78,
+	},
+},
+/* gcm_128_60B_cipher */
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0x73, 0xA2, 0x3D, 0x80, 0x12, 0x1D, 0xE2, 0xD5,
+			0xA8, 0x50, 0x25, 0x3F, 0xCF, 0x43, 0x12, 0x0E,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x70, 0x1A, 0xFA, 0x1C, 0xC0, 0x39, 0xC0, 0xD7,
+			0x65, 0x12, 0x8A, 0x66, 0x5D, 0xAB, 0x69, 0x24,
+			0x38, 0x99, 0xBF, 0x73, 0x18, 0xCC, 0xDC, 0x81,
+			0xC9, 0x93, 0x1D, 0xA1, 0x7F, 0xBE, 0x8E, 0xDD,
+			0x7D, 0x17, 0xCB, 0x8B, 0x4C, 0x26, 0xFC, 0x81,
+			0xE3, 0x28, 0x4F, 0x2B, 0x7F, 0xBA, 0x71, 0x3D,
+			/* ICV */
+			0x4F, 0x8D, 0x55, 0xE7, 0xD3, 0xF0, 0x6F, 0xD5,
+			0xA1, 0x3C, 0x0C, 0x29, 0xB9, 0xD5, 0xB8, 0x80,
+		},
+		.len = 92,
+	},
+},
+/* gcm_256_60B_cipher */
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x28, 0x6D, 0x73, 0x99, 0x4E, 0xA0, 0xBA, 0x3C,
+			0xFD, 0x1F, 0x52, 0xBF, 0x06, 0xA8, 0xAC, 0xF2,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0xE2, 0x00, 0x6E, 0xB4, 0x2F, 0x52, 0x77, 0x02,
+			0x2D, 0x9B, 0x19, 0x92, 0x5B, 0xC4, 0x19, 0xD7,
+			0xA5, 0x92, 0x66, 0x6C, 0x92, 0x5F, 0xE2, 0xEF,
+			0x71, 0x8E, 0xB4, 0xE3, 0x08, 0xEF, 0xEA, 0xA7,
+			0xC5, 0x27, 0x3B, 0x39, 0x41, 0x18, 0x86, 0x0A,
+			0x5B, 0xE2, 0xA9, 0x7F, 0x56, 0xAB, 0x78, 0x36,
+			/* ICV */
+			0x5C, 0xA5, 0x97, 0xCD, 0xBB, 0x3E, 0xDB, 0x8D,
+			0x1A, 0x11, 0x51, 0xEA, 0x0A, 0xF7, 0xB4, 0x36,
+		},
+		.len = 92,
+	},
+},
+/* gcm_128_xpn_60B_cipher */
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0x73, 0xA2, 0x3D, 0x80, 0x12, 0x1D, 0xE2, 0xD5,
+			0xA8, 0x50, 0x25, 0x3F, 0xCF, 0x43, 0x12, 0x0E,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x07, 0x12, 0xD9, 0x80, 0xCA, 0x50, 0xBB, 0xED,
+			0x35, 0xA0, 0xFA, 0x56, 0x63, 0x38, 0x72, 0x9F,
+			0xFA, 0x16, 0xD1, 0x9F, 0xFC, 0xF0, 0x7B, 0x3A,
+			0x1E, 0x79, 0x19, 0xB3, 0x77, 0x6A, 0xAC, 0xEC,
+			0x8A, 0x59, 0x37, 0x20, 0x8B, 0x48, 0x3A, 0x76,
+			0x91, 0x98, 0x4D, 0x38, 0x07, 0x92, 0xE0, 0x7F,
+			/* ICV */
+			0xC2, 0xC3, 0xC7, 0x9F, 0x26, 0x3F, 0xA6, 0xBF,
+			0xF8, 0xE7, 0x58, 0x1E, 0x2C, 0xE4, 0x5A, 0xF8,
+		},
+		.len = 92,
+	},
+},
+/* gcm_256_xpn_60B_cipher */
+{
+	.test_idx = 8,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x28, 0x6D, 0x73, 0x99, 0x4E, 0xA0, 0xBA, 0x3C,
+			0xFD, 0x1F, 0x52, 0xBF, 0x06, 0xA8, 0xAC, 0xF2,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x3E, 0xB0, 0x4A, 0x4B, 0xBF, 0x54, 0xC6, 0xEB,
+			0x12, 0x22, 0xA9, 0xAE, 0xA0, 0x0C, 0x38, 0x68,
+			0x7F, 0x6C, 0x35, 0x20, 0xD9, 0x76, 0xA3, 0xB6,
+			0x94, 0x80, 0x06, 0x50, 0xCE, 0x65, 0x85, 0xE6,
+			0x20, 0xA4, 0x19, 0x19, 0x17, 0xD2, 0xA6, 0x05,
+			0xD8, 0x70, 0xC7, 0x8D, 0x27, 0x52, 0xCE, 0x49,
+			/* ICV */
+			0x3B, 0x44, 0x2A, 0xC0, 0xC8, 0x16, 0xD7, 0xAB,
+			0xD7, 0x0A, 0xD6, 0x5C, 0x25, 0xD4, 0x64, 0x13,
+		},
+		.len = 92,
+	},
+},
+/* gcm_128_61B_cipher */
+{
+	.test_idx = 9,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xEB, 0x28, 0xDC, 0xB3, 0x61, 0xEE, 0x11, 0x10,
+			0xF9, 0x8C, 0xA0, 0xC9, 0xA0, 0x7C, 0x88, 0xF7,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x3A, 0x4D, 0xE6, 0xFA, 0x32, 0x19, 0x10, 0x14,
+			0xDB, 0xB3, 0x03, 0xD9, 0x2E, 0xE3, 0xA9, 0xE8,
+			0xA1, 0xB5, 0x99, 0xC1, 0x4D, 0x22, 0xFB, 0x08,
+			0x00, 0x96, 0xE1, 0x38, 0x11, 0x81, 0x6A, 0x3C,
+			0x9C, 0x9B, 0xCF, 0x7C, 0x1B, 0x9B, 0x96, 0xDA,
+			0x80, 0x92, 0x04, 0xE2, 0x9D, 0x0E, 0x2A, 0x76,
+			0x42,
+			/* ICV */
+			0xBF, 0xD3, 0x10, 0xA4, 0x83, 0x7C, 0x81, 0x6C,
+			0xCF, 0xA5, 0xAC, 0x23, 0xAB, 0x00, 0x39, 0x88,
+		},
+		.len = 93,
+	},
+},
+/* gcm_256_61B_cipher */
+{
+	.test_idx = 10,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0xD0, 0x3D, 0x3B, 0x51, 0xFD, 0xF2, 0xAA, 0xCB,
+			0x3A, 0x16, 0x5D, 0x7D, 0xC3, 0x62, 0xD9, 0x29,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x11, 0x02, 0x22, 0xFF, 0x80, 0x50, 0xCB, 0xEC,
+			0xE6, 0x6A, 0x81, 0x3A, 0xD0, 0x9A, 0x73, 0xED,
+			0x7A, 0x9A, 0x08, 0x9C, 0x10, 0x6B, 0x95, 0x93,
+			0x89, 0x16, 0x8E, 0xD6, 0xE8, 0x69, 0x8E, 0xA9,
+			0x02, 0xEB, 0x12, 0x77, 0xDB, 0xEC, 0x2E, 0x68,
+			0xE4, 0x73, 0x15, 0x5A, 0x15, 0xA7, 0xDA, 0xEE,
+			0xD4,
+			/* ICV */
+			0xA1, 0x0F, 0x4E, 0x05, 0x13, 0x9C, 0x23, 0xDF,
+			0x00, 0xB3, 0xAA, 0xDC, 0x71, 0xF0, 0x59, 0x6A,
+		},
+		.len = 93,
+	},
+},
+/* gcm_128_xpn_61B_cipher */
+{
+	.test_idx = 11,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xEB, 0x28, 0xDC, 0xB3, 0x61, 0xEE, 0x11, 0x10,
+			0xF9, 0x8C, 0xA0, 0xC9, 0xA0, 0x7C, 0x88, 0xF7,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x14, 0xC1, 0x76, 0x93, 0xBC, 0x82, 0x97, 0xEE,
+			0x6C, 0x47, 0xC5, 0x65, 0xCB, 0xE0, 0x67, 0x9E,
+			0x80, 0xF0, 0x0F, 0xCA, 0xF5, 0x92, 0xC9, 0xAA,
+			0x04, 0x73, 0x92, 0x8E, 0x7F, 0x2F, 0x21, 0x6F,
+			0xF5, 0xA0, 0x33, 0xDE, 0xC7, 0x51, 0x3F, 0x45,
+			0xD3, 0x4C, 0xBB, 0x98, 0x1C, 0x5B, 0xD6, 0x4E,
+			0x8B,
+			/* ICV */
+			0xD8, 0x4B, 0x8E, 0x2A, 0x78, 0xE7, 0x4D, 0xAF,
+			0xEA, 0xA0, 0x38, 0x46, 0xFE, 0x93, 0x0C, 0x0E,
+		},
+		.len = 93,
+	},
+},
+/* gcm_256_xpn_61B_cipher */
+{
+	.test_idx = 12,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0xD0, 0x3D, 0x3B, 0x51, 0xFD, 0xF2, 0xAA, 0xCB,
+			0x3A, 0x16, 0x5D, 0x7D, 0xC3, 0x62, 0xD9, 0x29,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x09, 0x96, 0xE0, 0xC9, 0xA5, 0x57, 0x74, 0xE0,
+			0xA7, 0x92, 0x30, 0x4E, 0x7D, 0xC1, 0x50, 0xBD,
+			0x67, 0xFD, 0x74, 0x7D, 0xD1, 0xB9, 0x41, 0x95,
+			0x94, 0xBF, 0x37, 0x3D, 0x4A, 0xCE, 0x8F, 0x87,
+			0xF5, 0xC1, 0x34, 0x9A, 0xFA, 0xC4, 0x91, 0xAA,
+			0x0A, 0x40, 0xD3, 0x19, 0x90, 0x87, 0xB2, 0x9F,
+			0xDF,
+			/* ICV */
+			0x80, 0x2F, 0x05, 0x0E, 0x69, 0x1F, 0x11, 0xA2,
+			0xD9, 0xB3, 0x58, 0xF6, 0x99, 0x41, 0x84, 0xF5,
+		},
+		.len = 93,
+	},
+},
+/* gcm_128_75B_cipher */
+{
+	.test_idx = 13,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xAE, 0x19, 0x11, 0x8C, 0x3B, 0x70, 0x4F, 0xCE,
+			0x42, 0xAE, 0x0D, 0x15, 0xD2, 0xC1, 0x5C, 0x7A,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xC3, 0x1F, 0x53, 0xD9, 0x9E, 0x56, 0x87, 0xF7,
+			0x36, 0x51, 0x19, 0xB8, 0x32, 0xD2, 0xAA, 0xE7,
+			0x07, 0x41, 0xD5, 0x93, 0xF1, 0xF9, 0xE2, 0xAB,
+			0x34, 0x55, 0x77, 0x9B, 0x07, 0x8E, 0xB8, 0xFE,
+			0xAC, 0xDF, 0xEC, 0x1F, 0x8E, 0x3E, 0x52, 0x77,
+			0xF8, 0x18, 0x0B, 0x43, 0x36, 0x1F, 0x65, 0x12,
+			0xAD, 0xB1, 0x6D, 0x2E, 0x38, 0x54, 0x8A, 0x2C,
+			0x71, 0x9D, 0xBA, 0x72, 0x28, 0xD8, 0x40,
+			/* ICV */
+			0x88, 0xF8, 0x75, 0x7A, 0xDB, 0x8A, 0xA7, 0x88,
+			0xD8, 0xF6, 0x5A, 0xD6, 0x68, 0xBE, 0x70, 0xE7,
+		},
+		.len = 99,
+	},
+},
+/* gcm_256_75B_cipher */
+{
+	.test_idx = 14,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x9A, 0x5E, 0x55, 0x9A, 0x96, 0x45, 0x9C, 0x21,
+			0xE4, 0x3C, 0x0D, 0xFF, 0x0F, 0xA4, 0x26, 0xF3,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xBA, 0x8A, 0xE3, 0x1B, 0xC5, 0x06, 0x48, 0x6D,
+			0x68, 0x73, 0xE4, 0xFC, 0xE4, 0x60, 0xE7, 0xDC,
+			0x57, 0x59, 0x1F, 0xF0, 0x06, 0x11, 0xF3, 0x1C,
+			0x38, 0x34, 0xFE, 0x1C, 0x04, 0xAD, 0x80, 0xB6,
+			0x68, 0x03, 0xAF, 0xCF, 0x5B, 0x27, 0xE6, 0x33,
+			0x3F, 0xA6, 0x7C, 0x99, 0xDA, 0x47, 0xC2, 0xF0,
+			0xCE, 0xD6, 0x8D, 0x53, 0x1B, 0xD7, 0x41, 0xA9,
+			0x43, 0xCF, 0xF7, 0xA6, 0x71, 0x3B, 0xD0,
+			/* ICV */
+			0x26, 0x11, 0xCD, 0x7D, 0xAA, 0x01, 0xD6, 0x1C,
+			0x5C, 0x88, 0x6D, 0xC1, 0xA8, 0x17, 0x01, 0x07,
+		},
+		.len = 99,
+	},
+},
+/* gcm_128_xpn_75B_cipher */
+{
+	.test_idx = 15,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xAE, 0x19, 0x11, 0x8C, 0x3B, 0x70, 0x4F, 0xCE,
+			0x42, 0xAE, 0x0D, 0x15, 0xD2, 0xC1, 0x5C, 0x7A,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xEA, 0xEC, 0xC6, 0xAF, 0x65, 0x12, 0xFC, 0x8B,
+			0x6C, 0x8C, 0x43, 0xBC, 0x55, 0xB1, 0x90, 0xB2,
+			0x62, 0x6D, 0x07, 0xD3, 0xD2, 0x18, 0xFA, 0xF5,
+			0xDA, 0xA7, 0xD8, 0xF8, 0x00, 0xA5, 0x73, 0x31,
+			0xEB, 0x43, 0xB5, 0xA1, 0x7A, 0x37, 0xE5, 0xB1,
+			0xD6, 0x0D, 0x27, 0x5C, 0xCA, 0xF7, 0xAC, 0xD7,
+			0x04, 0xCC, 0x9A, 0xCE, 0x2B, 0xF8, 0xBC, 0x8B,
+			0x9B, 0x23, 0xB9, 0xAD, 0xF0, 0x2F, 0x87,
+			/* ICV */
+			0x34, 0x6B, 0x96, 0xD1, 0x13, 0x6A, 0x75, 0x4D,
+			0xF0, 0xA6, 0xCD, 0xE1, 0x26, 0xC1, 0x07, 0xF8,
+		},
+		.len = 99,
+	},
+},
+/* gcm_256_xpn_75B_cipher */
+{
+	.test_idx = 16,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x9A, 0x5E, 0x55, 0x9A, 0x96, 0x45, 0x9C, 0x21,
+			0xE4, 0x3C, 0x0D, 0xFF, 0x0F, 0xA4, 0x26, 0xF3,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xB0, 0xFE, 0xA3, 0x63, 0x18, 0xB9, 0xB3, 0x64,
+			0x66, 0xC4, 0x6E, 0x9E, 0x1B, 0xDA, 0x1A, 0x26,
+			0x68, 0x58, 0x19, 0x6E, 0x7E, 0x70, 0xD8, 0x82,
+			0xAE, 0x70, 0x47, 0x56, 0x68, 0xCD, 0xE4, 0xEC,
+			0x88, 0x3F, 0x6A, 0xC2, 0x36, 0x9F, 0x28, 0x4B,
+			0xED, 0x1F, 0xE3, 0x2F, 0x42, 0x09, 0x2F, 0xDF,
+			0xF5, 0x86, 0x8A, 0x3C, 0x64, 0xE5, 0x61, 0x51,
+			0x92, 0xA7, 0xA3, 0x76, 0x0B, 0x34, 0xBC,
+			/* ICV */
+			0x85, 0x69, 0x2C, 0xD8, 0x15, 0xB6, 0x64, 0x71,
+			0x1A, 0xEF, 0x91, 0x1D, 0xF7, 0x8D, 0x7F, 0x46,
+		},
+		.len = 99,
+	},
+},
+};
+
+static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
+/* gcm_128_54B_integrity */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0x73, 0xA2, 0x3D, 0x80, 0x12, 0x1D, 0xE2, 0xD5,
+			0xA8, 0x50, 0x25, 0x3F, 0xCF, 0x43, 0x12, 0x0E,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0xF0, 0x94, 0x78, 0xA9, 0xB0, 0x90, 0x07, 0xD0,
+			0x6F, 0x46, 0xE9, 0xB6, 0xA1, 0xDA, 0x25, 0xDD,
+		},
+		.len = 86,
+	},
+},
+/* gcm_256_54B_integrity */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x28, 0x6D, 0x73, 0x99, 0x4E, 0xA0, 0xBA, 0x3C,
+			0xFD, 0x1F, 0x52, 0xBF, 0x06, 0xA8, 0xAC, 0xF2,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x2F, 0x0B, 0xC5, 0xAF, 0x40, 0x9E, 0x06, 0xD6,
+			0x09, 0xEA, 0x8B, 0x7D, 0x0F, 0xA5, 0xEA, 0x50,
+		},
+		.len = 86,
+	},
+},
+/* gcm_128_xpn_54B_integrity */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0x73, 0xA2, 0x3D, 0x80, 0x12, 0x1D, 0xE2, 0xD5,
+			0xA8, 0x50, 0x25, 0x3F, 0xCF, 0x43, 0x12, 0x0E,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x17, 0xFE, 0x19, 0x81, 0xEB, 0xDD, 0x4A, 0xFC,
+			0x50, 0x62, 0x69, 0x7E, 0x8B, 0xAA, 0x0C, 0x23,
+		},
+		.len = 86,
+	},
+},
+/* gcm_256_xpn_54B_integrity */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x28, 0x6D, 0x73, 0x99, 0x4E, 0xA0, 0xBA, 0x3C,
+			0xFD, 0x1F, 0x52, 0xBF, 0x06, 0xA8, 0xAC, 0xF2,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x4D, 0xBD, 0x2F, 0x6A, 0x75, 0x4A, 0x6C, 0xF7,
+			0x28, 0xCC, 0x12, 0x9B, 0xA6, 0x93, 0x15, 0x77,
+		},
+		.len = 86,
+	},
+},
+/* gcm_128_60B_integrity */
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xE4, 0xE0, 0x17, 0x25, 0xD7, 0x24, 0xC1, 0x21,
+			0x5C, 0x73, 0x09, 0xAD, 0x34, 0x53, 0x92, 0x57,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0x0C, 0x01, 0x7B, 0xC7, 0x3B, 0x22, 0x7D, 0xFC,
+			0xC9, 0xBA, 0xFA, 0x1C, 0x41, 0xAC, 0xC3, 0x53,
+		},
+		.len = 84,
+	},
+},
+/* gcm_256_60B_integrity */
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x1E, 0x69, 0x3C, 0x48, 0x4A, 0xB8, 0x94, 0xB2,
+			0x66, 0x69, 0xBC, 0x12, 0xE6, 0xD5, 0xD7, 0x76,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0x35, 0x21, 0x7C, 0x77, 0x4B, 0xBC, 0x31, 0xB6,
+			0x31, 0x66, 0xBC, 0xF9, 0xD4, 0xAB, 0xED, 0x07,
+		},
+		.len = 84,
+	},
+},
+/* gcm_128_xpn_60B_integrity */
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xE4, 0xE0, 0x17, 0x25, 0xD7, 0x24, 0xC1, 0x21,
+			0x5C, 0x73, 0x09, 0xAD, 0x34, 0x53, 0x92, 0x57,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0xAB, 0xC4, 0x06, 0x85, 0xA3, 0xCF, 0x91, 0x1D,
+			0x37, 0x87, 0xE4, 0x9D, 0xB6, 0xA7, 0x26, 0x5E,
+		},
+		.len = 84,
+	},
+},
+/* gcm_256_xpn_60B_integrity */
+{
+	.test_idx = 8,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x1E, 0x69, 0x3C, 0x48, 0x4A, 0xB8, 0x94, 0xB2,
+			0x66, 0x69, 0xBC, 0x12, 0xE6, 0xD5, 0xD7, 0x76,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0xAC, 0x21, 0x95, 0x7B, 0x83, 0x12, 0xAB, 0x3C,
+			0x99, 0xAB, 0x46, 0x84, 0x98, 0x79, 0xC3, 0xF3,
+		},
+		.len = 84,
+	},
+},
+/* gcm_128_65B_integrity */
+{
+	.test_idx = 9,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xEB, 0x28, 0xDC, 0xB3, 0x61, 0xEE, 0x11, 0x10,
+			0xF9, 0x8C, 0xA0, 0xC9, 0xA0, 0x7C, 0x88, 0xF7,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x21, 0x78, 0x67, 0xE5, 0x0C, 0x2D, 0xAD, 0x74,
+			0xC2, 0x8C, 0x3B, 0x50, 0xAB, 0xDF, 0x69, 0x5A,
+		},
+		.len = 97,
+	},
+},
+/* gcm_256_65B_integrity */
+{
+	.test_idx = 10,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0xD0, 0x3D, 0x3B, 0x51, 0xFD, 0xF2, 0xAA, 0xCB,
+			0x3A, 0x16, 0x5D, 0x7D, 0xC3, 0x62, 0xD9, 0x29,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x6E, 0xE1, 0x60, 0xE8, 0xFA, 0xEC, 0xA4, 0xB3,
+			0x6C, 0x86, 0xB2, 0x34, 0x92, 0x0C, 0xA9, 0x75,
+		},
+		.len = 97,
+	},
+},
+/* gcm_128_xpn_65B_integrity */
+{
+	.test_idx = 11,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xEB, 0x28, 0xDC, 0xB3, 0x61, 0xEE, 0x11, 0x10,
+			0xF9, 0x8C, 0xA0, 0xC9, 0xA0, 0x7C, 0x88, 0xF7,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x67, 0x85, 0x59, 0xB7, 0xE5, 0x2D, 0xB0, 0x06,
+			0x82, 0xE3, 0xB8, 0x30, 0x34, 0xCE, 0xBE, 0x59,
+		},
+		.len = 97,
+	},
+},
+/* gcm_256_xpn_65B_integrity */
+{
+	.test_idx = 12,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.hash_key = {
+		.data = {
+			0xD0, 0x3D, 0x3B, 0x51, 0xFD, 0xF2, 0xAA, 0xCB,
+			0x3A, 0x16, 0x5D, 0x7D, 0xC3, 0x62, 0xD9, 0x29,
+		},
+		.len = 16,
+	},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x84, 0xBA, 0xC8, 0xE5, 0x3D, 0x1E, 0xA3, 0x55,
+			0xA5, 0xC7, 0xD3, 0x34, 0x84, 0x0A, 0xE9, 0x62,
+		},
+		.len = 97,
+	},
+},
+/* gcm_128_79B_integrity */
+{
+	.test_idx = 13,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xAE, 0x19, 0x11, 0x8C, 0x3B, 0x70, 0x4F, 0xCE,
+			0x42, 0xAE, 0x0D, 0x15, 0xD2, 0xC1, 0x5C, 0x7A,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x07, 0x92, 0x2B, 0x8E, 0xBC, 0xF1, 0x0B, 0xB2,
+			0x29, 0x75, 0x88, 0xCA, 0x4C, 0x61, 0x45, 0x23,
+		},
+		.len = 103,
+	},
+},
+/* gcm_256_79B_integrity */
+{
+	.test_idx = 14,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x9A, 0x5E, 0x55, 0x9A, 0x96, 0x45, 0x9C, 0x21,
+			0xE4, 0x3C, 0x0D, 0xFF, 0x0F, 0xA4, 0x26, 0xF3,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x00, 0xBD, 0xA1, 0xB7, 0xE8, 0x76, 0x08, 0xBC,
+			0xBF, 0x47, 0x0F, 0x12, 0x15, 0x7F, 0x4C, 0x07,
+		},
+		.len = 103,
+	},
+},
+/* gcm_128_xpn_79B_integrity */
+{
+	.test_idx = 15,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.hash_key = {
+		.data = {
+			0xAE, 0x19, 0x11, 0x8C, 0x3B, 0x70, 0x4F, 0xCE,
+			0x42, 0xAE, 0x0D, 0x15, 0xD2, 0xC1, 0x5C, 0x7A,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0xD0, 0xDC, 0x89, 0x6D, 0xC8, 0x37, 0x98, 0xA7,
+			0x9F, 0x3C, 0x5A, 0x95, 0xBA, 0x3C, 0xDF, 0x9A,
+		},
+		.len = 103,
+	},
+},
+/* gcm_256_xpn_79B_integrity */
+{
+	.test_idx = 16,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.hash_key = {
+		.data = {
+			0x9A, 0x5E, 0x55, 0x9A, 0x96, 0x45, 0x9C, 0x21,
+			0xE4, 0x3C, 0x0D, 0xFF, 0x0F, 0xA4, 0x26, 0xF3,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x04, 0x24, 0x9A, 0x20, 0x8A, 0x65, 0xB9, 0x6B,
+			0x3F, 0x32, 0x63, 0x00, 0x4C, 0xFD, 0x86, 0x7D,
+		},
+		.len = 103,
+	},
+},
+};
+
+
+
+
+#endif
-- 
2.25.1

[PATCH 5/5] test/security: add more MACsec cases

[Akhil Goyal]

Added more cases related to decap and auth + cipher.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 305 +++++++++++++++++
 .../test_security_inline_macsec_vectors.h     | 321 ++++++++++++++++++
 2 files changed, 626 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index dec7cb20df..6d19a9377d 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -655,6 +655,283 @@ test_inline_macsec_encap_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_decap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Decryption case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Decryption case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_auth_only_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_ONLY, &opts);
+		if (err) {
+			printf("\nAuth Generate case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Generate case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_verify_only_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err) {
+			printf("\nAuth Verify case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Verify case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_encap_decap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP_DECAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Encap-decap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Encap-decap case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+
+static int
+test_inline_macsec_auth_verify_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_VERIFY, &opts);
+		if (err) {
+			printf("\nAuth Generate + Verify case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Generate + Verify case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_multi_flow(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *tv[MCS_MAX_FLOWS];
+	struct mcs_test_vector iter[MCS_MAX_FLOWS];
+	struct mcs_test_opts opts = {0};
+	int i, err;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = MCS_MAX_FLOWS;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	for (i = 0; i < MCS_MAX_FLOWS; i++) {
+		memcpy(&iter[i].sa_key.data, sa_key, MCS_MULTI_FLOW_TD_KEY_SZ);
+		memcpy(&iter[i].plain_pkt.data, eth_addrs[i], 2 * RTE_ETHER_ADDR_LEN);
+		memcpy(&iter[i].plain_pkt.data[2 * RTE_ETHER_ADDR_LEN], plain_user_data,
+		       MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ);
+		memcpy(&iter[i].secure_pkt.data, eth_addrs[i], 2 * RTE_ETHER_ADDR_LEN);
+		memcpy(&iter[i].secure_pkt.data[2 * RTE_ETHER_ADDR_LEN], secure_user_data,
+		       MCS_MULTI_FLOW_TD_SECURE_DATA_SZ);
+		iter[i].sa_key.len = MCS_MULTI_FLOW_TD_KEY_SZ;
+		iter[i].hash_key.len = MCS_MULTI_FLOW_TD_KEY_SZ;
+		iter[i].plain_pkt.len = MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ +
+					(2 * RTE_ETHER_ADDR_LEN);
+		iter[i].secure_pkt.len = MCS_MULTI_FLOW_TD_SECURE_DATA_SZ +
+					(2 * RTE_ETHER_ADDR_LEN);
+		iter[i].alg = RTE_SECURITY_MACSEC_ALG_GCM_128;
+		iter[i].ssci = 0x0;
+		iter[i].xpn = 0x0;
+		tv[i] = (const struct mcs_test_vector *)&iter[i];
+	}
+	err = test_macsec(tv, MCS_ENCAP_DECAP, &opts);
+	if (err) {
+		printf("\nCipher Auth Encryption multi flow failed");
+		err = -1;
+	} else {
+		printf("\nCipher Auth Encryption multi flow Passed");
+		err = 0;
+	}
+	return err;
+}
+
+static int
+test_inline_macsec_with_vlan(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_vlan_vectors) / sizeof((list_mcs_vlan_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_vlan_vectors[i];
+		if (i == 0) {
+			opts.sectag_insert_mode = 1;
+		} else if (i == 1) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 1;
+		} else if (i == 2) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 2;
+		}
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("\n VLAN Encap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\n VLAN Encap case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_vlan_vectors[i];
+		if (i == 0) {
+			opts.sectag_insert_mode = 1;
+		} else if (i == 1) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 1;
+		} else if (i == 2) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 2;
+		}
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\n VLAN Decap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\n VLAN Decap case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, (2 * size) + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -804,6 +1081,34 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec encap(Cipher+Auth) known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_encap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec decap(De-cipher+verify) known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_decap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth only known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_only_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec verify only known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_verify_only_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec encap + decap known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_decap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth + verify known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_verify_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap + decap Multi flow",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_multi_flow),
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap and decap with VLAN",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_with_vlan),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index c7cbc79e3b..36a5631aff 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -2312,7 +2312,328 @@ static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
 },
 };
 
+#define MCS_MULTI_FLOW_TD_KEY_SZ		16
+#define MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ		42
+#define MCS_MULTI_FLOW_TD_SECURE_DATA_SZ	66
+#define MCS_MULTI_FLOW_TD_KEY_SZ		16
+#define MCS_MAX_FLOWS				63
 
+uint8_t sa_key[MCS_MULTI_FLOW_TD_KEY_SZ] = {
+		0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+		0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+};
 
+uint8_t eth_addrs[MCS_MAX_FLOWS][2 * RTE_ETHER_ADDR_LEN] = {
+		{0xE2, 0x00, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x02, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x03, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x04, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x05, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x06, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x07, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x08, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x09, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x10, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x11, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x12, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x13, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x14, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x15, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x16, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x17, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x18, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x19, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x20, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x21, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x22, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x23, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x24, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x25, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x26, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x27, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x28, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x29, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x30, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x31, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x32, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x33, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x34, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x35, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x36, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x37, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x38, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x39, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+};
+
+uint8_t plain_user_data[MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ] = {
+		/* User Data with Ethertype */
+		0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+		0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+		0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+		0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+		0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+		0x00, 0x04,
+};
+
+uint8_t secure_user_data[MCS_MULTI_FLOW_TD_SECURE_DATA_SZ] = {
+		/* MACsec EtherType */
+		0x88, 0xE5,
+		/* TCI and AN */
+		0x4C,
+		/* SL */
+		0x2A,
+		/* PN */
+		0x76, 0xD4, 0x57, 0xED,
+		/* Secure Data */
+		0x13, 0xB4, 0xC7, 0x2B, 0x38, 0x9D, 0xC5, 0x01,
+		0x8E, 0x72, 0xA1, 0x71, 0xDD, 0x85, 0xA5, 0xD3,
+		0x75, 0x22, 0x74, 0xD3, 0xA0, 0x19, 0xFB, 0xCA,
+		0xED, 0x09, 0xA4, 0x25, 0xCD, 0x9B, 0x2E, 0x1C,
+		0x9B, 0x72, 0xEE, 0xE7, 0xC9, 0xDE, 0x7D, 0x52,
+		0xB3, 0xF3,
+		/* ICV */
+		0xD6, 0xA5, 0x28, 0x4F, 0x4A, 0x6D, 0x3F, 0xE2,
+		0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
+};
+
+static const struct mcs_test_vector list_mcs_vlan_vectors[] = {
+/* No clear tag, VLAN after macsec header */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data with VLAN Tag */
+			0x81, 0x00, 0x00, 0x02, 0x08, 0x00, 0x45, 0x00,
+			0x00, 0x54, 0xF2, 0xFA, 0x40, 0x00, 0x40, 0x01,
+			0xF7, 0x83, 0x14, 0x14, 0x14, 0x02, 0x14, 0x14,
+			0x14, 0x01, 0x08, 0x00, 0xE9, 0xC5, 0x02, 0xAF,
+			0x00, 0x01, 0xCB, 0x51, 0x6D, 0x38, 0x00, 0x00,
+			0x00, 0x00, 0x13, 0x2D, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+			0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
+			0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D,
+			0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+			0x36, 0x37,
+		},
+		.len = 102,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x06,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x81, 0x00, 0x00, 0x02, 0x08, 0x00, 0x45, 0x00,
+			0x00, 0x54, 0xF2, 0xFA, 0x40, 0x00, 0x40, 0x01,
+			0xF7, 0x83, 0x14, 0x14, 0x14, 0x02, 0x14, 0x14,
+			0x14, 0x01, 0x08, 0x00, 0xE9, 0xC5, 0x02, 0xAF,
+			0x00, 0x01, 0xCB, 0x51, 0x6D, 0x38, 0x00, 0x00,
+			0x00, 0x00, 0x13, 0x2D, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+			0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
+			0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D,
+			0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+			0x36, 0x37,
+			/* ICV */
+			0x21, 0x68, 0xF1, 0x21, 0x19, 0xB7, 0xDF, 0x73,
+			0x6F, 0x2A, 0x11, 0xEA, 0x8A, 0xBC, 0x8A, 0x79,
+		},
+		.len = 134,
+	},
+},
+/* 1 vlan tag followed by MACsec */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data */
+			0x81, 0x00, 0x00, 0x02,
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x88, 0x71,
+			0x40, 0x00, 0x40, 0x01, 0x62, 0x0D, 0x14, 0x14,
+			0x14, 0x02, 0x14, 0x14, 0x14, 0x01, 0x08, 0x00,
+			0x77, 0xA6, 0x02, 0xB3, 0x00, 0x01, 0xBE, 0x52,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x47,
+			0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		},
+		.len = 102,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* VLAN Tag before MACsec */
+			0x81, 0x00, 0x00, 0x02,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x07,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x88, 0x71,
+			0x40, 0x00, 0x40, 0x01, 0x62, 0x0D, 0x14, 0x14,
+			0x14, 0x02, 0x14, 0x14, 0x14, 0x01, 0x08, 0x00,
+			0x77, 0xA6, 0x02, 0xB3, 0x00, 0x01, 0xBE, 0x52,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x47,
+			0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+			/* ICV */
+			0xF1, 0xC0, 0xA2, 0x6E, 0x99, 0xE5, 0xAB, 0x97,
+			0x78, 0x79, 0x7D, 0x13, 0x35, 0x5E, 0x39, 0x4F,
+		},
+		.len = 134,
+	},
+},
+/* 2 vlan tag followed by MACsec */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data */
+			0x88, 0xA8, 0x00, 0x04, 0x81, 0x00, 0x00, 0x02,
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x70, 0x5B,
+			0x40, 0x00, 0x40, 0x01, 0x29, 0xF9, 0x28, 0x28,
+			0x28, 0x04, 0x28, 0x28, 0x28, 0x01, 0x08, 0x00,
+			0x08, 0x02, 0x02, 0xE2, 0x00, 0x01, 0x60, 0x58,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x5C, 0xB7,
+			0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		},
+		.len = 106,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* VLAN Tags before MACsec */
+			0x88, 0xA8, 0x00, 0x04,
+			0x81, 0x00, 0x00, 0x02,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x0E,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x70, 0x5B,
+			0x40, 0x00, 0x40, 0x01, 0x29, 0xF9, 0x28, 0x28,
+			0x28, 0x04, 0x28, 0x28, 0x28, 0x01, 0x08, 0x00,
+			0x08, 0x02, 0x02, 0xE2, 0x00, 0x01, 0x60, 0x58,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x5C, 0xB7,
+			0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+			/* ICV */
+			0xCC, 0x38, 0x21, 0x3A, 0xEE, 0x5F, 0xE3, 0x7F,
+			0xA1, 0xBA, 0xBD, 0xBD, 0x65, 0x5B, 0xB3, 0xE5,
+		},
+		.len = 138,
+	},
+},
+};
 
 #endif
-- 
2.25.1

RE: [PATCH v2 0/3] security: support MACsec

[Akhil Goyal]

> Subject: [PATCH v2 0/3] security: support MACsec
> 
> Added support for MACsec in rte_security for offloading
> MACsec Protocol operation to inline NIC device or a crypto device.
> 
> To support MACsec we cannot just make one security session and
> send with the packet to process it. MACsec specifications suggest,
> it can have 3 different entities - SECY Entity, SC(secure channel) and
> SA(security association). And same SA can be used by multiple SCs and
> similarly many SECY can have same SCs. Hence, in order to support this
> many to one relationships between all entities, 2 new APIs are created -
> rte_security_macsec_sc_create and rte_security_sa_create.
> Flow of execution of the APIs would be as
> - rte_security_macsec_sa_create
> - rte_security_macsec_sc_create
> - rte_security_session_create(for secy)
> And in case of inline protocol processing rte_flow can be created with
> rte_security action similar to IPsec flows except that the flow item
> will be MACsec instead of IPsec.
> 
> A new flow item is added for MACsec header and a set of events are added
> to specify the errors occurred during inline protocol processing.
> 
> New APIs are also created for getting SC and SA stats.
> 
> Patches for PMD implementation and test app are submitted separately
> which can be separately applied after RC1.

WIP Patches are sent to support this series to be merged in RC1.
http://patches.dpdk.org/project/dpdk/list/?series=24879

> 
> Changes in v2:
> - Incorporated comments from Olivier except the one to split tci_an into
>   bitfields.
> - added release notes and removed deprecation notice.
> - added some missing fields in rte_security patch.
> 
> 
> Akhil Goyal (3):
>   net: add MACsec header
>   ethdev: add MACsec flow item
>   security: support MACsec
> 
>  doc/api/doxy-api-index.md              |   3 +-
>  doc/guides/prog_guide/rte_security.rst | 107 ++++++-
>  doc/guides/rel_notes/deprecation.rst   |   5 -
>  doc/guides/rel_notes/release_22_11.rst |  10 +
>  lib/ethdev/rte_ethdev.h                |  55 ++++
>  lib/ethdev/rte_flow.h                  |  18 ++
>  lib/net/meson.build                    |   1 +
>  lib/net/rte_macsec.h                   |  61 ++++
>  lib/security/rte_security.c            |  86 ++++++
>  lib/security/rte_security.h            | 370 ++++++++++++++++++++++++-
>  lib/security/rte_security_driver.h     |  86 ++++++
>  lib/security/version.map               |   6 +
>  12 files changed, 789 insertions(+), 19 deletions(-)
>  create mode 100644 lib/net/rte_macsec.h
> 
> --
> 2.25.1

Re: [PATCH v2 1/3] net: add MACsec header

[Olivier Matz]

On Wed, Sep 28, 2022 at 05:52:51PM +0530, Akhil Goyal wrote:
> Added MACsec protocol header to be used for supporting
> MACsec protocol offload in hardware or directly in the application.
> 
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>

Acked-by: Olivier Matz <olivier.matz@6wind.com>

Thanks

Re: [PATCH v2 1/3] net: add MACsec header

[Thomas Monjalon]

28/09/2022 14:22, Akhil Goyal:
> --- /dev/null
> +++ b/lib/net/rte_macsec.h
> +#ifndef _RTE_MACSEC_H_
> +#define _RTE_MACSEC_H_
[...]
> +#endif /* RTE_MACSEC_H_ */

Discrepancy spotted here. Anyway no need of underscores at all.
I'll rename to RTE_MACSEC_H while merging.

RE: [PATCH v2 1/3] net: add MACsec header

[Ori Kam]

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Wednesday, 28 September 2022 15:23
> To: dev@dpdk.org

Acked-by: Ori Kam <orika@nvidia.com>
Thanks,
Ori

[PATCH v3 0/3] security: support MACsec

[Akhil Goyal]

Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it can have 3 different entities - SECY Entity, SC(secure channel) and
SA(security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create(for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action similar to IPsec flows except that the flow item
will be MACsec instead of IPsec.

A new flow item is added for MACsec header and a set of events are added
to specify the errors occurred during inline protocol processing.

New APIs are also created for getting SC and SA stats.

Patches for PMD implementation and test app are submitted separately
which can be separately applied after RC1.

Changes in v3:
- fix doc build in documentation of patch 2/3
- fix checkpatch in patch 3/3
- fix comments
- fix namespace in MACsec ethdev events

Changes in v2:
- Incorporated comments from Olivier except the one to split tci_an into
  bitfields.
- added release notes and removed deprecation notice.
- added some missing fields in rte_security patch.


Akhil Goyal (3):
  net: add MACsec header
  ethdev: add MACsec flow item
  security: support MACsec

 doc/api/doxy-api-index.md              |   3 +-
 doc/guides/prog_guide/rte_security.rst | 107 ++++++-
 doc/guides/rel_notes/deprecation.rst   |   5 -
 doc/guides/rel_notes/release_22_11.rst |  10 +
 lib/ethdev/rte_ethdev.h                |  76 +++++
 lib/ethdev/rte_flow.h                  |  18 ++
 lib/net/meson.build                    |   1 +
 lib/net/rte_macsec.h                   |  61 ++++
 lib/security/rte_security.c            |  86 ++++++
 lib/security/rte_security.h            | 370 ++++++++++++++++++++++++-
 lib/security/rte_security_driver.h     |  86 ++++++
 lib/security/version.map               |   6 +
 12 files changed, 810 insertions(+), 19 deletions(-)
 create mode 100644 lib/net/rte_macsec.h

-- 
2.25.1

[PATCH v3 1/3] net: add MACsec header

[Akhil Goyal]

Added MACsec protocol header to be used for supporting
MACsec protocol offload in hardware or directly in the application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Olivier Matz <olivier.matz@6wind.com>
Acked-by: Ori Kam <orika@nvidia.com>

---
 doc/api/doxy-api-index.md |  3 +-
 lib/net/meson.build       |  1 +
 lib/net/rte_macsec.h      | 61 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 lib/net/rte_macsec.h

diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md
index 186a258be4..99e49340d3 100644
--- a/doc/api/doxy-api-index.md
+++ b/doc/api/doxy-api-index.md
@@ -126,7 +126,8 @@ The public API headers are grouped by topics:
   [Geneve](@ref rte_geneve.h),
   [eCPRI](@ref rte_ecpri.h),
   [L2TPv2](@ref rte_l2tpv2.h),
-  [PPP](@ref rte_ppp.h)
+  [PPP](@ref rte_ppp.h),
+  [MACsec](@ref rte_macsec.h)
 
 - **QoS**:
   [metering](@ref rte_meter.h),
diff --git a/lib/net/meson.build b/lib/net/meson.build
index e899846578..3e63abaca8 100644
--- a/lib/net/meson.build
+++ b/lib/net/meson.build
@@ -21,6 +21,7 @@ headers = files(
         'rte_geneve.h',
         'rte_l2tpv2.h',
         'rte_ppp.h',
+        'rte_macsec.h',
 )
 
 sources = files(
diff --git a/lib/net/rte_macsec.h b/lib/net/rte_macsec.h
new file mode 100644
index 0000000000..c92b5fef48
--- /dev/null
+++ b/lib/net/rte_macsec.h
@@ -0,0 +1,61 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _RTE_MACSEC_H_
+#define _RTE_MACSEC_H_
+
+/**
+ * @file
+ *
+ * MACsec-related defines
+ */
+
+#include <rte_byteorder.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define RTE_MACSEC_TCI_VER_MASK	0x80 /**< Version mask for MACsec. Should be 0. */
+#define RTE_MACSEC_TCI_ES	0x40 /**< Mask for End station (ES) bit - SCI is not valid. */
+#define RTE_MACSEC_TCI_SC	0x20 /**< Mask for SCI present bit. */
+#define RTE_MACSEC_TCI_SCB	0x10 /**< Mask for EPON single copy broadcast bit. */
+#define RTE_MACSEC_TCI_E	0x08 /**< Mask for encrypted user data bit. */
+#define RTE_MACSEC_TCI_C	0x04 /**< Mask for changed user data bit (because of encryption). */
+#define RTE_MACSEC_AN_MASK	0x03 /**< Association number mask in tci_an. */
+
+/**
+ * MACsec Header(SecTAG)
+ */
+struct rte_macsec_hdr {
+	/**
+	 * Tag control information and Association number of secure channel.
+	 * Various bits of TCI and AN are masked using RTE_MACSEC_TCI_* and RTE_MACSEC_AN_MASK.
+	 */
+	uint8_t tci_an;
+#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN
+	uint8_t short_length:6; /**< Short Length. */
+	uint8_t unused:2;
+#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN
+	uint8_t unused:2;
+	uint8_t short_length:6; /**< Short Length. */
+#endif
+	rte_be32_t packet_number; /**< Packet number to support replay protection. */
+} __rte_packed;
+
+/** SCI length in MACsec header if present. */
+#define RTE_MACSEC_SCI_LEN 8
+
+/**
+ * MACsec SCI header(8 bytes) after the MACsec header which is present if SC bit is set in tci_an.
+ */
+struct rte_macsec_sci_hdr {
+	uint8_t sci[RTE_MACSEC_SCI_LEN]; /**< Optional secure channel id. */
+} __rte_packed;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _RTE_MACSEC_H_ */
-- 
2.25.1

[PATCH v3 2/3] ethdev: add MACsec flow item

[Akhil Goyal]

A new flow item is defined for MACsec flows which can be
offloaded to an inline device. If the flow matches with
MACsec header, device will process as per the security
session created using rte_security APIs.
If an error comes while MACsec processing in HW, PMD will
notify with the events defined in this patch.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ori Kam <orika@nvidia.com>
---
 lib/ethdev/rte_ethdev.h | 76 +++++++++++++++++++++++++++++++++++++++++
 lib/ethdev/rte_flow.h   | 18 ++++++++++
 2 files changed, 94 insertions(+)

diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h
index 19e2a8eb3f..8082d5e9e2 100644
--- a/lib/ethdev/rte_ethdev.h
+++ b/lib/ethdev/rte_ethdev.h
@@ -3579,6 +3579,82 @@ rte_eth_tx_buffer_count_callback(struct rte_mbuf **pkts, uint16_t unsent,
 int
 rte_eth_tx_done_cleanup(uint16_t port_id, uint16_t queue_id, uint32_t free_cnt);
 
+/**
+ * Subtypes for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC) raised by
+ * Ethernet device.
+ */
+enum rte_eth_event_macsec_subtype {
+	/** Notifies unknown MACsec subevent. */
+	RTE_ETH_SUBEVENT_MACSEC_UNKNOWN,
+	/**
+	 * Subevent of RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR sectag validation events
+	 *	Validation check: SecTag.TCI.V = 1
+	 */
+	RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1,
+	/**
+	 * Subevent of RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR sectag validation events
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 */
+	RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1,
+	/**
+	 * Subevent of RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR sectag validation events
+	 *	Validation check: SecTag.SL >= 'd48
+	 */
+	RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48,
+	/**
+	 * Subevent of RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR sectag validation events
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 */
+	RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1,
+	/**
+	 * Subevent of RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR sectag validation events
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1,
+};
+
+/**
+ * Event types for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC) raised by
+ * eth device.
+ */
+enum rte_eth_event_macsec_type {
+	/** Notifies unknown MACsec event. */
+	RTE_ETH_EVENT_MACSEC_UNKNOWN,
+	/** Notifies Sectag validation failure events. */
+	RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR,
+	/** Notifies Rx SA hard expiry events. */
+	RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP,
+	/** Notifies Rx SA soft expiry events. */
+	RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP,
+	/** Notifies Tx SA hard expiry events. */
+	RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP,
+	/** Notifies Tx SA soft events. */
+	RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP,
+	/** Notifies Invalid SA event. */
+	RTE_ETH_EVENT_MACSEC_SA_NOT_VALID,
+};
+
+/**
+ * Descriptor for @ref RTE_ETH_EVENT_MACSEC event. Used by eth dev to send extra
+ * information of the MACsec offload event.
+ */
+struct rte_eth_event_macsec_desc {
+	/** Type of RTE_ETH_EVENT_MACSEC_* event. */
+	enum rte_eth_event_macsec_type type;
+	/** Type of RTE_ETH_SUBEVENT_MACSEC_* subevent. */
+	enum rte_eth_event_macsec_subtype subtype;
+	/**
+	 * Event specific metadata.
+	 *
+	 * For the following events, *userdata* registered
+	 * with the *rte_security_session* would be returned
+	 * as metadata,
+	 *
+	 * @see struct rte_security_session_conf.
+	 */
+	uint64_t metadata;
+};
+
 /**
  * Subtypes for IPsec offload event(@ref RTE_ETH_EVENT_IPSEC) raised by
  * eth device.
diff --git a/lib/ethdev/rte_flow.h b/lib/ethdev/rte_flow.h
index 96147a149a..e966488965 100644
--- a/lib/ethdev/rte_flow.h
+++ b/lib/ethdev/rte_flow.h
@@ -35,6 +35,7 @@
 #include <rte_l2tpv2.h>
 #include <rte_ppp.h>
 #include <rte_gre.h>
+#include <rte_macsec.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -626,6 +627,13 @@ enum rte_flow_item_type {
 	 * See struct rte_flow_item_gre_opt.
 	 */
 	RTE_FLOW_ITEM_TYPE_GRE_OPTION,
+
+	/**
+	 * Matches MACsec Ethernet Header.
+	 *
+	 * See struct rte_flow_item_macsec.
+	 */
+	RTE_FLOW_ITEM_TYPE_MACSEC,
 };
 
 /**
@@ -1099,6 +1107,16 @@ struct rte_flow_item_gre_opt {
 	struct rte_gre_hdr_opt_sequence sequence;
 };
 
+/**
+ * RTE_FLOW_ITEM_TYPE_MACSEC.
+ *
+ * Matches MACsec header.
+ */
+struct rte_flow_item_macsec {
+	struct rte_macsec_hdr macsec_hdr;
+};
+
+
 /**
  * RTE_FLOW_ITEM_TYPE_FUZZY
  *
-- 
2.25.1

[PATCH v3 3/3] security: support MACsec

[Akhil Goyal]

Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it has 3 different entities - SECY Entity, SC (secure channel) and
SA (security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_macsec_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create (for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action. A new flow item will be added for MACsec header.
New APIs are also created for getting SC and SA stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 107 ++++++-
 doc/guides/rel_notes/deprecation.rst   |   5 -
 doc/guides/rel_notes/release_22_11.rst |  10 +
 lib/security/rte_security.c            |  86 ++++++
 lib/security/rte_security.h            | 370 ++++++++++++++++++++++++-
 lib/security/rte_security_driver.h     |  86 ++++++
 lib/security/version.map               |   6 +
 7 files changed, 652 insertions(+), 18 deletions(-)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 277169a335..f6c4a49983 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -347,6 +347,55 @@ The CRC is Ethernet CRC-32 as specified in Ethernet/[ISO/IEC 8802-3].
     * Other DOCSIS protocol functionality such as Header Checksum (HCS)
       calculation may be added in the future.
 
+MACSEC Protocol
+~~~~~~~~~~~~~~~
+
+Media Access Control security (MACsec) provides point-to-point security on Ethernet
+links and is defined by IEEE standard 802.1AE. MACsec secures an Ethernet link for
+almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP),
+Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP),
+Address Resolution Protocol (ARP), and other protocols that are not typically secured
+on an Ethernet link because of limitations with other security solutions.
+
+.. code-block:: c
+
+             Receive                                                Transmit
+             -------                                                --------
+
+         Ethernet frame                                          Ethernet frame
+         from  network                                           towards network
+                |                                                      ^
+                ~                                                      |
+                |                                                      ~
+                V                                                      |
+    +-----------------------+      +------------------+      +-------------------------+
+    | Secure frame verify   |      | Cipher Suite(SA) |      | Secure Frame Generation |
+    +-----------------------+<-----+------------------+----->+-------------------------+
+    | SecTAG + ICV remove   |      |  SECY   |   SC   |      | SecTAG + ICV Added      |
+    +---+-------------------+      +------------------+      +-------------------------+
+                |                                                      ^
+                |                                                      |
+                V                                                      |
+        Packet to Core/App                                     Packet from core/App
+
+
+
+To configure MACsec on an inline NIC device or a lookaside crypto device, a security
+association (SA) and a secure channel (SC) are created before creating rte_security
+session.
+
+SA is created using API ``rte_security_macsec_sa_create`` which allows setting
+SA keys, salt, SSCI, packet number (PN) into the PMD and the API returns a handle
+which can be used to map it with a secure channel using the API
+``rte_security_macsec_sc_create``. Same SAs can be used for multiple SCs.
+The Rx SC will need a set of 4 SAs for each of the association numbers (AN).
+For Tx SC a single SA is set which will be used by hardware to process the packet.
+
+The API ``rte_security_macsec_sc_create`` returns a handle for SC and this handle
+is set in ``rte_security_macsec_xform`` to create a MACsec session using
+``rte_security_session_create``.
+
+
 Device Features and Capabilities
 ---------------------------------
 
@@ -519,6 +568,35 @@ protocol.
         RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
     };
 
+Below is the example PMD capability for MACsec
+
+.. code-block:: c
+
+    static const struct rte_security_capability pmd_security_capabilities[] = {
+        {
+                .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+                .protocol = RTE_SECURITY_PROTOCOL_MACSEC,
+                .macsec = {
+                        .mtu = 1500,
+                        .alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+                        .max_nb_sc = 64,
+                        .max_nb_sa = 128,
+                        .max_nb_sess = 64,
+                        .replay_win_sz = 4096,
+                        .relative_sectag_insert = 1,
+                        .fixed_sectag_insert = 1,
+                        .icv_include_da_sa = 1,
+                        .ctrl_port_enable = 1,
+                        .preserve_sectag = 1,
+                        .preserve_icv = 1,
+                        .validate_frames = 1,
+                        .re_key = 1,
+                        .anti_replay = 1,
+                },
+                .crypto_capabilities = NULL,
+        },
+    };
+
 Capabilities Discovery
 ~~~~~~~~~~~~~~~~~~~~~~
 
@@ -658,6 +736,8 @@ which will be updated in the future.
 
 IPsec related configuration parameters are defined in ``rte_security_ipsec_xform``
 
+MACsec related configuration parameters are defined in ``rte_security_macsec_xform``
+
 PDCP related configuration parameters are defined in ``rte_security_pdcp_xform``
 
 DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform``
@@ -679,7 +759,7 @@ The ingress/egress flow attribute should match that specified in the security
 session if the security session supports the definition of the direction.
 
 Multiple flows can be configured to use the same security session. For
-example if the security session specifies an egress IPsec SA, then multiple
+example if the security session specifies an egress IPsec/MACsec SA, then multiple
 flows can be specified to that SA. In the case of an ingress IPsec SA then
 it is only valid to have a single flow to map to that security session.
 
@@ -689,8 +769,8 @@ it is only valid to have a single flow to map to that security session.
                  |
         +--------|--------+
         |    Add/Remove   |
-        |     IPsec SA    |   <------ Build security flow action of
-        |        |        |           ipsec transform
+        | IPsec/MACsec SA |   <------ Build security flow action of
+        |        |        |           IPsec/MACsec transform
         |--------|--------|
                  |
         +--------V--------+
@@ -709,9 +789,9 @@ it is only valid to have a single flow to map to that security session.
         |                 |
         +--------|--------+
 
-* Add/Delete SA flow:
+* Add/Delete IPsec SA flow:
   To add a new inline SA construct a rte_flow_item for Ethernet + IP + ESP
-  using the SA selectors and the ``rte_crypto_ipsec_xform`` as the ``rte_flow_action``.
+  using the SA selectors and the ``rte_security_ipsec_xform`` as the ``rte_flow_action``.
   Note that any rte_flow_items may be empty, which means it is not checked.
 
 .. code-block:: console
@@ -726,6 +806,23 @@ it is only valid to have a single flow to map to that security session.
         |  Eth  | ->  ... -> |   ESP  | -> | END |
         +-------+            +--------+    +-----+
 
+* Add/Delete MACsec SA flow:
+  To add a new inline SA construct a rte_flow_item for Ethernet + SecTAG
+  using the SA selectors and the ``rte_security_macsec_xform`` as the ``rte_flow_action``.
+  Note that any rte_flow_items may be empty, which means it is not checked.
+
+.. code-block:: console
+
+    In its most basic form, MACsec flow specification is as follows:
+        +-------+     +----------+     +-----+
+        |  Eth  | ->  |  SecTag  |  -> | END |
+        +-------+     +----------+     +-----+
+
+    However, the API can represent, MACsec offload with any encapsulation:
+        +-------+            +--------+    +-----+
+        |  Eth  | ->  ... -> | SecTag | -> | END |
+        +-------+            +--------+    +-----+
+
 
 Telemetry support
 -----------------
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index e83bc648fc..3915644501 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -151,11 +151,6 @@ Deprecation Notices
   pointer for the private data to the application which can be attached
   to the packet while enqueuing.
 
-* security: MACsec support is planned to be added in DPDK 22.11,
-  which would result in updates to structures ``rte_security_macsec_xform``,
-  ``rte_security_macsec_stats`` and security capability structure
-  ``rte_security_capability`` to accommodate MACsec capabilities.
-
 * eventdev: The function ``rte_event_crypto_adapter_queue_pair_add`` will
   accept configuration of type ``rte_event_crypto_adapter_queue_conf`` instead
   of ``rte_event``, similar to ``rte_event_eth_rx_adapter_queue_add`` signature.
diff --git a/doc/guides/rel_notes/release_22_11.rst b/doc/guides/rel_notes/release_22_11.rst
index 510485017d..c106ec2b18 100644
--- a/doc/guides/rel_notes/release_22_11.rst
+++ b/doc/guides/rel_notes/release_22_11.rst
@@ -72,6 +72,11 @@ New Features
   * Added AES-CCM support in lookaside protocol (IPsec) for CN9K & CN10K.
   * Added AES & DES DOCSIS algorithm support in lookaside crypto for CN9K.
 
+* **Added support for MACsec in rte_security.**
+
+  * Added MACsec transform for rte_security session and added new APIs to configure
+    security associations (SA) and secure channels (SC).
+
 * **Added eventdev adapter instance get API.**
 
   * Added ``rte_event_eth_rx_adapter_instance_get`` to get Rx adapter
@@ -209,6 +214,11 @@ API Changes
 * ethdev: Promoted ``rte_flow_pick_transfer_proxy()``
   from experimental to stable.
 
+* security: MACsec support is added which resulted in updates to
+  structures ``rte_security_macsec_xform``, ``rte_security_macsec_stats``
+  and security capability structure ``rte_security_capability`` to
+  accommodate MACsec capabilities.
+
 * telemetry: The allowed characters in names for dictionary values
   are now limited to alphanumeric characters and a small subset of additional
   printable characters.
diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c
index 22d6269d93..f94ed9ca43 100644
--- a/lib/security/rte_security.c
+++ b/lib/security/rte_security.c
@@ -124,6 +124,92 @@ rte_security_session_destroy(struct rte_security_ctx *instance,
 	return 0;
 }
 
+int
+rte_security_macsec_sc_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sc *conf)
+{
+	int sc_id;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_create, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
+	sc_id = instance->ops->macsec_sc_create(instance->device, conf);
+	if (sc_id >= 0)
+		instance->macsec_sc_cnt++;
+
+	return sc_id;
+}
+
+int
+rte_security_macsec_sa_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sa *conf)
+{
+	int sa_id;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_create, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
+	sa_id = instance->ops->macsec_sa_create(instance->device, conf);
+	if (sa_id >= 0)
+		instance->macsec_sa_cnt++;
+
+	return sa_id;
+}
+
+int
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id)
+{
+	int ret;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP);
+
+	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id);
+	if (ret != 0)
+		return ret;
+
+	if (instance->macsec_sc_cnt)
+		instance->macsec_sc_cnt--;
+
+	return 0;
+}
+
+int
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id)
+{
+	int ret;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP);
+
+	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id);
+	if (ret != 0)
+		return ret;
+
+	if (instance->macsec_sa_cnt)
+		instance->macsec_sa_cnt--;
+
+	return 0;
+}
+
+int
+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id,
+				 struct rte_security_macsec_sc_stats *stats)
+{
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
+	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats);
+}
+
+int
+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id,
+				 struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
+	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats);
+}
+
 int
 __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
 				struct rte_security_session *sess,
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 3e8cd29082..74fe3ef5d7 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -73,6 +73,10 @@ struct rte_security_ctx {
 	/**< Pointer to security ops for the device */
 	uint16_t sess_cnt;
 	/**< Number of sessions attached to this context */
+	uint16_t macsec_sc_cnt;
+	/**< Number of MACsec SC attached to this context */
+	uint16_t macsec_sa_cnt;
+	/**< Number of MACsec SA attached to this context */
 	uint32_t flags;
 	/**< Flags for security context */
 };
@@ -351,12 +355,166 @@ struct rte_security_ipsec_xform {
 	/**< UDP parameters, ignored when udp_encap option not specified */
 };
 
+/**
+ * MACSec packet flow direction
+ */
+enum rte_security_macsec_direction {
+	/** Generate SecTag and encrypt/authenticate */
+	RTE_SECURITY_MACSEC_DIR_TX,
+	/** Remove SecTag and decrypt/verify */
+	RTE_SECURITY_MACSEC_DIR_RX,
+};
+
+/** Maximum number of association numbers for a secure channel. */
+#define RTE_SECURITY_MACSEC_NUM_AN	4
+/** Salt length for MACsec SA. */
+#define RTE_SECURITY_MACSEC_SALT_LEN	12
+
+/**
+ * MACsec secure association(SA) configuration structure.
+ */
+struct rte_security_macsec_sa {
+	/** Direction of SA */
+	enum rte_security_macsec_direction dir;
+	/** MACsec SA key for AES-GCM 128/256 */
+	struct {
+		const uint8_t *data;	/**< pointer to key data */
+		uint16_t length;	/**< key length in bytes */
+	} key;
+	/** 96-bit value distributed by key agreement protocol */
+	uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN];
+	/** Association number to be used */
+	uint8_t an : 2;
+	/** Short Secure Channel Identifier, to be used for XPN cases */
+	uint32_t ssci;
+	/** Extended packet number */
+	uint32_t xpn;
+	/** Packet number expected/ to be used for next packet of this SA */
+	uint32_t next_pn;
+};
+
+/**
+ * MACsec Secure Channel configuration parameters.
+ */
+struct rte_security_macsec_sc {
+	/** Direction of SC */
+	enum rte_security_macsec_direction dir;
+	union {
+		struct {
+			/** SAs for each association number */
+			uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
+			/** flag to denote which all SAs are in use for each association number */
+			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
+			/** Channel is active */
+			uint8_t active : 1;
+			/** Reserved bitfields for future */
+			uint8_t reserved : 7;
+		} sc_rx;
+		struct {
+			uint16_t sa_id; /**< SA id to be used for encryption */
+			uint16_t sa_id_rekey; /**< Rekeying SA id to be used for encryption */
+			uint64_t sci; /**< SCI value to be used if send_sci is set */
+			uint8_t active : 1; /**< Channel is active */
+			uint8_t re_key_en : 1; /**< Enable Rekeying */
+			/** Reserved bitfields for future */
+			uint8_t reserved : 6;
+		} sc_tx;
+	};
+};
+
+/**
+ * MACsec Supported Algorithm list as per IEEE Std 802.1AE
+ */
+enum rte_security_macsec_alg {
+	RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */
+	RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */
+	RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */
+	RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */
+};
+
+/** Disable Validation of MACsec frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE	0
+/** Validate MACsec frame but do not discard invalid frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD	1
+/** Validate MACsec frame and discart invalid frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_STRICT	2
+/** Do not perform any MACsec operation */
+#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP	3
+
 /**
  * MACsec security session configuration
  */
 struct rte_security_macsec_xform {
-	/** To be Filled */
-	int dummy;
+	/** Direction of flow/secure channel */
+	enum rte_security_macsec_direction dir;
+	/** MACsec algorithm to be used */
+	enum rte_security_macsec_alg alg;
+	/** cipher offset from start of ethernet header */
+	uint8_t cipher_off;
+	/**
+	 * SCI to be used for RX flow identification or
+	 * to set SCI in packet for TX when send_sci is set
+	 */
+	uint64_t sci;
+	/** Receive/transmit secure channel id created by *rte_security_macsec_sc_create* */
+	uint16_t sc_id;
+	union {
+		struct {
+			/** MTU for transmit frame (Valid for inline processing) */
+			uint16_t mtu;
+			/**
+			 * Offset to insert sectag from start of ethernet header or
+			 * from a matching VLAN tag
+			 */
+			uint8_t sectag_off;
+			/** Enable MACsec protection of frames */
+			uint16_t protect_frames : 1;
+			/**
+			 * Sectag insertion mode
+			 * If 1, Sectag is inserted at fixed sectag_off set above.
+			 * If 0, Sectag is inserted at relative sectag_off from a matching
+			 * VLAN tag set.
+			 */
+			uint16_t sectag_insert_mode : 1;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port is enabled */
+			uint16_t ctrl_port_enable : 1;
+			/** Version of MACsec header. Should be 0 */
+			uint16_t sectag_version : 1;
+			/** Enable end station. SCI is not valid */
+			uint16_t end_station : 1;
+			/** Send SCI along with sectag */
+			uint16_t send_sci : 1;
+			/** enable secure channel support EPON - single copy broadcast */
+			uint16_t scb : 1;
+			/**
+			 * Enable packet encryption and set RTE_MACSEC_TCI_C and
+			 * RTE_MACSEC_TCI_E in sectag
+			 */
+			uint16_t encrypt : 1;
+			/** Reserved bitfields for future */
+			uint16_t reserved : 7;
+		} tx_secy;
+		struct {
+			/** Replay Window size to be supported */
+			uint32_t replay_win_sz;
+			/** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */
+			uint16_t validate_frames : 2;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port is enabled */
+			uint16_t ctrl_port_enable : 1;
+			/** Do not strip SecTAG after processing */
+			uint16_t preserve_sectag : 1;
+			/** Do not strip ICV from the packet after processing */
+			uint16_t preserve_icv : 1;
+			/** Enable anti-replay protection */
+			uint16_t replay_protect : 1;
+			/** Reserved bitfields for future */
+			uint16_t reserved : 9;
+		} rx_secy;
+	};
 };
 
 /**
@@ -510,7 +668,7 @@ struct rte_security_session_conf {
 	};
 	/**< Configuration parameters for security session */
 	struct rte_crypto_sym_xform *crypto_xform;
-	/**< Security Session Crypto Transformations */
+	/**< Security Session Crypto Transformations. NULL in case of MACsec */
 	void *userdata;
 	/**< Application specific userdata to be saved with session */
 };
@@ -585,6 +743,80 @@ int
 rte_security_session_destroy(struct rte_security_ctx *instance,
 			     struct rte_security_session *sess);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Create MACsec security channel(SC)
+ *
+ * @param   instance	security instance
+ * @param   conf	MACsec SC configuration params
+ * @return
+ *  - secure channel id if successful
+ *  - -EINVAL if configuration params are invalid of instance is NULL.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if PMD is not capable to create more SC.
+ *  - other negative value for other errors.
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sc *conf);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Destroy MACsec security channel(SC)
+ *
+ * @param   instance	security instance
+ * @param   sc_id	SC id to be destroyed
+ * @return
+ *  - 0 if successful
+ *  - -EINVAL if sc_id is invalid or instance is NULL.
+ *  - -EBUSY if sc is being used by some session.
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Create MACsec security association(SA)
+ *
+ * @param   instance	security instance
+ * @param   conf	MACsec SA configuration params
+ * @return
+ *  - positive SA id if successful
+ *  - -EINVAL if configuration params are invalid of instance is NULL.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if PMD is not capable to create more SAs.
+ *  - other negative value for other errors.
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sa *conf);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Destroy MACsec security association(SA)
+ *
+ * @param   instance	security instance
+ * @param   sa_id	SA id to be destroyed
+ * @return
+ *  - 0 if successful
+ *  - -EINVAL if sa_id is invalid or instance is NULL.
+ *  - -EBUSY if sa is being used by some session.
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
+
 /** Device-specific metadata field type */
 typedef uint64_t rte_security_dynfield_t;
 /** Dynamic mbuf field for device-specific metadata */
@@ -710,8 +942,62 @@ rte_security_attach_session(struct rte_crypto_op *op,
 	return __rte_security_attach_session(op->sym, sess);
 }
 
-struct rte_security_macsec_stats {
-	uint64_t reserved;
+struct rte_security_macsec_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;
+	uint64_t pkt_notag_cnt;
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct rte_security_macsec_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t octet_decrypt_cnt;
+	uint64_t octet_validate_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;
+	uint64_t octet_protected_cnt;
+};
+
+struct rte_security_macsec_sa_stats {
+	/* RX */
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t pkt_nosa_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
 };
 
 struct rte_security_ipsec_stats {
@@ -739,7 +1025,7 @@ struct rte_security_stats {
 
 	RTE_STD_C11
 	union {
-		struct rte_security_macsec_stats macsec;
+		struct rte_security_macsec_secy_stats macsec;
 		struct rte_security_ipsec_stats ipsec;
 		struct rte_security_pdcp_stats pdcp;
 		struct rte_security_docsis_stats docsis;
@@ -765,6 +1051,44 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
 			       struct rte_security_session *sess,
 			       struct rte_security_stats *stats);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get MACsec SA statistics
+ *
+ * @param	instance	security instance
+ * @param	sa_id		SA id for which stats are needed
+ * @param	stats		statistics
+ * @return
+ *  - On success, return 0
+ *  - On failure, a negative value
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
+				 uint16_t sa_id,
+				 struct rte_security_macsec_sa_stats *stats);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get MACsec SC statistics
+ *
+ * @param	instance	security instance
+ * @param	sc_id		SC id for which stats are needed
+ * @param	stats		SC statistics
+ * @return
+ *  - On success, return 0
+ *  - On failure, a negative value
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,
+				 uint16_t sc_id,
+				 struct rte_security_macsec_sc_stats *stats);
+
 /**
  * Security capability definition
  */
@@ -791,8 +1115,38 @@ struct rte_security_capability {
 		} ipsec;
 		/**< IPsec capability */
 		struct {
-			/* To be Filled */
-			int dummy;
+			/** MTU supported for inline TX */
+			uint16_t mtu;
+			/** MACsec algorithm to be used */
+			enum rte_security_macsec_alg alg;
+			/** Maximum number of secure channels supported. */
+			uint16_t max_nb_sc;
+			/** Maximum number of SAs supported. */
+			uint16_t max_nb_sa;
+			/** Maximum number of SAs supported. */
+			uint16_t max_nb_sess;
+			/** MACsec Anti Replay Window Size. */
+			uint32_t replay_win_sz;
+			/** Support Sectag insertion at relative offset. */
+			uint16_t relative_sectag_insert : 1;
+			/** Support Sectag insertion at fixed offset. */
+			uint16_t fixed_sectag_insert : 1;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port traffic is supported */
+			uint16_t ctrl_port_enable : 1;
+			/** Do not strip SecTAG after processing */
+			uint16_t preserve_sectag : 1;
+			/** Do not strip ICV from the packet after processing */
+			uint16_t preserve_icv : 1;
+			/** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */
+			uint16_t validate_frames : 1;
+			/** support re-keying on SA expiry */
+			uint16_t re_key : 1;
+			/** support Anti replay */
+			uint16_t anti_replay : 1;
+			/** Reserved bitfields for future capabilities */
+			uint16_t reserved : 7;
 		} macsec;
 		/**< MACsec capability */
 		struct {
diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h
index 0063a66524..1da286dad4 100644
--- a/lib/security/rte_security_driver.h
+++ b/lib/security/rte_security_driver.h
@@ -63,6 +63,50 @@ typedef int (*security_session_update_t)(void *device,
 		struct rte_security_session *sess,
 		struct rte_security_session_conf *conf);
 
+/**
+ * Configure a MACsec secure channel(SC) on a device.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	conf		MACsec SC configuration params
+ *
+ * @return
+ *  - positive sc_id if SC is created successfully.
+ *  - -EINVAL if input parameters are invalid.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if the SC cannot be created.
+ */
+typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_macsec_sc *conf);
+
+/**
+ * Free MACsec secure channel(SC).
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sc_id		MACsec SC id
+ */
+typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id);
+
+/**
+ * Configure a MACsec security Association(SA) on a device.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	conf		MACsec SA configuration params
+ *
+ * @return
+ *  - positive sa_id if SA is created successfully.
+ *  - -EINVAL if input parameters are invalid.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if the SA cannot be created.
+ */
+typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_macsec_sa *conf);
+
+/**
+ * Free MACsec security association(SA).
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sa_id		MACsec SA id
+ */
+typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id);
+
 /**
  * Get the size of a security session
  *
@@ -89,6 +133,36 @@ typedef int (*security_session_stats_get_t)(void *device,
 		struct rte_security_session *sess,
 		struct rte_security_stats *stats);
 
+/**
+ * Get MACsec secure channel stats from the PMD.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sc_id		secure channel id created by rte_security_macsec_sc_create()
+ * @param	stats		SC stats of the driver
+ *
+ * @return
+ *  - 0 if success.
+ *  - -EINVAL if sc_id or device is invalid.
+ */
+typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
+		struct rte_security_macsec_sc_stats *stats);
+
+/**
+ * Get MACsec SA stats from the PMD.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sa_id		secure channel id created by rte_security_macsec_sc_create()
+ * @param	stats		SC stats of the driver
+ *
+ * @return
+ *  - 0 if success.
+ *  - -EINVAL if sa_id or device is invalid.
+ */
+typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,
+		struct rte_security_macsec_sa_stats *stats);
+
+
+
 __rte_internal
 int rte_security_dynfield_register(void);
 
@@ -136,6 +210,18 @@ struct rte_security_ops {
 	/**< Update mbuf metadata. */
 	security_capabilities_get_t capabilities_get;
 	/**< Get security capabilities. */
+	security_macsec_sc_create_t macsec_sc_create;
+	/**< Configure a MACsec security channel(SC). */
+	security_macsec_sc_destroy_t macsec_sc_destroy;
+	/**< Free a MACsec security channel(SC). */
+	security_macsec_sa_create_t macsec_sa_create;
+	/**< Configure a MACsec security association(SA). */
+	security_macsec_sa_destroy_t macsec_sa_destroy;
+	/**< Free a MACsec security association(SA). */
+	security_macsec_sc_stats_get_t macsec_sc_stats_get;
+	/**< Get MACsec SC statistics. */
+	security_macsec_sa_stats_get_t macsec_sa_stats_get;
+	/**< Get MACsec SA statistics. */
 };
 
 #ifdef __cplusplus
diff --git a/lib/security/version.map b/lib/security/version.map
index 85ca7921e7..07dcce9ffb 100644
--- a/lib/security/version.map
+++ b/lib/security/version.map
@@ -15,6 +15,12 @@ EXPERIMENTAL {
 
 	__rte_security_set_pkt_metadata;
 	rte_security_dynfield_offset;
+	rte_security_macsec_sa_create;
+	rte_security_macsec_sa_destroy;
+	rte_security_macsec_sa_stats_get;
+	rte_security_macsec_sc_create;
+	rte_security_macsec_sc_destroy;
+	rte_security_macsec_sc_stats_get;
 	rte_security_session_stats_get;
 	rte_security_session_update;
 };
-- 
2.25.1

Re: [PATCH v3 0/3] security: support MACsec

[Thomas Monjalon]

> Akhil Goyal (3):
>   net: add MACsec header
>   ethdev: add MACsec flow item
>   security: support MACsec

Applied with some formatting changes, thanks.

[PATCH 00/13] Add MACsec unit test cases

[Akhil Goyal]

Inline MACsec offload was supported in DPDK 22.11
using rte_security APIs.
This patchset adds few minor changes in the rte_security APIs
to specify the direction of SA/SC and update the SC configuration
to set packet number threshold.

The patchset also add functional test cases in dpdk-test app
to verify MACsec functionality.

This patchset is pending from last release [1] due to lack of
hardware to test. Now the test cases are verified on Marvell cnxk PMD
and the pmd support is added as a separate patchset.


Akhil Goyal (10):
  security: add direction in SA/SC configuration
  security: add MACsec packet number threshold
  test/security: add inline MACsec cases
  test/security: add MACsec integrity cases
  test/security: verify multi flow MACsec
  test/security: add MACsec VLAN cases
  test/security: add MACsec negative cases
  test/security: verify MACsec stats
  test/security: verify MACsec Tx HW rekey
  test/security: remove no MACsec support case

Ankur Dwivedi (3):
  test/security: verify MACsec interrupts
  test/security: verify MACsec Rx rekey
  test/security: verify MACsec anti replay

 app/test/meson.build                          |    1 +
 app/test/test_security.c                      |   37 -
 app/test/test_security_inline_macsec.c        | 2332 ++++++++++
 .../test_security_inline_macsec_vectors.h     | 3895 +++++++++++++++++
 lib/security/rte_security.c                   |   16 +-
 lib/security/rte_security.h                   |   24 +-
 lib/security/rte_security_driver.h            |   12 +-
 7 files changed, 6266 insertions(+), 51 deletions(-)
 create mode 100644 app/test/test_security_inline_macsec.c
 create mode 100644 app/test/test_security_inline_macsec_vectors.h

-- 
2.25.1

[PATCH 01/13] security: add direction in SA/SC configuration

[Akhil Goyal]

MACsec SC/SA ids are created based on direction of the flow.
Hence, added the missing field for configuration and cleanup
of the SCs and SAs.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 lib/security/rte_security.c        | 16 ++++++++++------
 lib/security/rte_security.h        | 14 ++++++++++----
 lib/security/rte_security_driver.h | 12 ++++++++++--
 3 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c
index e102c55e55..c4d64bb8e9 100644
--- a/lib/security/rte_security.c
+++ b/lib/security/rte_security.c
@@ -164,13 +164,14 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
 }
 
 int
-rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id)
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir)
 {
 	int ret;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP);
 
-	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id);
+	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id, dir);
 	if (ret != 0)
 		return ret;
 
@@ -181,13 +182,14 @@ rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id
 }
 
 int
-rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id)
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir)
 {
 	int ret;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP);
 
-	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id);
+	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id, dir);
 	if (ret != 0)
 		return ret;
 
@@ -199,22 +201,24 @@ rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id
 
 int
 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id,
+				 enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sc_stats *stats)
 {
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP);
 	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
 
-	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats);
+	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, dir, stats);
 }
 
 int
 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sa_stats *stats)
 {
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP);
 	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
 
-	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats);
+	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, dir, stats);
 }
 
 int
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 4bacf9fcd9..c7a523b6d6 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -761,6 +761,7 @@ rte_security_macsec_sc_create(struct rte_security_ctx *instance,
  *
  * @param   instance	security instance
  * @param   sc_id	SC ID to be destroyed
+ * @param   dir		direction of the SC
  * @return
  *  - 0 if successful.
  *  - -EINVAL if sc_id is invalid or instance is NULL.
@@ -768,7 +769,8 @@ rte_security_macsec_sc_create(struct rte_security_ctx *instance,
  */
 __rte_experimental
 int
-rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir);
 
 /**
  * @warning
@@ -798,6 +800,7 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
  *
  * @param   instance	security instance
  * @param   sa_id	SA ID to be destroyed
+ * @param   dir		direction of the SA
  * @return
  *  - 0 if successful.
  *  - -EINVAL if sa_id is invalid or instance is NULL.
@@ -805,7 +808,8 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
  */
 __rte_experimental
 int
-rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir);
 
 /** Device-specific metadata field type */
 typedef uint64_t rte_security_dynfield_t;
@@ -1077,6 +1081,7 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
  *
  * @param	instance	security instance
  * @param	sa_id		SA ID for which stats are needed
+ * @param	dir		direction of the SA
  * @param	stats		statistics
  * @return
  *  - On success, return 0.
@@ -1085,7 +1090,7 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
 __rte_experimental
 int
 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
-				 uint16_t sa_id,
+				 uint16_t sa_id, enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sa_stats *stats);
 
 /**
@@ -1096,6 +1101,7 @@ rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
  *
  * @param	instance	security instance
  * @param	sc_id		SC ID for which stats are needed
+ * @param	dir		direction of the SC
  * @param	stats		SC statistics
  * @return
  *  - On success, return 0.
@@ -1104,7 +1110,7 @@ rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
 __rte_experimental
 int
 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,
-				 uint16_t sc_id,
+				 uint16_t sc_id, enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sc_stats *stats);
 
 /**
diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h
index 421e6f7780..677c7d1f91 100644
--- a/lib/security/rte_security_driver.h
+++ b/lib/security/rte_security_driver.h
@@ -106,8 +106,10 @@ typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_mac
  *
  * @param	device		Crypto/eth device pointer
  * @param	sc_id		MACsec SC ID
+ * @param	dir		Direction of SC
  */
-typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id);
+typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id,
+		enum rte_security_macsec_direction dir);
 
 /**
  * Configure a MACsec security Association (SA) on a device.
@@ -128,8 +130,10 @@ typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_mac
  *
  * @param	device		Crypto/eth device pointer
  * @param	sa_id		MACsec SA ID
+ * @param	dir		Direction of SA
  */
-typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id);
+typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id,
+		enum rte_security_macsec_direction dir);
 
 /**
  * Get the size of a security session
@@ -162,6 +166,7 @@ typedef int (*security_session_stats_get_t)(void *device,
  *
  * @param	device		Crypto/eth device pointer
  * @param	sc_id		secure channel ID created by rte_security_macsec_sc_create()
+ * @param	dir		direction of SC
  * @param	stats		SC stats of the driver
  *
  * @return
@@ -169,6 +174,7 @@ typedef int (*security_session_stats_get_t)(void *device,
  *  - -EINVAL if sc_id or device is invalid.
  */
 typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
+		enum rte_security_macsec_direction dir,
 		struct rte_security_macsec_sc_stats *stats);
 
 /**
@@ -176,6 +182,7 @@ typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
  *
  * @param	device		Crypto/eth device pointer
  * @param	sa_id		secure channel ID created by rte_security_macsec_sc_create()
+ * @param	dir		direction of SA
  * @param	stats		SC stats of the driver
  *
  * @return
@@ -183,6 +190,7 @@ typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
  *  - -EINVAL if sa_id or device is invalid.
  */
 typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,
+		enum rte_security_macsec_direction dir,
 		struct rte_security_macsec_sa_stats *stats);
 
 
-- 
2.25.1

[PATCH 02/13] security: add MACsec packet number threshold

[Akhil Goyal]

Added Packet number threshold parameter in MACsec SC
configuration to identify the maximum allowed threshold
for packet number field in the packet.
A field is_xpn is also added to identify if the SAs are
configured for extended packet number or not so that
packet number threshold can be configured accordingly.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 lib/security/rte_security.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index c7a523b6d6..30bac4e25a 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
 struct rte_security_macsec_sc {
 	/** Direction of SC */
 	enum rte_security_macsec_direction dir;
+	/** Packet number threshold */
+	uint64_t pn_threshold;
 	union {
 		struct {
 			/** SAs for each association number */
@@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
 			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
 			/** Channel is active */
 			uint8_t active : 1;
+			/** Extended packet number is enabled for SAs */
+			uint8_t is_xpn : 1;
 			/** Reserved bitfields for future */
-			uint8_t reserved : 7;
+			uint8_t reserved : 6;
 		} sc_rx;
 		struct {
 			uint16_t sa_id; /**< SA ID to be used for encryption */
@@ -416,8 +420,10 @@ struct rte_security_macsec_sc {
 			uint64_t sci; /**< SCI value to be used if send_sci is set */
 			uint8_t active : 1; /**< Channel is active */
 			uint8_t re_key_en : 1; /**< Enable Rekeying */
+			/** Extended packet number is enabled for SAs */
+			uint8_t is_xpn : 1;
 			/** Reserved bitfields for future */
-			uint8_t reserved : 6;
+			uint8_t reserved : 5;
 		} sc_tx;
 	};
 };
-- 
2.25.1

[PATCH 03/13] test/security: add inline MACsec cases

[Akhil Goyal]

Updated test app to verify Inline MACsec offload using
rte_security APIs.
A couple of test cases are added to verify encap only
and decap only of some known test vectors from MACsec
specification.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/meson.build                          |    1 +
 app/test/test_security_inline_macsec.c        | 1108 +++++++++++++++++
 .../test_security_inline_macsec_vectors.h     | 1086 ++++++++++++++++
 3 files changed, 2195 insertions(+)
 create mode 100644 app/test/test_security_inline_macsec.c
 create mode 100644 app/test/test_security_inline_macsec_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index b9b5432496..69c1d19f7b 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -128,6 +128,7 @@ test_sources = files(
         'test_rwlock.c',
         'test_sched.c',
         'test_security.c',
+        'test_security_inline_macsec.c',
         'test_security_inline_proto.c',
         'test_seqlock.c',
         'test_service_cores.c',
diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
new file mode 100644
index 0000000000..22a54dd65b
--- /dev/null
+++ b/app/test/test_security_inline_macsec.c
@@ -0,0 +1,1108 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+
+#include <stdio.h>
+#include <inttypes.h>
+
+#include <rte_ethdev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_security_inline_macsec_vectors.h"
+
+#ifdef RTE_EXEC_ENV_WINDOWS
+static int
+test_inline_macsec(void)
+{
+	printf("Inline MACsec not supported on Windows, skipping test\n");
+	return TEST_SKIPPED;
+}
+
+#else
+
+#define NB_ETHPORTS_USED		1
+#define MEMPOOL_CACHE_SIZE		32
+#define RTE_TEST_RX_DESC_DEFAULT	1024
+#define RTE_TEST_TX_DESC_DEFAULT	1024
+#define RTE_PORT_ALL		(~(uint16_t)0x0)
+
+#define RX_PTHRESH 8 /**< Default values of RX prefetch threshold reg. */
+#define RX_HTHRESH 8 /**< Default values of RX host threshold reg. */
+#define RX_WTHRESH 0 /**< Default values of RX write-back threshold reg. */
+
+#define TX_PTHRESH 32 /**< Default values of TX prefetch threshold reg. */
+#define TX_HTHRESH 0  /**< Default values of TX host threshold reg. */
+#define TX_WTHRESH 0  /**< Default values of TX write-back threshold reg. */
+
+#define MAX_TRAFFIC_BURST		2048
+#define NB_MBUF				10240
+
+#define MCS_INVALID_SA			0xFFFF
+#define MCS_DEFAULT_PN_THRESHOLD	0xFFFFF
+
+static struct rte_mempool *mbufpool;
+static struct rte_mempool *sess_pool;
+/* ethernet addresses of ports */
+static struct rte_ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];
+
+struct mcs_test_opts {
+	int val_frames;
+	int nb_td;
+	uint16_t mtu;
+	uint8_t sa_in_use;
+	bool encrypt;
+	bool protect_frames;
+	uint8_t sectag_insert_mode;
+	uint8_t nb_vlan;
+	uint32_t replay_win_sz;
+	uint8_t replay_protect;
+	uint8_t rekey_en;
+	const struct mcs_test_vector *rekey_td;
+	bool dump_all_stats;
+	uint8_t check_untagged_rx;
+	uint8_t check_bad_tag_cnt;
+	uint8_t check_sa_not_in_use;
+	uint8_t check_decap_stats;
+	uint8_t check_verify_only_stats;
+	uint8_t check_pkts_invalid_stats;
+	uint8_t check_pkts_unchecked_stats;
+	uint8_t check_out_pkts_untagged;
+	uint8_t check_out_pkts_toolong;
+	uint8_t check_encap_stats;
+	uint8_t check_auth_only_stats;
+	uint8_t check_sectag_interrupts;
+};
+
+static struct rte_eth_conf port_conf = {
+	.rxmode = {
+		.mq_mode = RTE_ETH_MQ_RX_NONE,
+		.offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM |
+			    RTE_ETH_RX_OFFLOAD_MACSEC_STRIP,
+	},
+	.txmode = {
+		.mq_mode = RTE_ETH_MQ_TX_NONE,
+		.offloads = RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE |
+			    RTE_ETH_TX_OFFLOAD_MACSEC_INSERT,
+	},
+	.lpbk_mode = 1,  /* enable loopback */
+};
+
+static struct rte_eth_rxconf rx_conf = {
+	.rx_thresh = {
+		.pthresh = RX_PTHRESH,
+		.hthresh = RX_HTHRESH,
+		.wthresh = RX_WTHRESH,
+	},
+	.rx_free_thresh = 32,
+};
+
+static struct rte_eth_txconf tx_conf = {
+	.tx_thresh = {
+		.pthresh = TX_PTHRESH,
+		.hthresh = TX_HTHRESH,
+		.wthresh = TX_WTHRESH,
+	},
+	.tx_free_thresh = 32, /* Use PMD default values */
+	.tx_rs_thresh = 32, /* Use PMD default values */
+};
+
+static uint16_t port_id;
+
+static uint64_t link_mbps;
+
+static struct rte_flow *default_tx_flow[RTE_MAX_ETHPORTS];
+static struct rte_flow *default_rx_flow[RTE_MAX_ETHPORTS];
+
+static struct rte_mbuf **tx_pkts_burst;
+static struct rte_mbuf **rx_pkts_burst;
+
+static inline struct rte_mbuf *
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+{
+	struct rte_mbuf *pkt;
+
+	pkt = rte_pktmbuf_alloc(mp);
+	if (pkt == NULL)
+		return NULL;
+
+	rte_memcpy(rte_pktmbuf_append(pkt, len), data, len);
+
+	return pkt;
+}
+
+static int
+init_mempools(unsigned int nb_mbuf)
+{
+	struct rte_security_ctx *sec_ctx;
+	uint16_t nb_sess = 512;
+	uint32_t sess_sz;
+	char s[64];
+
+	if (mbufpool == NULL) {
+		snprintf(s, sizeof(s), "mbuf_pool");
+		mbufpool = rte_pktmbuf_pool_create(s, nb_mbuf,
+				MEMPOOL_CACHE_SIZE, 0,
+				RTE_MBUF_DEFAULT_BUF_SIZE, SOCKET_ID_ANY);
+		if (mbufpool == NULL) {
+			printf("Cannot init mbuf pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated mbuf pool\n");
+	}
+
+	sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
+	if (sec_ctx == NULL) {
+		printf("Device does not support Security ctx\n");
+		return TEST_SKIPPED;
+	}
+	sess_sz = rte_security_session_get_size(sec_ctx);
+	if (sess_pool == NULL) {
+		snprintf(s, sizeof(s), "sess_pool");
+		sess_pool = rte_mempool_create(s, nb_sess, sess_sz,
+				MEMPOOL_CACHE_SIZE, 0,
+				NULL, NULL, NULL, NULL,
+				SOCKET_ID_ANY, 0);
+		if (sess_pool == NULL) {
+			printf("Cannot init sess pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated sess pool\n");
+	}
+
+	return 0;
+}
+
+static void
+fill_macsec_sa_conf(const struct mcs_test_vector *td, struct rte_security_macsec_sa *sa,
+			enum rte_security_macsec_direction dir, uint8_t an, uint8_t tci_off)
+{
+	sa->dir = dir;
+
+	sa->key.data = td->sa_key.data;
+	sa->key.length = td->sa_key.len;
+
+	memcpy((uint8_t *)sa->salt, (const uint8_t *)td->salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	/* AN is set as per the value in secure packet in test vector */
+	sa->an = an & RTE_MACSEC_AN_MASK;
+
+	sa->ssci = td->ssci;
+	sa->xpn = td->xpn;
+	/* Starting packet number which is expected to come next.
+	 * It is take from the test vector so that we can match the out packet.
+	 */
+	sa->next_pn = *(const uint32_t *)(&td->secure_pkt.data[tci_off + 2]);
+}
+
+static void
+fill_macsec_sc_conf(const struct mcs_test_vector *td,
+		    struct rte_security_macsec_sc *sc_conf,
+		    const struct mcs_test_opts *opts,
+		    enum rte_security_macsec_direction dir,
+		    uint16_t sa_id[], uint8_t tci_off)
+{
+	uint8_t i;
+
+	sc_conf->dir = dir;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sc_conf->sc_tx.sa_id = sa_id[0];
+		if (sa_id[1] != MCS_INVALID_SA) {
+			sc_conf->sc_tx.sa_id_rekey = sa_id[1];
+			sc_conf->sc_tx.re_key_en = 1;
+		}
+		sc_conf->sc_tx.active = 1;
+		/* is SCI valid */
+		if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) {
+			memcpy(&sc_conf->sc_tx.sci, &td->secure_pkt.data[tci_off + 6],
+					sizeof(sc_conf->sc_tx.sci));
+			sc_conf->sc_tx.sci = rte_be_to_cpu_64(sc_conf->sc_tx.sci);
+		} else if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) {
+			/* sci = source_mac + port_id when ES.bit = 1 & SC.bit = 0 */
+			const uint8_t *smac = td->plain_pkt.data + RTE_ETHER_ADDR_LEN;
+			uint8_t *ptr = (uint8_t *)&sc_conf->sc_tx.sci;
+
+			ptr[0] = 0x01;
+			ptr[1] = 0;
+			for (i = 0; i < RTE_ETHER_ADDR_LEN; i++)
+				ptr[2 + i] = smac[RTE_ETHER_ADDR_LEN - 1 - i];
+		} else {
+			/* use some default SCI */
+			sc_conf->sc_tx.sci = 0xf1341e023a2b1c5d;
+		}
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			sc_conf->sc_rx.sa_id[i] = sa_id[i];
+			sc_conf->sc_rx.sa_in_use[i] = opts->sa_in_use;
+		}
+		sc_conf->sc_rx.active = 1;
+	}
+}
+
+
+/* Create Inline MACsec session */
+static int
+fill_session_conf(const struct mcs_test_vector *td, uint16_t portid __rte_unused,
+		const struct mcs_test_opts *opts,
+		struct rte_security_session_conf *sess_conf,
+		enum rte_security_macsec_direction dir,
+		uint16_t sc_id,
+		uint8_t tci_off)
+{
+	sess_conf->action_type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL;
+	sess_conf->protocol = RTE_SECURITY_PROTOCOL_MACSEC;
+	sess_conf->macsec.dir = dir;
+	sess_conf->macsec.alg = td->alg;
+	sess_conf->macsec.cipher_off = 0;
+	if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) {
+		sess_conf->macsec.sci = rte_be_to_cpu_64(*(const uint64_t *)
+					(&td->secure_pkt.data[tci_off + 6]));
+	} else if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) {
+		/* sci = source_mac + port_id when ES.bit = 1 & SC.bit = 0 */
+		const uint8_t *smac = td->plain_pkt.data + RTE_ETHER_ADDR_LEN;
+		uint8_t *ptr = (uint8_t *)&sess_conf->macsec.sci;
+		uint8_t j;
+
+		ptr[0] = 0x01;
+		ptr[1] = 0;
+		for (j = 0; j < RTE_ETHER_ADDR_LEN; j++)
+			ptr[2 + j] = smac[RTE_ETHER_ADDR_LEN - 1 - j];
+	}
+	sess_conf->macsec.sc_id = sc_id;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sess_conf->macsec.tx_secy.mtu = opts->mtu;
+		sess_conf->macsec.tx_secy.sectag_off = (opts->sectag_insert_mode == 1) ?
+							2 * RTE_ETHER_ADDR_LEN :
+							RTE_VLAN_HLEN;
+		sess_conf->macsec.tx_secy.sectag_insert_mode = opts->sectag_insert_mode;
+		sess_conf->macsec.tx_secy.ctrl_port_enable = 1;
+		sess_conf->macsec.tx_secy.sectag_version = 0;
+		sess_conf->macsec.tx_secy.end_station =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) >> 6;
+		sess_conf->macsec.tx_secy.send_sci =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) >> 5;
+		sess_conf->macsec.tx_secy.scb =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SCB) >> 4;
+		sess_conf->macsec.tx_secy.encrypt = opts->encrypt;
+		sess_conf->macsec.tx_secy.protect_frames = opts->protect_frames;
+		sess_conf->macsec.tx_secy.icv_include_da_sa = 1;
+	} else {
+		sess_conf->macsec.rx_secy.replay_win_sz = opts->replay_win_sz;
+		sess_conf->macsec.rx_secy.replay_protect = opts->replay_protect;
+		sess_conf->macsec.rx_secy.icv_include_da_sa = 1;
+		sess_conf->macsec.rx_secy.ctrl_port_enable = 1;
+		sess_conf->macsec.rx_secy.preserve_sectag = 0;
+		sess_conf->macsec.rx_secy.preserve_icv = 0;
+		sess_conf->macsec.rx_secy.validate_frames = opts->val_frames;
+	}
+
+	return 0;
+}
+
+static int
+create_default_flow(const struct mcs_test_vector *td, uint16_t portid,
+		    enum rte_security_macsec_direction dir, void *sess)
+{
+	struct rte_flow_action action[2];
+	struct rte_flow_item pattern[2];
+	struct rte_flow_attr attr = {0};
+	struct rte_flow_error err;
+	struct rte_flow *flow;
+	struct rte_flow_item_eth eth = {0};
+	static const struct rte_flow_item_eth eth_mask = {
+		.hdr.dst_addr.addr_bytes = "\x00\x00\x00\x00\x00\x00",
+		.hdr.src_addr.addr_bytes = "\x00\x00\x00\x00\x00\x00",
+		.hdr.ether_type = RTE_BE16(0x0000),
+	};
+
+	int ret;
+
+	eth.has_vlan = 0;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX)
+		memcpy(&eth.hdr, td->plain_pkt.data, RTE_ETHER_HDR_LEN);
+	else
+		memcpy(&eth.hdr, td->secure_pkt.data, RTE_ETHER_HDR_LEN);
+
+	pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
+	pattern[0].spec = &eth;
+	pattern[0].mask = &eth_mask;
+	pattern[0].last = NULL;
+	pattern[1].type = RTE_FLOW_ITEM_TYPE_END;
+
+	action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
+	action[0].conf = sess;
+	action[1].type = RTE_FLOW_ACTION_TYPE_END;
+	action[1].conf = NULL;
+
+	attr.ingress = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? 1 : 0;
+	attr.egress = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? 1 : 0;
+
+	ret = rte_flow_validate(portid, &attr, pattern, action, &err);
+	if (ret) {
+		printf("\nValidate flow failed, ret = %d\n", ret);
+		return -1;
+	}
+	flow = rte_flow_create(portid, &attr, pattern, action, &err);
+	if (flow == NULL) {
+		printf("\nDefault flow rule create failed\n");
+		return -1;
+	}
+
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX)
+		default_tx_flow[portid] = flow;
+	else
+		default_rx_flow[portid] = flow;
+
+	return 0;
+}
+
+static void
+destroy_default_flow(uint16_t portid)
+{
+	struct rte_flow_error err;
+	int ret;
+
+	if (default_tx_flow[portid]) {
+		ret = rte_flow_destroy(portid, default_tx_flow[portid], &err);
+		if (ret) {
+			printf("\nDefault Tx flow rule destroy failed\n");
+			return;
+		}
+		default_tx_flow[portid] = NULL;
+	}
+	if (default_rx_flow[portid]) {
+		ret = rte_flow_destroy(portid, default_rx_flow[portid], &err);
+		if (ret) {
+			printf("\nDefault Rx flow rule destroy failed\n");
+			return;
+		}
+		default_rx_flow[portid] = NULL;
+	}
+}
+
+static void
+print_ethaddr(const char *name, const struct rte_ether_addr *eth_addr)
+{
+	char buf[RTE_ETHER_ADDR_FMT_SIZE];
+	rte_ether_format_addr(buf, RTE_ETHER_ADDR_FMT_SIZE, eth_addr);
+	printf("%s%s", name, buf);
+}
+
+/* Check the link status of all ports in up to 3s, and print them finally */
+static void
+check_all_ports_link_status(uint16_t port_num, uint32_t port_mask)
+{
+#define CHECK_INTERVAL 100 /* 100ms */
+#define MAX_CHECK_TIME 30 /* 3s (30 * 100ms) in total */
+	uint16_t portid;
+	uint8_t count, all_ports_up, print_flag = 0;
+	struct rte_eth_link link;
+	int ret;
+	char link_status[RTE_ETH_LINK_MAX_STR_LEN];
+
+	printf("Checking link statuses...\n");
+	fflush(stdout);
+	for (count = 0; count <= MAX_CHECK_TIME; count++) {
+		all_ports_up = 1;
+		for (portid = 0; portid < port_num; portid++) {
+			if ((port_mask & (1 << portid)) == 0)
+				continue;
+			memset(&link, 0, sizeof(link));
+			ret = rte_eth_link_get_nowait(portid, &link);
+			if (ret < 0) {
+				all_ports_up = 0;
+				if (print_flag == 1)
+					printf("Port %u link get failed: %s\n",
+						portid, rte_strerror(-ret));
+				continue;
+			}
+
+			/* print link status if flag set */
+			if (print_flag == 1) {
+				if (link.link_status && link_mbps == 0)
+					link_mbps = link.link_speed;
+
+				rte_eth_link_to_str(link_status,
+					sizeof(link_status), &link);
+				printf("Port %d %s\n", portid, link_status);
+				continue;
+			}
+			/* clear all_ports_up flag if any link down */
+			if (link.link_status == RTE_ETH_LINK_DOWN) {
+				all_ports_up = 0;
+				break;
+			}
+		}
+		/* after finally printing all link status, get out */
+		if (print_flag == 1)
+			break;
+
+		if (all_ports_up == 0)
+			fflush(stdout);
+
+		/* set the print_flag if all ports up or timeout */
+		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1))
+			print_flag = 1;
+	}
+}
+
+static int
+test_macsec_post_process(struct rte_mbuf *m, const struct mcs_test_vector *td,
+			enum mcs_op op, uint8_t check_out_pkts_untagged)
+{
+	const uint8_t *dptr;
+	uint16_t pkt_len;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY ||
+			check_out_pkts_untagged == 1) {
+		dptr = td->plain_pkt.data;
+		pkt_len = td->plain_pkt.len;
+	} else {
+		dptr = td->secure_pkt.data;
+		pkt_len = td->secure_pkt.len;
+	}
+
+	if (memcmp(rte_pktmbuf_mtod(m, uint8_t *), dptr, pkt_len)) {
+		printf("\nData comparison failed for td.");
+		rte_pktmbuf_dump(stdout, m, m->pkt_len);
+		rte_hexdump(stdout, "expected_data", dptr, pkt_len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+static void
+mcs_stats_dump(struct rte_security_ctx *ctx, enum mcs_op op,
+	       void *rx_sess, void *tx_sess,
+	       uint8_t rx_sc_id, uint8_t tx_sc_id,
+	       uint16_t rx_sa_id[], uint16_t tx_sa_id[])
+{
+	struct rte_security_stats sess_stats = {0};
+	struct rte_security_macsec_secy_stats *secy_stat;
+	struct rte_security_macsec_sc_stats sc_stat = {0};
+	struct rte_security_macsec_sa_stats sa_stat = {0};
+	int i;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+		printf("\n********* RX SECY STATS ************\n");
+		rte_security_session_stats_get(ctx, rx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if (secy_stat->ctl_pkt_bcast_cnt)
+			printf("RX: ctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_bcast_cnt);
+		if (secy_stat->ctl_pkt_mcast_cnt)
+			printf("RX: ctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_mcast_cnt);
+		if (secy_stat->ctl_pkt_ucast_cnt)
+			printf("RX: ctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_ucast_cnt);
+		if (secy_stat->ctl_octet_cnt)
+			printf("RX: ctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->ctl_octet_cnt);
+		if (secy_stat->unctl_pkt_bcast_cnt)
+			printf("RX: unctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_bcast_cnt);
+		if (secy_stat->unctl_pkt_mcast_cnt)
+			printf("RX: unctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_mcast_cnt);
+		if (secy_stat->unctl_pkt_ucast_cnt)
+			printf("RX: unctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_ucast_cnt);
+		if (secy_stat->unctl_octet_cnt)
+			printf("RX: unctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->unctl_octet_cnt);
+		/* Valid only for RX */
+		if (secy_stat->octet_decrypted_cnt)
+			printf("RX: octet_decrypted_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_decrypted_cnt);
+		if (secy_stat->octet_validated_cnt)
+			printf("RX: octet_validated_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_validated_cnt);
+		if (secy_stat->pkt_port_disabled_cnt)
+			printf("RX: pkt_port_disabled_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_port_disabled_cnt);
+		if (secy_stat->pkt_badtag_cnt)
+			printf("RX: pkt_badtag_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_badtag_cnt);
+		if (secy_stat->pkt_nosa_cnt)
+			printf("RX: pkt_nosa_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_nosa_cnt);
+		if (secy_stat->pkt_nosaerror_cnt)
+			printf("RX: pkt_nosaerror_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_nosaerror_cnt);
+		if (secy_stat->pkt_tagged_ctl_cnt)
+			printf("RX: pkt_tagged_ctl_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_tagged_ctl_cnt);
+		if (secy_stat->pkt_untaged_cnt)
+			printf("RX: pkt_untaged_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_untaged_cnt);
+		if (secy_stat->pkt_ctl_cnt)
+			printf("RX: pkt_ctl_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_ctl_cnt);
+		if (secy_stat->pkt_notag_cnt)
+			printf("RX: pkt_notag_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_notag_cnt);
+		printf("\n");
+		printf("\n********** RX SC[%u] STATS **************\n", rx_sc_id);
+
+		rte_security_macsec_sc_stats_get(ctx, rx_sc_id, RTE_SECURITY_MACSEC_DIR_RX,
+						 &sc_stat);
+		/* RX */
+		if (sc_stat.hit_cnt)
+			printf("RX hit_cnt: 0x%" PRIx64 "\n", sc_stat.hit_cnt);
+		if (sc_stat.pkt_invalid_cnt)
+			printf("RX pkt_invalid_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_invalid_cnt);
+		if (sc_stat.pkt_late_cnt)
+			printf("RX pkt_late_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_late_cnt);
+		if (sc_stat.pkt_notvalid_cnt)
+			printf("RX pkt_notvalid_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_notvalid_cnt);
+		if (sc_stat.pkt_unchecked_cnt)
+			printf("RX pkt_unchecked_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_unchecked_cnt);
+		if (sc_stat.pkt_delay_cnt)
+			printf("RX pkt_delay_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_delay_cnt);
+		if (sc_stat.pkt_ok_cnt)
+			printf("RX pkt_ok_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_ok_cnt);
+		if (sc_stat.octet_decrypt_cnt)
+			printf("RX octet_decrypt_cnt: 0x%" PRIx64 "\n", sc_stat.octet_decrypt_cnt);
+		if (sc_stat.octet_validate_cnt)
+			printf("RX octet_validate_cnt: 0x%" PRIx64 "\n",
+					sc_stat.octet_validate_cnt);
+		printf("\n");
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			printf("\n********** RX SA[%u] STATS ****************\n", rx_sa_id[i]);
+			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
+					RTE_SECURITY_MACSEC_DIR_RX, &sa_stat);
+
+			/* RX */
+			if (sa_stat.pkt_invalid_cnt)
+				printf("RX pkt_invalid_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_invalid_cnt);
+			if (sa_stat.pkt_nosaerror_cnt)
+				printf("RX pkt_nosaerror_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_nosaerror_cnt);
+			if (sa_stat.pkt_notvalid_cnt)
+				printf("RX pkt_notvalid_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_notvalid_cnt);
+			if (sa_stat.pkt_ok_cnt)
+				printf("RX pkt_ok_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_ok_cnt);
+			if (sa_stat.pkt_nosa_cnt)
+				printf("RX pkt_nosa_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_nosa_cnt);
+			printf("\n");
+		}
+	}
+
+	if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+		memset(&sess_stats, 0, sizeof(struct rte_security_stats));
+		rte_security_session_stats_get(ctx, tx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		printf("\n********* TX SECY STATS ************\n");
+		if (secy_stat->ctl_pkt_bcast_cnt)
+			printf("TX: ctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_bcast_cnt);
+		if (secy_stat->ctl_pkt_mcast_cnt)
+			printf("TX: ctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_mcast_cnt);
+		if (secy_stat->ctl_pkt_ucast_cnt)
+			printf("TX: ctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_ucast_cnt);
+		if (secy_stat->ctl_octet_cnt)
+			printf("TX: ctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->ctl_octet_cnt);
+		if (secy_stat->unctl_pkt_bcast_cnt)
+			printf("TX: unctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_bcast_cnt);
+		if (secy_stat->unctl_pkt_mcast_cnt)
+			printf("TX: unctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_mcast_cnt);
+		if (secy_stat->unctl_pkt_ucast_cnt)
+			printf("TX: unctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_ucast_cnt);
+		if (secy_stat->unctl_octet_cnt)
+			printf("TX: unctl_octet_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_octet_cnt);
+		/* Valid only for TX */
+		if (secy_stat->octet_encrypted_cnt)
+			printf("TX: octet_encrypted_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_encrypted_cnt);
+		if (secy_stat->octet_protected_cnt)
+			printf("TX: octet_protected_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_protected_cnt);
+		if (secy_stat->pkt_noactivesa_cnt)
+			printf("TX: pkt_noactivesa_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_noactivesa_cnt);
+		if (secy_stat->pkt_toolong_cnt)
+			printf("TX: pkt_toolong_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_toolong_cnt);
+		if (secy_stat->pkt_untagged_cnt)
+			printf("TX: pkt_untagged_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_untagged_cnt);
+
+
+		memset(&sc_stat, 0, sizeof(struct rte_security_macsec_sc_stats));
+		rte_security_macsec_sc_stats_get(ctx, tx_sc_id, RTE_SECURITY_MACSEC_DIR_TX,
+						 &sc_stat);
+		printf("\n********** TX SC[%u] STATS **************\n", tx_sc_id);
+		if (sc_stat.pkt_encrypt_cnt)
+			printf("TX pkt_encrypt_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_encrypt_cnt);
+		if (sc_stat.pkt_protected_cnt)
+			printf("TX pkt_protected_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_protected_cnt);
+		if (sc_stat.octet_encrypt_cnt)
+			printf("TX octet_encrypt_cnt: 0x%" PRIx64 "\n", sc_stat.octet_encrypt_cnt);
+
+		memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+		rte_security_macsec_sa_stats_get(ctx, tx_sa_id[0],
+				RTE_SECURITY_MACSEC_DIR_TX, &sa_stat);
+		printf("\n********** TX SA[%u] STATS ****************\n", tx_sa_id[0]);
+		if (sa_stat.pkt_encrypt_cnt)
+			printf("TX pkt_encrypt_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_encrypt_cnt);
+		if (sa_stat.pkt_protected_cnt)
+			printf("TX pkt_protected_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_protected_cnt);
+	}
+}
+
+static int
+test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
+{
+	uint16_t rx_sa_id[MCS_MAX_FLOWS][RTE_SECURITY_MACSEC_NUM_AN] = {0};
+	uint16_t tx_sa_id[MCS_MAX_FLOWS][2] = {0};
+	uint16_t rx_sc_id[MCS_MAX_FLOWS] = {0};
+	uint16_t tx_sc_id[MCS_MAX_FLOWS] = {0};
+	void *rx_sess[MCS_MAX_FLOWS];
+	void *tx_sess[MCS_MAX_FLOWS];
+	struct rte_security_session_conf sess_conf = {0};
+	struct rte_security_macsec_sa sa_conf = {0};
+	struct rte_security_macsec_sc sc_conf = {0};
+	struct rte_security_ctx *ctx;
+	int nb_rx = 0, nb_sent;
+	int i, j = 0, ret, id, an = 0;
+	uint8_t tci_off;
+
+	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * opts->nb_td);
+
+	ctx = (struct rte_security_ctx *)rte_eth_dev_get_sec_ctx(port_id);
+	if (ctx == NULL) {
+		printf("Ethernet device doesn't support security features.\n");
+		return TEST_SKIPPED;
+	}
+
+	tci_off = (opts->sectag_insert_mode == 1) ? RTE_ETHER_HDR_LEN :
+			RTE_ETHER_HDR_LEN + (opts->nb_vlan * RTE_VLAN_HLEN);
+
+	for (i = 0, j = 0; i < opts->nb_td; i++) {
+		if (op == MCS_DECAP || op == MCS_VERIFY_ONLY)
+			tx_pkts_burst[j] = init_packet(mbufpool, td[i]->secure_pkt.data,
+							td[i]->secure_pkt.len);
+		else {
+			tx_pkts_burst[j] = init_packet(mbufpool, td[i]->plain_pkt.data,
+							td[i]->plain_pkt.len);
+
+			tx_pkts_burst[j]->ol_flags |= RTE_MBUF_F_TX_MACSEC;
+		}
+		if (tx_pkts_burst[j] == NULL) {
+			while (j--)
+				rte_pktmbuf_free(tx_pkts_burst[j]);
+			ret = TEST_FAILED;
+			goto out;
+		}
+		j++;
+
+		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
+				/* For simplicity, using same SA conf for all AN */
+				fill_macsec_sa_conf(td[i], &sa_conf,
+						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
+				id = rte_security_macsec_sa_create(ctx, &sa_conf);
+				if (id < 0) {
+					printf("MACsec SA create failed : %d.\n", id);
+					return TEST_FAILED;
+				}
+				rx_sa_id[i][an] = (uint16_t)id;
+			}
+			fill_macsec_sc_conf(td[i], &sc_conf, opts,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sa_id[i], tci_off);
+			id = rte_security_macsec_sc_create(ctx, &sc_conf);
+			if (id < 0) {
+				printf("MACsec SC create failed : %d.\n", id);
+				goto out;
+			}
+			rx_sc_id[i] = (uint16_t)id;
+
+			/* Create Inline IPsec session. */
+			ret = fill_session_conf(td[i], port_id, opts, &sess_conf,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sc_id[i], tci_off);
+			if (ret)
+				return TEST_FAILED;
+
+			rx_sess[i] = rte_security_session_create(ctx, &sess_conf,
+					sess_pool);
+			if (rx_sess[i] == NULL) {
+				printf("SEC Session init failed.\n");
+				return TEST_FAILED;
+			}
+			ret = create_default_flow(td[i], port_id,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sess[i]);
+			if (ret)
+				goto out;
+		}
+		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+			int id;
+
+			fill_macsec_sa_conf(td[i], &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					td[i]->secure_pkt.data[tci_off] & RTE_MACSEC_AN_MASK,
+					tci_off);
+			id = rte_security_macsec_sa_create(ctx, &sa_conf);
+			if (id < 0) {
+				printf("MACsec SA create failed : %d.\n", id);
+				return TEST_FAILED;
+			}
+			tx_sa_id[i][0] = (uint16_t)id;
+			tx_sa_id[i][1] = MCS_INVALID_SA;
+			fill_macsec_sc_conf(td[i], &sc_conf, opts,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sa_id[i], tci_off);
+			id = rte_security_macsec_sc_create(ctx, &sc_conf);
+			if (id < 0) {
+				printf("MACsec SC create failed : %d.\n", id);
+				goto out;
+			}
+			tx_sc_id[i] = (uint16_t)id;
+
+			/* Create Inline IPsec session. */
+			ret = fill_session_conf(td[i], port_id, opts, &sess_conf,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sc_id[i], tci_off);
+			if (ret)
+				return TEST_FAILED;
+
+			tx_sess[i] = rte_security_session_create(ctx, &sess_conf,
+					sess_pool);
+			if (tx_sess[i] == NULL) {
+				printf("SEC Session init failed.\n");
+				return TEST_FAILED;
+			}
+			ret = create_default_flow(td[i], port_id,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sess[i]);
+			if (ret)
+				goto out;
+		}
+	}
+
+	/* Send packet to ethdev for inline MACsec processing. */
+	nb_sent = rte_eth_tx_burst(port_id, 0, tx_pkts_burst, j);
+
+	if (nb_sent != j) {
+		printf("\nUnable to TX %d packets, sent: %i", j, nb_sent);
+		for ( ; nb_sent < j; nb_sent++)
+			rte_pktmbuf_free(tx_pkts_burst[nb_sent]);
+		ret = TEST_FAILED;
+		goto out;
+	}
+
+	rte_pause();
+
+	/* Receive back packet on loopback interface. */
+	do {
+		nb_rx += rte_eth_rx_burst(port_id, 0,
+				&rx_pkts_burst[nb_rx],
+				nb_sent - nb_rx);
+		if (nb_rx >= nb_sent)
+			break;
+		rte_delay_ms(1);
+	} while (j++ < 5 && nb_rx == 0);
+
+	if (nb_rx != nb_sent) {
+		printf("\nUnable to RX all %d packets, received(%i)",
+				nb_sent, nb_rx);
+		while (--nb_rx >= 0)
+			rte_pktmbuf_free(rx_pkts_burst[nb_rx]);
+		ret = TEST_FAILED;
+		goto out;
+	}
+
+	for (i = 0; i < nb_rx; i++) {
+		ret = test_macsec_post_process(rx_pkts_burst[i], td[i], op,
+				opts->check_out_pkts_untagged);
+		if (ret != TEST_SUCCESS) {
+			for ( ; i < nb_rx; i++)
+				rte_pktmbuf_free(rx_pkts_burst[i]);
+			goto out;
+		}
+
+		rte_pktmbuf_free(rx_pkts_burst[i]);
+		rx_pkts_burst[i] = NULL;
+	}
+out:
+	for (i = 0; i < opts->nb_td; i++) {
+		if (opts->dump_all_stats) {
+			mcs_stats_dump(ctx, op,
+					rx_sess[i], tx_sess[i],
+					rx_sc_id[i], tx_sc_id[i],
+					rx_sa_id[i], tx_sa_id[i]);
+		}
+	}
+
+	destroy_default_flow(port_id);
+
+	/* Destroy session so that other cases can create the session again */
+	for (i = 0; i < opts->nb_td; i++) {
+		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+			rte_security_session_destroy(ctx, tx_sess[i]);
+			tx_sess[i] = NULL;
+			rte_security_macsec_sc_destroy(ctx, tx_sc_id[i],
+						RTE_SECURITY_MACSEC_DIR_TX);
+			rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][0],
+						RTE_SECURITY_MACSEC_DIR_TX);
+		}
+		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+			rte_security_session_destroy(ctx, rx_sess[i]);
+			rx_sess[i] = NULL;
+			rte_security_macsec_sc_destroy(ctx, rx_sc_id[i],
+						RTE_SECURITY_MACSEC_DIR_RX);
+			for (j = 0; j < RTE_SECURITY_MACSEC_NUM_AN; j++) {
+				rte_security_macsec_sa_destroy(ctx, rx_sa_id[i][j],
+						RTE_SECURITY_MACSEC_DIR_RX);
+			}
+		}
+	}
+
+	return ret;
+}
+
+static int
+test_inline_macsec_encap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Encryption case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Encryption case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_decap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Decryption case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Decryption case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+ut_setup_inline_macsec(void)
+{
+	int ret;
+
+	/* Start device */
+	ret = rte_eth_dev_start(port_id);
+	if (ret < 0) {
+		printf("rte_eth_dev_start: err=%d, port=%d\n",
+			ret, port_id);
+		return ret;
+	}
+	/* always enable promiscuous */
+	ret = rte_eth_promiscuous_enable(port_id);
+	if (ret != 0) {
+		printf("rte_eth_promiscuous_enable: err=%s, port=%d\n",
+			rte_strerror(-ret), port_id);
+		return ret;
+	}
+
+	check_all_ports_link_status(1, RTE_PORT_ALL);
+
+	return 0;
+}
+
+static void
+ut_teardown_inline_macsec(void)
+{
+	uint16_t portid;
+	int ret;
+
+	/* port tear down */
+	RTE_ETH_FOREACH_DEV(portid) {
+		ret = rte_eth_dev_stop(portid);
+		if (ret != 0)
+			printf("rte_eth_dev_stop: err=%s, port=%u\n",
+			       rte_strerror(-ret), portid);
+
+	}
+}
+
+static int
+inline_macsec_testsuite_setup(void)
+{
+	uint16_t nb_rxd;
+	uint16_t nb_txd;
+	uint16_t nb_ports;
+	int ret;
+	uint16_t nb_rx_queue = 1, nb_tx_queue = 1;
+
+	printf("Start inline MACsec test.\n");
+
+	nb_ports = rte_eth_dev_count_avail();
+	if (nb_ports < NB_ETHPORTS_USED) {
+		printf("At least %u port(s) used for test\n",
+		       NB_ETHPORTS_USED);
+		return TEST_SKIPPED;
+	}
+
+	ret = init_mempools(NB_MBUF);
+	if (ret)
+		return ret;
+
+	if (tx_pkts_burst == NULL) {
+		tx_pkts_burst = (struct rte_mbuf **)rte_calloc("tx_buff",
+					  MAX_TRAFFIC_BURST,
+					  sizeof(void *),
+					  RTE_CACHE_LINE_SIZE);
+		if (!tx_pkts_burst)
+			return TEST_FAILED;
+
+		rx_pkts_burst = (struct rte_mbuf **)rte_calloc("rx_buff",
+					  MAX_TRAFFIC_BURST,
+					  sizeof(void *),
+					  RTE_CACHE_LINE_SIZE);
+		if (!rx_pkts_burst)
+			return TEST_FAILED;
+	}
+
+	printf("Generate %d packets\n", MAX_TRAFFIC_BURST);
+
+	nb_rxd = RTE_TEST_RX_DESC_DEFAULT;
+	nb_txd = RTE_TEST_TX_DESC_DEFAULT;
+
+	/* configuring port 0 for the test is enough */
+	port_id = 0;
+	/* port configure */
+	ret = rte_eth_dev_configure(port_id, nb_rx_queue,
+				    nb_tx_queue, &port_conf);
+	if (ret < 0) {
+		printf("Cannot configure device: err=%d, port=%d\n",
+			 ret, port_id);
+		return ret;
+	}
+	ret = rte_eth_macaddr_get(port_id, &ports_eth_addr[port_id]);
+	if (ret < 0) {
+		printf("Cannot get mac address: err=%d, port=%d\n",
+			 ret, port_id);
+		return ret;
+	}
+	printf("Port %u ", port_id);
+	print_ethaddr("Address:", &ports_eth_addr[port_id]);
+	printf("\n");
+
+	/* tx queue setup */
+	ret = rte_eth_tx_queue_setup(port_id, 0, nb_txd,
+				     SOCKET_ID_ANY, &tx_conf);
+	if (ret < 0) {
+		printf("rte_eth_tx_queue_setup: err=%d, port=%d\n",
+				ret, port_id);
+		return ret;
+	}
+	/* rx queue steup */
+	ret = rte_eth_rx_queue_setup(port_id, 0, nb_rxd, SOCKET_ID_ANY,
+				     &rx_conf, mbufpool);
+	if (ret < 0) {
+		printf("rte_eth_rx_queue_setup: err=%d, port=%d\n",
+				ret, port_id);
+		return ret;
+	}
+
+	return 0;
+}
+
+static void
+inline_macsec_testsuite_teardown(void)
+{
+	uint16_t portid;
+	int ret;
+
+	/* port tear down */
+	RTE_ETH_FOREACH_DEV(portid) {
+		ret = rte_eth_dev_reset(portid);
+		if (ret != 0)
+			printf("rte_eth_dev_reset: err=%s, port=%u\n",
+			       rte_strerror(-ret), port_id);
+	}
+	rte_free(tx_pkts_burst);
+	rte_free(rx_pkts_burst);
+}
+
+
+static struct unit_test_suite inline_macsec_testsuite  = {
+	.suite_name = "Inline MACsec Ethernet Device Unit Test Suite",
+	.unit_test_cases = {
+		TEST_CASE_NAMED_ST(
+			"MACsec encap(Cipher+Auth) known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec decap(De-cipher+verify) known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_decap_all),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	},
+};
+
+static int
+test_inline_macsec(void)
+{
+	inline_macsec_testsuite.setup = inline_macsec_testsuite_setup;
+	inline_macsec_testsuite.teardown = inline_macsec_testsuite_teardown;
+	return unit_test_suite_runner(&inline_macsec_testsuite);
+}
+
+#endif /* !RTE_EXEC_ENV_WINDOWS */
+
+REGISTER_TEST_COMMAND(inline_macsec_autotest, test_inline_macsec);
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
new file mode 100644
index 0000000000..68bd485419
--- /dev/null
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -0,0 +1,1086 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+#ifndef _TEST_INLINE_MACSEC_VECTORS_H_
+#define _TEST_INLINE_MACSEC_VECTORS_H_
+
+#define MCS_MAX_DATA_SZ				256
+#define MCS_MAX_KEY_LEN				32
+#define MCS_IV_LEN				12
+#define MCS_SALT_LEN				12
+#define MCS_MAX_FLOWS				63
+
+enum mcs_op {
+	MCS_NO_OP,
+	MCS_ENCAP,
+	MCS_DECAP,
+	MCS_ENCAP_DECAP,
+	MCS_AUTH_ONLY,
+	MCS_VERIFY_ONLY,
+	MCS_AUTH_VERIFY,
+};
+
+struct mcs_test_vector {
+	uint32_t test_idx;
+	enum rte_security_macsec_alg alg;
+	uint32_t ssci;
+	uint32_t xpn;
+	uint8_t salt[MCS_SALT_LEN];
+	struct {
+		uint8_t data[MCS_MAX_KEY_LEN];
+		uint16_t len;
+	} sa_key;
+	struct {
+		uint8_t data[MCS_MAX_DATA_SZ];
+		uint16_t len;
+	} plain_pkt;
+	struct {
+		uint8_t data[MCS_MAX_DATA_SZ];
+		uint16_t len;
+	} secure_pkt;
+};
+
+static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
+/* gcm_128_64B_cipher */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* gcm_128_54B_cipher */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x13, 0xB4, 0xC7, 0x2B, 0x38, 0x9D, 0xC5, 0x01,
+			0x8E, 0x72, 0xA1, 0x71, 0xDD, 0x85, 0xA5, 0xD3,
+			0x75, 0x22, 0x74, 0xD3, 0xA0, 0x19, 0xFB, 0xCA,
+			0xED, 0x09, 0xA4, 0x25, 0xCD, 0x9B, 0x2E, 0x1C,
+			0x9B, 0x72, 0xEE, 0xE7, 0xC9, 0xDE, 0x7D, 0x52,
+			0xB3, 0xF3,
+			/* ICV */
+			0xD6, 0xA5, 0x28, 0x4F, 0x4A, 0x6D, 0x3F, 0xE2,
+			0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
+		},
+		.len = 78,
+	},
+},
+/* gcm_256_54B_cipher */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0xC1, 0x62, 0x3F, 0x55, 0x73, 0x0C, 0x93, 0x53,
+			0x30, 0x97, 0xAD, 0xDA, 0xD2, 0x56, 0x64, 0x96,
+			0x61, 0x25, 0x35, 0x2B, 0x43, 0xAD, 0xAC, 0xBD,
+			0x61, 0xC5, 0xEF, 0x3A, 0xC9, 0x0B, 0x5B, 0xEE,
+			0x92, 0x9C, 0xE4, 0x63, 0x0E, 0xA7, 0x9F, 0x6C,
+			0xE5, 0x19,
+			/* ICV */
+			0x12, 0xAF, 0x39, 0xC2, 0xD1, 0xFD, 0xC2, 0x05,
+			0x1F, 0x8B, 0x7B, 0x3C, 0x9D, 0x39, 0x7E, 0xF2,
+		},
+		.len = 78,
+	},
+},
+/* gcm_128_xpn_54B_cipher */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x9C, 0xA4, 0x69, 0x84, 0x43, 0x02, 0x03, 0xED,
+			0x41, 0x6E, 0xBD, 0xC2, 0xFE, 0x26, 0x22, 0xBA,
+			0x3E, 0x5E, 0xAB, 0x69, 0x61, 0xC3, 0x63, 0x83,
+			0x00, 0x9E, 0x18, 0x7E, 0x9B, 0x0C, 0x88, 0x56,
+			0x46, 0x53, 0xB9, 0xAB, 0xD2, 0x16, 0x44, 0x1C,
+			0x6A, 0xB6,
+			/* ICV */
+			0xF0, 0xA2, 0x32, 0xE9, 0xE4, 0x4C, 0x97, 0x8C,
+			0xF7, 0xCD, 0x84, 0xD4, 0x34, 0x84, 0xD1, 0x01,
+		},
+		.len = 78,
+	},
+},
+/* gcm_256_xpn_54B_cipher */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x88, 0xD9, 0xF7, 0xD1, 0xF1, 0x57, 0x8E, 0xE3,
+			0x4B, 0xA7, 0xB1, 0xAB, 0xC8, 0x98, 0x93, 0xEF,
+			0x1D, 0x33, 0x98, 0xC9, 0xF1, 0xDD, 0x3E, 0x47,
+			0xFB, 0xD8, 0x55, 0x3E, 0x0F, 0xF7, 0x86, 0xEF,
+			0x56, 0x99, 0xEB, 0x01, 0xEA, 0x10, 0x42, 0x0D,
+			0x0E, 0xBD,
+			/* ICV */
+			0x39, 0xA0, 0xE2, 0x73, 0xC4, 0xC7, 0xF9, 0x5E,
+			0xD8, 0x43, 0x20, 0x7D, 0x7A, 0x49, 0x7D, 0xFA,
+		},
+		.len = 78,
+	},
+},
+/* gcm_128_60B_cipher */
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x70, 0x1A, 0xFA, 0x1C, 0xC0, 0x39, 0xC0, 0xD7,
+			0x65, 0x12, 0x8A, 0x66, 0x5D, 0xAB, 0x69, 0x24,
+			0x38, 0x99, 0xBF, 0x73, 0x18, 0xCC, 0xDC, 0x81,
+			0xC9, 0x93, 0x1D, 0xA1, 0x7F, 0xBE, 0x8E, 0xDD,
+			0x7D, 0x17, 0xCB, 0x8B, 0x4C, 0x26, 0xFC, 0x81,
+			0xE3, 0x28, 0x4F, 0x2B, 0x7F, 0xBA, 0x71, 0x3D,
+			/* ICV */
+			0x4F, 0x8D, 0x55, 0xE7, 0xD3, 0xF0, 0x6F, 0xD5,
+			0xA1, 0x3C, 0x0C, 0x29, 0xB9, 0xD5, 0xB8, 0x80,
+		},
+		.len = 92,
+	},
+},
+/* gcm_256_60B_cipher */
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0xE2, 0x00, 0x6E, 0xB4, 0x2F, 0x52, 0x77, 0x02,
+			0x2D, 0x9B, 0x19, 0x92, 0x5B, 0xC4, 0x19, 0xD7,
+			0xA5, 0x92, 0x66, 0x6C, 0x92, 0x5F, 0xE2, 0xEF,
+			0x71, 0x8E, 0xB4, 0xE3, 0x08, 0xEF, 0xEA, 0xA7,
+			0xC5, 0x27, 0x3B, 0x39, 0x41, 0x18, 0x86, 0x0A,
+			0x5B, 0xE2, 0xA9, 0x7F, 0x56, 0xAB, 0x78, 0x36,
+			/* ICV */
+			0x5C, 0xA5, 0x97, 0xCD, 0xBB, 0x3E, 0xDB, 0x8D,
+			0x1A, 0x11, 0x51, 0xEA, 0x0A, 0xF7, 0xB4, 0x36,
+		},
+		.len = 92,
+	},
+},
+/* gcm_128_xpn_60B_cipher */
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x07, 0x12, 0xD9, 0x80, 0xCA, 0x50, 0xBB, 0xED,
+			0x35, 0xA0, 0xFA, 0x56, 0x63, 0x38, 0x72, 0x9F,
+			0xFA, 0x16, 0xD1, 0x9F, 0xFC, 0xF0, 0x7B, 0x3A,
+			0x1E, 0x79, 0x19, 0xB3, 0x77, 0x6A, 0xAC, 0xEC,
+			0x8A, 0x59, 0x37, 0x20, 0x8B, 0x48, 0x3A, 0x76,
+			0x91, 0x98, 0x4D, 0x38, 0x07, 0x92, 0xE0, 0x7F,
+			/* ICV */
+			0xC2, 0xC3, 0xC7, 0x9F, 0x26, 0x3F, 0xA6, 0xBF,
+			0xF8, 0xE7, 0x58, 0x1E, 0x2C, 0xE4, 0x5A, 0xF8,
+		},
+		.len = 92,
+	},
+},
+/* gcm_256_xpn_60B_cipher */
+{
+	.test_idx = 8,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x3E, 0xB0, 0x4A, 0x4B, 0xBF, 0x54, 0xC6, 0xEB,
+			0x12, 0x22, 0xA9, 0xAE, 0xA0, 0x0C, 0x38, 0x68,
+			0x7F, 0x6C, 0x35, 0x20, 0xD9, 0x76, 0xA3, 0xB6,
+			0x94, 0x80, 0x06, 0x50, 0xCE, 0x65, 0x85, 0xE6,
+			0x20, 0xA4, 0x19, 0x19, 0x17, 0xD2, 0xA6, 0x05,
+			0xD8, 0x70, 0xC7, 0x8D, 0x27, 0x52, 0xCE, 0x49,
+			/* ICV */
+			0x3B, 0x44, 0x2A, 0xC0, 0xC8, 0x16, 0xD7, 0xAB,
+			0xD7, 0x0A, 0xD6, 0x5C, 0x25, 0xD4, 0x64, 0x13,
+		},
+		.len = 92,
+	},
+},
+/* gcm_128_61B_cipher */
+{
+	.test_idx = 9,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x3A, 0x4D, 0xE6, 0xFA, 0x32, 0x19, 0x10, 0x14,
+			0xDB, 0xB3, 0x03, 0xD9, 0x2E, 0xE3, 0xA9, 0xE8,
+			0xA1, 0xB5, 0x99, 0xC1, 0x4D, 0x22, 0xFB, 0x08,
+			0x00, 0x96, 0xE1, 0x38, 0x11, 0x81, 0x6A, 0x3C,
+			0x9C, 0x9B, 0xCF, 0x7C, 0x1B, 0x9B, 0x96, 0xDA,
+			0x80, 0x92, 0x04, 0xE2, 0x9D, 0x0E, 0x2A, 0x76,
+			0x42,
+			/* ICV */
+			0xBF, 0xD3, 0x10, 0xA4, 0x83, 0x7C, 0x81, 0x6C,
+			0xCF, 0xA5, 0xAC, 0x23, 0xAB, 0x00, 0x39, 0x88,
+		},
+		.len = 93,
+	},
+},
+/* gcm_256_61B_cipher */
+{
+	.test_idx = 10,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x11, 0x02, 0x22, 0xFF, 0x80, 0x50, 0xCB, 0xEC,
+			0xE6, 0x6A, 0x81, 0x3A, 0xD0, 0x9A, 0x73, 0xED,
+			0x7A, 0x9A, 0x08, 0x9C, 0x10, 0x6B, 0x95, 0x93,
+			0x89, 0x16, 0x8E, 0xD6, 0xE8, 0x69, 0x8E, 0xA9,
+			0x02, 0xEB, 0x12, 0x77, 0xDB, 0xEC, 0x2E, 0x68,
+			0xE4, 0x73, 0x15, 0x5A, 0x15, 0xA7, 0xDA, 0xEE,
+			0xD4,
+			/* ICV */
+			0xA1, 0x0F, 0x4E, 0x05, 0x13, 0x9C, 0x23, 0xDF,
+			0x00, 0xB3, 0xAA, 0xDC, 0x71, 0xF0, 0x59, 0x6A,
+		},
+		.len = 93,
+	},
+},
+/* gcm_128_xpn_61B_cipher */
+{
+	.test_idx = 11,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x14, 0xC1, 0x76, 0x93, 0xBC, 0x82, 0x97, 0xEE,
+			0x6C, 0x47, 0xC5, 0x65, 0xCB, 0xE0, 0x67, 0x9E,
+			0x80, 0xF0, 0x0F, 0xCA, 0xF5, 0x92, 0xC9, 0xAA,
+			0x04, 0x73, 0x92, 0x8E, 0x7F, 0x2F, 0x21, 0x6F,
+			0xF5, 0xA0, 0x33, 0xDE, 0xC7, 0x51, 0x3F, 0x45,
+			0xD3, 0x4C, 0xBB, 0x98, 0x1C, 0x5B, 0xD6, 0x4E,
+			0x8B,
+			/* ICV */
+			0xD8, 0x4B, 0x8E, 0x2A, 0x78, 0xE7, 0x4D, 0xAF,
+			0xEA, 0xA0, 0x38, 0x46, 0xFE, 0x93, 0x0C, 0x0E,
+		},
+		.len = 93,
+	},
+},
+/* gcm_256_xpn_61B_cipher */
+{
+	.test_idx = 12,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x09, 0x96, 0xE0, 0xC9, 0xA5, 0x57, 0x74, 0xE0,
+			0xA7, 0x92, 0x30, 0x4E, 0x7D, 0xC1, 0x50, 0xBD,
+			0x67, 0xFD, 0x74, 0x7D, 0xD1, 0xB9, 0x41, 0x95,
+			0x94, 0xBF, 0x37, 0x3D, 0x4A, 0xCE, 0x8F, 0x87,
+			0xF5, 0xC1, 0x34, 0x9A, 0xFA, 0xC4, 0x91, 0xAA,
+			0x0A, 0x40, 0xD3, 0x19, 0x90, 0x87, 0xB2, 0x9F,
+			0xDF,
+			/* ICV */
+			0x80, 0x2F, 0x05, 0x0E, 0x69, 0x1F, 0x11, 0xA2,
+			0xD9, 0xB3, 0x58, 0xF6, 0x99, 0x41, 0x84, 0xF5,
+		},
+		.len = 93,
+	},
+},
+/* gcm_128_75B_cipher */
+{
+	.test_idx = 13,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xC3, 0x1F, 0x53, 0xD9, 0x9E, 0x56, 0x87, 0xF7,
+			0x36, 0x51, 0x19, 0xB8, 0x32, 0xD2, 0xAA, 0xE7,
+			0x07, 0x41, 0xD5, 0x93, 0xF1, 0xF9, 0xE2, 0xAB,
+			0x34, 0x55, 0x77, 0x9B, 0x07, 0x8E, 0xB8, 0xFE,
+			0xAC, 0xDF, 0xEC, 0x1F, 0x8E, 0x3E, 0x52, 0x77,
+			0xF8, 0x18, 0x0B, 0x43, 0x36, 0x1F, 0x65, 0x12,
+			0xAD, 0xB1, 0x6D, 0x2E, 0x38, 0x54, 0x8A, 0x2C,
+			0x71, 0x9D, 0xBA, 0x72, 0x28, 0xD8, 0x40,
+			/* ICV */
+			0x88, 0xF8, 0x75, 0x7A, 0xDB, 0x8A, 0xA7, 0x88,
+			0xD8, 0xF6, 0x5A, 0xD6, 0x68, 0xBE, 0x70, 0xE7,
+		},
+		.len = 99,
+	},
+},
+/* gcm_256_75B_cipher */
+{
+	.test_idx = 14,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xBA, 0x8A, 0xE3, 0x1B, 0xC5, 0x06, 0x48, 0x6D,
+			0x68, 0x73, 0xE4, 0xFC, 0xE4, 0x60, 0xE7, 0xDC,
+			0x57, 0x59, 0x1F, 0xF0, 0x06, 0x11, 0xF3, 0x1C,
+			0x38, 0x34, 0xFE, 0x1C, 0x04, 0xAD, 0x80, 0xB6,
+			0x68, 0x03, 0xAF, 0xCF, 0x5B, 0x27, 0xE6, 0x33,
+			0x3F, 0xA6, 0x7C, 0x99, 0xDA, 0x47, 0xC2, 0xF0,
+			0xCE, 0xD6, 0x8D, 0x53, 0x1B, 0xD7, 0x41, 0xA9,
+			0x43, 0xCF, 0xF7, 0xA6, 0x71, 0x3B, 0xD0,
+			/* ICV */
+			0x26, 0x11, 0xCD, 0x7D, 0xAA, 0x01, 0xD6, 0x1C,
+			0x5C, 0x88, 0x6D, 0xC1, 0xA8, 0x17, 0x01, 0x07,
+		},
+		.len = 99,
+	},
+},
+/* gcm_128_xpn_75B_cipher */
+{
+	.test_idx = 15,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xEA, 0xEC, 0xC6, 0xAF, 0x65, 0x12, 0xFC, 0x8B,
+			0x6C, 0x8C, 0x43, 0xBC, 0x55, 0xB1, 0x90, 0xB2,
+			0x62, 0x6D, 0x07, 0xD3, 0xD2, 0x18, 0xFA, 0xF5,
+			0xDA, 0xA7, 0xD8, 0xF8, 0x00, 0xA5, 0x73, 0x31,
+			0xEB, 0x43, 0xB5, 0xA1, 0x7A, 0x37, 0xE5, 0xB1,
+			0xD6, 0x0D, 0x27, 0x5C, 0xCA, 0xF7, 0xAC, 0xD7,
+			0x04, 0xCC, 0x9A, 0xCE, 0x2B, 0xF8, 0xBC, 0x8B,
+			0x9B, 0x23, 0xB9, 0xAD, 0xF0, 0x2F, 0x87,
+			/* ICV */
+			0x34, 0x6B, 0x96, 0xD1, 0x13, 0x6A, 0x75, 0x4D,
+			0xF0, 0xA6, 0xCD, 0xE1, 0x26, 0xC1, 0x07, 0xF8,
+		},
+		.len = 99,
+	},
+},
+/* gcm_256_xpn_75B_cipher */
+{
+	.test_idx = 16,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xB0, 0xFE, 0xA3, 0x63, 0x18, 0xB9, 0xB3, 0x64,
+			0x66, 0xC4, 0x6E, 0x9E, 0x1B, 0xDA, 0x1A, 0x26,
+			0x68, 0x58, 0x19, 0x6E, 0x7E, 0x70, 0xD8, 0x82,
+			0xAE, 0x70, 0x47, 0x56, 0x68, 0xCD, 0xE4, 0xEC,
+			0x88, 0x3F, 0x6A, 0xC2, 0x36, 0x9F, 0x28, 0x4B,
+			0xED, 0x1F, 0xE3, 0x2F, 0x42, 0x09, 0x2F, 0xDF,
+			0xF5, 0x86, 0x8A, 0x3C, 0x64, 0xE5, 0x61, 0x51,
+			0x92, 0xA7, 0xA3, 0x76, 0x0B, 0x34, 0xBC,
+			/* ICV */
+			0x85, 0x69, 0x2C, 0xD8, 0x15, 0xB6, 0x64, 0x71,
+			0x1A, 0xEF, 0x91, 0x1D, 0xF7, 0x8D, 0x7F, 0x46,
+		},
+		.len = 99,
+	},
+},
+};
+
+#endif
-- 
2.25.1

[PATCH 04/13] test/security: add MACsec integrity cases

[Akhil Goyal]

Added test vectors and test cases to verify
auth_only/verify_only and encap-decap/auth-verify
to verify the complete TX-RX path using the loopback
mode of ethdev.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 153 +++
 .../test_security_inline_macsec_vectors.h     | 995 ++++++++++++++++++
 2 files changed, 1148 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 22a54dd65b..9047b7adff 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -937,6 +937,143 @@ test_inline_macsec_decap_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_auth_only_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_ONLY, &opts);
+		if (err) {
+			printf("\nAuth Generate case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Generate case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_verify_only_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err) {
+			printf("\nAuth Verify case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Verify case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_encap_decap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP_DECAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Encap-decap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Encap-decap case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+
+static int
+test_inline_macsec_auth_verify_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_VERIFY, &opts);
+		if (err) {
+			printf("\nAuth Generate + Verify case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Generate + Verify case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1090,6 +1227,22 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec decap(De-cipher+verify) known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_decap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth only known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_only_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec verify only known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_verify_only_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec encap + decap known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_decap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth + verify known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_verify_all),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 68bd485419..f6c668c281 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -1083,4 +1083,999 @@ static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
+/* gcm_128_54B_integrity */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0xF0, 0x94, 0x78, 0xA9, 0xB0, 0x90, 0x07, 0xD0,
+			0x6F, 0x46, 0xE9, 0xB6, 0xA1, 0xDA, 0x25, 0xDD,
+		},
+		.len = 86,
+	},
+},
+/* gcm_256_54B_integrity */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x2F, 0x0B, 0xC5, 0xAF, 0x40, 0x9E, 0x06, 0xD6,
+			0x09, 0xEA, 0x8B, 0x7D, 0x0F, 0xA5, 0xEA, 0x50,
+		},
+		.len = 86,
+	},
+},
+/* gcm_128_xpn_54B_integrity */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x17, 0xFE, 0x19, 0x81, 0xEB, 0xDD, 0x4A, 0xFC,
+			0x50, 0x62, 0x69, 0x7E, 0x8B, 0xAA, 0x0C, 0x23,
+		},
+		.len = 86,
+	},
+},
+/* gcm_256_xpn_54B_integrity */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x4D, 0xBD, 0x2F, 0x6A, 0x75, 0x4A, 0x6C, 0xF7,
+			0x28, 0xCC, 0x12, 0x9B, 0xA6, 0x93, 0x15, 0x77,
+		},
+		.len = 86,
+	},
+},
+/* gcm_128_60B_integrity */
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0x0C, 0x01, 0x7B, 0xC7, 0x3B, 0x22, 0x7D, 0xFC,
+			0xC9, 0xBA, 0xFA, 0x1C, 0x41, 0xAC, 0xC3, 0x53,
+		},
+		.len = 84,
+	},
+},
+/* gcm_256_60B_integrity */
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0x35, 0x21, 0x7C, 0x77, 0x4B, 0xBC, 0x31, 0xB6,
+			0x31, 0x66, 0xBC, 0xF9, 0xD4, 0xAB, 0xED, 0x07,
+		},
+		.len = 84,
+	},
+},
+/* gcm_128_xpn_60B_integrity */
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0xAB, 0xC4, 0x06, 0x85, 0xA3, 0xCF, 0x91, 0x1D,
+			0x37, 0x87, 0xE4, 0x9D, 0xB6, 0xA7, 0x26, 0x5E,
+		},
+		.len = 84,
+	},
+},
+/* gcm_256_xpn_60B_integrity */
+{
+	.test_idx = 8,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0xAC, 0x21, 0x95, 0x7B, 0x83, 0x12, 0xAB, 0x3C,
+			0x99, 0xAB, 0x46, 0x84, 0x98, 0x79, 0xC3, 0xF3,
+		},
+		.len = 84,
+	},
+},
+/* gcm_128_65B_integrity */
+{
+	.test_idx = 9,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x21, 0x78, 0x67, 0xE5, 0x0C, 0x2D, 0xAD, 0x74,
+			0xC2, 0x8C, 0x3B, 0x50, 0xAB, 0xDF, 0x69, 0x5A,
+		},
+		.len = 97,
+	},
+},
+/* gcm_256_65B_integrity */
+{
+	.test_idx = 10,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x6E, 0xE1, 0x60, 0xE8, 0xFA, 0xEC, 0xA4, 0xB3,
+			0x6C, 0x86, 0xB2, 0x34, 0x92, 0x0C, 0xA9, 0x75,
+		},
+		.len = 97,
+	},
+},
+/* gcm_128_xpn_65B_integrity */
+{
+	.test_idx = 11,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x67, 0x85, 0x59, 0xB7, 0xE5, 0x2D, 0xB0, 0x06,
+			0x82, 0xE3, 0xB8, 0x30, 0x34, 0xCE, 0xBE, 0x59,
+		},
+		.len = 97,
+	},
+},
+/* gcm_256_xpn_65B_integrity */
+{
+	.test_idx = 12,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x84, 0xBA, 0xC8, 0xE5, 0x3D, 0x1E, 0xA3, 0x55,
+			0xA5, 0xC7, 0xD3, 0x34, 0x84, 0x0A, 0xE9, 0x62,
+		},
+		.len = 97,
+	},
+},
+/* gcm_128_79B_integrity */
+{
+	.test_idx = 13,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x07, 0x92, 0x2B, 0x8E, 0xBC, 0xF1, 0x0B, 0xB2,
+			0x29, 0x75, 0x88, 0xCA, 0x4C, 0x61, 0x45, 0x23,
+		},
+		.len = 103,
+	},
+},
+/* gcm_256_79B_integrity */
+{
+	.test_idx = 14,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x00, 0xBD, 0xA1, 0xB7, 0xE8, 0x76, 0x08, 0xBC,
+			0xBF, 0x47, 0x0F, 0x12, 0x15, 0x7F, 0x4C, 0x07,
+		},
+		.len = 103,
+	},
+},
+/* gcm_128_xpn_79B_integrity */
+{
+	.test_idx = 15,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0xD0, 0xDC, 0x89, 0x6D, 0xC8, 0x37, 0x98, 0xA7,
+			0x9F, 0x3C, 0x5A, 0x95, 0xBA, 0x3C, 0xDF, 0x9A,
+		},
+		.len = 103,
+	},
+},
+/* gcm_256_xpn_79B_integrity */
+{
+	.test_idx = 16,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x04, 0x24, 0x9A, 0x20, 0x8A, 0x65, 0xB9, 0x6B,
+			0x3F, 0x32, 0x63, 0x00, 0x4C, 0xFD, 0x86, 0x7D,
+		},
+		.len = 103,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH 05/13] test/security: verify multi flow MACsec

[Akhil Goyal]

Added test case and test vectors to verify multiple
flows of MACsec.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  49 ++++++++
 .../test_security_inline_macsec_vectors.h     | 110 +++++++++++++++++-
 2 files changed, 158 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 9047b7adff..c32f747961 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1074,6 +1074,51 @@ test_inline_macsec_auth_verify_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_multi_flow(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *tv[MCS_MAX_FLOWS];
+	struct mcs_test_vector iter[MCS_MAX_FLOWS];
+	struct mcs_test_opts opts = {0};
+	int i, err;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = MCS_MAX_FLOWS;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	for (i = 0; i < MCS_MAX_FLOWS; i++) {
+		memcpy(&iter[i].sa_key.data, sa_key, MCS_MULTI_FLOW_TD_KEY_SZ);
+		memcpy(&iter[i].plain_pkt.data, eth_addrs[i], 2 * RTE_ETHER_ADDR_LEN);
+		memcpy(&iter[i].plain_pkt.data[2 * RTE_ETHER_ADDR_LEN], plain_user_data,
+		       MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ);
+		memcpy(&iter[i].secure_pkt.data, eth_addrs[i], 2 * RTE_ETHER_ADDR_LEN);
+		memcpy(&iter[i].secure_pkt.data[2 * RTE_ETHER_ADDR_LEN], secure_user_data,
+		       MCS_MULTI_FLOW_TD_SECURE_DATA_SZ);
+		iter[i].sa_key.len = MCS_MULTI_FLOW_TD_KEY_SZ;
+		iter[i].plain_pkt.len = MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ +
+					(2 * RTE_ETHER_ADDR_LEN);
+		iter[i].secure_pkt.len = MCS_MULTI_FLOW_TD_SECURE_DATA_SZ +
+					(2 * RTE_ETHER_ADDR_LEN);
+		iter[i].alg = RTE_SECURITY_MACSEC_ALG_GCM_128;
+		iter[i].ssci = 0x0;
+		iter[i].xpn = 0x0;
+		tv[i] = (const struct mcs_test_vector *)&iter[i];
+	}
+	err = test_macsec(tv, MCS_ENCAP_DECAP, &opts);
+	if (err) {
+		printf("\nCipher Auth Encryption multi flow failed");
+		err = -1;
+	} else {
+		printf("\nCipher Auth Encryption multi flow Passed");
+		err = 0;
+	}
+	return err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1219,6 +1264,10 @@ inline_macsec_testsuite_teardown(void)
 static struct unit_test_suite inline_macsec_testsuite  = {
 	.suite_name = "Inline MACsec Ethernet Device Unit Test Suite",
 	.unit_test_cases = {
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap + decap Multi flow",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_multi_flow),
 		TEST_CASE_NAMED_ST(
 			"MACsec encap(Cipher+Auth) known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index f6c668c281..8d9c2cae77 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -8,7 +8,6 @@
 #define MCS_MAX_KEY_LEN				32
 #define MCS_IV_LEN				12
 #define MCS_SALT_LEN				12
-#define MCS_MAX_FLOWS				63
 
 enum mcs_op {
 	MCS_NO_OP,
@@ -2078,4 +2077,113 @@ static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
 },
 };
 
+#define MCS_MULTI_FLOW_TD_KEY_SZ		16
+#define MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ		42
+#define MCS_MULTI_FLOW_TD_SECURE_DATA_SZ	66
+#define MCS_MULTI_FLOW_TD_KEY_SZ		16
+#define MCS_MAX_FLOWS				63
+
+uint8_t sa_key[MCS_MULTI_FLOW_TD_KEY_SZ] = {
+		0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+		0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+};
+
+uint8_t eth_addrs[MCS_MAX_FLOWS][2 * RTE_ETHER_ADDR_LEN] = {
+		{0xE2, 0x00, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x02, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x03, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x04, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x05, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x06, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x07, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x08, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x09, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x10, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x11, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x12, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x13, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x14, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x15, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x16, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x17, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x18, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x19, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x20, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x21, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x22, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x23, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x24, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x25, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x26, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x27, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x28, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x29, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x30, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x31, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x32, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x33, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x34, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x35, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x36, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x37, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x38, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x39, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+};
+
+uint8_t plain_user_data[MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ] = {
+		/* User Data with Ethertype */
+		0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+		0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+		0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+		0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+		0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+		0x00, 0x04,
+};
+
+uint8_t secure_user_data[MCS_MULTI_FLOW_TD_SECURE_DATA_SZ] = {
+		/* MACsec EtherType */
+		0x88, 0xE5,
+		/* TCI and AN */
+		0x4C,
+		/* SL */
+		0x2A,
+		/* PN */
+		0x76, 0xD4, 0x57, 0xED,
+		/* Secure Data */
+		0x13, 0xB4, 0xC7, 0x2B, 0x38, 0x9D, 0xC5, 0x01,
+		0x8E, 0x72, 0xA1, 0x71, 0xDD, 0x85, 0xA5, 0xD3,
+		0x75, 0x22, 0x74, 0xD3, 0xA0, 0x19, 0xFB, 0xCA,
+		0xED, 0x09, 0xA4, 0x25, 0xCD, 0x9B, 0x2E, 0x1C,
+		0x9B, 0x72, 0xEE, 0xE7, 0xC9, 0xDE, 0x7D, 0x52,
+		0xB3, 0xF3,
+		/* ICV */
+		0xD6, 0xA5, 0x28, 0x4F, 0x4A, 0x6D, 0x3F, 0xE2,
+		0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
+};
+
+
 #endif
-- 
2.25.1

[PATCH 06/13] test/security: add MACsec VLAN cases

[Akhil Goyal]

Added cases to verify MACsec processing with VLAN
tags inserted. Vectors are added to verify 1/2/3
VLAN tags in clear or encrypted data.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  67 ++++++
 .../test_security_inline_macsec_vectors.h     | 217 ++++++++++++++++++
 2 files changed, 284 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index c32f747961..353b07477e 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1119,6 +1119,69 @@ test_inline_macsec_multi_flow(const void *data __rte_unused)
 	return err;
 }
 
+static int
+test_inline_macsec_with_vlan(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_vlan_vectors) / sizeof((list_mcs_vlan_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_vlan_vectors[i];
+		if (i == 0) {
+			opts.sectag_insert_mode = 1;
+		} else if (i == 1) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 1;
+		} else if (i == 2) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 2;
+		}
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("\n VLAN Encap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\n VLAN Encap case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_vlan_vectors[i];
+		if (i == 0) {
+			opts.sectag_insert_mode = 1;
+		} else if (i == 1) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 1;
+		} else if (i == 2) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 2;
+		}
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\n VLAN Decap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\n VLAN Decap case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, (2 * size) + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1292,6 +1355,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec auth + verify known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_auth_verify_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap and decap with VLAN",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_with_vlan),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 8d9c2cae77..4bcb82783c 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -2185,5 +2185,222 @@ uint8_t secure_user_data[MCS_MULTI_FLOW_TD_SECURE_DATA_SZ] = {
 		0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
 };
 
+static const struct mcs_test_vector list_mcs_vlan_vectors[] = {
+/* No clear tag, VLAN after macsec header */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data with VLAN Tag */
+			0x81, 0x00, 0x00, 0x02, 0x08, 0x00, 0x45, 0x00,
+			0x00, 0x54, 0xF2, 0xFA, 0x40, 0x00, 0x40, 0x01,
+			0xF7, 0x83, 0x14, 0x14, 0x14, 0x02, 0x14, 0x14,
+			0x14, 0x01, 0x08, 0x00, 0xE9, 0xC5, 0x02, 0xAF,
+			0x00, 0x01, 0xCB, 0x51, 0x6D, 0x38, 0x00, 0x00,
+			0x00, 0x00, 0x13, 0x2D, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+			0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
+			0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D,
+			0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+			0x36, 0x37,
+		},
+		.len = 102,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x06,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x81, 0x00, 0x00, 0x02, 0x08, 0x00, 0x45, 0x00,
+			0x00, 0x54, 0xF2, 0xFA, 0x40, 0x00, 0x40, 0x01,
+			0xF7, 0x83, 0x14, 0x14, 0x14, 0x02, 0x14, 0x14,
+			0x14, 0x01, 0x08, 0x00, 0xE9, 0xC5, 0x02, 0xAF,
+			0x00, 0x01, 0xCB, 0x51, 0x6D, 0x38, 0x00, 0x00,
+			0x00, 0x00, 0x13, 0x2D, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+			0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
+			0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D,
+			0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+			0x36, 0x37,
+			/* ICV */
+			0x21, 0x68, 0xF1, 0x21, 0x19, 0xB7, 0xDF, 0x73,
+			0x6F, 0x2A, 0x11, 0xEA, 0x8A, 0xBC, 0x8A, 0x79,
+		},
+		.len = 134,
+	},
+},
+/* 1 vlan tag followed by MACsec */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data */
+			0x81, 0x00, 0x00, 0x02,
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x88, 0x71,
+			0x40, 0x00, 0x40, 0x01, 0x62, 0x0D, 0x14, 0x14,
+			0x14, 0x02, 0x14, 0x14, 0x14, 0x01, 0x08, 0x00,
+			0x77, 0xA6, 0x02, 0xB3, 0x00, 0x01, 0xBE, 0x52,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x47,
+			0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		},
+		.len = 102,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* VLAN Tag before MACsec */
+			0x81, 0x00, 0x00, 0x02,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x07,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x88, 0x71,
+			0x40, 0x00, 0x40, 0x01, 0x62, 0x0D, 0x14, 0x14,
+			0x14, 0x02, 0x14, 0x14, 0x14, 0x01, 0x08, 0x00,
+			0x77, 0xA6, 0x02, 0xB3, 0x00, 0x01, 0xBE, 0x52,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x47,
+			0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+			/* ICV */
+			0xF1, 0xC0, 0xA2, 0x6E, 0x99, 0xE5, 0xAB, 0x97,
+			0x78, 0x79, 0x7D, 0x13, 0x35, 0x5E, 0x39, 0x4F,
+		},
+		.len = 134,
+	},
+},
+/* 2 vlan tag followed by MACsec */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data */
+			0x88, 0xA8, 0x00, 0x04, 0x81, 0x00, 0x00, 0x02,
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x70, 0x5B,
+			0x40, 0x00, 0x40, 0x01, 0x29, 0xF9, 0x28, 0x28,
+			0x28, 0x04, 0x28, 0x28, 0x28, 0x01, 0x08, 0x00,
+			0x08, 0x02, 0x02, 0xE2, 0x00, 0x01, 0x60, 0x58,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x5C, 0xB7,
+			0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		},
+		.len = 106,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* VLAN Tags before MACsec */
+			0x88, 0xA8, 0x00, 0x04,
+			0x81, 0x00, 0x00, 0x02,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x0E,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x70, 0x5B,
+			0x40, 0x00, 0x40, 0x01, 0x29, 0xF9, 0x28, 0x28,
+			0x28, 0x04, 0x28, 0x28, 0x28, 0x01, 0x08, 0x00,
+			0x08, 0x02, 0x02, 0xE2, 0x00, 0x01, 0x60, 0x58,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x5C, 0xB7,
+			0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+			/* ICV */
+			0xCC, 0x38, 0x21, 0x3A, 0xEE, 0x5F, 0xE3, 0x7F,
+			0xA1, 0xBA, 0xBD, 0xBD, 0x65, 0x5B, 0xB3, 0xE5,
+		},
+		.len = 138,
+	},
+},
+};
+
+
 
 #endif
-- 
2.25.1

[PATCH 07/13] test/security: add MACsec negative cases

[Akhil Goyal]

Added MACsec negative test cases to verify
pkt drop, untagged rx, bad tag rx, sa not in use,
out packets untagged, pkts too long.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 346 +++++++++++++
 .../test_security_inline_macsec_vectors.h     | 475 ++++++++++++++++++
 2 files changed, 821 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 353b07477e..9c4546fa38 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -660,6 +660,103 @@ mcs_stats_dump(struct rte_security_ctx *ctx, enum mcs_op op,
 	}
 }
 
+static int
+mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
+		const struct mcs_test_opts *opts,
+		const struct mcs_test_vector *td,
+		void *rx_sess, void *tx_sess,
+		uint8_t rx_sc_id, uint8_t tx_sc_id,
+		uint16_t rx_sa_id[], uint16_t tx_sa_id[])
+{
+	struct rte_security_stats sess_stats = {0};
+	struct rte_security_macsec_secy_stats *secy_stat;
+	struct rte_security_macsec_sc_stats sc_stat = {0};
+	struct rte_security_macsec_sa_stats sa_stat = {0};
+	int i;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+		rte_security_session_stats_get(ctx, rx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if ((opts->check_untagged_rx && secy_stat->pkt_notag_cnt != 1) ||
+				(opts->check_untagged_rx && secy_stat->pkt_untaged_cnt != 1))
+			return TEST_FAILED;
+
+		if (opts->check_bad_tag_cnt && secy_stat->pkt_badtag_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_sa_not_in_use && secy_stat->pkt_nosaerror_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_decap_stats && secy_stat->octet_decrypted_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		if (opts->check_verify_only_stats && secy_stat->octet_validated_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		rte_security_macsec_sc_stats_get(ctx, rx_sc_id,
+				RTE_SECURITY_MACSEC_DIR_RX, &sc_stat);
+
+		if ((opts->check_decap_stats || opts->check_verify_only_stats) &&
+				sc_stat.pkt_ok_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_pkts_invalid_stats && sc_stat.pkt_notvalid_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_pkts_unchecked_stats && sc_stat.pkt_unchecked_cnt != 1)
+			return TEST_FAILED;
+
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
+					RTE_SECURITY_MACSEC_DIR_RX, &sa_stat);
+
+		}
+	}
+
+	if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+		memset(&sess_stats, 0, sizeof(struct rte_security_stats));
+		rte_security_session_stats_get(ctx, tx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if (opts->check_out_pkts_untagged && secy_stat->pkt_untagged_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_out_pkts_toolong && secy_stat->pkt_toolong_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_encap_stats && secy_stat->octet_encrypted_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		if (opts->check_auth_only_stats && secy_stat->octet_protected_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+
+		memset(&sc_stat, 0, sizeof(struct rte_security_macsec_sc_stats));
+		rte_security_macsec_sc_stats_get(ctx, tx_sc_id, RTE_SECURITY_MACSEC_DIR_TX,
+						 &sc_stat);
+
+		if (opts->check_encap_stats && sc_stat.pkt_encrypt_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_auth_only_stats && sc_stat.pkt_protected_cnt != 1)
+			return TEST_FAILED;
+
+		memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+		rte_security_macsec_sa_stats_get(ctx, tx_sa_id[0],
+				RTE_SECURITY_MACSEC_DIR_TX, &sa_stat);
+	}
+
+	return 0;
+}
+
 static int
 test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
 {
@@ -833,12 +930,23 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		rx_pkts_burst[i] = NULL;
 	}
 out:
+	if (opts->check_out_pkts_toolong == 1 ||
+			opts->check_sa_not_in_use == 1 ||
+			opts->check_bad_tag_cnt == 1)
+		ret = TEST_SUCCESS;
+
 	for (i = 0; i < opts->nb_td; i++) {
 		if (opts->dump_all_stats) {
 			mcs_stats_dump(ctx, op,
 					rx_sess[i], tx_sess[i],
 					rx_sc_id[i], tx_sc_id[i],
 					rx_sa_id[i], tx_sa_id[i]);
+		} else {
+			if (ret == TEST_SUCCESS)
+				ret = mcs_stats_check(ctx, op, opts, td[i],
+					rx_sess[i], tx_sess[i],
+					rx_sc_id[i], tx_sc_id[i],
+					rx_sa_id[i], tx_sa_id[i]);
 		}
 	}
 
@@ -1182,6 +1290,220 @@ test_inline_macsec_with_vlan(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_pkt_drop(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_err_cipher_vectors) / sizeof((list_mcs_err_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_err_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nPacket drop case %d passed", cur_td->test_idx);
+			err = 0;
+		} else {
+			printf("\nPacket drop case %d failed", cur_td->test_idx);
+			err = -1;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_untagged_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_untagged_rx = 1;
+
+	size = (sizeof(list_mcs_untagged_cipher_vectors) /
+		sizeof((list_mcs_untagged_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_untagged_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD;
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_untagged_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_bad_tag_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_bad_tag_cnt = 1;
+
+	size = (sizeof(list_mcs_bad_tag_vectors) / sizeof((list_mcs_bad_tag_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_bad_tag_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_sa_not_in_use(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 0;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_sa_not_in_use = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_out_pkts_untagged(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = false;
+	opts.protect_frames = false;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_out_pkts_untagged = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_out_pkts_toolong(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = 50;
+	opts.check_out_pkts_toolong = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1359,6 +1681,30 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec Encap and decap with VLAN",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_with_vlan),
+		TEST_CASE_NAMED_ST(
+			"MACsec packet drop",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkt_drop),
+		TEST_CASE_NAMED_ST(
+			"MACsec untagged Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_untagged_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec bad tag Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_bad_tag_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec SA not in use",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_sa_not_in_use),
+		TEST_CASE_NAMED_ST(
+			"MACsec out pkts untagged",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_out_pkts_untagged),
+		TEST_CASE_NAMED_ST(
+			"MACsec out pkts too long",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_out_pkts_toolong),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 4bcb82783c..2b200c1d89 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -2077,6 +2077,481 @@ static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_err_cipher_vectors[] = {
+/* gcm_128_64B_cipher */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x38, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	}
+}
+};
+
+static const struct mcs_test_vector list_mcs_untagged_cipher_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* Wrong MACsec EtherType */
+			0x88, 0xD7,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
+
+static const struct mcs_test_vector list_mcs_bad_tag_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{V = 1} and AN */
+			0xAC,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{E,C = 2'b01} and AN */
+			0x24,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{ES = 1 && SC = 1} and AN */
+			0x6C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{SCB = 1 && SC = 1} and AN */
+			0x3C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN = 0 */
+			0x0, 0x0, 0x0, 0x0,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x80,
+			/* PN = 0 */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
+
 #define MCS_MULTI_FLOW_TD_KEY_SZ		16
 #define MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ		42
 #define MCS_MULTI_FLOW_TD_SECURE_DATA_SZ	66
-- 
2.25.1

[PATCH 08/13] test/security: verify MACsec stats

[Akhil Goyal]

Added cases to verify various stats of MACsec.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c | 222 +++++++++++++++++++++++++
 1 file changed, 222 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 9c4546fa38..a6d23f2769 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1438,6 +1438,140 @@ test_inline_macsec_sa_not_in_use(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_decap_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_decap_stats = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nDecap stats case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nDecap stats case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_verify_only_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_verify_only_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err) {
+			printf("\nVerify only stats case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nVerify only stats case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_pkts_invalid_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_err_cipher_vectors) / sizeof((list_mcs_err_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_err_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_pkts_unchecked_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_DISABLE;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_pkts_unchecked_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 test_inline_macsec_out_pkts_untagged(const void *data __rte_unused)
 {
@@ -1504,6 +1638,70 @@ test_inline_macsec_out_pkts_toolong(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_encap_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_encap_stats = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_auth_only_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_auth_only_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_ONLY, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1697,6 +1895,22 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec SA not in use",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_sa_not_in_use),
+		TEST_CASE_NAMED_ST(
+			"MACsec decap stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_decap_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec verify only stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_verify_only_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec pkts invalid stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkts_invalid_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec pkts unchecked stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkts_unchecked_stats),
 		TEST_CASE_NAMED_ST(
 			"MACsec out pkts untagged",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
@@ -1705,6 +1919,14 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec out pkts too long",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_out_pkts_toolong),
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth only stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_only_stats),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
-- 
2.25.1

[PATCH 09/13] test/security: verify MACsec interrupts

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables the test_inline_macsec_interrupts_all
test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 124 +++++++
 .../test_security_inline_macsec_vectors.h     | 306 +++++++++++++++++-
 2 files changed, 429 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index a6d23f2769..4cb184b62c 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -757,6 +757,71 @@ mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
 	return 0;
 }
 
+static int
+test_macsec_event_callback(uint16_t port_id, enum rte_eth_event_type type,
+			   void *param, void *ret_param)
+{
+	struct mcs_err_vector *vector = (struct mcs_err_vector *)param;
+	struct rte_eth_event_macsec_desc *event_desc = NULL;
+
+	RTE_SET_USED(port_id);
+
+	if (type != RTE_ETH_EVENT_MACSEC)
+		return -1;
+
+	event_desc = ret_param;
+	if (event_desc == NULL) {
+		printf("Event descriptor not set\n");
+		return -1;
+	}
+	vector->notify_event = true;
+
+	switch (event_desc->type) {
+	case RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR:
+		vector->event = RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR;
+		switch (event_desc->subtype) {
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		default:
+			printf("\nUnknown Macsec event subtype: %d", event_desc->subtype);
+		}
+		break;
+	case RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_SA_NOT_VALID:
+		vector->event = RTE_ETH_EVENT_MACSEC_SA_NOT_VALID;
+		break;
+	default:
+		printf("Invalid MACsec event reported\n");
+		return -1;
+	}
+
+	return 0;
+}
+
 static int
 test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
 {
@@ -914,6 +979,8 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		while (--nb_rx >= 0)
 			rte_pktmbuf_free(rx_pkts_burst[nb_rx]);
 		ret = TEST_FAILED;
+		if (opts->check_sectag_interrupts == 1)
+			ret = TEST_SUCCESS;
 		goto out;
 	}
 
@@ -1702,6 +1769,59 @@ test_inline_macsec_auth_only_stats(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_interrupts_all(const void *data __rte_unused)
+{
+	struct mcs_err_vector err_vector = {0};
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int i, size;
+	int err, all_err = 0;
+	enum rte_eth_event_macsec_subtype subtype[] =  {
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1,
+	};
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_sectag_interrupts = 1;
+
+	err_vector.event = RTE_ETH_EVENT_MACSEC_UNKNOWN;
+	err_vector.event_subtype = RTE_ETH_SUBEVENT_MACSEC_UNKNOWN;
+	rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_MACSEC,
+			test_macsec_event_callback, &err_vector);
+
+	size = (sizeof(list_mcs_intr_test_vectors) / sizeof((list_mcs_intr_test_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_intr_test_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if ((err_vector.event == RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR) &&
+		    (err_vector.event_subtype == subtype[i])) {
+			printf("\nSectag val err interrupt test case %d passed",
+			       cur_td->test_idx);
+			err = 0;
+		} else {
+			printf("\nSectag val err interrupt test case %d failed",
+			       cur_td->test_idx);
+			err = -1;
+		}
+		all_err += err;
+	}
+	rte_eth_dev_callback_unregister(port_id, RTE_ETH_EVENT_MACSEC,
+			test_macsec_event_callback, &err_vector);
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1927,6 +2047,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec auth only stats",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_auth_only_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec interrupts all",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_interrupts_all),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 2b200c1d89..d861004e8e 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -39,6 +39,13 @@ struct mcs_test_vector {
 	} secure_pkt;
 };
 
+struct mcs_err_vector {
+	const struct mcs_test_vector *td;
+	enum rte_eth_event_macsec_type event;
+	enum rte_eth_event_macsec_subtype event_subtype;
+	bool notify_event;
+};
+
 static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
 /* gcm_128_64B_cipher */
 {
@@ -2876,6 +2883,303 @@ static const struct mcs_test_vector list_mcs_vlan_vectors[] = {
 },
 };
 
-
+static const struct mcs_test_vector list_mcs_intr_test_vectors[] = {
+/* gcm_128_64B_cipher */
+/* SECTAG_V_EQ1 */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0xAC,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_E_EQ0_C_EQ1 */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x24,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_SL_GTE48 */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x31,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_ES_EQ1_SC_EQ1 */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x6C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_SC_EQ1_SCB_EQ1 */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x3C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
 
 #endif
-- 
2.25.1

[PATCH 10/13] test/security: verify MACsec Tx HW rekey

[Akhil Goyal]

This patch enables the Tx HW rekey test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 137 +++++++++-
 .../test_security_inline_macsec_vectors.h     | 243 ++++++++++++++++++
 2 files changed, 378 insertions(+), 2 deletions(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 4cb184b62c..a4c64429b3 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -207,6 +207,8 @@ fill_macsec_sc_conf(const struct mcs_test_vector *td,
 	uint8_t i;
 
 	sc_conf->dir = dir;
+	sc_conf->pn_threshold = ((uint64_t)td->xpn << 32) |
+		rte_be_to_cpu_32(*(const uint32_t *)(&td->secure_pkt.data[tci_off + 2]));
 	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
 		sc_conf->sc_tx.sa_id = sa_id[0];
 		if (sa_id[1] != MCS_INVALID_SA) {
@@ -232,12 +234,16 @@ fill_macsec_sc_conf(const struct mcs_test_vector *td,
 			/* use some default SCI */
 			sc_conf->sc_tx.sci = 0xf1341e023a2b1c5d;
 		}
+		if (td->xpn > 0)
+			sc_conf->sc_tx.is_xpn = 1;
 	} else {
 		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
 			sc_conf->sc_rx.sa_id[i] = sa_id[i];
 			sc_conf->sc_rx.sa_in_use[i] = opts->sa_in_use;
 		}
 		sc_conf->sc_rx.active = 1;
+		if (td->xpn > 0)
+			sc_conf->sc_rx.is_xpn = 1;
 	}
 }
 
@@ -834,6 +840,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 	struct rte_security_session_conf sess_conf = {0};
 	struct rte_security_macsec_sa sa_conf = {0};
 	struct rte_security_macsec_sc sc_conf = {0};
+	struct mcs_err_vector err_vector = {0};
 	struct rte_security_ctx *ctx;
 	int nb_rx = 0, nb_sent;
 	int i, j = 0, ret, id, an = 0;
@@ -868,6 +875,34 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 		j++;
 
+		if (opts->rekey_en) {
+
+			err_vector.td = td[i];
+			err_vector.rekey_td = opts->rekey_td;
+			err_vector.event = RTE_ETH_EVENT_MACSEC_UNKNOWN;
+			err_vector.event_subtype = RTE_ETH_SUBEVENT_MACSEC_UNKNOWN;
+			rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_MACSEC,
+					test_macsec_event_callback, &err_vector);
+			if (op == MCS_DECAP || op == MCS_VERIFY_ONLY)
+				tx_pkts_burst[j] = init_packet(mbufpool,
+						opts->rekey_td->secure_pkt.data,
+						opts->rekey_td->secure_pkt.len);
+			else {
+				tx_pkts_burst[j] = init_packet(mbufpool,
+						opts->rekey_td->plain_pkt.data,
+						opts->rekey_td->plain_pkt.len);
+
+				tx_pkts_burst[j]->ol_flags |= RTE_MBUF_F_TX_MACSEC;
+			}
+			if (tx_pkts_burst[j] == NULL) {
+				while (j--)
+					rte_pktmbuf_free(tx_pkts_burst[j]);
+				ret = TEST_FAILED;
+				goto out;
+			}
+			j++;
+		}
+
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
 			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
@@ -922,6 +957,20 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 			}
 			tx_sa_id[i][0] = (uint16_t)id;
 			tx_sa_id[i][1] = MCS_INVALID_SA;
+			if (opts->rekey_en) {
+				memset(&sa_conf, 0, sizeof(struct rte_security_macsec_sa));
+				fill_macsec_sa_conf(opts->rekey_td, &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					opts->rekey_td->secure_pkt.data[tci_off] &
+						RTE_MACSEC_AN_MASK,
+					tci_off);
+				id = rte_security_macsec_sa_create(ctx, &sa_conf);
+				if (id < 0) {
+					printf("MACsec rekey SA create failed : %d.\n", id);
+					goto out;
+				}
+				tx_sa_id[i][1] = (uint16_t)id;
+			}
 			fill_macsec_sc_conf(td[i], &sc_conf, opts,
 					RTE_SECURITY_MACSEC_DIR_TX, tx_sa_id[i], tci_off);
 			id = rte_security_macsec_sc_create(ctx, &sc_conf);
@@ -984,9 +1033,44 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		goto out;
 	}
 
+	if (opts->rekey_en) {
+		switch (err_vector.event) {
+		case RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP:
+			printf("Received RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP event\n");
+			/* The first sa is active now, so the 0th sa can be
+			 * reconfigured. Using the same key as zeroeth sa, but
+			 * other key can also be configured.
+			 */
+			rte_security_macsec_sa_destroy(ctx, tx_sa_id[0][0],
+					RTE_SECURITY_MACSEC_DIR_TX);
+			fill_macsec_sa_conf(td[0], &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					td[0]->secure_pkt.data[tci_off] &
+					RTE_MACSEC_AN_MASK, tci_off);
+			id = rte_security_macsec_sa_create(ctx, &sa_conf);
+			if (id < 0) {
+				printf("MACsec SA create failed : %d.\n", id);
+				return TEST_FAILED;
+			}
+			tx_sa_id[0][0] = (uint16_t)id;
+			break;
+		default:
+			printf("Received unsupported event\n");
+		}
+	}
+
 	for (i = 0; i < nb_rx; i++) {
-		ret = test_macsec_post_process(rx_pkts_burst[i], td[i], op,
-				opts->check_out_pkts_untagged);
+		if (opts->rekey_en && i == 1) {
+			/* The second received packet is matched with
+			 * rekey td
+			 */
+			ret = test_macsec_post_process(rx_pkts_burst[i],
+					opts->rekey_td, op,
+					opts->check_out_pkts_untagged);
+		} else {
+			ret = test_macsec_post_process(rx_pkts_burst[i], td[i],
+					op, opts->check_out_pkts_untagged);
+		}
 		if (ret != TEST_SUCCESS) {
 			for ( ; i < nb_rx; i++)
 				rte_pktmbuf_free(rx_pkts_burst[i]);
@@ -1019,6 +1103,10 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 
 	destroy_default_flow(port_id);
 
+	if (opts->rekey_en)
+		rte_eth_dev_callback_unregister(port_id, RTE_ETH_EVENT_MACSEC,
+					test_macsec_event_callback, &err_vector);
+
 	/* Destroy session so that other cases can create the session again */
 	for (i = 0; i < opts->nb_td; i++) {
 		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
@@ -1029,6 +1117,10 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 						RTE_SECURITY_MACSEC_DIR_TX);
 			rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][0],
 						RTE_SECURITY_MACSEC_DIR_TX);
+			if (opts->rekey_en) {
+				rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][1],
+						RTE_SECURITY_MACSEC_DIR_TX);
+			}
 		}
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
@@ -1822,6 +1914,43 @@ test_inline_macsec_interrupts_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_rekey_tx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.encrypt = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.rekey_en = 1;
+
+	size = (sizeof(list_mcs_rekey_vectors) / sizeof((list_mcs_rekey_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_rekey_vectors[i];
+		opts.rekey_td = &list_mcs_rekey_vectors[++i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("Tx hw rekey test case %d failed\n", i);
+			err = -1;
+		} else {
+			printf("Tx hw rekey test case %d passed\n", i);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2051,6 +2180,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec interrupts all",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_interrupts_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec re-key Tx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_rekey_tx),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index d861004e8e..80425b0b71 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -41,6 +41,7 @@ struct mcs_test_vector {
 
 struct mcs_err_vector {
 	const struct mcs_test_vector *td;
+	const struct mcs_test_vector *rekey_td;
 	enum rte_eth_event_macsec_type event;
 	enum rte_eth_event_macsec_subtype event_subtype;
 	bool notify_event;
@@ -3182,4 +3183,246 @@ static const struct mcs_test_vector list_mcs_intr_test_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_rekey_vectors[] = {
+/* Initial SA, AN = 0 and PN = 2 */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* Rekeyed SA. sa_key is different from the initial sa.
+ * Also, AN = 1 and PN = 1.
+ */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x01,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x17, 0x66, 0xEF, 0xD9, 0x06, 0xDC, 0x15, 0xAF,
+			0xE9, 0x06, 0xB1, 0xE6, 0x26, 0x22, 0xC8, 0x78,
+			0x27, 0xE1, 0xED, 0x76, 0xF5, 0xC8, 0x16, 0xA1,
+			0x6B, 0x0D, 0xA0, 0x8E, 0x24, 0x2A, 0x9D, 0x34,
+			0xD0, 0xE0, 0x5F, 0xBA, 0x08, 0xF0, 0xE3, 0x7D,
+			0x17, 0xC0, 0x2C, 0xCD, 0x8A, 0x44, 0xC9, 0xB9,
+			0x28, 0xC0, 0xE8, 0x22,
+			/* ICV */
+			0x1B, 0x16, 0x68, 0x5F, 0x14, 0x8A, 0x51, 0x29,
+			0xB5, 0x3D, 0x61, 0x0E, 0x49, 0x20, 0x60, 0x09,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x9C, 0xA4, 0x69, 0x84, 0x43, 0x02, 0x03, 0xED,
+			0x41, 0x6E, 0xBD, 0xC2, 0xFE, 0x26, 0x22, 0xBA,
+			0x3E, 0x5E, 0xAB, 0x69, 0x61, 0xC3, 0x63, 0x83,
+			0x00, 0x9E, 0x18, 0x7E, 0x9B, 0x0C, 0x88, 0x56,
+			0x46, 0x53, 0xB9, 0xAB, 0xD2, 0x16, 0x44, 0x1C,
+			0x6A, 0xB6,
+			/* ICV */
+			0xF0, 0xA2, 0x32, 0xE9, 0xE4, 0x4C, 0x97, 0x8C,
+			0xF7, 0xCD, 0x84, 0xD4, 0x34, 0x84, 0xD1, 0x01,
+		},
+		.len = 78,
+	},
+},
+/* Rekeyed SA. sa_key is different from the initial sa.
+ * Also, AN = 1, XPN = 0 and PN = 1.
+ */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x0, 0x0, 0x0, 0x1,
+			/* Secure Data */
+			0x91, 0x00, 0xC0, 0xE4, 0xB9, 0x4E, 0x2C, 0x1C,
+			0x86, 0xDF, 0xE1, 0x8F, 0xDD, 0xB6, 0xE6, 0x79,
+			0x65, 0x87, 0x80, 0xE7, 0x9C, 0x5D, 0x8A, 0xB7,
+			0x68, 0xFD, 0xE1, 0x6E, 0x3F, 0xF1, 0xDE, 0x20,
+			0x4A, 0xF6, 0xBA, 0xE6, 0x14, 0xDB, 0x6A, 0x05,
+			0xE9, 0xB6,
+			/* ICV */
+			0x2D, 0xDF, 0x59, 0x27, 0x25, 0x41, 0x68, 0x1D,
+			0x74, 0x1A, 0xAA, 0xC4, 0x18, 0x49, 0xB4, 0x22,
+		},
+		.len = 78,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH 11/13] test/security: verify MACsec Rx rekey

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables the Rx rekey test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
 app/test/test_security_inline_macsec.c | 50 +++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index a4c64429b3..6f9cec333d 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -906,8 +906,14 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
 			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
+				if (opts->rekey_en && an ==
+						(opts->rekey_td->secure_pkt.data[tci_off] &
+						RTE_MACSEC_AN_MASK))
+					fill_macsec_sa_conf(opts->rekey_td, &sa_conf,
+						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
+				else
 				/* For simplicity, using same SA conf for all AN */
-				fill_macsec_sa_conf(td[i], &sa_conf,
+					fill_macsec_sa_conf(td[i], &sa_conf,
 						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
 				id = rte_security_macsec_sa_create(ctx, &sa_conf);
 				if (id < 0) {
@@ -1054,6 +1060,9 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 			}
 			tx_sa_id[0][0] = (uint16_t)id;
 			break;
+		case RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP:
+			printf("Received RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP event\n");
+			break;
 		default:
 			printf("Received unsupported event\n");
 		}
@@ -1951,6 +1960,41 @@ test_inline_macsec_rekey_tx(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_rekey_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.rekey_en = 1;
+
+	size = (sizeof(list_mcs_rekey_vectors) / sizeof((list_mcs_rekey_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_rekey_vectors[i];
+		opts.rekey_td = &list_mcs_rekey_vectors[++i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("Rx rekey test case %d failed\n", i);
+			err = -1;
+		} else {
+			printf("Rx rekey test case %d passed\n", i);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2184,6 +2228,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec re-key Tx",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_rekey_tx),
+		TEST_CASE_NAMED_ST(
+			"MACsec re-key Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_rekey_rx),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
-- 
2.25.1

[PATCH 12/13] test/security: verify MACsec anti replay

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables anti replay test case for MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  82 +++
 .../test_security_inline_macsec_vectors.h     | 467 ++++++++++++++++++
 2 files changed, 549 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 6f9cec333d..de67744f78 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -61,6 +61,7 @@ struct mcs_test_opts {
 	uint8_t replay_protect;
 	uint8_t rekey_en;
 	const struct mcs_test_vector *rekey_td;
+	const struct mcs_test_vector *ar_td[3];
 	bool dump_all_stats;
 	uint8_t check_untagged_rx;
 	uint8_t check_bad_tag_cnt;
@@ -716,6 +717,15 @@ mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
 		if (opts->check_pkts_unchecked_stats && sc_stat.pkt_unchecked_cnt != 1)
 			return TEST_FAILED;
 
+		if (opts->replay_protect) {
+			if (opts->replay_win_sz == 0 &&
+					sc_stat.pkt_late_cnt != 2)
+				return TEST_FAILED;
+			else if (opts->replay_win_sz == 32 &&
+					sc_stat.pkt_late_cnt != 1)
+				return TEST_FAILED;
+		}
+
 		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
 			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
 			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
@@ -845,6 +855,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 	int nb_rx = 0, nb_sent;
 	int i, j = 0, ret, id, an = 0;
 	uint8_t tci_off;
+	int k;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * opts->nb_td);
 
@@ -875,6 +886,20 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 		j++;
 
+		if (opts->replay_protect) {
+			for (k = 0; k < 3; k++, j++) {
+				tx_pkts_burst[j] = init_packet(mbufpool,
+					opts->ar_td[k]->secure_pkt.data,
+					opts->ar_td[k]->secure_pkt.len);
+				if (tx_pkts_burst[j] == NULL) {
+					while (j--)
+						rte_pktmbuf_free(tx_pkts_burst[j]);
+					ret = TEST_FAILED;
+					goto out;
+				}
+			}
+		}
+
 		if (opts->rekey_en) {
 
 			err_vector.td = td[i];
@@ -1068,6 +1093,15 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 	}
 
+	if (opts->replay_protect) {
+		for (i = 0; i < nb_rx; i++) {
+			rte_pktmbuf_free(rx_pkts_burst[i]);
+			rx_pkts_burst[i] = NULL;
+		}
+		ret = TEST_SUCCESS;
+		goto out;
+	}
+
 	for (i = 0; i < nb_rx; i++) {
 		if (opts->rekey_en && i == 1) {
 			/* The second received packet is matched with
@@ -1995,6 +2029,50 @@ test_inline_macsec_rekey_rx(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_anti_replay(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	uint16_t replay_win_sz[2] = {32, 0};
+	int err, all_err = 0;
+	int i, size;
+	int j;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.replay_protect = 1;
+
+	size = (sizeof(list_mcs_anti_replay_vectors) / sizeof((list_mcs_anti_replay_vectors)[0]));
+
+	for (j = 0; j < 2; j++) {
+		opts.replay_win_sz = replay_win_sz[j];
+
+		for (i = 0; i < size; i++) {
+			cur_td = &list_mcs_anti_replay_vectors[i];
+			opts.ar_td[0] = &list_mcs_anti_replay_vectors[++i];
+			opts.ar_td[1] = &list_mcs_anti_replay_vectors[++i];
+			opts.ar_td[2] = &list_mcs_anti_replay_vectors[++i];
+			err = test_macsec(&cur_td, MCS_DECAP, &opts);
+			if (err) {
+				printf("Replay window: %u, Anti replay test case %d failed\n",
+				       opts.replay_win_sz, i);
+				err = -1;
+			} else {
+				printf("Replay window: %u, Anti replay test case %d passed\n",
+				       opts.replay_win_sz, i);
+				err = 0;
+			}
+			all_err += err;
+		}
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2232,6 +2310,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec re-key Rx",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_rekey_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec anti-replay",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_anti_replay),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 80425b0b71..ddaa8043e7 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -3425,4 +3425,471 @@ static const struct mcs_test_vector list_mcs_rekey_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_anti_replay_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x4B,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x51, 0xC9, 0xBB, 0xF3, 0x24, 0x38, 0xF9, 0x06,
+			0x76, 0x9E, 0x61, 0xCE, 0xB8, 0x65, 0xA7, 0xE4,
+			0x1F, 0x16, 0x5D, 0x59, 0xB8, 0x44, 0x0F, 0x94,
+			0x50, 0xF0, 0x4C, 0x35, 0x7D, 0x91, 0x53, 0xC6,
+			0x28, 0x4D, 0xA8, 0xAB, 0x13, 0x3B, 0xC0, 0x2D,
+			0x11, 0x8E, 0xCC, 0x75, 0xC9, 0xD8, 0x8F, 0x60,
+			0x67, 0xE1, 0x03, 0x2C,
+			/* ICV */
+			0xA5, 0xF1, 0x2C, 0x85, 0x10, 0xEE, 0x67, 0x7E,
+			0xDB, 0x4E, 0xF6, 0x0A, 0xA1, 0x0F, 0x15, 0x69,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x32,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x6F, 0xB6, 0xF8, 0x54, 0x67, 0x23, 0x3C, 0xE8,
+			0x67, 0x54, 0x8B, 0xAD, 0x31, 0xC3, 0x2B, 0xAA,
+			0x70, 0x1A, 0xC8, 0x0D, 0x3C, 0x31, 0x54, 0x0F,
+			0xDD, 0x8F, 0x23, 0x0F, 0x86, 0xF3, 0x80, 0x31,
+			0x8B, 0x30, 0xD9, 0x15, 0xF9, 0x3B, 0xD6, 0x00,
+			0x95, 0xBD, 0xF3, 0x7F, 0xD2, 0x41, 0x28, 0xFC,
+			0x52, 0x27, 0xB5, 0x88,
+			/* ICV */
+			0x64, 0x3C, 0x67, 0xD7, 0xB8, 0xC1, 0xAF, 0x15,
+			0x82, 0x5F, 0x06, 0x4F, 0x5A, 0xED, 0x47, 0xC1,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x3,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x16, 0x6E, 0x74, 0xE5, 0xF7, 0x49, 0xCC, 0x42,
+			0x06, 0x30, 0x99, 0x60, 0x10, 0xAA, 0xB3, 0xEC,
+			0x3C, 0xEF, 0x6C, 0x7D, 0x72, 0x93, 0x61, 0x28,
+			0x39, 0x8E, 0x6B, 0x5C, 0x6C, 0x9E, 0xCA, 0x86,
+			0x70, 0x5A, 0x95, 0x98, 0x0F, 0xB2, 0xC8, 0x05,
+			0xD6, 0xC9, 0xBA, 0x9A, 0xCF, 0x7B, 0x5F, 0xD0,
+			0xAE, 0x50, 0x66, 0x7D,
+			/* ICV */
+			0xC8, 0xF1, 0x4A, 0x10, 0x8A, 0xFF, 0x64, 0x6C,
+			0xC7, 0x18, 0xC2, 0x7A, 0x16, 0x1A, 0x0D, 0xCA,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xFF, 0xFF, 0xFF, 0xFE,
+			/* Secure Data */
+			0xA4, 0x80, 0xA4, 0x24, 0xD3, 0xCB, 0x3B, 0x05,
+			0xD5, 0x5B, 0x48, 0xE0, 0x23, 0xEA, 0x8C, 0x11,
+			0xE2, 0xB6, 0xE9, 0x69, 0x39, 0x40, 0xA6, 0xEA,
+			0xC9, 0xCD, 0xF9, 0xD8, 0x85, 0x8C, 0xD6, 0xFA,
+			0xB6, 0x9A, 0xE2, 0x37, 0xAA, 0x0C, 0x02, 0x2C,
+			0xB8, 0xC1,
+			/* ICV */
+			0xE3, 0x36, 0x34, 0x7A, 0x7C, 0x00, 0x71, 0x1F,
+			0xAC, 0x04, 0x48, 0x82, 0x64, 0xD2, 0xDF, 0x58,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x62,
+			/* Secure Data */
+			0x62, 0x62, 0x9E, 0x43, 0x59, 0x0C, 0xC6, 0x33,
+			0x26, 0x3C, 0xBF, 0x93, 0x5D, 0xE2, 0x8A, 0x7F,
+			0x96, 0xB4, 0xF7, 0x08, 0xEA, 0x9A, 0xA8, 0x88,
+			0xB4, 0xE8, 0xBE, 0x8D, 0x28, 0x84, 0xE0, 0x16,
+			0x08, 0x92, 0xB0, 0xAB, 0x76, 0x60, 0xEA, 0x05,
+			0x74, 0x79,
+			/* ICV */
+			0x8E, 0x5D, 0x81, 0xA6, 0x3F, 0xDF, 0x39, 0xB8,
+			0x19, 0x33, 0x73, 0x09, 0xCE, 0xC1, 0xAF, 0x85,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x58,
+			/* Secure Data */
+			0xC7, 0xDC, 0xF4, 0xC9, 0x8C, 0x59, 0x6E, 0x96,
+			0x3D, 0x4B, 0x89, 0xB3, 0xF3, 0x8D, 0x5D, 0x99,
+			0x4E, 0xDF, 0x48, 0x74, 0x02, 0x25, 0x93, 0xB4,
+			0x12, 0xFB, 0x0F, 0x28, 0xA5, 0x02, 0x78, 0xAC,
+			0x0B, 0x14, 0xF1, 0xAC, 0x1C, 0x0C, 0x80, 0x37,
+			0x6B, 0x44,
+			/* ICV */
+			0x47, 0x5A, 0xEE, 0x37, 0xFC, 0x6E, 0xDE, 0xB9,
+			0x14, 0x0E, 0xBD, 0x22, 0x05, 0x12, 0x00, 0x52,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x02,
+			/* Secure Data */
+			0xDD, 0x86, 0x37, 0x48, 0x11, 0xF3, 0xA8, 0x96,
+			0x25, 0x3A, 0xD9, 0xBE, 0x7C, 0x62, 0x72, 0xD6,
+			0x43, 0x70, 0xB6, 0x92, 0x04, 0x25, 0x46, 0xC1,
+			0x17, 0xBC, 0x14, 0xE1, 0x09, 0x4C, 0x04, 0x94,
+			0x51, 0x1F, 0x6E, 0x89, 0x32, 0x13, 0x4B, 0xAC,
+			0x2A, 0x60,
+			/* ICV */
+			0x96, 0xC0, 0xB4, 0xA4, 0xC7, 0xEC, 0xF5, 0xEF,
+			0x5E, 0x51, 0x22, 0x14, 0xF8, 0x70, 0xA0, 0x22,
+		},
+		.len = 78,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH 13/13] test/security: remove no MACsec support case

[Akhil Goyal]

Removed the test_capability_get_no_support_for_macsec case
as MACsec is now supported and capability can have valid
MACsec support.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security.c | 37 -------------------------------------
 1 file changed, 37 deletions(-)

diff --git a/app/test/test_security.c b/app/test/test_security.c
index e4ddcefe40..4783cd0663 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -1828,41 +1828,6 @@ test_capability_get_no_matching_protocol(void)
 	return TEST_SUCCESS;
 }
 
-/**
- * Test execution of rte_security_capability_get when macsec protocol
- * is searched and capabilities table contain proper entry.
- * However macsec records search is not supported in rte_security.
- */
-static int
-test_capability_get_no_support_for_macsec(void)
-{
-	struct security_unittest_params *ut_params = &unittest_params;
-	struct rte_security_capability_idx idx = {
-		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
-		.protocol = RTE_SECURITY_PROTOCOL_MACSEC,
-	};
-	struct rte_security_capability capabilities[] = {
-		{
-			.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
-			.protocol = RTE_SECURITY_PROTOCOL_MACSEC,
-		},
-		{
-			.action = RTE_SECURITY_ACTION_TYPE_NONE,
-		},
-	};
-
-	mock_capabilities_get_exp.device = NULL;
-	mock_capabilities_get_exp.ret = capabilities;
-
-	const struct rte_security_capability *ret;
-	ret = rte_security_capability_get(&ut_params->ctx, &idx);
-	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_capability_get,
-			ret, NULL, "%p");
-	TEST_ASSERT_MOCK_CALLS(mock_capabilities_get_exp, 1);
-
-	return TEST_SUCCESS;
-}
-
 /**
  * Test execution of rte_security_capability_get when capabilities table
  * does not contain entry with matching ipsec proto field
@@ -2319,8 +2284,6 @@ static struct unit_test_suite security_testsuite  = {
 				test_capability_get_no_matching_action),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
 				test_capability_get_no_matching_protocol),
-		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
-				test_capability_get_no_support_for_macsec),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
 				test_capability_get_ipsec_mismatch_proto),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
-- 
2.25.1

[PATCH 00/15] net/cnxk: add MACsec support

[Akhil Goyal]

Added MACsec support in Marvell cnxk PMD.
The patchset is pending from last release [1]
Sending as a new series as the functionality is now
complete and tested on hardware.

Depends-on: https://patches.dpdk.org/project/dpdk/list/?series=28140

[1] https://patches.dpdk.org/project/dpdk/cover/20220928124516.93050-1-gakhil@marvell.com/

Akhil Goyal (15):
  common/cnxk: add ROC MACsec initialization
  common/cnxk: add MACsec SA configuration
  common/cnxk: add MACsec SC configuration APIs
  common/cnxk: add MACsec secy and flow configuration
  common/cnxk: add MACsec PN and LMAC mode configuration
  common/cnxk: add MACsec stats
  common/cnxk: add MACsec interrupt APIs
  common/cnxk: add MACsec port configuration
  common/cnxk: add MACsec control port configuration
  common/cnxk: add MACsec FIPS mbox
  common/cnxk: derive hash key for MACsec
  net/cnxk: add MACsec initialization
  net/cnxk: create/destroy MACsec SC/SA
  net/cnxk: add MACsec session and flow configuration
  net/cnxk: add MACsec stats

 drivers/common/cnxk/meson.build       |   3 +
 drivers/common/cnxk/roc_aes.c         |  86 ++-
 drivers/common/cnxk/roc_aes.h         |   4 +-
 drivers/common/cnxk/roc_api.h         |   3 +
 drivers/common/cnxk/roc_dev.c         |  86 +++
 drivers/common/cnxk/roc_features.h    |   6 +
 drivers/common/cnxk/roc_idev.c        |  21 +
 drivers/common/cnxk/roc_idev.h        |   2 +
 drivers/common/cnxk/roc_idev_priv.h   |   1 +
 drivers/common/cnxk/roc_mbox.h        | 524 ++++++++++++++-
 drivers/common/cnxk/roc_mcs.c         | 895 ++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h         | 619 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h    |  73 +++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 528 +++++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c   | 193 ++++++
 drivers/common/cnxk/roc_priv.h        |   3 +
 drivers/common/cnxk/roc_utils.c       |   5 +
 drivers/common/cnxk/version.map       |  44 ++
 drivers/net/cnxk/cn10k_ethdev_sec.c   |  25 +-
 drivers/net/cnxk/cn10k_flow.c         |  22 +-
 drivers/net/cnxk/cnxk_ethdev.c        |  15 +
 drivers/net/cnxk/cnxk_ethdev.h        |  30 +
 drivers/net/cnxk/cnxk_ethdev_mcs.c    | 726 +++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h    | 111 ++++
 drivers/net/cnxk/cnxk_ethdev_sec.c    |   2 +-
 drivers/net/cnxk/cnxk_flow.c          |   5 +
 drivers/net/cnxk/meson.build          |   1 +
 27 files changed, 3995 insertions(+), 38 deletions(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

-- 
2.25.1

[PATCH 01/15] common/cnxk: add ROC MACsec initialization

[Akhil Goyal]

Added ROC init and fini APIs for supporting MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_api.h       |   3 +
 drivers/common/cnxk/roc_features.h  |   6 +
 drivers/common/cnxk/roc_idev.c      |  21 +++
 drivers/common/cnxk/roc_idev.h      |   2 +
 drivers/common/cnxk/roc_idev_priv.h |   1 +
 drivers/common/cnxk/roc_mbox.h      |  65 +++++++-
 drivers/common/cnxk/roc_mcs.c       | 245 ++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  39 +++++
 drivers/common/cnxk/roc_mcs_priv.h  |  65 ++++++++
 drivers/common/cnxk/roc_priv.h      |   3 +
 drivers/common/cnxk/roc_utils.c     |   5 +
 drivers/common/cnxk/version.map     |   6 +
 13 files changed, 461 insertions(+), 1 deletion(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 631b594f32..e33c002676 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -26,6 +26,7 @@ sources = files(
         'roc_irq.c',
         'roc_ie_ot.c',
         'roc_mbox.c',
+        'roc_mcs.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index bbc94ab48e..f630853088 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -114,4 +114,7 @@
 /* ML */
 #include "roc_ml.h"
 
+/* MACsec */
+#include "roc_mcs.h"
+
 #endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_features.h b/drivers/common/cnxk/roc_features.h
index 252f306a86..dd39259c81 100644
--- a/drivers/common/cnxk/roc_features.h
+++ b/drivers/common/cnxk/roc_features.h
@@ -40,4 +40,10 @@ roc_feature_nix_has_reass(void)
 	return roc_model_is_cn10ka();
 }
 
+static inline bool
+roc_feature_nix_has_macsec(void)
+{
+	return roc_model_is_cn10kb();
+}
+
 #endif
diff --git a/drivers/common/cnxk/roc_idev.c b/drivers/common/cnxk/roc_idev.c
index 62a4fd8880..f9b94f3ca0 100644
--- a/drivers/common/cnxk/roc_idev.c
+++ b/drivers/common/cnxk/roc_idev.c
@@ -38,6 +38,7 @@ idev_set_defaults(struct idev_cfg *idev)
 	idev->num_lmtlines = 0;
 	idev->bphy = NULL;
 	idev->cpt = NULL;
+	idev->mcs = NULL;
 	idev->nix_inl_dev = NULL;
 	plt_spinlock_init(&idev->nix_inl_dev_lock);
 	plt_spinlock_init(&idev->npa_dev_lock);
@@ -186,6 +187,26 @@ roc_idev_cpt_get(void)
 	return NULL;
 }
 
+struct roc_mcs *
+roc_idev_mcs_get(void)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+
+	if (idev != NULL)
+		return idev->mcs;
+
+	return NULL;
+}
+
+void
+roc_idev_mcs_set(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+
+	if (idev != NULL)
+		__atomic_store_n(&idev->mcs, mcs, __ATOMIC_RELEASE);
+}
+
 uint64_t *
 roc_nix_inl_outb_ring_base_get(struct roc_nix *roc_nix)
 {
diff --git a/drivers/common/cnxk/roc_idev.h b/drivers/common/cnxk/roc_idev.h
index 926aac0634..dbf1f46335 100644
--- a/drivers/common/cnxk/roc_idev.h
+++ b/drivers/common/cnxk/roc_idev.h
@@ -18,4 +18,6 @@ void __roc_api roc_idev_cpt_set(struct roc_cpt *cpt);
 struct roc_nix *__roc_api roc_idev_npa_nix_get(void);
 uint64_t __roc_api roc_idev_nix_inl_meta_aura_get(void);
 
+struct roc_mcs *__roc_api roc_idev_mcs_get(void);
+void __roc_api roc_idev_mcs_set(struct roc_mcs *mcs);
 #endif /* _ROC_IDEV_H_ */
diff --git a/drivers/common/cnxk/roc_idev_priv.h b/drivers/common/cnxk/roc_idev_priv.h
index b97d2936a2..ce26caa062 100644
--- a/drivers/common/cnxk/roc_idev_priv.h
+++ b/drivers/common/cnxk/roc_idev_priv.h
@@ -30,6 +30,7 @@ struct idev_cfg {
 	struct roc_bphy *bphy;
 	struct roc_cpt *cpt;
 	struct roc_sso *sso;
+	struct roc_mcs *mcs;
 	struct nix_inl_dev *nix_inl_dev;
 	struct idev_nix_inl_cfg inl_cfg;
 	plt_spinlock_t nix_inl_dev_lock;
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index af3c10b0b0..2ba35377da 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -275,7 +275,12 @@ struct mbox_msghdr {
 	M(NIX_SPI_TO_SA_ADD, 0x8026, nix_spi_to_sa_add, nix_spi_to_sa_add_req, \
 	  nix_spi_to_sa_add_rsp)                                               \
 	M(NIX_SPI_TO_SA_DELETE, 0x8027, nix_spi_to_sa_delete,                  \
-	  nix_spi_to_sa_delete_req, msg_rsp)
+	  nix_spi_to_sa_delete_req, msg_rsp)                                   \
+	/* MCS mbox IDs (range 0xa000 - 0xbFFF) */                                                 \
+	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
+	  mcs_alloc_rsrc_rsp)                                                                      \
+	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -653,6 +658,64 @@ struct cgx_set_link_mode_rsp {
 	int __io status;
 };
 
+/* MCS mbox structures */
+enum mcs_direction {
+	MCS_RX,
+	MCS_TX,
+};
+
+enum mcs_rsrc_type {
+	MCS_RSRC_TYPE_FLOWID,
+	MCS_RSRC_TYPE_SECY,
+	MCS_RSRC_TYPE_SC,
+	MCS_RSRC_TYPE_SA,
+};
+
+struct mcs_alloc_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* Resources count */
+	uint8_t __io mcs_id;   /* MCS block ID */
+	uint8_t __io dir;      /* Macsec ingress or egress side */
+	uint8_t __io all;      /* Allocate all resource type one each */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_rsrc_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_ids[128]; /* Index of reserved entries */
+	uint8_t __io secy_ids[128];
+	uint8_t __io sc_ids[128];
+	uint8_t __io sa_ids[256];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* No of entries reserved */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all;
+	uint8_t __io rsvd[256];
+};
+
+struct mcs_free_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_id; /* Index of the entry to be freed */
+	uint8_t __io rsrc_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the cam resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_hw_info {
+	struct mbox_msghdr hdr;
+	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
+	uint8_t __io tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t __io secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t __io sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t __io sa_entries;  /* PN table entries = SA entries */
+	uint64_t __io rsvd[16];
+};
+
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
new file mode 100644
index 0000000000..ce92a6cd47
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -0,0 +1,245 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+TAILQ_HEAD(roc_mcs_head, roc_mcs);
+/* Local mcs tailq list */
+static struct roc_mcs_head roc_mcs_head = TAILQ_HEAD_INITIALIZER(roc_mcs_head);
+
+int
+roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
+{
+	struct mcs_hw_info *hw;
+	struct npa_lf *npa;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (hw_info == NULL)
+		return -EINVAL;
+
+	/* Use mbox handler of first probed pci_func for
+	 * initial mcs mbox communication.
+	 */
+	npa = idev_npa_obj_get();
+	if (!npa)
+		return MCS_ERR_DEVICE_NOT_FOUND;
+
+	mbox_alloc_msg_mcs_get_hw_info(npa->mbox);
+	rc = mbox_process_msg(npa->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	hw_info->num_mcs_blks = hw->num_mcs_blks;
+	hw_info->tcam_entries = hw->tcam_entries;
+	hw_info->secy_entries = hw->secy_entries;
+	hw_info->sc_entries = hw->sc_entries;
+	hw_info->sa_entries = hw->sa_entries;
+
+	return rc;
+}
+
+static int
+mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
+{
+	size_t bmap_sz;
+	int rc = 0;
+
+	bmap_sz = plt_bitmap_get_memory_footprint(entries);
+	*mem = plt_zmalloc(bmap_sz, PLT_CACHE_LINE_SIZE);
+	if (*mem == NULL)
+		rc = -ENOMEM;
+
+	*bmap = plt_bitmap_init(entries, *mem, bmap_sz);
+	if (!*bmap) {
+		plt_free(*mem);
+		*mem = NULL;
+		rc = -ENOMEM;
+	}
+
+	return rc;
+}
+
+static void
+rsrc_bmap_free(struct mcs_rsrc *rsrc)
+{
+	plt_bitmap_free(rsrc->tcam_bmap);
+	plt_free(rsrc->tcam_bmap_mem);
+	plt_bitmap_free(rsrc->secy_bmap);
+	plt_free(rsrc->secy_bmap_mem);
+	plt_bitmap_free(rsrc->sc_bmap);
+	plt_free(rsrc->sc_bmap_mem);
+	plt_bitmap_free(rsrc->sa_bmap);
+	plt_free(rsrc->sa_bmap_mem);
+}
+
+static int
+rsrc_bmap_alloc(struct mcs_priv *priv, struct mcs_rsrc *rsrc)
+{
+	int rc;
+
+	rc = mcs_alloc_bmap(priv->tcam_entries << 1, &rsrc->tcam_bmap_mem, &rsrc->tcam_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->secy_entries << 1, &rsrc->secy_bmap_mem, &rsrc->secy_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sc_entries << 1, &rsrc->sc_bmap_mem, &rsrc->sc_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sa_entries << 1, &rsrc->sa_bmap_mem, &rsrc->sa_bmap);
+	if (rc)
+		goto exit;
+
+	return rc;
+exit:
+	rsrc_bmap_free(rsrc);
+
+	return rc;
+}
+
+static int
+mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_hw_info *hw;
+	int i, rc;
+
+	mbox_alloc_msg_mcs_get_hw_info(mcs->mbox);
+	rc = mbox_process_msg(mcs->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	priv->num_mcs_blks = hw->num_mcs_blks;
+	priv->tcam_entries = hw->tcam_entries;
+	priv->secy_entries = hw->secy_entries;
+	priv->sc_entries = hw->sc_entries;
+	priv->sa_entries = hw->sa_entries;
+
+	rc = rsrc_bmap_alloc(priv, &priv->dev_rsrc);
+	if (rc)
+		return rc;
+
+	priv->port_rsrc = plt_zmalloc(sizeof(struct mcs_rsrc) * 4, 0);
+	if (priv->port_rsrc == NULL) {
+		rsrc_bmap_free(&priv->dev_rsrc);
+		return -ENOMEM;
+	}
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rc = rsrc_bmap_alloc(priv, &priv->port_rsrc[i]);
+		if (rc)
+			goto exit;
+
+		priv->port_rsrc[i].sc_conf =
+			plt_zmalloc(priv->sc_entries * sizeof(struct mcs_sc_conf), 0);
+		if (priv->port_rsrc[i].sc_conf == NULL) {
+			rsrc_bmap_free(&priv->port_rsrc[i]);
+			goto exit;
+		}
+	}
+
+	return rc;
+
+exit:
+	while (i--) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+	plt_free(priv->port_rsrc);
+
+	return -ENOMEM;
+}
+
+struct roc_mcs *
+roc_mcs_dev_get(uint8_t mcs_idx)
+{
+	struct roc_mcs *mcs = NULL;
+
+	TAILQ_FOREACH(mcs, &roc_mcs_head, next) {
+		if (mcs->idx == mcs_idx)
+			break;
+	}
+
+	return mcs;
+}
+
+struct roc_mcs *
+roc_mcs_dev_init(uint8_t mcs_idx)
+{
+	struct roc_mcs *mcs;
+	struct npa_lf *npa;
+
+	if (roc_model_is_cn10kb()) {
+		mcs = roc_idev_mcs_get();
+		if (mcs) {
+			plt_info("Skipping device, mcs device already probed");
+			mcs->refcount++;
+			return mcs;
+		}
+	}
+
+	mcs = plt_zmalloc(sizeof(struct roc_mcs), PLT_CACHE_LINE_SIZE);
+	if (!mcs)
+		return NULL;
+
+	if (roc_model_is_cnf10kb() || roc_model_is_cn10kb()) {
+		npa = idev_npa_obj_get();
+		if (!npa)
+			goto exit;
+
+		mcs->mbox = npa->mbox;
+	} else {
+		/* Retrieve mbox handler for other roc models */
+		;
+	}
+
+	mcs->idx = mcs_idx;
+
+	/* Add any per mcsv initialization */
+	if (mcs_alloc_rsrc_bmap(mcs))
+		goto exit;
+
+	TAILQ_INSERT_TAIL(&roc_mcs_head, mcs, next);
+
+	roc_idev_mcs_set(mcs);
+	mcs->refcount++;
+
+	return mcs;
+exit:
+	plt_free(mcs);
+	return NULL;
+}
+
+void
+roc_mcs_dev_fini(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv;
+
+	mcs->refcount--;
+	if (mcs->refcount > 0)
+		return;
+
+	priv = roc_mcs_to_mcs_priv(mcs);
+
+	TAILQ_REMOVE(&roc_mcs_head, mcs, next);
+
+	rsrc_bmap_free(&priv->dev_rsrc);
+
+	for (int i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+
+	plt_free(priv->port_rsrc);
+
+	plt_free(mcs);
+
+	roc_idev_mcs_set(NULL);
+}
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
new file mode 100644
index 0000000000..504671a833
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -0,0 +1,39 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_H_
+#define _ROC_MCS_H_
+
+#define MCS_AES_GCM_256_KEYLEN 32
+
+struct roc_mcs_hw_info {
+	uint8_t num_mcs_blks; /* Number of MCS blocks */
+	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t sa_entries;  /* PN table entries = SA entries */
+	uint64_t rsvd[16];
+};
+
+
+struct roc_mcs {
+	TAILQ_ENTRY(roc_mcs) next;
+	struct plt_pci_device *pci_dev;
+	struct mbox *mbox;
+	void *userdata;
+	uint8_t idx;
+	uint8_t refcount;
+
+#define ROC_MCS_MEM_SZ (1 * 1024)
+	uint8_t reserved[ROC_MCS_MEM_SZ] __plt_cache_aligned;
+} __plt_cache_aligned;
+
+/* Initialization */
+__roc_api struct roc_mcs *roc_mcs_dev_init(uint8_t mcs_idx);
+__roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
+/* Get roc mcs dev structure */
+__roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
+/* HW info get */
+__roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+#endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
new file mode 100644
index 0000000000..22915d206f
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_PRIV_H_
+#define _ROC_MCS_PRIV_H_
+
+#define MAX_PORTS_PER_MCS 4
+
+enum mcs_error_status {
+	MCS_ERR_PARAM = -900,
+	MCS_ERR_HW_NOTSUP = -901,
+	MCS_ERR_DEVICE_NOT_FOUND = -902,
+};
+
+#define MCS_SUPPORT_CHECK                                                                          \
+	do {                                                                                       \
+		if (!(roc_model_is_cnf10kb() || roc_model_is_cn10kb_a0()))                         \
+			return MCS_ERR_HW_NOTSUP;                                                  \
+	} while (0)
+
+struct mcs_sc_conf {
+	struct {
+		uint64_t sci;
+		uint16_t sa_idx0;
+		uint16_t sa_idx1;
+		uint8_t rekey_enb;
+	} tx;
+	struct {
+		uint16_t sa_idx;
+		uint8_t an;
+	} rx;
+};
+
+struct mcs_rsrc {
+	struct plt_bitmap *tcam_bmap;
+	void *tcam_bmap_mem;
+	struct plt_bitmap *secy_bmap;
+	void *secy_bmap_mem;
+	struct plt_bitmap *sc_bmap;
+	void *sc_bmap_mem;
+	struct plt_bitmap *sa_bmap;
+	void *sa_bmap_mem;
+	struct mcs_sc_conf *sc_conf;
+};
+
+struct mcs_priv {
+	struct mcs_rsrc *port_rsrc;
+	struct mcs_rsrc dev_rsrc;
+	uint64_t default_sci;
+	uint32_t lmac_bmap;
+	uint8_t num_mcs_blks;
+	uint8_t tcam_entries;
+	uint8_t secy_entries;
+	uint8_t sc_entries;
+	uint16_t sa_entries;
+};
+
+static inline struct mcs_priv *
+roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
+{
+	return (struct mcs_priv *)&roc_mcs->reserved[0];
+}
+
+#endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/roc_priv.h b/drivers/common/cnxk/roc_priv.h
index 14fe2e452a..254a2d3310 100644
--- a/drivers/common/cnxk/roc_priv.h
+++ b/drivers/common/cnxk/roc_priv.h
@@ -44,6 +44,9 @@
 /* DPI */
 #include "roc_dpi_priv.h"
 
+/* MCS */
+#include "roc_mcs_priv.h"
+
 /* REE */
 #include "roc_ree_priv.h"
 
diff --git a/drivers/common/cnxk/roc_utils.c b/drivers/common/cnxk/roc_utils.c
index fe291fce96..9af2ae9b69 100644
--- a/drivers/common/cnxk/roc_utils.c
+++ b/drivers/common/cnxk/roc_utils.c
@@ -16,6 +16,7 @@ roc_error_msg_get(int errorcode)
 	case NPA_ERR_PARAM:
 	case NPC_ERR_PARAM:
 	case SSO_ERR_PARAM:
+	case MCS_ERR_PARAM:
 	case UTIL_ERR_PARAM:
 		err_msg = "Invalid parameter";
 		break;
@@ -35,6 +36,7 @@ roc_error_msg_get(int errorcode)
 		err_msg = "Operation not supported";
 		break;
 	case NIX_ERR_HW_NOTSUP:
+	case MCS_ERR_HW_NOTSUP:
 		err_msg = "Hardware does not support";
 		break;
 	case NIX_ERR_QUEUE_INVALID_RANGE:
@@ -223,6 +225,9 @@ roc_error_msg_get(int errorcode)
 	case SSO_ERR_DEVICE_NOT_BOUNDED:
 		err_msg = "SSO pf/vf not found";
 		break;
+	case MCS_ERR_DEVICE_NOT_FOUND:
+		err_msg = "MCS device not found";
+		break;
 	case UTIL_ERR_FS:
 		err_msg = "file operation failed";
 		break;
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index b298a21b84..7593c7c890 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -94,6 +94,8 @@ INTERNAL {
 	roc_idev_cpt_get;
 	roc_idev_cpt_set;
 	roc_idev_lmt_base_addr_get;
+	roc_idev_mcs_get;
+	roc_idev_mcs_set;
 	roc_idev_npa_maxpools_get;
 	roc_idev_npa_maxpools_set;
 	roc_idev_npa_nix_get;
@@ -131,6 +133,10 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_dev_init;
+	roc_mcs_dev_fini;
+	roc_mcs_dev_get;
+	roc_mcs_hw_info_get;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH 02/15] common/cnxk: add MACsec SA configuration

[Akhil Goyal]

Added ROC APIs to allocate/free MACsec resources
and APIs to write SA policy.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build       |   1 +
 drivers/common/cnxk/roc_mbox.h        |  12 ++
 drivers/common/cnxk/roc_mcs.h         |  43 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 211 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   4 +
 5 files changed, 271 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index e33c002676..589baf74fe 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -27,6 +27,7 @@ sources = files(
         'roc_ie_ot.c',
         'roc_mbox.c',
         'roc_mcs.c',
+        'roc_mcs_sec_cfg.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 2ba35377da..66a6de2cd2 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -280,6 +280,7 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -705,6 +706,17 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_sa_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
+	uint8_t __io sa_index[2];
+	uint8_t __io sa_cnt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 504671a833..a345d2a880 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -7,6 +7,39 @@
 
 #define MCS_AES_GCM_256_KEYLEN 32
 
+struct roc_mcs_alloc_rsrc_req {
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* Resources count */
+	uint8_t dir;	  /* Macsec ingress or egress side */
+	uint8_t all;	  /* Allocate all resource type one each */
+};
+
+struct roc_mcs_alloc_rsrc_rsp {
+	uint8_t flow_ids[128]; /* Index of reserved entries */
+	uint8_t secy_ids[128];
+	uint8_t sc_ids[128];
+	uint8_t sa_ids[256];
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* No of entries reserved */
+	uint8_t dir;
+	uint8_t all;
+};
+
+struct roc_mcs_free_rsrc_req {
+	uint8_t rsrc_id; /* Index of the entry to be freed */
+	uint8_t rsrc_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the cam resources */
+};
+
+
+struct roc_mcs_sa_plcy_write_req {
+	uint64_t plcy[2][9];
+	uint8_t sa_index[2];
+	uint8_t sa_cnt;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -36,4 +69,14 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+
+/* Resource allocation and free */
+__roc_api int roc_mcs_alloc_rsrc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+				 struct roc_mcs_alloc_rsrc_rsp *rsp);
+__roc_api int roc_mcs_free_rsrc(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *req);
+/* SA policy read and write */
+__roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
+				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
+__roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
+				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
new file mode 100644
index 0000000000..50f2352c20
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -0,0 +1,211 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_alloc_rsrc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+		   struct roc_mcs_alloc_rsrc_rsp *rsp)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_alloc_rsrc_req *rsrc_req;
+	struct mcs_alloc_rsrc_rsp *rsrc_rsp;
+	int rc, i;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rsrc_req = mbox_alloc_msg_mcs_alloc_resources(mcs->mbox);
+	if (rsrc_req == NULL)
+		return -ENOMEM;
+
+	rsrc_req->rsrc_type = req->rsrc_type;
+	rsrc_req->rsrc_cnt = req->rsrc_cnt;
+	rsrc_req->mcs_id = mcs->idx;
+	rsrc_req->dir = req->dir;
+	rsrc_req->all = req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsrc_rsp);
+	if (rc)
+		return rc;
+
+	if (rsrc_rsp->all) {
+		rsrc_rsp->rsrc_cnt = 1;
+		rsrc_rsp->rsrc_type = 0xFF;
+	}
+
+	for (i = 0; i < rsrc_rsp->rsrc_cnt; i++) {
+		switch (rsrc_rsp->rsrc_type) {
+		case MCS_RSRC_TYPE_FLOWID:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SECY:
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SC:
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SA:
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		default:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		}
+	}
+	rsp->rsrc_type = rsrc_rsp->rsrc_type;
+	rsp->rsrc_cnt = rsrc_rsp->rsrc_cnt;
+	rsp->dir = rsrc_rsp->dir;
+	rsp->all = rsrc_rsp->all;
+
+	return 0;
+}
+
+int
+roc_mcs_free_rsrc(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *free_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_free_rsrc_req *req;
+	struct msg_rsp *rsp;
+	uint32_t pos;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (free_req == NULL)
+		return -EINVAL;
+
+	req = mbox_alloc_msg_mcs_free_resources(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->rsrc_id = free_req->rsrc_id;
+	req->rsrc_type = free_req->rsrc_type;
+	req->mcs_id = mcs->idx;
+	req->dir = free_req->dir;
+	req->all = free_req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	switch (free_req->rsrc_type) {
+	case MCS_RSRC_TYPE_FLOWID:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->tcam_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.tcam_bmap, pos);
+		for (int i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].tcam_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].tcam_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SECY:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->secy_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.secy_bmap, pos);
+		for (int i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].secy_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SC:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sc_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sc_bmap, pos);
+		for (int i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sc_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SA:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sa_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sa_bmap, pos);
+		for (int i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sa_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sa_bmap, pos);
+				break;
+			}
+		}
+		break;
+	default:
+		break;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sa_policy_write(struct roc_mcs *mcs, struct roc_mcs_sa_plcy_write_req *sa_plcy)
+{
+	struct mcs_sa_plcy_write_req *sa;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (sa_plcy == NULL)
+		return -EINVAL;
+
+	sa = mbox_alloc_msg_mcs_sa_plcy_write(mcs->mbox);
+	if (sa == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(sa->plcy, sa_plcy->plcy, sizeof(uint64_t) * 2 * 9);
+	sa->sa_index[0] = sa_plcy->sa_index[0];
+	sa->sa_index[1] = sa_plcy->sa_index[1];
+	sa->sa_cnt = sa_plcy->sa_cnt;
+	sa->mcs_id = mcs->idx;
+	sa->dir = sa_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_sa_plcy_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 7593c7c890..9266edd9a1 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -133,10 +133,14 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_alloc_rsrc;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_free_rsrc;
 	roc_mcs_hw_info_get;
+	roc_mcs_sa_policy_read;
+	roc_mcs_sa_policy_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH 03/15] common/cnxk: add MACsec SC configuration APIs

[Akhil Goyal]

Added ROC APIs to configure MACsec secure channel(SC)
and its mapping with SAs for both Rx and Tx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  37 ++++++
 drivers/common/cnxk/roc_mcs.h         |  41 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 171 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   7 ++
 4 files changed, 256 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 66a6de2cd2..0673c31389 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -280,7 +280,10 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
+	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
+	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -706,6 +709,16 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+/* RX SC_CAM mapping */
+struct mcs_rx_sc_cam_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sci;     /* SCI */
+	uint64_t __io secy_id; /* secy index mapped to SC */
+	uint8_t __io sc_id;    /* SC CAM entry index */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_sa_plcy_write_req {
 	struct mbox_msghdr hdr;
 	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
@@ -716,6 +729,30 @@ struct mcs_sa_plcy_write_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_tx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index0;
+	uint8_t __io sa_index1;
+	uint8_t __io rekey_ena;
+	uint8_t __io sa_index0_vld;
+	uint8_t __io sa_index1_vld;
+	uint8_t __io tx_sa_active;
+	uint64_t __io sectag_sci;
+	uint8_t __io sc_id; /* used as index for SA_MEM_MAP */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_rx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index;
+	uint8_t __io sa_in_use;
+	uint8_t __io sc_id;
+	/* an range is 0-3, sc_id + an used as index SA_MEM_MAP */
+	uint8_t __io an;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
 
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index a345d2a880..2787d6a940 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,12 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+/* RX SC_CAM mapping */
+struct roc_mcs_rx_sc_cam_write_req {
+	uint64_t sci;	  /* SCI */
+	uint64_t secy_id; /* secy index mapped to SC */
+	uint8_t sc_id;	  /* SC CAM entry index */
+};
 
 struct roc_mcs_sa_plcy_write_req {
 	uint64_t plcy[2][9];
@@ -40,6 +46,24 @@ struct roc_mcs_sa_plcy_write_req {
 	uint8_t dir;
 };
 
+struct roc_mcs_tx_sc_sa_map {
+	uint8_t sa_index0;
+	uint8_t sa_index1;
+	uint8_t rekey_ena;
+	uint8_t sa_index0_vld;
+	uint8_t sa_index1_vld;
+	uint8_t tx_sa_active;
+	uint64_t sectag_sci;
+	uint8_t sc_id; /* used as index for SA_MEM_MAP */
+};
+
+struct roc_mcs_rx_sc_sa_map {
+	uint8_t sa_index;
+	uint8_t sa_in_use;
+	uint8_t sc_id;
+	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -79,4 +103,21 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* RX SC read, write and enable */
+__roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
+				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
+				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* RX SC-SA MAP read and write */
+__roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+__roc_api int roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+/* TX SC-SA MAP read and write */
+__roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+__roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 50f2352c20..04bbbbfda0 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -209,3 +209,174 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+
+int
+roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_cam_write_req *rx_sc;
+	struct msg_rsp *rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_cam == NULL)
+		return -EINVAL;
+
+	rx_sc = mbox_alloc_msg_mcs_rx_sc_cam_write(mcs->mbox);
+	if (rx_sc == NULL)
+		return -ENOMEM;
+
+	rx_sc->sci = rx_sc_cam->sci;
+	rx_sc->secy_id = rx_sc_cam->secy_id;
+	rx_sc->sc_id = rx_sc_cam->sc_id;
+	rx_sc->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (int i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, rx_sc_cam->secy_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sc_bmap, rx_sc_cam->sc_id);
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sc_id = rx_sc_sa_map->sc_id;
+	sa_map = mbox_alloc_msg_mcs_rx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index = rx_sc_sa_map->sa_index;
+	sa_map->sa_in_use = rx_sc_sa_map->sa_in_use;
+	sa_map->sc_id = rx_sc_sa_map->sc_id;
+	sa_map->an = rx_sc_sa_map->an;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (int i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, rx_sc_sa_map->sa_index);
+			priv->port_rsrc[i].sc_conf[sc_id].rx.sa_idx = rx_sc_sa_map->sa_index;
+			priv->port_rsrc[i].sc_conf[sc_id].rx.an = rx_sc_sa_map->an;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_tx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (tx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sa_map = mbox_alloc_msg_mcs_tx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index0 = tx_sc_sa_map->sa_index0;
+	sa_map->sa_index1 = tx_sc_sa_map->sa_index1;
+	sa_map->rekey_ena = tx_sc_sa_map->rekey_ena;
+	sa_map->sa_index0_vld = tx_sc_sa_map->sa_index0_vld;
+	sa_map->sa_index1_vld = tx_sc_sa_map->sa_index1_vld;
+	sa_map->tx_sa_active = tx_sc_sa_map->tx_sa_active;
+	sa_map->sectag_sci = tx_sc_sa_map->sectag_sci;
+	sa_map->sc_id = tx_sc_sa_map->sc_id;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	sc_id = tx_sc_sa_map->sc_id;
+	for (int i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id + priv->sc_entries);
+
+		if (set) {
+			uint32_t pos = priv->sa_entries + tx_sc_sa_map->sa_index0;
+
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx0 = tx_sc_sa_map->sa_index0;
+			pos = priv->sa_entries + tx_sc_sa_map->sa_index1;
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx1 = tx_sc_sa_map->sa_index1;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sci = tx_sc_sa_map->sectag_sci;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.rekey_enb = tx_sc_sa_map->rekey_ena;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 9266edd9a1..a1af736a07 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,8 +139,15 @@ INTERNAL {
 	roc_mcs_dev_get;
 	roc_mcs_free_rsrc;
 	roc_mcs_hw_info_get;
+	roc_mcs_rx_sc_cam_enable;
+	roc_mcs_rx_sc_cam_read;
+	roc_mcs_rx_sc_cam_write;
+	roc_mcs_rx_sc_sa_map_read;
+	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_tx_sc_sa_map_read;
+	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH 04/15] common/cnxk: add MACsec secy and flow configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec secy policy and
flow entries.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  38 +++++++++
 drivers/common/cnxk/roc_mcs.h         |  37 +++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 115 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   5 ++
 4 files changed, 195 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 0673c31389..2f6ce958d8 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -280,10 +280,14 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_FLOWID_ENTRY_WRITE, 0xa002, mcs_flowid_entry_write, mcs_flowid_entry_write_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_SECY_PLCY_WRITE, 0xa003, mcs_secy_plcy_write, mcs_secy_plcy_write_req, msg_rsp)      \
 	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
+	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -709,6 +713,31 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_entry_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data[4];
+	uint64_t __io mask[4];
+	uint64_t __io sci; /* CNF10K-B for tx_secy_mem_map */
+	uint8_t __io flow_id;
+	uint8_t __io secy_id; /* secyid for which flowid is mapped */
+	/* sc_id is Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t __io sc_id;
+	uint8_t __io ena; /* Enable tcam entry */
+	uint8_t __io ctr_pkt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy;
+	uint8_t __io secy_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 /* RX SC_CAM mapping */
 struct mcs_rx_sc_cam_write_req {
 	struct mbox_msghdr hdr;
@@ -754,6 +783,15 @@ struct mcs_rx_sc_sa_map {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_ena_dis_entry {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_id;
+	uint8_t __io ena;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 2787d6a940..7e0a98e91a 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,24 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+struct roc_mcs_flowid_entry_write_req {
+	uint64_t data[4];
+	uint64_t mask[4];
+	uint64_t sci; /* 105N for tx_secy_mem_map */
+	uint8_t flow_id;
+	uint8_t secy_id; /* secyid for which flowid is mapped */
+	uint8_t sc_id;	 /* Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t ena;	 /* Enable tcam entry */
+	uint8_t ctr_pkt;
+	uint8_t dir;
+};
+
+struct roc_mcs_secy_plcy_write_req {
+	uint64_t plcy;
+	uint8_t secy_id;
+	uint8_t dir;
+};
+
 /* RX SC_CAM mapping */
 struct roc_mcs_rx_sc_cam_write_req {
 	uint64_t sci;	  /* SCI */
@@ -64,6 +82,12 @@ struct roc_mcs_rx_sc_sa_map {
 	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
 };
 
+struct roc_mcs_flowid_ena_dis_entry {
+	uint8_t flow_id;
+	uint8_t ena;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -110,6 +134,11 @@ __roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
 				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 __roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
 				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* SECY policy read and write */
+__roc_api int roc_mcs_secy_policy_write(struct roc_mcs *mcs,
+					struct roc_mcs_secy_plcy_write_req *secy_plcy);
+__roc_api int roc_mcs_secy_policy_read(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 /* RX SC-SA MAP read and write */
 __roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
@@ -120,4 +149,12 @@ __roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 __roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
 					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+/* Flow entry read, write and enable */
+__roc_api int roc_mcs_flowid_entry_write(struct roc_mcs *mcs,
+					 struct roc_mcs_flowid_entry_write_req *flowid_req);
+__roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
+					struct roc_mcs_flowid_entry_write_req *flowid_rsp);
+__roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
+					  struct roc_mcs_flowid_ena_dis_entry *entry);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 04bbbbfda0..50369c73d7 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -267,6 +267,38 @@ roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_secy_policy_write(struct roc_mcs *mcs, struct roc_mcs_secy_plcy_write_req *secy_plcy)
+{
+	struct mcs_secy_plcy_write_req *secy;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (secy_plcy == NULL)
+		return -EINVAL;
+
+	secy = mbox_alloc_msg_mcs_secy_plcy_write(mcs->mbox);
+	if (secy == NULL)
+		return -ENOMEM;
+
+	secy->plcy = secy_plcy->plcy;
+	secy->secy_id = secy_plcy->secy_id;
+	secy->mcs_id = mcs->idx;
+	secy->dir = secy_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_secy_policy_read(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
 int
 roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
 {
@@ -380,3 +412,86 @@ roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+int
+roc_mcs_flowid_entry_write(struct roc_mcs *mcs, struct roc_mcs_flowid_entry_write_req *flowid_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_flowid_entry_write_req *flow_req;
+	struct msg_rsp *rsp;
+	uint8_t port;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (flowid_req == NULL)
+		return -EINVAL;
+
+	flow_req = mbox_alloc_msg_mcs_flowid_entry_write(mcs->mbox);
+	if (flow_req == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(flow_req->data, flowid_req->data, sizeof(uint64_t) * 4);
+	mbox_memcpy(flow_req->mask, flowid_req->mask, sizeof(uint64_t) * 4);
+	flow_req->sci = flowid_req->sci;
+	flow_req->flow_id = flowid_req->flow_id;
+	flow_req->secy_id = flowid_req->secy_id;
+	flow_req->sc_id = flowid_req->sc_id;
+	flow_req->ena = flowid_req->ena;
+	flow_req->ctr_pkt = flowid_req->ctr_pkt;
+	flow_req->mcs_id = mcs->idx;
+	flow_req->dir = flowid_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (flow_req->mask[3] & (BIT_ULL(10) | BIT_ULL(11)))
+		return rc;
+
+	port = (flow_req->data[3] >> 10) & 0x3;
+
+	plt_bitmap_set(priv->port_rsrc[port].tcam_bmap,
+		       flowid_req->flow_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->tcam_entries : 0));
+	plt_bitmap_set(priv->port_rsrc[port].secy_bmap,
+		       flowid_req->secy_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->secy_entries : 0));
+
+	if (flowid_req->dir == MCS_TX)
+		plt_bitmap_set(priv->port_rsrc[port].sc_bmap, priv->sc_entries + flowid_req->sc_id);
+
+	return 0;
+}
+
+int
+roc_mcs_flowid_entry_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_flowid_entry_write_req *flowid_rsp __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_flowid_entry_enable(struct roc_mcs *mcs, struct roc_mcs_flowid_ena_dis_entry *entry)
+{
+	struct mcs_flowid_ena_dis_entry *flow_entry;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (entry == NULL)
+		return -EINVAL;
+
+	flow_entry = mbox_alloc_msg_mcs_flowid_ena_entry(mcs->mbox);
+	if (flow_entry == NULL)
+		return -ENOMEM;
+
+	flow_entry->flow_id = entry->flow_id;
+	flow_entry->ena = entry->ena;
+	flow_entry->mcs_id = mcs->idx;
+	flow_entry->dir = entry->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index a1af736a07..cb821de9ac 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -137,6 +137,9 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_flowid_entry_enable;
+	roc_mcs_flowid_entry_read;
+	roc_mcs_flowid_entry_write;
 	roc_mcs_free_rsrc;
 	roc_mcs_hw_info_get;
 	roc_mcs_rx_sc_cam_enable;
@@ -146,6 +149,8 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_secy_policy_read;
+	roc_mcs_secy_policy_write;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH 05/15] common/cnxk: add MACsec PN and LMAC mode configuration

[Akhil Goyal]

Added ROC APIs for setting packet number and LMAC
related configurations.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        | 56 +++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c         | 71 +++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h         | 48 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 31 ++++++++++++
 drivers/common/cnxk/version.map       |  5 ++
 5 files changed, 211 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 2f6ce958d8..9f9783ec92 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -288,7 +288,11 @@ struct mbox_msghdr {
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
+	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
+	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
+	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -792,6 +796,34 @@ struct mcs_flowid_ena_dis_entry {
 	uint64_t __io rsvd;
 };
 
+struct mcs_pn_table_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io next_pn;
+	uint8_t __io pn_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io reg_val[10];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
@@ -802,6 +834,30 @@ struct mcs_hw_info {
 	uint64_t __io rsvd[16];
 };
 
+struct mcs_set_active_lmac {
+	struct mbox_msghdr hdr;
+	uint32_t __io lmac_bmap; /* bitmap of active lmac per mcs block */
+	uint8_t __io mcs_id;
+	uint16_t channel_base; /* MCS channel base */
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_lmac_mode {
+	struct mbox_msghdr hdr;
+	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_pn_threshold {
+	struct mbox_msghdr hdr;
+	uint64_t __io threshold;
+	uint8_t __io xpn; /* '1' for setting xpn threshold */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
 
 /* NPA mbox message formats */
 
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index ce92a6cd47..b15933d362 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -42,6 +42,77 @@ roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 	return rc;
 }
 
+int
+roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac)
+{
+	struct mcs_set_active_lmac *req;
+	struct msg_rsp *rsp;
+
+	/* Only needed for 105N */
+	if (!roc_model_is_cnf10kb())
+		return 0;
+
+	if (lmac == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_active_lmac(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_bmap = lmac->lmac_bmap;
+	req->channel_base = lmac->channel_base;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
+{
+	struct mcs_set_lmac_mode *req;
+	struct msg_rsp *rsp;
+
+	if (port == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_lmac_mode(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_id = port->lmac_id;
+	req->mcs_id = mcs->idx;
+	req->mode = port->mode;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn)
+{
+	struct mcs_set_pn_threshold *req;
+	struct msg_rsp *rsp;
+
+	if (pn == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_pn_threshold(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->threshold = pn->threshold;
+	req->mcs_id = mcs->idx;
+	req->dir = pn->dir;
+	req->xpn = pn->xpn;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 7e0a98e91a..a51ee21278 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -88,6 +88,25 @@ struct roc_mcs_flowid_ena_dis_entry {
 	uint8_t dir;
 };
 
+struct roc_mcs_pn_table_write_req {
+	uint64_t next_pn;
+	uint8_t pn_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_req {
+	uint8_t rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_rsp {
+	uint64_t reg_val[10];
+	uint8_t rsrc_type;
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -97,6 +116,24 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+struct roc_mcs_set_lmac_mode {
+	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_active_lmac {
+	uint32_t lmac_bmap;    /* bitmap of active lmac per mcs block */
+	uint16_t channel_base; /* MCS channel base */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_pn_threshold {
+	uint64_t threshold;
+	uint8_t xpn; /* '1' for setting xpn threshold */
+	uint8_t dir;
+	uint64_t rsvd;
+};
 
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
@@ -117,6 +154,12 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+/* Active lmac bmap set */
+__roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac);
+/* Port bypass mode set */
+__roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
+/* (X)PN threshold set */
+__roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_alloc_rsrc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -127,6 +170,11 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* PN Table read and write */
+__roc_api int roc_mcs_pn_table_write(struct roc_mcs *mcs,
+				     struct roc_mcs_pn_table_write_req *pn_table);
+__roc_api int roc_mcs_pn_table_read(struct roc_mcs *mcs,
+				    struct roc_mcs_pn_table_write_req *pn_table);
 /* RX SC read, write and enable */
 __roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
 				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 50369c73d7..99afb63904 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -210,6 +210,37 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_pn_table_write(struct roc_mcs *mcs, struct roc_mcs_pn_table_write_req *pn_table)
+{
+	struct mcs_pn_table_write_req *pn;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (pn_table == NULL)
+		return -EINVAL;
+
+	pn = mbox_alloc_msg_mcs_pn_table_write(mcs->mbox);
+	if (pn == NULL)
+		return -ENOMEM;
+
+	pn->next_pn = pn_table->next_pn;
+	pn->pn_id = pn_table->pn_id;
+	pn->mcs_id = mcs->idx;
+	pn->dir = pn_table->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_table_read(struct roc_mcs *mcs __plt_unused,
+		      struct roc_mcs_pn_table_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
 
 int
 roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index cb821de9ac..9be7887967 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -133,6 +133,7 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_active_lmac_set;
 	roc_mcs_alloc_rsrc;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
@@ -142,6 +143,10 @@ INTERNAL {
 	roc_mcs_flowid_entry_write;
 	roc_mcs_free_rsrc;
 	roc_mcs_hw_info_get;
+	roc_mcs_lmac_mode_set;
+	roc_mcs_pn_table_write;
+	roc_mcs_pn_table_read;
+	roc_mcs_pn_threshold_set;
 	roc_mcs_rx_sc_cam_enable;
 	roc_mcs_rx_sc_cam_read;
 	roc_mcs_rx_sc_cam_write;
-- 
2.25.1

[PATCH 06/15] common/cnxk: add MACsec stats

[Akhil Goyal]

Added ROC APIs for MACsec stats for SC/SECY/FLOW/PORT

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_mbox.h      |  93 ++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  85 ++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c | 193 ++++++++++++++++++++++++++++
 drivers/common/cnxk/version.map     |   5 +
 5 files changed, 377 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 589baf74fe..79e10bac74 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -28,6 +28,7 @@ sources = files(
         'roc_mbox.c',
         'roc_mcs.c',
         'roc_mcs_sec_cfg.c',
+        'roc_mcs_stats.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 9f9783ec92..1cbe66cc0c 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -291,6 +291,11 @@ struct mbox_msghdr {
 	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
 	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_GET_FLOWID_STATS, 0xa00c, mcs_get_flowid_stats, mcs_stats_req, mcs_flowid_stats)     \
+	M(MCS_GET_SECY_STATS, 0xa00d, mcs_get_secy_stats, mcs_stats_req, mcs_secy_stats)           \
+	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
+	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
+	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -859,6 +864,94 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_stats_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_flowid_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_hit_cnt;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl_pkt_bcast_cnt;
+	uint64_t __io ctl_pkt_mcast_cnt;
+	uint64_t __io ctl_pkt_ucast_cnt;
+	uint64_t __io ctl_octet_cnt;
+	uint64_t __io unctl_pkt_bcast_cnt;
+	uint64_t __io unctl_pkt_mcast_cnt;
+	uint64_t __io unctl_pkt_ucast_cnt;
+	uint64_t __io unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t __io octet_decrypted_cnt;
+	uint64_t __io octet_validated_cnt;
+	uint64_t __io pkt_port_disabled_cnt;
+	uint64_t __io pkt_badtag_cnt;
+	uint64_t __io pkt_nosa_cnt;
+	uint64_t __io pkt_nosaerror_cnt;
+	uint64_t __io pkt_tagged_ctl_cnt;
+	uint64_t __io pkt_untaged_cnt;
+	uint64_t __io pkt_ctl_cnt;   /* CN10K-B */
+	uint64_t __io pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t __io octet_encrypted_cnt;
+	uint64_t __io octet_protected_cnt;
+	uint64_t __io pkt_noactivesa_cnt;
+	uint64_t __io pkt_toolong_cnt;
+	uint64_t __io pkt_untagged_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_port_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_miss_cnt;
+	uint64_t __io parser_err_cnt;
+	uint64_t __io preempt_err_cnt; /* CNF10K-B */
+	uint64_t __io sectag_insert_err_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_sc_stats {
+	struct mbox_msghdr hdr;
+	/* RX */
+	uint64_t __io hit_cnt;
+	uint64_t __io pkt_invalid_cnt;
+	uint64_t __io pkt_late_cnt;
+	uint64_t __io pkt_notvalid_cnt;
+	uint64_t __io pkt_unchecked_cnt;
+	uint64_t __io pkt_delay_cnt;	  /* CNF10K-B */
+	uint64_t __io pkt_ok_cnt;	  /* CNF10K-B */
+	uint64_t __io octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t __io octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t __io pkt_encrypt_cnt;
+	uint64_t __io pkt_protected_cnt;
+	uint64_t __io octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t __io octet_protected_cnt; /* CN10K-B */
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_clear_stats {
+	struct mbox_msghdr hdr;
+#define MCS_FLOWID_STATS 0
+#define MCS_SECY_STATS	 1
+#define MCS_SC_STATS	 2
+#define MCS_SA_STATS	 3
+#define MCS_PORT_STATS	 4
+	uint8_t __io type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* All resources stats mapped to PF are cleared */
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index a51ee21278..0157a7b26a 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -135,6 +135,76 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_stats_req {
+	uint8_t id;
+	uint8_t dir;
+};
+
+struct roc_mcs_flowid_stats {
+	uint64_t tcam_hit_cnt;
+};
+
+struct roc_mcs_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;	/* CN10K-B */
+	uint64_t pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct roc_mcs_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;	     /* CNF10K-B */
+	uint64_t pkt_ok_cnt;	     /* CNF10K-B */
+	uint64_t octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t octet_protected_cnt; /* CN10K-B */
+};
+
+struct roc_mcs_port_stats {
+	uint64_t tcam_miss_cnt;
+	uint64_t parser_err_cnt;
+	uint64_t preempt_err_cnt; /* CNF10K-B */
+	uint64_t sectag_insert_err_cnt;
+};
+
+struct roc_mcs_clear_stats {
+	uint8_t type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t id;
+	uint8_t dir;
+	uint8_t all; /* All resources stats mapped to PF are cleared */
+};
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -205,4 +275,19 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Flow id stats get */
+__roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				       struct roc_mcs_flowid_stats *stats);
+/* Secy stats get */
+__roc_api int roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_secy_stats *stats);
+/* SC stats get */
+__roc_api int roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				   struct roc_mcs_sc_stats *stats);
+/* Port stats get */
+__roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_port_stats *stats);
+/* Clear stats */
+__roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_stats.c b/drivers/common/cnxk/roc_mcs_stats.c
new file mode 100644
index 0000000000..24ac8a31cd
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_stats.c
@@ -0,0 +1,193 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+			 struct roc_mcs_flowid_stats *stats)
+{
+	struct mcs_flowid_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_flowid_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_hit_cnt = rsp->tcam_hit_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_secy_stats *stats)
+{
+	struct mcs_secy_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_secy_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->ctl_pkt_bcast_cnt = rsp->ctl_pkt_bcast_cnt;
+	stats->ctl_pkt_mcast_cnt = rsp->ctl_pkt_mcast_cnt;
+	stats->ctl_pkt_ucast_cnt = rsp->ctl_pkt_ucast_cnt;
+	stats->ctl_octet_cnt = rsp->ctl_octet_cnt;
+	stats->unctl_pkt_bcast_cnt = rsp->unctl_pkt_bcast_cnt;
+	stats->unctl_pkt_mcast_cnt = rsp->unctl_pkt_mcast_cnt;
+	stats->unctl_pkt_ucast_cnt = rsp->unctl_pkt_ucast_cnt;
+	stats->unctl_octet_cnt = rsp->unctl_octet_cnt;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->octet_decrypted_cnt = rsp->octet_decrypted_cnt;
+		stats->octet_validated_cnt = rsp->octet_validated_cnt;
+		stats->pkt_port_disabled_cnt = rsp->pkt_port_disabled_cnt;
+		stats->pkt_badtag_cnt = rsp->pkt_badtag_cnt;
+		stats->pkt_nosa_cnt = rsp->pkt_nosa_cnt;
+		stats->pkt_nosaerror_cnt = rsp->pkt_nosaerror_cnt;
+		stats->pkt_tagged_ctl_cnt = rsp->pkt_tagged_ctl_cnt;
+		stats->pkt_untaged_cnt = rsp->pkt_untaged_cnt;
+		if (roc_model_is_cn10kb_a0())
+			/* CN10K-B */
+			stats->pkt_ctl_cnt = rsp->pkt_ctl_cnt;
+		else
+			/* CNF10K-B */
+			stats->pkt_notag_cnt = rsp->pkt_notag_cnt;
+	} else {
+		stats->octet_encrypted_cnt = rsp->octet_encrypted_cnt;
+		stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		stats->pkt_noactivesa_cnt = rsp->pkt_noactivesa_cnt;
+		stats->pkt_toolong_cnt = rsp->pkt_toolong_cnt;
+		stats->pkt_untagged_cnt = rsp->pkt_untagged_cnt;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		     struct roc_mcs_sc_stats *stats)
+{
+	struct mcs_stats_req *req;
+	struct mcs_sc_stats *rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_sc_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->hit_cnt = rsp->hit_cnt;
+		stats->pkt_invalid_cnt = rsp->pkt_invalid_cnt;
+		stats->pkt_late_cnt = rsp->pkt_late_cnt;
+		stats->pkt_notvalid_cnt = rsp->pkt_notvalid_cnt;
+		stats->pkt_unchecked_cnt = rsp->pkt_unchecked_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_decrypt_cnt = rsp->octet_decrypt_cnt;
+			stats->octet_validate_cnt = rsp->octet_validate_cnt;
+		} else {
+			stats->pkt_delay_cnt = rsp->pkt_delay_cnt;
+			stats->pkt_ok_cnt = rsp->pkt_ok_cnt;
+		}
+	} else {
+		stats->pkt_encrypt_cnt = rsp->pkt_encrypt_cnt;
+		stats->pkt_protected_cnt = rsp->pkt_protected_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_encrypt_cnt = rsp->octet_encrypt_cnt;
+			stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		}
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_port_stats *stats)
+{
+	struct mcs_port_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_port_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_miss_cnt = rsp->tcam_miss_cnt;
+	stats->parser_err_cnt = rsp->parser_err_cnt;
+	if (roc_model_is_cnf10kb())
+		stats->preempt_err_cnt = rsp->preempt_err_cnt;
+
+	stats->sectag_insert_err_cnt = rsp->sectag_insert_err_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req)
+{
+	struct mcs_clear_stats *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (!roc_model_is_cn10kb_a0() && mcs_req->type == MCS_SA_STATS)
+		return MCS_ERR_HW_NOTSUP;
+
+	req = mbox_alloc_msg_mcs_clear_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->type = mcs_req->type;
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+	req->all = mcs_req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 9be7887967..4b832f2303 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -141,12 +141,14 @@ INTERNAL {
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
+	roc_mcs_flowid_stats_get;
 	roc_mcs_free_rsrc;
 	roc_mcs_hw_info_get;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_stats_get;
 	roc_mcs_rx_sc_cam_enable;
 	roc_mcs_rx_sc_cam_read;
 	roc_mcs_rx_sc_cam_write;
@@ -154,8 +156,11 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_sc_stats_get;
 	roc_mcs_secy_policy_read;
 	roc_mcs_secy_policy_write;
+	roc_mcs_secy_stats_get;
+	roc_mcs_stats_clear;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH 07/15] common/cnxk: add MACsec interrupt APIs

[Akhil Goyal]

Added ROC APIs to support various MACsec interrupts.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_dev.c      |  86 +++++++++++++++++
 drivers/common/cnxk/roc_mbox.h     |  37 +++++++-
 drivers/common/cnxk/roc_mcs.c      | 117 +++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h      | 144 +++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h |   8 ++
 drivers/common/cnxk/version.map    |   3 +
 6 files changed, 394 insertions(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/roc_dev.c b/drivers/common/cnxk/roc_dev.c
index 2388237186..199d37d703 100644
--- a/drivers/common/cnxk/roc_dev.c
+++ b/drivers/common/cnxk/roc_dev.c
@@ -500,6 +500,91 @@ pf_vf_mbox_send_up_msg(struct dev *dev, void *rec_msg)
 	}
 }
 
+static int
+mbox_up_handler_mcs_intr_notify(struct dev *dev, struct mcs_intr_info *info, struct msg_rsp *rsp)
+{
+	struct roc_mcs_event_desc desc = {0};
+	struct roc_mcs *mcs;
+
+	plt_base_dbg("pf:%d/vf:%d msg id 0x%x (%s) from: pf:%d/vf:%d", dev_get_pf(dev->pf_func),
+		     dev_get_vf(dev->pf_func), info->hdr.id, mbox_id2name(info->hdr.id),
+		     dev_get_pf(info->hdr.pcifunc), dev_get_vf(info->hdr.pcifunc));
+
+	mcs = roc_mcs_dev_get(info->mcs_id);
+	if (!mcs)
+		goto exit;
+
+	if (info->intr_mask) {
+		switch (info->intr_mask) {
+		case MCS_CPM_RX_SECTAG_V_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_V_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SL_GTE48_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SL_GTE48;
+			break;
+		case MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		case MCS_CPM_RX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_RX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_SA_NOT_VALID_INT:
+			desc.type = ROC_MCS_EVENT_SA_NOT_VALID;
+			break;
+		case MCS_BBE_RX_DFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_DFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_DATA_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_BBE_RX_PLFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_PLFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_PAB_RX_CHAN_OVERFLOW_INT:
+		case MCS_PAB_TX_CHAN_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		default:
+			goto exit;
+		}
+
+		mcs_event_cb_process(mcs, &desc);
+	}
+
+exit:
+	rsp->hdr.rc = 0;
+	return 0;
+}
+
 static int
 mbox_up_handler_cgx_link_event(struct dev *dev, struct cgx_link_info_msg *msg,
 			       struct msg_rsp *rsp)
@@ -588,6 +673,7 @@ mbox_process_msgs_up(struct dev *dev, struct mbox_msghdr *req)
 		return err;                                                    \
 	}
 		MBOX_UP_CGX_MESSAGES
+		MBOX_UP_MCS_MESSAGES
 #undef M
 	}
 
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 1cbe66cc0c..6e2b32a43f 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -296,6 +296,7 @@ struct mbox_msghdr {
 	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
 	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
 	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
+	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -304,9 +305,11 @@ struct mbox_msghdr {
 	M(CGX_LINK_EVENT, 0xC00, cgx_link_event, cgx_link_info_msg, msg_rsp)   \
 	M(CGX_PTP_RX_INFO, 0xC01, cgx_ptp_rx_info, cgx_ptp_rx_info_msg, msg_rsp)
 
+#define MBOX_UP_MCS_MESSAGES M(MCS_INTR_NOTIFY, 0xE00, mcs_intr_notify, mcs_intr_info, msg_rsp)
+
 enum {
 #define M(_name, _id, _1, _2, _3) MBOX_MSG_##_name = _id,
-	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES
+	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES MBOX_UP_MCS_MESSAGES
 #undef M
 };
 
@@ -847,6 +850,38 @@ struct mcs_set_active_lmac {
 	uint64_t __io rsvd;
 };
 
+#define MCS_CPM_RX_SECTAG_V_EQ1_INT	     BIT_ULL(0)
+#define MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT    BIT_ULL(1)
+#define MCS_CPM_RX_SECTAG_SL_GTE48_INT	     BIT_ULL(2)
+#define MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT  BIT_ULL(3)
+#define MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define MCS_CPM_RX_PACKET_XPN_EQ0_INT	     BIT_ULL(5)
+#define MCS_CPM_RX_PN_THRESH_REACHED_INT     BIT_ULL(6)
+#define MCS_CPM_TX_PACKET_XPN_EQ0_INT	     BIT_ULL(7)
+#define MCS_CPM_TX_PN_THRESH_REACHED_INT     BIT_ULL(8)
+#define MCS_CPM_TX_SA_NOT_VALID_INT	     BIT_ULL(9)
+#define MCS_BBE_RX_DFIFO_OVERFLOW_INT	     BIT_ULL(10)
+#define MCS_BBE_RX_PLFIFO_OVERFLOW_INT	     BIT_ULL(11)
+#define MCS_BBE_TX_DFIFO_OVERFLOW_INT	     BIT_ULL(12)
+#define MCS_BBE_TX_PLFIFO_OVERFLOW_INT	     BIT_ULL(13)
+#define MCS_PAB_RX_CHAN_OVERFLOW_INT	     BIT_ULL(14)
+#define MCS_PAB_TX_CHAN_OVERFLOW_INT	     BIT_ULL(15)
+
+struct mcs_intr_cfg {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask; /* Interrupt enable mask */
+	uint8_t __io mcs_id;
+};
+
+struct mcs_intr_info {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask;
+	int __io sa_id;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_set_lmac_mode {
 	struct mbox_msghdr hdr;
 	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index b15933d362..c2f0a46f23 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -5,6 +5,18 @@
 #include "roc_api.h"
 #include "roc_priv.h"
 
+struct mcs_event_cb {
+	TAILQ_ENTRY(mcs_event_cb) next;
+	enum roc_mcs_event_type event;
+	roc_mcs_dev_cb_fn cb_fn;
+	void *cb_arg;
+	void *ret_param;
+	uint32_t active;
+};
+TAILQ_HEAD(mcs_event_cb_list, mcs_event_cb);
+
+PLT_STATIC_ASSERT(ROC_MCS_MEM_SZ >= (sizeof(struct mcs_priv) + sizeof(struct mcs_event_cb_list)));
+
 TAILQ_HEAD(roc_mcs_head, roc_mcs);
 /* Local mcs tailq list */
 static struct roc_mcs_head roc_mcs_head = TAILQ_HEAD_INITIALIZER(roc_mcs_head);
@@ -113,6 +125,107 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
+{
+	struct mcs_intr_cfg *req;
+	struct msg_rsp *rsp;
+
+	if (config == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_intr_cfg(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->intr_mask = config->intr_mask;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb;
+
+	if (cb_fn == NULL || cb_arg == NULL || userdata == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	TAILQ_FOREACH (cb, cb_list, next) {
+		if (cb->cb_fn == cb_fn && cb->cb_arg == cb_arg && cb->event == event)
+			break;
+	}
+
+	if (cb == NULL) {
+		cb = plt_zmalloc(sizeof(struct mcs_event_cb), 0);
+		if (!cb)
+			return -ENOMEM;
+
+		cb->cb_fn = cb_fn;
+		cb->cb_arg = cb_arg;
+		cb->event = event;
+		mcs->userdata = userdata;
+		TAILQ_INSERT_TAIL(cb_list, cb, next);
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb, *next;
+
+	MCS_SUPPORT_CHECK;
+
+	for (cb = TAILQ_FIRST(cb_list); cb != NULL; cb = next) {
+		next = TAILQ_NEXT(cb, next);
+
+		if (cb->event != event)
+			continue;
+
+		if (cb->active == 0) {
+			TAILQ_REMOVE(cb_list, cb, next);
+			plt_free(cb);
+		} else {
+			return -EAGAIN;
+		}
+	}
+
+	return 0;
+}
+
+int
+mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb mcs_cb;
+	struct mcs_event_cb *cb;
+	int rc = 0;
+
+	TAILQ_FOREACH (cb, cb_list, next) {
+		if (cb->cb_fn == NULL || cb->event != desc->type)
+			continue;
+
+		mcs_cb = *cb;
+		cb->active = 1;
+		mcs_cb.ret_param = desc;
+
+		rc = mcs_cb.cb_fn(mcs->userdata, mcs_cb.ret_param, mcs_cb.cb_arg);
+		cb->active = 0;
+	}
+
+	return rc;
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
@@ -244,6 +357,7 @@ roc_mcs_dev_get(uint8_t mcs_idx)
 struct roc_mcs *
 roc_mcs_dev_init(uint8_t mcs_idx)
 {
+	struct mcs_event_cb_list *cb_list;
 	struct roc_mcs *mcs;
 	struct npa_lf *npa;
 
@@ -279,6 +393,9 @@ roc_mcs_dev_init(uint8_t mcs_idx)
 
 	TAILQ_INSERT_TAIL(&roc_mcs_head, mcs, next);
 
+	cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	TAILQ_INIT(cb_list);
+
 	roc_idev_mcs_set(mcs);
 	mcs->refcount++;
 
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 0157a7b26a..d53aeb6b1e 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -116,6 +116,34 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+#define ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT		 BIT_ULL(0)
+#define ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT	 BIT_ULL(1)
+#define ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT	 BIT_ULL(2)
+#define ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT	 BIT_ULL(3)
+#define ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT	 BIT_ULL(5)
+#define ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT	 BIT_ULL(6)
+#define ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT	 BIT_ULL(7)
+#define ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT	 BIT_ULL(8)
+#define ROC_MCS_CPM_TX_SA_NOT_VALID_INT		 BIT_ULL(9)
+#define ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT	 BIT_ULL(10)
+#define ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT	 BIT_ULL(11)
+#define ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT	 BIT_ULL(12)
+#define ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT	 BIT_ULL(13)
+#define ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT	 BIT_ULL(14)
+#define ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT	 BIT_ULL(15)
+
+struct roc_mcs_intr_cfg {
+	uint64_t intr_mask; /* Interrupt enable mask */
+};
+
+struct roc_mcs_intr_info {
+	uint64_t intr_mask;
+	int sa_id;
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_set_lmac_mode {
 	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
 	uint8_t lmac_id;
@@ -205,6 +233,113 @@ struct roc_mcs_clear_stats {
 	uint8_t all; /* All resources stats mapped to PF are cleared */
 };
 
+enum roc_mcs_event_subtype {
+	ROC_MCS_SUBEVENT_UNKNOWN,
+
+	/* subevents of ROC_MCS_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * ROC_MCS_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	ROC_MCS_EVENT_RX_SECTAG_V_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SL_GTE48,
+	ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+
+	/* subevents of ROC_MCS_EVENT_FIFO_OVERFLOW error event
+	 * ROC_MCS_EVENT_DATA_FIFO_OVERFLOW:
+	 *	Notifies data FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW
+	 *	Notifies policy FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+	 *	Notifies output FIFO overflow fatal error in PAB unit.
+	 */
+	ROC_MCS_EVENT_DATA_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+};
+
+enum roc_mcs_event_type {
+	ROC_MCS_EVENT_UNKNOWN,
+
+	/* Notifies BBE_INT_DFIFO/PLFIFO_OVERFLOW or PAB_INT_OVERFLOW
+	 * interrupts, it's a fatal error that causes packet corruption.
+	 */
+	ROC_MCS_EVENT_FIFO_OVERFLOW,
+
+	/* Notifies CPM_RX_SECTAG_X validation error interrupt */
+	ROC_MCS_EVENT_SECTAG_VAL_ERR,
+	/* Notifies CPM_RX_PACKET_XPN_EQ0 (SecTag.PN == 0 in ingress) interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_HARD_EXP,
+	/* Notifies CPM_RX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_PACKET_XPN_EQ0 (PN wrapped in egress) interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_HARD_EXP,
+	/* Notifies CPM_TX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_SA_NOT_VALID interrupt */
+	ROC_MCS_EVENT_SA_NOT_VALID,
+	/* Notifies recovery of software driven port reset */
+	ROC_MCS_EVENT_PORT_RESET_RECOVERY,
+};
+
+union roc_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, ROC driver resets below attributes of active
+	 * flow entities(sc & sa) and than resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  ROC driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct roc_mcs_event_desc {
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	union roc_mcs_event_data metadata;
+};
+
+/** User application callback to be registered for any notifications from driver. */
+typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -290,4 +425,13 @@ __roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_r
 /* Clear stats */
 __roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
 
+/* Register user callback routines */
+__roc_api int roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+					roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata);
+/* Unregister user callback routines */
+__roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event);
+
+/* Configure interrupts */
+__roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
index 22915d206f..2c40f71d1d 100644
--- a/drivers/common/cnxk/roc_mcs_priv.h
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -62,4 +62,12 @@ roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
 	return (struct mcs_priv *)&roc_mcs->reserved[0];
 }
 
+static inline void *
+roc_mcs_to_mcs_cb_list(struct roc_mcs *roc_mcs)
+{
+	return (void *)((uintptr_t)roc_mcs->reserved + sizeof(struct mcs_priv));
+}
+
+int mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc);
+
 #endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 4b832f2303..97f107dd05 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -138,12 +138,15 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_event_cb_register;
+	roc_mcs_event_cb_unregister;
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_flowid_stats_get;
 	roc_mcs_free_rsrc;
 	roc_mcs_hw_info_get;
+	roc_mcs_intr_configure;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
-- 
2.25.1

[PATCH 08/15] common/cnxk: add MACsec port configuration

[Akhil Goyal]

Added ROC APIs for MACsec port configurations

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  40 ++++
 drivers/common/cnxk/roc_mcs.c   | 345 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  48 +++++
 drivers/common/cnxk/version.map |   4 +
 4 files changed, 437 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 6e2b32a43f..96515deafd 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -299,6 +299,9 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
+	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
+	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -899,6 +902,43 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_port_cfg_set_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_reset_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io reset;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_stats_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io id;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index c2f0a46f23..32cb8d106d 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -80,6 +80,25 @@ roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lma
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+static int
+mcs_port_reset_set(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port, uint8_t reset)
+{
+	struct mcs_port_reset_req *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_port_reset(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->reset = reset;
+	req->lmac_id = port->port_id;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
 {
@@ -125,6 +144,64 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
+{
+	struct mcs_port_cfg_set_req *set_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	set_req = mbox_alloc_msg_mcs_port_cfg_set(mcs->mbox);
+	if (set_req == NULL)
+		return -ENOMEM;
+
+	set_req->cstm_tag_rel_mode_sel = req->cstm_tag_rel_mode_sel;
+	set_req->custom_hdr_enb = req->custom_hdr_enb;
+	set_req->fifo_skid = req->fifo_skid;
+	set_req->lmac_mode = req->port_mode;
+	set_req->lmac_id = req->port_id;
+	set_req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+		     struct roc_mcs_port_cfg_get_rsp *rsp)
+{
+	struct mcs_port_cfg_get_req *get_req;
+	struct mcs_port_cfg_get_rsp *get_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_port_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->lmac_id = req->port_id;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	rsp->cstm_tag_rel_mode_sel = get_rsp->cstm_tag_rel_mode_sel;
+	rsp->custom_hdr_enb = get_rsp->custom_hdr_enb;
+	rsp->fifo_skid = get_rsp->fifo_skid;
+	rsp->port_mode = get_rsp->lmac_mode;
+	rsp->port_id = get_rsp->lmac_id;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
@@ -146,6 +223,274 @@ roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata, uint8_t port_id)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct roc_mcs_pn_table_write_req pn_table = {0};
+	struct roc_mcs_rx_sc_sa_map rx_map = {0};
+	struct roc_mcs_tx_sc_sa_map tx_map = {0};
+	struct roc_mcs_port_reset_req port = {0};
+	struct roc_mcs_clear_stats stats = {0};
+	int tx_cnt = 0, rx_cnt = 0, rc = 0;
+	uint64_t set;
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 1);
+
+	/* Reset TX/RX PN tables */
+	for (int i = 0; i < (priv->sa_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+		if (set) {
+			pn_table.pn_id = i;
+			pn_table.next_pn = 1;
+			pn_table.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				pn_table.dir = MCS_TX;
+				pn_table.pn_id -= priv->sa_entries;
+			}
+			rc = roc_mcs_pn_table_write(mcs, &pn_table);
+			if (rc)
+				return rc;
+
+			if (i >= priv->sa_entries)
+				tx_cnt++;
+			else
+				rx_cnt++;
+		}
+	}
+
+	if (tx_cnt || rx_cnt) {
+		mdata->tx_sa_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->rx_sa_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (rx_cnt && (mdata->rx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sa = tx_cnt;
+		mdata->num_rx_sa = rx_cnt;
+		for (int i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				if (i >= priv->sa_entries)
+					mdata->tx_sa_array[--tx_cnt] = i - priv->sa_entries;
+				else
+					mdata->rx_sa_array[--rx_cnt] = i;
+			}
+		}
+	}
+	tx_cnt = 0;
+	rx_cnt = 0;
+
+	/* Reset Tx active SA to index:0 */
+	for (int i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			uint16_t sc_id = i - priv->sc_entries;
+
+			tx_map.sa_index0 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx0;
+			tx_map.sa_index1 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx1;
+			tx_map.rekey_ena = priv->port_rsrc[port_id].sc_conf[sc_id].tx.rekey_enb;
+			tx_map.sectag_sci = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sci;
+			tx_map.sa_index0_vld = 1;
+			tx_map.sa_index1_vld = 0;
+			tx_map.tx_sa_active = 0;
+			tx_map.sc_id = sc_id;
+			rc = roc_mcs_tx_sc_sa_map_write(mcs, &tx_map);
+			if (rc)
+				return rc;
+
+			tx_cnt++;
+		}
+	}
+
+	if (tx_cnt) {
+		mdata->tx_sc_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sc_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sc = tx_cnt;
+		for (int i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+			if (set)
+				mdata->tx_sc_array[--tx_cnt] = i - priv->sc_entries;
+		}
+	}
+
+	/* Clear SA_IN_USE for active ANs in RX CPM */
+	for (int i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 0;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			rx_cnt++;
+		}
+	}
+
+	/* Reset flow(flow/secy/sc/sa) stats mapped to this PORT */
+	for (int i = 0; i < (priv->tcam_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].tcam_bmap, i);
+		if (set) {
+			stats.type = MCS_FLOWID_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->tcam_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (int i = 0; i < (priv->secy_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].secy_bmap, i);
+		if (set) {
+			stats.type = MCS_SECY_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->secy_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (int i = 0; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			stats.type = MCS_SC_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->sc_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	if (roc_model_is_cn10kb_a0()) {
+		for (int i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				stats.type = MCS_SA_STATS;
+				stats.id = i;
+				stats.dir = MCS_RX;
+				if (i >= priv->sa_entries) {
+					stats.dir = MCS_TX;
+					stats.id -= priv->sa_entries;
+				}
+				rc = roc_mcs_stats_clear(mcs, &stats);
+				if (rc)
+					return rc;
+			}
+		}
+	}
+	{
+		stats.type = MCS_PORT_STATS;
+		stats.id = port_id;
+		rc = roc_mcs_stats_clear(mcs, &stats);
+		if (rc)
+			return rc;
+	}
+
+	if (rx_cnt) {
+		mdata->rx_sc_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (mdata->rx_sc_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->sc_an_array = plt_zmalloc(rx_cnt * sizeof(uint8_t), 0);
+		if (mdata->sc_an_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_rx_sc = rx_cnt;
+	}
+
+	/* Reactivate in-use ANs for active SCs in RX CPM */
+	for (int i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 1;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			mdata->rx_sc_array[--rx_cnt] = i;
+			mdata->sc_an_array[rx_cnt] = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+		}
+	}
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 0);
+
+	return rc;
+exit:
+	if (mdata->num_tx_sa)
+		plt_free(mdata->tx_sa_array);
+	if (mdata->num_rx_sa)
+		plt_free(mdata->rx_sa_array);
+	if (mdata->num_tx_sc)
+		plt_free(mdata->tx_sc_array);
+	if (mdata->num_rx_sc) {
+		plt_free(mdata->rx_sc_array);
+		plt_free(mdata->sc_an_array);
+	}
+	return rc;
+}
+
+int
+roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port)
+{
+	struct roc_mcs_event_desc desc = {0};
+	int rc;
+
+	/* Initiate port reset and software recovery */
+	rc = roc_mcs_port_recovery(mcs, &desc.metadata, port->port_id);
+	if (rc)
+		goto exit;
+
+	desc.type = ROC_MCS_EVENT_PORT_RESET_RECOVERY;
+	/* Notify the entity details to the application which are recovered */
+	mcs_event_cb_process(mcs, &desc);
+
+exit:
+	if (desc.metadata.num_tx_sa)
+		plt_free(desc.metadata.tx_sa_array);
+	if (desc.metadata.num_rx_sa)
+		plt_free(desc.metadata.rx_sa_array);
+	if (desc.metadata.num_tx_sc)
+		plt_free(desc.metadata.tx_sc_array);
+	if (desc.metadata.num_rx_sc) {
+		plt_free(desc.metadata.rx_sc_array);
+		plt_free(desc.metadata.sc_an_array);
+	}
+
+	return rc;
+}
+
 int
 roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
 			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index d53aeb6b1e..77f2cee681 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,43 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_port_cfg_set_req {
+	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
+	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
+	 */
+	uint8_t cstm_tag_rel_mode_sel;
+	/* In ingress path, custom_hdr_enb = 1 when the port is expected to receive pkts
+	 * that have 8B custom header before DMAC
+	 */
+	uint8_t custom_hdr_enb;
+	/* Valid fifo skid values are 14,28,56 for 25G,50G,100G respectively
+	 * FIFOs need to be configured based on the port_mode, valid only for 105N
+	 */
+	uint8_t fifo_skid;
+	uint8_t port_mode; /* 2'b00 - 25G or less, 2'b01 - 50G, 2'b10 - 100G */
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_rsp {
+	uint8_t cstm_tag_rel_mode_sel;
+	uint8_t custom_hdr_enb;
+	uint8_t fifo_skid;
+	uint8_t port_mode;
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_reset_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_stats_req {
 	uint8_t id;
 	uint8_t dir;
@@ -365,6 +402,13 @@ __roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_ac
 __roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
 /* (X)PN threshold set */
 __roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
+/* Reset port */
+__roc_api int roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port);
+/* Get port config */
+__roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req);
+/* Set port config */
+__roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+				   struct roc_mcs_port_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_alloc_rsrc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -434,4 +478,8 @@ __roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_even
 /* Configure interrupts */
 __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
 
+/* Port recovery from fatal errors */
+__roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
+				    uint8_t port_id);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 97f107dd05..9ba804a04f 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -151,6 +151,10 @@ INTERNAL {
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_cfg_get;
+	roc_mcs_port_cfg_set;
+	roc_mcs_port_recovery;
+	roc_mcs_port_reset;
 	roc_mcs_port_stats_get;
 	roc_mcs_rx_sc_cam_enable;
 	roc_mcs_rx_sc_cam_read;
-- 
2.25.1

[PATCH 09/15] common/cnxk: add MACsec control port configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec control port.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  72 ++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c   | 117 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  65 ++++++++++++++++++
 drivers/common/cnxk/version.map |   4 ++
 4 files changed, 258 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 96515deafd..ad97ceffb8 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -299,9 +299,17 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_ALLOC_CTRL_PKT_RULE, 0xa015, mcs_alloc_ctrl_pkt_rule, mcs_alloc_ctrl_pkt_rule_req,   \
+	  mcs_alloc_ctrl_pkt_rule_rsp)                                                             \
+	M(MCS_FREE_CTRL_PKT_RULE, 0xa016, mcs_free_ctrl_pkt_rule, mcs_free_ctrl_pkt_rule_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_CTRL_PKT_RULE_WRITE, 0xa017, mcs_ctrl_pkt_rule_write, mcs_ctrl_pkt_rule_write_req,   \
+	  msg_rsp)                                                                                 \
 	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
 	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
+	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
+	  mcs_custom_tag_cfg_get_rsp)                                                              \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -902,6 +910,53 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+enum mcs_ctrl_pkt_rule_type {
+	MCS_CTRL_PKT_RULE_TYPE_ETH,
+	MCS_CTRL_PKT_RULE_TYPE_DA,
+	MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct mcs_alloc_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id; /* MCS block ID */
+	uint8_t __io dir;    /* Macsec ingress or egress side */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_ctrl_pkt_rule_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_free_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the rule resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_ctrl_pkt_rule_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data0;
+	uint64_t __io data1;
+	uint64_t __io data2;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_cfg_set_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io cstm_tag_rel_mode_sel;
@@ -931,6 +986,23 @@ struct mcs_port_cfg_get_rsp {
 	uint64_t __io rsvd;
 };
 
+struct mcs_custom_tag_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_custom_tag_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint16_t __io cstm_etype[8];
+	uint8_t __io cstm_indx[8];
+	uint8_t __io cstm_etype_en;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_reset_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io reset;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 32cb8d106d..6536ca7fb7 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -144,6 +144,88 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_alloc_ctrl_pkt_rule(struct roc_mcs *mcs, struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+			    struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp)
+{
+	struct mcs_alloc_ctrl_pkt_rule_req *rule_req;
+	struct mcs_alloc_ctrl_pkt_rule_rsp *rule_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_alloc_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rule_rsp);
+	if (rc)
+		return rc;
+
+	rsp->rule_type = rule_rsp->rule_type;
+	rsp->rule_idx = rule_rsp->rule_idx;
+	rsp->dir = rule_rsp->dir;
+
+	return 0;
+}
+
+int
+roc_mcs_free_ctrl_pkt_rule(struct roc_mcs *mcs, struct roc_mcs_free_ctrl_pkt_rule_req *req)
+{
+	struct mcs_free_ctrl_pkt_rule_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_free_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->all = req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs, struct roc_mcs_ctrl_pkt_rule_write_req *req)
+{
+	struct mcs_ctrl_pkt_rule_write_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_ctrl_pkt_rule_write(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->data0 = req->data0;
+	rule_req->data1 = req->data1;
+	rule_req->data2 = req->data2;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
 {
@@ -202,6 +284,41 @@ roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 	return 0;
 }
 
+int
+roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs, struct roc_mcs_custom_tag_cfg_get_req *req,
+			   struct roc_mcs_custom_tag_cfg_get_rsp *rsp)
+{
+	struct mcs_custom_tag_cfg_get_req *get_req;
+	struct mcs_custom_tag_cfg_get_rsp *get_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_custom_tag_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->dir = req->dir;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	for (int i = 0; i < 8; i++) {
+		rsp->cstm_etype[i] = get_rsp->cstm_etype[i];
+		rsp->cstm_indx[i] = get_rsp->cstm_indx[i];
+	}
+
+	rsp->cstm_etype_en = get_rsp->cstm_etype_en;
+	rsp->dir = get_rsp->dir;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 77f2cee681..c9b57ed1df 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,45 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+enum roc_mcs_ctrl_pkt_rule_type {
+	ROC_MCS_CTRL_PKT_RULE_TYPE_ETH,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_DA,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_req {
+	uint8_t rule_type;
+	uint8_t dir; /* Macsec ingress or egress side */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_rsp {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_free_ctrl_pkt_rule_req {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the rule resources */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_ctrl_pkt_rule_write_req {
+	uint64_t data0;
+	uint64_t data1;
+	uint64_t data2;
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_cfg_set_req {
 	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
 	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
@@ -195,6 +234,19 @@ struct roc_mcs_port_cfg_get_rsp {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_custom_tag_cfg_get_req {
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_custom_tag_cfg_get_rsp {
+	uint16_t cstm_etype[8]; /* EthType/TPID */
+	uint8_t cstm_indx[8];	/* Custom tag index used to identify the VLAN etype */
+	uint8_t cstm_etype_en;	/* bitmap of enabled custom tags */
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_reset_req {
 	uint8_t port_id;
 	uint64_t rsvd;
@@ -409,6 +461,10 @@ __roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_
 /* Set port config */
 __roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 				   struct roc_mcs_port_cfg_get_rsp *rsp);
+/* Get custom tag config */
+__roc_api int roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs,
+					 struct roc_mcs_custom_tag_cfg_get_req *req,
+					 struct roc_mcs_custom_tag_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_alloc_rsrc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -454,6 +510,15 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Control packet rule alloc, free and write */
+__roc_api int roc_mcs_alloc_ctrl_pkt_rule(struct roc_mcs *mcs,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp);
+__roc_api int roc_mcs_free_ctrl_pkt_rule(struct roc_mcs *mcs,
+					 struct roc_mcs_free_ctrl_pkt_rule_req *req);
+__roc_api int roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs,
+					  struct roc_mcs_ctrl_pkt_rule_write_req *req);
+
 /* Flow id stats get */
 __roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
 				       struct roc_mcs_flowid_stats *stats);
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 9ba804a04f..e501cdd4d9 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -134,7 +134,10 @@ INTERNAL {
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
 	roc_mcs_active_lmac_set;
+	roc_mcs_alloc_ctrl_pkt_rule;
 	roc_mcs_alloc_rsrc;
+	roc_mcs_ctrl_pkt_rule_write;
+	roc_mcs_custom_tag_cfg_get;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
@@ -144,6 +147,7 @@ INTERNAL {
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_flowid_stats_get;
+	roc_mcs_free_ctrl_pkt_rule;
 	roc_mcs_free_rsrc;
 	roc_mcs_hw_info_get;
 	roc_mcs_intr_configure;
-- 
2.25.1

[PATCH 10/15] common/cnxk: add MACsec FIPS mbox

[Akhil Goyal]

Added MACsec FIPS configuration mbox

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h | 74 ++++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h  | 69 +++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ad97ceffb8..7057823112 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -310,6 +310,15 @@ struct mbox_msghdr {
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
 	  mcs_custom_tag_cfg_get_rsp)                                                              \
+	M(MCS_FIPS_RESET, 0xa040, mcs_fips_reset, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_MODE_SET, 0xa041, mcs_fips_mode_set, mcs_fips_mode_req, msg_rsp)                \
+	M(MCS_FIPS_CTL_SET, 0xa042, mcs_fips_ctl_set, mcs_fips_ctl_req, msg_rsp)                   \
+	M(MCS_FIPS_IV_SET, 0xa043, mcs_fips_iv_set, mcs_fips_iv_req, msg_rsp)                      \
+	M(MCS_FIPS_CTR_SET, 0xa044, mcs_fips_ctr_set, mcs_fips_ctr_req, msg_rsp)                   \
+	M(MCS_FIPS_KEY_SET, 0xa045, mcs_fips_key_set, mcs_fips_key_req, msg_rsp)                   \
+	M(MCS_FIPS_BLOCK_SET, 0xa046, mcs_fips_block_set, mcs_fips_block_req, msg_rsp)             \
+	M(MCS_FIPS_START, 0xa047, mcs_fips_start, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_RESULT_GET, 0xa048, mcs_fips_result_get, mcs_fips_req, mcs_fips_result_rsp)
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -1099,6 +1108,71 @@ struct mcs_clear_stats {
 	uint8_t __io all; /* All resources stats mapped to PF are cleared */
 };
 
+struct mcs_fips_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_mode_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io mode;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctl_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_iv_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io iv_bits95_64;
+	uint64_t __io iv_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctr_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io fips_ctr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_key_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sak_bits255_192;
+	uint64_t __io sak_bits191_128;
+	uint64_t __io sak_bits127_64;
+	uint64_t __io sak_bits63_0;
+	uint64_t __io hashkey_bits127_64;
+	uint64_t __io hashkey_bits63_0;
+	uint8_t __io sak_len;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_block_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_result_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint64_t __io icv_bits127_64;
+	uint64_t __io icv_bits63_0;
+	uint8_t __io result_pass;
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index c9b57ed1df..88c8f3da27 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -426,6 +426,56 @@ struct roc_mcs_event_desc {
 	union roc_mcs_event_data metadata;
 };
 
+struct roc_mcs_fips_req {
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_mode {
+	uint64_t mode;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctl {
+	uint64_t ctl;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_iv {
+	uint32_t iv_bits95_64;
+	uint64_t iv_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctr {
+	uint32_t fips_ctr;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_key {
+	uint64_t sak_bits255_192;
+	uint64_t sak_bits191_128;
+	uint64_t sak_bits127_64;
+	uint64_t sak_bits63_0;
+	uint64_t hashkey_bits127_64;
+	uint64_t hashkey_bits63_0;
+	uint8_t sak_len;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_block {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_result_rsp {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint64_t icv_bits127_64;
+	uint64_t icv_bits63_0;
+	uint8_t result_pass;
+};
+
 /** User application callback to be registered for any notifications from driver. */
 typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
 
@@ -547,4 +597,23 @@ __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cf
 __roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
 				    uint8_t port_id);
 
+/* FIPS reset */
+__roc_api int roc_mcs_fips_reset(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS mode set */
+__roc_api int roc_mcs_fips_mode_set(struct roc_mcs *mcs, struct roc_mcs_fips_mode *req);
+/* FIPS ctl set */
+__roc_api int roc_mcs_fips_ctl_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctl *req);
+/* FIPS iv set */
+__roc_api int roc_mcs_fips_iv_set(struct roc_mcs *mcs, struct roc_mcs_fips_iv *req);
+/* FIPS ctr set */
+__roc_api int roc_mcs_fips_ctr_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctr *req);
+/* FIPS key set */
+__roc_api int roc_mcs_fips_key_set(struct roc_mcs *mcs, struct roc_mcs_fips_key *req);
+/* FIPS block set */
+__roc_api int roc_mcs_fips_block_set(struct roc_mcs *mcs, struct roc_mcs_fips_block *req);
+/* FIPS start */
+__roc_api int roc_mcs_fips_start(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS result */
+__roc_api int roc_mcs_fips_result_get(struct roc_mcs *mcs, struct roc_mcs_fips_req *req,
+				      struct roc_mcs_fips_result_rsp *rsp);
 #endif /* _ROC_MCS_H_ */
-- 
2.25.1

[PATCH 11/15] common/cnxk: derive hash key for MACsec

[Akhil Goyal]

MACsec hardware configuration need hash key to be generated
from the cipher key of AES-GCM-128/256.
Added an ROC API to derive the hash key and extend the case
for AES-256 as well.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_aes.c   | 86 ++++++++++++++++++++++-----------
 drivers/common/cnxk/roc_aes.h   |  4 +-
 drivers/common/cnxk/version.map |  1 +
 3 files changed, 60 insertions(+), 31 deletions(-)

diff --git a/drivers/common/cnxk/roc_aes.c b/drivers/common/cnxk/roc_aes.c
index f821c8b710..d84feb546a 100644
--- a/drivers/common/cnxk/roc_aes.c
+++ b/drivers/common/cnxk/roc_aes.c
@@ -4,9 +4,10 @@
 
 #include "roc_api.h"
 
-#define KEY_WORD_LEN	 (ROC_CPT_AES_XCBC_KEY_LENGTH / sizeof(uint32_t))
-#define KEY_ROUNDS	 10			/* (Nr+1)*Nb */
-#define KEY_SCHEDULE_LEN ((KEY_ROUNDS + 1) * 4) /* (Nr+1)*Nb words */
+#define KEY128_ROUNDS		10		/* (Nr+1)*Nb */
+#define KEY256_ROUNDS		14		/* (Nr+1)*Nb */
+#define KEY_SCHEDULE_LEN(nr)	((nr + 1) * 4)	/* (Nr+1)*Nb words */
+#define AES_HASH_KEY_LEN	16
 
 /*
  * AES 128 implementation based on NIST FIPS 197 suitable for LittleEndian
@@ -93,22 +94,30 @@ GF8mul(uint8_t byte, uint32_t mp)
 }
 
 static void
-aes_key_expand(const uint8_t *key, uint32_t *ks)
+aes_key_expand(const uint8_t *key, uint32_t len, uint32_t *ks)
 {
-	unsigned int i = 4;
+	uint32_t len_words = len / sizeof(uint32_t);
+	unsigned int schedule_len;
+	unsigned int i = len_words;
 	uint32_t temp;
 
+	schedule_len = (len == ROC_CPT_AES128_KEY_LEN) ? KEY_SCHEDULE_LEN(KEY128_ROUNDS) :
+							 KEY_SCHEDULE_LEN(KEY256_ROUNDS);
 	/* Skip key in ks */
-	memcpy(ks, key, KEY_WORD_LEN * sizeof(uint32_t));
+	memcpy(ks, key, len);
 
-	while (i < KEY_SCHEDULE_LEN) {
+	while (i < schedule_len) {
 		temp = ks[i - 1];
-		if ((i & 0x3) == 0) {
+		if ((i & (len_words - 1)) == 0) {
 			temp = rot_word(temp);
 			temp = sub_word(temp);
-			temp ^= (uint32_t)GF8mul(1, 1 << ((i >> 2) - 1));
+			temp ^= (uint32_t)GF8mul(1, 1 << ((i / len_words) - 1));
 		}
-		ks[i] = ks[i - 4] ^ temp;
+		if (len == ROC_CPT_AES256_KEY_LEN) {
+			if ((i % len_words) == 4)
+				temp = sub_word(temp);
+		}
+		ks[i] = ks[i - len_words] ^ temp;
 		i++;
 	}
 }
@@ -145,64 +154,83 @@ mix_columns(uint8_t *sRc)
 }
 
 static void
-cipher(uint8_t *in, uint8_t *out, uint32_t *ks)
+cipher(uint8_t *in, uint8_t *out, uint32_t *ks, uint32_t key_rounds, uint8_t in_len)
 {
-	uint32_t state[KEY_WORD_LEN];
+	uint8_t data_word_len = in_len / sizeof(uint32_t);
+	uint32_t state[data_word_len];
 	unsigned int i, round;
 
 	memcpy(state, in, sizeof(state));
 
 	/* AddRoundKey(state, w[0, Nb-1]) // See Sec. 5.1.4 */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] ^= ks[i];
 
-	for (round = 1; round < KEY_ROUNDS; round++) {
+	for (round = 1; round < key_rounds; round++) {
 		/* SubBytes(state) // See Sec. 5.1.1 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			state[i] = sub_word(state[i]);
 
 		/* ShiftRows(state) // See Sec. 5.1.2 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			shift_word((uint8_t *)state, i, i);
 
 		/* MixColumns(state) // See Sec. 5.1.3 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			mix_columns((uint8_t *)&state[i]);
 
 		/* AddRoundKey(state, w[round*Nb, (round+1)*Nb-1]) */
-		for (i = 0; i < KEY_WORD_LEN; i++)
-			state[i] ^= ks[round * 4 + i];
+		for (i = 0; i < data_word_len; i++)
+			state[i] ^= ks[round * data_word_len + i];
 	}
 
 	/* SubBytes(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] = sub_word(state[i]);
 
 	/* ShiftRows(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		shift_word((uint8_t *)state, i, i);
 
 	/* AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
-		state[i] ^= ks[KEY_ROUNDS * 4 + i];
-	memcpy(out, state, KEY_WORD_LEN * sizeof(uint32_t));
+	for (i = 0; i < data_word_len; i++)
+		state[i] ^= ks[key_rounds * data_word_len + i];
+	memcpy(out, state, data_word_len * sizeof(uint32_t));
 }
 
 void
 roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key)
 {
-	uint32_t aes_ks[KEY_SCHEDULE_LEN] = {0};
+	uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
 	uint8_t k1[16] = {[0 ... 15] = 0x01};
 	uint8_t k2[16] = {[0 ... 15] = 0x02};
 	uint8_t k3[16] = {[0 ... 15] = 0x03};
 
-	aes_key_expand(auth_key, aes_ks);
+	aes_key_expand(auth_key, ROC_CPT_AES_XCBC_KEY_LENGTH, aes_ks);
 
-	cipher(k1, derived_key, aes_ks);
+	cipher(k1, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k1));
 	derived_key += sizeof(k1);
 
-	cipher(k2, derived_key, aes_ks);
+	cipher(k2, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k2));
 	derived_key += sizeof(k2);
 
-	cipher(k3, derived_key, aes_ks);
+	cipher(k3, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k3));
+}
+
+void
+roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t hash_key[])
+{
+	uint8_t data[AES_HASH_KEY_LEN] = {0x0};
+
+	if (len == ROC_CPT_AES128_KEY_LEN) {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES128_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY128_ROUNDS, sizeof(data));
+	} else {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY256_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES256_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY256_ROUNDS, sizeof(data));
+	}
 }
diff --git a/drivers/common/cnxk/roc_aes.h b/drivers/common/cnxk/roc_aes.h
index 954039139f..3b4b921bcd 100644
--- a/drivers/common/cnxk/roc_aes.h
+++ b/drivers/common/cnxk/roc_aes.h
@@ -8,7 +8,7 @@
 /*
  * Derive k1, k2, k3 from 128 bit AES key
  */
-void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key,
-				       uint8_t *derived_key);
+void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key);
+void __roc_api roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t *hash_key);
 
 #endif /* _ROC_AES_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index e501cdd4d9..3e8f65f91a 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -30,6 +30,7 @@ INTERNAL {
 	roc_ae_ec_grp_put;
 	roc_ae_fpm_get;
 	roc_ae_fpm_put;
+	roc_aes_hash_key_derive;
 	roc_aes_xcbc_key_derive;
 	roc_bphy_cgx_cpri_mode_change;
 	roc_bphy_cgx_cpri_mode_misc;
-- 
2.25.1

[PATCH 12/15] net/cnxk: add MACsec initialization

[Akhil Goyal]

Added initialization routines for MACsec for
cn10kb platform.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   6 ++
 drivers/net/cnxk/cnxk_ethdev.c      |  13 +++
 drivers/net/cnxk/cnxk_ethdev.h      |  14 +++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 151 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  61 +++++++++++
 drivers/net/cnxk/meson.build        |   1 +
 6 files changed, 246 insertions(+)
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 3c32de0f94..655389b5ca 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1059,9 +1059,15 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
+	cnxk_eth_sec_ops.macsec_sa_create = NULL;
+	cnxk_eth_sec_ops.macsec_sc_create = NULL;
+	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 42a52ed0ca..7a792937b7 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1945,6 +1945,16 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 	if (rc)
 		goto free_mac_addrs;
 
+	if (roc_feature_nix_has_macsec()) {
+		rc = cnxk_mcs_dev_init(dev, 0);
+		if (rc) {
+			plt_err("Failed to init MCS");
+			goto free_mac_addrs;
+		}
+		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
+		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+	}
+
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
 		    " rxoffload_capa=0x%" PRIx64 " txoffload_capa=0x%" PRIx64,
 		    eth_dev->data->port_id, roc_nix_get_pf(nix),
@@ -2042,6 +2052,9 @@ cnxk_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool reset)
 	}
 	eth_dev->data->nb_rx_queues = 0;
 
+	if (roc_feature_nix_has_macsec())
+		cnxk_mcs_dev_fini(dev);
+
 	/* Free security resources */
 	nix_security_release(dev);
 
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index 97537de17a..6fde682344 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -392,6 +392,9 @@ struct cnxk_eth_dev {
 	/* Reassembly dynfield/flag offsets */
 	int reass_dynfield_off;
 	int reass_dynflag_bit;
+
+	/* MCS device */
+	struct cnxk_mcs_dev *mcs_dev;
 };
 
 struct cnxk_eth_rxq_sp {
@@ -617,6 +620,17 @@ int cnxk_nix_cman_config_set(struct rte_eth_dev *dev, const struct rte_eth_cman_
 
 int cnxk_nix_cman_config_get(struct rte_eth_dev *dev, struct rte_eth_cman_config *config);
 
+int cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx);
+void cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev);
+
+struct cnxk_macsec_sess *cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev,
+							  const struct rte_security_session *sess);
+int cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
+			     const struct rte_flow_item pattern[],
+			     const struct rte_flow_action actions[], struct rte_flow_error *error,
+			     void **mcs_flow);
+int cnxk_mcs_flow_destroy(struct cnxk_eth_dev *eth_dev, void *mcs_flow);
+
 /* Other private functions */
 int nix_recalc_mtu(struct rte_eth_dev *eth_dev);
 int nix_mtr_validate(struct rte_eth_dev *dev, uint32_t id);
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
new file mode 100644
index 0000000000..b0205f45c5
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
+#include <roc_mcs.h>
+
+static int
+cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
+{
+	struct rte_eth_event_macsec_desc d = {0};
+
+	d.metadata = (uint64_t)userdata;
+
+	switch (desc->type) {
+	case ROC_MCS_EVENT_SECTAG_VAL_ERR:
+		d.type = RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR;
+		switch (desc->subtype) {
+		case ROC_MCS_EVENT_RX_SECTAG_V_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SL_GTE48:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		default:
+			plt_err("Unknown MACsec sub event : %d", desc->subtype);
+		}
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP;
+		break;
+	default:
+		plt_err("Unknown MACsec event type: %d", desc->type);
+	}
+
+	rte_eth_dev_callback_process(cb_arg, RTE_ETH_EVENT_MACSEC, &d);
+
+	return 0;
+}
+
+void
+cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	int rc;
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	/* Cleanup MACsec dev */
+	roc_mcs_dev_fini(mcs_dev->mdev);
+
+	plt_free(mcs_dev);
+}
+
+int
+cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx)
+{
+	struct roc_mcs_intr_cfg intr_cfg = {0};
+	struct roc_mcs_hw_info hw_info = {0};
+	struct cnxk_mcs_dev *mcs_dev;
+	int rc;
+
+	rc = roc_mcs_hw_info_get(&hw_info);
+	if (rc) {
+		plt_err("MCS HW info get failed: rc: %d ", rc);
+		return rc;
+	}
+
+	mcs_dev = plt_zmalloc(sizeof(struct cnxk_mcs_dev), PLT_CACHE_LINE_SIZE);
+	if (!mcs_dev)
+		return -ENOMEM;
+
+	mcs_dev->idx = mcs_idx;
+	mcs_dev->mdev = roc_mcs_dev_init(mcs_dev->idx);
+	if (!mcs_dev->mdev) {
+		plt_free(mcs_dev);
+		return rc;
+	}
+	mcs_dev->port_id = dev->eth_dev->data->port_id;
+
+	intr_cfg.intr_mask =
+		ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT | ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT | ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT | ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_SA_NOT_VALID_INT |
+		ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT | ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT;
+
+	rc = roc_mcs_intr_configure(mcs_dev->mdev, &intr_cfg);
+	if (rc) {
+		plt_err("Failed to configure MCS interrupts: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	dev->mcs_dev = mcs_dev;
+
+	return 0;
+}
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
new file mode 100644
index 0000000000..762c299fb8
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -0,0 +1,61 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+
+#define CNXK_MACSEC_HASH_KEY 16
+
+struct cnxk_mcs_dev {
+	uint64_t default_sci;
+	void *mdev;
+	uint8_t port_id;
+	uint8_t idx;
+};
+
+struct cnxk_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, driver resets below attributes of active
+	 * flow entities(sc & sa) and then resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  UMD driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct cnxk_mcs_event_desc {
+	struct rte_eth_dev *eth_dev;
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	struct cnxk_mcs_event_data metadata;
+};
diff --git a/drivers/net/cnxk/meson.build b/drivers/net/cnxk/meson.build
index 62b8bb90fb..ae6a7d9aac 100644
--- a/drivers/net/cnxk/meson.build
+++ b/drivers/net/cnxk/meson.build
@@ -22,6 +22,7 @@ sources = files(
         'cnxk_ethdev.c',
         'cnxk_ethdev_cman.c',
         'cnxk_ethdev_devargs.c',
+        'cnxk_ethdev_mcs.c',
         'cnxk_ethdev_mtr.c',
         'cnxk_ethdev_ops.c',
         'cnxk_ethdev_sec.c',
-- 
2.25.1

[PATCH 13/15] net/cnxk: create/destroy MACsec SC/SA

[Akhil Goyal]

Added support to create/destroy MACsec SA and SC.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   9 +-
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 250 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  16 ++
 3 files changed, 271 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 655389b5ca..e9bc05027f 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -9,6 +9,7 @@
 #include <rte_pmd_cnxk.h>
 
 #include <cn10k_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
 #include <cnxk_security.h>
 #include <roc_priv.h>
 
@@ -1059,10 +1060,10 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
-	cnxk_eth_sec_ops.macsec_sa_create = NULL;
-	cnxk_eth_sec_ops.macsec_sc_create = NULL;
-	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
-	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sa_create = cnxk_eth_macsec_sa_create;
+	cnxk_eth_sec_ops.macsec_sc_create = cnxk_eth_macsec_sc_create;
+	cnxk_eth_sec_ops.macsec_sa_destroy = cnxk_eth_macsec_sa_destroy;
+	cnxk_eth_sec_ops.macsec_sc_destroy = cnxk_eth_macsec_sc_destroy;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index b0205f45c5..73c5cd486f 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -6,6 +6,256 @@
 #include <cnxk_ethdev_mcs.h>
 #include <roc_mcs.h>
 
+static int
+mcs_resource_alloc(struct cnxk_mcs_dev *mcs_dev, enum mcs_direction dir, uint8_t rsrc_id[],
+		   uint8_t rsrc_cnt, enum cnxk_mcs_rsrc_type type)
+{
+	struct roc_mcs_alloc_rsrc_req req = {0};
+	struct roc_mcs_alloc_rsrc_rsp rsp = {0};
+	int i;
+
+	req.rsrc_type = type;
+	req.rsrc_cnt = rsrc_cnt;
+	req.dir = dir;
+
+	if (roc_mcs_alloc_rsrc(mcs_dev->mdev, &req, &rsp)) {
+		plt_err("Cannot allocate mcs resource.");
+		return -1;
+	}
+
+	for (i = 0; i < rsrc_cnt; i++) {
+		switch (rsp.rsrc_type) {
+		case CNXK_MCS_RSRC_TYPE_FLOWID:
+			rsrc_id[i] = rsp.flow_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SECY:
+			rsrc_id[i] = rsp.secy_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SC:
+			rsrc_id[i] = rsp.sc_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SA:
+			rsrc_id[i] = rsp.sa_ids[i];
+			break;
+		default:
+			plt_err("Invalid mcs resource allocated.");
+			return -1;
+		}
+	}
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN] = {0};
+	struct roc_mcs_pn_table_write_req pn_req = {0};
+	uint8_t hash_key_rev[CNXK_MACSEC_HASH_KEY] = {0};
+	uint8_t hash_key[CNXK_MACSEC_HASH_KEY] = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_sa_plcy_write_req req = {0};
+	uint8_t ciph_key[32] = {0};
+	enum mcs_direction dir;
+	uint8_t sa_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sa_id, 1, CNXK_MCS_RSRC_TYPE_SA);
+	if (ret) {
+		plt_err("Failed to allocate SA id.");
+		return -ENOMEM;
+	}
+	req.sa_index[0] = sa_id;
+	req.sa_cnt = 1;
+	req.dir = dir;
+
+	if (conf->key.length != 16 && conf->key.length != 32)
+		return -EINVAL;
+
+	for (i = 0; i < conf->key.length; i++)
+		ciph_key[i] = conf->key.data[conf->key.length - 1 - i];
+
+	memcpy(&req.plcy[0][0], ciph_key, conf->key.length);
+
+	roc_aes_hash_key_derive(conf->key.data, conf->key.length, hash_key);
+	for (i = 0; i < CNXK_MACSEC_HASH_KEY; i++)
+		hash_key_rev[i] = hash_key[CNXK_MACSEC_HASH_KEY - 1 - i];
+
+	memcpy(&req.plcy[0][4], hash_key_rev, CNXK_MACSEC_HASH_KEY);
+
+	for (i = 0; i < RTE_SECURITY_MACSEC_SALT_LEN; i++)
+		salt[i] = conf->salt[RTE_SECURITY_MACSEC_SALT_LEN - 1 - i];
+	memcpy(&req.plcy[0][6], salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	req.plcy[0][7] |= (uint64_t)conf->ssci << 32;
+	req.plcy[0][8] = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? (conf->an & 0x3) : 0;
+
+	ret = roc_mcs_sa_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err("Failed to write SA policy.");
+		return -EINVAL;
+	}
+	pn_req.next_pn = ((uint64_t)conf->xpn << 32) | rte_be_to_cpu_32(conf->next_pn);
+	pn_req.pn_id = sa_id;
+	pn_req.dir = dir;
+
+	ret = roc_mcs_pn_table_write(mcs_dev->mdev, &pn_req);
+	if (ret) {
+		plt_err("Failed to write PN table.");
+		return -EINVAL;
+	}
+
+	return sa_id;
+}
+
+int
+cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SA;
+	stats_req.id = sa_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SA id %u, dir %u.", sa_id, dir);
+
+	req.rsrc_id = sa_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SA;
+
+	ret = roc_mcs_free_rsrc(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SA id %u, dir %u.", sa_id, dir);
+
+	return ret;
+}
+
+int
+cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_set_pn_threshold pn_thresh = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	enum mcs_direction dir;
+	uint8_t sc_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sc_id, 1, CNXK_MCS_RSRC_TYPE_SC);
+	if (ret) {
+		plt_err("Failed to allocate SC id.");
+		return -ENOMEM;
+	}
+
+	if (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		struct roc_mcs_tx_sc_sa_map req = {0};
+
+		req.sa_index0 = conf->sc_tx.sa_id & 0xFF;
+		req.sa_index1 = conf->sc_tx.sa_id_rekey & 0xFF;
+		req.rekey_ena = conf->sc_tx.re_key_en;
+		req.sa_index0_vld = conf->sc_tx.active;
+		req.sa_index1_vld = conf->sc_tx.re_key_en && conf->sc_tx.active;
+		req.tx_sa_active = 0;
+		req.sectag_sci = conf->sc_tx.sci;
+		req.sc_id = sc_id;
+
+		ret = roc_mcs_tx_sc_sa_map_write(mcs_dev->mdev, &req);
+		if (ret) {
+			plt_err("Failed to map TX SC-SA");
+			return -EINVAL;
+		}
+		pn_thresh.xpn = conf->sc_tx.is_xpn;
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			struct roc_mcs_rx_sc_sa_map req = {0};
+
+			req.sa_index = conf->sc_rx.sa_id[i] & 0x7F;
+			req.sc_id = sc_id;
+			req.an = i & 0x3;
+			req.sa_in_use = 0;
+			/* Clearing the sa_in_use bit automatically clears
+			 * the corresponding pn_thresh_reached bit
+			 */
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+			req.sa_in_use = conf->sc_rx.sa_in_use[i];
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+		}
+		pn_thresh.xpn = conf->sc_rx.is_xpn;
+	}
+
+	pn_thresh.threshold = conf->pn_threshold;
+	pn_thresh.dir = dir;
+
+	ret = roc_mcs_pn_threshold_set(mcs_dev->mdev, &pn_thresh);
+	if (ret) {
+		plt_err("Failed to write PN threshold.");
+		return -EINVAL;
+	}
+
+	return sc_id;
+}
+
+int
+cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SC;
+	stats_req.id = sc_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SC id %u, dir %u.", sc_id, dir);
+
+	req.rsrc_id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SC;
+
+	ret = roc_mcs_free_rsrc(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 762c299fb8..68c6493169 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -13,6 +13,14 @@ struct cnxk_mcs_dev {
 	uint8_t idx;
 };
 
+enum cnxk_mcs_rsrc_type {
+	CNXK_MCS_RSRC_TYPE_FLOWID,
+	CNXK_MCS_RSRC_TYPE_SECY,
+	CNXK_MCS_RSRC_TYPE_SC,
+	CNXK_MCS_RSRC_TYPE_SA,
+	CNXK_MCS_RSRC_TYPE_PORT,
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -59,3 +67,11 @@ struct cnxk_mcs_event_desc {
 	enum roc_mcs_event_subtype subtype;
 	struct cnxk_mcs_event_data metadata;
 };
+
+int cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf);
+int cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf);
+
+int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir);
+int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir);
-- 
2.25.1

[PATCH 14/15] net/cnxk: add MACsec session and flow configuration

[Akhil Goyal]

Added support for MACsec session/flow create/destroy.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |  11 +-
 drivers/net/cnxk/cn10k_flow.c       |  22 ++-
 drivers/net/cnxk/cnxk_ethdev.c      |   2 +
 drivers/net/cnxk/cnxk_ethdev.h      |  16 ++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 261 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  25 +++
 drivers/net/cnxk/cnxk_ethdev_sec.c  |   2 +-
 drivers/net/cnxk/cnxk_flow.c        |   5 +
 8 files changed, 340 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index e9bc05027f..0a8e7ae6fd 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -612,7 +612,9 @@ cn10k_eth_sec_session_create(void *device,
 	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
 		return -ENOTSUP;
 
-	if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_MACSEC)
+		return cnxk_eth_macsec_session_create(dev, conf, sess);
+	else if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
 		return -ENOTSUP;
 
 	if (rte_security_dynfield_register() < 0)
@@ -856,13 +858,18 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	rte_spinlock_t *lock;
 	void *sa_dptr;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (!eth_sec)
+	if (!eth_sec) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_destroy(dev, sess);
 		return -ENOENT;
+	}
 
 	lock = eth_sec->inb ? &dev->inb.lock : &dev->outb.lock;
 	rte_spinlock_lock(lock);
diff --git a/drivers/net/cnxk/cn10k_flow.c b/drivers/net/cnxk/cn10k_flow.c
index d7a3442c5f..9fa8e15d74 100644
--- a/drivers/net/cnxk/cn10k_flow.c
+++ b/drivers/net/cnxk/cn10k_flow.c
@@ -1,10 +1,11 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  * Copyright(C) 2020 Marvell.
  */
-#include <cnxk_flow.h>
 #include "cn10k_flow.h"
 #include "cn10k_ethdev.h"
 #include "cn10k_rx.h"
+#include "cnxk_ethdev_mcs.h"
+#include <cnxk_flow.h>
 
 static int
 cn10k_mtr_connect(struct rte_eth_dev *eth_dev, uint32_t mtr_id)
@@ -133,6 +134,7 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 	const struct rte_flow_action *act_q = NULL;
 	struct roc_npc *npc = &dev->npc;
 	struct roc_npc_flow *flow;
+	void *mcs_flow = NULL;
 	int vtag_actions = 0;
 	uint32_t req_act = 0;
 	int mark_actions;
@@ -187,6 +189,17 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 		}
 	}
 
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL) {
+		rc = cnxk_mcs_flow_configure(eth_dev, attr, pattern, actions, error, &mcs_flow);
+		if (rc) {
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_ACTION, NULL,
+					   "Failed to configure mcs flow");
+			return NULL;
+		}
+		return (struct rte_flow *)mcs_flow;
+	}
+
 	flow = cnxk_flow_create(eth_dev, attr, pattern, actions, error);
 	if (!flow) {
 		if (mtr)
@@ -253,6 +266,13 @@ cn10k_flow_destroy(struct rte_eth_dev *eth_dev, struct rte_flow *rte_flow,
 		}
 	}
 
+	rc = cnxk_mcs_flow_destroy(dev, (void *)flow);
+	if (rc < 0) {
+		rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_UNSPECIFIED, NULL,
+					   "Failed to free mcs flow");
+		return rc;
+	}
+
 	vtag_actions = roc_npc_vtag_actions_get(npc);
 	if (vtag_actions) {
 		if (flow->nix_intf == ROC_NPC_INTF_RX) {
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 7a792937b7..c137c2a7c4 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1953,6 +1953,8 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 		}
 		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
 		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+
+		TAILQ_INIT(&dev->mcs_list);
 	}
 
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index 6fde682344..327c737673 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -289,6 +289,21 @@ struct cnxk_eth_dev_sec_outb {
 	rte_spinlock_t lock;
 };
 
+/* MACsec session private data */
+struct cnxk_macsec_sess {
+	/* List entry */
+	TAILQ_ENTRY(cnxk_macsec_sess) entry;
+
+	/* Back pointer to session */
+	struct rte_security_session *sess;
+	enum mcs_direction dir;
+	uint64_t sci;
+	uint8_t secy_id;
+	uint8_t sc_id;
+	uint8_t flow_id;
+};
+TAILQ_HEAD(cnxk_macsec_sess_list, cnxk_macsec_sess);
+
 struct cnxk_eth_dev {
 	/* ROC NIX */
 	struct roc_nix nix;
@@ -395,6 +410,7 @@ struct cnxk_eth_dev {
 
 	/* MCS device */
 	struct cnxk_mcs_dev *mcs_dev;
+	struct cnxk_macsec_sess_list mcs_list;
 };
 
 struct cnxk_eth_rxq_sp {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index 73c5cd486f..c5ac5bafbb 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -256,6 +256,267 @@ cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macse
 	return ret;
 }
 
+struct cnxk_macsec_sess *
+cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev, const struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess = NULL;
+
+	TAILQ_FOREACH(macsec_sess, &dev->mcs_list, entry) {
+		if (macsec_sess->sess == sess)
+			return macsec_sess;
+	}
+
+	return NULL;
+}
+
+int
+cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+			       struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess_priv = SECURITY_GET_SESS_PRIV(sess);
+	struct rte_security_macsec_xform *xform = &conf->macsec;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_secy_plcy_write_req req;
+	enum mcs_direction dir;
+	uint8_t secy_id = 0;
+	uint8_t sectag_tci = 0;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &secy_id, 1, CNXK_MCS_RSRC_TYPE_SECY);
+	if (ret) {
+		plt_err("Failed to allocate SECY id.");
+		return -ENOMEM;
+	}
+
+	req.secy_id = secy_id;
+	req.dir = dir;
+	req.plcy = 0L;
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sectag_tci = ((uint8_t)xform->tx_secy.sectag_version << 5) |
+			     ((uint8_t)xform->tx_secy.end_station << 4) |
+			     ((uint8_t)xform->tx_secy.send_sci << 3) |
+			     ((uint8_t)xform->tx_secy.scb << 2) |
+			     ((uint8_t)xform->tx_secy.encrypt << 1) |
+			     (uint8_t)xform->tx_secy.encrypt;
+		req.plcy = (((uint64_t)xform->tx_secy.mtu & 0xFFFF) << 28) |
+			   (((uint64_t)sectag_tci & 0x3F) << 22) |
+			   (((uint64_t)xform->tx_secy.sectag_off & 0x7F) << 15) |
+			   ((uint64_t)xform->tx_secy.sectag_insert_mode << 14) |
+			   ((uint64_t)xform->tx_secy.icv_include_da_sa << 13) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 6) |
+			   ((uint64_t)xform->alg << 2) |
+			   ((uint64_t)xform->tx_secy.protect_frames << 1) |
+			   (uint64_t)xform->tx_secy.ctrl_port_enable;
+	} else {
+		req.plcy = ((uint64_t)xform->rx_secy.replay_win_sz << 18) |
+			   ((uint64_t)xform->rx_secy.replay_protect << 17) |
+			   ((uint64_t)xform->rx_secy.icv_include_da_sa << 16) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 9) |
+			   ((uint64_t)xform->alg << 5) |
+			   ((uint64_t)xform->rx_secy.preserve_sectag << 4) |
+			   ((uint64_t)xform->rx_secy.preserve_icv << 3) |
+			   ((uint64_t)xform->rx_secy.validate_frames << 1) |
+			   (uint64_t)xform->rx_secy.ctrl_port_enable;
+	}
+
+	ret = roc_mcs_secy_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err(" Failed to configure Tx SECY");
+		return -EINVAL;
+	}
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_RX) {
+		struct roc_mcs_rx_sc_cam_write_req rx_sc_cam = {0};
+
+		rx_sc_cam.sci = xform->sci;
+		rx_sc_cam.secy_id = secy_id & 0x3F;
+		rx_sc_cam.sc_id = xform->sc_id;
+		ret = roc_mcs_rx_sc_cam_write(mcs_dev->mdev, &rx_sc_cam);
+		if (ret) {
+			plt_err(" Failed to write rx_sc_cam");
+			return -EINVAL;
+		}
+	}
+	macsec_sess_priv->sci = xform->sci;
+	macsec_sess_priv->sc_id = xform->sc_id;
+	macsec_sess_priv->secy_id = secy_id;
+	macsec_sess_priv->dir = dir;
+	macsec_sess_priv->sess = sess;
+
+	TAILQ_INSERT_TAIL(&dev->mcs_list, macsec_sess_priv, entry);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	struct cnxk_macsec_sess *s;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	s = SECURITY_GET_SESS_PRIV(sess);
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SECY;
+	stats_req.id = s->secy_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SECY id %u, dir %u.", s->secy_id, s->dir);
+
+	req.rsrc_id = s->secy_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SECY;
+
+	ret = roc_mcs_free_rsrc(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	TAILQ_REMOVE(&dev->mcs_list, s, entry);
+
+	return ret;
+}
+
+int
+cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr __rte_unused,
+			 const struct rte_flow_item pattern[],
+			 const struct rte_flow_action actions[],
+			 struct rte_flow_error *error __rte_unused, void **mcs_flow)
+{
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_flowid_entry_write_req req = {0};
+	const struct rte_flow_item_eth *eth_item = NULL;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct cnxk_mcs_flow_opts opts = {0};
+	struct cnxk_macsec_sess *sess;
+	struct rte_ether_addr src;
+	struct rte_ether_addr dst;
+	int ret;
+	int i = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	sess = cnxk_eth_macsec_sess_get_by_sess(dev,
+			(const struct rte_security_session *)actions->conf);
+	if (sess == NULL)
+		return -EINVAL;
+
+	ret = mcs_resource_alloc(mcs_dev, sess->dir, &sess->flow_id, 1,
+				 CNXK_MCS_RSRC_TYPE_FLOWID);
+	if (ret) {
+		plt_err("Failed to allocate FLow id.");
+		return -ENOMEM;
+	}
+	req.sci = sess->sci;
+	req.flow_id = sess->flow_id;
+	req.secy_id = sess->secy_id;
+	req.sc_id = sess->sc_id;
+	req.ena = 1;
+	req.ctr_pkt = 0;
+	req.dir = sess->dir;
+
+	while (pattern[i].type != RTE_FLOW_ITEM_TYPE_END) {
+		if (pattern[i].type == RTE_FLOW_ITEM_TYPE_ETH)
+			eth_item = pattern[i].spec;
+		else
+			plt_err("Unhandled flow item : %d", pattern[i].type);
+		i++;
+	}
+	if (eth_item) {
+		dst = eth_item->hdr.dst_addr;
+		src = eth_item->hdr.src_addr;
+
+		/* Find ways to fill opts */
+
+		req.data[0] =
+			(uint64_t)dst.addr_bytes[0] << 40 | (uint64_t)dst.addr_bytes[1] << 32 |
+			(uint64_t)dst.addr_bytes[2] << 24 | (uint64_t)dst.addr_bytes[3] << 16 |
+			(uint64_t)dst.addr_bytes[4] << 8 | (uint64_t)dst.addr_bytes[5] |
+			(uint64_t)src.addr_bytes[5] << 48 | (uint64_t)src.addr_bytes[4] << 56;
+		req.data[1] = (uint64_t)src.addr_bytes[3] | (uint64_t)src.addr_bytes[2] << 8 |
+			      (uint64_t)src.addr_bytes[1] << 16 |
+			      (uint64_t)src.addr_bytes[0] << 24 |
+			      (uint64_t)eth_item->hdr.ether_type << 32 |
+			      ((uint64_t)opts.outer_tag_id & 0xFFFF) << 48;
+		req.data[2] = ((uint64_t)opts.outer_tag_id & 0xF0000) |
+			      ((uint64_t)opts.outer_priority & 0xF) << 4 |
+			      ((uint64_t)opts.second_outer_tag_id & 0xFFFFF) << 8 |
+			      ((uint64_t)opts.second_outer_priority & 0xF) << 28 |
+			      ((uint64_t)opts.bonus_data << 32) |
+			      ((uint64_t)opts.tag_match_bitmap << 48) |
+			      ((uint64_t)opts.packet_type & 0xF) << 56 |
+			      ((uint64_t)opts.outer_vlan_type & 0x7) << 60 |
+			      ((uint64_t)opts.inner_vlan_type & 0x1) << 63;
+		req.data[3] = ((uint64_t)opts.inner_vlan_type & 0x6) >> 1 |
+			      ((uint64_t)opts.num_tags & 0x7F) << 2 |
+			      ((uint64_t)opts.flowid_user & 0x1F) << 9 |
+			      ((uint64_t)opts.express & 1) << 14 |
+			      ((uint64_t)opts.lmac_id & 0x1F) << 15;
+
+		req.mask[0] = 0x0;
+		req.mask[1] = 0xFFFFFFFF00000000;
+		req.mask[2] = 0xFFFFFFFFFFFFFFFF;
+		req.mask[3] = 0xFFFFFFFFFFFFFFFF;
+
+		ret = roc_mcs_flowid_entry_write(mcs_dev->mdev, &req);
+		if (ret)
+			return ret;
+		*mcs_flow = (void *)(uintptr_t)actions->conf;
+	} else {
+		plt_err("Flow not confirured");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+int
+cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
+{
+	const struct cnxk_macsec_sess *s = cnxk_eth_macsec_sess_get_by_sess(dev, flow);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	if (s == NULL)
+		return 0;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_FLOWID;
+	stats_req.id = s->flow_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for Flow id %u, dir %u.", s->flow_id, s->dir);
+
+	req.rsrc_id = s->flow_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_FLOWID;
+
+	ret = roc_mcs_free_rsrc(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	return (ret == 0) ? 1 : ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 68c6493169..2b1a6f2c90 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -21,6 +21,27 @@ enum cnxk_mcs_rsrc_type {
 	CNXK_MCS_RSRC_TYPE_PORT,
 };
 
+struct cnxk_mcs_flow_opts {
+	uint32_t outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS.*/
+	uint32_t second_outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t second_outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS. */
+	uint16_t bonus_data;
+	/**< 2 bytes of additional bonus data extracted from one of the custom tags*/
+	uint8_t tag_match_bitmap;
+	uint8_t packet_type;
+	uint8_t outer_vlan_type;
+	uint8_t inner_vlan_type;
+	uint8_t num_tags;
+	bool express;
+	uint8_t lmac_id;
+	uint8_t flowid_user;
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -75,3 +96,7 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 			       enum rte_security_macsec_direction dir);
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
+
+int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+				   struct rte_security_session *sess);
+int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index aa8a378a00..59924a36c9 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -235,7 +235,7 @@ cnxk_eth_sec_sess_get_by_sess(struct cnxk_eth_dev *dev,
 static unsigned int
 cnxk_eth_sec_session_get_size(void *device __rte_unused)
 {
-	return sizeof(struct cnxk_eth_sec_sess);
+	return RTE_MAX(sizeof(struct cnxk_macsec_sess), sizeof(struct cnxk_eth_sec_sess));
 }
 
 struct rte_security_ops cnxk_eth_sec_ops = {
diff --git a/drivers/net/cnxk/cnxk_flow.c b/drivers/net/cnxk/cnxk_flow.c
index f13d8e5582..05858d377a 100644
--- a/drivers/net/cnxk/cnxk_flow.c
+++ b/drivers/net/cnxk/cnxk_flow.c
@@ -298,6 +298,11 @@ cnxk_flow_validate(struct rte_eth_dev *eth_dev,
 	uint32_t flowkey_cfg = 0;
 	int rc;
 
+	/* Skip flow validation for MACsec. */
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL)
+		return 0;
+
 	memset(&flow, 0, sizeof(flow));
 	flow.is_validate = true;
 
-- 
2.25.1

[PATCH 15/15] net/cnxk: add MACsec stats

[Akhil Goyal]

Added support for MACsec SC/flow/session stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c | 11 +++--
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 64 +++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  9 ++++
 3 files changed, 81 insertions(+), 3 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 0a8e7ae6fd..cd0fd1744f 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1027,12 +1027,17 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	int rc;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (eth_sec == NULL)
+	if (eth_sec == NULL) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_stats_get(dev, macsec_sess, stats);
 		return -EINVAL;
+	}
 
 	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
 			    ROC_NIX_INL_SA_OP_FLUSH);
@@ -1076,6 +1081,6 @@ cn10k_eth_sec_ops_override(void)
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
-	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
-	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = cnxk_eth_macsec_sc_stats_get;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = cnxk_eth_macsec_sa_stats_get;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index c5ac5bafbb..e79b8279a7 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -517,6 +517,70 @@ cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
 	return (ret == 0) ? 1 : ret;
 }
 
+int
+cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sa_id);
+	RTE_SET_USED(dir);
+	RTE_SET_USED(stats);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sc_stats *stats)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? MCS_RX : MCS_TX;
+
+	return roc_mcs_sc_stats_get(mcs_dev->mdev, &req, (struct roc_mcs_sc_stats *)stats);
+}
+
+int
+cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				  struct rte_security_stats *stats)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_flowid_stats flow_stats = {0};
+	struct roc_mcs_port_stats port_stats = {0};
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sess->flow_id;
+	req.dir = sess->dir;
+	roc_mcs_flowid_stats_get(mcs_dev->mdev, &req, &flow_stats);
+	plt_nix_dbg("\n******* FLOW_ID IDX[%u] STATS dir: %u********\n", sess->flow_id, sess->dir);
+	plt_nix_dbg("TX: tcam_hit_cnt: 0x%lx\n", flow_stats.tcam_hit_cnt);
+
+	req.id = mcs_dev->port_id;
+	req.dir = sess->dir;
+	roc_mcs_port_stats_get(mcs_dev->mdev, &req, &port_stats);
+	plt_nix_dbg("\n********** PORT[0] STATS ****************\n");
+	plt_nix_dbg("RX tcam_miss_cnt: 0x%lx\n", port_stats.tcam_miss_cnt);
+	plt_nix_dbg("RX parser_err_cnt: 0x%lx\n", port_stats.parser_err_cnt);
+	plt_nix_dbg("RX preempt_err_cnt: 0x%lx\n", port_stats.preempt_err_cnt);
+	plt_nix_dbg("RX sectag_insert_err_cnt: 0x%lx\n", port_stats.sectag_insert_err_cnt);
+
+	req.id = sess->secy_id;
+	req.dir = sess->dir;
+
+	return roc_mcs_secy_stats_get(mcs_dev->mdev, &req,
+				      (struct roc_mcs_secy_stats *)(&stats->macsec));
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 2b1a6f2c90..4a59dd3df9 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -97,6 +97,15 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
 
+int cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sa_stats *stats);
+int cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sc_stats *stats);
+int cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				      struct rte_security_stats *stats);
+
 int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
 				   struct rte_security_session *sess);
 int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
-- 
2.25.1

Re: [PATCH 02/13] security: add MACsec packet number threshold

[Stephen Hemminger]

On Wed, 24 May 2023 01:19:07 +0530
Akhil Goyal <gakhil@marvell.com> wrote:

> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index c7a523b6d6..30bac4e25a 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
>  struct rte_security_macsec_sc {
>  	/** Direction of SC */
>  	enum rte_security_macsec_direction dir;
> +	/** Packet number threshold */
> +	uint64_t pn_threshold;
>  	union {
>  		struct {
>  			/** SAs for each association number */
> @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
>  			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
>  			/** Channel is active */
>  			uint8_t active : 1;
> +			/** Extended packet number is enabled for SAs */
> +			uint8_t is_xpn : 1;
>  			/** Reserved bitfields for future */
> -			uint8_t reserved : 7;
> +			uint8

Is this an ABI change? If so needs to wait for 23.11 release

RE: [EXT] Re: [PATCH 02/13] security: add MACsec packet number threshold

[Akhil Goyal]

> On Wed, 24 May 2023 01:19:07 +0530
> Akhil Goyal <gakhil@marvell.com> wrote:
> 
> > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> > index c7a523b6d6..30bac4e25a 100644
> > --- a/lib/security/rte_security.h
> > +++ b/lib/security/rte_security.h
> > @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
> >  struct rte_security_macsec_sc {
> >  	/** Direction of SC */
> >  	enum rte_security_macsec_direction dir;
> > +	/** Packet number threshold */
> > +	uint64_t pn_threshold;
> >  	union {
> >  		struct {
> >  			/** SAs for each association number */
> > @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
> >  			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
> >  			/** Channel is active */
> >  			uint8_t active : 1;
> > +			/** Extended packet number is enabled for SAs */
> > +			uint8_t is_xpn : 1;
> >  			/** Reserved bitfields for future */
> > -			uint8_t reserved : 7;
> > +			uint8
> 
> Is this an ABI change? If so needs to wait for 23.11 release
rte_security_macsec_sc/sa_create are experimental APIs. So, it won't be an issue I believe.

RE: [EXT] Re: [PATCH 02/13] security: add MACsec packet number threshold

[Akhil Goyal]

> Subject: RE: [EXT] Re: [PATCH 02/13] security: add MACsec packet number
> threshold
> 
> > On Wed, 24 May 2023 01:19:07 +0530
> > Akhil Goyal <gakhil@marvell.com> wrote:
> >
> > > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> > > index c7a523b6d6..30bac4e25a 100644
> > > --- a/lib/security/rte_security.h
> > > +++ b/lib/security/rte_security.h
> > > @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
> > >  struct rte_security_macsec_sc {
> > >  	/** Direction of SC */
> > >  	enum rte_security_macsec_direction dir;
> > > +	/** Packet number threshold */
> > > +	uint64_t pn_threshold;
> > >  	union {
> > >  		struct {
> > >  			/** SAs for each association number */
> > > @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
> > >  			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
> > >  			/** Channel is active */
> > >  			uint8_t active : 1;
> > > +			/** Extended packet number is enabled for SAs */
> > > +			uint8_t is_xpn : 1;
> > >  			/** Reserved bitfields for future */
> > > -			uint8_t reserved : 7;
> > > +			uint8
> >
> > Is this an ABI change? If so needs to wait for 23.11 release
> rte_security_macsec_sc/sa_create are experimental APIs. So, it won't be an
> issue I believe.
Looking at the ABI issues reported for this patchset.
Even if these APIs are experimental, we cannot really change them.
As all are part of rte_security_ctx which is exposed.
But, user is not required to know its contents and it should not be exposed.
In next release I would make it internal like rte_security_session.
For now, I would defer this MACsec support to next release.

Re: [PATCH 01/15] common/cnxk: add ROC MACsec initialization

[Jerin Jacob]

On Wed, May 24, 2023 at 1:34 AM Akhil Goyal <gakhil@marvell.com> wrote:
>
> Added ROC init and fini APIs for supporting MACsec.
>
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
> +
> +TAILQ_HEAD(roc_mcs_head, roc_mcs);
> +/* Local mcs tailq list */
> +static struct roc_mcs_head roc_mcs_head = TAILQ_HEAD_INITIALIZER(roc_mcs_head);

Can we remove this global variable by moving? This is to avoid
breaking multiprocess,


> +struct roc_mcs *
> +roc_mcs_dev_init(uint8_t mcs_idx)
> +{
> +       struct roc_mcs *mcs;
> +       struct npa_lf *npa;
> +
> +       if (roc_model_is_cn10kb()) {


Use roc_feature_nix_has_macsec()

> +               mcs = roc_idev_mcs_get();
> +               if (mcs) {
> +                       plt_info("Skipping device, mcs device already probed");
> +                       mcs->refcount++;
> +                       return mcs;
> +               }
> +       }
> +
> +       mcs = plt_zmalloc(sizeof(struct roc_mcs), PLT_CACHE_LINE_SIZE);
> +       if (!mcs)
> +               return NULL;
> +
> +       if (roc_model_is_cnf10kb() || roc_model_is_cn10kb()) {

Use roc_feature_nix_has_macsec()


> +       MCS_ERR_PARAM = -900,
> +       MCS_ERR_HW_NOTSUP = -901,
> +       MCS_ERR_DEVICE_NOT_FOUND = -902,
> +};
> +
> +#define MCS_SUPPORT_CHECK                                                                          \
> +       do {                                                                                       \
> +               if (!(roc_model_is_cnf10kb() || roc_model_is_cn10kb_a0()))                         \

Use roc_feature_nix_has_macsec()

Re: [PATCH 02/15] common/cnxk: add MACsec SA configuration

[Jerin Jacob]

On Wed, May 24, 2023 at 1:34 AM Akhil Goyal <gakhil@marvell.com> wrote:
>
> Added ROC APIs to allocate/free MACsec resources
> and APIs to write SA policy.
>
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---

> index 7593c7c890..9266edd9a1 100644
> --- a/drivers/common/cnxk/version.map
> +++ b/drivers/common/cnxk/version.map
> @@ -133,10 +133,14 @@ INTERNAL {
>         roc_se_auth_key_set;
>         roc_se_ciph_key_set;
>         roc_se_ctx_init;
> +       roc_mcs_alloc_rsrc;

Please change to roc_mcs_rsrc_alloc
i.e keeping action as last


>         roc_mcs_dev_init;
>         roc_mcs_dev_fini;
>         roc_mcs_dev_get;
> +       roc_mcs_free_rsrc;

Same as above.

>         roc_mcs_hw_info_get;
> +       roc_mcs_sa_policy_read;
> +       roc_mcs_sa_policy_write;
>         roc_nix_bpf_alloc;
>         roc_nix_bpf_config;
>         roc_nix_bpf_connect;
> --
> 2.25.1
>

Re: [PATCH 05/15] common/cnxk: add MACsec PN and LMAC mode configuration

[Jerin Jacob]

On Wed, May 24, 2023 at 1:34 AM Akhil Goyal <gakhil@marvell.com> wrote:
>
> Added ROC APIs for setting packet number and LMAC
> related configurations.
>
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> +struct mcs_set_active_lmac {
> +       struct mbox_msghdr hdr;
> +       uint32_t __io lmac_bmap; /* bitmap of active lmac per mcs block */
> +       uint8_t __io mcs_id;
> +       uint16_t channel_base; /* MCS channel base */

Gotcha . Found a missing __io

> +       uint64_t __io rsvd;
> +};
> +

Re: [PATCH 09/15] common/cnxk: add MACsec control port configuration

[Jerin Jacob]

On Wed, May 24, 2023 at 1:35 AM Akhil Goyal <gakhil@marvell.com> wrote:
>
> Added ROC APIs to configure MACsec control port.
>
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---

>  __roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
>                                        struct roc_mcs_flowid_stats *stats);
> diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
> index 9ba804a04f..e501cdd4d9 100644
> --- a/drivers/common/cnxk/version.map
> +++ b/drivers/common/cnxk/version.map
> @@ -134,7 +134,10 @@ INTERNAL {
>         roc_se_ciph_key_set;
>         roc_se_ctx_init;
>         roc_mcs_active_lmac_set;
> +       roc_mcs_alloc_ctrl_pkt_rule;

roc_mcs_ctrl_pkt_rule_alloc

>         roc_mcs_alloc_rsrc;
> +       roc_mcs_ctrl_pkt_rule_write;
> +       roc_mcs_custom_tag_cfg_get;
>         roc_mcs_dev_init;
>         roc_mcs_dev_fini;
>         roc_mcs_dev_get;
> @@ -144,6 +147,7 @@ INTERNAL {
>         roc_mcs_flowid_entry_read;
>         roc_mcs_flowid_entry_write;
>         roc_mcs_flowid_stats_get;
> +       roc_mcs_free_ctrl_pkt_rule;

roc_mcs_ctrl_pkt_rule_free

>         roc_mcs_free_rsrc;
>         roc_mcs_hw_info_get;
>         roc_mcs_intr_configure;
> --
> 2.25.1
>

[PATCH v2 00/13] Add MACsec unit test cases

[Akhil Goyal]

Inline MACsec offload was supported in DPDK 22.11
using rte_security APIs.
This patchset adds few minor changes in the rte_security APIs
to specify the direction of SA/SC and update the SC configuration
to set packet number threshold.

The patchset also add functional test cases in dpdk-test app
to verify MACsec functionality.

This patchset is pending from last release [1] due to lack of
hardware to test. Now the test cases are verified on Marvell cnxk PMD
and the pmd support is added as a separate patchset.

[1] https://patches.dpdk.org/project/dpdk/cover/20220928124516.93050-1-gakhil@marvell.com/

Changes in v2:
- Added abignore for experimental APIs
- Fixed build

Akhil Goyal (10):
  security: add direction in SA/SC configuration
  security: add MACsec packet number threshold
  test/security: add inline MACsec cases
  test/security: add MACsec integrity cases
  test/security: verify multi flow MACsec
  test/security: add MACsec VLAN cases
  test/security: add MACsec negative cases
  test/security: verify MACsec stats
  test/security: verify MACsec Tx HW rekey
  test/security: remove no MACsec support case

Ankur Dwivedi (3):
  test/security: verify MACsec interrupts
  test/security: verify MACsec Rx rekey
  test/security: verify MACsec anti replay

 app/test/meson.build                          |    1 +
 app/test/test_security.c                      |   37 -
 app/test/test_security_inline_macsec.c        | 2332 ++++++++++
 .../test_security_inline_macsec_vectors.h     | 3895 +++++++++++++++++
 devtools/libabigail.abignore                  |    7 +
 lib/security/rte_security.c                   |   16 +-
 lib/security/rte_security.h                   |   24 +-
 lib/security/rte_security_driver.h            |   12 +-
 8 files changed, 6273 insertions(+), 51 deletions(-)
 create mode 100644 app/test/test_security_inline_macsec.c
 create mode 100644 app/test/test_security_inline_macsec_vectors.h

-- 
2.25.1

[PATCH v2 01/13] security: add direction in SA/SC configuration

[Akhil Goyal]

MACsec SC/SA ids are created based on direction of the flow.
Hence, added the missing field for configuration and cleanup
of the SCs and SAs.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 devtools/libabigail.abignore       |  7 +++++++
 lib/security/rte_security.c        | 16 ++++++++++------
 lib/security/rte_security.h        | 14 ++++++++++----
 lib/security/rte_security_driver.h | 12 ++++++++++--
 4 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/devtools/libabigail.abignore b/devtools/libabigail.abignore
index c0361bfc7b..14d8fa4293 100644
--- a/devtools/libabigail.abignore
+++ b/devtools/libabigail.abignore
@@ -37,6 +37,13 @@
 [suppress_type]
         type_kind = enum
         changed_enumerators = RTE_CRYPTO_ASYM_XFORM_ECPM, RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
+; Ignore changes to rte_security_ops MACsec APIs which are experimental
+[suppress_type]
+        name = rte_security_ops
+        has_data_member_inserted_between =
+        {
+                offset_of(security_macsec_sc_create_t), offset_of(security_macsec_sa_stats_get_t)
+        }
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ; Temporary exceptions till next major ABI version ;
diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c
index e102c55e55..c4d64bb8e9 100644
--- a/lib/security/rte_security.c
+++ b/lib/security/rte_security.c
@@ -164,13 +164,14 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
 }
 
 int
-rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id)
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir)
 {
 	int ret;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP);
 
-	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id);
+	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id, dir);
 	if (ret != 0)
 		return ret;
 
@@ -181,13 +182,14 @@ rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id
 }
 
 int
-rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id)
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir)
 {
 	int ret;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP);
 
-	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id);
+	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id, dir);
 	if (ret != 0)
 		return ret;
 
@@ -199,22 +201,24 @@ rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id
 
 int
 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id,
+				 enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sc_stats *stats)
 {
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP);
 	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
 
-	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats);
+	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, dir, stats);
 }
 
 int
 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sa_stats *stats)
 {
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP);
 	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
 
-	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats);
+	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, dir, stats);
 }
 
 int
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 4bacf9fcd9..c7a523b6d6 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -761,6 +761,7 @@ rte_security_macsec_sc_create(struct rte_security_ctx *instance,
  *
  * @param   instance	security instance
  * @param   sc_id	SC ID to be destroyed
+ * @param   dir		direction of the SC
  * @return
  *  - 0 if successful.
  *  - -EINVAL if sc_id is invalid or instance is NULL.
@@ -768,7 +769,8 @@ rte_security_macsec_sc_create(struct rte_security_ctx *instance,
  */
 __rte_experimental
 int
-rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir);
 
 /**
  * @warning
@@ -798,6 +800,7 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
  *
  * @param   instance	security instance
  * @param   sa_id	SA ID to be destroyed
+ * @param   dir		direction of the SA
  * @return
  *  - 0 if successful.
  *  - -EINVAL if sa_id is invalid or instance is NULL.
@@ -805,7 +808,8 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
  */
 __rte_experimental
 int
-rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir);
 
 /** Device-specific metadata field type */
 typedef uint64_t rte_security_dynfield_t;
@@ -1077,6 +1081,7 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
  *
  * @param	instance	security instance
  * @param	sa_id		SA ID for which stats are needed
+ * @param	dir		direction of the SA
  * @param	stats		statistics
  * @return
  *  - On success, return 0.
@@ -1085,7 +1090,7 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
 __rte_experimental
 int
 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
-				 uint16_t sa_id,
+				 uint16_t sa_id, enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sa_stats *stats);
 
 /**
@@ -1096,6 +1101,7 @@ rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
  *
  * @param	instance	security instance
  * @param	sc_id		SC ID for which stats are needed
+ * @param	dir		direction of the SC
  * @param	stats		SC statistics
  * @return
  *  - On success, return 0.
@@ -1104,7 +1110,7 @@ rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
 __rte_experimental
 int
 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,
-				 uint16_t sc_id,
+				 uint16_t sc_id, enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sc_stats *stats);
 
 /**
diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h
index 421e6f7780..677c7d1f91 100644
--- a/lib/security/rte_security_driver.h
+++ b/lib/security/rte_security_driver.h
@@ -106,8 +106,10 @@ typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_mac
  *
  * @param	device		Crypto/eth device pointer
  * @param	sc_id		MACsec SC ID
+ * @param	dir		Direction of SC
  */
-typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id);
+typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id,
+		enum rte_security_macsec_direction dir);
 
 /**
  * Configure a MACsec security Association (SA) on a device.
@@ -128,8 +130,10 @@ typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_mac
  *
  * @param	device		Crypto/eth device pointer
  * @param	sa_id		MACsec SA ID
+ * @param	dir		Direction of SA
  */
-typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id);
+typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id,
+		enum rte_security_macsec_direction dir);
 
 /**
  * Get the size of a security session
@@ -162,6 +166,7 @@ typedef int (*security_session_stats_get_t)(void *device,
  *
  * @param	device		Crypto/eth device pointer
  * @param	sc_id		secure channel ID created by rte_security_macsec_sc_create()
+ * @param	dir		direction of SC
  * @param	stats		SC stats of the driver
  *
  * @return
@@ -169,6 +174,7 @@ typedef int (*security_session_stats_get_t)(void *device,
  *  - -EINVAL if sc_id or device is invalid.
  */
 typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
+		enum rte_security_macsec_direction dir,
 		struct rte_security_macsec_sc_stats *stats);
 
 /**
@@ -176,6 +182,7 @@ typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
  *
  * @param	device		Crypto/eth device pointer
  * @param	sa_id		secure channel ID created by rte_security_macsec_sc_create()
+ * @param	dir		direction of SA
  * @param	stats		SC stats of the driver
  *
  * @return
@@ -183,6 +190,7 @@ typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
  *  - -EINVAL if sa_id or device is invalid.
  */
 typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,
+		enum rte_security_macsec_direction dir,
 		struct rte_security_macsec_sa_stats *stats);
 
 
-- 
2.25.1

[PATCH v2 02/13] security: add MACsec packet number threshold

[Akhil Goyal]

Added Packet number threshold parameter in MACsec SC
configuration to identify the maximum allowed threshold
for packet number field in the packet.
A field is_xpn is also added to identify if the SAs are
configured for extended packet number or not so that
packet number threshold can be configured accordingly.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 lib/security/rte_security.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index c7a523b6d6..30bac4e25a 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
 struct rte_security_macsec_sc {
 	/** Direction of SC */
 	enum rte_security_macsec_direction dir;
+	/** Packet number threshold */
+	uint64_t pn_threshold;
 	union {
 		struct {
 			/** SAs for each association number */
@@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
 			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
 			/** Channel is active */
 			uint8_t active : 1;
+			/** Extended packet number is enabled for SAs */
+			uint8_t is_xpn : 1;
 			/** Reserved bitfields for future */
-			uint8_t reserved : 7;
+			uint8_t reserved : 6;
 		} sc_rx;
 		struct {
 			uint16_t sa_id; /**< SA ID to be used for encryption */
@@ -416,8 +420,10 @@ struct rte_security_macsec_sc {
 			uint64_t sci; /**< SCI value to be used if send_sci is set */
 			uint8_t active : 1; /**< Channel is active */
 			uint8_t re_key_en : 1; /**< Enable Rekeying */
+			/** Extended packet number is enabled for SAs */
+			uint8_t is_xpn : 1;
 			/** Reserved bitfields for future */
-			uint8_t reserved : 6;
+			uint8_t reserved : 5;
 		} sc_tx;
 	};
 };
-- 
2.25.1

[PATCH v2 03/13] test/security: add inline MACsec cases

[Akhil Goyal]

Updated test app to verify Inline MACsec offload using
rte_security APIs.
A couple of test cases are added to verify encap only
and decap only of some known test vectors from MACsec
specification.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/meson.build                          |    1 +
 app/test/test_security_inline_macsec.c        | 1108 +++++++++++++++++
 .../test_security_inline_macsec_vectors.h     | 1086 ++++++++++++++++
 3 files changed, 2195 insertions(+)
 create mode 100644 app/test/test_security_inline_macsec.c
 create mode 100644 app/test/test_security_inline_macsec_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index b9b5432496..69c1d19f7b 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -128,6 +128,7 @@ test_sources = files(
         'test_rwlock.c',
         'test_sched.c',
         'test_security.c',
+        'test_security_inline_macsec.c',
         'test_security_inline_proto.c',
         'test_seqlock.c',
         'test_service_cores.c',
diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
new file mode 100644
index 0000000000..9ef967597b
--- /dev/null
+++ b/app/test/test_security_inline_macsec.c
@@ -0,0 +1,1108 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+
+#include <stdio.h>
+#include <inttypes.h>
+
+#include <rte_ethdev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_security_inline_macsec_vectors.h"
+
+#ifdef RTE_EXEC_ENV_WINDOWS
+static int
+test_inline_macsec(void)
+{
+	printf("Inline MACsec not supported on Windows, skipping test\n");
+	return TEST_SKIPPED;
+}
+
+#else
+
+#define NB_ETHPORTS_USED		1
+#define MEMPOOL_CACHE_SIZE		32
+#define RTE_TEST_RX_DESC_DEFAULT	1024
+#define RTE_TEST_TX_DESC_DEFAULT	1024
+#define RTE_PORT_ALL		(~(uint16_t)0x0)
+
+#define RX_PTHRESH 8 /**< Default values of RX prefetch threshold reg. */
+#define RX_HTHRESH 8 /**< Default values of RX host threshold reg. */
+#define RX_WTHRESH 0 /**< Default values of RX write-back threshold reg. */
+
+#define TX_PTHRESH 32 /**< Default values of TX prefetch threshold reg. */
+#define TX_HTHRESH 0  /**< Default values of TX host threshold reg. */
+#define TX_WTHRESH 0  /**< Default values of TX write-back threshold reg. */
+
+#define MAX_TRAFFIC_BURST		2048
+#define NB_MBUF				10240
+
+#define MCS_INVALID_SA			0xFFFF
+#define MCS_DEFAULT_PN_THRESHOLD	0xFFFFF
+
+static struct rte_mempool *mbufpool;
+static struct rte_mempool *sess_pool;
+/* ethernet addresses of ports */
+static struct rte_ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];
+
+struct mcs_test_opts {
+	int val_frames;
+	int nb_td;
+	uint16_t mtu;
+	uint8_t sa_in_use;
+	bool encrypt;
+	bool protect_frames;
+	uint8_t sectag_insert_mode;
+	uint8_t nb_vlan;
+	uint32_t replay_win_sz;
+	uint8_t replay_protect;
+	uint8_t rekey_en;
+	const struct mcs_test_vector *rekey_td;
+	bool dump_all_stats;
+	uint8_t check_untagged_rx;
+	uint8_t check_bad_tag_cnt;
+	uint8_t check_sa_not_in_use;
+	uint8_t check_decap_stats;
+	uint8_t check_verify_only_stats;
+	uint8_t check_pkts_invalid_stats;
+	uint8_t check_pkts_unchecked_stats;
+	uint8_t check_out_pkts_untagged;
+	uint8_t check_out_pkts_toolong;
+	uint8_t check_encap_stats;
+	uint8_t check_auth_only_stats;
+	uint8_t check_sectag_interrupts;
+};
+
+static struct rte_eth_conf port_conf = {
+	.rxmode = {
+		.mq_mode = RTE_ETH_MQ_RX_NONE,
+		.offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM |
+			    RTE_ETH_RX_OFFLOAD_MACSEC_STRIP,
+	},
+	.txmode = {
+		.mq_mode = RTE_ETH_MQ_TX_NONE,
+		.offloads = RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE |
+			    RTE_ETH_TX_OFFLOAD_MACSEC_INSERT,
+	},
+	.lpbk_mode = 1,  /* enable loopback */
+};
+
+static struct rte_eth_rxconf rx_conf = {
+	.rx_thresh = {
+		.pthresh = RX_PTHRESH,
+		.hthresh = RX_HTHRESH,
+		.wthresh = RX_WTHRESH,
+	},
+	.rx_free_thresh = 32,
+};
+
+static struct rte_eth_txconf tx_conf = {
+	.tx_thresh = {
+		.pthresh = TX_PTHRESH,
+		.hthresh = TX_HTHRESH,
+		.wthresh = TX_WTHRESH,
+	},
+	.tx_free_thresh = 32, /* Use PMD default values */
+	.tx_rs_thresh = 32, /* Use PMD default values */
+};
+
+static uint16_t port_id;
+
+static uint64_t link_mbps;
+
+static struct rte_flow *default_tx_flow[RTE_MAX_ETHPORTS];
+static struct rte_flow *default_rx_flow[RTE_MAX_ETHPORTS];
+
+static struct rte_mbuf **tx_pkts_burst;
+static struct rte_mbuf **rx_pkts_burst;
+
+static inline struct rte_mbuf *
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+{
+	struct rte_mbuf *pkt;
+
+	pkt = rte_pktmbuf_alloc(mp);
+	if (pkt == NULL)
+		return NULL;
+
+	rte_memcpy(rte_pktmbuf_append(pkt, len), data, len);
+
+	return pkt;
+}
+
+static int
+init_mempools(unsigned int nb_mbuf)
+{
+	struct rte_security_ctx *sec_ctx;
+	uint16_t nb_sess = 512;
+	uint32_t sess_sz;
+	char s[64];
+
+	if (mbufpool == NULL) {
+		snprintf(s, sizeof(s), "mbuf_pool");
+		mbufpool = rte_pktmbuf_pool_create(s, nb_mbuf,
+				MEMPOOL_CACHE_SIZE, 0,
+				RTE_MBUF_DEFAULT_BUF_SIZE, SOCKET_ID_ANY);
+		if (mbufpool == NULL) {
+			printf("Cannot init mbuf pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated mbuf pool\n");
+	}
+
+	sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
+	if (sec_ctx == NULL) {
+		printf("Device does not support Security ctx\n");
+		return TEST_SKIPPED;
+	}
+	sess_sz = rte_security_session_get_size(sec_ctx);
+	if (sess_pool == NULL) {
+		snprintf(s, sizeof(s), "sess_pool");
+		sess_pool = rte_mempool_create(s, nb_sess, sess_sz,
+				MEMPOOL_CACHE_SIZE, 0,
+				NULL, NULL, NULL, NULL,
+				SOCKET_ID_ANY, 0);
+		if (sess_pool == NULL) {
+			printf("Cannot init sess pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated sess pool\n");
+	}
+
+	return 0;
+}
+
+static void
+fill_macsec_sa_conf(const struct mcs_test_vector *td, struct rte_security_macsec_sa *sa,
+			enum rte_security_macsec_direction dir, uint8_t an, uint8_t tci_off)
+{
+	sa->dir = dir;
+
+	sa->key.data = td->sa_key.data;
+	sa->key.length = td->sa_key.len;
+
+	memcpy((uint8_t *)sa->salt, (const uint8_t *)td->salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	/* AN is set as per the value in secure packet in test vector */
+	sa->an = an & RTE_MACSEC_AN_MASK;
+
+	sa->ssci = td->ssci;
+	sa->xpn = td->xpn;
+	/* Starting packet number which is expected to come next.
+	 * It is take from the test vector so that we can match the out packet.
+	 */
+	sa->next_pn = *(const uint32_t *)(&td->secure_pkt.data[tci_off + 2]);
+}
+
+static void
+fill_macsec_sc_conf(const struct mcs_test_vector *td,
+		    struct rte_security_macsec_sc *sc_conf,
+		    const struct mcs_test_opts *opts,
+		    enum rte_security_macsec_direction dir,
+		    uint16_t sa_id[], uint8_t tci_off)
+{
+	uint8_t i;
+
+	sc_conf->dir = dir;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sc_conf->sc_tx.sa_id = sa_id[0];
+		if (sa_id[1] != MCS_INVALID_SA) {
+			sc_conf->sc_tx.sa_id_rekey = sa_id[1];
+			sc_conf->sc_tx.re_key_en = 1;
+		}
+		sc_conf->sc_tx.active = 1;
+		/* is SCI valid */
+		if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) {
+			memcpy(&sc_conf->sc_tx.sci, &td->secure_pkt.data[tci_off + 6],
+					sizeof(sc_conf->sc_tx.sci));
+			sc_conf->sc_tx.sci = rte_be_to_cpu_64(sc_conf->sc_tx.sci);
+		} else if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) {
+			/* sci = source_mac + port_id when ES.bit = 1 & SC.bit = 0 */
+			const uint8_t *smac = td->plain_pkt.data + RTE_ETHER_ADDR_LEN;
+			uint8_t *ptr = (uint8_t *)&sc_conf->sc_tx.sci;
+
+			ptr[0] = 0x01;
+			ptr[1] = 0;
+			for (i = 0; i < RTE_ETHER_ADDR_LEN; i++)
+				ptr[2 + i] = smac[RTE_ETHER_ADDR_LEN - 1 - i];
+		} else {
+			/* use some default SCI */
+			sc_conf->sc_tx.sci = 0xf1341e023a2b1c5d;
+		}
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			sc_conf->sc_rx.sa_id[i] = sa_id[i];
+			sc_conf->sc_rx.sa_in_use[i] = opts->sa_in_use;
+		}
+		sc_conf->sc_rx.active = 1;
+	}
+}
+
+
+/* Create Inline MACsec session */
+static int
+fill_session_conf(const struct mcs_test_vector *td, uint16_t portid __rte_unused,
+		const struct mcs_test_opts *opts,
+		struct rte_security_session_conf *sess_conf,
+		enum rte_security_macsec_direction dir,
+		uint16_t sc_id,
+		uint8_t tci_off)
+{
+	sess_conf->action_type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL;
+	sess_conf->protocol = RTE_SECURITY_PROTOCOL_MACSEC;
+	sess_conf->macsec.dir = dir;
+	sess_conf->macsec.alg = td->alg;
+	sess_conf->macsec.cipher_off = 0;
+	if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) {
+		sess_conf->macsec.sci = rte_be_to_cpu_64(*(const uint64_t *)
+					(&td->secure_pkt.data[tci_off + 6]));
+	} else if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) {
+		/* sci = source_mac + port_id when ES.bit = 1 & SC.bit = 0 */
+		const uint8_t *smac = td->plain_pkt.data + RTE_ETHER_ADDR_LEN;
+		uint8_t *ptr = (uint8_t *)&sess_conf->macsec.sci;
+		uint8_t j;
+
+		ptr[0] = 0x01;
+		ptr[1] = 0;
+		for (j = 0; j < RTE_ETHER_ADDR_LEN; j++)
+			ptr[2 + j] = smac[RTE_ETHER_ADDR_LEN - 1 - j];
+	}
+	sess_conf->macsec.sc_id = sc_id;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sess_conf->macsec.tx_secy.mtu = opts->mtu;
+		sess_conf->macsec.tx_secy.sectag_off = (opts->sectag_insert_mode == 1) ?
+							2 * RTE_ETHER_ADDR_LEN :
+							RTE_VLAN_HLEN;
+		sess_conf->macsec.tx_secy.sectag_insert_mode = opts->sectag_insert_mode;
+		sess_conf->macsec.tx_secy.ctrl_port_enable = 1;
+		sess_conf->macsec.tx_secy.sectag_version = 0;
+		sess_conf->macsec.tx_secy.end_station =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) >> 6;
+		sess_conf->macsec.tx_secy.send_sci =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) >> 5;
+		sess_conf->macsec.tx_secy.scb =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SCB) >> 4;
+		sess_conf->macsec.tx_secy.encrypt = opts->encrypt;
+		sess_conf->macsec.tx_secy.protect_frames = opts->protect_frames;
+		sess_conf->macsec.tx_secy.icv_include_da_sa = 1;
+	} else {
+		sess_conf->macsec.rx_secy.replay_win_sz = opts->replay_win_sz;
+		sess_conf->macsec.rx_secy.replay_protect = opts->replay_protect;
+		sess_conf->macsec.rx_secy.icv_include_da_sa = 1;
+		sess_conf->macsec.rx_secy.ctrl_port_enable = 1;
+		sess_conf->macsec.rx_secy.preserve_sectag = 0;
+		sess_conf->macsec.rx_secy.preserve_icv = 0;
+		sess_conf->macsec.rx_secy.validate_frames = opts->val_frames;
+	}
+
+	return 0;
+}
+
+static int
+create_default_flow(const struct mcs_test_vector *td, uint16_t portid,
+		    enum rte_security_macsec_direction dir, void *sess)
+{
+	struct rte_flow_action action[2];
+	struct rte_flow_item pattern[2];
+	struct rte_flow_attr attr = {0};
+	struct rte_flow_error err;
+	struct rte_flow *flow;
+	struct rte_flow_item_eth eth = { .hdr.ether_type = 0, };
+	static const struct rte_flow_item_eth eth_mask = {
+		.hdr.dst_addr.addr_bytes = "\x00\x00\x00\x00\x00\x00",
+		.hdr.src_addr.addr_bytes = "\x00\x00\x00\x00\x00\x00",
+		.hdr.ether_type = RTE_BE16(0x0000),
+	};
+
+	int ret;
+
+	eth.has_vlan = 0;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX)
+		memcpy(&eth.hdr, td->plain_pkt.data, RTE_ETHER_HDR_LEN);
+	else
+		memcpy(&eth.hdr, td->secure_pkt.data, RTE_ETHER_HDR_LEN);
+
+	pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
+	pattern[0].spec = &eth;
+	pattern[0].mask = &eth_mask;
+	pattern[0].last = NULL;
+	pattern[1].type = RTE_FLOW_ITEM_TYPE_END;
+
+	action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
+	action[0].conf = sess;
+	action[1].type = RTE_FLOW_ACTION_TYPE_END;
+	action[1].conf = NULL;
+
+	attr.ingress = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? 1 : 0;
+	attr.egress = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? 1 : 0;
+
+	ret = rte_flow_validate(portid, &attr, pattern, action, &err);
+	if (ret) {
+		printf("\nValidate flow failed, ret = %d\n", ret);
+		return -1;
+	}
+	flow = rte_flow_create(portid, &attr, pattern, action, &err);
+	if (flow == NULL) {
+		printf("\nDefault flow rule create failed\n");
+		return -1;
+	}
+
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX)
+		default_tx_flow[portid] = flow;
+	else
+		default_rx_flow[portid] = flow;
+
+	return 0;
+}
+
+static void
+destroy_default_flow(uint16_t portid)
+{
+	struct rte_flow_error err;
+	int ret;
+
+	if (default_tx_flow[portid]) {
+		ret = rte_flow_destroy(portid, default_tx_flow[portid], &err);
+		if (ret) {
+			printf("\nDefault Tx flow rule destroy failed\n");
+			return;
+		}
+		default_tx_flow[portid] = NULL;
+	}
+	if (default_rx_flow[portid]) {
+		ret = rte_flow_destroy(portid, default_rx_flow[portid], &err);
+		if (ret) {
+			printf("\nDefault Rx flow rule destroy failed\n");
+			return;
+		}
+		default_rx_flow[portid] = NULL;
+	}
+}
+
+static void
+print_ethaddr(const char *name, const struct rte_ether_addr *eth_addr)
+{
+	char buf[RTE_ETHER_ADDR_FMT_SIZE];
+	rte_ether_format_addr(buf, RTE_ETHER_ADDR_FMT_SIZE, eth_addr);
+	printf("%s%s", name, buf);
+}
+
+/* Check the link status of all ports in up to 3s, and print them finally */
+static void
+check_all_ports_link_status(uint16_t port_num, uint32_t port_mask)
+{
+#define CHECK_INTERVAL 100 /* 100ms */
+#define MAX_CHECK_TIME 30 /* 3s (30 * 100ms) in total */
+	uint16_t portid;
+	uint8_t count, all_ports_up, print_flag = 0;
+	struct rte_eth_link link;
+	int ret;
+	char link_status[RTE_ETH_LINK_MAX_STR_LEN];
+
+	printf("Checking link statuses...\n");
+	fflush(stdout);
+	for (count = 0; count <= MAX_CHECK_TIME; count++) {
+		all_ports_up = 1;
+		for (portid = 0; portid < port_num; portid++) {
+			if ((port_mask & (1 << portid)) == 0)
+				continue;
+			memset(&link, 0, sizeof(link));
+			ret = rte_eth_link_get_nowait(portid, &link);
+			if (ret < 0) {
+				all_ports_up = 0;
+				if (print_flag == 1)
+					printf("Port %u link get failed: %s\n",
+						portid, rte_strerror(-ret));
+				continue;
+			}
+
+			/* print link status if flag set */
+			if (print_flag == 1) {
+				if (link.link_status && link_mbps == 0)
+					link_mbps = link.link_speed;
+
+				rte_eth_link_to_str(link_status,
+					sizeof(link_status), &link);
+				printf("Port %d %s\n", portid, link_status);
+				continue;
+			}
+			/* clear all_ports_up flag if any link down */
+			if (link.link_status == RTE_ETH_LINK_DOWN) {
+				all_ports_up = 0;
+				break;
+			}
+		}
+		/* after finally printing all link status, get out */
+		if (print_flag == 1)
+			break;
+
+		if (all_ports_up == 0)
+			fflush(stdout);
+
+		/* set the print_flag if all ports up or timeout */
+		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1))
+			print_flag = 1;
+	}
+}
+
+static int
+test_macsec_post_process(struct rte_mbuf *m, const struct mcs_test_vector *td,
+			enum mcs_op op, uint8_t check_out_pkts_untagged)
+{
+	const uint8_t *dptr;
+	uint16_t pkt_len;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY ||
+			check_out_pkts_untagged == 1) {
+		dptr = td->plain_pkt.data;
+		pkt_len = td->plain_pkt.len;
+	} else {
+		dptr = td->secure_pkt.data;
+		pkt_len = td->secure_pkt.len;
+	}
+
+	if (memcmp(rte_pktmbuf_mtod(m, uint8_t *), dptr, pkt_len)) {
+		printf("\nData comparison failed for td.");
+		rte_pktmbuf_dump(stdout, m, m->pkt_len);
+		rte_hexdump(stdout, "expected_data", dptr, pkt_len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+static void
+mcs_stats_dump(struct rte_security_ctx *ctx, enum mcs_op op,
+	       void *rx_sess, void *tx_sess,
+	       uint8_t rx_sc_id, uint8_t tx_sc_id,
+	       uint16_t rx_sa_id[], uint16_t tx_sa_id[])
+{
+	struct rte_security_stats sess_stats = {0};
+	struct rte_security_macsec_secy_stats *secy_stat;
+	struct rte_security_macsec_sc_stats sc_stat = {0};
+	struct rte_security_macsec_sa_stats sa_stat = {0};
+	int i;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+		printf("\n********* RX SECY STATS ************\n");
+		rte_security_session_stats_get(ctx, rx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if (secy_stat->ctl_pkt_bcast_cnt)
+			printf("RX: ctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_bcast_cnt);
+		if (secy_stat->ctl_pkt_mcast_cnt)
+			printf("RX: ctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_mcast_cnt);
+		if (secy_stat->ctl_pkt_ucast_cnt)
+			printf("RX: ctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_ucast_cnt);
+		if (secy_stat->ctl_octet_cnt)
+			printf("RX: ctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->ctl_octet_cnt);
+		if (secy_stat->unctl_pkt_bcast_cnt)
+			printf("RX: unctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_bcast_cnt);
+		if (secy_stat->unctl_pkt_mcast_cnt)
+			printf("RX: unctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_mcast_cnt);
+		if (secy_stat->unctl_pkt_ucast_cnt)
+			printf("RX: unctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_ucast_cnt);
+		if (secy_stat->unctl_octet_cnt)
+			printf("RX: unctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->unctl_octet_cnt);
+		/* Valid only for RX */
+		if (secy_stat->octet_decrypted_cnt)
+			printf("RX: octet_decrypted_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_decrypted_cnt);
+		if (secy_stat->octet_validated_cnt)
+			printf("RX: octet_validated_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_validated_cnt);
+		if (secy_stat->pkt_port_disabled_cnt)
+			printf("RX: pkt_port_disabled_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_port_disabled_cnt);
+		if (secy_stat->pkt_badtag_cnt)
+			printf("RX: pkt_badtag_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_badtag_cnt);
+		if (secy_stat->pkt_nosa_cnt)
+			printf("RX: pkt_nosa_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_nosa_cnt);
+		if (secy_stat->pkt_nosaerror_cnt)
+			printf("RX: pkt_nosaerror_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_nosaerror_cnt);
+		if (secy_stat->pkt_tagged_ctl_cnt)
+			printf("RX: pkt_tagged_ctl_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_tagged_ctl_cnt);
+		if (secy_stat->pkt_untaged_cnt)
+			printf("RX: pkt_untaged_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_untaged_cnt);
+		if (secy_stat->pkt_ctl_cnt)
+			printf("RX: pkt_ctl_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_ctl_cnt);
+		if (secy_stat->pkt_notag_cnt)
+			printf("RX: pkt_notag_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_notag_cnt);
+		printf("\n");
+		printf("\n********** RX SC[%u] STATS **************\n", rx_sc_id);
+
+		rte_security_macsec_sc_stats_get(ctx, rx_sc_id, RTE_SECURITY_MACSEC_DIR_RX,
+						 &sc_stat);
+		/* RX */
+		if (sc_stat.hit_cnt)
+			printf("RX hit_cnt: 0x%" PRIx64 "\n", sc_stat.hit_cnt);
+		if (sc_stat.pkt_invalid_cnt)
+			printf("RX pkt_invalid_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_invalid_cnt);
+		if (sc_stat.pkt_late_cnt)
+			printf("RX pkt_late_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_late_cnt);
+		if (sc_stat.pkt_notvalid_cnt)
+			printf("RX pkt_notvalid_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_notvalid_cnt);
+		if (sc_stat.pkt_unchecked_cnt)
+			printf("RX pkt_unchecked_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_unchecked_cnt);
+		if (sc_stat.pkt_delay_cnt)
+			printf("RX pkt_delay_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_delay_cnt);
+		if (sc_stat.pkt_ok_cnt)
+			printf("RX pkt_ok_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_ok_cnt);
+		if (sc_stat.octet_decrypt_cnt)
+			printf("RX octet_decrypt_cnt: 0x%" PRIx64 "\n", sc_stat.octet_decrypt_cnt);
+		if (sc_stat.octet_validate_cnt)
+			printf("RX octet_validate_cnt: 0x%" PRIx64 "\n",
+					sc_stat.octet_validate_cnt);
+		printf("\n");
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			printf("\n********** RX SA[%u] STATS ****************\n", rx_sa_id[i]);
+			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
+					RTE_SECURITY_MACSEC_DIR_RX, &sa_stat);
+
+			/* RX */
+			if (sa_stat.pkt_invalid_cnt)
+				printf("RX pkt_invalid_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_invalid_cnt);
+			if (sa_stat.pkt_nosaerror_cnt)
+				printf("RX pkt_nosaerror_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_nosaerror_cnt);
+			if (sa_stat.pkt_notvalid_cnt)
+				printf("RX pkt_notvalid_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_notvalid_cnt);
+			if (sa_stat.pkt_ok_cnt)
+				printf("RX pkt_ok_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_ok_cnt);
+			if (sa_stat.pkt_nosa_cnt)
+				printf("RX pkt_nosa_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_nosa_cnt);
+			printf("\n");
+		}
+	}
+
+	if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+		memset(&sess_stats, 0, sizeof(struct rte_security_stats));
+		rte_security_session_stats_get(ctx, tx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		printf("\n********* TX SECY STATS ************\n");
+		if (secy_stat->ctl_pkt_bcast_cnt)
+			printf("TX: ctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_bcast_cnt);
+		if (secy_stat->ctl_pkt_mcast_cnt)
+			printf("TX: ctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_mcast_cnt);
+		if (secy_stat->ctl_pkt_ucast_cnt)
+			printf("TX: ctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_ucast_cnt);
+		if (secy_stat->ctl_octet_cnt)
+			printf("TX: ctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->ctl_octet_cnt);
+		if (secy_stat->unctl_pkt_bcast_cnt)
+			printf("TX: unctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_bcast_cnt);
+		if (secy_stat->unctl_pkt_mcast_cnt)
+			printf("TX: unctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_mcast_cnt);
+		if (secy_stat->unctl_pkt_ucast_cnt)
+			printf("TX: unctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_ucast_cnt);
+		if (secy_stat->unctl_octet_cnt)
+			printf("TX: unctl_octet_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_octet_cnt);
+		/* Valid only for TX */
+		if (secy_stat->octet_encrypted_cnt)
+			printf("TX: octet_encrypted_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_encrypted_cnt);
+		if (secy_stat->octet_protected_cnt)
+			printf("TX: octet_protected_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_protected_cnt);
+		if (secy_stat->pkt_noactivesa_cnt)
+			printf("TX: pkt_noactivesa_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_noactivesa_cnt);
+		if (secy_stat->pkt_toolong_cnt)
+			printf("TX: pkt_toolong_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_toolong_cnt);
+		if (secy_stat->pkt_untagged_cnt)
+			printf("TX: pkt_untagged_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_untagged_cnt);
+
+
+		memset(&sc_stat, 0, sizeof(struct rte_security_macsec_sc_stats));
+		rte_security_macsec_sc_stats_get(ctx, tx_sc_id, RTE_SECURITY_MACSEC_DIR_TX,
+						 &sc_stat);
+		printf("\n********** TX SC[%u] STATS **************\n", tx_sc_id);
+		if (sc_stat.pkt_encrypt_cnt)
+			printf("TX pkt_encrypt_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_encrypt_cnt);
+		if (sc_stat.pkt_protected_cnt)
+			printf("TX pkt_protected_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_protected_cnt);
+		if (sc_stat.octet_encrypt_cnt)
+			printf("TX octet_encrypt_cnt: 0x%" PRIx64 "\n", sc_stat.octet_encrypt_cnt);
+
+		memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+		rte_security_macsec_sa_stats_get(ctx, tx_sa_id[0],
+				RTE_SECURITY_MACSEC_DIR_TX, &sa_stat);
+		printf("\n********** TX SA[%u] STATS ****************\n", tx_sa_id[0]);
+		if (sa_stat.pkt_encrypt_cnt)
+			printf("TX pkt_encrypt_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_encrypt_cnt);
+		if (sa_stat.pkt_protected_cnt)
+			printf("TX pkt_protected_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_protected_cnt);
+	}
+}
+
+static int
+test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
+{
+	uint16_t rx_sa_id[MCS_MAX_FLOWS][RTE_SECURITY_MACSEC_NUM_AN] = {{0}};
+	uint16_t tx_sa_id[MCS_MAX_FLOWS][2] = {{0}};
+	uint16_t rx_sc_id[MCS_MAX_FLOWS] = {0};
+	uint16_t tx_sc_id[MCS_MAX_FLOWS] = {0};
+	void *rx_sess[MCS_MAX_FLOWS] = {0};
+	void *tx_sess[MCS_MAX_FLOWS] = {0};
+	struct rte_security_session_conf sess_conf = {0};
+	struct rte_security_macsec_sa sa_conf = {0};
+	struct rte_security_macsec_sc sc_conf = {0};
+	struct rte_security_ctx *ctx;
+	int nb_rx = 0, nb_sent;
+	int i, j = 0, ret, id, an = 0;
+	uint8_t tci_off;
+
+	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * opts->nb_td);
+
+	ctx = (struct rte_security_ctx *)rte_eth_dev_get_sec_ctx(port_id);
+	if (ctx == NULL) {
+		printf("Ethernet device doesn't support security features.\n");
+		return TEST_SKIPPED;
+	}
+
+	tci_off = (opts->sectag_insert_mode == 1) ? RTE_ETHER_HDR_LEN :
+			RTE_ETHER_HDR_LEN + (opts->nb_vlan * RTE_VLAN_HLEN);
+
+	for (i = 0, j = 0; i < opts->nb_td; i++) {
+		if (op == MCS_DECAP || op == MCS_VERIFY_ONLY)
+			tx_pkts_burst[j] = init_packet(mbufpool, td[i]->secure_pkt.data,
+							td[i]->secure_pkt.len);
+		else {
+			tx_pkts_burst[j] = init_packet(mbufpool, td[i]->plain_pkt.data,
+							td[i]->plain_pkt.len);
+
+			tx_pkts_burst[j]->ol_flags |= RTE_MBUF_F_TX_MACSEC;
+		}
+		if (tx_pkts_burst[j] == NULL) {
+			while (j--)
+				rte_pktmbuf_free(tx_pkts_burst[j]);
+			ret = TEST_FAILED;
+			goto out;
+		}
+		j++;
+
+		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
+				/* For simplicity, using same SA conf for all AN */
+				fill_macsec_sa_conf(td[i], &sa_conf,
+						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
+				id = rte_security_macsec_sa_create(ctx, &sa_conf);
+				if (id < 0) {
+					printf("MACsec SA create failed : %d.\n", id);
+					return TEST_FAILED;
+				}
+				rx_sa_id[i][an] = (uint16_t)id;
+			}
+			fill_macsec_sc_conf(td[i], &sc_conf, opts,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sa_id[i], tci_off);
+			id = rte_security_macsec_sc_create(ctx, &sc_conf);
+			if (id < 0) {
+				printf("MACsec SC create failed : %d.\n", id);
+				goto out;
+			}
+			rx_sc_id[i] = (uint16_t)id;
+
+			/* Create Inline IPsec session. */
+			ret = fill_session_conf(td[i], port_id, opts, &sess_conf,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sc_id[i], tci_off);
+			if (ret)
+				return TEST_FAILED;
+
+			rx_sess[i] = rte_security_session_create(ctx, &sess_conf,
+					sess_pool);
+			if (rx_sess[i] == NULL) {
+				printf("SEC Session init failed.\n");
+				return TEST_FAILED;
+			}
+			ret = create_default_flow(td[i], port_id,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sess[i]);
+			if (ret)
+				goto out;
+		}
+		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+			int id;
+
+			fill_macsec_sa_conf(td[i], &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					td[i]->secure_pkt.data[tci_off] & RTE_MACSEC_AN_MASK,
+					tci_off);
+			id = rte_security_macsec_sa_create(ctx, &sa_conf);
+			if (id < 0) {
+				printf("MACsec SA create failed : %d.\n", id);
+				return TEST_FAILED;
+			}
+			tx_sa_id[i][0] = (uint16_t)id;
+			tx_sa_id[i][1] = MCS_INVALID_SA;
+			fill_macsec_sc_conf(td[i], &sc_conf, opts,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sa_id[i], tci_off);
+			id = rte_security_macsec_sc_create(ctx, &sc_conf);
+			if (id < 0) {
+				printf("MACsec SC create failed : %d.\n", id);
+				goto out;
+			}
+			tx_sc_id[i] = (uint16_t)id;
+
+			/* Create Inline IPsec session. */
+			ret = fill_session_conf(td[i], port_id, opts, &sess_conf,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sc_id[i], tci_off);
+			if (ret)
+				return TEST_FAILED;
+
+			tx_sess[i] = rte_security_session_create(ctx, &sess_conf,
+					sess_pool);
+			if (tx_sess[i] == NULL) {
+				printf("SEC Session init failed.\n");
+				return TEST_FAILED;
+			}
+			ret = create_default_flow(td[i], port_id,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sess[i]);
+			if (ret)
+				goto out;
+		}
+	}
+
+	/* Send packet to ethdev for inline MACsec processing. */
+	nb_sent = rte_eth_tx_burst(port_id, 0, tx_pkts_burst, j);
+
+	if (nb_sent != j) {
+		printf("\nUnable to TX %d packets, sent: %i", j, nb_sent);
+		for ( ; nb_sent < j; nb_sent++)
+			rte_pktmbuf_free(tx_pkts_burst[nb_sent]);
+		ret = TEST_FAILED;
+		goto out;
+	}
+
+	rte_pause();
+
+	/* Receive back packet on loopback interface. */
+	do {
+		nb_rx += rte_eth_rx_burst(port_id, 0,
+				&rx_pkts_burst[nb_rx],
+				nb_sent - nb_rx);
+		if (nb_rx >= nb_sent)
+			break;
+		rte_delay_ms(1);
+	} while (j++ < 5 && nb_rx == 0);
+
+	if (nb_rx != nb_sent) {
+		printf("\nUnable to RX all %d packets, received(%i)",
+				nb_sent, nb_rx);
+		while (--nb_rx >= 0)
+			rte_pktmbuf_free(rx_pkts_burst[nb_rx]);
+		ret = TEST_FAILED;
+		goto out;
+	}
+
+	for (i = 0; i < nb_rx; i++) {
+		ret = test_macsec_post_process(rx_pkts_burst[i], td[i], op,
+				opts->check_out_pkts_untagged);
+		if (ret != TEST_SUCCESS) {
+			for ( ; i < nb_rx; i++)
+				rte_pktmbuf_free(rx_pkts_burst[i]);
+			goto out;
+		}
+
+		rte_pktmbuf_free(rx_pkts_burst[i]);
+		rx_pkts_burst[i] = NULL;
+	}
+out:
+	for (i = 0; i < opts->nb_td; i++) {
+		if (opts->dump_all_stats) {
+			mcs_stats_dump(ctx, op,
+					rx_sess[i], tx_sess[i],
+					rx_sc_id[i], tx_sc_id[i],
+					rx_sa_id[i], tx_sa_id[i]);
+		}
+	}
+
+	destroy_default_flow(port_id);
+
+	/* Destroy session so that other cases can create the session again */
+	for (i = 0; i < opts->nb_td; i++) {
+		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+			rte_security_session_destroy(ctx, tx_sess[i]);
+			tx_sess[i] = NULL;
+			rte_security_macsec_sc_destroy(ctx, tx_sc_id[i],
+						RTE_SECURITY_MACSEC_DIR_TX);
+			rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][0],
+						RTE_SECURITY_MACSEC_DIR_TX);
+		}
+		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+			rte_security_session_destroy(ctx, rx_sess[i]);
+			rx_sess[i] = NULL;
+			rte_security_macsec_sc_destroy(ctx, rx_sc_id[i],
+						RTE_SECURITY_MACSEC_DIR_RX);
+			for (j = 0; j < RTE_SECURITY_MACSEC_NUM_AN; j++) {
+				rte_security_macsec_sa_destroy(ctx, rx_sa_id[i][j],
+						RTE_SECURITY_MACSEC_DIR_RX);
+			}
+		}
+	}
+
+	return ret;
+}
+
+static int
+test_inline_macsec_encap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Encryption case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Encryption case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_decap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Decryption case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Decryption case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+ut_setup_inline_macsec(void)
+{
+	int ret;
+
+	/* Start device */
+	ret = rte_eth_dev_start(port_id);
+	if (ret < 0) {
+		printf("rte_eth_dev_start: err=%d, port=%d\n",
+			ret, port_id);
+		return ret;
+	}
+	/* always enable promiscuous */
+	ret = rte_eth_promiscuous_enable(port_id);
+	if (ret != 0) {
+		printf("rte_eth_promiscuous_enable: err=%s, port=%d\n",
+			rte_strerror(-ret), port_id);
+		return ret;
+	}
+
+	check_all_ports_link_status(1, RTE_PORT_ALL);
+
+	return 0;
+}
+
+static void
+ut_teardown_inline_macsec(void)
+{
+	uint16_t portid;
+	int ret;
+
+	/* port tear down */
+	RTE_ETH_FOREACH_DEV(portid) {
+		ret = rte_eth_dev_stop(portid);
+		if (ret != 0)
+			printf("rte_eth_dev_stop: err=%s, port=%u\n",
+			       rte_strerror(-ret), portid);
+
+	}
+}
+
+static int
+inline_macsec_testsuite_setup(void)
+{
+	uint16_t nb_rxd;
+	uint16_t nb_txd;
+	uint16_t nb_ports;
+	int ret;
+	uint16_t nb_rx_queue = 1, nb_tx_queue = 1;
+
+	printf("Start inline MACsec test.\n");
+
+	nb_ports = rte_eth_dev_count_avail();
+	if (nb_ports < NB_ETHPORTS_USED) {
+		printf("At least %u port(s) used for test\n",
+		       NB_ETHPORTS_USED);
+		return TEST_SKIPPED;
+	}
+
+	ret = init_mempools(NB_MBUF);
+	if (ret)
+		return ret;
+
+	if (tx_pkts_burst == NULL) {
+		tx_pkts_burst = (struct rte_mbuf **)rte_calloc("tx_buff",
+					  MAX_TRAFFIC_BURST,
+					  sizeof(void *),
+					  RTE_CACHE_LINE_SIZE);
+		if (!tx_pkts_burst)
+			return TEST_FAILED;
+
+		rx_pkts_burst = (struct rte_mbuf **)rte_calloc("rx_buff",
+					  MAX_TRAFFIC_BURST,
+					  sizeof(void *),
+					  RTE_CACHE_LINE_SIZE);
+		if (!rx_pkts_burst)
+			return TEST_FAILED;
+	}
+
+	printf("Generate %d packets\n", MAX_TRAFFIC_BURST);
+
+	nb_rxd = RTE_TEST_RX_DESC_DEFAULT;
+	nb_txd = RTE_TEST_TX_DESC_DEFAULT;
+
+	/* configuring port 0 for the test is enough */
+	port_id = 0;
+	/* port configure */
+	ret = rte_eth_dev_configure(port_id, nb_rx_queue,
+				    nb_tx_queue, &port_conf);
+	if (ret < 0) {
+		printf("Cannot configure device: err=%d, port=%d\n",
+			 ret, port_id);
+		return ret;
+	}
+	ret = rte_eth_macaddr_get(port_id, &ports_eth_addr[port_id]);
+	if (ret < 0) {
+		printf("Cannot get mac address: err=%d, port=%d\n",
+			 ret, port_id);
+		return ret;
+	}
+	printf("Port %u ", port_id);
+	print_ethaddr("Address:", &ports_eth_addr[port_id]);
+	printf("\n");
+
+	/* tx queue setup */
+	ret = rte_eth_tx_queue_setup(port_id, 0, nb_txd,
+				     SOCKET_ID_ANY, &tx_conf);
+	if (ret < 0) {
+		printf("rte_eth_tx_queue_setup: err=%d, port=%d\n",
+				ret, port_id);
+		return ret;
+	}
+	/* rx queue steup */
+	ret = rte_eth_rx_queue_setup(port_id, 0, nb_rxd, SOCKET_ID_ANY,
+				     &rx_conf, mbufpool);
+	if (ret < 0) {
+		printf("rte_eth_rx_queue_setup: err=%d, port=%d\n",
+				ret, port_id);
+		return ret;
+	}
+
+	return 0;
+}
+
+static void
+inline_macsec_testsuite_teardown(void)
+{
+	uint16_t portid;
+	int ret;
+
+	/* port tear down */
+	RTE_ETH_FOREACH_DEV(portid) {
+		ret = rte_eth_dev_reset(portid);
+		if (ret != 0)
+			printf("rte_eth_dev_reset: err=%s, port=%u\n",
+			       rte_strerror(-ret), port_id);
+	}
+	rte_free(tx_pkts_burst);
+	rte_free(rx_pkts_burst);
+}
+
+
+static struct unit_test_suite inline_macsec_testsuite  = {
+	.suite_name = "Inline MACsec Ethernet Device Unit Test Suite",
+	.unit_test_cases = {
+		TEST_CASE_NAMED_ST(
+			"MACsec encap(Cipher+Auth) known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec decap(De-cipher+verify) known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_decap_all),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	},
+};
+
+static int
+test_inline_macsec(void)
+{
+	inline_macsec_testsuite.setup = inline_macsec_testsuite_setup;
+	inline_macsec_testsuite.teardown = inline_macsec_testsuite_teardown;
+	return unit_test_suite_runner(&inline_macsec_testsuite);
+}
+
+#endif /* !RTE_EXEC_ENV_WINDOWS */
+
+REGISTER_TEST_COMMAND(inline_macsec_autotest, test_inline_macsec);
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
new file mode 100644
index 0000000000..68bd485419
--- /dev/null
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -0,0 +1,1086 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+#ifndef _TEST_INLINE_MACSEC_VECTORS_H_
+#define _TEST_INLINE_MACSEC_VECTORS_H_
+
+#define MCS_MAX_DATA_SZ				256
+#define MCS_MAX_KEY_LEN				32
+#define MCS_IV_LEN				12
+#define MCS_SALT_LEN				12
+#define MCS_MAX_FLOWS				63
+
+enum mcs_op {
+	MCS_NO_OP,
+	MCS_ENCAP,
+	MCS_DECAP,
+	MCS_ENCAP_DECAP,
+	MCS_AUTH_ONLY,
+	MCS_VERIFY_ONLY,
+	MCS_AUTH_VERIFY,
+};
+
+struct mcs_test_vector {
+	uint32_t test_idx;
+	enum rte_security_macsec_alg alg;
+	uint32_t ssci;
+	uint32_t xpn;
+	uint8_t salt[MCS_SALT_LEN];
+	struct {
+		uint8_t data[MCS_MAX_KEY_LEN];
+		uint16_t len;
+	} sa_key;
+	struct {
+		uint8_t data[MCS_MAX_DATA_SZ];
+		uint16_t len;
+	} plain_pkt;
+	struct {
+		uint8_t data[MCS_MAX_DATA_SZ];
+		uint16_t len;
+	} secure_pkt;
+};
+
+static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
+/* gcm_128_64B_cipher */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* gcm_128_54B_cipher */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x13, 0xB4, 0xC7, 0x2B, 0x38, 0x9D, 0xC5, 0x01,
+			0x8E, 0x72, 0xA1, 0x71, 0xDD, 0x85, 0xA5, 0xD3,
+			0x75, 0x22, 0x74, 0xD3, 0xA0, 0x19, 0xFB, 0xCA,
+			0xED, 0x09, 0xA4, 0x25, 0xCD, 0x9B, 0x2E, 0x1C,
+			0x9B, 0x72, 0xEE, 0xE7, 0xC9, 0xDE, 0x7D, 0x52,
+			0xB3, 0xF3,
+			/* ICV */
+			0xD6, 0xA5, 0x28, 0x4F, 0x4A, 0x6D, 0x3F, 0xE2,
+			0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
+		},
+		.len = 78,
+	},
+},
+/* gcm_256_54B_cipher */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0xC1, 0x62, 0x3F, 0x55, 0x73, 0x0C, 0x93, 0x53,
+			0x30, 0x97, 0xAD, 0xDA, 0xD2, 0x56, 0x64, 0x96,
+			0x61, 0x25, 0x35, 0x2B, 0x43, 0xAD, 0xAC, 0xBD,
+			0x61, 0xC5, 0xEF, 0x3A, 0xC9, 0x0B, 0x5B, 0xEE,
+			0x92, 0x9C, 0xE4, 0x63, 0x0E, 0xA7, 0x9F, 0x6C,
+			0xE5, 0x19,
+			/* ICV */
+			0x12, 0xAF, 0x39, 0xC2, 0xD1, 0xFD, 0xC2, 0x05,
+			0x1F, 0x8B, 0x7B, 0x3C, 0x9D, 0x39, 0x7E, 0xF2,
+		},
+		.len = 78,
+	},
+},
+/* gcm_128_xpn_54B_cipher */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x9C, 0xA4, 0x69, 0x84, 0x43, 0x02, 0x03, 0xED,
+			0x41, 0x6E, 0xBD, 0xC2, 0xFE, 0x26, 0x22, 0xBA,
+			0x3E, 0x5E, 0xAB, 0x69, 0x61, 0xC3, 0x63, 0x83,
+			0x00, 0x9E, 0x18, 0x7E, 0x9B, 0x0C, 0x88, 0x56,
+			0x46, 0x53, 0xB9, 0xAB, 0xD2, 0x16, 0x44, 0x1C,
+			0x6A, 0xB6,
+			/* ICV */
+			0xF0, 0xA2, 0x32, 0xE9, 0xE4, 0x4C, 0x97, 0x8C,
+			0xF7, 0xCD, 0x84, 0xD4, 0x34, 0x84, 0xD1, 0x01,
+		},
+		.len = 78,
+	},
+},
+/* gcm_256_xpn_54B_cipher */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x88, 0xD9, 0xF7, 0xD1, 0xF1, 0x57, 0x8E, 0xE3,
+			0x4B, 0xA7, 0xB1, 0xAB, 0xC8, 0x98, 0x93, 0xEF,
+			0x1D, 0x33, 0x98, 0xC9, 0xF1, 0xDD, 0x3E, 0x47,
+			0xFB, 0xD8, 0x55, 0x3E, 0x0F, 0xF7, 0x86, 0xEF,
+			0x56, 0x99, 0xEB, 0x01, 0xEA, 0x10, 0x42, 0x0D,
+			0x0E, 0xBD,
+			/* ICV */
+			0x39, 0xA0, 0xE2, 0x73, 0xC4, 0xC7, 0xF9, 0x5E,
+			0xD8, 0x43, 0x20, 0x7D, 0x7A, 0x49, 0x7D, 0xFA,
+		},
+		.len = 78,
+	},
+},
+/* gcm_128_60B_cipher */
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x70, 0x1A, 0xFA, 0x1C, 0xC0, 0x39, 0xC0, 0xD7,
+			0x65, 0x12, 0x8A, 0x66, 0x5D, 0xAB, 0x69, 0x24,
+			0x38, 0x99, 0xBF, 0x73, 0x18, 0xCC, 0xDC, 0x81,
+			0xC9, 0x93, 0x1D, 0xA1, 0x7F, 0xBE, 0x8E, 0xDD,
+			0x7D, 0x17, 0xCB, 0x8B, 0x4C, 0x26, 0xFC, 0x81,
+			0xE3, 0x28, 0x4F, 0x2B, 0x7F, 0xBA, 0x71, 0x3D,
+			/* ICV */
+			0x4F, 0x8D, 0x55, 0xE7, 0xD3, 0xF0, 0x6F, 0xD5,
+			0xA1, 0x3C, 0x0C, 0x29, 0xB9, 0xD5, 0xB8, 0x80,
+		},
+		.len = 92,
+	},
+},
+/* gcm_256_60B_cipher */
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0xE2, 0x00, 0x6E, 0xB4, 0x2F, 0x52, 0x77, 0x02,
+			0x2D, 0x9B, 0x19, 0x92, 0x5B, 0xC4, 0x19, 0xD7,
+			0xA5, 0x92, 0x66, 0x6C, 0x92, 0x5F, 0xE2, 0xEF,
+			0x71, 0x8E, 0xB4, 0xE3, 0x08, 0xEF, 0xEA, 0xA7,
+			0xC5, 0x27, 0x3B, 0x39, 0x41, 0x18, 0x86, 0x0A,
+			0x5B, 0xE2, 0xA9, 0x7F, 0x56, 0xAB, 0x78, 0x36,
+			/* ICV */
+			0x5C, 0xA5, 0x97, 0xCD, 0xBB, 0x3E, 0xDB, 0x8D,
+			0x1A, 0x11, 0x51, 0xEA, 0x0A, 0xF7, 0xB4, 0x36,
+		},
+		.len = 92,
+	},
+},
+/* gcm_128_xpn_60B_cipher */
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x07, 0x12, 0xD9, 0x80, 0xCA, 0x50, 0xBB, 0xED,
+			0x35, 0xA0, 0xFA, 0x56, 0x63, 0x38, 0x72, 0x9F,
+			0xFA, 0x16, 0xD1, 0x9F, 0xFC, 0xF0, 0x7B, 0x3A,
+			0x1E, 0x79, 0x19, 0xB3, 0x77, 0x6A, 0xAC, 0xEC,
+			0x8A, 0x59, 0x37, 0x20, 0x8B, 0x48, 0x3A, 0x76,
+			0x91, 0x98, 0x4D, 0x38, 0x07, 0x92, 0xE0, 0x7F,
+			/* ICV */
+			0xC2, 0xC3, 0xC7, 0x9F, 0x26, 0x3F, 0xA6, 0xBF,
+			0xF8, 0xE7, 0x58, 0x1E, 0x2C, 0xE4, 0x5A, 0xF8,
+		},
+		.len = 92,
+	},
+},
+/* gcm_256_xpn_60B_cipher */
+{
+	.test_idx = 8,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x3E, 0xB0, 0x4A, 0x4B, 0xBF, 0x54, 0xC6, 0xEB,
+			0x12, 0x22, 0xA9, 0xAE, 0xA0, 0x0C, 0x38, 0x68,
+			0x7F, 0x6C, 0x35, 0x20, 0xD9, 0x76, 0xA3, 0xB6,
+			0x94, 0x80, 0x06, 0x50, 0xCE, 0x65, 0x85, 0xE6,
+			0x20, 0xA4, 0x19, 0x19, 0x17, 0xD2, 0xA6, 0x05,
+			0xD8, 0x70, 0xC7, 0x8D, 0x27, 0x52, 0xCE, 0x49,
+			/* ICV */
+			0x3B, 0x44, 0x2A, 0xC0, 0xC8, 0x16, 0xD7, 0xAB,
+			0xD7, 0x0A, 0xD6, 0x5C, 0x25, 0xD4, 0x64, 0x13,
+		},
+		.len = 92,
+	},
+},
+/* gcm_128_61B_cipher */
+{
+	.test_idx = 9,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x3A, 0x4D, 0xE6, 0xFA, 0x32, 0x19, 0x10, 0x14,
+			0xDB, 0xB3, 0x03, 0xD9, 0x2E, 0xE3, 0xA9, 0xE8,
+			0xA1, 0xB5, 0x99, 0xC1, 0x4D, 0x22, 0xFB, 0x08,
+			0x00, 0x96, 0xE1, 0x38, 0x11, 0x81, 0x6A, 0x3C,
+			0x9C, 0x9B, 0xCF, 0x7C, 0x1B, 0x9B, 0x96, 0xDA,
+			0x80, 0x92, 0x04, 0xE2, 0x9D, 0x0E, 0x2A, 0x76,
+			0x42,
+			/* ICV */
+			0xBF, 0xD3, 0x10, 0xA4, 0x83, 0x7C, 0x81, 0x6C,
+			0xCF, 0xA5, 0xAC, 0x23, 0xAB, 0x00, 0x39, 0x88,
+		},
+		.len = 93,
+	},
+},
+/* gcm_256_61B_cipher */
+{
+	.test_idx = 10,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x11, 0x02, 0x22, 0xFF, 0x80, 0x50, 0xCB, 0xEC,
+			0xE6, 0x6A, 0x81, 0x3A, 0xD0, 0x9A, 0x73, 0xED,
+			0x7A, 0x9A, 0x08, 0x9C, 0x10, 0x6B, 0x95, 0x93,
+			0x89, 0x16, 0x8E, 0xD6, 0xE8, 0x69, 0x8E, 0xA9,
+			0x02, 0xEB, 0x12, 0x77, 0xDB, 0xEC, 0x2E, 0x68,
+			0xE4, 0x73, 0x15, 0x5A, 0x15, 0xA7, 0xDA, 0xEE,
+			0xD4,
+			/* ICV */
+			0xA1, 0x0F, 0x4E, 0x05, 0x13, 0x9C, 0x23, 0xDF,
+			0x00, 0xB3, 0xAA, 0xDC, 0x71, 0xF0, 0x59, 0x6A,
+		},
+		.len = 93,
+	},
+},
+/* gcm_128_xpn_61B_cipher */
+{
+	.test_idx = 11,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x14, 0xC1, 0x76, 0x93, 0xBC, 0x82, 0x97, 0xEE,
+			0x6C, 0x47, 0xC5, 0x65, 0xCB, 0xE0, 0x67, 0x9E,
+			0x80, 0xF0, 0x0F, 0xCA, 0xF5, 0x92, 0xC9, 0xAA,
+			0x04, 0x73, 0x92, 0x8E, 0x7F, 0x2F, 0x21, 0x6F,
+			0xF5, 0xA0, 0x33, 0xDE, 0xC7, 0x51, 0x3F, 0x45,
+			0xD3, 0x4C, 0xBB, 0x98, 0x1C, 0x5B, 0xD6, 0x4E,
+			0x8B,
+			/* ICV */
+			0xD8, 0x4B, 0x8E, 0x2A, 0x78, 0xE7, 0x4D, 0xAF,
+			0xEA, 0xA0, 0x38, 0x46, 0xFE, 0x93, 0x0C, 0x0E,
+		},
+		.len = 93,
+	},
+},
+/* gcm_256_xpn_61B_cipher */
+{
+	.test_idx = 12,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x09, 0x96, 0xE0, 0xC9, 0xA5, 0x57, 0x74, 0xE0,
+			0xA7, 0x92, 0x30, 0x4E, 0x7D, 0xC1, 0x50, 0xBD,
+			0x67, 0xFD, 0x74, 0x7D, 0xD1, 0xB9, 0x41, 0x95,
+			0x94, 0xBF, 0x37, 0x3D, 0x4A, 0xCE, 0x8F, 0x87,
+			0xF5, 0xC1, 0x34, 0x9A, 0xFA, 0xC4, 0x91, 0xAA,
+			0x0A, 0x40, 0xD3, 0x19, 0x90, 0x87, 0xB2, 0x9F,
+			0xDF,
+			/* ICV */
+			0x80, 0x2F, 0x05, 0x0E, 0x69, 0x1F, 0x11, 0xA2,
+			0xD9, 0xB3, 0x58, 0xF6, 0x99, 0x41, 0x84, 0xF5,
+		},
+		.len = 93,
+	},
+},
+/* gcm_128_75B_cipher */
+{
+	.test_idx = 13,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xC3, 0x1F, 0x53, 0xD9, 0x9E, 0x56, 0x87, 0xF7,
+			0x36, 0x51, 0x19, 0xB8, 0x32, 0xD2, 0xAA, 0xE7,
+			0x07, 0x41, 0xD5, 0x93, 0xF1, 0xF9, 0xE2, 0xAB,
+			0x34, 0x55, 0x77, 0x9B, 0x07, 0x8E, 0xB8, 0xFE,
+			0xAC, 0xDF, 0xEC, 0x1F, 0x8E, 0x3E, 0x52, 0x77,
+			0xF8, 0x18, 0x0B, 0x43, 0x36, 0x1F, 0x65, 0x12,
+			0xAD, 0xB1, 0x6D, 0x2E, 0x38, 0x54, 0x8A, 0x2C,
+			0x71, 0x9D, 0xBA, 0x72, 0x28, 0xD8, 0x40,
+			/* ICV */
+			0x88, 0xF8, 0x75, 0x7A, 0xDB, 0x8A, 0xA7, 0x88,
+			0xD8, 0xF6, 0x5A, 0xD6, 0x68, 0xBE, 0x70, 0xE7,
+		},
+		.len = 99,
+	},
+},
+/* gcm_256_75B_cipher */
+{
+	.test_idx = 14,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xBA, 0x8A, 0xE3, 0x1B, 0xC5, 0x06, 0x48, 0x6D,
+			0x68, 0x73, 0xE4, 0xFC, 0xE4, 0x60, 0xE7, 0xDC,
+			0x57, 0x59, 0x1F, 0xF0, 0x06, 0x11, 0xF3, 0x1C,
+			0x38, 0x34, 0xFE, 0x1C, 0x04, 0xAD, 0x80, 0xB6,
+			0x68, 0x03, 0xAF, 0xCF, 0x5B, 0x27, 0xE6, 0x33,
+			0x3F, 0xA6, 0x7C, 0x99, 0xDA, 0x47, 0xC2, 0xF0,
+			0xCE, 0xD6, 0x8D, 0x53, 0x1B, 0xD7, 0x41, 0xA9,
+			0x43, 0xCF, 0xF7, 0xA6, 0x71, 0x3B, 0xD0,
+			/* ICV */
+			0x26, 0x11, 0xCD, 0x7D, 0xAA, 0x01, 0xD6, 0x1C,
+			0x5C, 0x88, 0x6D, 0xC1, 0xA8, 0x17, 0x01, 0x07,
+		},
+		.len = 99,
+	},
+},
+/* gcm_128_xpn_75B_cipher */
+{
+	.test_idx = 15,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xEA, 0xEC, 0xC6, 0xAF, 0x65, 0x12, 0xFC, 0x8B,
+			0x6C, 0x8C, 0x43, 0xBC, 0x55, 0xB1, 0x90, 0xB2,
+			0x62, 0x6D, 0x07, 0xD3, 0xD2, 0x18, 0xFA, 0xF5,
+			0xDA, 0xA7, 0xD8, 0xF8, 0x00, 0xA5, 0x73, 0x31,
+			0xEB, 0x43, 0xB5, 0xA1, 0x7A, 0x37, 0xE5, 0xB1,
+			0xD6, 0x0D, 0x27, 0x5C, 0xCA, 0xF7, 0xAC, 0xD7,
+			0x04, 0xCC, 0x9A, 0xCE, 0x2B, 0xF8, 0xBC, 0x8B,
+			0x9B, 0x23, 0xB9, 0xAD, 0xF0, 0x2F, 0x87,
+			/* ICV */
+			0x34, 0x6B, 0x96, 0xD1, 0x13, 0x6A, 0x75, 0x4D,
+			0xF0, 0xA6, 0xCD, 0xE1, 0x26, 0xC1, 0x07, 0xF8,
+		},
+		.len = 99,
+	},
+},
+/* gcm_256_xpn_75B_cipher */
+{
+	.test_idx = 16,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xB0, 0xFE, 0xA3, 0x63, 0x18, 0xB9, 0xB3, 0x64,
+			0x66, 0xC4, 0x6E, 0x9E, 0x1B, 0xDA, 0x1A, 0x26,
+			0x68, 0x58, 0x19, 0x6E, 0x7E, 0x70, 0xD8, 0x82,
+			0xAE, 0x70, 0x47, 0x56, 0x68, 0xCD, 0xE4, 0xEC,
+			0x88, 0x3F, 0x6A, 0xC2, 0x36, 0x9F, 0x28, 0x4B,
+			0xED, 0x1F, 0xE3, 0x2F, 0x42, 0x09, 0x2F, 0xDF,
+			0xF5, 0x86, 0x8A, 0x3C, 0x64, 0xE5, 0x61, 0x51,
+			0x92, 0xA7, 0xA3, 0x76, 0x0B, 0x34, 0xBC,
+			/* ICV */
+			0x85, 0x69, 0x2C, 0xD8, 0x15, 0xB6, 0x64, 0x71,
+			0x1A, 0xEF, 0x91, 0x1D, 0xF7, 0x8D, 0x7F, 0x46,
+		},
+		.len = 99,
+	},
+},
+};
+
+#endif
-- 
2.25.1

[PATCH v2 04/13] test/security: add MACsec integrity cases

[Akhil Goyal]

Added test vectors and test cases to verify
auth_only/verify_only and encap-decap/auth-verify
to verify the complete TX-RX path using the loopback
mode of ethdev.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 153 +++
 .../test_security_inline_macsec_vectors.h     | 995 ++++++++++++++++++
 2 files changed, 1148 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 9ef967597b..7445b667e4 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -937,6 +937,143 @@ test_inline_macsec_decap_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_auth_only_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_ONLY, &opts);
+		if (err) {
+			printf("\nAuth Generate case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Generate case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_verify_only_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err) {
+			printf("\nAuth Verify case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Verify case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_encap_decap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP_DECAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Encap-decap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Encap-decap case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+
+static int
+test_inline_macsec_auth_verify_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_VERIFY, &opts);
+		if (err) {
+			printf("\nAuth Generate + Verify case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Generate + Verify case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1090,6 +1227,22 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec decap(De-cipher+verify) known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_decap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth only known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_only_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec verify only known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_verify_only_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec encap + decap known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_decap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth + verify known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_verify_all),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 68bd485419..f6c668c281 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -1083,4 +1083,999 @@ static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
+/* gcm_128_54B_integrity */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0xF0, 0x94, 0x78, 0xA9, 0xB0, 0x90, 0x07, 0xD0,
+			0x6F, 0x46, 0xE9, 0xB6, 0xA1, 0xDA, 0x25, 0xDD,
+		},
+		.len = 86,
+	},
+},
+/* gcm_256_54B_integrity */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x2F, 0x0B, 0xC5, 0xAF, 0x40, 0x9E, 0x06, 0xD6,
+			0x09, 0xEA, 0x8B, 0x7D, 0x0F, 0xA5, 0xEA, 0x50,
+		},
+		.len = 86,
+	},
+},
+/* gcm_128_xpn_54B_integrity */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x17, 0xFE, 0x19, 0x81, 0xEB, 0xDD, 0x4A, 0xFC,
+			0x50, 0x62, 0x69, 0x7E, 0x8B, 0xAA, 0x0C, 0x23,
+		},
+		.len = 86,
+	},
+},
+/* gcm_256_xpn_54B_integrity */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x4D, 0xBD, 0x2F, 0x6A, 0x75, 0x4A, 0x6C, 0xF7,
+			0x28, 0xCC, 0x12, 0x9B, 0xA6, 0x93, 0x15, 0x77,
+		},
+		.len = 86,
+	},
+},
+/* gcm_128_60B_integrity */
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0x0C, 0x01, 0x7B, 0xC7, 0x3B, 0x22, 0x7D, 0xFC,
+			0xC9, 0xBA, 0xFA, 0x1C, 0x41, 0xAC, 0xC3, 0x53,
+		},
+		.len = 84,
+	},
+},
+/* gcm_256_60B_integrity */
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0x35, 0x21, 0x7C, 0x77, 0x4B, 0xBC, 0x31, 0xB6,
+			0x31, 0x66, 0xBC, 0xF9, 0xD4, 0xAB, 0xED, 0x07,
+		},
+		.len = 84,
+	},
+},
+/* gcm_128_xpn_60B_integrity */
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0xAB, 0xC4, 0x06, 0x85, 0xA3, 0xCF, 0x91, 0x1D,
+			0x37, 0x87, 0xE4, 0x9D, 0xB6, 0xA7, 0x26, 0x5E,
+		},
+		.len = 84,
+	},
+},
+/* gcm_256_xpn_60B_integrity */
+{
+	.test_idx = 8,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0xAC, 0x21, 0x95, 0x7B, 0x83, 0x12, 0xAB, 0x3C,
+			0x99, 0xAB, 0x46, 0x84, 0x98, 0x79, 0xC3, 0xF3,
+		},
+		.len = 84,
+	},
+},
+/* gcm_128_65B_integrity */
+{
+	.test_idx = 9,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x21, 0x78, 0x67, 0xE5, 0x0C, 0x2D, 0xAD, 0x74,
+			0xC2, 0x8C, 0x3B, 0x50, 0xAB, 0xDF, 0x69, 0x5A,
+		},
+		.len = 97,
+	},
+},
+/* gcm_256_65B_integrity */
+{
+	.test_idx = 10,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x6E, 0xE1, 0x60, 0xE8, 0xFA, 0xEC, 0xA4, 0xB3,
+			0x6C, 0x86, 0xB2, 0x34, 0x92, 0x0C, 0xA9, 0x75,
+		},
+		.len = 97,
+	},
+},
+/* gcm_128_xpn_65B_integrity */
+{
+	.test_idx = 11,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x67, 0x85, 0x59, 0xB7, 0xE5, 0x2D, 0xB0, 0x06,
+			0x82, 0xE3, 0xB8, 0x30, 0x34, 0xCE, 0xBE, 0x59,
+		},
+		.len = 97,
+	},
+},
+/* gcm_256_xpn_65B_integrity */
+{
+	.test_idx = 12,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x84, 0xBA, 0xC8, 0xE5, 0x3D, 0x1E, 0xA3, 0x55,
+			0xA5, 0xC7, 0xD3, 0x34, 0x84, 0x0A, 0xE9, 0x62,
+		},
+		.len = 97,
+	},
+},
+/* gcm_128_79B_integrity */
+{
+	.test_idx = 13,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x07, 0x92, 0x2B, 0x8E, 0xBC, 0xF1, 0x0B, 0xB2,
+			0x29, 0x75, 0x88, 0xCA, 0x4C, 0x61, 0x45, 0x23,
+		},
+		.len = 103,
+	},
+},
+/* gcm_256_79B_integrity */
+{
+	.test_idx = 14,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x00, 0xBD, 0xA1, 0xB7, 0xE8, 0x76, 0x08, 0xBC,
+			0xBF, 0x47, 0x0F, 0x12, 0x15, 0x7F, 0x4C, 0x07,
+		},
+		.len = 103,
+	},
+},
+/* gcm_128_xpn_79B_integrity */
+{
+	.test_idx = 15,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0xD0, 0xDC, 0x89, 0x6D, 0xC8, 0x37, 0x98, 0xA7,
+			0x9F, 0x3C, 0x5A, 0x95, 0xBA, 0x3C, 0xDF, 0x9A,
+		},
+		.len = 103,
+	},
+},
+/* gcm_256_xpn_79B_integrity */
+{
+	.test_idx = 16,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x04, 0x24, 0x9A, 0x20, 0x8A, 0x65, 0xB9, 0x6B,
+			0x3F, 0x32, 0x63, 0x00, 0x4C, 0xFD, 0x86, 0x7D,
+		},
+		.len = 103,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH v2 05/13] test/security: verify multi flow MACsec

[Akhil Goyal]

Added test case and test vectors to verify multiple
flows of MACsec.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  49 ++++++++
 .../test_security_inline_macsec_vectors.h     | 110 +++++++++++++++++-
 2 files changed, 158 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 7445b667e4..621074a928 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1074,6 +1074,51 @@ test_inline_macsec_auth_verify_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_multi_flow(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *tv[MCS_MAX_FLOWS];
+	struct mcs_test_vector iter[MCS_MAX_FLOWS];
+	struct mcs_test_opts opts = {0};
+	int i, err;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = MCS_MAX_FLOWS;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	for (i = 0; i < MCS_MAX_FLOWS; i++) {
+		memcpy(&iter[i].sa_key.data, sa_key, MCS_MULTI_FLOW_TD_KEY_SZ);
+		memcpy(&iter[i].plain_pkt.data, eth_addrs[i], 2 * RTE_ETHER_ADDR_LEN);
+		memcpy(&iter[i].plain_pkt.data[2 * RTE_ETHER_ADDR_LEN], plain_user_data,
+		       MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ);
+		memcpy(&iter[i].secure_pkt.data, eth_addrs[i], 2 * RTE_ETHER_ADDR_LEN);
+		memcpy(&iter[i].secure_pkt.data[2 * RTE_ETHER_ADDR_LEN], secure_user_data,
+		       MCS_MULTI_FLOW_TD_SECURE_DATA_SZ);
+		iter[i].sa_key.len = MCS_MULTI_FLOW_TD_KEY_SZ;
+		iter[i].plain_pkt.len = MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ +
+					(2 * RTE_ETHER_ADDR_LEN);
+		iter[i].secure_pkt.len = MCS_MULTI_FLOW_TD_SECURE_DATA_SZ +
+					(2 * RTE_ETHER_ADDR_LEN);
+		iter[i].alg = RTE_SECURITY_MACSEC_ALG_GCM_128;
+		iter[i].ssci = 0x0;
+		iter[i].xpn = 0x0;
+		tv[i] = (const struct mcs_test_vector *)&iter[i];
+	}
+	err = test_macsec(tv, MCS_ENCAP_DECAP, &opts);
+	if (err) {
+		printf("\nCipher Auth Encryption multi flow failed");
+		err = -1;
+	} else {
+		printf("\nCipher Auth Encryption multi flow Passed");
+		err = 0;
+	}
+	return err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1219,6 +1264,10 @@ inline_macsec_testsuite_teardown(void)
 static struct unit_test_suite inline_macsec_testsuite  = {
 	.suite_name = "Inline MACsec Ethernet Device Unit Test Suite",
 	.unit_test_cases = {
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap + decap Multi flow",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_multi_flow),
 		TEST_CASE_NAMED_ST(
 			"MACsec encap(Cipher+Auth) known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index f6c668c281..8d9c2cae77 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -8,7 +8,6 @@
 #define MCS_MAX_KEY_LEN				32
 #define MCS_IV_LEN				12
 #define MCS_SALT_LEN				12
-#define MCS_MAX_FLOWS				63
 
 enum mcs_op {
 	MCS_NO_OP,
@@ -2078,4 +2077,113 @@ static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
 },
 };
 
+#define MCS_MULTI_FLOW_TD_KEY_SZ		16
+#define MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ		42
+#define MCS_MULTI_FLOW_TD_SECURE_DATA_SZ	66
+#define MCS_MULTI_FLOW_TD_KEY_SZ		16
+#define MCS_MAX_FLOWS				63
+
+uint8_t sa_key[MCS_MULTI_FLOW_TD_KEY_SZ] = {
+		0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+		0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+};
+
+uint8_t eth_addrs[MCS_MAX_FLOWS][2 * RTE_ETHER_ADDR_LEN] = {
+		{0xE2, 0x00, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x02, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x03, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x04, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x05, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x06, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x07, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x08, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x09, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x10, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x11, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x12, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x13, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x14, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x15, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x16, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x17, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x18, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x19, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x20, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x21, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x22, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x23, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x24, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x25, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x26, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x27, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x28, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x29, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x30, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x31, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x32, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x33, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x34, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x35, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x36, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x37, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x38, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x39, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+};
+
+uint8_t plain_user_data[MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ] = {
+		/* User Data with Ethertype */
+		0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+		0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+		0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+		0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+		0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+		0x00, 0x04,
+};
+
+uint8_t secure_user_data[MCS_MULTI_FLOW_TD_SECURE_DATA_SZ] = {
+		/* MACsec EtherType */
+		0x88, 0xE5,
+		/* TCI and AN */
+		0x4C,
+		/* SL */
+		0x2A,
+		/* PN */
+		0x76, 0xD4, 0x57, 0xED,
+		/* Secure Data */
+		0x13, 0xB4, 0xC7, 0x2B, 0x38, 0x9D, 0xC5, 0x01,
+		0x8E, 0x72, 0xA1, 0x71, 0xDD, 0x85, 0xA5, 0xD3,
+		0x75, 0x22, 0x74, 0xD3, 0xA0, 0x19, 0xFB, 0xCA,
+		0xED, 0x09, 0xA4, 0x25, 0xCD, 0x9B, 0x2E, 0x1C,
+		0x9B, 0x72, 0xEE, 0xE7, 0xC9, 0xDE, 0x7D, 0x52,
+		0xB3, 0xF3,
+		/* ICV */
+		0xD6, 0xA5, 0x28, 0x4F, 0x4A, 0x6D, 0x3F, 0xE2,
+		0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
+};
+
+
 #endif
-- 
2.25.1

[PATCH v2 06/13] test/security: add MACsec VLAN cases

[Akhil Goyal]

Added cases to verify MACsec processing with VLAN
tags inserted. Vectors are added to verify 1/2/3
VLAN tags in clear or encrypted data.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  67 ++++++
 .../test_security_inline_macsec_vectors.h     | 217 ++++++++++++++++++
 2 files changed, 284 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 621074a928..854ead75a0 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1119,6 +1119,69 @@ test_inline_macsec_multi_flow(const void *data __rte_unused)
 	return err;
 }
 
+static int
+test_inline_macsec_with_vlan(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_vlan_vectors) / sizeof((list_mcs_vlan_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_vlan_vectors[i];
+		if (i == 0) {
+			opts.sectag_insert_mode = 1;
+		} else if (i == 1) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 1;
+		} else if (i == 2) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 2;
+		}
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("\n VLAN Encap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\n VLAN Encap case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_vlan_vectors[i];
+		if (i == 0) {
+			opts.sectag_insert_mode = 1;
+		} else if (i == 1) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 1;
+		} else if (i == 2) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 2;
+		}
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\n VLAN Decap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\n VLAN Decap case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, (2 * size) + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1292,6 +1355,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec auth + verify known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_auth_verify_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap and decap with VLAN",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_with_vlan),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 8d9c2cae77..4bcb82783c 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -2185,5 +2185,222 @@ uint8_t secure_user_data[MCS_MULTI_FLOW_TD_SECURE_DATA_SZ] = {
 		0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
 };
 
+static const struct mcs_test_vector list_mcs_vlan_vectors[] = {
+/* No clear tag, VLAN after macsec header */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data with VLAN Tag */
+			0x81, 0x00, 0x00, 0x02, 0x08, 0x00, 0x45, 0x00,
+			0x00, 0x54, 0xF2, 0xFA, 0x40, 0x00, 0x40, 0x01,
+			0xF7, 0x83, 0x14, 0x14, 0x14, 0x02, 0x14, 0x14,
+			0x14, 0x01, 0x08, 0x00, 0xE9, 0xC5, 0x02, 0xAF,
+			0x00, 0x01, 0xCB, 0x51, 0x6D, 0x38, 0x00, 0x00,
+			0x00, 0x00, 0x13, 0x2D, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+			0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
+			0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D,
+			0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+			0x36, 0x37,
+		},
+		.len = 102,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x06,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x81, 0x00, 0x00, 0x02, 0x08, 0x00, 0x45, 0x00,
+			0x00, 0x54, 0xF2, 0xFA, 0x40, 0x00, 0x40, 0x01,
+			0xF7, 0x83, 0x14, 0x14, 0x14, 0x02, 0x14, 0x14,
+			0x14, 0x01, 0x08, 0x00, 0xE9, 0xC5, 0x02, 0xAF,
+			0x00, 0x01, 0xCB, 0x51, 0x6D, 0x38, 0x00, 0x00,
+			0x00, 0x00, 0x13, 0x2D, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+			0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
+			0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D,
+			0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+			0x36, 0x37,
+			/* ICV */
+			0x21, 0x68, 0xF1, 0x21, 0x19, 0xB7, 0xDF, 0x73,
+			0x6F, 0x2A, 0x11, 0xEA, 0x8A, 0xBC, 0x8A, 0x79,
+		},
+		.len = 134,
+	},
+},
+/* 1 vlan tag followed by MACsec */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data */
+			0x81, 0x00, 0x00, 0x02,
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x88, 0x71,
+			0x40, 0x00, 0x40, 0x01, 0x62, 0x0D, 0x14, 0x14,
+			0x14, 0x02, 0x14, 0x14, 0x14, 0x01, 0x08, 0x00,
+			0x77, 0xA6, 0x02, 0xB3, 0x00, 0x01, 0xBE, 0x52,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x47,
+			0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		},
+		.len = 102,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* VLAN Tag before MACsec */
+			0x81, 0x00, 0x00, 0x02,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x07,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x88, 0x71,
+			0x40, 0x00, 0x40, 0x01, 0x62, 0x0D, 0x14, 0x14,
+			0x14, 0x02, 0x14, 0x14, 0x14, 0x01, 0x08, 0x00,
+			0x77, 0xA6, 0x02, 0xB3, 0x00, 0x01, 0xBE, 0x52,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x47,
+			0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+			/* ICV */
+			0xF1, 0xC0, 0xA2, 0x6E, 0x99, 0xE5, 0xAB, 0x97,
+			0x78, 0x79, 0x7D, 0x13, 0x35, 0x5E, 0x39, 0x4F,
+		},
+		.len = 134,
+	},
+},
+/* 2 vlan tag followed by MACsec */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data */
+			0x88, 0xA8, 0x00, 0x04, 0x81, 0x00, 0x00, 0x02,
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x70, 0x5B,
+			0x40, 0x00, 0x40, 0x01, 0x29, 0xF9, 0x28, 0x28,
+			0x28, 0x04, 0x28, 0x28, 0x28, 0x01, 0x08, 0x00,
+			0x08, 0x02, 0x02, 0xE2, 0x00, 0x01, 0x60, 0x58,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x5C, 0xB7,
+			0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		},
+		.len = 106,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* VLAN Tags before MACsec */
+			0x88, 0xA8, 0x00, 0x04,
+			0x81, 0x00, 0x00, 0x02,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x0E,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x70, 0x5B,
+			0x40, 0x00, 0x40, 0x01, 0x29, 0xF9, 0x28, 0x28,
+			0x28, 0x04, 0x28, 0x28, 0x28, 0x01, 0x08, 0x00,
+			0x08, 0x02, 0x02, 0xE2, 0x00, 0x01, 0x60, 0x58,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x5C, 0xB7,
+			0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+			/* ICV */
+			0xCC, 0x38, 0x21, 0x3A, 0xEE, 0x5F, 0xE3, 0x7F,
+			0xA1, 0xBA, 0xBD, 0xBD, 0x65, 0x5B, 0xB3, 0xE5,
+		},
+		.len = 138,
+	},
+},
+};
+
+
 
 #endif
-- 
2.25.1

[PATCH v2 07/13] test/security: add MACsec negative cases

[Akhil Goyal]

Added MACsec negative test cases to verify
pkt drop, untagged rx, bad tag rx, sa not in use,
out packets untagged, pkts too long.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 346 +++++++++++++
 .../test_security_inline_macsec_vectors.h     | 475 ++++++++++++++++++
 2 files changed, 821 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 854ead75a0..2a06f31f37 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -660,6 +660,103 @@ mcs_stats_dump(struct rte_security_ctx *ctx, enum mcs_op op,
 	}
 }
 
+static int
+mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
+		const struct mcs_test_opts *opts,
+		const struct mcs_test_vector *td,
+		void *rx_sess, void *tx_sess,
+		uint8_t rx_sc_id, uint8_t tx_sc_id,
+		uint16_t rx_sa_id[], uint16_t tx_sa_id[])
+{
+	struct rte_security_stats sess_stats = {0};
+	struct rte_security_macsec_secy_stats *secy_stat;
+	struct rte_security_macsec_sc_stats sc_stat = {0};
+	struct rte_security_macsec_sa_stats sa_stat = {0};
+	int i;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+		rte_security_session_stats_get(ctx, rx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if ((opts->check_untagged_rx && secy_stat->pkt_notag_cnt != 1) ||
+				(opts->check_untagged_rx && secy_stat->pkt_untaged_cnt != 1))
+			return TEST_FAILED;
+
+		if (opts->check_bad_tag_cnt && secy_stat->pkt_badtag_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_sa_not_in_use && secy_stat->pkt_nosaerror_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_decap_stats && secy_stat->octet_decrypted_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		if (opts->check_verify_only_stats && secy_stat->octet_validated_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		rte_security_macsec_sc_stats_get(ctx, rx_sc_id,
+				RTE_SECURITY_MACSEC_DIR_RX, &sc_stat);
+
+		if ((opts->check_decap_stats || opts->check_verify_only_stats) &&
+				sc_stat.pkt_ok_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_pkts_invalid_stats && sc_stat.pkt_notvalid_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_pkts_unchecked_stats && sc_stat.pkt_unchecked_cnt != 1)
+			return TEST_FAILED;
+
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
+					RTE_SECURITY_MACSEC_DIR_RX, &sa_stat);
+
+		}
+	}
+
+	if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+		memset(&sess_stats, 0, sizeof(struct rte_security_stats));
+		rte_security_session_stats_get(ctx, tx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if (opts->check_out_pkts_untagged && secy_stat->pkt_untagged_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_out_pkts_toolong && secy_stat->pkt_toolong_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_encap_stats && secy_stat->octet_encrypted_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		if (opts->check_auth_only_stats && secy_stat->octet_protected_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+
+		memset(&sc_stat, 0, sizeof(struct rte_security_macsec_sc_stats));
+		rte_security_macsec_sc_stats_get(ctx, tx_sc_id, RTE_SECURITY_MACSEC_DIR_TX,
+						 &sc_stat);
+
+		if (opts->check_encap_stats && sc_stat.pkt_encrypt_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_auth_only_stats && sc_stat.pkt_protected_cnt != 1)
+			return TEST_FAILED;
+
+		memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+		rte_security_macsec_sa_stats_get(ctx, tx_sa_id[0],
+				RTE_SECURITY_MACSEC_DIR_TX, &sa_stat);
+	}
+
+	return 0;
+}
+
 static int
 test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
 {
@@ -833,12 +930,23 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		rx_pkts_burst[i] = NULL;
 	}
 out:
+	if (opts->check_out_pkts_toolong == 1 ||
+			opts->check_sa_not_in_use == 1 ||
+			opts->check_bad_tag_cnt == 1)
+		ret = TEST_SUCCESS;
+
 	for (i = 0; i < opts->nb_td; i++) {
 		if (opts->dump_all_stats) {
 			mcs_stats_dump(ctx, op,
 					rx_sess[i], tx_sess[i],
 					rx_sc_id[i], tx_sc_id[i],
 					rx_sa_id[i], tx_sa_id[i]);
+		} else {
+			if (ret == TEST_SUCCESS)
+				ret = mcs_stats_check(ctx, op, opts, td[i],
+					rx_sess[i], tx_sess[i],
+					rx_sc_id[i], tx_sc_id[i],
+					rx_sa_id[i], tx_sa_id[i]);
 		}
 	}
 
@@ -1182,6 +1290,220 @@ test_inline_macsec_with_vlan(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_pkt_drop(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_err_cipher_vectors) / sizeof((list_mcs_err_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_err_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nPacket drop case %d passed", cur_td->test_idx);
+			err = 0;
+		} else {
+			printf("\nPacket drop case %d failed", cur_td->test_idx);
+			err = -1;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_untagged_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_untagged_rx = 1;
+
+	size = (sizeof(list_mcs_untagged_cipher_vectors) /
+		sizeof((list_mcs_untagged_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_untagged_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD;
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_untagged_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_bad_tag_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_bad_tag_cnt = 1;
+
+	size = (sizeof(list_mcs_bad_tag_vectors) / sizeof((list_mcs_bad_tag_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_bad_tag_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_sa_not_in_use(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 0;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_sa_not_in_use = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_out_pkts_untagged(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = false;
+	opts.protect_frames = false;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_out_pkts_untagged = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_out_pkts_toolong(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = 50;
+	opts.check_out_pkts_toolong = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1359,6 +1681,30 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec Encap and decap with VLAN",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_with_vlan),
+		TEST_CASE_NAMED_ST(
+			"MACsec packet drop",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkt_drop),
+		TEST_CASE_NAMED_ST(
+			"MACsec untagged Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_untagged_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec bad tag Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_bad_tag_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec SA not in use",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_sa_not_in_use),
+		TEST_CASE_NAMED_ST(
+			"MACsec out pkts untagged",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_out_pkts_untagged),
+		TEST_CASE_NAMED_ST(
+			"MACsec out pkts too long",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_out_pkts_toolong),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 4bcb82783c..2b200c1d89 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -2077,6 +2077,481 @@ static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_err_cipher_vectors[] = {
+/* gcm_128_64B_cipher */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x38, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	}
+}
+};
+
+static const struct mcs_test_vector list_mcs_untagged_cipher_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* Wrong MACsec EtherType */
+			0x88, 0xD7,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
+
+static const struct mcs_test_vector list_mcs_bad_tag_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{V = 1} and AN */
+			0xAC,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{E,C = 2'b01} and AN */
+			0x24,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{ES = 1 && SC = 1} and AN */
+			0x6C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{SCB = 1 && SC = 1} and AN */
+			0x3C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN = 0 */
+			0x0, 0x0, 0x0, 0x0,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x80,
+			/* PN = 0 */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
+
 #define MCS_MULTI_FLOW_TD_KEY_SZ		16
 #define MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ		42
 #define MCS_MULTI_FLOW_TD_SECURE_DATA_SZ	66
-- 
2.25.1

[PATCH v2 08/13] test/security: verify MACsec stats

[Akhil Goyal]

Added cases to verify various stats of MACsec.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c | 222 +++++++++++++++++++++++++
 1 file changed, 222 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 2a06f31f37..9cab3253f4 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1438,6 +1438,140 @@ test_inline_macsec_sa_not_in_use(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_decap_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_decap_stats = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nDecap stats case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nDecap stats case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_verify_only_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_verify_only_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err) {
+			printf("\nVerify only stats case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nVerify only stats case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_pkts_invalid_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_err_cipher_vectors) / sizeof((list_mcs_err_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_err_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_pkts_unchecked_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_DISABLE;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_pkts_unchecked_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 test_inline_macsec_out_pkts_untagged(const void *data __rte_unused)
 {
@@ -1504,6 +1638,70 @@ test_inline_macsec_out_pkts_toolong(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_encap_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_encap_stats = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_auth_only_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_auth_only_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_ONLY, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1697,6 +1895,22 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec SA not in use",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_sa_not_in_use),
+		TEST_CASE_NAMED_ST(
+			"MACsec decap stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_decap_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec verify only stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_verify_only_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec pkts invalid stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkts_invalid_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec pkts unchecked stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkts_unchecked_stats),
 		TEST_CASE_NAMED_ST(
 			"MACsec out pkts untagged",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
@@ -1705,6 +1919,14 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec out pkts too long",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_out_pkts_toolong),
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth only stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_only_stats),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
-- 
2.25.1

[PATCH v2 09/13] test/security: verify MACsec interrupts

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables the test_inline_macsec_interrupts_all
test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 124 +++++++
 .../test_security_inline_macsec_vectors.h     | 306 +++++++++++++++++-
 2 files changed, 429 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 9cab3253f4..12e3234cfb 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -757,6 +757,71 @@ mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
 	return 0;
 }
 
+static int
+test_macsec_event_callback(uint16_t port_id, enum rte_eth_event_type type,
+			   void *param, void *ret_param)
+{
+	struct mcs_err_vector *vector = (struct mcs_err_vector *)param;
+	struct rte_eth_event_macsec_desc *event_desc = NULL;
+
+	RTE_SET_USED(port_id);
+
+	if (type != RTE_ETH_EVENT_MACSEC)
+		return -1;
+
+	event_desc = ret_param;
+	if (event_desc == NULL) {
+		printf("Event descriptor not set\n");
+		return -1;
+	}
+	vector->notify_event = true;
+
+	switch (event_desc->type) {
+	case RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR:
+		vector->event = RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR;
+		switch (event_desc->subtype) {
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		default:
+			printf("\nUnknown Macsec event subtype: %d", event_desc->subtype);
+		}
+		break;
+	case RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_SA_NOT_VALID:
+		vector->event = RTE_ETH_EVENT_MACSEC_SA_NOT_VALID;
+		break;
+	default:
+		printf("Invalid MACsec event reported\n");
+		return -1;
+	}
+
+	return 0;
+}
+
 static int
 test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
 {
@@ -914,6 +979,8 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		while (--nb_rx >= 0)
 			rte_pktmbuf_free(rx_pkts_burst[nb_rx]);
 		ret = TEST_FAILED;
+		if (opts->check_sectag_interrupts == 1)
+			ret = TEST_SUCCESS;
 		goto out;
 	}
 
@@ -1702,6 +1769,59 @@ test_inline_macsec_auth_only_stats(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_interrupts_all(const void *data __rte_unused)
+{
+	struct mcs_err_vector err_vector = {0};
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int i, size;
+	int err, all_err = 0;
+	enum rte_eth_event_macsec_subtype subtype[] =  {
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1,
+	};
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_sectag_interrupts = 1;
+
+	err_vector.event = RTE_ETH_EVENT_MACSEC_UNKNOWN;
+	err_vector.event_subtype = RTE_ETH_SUBEVENT_MACSEC_UNKNOWN;
+	rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_MACSEC,
+			test_macsec_event_callback, &err_vector);
+
+	size = (sizeof(list_mcs_intr_test_vectors) / sizeof((list_mcs_intr_test_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_intr_test_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if ((err_vector.event == RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR) &&
+		    (err_vector.event_subtype == subtype[i])) {
+			printf("\nSectag val err interrupt test case %d passed",
+			       cur_td->test_idx);
+			err = 0;
+		} else {
+			printf("\nSectag val err interrupt test case %d failed",
+			       cur_td->test_idx);
+			err = -1;
+		}
+		all_err += err;
+	}
+	rte_eth_dev_callback_unregister(port_id, RTE_ETH_EVENT_MACSEC,
+			test_macsec_event_callback, &err_vector);
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1927,6 +2047,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec auth only stats",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_auth_only_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec interrupts all",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_interrupts_all),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 2b200c1d89..d861004e8e 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -39,6 +39,13 @@ struct mcs_test_vector {
 	} secure_pkt;
 };
 
+struct mcs_err_vector {
+	const struct mcs_test_vector *td;
+	enum rte_eth_event_macsec_type event;
+	enum rte_eth_event_macsec_subtype event_subtype;
+	bool notify_event;
+};
+
 static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
 /* gcm_128_64B_cipher */
 {
@@ -2876,6 +2883,303 @@ static const struct mcs_test_vector list_mcs_vlan_vectors[] = {
 },
 };
 
-
+static const struct mcs_test_vector list_mcs_intr_test_vectors[] = {
+/* gcm_128_64B_cipher */
+/* SECTAG_V_EQ1 */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0xAC,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_E_EQ0_C_EQ1 */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x24,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_SL_GTE48 */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x31,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_ES_EQ1_SC_EQ1 */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x6C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_SC_EQ1_SCB_EQ1 */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x3C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
 
 #endif
-- 
2.25.1

[PATCH v2 10/13] test/security: verify MACsec Tx HW rekey

[Akhil Goyal]

This patch enables the Tx HW rekey test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 137 +++++++++-
 .../test_security_inline_macsec_vectors.h     | 243 ++++++++++++++++++
 2 files changed, 378 insertions(+), 2 deletions(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 12e3234cfb..2172f61199 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -207,6 +207,8 @@ fill_macsec_sc_conf(const struct mcs_test_vector *td,
 	uint8_t i;
 
 	sc_conf->dir = dir;
+	sc_conf->pn_threshold = ((uint64_t)td->xpn << 32) |
+		rte_be_to_cpu_32(*(const uint32_t *)(&td->secure_pkt.data[tci_off + 2]));
 	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
 		sc_conf->sc_tx.sa_id = sa_id[0];
 		if (sa_id[1] != MCS_INVALID_SA) {
@@ -232,12 +234,16 @@ fill_macsec_sc_conf(const struct mcs_test_vector *td,
 			/* use some default SCI */
 			sc_conf->sc_tx.sci = 0xf1341e023a2b1c5d;
 		}
+		if (td->xpn > 0)
+			sc_conf->sc_tx.is_xpn = 1;
 	} else {
 		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
 			sc_conf->sc_rx.sa_id[i] = sa_id[i];
 			sc_conf->sc_rx.sa_in_use[i] = opts->sa_in_use;
 		}
 		sc_conf->sc_rx.active = 1;
+		if (td->xpn > 0)
+			sc_conf->sc_rx.is_xpn = 1;
 	}
 }
 
@@ -834,6 +840,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 	struct rte_security_session_conf sess_conf = {0};
 	struct rte_security_macsec_sa sa_conf = {0};
 	struct rte_security_macsec_sc sc_conf = {0};
+	struct mcs_err_vector err_vector = {0};
 	struct rte_security_ctx *ctx;
 	int nb_rx = 0, nb_sent;
 	int i, j = 0, ret, id, an = 0;
@@ -868,6 +875,34 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 		j++;
 
+		if (opts->rekey_en) {
+
+			err_vector.td = td[i];
+			err_vector.rekey_td = opts->rekey_td;
+			err_vector.event = RTE_ETH_EVENT_MACSEC_UNKNOWN;
+			err_vector.event_subtype = RTE_ETH_SUBEVENT_MACSEC_UNKNOWN;
+			rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_MACSEC,
+					test_macsec_event_callback, &err_vector);
+			if (op == MCS_DECAP || op == MCS_VERIFY_ONLY)
+				tx_pkts_burst[j] = init_packet(mbufpool,
+						opts->rekey_td->secure_pkt.data,
+						opts->rekey_td->secure_pkt.len);
+			else {
+				tx_pkts_burst[j] = init_packet(mbufpool,
+						opts->rekey_td->plain_pkt.data,
+						opts->rekey_td->plain_pkt.len);
+
+				tx_pkts_burst[j]->ol_flags |= RTE_MBUF_F_TX_MACSEC;
+			}
+			if (tx_pkts_burst[j] == NULL) {
+				while (j--)
+					rte_pktmbuf_free(tx_pkts_burst[j]);
+				ret = TEST_FAILED;
+				goto out;
+			}
+			j++;
+		}
+
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
 			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
@@ -922,6 +957,20 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 			}
 			tx_sa_id[i][0] = (uint16_t)id;
 			tx_sa_id[i][1] = MCS_INVALID_SA;
+			if (opts->rekey_en) {
+				memset(&sa_conf, 0, sizeof(struct rte_security_macsec_sa));
+				fill_macsec_sa_conf(opts->rekey_td, &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					opts->rekey_td->secure_pkt.data[tci_off] &
+						RTE_MACSEC_AN_MASK,
+					tci_off);
+				id = rte_security_macsec_sa_create(ctx, &sa_conf);
+				if (id < 0) {
+					printf("MACsec rekey SA create failed : %d.\n", id);
+					goto out;
+				}
+				tx_sa_id[i][1] = (uint16_t)id;
+			}
 			fill_macsec_sc_conf(td[i], &sc_conf, opts,
 					RTE_SECURITY_MACSEC_DIR_TX, tx_sa_id[i], tci_off);
 			id = rte_security_macsec_sc_create(ctx, &sc_conf);
@@ -984,9 +1033,44 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		goto out;
 	}
 
+	if (opts->rekey_en) {
+		switch (err_vector.event) {
+		case RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP:
+			printf("Received RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP event\n");
+			/* The first sa is active now, so the 0th sa can be
+			 * reconfigured. Using the same key as zeroeth sa, but
+			 * other key can also be configured.
+			 */
+			rte_security_macsec_sa_destroy(ctx, tx_sa_id[0][0],
+					RTE_SECURITY_MACSEC_DIR_TX);
+			fill_macsec_sa_conf(td[0], &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					td[0]->secure_pkt.data[tci_off] &
+					RTE_MACSEC_AN_MASK, tci_off);
+			id = rte_security_macsec_sa_create(ctx, &sa_conf);
+			if (id < 0) {
+				printf("MACsec SA create failed : %d.\n", id);
+				return TEST_FAILED;
+			}
+			tx_sa_id[0][0] = (uint16_t)id;
+			break;
+		default:
+			printf("Received unsupported event\n");
+		}
+	}
+
 	for (i = 0; i < nb_rx; i++) {
-		ret = test_macsec_post_process(rx_pkts_burst[i], td[i], op,
-				opts->check_out_pkts_untagged);
+		if (opts->rekey_en && i == 1) {
+			/* The second received packet is matched with
+			 * rekey td
+			 */
+			ret = test_macsec_post_process(rx_pkts_burst[i],
+					opts->rekey_td, op,
+					opts->check_out_pkts_untagged);
+		} else {
+			ret = test_macsec_post_process(rx_pkts_burst[i], td[i],
+					op, opts->check_out_pkts_untagged);
+		}
 		if (ret != TEST_SUCCESS) {
 			for ( ; i < nb_rx; i++)
 				rte_pktmbuf_free(rx_pkts_burst[i]);
@@ -1019,6 +1103,10 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 
 	destroy_default_flow(port_id);
 
+	if (opts->rekey_en)
+		rte_eth_dev_callback_unregister(port_id, RTE_ETH_EVENT_MACSEC,
+					test_macsec_event_callback, &err_vector);
+
 	/* Destroy session so that other cases can create the session again */
 	for (i = 0; i < opts->nb_td; i++) {
 		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
@@ -1029,6 +1117,10 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 						RTE_SECURITY_MACSEC_DIR_TX);
 			rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][0],
 						RTE_SECURITY_MACSEC_DIR_TX);
+			if (opts->rekey_en) {
+				rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][1],
+						RTE_SECURITY_MACSEC_DIR_TX);
+			}
 		}
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
@@ -1822,6 +1914,43 @@ test_inline_macsec_interrupts_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_rekey_tx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.encrypt = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.rekey_en = 1;
+
+	size = (sizeof(list_mcs_rekey_vectors) / sizeof((list_mcs_rekey_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_rekey_vectors[i];
+		opts.rekey_td = &list_mcs_rekey_vectors[++i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("Tx hw rekey test case %d failed\n", i);
+			err = -1;
+		} else {
+			printf("Tx hw rekey test case %d passed\n", i);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2051,6 +2180,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec interrupts all",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_interrupts_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec re-key Tx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_rekey_tx),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index d861004e8e..80425b0b71 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -41,6 +41,7 @@ struct mcs_test_vector {
 
 struct mcs_err_vector {
 	const struct mcs_test_vector *td;
+	const struct mcs_test_vector *rekey_td;
 	enum rte_eth_event_macsec_type event;
 	enum rte_eth_event_macsec_subtype event_subtype;
 	bool notify_event;
@@ -3182,4 +3183,246 @@ static const struct mcs_test_vector list_mcs_intr_test_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_rekey_vectors[] = {
+/* Initial SA, AN = 0 and PN = 2 */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* Rekeyed SA. sa_key is different from the initial sa.
+ * Also, AN = 1 and PN = 1.
+ */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x01,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x17, 0x66, 0xEF, 0xD9, 0x06, 0xDC, 0x15, 0xAF,
+			0xE9, 0x06, 0xB1, 0xE6, 0x26, 0x22, 0xC8, 0x78,
+			0x27, 0xE1, 0xED, 0x76, 0xF5, 0xC8, 0x16, 0xA1,
+			0x6B, 0x0D, 0xA0, 0x8E, 0x24, 0x2A, 0x9D, 0x34,
+			0xD0, 0xE0, 0x5F, 0xBA, 0x08, 0xF0, 0xE3, 0x7D,
+			0x17, 0xC0, 0x2C, 0xCD, 0x8A, 0x44, 0xC9, 0xB9,
+			0x28, 0xC0, 0xE8, 0x22,
+			/* ICV */
+			0x1B, 0x16, 0x68, 0x5F, 0x14, 0x8A, 0x51, 0x29,
+			0xB5, 0x3D, 0x61, 0x0E, 0x49, 0x20, 0x60, 0x09,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x9C, 0xA4, 0x69, 0x84, 0x43, 0x02, 0x03, 0xED,
+			0x41, 0x6E, 0xBD, 0xC2, 0xFE, 0x26, 0x22, 0xBA,
+			0x3E, 0x5E, 0xAB, 0x69, 0x61, 0xC3, 0x63, 0x83,
+			0x00, 0x9E, 0x18, 0x7E, 0x9B, 0x0C, 0x88, 0x56,
+			0x46, 0x53, 0xB9, 0xAB, 0xD2, 0x16, 0x44, 0x1C,
+			0x6A, 0xB6,
+			/* ICV */
+			0xF0, 0xA2, 0x32, 0xE9, 0xE4, 0x4C, 0x97, 0x8C,
+			0xF7, 0xCD, 0x84, 0xD4, 0x34, 0x84, 0xD1, 0x01,
+		},
+		.len = 78,
+	},
+},
+/* Rekeyed SA. sa_key is different from the initial sa.
+ * Also, AN = 1, XPN = 0 and PN = 1.
+ */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x0, 0x0, 0x0, 0x1,
+			/* Secure Data */
+			0x91, 0x00, 0xC0, 0xE4, 0xB9, 0x4E, 0x2C, 0x1C,
+			0x86, 0xDF, 0xE1, 0x8F, 0xDD, 0xB6, 0xE6, 0x79,
+			0x65, 0x87, 0x80, 0xE7, 0x9C, 0x5D, 0x8A, 0xB7,
+			0x68, 0xFD, 0xE1, 0x6E, 0x3F, 0xF1, 0xDE, 0x20,
+			0x4A, 0xF6, 0xBA, 0xE6, 0x14, 0xDB, 0x6A, 0x05,
+			0xE9, 0xB6,
+			/* ICV */
+			0x2D, 0xDF, 0x59, 0x27, 0x25, 0x41, 0x68, 0x1D,
+			0x74, 0x1A, 0xAA, 0xC4, 0x18, 0x49, 0xB4, 0x22,
+		},
+		.len = 78,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH v2 11/13] test/security: verify MACsec Rx rekey

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables the Rx rekey test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
 app/test/test_security_inline_macsec.c | 50 +++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 2172f61199..d832dfc170 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -906,8 +906,14 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
 			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
+				if (opts->rekey_en && an ==
+						(opts->rekey_td->secure_pkt.data[tci_off] &
+						RTE_MACSEC_AN_MASK))
+					fill_macsec_sa_conf(opts->rekey_td, &sa_conf,
+						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
+				else
 				/* For simplicity, using same SA conf for all AN */
-				fill_macsec_sa_conf(td[i], &sa_conf,
+					fill_macsec_sa_conf(td[i], &sa_conf,
 						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
 				id = rte_security_macsec_sa_create(ctx, &sa_conf);
 				if (id < 0) {
@@ -1054,6 +1060,9 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 			}
 			tx_sa_id[0][0] = (uint16_t)id;
 			break;
+		case RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP:
+			printf("Received RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP event\n");
+			break;
 		default:
 			printf("Received unsupported event\n");
 		}
@@ -1951,6 +1960,41 @@ test_inline_macsec_rekey_tx(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_rekey_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.rekey_en = 1;
+
+	size = (sizeof(list_mcs_rekey_vectors) / sizeof((list_mcs_rekey_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_rekey_vectors[i];
+		opts.rekey_td = &list_mcs_rekey_vectors[++i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("Rx rekey test case %d failed\n", i);
+			err = -1;
+		} else {
+			printf("Rx rekey test case %d passed\n", i);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2184,6 +2228,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec re-key Tx",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_rekey_tx),
+		TEST_CASE_NAMED_ST(
+			"MACsec re-key Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_rekey_rx),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
-- 
2.25.1

[PATCH v2 12/13] test/security: verify MACsec anti replay

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables anti replay test case for MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  82 +++
 .../test_security_inline_macsec_vectors.h     | 467 ++++++++++++++++++
 2 files changed, 549 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index d832dfc170..f7fb1b6fd6 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -61,6 +61,7 @@ struct mcs_test_opts {
 	uint8_t replay_protect;
 	uint8_t rekey_en;
 	const struct mcs_test_vector *rekey_td;
+	const struct mcs_test_vector *ar_td[3];
 	bool dump_all_stats;
 	uint8_t check_untagged_rx;
 	uint8_t check_bad_tag_cnt;
@@ -716,6 +717,15 @@ mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
 		if (opts->check_pkts_unchecked_stats && sc_stat.pkt_unchecked_cnt != 1)
 			return TEST_FAILED;
 
+		if (opts->replay_protect) {
+			if (opts->replay_win_sz == 0 &&
+					sc_stat.pkt_late_cnt != 2)
+				return TEST_FAILED;
+			else if (opts->replay_win_sz == 32 &&
+					sc_stat.pkt_late_cnt != 1)
+				return TEST_FAILED;
+		}
+
 		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
 			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
 			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
@@ -845,6 +855,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 	int nb_rx = 0, nb_sent;
 	int i, j = 0, ret, id, an = 0;
 	uint8_t tci_off;
+	int k;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * opts->nb_td);
 
@@ -875,6 +886,20 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 		j++;
 
+		if (opts->replay_protect) {
+			for (k = 0; k < 3; k++, j++) {
+				tx_pkts_burst[j] = init_packet(mbufpool,
+					opts->ar_td[k]->secure_pkt.data,
+					opts->ar_td[k]->secure_pkt.len);
+				if (tx_pkts_burst[j] == NULL) {
+					while (j--)
+						rte_pktmbuf_free(tx_pkts_burst[j]);
+					ret = TEST_FAILED;
+					goto out;
+				}
+			}
+		}
+
 		if (opts->rekey_en) {
 
 			err_vector.td = td[i];
@@ -1068,6 +1093,15 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 	}
 
+	if (opts->replay_protect) {
+		for (i = 0; i < nb_rx; i++) {
+			rte_pktmbuf_free(rx_pkts_burst[i]);
+			rx_pkts_burst[i] = NULL;
+		}
+		ret = TEST_SUCCESS;
+		goto out;
+	}
+
 	for (i = 0; i < nb_rx; i++) {
 		if (opts->rekey_en && i == 1) {
 			/* The second received packet is matched with
@@ -1995,6 +2029,50 @@ test_inline_macsec_rekey_rx(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_anti_replay(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	uint16_t replay_win_sz[2] = {32, 0};
+	int err, all_err = 0;
+	int i, size;
+	int j;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.replay_protect = 1;
+
+	size = (sizeof(list_mcs_anti_replay_vectors) / sizeof((list_mcs_anti_replay_vectors)[0]));
+
+	for (j = 0; j < 2; j++) {
+		opts.replay_win_sz = replay_win_sz[j];
+
+		for (i = 0; i < size; i++) {
+			cur_td = &list_mcs_anti_replay_vectors[i];
+			opts.ar_td[0] = &list_mcs_anti_replay_vectors[++i];
+			opts.ar_td[1] = &list_mcs_anti_replay_vectors[++i];
+			opts.ar_td[2] = &list_mcs_anti_replay_vectors[++i];
+			err = test_macsec(&cur_td, MCS_DECAP, &opts);
+			if (err) {
+				printf("Replay window: %u, Anti replay test case %d failed\n",
+				       opts.replay_win_sz, i);
+				err = -1;
+			} else {
+				printf("Replay window: %u, Anti replay test case %d passed\n",
+				       opts.replay_win_sz, i);
+				err = 0;
+			}
+			all_err += err;
+		}
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2232,6 +2310,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec re-key Rx",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_rekey_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec anti-replay",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_anti_replay),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 80425b0b71..ddaa8043e7 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -3425,4 +3425,471 @@ static const struct mcs_test_vector list_mcs_rekey_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_anti_replay_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x4B,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x51, 0xC9, 0xBB, 0xF3, 0x24, 0x38, 0xF9, 0x06,
+			0x76, 0x9E, 0x61, 0xCE, 0xB8, 0x65, 0xA7, 0xE4,
+			0x1F, 0x16, 0x5D, 0x59, 0xB8, 0x44, 0x0F, 0x94,
+			0x50, 0xF0, 0x4C, 0x35, 0x7D, 0x91, 0x53, 0xC6,
+			0x28, 0x4D, 0xA8, 0xAB, 0x13, 0x3B, 0xC0, 0x2D,
+			0x11, 0x8E, 0xCC, 0x75, 0xC9, 0xD8, 0x8F, 0x60,
+			0x67, 0xE1, 0x03, 0x2C,
+			/* ICV */
+			0xA5, 0xF1, 0x2C, 0x85, 0x10, 0xEE, 0x67, 0x7E,
+			0xDB, 0x4E, 0xF6, 0x0A, 0xA1, 0x0F, 0x15, 0x69,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x32,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x6F, 0xB6, 0xF8, 0x54, 0x67, 0x23, 0x3C, 0xE8,
+			0x67, 0x54, 0x8B, 0xAD, 0x31, 0xC3, 0x2B, 0xAA,
+			0x70, 0x1A, 0xC8, 0x0D, 0x3C, 0x31, 0x54, 0x0F,
+			0xDD, 0x8F, 0x23, 0x0F, 0x86, 0xF3, 0x80, 0x31,
+			0x8B, 0x30, 0xD9, 0x15, 0xF9, 0x3B, 0xD6, 0x00,
+			0x95, 0xBD, 0xF3, 0x7F, 0xD2, 0x41, 0x28, 0xFC,
+			0x52, 0x27, 0xB5, 0x88,
+			/* ICV */
+			0x64, 0x3C, 0x67, 0xD7, 0xB8, 0xC1, 0xAF, 0x15,
+			0x82, 0x5F, 0x06, 0x4F, 0x5A, 0xED, 0x47, 0xC1,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x3,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x16, 0x6E, 0x74, 0xE5, 0xF7, 0x49, 0xCC, 0x42,
+			0x06, 0x30, 0x99, 0x60, 0x10, 0xAA, 0xB3, 0xEC,
+			0x3C, 0xEF, 0x6C, 0x7D, 0x72, 0x93, 0x61, 0x28,
+			0x39, 0x8E, 0x6B, 0x5C, 0x6C, 0x9E, 0xCA, 0x86,
+			0x70, 0x5A, 0x95, 0x98, 0x0F, 0xB2, 0xC8, 0x05,
+			0xD6, 0xC9, 0xBA, 0x9A, 0xCF, 0x7B, 0x5F, 0xD0,
+			0xAE, 0x50, 0x66, 0x7D,
+			/* ICV */
+			0xC8, 0xF1, 0x4A, 0x10, 0x8A, 0xFF, 0x64, 0x6C,
+			0xC7, 0x18, 0xC2, 0x7A, 0x16, 0x1A, 0x0D, 0xCA,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xFF, 0xFF, 0xFF, 0xFE,
+			/* Secure Data */
+			0xA4, 0x80, 0xA4, 0x24, 0xD3, 0xCB, 0x3B, 0x05,
+			0xD5, 0x5B, 0x48, 0xE0, 0x23, 0xEA, 0x8C, 0x11,
+			0xE2, 0xB6, 0xE9, 0x69, 0x39, 0x40, 0xA6, 0xEA,
+			0xC9, 0xCD, 0xF9, 0xD8, 0x85, 0x8C, 0xD6, 0xFA,
+			0xB6, 0x9A, 0xE2, 0x37, 0xAA, 0x0C, 0x02, 0x2C,
+			0xB8, 0xC1,
+			/* ICV */
+			0xE3, 0x36, 0x34, 0x7A, 0x7C, 0x00, 0x71, 0x1F,
+			0xAC, 0x04, 0x48, 0x82, 0x64, 0xD2, 0xDF, 0x58,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x62,
+			/* Secure Data */
+			0x62, 0x62, 0x9E, 0x43, 0x59, 0x0C, 0xC6, 0x33,
+			0x26, 0x3C, 0xBF, 0x93, 0x5D, 0xE2, 0x8A, 0x7F,
+			0x96, 0xB4, 0xF7, 0x08, 0xEA, 0x9A, 0xA8, 0x88,
+			0xB4, 0xE8, 0xBE, 0x8D, 0x28, 0x84, 0xE0, 0x16,
+			0x08, 0x92, 0xB0, 0xAB, 0x76, 0x60, 0xEA, 0x05,
+			0x74, 0x79,
+			/* ICV */
+			0x8E, 0x5D, 0x81, 0xA6, 0x3F, 0xDF, 0x39, 0xB8,
+			0x19, 0x33, 0x73, 0x09, 0xCE, 0xC1, 0xAF, 0x85,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x58,
+			/* Secure Data */
+			0xC7, 0xDC, 0xF4, 0xC9, 0x8C, 0x59, 0x6E, 0x96,
+			0x3D, 0x4B, 0x89, 0xB3, 0xF3, 0x8D, 0x5D, 0x99,
+			0x4E, 0xDF, 0x48, 0x74, 0x02, 0x25, 0x93, 0xB4,
+			0x12, 0xFB, 0x0F, 0x28, 0xA5, 0x02, 0x78, 0xAC,
+			0x0B, 0x14, 0xF1, 0xAC, 0x1C, 0x0C, 0x80, 0x37,
+			0x6B, 0x44,
+			/* ICV */
+			0x47, 0x5A, 0xEE, 0x37, 0xFC, 0x6E, 0xDE, 0xB9,
+			0x14, 0x0E, 0xBD, 0x22, 0x05, 0x12, 0x00, 0x52,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x02,
+			/* Secure Data */
+			0xDD, 0x86, 0x37, 0x48, 0x11, 0xF3, 0xA8, 0x96,
+			0x25, 0x3A, 0xD9, 0xBE, 0x7C, 0x62, 0x72, 0xD6,
+			0x43, 0x70, 0xB6, 0x92, 0x04, 0x25, 0x46, 0xC1,
+			0x17, 0xBC, 0x14, 0xE1, 0x09, 0x4C, 0x04, 0x94,
+			0x51, 0x1F, 0x6E, 0x89, 0x32, 0x13, 0x4B, 0xAC,
+			0x2A, 0x60,
+			/* ICV */
+			0x96, 0xC0, 0xB4, 0xA4, 0xC7, 0xEC, 0xF5, 0xEF,
+			0x5E, 0x51, 0x22, 0x14, 0xF8, 0x70, 0xA0, 0x22,
+		},
+		.len = 78,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH v2 13/13] test/security: remove no MACsec support case

[Akhil Goyal]

Removed the test_capability_get_no_support_for_macsec case
as MACsec is now supported and capability can have valid
MACsec support.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security.c | 37 -------------------------------------
 1 file changed, 37 deletions(-)

diff --git a/app/test/test_security.c b/app/test/test_security.c
index e4ddcefe40..4783cd0663 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -1828,41 +1828,6 @@ test_capability_get_no_matching_protocol(void)
 	return TEST_SUCCESS;
 }
 
-/**
- * Test execution of rte_security_capability_get when macsec protocol
- * is searched and capabilities table contain proper entry.
- * However macsec records search is not supported in rte_security.
- */
-static int
-test_capability_get_no_support_for_macsec(void)
-{
-	struct security_unittest_params *ut_params = &unittest_params;
-	struct rte_security_capability_idx idx = {
-		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
-		.protocol = RTE_SECURITY_PROTOCOL_MACSEC,
-	};
-	struct rte_security_capability capabilities[] = {
-		{
-			.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
-			.protocol = RTE_SECURITY_PROTOCOL_MACSEC,
-		},
-		{
-			.action = RTE_SECURITY_ACTION_TYPE_NONE,
-		},
-	};
-
-	mock_capabilities_get_exp.device = NULL;
-	mock_capabilities_get_exp.ret = capabilities;
-
-	const struct rte_security_capability *ret;
-	ret = rte_security_capability_get(&ut_params->ctx, &idx);
-	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_capability_get,
-			ret, NULL, "%p");
-	TEST_ASSERT_MOCK_CALLS(mock_capabilities_get_exp, 1);
-
-	return TEST_SUCCESS;
-}
-
 /**
  * Test execution of rte_security_capability_get when capabilities table
  * does not contain entry with matching ipsec proto field
@@ -2319,8 +2284,6 @@ static struct unit_test_suite security_testsuite  = {
 				test_capability_get_no_matching_action),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
 				test_capability_get_no_matching_protocol),
-		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
-				test_capability_get_no_support_for_macsec),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
 				test_capability_get_ipsec_mismatch_proto),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
-- 
2.25.1

RE: [PATCH v2 01/13] security: add direction in SA/SC configuration

[Akhil Goyal]

> Subject: [PATCH v2 01/13] security: add direction in SA/SC configuration
> 
> MACsec SC/SA ids are created based on direction of the flow.
> Hence, added the missing field for configuration and cleanup
> of the SCs and SAs.
> 
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
>  devtools/libabigail.abignore       |  7 +++++++
>  lib/security/rte_security.c        | 16 ++++++++++------
>  lib/security/rte_security.h        | 14 ++++++++++----
>  lib/security/rte_security_driver.h | 12 ++++++++++--
>  4 files changed, 37 insertions(+), 12 deletions(-)
> 
> diff --git a/devtools/libabigail.abignore b/devtools/libabigail.abignore
> index c0361bfc7b..14d8fa4293 100644
> --- a/devtools/libabigail.abignore
> +++ b/devtools/libabigail.abignore
> @@ -37,6 +37,13 @@
>  [suppress_type]
>          type_kind = enum
>          changed_enumerators = RTE_CRYPTO_ASYM_XFORM_ECPM,
> RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
> +; Ignore changes to rte_security_ops MACsec APIs which are experimental
> +[suppress_type]
> +        name = rte_security_ops
> +        has_data_member_inserted_between =
> +        {
> +                offset_of(security_macsec_sc_create_t),
> offset_of(security_macsec_sa_stats_get_t)
> +        }


Thomas/David,

Please review the exception added for MACsec rte_security APIs.

Regards,
Akhil

[PATCH v2 00/15] net/cnxk: add MACsec support

[Akhil Goyal]

Added MACsec support in Marvell cnxk PMD.
The patchset is pending from last release [1]
Sending as a new series as the functionality is now
complete and tested on hardware.

Depends-on: http://patches.dpdk.org/project/dpdk/list/?series=28391

[1] https://patches.dpdk.org/project/dpdk/cover/20220928124516.93050-1-gakhil@marvell.com/

Changes in v2:
- Addressed review comments from Jerin.


Akhil Goyal (15):
  common/cnxk: add ROC MACsec initialization
  common/cnxk: add MACsec SA configuration
  common/cnxk: add MACsec SC configuration APIs
  common/cnxk: add MACsec secy and flow configuration
  common/cnxk: add MACsec PN and LMAC mode configuration
  common/cnxk: add MACsec stats
  common/cnxk: add MACsec interrupt APIs
  common/cnxk: add MACsec port configuration
  common/cnxk: add MACsec control port configuration
  common/cnxk: add MACsec FIPS mbox
  common/cnxk: derive hash key for MACsec
  net/cnxk: add MACsec initialization
  net/cnxk: create/destroy MACsec SC/SA
  net/cnxk: add MACsec session and flow configuration
  net/cnxk: add MACsec stats

 drivers/common/cnxk/meson.build       |   3 +
 drivers/common/cnxk/roc_aes.c         |  86 ++-
 drivers/common/cnxk/roc_aes.h         |   4 +-
 drivers/common/cnxk/roc_api.h         |   3 +
 drivers/common/cnxk/roc_dev.c         |  86 +++
 drivers/common/cnxk/roc_features.h    |  12 +
 drivers/common/cnxk/roc_idev.c        |  46 ++
 drivers/common/cnxk/roc_idev.h        |   3 +
 drivers/common/cnxk/roc_idev_priv.h   |   1 +
 drivers/common/cnxk/roc_mbox.h        | 524 +++++++++++++++-
 drivers/common/cnxk/roc_mcs.c         | 871 ++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h         | 621 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h    |  73 +++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 528 ++++++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c   | 193 ++++++
 drivers/common/cnxk/roc_priv.h        |   3 +
 drivers/common/cnxk/roc_utils.c       |   5 +
 drivers/common/cnxk/version.map       |  45 ++
 drivers/net/cnxk/cn10k_ethdev_sec.c   |  25 +-
 drivers/net/cnxk/cn10k_flow.c         |  23 +-
 drivers/net/cnxk/cnxk_ethdev.c        |  15 +
 drivers/net/cnxk/cnxk_ethdev.h        |  30 +
 drivers/net/cnxk/cnxk_ethdev_mcs.c    | 726 +++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h    | 111 ++++
 drivers/net/cnxk/cnxk_ethdev_sec.c    |   2 +-
 drivers/net/cnxk/cnxk_flow.c          |   5 +
 drivers/net/cnxk/meson.build          |   1 +
 27 files changed, 4007 insertions(+), 38 deletions(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

-- 
2.25.1

[PATCH v2 01/15] common/cnxk: add ROC MACsec initialization

[Akhil Goyal]

Added ROC init and fini APIs for supporting MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_api.h       |   3 +
 drivers/common/cnxk/roc_features.h  |  12 ++
 drivers/common/cnxk/roc_idev.c      |  46 ++++++
 drivers/common/cnxk/roc_idev.h      |   3 +
 drivers/common/cnxk/roc_idev_priv.h |   1 +
 drivers/common/cnxk/roc_mbox.h      |  65 +++++++-
 drivers/common/cnxk/roc_mcs.c       | 220 ++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  41 ++++++
 drivers/common/cnxk/roc_mcs_priv.h  |  65 ++++++++
 drivers/common/cnxk/roc_priv.h      |   3 +
 drivers/common/cnxk/roc_utils.c     |   5 +
 drivers/common/cnxk/version.map     |   7 +
 13 files changed, 471 insertions(+), 1 deletion(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 631b594f32..e33c002676 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -26,6 +26,7 @@ sources = files(
         'roc_irq.c',
         'roc_ie_ot.c',
         'roc_mbox.c',
+        'roc_mcs.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index bbc94ab48e..f630853088 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -114,4 +114,7 @@
 /* ML */
 #include "roc_ml.h"
 
+/* MACsec */
+#include "roc_mcs.h"
+
 #endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_features.h b/drivers/common/cnxk/roc_features.h
index 36ef315f5a..815f800e7a 100644
--- a/drivers/common/cnxk/roc_features.h
+++ b/drivers/common/cnxk/roc_features.h
@@ -59,4 +59,16 @@ roc_feature_nix_has_age_drop_stats(void)
 {
 	return (roc_model_is_cn10kb() || roc_model_is_cn10ka_b0());
 }
+
+static inline bool
+roc_feature_nix_has_macsec(void)
+{
+	return roc_model_is_cn10kb();
+}
+
+static inline bool
+roc_feature_bphy_has_macsec(void)
+{
+	return roc_model_is_cnf10kb();
+}
 #endif
diff --git a/drivers/common/cnxk/roc_idev.c b/drivers/common/cnxk/roc_idev.c
index f420f0158d..e6c6b34d78 100644
--- a/drivers/common/cnxk/roc_idev.c
+++ b/drivers/common/cnxk/roc_idev.c
@@ -38,6 +38,7 @@ idev_set_defaults(struct idev_cfg *idev)
 	idev->num_lmtlines = 0;
 	idev->bphy = NULL;
 	idev->cpt = NULL;
+	TAILQ_INIT(&idev->mcs_list);
 	idev->nix_inl_dev = NULL;
 	TAILQ_INIT(&idev->roc_nix_list);
 	plt_spinlock_init(&idev->nix_inl_dev_lock);
@@ -187,6 +188,51 @@ roc_idev_cpt_get(void)
 	return NULL;
 }
 
+struct roc_mcs *
+roc_idev_mcs_get(uint8_t mcs_idx)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs, &idev->mcs_list, next) {
+			if (mcs->idx == mcs_idx)
+				return mcs;
+		}
+	}
+
+	return NULL;
+}
+
+void
+roc_idev_mcs_set(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs_iter = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
+			if (mcs_iter->idx == mcs->idx)
+				return;
+		}
+		TAILQ_INSERT_TAIL(&idev->mcs_list, mcs, next);
+	}
+}
+
+void
+roc_idev_mcs_free(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs_iter = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
+			if (mcs_iter->idx == mcs->idx)
+				TAILQ_REMOVE(&idev->mcs_list, mcs, next);
+		}
+	}
+}
+
 uint64_t *
 roc_nix_inl_outb_ring_base_get(struct roc_nix *roc_nix)
 {
diff --git a/drivers/common/cnxk/roc_idev.h b/drivers/common/cnxk/roc_idev.h
index 640ca97708..aea7f5279d 100644
--- a/drivers/common/cnxk/roc_idev.h
+++ b/drivers/common/cnxk/roc_idev.h
@@ -19,4 +19,7 @@ struct roc_nix *__roc_api roc_idev_npa_nix_get(void);
 uint64_t __roc_api roc_idev_nix_inl_meta_aura_get(void);
 struct roc_nix_list *__roc_api roc_idev_nix_list_get(void);
 
+struct roc_mcs *__roc_api roc_idev_mcs_get(uint8_t mcs_idx);
+void __roc_api roc_idev_mcs_set(struct roc_mcs *mcs);
+void __roc_api roc_idev_mcs_free(struct roc_mcs *mcs);
 #endif /* _ROC_IDEV_H_ */
diff --git a/drivers/common/cnxk/roc_idev_priv.h b/drivers/common/cnxk/roc_idev_priv.h
index 4983578fc6..80f8465e1c 100644
--- a/drivers/common/cnxk/roc_idev_priv.h
+++ b/drivers/common/cnxk/roc_idev_priv.h
@@ -31,6 +31,7 @@ struct idev_cfg {
 	struct roc_bphy *bphy;
 	struct roc_cpt *cpt;
 	struct roc_sso *sso;
+	struct roc_mcs_head mcs_list;
 	struct nix_inl_dev *nix_inl_dev;
 	struct idev_nix_inl_cfg inl_cfg;
 	struct roc_nix_list roc_nix_list;
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 93c5451c0f..ef7a7d6513 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -295,7 +295,12 @@ struct mbox_msghdr {
 	  nix_bpids)                                                           \
 	M(NIX_FREE_BPIDS, 0x8029, nix_free_bpids, nix_bpids, msg_rsp)          \
 	M(NIX_RX_CHAN_CFG, 0x802a, nix_rx_chan_cfg, nix_rx_chan_cfg,           \
-	  nix_rx_chan_cfg)
+	  nix_rx_chan_cfg)                                                     \
+	/* MCS mbox IDs (range 0xa000 - 0xbFFF) */                                                 \
+	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
+	  mcs_alloc_rsrc_rsp)                                                                      \
+	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -673,6 +678,64 @@ struct cgx_set_link_mode_rsp {
 	int __io status;
 };
 
+/* MCS mbox structures */
+enum mcs_direction {
+	MCS_RX,
+	MCS_TX,
+};
+
+enum mcs_rsrc_type {
+	MCS_RSRC_TYPE_FLOWID,
+	MCS_RSRC_TYPE_SECY,
+	MCS_RSRC_TYPE_SC,
+	MCS_RSRC_TYPE_SA,
+};
+
+struct mcs_alloc_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* Resources count */
+	uint8_t __io mcs_id;   /* MCS block ID */
+	uint8_t __io dir;      /* Macsec ingress or egress side */
+	uint8_t __io all;      /* Allocate all resource type one each */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_rsrc_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_ids[128]; /* Index of reserved entries */
+	uint8_t __io secy_ids[128];
+	uint8_t __io sc_ids[128];
+	uint8_t __io sa_ids[256];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* No of entries reserved */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all;
+	uint8_t __io rsvd[256];
+};
+
+struct mcs_free_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_id; /* Index of the entry to be freed */
+	uint8_t __io rsrc_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the cam resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_hw_info {
+	struct mbox_msghdr hdr;
+	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
+	uint8_t __io tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t __io secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t __io sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t __io sa_entries;  /* PN table entries = SA entries */
+	uint64_t __io rsvd[16];
+};
+
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
new file mode 100644
index 0000000000..20433eae83
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -0,0 +1,220 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
+{
+	struct mcs_hw_info *hw;
+	struct npa_lf *npa;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (hw_info == NULL)
+		return -EINVAL;
+
+	/* Use mbox handler of first probed pci_func for
+	 * initial mcs mbox communication.
+	 */
+	npa = idev_npa_obj_get();
+	if (!npa)
+		return MCS_ERR_DEVICE_NOT_FOUND;
+
+	mbox_alloc_msg_mcs_get_hw_info(npa->mbox);
+	rc = mbox_process_msg(npa->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	hw_info->num_mcs_blks = hw->num_mcs_blks;
+	hw_info->tcam_entries = hw->tcam_entries;
+	hw_info->secy_entries = hw->secy_entries;
+	hw_info->sc_entries = hw->sc_entries;
+	hw_info->sa_entries = hw->sa_entries;
+
+	return rc;
+}
+
+static int
+mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
+{
+	size_t bmap_sz;
+	int rc = 0;
+
+	bmap_sz = plt_bitmap_get_memory_footprint(entries);
+	*mem = plt_zmalloc(bmap_sz, PLT_CACHE_LINE_SIZE);
+	if (*mem == NULL)
+		rc = -ENOMEM;
+
+	*bmap = plt_bitmap_init(entries, *mem, bmap_sz);
+	if (!*bmap) {
+		plt_free(*mem);
+		*mem = NULL;
+		rc = -ENOMEM;
+	}
+
+	return rc;
+}
+
+static void
+rsrc_bmap_free(struct mcs_rsrc *rsrc)
+{
+	plt_bitmap_free(rsrc->tcam_bmap);
+	plt_free(rsrc->tcam_bmap_mem);
+	plt_bitmap_free(rsrc->secy_bmap);
+	plt_free(rsrc->secy_bmap_mem);
+	plt_bitmap_free(rsrc->sc_bmap);
+	plt_free(rsrc->sc_bmap_mem);
+	plt_bitmap_free(rsrc->sa_bmap);
+	plt_free(rsrc->sa_bmap_mem);
+}
+
+static int
+rsrc_bmap_alloc(struct mcs_priv *priv, struct mcs_rsrc *rsrc)
+{
+	int rc;
+
+	rc = mcs_alloc_bmap(priv->tcam_entries << 1, &rsrc->tcam_bmap_mem, &rsrc->tcam_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->secy_entries << 1, &rsrc->secy_bmap_mem, &rsrc->secy_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sc_entries << 1, &rsrc->sc_bmap_mem, &rsrc->sc_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sa_entries << 1, &rsrc->sa_bmap_mem, &rsrc->sa_bmap);
+	if (rc)
+		goto exit;
+
+	return rc;
+exit:
+	rsrc_bmap_free(rsrc);
+
+	return rc;
+}
+
+static int
+mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_hw_info *hw;
+	int i, rc;
+
+	mbox_alloc_msg_mcs_get_hw_info(mcs->mbox);
+	rc = mbox_process_msg(mcs->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	priv->num_mcs_blks = hw->num_mcs_blks;
+	priv->tcam_entries = hw->tcam_entries;
+	priv->secy_entries = hw->secy_entries;
+	priv->sc_entries = hw->sc_entries;
+	priv->sa_entries = hw->sa_entries;
+
+	rc = rsrc_bmap_alloc(priv, &priv->dev_rsrc);
+	if (rc)
+		return rc;
+
+	priv->port_rsrc = plt_zmalloc(sizeof(struct mcs_rsrc) * 4, 0);
+	if (priv->port_rsrc == NULL) {
+		rsrc_bmap_free(&priv->dev_rsrc);
+		return -ENOMEM;
+	}
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rc = rsrc_bmap_alloc(priv, &priv->port_rsrc[i]);
+		if (rc)
+			goto exit;
+
+		priv->port_rsrc[i].sc_conf =
+			plt_zmalloc(priv->sc_entries * sizeof(struct mcs_sc_conf), 0);
+		if (priv->port_rsrc[i].sc_conf == NULL) {
+			rsrc_bmap_free(&priv->port_rsrc[i]);
+			goto exit;
+		}
+	}
+
+	return rc;
+
+exit:
+	while (i--) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+	plt_free(priv->port_rsrc);
+
+	return -ENOMEM;
+}
+
+struct roc_mcs *
+roc_mcs_dev_init(uint8_t mcs_idx)
+{
+	struct roc_mcs *mcs;
+	struct npa_lf *npa;
+
+	if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))
+		return NULL;
+
+	mcs = roc_idev_mcs_get(mcs_idx);
+	if (mcs) {
+		plt_info("Skipping device, mcs device already probed");
+		mcs->refcount++;
+		return mcs;
+	}
+
+	mcs = plt_zmalloc(sizeof(struct roc_mcs), PLT_CACHE_LINE_SIZE);
+	if (!mcs)
+		return NULL;
+
+	npa = idev_npa_obj_get();
+	if (!npa)
+		goto exit;
+
+	mcs->mbox = npa->mbox;
+	mcs->idx = mcs_idx;
+
+	/* Add any per mcsv initialization */
+	if (mcs_alloc_rsrc_bmap(mcs))
+		goto exit;
+
+	roc_idev_mcs_set(mcs);
+	mcs->refcount++;
+
+	return mcs;
+exit:
+	plt_free(mcs);
+	return NULL;
+}
+
+void
+roc_mcs_dev_fini(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv;
+	int i;
+
+	mcs->refcount--;
+	if (mcs->refcount > 0)
+		return;
+
+	priv = roc_mcs_to_mcs_priv(mcs);
+
+	rsrc_bmap_free(&priv->dev_rsrc);
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+
+	plt_free(priv->port_rsrc);
+
+	roc_idev_mcs_free(mcs);
+
+	plt_free(mcs);
+}
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
new file mode 100644
index 0000000000..2f06ce2659
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_H_
+#define _ROC_MCS_H_
+
+#define MCS_AES_GCM_256_KEYLEN 32
+
+struct roc_mcs_hw_info {
+	uint8_t num_mcs_blks; /* Number of MCS blocks */
+	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t sa_entries;  /* PN table entries = SA entries */
+	uint64_t rsvd[16];
+};
+
+
+struct roc_mcs {
+	TAILQ_ENTRY(roc_mcs) next;
+	struct plt_pci_device *pci_dev;
+	struct mbox *mbox;
+	void *userdata;
+	uint8_t idx;
+	uint8_t refcount;
+
+#define ROC_MCS_MEM_SZ (1 * 1024)
+	uint8_t reserved[ROC_MCS_MEM_SZ] __plt_cache_aligned;
+} __plt_cache_aligned;
+
+TAILQ_HEAD(roc_mcs_head, roc_mcs);
+
+/* Initialization */
+__roc_api struct roc_mcs *roc_mcs_dev_init(uint8_t mcs_idx);
+__roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
+/* Get roc mcs dev structure */
+__roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
+/* HW info get */
+__roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+#endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
new file mode 100644
index 0000000000..9e0bbe4392
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_PRIV_H_
+#define _ROC_MCS_PRIV_H_
+
+#define MAX_PORTS_PER_MCS 4
+
+enum mcs_error_status {
+	MCS_ERR_PARAM = -900,
+	MCS_ERR_HW_NOTSUP = -901,
+	MCS_ERR_DEVICE_NOT_FOUND = -902,
+};
+
+#define MCS_SUPPORT_CHECK                                                                          \
+	do {                                                                                       \
+		if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))              \
+			return MCS_ERR_HW_NOTSUP;                                                  \
+	} while (0)
+
+struct mcs_sc_conf {
+	struct {
+		uint64_t sci;
+		uint16_t sa_idx0;
+		uint16_t sa_idx1;
+		uint8_t rekey_enb;
+	} tx;
+	struct {
+		uint16_t sa_idx;
+		uint8_t an;
+	} rx;
+};
+
+struct mcs_rsrc {
+	struct plt_bitmap *tcam_bmap;
+	void *tcam_bmap_mem;
+	struct plt_bitmap *secy_bmap;
+	void *secy_bmap_mem;
+	struct plt_bitmap *sc_bmap;
+	void *sc_bmap_mem;
+	struct plt_bitmap *sa_bmap;
+	void *sa_bmap_mem;
+	struct mcs_sc_conf *sc_conf;
+};
+
+struct mcs_priv {
+	struct mcs_rsrc *port_rsrc;
+	struct mcs_rsrc dev_rsrc;
+	uint64_t default_sci;
+	uint32_t lmac_bmap;
+	uint8_t num_mcs_blks;
+	uint8_t tcam_entries;
+	uint8_t secy_entries;
+	uint8_t sc_entries;
+	uint16_t sa_entries;
+};
+
+static inline struct mcs_priv *
+roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
+{
+	return (struct mcs_priv *)&roc_mcs->reserved[0];
+}
+
+#endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/roc_priv.h b/drivers/common/cnxk/roc_priv.h
index 14fe2e452a..254a2d3310 100644
--- a/drivers/common/cnxk/roc_priv.h
+++ b/drivers/common/cnxk/roc_priv.h
@@ -44,6 +44,9 @@
 /* DPI */
 #include "roc_dpi_priv.h"
 
+/* MCS */
+#include "roc_mcs_priv.h"
+
 /* REE */
 #include "roc_ree_priv.h"
 
diff --git a/drivers/common/cnxk/roc_utils.c b/drivers/common/cnxk/roc_utils.c
index fe291fce96..9af2ae9b69 100644
--- a/drivers/common/cnxk/roc_utils.c
+++ b/drivers/common/cnxk/roc_utils.c
@@ -16,6 +16,7 @@ roc_error_msg_get(int errorcode)
 	case NPA_ERR_PARAM:
 	case NPC_ERR_PARAM:
 	case SSO_ERR_PARAM:
+	case MCS_ERR_PARAM:
 	case UTIL_ERR_PARAM:
 		err_msg = "Invalid parameter";
 		break;
@@ -35,6 +36,7 @@ roc_error_msg_get(int errorcode)
 		err_msg = "Operation not supported";
 		break;
 	case NIX_ERR_HW_NOTSUP:
+	case MCS_ERR_HW_NOTSUP:
 		err_msg = "Hardware does not support";
 		break;
 	case NIX_ERR_QUEUE_INVALID_RANGE:
@@ -223,6 +225,9 @@ roc_error_msg_get(int errorcode)
 	case SSO_ERR_DEVICE_NOT_BOUNDED:
 		err_msg = "SSO pf/vf not found";
 		break;
+	case MCS_ERR_DEVICE_NOT_FOUND:
+		err_msg = "MCS device not found";
+		break;
 	case UTIL_ERR_FS:
 		err_msg = "file operation failed";
 		break;
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index e1335e9068..900290b866 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -94,6 +94,9 @@ INTERNAL {
 	roc_idev_cpt_get;
 	roc_idev_cpt_set;
 	roc_idev_lmt_base_addr_get;
+	roc_idev_mcs_free;
+	roc_idev_mcs_get;
+	roc_idev_mcs_set;
 	roc_idev_npa_maxpools_get;
 	roc_idev_npa_maxpools_set;
 	roc_idev_npa_nix_get;
@@ -132,6 +135,10 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_dev_init;
+	roc_mcs_dev_fini;
+	roc_mcs_dev_get;
+	roc_mcs_hw_info_get;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v2 02/15] common/cnxk: add MACsec SA configuration

[Akhil Goyal]

Added ROC APIs to allocate/free MACsec resources
and APIs to write SA policy.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build       |   1 +
 drivers/common/cnxk/roc_mbox.h        |  12 ++
 drivers/common/cnxk/roc_mcs.h         |  43 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 211 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   4 +
 5 files changed, 271 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index e33c002676..589baf74fe 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -27,6 +27,7 @@ sources = files(
         'roc_ie_ot.c',
         'roc_mbox.c',
         'roc_mcs.c',
+        'roc_mcs_sec_cfg.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ef7a7d6513..ab1173e805 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,6 +300,7 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -725,6 +726,17 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_sa_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
+	uint8_t __io sa_index[2];
+	uint8_t __io sa_cnt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 2f06ce2659..ea4c6ddc05 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -7,6 +7,39 @@
 
 #define MCS_AES_GCM_256_KEYLEN 32
 
+struct roc_mcs_alloc_rsrc_req {
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* Resources count */
+	uint8_t dir;	  /* Macsec ingress or egress side */
+	uint8_t all;	  /* Allocate all resource type one each */
+};
+
+struct roc_mcs_alloc_rsrc_rsp {
+	uint8_t flow_ids[128]; /* Index of reserved entries */
+	uint8_t secy_ids[128];
+	uint8_t sc_ids[128];
+	uint8_t sa_ids[256];
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* No of entries reserved */
+	uint8_t dir;
+	uint8_t all;
+};
+
+struct roc_mcs_free_rsrc_req {
+	uint8_t rsrc_id; /* Index of the entry to be freed */
+	uint8_t rsrc_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the cam resources */
+};
+
+
+struct roc_mcs_sa_plcy_write_req {
+	uint64_t plcy[2][9];
+	uint8_t sa_index[2];
+	uint8_t sa_cnt;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -38,4 +71,14 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+
+/* Resource allocation and free */
+__roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+				 struct roc_mcs_alloc_rsrc_rsp *rsp);
+__roc_api int roc_mcs_rsrc_free(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *req);
+/* SA policy read and write */
+__roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
+				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
+__roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
+				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
new file mode 100644
index 0000000000..041be51b4b
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -0,0 +1,211 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+		   struct roc_mcs_alloc_rsrc_rsp *rsp)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_alloc_rsrc_req *rsrc_req;
+	struct mcs_alloc_rsrc_rsp *rsrc_rsp;
+	int rc, i;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rsrc_req = mbox_alloc_msg_mcs_alloc_resources(mcs->mbox);
+	if (rsrc_req == NULL)
+		return -ENOMEM;
+
+	rsrc_req->rsrc_type = req->rsrc_type;
+	rsrc_req->rsrc_cnt = req->rsrc_cnt;
+	rsrc_req->mcs_id = mcs->idx;
+	rsrc_req->dir = req->dir;
+	rsrc_req->all = req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsrc_rsp);
+	if (rc)
+		return rc;
+
+	if (rsrc_rsp->all) {
+		rsrc_rsp->rsrc_cnt = 1;
+		rsrc_rsp->rsrc_type = 0xFF;
+	}
+
+	for (i = 0; i < rsrc_rsp->rsrc_cnt; i++) {
+		switch (rsrc_rsp->rsrc_type) {
+		case MCS_RSRC_TYPE_FLOWID:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SECY:
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SC:
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SA:
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		default:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		}
+	}
+	rsp->rsrc_type = rsrc_rsp->rsrc_type;
+	rsp->rsrc_cnt = rsrc_rsp->rsrc_cnt;
+	rsp->dir = rsrc_rsp->dir;
+	rsp->all = rsrc_rsp->all;
+
+	return 0;
+}
+
+int
+roc_mcs_rsrc_free(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *free_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_free_rsrc_req *req;
+	struct msg_rsp *rsp;
+	uint32_t pos;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (free_req == NULL)
+		return -EINVAL;
+
+	req = mbox_alloc_msg_mcs_free_resources(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->rsrc_id = free_req->rsrc_id;
+	req->rsrc_type = free_req->rsrc_type;
+	req->mcs_id = mcs->idx;
+	req->dir = free_req->dir;
+	req->all = free_req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	switch (free_req->rsrc_type) {
+	case MCS_RSRC_TYPE_FLOWID:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->tcam_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.tcam_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].tcam_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].tcam_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SECY:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->secy_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.secy_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].secy_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SC:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sc_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sc_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sc_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SA:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sa_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sa_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sa_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sa_bmap, pos);
+				break;
+			}
+		}
+		break;
+	default:
+		break;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sa_policy_write(struct roc_mcs *mcs, struct roc_mcs_sa_plcy_write_req *sa_plcy)
+{
+	struct mcs_sa_plcy_write_req *sa;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (sa_plcy == NULL)
+		return -EINVAL;
+
+	sa = mbox_alloc_msg_mcs_sa_plcy_write(mcs->mbox);
+	if (sa == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(sa->plcy, sa_plcy->plcy, sizeof(uint64_t) * 2 * 9);
+	sa->sa_index[0] = sa_plcy->sa_index[0];
+	sa->sa_index[1] = sa_plcy->sa_index[1];
+	sa->sa_cnt = sa_plcy->sa_cnt;
+	sa->mcs_id = mcs->idx;
+	sa->dir = sa_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_sa_plcy_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 900290b866..bd8a3095f9 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,6 +139,10 @@ INTERNAL {
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
 	roc_mcs_hw_info_get;
+	roc_mcs_rsrc_alloc;
+	roc_mcs_rsrc_free;
+	roc_mcs_sa_policy_read;
+	roc_mcs_sa_policy_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v2 03/15] common/cnxk: add MACsec SC configuration APIs

[Akhil Goyal]

Added ROC APIs to configure MACsec secure channel(SC)
and its mapping with SAs for both Rx and Tx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  37 ++++++
 drivers/common/cnxk/roc_mcs.h         |  41 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 171 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   7 ++
 4 files changed, 256 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ab1173e805..40b761ee99 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,7 +300,10 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
+	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
+	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -726,6 +729,16 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+/* RX SC_CAM mapping */
+struct mcs_rx_sc_cam_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sci;     /* SCI */
+	uint64_t __io secy_id; /* secy index mapped to SC */
+	uint8_t __io sc_id;    /* SC CAM entry index */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_sa_plcy_write_req {
 	struct mbox_msghdr hdr;
 	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
@@ -736,6 +749,30 @@ struct mcs_sa_plcy_write_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_tx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index0;
+	uint8_t __io sa_index1;
+	uint8_t __io rekey_ena;
+	uint8_t __io sa_index0_vld;
+	uint8_t __io sa_index1_vld;
+	uint8_t __io tx_sa_active;
+	uint64_t __io sectag_sci;
+	uint8_t __io sc_id; /* used as index for SA_MEM_MAP */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_rx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index;
+	uint8_t __io sa_in_use;
+	uint8_t __io sc_id;
+	/* an range is 0-3, sc_id + an used as index SA_MEM_MAP */
+	uint8_t __io an;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
 
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index ea4c6ddc05..e947f93460 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,12 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+/* RX SC_CAM mapping */
+struct roc_mcs_rx_sc_cam_write_req {
+	uint64_t sci;	  /* SCI */
+	uint64_t secy_id; /* secy index mapped to SC */
+	uint8_t sc_id;	  /* SC CAM entry index */
+};
 
 struct roc_mcs_sa_plcy_write_req {
 	uint64_t plcy[2][9];
@@ -40,6 +46,24 @@ struct roc_mcs_sa_plcy_write_req {
 	uint8_t dir;
 };
 
+struct roc_mcs_tx_sc_sa_map {
+	uint8_t sa_index0;
+	uint8_t sa_index1;
+	uint8_t rekey_ena;
+	uint8_t sa_index0_vld;
+	uint8_t sa_index1_vld;
+	uint8_t tx_sa_active;
+	uint64_t sectag_sci;
+	uint8_t sc_id; /* used as index for SA_MEM_MAP */
+};
+
+struct roc_mcs_rx_sc_sa_map {
+	uint8_t sa_index;
+	uint8_t sa_in_use;
+	uint8_t sc_id;
+	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -81,4 +105,21 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* RX SC read, write and enable */
+__roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
+				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
+				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* RX SC-SA MAP read and write */
+__roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+__roc_api int roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+/* TX SC-SA MAP read and write */
+__roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+__roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 041be51b4b..9b87952112 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -209,3 +209,174 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+
+int
+roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_cam_write_req *rx_sc;
+	struct msg_rsp *rsp;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_cam == NULL)
+		return -EINVAL;
+
+	rx_sc = mbox_alloc_msg_mcs_rx_sc_cam_write(mcs->mbox);
+	if (rx_sc == NULL)
+		return -ENOMEM;
+
+	rx_sc->sci = rx_sc_cam->sci;
+	rx_sc->secy_id = rx_sc_cam->secy_id;
+	rx_sc->sc_id = rx_sc_cam->sc_id;
+	rx_sc->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, rx_sc_cam->secy_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sc_bmap, rx_sc_cam->sc_id);
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sc_id = rx_sc_sa_map->sc_id;
+	sa_map = mbox_alloc_msg_mcs_rx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index = rx_sc_sa_map->sa_index;
+	sa_map->sa_in_use = rx_sc_sa_map->sa_in_use;
+	sa_map->sc_id = rx_sc_sa_map->sc_id;
+	sa_map->an = rx_sc_sa_map->an;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, rx_sc_sa_map->sa_index);
+			priv->port_rsrc[i].sc_conf[sc_id].rx.sa_idx = rx_sc_sa_map->sa_index;
+			priv->port_rsrc[i].sc_conf[sc_id].rx.an = rx_sc_sa_map->an;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_tx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (tx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sa_map = mbox_alloc_msg_mcs_tx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index0 = tx_sc_sa_map->sa_index0;
+	sa_map->sa_index1 = tx_sc_sa_map->sa_index1;
+	sa_map->rekey_ena = tx_sc_sa_map->rekey_ena;
+	sa_map->sa_index0_vld = tx_sc_sa_map->sa_index0_vld;
+	sa_map->sa_index1_vld = tx_sc_sa_map->sa_index1_vld;
+	sa_map->tx_sa_active = tx_sc_sa_map->tx_sa_active;
+	sa_map->sectag_sci = tx_sc_sa_map->sectag_sci;
+	sa_map->sc_id = tx_sc_sa_map->sc_id;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	sc_id = tx_sc_sa_map->sc_id;
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id + priv->sc_entries);
+
+		if (set) {
+			uint32_t pos = priv->sa_entries + tx_sc_sa_map->sa_index0;
+
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx0 = tx_sc_sa_map->sa_index0;
+			pos = priv->sa_entries + tx_sc_sa_map->sa_index1;
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx1 = tx_sc_sa_map->sa_index1;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sci = tx_sc_sa_map->sectag_sci;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.rekey_enb = tx_sc_sa_map->rekey_ena;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index bd8a3095f9..dbfda62ad1 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -141,8 +141,15 @@ INTERNAL {
 	roc_mcs_hw_info_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
+	roc_mcs_rx_sc_cam_enable;
+	roc_mcs_rx_sc_cam_read;
+	roc_mcs_rx_sc_cam_write;
+	roc_mcs_rx_sc_sa_map_read;
+	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_tx_sc_sa_map_read;
+	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v2 04/15] common/cnxk: add MACsec secy and flow configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec secy policy and
flow entries.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  38 +++++++++
 drivers/common/cnxk/roc_mcs.h         |  37 +++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 115 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   5 ++
 4 files changed, 195 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 40b761ee99..fcfcc90f6c 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,10 +300,14 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_FLOWID_ENTRY_WRITE, 0xa002, mcs_flowid_entry_write, mcs_flowid_entry_write_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_SECY_PLCY_WRITE, 0xa003, mcs_secy_plcy_write, mcs_secy_plcy_write_req, msg_rsp)      \
 	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
+	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -729,6 +733,31 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_entry_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data[4];
+	uint64_t __io mask[4];
+	uint64_t __io sci; /* CNF10K-B for tx_secy_mem_map */
+	uint8_t __io flow_id;
+	uint8_t __io secy_id; /* secyid for which flowid is mapped */
+	/* sc_id is Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t __io sc_id;
+	uint8_t __io ena; /* Enable tcam entry */
+	uint8_t __io ctr_pkt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy;
+	uint8_t __io secy_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 /* RX SC_CAM mapping */
 struct mcs_rx_sc_cam_write_req {
 	struct mbox_msghdr hdr;
@@ -774,6 +803,15 @@ struct mcs_rx_sc_sa_map {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_ena_dis_entry {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_id;
+	uint8_t __io ena;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index e947f93460..38c2d5626a 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,24 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+struct roc_mcs_flowid_entry_write_req {
+	uint64_t data[4];
+	uint64_t mask[4];
+	uint64_t sci; /* 105N for tx_secy_mem_map */
+	uint8_t flow_id;
+	uint8_t secy_id; /* secyid for which flowid is mapped */
+	uint8_t sc_id;	 /* Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t ena;	 /* Enable tcam entry */
+	uint8_t ctr_pkt;
+	uint8_t dir;
+};
+
+struct roc_mcs_secy_plcy_write_req {
+	uint64_t plcy;
+	uint8_t secy_id;
+	uint8_t dir;
+};
+
 /* RX SC_CAM mapping */
 struct roc_mcs_rx_sc_cam_write_req {
 	uint64_t sci;	  /* SCI */
@@ -64,6 +82,12 @@ struct roc_mcs_rx_sc_sa_map {
 	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
 };
 
+struct roc_mcs_flowid_ena_dis_entry {
+	uint8_t flow_id;
+	uint8_t ena;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -112,6 +136,11 @@ __roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
 				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 __roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
 				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* SECY policy read and write */
+__roc_api int roc_mcs_secy_policy_write(struct roc_mcs *mcs,
+					struct roc_mcs_secy_plcy_write_req *secy_plcy);
+__roc_api int roc_mcs_secy_policy_read(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 /* RX SC-SA MAP read and write */
 __roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
@@ -122,4 +151,12 @@ __roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 __roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
 					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+/* Flow entry read, write and enable */
+__roc_api int roc_mcs_flowid_entry_write(struct roc_mcs *mcs,
+					 struct roc_mcs_flowid_entry_write_req *flowid_req);
+__roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
+					struct roc_mcs_flowid_entry_write_req *flowid_rsp);
+__roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
+					  struct roc_mcs_flowid_ena_dis_entry *entry);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 9b87952112..44b4919bbc 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -267,6 +267,38 @@ roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_secy_policy_write(struct roc_mcs *mcs, struct roc_mcs_secy_plcy_write_req *secy_plcy)
+{
+	struct mcs_secy_plcy_write_req *secy;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (secy_plcy == NULL)
+		return -EINVAL;
+
+	secy = mbox_alloc_msg_mcs_secy_plcy_write(mcs->mbox);
+	if (secy == NULL)
+		return -ENOMEM;
+
+	secy->plcy = secy_plcy->plcy;
+	secy->secy_id = secy_plcy->secy_id;
+	secy->mcs_id = mcs->idx;
+	secy->dir = secy_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_secy_policy_read(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
 int
 roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
 {
@@ -380,3 +412,86 @@ roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+int
+roc_mcs_flowid_entry_write(struct roc_mcs *mcs, struct roc_mcs_flowid_entry_write_req *flowid_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_flowid_entry_write_req *flow_req;
+	struct msg_rsp *rsp;
+	uint8_t port;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (flowid_req == NULL)
+		return -EINVAL;
+
+	flow_req = mbox_alloc_msg_mcs_flowid_entry_write(mcs->mbox);
+	if (flow_req == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(flow_req->data, flowid_req->data, sizeof(uint64_t) * 4);
+	mbox_memcpy(flow_req->mask, flowid_req->mask, sizeof(uint64_t) * 4);
+	flow_req->sci = flowid_req->sci;
+	flow_req->flow_id = flowid_req->flow_id;
+	flow_req->secy_id = flowid_req->secy_id;
+	flow_req->sc_id = flowid_req->sc_id;
+	flow_req->ena = flowid_req->ena;
+	flow_req->ctr_pkt = flowid_req->ctr_pkt;
+	flow_req->mcs_id = mcs->idx;
+	flow_req->dir = flowid_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (flow_req->mask[3] & (BIT_ULL(10) | BIT_ULL(11)))
+		return rc;
+
+	port = (flow_req->data[3] >> 10) & 0x3;
+
+	plt_bitmap_set(priv->port_rsrc[port].tcam_bmap,
+		       flowid_req->flow_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->tcam_entries : 0));
+	plt_bitmap_set(priv->port_rsrc[port].secy_bmap,
+		       flowid_req->secy_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->secy_entries : 0));
+
+	if (flowid_req->dir == MCS_TX)
+		plt_bitmap_set(priv->port_rsrc[port].sc_bmap, priv->sc_entries + flowid_req->sc_id);
+
+	return 0;
+}
+
+int
+roc_mcs_flowid_entry_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_flowid_entry_write_req *flowid_rsp __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_flowid_entry_enable(struct roc_mcs *mcs, struct roc_mcs_flowid_ena_dis_entry *entry)
+{
+	struct mcs_flowid_ena_dis_entry *flow_entry;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (entry == NULL)
+		return -EINVAL;
+
+	flow_entry = mbox_alloc_msg_mcs_flowid_ena_entry(mcs->mbox);
+	if (flow_entry == NULL)
+		return -ENOMEM;
+
+	flow_entry->flow_id = entry->flow_id;
+	flow_entry->ena = entry->ena;
+	flow_entry->mcs_id = mcs->idx;
+	flow_entry->dir = entry->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index dbfda62ad1..3d9da3b187 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -138,6 +138,9 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_flowid_entry_enable;
+	roc_mcs_flowid_entry_read;
+	roc_mcs_flowid_entry_write;
 	roc_mcs_hw_info_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
@@ -148,6 +151,8 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_secy_policy_read;
+	roc_mcs_secy_policy_write;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH v2 05/15] common/cnxk: add MACsec PN and LMAC mode configuration

[Akhil Goyal]

Added ROC APIs for setting packet number and LMAC
related configurations.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        | 56 +++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c         | 71 +++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h         | 48 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 31 ++++++++++++
 drivers/common/cnxk/version.map       |  5 ++
 5 files changed, 211 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index fcfcc90f6c..62c5c3a3ce 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -308,7 +308,11 @@ struct mbox_msghdr {
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
+	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
+	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
+	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -812,6 +816,34 @@ struct mcs_flowid_ena_dis_entry {
 	uint64_t __io rsvd;
 };
 
+struct mcs_pn_table_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io next_pn;
+	uint8_t __io pn_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io reg_val[10];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
@@ -822,6 +854,30 @@ struct mcs_hw_info {
 	uint64_t __io rsvd[16];
 };
 
+struct mcs_set_active_lmac {
+	struct mbox_msghdr hdr;
+	uint32_t __io lmac_bmap; /* bitmap of active lmac per mcs block */
+	uint8_t __io mcs_id;
+	uint16_t __io channel_base; /* MCS channel base */
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_lmac_mode {
+	struct mbox_msghdr hdr;
+	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_pn_threshold {
+	struct mbox_msghdr hdr;
+	uint64_t __io threshold;
+	uint8_t __io xpn; /* '1' for setting xpn threshold */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
 
 /* NPA mbox message formats */
 
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 20433eae83..38f1e9b2f7 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -38,6 +38,77 @@ roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 	return rc;
 }
 
+int
+roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac)
+{
+	struct mcs_set_active_lmac *req;
+	struct msg_rsp *rsp;
+
+	/* Only needed for 105N */
+	if (!roc_model_is_cnf10kb())
+		return 0;
+
+	if (lmac == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_active_lmac(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_bmap = lmac->lmac_bmap;
+	req->channel_base = lmac->channel_base;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
+{
+	struct mcs_set_lmac_mode *req;
+	struct msg_rsp *rsp;
+
+	if (port == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_lmac_mode(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_id = port->lmac_id;
+	req->mcs_id = mcs->idx;
+	req->mode = port->mode;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn)
+{
+	struct mcs_set_pn_threshold *req;
+	struct msg_rsp *rsp;
+
+	if (pn == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_pn_threshold(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->threshold = pn->threshold;
+	req->mcs_id = mcs->idx;
+	req->dir = pn->dir;
+	req->xpn = pn->xpn;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 38c2d5626a..bedae3bf42 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -88,6 +88,25 @@ struct roc_mcs_flowid_ena_dis_entry {
 	uint8_t dir;
 };
 
+struct roc_mcs_pn_table_write_req {
+	uint64_t next_pn;
+	uint8_t pn_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_req {
+	uint8_t rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_rsp {
+	uint64_t reg_val[10];
+	uint8_t rsrc_type;
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -97,6 +116,24 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+struct roc_mcs_set_lmac_mode {
+	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_active_lmac {
+	uint32_t lmac_bmap;    /* bitmap of active lmac per mcs block */
+	uint16_t channel_base; /* MCS channel base */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_pn_threshold {
+	uint64_t threshold;
+	uint8_t xpn; /* '1' for setting xpn threshold */
+	uint8_t dir;
+	uint64_t rsvd;
+};
 
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
@@ -119,6 +156,12 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+/* Active lmac bmap set */
+__roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac);
+/* Port bypass mode set */
+__roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
+/* (X)PN threshold set */
+__roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -129,6 +172,11 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* PN Table read and write */
+__roc_api int roc_mcs_pn_table_write(struct roc_mcs *mcs,
+				     struct roc_mcs_pn_table_write_req *pn_table);
+__roc_api int roc_mcs_pn_table_read(struct roc_mcs *mcs,
+				    struct roc_mcs_pn_table_write_req *pn_table);
 /* RX SC read, write and enable */
 __roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
 				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 44b4919bbc..7b3a4c91e8 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -210,6 +210,37 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_pn_table_write(struct roc_mcs *mcs, struct roc_mcs_pn_table_write_req *pn_table)
+{
+	struct mcs_pn_table_write_req *pn;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (pn_table == NULL)
+		return -EINVAL;
+
+	pn = mbox_alloc_msg_mcs_pn_table_write(mcs->mbox);
+	if (pn == NULL)
+		return -ENOMEM;
+
+	pn->next_pn = pn_table->next_pn;
+	pn->pn_id = pn_table->pn_id;
+	pn->mcs_id = mcs->idx;
+	pn->dir = pn_table->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_table_read(struct roc_mcs *mcs __plt_unused,
+		      struct roc_mcs_pn_table_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
 
 int
 roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 3d9da3b187..0591747961 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -135,6 +135,7 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_active_lmac_set;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
@@ -142,6 +143,10 @@ INTERNAL {
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_hw_info_get;
+	roc_mcs_lmac_mode_set;
+	roc_mcs_pn_table_write;
+	roc_mcs_pn_table_read;
+	roc_mcs_pn_threshold_set;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
 	roc_mcs_rx_sc_cam_enable;
-- 
2.25.1

[PATCH v2 06/15] common/cnxk: add MACsec stats

[Akhil Goyal]

Added ROC APIs for MACsec stats for SC/SECY/FLOW/PORT

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_mbox.h      |  93 ++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  85 ++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c | 193 ++++++++++++++++++++++++++++
 drivers/common/cnxk/version.map     |   5 +
 5 files changed, 377 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 589baf74fe..79e10bac74 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -28,6 +28,7 @@ sources = files(
         'roc_mbox.c',
         'roc_mcs.c',
         'roc_mcs_sec_cfg.c',
+        'roc_mcs_stats.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 62c5c3a3ce..3f3a6aadc8 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -311,6 +311,11 @@ struct mbox_msghdr {
 	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
 	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_GET_FLOWID_STATS, 0xa00c, mcs_get_flowid_stats, mcs_stats_req, mcs_flowid_stats)     \
+	M(MCS_GET_SECY_STATS, 0xa00d, mcs_get_secy_stats, mcs_stats_req, mcs_secy_stats)           \
+	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
+	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
+	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -879,6 +884,94 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_stats_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_flowid_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_hit_cnt;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl_pkt_bcast_cnt;
+	uint64_t __io ctl_pkt_mcast_cnt;
+	uint64_t __io ctl_pkt_ucast_cnt;
+	uint64_t __io ctl_octet_cnt;
+	uint64_t __io unctl_pkt_bcast_cnt;
+	uint64_t __io unctl_pkt_mcast_cnt;
+	uint64_t __io unctl_pkt_ucast_cnt;
+	uint64_t __io unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t __io octet_decrypted_cnt;
+	uint64_t __io octet_validated_cnt;
+	uint64_t __io pkt_port_disabled_cnt;
+	uint64_t __io pkt_badtag_cnt;
+	uint64_t __io pkt_nosa_cnt;
+	uint64_t __io pkt_nosaerror_cnt;
+	uint64_t __io pkt_tagged_ctl_cnt;
+	uint64_t __io pkt_untaged_cnt;
+	uint64_t __io pkt_ctl_cnt;   /* CN10K-B */
+	uint64_t __io pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t __io octet_encrypted_cnt;
+	uint64_t __io octet_protected_cnt;
+	uint64_t __io pkt_noactivesa_cnt;
+	uint64_t __io pkt_toolong_cnt;
+	uint64_t __io pkt_untagged_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_port_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_miss_cnt;
+	uint64_t __io parser_err_cnt;
+	uint64_t __io preempt_err_cnt; /* CNF10K-B */
+	uint64_t __io sectag_insert_err_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_sc_stats {
+	struct mbox_msghdr hdr;
+	/* RX */
+	uint64_t __io hit_cnt;
+	uint64_t __io pkt_invalid_cnt;
+	uint64_t __io pkt_late_cnt;
+	uint64_t __io pkt_notvalid_cnt;
+	uint64_t __io pkt_unchecked_cnt;
+	uint64_t __io pkt_delay_cnt;	  /* CNF10K-B */
+	uint64_t __io pkt_ok_cnt;	  /* CNF10K-B */
+	uint64_t __io octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t __io octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t __io pkt_encrypt_cnt;
+	uint64_t __io pkt_protected_cnt;
+	uint64_t __io octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t __io octet_protected_cnt; /* CN10K-B */
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_clear_stats {
+	struct mbox_msghdr hdr;
+#define MCS_FLOWID_STATS 0
+#define MCS_SECY_STATS	 1
+#define MCS_SC_STATS	 2
+#define MCS_SA_STATS	 3
+#define MCS_PORT_STATS	 4
+	uint8_t __io type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* All resources stats mapped to PF are cleared */
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index bedae3bf42..3fbeee13fa 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -135,6 +135,76 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_stats_req {
+	uint8_t id;
+	uint8_t dir;
+};
+
+struct roc_mcs_flowid_stats {
+	uint64_t tcam_hit_cnt;
+};
+
+struct roc_mcs_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;	/* CN10K-B */
+	uint64_t pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct roc_mcs_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;	     /* CNF10K-B */
+	uint64_t pkt_ok_cnt;	     /* CNF10K-B */
+	uint64_t octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t octet_protected_cnt; /* CN10K-B */
+};
+
+struct roc_mcs_port_stats {
+	uint64_t tcam_miss_cnt;
+	uint64_t parser_err_cnt;
+	uint64_t preempt_err_cnt; /* CNF10K-B */
+	uint64_t sectag_insert_err_cnt;
+};
+
+struct roc_mcs_clear_stats {
+	uint8_t type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t id;
+	uint8_t dir;
+	uint8_t all; /* All resources stats mapped to PF are cleared */
+};
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -207,4 +277,19 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Flow id stats get */
+__roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				       struct roc_mcs_flowid_stats *stats);
+/* Secy stats get */
+__roc_api int roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_secy_stats *stats);
+/* SC stats get */
+__roc_api int roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				   struct roc_mcs_sc_stats *stats);
+/* Port stats get */
+__roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_port_stats *stats);
+/* Clear stats */
+__roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_stats.c b/drivers/common/cnxk/roc_mcs_stats.c
new file mode 100644
index 0000000000..24ac8a31cd
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_stats.c
@@ -0,0 +1,193 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+			 struct roc_mcs_flowid_stats *stats)
+{
+	struct mcs_flowid_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_flowid_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_hit_cnt = rsp->tcam_hit_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_secy_stats *stats)
+{
+	struct mcs_secy_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_secy_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->ctl_pkt_bcast_cnt = rsp->ctl_pkt_bcast_cnt;
+	stats->ctl_pkt_mcast_cnt = rsp->ctl_pkt_mcast_cnt;
+	stats->ctl_pkt_ucast_cnt = rsp->ctl_pkt_ucast_cnt;
+	stats->ctl_octet_cnt = rsp->ctl_octet_cnt;
+	stats->unctl_pkt_bcast_cnt = rsp->unctl_pkt_bcast_cnt;
+	stats->unctl_pkt_mcast_cnt = rsp->unctl_pkt_mcast_cnt;
+	stats->unctl_pkt_ucast_cnt = rsp->unctl_pkt_ucast_cnt;
+	stats->unctl_octet_cnt = rsp->unctl_octet_cnt;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->octet_decrypted_cnt = rsp->octet_decrypted_cnt;
+		stats->octet_validated_cnt = rsp->octet_validated_cnt;
+		stats->pkt_port_disabled_cnt = rsp->pkt_port_disabled_cnt;
+		stats->pkt_badtag_cnt = rsp->pkt_badtag_cnt;
+		stats->pkt_nosa_cnt = rsp->pkt_nosa_cnt;
+		stats->pkt_nosaerror_cnt = rsp->pkt_nosaerror_cnt;
+		stats->pkt_tagged_ctl_cnt = rsp->pkt_tagged_ctl_cnt;
+		stats->pkt_untaged_cnt = rsp->pkt_untaged_cnt;
+		if (roc_model_is_cn10kb_a0())
+			/* CN10K-B */
+			stats->pkt_ctl_cnt = rsp->pkt_ctl_cnt;
+		else
+			/* CNF10K-B */
+			stats->pkt_notag_cnt = rsp->pkt_notag_cnt;
+	} else {
+		stats->octet_encrypted_cnt = rsp->octet_encrypted_cnt;
+		stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		stats->pkt_noactivesa_cnt = rsp->pkt_noactivesa_cnt;
+		stats->pkt_toolong_cnt = rsp->pkt_toolong_cnt;
+		stats->pkt_untagged_cnt = rsp->pkt_untagged_cnt;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		     struct roc_mcs_sc_stats *stats)
+{
+	struct mcs_stats_req *req;
+	struct mcs_sc_stats *rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_sc_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->hit_cnt = rsp->hit_cnt;
+		stats->pkt_invalid_cnt = rsp->pkt_invalid_cnt;
+		stats->pkt_late_cnt = rsp->pkt_late_cnt;
+		stats->pkt_notvalid_cnt = rsp->pkt_notvalid_cnt;
+		stats->pkt_unchecked_cnt = rsp->pkt_unchecked_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_decrypt_cnt = rsp->octet_decrypt_cnt;
+			stats->octet_validate_cnt = rsp->octet_validate_cnt;
+		} else {
+			stats->pkt_delay_cnt = rsp->pkt_delay_cnt;
+			stats->pkt_ok_cnt = rsp->pkt_ok_cnt;
+		}
+	} else {
+		stats->pkt_encrypt_cnt = rsp->pkt_encrypt_cnt;
+		stats->pkt_protected_cnt = rsp->pkt_protected_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_encrypt_cnt = rsp->octet_encrypt_cnt;
+			stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		}
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_port_stats *stats)
+{
+	struct mcs_port_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_port_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_miss_cnt = rsp->tcam_miss_cnt;
+	stats->parser_err_cnt = rsp->parser_err_cnt;
+	if (roc_model_is_cnf10kb())
+		stats->preempt_err_cnt = rsp->preempt_err_cnt;
+
+	stats->sectag_insert_err_cnt = rsp->sectag_insert_err_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req)
+{
+	struct mcs_clear_stats *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (!roc_model_is_cn10kb_a0() && mcs_req->type == MCS_SA_STATS)
+		return MCS_ERR_HW_NOTSUP;
+
+	req = mbox_alloc_msg_mcs_clear_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->type = mcs_req->type;
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+	req->all = mcs_req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 0591747961..d8890e3538 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -142,11 +142,13 @@ INTERNAL {
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
+	roc_mcs_flowid_stats_get;
 	roc_mcs_hw_info_get;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_stats_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
 	roc_mcs_rx_sc_cam_enable;
@@ -156,8 +158,11 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_sc_stats_get;
 	roc_mcs_secy_policy_read;
 	roc_mcs_secy_policy_write;
+	roc_mcs_secy_stats_get;
+	roc_mcs_stats_clear;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH v2 07/15] common/cnxk: add MACsec interrupt APIs

[Akhil Goyal]

Added ROC APIs to support various MACsec interrupts.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_dev.c      |  86 +++++++++++++++++
 drivers/common/cnxk/roc_mbox.h     |  37 +++++++-
 drivers/common/cnxk/roc_mcs.c      | 117 +++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h      | 144 +++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h |   8 ++
 drivers/common/cnxk/version.map    |   3 +
 6 files changed, 394 insertions(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/roc_dev.c b/drivers/common/cnxk/roc_dev.c
index d87b00e7e8..875bfc59e4 100644
--- a/drivers/common/cnxk/roc_dev.c
+++ b/drivers/common/cnxk/roc_dev.c
@@ -514,6 +514,91 @@ pf_vf_mbox_send_up_msg(struct dev *dev, void *rec_msg)
 	}
 }
 
+static int
+mbox_up_handler_mcs_intr_notify(struct dev *dev, struct mcs_intr_info *info, struct msg_rsp *rsp)
+{
+	struct roc_mcs_event_desc desc = {0};
+	struct roc_mcs *mcs;
+
+	plt_base_dbg("pf:%d/vf:%d msg id 0x%x (%s) from: pf:%d/vf:%d", dev_get_pf(dev->pf_func),
+		     dev_get_vf(dev->pf_func), info->hdr.id, mbox_id2name(info->hdr.id),
+		     dev_get_pf(info->hdr.pcifunc), dev_get_vf(info->hdr.pcifunc));
+
+	mcs = roc_idev_mcs_get(info->mcs_id);
+	if (!mcs)
+		goto exit;
+
+	if (info->intr_mask) {
+		switch (info->intr_mask) {
+		case MCS_CPM_RX_SECTAG_V_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_V_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SL_GTE48_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SL_GTE48;
+			break;
+		case MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		case MCS_CPM_RX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_RX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_SA_NOT_VALID_INT:
+			desc.type = ROC_MCS_EVENT_SA_NOT_VALID;
+			break;
+		case MCS_BBE_RX_DFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_DFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_DATA_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_BBE_RX_PLFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_PLFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_PAB_RX_CHAN_OVERFLOW_INT:
+		case MCS_PAB_TX_CHAN_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		default:
+			goto exit;
+		}
+
+		mcs_event_cb_process(mcs, &desc);
+	}
+
+exit:
+	rsp->hdr.rc = 0;
+	return 0;
+}
+
 static int
 mbox_up_handler_cgx_link_event(struct dev *dev, struct cgx_link_info_msg *msg,
 			       struct msg_rsp *rsp)
@@ -602,6 +687,7 @@ mbox_process_msgs_up(struct dev *dev, struct mbox_msghdr *req)
 		return err;                                                    \
 	}
 		MBOX_UP_CGX_MESSAGES
+		MBOX_UP_MCS_MESSAGES
 #undef M
 	}
 
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 3f3a6aadc8..d964ba9f9d 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -316,6 +316,7 @@ struct mbox_msghdr {
 	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
 	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
 	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
+	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -324,9 +325,11 @@ struct mbox_msghdr {
 	M(CGX_LINK_EVENT, 0xC00, cgx_link_event, cgx_link_info_msg, msg_rsp)   \
 	M(CGX_PTP_RX_INFO, 0xC01, cgx_ptp_rx_info, cgx_ptp_rx_info_msg, msg_rsp)
 
+#define MBOX_UP_MCS_MESSAGES M(MCS_INTR_NOTIFY, 0xE00, mcs_intr_notify, mcs_intr_info, msg_rsp)
+
 enum {
 #define M(_name, _id, _1, _2, _3) MBOX_MSG_##_name = _id,
-	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES
+	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES MBOX_UP_MCS_MESSAGES
 #undef M
 };
 
@@ -867,6 +870,38 @@ struct mcs_set_active_lmac {
 	uint64_t __io rsvd;
 };
 
+#define MCS_CPM_RX_SECTAG_V_EQ1_INT	     BIT_ULL(0)
+#define MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT    BIT_ULL(1)
+#define MCS_CPM_RX_SECTAG_SL_GTE48_INT	     BIT_ULL(2)
+#define MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT  BIT_ULL(3)
+#define MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define MCS_CPM_RX_PACKET_XPN_EQ0_INT	     BIT_ULL(5)
+#define MCS_CPM_RX_PN_THRESH_REACHED_INT     BIT_ULL(6)
+#define MCS_CPM_TX_PACKET_XPN_EQ0_INT	     BIT_ULL(7)
+#define MCS_CPM_TX_PN_THRESH_REACHED_INT     BIT_ULL(8)
+#define MCS_CPM_TX_SA_NOT_VALID_INT	     BIT_ULL(9)
+#define MCS_BBE_RX_DFIFO_OVERFLOW_INT	     BIT_ULL(10)
+#define MCS_BBE_RX_PLFIFO_OVERFLOW_INT	     BIT_ULL(11)
+#define MCS_BBE_TX_DFIFO_OVERFLOW_INT	     BIT_ULL(12)
+#define MCS_BBE_TX_PLFIFO_OVERFLOW_INT	     BIT_ULL(13)
+#define MCS_PAB_RX_CHAN_OVERFLOW_INT	     BIT_ULL(14)
+#define MCS_PAB_TX_CHAN_OVERFLOW_INT	     BIT_ULL(15)
+
+struct mcs_intr_cfg {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask; /* Interrupt enable mask */
+	uint8_t __io mcs_id;
+};
+
+struct mcs_intr_info {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask;
+	int __io sa_id;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_set_lmac_mode {
 	struct mbox_msghdr hdr;
 	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 38f1e9b2f7..e9090da575 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -5,6 +5,18 @@
 #include "roc_api.h"
 #include "roc_priv.h"
 
+struct mcs_event_cb {
+	TAILQ_ENTRY(mcs_event_cb) next;
+	enum roc_mcs_event_type event;
+	roc_mcs_dev_cb_fn cb_fn;
+	void *cb_arg;
+	void *ret_param;
+	uint32_t active;
+};
+TAILQ_HEAD(mcs_event_cb_list, mcs_event_cb);
+
+PLT_STATIC_ASSERT(ROC_MCS_MEM_SZ >= (sizeof(struct mcs_priv) + sizeof(struct mcs_event_cb_list)));
+
 int
 roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 {
@@ -109,6 +121,107 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
+{
+	struct mcs_intr_cfg *req;
+	struct msg_rsp *rsp;
+
+	if (config == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_intr_cfg(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->intr_mask = config->intr_mask;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb;
+
+	if (cb_fn == NULL || cb_arg == NULL || userdata == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	TAILQ_FOREACH (cb, cb_list, next) {
+		if (cb->cb_fn == cb_fn && cb->cb_arg == cb_arg && cb->event == event)
+			break;
+	}
+
+	if (cb == NULL) {
+		cb = plt_zmalloc(sizeof(struct mcs_event_cb), 0);
+		if (!cb)
+			return -ENOMEM;
+
+		cb->cb_fn = cb_fn;
+		cb->cb_arg = cb_arg;
+		cb->event = event;
+		mcs->userdata = userdata;
+		TAILQ_INSERT_TAIL(cb_list, cb, next);
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb, *next;
+
+	MCS_SUPPORT_CHECK;
+
+	for (cb = TAILQ_FIRST(cb_list); cb != NULL; cb = next) {
+		next = TAILQ_NEXT(cb, next);
+
+		if (cb->event != event)
+			continue;
+
+		if (cb->active == 0) {
+			TAILQ_REMOVE(cb_list, cb, next);
+			plt_free(cb);
+		} else {
+			return -EAGAIN;
+		}
+	}
+
+	return 0;
+}
+
+int
+mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb mcs_cb;
+	struct mcs_event_cb *cb;
+	int rc = 0;
+
+	TAILQ_FOREACH (cb, cb_list, next) {
+		if (cb->cb_fn == NULL || cb->event != desc->type)
+			continue;
+
+		mcs_cb = *cb;
+		cb->active = 1;
+		mcs_cb.ret_param = desc;
+
+		rc = mcs_cb.cb_fn(mcs->userdata, mcs_cb.ret_param, mcs_cb.cb_arg);
+		cb->active = 0;
+	}
+
+	return rc;
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
@@ -227,6 +340,7 @@ mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
 struct roc_mcs *
 roc_mcs_dev_init(uint8_t mcs_idx)
 {
+	struct mcs_event_cb_list *cb_list;
 	struct roc_mcs *mcs;
 	struct npa_lf *npa;
 
@@ -255,6 +369,9 @@ roc_mcs_dev_init(uint8_t mcs_idx)
 	if (mcs_alloc_rsrc_bmap(mcs))
 		goto exit;
 
+	cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	TAILQ_INIT(cb_list);
+
 	roc_idev_mcs_set(mcs);
 	mcs->refcount++;
 
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 3fbeee13fa..b2ca6ee51b 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -116,6 +116,34 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+#define ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT		 BIT_ULL(0)
+#define ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT	 BIT_ULL(1)
+#define ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT	 BIT_ULL(2)
+#define ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT	 BIT_ULL(3)
+#define ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT	 BIT_ULL(5)
+#define ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT	 BIT_ULL(6)
+#define ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT	 BIT_ULL(7)
+#define ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT	 BIT_ULL(8)
+#define ROC_MCS_CPM_TX_SA_NOT_VALID_INT		 BIT_ULL(9)
+#define ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT	 BIT_ULL(10)
+#define ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT	 BIT_ULL(11)
+#define ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT	 BIT_ULL(12)
+#define ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT	 BIT_ULL(13)
+#define ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT	 BIT_ULL(14)
+#define ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT	 BIT_ULL(15)
+
+struct roc_mcs_intr_cfg {
+	uint64_t intr_mask; /* Interrupt enable mask */
+};
+
+struct roc_mcs_intr_info {
+	uint64_t intr_mask;
+	int sa_id;
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_set_lmac_mode {
 	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
 	uint8_t lmac_id;
@@ -205,6 +233,113 @@ struct roc_mcs_clear_stats {
 	uint8_t all; /* All resources stats mapped to PF are cleared */
 };
 
+enum roc_mcs_event_subtype {
+	ROC_MCS_SUBEVENT_UNKNOWN,
+
+	/* subevents of ROC_MCS_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * ROC_MCS_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	ROC_MCS_EVENT_RX_SECTAG_V_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SL_GTE48,
+	ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+
+	/* subevents of ROC_MCS_EVENT_FIFO_OVERFLOW error event
+	 * ROC_MCS_EVENT_DATA_FIFO_OVERFLOW:
+	 *	Notifies data FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW
+	 *	Notifies policy FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+	 *	Notifies output FIFO overflow fatal error in PAB unit.
+	 */
+	ROC_MCS_EVENT_DATA_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+};
+
+enum roc_mcs_event_type {
+	ROC_MCS_EVENT_UNKNOWN,
+
+	/* Notifies BBE_INT_DFIFO/PLFIFO_OVERFLOW or PAB_INT_OVERFLOW
+	 * interrupts, it's a fatal error that causes packet corruption.
+	 */
+	ROC_MCS_EVENT_FIFO_OVERFLOW,
+
+	/* Notifies CPM_RX_SECTAG_X validation error interrupt */
+	ROC_MCS_EVENT_SECTAG_VAL_ERR,
+	/* Notifies CPM_RX_PACKET_XPN_EQ0 (SecTag.PN == 0 in ingress) interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_HARD_EXP,
+	/* Notifies CPM_RX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_PACKET_XPN_EQ0 (PN wrapped in egress) interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_HARD_EXP,
+	/* Notifies CPM_TX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_SA_NOT_VALID interrupt */
+	ROC_MCS_EVENT_SA_NOT_VALID,
+	/* Notifies recovery of software driven port reset */
+	ROC_MCS_EVENT_PORT_RESET_RECOVERY,
+};
+
+union roc_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, ROC driver resets below attributes of active
+	 * flow entities(sc & sa) and than resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  ROC driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct roc_mcs_event_desc {
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	union roc_mcs_event_data metadata;
+};
+
+/** User application callback to be registered for any notifications from driver. */
+typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -292,4 +427,13 @@ __roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_r
 /* Clear stats */
 __roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
 
+/* Register user callback routines */
+__roc_api int roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+					roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata);
+/* Unregister user callback routines */
+__roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event);
+
+/* Configure interrupts */
+__roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
index 9e0bbe4392..8da03f4295 100644
--- a/drivers/common/cnxk/roc_mcs_priv.h
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -62,4 +62,12 @@ roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
 	return (struct mcs_priv *)&roc_mcs->reserved[0];
 }
 
+static inline void *
+roc_mcs_to_mcs_cb_list(struct roc_mcs *roc_mcs)
+{
+	return (void *)((uintptr_t)roc_mcs->reserved + sizeof(struct mcs_priv));
+}
+
+int mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc);
+
 #endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index d8890e3538..d10dfcd84e 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,11 +139,14 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_event_cb_register;
+	roc_mcs_event_cb_unregister;
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_flowid_stats_get;
 	roc_mcs_hw_info_get;
+	roc_mcs_intr_configure;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
-- 
2.25.1

[PATCH v2 08/15] common/cnxk: add MACsec port configuration

[Akhil Goyal]

Added ROC APIs for MACsec port configurations

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  40 ++++
 drivers/common/cnxk/roc_mcs.c   | 346 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  48 +++++
 drivers/common/cnxk/version.map |   4 +
 4 files changed, 438 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index d964ba9f9d..d7c0385a8b 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -319,6 +319,9 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
+	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
+	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -919,6 +922,43 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_port_cfg_set_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_reset_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io reset;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_stats_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io id;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index e9090da575..e6e6197a49 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -76,6 +76,25 @@ roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lma
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+static int
+mcs_port_reset_set(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port, uint8_t reset)
+{
+	struct mcs_port_reset_req *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_port_reset(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->reset = reset;
+	req->lmac_id = port->port_id;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
 {
@@ -121,6 +140,64 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
+{
+	struct mcs_port_cfg_set_req *set_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	set_req = mbox_alloc_msg_mcs_port_cfg_set(mcs->mbox);
+	if (set_req == NULL)
+		return -ENOMEM;
+
+	set_req->cstm_tag_rel_mode_sel = req->cstm_tag_rel_mode_sel;
+	set_req->custom_hdr_enb = req->custom_hdr_enb;
+	set_req->fifo_skid = req->fifo_skid;
+	set_req->lmac_mode = req->port_mode;
+	set_req->lmac_id = req->port_id;
+	set_req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+		     struct roc_mcs_port_cfg_get_rsp *rsp)
+{
+	struct mcs_port_cfg_get_req *get_req;
+	struct mcs_port_cfg_get_rsp *get_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_port_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->lmac_id = req->port_id;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	rsp->cstm_tag_rel_mode_sel = get_rsp->cstm_tag_rel_mode_sel;
+	rsp->custom_hdr_enb = get_rsp->custom_hdr_enb;
+	rsp->fifo_skid = get_rsp->fifo_skid;
+	rsp->port_mode = get_rsp->lmac_mode;
+	rsp->port_id = get_rsp->lmac_id;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
@@ -142,6 +219,275 @@ roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata, uint8_t port_id)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct roc_mcs_pn_table_write_req pn_table = {0};
+	struct roc_mcs_rx_sc_sa_map rx_map = {0};
+	struct roc_mcs_tx_sc_sa_map tx_map = {0};
+	struct roc_mcs_port_reset_req port = {0};
+	struct roc_mcs_clear_stats stats = {0};
+	int tx_cnt = 0, rx_cnt = 0, rc = 0;
+	uint64_t set;
+	int i;
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 1);
+
+	/* Reset TX/RX PN tables */
+	for (i = 0; i < (priv->sa_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+		if (set) {
+			pn_table.pn_id = i;
+			pn_table.next_pn = 1;
+			pn_table.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				pn_table.dir = MCS_TX;
+				pn_table.pn_id -= priv->sa_entries;
+			}
+			rc = roc_mcs_pn_table_write(mcs, &pn_table);
+			if (rc)
+				return rc;
+
+			if (i >= priv->sa_entries)
+				tx_cnt++;
+			else
+				rx_cnt++;
+		}
+	}
+
+	if (tx_cnt || rx_cnt) {
+		mdata->tx_sa_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->rx_sa_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (rx_cnt && (mdata->rx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sa = tx_cnt;
+		mdata->num_rx_sa = rx_cnt;
+		for (i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				if (i >= priv->sa_entries)
+					mdata->tx_sa_array[--tx_cnt] = i - priv->sa_entries;
+				else
+					mdata->rx_sa_array[--rx_cnt] = i;
+			}
+		}
+	}
+	tx_cnt = 0;
+	rx_cnt = 0;
+
+	/* Reset Tx active SA to index:0 */
+	for (i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			uint16_t sc_id = i - priv->sc_entries;
+
+			tx_map.sa_index0 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx0;
+			tx_map.sa_index1 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx1;
+			tx_map.rekey_ena = priv->port_rsrc[port_id].sc_conf[sc_id].tx.rekey_enb;
+			tx_map.sectag_sci = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sci;
+			tx_map.sa_index0_vld = 1;
+			tx_map.sa_index1_vld = 0;
+			tx_map.tx_sa_active = 0;
+			tx_map.sc_id = sc_id;
+			rc = roc_mcs_tx_sc_sa_map_write(mcs, &tx_map);
+			if (rc)
+				return rc;
+
+			tx_cnt++;
+		}
+	}
+
+	if (tx_cnt) {
+		mdata->tx_sc_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sc_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sc = tx_cnt;
+		for (i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+			if (set)
+				mdata->tx_sc_array[--tx_cnt] = i - priv->sc_entries;
+		}
+	}
+
+	/* Clear SA_IN_USE for active ANs in RX CPM */
+	for (i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 0;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			rx_cnt++;
+		}
+	}
+
+	/* Reset flow(flow/secy/sc/sa) stats mapped to this PORT */
+	for (i = 0; i < (priv->tcam_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].tcam_bmap, i);
+		if (set) {
+			stats.type = MCS_FLOWID_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->tcam_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (i = 0; i < (priv->secy_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].secy_bmap, i);
+		if (set) {
+			stats.type = MCS_SECY_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->secy_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (i = 0; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			stats.type = MCS_SC_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->sc_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	if (roc_model_is_cn10kb_a0()) {
+		for (i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				stats.type = MCS_SA_STATS;
+				stats.id = i;
+				stats.dir = MCS_RX;
+				if (i >= priv->sa_entries) {
+					stats.dir = MCS_TX;
+					stats.id -= priv->sa_entries;
+				}
+				rc = roc_mcs_stats_clear(mcs, &stats);
+				if (rc)
+					return rc;
+			}
+		}
+	}
+	{
+		stats.type = MCS_PORT_STATS;
+		stats.id = port_id;
+		rc = roc_mcs_stats_clear(mcs, &stats);
+		if (rc)
+			return rc;
+	}
+
+	if (rx_cnt) {
+		mdata->rx_sc_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (mdata->rx_sc_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->sc_an_array = plt_zmalloc(rx_cnt * sizeof(uint8_t), 0);
+		if (mdata->sc_an_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_rx_sc = rx_cnt;
+	}
+
+	/* Reactivate in-use ANs for active SCs in RX CPM */
+	for (i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 1;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			mdata->rx_sc_array[--rx_cnt] = i;
+			mdata->sc_an_array[rx_cnt] = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+		}
+	}
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 0);
+
+	return rc;
+exit:
+	if (mdata->num_tx_sa)
+		plt_free(mdata->tx_sa_array);
+	if (mdata->num_rx_sa)
+		plt_free(mdata->rx_sa_array);
+	if (mdata->num_tx_sc)
+		plt_free(mdata->tx_sc_array);
+	if (mdata->num_rx_sc) {
+		plt_free(mdata->rx_sc_array);
+		plt_free(mdata->sc_an_array);
+	}
+	return rc;
+}
+
+int
+roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port)
+{
+	struct roc_mcs_event_desc desc = {0};
+	int rc;
+
+	/* Initiate port reset and software recovery */
+	rc = roc_mcs_port_recovery(mcs, &desc.metadata, port->port_id);
+	if (rc)
+		goto exit;
+
+	desc.type = ROC_MCS_EVENT_PORT_RESET_RECOVERY;
+	/* Notify the entity details to the application which are recovered */
+	mcs_event_cb_process(mcs, &desc);
+
+exit:
+	if (desc.metadata.num_tx_sa)
+		plt_free(desc.metadata.tx_sa_array);
+	if (desc.metadata.num_rx_sa)
+		plt_free(desc.metadata.rx_sa_array);
+	if (desc.metadata.num_tx_sc)
+		plt_free(desc.metadata.tx_sc_array);
+	if (desc.metadata.num_rx_sc) {
+		plt_free(desc.metadata.rx_sc_array);
+		plt_free(desc.metadata.sc_an_array);
+	}
+
+	return rc;
+}
+
 int
 roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
 			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index b2ca6ee51b..d06057726f 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,43 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_port_cfg_set_req {
+	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
+	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
+	 */
+	uint8_t cstm_tag_rel_mode_sel;
+	/* In ingress path, custom_hdr_enb = 1 when the port is expected to receive pkts
+	 * that have 8B custom header before DMAC
+	 */
+	uint8_t custom_hdr_enb;
+	/* Valid fifo skid values are 14,28,56 for 25G,50G,100G respectively
+	 * FIFOs need to be configured based on the port_mode, valid only for 105N
+	 */
+	uint8_t fifo_skid;
+	uint8_t port_mode; /* 2'b00 - 25G or less, 2'b01 - 50G, 2'b10 - 100G */
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_rsp {
+	uint8_t cstm_tag_rel_mode_sel;
+	uint8_t custom_hdr_enb;
+	uint8_t fifo_skid;
+	uint8_t port_mode;
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_reset_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_stats_req {
 	uint8_t id;
 	uint8_t dir;
@@ -367,6 +404,13 @@ __roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_ac
 __roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
 /* (X)PN threshold set */
 __roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
+/* Reset port */
+__roc_api int roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port);
+/* Get port config */
+__roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req);
+/* Set port config */
+__roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+				   struct roc_mcs_port_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -436,4 +480,8 @@ __roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_even
 /* Configure interrupts */
 __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
 
+/* Port recovery from fatal errors */
+__roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
+				    uint8_t port_id);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index d10dfcd84e..6c0defa27e 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -151,6 +151,10 @@ INTERNAL {
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_cfg_get;
+	roc_mcs_port_cfg_set;
+	roc_mcs_port_recovery;
+	roc_mcs_port_reset;
 	roc_mcs_port_stats_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
-- 
2.25.1

[PATCH v2 09/15] common/cnxk: add MACsec control port configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec control port.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  72 ++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c   | 117 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  65 ++++++++++++++++++
 drivers/common/cnxk/version.map |   4 ++
 4 files changed, 258 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index d7c0385a8b..446f49aeaf 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -319,9 +319,17 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_ALLOC_CTRL_PKT_RULE, 0xa015, mcs_alloc_ctrl_pkt_rule, mcs_alloc_ctrl_pkt_rule_req,   \
+	  mcs_alloc_ctrl_pkt_rule_rsp)                                                             \
+	M(MCS_FREE_CTRL_PKT_RULE, 0xa016, mcs_free_ctrl_pkt_rule, mcs_free_ctrl_pkt_rule_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_CTRL_PKT_RULE_WRITE, 0xa017, mcs_ctrl_pkt_rule_write, mcs_ctrl_pkt_rule_write_req,   \
+	  msg_rsp)                                                                                 \
 	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
 	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
+	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
+	  mcs_custom_tag_cfg_get_rsp)                                                              \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -922,6 +930,53 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+enum mcs_ctrl_pkt_rule_type {
+	MCS_CTRL_PKT_RULE_TYPE_ETH,
+	MCS_CTRL_PKT_RULE_TYPE_DA,
+	MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct mcs_alloc_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id; /* MCS block ID */
+	uint8_t __io dir;    /* Macsec ingress or egress side */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_ctrl_pkt_rule_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_free_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the rule resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_ctrl_pkt_rule_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data0;
+	uint64_t __io data1;
+	uint64_t __io data2;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_cfg_set_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io cstm_tag_rel_mode_sel;
@@ -951,6 +1006,23 @@ struct mcs_port_cfg_get_rsp {
 	uint64_t __io rsvd;
 };
 
+struct mcs_custom_tag_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_custom_tag_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint16_t __io cstm_etype[8];
+	uint8_t __io cstm_indx[8];
+	uint8_t __io cstm_etype_en;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_reset_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io reset;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index e6e6197a49..1e3235ad73 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -140,6 +140,88 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_ctrl_pkt_rule_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+			    struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp)
+{
+	struct mcs_alloc_ctrl_pkt_rule_req *rule_req;
+	struct mcs_alloc_ctrl_pkt_rule_rsp *rule_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_alloc_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rule_rsp);
+	if (rc)
+		return rc;
+
+	rsp->rule_type = rule_rsp->rule_type;
+	rsp->rule_idx = rule_rsp->rule_idx;
+	rsp->dir = rule_rsp->dir;
+
+	return 0;
+}
+
+int
+roc_mcs_ctrl_pkt_rule_free(struct roc_mcs *mcs, struct roc_mcs_free_ctrl_pkt_rule_req *req)
+{
+	struct mcs_free_ctrl_pkt_rule_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_free_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->all = req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs, struct roc_mcs_ctrl_pkt_rule_write_req *req)
+{
+	struct mcs_ctrl_pkt_rule_write_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_ctrl_pkt_rule_write(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->data0 = req->data0;
+	rule_req->data1 = req->data1;
+	rule_req->data2 = req->data2;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
 {
@@ -198,6 +280,41 @@ roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 	return 0;
 }
 
+int
+roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs, struct roc_mcs_custom_tag_cfg_get_req *req,
+			   struct roc_mcs_custom_tag_cfg_get_rsp *rsp)
+{
+	struct mcs_custom_tag_cfg_get_req *get_req;
+	struct mcs_custom_tag_cfg_get_rsp *get_rsp;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_custom_tag_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->dir = req->dir;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < 8; i++) {
+		rsp->cstm_etype[i] = get_rsp->cstm_etype[i];
+		rsp->cstm_indx[i] = get_rsp->cstm_indx[i];
+	}
+
+	rsp->cstm_etype_en = get_rsp->cstm_etype_en;
+	rsp->dir = get_rsp->dir;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index d06057726f..e8d6b070db 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,45 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+enum roc_mcs_ctrl_pkt_rule_type {
+	ROC_MCS_CTRL_PKT_RULE_TYPE_ETH,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_DA,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_req {
+	uint8_t rule_type;
+	uint8_t dir; /* Macsec ingress or egress side */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_rsp {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_free_ctrl_pkt_rule_req {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the rule resources */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_ctrl_pkt_rule_write_req {
+	uint64_t data0;
+	uint64_t data1;
+	uint64_t data2;
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_cfg_set_req {
 	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
 	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
@@ -195,6 +234,19 @@ struct roc_mcs_port_cfg_get_rsp {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_custom_tag_cfg_get_req {
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_custom_tag_cfg_get_rsp {
+	uint16_t cstm_etype[8]; /* EthType/TPID */
+	uint8_t cstm_indx[8];	/* Custom tag index used to identify the VLAN etype */
+	uint8_t cstm_etype_en;	/* bitmap of enabled custom tags */
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_reset_req {
 	uint8_t port_id;
 	uint64_t rsvd;
@@ -411,6 +463,10 @@ __roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_
 /* Set port config */
 __roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 				   struct roc_mcs_port_cfg_get_rsp *rsp);
+/* Get custom tag config */
+__roc_api int roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs,
+					 struct roc_mcs_custom_tag_cfg_get_req *req,
+					 struct roc_mcs_custom_tag_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -456,6 +512,15 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Control packet rule alloc, free and write */
+__roc_api int roc_mcs_ctrl_pkt_rule_alloc(struct roc_mcs *mcs,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp);
+__roc_api int roc_mcs_ctrl_pkt_rule_free(struct roc_mcs *mcs,
+					 struct roc_mcs_free_ctrl_pkt_rule_req *req);
+__roc_api int roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs,
+					  struct roc_mcs_ctrl_pkt_rule_write_req *req);
+
 /* Flow id stats get */
 __roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
 				       struct roc_mcs_flowid_stats *stats);
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 6c0defa27e..914d0d2caa 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -136,6 +136,10 @@ INTERNAL {
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
 	roc_mcs_active_lmac_set;
+	roc_mcs_ctrl_pkt_rule_alloc;
+	roc_mcs_ctrl_pkt_rule_free;
+	roc_mcs_ctrl_pkt_rule_write;
+	roc_mcs_custom_tag_cfg_get;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
-- 
2.25.1

[PATCH v2 10/15] common/cnxk: add MACsec FIPS mbox

[Akhil Goyal]

Added MACsec FIPS configuration mbox

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h | 74 ++++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h  | 69 +++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 446f49aeaf..2f85b2f755 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -330,6 +330,15 @@ struct mbox_msghdr {
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
 	  mcs_custom_tag_cfg_get_rsp)                                                              \
+	M(MCS_FIPS_RESET, 0xa040, mcs_fips_reset, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_MODE_SET, 0xa041, mcs_fips_mode_set, mcs_fips_mode_req, msg_rsp)                \
+	M(MCS_FIPS_CTL_SET, 0xa042, mcs_fips_ctl_set, mcs_fips_ctl_req, msg_rsp)                   \
+	M(MCS_FIPS_IV_SET, 0xa043, mcs_fips_iv_set, mcs_fips_iv_req, msg_rsp)                      \
+	M(MCS_FIPS_CTR_SET, 0xa044, mcs_fips_ctr_set, mcs_fips_ctr_req, msg_rsp)                   \
+	M(MCS_FIPS_KEY_SET, 0xa045, mcs_fips_key_set, mcs_fips_key_req, msg_rsp)                   \
+	M(MCS_FIPS_BLOCK_SET, 0xa046, mcs_fips_block_set, mcs_fips_block_req, msg_rsp)             \
+	M(MCS_FIPS_START, 0xa047, mcs_fips_start, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_RESULT_GET, 0xa048, mcs_fips_result_get, mcs_fips_req, mcs_fips_result_rsp)
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -1119,6 +1128,71 @@ struct mcs_clear_stats {
 	uint8_t __io all; /* All resources stats mapped to PF are cleared */
 };
 
+struct mcs_fips_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_mode_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io mode;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctl_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_iv_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io iv_bits95_64;
+	uint64_t __io iv_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctr_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io fips_ctr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_key_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sak_bits255_192;
+	uint64_t __io sak_bits191_128;
+	uint64_t __io sak_bits127_64;
+	uint64_t __io sak_bits63_0;
+	uint64_t __io hashkey_bits127_64;
+	uint64_t __io hashkey_bits63_0;
+	uint8_t __io sak_len;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_block_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_result_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint64_t __io icv_bits127_64;
+	uint64_t __io icv_bits63_0;
+	uint8_t __io result_pass;
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index e8d6b070db..5b1423ac8f 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -426,6 +426,56 @@ struct roc_mcs_event_desc {
 	union roc_mcs_event_data metadata;
 };
 
+struct roc_mcs_fips_req {
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_mode {
+	uint64_t mode;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctl {
+	uint64_t ctl;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_iv {
+	uint32_t iv_bits95_64;
+	uint64_t iv_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctr {
+	uint32_t fips_ctr;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_key {
+	uint64_t sak_bits255_192;
+	uint64_t sak_bits191_128;
+	uint64_t sak_bits127_64;
+	uint64_t sak_bits63_0;
+	uint64_t hashkey_bits127_64;
+	uint64_t hashkey_bits63_0;
+	uint8_t sak_len;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_block {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_result_rsp {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint64_t icv_bits127_64;
+	uint64_t icv_bits63_0;
+	uint8_t result_pass;
+};
+
 /** User application callback to be registered for any notifications from driver. */
 typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
 
@@ -549,4 +599,23 @@ __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cf
 __roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
 				    uint8_t port_id);
 
+/* FIPS reset */
+__roc_api int roc_mcs_fips_reset(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS mode set */
+__roc_api int roc_mcs_fips_mode_set(struct roc_mcs *mcs, struct roc_mcs_fips_mode *req);
+/* FIPS ctl set */
+__roc_api int roc_mcs_fips_ctl_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctl *req);
+/* FIPS iv set */
+__roc_api int roc_mcs_fips_iv_set(struct roc_mcs *mcs, struct roc_mcs_fips_iv *req);
+/* FIPS ctr set */
+__roc_api int roc_mcs_fips_ctr_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctr *req);
+/* FIPS key set */
+__roc_api int roc_mcs_fips_key_set(struct roc_mcs *mcs, struct roc_mcs_fips_key *req);
+/* FIPS block set */
+__roc_api int roc_mcs_fips_block_set(struct roc_mcs *mcs, struct roc_mcs_fips_block *req);
+/* FIPS start */
+__roc_api int roc_mcs_fips_start(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS result */
+__roc_api int roc_mcs_fips_result_get(struct roc_mcs *mcs, struct roc_mcs_fips_req *req,
+				      struct roc_mcs_fips_result_rsp *rsp);
 #endif /* _ROC_MCS_H_ */
-- 
2.25.1

[PATCH v2 11/15] common/cnxk: derive hash key for MACsec

[Akhil Goyal]

MACsec hardware configuration need hash key to be generated
from the cipher key of AES-GCM-128/256.
Added an ROC API to derive the hash key and extend the case
for AES-256 as well.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_aes.c   | 86 ++++++++++++++++++++++-----------
 drivers/common/cnxk/roc_aes.h   |  4 +-
 drivers/common/cnxk/version.map |  1 +
 3 files changed, 60 insertions(+), 31 deletions(-)

diff --git a/drivers/common/cnxk/roc_aes.c b/drivers/common/cnxk/roc_aes.c
index f821c8b710..d84feb546a 100644
--- a/drivers/common/cnxk/roc_aes.c
+++ b/drivers/common/cnxk/roc_aes.c
@@ -4,9 +4,10 @@
 
 #include "roc_api.h"
 
-#define KEY_WORD_LEN	 (ROC_CPT_AES_XCBC_KEY_LENGTH / sizeof(uint32_t))
-#define KEY_ROUNDS	 10			/* (Nr+1)*Nb */
-#define KEY_SCHEDULE_LEN ((KEY_ROUNDS + 1) * 4) /* (Nr+1)*Nb words */
+#define KEY128_ROUNDS		10		/* (Nr+1)*Nb */
+#define KEY256_ROUNDS		14		/* (Nr+1)*Nb */
+#define KEY_SCHEDULE_LEN(nr)	((nr + 1) * 4)	/* (Nr+1)*Nb words */
+#define AES_HASH_KEY_LEN	16
 
 /*
  * AES 128 implementation based on NIST FIPS 197 suitable for LittleEndian
@@ -93,22 +94,30 @@ GF8mul(uint8_t byte, uint32_t mp)
 }
 
 static void
-aes_key_expand(const uint8_t *key, uint32_t *ks)
+aes_key_expand(const uint8_t *key, uint32_t len, uint32_t *ks)
 {
-	unsigned int i = 4;
+	uint32_t len_words = len / sizeof(uint32_t);
+	unsigned int schedule_len;
+	unsigned int i = len_words;
 	uint32_t temp;
 
+	schedule_len = (len == ROC_CPT_AES128_KEY_LEN) ? KEY_SCHEDULE_LEN(KEY128_ROUNDS) :
+							 KEY_SCHEDULE_LEN(KEY256_ROUNDS);
 	/* Skip key in ks */
-	memcpy(ks, key, KEY_WORD_LEN * sizeof(uint32_t));
+	memcpy(ks, key, len);
 
-	while (i < KEY_SCHEDULE_LEN) {
+	while (i < schedule_len) {
 		temp = ks[i - 1];
-		if ((i & 0x3) == 0) {
+		if ((i & (len_words - 1)) == 0) {
 			temp = rot_word(temp);
 			temp = sub_word(temp);
-			temp ^= (uint32_t)GF8mul(1, 1 << ((i >> 2) - 1));
+			temp ^= (uint32_t)GF8mul(1, 1 << ((i / len_words) - 1));
 		}
-		ks[i] = ks[i - 4] ^ temp;
+		if (len == ROC_CPT_AES256_KEY_LEN) {
+			if ((i % len_words) == 4)
+				temp = sub_word(temp);
+		}
+		ks[i] = ks[i - len_words] ^ temp;
 		i++;
 	}
 }
@@ -145,64 +154,83 @@ mix_columns(uint8_t *sRc)
 }
 
 static void
-cipher(uint8_t *in, uint8_t *out, uint32_t *ks)
+cipher(uint8_t *in, uint8_t *out, uint32_t *ks, uint32_t key_rounds, uint8_t in_len)
 {
-	uint32_t state[KEY_WORD_LEN];
+	uint8_t data_word_len = in_len / sizeof(uint32_t);
+	uint32_t state[data_word_len];
 	unsigned int i, round;
 
 	memcpy(state, in, sizeof(state));
 
 	/* AddRoundKey(state, w[0, Nb-1]) // See Sec. 5.1.4 */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] ^= ks[i];
 
-	for (round = 1; round < KEY_ROUNDS; round++) {
+	for (round = 1; round < key_rounds; round++) {
 		/* SubBytes(state) // See Sec. 5.1.1 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			state[i] = sub_word(state[i]);
 
 		/* ShiftRows(state) // See Sec. 5.1.2 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			shift_word((uint8_t *)state, i, i);
 
 		/* MixColumns(state) // See Sec. 5.1.3 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			mix_columns((uint8_t *)&state[i]);
 
 		/* AddRoundKey(state, w[round*Nb, (round+1)*Nb-1]) */
-		for (i = 0; i < KEY_WORD_LEN; i++)
-			state[i] ^= ks[round * 4 + i];
+		for (i = 0; i < data_word_len; i++)
+			state[i] ^= ks[round * data_word_len + i];
 	}
 
 	/* SubBytes(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] = sub_word(state[i]);
 
 	/* ShiftRows(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		shift_word((uint8_t *)state, i, i);
 
 	/* AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
-		state[i] ^= ks[KEY_ROUNDS * 4 + i];
-	memcpy(out, state, KEY_WORD_LEN * sizeof(uint32_t));
+	for (i = 0; i < data_word_len; i++)
+		state[i] ^= ks[key_rounds * data_word_len + i];
+	memcpy(out, state, data_word_len * sizeof(uint32_t));
 }
 
 void
 roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key)
 {
-	uint32_t aes_ks[KEY_SCHEDULE_LEN] = {0};
+	uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
 	uint8_t k1[16] = {[0 ... 15] = 0x01};
 	uint8_t k2[16] = {[0 ... 15] = 0x02};
 	uint8_t k3[16] = {[0 ... 15] = 0x03};
 
-	aes_key_expand(auth_key, aes_ks);
+	aes_key_expand(auth_key, ROC_CPT_AES_XCBC_KEY_LENGTH, aes_ks);
 
-	cipher(k1, derived_key, aes_ks);
+	cipher(k1, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k1));
 	derived_key += sizeof(k1);
 
-	cipher(k2, derived_key, aes_ks);
+	cipher(k2, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k2));
 	derived_key += sizeof(k2);
 
-	cipher(k3, derived_key, aes_ks);
+	cipher(k3, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k3));
+}
+
+void
+roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t hash_key[])
+{
+	uint8_t data[AES_HASH_KEY_LEN] = {0x0};
+
+	if (len == ROC_CPT_AES128_KEY_LEN) {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES128_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY128_ROUNDS, sizeof(data));
+	} else {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY256_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES256_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY256_ROUNDS, sizeof(data));
+	}
 }
diff --git a/drivers/common/cnxk/roc_aes.h b/drivers/common/cnxk/roc_aes.h
index 954039139f..3b4b921bcd 100644
--- a/drivers/common/cnxk/roc_aes.h
+++ b/drivers/common/cnxk/roc_aes.h
@@ -8,7 +8,7 @@
 /*
  * Derive k1, k2, k3 from 128 bit AES key
  */
-void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key,
-				       uint8_t *derived_key);
+void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key);
+void __roc_api roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t *hash_key);
 
 #endif /* _ROC_AES_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 914d0d2caa..8c71497df8 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -30,6 +30,7 @@ INTERNAL {
 	roc_ae_ec_grp_put;
 	roc_ae_fpm_get;
 	roc_ae_fpm_put;
+	roc_aes_hash_key_derive;
 	roc_aes_xcbc_key_derive;
 	roc_bphy_cgx_cpri_mode_change;
 	roc_bphy_cgx_cpri_mode_misc;
-- 
2.25.1

[PATCH v2 12/15] net/cnxk: add MACsec initialization

[Akhil Goyal]

Added initialization routines for MACsec for
cn10kb platform.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   6 ++
 drivers/net/cnxk/cnxk_ethdev.c      |  13 +++
 drivers/net/cnxk/cnxk_ethdev.h      |  14 +++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 151 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  61 +++++++++++
 drivers/net/cnxk/meson.build        |   1 +
 6 files changed, 246 insertions(+)
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 5bc547051d..8dd2c8b7a5 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1090,9 +1090,15 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
+	cnxk_eth_sec_ops.macsec_sa_create = NULL;
+	cnxk_eth_sec_ops.macsec_sc_create = NULL;
+	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 916198d802..5368f0777d 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1961,6 +1961,16 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 	if (rc)
 		goto free_mac_addrs;
 
+	if (roc_feature_nix_has_macsec()) {
+		rc = cnxk_mcs_dev_init(dev, 0);
+		if (rc) {
+			plt_err("Failed to init MCS");
+			goto free_mac_addrs;
+		}
+		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
+		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+	}
+
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
 		    " rxoffload_capa=0x%" PRIx64 " txoffload_capa=0x%" PRIx64,
 		    eth_dev->data->port_id, roc_nix_get_pf(nix),
@@ -2058,6 +2068,9 @@ cnxk_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool reset)
 	}
 	eth_dev->data->nb_rx_queues = 0;
 
+	if (roc_feature_nix_has_macsec())
+		cnxk_mcs_dev_fini(dev);
+
 	/* Free security resources */
 	nix_security_release(dev);
 
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index e280d6c05e..d5bb06b823 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -395,6 +395,9 @@ struct cnxk_eth_dev {
 	/* Reassembly dynfield/flag offsets */
 	int reass_dynfield_off;
 	int reass_dynflag_bit;
+
+	/* MCS device */
+	struct cnxk_mcs_dev *mcs_dev;
 };
 
 struct cnxk_eth_rxq_sp {
@@ -623,6 +626,17 @@ int cnxk_nix_cman_config_set(struct rte_eth_dev *dev, const struct rte_eth_cman_
 
 int cnxk_nix_cman_config_get(struct rte_eth_dev *dev, struct rte_eth_cman_config *config);
 
+int cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx);
+void cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev);
+
+struct cnxk_macsec_sess *cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev,
+							  const struct rte_security_session *sess);
+int cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
+			     const struct rte_flow_item pattern[],
+			     const struct rte_flow_action actions[], struct rte_flow_error *error,
+			     void **mcs_flow);
+int cnxk_mcs_flow_destroy(struct cnxk_eth_dev *eth_dev, void *mcs_flow);
+
 /* Other private functions */
 int nix_recalc_mtu(struct rte_eth_dev *eth_dev);
 int nix_mtr_validate(struct rte_eth_dev *dev, uint32_t id);
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
new file mode 100644
index 0000000000..b0205f45c5
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
+#include <roc_mcs.h>
+
+static int
+cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
+{
+	struct rte_eth_event_macsec_desc d = {0};
+
+	d.metadata = (uint64_t)userdata;
+
+	switch (desc->type) {
+	case ROC_MCS_EVENT_SECTAG_VAL_ERR:
+		d.type = RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR;
+		switch (desc->subtype) {
+		case ROC_MCS_EVENT_RX_SECTAG_V_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SL_GTE48:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		default:
+			plt_err("Unknown MACsec sub event : %d", desc->subtype);
+		}
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP;
+		break;
+	default:
+		plt_err("Unknown MACsec event type: %d", desc->type);
+	}
+
+	rte_eth_dev_callback_process(cb_arg, RTE_ETH_EVENT_MACSEC, &d);
+
+	return 0;
+}
+
+void
+cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	int rc;
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	/* Cleanup MACsec dev */
+	roc_mcs_dev_fini(mcs_dev->mdev);
+
+	plt_free(mcs_dev);
+}
+
+int
+cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx)
+{
+	struct roc_mcs_intr_cfg intr_cfg = {0};
+	struct roc_mcs_hw_info hw_info = {0};
+	struct cnxk_mcs_dev *mcs_dev;
+	int rc;
+
+	rc = roc_mcs_hw_info_get(&hw_info);
+	if (rc) {
+		plt_err("MCS HW info get failed: rc: %d ", rc);
+		return rc;
+	}
+
+	mcs_dev = plt_zmalloc(sizeof(struct cnxk_mcs_dev), PLT_CACHE_LINE_SIZE);
+	if (!mcs_dev)
+		return -ENOMEM;
+
+	mcs_dev->idx = mcs_idx;
+	mcs_dev->mdev = roc_mcs_dev_init(mcs_dev->idx);
+	if (!mcs_dev->mdev) {
+		plt_free(mcs_dev);
+		return rc;
+	}
+	mcs_dev->port_id = dev->eth_dev->data->port_id;
+
+	intr_cfg.intr_mask =
+		ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT | ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT | ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT | ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_SA_NOT_VALID_INT |
+		ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT | ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT;
+
+	rc = roc_mcs_intr_configure(mcs_dev->mdev, &intr_cfg);
+	if (rc) {
+		plt_err("Failed to configure MCS interrupts: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	dev->mcs_dev = mcs_dev;
+
+	return 0;
+}
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
new file mode 100644
index 0000000000..762c299fb8
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -0,0 +1,61 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+
+#define CNXK_MACSEC_HASH_KEY 16
+
+struct cnxk_mcs_dev {
+	uint64_t default_sci;
+	void *mdev;
+	uint8_t port_id;
+	uint8_t idx;
+};
+
+struct cnxk_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, driver resets below attributes of active
+	 * flow entities(sc & sa) and then resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  UMD driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct cnxk_mcs_event_desc {
+	struct rte_eth_dev *eth_dev;
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	struct cnxk_mcs_event_data metadata;
+};
diff --git a/drivers/net/cnxk/meson.build b/drivers/net/cnxk/meson.build
index 62b8bb90fb..ae6a7d9aac 100644
--- a/drivers/net/cnxk/meson.build
+++ b/drivers/net/cnxk/meson.build
@@ -22,6 +22,7 @@ sources = files(
         'cnxk_ethdev.c',
         'cnxk_ethdev_cman.c',
         'cnxk_ethdev_devargs.c',
+        'cnxk_ethdev_mcs.c',
         'cnxk_ethdev_mtr.c',
         'cnxk_ethdev_ops.c',
         'cnxk_ethdev_sec.c',
-- 
2.25.1

[PATCH v2 13/15] net/cnxk: create/destroy MACsec SC/SA

[Akhil Goyal]

Added support to create/destroy MACsec SA and SC.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   9 +-
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 250 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  16 ++
 3 files changed, 271 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 8dd2c8b7a5..1db29a0b55 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -9,6 +9,7 @@
 #include <rte_pmd_cnxk.h>
 
 #include <cn10k_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
 #include <cnxk_security.h>
 #include <roc_priv.h>
 
@@ -1090,10 +1091,10 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
-	cnxk_eth_sec_ops.macsec_sa_create = NULL;
-	cnxk_eth_sec_ops.macsec_sc_create = NULL;
-	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
-	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sa_create = cnxk_eth_macsec_sa_create;
+	cnxk_eth_sec_ops.macsec_sc_create = cnxk_eth_macsec_sc_create;
+	cnxk_eth_sec_ops.macsec_sa_destroy = cnxk_eth_macsec_sa_destroy;
+	cnxk_eth_sec_ops.macsec_sc_destroy = cnxk_eth_macsec_sc_destroy;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index b0205f45c5..89876abc57 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -6,6 +6,256 @@
 #include <cnxk_ethdev_mcs.h>
 #include <roc_mcs.h>
 
+static int
+mcs_resource_alloc(struct cnxk_mcs_dev *mcs_dev, enum mcs_direction dir, uint8_t rsrc_id[],
+		   uint8_t rsrc_cnt, enum cnxk_mcs_rsrc_type type)
+{
+	struct roc_mcs_alloc_rsrc_req req = {0};
+	struct roc_mcs_alloc_rsrc_rsp rsp = {0};
+	int i;
+
+	req.rsrc_type = type;
+	req.rsrc_cnt = rsrc_cnt;
+	req.dir = dir;
+
+	if (roc_mcs_rsrc_alloc(mcs_dev->mdev, &req, &rsp)) {
+		plt_err("Cannot allocate mcs resource.");
+		return -1;
+	}
+
+	for (i = 0; i < rsrc_cnt; i++) {
+		switch (rsp.rsrc_type) {
+		case CNXK_MCS_RSRC_TYPE_FLOWID:
+			rsrc_id[i] = rsp.flow_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SECY:
+			rsrc_id[i] = rsp.secy_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SC:
+			rsrc_id[i] = rsp.sc_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SA:
+			rsrc_id[i] = rsp.sa_ids[i];
+			break;
+		default:
+			plt_err("Invalid mcs resource allocated.");
+			return -1;
+		}
+	}
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN] = {0};
+	struct roc_mcs_pn_table_write_req pn_req = {0};
+	uint8_t hash_key_rev[CNXK_MACSEC_HASH_KEY] = {0};
+	uint8_t hash_key[CNXK_MACSEC_HASH_KEY] = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_sa_plcy_write_req req = {0};
+	uint8_t ciph_key[32] = {0};
+	enum mcs_direction dir;
+	uint8_t sa_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sa_id, 1, CNXK_MCS_RSRC_TYPE_SA);
+	if (ret) {
+		plt_err("Failed to allocate SA id.");
+		return -ENOMEM;
+	}
+	req.sa_index[0] = sa_id;
+	req.sa_cnt = 1;
+	req.dir = dir;
+
+	if (conf->key.length != 16 && conf->key.length != 32)
+		return -EINVAL;
+
+	for (i = 0; i < conf->key.length; i++)
+		ciph_key[i] = conf->key.data[conf->key.length - 1 - i];
+
+	memcpy(&req.plcy[0][0], ciph_key, conf->key.length);
+
+	roc_aes_hash_key_derive(conf->key.data, conf->key.length, hash_key);
+	for (i = 0; i < CNXK_MACSEC_HASH_KEY; i++)
+		hash_key_rev[i] = hash_key[CNXK_MACSEC_HASH_KEY - 1 - i];
+
+	memcpy(&req.plcy[0][4], hash_key_rev, CNXK_MACSEC_HASH_KEY);
+
+	for (i = 0; i < RTE_SECURITY_MACSEC_SALT_LEN; i++)
+		salt[i] = conf->salt[RTE_SECURITY_MACSEC_SALT_LEN - 1 - i];
+	memcpy(&req.plcy[0][6], salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	req.plcy[0][7] |= (uint64_t)conf->ssci << 32;
+	req.plcy[0][8] = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? (conf->an & 0x3) : 0;
+
+	ret = roc_mcs_sa_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err("Failed to write SA policy.");
+		return -EINVAL;
+	}
+	pn_req.next_pn = ((uint64_t)conf->xpn << 32) | rte_be_to_cpu_32(conf->next_pn);
+	pn_req.pn_id = sa_id;
+	pn_req.dir = dir;
+
+	ret = roc_mcs_pn_table_write(mcs_dev->mdev, &pn_req);
+	if (ret) {
+		plt_err("Failed to write PN table.");
+		return -EINVAL;
+	}
+
+	return sa_id;
+}
+
+int
+cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SA;
+	stats_req.id = sa_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SA id %u, dir %u.", sa_id, dir);
+
+	req.rsrc_id = sa_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SA;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SA id %u, dir %u.", sa_id, dir);
+
+	return ret;
+}
+
+int
+cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_set_pn_threshold pn_thresh = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	enum mcs_direction dir;
+	uint8_t sc_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sc_id, 1, CNXK_MCS_RSRC_TYPE_SC);
+	if (ret) {
+		plt_err("Failed to allocate SC id.");
+		return -ENOMEM;
+	}
+
+	if (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		struct roc_mcs_tx_sc_sa_map req = {0};
+
+		req.sa_index0 = conf->sc_tx.sa_id & 0xFF;
+		req.sa_index1 = conf->sc_tx.sa_id_rekey & 0xFF;
+		req.rekey_ena = conf->sc_tx.re_key_en;
+		req.sa_index0_vld = conf->sc_tx.active;
+		req.sa_index1_vld = conf->sc_tx.re_key_en && conf->sc_tx.active;
+		req.tx_sa_active = 0;
+		req.sectag_sci = conf->sc_tx.sci;
+		req.sc_id = sc_id;
+
+		ret = roc_mcs_tx_sc_sa_map_write(mcs_dev->mdev, &req);
+		if (ret) {
+			plt_err("Failed to map TX SC-SA");
+			return -EINVAL;
+		}
+		pn_thresh.xpn = conf->sc_tx.is_xpn;
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			struct roc_mcs_rx_sc_sa_map req = {0};
+
+			req.sa_index = conf->sc_rx.sa_id[i] & 0x7F;
+			req.sc_id = sc_id;
+			req.an = i & 0x3;
+			req.sa_in_use = 0;
+			/* Clearing the sa_in_use bit automatically clears
+			 * the corresponding pn_thresh_reached bit
+			 */
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+			req.sa_in_use = conf->sc_rx.sa_in_use[i];
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+		}
+		pn_thresh.xpn = conf->sc_rx.is_xpn;
+	}
+
+	pn_thresh.threshold = conf->pn_threshold;
+	pn_thresh.dir = dir;
+
+	ret = roc_mcs_pn_threshold_set(mcs_dev->mdev, &pn_thresh);
+	if (ret) {
+		plt_err("Failed to write PN threshold.");
+		return -EINVAL;
+	}
+
+	return sc_id;
+}
+
+int
+cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SC;
+	stats_req.id = sc_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SC id %u, dir %u.", sc_id, dir);
+
+	req.rsrc_id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SC;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 762c299fb8..68c6493169 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -13,6 +13,14 @@ struct cnxk_mcs_dev {
 	uint8_t idx;
 };
 
+enum cnxk_mcs_rsrc_type {
+	CNXK_MCS_RSRC_TYPE_FLOWID,
+	CNXK_MCS_RSRC_TYPE_SECY,
+	CNXK_MCS_RSRC_TYPE_SC,
+	CNXK_MCS_RSRC_TYPE_SA,
+	CNXK_MCS_RSRC_TYPE_PORT,
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -59,3 +67,11 @@ struct cnxk_mcs_event_desc {
 	enum roc_mcs_event_subtype subtype;
 	struct cnxk_mcs_event_data metadata;
 };
+
+int cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf);
+int cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf);
+
+int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir);
+int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir);
-- 
2.25.1

[PATCH v2 14/15] net/cnxk: add MACsec session and flow configuration

[Akhil Goyal]

Added support for MACsec session/flow create/destroy.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |  11 +-
 drivers/net/cnxk/cn10k_flow.c       |  23 ++-
 drivers/net/cnxk/cnxk_ethdev.c      |   2 +
 drivers/net/cnxk/cnxk_ethdev.h      |  16 ++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 261 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  25 +++
 drivers/net/cnxk/cnxk_ethdev_sec.c  |   2 +-
 drivers/net/cnxk/cnxk_flow.c        |   5 +
 8 files changed, 341 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 1db29a0b55..f20e573338 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -642,7 +642,9 @@ cn10k_eth_sec_session_create(void *device,
 	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
 		return -ENOTSUP;
 
-	if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_MACSEC)
+		return cnxk_eth_macsec_session_create(dev, conf, sess);
+	else if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
 		return -ENOTSUP;
 
 	if (rte_security_dynfield_register() < 0)
@@ -887,13 +889,18 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	rte_spinlock_t *lock;
 	void *sa_dptr;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (!eth_sec)
+	if (!eth_sec) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_destroy(dev, sess);
 		return -ENOENT;
+	}
 
 	lock = eth_sec->inb ? &dev->inb.lock : &dev->outb.lock;
 	rte_spinlock_lock(lock);
diff --git a/drivers/net/cnxk/cn10k_flow.c b/drivers/net/cnxk/cn10k_flow.c
index d7a3442c5f..db5e427362 100644
--- a/drivers/net/cnxk/cn10k_flow.c
+++ b/drivers/net/cnxk/cn10k_flow.c
@@ -1,10 +1,11 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  * Copyright(C) 2020 Marvell.
  */
-#include <cnxk_flow.h>
 #include "cn10k_flow.h"
 #include "cn10k_ethdev.h"
 #include "cn10k_rx.h"
+#include "cnxk_ethdev_mcs.h"
+#include <cnxk_flow.h>
 
 static int
 cn10k_mtr_connect(struct rte_eth_dev *eth_dev, uint32_t mtr_id)
@@ -133,6 +134,7 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 	const struct rte_flow_action *act_q = NULL;
 	struct roc_npc *npc = &dev->npc;
 	struct roc_npc_flow *flow;
+	void *mcs_flow = NULL;
 	int vtag_actions = 0;
 	uint32_t req_act = 0;
 	int mark_actions;
@@ -187,6 +189,17 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 		}
 	}
 
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL) {
+		rc = cnxk_mcs_flow_configure(eth_dev, attr, pattern, actions, error, &mcs_flow);
+		if (rc) {
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_ACTION, NULL,
+					   "Failed to configure mcs flow");
+			return NULL;
+		}
+		return (struct rte_flow *)mcs_flow;
+	}
+
 	flow = cnxk_flow_create(eth_dev, attr, pattern, actions, error);
 	if (!flow) {
 		if (mtr)
@@ -265,6 +278,14 @@ cn10k_flow_destroy(struct rte_eth_dev *eth_dev, struct rte_flow *rte_flow,
 		}
 	}
 
+	if (cnxk_eth_macsec_sess_get_by_sess(dev, (void *)flow) != NULL) {
+		rc = cnxk_mcs_flow_destroy(dev, (void *)flow);
+		if (rc < 0)
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+					NULL, "Failed to free mcs flow");
+		return rc;
+	}
+
 	mtr_id = flow->mtr_id;
 	rc = cnxk_flow_destroy(eth_dev, flow, error);
 	if (!rc && mtr_id != ROC_NIX_MTR_ID_INVALID) {
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 5368f0777d..4b98faa729 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1969,6 +1969,8 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 		}
 		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
 		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+
+		TAILQ_INIT(&dev->mcs_list);
 	}
 
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index d5bb06b823..45dc72b609 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -292,6 +292,21 @@ struct cnxk_eth_dev_sec_outb {
 	uint64_t cpt_eng_caps;
 };
 
+/* MACsec session private data */
+struct cnxk_macsec_sess {
+	/* List entry */
+	TAILQ_ENTRY(cnxk_macsec_sess) entry;
+
+	/* Back pointer to session */
+	struct rte_security_session *sess;
+	enum mcs_direction dir;
+	uint64_t sci;
+	uint8_t secy_id;
+	uint8_t sc_id;
+	uint8_t flow_id;
+};
+TAILQ_HEAD(cnxk_macsec_sess_list, cnxk_macsec_sess);
+
 struct cnxk_eth_dev {
 	/* ROC NIX */
 	struct roc_nix nix;
@@ -398,6 +413,7 @@ struct cnxk_eth_dev {
 
 	/* MCS device */
 	struct cnxk_mcs_dev *mcs_dev;
+	struct cnxk_macsec_sess_list mcs_list;
 };
 
 struct cnxk_eth_rxq_sp {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index 89876abc57..b47991e259 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -256,6 +256,267 @@ cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macse
 	return ret;
 }
 
+struct cnxk_macsec_sess *
+cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev, const struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess = NULL;
+
+	TAILQ_FOREACH(macsec_sess, &dev->mcs_list, entry) {
+		if (macsec_sess->sess == sess)
+			return macsec_sess;
+	}
+
+	return NULL;
+}
+
+int
+cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+			       struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess_priv = SECURITY_GET_SESS_PRIV(sess);
+	struct rte_security_macsec_xform *xform = &conf->macsec;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_secy_plcy_write_req req;
+	enum mcs_direction dir;
+	uint8_t secy_id = 0;
+	uint8_t sectag_tci = 0;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &secy_id, 1, CNXK_MCS_RSRC_TYPE_SECY);
+	if (ret) {
+		plt_err("Failed to allocate SECY id.");
+		return -ENOMEM;
+	}
+
+	req.secy_id = secy_id;
+	req.dir = dir;
+	req.plcy = 0L;
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sectag_tci = ((uint8_t)xform->tx_secy.sectag_version << 5) |
+			     ((uint8_t)xform->tx_secy.end_station << 4) |
+			     ((uint8_t)xform->tx_secy.send_sci << 3) |
+			     ((uint8_t)xform->tx_secy.scb << 2) |
+			     ((uint8_t)xform->tx_secy.encrypt << 1) |
+			     (uint8_t)xform->tx_secy.encrypt;
+		req.plcy = (((uint64_t)xform->tx_secy.mtu & 0xFFFF) << 28) |
+			   (((uint64_t)sectag_tci & 0x3F) << 22) |
+			   (((uint64_t)xform->tx_secy.sectag_off & 0x7F) << 15) |
+			   ((uint64_t)xform->tx_secy.sectag_insert_mode << 14) |
+			   ((uint64_t)xform->tx_secy.icv_include_da_sa << 13) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 6) |
+			   ((uint64_t)xform->alg << 2) |
+			   ((uint64_t)xform->tx_secy.protect_frames << 1) |
+			   (uint64_t)xform->tx_secy.ctrl_port_enable;
+	} else {
+		req.plcy = ((uint64_t)xform->rx_secy.replay_win_sz << 18) |
+			   ((uint64_t)xform->rx_secy.replay_protect << 17) |
+			   ((uint64_t)xform->rx_secy.icv_include_da_sa << 16) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 9) |
+			   ((uint64_t)xform->alg << 5) |
+			   ((uint64_t)xform->rx_secy.preserve_sectag << 4) |
+			   ((uint64_t)xform->rx_secy.preserve_icv << 3) |
+			   ((uint64_t)xform->rx_secy.validate_frames << 1) |
+			   (uint64_t)xform->rx_secy.ctrl_port_enable;
+	}
+
+	ret = roc_mcs_secy_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err(" Failed to configure Tx SECY");
+		return -EINVAL;
+	}
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_RX) {
+		struct roc_mcs_rx_sc_cam_write_req rx_sc_cam = {0};
+
+		rx_sc_cam.sci = xform->sci;
+		rx_sc_cam.secy_id = secy_id & 0x3F;
+		rx_sc_cam.sc_id = xform->sc_id;
+		ret = roc_mcs_rx_sc_cam_write(mcs_dev->mdev, &rx_sc_cam);
+		if (ret) {
+			plt_err(" Failed to write rx_sc_cam");
+			return -EINVAL;
+		}
+	}
+	macsec_sess_priv->sci = xform->sci;
+	macsec_sess_priv->sc_id = xform->sc_id;
+	macsec_sess_priv->secy_id = secy_id;
+	macsec_sess_priv->dir = dir;
+	macsec_sess_priv->sess = sess;
+
+	TAILQ_INSERT_TAIL(&dev->mcs_list, macsec_sess_priv, entry);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	struct cnxk_macsec_sess *s;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	s = SECURITY_GET_SESS_PRIV(sess);
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SECY;
+	stats_req.id = s->secy_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SECY id %u, dir %u.", s->secy_id, s->dir);
+
+	req.rsrc_id = s->secy_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SECY;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	TAILQ_REMOVE(&dev->mcs_list, s, entry);
+
+	return ret;
+}
+
+int
+cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr __rte_unused,
+			 const struct rte_flow_item pattern[],
+			 const struct rte_flow_action actions[],
+			 struct rte_flow_error *error __rte_unused, void **mcs_flow)
+{
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_flowid_entry_write_req req = {0};
+	const struct rte_flow_item_eth *eth_item = NULL;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct cnxk_mcs_flow_opts opts = {0};
+	struct cnxk_macsec_sess *sess;
+	struct rte_ether_addr src;
+	struct rte_ether_addr dst;
+	int ret;
+	int i = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	sess = cnxk_eth_macsec_sess_get_by_sess(dev,
+			(const struct rte_security_session *)actions->conf);
+	if (sess == NULL)
+		return -EINVAL;
+
+	ret = mcs_resource_alloc(mcs_dev, sess->dir, &sess->flow_id, 1,
+				 CNXK_MCS_RSRC_TYPE_FLOWID);
+	if (ret) {
+		plt_err("Failed to allocate FLow id.");
+		return -ENOMEM;
+	}
+	req.sci = sess->sci;
+	req.flow_id = sess->flow_id;
+	req.secy_id = sess->secy_id;
+	req.sc_id = sess->sc_id;
+	req.ena = 1;
+	req.ctr_pkt = 0;
+	req.dir = sess->dir;
+
+	while (pattern[i].type != RTE_FLOW_ITEM_TYPE_END) {
+		if (pattern[i].type == RTE_FLOW_ITEM_TYPE_ETH)
+			eth_item = pattern[i].spec;
+		else
+			plt_err("Unhandled flow item : %d", pattern[i].type);
+		i++;
+	}
+	if (eth_item) {
+		dst = eth_item->hdr.dst_addr;
+		src = eth_item->hdr.src_addr;
+
+		/* Find ways to fill opts */
+
+		req.data[0] =
+			(uint64_t)dst.addr_bytes[0] << 40 | (uint64_t)dst.addr_bytes[1] << 32 |
+			(uint64_t)dst.addr_bytes[2] << 24 | (uint64_t)dst.addr_bytes[3] << 16 |
+			(uint64_t)dst.addr_bytes[4] << 8 | (uint64_t)dst.addr_bytes[5] |
+			(uint64_t)src.addr_bytes[5] << 48 | (uint64_t)src.addr_bytes[4] << 56;
+		req.data[1] = (uint64_t)src.addr_bytes[3] | (uint64_t)src.addr_bytes[2] << 8 |
+			      (uint64_t)src.addr_bytes[1] << 16 |
+			      (uint64_t)src.addr_bytes[0] << 24 |
+			      (uint64_t)eth_item->hdr.ether_type << 32 |
+			      ((uint64_t)opts.outer_tag_id & 0xFFFF) << 48;
+		req.data[2] = ((uint64_t)opts.outer_tag_id & 0xF0000) |
+			      ((uint64_t)opts.outer_priority & 0xF) << 4 |
+			      ((uint64_t)opts.second_outer_tag_id & 0xFFFFF) << 8 |
+			      ((uint64_t)opts.second_outer_priority & 0xF) << 28 |
+			      ((uint64_t)opts.bonus_data << 32) |
+			      ((uint64_t)opts.tag_match_bitmap << 48) |
+			      ((uint64_t)opts.packet_type & 0xF) << 56 |
+			      ((uint64_t)opts.outer_vlan_type & 0x7) << 60 |
+			      ((uint64_t)opts.inner_vlan_type & 0x1) << 63;
+		req.data[3] = ((uint64_t)opts.inner_vlan_type & 0x6) >> 1 |
+			      ((uint64_t)opts.num_tags & 0x7F) << 2 |
+			      ((uint64_t)opts.flowid_user & 0x1F) << 9 |
+			      ((uint64_t)opts.express & 1) << 14 |
+			      ((uint64_t)opts.lmac_id & 0x1F) << 15;
+
+		req.mask[0] = 0x0;
+		req.mask[1] = 0xFFFFFFFF00000000;
+		req.mask[2] = 0xFFFFFFFFFFFFFFFF;
+		req.mask[3] = 0xFFFFFFFFFFFFFFFF;
+
+		ret = roc_mcs_flowid_entry_write(mcs_dev->mdev, &req);
+		if (ret)
+			return ret;
+		*mcs_flow = (void *)(uintptr_t)actions->conf;
+	} else {
+		plt_err("Flow not confirured");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+int
+cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
+{
+	const struct cnxk_macsec_sess *s = cnxk_eth_macsec_sess_get_by_sess(dev, flow);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	if (s == NULL)
+		return 0;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_FLOWID;
+	stats_req.id = s->flow_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for Flow id %u, dir %u.", s->flow_id, s->dir);
+
+	req.rsrc_id = s->flow_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_FLOWID;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free flow_id: %d.", s->flow_id);
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 68c6493169..2b1a6f2c90 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -21,6 +21,27 @@ enum cnxk_mcs_rsrc_type {
 	CNXK_MCS_RSRC_TYPE_PORT,
 };
 
+struct cnxk_mcs_flow_opts {
+	uint32_t outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS.*/
+	uint32_t second_outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t second_outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS. */
+	uint16_t bonus_data;
+	/**< 2 bytes of additional bonus data extracted from one of the custom tags*/
+	uint8_t tag_match_bitmap;
+	uint8_t packet_type;
+	uint8_t outer_vlan_type;
+	uint8_t inner_vlan_type;
+	uint8_t num_tags;
+	bool express;
+	uint8_t lmac_id;
+	uint8_t flowid_user;
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -75,3 +96,7 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 			       enum rte_security_macsec_direction dir);
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
+
+int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+				   struct rte_security_session *sess);
+int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index a66d58ca61..dc17c128de 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -284,7 +284,7 @@ cnxk_eth_sec_sess_get_by_sess(struct cnxk_eth_dev *dev,
 static unsigned int
 cnxk_eth_sec_session_get_size(void *device __rte_unused)
 {
-	return sizeof(struct cnxk_eth_sec_sess);
+	return RTE_MAX(sizeof(struct cnxk_macsec_sess), sizeof(struct cnxk_eth_sec_sess));
 }
 
 struct rte_security_ops cnxk_eth_sec_ops = {
diff --git a/drivers/net/cnxk/cnxk_flow.c b/drivers/net/cnxk/cnxk_flow.c
index 9595fe9386..1bacb20784 100644
--- a/drivers/net/cnxk/cnxk_flow.c
+++ b/drivers/net/cnxk/cnxk_flow.c
@@ -300,6 +300,11 @@ cnxk_flow_validate(struct rte_eth_dev *eth_dev,
 	uint32_t flowkey_cfg = 0;
 	int rc;
 
+	/* Skip flow validation for MACsec. */
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL)
+		return 0;
+
 	memset(&flow, 0, sizeof(flow));
 	flow.is_validate = true;
 
-- 
2.25.1

[PATCH v2 15/15] net/cnxk: add MACsec stats

[Akhil Goyal]

Added support for MACsec SC/flow/session stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c | 11 +++--
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 64 +++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  9 ++++
 3 files changed, 81 insertions(+), 3 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index f20e573338..b98fc9378e 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1058,12 +1058,17 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	int rc;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (eth_sec == NULL)
+	if (eth_sec == NULL) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_stats_get(dev, macsec_sess, stats);
 		return -EINVAL;
+	}
 
 	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
 			    ROC_NIX_INL_SA_OP_FLUSH);
@@ -1107,6 +1112,6 @@ cn10k_eth_sec_ops_override(void)
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
-	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
-	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = cnxk_eth_macsec_sc_stats_get;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = cnxk_eth_macsec_sa_stats_get;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index b47991e259..851c83ff3f 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -517,6 +517,70 @@ cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
 	return ret;
 }
 
+int
+cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sa_id);
+	RTE_SET_USED(dir);
+	RTE_SET_USED(stats);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sc_stats *stats)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? MCS_RX : MCS_TX;
+
+	return roc_mcs_sc_stats_get(mcs_dev->mdev, &req, (struct roc_mcs_sc_stats *)stats);
+}
+
+int
+cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				  struct rte_security_stats *stats)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_flowid_stats flow_stats = {0};
+	struct roc_mcs_port_stats port_stats = {0};
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sess->flow_id;
+	req.dir = sess->dir;
+	roc_mcs_flowid_stats_get(mcs_dev->mdev, &req, &flow_stats);
+	plt_nix_dbg("\n******* FLOW_ID IDX[%u] STATS dir: %u********\n", sess->flow_id, sess->dir);
+	plt_nix_dbg("TX: tcam_hit_cnt: 0x%lx\n", flow_stats.tcam_hit_cnt);
+
+	req.id = mcs_dev->port_id;
+	req.dir = sess->dir;
+	roc_mcs_port_stats_get(mcs_dev->mdev, &req, &port_stats);
+	plt_nix_dbg("\n********** PORT[0] STATS ****************\n");
+	plt_nix_dbg("RX tcam_miss_cnt: 0x%lx\n", port_stats.tcam_miss_cnt);
+	plt_nix_dbg("RX parser_err_cnt: 0x%lx\n", port_stats.parser_err_cnt);
+	plt_nix_dbg("RX preempt_err_cnt: 0x%lx\n", port_stats.preempt_err_cnt);
+	plt_nix_dbg("RX sectag_insert_err_cnt: 0x%lx\n", port_stats.sectag_insert_err_cnt);
+
+	req.id = sess->secy_id;
+	req.dir = sess->dir;
+
+	return roc_mcs_secy_stats_get(mcs_dev->mdev, &req,
+				      (struct roc_mcs_secy_stats *)(&stats->macsec));
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 2b1a6f2c90..4a59dd3df9 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -97,6 +97,15 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
 
+int cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sa_stats *stats);
+int cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sc_stats *stats);
+int cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				      struct rte_security_stats *stats);
+
 int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
 				   struct rte_security_session *sess);
 int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
-- 
2.25.1

Re: [PATCH v2 01/13] security: add direction in SA/SC configuration

[David Marchand]

On Wed, Jun 7, 2023 at 5:20 PM Akhil Goyal <gakhil@marvell.com> wrote:
>
> MACsec SC/SA ids are created based on direction of the flow.
> Hence, added the missing field for configuration and cleanup
> of the SCs and SAs.
>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
>  devtools/libabigail.abignore       |  7 +++++++
>  lib/security/rte_security.c        | 16 ++++++++++------
>  lib/security/rte_security.h        | 14 ++++++++++----
>  lib/security/rte_security_driver.h | 12 ++++++++++--
>  4 files changed, 37 insertions(+), 12 deletions(-)
>

Looking at the report with no supression rule:
$ abidiff --suppr .../next-cryptodev/devtools/libabigail.abignore
--no-added-syms --headers-dir1
.../abi/v23.03/build-gcc-shared/usr/local/include --headers-dir2
.../next-cryptodev/build-gcc-shared/install/usr/local/include
.../abi/v23.03/build-gcc-shared/usr/local/lib64/librte_security.so.23.1
.../next-cryptodev/build-gcc-shared/install/usr/local/lib64/librte_security.so.23.2
Functions changes summary: 0 Removed, 1 Changed (13 filtered out), 0
Added functions
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable

1 function with some indirect sub-type change:

  [C] 'function const rte_security_capability*
rte_security_capabilities_get(rte_security_ctx*)' at
rte_security.c:241:1 has some indirect sub-type changes:
    parameter 1 of type 'rte_security_ctx*' has sub-type changes:
      in pointed to type 'struct rte_security_ctx' at rte_security.h:69:1:
        type size hasn't changed
        1 data member change:
          type of 'const rte_security_ops* ops' changed:
            in pointed to type 'const rte_security_ops':
              in unqualified underlying type 'struct rte_security_ops'
at rte_security_driver.h:230:1:
                type size hasn't changed
                4 data member changes (4 filtered):
                  type of 'security_macsec_sc_create_t
macsec_sc_create' changed:
                    underlying type 'int (void*,
rte_security_macsec_sc*)*' changed:
                      in pointed to type 'function type int (void*,
rte_security_macsec_sc*)':
                        parameter 2 of type 'rte_security_macsec_sc*'
has sub-type changes:
                          in pointed to type 'struct
rte_security_macsec_sc' at rte_security.h:399:1:
                            type size changed from 256 to 320 (in bits)
                            1 data member insertion:
                              'union {struct {uint16_t sa_id[4];
uint8_t sa_in_use[4]; uint8_t active; uint8_t is_xpn; uint8_t
reserved;} sc_rx; struct {uint16_t sa_id; uint16_t sa_id_rekey;
uint64_t sci; uint8_t active; uint8_t re_key_en; uint8_t is_xpn;
uint8_t reserved;} sc_tx;}', at offset 128 (in bits)
                            1 data member change:
                              anonymous data member union {struct
{uint16_t sa_id[4]; uint8_t sa_in_use[4]; uint8_t active; uint8_t
reserved;} sc_rx; struct {uint16_t sa_id; uint16_t sa_id_rekey;
uint64_t sci; uint8_t active; uint8_t re_key_en; uint8_t reserved;}
sc_tx;} at offset 64 (in bits) became data member 'uint64_t
pn_threshold'
                              and size changed from 192 to 64 (in
bits) (by -128 bits)
                  type of 'security_macsec_sc_destroy_t
macsec_sc_destroy' changed:
                    underlying type 'int (void*, typedef uint16_t)*' changed:
                      in pointed to type 'function type int (void*,
typedef uint16_t)':
                        parameter 3 of type 'enum
rte_security_macsec_direction' was added
                  type of 'security_macsec_sc_stats_get_t
macsec_sc_stats_get' changed:
                    underlying type 'int (void*, typedef uint16_t,
rte_security_macsec_sc_stats*)*' changed:
                      in pointed to type 'function type int (void*,
typedef uint16_t, rte_security_macsec_sc_stats*)':
                        parameter 3 of type
'rte_security_macsec_sc_stats*' changed:
                          entity changed from
'rte_security_macsec_sc_stats*' to 'enum
rte_security_macsec_direction' at rte_security.h:361:1
                          type size changed from 64 to 32 (in bits)
                          type alignment changed from 0 to 32
                        parameter 4 of type
'rte_security_macsec_sc_stats*' was added
                  type of 'security_macsec_sa_stats_get_t
macsec_sa_stats_get' changed:
                    underlying type 'int (void*, typedef uint16_t,
rte_security_macsec_sa_stats*)*' changed:
                      in pointed to type 'function type int (void*,
typedef uint16_t, rte_security_macsec_sa_stats*)':
                        parameter 3 of type
'rte_security_macsec_sa_stats*' changed:
                          entity changed from
'rte_security_macsec_sa_stats*' to 'enum
rte_security_macsec_direction' at rte_security.h:361:1
                          type size changed from 64 to 32 (in bits)
                          type alignment changed from 0 to 32
                        parameter 4 of type
'rte_security_macsec_sa_stats*' was added

The report complains about the macsec ops type changes.

> diff --git a/devtools/libabigail.abignore b/devtools/libabigail.abignore
> index c0361bfc7b..14d8fa4293 100644
> --- a/devtools/libabigail.abignore
> +++ b/devtools/libabigail.abignore
> @@ -37,6 +37,13 @@
>  [suppress_type]
>          type_kind = enum
>          changed_enumerators = RTE_CRYPTO_ASYM_XFORM_ECPM, RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
> +; Ignore changes to rte_security_ops MACsec APIs which are experimental
> +[suppress_type]
> +        name = rte_security_ops
> +        has_data_member_inserted_between =
> +        {
> +                offset_of(security_macsec_sc_create_t), offset_of(security_macsec_sa_stats_get_t)
> +        }

So I don't get the intent with this rule.
There is no field named neither security_macsec_sc_create_t nor
security_macsec_sa_stats_get_t in the rte_security_ops struct.

Now.. why is this rule making the check pass... it is a mystery to me.
I already hit a case when libabigail ignored statements that are
invalid or make no sense, so my guess is that this rule is actually
applied as a simple:
[suppress_type]
        name = rte_security_ops

And well, this rule is ok from my pov: this rte_security_ops struct
does not change in size.
An application is not supposed to know about its content (that is
defined in a driver header) and all accesses to those ops are supposed
to be through symbols from the security library.
So I would go with this "larger" and simpler rule.


Just a small addition to this, as discussed offlist, this is going to
be reworked in v23.11 and this rule on rte_security_ops will be
unneccesary, so please move it in the relevant block (at the end) of
the libabigail.abignore file.


-- 
David Marchand

[PATCH v3 00/13] Add MACsec unit test cases

[Akhil Goyal]

Inline MACsec offload was supported in DPDK 22.11
using rte_security APIs.
This patchset adds few minor changes in the rte_security APIs
to specify the direction of SA/SC and update the SC configuration
to set packet number threshold.

The patchset also add functional test cases in dpdk-test app
to verify MACsec functionality.

This patchset is pending from last release [1] due to lack of
hardware to test. Now the test cases are verified on Marvell cnxk PMD
and the pmd support is added as a separate patchset.

[1] https://patches.dpdk.org/project/dpdk/cover/20220928124516.93050-1-gakhil@marvell.com/

Changes in v3:
- updated libabigail.abignore exception as suggested by David.

Changes in v2:
- Added abignore for experimental APIs
- Fixed build


Akhil Goyal (10):
  security: add direction in SA/SC configuration
  security: add MACsec packet number threshold
  test/security: add inline MACsec cases
  test/security: add MACsec integrity cases
  test/security: verify multi flow MACsec
  test/security: add MACsec VLAN cases
  test/security: add MACsec negative cases
  test/security: verify MACsec stats
  test/security: verify MACsec Tx HW rekey
  test/security: remove no MACsec support case

Ankur Dwivedi (3):
  test/security: verify MACsec interrupts
  test/security: verify MACsec Rx rekey
  test/security: verify MACsec anti replay

 app/test/meson.build                          |    1 +
 app/test/test_security.c                      |   37 -
 app/test/test_security_inline_macsec.c        | 2332 ++++++++++
 .../test_security_inline_macsec_vectors.h     | 3895 +++++++++++++++++
 devtools/libabigail.abignore                  |    4 +
 lib/security/rte_security.c                   |   16 +-
 lib/security/rte_security.h                   |   24 +-
 lib/security/rte_security_driver.h            |   12 +-
 8 files changed, 6270 insertions(+), 51 deletions(-)
 create mode 100644 app/test/test_security_inline_macsec.c
 create mode 100644 app/test/test_security_inline_macsec_vectors.h

-- 
2.25.1

[PATCH v3 01/13] security: add direction in SA/SC configuration

[Akhil Goyal]

MACsec SC/SA ids are created based on direction of the flow.
Hence, added the missing field for configuration and cleanup
of the SCs and SAs.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 devtools/libabigail.abignore       |  4 ++++
 lib/security/rte_security.c        | 16 ++++++++++------
 lib/security/rte_security.h        | 14 ++++++++++----
 lib/security/rte_security_driver.h | 12 ++++++++++--
 4 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/devtools/libabigail.abignore b/devtools/libabigail.abignore
index c0361bfc7b..03bfbce259 100644
--- a/devtools/libabigail.abignore
+++ b/devtools/libabigail.abignore
@@ -41,3 +41,7 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ; Temporary exceptions till next major ABI version ;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Ignore changes to rte_security_ops which are internal to PMD.
+[suppress_type]
+        name = rte_security_ops
diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c
index e102c55e55..c4d64bb8e9 100644
--- a/lib/security/rte_security.c
+++ b/lib/security/rte_security.c
@@ -164,13 +164,14 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
 }
 
 int
-rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id)
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir)
 {
 	int ret;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP);
 
-	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id);
+	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id, dir);
 	if (ret != 0)
 		return ret;
 
@@ -181,13 +182,14 @@ rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id
 }
 
 int
-rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id)
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir)
 {
 	int ret;
 
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP);
 
-	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id);
+	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id, dir);
 	if (ret != 0)
 		return ret;
 
@@ -199,22 +201,24 @@ rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id
 
 int
 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id,
+				 enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sc_stats *stats)
 {
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP);
 	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
 
-	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats);
+	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, dir, stats);
 }
 
 int
 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sa_stats *stats)
 {
 	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP);
 	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
 
-	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats);
+	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, dir, stats);
 }
 
 int
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 4bacf9fcd9..c7a523b6d6 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -761,6 +761,7 @@ rte_security_macsec_sc_create(struct rte_security_ctx *instance,
  *
  * @param   instance	security instance
  * @param   sc_id	SC ID to be destroyed
+ * @param   dir		direction of the SC
  * @return
  *  - 0 if successful.
  *  - -EINVAL if sc_id is invalid or instance is NULL.
@@ -768,7 +769,8 @@ rte_security_macsec_sc_create(struct rte_security_ctx *instance,
  */
 __rte_experimental
 int
-rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir);
 
 /**
  * @warning
@@ -798,6 +800,7 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
  *
  * @param   instance	security instance
  * @param   sa_id	SA ID to be destroyed
+ * @param   dir		direction of the SA
  * @return
  *  - 0 if successful.
  *  - -EINVAL if sa_id is invalid or instance is NULL.
@@ -805,7 +808,8 @@ rte_security_macsec_sa_create(struct rte_security_ctx *instance,
  */
 __rte_experimental
 int
-rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir);
 
 /** Device-specific metadata field type */
 typedef uint64_t rte_security_dynfield_t;
@@ -1077,6 +1081,7 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
  *
  * @param	instance	security instance
  * @param	sa_id		SA ID for which stats are needed
+ * @param	dir		direction of the SA
  * @param	stats		statistics
  * @return
  *  - On success, return 0.
@@ -1085,7 +1090,7 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,
 __rte_experimental
 int
 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
-				 uint16_t sa_id,
+				 uint16_t sa_id, enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sa_stats *stats);
 
 /**
@@ -1096,6 +1101,7 @@ rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
  *
  * @param	instance	security instance
  * @param	sc_id		SC ID for which stats are needed
+ * @param	dir		direction of the SC
  * @param	stats		SC statistics
  * @return
  *  - On success, return 0.
@@ -1104,7 +1110,7 @@ rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
 __rte_experimental
 int
 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,
-				 uint16_t sc_id,
+				 uint16_t sc_id, enum rte_security_macsec_direction dir,
 				 struct rte_security_macsec_sc_stats *stats);
 
 /**
diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h
index 421e6f7780..677c7d1f91 100644
--- a/lib/security/rte_security_driver.h
+++ b/lib/security/rte_security_driver.h
@@ -106,8 +106,10 @@ typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_mac
  *
  * @param	device		Crypto/eth device pointer
  * @param	sc_id		MACsec SC ID
+ * @param	dir		Direction of SC
  */
-typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id);
+typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id,
+		enum rte_security_macsec_direction dir);
 
 /**
  * Configure a MACsec security Association (SA) on a device.
@@ -128,8 +130,10 @@ typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_mac
  *
  * @param	device		Crypto/eth device pointer
  * @param	sa_id		MACsec SA ID
+ * @param	dir		Direction of SA
  */
-typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id);
+typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id,
+		enum rte_security_macsec_direction dir);
 
 /**
  * Get the size of a security session
@@ -162,6 +166,7 @@ typedef int (*security_session_stats_get_t)(void *device,
  *
  * @param	device		Crypto/eth device pointer
  * @param	sc_id		secure channel ID created by rte_security_macsec_sc_create()
+ * @param	dir		direction of SC
  * @param	stats		SC stats of the driver
  *
  * @return
@@ -169,6 +174,7 @@ typedef int (*security_session_stats_get_t)(void *device,
  *  - -EINVAL if sc_id or device is invalid.
  */
 typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
+		enum rte_security_macsec_direction dir,
 		struct rte_security_macsec_sc_stats *stats);
 
 /**
@@ -176,6 +182,7 @@ typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
  *
  * @param	device		Crypto/eth device pointer
  * @param	sa_id		secure channel ID created by rte_security_macsec_sc_create()
+ * @param	dir		direction of SA
  * @param	stats		SC stats of the driver
  *
  * @return
@@ -183,6 +190,7 @@ typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
  *  - -EINVAL if sa_id or device is invalid.
  */
 typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,
+		enum rte_security_macsec_direction dir,
 		struct rte_security_macsec_sa_stats *stats);
 
 
-- 
2.25.1

[PATCH v3 02/13] security: add MACsec packet number threshold

[Akhil Goyal]

Added Packet number threshold parameter in MACsec SC
configuration to identify the maximum allowed threshold
for packet number field in the packet.
A field is_xpn is also added to identify if the SAs are
configured for extended packet number or not so that
packet number threshold can be configured accordingly.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 lib/security/rte_security.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index c7a523b6d6..30bac4e25a 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
 struct rte_security_macsec_sc {
 	/** Direction of SC */
 	enum rte_security_macsec_direction dir;
+	/** Packet number threshold */
+	uint64_t pn_threshold;
 	union {
 		struct {
 			/** SAs for each association number */
@@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
 			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
 			/** Channel is active */
 			uint8_t active : 1;
+			/** Extended packet number is enabled for SAs */
+			uint8_t is_xpn : 1;
 			/** Reserved bitfields for future */
-			uint8_t reserved : 7;
+			uint8_t reserved : 6;
 		} sc_rx;
 		struct {
 			uint16_t sa_id; /**< SA ID to be used for encryption */
@@ -416,8 +420,10 @@ struct rte_security_macsec_sc {
 			uint64_t sci; /**< SCI value to be used if send_sci is set */
 			uint8_t active : 1; /**< Channel is active */
 			uint8_t re_key_en : 1; /**< Enable Rekeying */
+			/** Extended packet number is enabled for SAs */
+			uint8_t is_xpn : 1;
 			/** Reserved bitfields for future */
-			uint8_t reserved : 6;
+			uint8_t reserved : 5;
 		} sc_tx;
 	};
 };
-- 
2.25.1

[PATCH v3 03/13] test/security: add inline MACsec cases

[Akhil Goyal]

Updated test app to verify Inline MACsec offload using
rte_security APIs.
A couple of test cases are added to verify encap only
and decap only of some known test vectors from MACsec
specification.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/meson.build                          |    1 +
 app/test/test_security_inline_macsec.c        | 1108 +++++++++++++++++
 .../test_security_inline_macsec_vectors.h     | 1086 ++++++++++++++++
 3 files changed, 2195 insertions(+)
 create mode 100644 app/test/test_security_inline_macsec.c
 create mode 100644 app/test/test_security_inline_macsec_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index b9b5432496..69c1d19f7b 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -128,6 +128,7 @@ test_sources = files(
         'test_rwlock.c',
         'test_sched.c',
         'test_security.c',
+        'test_security_inline_macsec.c',
         'test_security_inline_proto.c',
         'test_seqlock.c',
         'test_service_cores.c',
diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
new file mode 100644
index 0000000000..9ef967597b
--- /dev/null
+++ b/app/test/test_security_inline_macsec.c
@@ -0,0 +1,1108 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+
+#include <stdio.h>
+#include <inttypes.h>
+
+#include <rte_ethdev.h>
+#include <rte_malloc.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_security_inline_macsec_vectors.h"
+
+#ifdef RTE_EXEC_ENV_WINDOWS
+static int
+test_inline_macsec(void)
+{
+	printf("Inline MACsec not supported on Windows, skipping test\n");
+	return TEST_SKIPPED;
+}
+
+#else
+
+#define NB_ETHPORTS_USED		1
+#define MEMPOOL_CACHE_SIZE		32
+#define RTE_TEST_RX_DESC_DEFAULT	1024
+#define RTE_TEST_TX_DESC_DEFAULT	1024
+#define RTE_PORT_ALL		(~(uint16_t)0x0)
+
+#define RX_PTHRESH 8 /**< Default values of RX prefetch threshold reg. */
+#define RX_HTHRESH 8 /**< Default values of RX host threshold reg. */
+#define RX_WTHRESH 0 /**< Default values of RX write-back threshold reg. */
+
+#define TX_PTHRESH 32 /**< Default values of TX prefetch threshold reg. */
+#define TX_HTHRESH 0  /**< Default values of TX host threshold reg. */
+#define TX_WTHRESH 0  /**< Default values of TX write-back threshold reg. */
+
+#define MAX_TRAFFIC_BURST		2048
+#define NB_MBUF				10240
+
+#define MCS_INVALID_SA			0xFFFF
+#define MCS_DEFAULT_PN_THRESHOLD	0xFFFFF
+
+static struct rte_mempool *mbufpool;
+static struct rte_mempool *sess_pool;
+/* ethernet addresses of ports */
+static struct rte_ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];
+
+struct mcs_test_opts {
+	int val_frames;
+	int nb_td;
+	uint16_t mtu;
+	uint8_t sa_in_use;
+	bool encrypt;
+	bool protect_frames;
+	uint8_t sectag_insert_mode;
+	uint8_t nb_vlan;
+	uint32_t replay_win_sz;
+	uint8_t replay_protect;
+	uint8_t rekey_en;
+	const struct mcs_test_vector *rekey_td;
+	bool dump_all_stats;
+	uint8_t check_untagged_rx;
+	uint8_t check_bad_tag_cnt;
+	uint8_t check_sa_not_in_use;
+	uint8_t check_decap_stats;
+	uint8_t check_verify_only_stats;
+	uint8_t check_pkts_invalid_stats;
+	uint8_t check_pkts_unchecked_stats;
+	uint8_t check_out_pkts_untagged;
+	uint8_t check_out_pkts_toolong;
+	uint8_t check_encap_stats;
+	uint8_t check_auth_only_stats;
+	uint8_t check_sectag_interrupts;
+};
+
+static struct rte_eth_conf port_conf = {
+	.rxmode = {
+		.mq_mode = RTE_ETH_MQ_RX_NONE,
+		.offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM |
+			    RTE_ETH_RX_OFFLOAD_MACSEC_STRIP,
+	},
+	.txmode = {
+		.mq_mode = RTE_ETH_MQ_TX_NONE,
+		.offloads = RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE |
+			    RTE_ETH_TX_OFFLOAD_MACSEC_INSERT,
+	},
+	.lpbk_mode = 1,  /* enable loopback */
+};
+
+static struct rte_eth_rxconf rx_conf = {
+	.rx_thresh = {
+		.pthresh = RX_PTHRESH,
+		.hthresh = RX_HTHRESH,
+		.wthresh = RX_WTHRESH,
+	},
+	.rx_free_thresh = 32,
+};
+
+static struct rte_eth_txconf tx_conf = {
+	.tx_thresh = {
+		.pthresh = TX_PTHRESH,
+		.hthresh = TX_HTHRESH,
+		.wthresh = TX_WTHRESH,
+	},
+	.tx_free_thresh = 32, /* Use PMD default values */
+	.tx_rs_thresh = 32, /* Use PMD default values */
+};
+
+static uint16_t port_id;
+
+static uint64_t link_mbps;
+
+static struct rte_flow *default_tx_flow[RTE_MAX_ETHPORTS];
+static struct rte_flow *default_rx_flow[RTE_MAX_ETHPORTS];
+
+static struct rte_mbuf **tx_pkts_burst;
+static struct rte_mbuf **rx_pkts_burst;
+
+static inline struct rte_mbuf *
+init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
+{
+	struct rte_mbuf *pkt;
+
+	pkt = rte_pktmbuf_alloc(mp);
+	if (pkt == NULL)
+		return NULL;
+
+	rte_memcpy(rte_pktmbuf_append(pkt, len), data, len);
+
+	return pkt;
+}
+
+static int
+init_mempools(unsigned int nb_mbuf)
+{
+	struct rte_security_ctx *sec_ctx;
+	uint16_t nb_sess = 512;
+	uint32_t sess_sz;
+	char s[64];
+
+	if (mbufpool == NULL) {
+		snprintf(s, sizeof(s), "mbuf_pool");
+		mbufpool = rte_pktmbuf_pool_create(s, nb_mbuf,
+				MEMPOOL_CACHE_SIZE, 0,
+				RTE_MBUF_DEFAULT_BUF_SIZE, SOCKET_ID_ANY);
+		if (mbufpool == NULL) {
+			printf("Cannot init mbuf pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated mbuf pool\n");
+	}
+
+	sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
+	if (sec_ctx == NULL) {
+		printf("Device does not support Security ctx\n");
+		return TEST_SKIPPED;
+	}
+	sess_sz = rte_security_session_get_size(sec_ctx);
+	if (sess_pool == NULL) {
+		snprintf(s, sizeof(s), "sess_pool");
+		sess_pool = rte_mempool_create(s, nb_sess, sess_sz,
+				MEMPOOL_CACHE_SIZE, 0,
+				NULL, NULL, NULL, NULL,
+				SOCKET_ID_ANY, 0);
+		if (sess_pool == NULL) {
+			printf("Cannot init sess pool\n");
+			return TEST_FAILED;
+		}
+		printf("Allocated sess pool\n");
+	}
+
+	return 0;
+}
+
+static void
+fill_macsec_sa_conf(const struct mcs_test_vector *td, struct rte_security_macsec_sa *sa,
+			enum rte_security_macsec_direction dir, uint8_t an, uint8_t tci_off)
+{
+	sa->dir = dir;
+
+	sa->key.data = td->sa_key.data;
+	sa->key.length = td->sa_key.len;
+
+	memcpy((uint8_t *)sa->salt, (const uint8_t *)td->salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	/* AN is set as per the value in secure packet in test vector */
+	sa->an = an & RTE_MACSEC_AN_MASK;
+
+	sa->ssci = td->ssci;
+	sa->xpn = td->xpn;
+	/* Starting packet number which is expected to come next.
+	 * It is take from the test vector so that we can match the out packet.
+	 */
+	sa->next_pn = *(const uint32_t *)(&td->secure_pkt.data[tci_off + 2]);
+}
+
+static void
+fill_macsec_sc_conf(const struct mcs_test_vector *td,
+		    struct rte_security_macsec_sc *sc_conf,
+		    const struct mcs_test_opts *opts,
+		    enum rte_security_macsec_direction dir,
+		    uint16_t sa_id[], uint8_t tci_off)
+{
+	uint8_t i;
+
+	sc_conf->dir = dir;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sc_conf->sc_tx.sa_id = sa_id[0];
+		if (sa_id[1] != MCS_INVALID_SA) {
+			sc_conf->sc_tx.sa_id_rekey = sa_id[1];
+			sc_conf->sc_tx.re_key_en = 1;
+		}
+		sc_conf->sc_tx.active = 1;
+		/* is SCI valid */
+		if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) {
+			memcpy(&sc_conf->sc_tx.sci, &td->secure_pkt.data[tci_off + 6],
+					sizeof(sc_conf->sc_tx.sci));
+			sc_conf->sc_tx.sci = rte_be_to_cpu_64(sc_conf->sc_tx.sci);
+		} else if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) {
+			/* sci = source_mac + port_id when ES.bit = 1 & SC.bit = 0 */
+			const uint8_t *smac = td->plain_pkt.data + RTE_ETHER_ADDR_LEN;
+			uint8_t *ptr = (uint8_t *)&sc_conf->sc_tx.sci;
+
+			ptr[0] = 0x01;
+			ptr[1] = 0;
+			for (i = 0; i < RTE_ETHER_ADDR_LEN; i++)
+				ptr[2 + i] = smac[RTE_ETHER_ADDR_LEN - 1 - i];
+		} else {
+			/* use some default SCI */
+			sc_conf->sc_tx.sci = 0xf1341e023a2b1c5d;
+		}
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			sc_conf->sc_rx.sa_id[i] = sa_id[i];
+			sc_conf->sc_rx.sa_in_use[i] = opts->sa_in_use;
+		}
+		sc_conf->sc_rx.active = 1;
+	}
+}
+
+
+/* Create Inline MACsec session */
+static int
+fill_session_conf(const struct mcs_test_vector *td, uint16_t portid __rte_unused,
+		const struct mcs_test_opts *opts,
+		struct rte_security_session_conf *sess_conf,
+		enum rte_security_macsec_direction dir,
+		uint16_t sc_id,
+		uint8_t tci_off)
+{
+	sess_conf->action_type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL;
+	sess_conf->protocol = RTE_SECURITY_PROTOCOL_MACSEC;
+	sess_conf->macsec.dir = dir;
+	sess_conf->macsec.alg = td->alg;
+	sess_conf->macsec.cipher_off = 0;
+	if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) {
+		sess_conf->macsec.sci = rte_be_to_cpu_64(*(const uint64_t *)
+					(&td->secure_pkt.data[tci_off + 6]));
+	} else if (td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) {
+		/* sci = source_mac + port_id when ES.bit = 1 & SC.bit = 0 */
+		const uint8_t *smac = td->plain_pkt.data + RTE_ETHER_ADDR_LEN;
+		uint8_t *ptr = (uint8_t *)&sess_conf->macsec.sci;
+		uint8_t j;
+
+		ptr[0] = 0x01;
+		ptr[1] = 0;
+		for (j = 0; j < RTE_ETHER_ADDR_LEN; j++)
+			ptr[2 + j] = smac[RTE_ETHER_ADDR_LEN - 1 - j];
+	}
+	sess_conf->macsec.sc_id = sc_id;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sess_conf->macsec.tx_secy.mtu = opts->mtu;
+		sess_conf->macsec.tx_secy.sectag_off = (opts->sectag_insert_mode == 1) ?
+							2 * RTE_ETHER_ADDR_LEN :
+							RTE_VLAN_HLEN;
+		sess_conf->macsec.tx_secy.sectag_insert_mode = opts->sectag_insert_mode;
+		sess_conf->macsec.tx_secy.ctrl_port_enable = 1;
+		sess_conf->macsec.tx_secy.sectag_version = 0;
+		sess_conf->macsec.tx_secy.end_station =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_ES) >> 6;
+		sess_conf->macsec.tx_secy.send_sci =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SC) >> 5;
+		sess_conf->macsec.tx_secy.scb =
+					(td->secure_pkt.data[tci_off] & RTE_MACSEC_TCI_SCB) >> 4;
+		sess_conf->macsec.tx_secy.encrypt = opts->encrypt;
+		sess_conf->macsec.tx_secy.protect_frames = opts->protect_frames;
+		sess_conf->macsec.tx_secy.icv_include_da_sa = 1;
+	} else {
+		sess_conf->macsec.rx_secy.replay_win_sz = opts->replay_win_sz;
+		sess_conf->macsec.rx_secy.replay_protect = opts->replay_protect;
+		sess_conf->macsec.rx_secy.icv_include_da_sa = 1;
+		sess_conf->macsec.rx_secy.ctrl_port_enable = 1;
+		sess_conf->macsec.rx_secy.preserve_sectag = 0;
+		sess_conf->macsec.rx_secy.preserve_icv = 0;
+		sess_conf->macsec.rx_secy.validate_frames = opts->val_frames;
+	}
+
+	return 0;
+}
+
+static int
+create_default_flow(const struct mcs_test_vector *td, uint16_t portid,
+		    enum rte_security_macsec_direction dir, void *sess)
+{
+	struct rte_flow_action action[2];
+	struct rte_flow_item pattern[2];
+	struct rte_flow_attr attr = {0};
+	struct rte_flow_error err;
+	struct rte_flow *flow;
+	struct rte_flow_item_eth eth = { .hdr.ether_type = 0, };
+	static const struct rte_flow_item_eth eth_mask = {
+		.hdr.dst_addr.addr_bytes = "\x00\x00\x00\x00\x00\x00",
+		.hdr.src_addr.addr_bytes = "\x00\x00\x00\x00\x00\x00",
+		.hdr.ether_type = RTE_BE16(0x0000),
+	};
+
+	int ret;
+
+	eth.has_vlan = 0;
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX)
+		memcpy(&eth.hdr, td->plain_pkt.data, RTE_ETHER_HDR_LEN);
+	else
+		memcpy(&eth.hdr, td->secure_pkt.data, RTE_ETHER_HDR_LEN);
+
+	pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
+	pattern[0].spec = &eth;
+	pattern[0].mask = &eth_mask;
+	pattern[0].last = NULL;
+	pattern[1].type = RTE_FLOW_ITEM_TYPE_END;
+
+	action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
+	action[0].conf = sess;
+	action[1].type = RTE_FLOW_ACTION_TYPE_END;
+	action[1].conf = NULL;
+
+	attr.ingress = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? 1 : 0;
+	attr.egress = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? 1 : 0;
+
+	ret = rte_flow_validate(portid, &attr, pattern, action, &err);
+	if (ret) {
+		printf("\nValidate flow failed, ret = %d\n", ret);
+		return -1;
+	}
+	flow = rte_flow_create(portid, &attr, pattern, action, &err);
+	if (flow == NULL) {
+		printf("\nDefault flow rule create failed\n");
+		return -1;
+	}
+
+	if (dir == RTE_SECURITY_MACSEC_DIR_TX)
+		default_tx_flow[portid] = flow;
+	else
+		default_rx_flow[portid] = flow;
+
+	return 0;
+}
+
+static void
+destroy_default_flow(uint16_t portid)
+{
+	struct rte_flow_error err;
+	int ret;
+
+	if (default_tx_flow[portid]) {
+		ret = rte_flow_destroy(portid, default_tx_flow[portid], &err);
+		if (ret) {
+			printf("\nDefault Tx flow rule destroy failed\n");
+			return;
+		}
+		default_tx_flow[portid] = NULL;
+	}
+	if (default_rx_flow[portid]) {
+		ret = rte_flow_destroy(portid, default_rx_flow[portid], &err);
+		if (ret) {
+			printf("\nDefault Rx flow rule destroy failed\n");
+			return;
+		}
+		default_rx_flow[portid] = NULL;
+	}
+}
+
+static void
+print_ethaddr(const char *name, const struct rte_ether_addr *eth_addr)
+{
+	char buf[RTE_ETHER_ADDR_FMT_SIZE];
+	rte_ether_format_addr(buf, RTE_ETHER_ADDR_FMT_SIZE, eth_addr);
+	printf("%s%s", name, buf);
+}
+
+/* Check the link status of all ports in up to 3s, and print them finally */
+static void
+check_all_ports_link_status(uint16_t port_num, uint32_t port_mask)
+{
+#define CHECK_INTERVAL 100 /* 100ms */
+#define MAX_CHECK_TIME 30 /* 3s (30 * 100ms) in total */
+	uint16_t portid;
+	uint8_t count, all_ports_up, print_flag = 0;
+	struct rte_eth_link link;
+	int ret;
+	char link_status[RTE_ETH_LINK_MAX_STR_LEN];
+
+	printf("Checking link statuses...\n");
+	fflush(stdout);
+	for (count = 0; count <= MAX_CHECK_TIME; count++) {
+		all_ports_up = 1;
+		for (portid = 0; portid < port_num; portid++) {
+			if ((port_mask & (1 << portid)) == 0)
+				continue;
+			memset(&link, 0, sizeof(link));
+			ret = rte_eth_link_get_nowait(portid, &link);
+			if (ret < 0) {
+				all_ports_up = 0;
+				if (print_flag == 1)
+					printf("Port %u link get failed: %s\n",
+						portid, rte_strerror(-ret));
+				continue;
+			}
+
+			/* print link status if flag set */
+			if (print_flag == 1) {
+				if (link.link_status && link_mbps == 0)
+					link_mbps = link.link_speed;
+
+				rte_eth_link_to_str(link_status,
+					sizeof(link_status), &link);
+				printf("Port %d %s\n", portid, link_status);
+				continue;
+			}
+			/* clear all_ports_up flag if any link down */
+			if (link.link_status == RTE_ETH_LINK_DOWN) {
+				all_ports_up = 0;
+				break;
+			}
+		}
+		/* after finally printing all link status, get out */
+		if (print_flag == 1)
+			break;
+
+		if (all_ports_up == 0)
+			fflush(stdout);
+
+		/* set the print_flag if all ports up or timeout */
+		if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1))
+			print_flag = 1;
+	}
+}
+
+static int
+test_macsec_post_process(struct rte_mbuf *m, const struct mcs_test_vector *td,
+			enum mcs_op op, uint8_t check_out_pkts_untagged)
+{
+	const uint8_t *dptr;
+	uint16_t pkt_len;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY ||
+			check_out_pkts_untagged == 1) {
+		dptr = td->plain_pkt.data;
+		pkt_len = td->plain_pkt.len;
+	} else {
+		dptr = td->secure_pkt.data;
+		pkt_len = td->secure_pkt.len;
+	}
+
+	if (memcmp(rte_pktmbuf_mtod(m, uint8_t *), dptr, pkt_len)) {
+		printf("\nData comparison failed for td.");
+		rte_pktmbuf_dump(stdout, m, m->pkt_len);
+		rte_hexdump(stdout, "expected_data", dptr, pkt_len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+static void
+mcs_stats_dump(struct rte_security_ctx *ctx, enum mcs_op op,
+	       void *rx_sess, void *tx_sess,
+	       uint8_t rx_sc_id, uint8_t tx_sc_id,
+	       uint16_t rx_sa_id[], uint16_t tx_sa_id[])
+{
+	struct rte_security_stats sess_stats = {0};
+	struct rte_security_macsec_secy_stats *secy_stat;
+	struct rte_security_macsec_sc_stats sc_stat = {0};
+	struct rte_security_macsec_sa_stats sa_stat = {0};
+	int i;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+		printf("\n********* RX SECY STATS ************\n");
+		rte_security_session_stats_get(ctx, rx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if (secy_stat->ctl_pkt_bcast_cnt)
+			printf("RX: ctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_bcast_cnt);
+		if (secy_stat->ctl_pkt_mcast_cnt)
+			printf("RX: ctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_mcast_cnt);
+		if (secy_stat->ctl_pkt_ucast_cnt)
+			printf("RX: ctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_ucast_cnt);
+		if (secy_stat->ctl_octet_cnt)
+			printf("RX: ctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->ctl_octet_cnt);
+		if (secy_stat->unctl_pkt_bcast_cnt)
+			printf("RX: unctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_bcast_cnt);
+		if (secy_stat->unctl_pkt_mcast_cnt)
+			printf("RX: unctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_mcast_cnt);
+		if (secy_stat->unctl_pkt_ucast_cnt)
+			printf("RX: unctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_ucast_cnt);
+		if (secy_stat->unctl_octet_cnt)
+			printf("RX: unctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->unctl_octet_cnt);
+		/* Valid only for RX */
+		if (secy_stat->octet_decrypted_cnt)
+			printf("RX: octet_decrypted_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_decrypted_cnt);
+		if (secy_stat->octet_validated_cnt)
+			printf("RX: octet_validated_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_validated_cnt);
+		if (secy_stat->pkt_port_disabled_cnt)
+			printf("RX: pkt_port_disabled_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_port_disabled_cnt);
+		if (secy_stat->pkt_badtag_cnt)
+			printf("RX: pkt_badtag_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_badtag_cnt);
+		if (secy_stat->pkt_nosa_cnt)
+			printf("RX: pkt_nosa_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_nosa_cnt);
+		if (secy_stat->pkt_nosaerror_cnt)
+			printf("RX: pkt_nosaerror_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_nosaerror_cnt);
+		if (secy_stat->pkt_tagged_ctl_cnt)
+			printf("RX: pkt_tagged_ctl_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_tagged_ctl_cnt);
+		if (secy_stat->pkt_untaged_cnt)
+			printf("RX: pkt_untaged_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_untaged_cnt);
+		if (secy_stat->pkt_ctl_cnt)
+			printf("RX: pkt_ctl_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_ctl_cnt);
+		if (secy_stat->pkt_notag_cnt)
+			printf("RX: pkt_notag_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_notag_cnt);
+		printf("\n");
+		printf("\n********** RX SC[%u] STATS **************\n", rx_sc_id);
+
+		rte_security_macsec_sc_stats_get(ctx, rx_sc_id, RTE_SECURITY_MACSEC_DIR_RX,
+						 &sc_stat);
+		/* RX */
+		if (sc_stat.hit_cnt)
+			printf("RX hit_cnt: 0x%" PRIx64 "\n", sc_stat.hit_cnt);
+		if (sc_stat.pkt_invalid_cnt)
+			printf("RX pkt_invalid_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_invalid_cnt);
+		if (sc_stat.pkt_late_cnt)
+			printf("RX pkt_late_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_late_cnt);
+		if (sc_stat.pkt_notvalid_cnt)
+			printf("RX pkt_notvalid_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_notvalid_cnt);
+		if (sc_stat.pkt_unchecked_cnt)
+			printf("RX pkt_unchecked_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_unchecked_cnt);
+		if (sc_stat.pkt_delay_cnt)
+			printf("RX pkt_delay_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_delay_cnt);
+		if (sc_stat.pkt_ok_cnt)
+			printf("RX pkt_ok_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_ok_cnt);
+		if (sc_stat.octet_decrypt_cnt)
+			printf("RX octet_decrypt_cnt: 0x%" PRIx64 "\n", sc_stat.octet_decrypt_cnt);
+		if (sc_stat.octet_validate_cnt)
+			printf("RX octet_validate_cnt: 0x%" PRIx64 "\n",
+					sc_stat.octet_validate_cnt);
+		printf("\n");
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			printf("\n********** RX SA[%u] STATS ****************\n", rx_sa_id[i]);
+			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
+					RTE_SECURITY_MACSEC_DIR_RX, &sa_stat);
+
+			/* RX */
+			if (sa_stat.pkt_invalid_cnt)
+				printf("RX pkt_invalid_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_invalid_cnt);
+			if (sa_stat.pkt_nosaerror_cnt)
+				printf("RX pkt_nosaerror_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_nosaerror_cnt);
+			if (sa_stat.pkt_notvalid_cnt)
+				printf("RX pkt_notvalid_cnt: 0x%" PRIx64 "\n",
+						sa_stat.pkt_notvalid_cnt);
+			if (sa_stat.pkt_ok_cnt)
+				printf("RX pkt_ok_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_ok_cnt);
+			if (sa_stat.pkt_nosa_cnt)
+				printf("RX pkt_nosa_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_nosa_cnt);
+			printf("\n");
+		}
+	}
+
+	if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+		memset(&sess_stats, 0, sizeof(struct rte_security_stats));
+		rte_security_session_stats_get(ctx, tx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		printf("\n********* TX SECY STATS ************\n");
+		if (secy_stat->ctl_pkt_bcast_cnt)
+			printf("TX: ctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_bcast_cnt);
+		if (secy_stat->ctl_pkt_mcast_cnt)
+			printf("TX: ctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_mcast_cnt);
+		if (secy_stat->ctl_pkt_ucast_cnt)
+			printf("TX: ctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->ctl_pkt_ucast_cnt);
+		if (secy_stat->ctl_octet_cnt)
+			printf("TX: ctl_octet_cnt: 0x%" PRIx64 "\n", secy_stat->ctl_octet_cnt);
+		if (secy_stat->unctl_pkt_bcast_cnt)
+			printf("TX: unctl_pkt_bcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_bcast_cnt);
+		if (secy_stat->unctl_pkt_mcast_cnt)
+			printf("TX: unctl_pkt_mcast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_mcast_cnt);
+		if (secy_stat->unctl_pkt_ucast_cnt)
+			printf("TX: unctl_pkt_ucast_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_pkt_ucast_cnt);
+		if (secy_stat->unctl_octet_cnt)
+			printf("TX: unctl_octet_cnt: 0x%" PRIx64 "\n",
+					secy_stat->unctl_octet_cnt);
+		/* Valid only for TX */
+		if (secy_stat->octet_encrypted_cnt)
+			printf("TX: octet_encrypted_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_encrypted_cnt);
+		if (secy_stat->octet_protected_cnt)
+			printf("TX: octet_protected_cnt: 0x%" PRIx64 "\n",
+					secy_stat->octet_protected_cnt);
+		if (secy_stat->pkt_noactivesa_cnt)
+			printf("TX: pkt_noactivesa_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_noactivesa_cnt);
+		if (secy_stat->pkt_toolong_cnt)
+			printf("TX: pkt_toolong_cnt: 0x%" PRIx64 "\n", secy_stat->pkt_toolong_cnt);
+		if (secy_stat->pkt_untagged_cnt)
+			printf("TX: pkt_untagged_cnt: 0x%" PRIx64 "\n",
+					secy_stat->pkt_untagged_cnt);
+
+
+		memset(&sc_stat, 0, sizeof(struct rte_security_macsec_sc_stats));
+		rte_security_macsec_sc_stats_get(ctx, tx_sc_id, RTE_SECURITY_MACSEC_DIR_TX,
+						 &sc_stat);
+		printf("\n********** TX SC[%u] STATS **************\n", tx_sc_id);
+		if (sc_stat.pkt_encrypt_cnt)
+			printf("TX pkt_encrypt_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_encrypt_cnt);
+		if (sc_stat.pkt_protected_cnt)
+			printf("TX pkt_protected_cnt: 0x%" PRIx64 "\n", sc_stat.pkt_protected_cnt);
+		if (sc_stat.octet_encrypt_cnt)
+			printf("TX octet_encrypt_cnt: 0x%" PRIx64 "\n", sc_stat.octet_encrypt_cnt);
+
+		memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+		rte_security_macsec_sa_stats_get(ctx, tx_sa_id[0],
+				RTE_SECURITY_MACSEC_DIR_TX, &sa_stat);
+		printf("\n********** TX SA[%u] STATS ****************\n", tx_sa_id[0]);
+		if (sa_stat.pkt_encrypt_cnt)
+			printf("TX pkt_encrypt_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_encrypt_cnt);
+		if (sa_stat.pkt_protected_cnt)
+			printf("TX pkt_protected_cnt: 0x%" PRIx64 "\n", sa_stat.pkt_protected_cnt);
+	}
+}
+
+static int
+test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
+{
+	uint16_t rx_sa_id[MCS_MAX_FLOWS][RTE_SECURITY_MACSEC_NUM_AN] = {{0}};
+	uint16_t tx_sa_id[MCS_MAX_FLOWS][2] = {{0}};
+	uint16_t rx_sc_id[MCS_MAX_FLOWS] = {0};
+	uint16_t tx_sc_id[MCS_MAX_FLOWS] = {0};
+	void *rx_sess[MCS_MAX_FLOWS] = {0};
+	void *tx_sess[MCS_MAX_FLOWS] = {0};
+	struct rte_security_session_conf sess_conf = {0};
+	struct rte_security_macsec_sa sa_conf = {0};
+	struct rte_security_macsec_sc sc_conf = {0};
+	struct rte_security_ctx *ctx;
+	int nb_rx = 0, nb_sent;
+	int i, j = 0, ret, id, an = 0;
+	uint8_t tci_off;
+
+	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * opts->nb_td);
+
+	ctx = (struct rte_security_ctx *)rte_eth_dev_get_sec_ctx(port_id);
+	if (ctx == NULL) {
+		printf("Ethernet device doesn't support security features.\n");
+		return TEST_SKIPPED;
+	}
+
+	tci_off = (opts->sectag_insert_mode == 1) ? RTE_ETHER_HDR_LEN :
+			RTE_ETHER_HDR_LEN + (opts->nb_vlan * RTE_VLAN_HLEN);
+
+	for (i = 0, j = 0; i < opts->nb_td; i++) {
+		if (op == MCS_DECAP || op == MCS_VERIFY_ONLY)
+			tx_pkts_burst[j] = init_packet(mbufpool, td[i]->secure_pkt.data,
+							td[i]->secure_pkt.len);
+		else {
+			tx_pkts_burst[j] = init_packet(mbufpool, td[i]->plain_pkt.data,
+							td[i]->plain_pkt.len);
+
+			tx_pkts_burst[j]->ol_flags |= RTE_MBUF_F_TX_MACSEC;
+		}
+		if (tx_pkts_burst[j] == NULL) {
+			while (j--)
+				rte_pktmbuf_free(tx_pkts_burst[j]);
+			ret = TEST_FAILED;
+			goto out;
+		}
+		j++;
+
+		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
+				/* For simplicity, using same SA conf for all AN */
+				fill_macsec_sa_conf(td[i], &sa_conf,
+						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
+				id = rte_security_macsec_sa_create(ctx, &sa_conf);
+				if (id < 0) {
+					printf("MACsec SA create failed : %d.\n", id);
+					return TEST_FAILED;
+				}
+				rx_sa_id[i][an] = (uint16_t)id;
+			}
+			fill_macsec_sc_conf(td[i], &sc_conf, opts,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sa_id[i], tci_off);
+			id = rte_security_macsec_sc_create(ctx, &sc_conf);
+			if (id < 0) {
+				printf("MACsec SC create failed : %d.\n", id);
+				goto out;
+			}
+			rx_sc_id[i] = (uint16_t)id;
+
+			/* Create Inline IPsec session. */
+			ret = fill_session_conf(td[i], port_id, opts, &sess_conf,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sc_id[i], tci_off);
+			if (ret)
+				return TEST_FAILED;
+
+			rx_sess[i] = rte_security_session_create(ctx, &sess_conf,
+					sess_pool);
+			if (rx_sess[i] == NULL) {
+				printf("SEC Session init failed.\n");
+				return TEST_FAILED;
+			}
+			ret = create_default_flow(td[i], port_id,
+					RTE_SECURITY_MACSEC_DIR_RX, rx_sess[i]);
+			if (ret)
+				goto out;
+		}
+		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+			int id;
+
+			fill_macsec_sa_conf(td[i], &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					td[i]->secure_pkt.data[tci_off] & RTE_MACSEC_AN_MASK,
+					tci_off);
+			id = rte_security_macsec_sa_create(ctx, &sa_conf);
+			if (id < 0) {
+				printf("MACsec SA create failed : %d.\n", id);
+				return TEST_FAILED;
+			}
+			tx_sa_id[i][0] = (uint16_t)id;
+			tx_sa_id[i][1] = MCS_INVALID_SA;
+			fill_macsec_sc_conf(td[i], &sc_conf, opts,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sa_id[i], tci_off);
+			id = rte_security_macsec_sc_create(ctx, &sc_conf);
+			if (id < 0) {
+				printf("MACsec SC create failed : %d.\n", id);
+				goto out;
+			}
+			tx_sc_id[i] = (uint16_t)id;
+
+			/* Create Inline IPsec session. */
+			ret = fill_session_conf(td[i], port_id, opts, &sess_conf,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sc_id[i], tci_off);
+			if (ret)
+				return TEST_FAILED;
+
+			tx_sess[i] = rte_security_session_create(ctx, &sess_conf,
+					sess_pool);
+			if (tx_sess[i] == NULL) {
+				printf("SEC Session init failed.\n");
+				return TEST_FAILED;
+			}
+			ret = create_default_flow(td[i], port_id,
+					RTE_SECURITY_MACSEC_DIR_TX, tx_sess[i]);
+			if (ret)
+				goto out;
+		}
+	}
+
+	/* Send packet to ethdev for inline MACsec processing. */
+	nb_sent = rte_eth_tx_burst(port_id, 0, tx_pkts_burst, j);
+
+	if (nb_sent != j) {
+		printf("\nUnable to TX %d packets, sent: %i", j, nb_sent);
+		for ( ; nb_sent < j; nb_sent++)
+			rte_pktmbuf_free(tx_pkts_burst[nb_sent]);
+		ret = TEST_FAILED;
+		goto out;
+	}
+
+	rte_pause();
+
+	/* Receive back packet on loopback interface. */
+	do {
+		nb_rx += rte_eth_rx_burst(port_id, 0,
+				&rx_pkts_burst[nb_rx],
+				nb_sent - nb_rx);
+		if (nb_rx >= nb_sent)
+			break;
+		rte_delay_ms(1);
+	} while (j++ < 5 && nb_rx == 0);
+
+	if (nb_rx != nb_sent) {
+		printf("\nUnable to RX all %d packets, received(%i)",
+				nb_sent, nb_rx);
+		while (--nb_rx >= 0)
+			rte_pktmbuf_free(rx_pkts_burst[nb_rx]);
+		ret = TEST_FAILED;
+		goto out;
+	}
+
+	for (i = 0; i < nb_rx; i++) {
+		ret = test_macsec_post_process(rx_pkts_burst[i], td[i], op,
+				opts->check_out_pkts_untagged);
+		if (ret != TEST_SUCCESS) {
+			for ( ; i < nb_rx; i++)
+				rte_pktmbuf_free(rx_pkts_burst[i]);
+			goto out;
+		}
+
+		rte_pktmbuf_free(rx_pkts_burst[i]);
+		rx_pkts_burst[i] = NULL;
+	}
+out:
+	for (i = 0; i < opts->nb_td; i++) {
+		if (opts->dump_all_stats) {
+			mcs_stats_dump(ctx, op,
+					rx_sess[i], tx_sess[i],
+					rx_sc_id[i], tx_sc_id[i],
+					rx_sa_id[i], tx_sa_id[i]);
+		}
+	}
+
+	destroy_default_flow(port_id);
+
+	/* Destroy session so that other cases can create the session again */
+	for (i = 0; i < opts->nb_td; i++) {
+		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+			rte_security_session_destroy(ctx, tx_sess[i]);
+			tx_sess[i] = NULL;
+			rte_security_macsec_sc_destroy(ctx, tx_sc_id[i],
+						RTE_SECURITY_MACSEC_DIR_TX);
+			rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][0],
+						RTE_SECURITY_MACSEC_DIR_TX);
+		}
+		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+			rte_security_session_destroy(ctx, rx_sess[i]);
+			rx_sess[i] = NULL;
+			rte_security_macsec_sc_destroy(ctx, rx_sc_id[i],
+						RTE_SECURITY_MACSEC_DIR_RX);
+			for (j = 0; j < RTE_SECURITY_MACSEC_NUM_AN; j++) {
+				rte_security_macsec_sa_destroy(ctx, rx_sa_id[i][j],
+						RTE_SECURITY_MACSEC_DIR_RX);
+			}
+		}
+	}
+
+	return ret;
+}
+
+static int
+test_inline_macsec_encap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Encryption case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Encryption case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_decap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Decryption case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Decryption case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+ut_setup_inline_macsec(void)
+{
+	int ret;
+
+	/* Start device */
+	ret = rte_eth_dev_start(port_id);
+	if (ret < 0) {
+		printf("rte_eth_dev_start: err=%d, port=%d\n",
+			ret, port_id);
+		return ret;
+	}
+	/* always enable promiscuous */
+	ret = rte_eth_promiscuous_enable(port_id);
+	if (ret != 0) {
+		printf("rte_eth_promiscuous_enable: err=%s, port=%d\n",
+			rte_strerror(-ret), port_id);
+		return ret;
+	}
+
+	check_all_ports_link_status(1, RTE_PORT_ALL);
+
+	return 0;
+}
+
+static void
+ut_teardown_inline_macsec(void)
+{
+	uint16_t portid;
+	int ret;
+
+	/* port tear down */
+	RTE_ETH_FOREACH_DEV(portid) {
+		ret = rte_eth_dev_stop(portid);
+		if (ret != 0)
+			printf("rte_eth_dev_stop: err=%s, port=%u\n",
+			       rte_strerror(-ret), portid);
+
+	}
+}
+
+static int
+inline_macsec_testsuite_setup(void)
+{
+	uint16_t nb_rxd;
+	uint16_t nb_txd;
+	uint16_t nb_ports;
+	int ret;
+	uint16_t nb_rx_queue = 1, nb_tx_queue = 1;
+
+	printf("Start inline MACsec test.\n");
+
+	nb_ports = rte_eth_dev_count_avail();
+	if (nb_ports < NB_ETHPORTS_USED) {
+		printf("At least %u port(s) used for test\n",
+		       NB_ETHPORTS_USED);
+		return TEST_SKIPPED;
+	}
+
+	ret = init_mempools(NB_MBUF);
+	if (ret)
+		return ret;
+
+	if (tx_pkts_burst == NULL) {
+		tx_pkts_burst = (struct rte_mbuf **)rte_calloc("tx_buff",
+					  MAX_TRAFFIC_BURST,
+					  sizeof(void *),
+					  RTE_CACHE_LINE_SIZE);
+		if (!tx_pkts_burst)
+			return TEST_FAILED;
+
+		rx_pkts_burst = (struct rte_mbuf **)rte_calloc("rx_buff",
+					  MAX_TRAFFIC_BURST,
+					  sizeof(void *),
+					  RTE_CACHE_LINE_SIZE);
+		if (!rx_pkts_burst)
+			return TEST_FAILED;
+	}
+
+	printf("Generate %d packets\n", MAX_TRAFFIC_BURST);
+
+	nb_rxd = RTE_TEST_RX_DESC_DEFAULT;
+	nb_txd = RTE_TEST_TX_DESC_DEFAULT;
+
+	/* configuring port 0 for the test is enough */
+	port_id = 0;
+	/* port configure */
+	ret = rte_eth_dev_configure(port_id, nb_rx_queue,
+				    nb_tx_queue, &port_conf);
+	if (ret < 0) {
+		printf("Cannot configure device: err=%d, port=%d\n",
+			 ret, port_id);
+		return ret;
+	}
+	ret = rte_eth_macaddr_get(port_id, &ports_eth_addr[port_id]);
+	if (ret < 0) {
+		printf("Cannot get mac address: err=%d, port=%d\n",
+			 ret, port_id);
+		return ret;
+	}
+	printf("Port %u ", port_id);
+	print_ethaddr("Address:", &ports_eth_addr[port_id]);
+	printf("\n");
+
+	/* tx queue setup */
+	ret = rte_eth_tx_queue_setup(port_id, 0, nb_txd,
+				     SOCKET_ID_ANY, &tx_conf);
+	if (ret < 0) {
+		printf("rte_eth_tx_queue_setup: err=%d, port=%d\n",
+				ret, port_id);
+		return ret;
+	}
+	/* rx queue steup */
+	ret = rte_eth_rx_queue_setup(port_id, 0, nb_rxd, SOCKET_ID_ANY,
+				     &rx_conf, mbufpool);
+	if (ret < 0) {
+		printf("rte_eth_rx_queue_setup: err=%d, port=%d\n",
+				ret, port_id);
+		return ret;
+	}
+
+	return 0;
+}
+
+static void
+inline_macsec_testsuite_teardown(void)
+{
+	uint16_t portid;
+	int ret;
+
+	/* port tear down */
+	RTE_ETH_FOREACH_DEV(portid) {
+		ret = rte_eth_dev_reset(portid);
+		if (ret != 0)
+			printf("rte_eth_dev_reset: err=%s, port=%u\n",
+			       rte_strerror(-ret), port_id);
+	}
+	rte_free(tx_pkts_burst);
+	rte_free(rx_pkts_burst);
+}
+
+
+static struct unit_test_suite inline_macsec_testsuite  = {
+	.suite_name = "Inline MACsec Ethernet Device Unit Test Suite",
+	.unit_test_cases = {
+		TEST_CASE_NAMED_ST(
+			"MACsec encap(Cipher+Auth) known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec decap(De-cipher+verify) known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_decap_all),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	},
+};
+
+static int
+test_inline_macsec(void)
+{
+	inline_macsec_testsuite.setup = inline_macsec_testsuite_setup;
+	inline_macsec_testsuite.teardown = inline_macsec_testsuite_teardown;
+	return unit_test_suite_runner(&inline_macsec_testsuite);
+}
+
+#endif /* !RTE_EXEC_ENV_WINDOWS */
+
+REGISTER_TEST_COMMAND(inline_macsec_autotest, test_inline_macsec);
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
new file mode 100644
index 0000000000..68bd485419
--- /dev/null
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -0,0 +1,1086 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+#ifndef _TEST_INLINE_MACSEC_VECTORS_H_
+#define _TEST_INLINE_MACSEC_VECTORS_H_
+
+#define MCS_MAX_DATA_SZ				256
+#define MCS_MAX_KEY_LEN				32
+#define MCS_IV_LEN				12
+#define MCS_SALT_LEN				12
+#define MCS_MAX_FLOWS				63
+
+enum mcs_op {
+	MCS_NO_OP,
+	MCS_ENCAP,
+	MCS_DECAP,
+	MCS_ENCAP_DECAP,
+	MCS_AUTH_ONLY,
+	MCS_VERIFY_ONLY,
+	MCS_AUTH_VERIFY,
+};
+
+struct mcs_test_vector {
+	uint32_t test_idx;
+	enum rte_security_macsec_alg alg;
+	uint32_t ssci;
+	uint32_t xpn;
+	uint8_t salt[MCS_SALT_LEN];
+	struct {
+		uint8_t data[MCS_MAX_KEY_LEN];
+		uint16_t len;
+	} sa_key;
+	struct {
+		uint8_t data[MCS_MAX_DATA_SZ];
+		uint16_t len;
+	} plain_pkt;
+	struct {
+		uint8_t data[MCS_MAX_DATA_SZ];
+		uint16_t len;
+	} secure_pkt;
+};
+
+static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
+/* gcm_128_64B_cipher */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* gcm_128_54B_cipher */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x13, 0xB4, 0xC7, 0x2B, 0x38, 0x9D, 0xC5, 0x01,
+			0x8E, 0x72, 0xA1, 0x71, 0xDD, 0x85, 0xA5, 0xD3,
+			0x75, 0x22, 0x74, 0xD3, 0xA0, 0x19, 0xFB, 0xCA,
+			0xED, 0x09, 0xA4, 0x25, 0xCD, 0x9B, 0x2E, 0x1C,
+			0x9B, 0x72, 0xEE, 0xE7, 0xC9, 0xDE, 0x7D, 0x52,
+			0xB3, 0xF3,
+			/* ICV */
+			0xD6, 0xA5, 0x28, 0x4F, 0x4A, 0x6D, 0x3F, 0xE2,
+			0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
+		},
+		.len = 78,
+	},
+},
+/* gcm_256_54B_cipher */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0xC1, 0x62, 0x3F, 0x55, 0x73, 0x0C, 0x93, 0x53,
+			0x30, 0x97, 0xAD, 0xDA, 0xD2, 0x56, 0x64, 0x96,
+			0x61, 0x25, 0x35, 0x2B, 0x43, 0xAD, 0xAC, 0xBD,
+			0x61, 0xC5, 0xEF, 0x3A, 0xC9, 0x0B, 0x5B, 0xEE,
+			0x92, 0x9C, 0xE4, 0x63, 0x0E, 0xA7, 0x9F, 0x6C,
+			0xE5, 0x19,
+			/* ICV */
+			0x12, 0xAF, 0x39, 0xC2, 0xD1, 0xFD, 0xC2, 0x05,
+			0x1F, 0x8B, 0x7B, 0x3C, 0x9D, 0x39, 0x7E, 0xF2,
+		},
+		.len = 78,
+	},
+},
+/* gcm_128_xpn_54B_cipher */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x9C, 0xA4, 0x69, 0x84, 0x43, 0x02, 0x03, 0xED,
+			0x41, 0x6E, 0xBD, 0xC2, 0xFE, 0x26, 0x22, 0xBA,
+			0x3E, 0x5E, 0xAB, 0x69, 0x61, 0xC3, 0x63, 0x83,
+			0x00, 0x9E, 0x18, 0x7E, 0x9B, 0x0C, 0x88, 0x56,
+			0x46, 0x53, 0xB9, 0xAB, 0xD2, 0x16, 0x44, 0x1C,
+			0x6A, 0xB6,
+			/* ICV */
+			0xF0, 0xA2, 0x32, 0xE9, 0xE4, 0x4C, 0x97, 0x8C,
+			0xF7, 0xCD, 0x84, 0xD4, 0x34, 0x84, 0xD1, 0x01,
+		},
+		.len = 78,
+	},
+},
+/* gcm_256_xpn_54B_cipher */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x88, 0xD9, 0xF7, 0xD1, 0xF1, 0x57, 0x8E, 0xE3,
+			0x4B, 0xA7, 0xB1, 0xAB, 0xC8, 0x98, 0x93, 0xEF,
+			0x1D, 0x33, 0x98, 0xC9, 0xF1, 0xDD, 0x3E, 0x47,
+			0xFB, 0xD8, 0x55, 0x3E, 0x0F, 0xF7, 0x86, 0xEF,
+			0x56, 0x99, 0xEB, 0x01, 0xEA, 0x10, 0x42, 0x0D,
+			0x0E, 0xBD,
+			/* ICV */
+			0x39, 0xA0, 0xE2, 0x73, 0xC4, 0xC7, 0xF9, 0x5E,
+			0xD8, 0x43, 0x20, 0x7D, 0x7A, 0x49, 0x7D, 0xFA,
+		},
+		.len = 78,
+	},
+},
+/* gcm_128_60B_cipher */
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x70, 0x1A, 0xFA, 0x1C, 0xC0, 0x39, 0xC0, 0xD7,
+			0x65, 0x12, 0x8A, 0x66, 0x5D, 0xAB, 0x69, 0x24,
+			0x38, 0x99, 0xBF, 0x73, 0x18, 0xCC, 0xDC, 0x81,
+			0xC9, 0x93, 0x1D, 0xA1, 0x7F, 0xBE, 0x8E, 0xDD,
+			0x7D, 0x17, 0xCB, 0x8B, 0x4C, 0x26, 0xFC, 0x81,
+			0xE3, 0x28, 0x4F, 0x2B, 0x7F, 0xBA, 0x71, 0x3D,
+			/* ICV */
+			0x4F, 0x8D, 0x55, 0xE7, 0xD3, 0xF0, 0x6F, 0xD5,
+			0xA1, 0x3C, 0x0C, 0x29, 0xB9, 0xD5, 0xB8, 0x80,
+		},
+		.len = 92,
+	},
+},
+/* gcm_256_60B_cipher */
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0xE2, 0x00, 0x6E, 0xB4, 0x2F, 0x52, 0x77, 0x02,
+			0x2D, 0x9B, 0x19, 0x92, 0x5B, 0xC4, 0x19, 0xD7,
+			0xA5, 0x92, 0x66, 0x6C, 0x92, 0x5F, 0xE2, 0xEF,
+			0x71, 0x8E, 0xB4, 0xE3, 0x08, 0xEF, 0xEA, 0xA7,
+			0xC5, 0x27, 0x3B, 0x39, 0x41, 0x18, 0x86, 0x0A,
+			0x5B, 0xE2, 0xA9, 0x7F, 0x56, 0xAB, 0x78, 0x36,
+			/* ICV */
+			0x5C, 0xA5, 0x97, 0xCD, 0xBB, 0x3E, 0xDB, 0x8D,
+			0x1A, 0x11, 0x51, 0xEA, 0x0A, 0xF7, 0xB4, 0x36,
+		},
+		.len = 92,
+	},
+},
+/* gcm_128_xpn_60B_cipher */
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x07, 0x12, 0xD9, 0x80, 0xCA, 0x50, 0xBB, 0xED,
+			0x35, 0xA0, 0xFA, 0x56, 0x63, 0x38, 0x72, 0x9F,
+			0xFA, 0x16, 0xD1, 0x9F, 0xFC, 0xF0, 0x7B, 0x3A,
+			0x1E, 0x79, 0x19, 0xB3, 0x77, 0x6A, 0xAC, 0xEC,
+			0x8A, 0x59, 0x37, 0x20, 0x8B, 0x48, 0x3A, 0x76,
+			0x91, 0x98, 0x4D, 0x38, 0x07, 0x92, 0xE0, 0x7F,
+			/* ICV */
+			0xC2, 0xC3, 0xC7, 0x9F, 0x26, 0x3F, 0xA6, 0xBF,
+			0xF8, 0xE7, 0x58, 0x1E, 0x2C, 0xE4, 0x5A, 0xF8,
+		},
+		.len = 92,
+	},
+},
+/* gcm_256_xpn_60B_cipher */
+{
+	.test_idx = 8,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x02,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2E,
+			/* SL */
+			0x00,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x3E, 0xB0, 0x4A, 0x4B, 0xBF, 0x54, 0xC6, 0xEB,
+			0x12, 0x22, 0xA9, 0xAE, 0xA0, 0x0C, 0x38, 0x68,
+			0x7F, 0x6C, 0x35, 0x20, 0xD9, 0x76, 0xA3, 0xB6,
+			0x94, 0x80, 0x06, 0x50, 0xCE, 0x65, 0x85, 0xE6,
+			0x20, 0xA4, 0x19, 0x19, 0x17, 0xD2, 0xA6, 0x05,
+			0xD8, 0x70, 0xC7, 0x8D, 0x27, 0x52, 0xCE, 0x49,
+			/* ICV */
+			0x3B, 0x44, 0x2A, 0xC0, 0xC8, 0x16, 0xD7, 0xAB,
+			0xD7, 0x0A, 0xD6, 0x5C, 0x25, 0xD4, 0x64, 0x13,
+		},
+		.len = 92,
+	},
+},
+/* gcm_128_61B_cipher */
+{
+	.test_idx = 9,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x3A, 0x4D, 0xE6, 0xFA, 0x32, 0x19, 0x10, 0x14,
+			0xDB, 0xB3, 0x03, 0xD9, 0x2E, 0xE3, 0xA9, 0xE8,
+			0xA1, 0xB5, 0x99, 0xC1, 0x4D, 0x22, 0xFB, 0x08,
+			0x00, 0x96, 0xE1, 0x38, 0x11, 0x81, 0x6A, 0x3C,
+			0x9C, 0x9B, 0xCF, 0x7C, 0x1B, 0x9B, 0x96, 0xDA,
+			0x80, 0x92, 0x04, 0xE2, 0x9D, 0x0E, 0x2A, 0x76,
+			0x42,
+			/* ICV */
+			0xBF, 0xD3, 0x10, 0xA4, 0x83, 0x7C, 0x81, 0x6C,
+			0xCF, 0xA5, 0xAC, 0x23, 0xAB, 0x00, 0x39, 0x88,
+		},
+		.len = 93,
+	},
+},
+/* gcm_256_61B_cipher */
+{
+	.test_idx = 10,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0x0,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x11, 0x02, 0x22, 0xFF, 0x80, 0x50, 0xCB, 0xEC,
+			0xE6, 0x6A, 0x81, 0x3A, 0xD0, 0x9A, 0x73, 0xED,
+			0x7A, 0x9A, 0x08, 0x9C, 0x10, 0x6B, 0x95, 0x93,
+			0x89, 0x16, 0x8E, 0xD6, 0xE8, 0x69, 0x8E, 0xA9,
+			0x02, 0xEB, 0x12, 0x77, 0xDB, 0xEC, 0x2E, 0x68,
+			0xE4, 0x73, 0x15, 0x5A, 0x15, 0xA7, 0xDA, 0xEE,
+			0xD4,
+			/* ICV */
+			0xA1, 0x0F, 0x4E, 0x05, 0x13, 0x9C, 0x23, 0xDF,
+			0x00, 0xB3, 0xAA, 0xDC, 0x71, 0xF0, 0x59, 0x6A,
+		},
+		.len = 93,
+	},
+},
+/* gcm_128_xpn_61B_cipher */
+{
+	.test_idx = 11,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x14, 0xC1, 0x76, 0x93, 0xBC, 0x82, 0x97, 0xEE,
+			0x6C, 0x47, 0xC5, 0x65, 0xCB, 0xE0, 0x67, 0x9E,
+			0x80, 0xF0, 0x0F, 0xCA, 0xF5, 0x92, 0xC9, 0xAA,
+			0x04, 0x73, 0x92, 0x8E, 0x7F, 0x2F, 0x21, 0x6F,
+			0xF5, 0xA0, 0x33, 0xDE, 0xC7, 0x51, 0x3F, 0x45,
+			0xD3, 0x4C, 0xBB, 0x98, 0x1C, 0x5B, 0xD6, 0x4E,
+			0x8B,
+			/* ICV */
+			0xD8, 0x4B, 0x8E, 0x2A, 0x78, 0xE7, 0x4D, 0xAF,
+			0xEA, 0xA0, 0x38, 0x46, 0xFE, 0x93, 0x0C, 0x0E,
+		},
+		.len = 93,
+	},
+},
+/* gcm_256_xpn_61B_cipher */
+{
+	.test_idx = 12,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x00,
+			0x06,
+		},
+		.len = 61,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2F,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x09, 0x96, 0xE0, 0xC9, 0xA5, 0x57, 0x74, 0xE0,
+			0xA7, 0x92, 0x30, 0x4E, 0x7D, 0xC1, 0x50, 0xBD,
+			0x67, 0xFD, 0x74, 0x7D, 0xD1, 0xB9, 0x41, 0x95,
+			0x94, 0xBF, 0x37, 0x3D, 0x4A, 0xCE, 0x8F, 0x87,
+			0xF5, 0xC1, 0x34, 0x9A, 0xFA, 0xC4, 0x91, 0xAA,
+			0x0A, 0x40, 0xD3, 0x19, 0x90, 0x87, 0xB2, 0x9F,
+			0xDF,
+			/* ICV */
+			0x80, 0x2F, 0x05, 0x0E, 0x69, 0x1F, 0x11, 0xA2,
+			0xD9, 0xB3, 0x58, 0xF6, 0x99, 0x41, 0x84, 0xF5,
+		},
+		.len = 93,
+	},
+},
+/* gcm_128_75B_cipher */
+{
+	.test_idx = 13,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xC3, 0x1F, 0x53, 0xD9, 0x9E, 0x56, 0x87, 0xF7,
+			0x36, 0x51, 0x19, 0xB8, 0x32, 0xD2, 0xAA, 0xE7,
+			0x07, 0x41, 0xD5, 0x93, 0xF1, 0xF9, 0xE2, 0xAB,
+			0x34, 0x55, 0x77, 0x9B, 0x07, 0x8E, 0xB8, 0xFE,
+			0xAC, 0xDF, 0xEC, 0x1F, 0x8E, 0x3E, 0x52, 0x77,
+			0xF8, 0x18, 0x0B, 0x43, 0x36, 0x1F, 0x65, 0x12,
+			0xAD, 0xB1, 0x6D, 0x2E, 0x38, 0x54, 0x8A, 0x2C,
+			0x71, 0x9D, 0xBA, 0x72, 0x28, 0xD8, 0x40,
+			/* ICV */
+			0x88, 0xF8, 0x75, 0x7A, 0xDB, 0x8A, 0xA7, 0x88,
+			0xD8, 0xF6, 0x5A, 0xD6, 0x68, 0xBE, 0x70, 0xE7,
+		},
+		.len = 99,
+	},
+},
+/* gcm_256_75B_cipher */
+{
+	.test_idx = 14,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xBA, 0x8A, 0xE3, 0x1B, 0xC5, 0x06, 0x48, 0x6D,
+			0x68, 0x73, 0xE4, 0xFC, 0xE4, 0x60, 0xE7, 0xDC,
+			0x57, 0x59, 0x1F, 0xF0, 0x06, 0x11, 0xF3, 0x1C,
+			0x38, 0x34, 0xFE, 0x1C, 0x04, 0xAD, 0x80, 0xB6,
+			0x68, 0x03, 0xAF, 0xCF, 0x5B, 0x27, 0xE6, 0x33,
+			0x3F, 0xA6, 0x7C, 0x99, 0xDA, 0x47, 0xC2, 0xF0,
+			0xCE, 0xD6, 0x8D, 0x53, 0x1B, 0xD7, 0x41, 0xA9,
+			0x43, 0xCF, 0xF7, 0xA6, 0x71, 0x3B, 0xD0,
+			/* ICV */
+			0x26, 0x11, 0xCD, 0x7D, 0xAA, 0x01, 0xD6, 0x1C,
+			0x5C, 0x88, 0x6D, 0xC1, 0xA8, 0x17, 0x01, 0x07,
+		},
+		.len = 99,
+	},
+},
+/* gcm_128_xpn_75B_cipher */
+{
+	.test_idx = 15,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xEA, 0xEC, 0xC6, 0xAF, 0x65, 0x12, 0xFC, 0x8B,
+			0x6C, 0x8C, 0x43, 0xBC, 0x55, 0xB1, 0x90, 0xB2,
+			0x62, 0x6D, 0x07, 0xD3, 0xD2, 0x18, 0xFA, 0xF5,
+			0xDA, 0xA7, 0xD8, 0xF8, 0x00, 0xA5, 0x73, 0x31,
+			0xEB, 0x43, 0xB5, 0xA1, 0x7A, 0x37, 0xE5, 0xB1,
+			0xD6, 0x0D, 0x27, 0x5C, 0xCA, 0xF7, 0xAC, 0xD7,
+			0x04, 0xCC, 0x9A, 0xCE, 0x2B, 0xF8, 0xBC, 0x8B,
+			0x9B, 0x23, 0xB9, 0xAD, 0xF0, 0x2F, 0x87,
+			/* ICV */
+			0x34, 0x6B, 0x96, 0xD1, 0x13, 0x6A, 0x75, 0x4D,
+			0xF0, 0xA6, 0xCD, 0xE1, 0x26, 0xC1, 0x07, 0xF8,
+		},
+		.len = 99,
+	},
+},
+/* gcm_256_xpn_75B_cipher */
+{
+	.test_idx = 16,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x00, 0x08,
+		},
+		.len = 75,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0xB0, 0xFE, 0xA3, 0x63, 0x18, 0xB9, 0xB3, 0x64,
+			0x66, 0xC4, 0x6E, 0x9E, 0x1B, 0xDA, 0x1A, 0x26,
+			0x68, 0x58, 0x19, 0x6E, 0x7E, 0x70, 0xD8, 0x82,
+			0xAE, 0x70, 0x47, 0x56, 0x68, 0xCD, 0xE4, 0xEC,
+			0x88, 0x3F, 0x6A, 0xC2, 0x36, 0x9F, 0x28, 0x4B,
+			0xED, 0x1F, 0xE3, 0x2F, 0x42, 0x09, 0x2F, 0xDF,
+			0xF5, 0x86, 0x8A, 0x3C, 0x64, 0xE5, 0x61, 0x51,
+			0x92, 0xA7, 0xA3, 0x76, 0x0B, 0x34, 0xBC,
+			/* ICV */
+			0x85, 0x69, 0x2C, 0xD8, 0x15, 0xB6, 0x64, 0x71,
+			0x1A, 0xEF, 0x91, 0x1D, 0xF7, 0x8D, 0x7F, 0x46,
+		},
+		.len = 99,
+	},
+},
+};
+
+#endif
-- 
2.25.1

[PATCH v3 04/13] test/security: add MACsec integrity cases

[Akhil Goyal]

Added test vectors and test cases to verify
auth_only/verify_only and encap-decap/auth-verify
to verify the complete TX-RX path using the loopback
mode of ethdev.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 153 +++
 .../test_security_inline_macsec_vectors.h     | 995 ++++++++++++++++++
 2 files changed, 1148 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 9ef967597b..7445b667e4 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -937,6 +937,143 @@ test_inline_macsec_decap_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_auth_only_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_ONLY, &opts);
+		if (err) {
+			printf("\nAuth Generate case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Generate case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_verify_only_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err) {
+			printf("\nAuth Verify case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Verify case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_encap_decap_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP_DECAP, &opts);
+		if (err) {
+			printf("\nCipher Auth Encap-decap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nCipher Auth Encap-decap case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+
+static int
+test_inline_macsec_auth_verify_all(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_VERIFY, &opts);
+		if (err) {
+			printf("\nAuth Generate + Verify case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nAuth Generate + Verify case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1090,6 +1227,22 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec decap(De-cipher+verify) known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_decap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth only known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_only_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec verify only known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_verify_only_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec encap + decap known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_decap_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth + verify known vector",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_verify_all),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 68bd485419..f6c668c281 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -1083,4 +1083,999 @@ static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
+/* gcm_128_54B_integrity */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0xF0, 0x94, 0x78, 0xA9, 0xB0, 0x90, 0x07, 0xD0,
+			0x6F, 0x46, 0xE9, 0xB6, 0xA1, 0xDA, 0x25, 0xDD,
+		},
+		.len = 86,
+	},
+},
+/* gcm_256_54B_integrity */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x2F, 0x0B, 0xC5, 0xAF, 0x40, 0x9E, 0x06, 0xD6,
+			0x09, 0xEA, 0x8B, 0x7D, 0x0F, 0xA5, 0xEA, 0x50,
+		},
+		.len = 86,
+	},
+},
+/* gcm_128_xpn_54B_integrity */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x17, 0xFE, 0x19, 0x81, 0xEB, 0xDD, 0x4A, 0xFC,
+			0x50, 0x62, 0x69, 0x7E, 0x8B, 0xAA, 0x0C, 0x23,
+		},
+		.len = 86,
+	},
+},
+/* gcm_256_xpn_54B_integrity */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xE3, 0xC0, 0x8A, 0x8F, 0x06, 0xC6, 0xE3, 0xAD,
+			0x95, 0xA7, 0x05, 0x57, 0xB2, 0x3F, 0x75, 0x48,
+			0x3C, 0xE3, 0x30, 0x21, 0xA9, 0xC7, 0x2B, 0x70,
+			0x25, 0x66, 0x62, 0x04, 0xC6, 0x9C, 0x0B, 0x72,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xD6, 0x09, 0xB1, 0xF0, 0x56, 0x63,
+			/* MAC SA */
+			0x7A, 0x0D, 0x46, 0xDF, 0x99, 0x8D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x22,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xB2, 0xC2, 0x84, 0x65,
+			/* SCI */
+			0x12, 0x15, 0x35, 0x24, 0xC0, 0x89, 0x5E, 0x81,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x01,
+			/* ICV */
+			0x4D, 0xBD, 0x2F, 0x6A, 0x75, 0x4A, 0x6C, 0xF7,
+			0x28, 0xCC, 0x12, 0x9B, 0xA6, 0x93, 0x15, 0x77,
+		},
+		.len = 86,
+	},
+},
+/* gcm_128_60B_integrity */
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0x0C, 0x01, 0x7B, 0xC7, 0x3B, 0x22, 0x7D, 0xFC,
+			0xC9, 0xBA, 0xFA, 0x1C, 0x41, 0xAC, 0xC3, 0x53,
+		},
+		.len = 84,
+	},
+},
+/* gcm_256_60B_integrity */
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0x35, 0x21, 0x7C, 0x77, 0x4B, 0xBC, 0x31, 0xB6,
+			0x31, 0x66, 0xBC, 0xF9, 0xD4, 0xAB, 0xED, 0x07,
+		},
+		.len = 84,
+	},
+},
+/* gcm_128_xpn_60B_integrity */
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0xAB, 0xC4, 0x06, 0x85, 0xA3, 0xCF, 0x91, 0x1D,
+			0x37, 0x87, 0xE4, 0x9D, 0xB6, 0xA7, 0x26, 0x5E,
+		},
+		.len = 84,
+	},
+},
+/* gcm_256_xpn_60B_integrity */
+{
+	.test_idx = 8,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x69, 0x1D, 0x3E, 0xE9, 0x09, 0xD7, 0xF5, 0x41,
+			0x67, 0xFD, 0x1C, 0xA0, 0xB5, 0xD7, 0x69, 0x08,
+			0x1F, 0x2B, 0xDE, 0x1A, 0xEE, 0x65, 0x5F, 0xDB,
+			0xAB, 0x80, 0xBD, 0x52, 0x95, 0xAE, 0x6B, 0xE7,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+		},
+		.len = 60,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x40,
+			/* SL */
+			0x00,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x00, 0x03,
+			/* ICV */
+			0xAC, 0x21, 0x95, 0x7B, 0x83, 0x12, 0xAB, 0x3C,
+			0x99, 0xAB, 0x46, 0x84, 0x98, 0x79, 0xC3, 0xF3,
+		},
+		.len = 84,
+	},
+},
+/* gcm_128_65B_integrity */
+{
+	.test_idx = 9,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x21, 0x78, 0x67, 0xE5, 0x0C, 0x2D, 0xAD, 0x74,
+			0xC2, 0x8C, 0x3B, 0x50, 0xAB, 0xDF, 0x69, 0x5A,
+		},
+		.len = 97,
+	},
+},
+/* gcm_256_65B_integrity */
+{
+	.test_idx = 10,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x6E, 0xE1, 0x60, 0xE8, 0xFA, 0xEC, 0xA4, 0xB3,
+			0x6C, 0x86, 0xB2, 0x34, 0x92, 0x0C, 0xA9, 0x75,
+		},
+		.len = 97,
+	},
+},
+/* gcm_128_xpn_65B_integrity */
+{
+	.test_idx = 11,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x01, 0x3F, 0xE0, 0x0B, 0x5F, 0x11, 0xBE, 0x7F,
+			0x86, 0x6D, 0x0C, 0xBB, 0xC5, 0x5A, 0x7A, 0x90,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x67, 0x85, 0x59, 0xB7, 0xE5, 0x2D, 0xB0, 0x06,
+			0x82, 0xE3, 0xB8, 0x30, 0x34, 0xCE, 0xBE, 0x59,
+		},
+		.len = 97,
+	},
+},
+/* gcm_256_xpn_65B_integrity */
+{
+	.test_idx = 12,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x83, 0xC0, 0x93, 0xB5, 0x8D, 0xE7, 0xFF, 0xE1,
+			0xC0, 0xDA, 0x92, 0x6A, 0xC4, 0x3F, 0xB3, 0x60,
+			0x9A, 0xC1, 0xC8, 0x0F, 0xEE, 0x1B, 0x62, 0x44,
+			0x97, 0xEF, 0x94, 0x2E, 0x2F, 0x79, 0xA8, 0x23,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+		},
+		.len = 65,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x84, 0xC5, 0xD5, 0x13, 0xD2, 0xAA,
+			/* MAC SA */
+			0xF6, 0xE5, 0xBB, 0xD2, 0x72, 0x77,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x23,
+			/* SL */
+			0x00,
+			/* PN */
+			0x89, 0x32, 0xD6, 0x12,
+			/* SCI */
+			0x7C, 0xFD, 0xE9, 0xF9, 0xE3, 0x37, 0x24, 0xC6,
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x00, 0x05,
+			/* ICV */
+			0x84, 0xBA, 0xC8, 0xE5, 0x3D, 0x1E, 0xA3, 0x55,
+			0xA5, 0xC7, 0xD3, 0x34, 0x84, 0x0A, 0xE9, 0x62,
+		},
+		.len = 97,
+	},
+},
+/* gcm_128_79B_integrity */
+{
+	.test_idx = 13,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x07, 0x92, 0x2B, 0x8E, 0xBC, 0xF1, 0x0B, 0xB2,
+			0x29, 0x75, 0x88, 0xCA, 0x4C, 0x61, 0x45, 0x23,
+		},
+		.len = 103,
+	},
+},
+/* gcm_256_79B_integrity */
+{
+	.test_idx = 14,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_256,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x00, 0xBD, 0xA1, 0xB7, 0xE8, 0x76, 0x08, 0xBC,
+			0xBF, 0x47, 0x0F, 0x12, 0x15, 0x7F, 0x4C, 0x07,
+		},
+		.len = 103,
+	},
+},
+/* gcm_128_xpn_79B_integrity */
+{
+	.test_idx = 15,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x88, 0xEE, 0x08, 0x7F, 0xD9, 0x5D, 0xA9, 0xFB,
+			0xF6, 0x72, 0x5A, 0xA9, 0xD7, 0x57, 0xB0, 0xCD,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0xD0, 0xDC, 0x89, 0x6D, 0xC8, 0x37, 0x98, 0xA7,
+			0x9F, 0x3C, 0x5A, 0x95, 0xBA, 0x3C, 0xDF, 0x9A,
+		},
+		.len = 103,
+	},
+},
+/* gcm_256_xpn_79B_integrity */
+{
+	.test_idx = 16,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_256,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE, 0x86, 0xA2,
+		0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x4C, 0x97, 0x3D, 0xBC, 0x73, 0x64, 0x62, 0x16,
+			0x74, 0xF8, 0xB5, 0xB8, 0x9E, 0x5C, 0x15, 0x51,
+			0x1F, 0xCE, 0xD9, 0x21, 0x64, 0x90, 0xFB, 0x1C,
+			0x1A, 0x2C, 0xAA, 0x0F, 0xFE, 0x04, 0x07, 0xE5,
+		},
+		.len = 32,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+		},
+		.len = 79,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0x68, 0xF2, 0xE7, 0x76, 0x96, 0xCE,
+			/* MAC SA */
+			0x7A, 0xE8, 0xE2, 0xCA, 0x4E, 0xC5,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x41,
+			/* SL */
+			0x00,
+			/* PN */
+			0x2E, 0x58, 0x49, 0x5C,
+			/* SCI */
+			/* Secure Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C,
+			0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44,
+			0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+			0x4D, 0x00, 0x07,
+			/* ICV */
+			0x04, 0x24, 0x9A, 0x20, 0x8A, 0x65, 0xB9, 0x6B,
+			0x3F, 0x32, 0x63, 0x00, 0x4C, 0xFD, 0x86, 0x7D,
+		},
+		.len = 103,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH v3 05/13] test/security: verify multi flow MACsec

[Akhil Goyal]

Added test case and test vectors to verify multiple
flows of MACsec.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  49 ++++++++
 .../test_security_inline_macsec_vectors.h     | 110 +++++++++++++++++-
 2 files changed, 158 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 7445b667e4..621074a928 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1074,6 +1074,51 @@ test_inline_macsec_auth_verify_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_multi_flow(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *tv[MCS_MAX_FLOWS];
+	struct mcs_test_vector iter[MCS_MAX_FLOWS];
+	struct mcs_test_opts opts = {0};
+	int i, err;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = MCS_MAX_FLOWS;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	for (i = 0; i < MCS_MAX_FLOWS; i++) {
+		memcpy(&iter[i].sa_key.data, sa_key, MCS_MULTI_FLOW_TD_KEY_SZ);
+		memcpy(&iter[i].plain_pkt.data, eth_addrs[i], 2 * RTE_ETHER_ADDR_LEN);
+		memcpy(&iter[i].plain_pkt.data[2 * RTE_ETHER_ADDR_LEN], plain_user_data,
+		       MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ);
+		memcpy(&iter[i].secure_pkt.data, eth_addrs[i], 2 * RTE_ETHER_ADDR_LEN);
+		memcpy(&iter[i].secure_pkt.data[2 * RTE_ETHER_ADDR_LEN], secure_user_data,
+		       MCS_MULTI_FLOW_TD_SECURE_DATA_SZ);
+		iter[i].sa_key.len = MCS_MULTI_FLOW_TD_KEY_SZ;
+		iter[i].plain_pkt.len = MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ +
+					(2 * RTE_ETHER_ADDR_LEN);
+		iter[i].secure_pkt.len = MCS_MULTI_FLOW_TD_SECURE_DATA_SZ +
+					(2 * RTE_ETHER_ADDR_LEN);
+		iter[i].alg = RTE_SECURITY_MACSEC_ALG_GCM_128;
+		iter[i].ssci = 0x0;
+		iter[i].xpn = 0x0;
+		tv[i] = (const struct mcs_test_vector *)&iter[i];
+	}
+	err = test_macsec(tv, MCS_ENCAP_DECAP, &opts);
+	if (err) {
+		printf("\nCipher Auth Encryption multi flow failed");
+		err = -1;
+	} else {
+		printf("\nCipher Auth Encryption multi flow Passed");
+		err = 0;
+	}
+	return err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1219,6 +1264,10 @@ inline_macsec_testsuite_teardown(void)
 static struct unit_test_suite inline_macsec_testsuite  = {
 	.suite_name = "Inline MACsec Ethernet Device Unit Test Suite",
 	.unit_test_cases = {
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap + decap Multi flow",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_multi_flow),
 		TEST_CASE_NAMED_ST(
 			"MACsec encap(Cipher+Auth) known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index f6c668c281..8d9c2cae77 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -8,7 +8,6 @@
 #define MCS_MAX_KEY_LEN				32
 #define MCS_IV_LEN				12
 #define MCS_SALT_LEN				12
-#define MCS_MAX_FLOWS				63
 
 enum mcs_op {
 	MCS_NO_OP,
@@ -2078,4 +2077,113 @@ static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
 },
 };
 
+#define MCS_MULTI_FLOW_TD_KEY_SZ		16
+#define MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ		42
+#define MCS_MULTI_FLOW_TD_SECURE_DATA_SZ	66
+#define MCS_MULTI_FLOW_TD_KEY_SZ		16
+#define MCS_MAX_FLOWS				63
+
+uint8_t sa_key[MCS_MULTI_FLOW_TD_KEY_SZ] = {
+		0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+		0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+};
+
+uint8_t eth_addrs[MCS_MAX_FLOWS][2 * RTE_ETHER_ADDR_LEN] = {
+		{0xE2, 0x00, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x02, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x03, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x04, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x05, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x06, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x07, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x08, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x09, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x0F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x10, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x11, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x12, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x13, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x14, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x15, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x16, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x17, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x18, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x19, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x1F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x20, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x21, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x22, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x23, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x24, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x25, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x26, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x27, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x28, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x29, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x2F, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x30, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x31, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x32, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x33, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x34, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x35, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x36, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x37, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x38, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x39, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3A, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3B, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3C, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3D, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+		{0xE2, 0x3E, 0x06, 0xD7, 0xCD, 0x0D, 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,},
+};
+
+uint8_t plain_user_data[MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ] = {
+		/* User Data with Ethertype */
+		0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+		0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+		0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+		0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+		0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+		0x00, 0x04,
+};
+
+uint8_t secure_user_data[MCS_MULTI_FLOW_TD_SECURE_DATA_SZ] = {
+		/* MACsec EtherType */
+		0x88, 0xE5,
+		/* TCI and AN */
+		0x4C,
+		/* SL */
+		0x2A,
+		/* PN */
+		0x76, 0xD4, 0x57, 0xED,
+		/* Secure Data */
+		0x13, 0xB4, 0xC7, 0x2B, 0x38, 0x9D, 0xC5, 0x01,
+		0x8E, 0x72, 0xA1, 0x71, 0xDD, 0x85, 0xA5, 0xD3,
+		0x75, 0x22, 0x74, 0xD3, 0xA0, 0x19, 0xFB, 0xCA,
+		0xED, 0x09, 0xA4, 0x25, 0xCD, 0x9B, 0x2E, 0x1C,
+		0x9B, 0x72, 0xEE, 0xE7, 0xC9, 0xDE, 0x7D, 0x52,
+		0xB3, 0xF3,
+		/* ICV */
+		0xD6, 0xA5, 0x28, 0x4F, 0x4A, 0x6D, 0x3F, 0xE2,
+		0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
+};
+
+
 #endif
-- 
2.25.1

[PATCH v3 06/13] test/security: add MACsec VLAN cases

[Akhil Goyal]

Added cases to verify MACsec processing with VLAN
tags inserted. Vectors are added to verify 1/2/3
VLAN tags in clear or encrypted data.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  67 ++++++
 .../test_security_inline_macsec_vectors.h     | 217 ++++++++++++++++++
 2 files changed, 284 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 621074a928..854ead75a0 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1119,6 +1119,69 @@ test_inline_macsec_multi_flow(const void *data __rte_unused)
 	return err;
 }
 
+static int
+test_inline_macsec_with_vlan(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_vlan_vectors) / sizeof((list_mcs_vlan_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_vlan_vectors[i];
+		if (i == 0) {
+			opts.sectag_insert_mode = 1;
+		} else if (i == 1) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 1;
+		} else if (i == 2) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 2;
+		}
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("\n VLAN Encap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\n VLAN Encap case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_vlan_vectors[i];
+		if (i == 0) {
+			opts.sectag_insert_mode = 1;
+		} else if (i == 1) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 1;
+		} else if (i == 2) {
+			opts.sectag_insert_mode = 0; /* offset from special E-type */
+			opts.nb_vlan = 2;
+		}
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\n VLAN Decap case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\n VLAN Decap case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, (2 * size) + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1292,6 +1355,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec auth + verify known vector",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_auth_verify_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap and decap with VLAN",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_with_vlan),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 8d9c2cae77..4bcb82783c 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -2185,5 +2185,222 @@ uint8_t secure_user_data[MCS_MULTI_FLOW_TD_SECURE_DATA_SZ] = {
 		0x2A, 0x5D, 0x6C, 0x2B, 0x96, 0x04, 0x94, 0xC3,
 };
 
+static const struct mcs_test_vector list_mcs_vlan_vectors[] = {
+/* No clear tag, VLAN after macsec header */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data with VLAN Tag */
+			0x81, 0x00, 0x00, 0x02, 0x08, 0x00, 0x45, 0x00,
+			0x00, 0x54, 0xF2, 0xFA, 0x40, 0x00, 0x40, 0x01,
+			0xF7, 0x83, 0x14, 0x14, 0x14, 0x02, 0x14, 0x14,
+			0x14, 0x01, 0x08, 0x00, 0xE9, 0xC5, 0x02, 0xAF,
+			0x00, 0x01, 0xCB, 0x51, 0x6D, 0x38, 0x00, 0x00,
+			0x00, 0x00, 0x13, 0x2D, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+			0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
+			0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D,
+			0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+			0x36, 0x37,
+		},
+		.len = 102,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x06,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x81, 0x00, 0x00, 0x02, 0x08, 0x00, 0x45, 0x00,
+			0x00, 0x54, 0xF2, 0xFA, 0x40, 0x00, 0x40, 0x01,
+			0xF7, 0x83, 0x14, 0x14, 0x14, 0x02, 0x14, 0x14,
+			0x14, 0x01, 0x08, 0x00, 0xE9, 0xC5, 0x02, 0xAF,
+			0x00, 0x01, 0xCB, 0x51, 0x6D, 0x38, 0x00, 0x00,
+			0x00, 0x00, 0x13, 0x2D, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+			0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
+			0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
+			0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D,
+			0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+			0x36, 0x37,
+			/* ICV */
+			0x21, 0x68, 0xF1, 0x21, 0x19, 0xB7, 0xDF, 0x73,
+			0x6F, 0x2A, 0x11, 0xEA, 0x8A, 0xBC, 0x8A, 0x79,
+		},
+		.len = 134,
+	},
+},
+/* 1 vlan tag followed by MACsec */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data */
+			0x81, 0x00, 0x00, 0x02,
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x88, 0x71,
+			0x40, 0x00, 0x40, 0x01, 0x62, 0x0D, 0x14, 0x14,
+			0x14, 0x02, 0x14, 0x14, 0x14, 0x01, 0x08, 0x00,
+			0x77, 0xA6, 0x02, 0xB3, 0x00, 0x01, 0xBE, 0x52,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x47,
+			0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		},
+		.len = 102,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* VLAN Tag before MACsec */
+			0x81, 0x00, 0x00, 0x02,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x07,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x88, 0x71,
+			0x40, 0x00, 0x40, 0x01, 0x62, 0x0D, 0x14, 0x14,
+			0x14, 0x02, 0x14, 0x14, 0x14, 0x01, 0x08, 0x00,
+			0x77, 0xA6, 0x02, 0xB3, 0x00, 0x01, 0xBE, 0x52,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x47,
+			0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+			/* ICV */
+			0xF1, 0xC0, 0xA2, 0x6E, 0x99, 0xE5, 0xAB, 0x97,
+			0x78, 0x79, 0x7D, 0x13, 0x35, 0x5E, 0x39, 0x4F,
+		},
+		.len = 134,
+	},
+},
+/* 2 vlan tag followed by MACsec */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0,
+	.xpn = 0, /* Most significant 32 bits */
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+			0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* User Data */
+			0x88, 0xA8, 0x00, 0x04, 0x81, 0x00, 0x00, 0x02,
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x70, 0x5B,
+			0x40, 0x00, 0x40, 0x01, 0x29, 0xF9, 0x28, 0x28,
+			0x28, 0x04, 0x28, 0x28, 0x28, 0x01, 0x08, 0x00,
+			0x08, 0x02, 0x02, 0xE2, 0x00, 0x01, 0x60, 0x58,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x5C, 0xB7,
+			0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		},
+		.len = 106,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xCA, 0xCB, 0xCD, 0x41, 0x42, 0x43,
+			/* MAC SA */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23,
+			/* VLAN Tags before MACsec */
+			0x88, 0xA8, 0x00, 0x04,
+			0x81, 0x00, 0x00, 0x02,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x20,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x0E,
+			/* SCI */
+			0xCA, 0xCB, 0xCD, 0x21, 0x22, 0x23, 0x00, 0x01,
+			/* Secure Data */
+			0x08, 0x00, 0x45, 0x00, 0x00, 0x54, 0x70, 0x5B,
+			0x40, 0x00, 0x40, 0x01, 0x29, 0xF9, 0x28, 0x28,
+			0x28, 0x04, 0x28, 0x28, 0x28, 0x01, 0x08, 0x00,
+			0x08, 0x02, 0x02, 0xE2, 0x00, 0x01, 0x60, 0x58,
+			0x6D, 0x38, 0x00, 0x00, 0x00, 0x00, 0x5C, 0xB7,
+			0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x11,
+			0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+			0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21,
+			0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
+			0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31,
+			0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+			/* ICV */
+			0xCC, 0x38, 0x21, 0x3A, 0xEE, 0x5F, 0xE3, 0x7F,
+			0xA1, 0xBA, 0xBD, 0xBD, 0x65, 0x5B, 0xB3, 0xE5,
+		},
+		.len = 138,
+	},
+},
+};
+
+
 
 #endif
-- 
2.25.1

[PATCH v3 07/13] test/security: add MACsec negative cases

[Akhil Goyal]

Added MACsec negative test cases to verify
pkt drop, untagged rx, bad tag rx, sa not in use,
out packets untagged, pkts too long.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 346 +++++++++++++
 .../test_security_inline_macsec_vectors.h     | 475 ++++++++++++++++++
 2 files changed, 821 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 854ead75a0..2a06f31f37 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -660,6 +660,103 @@ mcs_stats_dump(struct rte_security_ctx *ctx, enum mcs_op op,
 	}
 }
 
+static int
+mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
+		const struct mcs_test_opts *opts,
+		const struct mcs_test_vector *td,
+		void *rx_sess, void *tx_sess,
+		uint8_t rx_sc_id, uint8_t tx_sc_id,
+		uint16_t rx_sa_id[], uint16_t tx_sa_id[])
+{
+	struct rte_security_stats sess_stats = {0};
+	struct rte_security_macsec_secy_stats *secy_stat;
+	struct rte_security_macsec_sc_stats sc_stat = {0};
+	struct rte_security_macsec_sa_stats sa_stat = {0};
+	int i;
+
+	if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
+		rte_security_session_stats_get(ctx, rx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if ((opts->check_untagged_rx && secy_stat->pkt_notag_cnt != 1) ||
+				(opts->check_untagged_rx && secy_stat->pkt_untaged_cnt != 1))
+			return TEST_FAILED;
+
+		if (opts->check_bad_tag_cnt && secy_stat->pkt_badtag_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_sa_not_in_use && secy_stat->pkt_nosaerror_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_decap_stats && secy_stat->octet_decrypted_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		if (opts->check_verify_only_stats && secy_stat->octet_validated_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		rte_security_macsec_sc_stats_get(ctx, rx_sc_id,
+				RTE_SECURITY_MACSEC_DIR_RX, &sc_stat);
+
+		if ((opts->check_decap_stats || opts->check_verify_only_stats) &&
+				sc_stat.pkt_ok_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_pkts_invalid_stats && sc_stat.pkt_notvalid_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_pkts_unchecked_stats && sc_stat.pkt_unchecked_cnt != 1)
+			return TEST_FAILED;
+
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
+					RTE_SECURITY_MACSEC_DIR_RX, &sa_stat);
+
+		}
+	}
+
+	if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
+			op == MCS_AUTH_ONLY || op == MCS_AUTH_VERIFY) {
+		memset(&sess_stats, 0, sizeof(struct rte_security_stats));
+		rte_security_session_stats_get(ctx, tx_sess, &sess_stats);
+		secy_stat = &sess_stats.macsec;
+
+		if (opts->check_out_pkts_untagged && secy_stat->pkt_untagged_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_out_pkts_toolong && secy_stat->pkt_toolong_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_encap_stats && secy_stat->octet_encrypted_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+		if (opts->check_auth_only_stats && secy_stat->octet_protected_cnt !=
+				(uint16_t)(td->plain_pkt.len - 2 * RTE_ETHER_ADDR_LEN))
+			return TEST_FAILED;
+
+
+		memset(&sc_stat, 0, sizeof(struct rte_security_macsec_sc_stats));
+		rte_security_macsec_sc_stats_get(ctx, tx_sc_id, RTE_SECURITY_MACSEC_DIR_TX,
+						 &sc_stat);
+
+		if (opts->check_encap_stats && sc_stat.pkt_encrypt_cnt != 1)
+			return TEST_FAILED;
+
+		if (opts->check_auth_only_stats && sc_stat.pkt_protected_cnt != 1)
+			return TEST_FAILED;
+
+		memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
+		rte_security_macsec_sa_stats_get(ctx, tx_sa_id[0],
+				RTE_SECURITY_MACSEC_DIR_TX, &sa_stat);
+	}
+
+	return 0;
+}
+
 static int
 test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
 {
@@ -833,12 +930,23 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		rx_pkts_burst[i] = NULL;
 	}
 out:
+	if (opts->check_out_pkts_toolong == 1 ||
+			opts->check_sa_not_in_use == 1 ||
+			opts->check_bad_tag_cnt == 1)
+		ret = TEST_SUCCESS;
+
 	for (i = 0; i < opts->nb_td; i++) {
 		if (opts->dump_all_stats) {
 			mcs_stats_dump(ctx, op,
 					rx_sess[i], tx_sess[i],
 					rx_sc_id[i], tx_sc_id[i],
 					rx_sa_id[i], tx_sa_id[i]);
+		} else {
+			if (ret == TEST_SUCCESS)
+				ret = mcs_stats_check(ctx, op, opts, td[i],
+					rx_sess[i], tx_sess[i],
+					rx_sc_id[i], tx_sc_id[i],
+					rx_sa_id[i], tx_sa_id[i]);
 		}
 	}
 
@@ -1182,6 +1290,220 @@ test_inline_macsec_with_vlan(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_pkt_drop(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_err_cipher_vectors) / sizeof((list_mcs_err_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_err_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nPacket drop case %d passed", cur_td->test_idx);
+			err = 0;
+		} else {
+			printf("\nPacket drop case %d failed", cur_td->test_idx);
+			err = -1;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_untagged_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_untagged_rx = 1;
+
+	size = (sizeof(list_mcs_untagged_cipher_vectors) /
+		sizeof((list_mcs_untagged_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_untagged_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD;
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_untagged_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_bad_tag_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_bad_tag_cnt = 1;
+
+	size = (sizeof(list_mcs_bad_tag_vectors) / sizeof((list_mcs_bad_tag_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_bad_tag_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_sa_not_in_use(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 0;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_sa_not_in_use = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_out_pkts_untagged(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = false;
+	opts.protect_frames = false;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_out_pkts_untagged = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_out_pkts_toolong(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = 50;
+	opts.check_out_pkts_toolong = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1359,6 +1681,30 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec Encap and decap with VLAN",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_with_vlan),
+		TEST_CASE_NAMED_ST(
+			"MACsec packet drop",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkt_drop),
+		TEST_CASE_NAMED_ST(
+			"MACsec untagged Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_untagged_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec bad tag Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_bad_tag_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec SA not in use",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_sa_not_in_use),
+		TEST_CASE_NAMED_ST(
+			"MACsec out pkts untagged",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_out_pkts_untagged),
+		TEST_CASE_NAMED_ST(
+			"MACsec out pkts too long",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_out_pkts_toolong),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 4bcb82783c..2b200c1d89 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -2077,6 +2077,481 @@ static const struct mcs_test_vector list_mcs_integrity_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_err_cipher_vectors[] = {
+/* gcm_128_64B_cipher */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x38, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	}
+}
+};
+
+static const struct mcs_test_vector list_mcs_untagged_cipher_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* Wrong MACsec EtherType */
+			0x88, 0xD7,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
+
+static const struct mcs_test_vector list_mcs_bad_tag_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{V = 1} and AN */
+			0xAC,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{E,C = 2'b01} and AN */
+			0x24,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{ES = 1 && SC = 1} and AN */
+			0x6C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI{SCB = 1 && SC = 1} and AN */
+			0x3C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN = 0 */
+			0x0, 0x0, 0x0, 0x0,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x80,
+			/* PN = 0 */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
+
 #define MCS_MULTI_FLOW_TD_KEY_SZ		16
 #define MCS_MULTI_FLOW_TD_PLAIN_DATA_SZ		42
 #define MCS_MULTI_FLOW_TD_SECURE_DATA_SZ	66
-- 
2.25.1

[PATCH v3 08/13] test/security: verify MACsec stats

[Akhil Goyal]

Added cases to verify various stats of MACsec.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c | 222 +++++++++++++++++++++++++
 1 file changed, 222 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 2a06f31f37..9cab3253f4 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -1438,6 +1438,140 @@ test_inline_macsec_sa_not_in_use(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_decap_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_decap_stats = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("\nDecap stats case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nDecap stats case %d passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_verify_only_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_verify_only_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err) {
+			printf("\nVerify only stats case %d failed", cur_td->test_idx);
+			err = -1;
+		} else {
+			printf("\nVerify only stats case %d Passed", cur_td->test_idx);
+			err = 0;
+		}
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+
+	return all_err;
+}
+
+static int
+test_inline_macsec_pkts_invalid_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+
+	size = (sizeof(list_mcs_err_cipher_vectors) / sizeof((list_mcs_err_cipher_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_err_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err)
+			err = 0;
+		else
+			err = -1;
+
+		all_err += err;
+	}
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_pkts_unchecked_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_DISABLE;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_pkts_unchecked_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_VERIFY_ONLY, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 test_inline_macsec_out_pkts_untagged(const void *data __rte_unused)
 {
@@ -1504,6 +1638,70 @@ test_inline_macsec_out_pkts_toolong(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_encap_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.encrypt = true;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_encap_stats = 1;
+
+	size = (sizeof(list_mcs_cipher_vectors) / sizeof((list_mcs_cipher_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_cipher_vectors[i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
+static int
+test_inline_macsec_auth_only_stats(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_auth_only_stats = 1;
+
+	size = (sizeof(list_mcs_integrity_vectors) / sizeof((list_mcs_integrity_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_integrity_vectors[i];
+		err = test_macsec(&cur_td, MCS_AUTH_ONLY, &opts);
+		if (err)
+			err = -1;
+		else
+			err = 0;
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1697,6 +1895,22 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec SA not in use",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_sa_not_in_use),
+		TEST_CASE_NAMED_ST(
+			"MACsec decap stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_decap_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec verify only stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_verify_only_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec pkts invalid stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkts_invalid_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec pkts unchecked stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_pkts_unchecked_stats),
 		TEST_CASE_NAMED_ST(
 			"MACsec out pkts untagged",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
@@ -1705,6 +1919,14 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec out pkts too long",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_out_pkts_toolong),
+		TEST_CASE_NAMED_ST(
+			"MACsec Encap stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_encap_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec auth only stats",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_auth_only_stats),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
-- 
2.25.1

[PATCH v3 09/13] test/security: verify MACsec interrupts

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables the test_inline_macsec_interrupts_all
test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 124 +++++++
 .../test_security_inline_macsec_vectors.h     | 306 +++++++++++++++++-
 2 files changed, 429 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 9cab3253f4..12e3234cfb 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -757,6 +757,71 @@ mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
 	return 0;
 }
 
+static int
+test_macsec_event_callback(uint16_t port_id, enum rte_eth_event_type type,
+			   void *param, void *ret_param)
+{
+	struct mcs_err_vector *vector = (struct mcs_err_vector *)param;
+	struct rte_eth_event_macsec_desc *event_desc = NULL;
+
+	RTE_SET_USED(port_id);
+
+	if (type != RTE_ETH_EVENT_MACSEC)
+		return -1;
+
+	event_desc = ret_param;
+	if (event_desc == NULL) {
+		printf("Event descriptor not set\n");
+		return -1;
+	}
+	vector->notify_event = true;
+
+	switch (event_desc->type) {
+	case RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR:
+		vector->event = RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR;
+		switch (event_desc->subtype) {
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1:
+			vector->event_subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		default:
+			printf("\nUnknown Macsec event subtype: %d", event_desc->subtype);
+		}
+		break;
+	case RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP:
+		vector->event = RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP;
+		break;
+	case RTE_ETH_EVENT_MACSEC_SA_NOT_VALID:
+		vector->event = RTE_ETH_EVENT_MACSEC_SA_NOT_VALID;
+		break;
+	default:
+		printf("Invalid MACsec event reported\n");
+		return -1;
+	}
+
+	return 0;
+}
+
 static int
 test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs_test_opts *opts)
 {
@@ -914,6 +979,8 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		while (--nb_rx >= 0)
 			rte_pktmbuf_free(rx_pkts_burst[nb_rx]);
 		ret = TEST_FAILED;
+		if (opts->check_sectag_interrupts == 1)
+			ret = TEST_SUCCESS;
 		goto out;
 	}
 
@@ -1702,6 +1769,59 @@ test_inline_macsec_auth_only_stats(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_interrupts_all(const void *data __rte_unused)
+{
+	struct mcs_err_vector err_vector = {0};
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int i, size;
+	int err, all_err = 0;
+	enum rte_eth_event_macsec_subtype subtype[] =  {
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1,
+		RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1,
+	};
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.check_sectag_interrupts = 1;
+
+	err_vector.event = RTE_ETH_EVENT_MACSEC_UNKNOWN;
+	err_vector.event_subtype = RTE_ETH_SUBEVENT_MACSEC_UNKNOWN;
+	rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_MACSEC,
+			test_macsec_event_callback, &err_vector);
+
+	size = (sizeof(list_mcs_intr_test_vectors) / sizeof((list_mcs_intr_test_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_intr_test_vectors[i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if ((err_vector.event == RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR) &&
+		    (err_vector.event_subtype == subtype[i])) {
+			printf("\nSectag val err interrupt test case %d passed",
+			       cur_td->test_idx);
+			err = 0;
+		} else {
+			printf("\nSectag val err interrupt test case %d failed",
+			       cur_td->test_idx);
+			err = -1;
+		}
+		all_err += err;
+	}
+	rte_eth_dev_callback_unregister(port_id, RTE_ETH_EVENT_MACSEC,
+			test_macsec_event_callback, &err_vector);
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -1927,6 +2047,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec auth only stats",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_auth_only_stats),
+		TEST_CASE_NAMED_ST(
+			"MACsec interrupts all",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_interrupts_all),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 2b200c1d89..d861004e8e 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -39,6 +39,13 @@ struct mcs_test_vector {
 	} secure_pkt;
 };
 
+struct mcs_err_vector {
+	const struct mcs_test_vector *td;
+	enum rte_eth_event_macsec_type event;
+	enum rte_eth_event_macsec_subtype event_subtype;
+	bool notify_event;
+};
+
 static const struct mcs_test_vector list_mcs_cipher_vectors[] = {
 /* gcm_128_64B_cipher */
 {
@@ -2876,6 +2883,303 @@ static const struct mcs_test_vector list_mcs_vlan_vectors[] = {
 },
 };
 
-
+static const struct mcs_test_vector list_mcs_intr_test_vectors[] = {
+/* gcm_128_64B_cipher */
+/* SECTAG_V_EQ1 */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0xAC,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_E_EQ0_C_EQ1 */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x24,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_SL_GTE48 */
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x31,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_ES_EQ1_SC_EQ1 */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x6C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* SECTAG_SC_EQ1_SCB_EQ1 */
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x3C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+};
 
 #endif
-- 
2.25.1

[PATCH v3 10/13] test/security: verify MACsec Tx HW rekey

[Akhil Goyal]

This patch enables the Tx HW rekey test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        | 137 +++++++++-
 .../test_security_inline_macsec_vectors.h     | 243 ++++++++++++++++++
 2 files changed, 378 insertions(+), 2 deletions(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 12e3234cfb..2172f61199 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -207,6 +207,8 @@ fill_macsec_sc_conf(const struct mcs_test_vector *td,
 	uint8_t i;
 
 	sc_conf->dir = dir;
+	sc_conf->pn_threshold = ((uint64_t)td->xpn << 32) |
+		rte_be_to_cpu_32(*(const uint32_t *)(&td->secure_pkt.data[tci_off + 2]));
 	if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
 		sc_conf->sc_tx.sa_id = sa_id[0];
 		if (sa_id[1] != MCS_INVALID_SA) {
@@ -232,12 +234,16 @@ fill_macsec_sc_conf(const struct mcs_test_vector *td,
 			/* use some default SCI */
 			sc_conf->sc_tx.sci = 0xf1341e023a2b1c5d;
 		}
+		if (td->xpn > 0)
+			sc_conf->sc_tx.is_xpn = 1;
 	} else {
 		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
 			sc_conf->sc_rx.sa_id[i] = sa_id[i];
 			sc_conf->sc_rx.sa_in_use[i] = opts->sa_in_use;
 		}
 		sc_conf->sc_rx.active = 1;
+		if (td->xpn > 0)
+			sc_conf->sc_rx.is_xpn = 1;
 	}
 }
 
@@ -834,6 +840,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 	struct rte_security_session_conf sess_conf = {0};
 	struct rte_security_macsec_sa sa_conf = {0};
 	struct rte_security_macsec_sc sc_conf = {0};
+	struct mcs_err_vector err_vector = {0};
 	struct rte_security_ctx *ctx;
 	int nb_rx = 0, nb_sent;
 	int i, j = 0, ret, id, an = 0;
@@ -868,6 +875,34 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 		j++;
 
+		if (opts->rekey_en) {
+
+			err_vector.td = td[i];
+			err_vector.rekey_td = opts->rekey_td;
+			err_vector.event = RTE_ETH_EVENT_MACSEC_UNKNOWN;
+			err_vector.event_subtype = RTE_ETH_SUBEVENT_MACSEC_UNKNOWN;
+			rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_MACSEC,
+					test_macsec_event_callback, &err_vector);
+			if (op == MCS_DECAP || op == MCS_VERIFY_ONLY)
+				tx_pkts_burst[j] = init_packet(mbufpool,
+						opts->rekey_td->secure_pkt.data,
+						opts->rekey_td->secure_pkt.len);
+			else {
+				tx_pkts_burst[j] = init_packet(mbufpool,
+						opts->rekey_td->plain_pkt.data,
+						opts->rekey_td->plain_pkt.len);
+
+				tx_pkts_burst[j]->ol_flags |= RTE_MBUF_F_TX_MACSEC;
+			}
+			if (tx_pkts_burst[j] == NULL) {
+				while (j--)
+					rte_pktmbuf_free(tx_pkts_burst[j]);
+				ret = TEST_FAILED;
+				goto out;
+			}
+			j++;
+		}
+
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
 			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
@@ -922,6 +957,20 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 			}
 			tx_sa_id[i][0] = (uint16_t)id;
 			tx_sa_id[i][1] = MCS_INVALID_SA;
+			if (opts->rekey_en) {
+				memset(&sa_conf, 0, sizeof(struct rte_security_macsec_sa));
+				fill_macsec_sa_conf(opts->rekey_td, &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					opts->rekey_td->secure_pkt.data[tci_off] &
+						RTE_MACSEC_AN_MASK,
+					tci_off);
+				id = rte_security_macsec_sa_create(ctx, &sa_conf);
+				if (id < 0) {
+					printf("MACsec rekey SA create failed : %d.\n", id);
+					goto out;
+				}
+				tx_sa_id[i][1] = (uint16_t)id;
+			}
 			fill_macsec_sc_conf(td[i], &sc_conf, opts,
 					RTE_SECURITY_MACSEC_DIR_TX, tx_sa_id[i], tci_off);
 			id = rte_security_macsec_sc_create(ctx, &sc_conf);
@@ -984,9 +1033,44 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		goto out;
 	}
 
+	if (opts->rekey_en) {
+		switch (err_vector.event) {
+		case RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP:
+			printf("Received RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP event\n");
+			/* The first sa is active now, so the 0th sa can be
+			 * reconfigured. Using the same key as zeroeth sa, but
+			 * other key can also be configured.
+			 */
+			rte_security_macsec_sa_destroy(ctx, tx_sa_id[0][0],
+					RTE_SECURITY_MACSEC_DIR_TX);
+			fill_macsec_sa_conf(td[0], &sa_conf,
+					RTE_SECURITY_MACSEC_DIR_TX,
+					td[0]->secure_pkt.data[tci_off] &
+					RTE_MACSEC_AN_MASK, tci_off);
+			id = rte_security_macsec_sa_create(ctx, &sa_conf);
+			if (id < 0) {
+				printf("MACsec SA create failed : %d.\n", id);
+				return TEST_FAILED;
+			}
+			tx_sa_id[0][0] = (uint16_t)id;
+			break;
+		default:
+			printf("Received unsupported event\n");
+		}
+	}
+
 	for (i = 0; i < nb_rx; i++) {
-		ret = test_macsec_post_process(rx_pkts_burst[i], td[i], op,
-				opts->check_out_pkts_untagged);
+		if (opts->rekey_en && i == 1) {
+			/* The second received packet is matched with
+			 * rekey td
+			 */
+			ret = test_macsec_post_process(rx_pkts_burst[i],
+					opts->rekey_td, op,
+					opts->check_out_pkts_untagged);
+		} else {
+			ret = test_macsec_post_process(rx_pkts_burst[i], td[i],
+					op, opts->check_out_pkts_untagged);
+		}
 		if (ret != TEST_SUCCESS) {
 			for ( ; i < nb_rx; i++)
 				rte_pktmbuf_free(rx_pkts_burst[i]);
@@ -1019,6 +1103,10 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 
 	destroy_default_flow(port_id);
 
+	if (opts->rekey_en)
+		rte_eth_dev_callback_unregister(port_id, RTE_ETH_EVENT_MACSEC,
+					test_macsec_event_callback, &err_vector);
+
 	/* Destroy session so that other cases can create the session again */
 	for (i = 0; i < opts->nb_td; i++) {
 		if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
@@ -1029,6 +1117,10 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 						RTE_SECURITY_MACSEC_DIR_TX);
 			rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][0],
 						RTE_SECURITY_MACSEC_DIR_TX);
+			if (opts->rekey_en) {
+				rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][1],
+						RTE_SECURITY_MACSEC_DIR_TX);
+			}
 		}
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
@@ -1822,6 +1914,43 @@ test_inline_macsec_interrupts_all(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_rekey_tx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.encrypt = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.rekey_en = 1;
+
+	size = (sizeof(list_mcs_rekey_vectors) / sizeof((list_mcs_rekey_vectors)[0]));
+
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_rekey_vectors[i];
+		opts.rekey_td = &list_mcs_rekey_vectors[++i];
+		err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+		if (err) {
+			printf("Tx hw rekey test case %d failed\n", i);
+			err = -1;
+		} else {
+			printf("Tx hw rekey test case %d passed\n", i);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2051,6 +2180,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec interrupts all",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_interrupts_all),
+		TEST_CASE_NAMED_ST(
+			"MACsec re-key Tx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_rekey_tx),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index d861004e8e..80425b0b71 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -41,6 +41,7 @@ struct mcs_test_vector {
 
 struct mcs_err_vector {
 	const struct mcs_test_vector *td;
+	const struct mcs_test_vector *rekey_td;
 	enum rte_eth_event_macsec_type event;
 	enum rte_eth_event_macsec_subtype event_subtype;
 	bool notify_event;
@@ -3182,4 +3183,246 @@ static const struct mcs_test_vector list_mcs_intr_test_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_rekey_vectors[] = {
+/* Initial SA, AN = 0 and PN = 2 */
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+/* Rekeyed SA. sa_key is different from the initial sa.
+ * Also, AN = 1 and PN = 1.
+ */
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2D,
+			/* SL */
+			0x00,
+			/* PN */
+			0x00, 0x00, 0x00, 0x01,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x17, 0x66, 0xEF, 0xD9, 0x06, 0xDC, 0x15, 0xAF,
+			0xE9, 0x06, 0xB1, 0xE6, 0x26, 0x22, 0xC8, 0x78,
+			0x27, 0xE1, 0xED, 0x76, 0xF5, 0xC8, 0x16, 0xA1,
+			0x6B, 0x0D, 0xA0, 0x8E, 0x24, 0x2A, 0x9D, 0x34,
+			0xD0, 0xE0, 0x5F, 0xBA, 0x08, 0xF0, 0xE3, 0x7D,
+			0x17, 0xC0, 0x2C, 0xCD, 0x8A, 0x44, 0xC9, 0xB9,
+			0x28, 0xC0, 0xE8, 0x22,
+			/* ICV */
+			0x1B, 0x16, 0x68, 0x5F, 0x14, 0x8A, 0x51, 0x29,
+			0xB5, 0x3D, 0x61, 0x0E, 0x49, 0x20, 0x60, 0x09,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0xB0DF459C, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x76, 0xD4, 0x57, 0xED,
+			/* Secure Data */
+			0x9C, 0xA4, 0x69, 0x84, 0x43, 0x02, 0x03, 0xED,
+			0x41, 0x6E, 0xBD, 0xC2, 0xFE, 0x26, 0x22, 0xBA,
+			0x3E, 0x5E, 0xAB, 0x69, 0x61, 0xC3, 0x63, 0x83,
+			0x00, 0x9E, 0x18, 0x7E, 0x9B, 0x0C, 0x88, 0x56,
+			0x46, 0x53, 0xB9, 0xAB, 0xD2, 0x16, 0x44, 0x1C,
+			0x6A, 0xB6,
+			/* ICV */
+			0xF0, 0xA2, 0x32, 0xE9, 0xE4, 0x4C, 0x97, 0x8C,
+			0xF7, 0xCD, 0x84, 0xD4, 0x34, 0x84, 0xD1, 0x01,
+		},
+		.len = 78,
+	},
+},
+/* Rekeyed SA. sa_key is different from the initial sa.
+ * Also, AN = 1, XPN = 0 and PN = 1.
+ */
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+			0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4D,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x0, 0x0, 0x0, 0x1,
+			/* Secure Data */
+			0x91, 0x00, 0xC0, 0xE4, 0xB9, 0x4E, 0x2C, 0x1C,
+			0x86, 0xDF, 0xE1, 0x8F, 0xDD, 0xB6, 0xE6, 0x79,
+			0x65, 0x87, 0x80, 0xE7, 0x9C, 0x5D, 0x8A, 0xB7,
+			0x68, 0xFD, 0xE1, 0x6E, 0x3F, 0xF1, 0xDE, 0x20,
+			0x4A, 0xF6, 0xBA, 0xE6, 0x14, 0xDB, 0x6A, 0x05,
+			0xE9, 0xB6,
+			/* ICV */
+			0x2D, 0xDF, 0x59, 0x27, 0x25, 0x41, 0x68, 0x1D,
+			0x74, 0x1A, 0xAA, 0xC4, 0x18, 0x49, 0xB4, 0x22,
+		},
+		.len = 78,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH v3 11/13] test/security: verify MACsec Rx rekey

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables the Rx rekey test case for MACSEC.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
 app/test/test_security_inline_macsec.c | 50 +++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index 2172f61199..d832dfc170 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -906,8 +906,14 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
 				op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
 			for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
+				if (opts->rekey_en && an ==
+						(opts->rekey_td->secure_pkt.data[tci_off] &
+						RTE_MACSEC_AN_MASK))
+					fill_macsec_sa_conf(opts->rekey_td, &sa_conf,
+						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
+				else
 				/* For simplicity, using same SA conf for all AN */
-				fill_macsec_sa_conf(td[i], &sa_conf,
+					fill_macsec_sa_conf(td[i], &sa_conf,
 						RTE_SECURITY_MACSEC_DIR_RX, an, tci_off);
 				id = rte_security_macsec_sa_create(ctx, &sa_conf);
 				if (id < 0) {
@@ -1054,6 +1060,9 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 			}
 			tx_sa_id[0][0] = (uint16_t)id;
 			break;
+		case RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP:
+			printf("Received RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP event\n");
+			break;
 		default:
 			printf("Received unsupported event\n");
 		}
@@ -1951,6 +1960,41 @@ test_inline_macsec_rekey_tx(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_rekey_rx(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	int err, all_err = 0;
+	int i, size;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.protect_frames = true;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.mtu = RTE_ETHER_MTU;
+	opts.rekey_en = 1;
+
+	size = (sizeof(list_mcs_rekey_vectors) / sizeof((list_mcs_rekey_vectors)[0]));
+	for (i = 0; i < size; i++) {
+		cur_td = &list_mcs_rekey_vectors[i];
+		opts.rekey_td = &list_mcs_rekey_vectors[++i];
+		err = test_macsec(&cur_td, MCS_DECAP, &opts);
+		if (err) {
+			printf("Rx rekey test case %d failed\n", i);
+			err = -1;
+		} else {
+			printf("Rx rekey test case %d passed\n", i);
+			err = 0;
+		}
+		all_err += err;
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2184,6 +2228,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec re-key Tx",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_rekey_tx),
+		TEST_CASE_NAMED_ST(
+			"MACsec re-key Rx",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_rekey_rx),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
-- 
2.25.1

[PATCH v3 12/13] test/security: verify MACsec anti replay

[Akhil Goyal]

From: Ankur Dwivedi <adwivedi@marvell.com>

This patch enables anti replay test case for MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security_inline_macsec.c        |  82 +++
 .../test_security_inline_macsec_vectors.h     | 467 ++++++++++++++++++
 2 files changed, 549 insertions(+)

diff --git a/app/test/test_security_inline_macsec.c b/app/test/test_security_inline_macsec.c
index d832dfc170..f7fb1b6fd6 100644
--- a/app/test/test_security_inline_macsec.c
+++ b/app/test/test_security_inline_macsec.c
@@ -61,6 +61,7 @@ struct mcs_test_opts {
 	uint8_t replay_protect;
 	uint8_t rekey_en;
 	const struct mcs_test_vector *rekey_td;
+	const struct mcs_test_vector *ar_td[3];
 	bool dump_all_stats;
 	uint8_t check_untagged_rx;
 	uint8_t check_bad_tag_cnt;
@@ -716,6 +717,15 @@ mcs_stats_check(struct rte_security_ctx *ctx, enum mcs_op op,
 		if (opts->check_pkts_unchecked_stats && sc_stat.pkt_unchecked_cnt != 1)
 			return TEST_FAILED;
 
+		if (opts->replay_protect) {
+			if (opts->replay_win_sz == 0 &&
+					sc_stat.pkt_late_cnt != 2)
+				return TEST_FAILED;
+			else if (opts->replay_win_sz == 32 &&
+					sc_stat.pkt_late_cnt != 1)
+				return TEST_FAILED;
+		}
+
 		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
 			memset(&sa_stat, 0, sizeof(struct rte_security_macsec_sa_stats));
 			rte_security_macsec_sa_stats_get(ctx, rx_sa_id[i],
@@ -845,6 +855,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 	int nb_rx = 0, nb_sent;
 	int i, j = 0, ret, id, an = 0;
 	uint8_t tci_off;
+	int k;
 
 	memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * opts->nb_td);
 
@@ -875,6 +886,20 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 		j++;
 
+		if (opts->replay_protect) {
+			for (k = 0; k < 3; k++, j++) {
+				tx_pkts_burst[j] = init_packet(mbufpool,
+					opts->ar_td[k]->secure_pkt.data,
+					opts->ar_td[k]->secure_pkt.len);
+				if (tx_pkts_burst[j] == NULL) {
+					while (j--)
+						rte_pktmbuf_free(tx_pkts_burst[j]);
+					ret = TEST_FAILED;
+					goto out;
+				}
+			}
+		}
+
 		if (opts->rekey_en) {
 
 			err_vector.td = td[i];
@@ -1068,6 +1093,15 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
 		}
 	}
 
+	if (opts->replay_protect) {
+		for (i = 0; i < nb_rx; i++) {
+			rte_pktmbuf_free(rx_pkts_burst[i]);
+			rx_pkts_burst[i] = NULL;
+		}
+		ret = TEST_SUCCESS;
+		goto out;
+	}
+
 	for (i = 0; i < nb_rx; i++) {
 		if (opts->rekey_en && i == 1) {
 			/* The second received packet is matched with
@@ -1995,6 +2029,50 @@ test_inline_macsec_rekey_rx(const void *data __rte_unused)
 	return all_err;
 }
 
+static int
+test_inline_macsec_anti_replay(const void *data __rte_unused)
+{
+	const struct mcs_test_vector *cur_td;
+	struct mcs_test_opts opts = {0};
+	uint16_t replay_win_sz[2] = {32, 0};
+	int err, all_err = 0;
+	int i, size;
+	int j;
+
+	opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+	opts.sa_in_use = 1;
+	opts.nb_td = 1;
+	opts.sectag_insert_mode = 1;
+	opts.replay_protect = 1;
+
+	size = (sizeof(list_mcs_anti_replay_vectors) / sizeof((list_mcs_anti_replay_vectors)[0]));
+
+	for (j = 0; j < 2; j++) {
+		opts.replay_win_sz = replay_win_sz[j];
+
+		for (i = 0; i < size; i++) {
+			cur_td = &list_mcs_anti_replay_vectors[i];
+			opts.ar_td[0] = &list_mcs_anti_replay_vectors[++i];
+			opts.ar_td[1] = &list_mcs_anti_replay_vectors[++i];
+			opts.ar_td[2] = &list_mcs_anti_replay_vectors[++i];
+			err = test_macsec(&cur_td, MCS_DECAP, &opts);
+			if (err) {
+				printf("Replay window: %u, Anti replay test case %d failed\n",
+				       opts.replay_win_sz, i);
+				err = -1;
+			} else {
+				printf("Replay window: %u, Anti replay test case %d passed\n",
+				       opts.replay_win_sz, i);
+				err = 0;
+			}
+			all_err += err;
+		}
+	}
+
+	printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+	return all_err;
+}
+
 static int
 ut_setup_inline_macsec(void)
 {
@@ -2232,6 +2310,10 @@ static struct unit_test_suite inline_macsec_testsuite  = {
 			"MACsec re-key Rx",
 			ut_setup_inline_macsec, ut_teardown_inline_macsec,
 			test_inline_macsec_rekey_rx),
+		TEST_CASE_NAMED_ST(
+			"MACsec anti-replay",
+			ut_setup_inline_macsec, ut_teardown_inline_macsec,
+			test_inline_macsec_anti_replay),
 
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	},
diff --git a/app/test/test_security_inline_macsec_vectors.h b/app/test/test_security_inline_macsec_vectors.h
index 80425b0b71..ddaa8043e7 100644
--- a/app/test/test_security_inline_macsec_vectors.h
+++ b/app/test/test_security_inline_macsec_vectors.h
@@ -3425,4 +3425,471 @@ static const struct mcs_test_vector list_mcs_rekey_vectors[] = {
 },
 };
 
+static const struct mcs_test_vector list_mcs_anti_replay_vectors[] = {
+{
+	.test_idx = 0,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x2,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+			0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+			0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+			0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+			0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+			0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+			0x99, 0xDB, 0xF1, 0xC8,
+			/* ICV */
+			0x4B, 0xC4, 0xF8, 0xC6,	0x09, 0x78, 0xB9, 0xBB,
+			0x5D, 0xC0, 0x04, 0xF3,	0x20, 0x7D, 0x14, 0x87,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 1,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x4B,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x51, 0xC9, 0xBB, 0xF3, 0x24, 0x38, 0xF9, 0x06,
+			0x76, 0x9E, 0x61, 0xCE, 0xB8, 0x65, 0xA7, 0xE4,
+			0x1F, 0x16, 0x5D, 0x59, 0xB8, 0x44, 0x0F, 0x94,
+			0x50, 0xF0, 0x4C, 0x35, 0x7D, 0x91, 0x53, 0xC6,
+			0x28, 0x4D, 0xA8, 0xAB, 0x13, 0x3B, 0xC0, 0x2D,
+			0x11, 0x8E, 0xCC, 0x75, 0xC9, 0xD8, 0x8F, 0x60,
+			0x67, 0xE1, 0x03, 0x2C,
+			/* ICV */
+			0xA5, 0xF1, 0x2C, 0x85, 0x10, 0xEE, 0x67, 0x7E,
+			0xDB, 0x4E, 0xF6, 0x0A, 0xA1, 0x0F, 0x15, 0x69,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 2,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x32,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x6F, 0xB6, 0xF8, 0x54, 0x67, 0x23, 0x3C, 0xE8,
+			0x67, 0x54, 0x8B, 0xAD, 0x31, 0xC3, 0x2B, 0xAA,
+			0x70, 0x1A, 0xC8, 0x0D, 0x3C, 0x31, 0x54, 0x0F,
+			0xDD, 0x8F, 0x23, 0x0F, 0x86, 0xF3, 0x80, 0x31,
+			0x8B, 0x30, 0xD9, 0x15, 0xF9, 0x3B, 0xD6, 0x00,
+			0x95, 0xBD, 0xF3, 0x7F, 0xD2, 0x41, 0x28, 0xFC,
+			0x52, 0x27, 0xB5, 0x88,
+			/* ICV */
+			0x64, 0x3C, 0x67, 0xD7, 0xB8, 0xC1, 0xAF, 0x15,
+			0x82, 0x5F, 0x06, 0x4F, 0x5A, 0xED, 0x47, 0xC1,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 3,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+	.ssci = 0x0,
+	.salt = {0},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+			0x43, 0x44, 0x45, 0x46,
+		},
+		.len = 64,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x2C,
+			/* SL */
+			0x0,
+			/* PN */
+			0x0, 0x0, 0x0, 0x3,
+			/* SCI */
+			0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+			/* Secure Data */
+			0x16, 0x6E, 0x74, 0xE5, 0xF7, 0x49, 0xCC, 0x42,
+			0x06, 0x30, 0x99, 0x60, 0x10, 0xAA, 0xB3, 0xEC,
+			0x3C, 0xEF, 0x6C, 0x7D, 0x72, 0x93, 0x61, 0x28,
+			0x39, 0x8E, 0x6B, 0x5C, 0x6C, 0x9E, 0xCA, 0x86,
+			0x70, 0x5A, 0x95, 0x98, 0x0F, 0xB2, 0xC8, 0x05,
+			0xD6, 0xC9, 0xBA, 0x9A, 0xCF, 0x7B, 0x5F, 0xD0,
+			0xAE, 0x50, 0x66, 0x7D,
+			/* ICV */
+			0xC8, 0xF1, 0x4A, 0x10, 0x8A, 0xFF, 0x64, 0x6C,
+			0xC7, 0x18, 0xC2, 0x7A, 0x16, 0x1A, 0x0D, 0xCA,
+		},
+		.len = 96,
+	},
+},
+{
+	.test_idx = 4,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x0, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0xFF, 0xFF, 0xFF, 0xFE,
+			/* Secure Data */
+			0xA4, 0x80, 0xA4, 0x24, 0xD3, 0xCB, 0x3B, 0x05,
+			0xD5, 0x5B, 0x48, 0xE0, 0x23, 0xEA, 0x8C, 0x11,
+			0xE2, 0xB6, 0xE9, 0x69, 0x39, 0x40, 0xA6, 0xEA,
+			0xC9, 0xCD, 0xF9, 0xD8, 0x85, 0x8C, 0xD6, 0xFA,
+			0xB6, 0x9A, 0xE2, 0x37, 0xAA, 0x0C, 0x02, 0x2C,
+			0xB8, 0xC1,
+			/* ICV */
+			0xE3, 0x36, 0x34, 0x7A, 0x7C, 0x00, 0x71, 0x1F,
+			0xAC, 0x04, 0x48, 0x82, 0x64, 0xD2, 0xDF, 0x58,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 5,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x62,
+			/* Secure Data */
+			0x62, 0x62, 0x9E, 0x43, 0x59, 0x0C, 0xC6, 0x33,
+			0x26, 0x3C, 0xBF, 0x93, 0x5D, 0xE2, 0x8A, 0x7F,
+			0x96, 0xB4, 0xF7, 0x08, 0xEA, 0x9A, 0xA8, 0x88,
+			0xB4, 0xE8, 0xBE, 0x8D, 0x28, 0x84, 0xE0, 0x16,
+			0x08, 0x92, 0xB0, 0xAB, 0x76, 0x60, 0xEA, 0x05,
+			0x74, 0x79,
+			/* ICV */
+			0x8E, 0x5D, 0x81, 0xA6, 0x3F, 0xDF, 0x39, 0xB8,
+			0x19, 0x33, 0x73, 0x09, 0xCE, 0xC1, 0xAF, 0x85,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 6,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x58,
+			/* Secure Data */
+			0xC7, 0xDC, 0xF4, 0xC9, 0x8C, 0x59, 0x6E, 0x96,
+			0x3D, 0x4B, 0x89, 0xB3, 0xF3, 0x8D, 0x5D, 0x99,
+			0x4E, 0xDF, 0x48, 0x74, 0x02, 0x25, 0x93, 0xB4,
+			0x12, 0xFB, 0x0F, 0x28, 0xA5, 0x02, 0x78, 0xAC,
+			0x0B, 0x14, 0xF1, 0xAC, 0x1C, 0x0C, 0x80, 0x37,
+			0x6B, 0x44,
+			/* ICV */
+			0x47, 0x5A, 0xEE, 0x37, 0xFC, 0x6E, 0xDE, 0xB9,
+			0x14, 0x0E, 0xBD, 0x22, 0x05, 0x12, 0x00, 0x52,
+		},
+		.len = 78,
+	},
+},
+{
+	.test_idx = 7,
+	.alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+	.ssci = 0x7A30C118,
+	.xpn = 0x1, /* Most significant 32 bits */
+	.salt = {
+		0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+		0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+	},
+	.sa_key = {
+		.data = {
+			0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+			0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+		},
+		.len = 16,
+	},
+	.plain_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* User Data */
+			0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+			0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+			0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+			0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+			0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+			0x00, 0x04,
+		},
+		.len = 54,
+	},
+	.secure_pkt = {
+		.data = {/* MAC DA */
+			0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+			/* MAC SA */
+			0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+			/* MACsec EtherType */
+			0x88, 0xE5,
+			/* TCI and AN */
+			0x4C,
+			/* SL */
+			0x2A,
+			/* PN */
+			0x00, 0x00, 0x00, 0x02,
+			/* Secure Data */
+			0xDD, 0x86, 0x37, 0x48, 0x11, 0xF3, 0xA8, 0x96,
+			0x25, 0x3A, 0xD9, 0xBE, 0x7C, 0x62, 0x72, 0xD6,
+			0x43, 0x70, 0xB6, 0x92, 0x04, 0x25, 0x46, 0xC1,
+			0x17, 0xBC, 0x14, 0xE1, 0x09, 0x4C, 0x04, 0x94,
+			0x51, 0x1F, 0x6E, 0x89, 0x32, 0x13, 0x4B, 0xAC,
+			0x2A, 0x60,
+			/* ICV */
+			0x96, 0xC0, 0xB4, 0xA4, 0xC7, 0xEC, 0xF5, 0xEF,
+			0x5E, 0x51, 0x22, 0x14, 0xF8, 0x70, 0xA0, 0x22,
+		},
+		.len = 78,
+	},
+},
+};
+
 #endif
-- 
2.25.1

[PATCH v3 13/13] test/security: remove no MACsec support case

[Akhil Goyal]

Removed the test_capability_get_no_support_for_macsec case
as MACsec is now supported and capability can have valid
MACsec support.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_security.c | 37 -------------------------------------
 1 file changed, 37 deletions(-)

diff --git a/app/test/test_security.c b/app/test/test_security.c
index e4ddcefe40..4783cd0663 100644
--- a/app/test/test_security.c
+++ b/app/test/test_security.c
@@ -1828,41 +1828,6 @@ test_capability_get_no_matching_protocol(void)
 	return TEST_SUCCESS;
 }
 
-/**
- * Test execution of rte_security_capability_get when macsec protocol
- * is searched and capabilities table contain proper entry.
- * However macsec records search is not supported in rte_security.
- */
-static int
-test_capability_get_no_support_for_macsec(void)
-{
-	struct security_unittest_params *ut_params = &unittest_params;
-	struct rte_security_capability_idx idx = {
-		.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
-		.protocol = RTE_SECURITY_PROTOCOL_MACSEC,
-	};
-	struct rte_security_capability capabilities[] = {
-		{
-			.action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
-			.protocol = RTE_SECURITY_PROTOCOL_MACSEC,
-		},
-		{
-			.action = RTE_SECURITY_ACTION_TYPE_NONE,
-		},
-	};
-
-	mock_capabilities_get_exp.device = NULL;
-	mock_capabilities_get_exp.ret = capabilities;
-
-	const struct rte_security_capability *ret;
-	ret = rte_security_capability_get(&ut_params->ctx, &idx);
-	TEST_ASSERT_MOCK_FUNCTION_CALL_RET(rte_security_capability_get,
-			ret, NULL, "%p");
-	TEST_ASSERT_MOCK_CALLS(mock_capabilities_get_exp, 1);
-
-	return TEST_SUCCESS;
-}
-
 /**
  * Test execution of rte_security_capability_get when capabilities table
  * does not contain entry with matching ipsec proto field
@@ -2319,8 +2284,6 @@ static struct unit_test_suite security_testsuite  = {
 				test_capability_get_no_matching_action),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
 				test_capability_get_no_matching_protocol),
-		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
-				test_capability_get_no_support_for_macsec),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
 				test_capability_get_ipsec_mismatch_proto),
 		TEST_CASE_ST(ut_setup_with_session, ut_teardown,
-- 
2.25.1

RE: [EXT] Re: [PATCH v2 01/13] security: add direction in SA/SC configuration

[Akhil Goyal]

> On Wed, Jun 7, 2023 at 5:20 PM Akhil Goyal <gakhil@marvell.com> wrote:
> >
> > MACsec SC/SA ids are created based on direction of the flow.
> > Hence, added the missing field for configuration and cleanup
> > of the SCs and SAs.
> >
> > Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> > ---
> >  devtools/libabigail.abignore       |  7 +++++++
> >  lib/security/rte_security.c        | 16 ++++++++++------
> >  lib/security/rte_security.h        | 14 ++++++++++----
> >  lib/security/rte_security_driver.h | 12 ++++++++++--
> >  4 files changed, 37 insertions(+), 12 deletions(-)
> >
> 
> Looking at the report with no supression rule:
> $ abidiff --suppr .../next-cryptodev/devtools/libabigail.abignore
> --no-added-syms --headers-dir1
> .../abi/v23.03/build-gcc-shared/usr/local/include --headers-dir2
> .../next-cryptodev/build-gcc-shared/install/usr/local/include
> .../abi/v23.03/build-gcc-shared/usr/local/lib64/librte_security.so.23.1
> .../next-cryptodev/build-gcc-
> shared/install/usr/local/lib64/librte_security.so.23.2
> Functions changes summary: 0 Removed, 1 Changed (13 filtered out), 0
> Added functions
> Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
> 
> 1 function with some indirect sub-type change:
> 
>   [C] 'function const rte_security_capability*
> rte_security_capabilities_get(rte_security_ctx*)' at
> rte_security.c:241:1 has some indirect sub-type changes:
>     parameter 1 of type 'rte_security_ctx*' has sub-type changes:
>       in pointed to type 'struct rte_security_ctx' at rte_security.h:69:1:
>         type size hasn't changed
>         1 data member change:
>           type of 'const rte_security_ops* ops' changed:
>             in pointed to type 'const rte_security_ops':
>               in unqualified underlying type 'struct rte_security_ops'
> at rte_security_driver.h:230:1:
>                 type size hasn't changed
>                 4 data member changes (4 filtered):
>                   type of 'security_macsec_sc_create_t
> macsec_sc_create' changed:
>                     underlying type 'int (void*,
> rte_security_macsec_sc*)*' changed:
>                       in pointed to type 'function type int (void*,
> rte_security_macsec_sc*)':
>                         parameter 2 of type 'rte_security_macsec_sc*'
> has sub-type changes:
>                           in pointed to type 'struct
> rte_security_macsec_sc' at rte_security.h:399:1:
>                             type size changed from 256 to 320 (in bits)
>                             1 data member insertion:
>                               'union {struct {uint16_t sa_id[4];
> uint8_t sa_in_use[4]; uint8_t active; uint8_t is_xpn; uint8_t
> reserved;} sc_rx; struct {uint16_t sa_id; uint16_t sa_id_rekey;
> uint64_t sci; uint8_t active; uint8_t re_key_en; uint8_t is_xpn;
> uint8_t reserved;} sc_tx;}', at offset 128 (in bits)
>                             1 data member change:
>                               anonymous data member union {struct
> {uint16_t sa_id[4]; uint8_t sa_in_use[4]; uint8_t active; uint8_t
> reserved;} sc_rx; struct {uint16_t sa_id; uint16_t sa_id_rekey;
> uint64_t sci; uint8_t active; uint8_t re_key_en; uint8_t reserved;}
> sc_tx;} at offset 64 (in bits) became data member 'uint64_t
> pn_threshold'
>                               and size changed from 192 to 64 (in
> bits) (by -128 bits)
>                   type of 'security_macsec_sc_destroy_t
> macsec_sc_destroy' changed:
>                     underlying type 'int (void*, typedef uint16_t)*' changed:
>                       in pointed to type 'function type int (void*,
> typedef uint16_t)':
>                         parameter 3 of type 'enum
> rte_security_macsec_direction' was added
>                   type of 'security_macsec_sc_stats_get_t
> macsec_sc_stats_get' changed:
>                     underlying type 'int (void*, typedef uint16_t,
> rte_security_macsec_sc_stats*)*' changed:
>                       in pointed to type 'function type int (void*,
> typedef uint16_t, rte_security_macsec_sc_stats*)':
>                         parameter 3 of type
> 'rte_security_macsec_sc_stats*' changed:
>                           entity changed from
> 'rte_security_macsec_sc_stats*' to 'enum
> rte_security_macsec_direction' at rte_security.h:361:1
>                           type size changed from 64 to 32 (in bits)
>                           type alignment changed from 0 to 32
>                         parameter 4 of type
> 'rte_security_macsec_sc_stats*' was added
>                   type of 'security_macsec_sa_stats_get_t
> macsec_sa_stats_get' changed:
>                     underlying type 'int (void*, typedef uint16_t,
> rte_security_macsec_sa_stats*)*' changed:
>                       in pointed to type 'function type int (void*,
> typedef uint16_t, rte_security_macsec_sa_stats*)':
>                         parameter 3 of type
> 'rte_security_macsec_sa_stats*' changed:
>                           entity changed from
> 'rte_security_macsec_sa_stats*' to 'enum
> rte_security_macsec_direction' at rte_security.h:361:1
>                           type size changed from 64 to 32 (in bits)
>                           type alignment changed from 0 to 32
>                         parameter 4 of type
> 'rte_security_macsec_sa_stats*' was added
> 
> The report complains about the macsec ops type changes.
> 
> > diff --git a/devtools/libabigail.abignore b/devtools/libabigail.abignore
> > index c0361bfc7b..14d8fa4293 100644
> > --- a/devtools/libabigail.abignore
> > +++ b/devtools/libabigail.abignore
> > @@ -37,6 +37,13 @@
> >  [suppress_type]
> >          type_kind = enum
> >          changed_enumerators = RTE_CRYPTO_ASYM_XFORM_ECPM,
> RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
> > +; Ignore changes to rte_security_ops MACsec APIs which are experimental
> > +[suppress_type]
> > +        name = rte_security_ops
> > +        has_data_member_inserted_between =
> > +        {
> > +                offset_of(security_macsec_sc_create_t),
> offset_of(security_macsec_sa_stats_get_t)
> > +        }
> 
> So I don't get the intent with this rule.
> There is no field named neither security_macsec_sc_create_t nor
> security_macsec_sa_stats_get_t in the rte_security_ops struct.
> 
> Now.. why is this rule making the check pass... it is a mystery to me.
> I already hit a case when libabigail ignored statements that are
> invalid or make no sense, so my guess is that this rule is actually
> applied as a simple:
> [suppress_type]
>         name = rte_security_ops
> 
> And well, this rule is ok from my pov: this rte_security_ops struct
> does not change in size.
> An application is not supposed to know about its content (that is
> defined in a driver header) and all accesses to those ops are supposed
> to be through symbols from the security library.
> So I would go with this "larger" and simpler rule.

The intent was to make it specific to MACsec APIs only.
I am ok with both as these are internal thing and would change it in next release.
Updated the v3 as per your suggestion.

> 
> 
> Just a small addition to this, as discussed offlist, this is going to
> be reworked in v23.11 and this rule on rte_security_ops will be
> unneccesary, so please move it in the relevant block (at the end) of
> the libabigail.abignore file.
Ack

RE: [PATCH v3 00/13] Add MACsec unit test cases

[Akhil Goyal]

> Subject: [PATCH v3 00/13] Add MACsec unit test cases
> 
> Inline MACsec offload was supported in DPDK 22.11
> using rte_security APIs.
> This patchset adds few minor changes in the rte_security APIs
> to specify the direction of SA/SC and update the SC configuration
> to set packet number threshold.
> 
> The patchset also add functional test cases in dpdk-test app
> to verify MACsec functionality.
> 
> This patchset is pending from last release [1] due to lack of
> hardware to test. Now the test cases are verified on Marvell cnxk PMD
> and the pmd support is added as a separate patchset.
> 
> [1] https://patches.dpdk.org/project/dpdk/cover/20220928124516.93050-1-
> gakhil@marvell.com/
> 
Patchset applied to dpdk-next-crypto

Re: [PATCH v2 01/15] common/cnxk: add ROC MACsec initialization

[Jerin Jacob]

On Wed, Jun 7, 2023 at 8:58 PM Akhil Goyal <gakhil@marvell.com> wrote:
>
> Added ROC init and fini APIs for supporting MACsec.
>
> Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>

Please update the release note in the last patch.

> ---
>  drivers/common/cnxk/meson.build     |   1 +
>  drivers/common/cnxk/roc_api.h       |   3 +
>  drivers/common/cnxk/roc_features.h  |  12 ++
>  drivers/common/cnxk/roc_idev.c      |  46 ++++++
>  drivers/common/cnxk/roc_idev.h      |   3 +
>  drivers/common/cnxk/roc_idev_priv.h |   1 +
>  drivers/common/cnxk/roc_mbox.h      |  65 +++++++-
>  drivers/common/cnxk/roc_mcs.c       | 220 ++++++++++++++++++++++++++++
>  drivers/common/cnxk/roc_mcs.h       |  41 ++++++
>  drivers/common/cnxk/roc_mcs_priv.h  |  65 ++++++++
>  drivers/common/cnxk/roc_priv.h      |   3 +
>  drivers/common/cnxk/roc_utils.c     |   5 +
>  drivers/common/cnxk/version.map     |   7 +
>  13 files changed, 471 insertions(+), 1 deletion(-)
>  create mode 100644 drivers/common/cnxk/roc_mcs.c
>  create mode 100644 drivers/common/cnxk/roc_mcs.h
>  create mode 100644 drivers/common/cnxk/roc_mcs_priv.h
>
> diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
> index 631b594f32..e33c002676 100644
> --- a/drivers/common/cnxk/meson.build
> +++ b/drivers/common/cnxk/meson.build
> @@ -26,6 +26,7 @@ sources = files(
>          'roc_irq.c',
>          'roc_ie_ot.c',
>          'roc_mbox.c',
> +        'roc_mcs.c',
>          'roc_ml.c',
>          'roc_model.c',
>          'roc_nix.c',
> diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
> index bbc94ab48e..f630853088 100644
> --- a/drivers/common/cnxk/roc_api.h
> +++ b/drivers/common/cnxk/roc_api.h
> @@ -114,4 +114,7 @@
>  /* ML */
>  #include "roc_ml.h"
>
> +/* MACsec */
> +#include "roc_mcs.h"
> +
>  #endif /* _ROC_API_H_ */
> diff --git a/drivers/common/cnxk/roc_features.h b/drivers/common/cnxk/roc_features.h
> index 36ef315f5a..815f800e7a 100644
> --- a/drivers/common/cnxk/roc_features.h
> +++ b/drivers/common/cnxk/roc_features.h
> @@ -59,4 +59,16 @@ roc_feature_nix_has_age_drop_stats(void)
>  {
>         return (roc_model_is_cn10kb() || roc_model_is_cn10ka_b0());
>  }
> +
> +static inline bool
> +roc_feature_nix_has_macsec(void)
> +{
> +       return roc_model_is_cn10kb();
> +}
> +
> +static inline bool
> +roc_feature_bphy_has_macsec(void)
> +{
> +       return roc_model_is_cnf10kb();
> +}
>  #endif
> diff --git a/drivers/common/cnxk/roc_idev.c b/drivers/common/cnxk/roc_idev.c
> index f420f0158d..e6c6b34d78 100644
> --- a/drivers/common/cnxk/roc_idev.c
> +++ b/drivers/common/cnxk/roc_idev.c
> @@ -38,6 +38,7 @@ idev_set_defaults(struct idev_cfg *idev)
>         idev->num_lmtlines = 0;
>         idev->bphy = NULL;
>         idev->cpt = NULL;
> +       TAILQ_INIT(&idev->mcs_list);
>         idev->nix_inl_dev = NULL;
>         TAILQ_INIT(&idev->roc_nix_list);
>         plt_spinlock_init(&idev->nix_inl_dev_lock);
> @@ -187,6 +188,51 @@ roc_idev_cpt_get(void)
>         return NULL;
>  }
>
> +struct roc_mcs *
> +roc_idev_mcs_get(uint8_t mcs_idx)
> +{
> +       struct idev_cfg *idev = idev_get_cfg();
> +       struct roc_mcs *mcs = NULL;
> +
> +       if (idev != NULL) {
> +               TAILQ_FOREACH(mcs, &idev->mcs_list, next) {
> +                       if (mcs->idx == mcs_idx)
> +                               return mcs;
> +               }
> +       }
> +
> +       return NULL;
> +}
> +
> +void
> +roc_idev_mcs_set(struct roc_mcs *mcs)
> +{
> +       struct idev_cfg *idev = idev_get_cfg();
> +       struct roc_mcs *mcs_iter = NULL;
> +
> +       if (idev != NULL) {
> +               TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
> +                       if (mcs_iter->idx == mcs->idx)
> +                               return;
> +               }
> +               TAILQ_INSERT_TAIL(&idev->mcs_list, mcs, next);
> +       }
> +}
> +
> +void
> +roc_idev_mcs_free(struct roc_mcs *mcs)
> +{
> +       struct idev_cfg *idev = idev_get_cfg();
> +       struct roc_mcs *mcs_iter = NULL;
> +
> +       if (idev != NULL) {
> +               TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
> +                       if (mcs_iter->idx == mcs->idx)
> +                               TAILQ_REMOVE(&idev->mcs_list, mcs, next);
> +               }
> +       }
> +}
> +
>  uint64_t *
>  roc_nix_inl_outb_ring_base_get(struct roc_nix *roc_nix)
>  {
> diff --git a/drivers/common/cnxk/roc_idev.h b/drivers/common/cnxk/roc_idev.h
> index 640ca97708..aea7f5279d 100644
> --- a/drivers/common/cnxk/roc_idev.h
> +++ b/drivers/common/cnxk/roc_idev.h
> @@ -19,4 +19,7 @@ struct roc_nix *__roc_api roc_idev_npa_nix_get(void);
>  uint64_t __roc_api roc_idev_nix_inl_meta_aura_get(void);
>  struct roc_nix_list *__roc_api roc_idev_nix_list_get(void);
>
> +struct roc_mcs *__roc_api roc_idev_mcs_get(uint8_t mcs_idx);
> +void __roc_api roc_idev_mcs_set(struct roc_mcs *mcs);
> +void __roc_api roc_idev_mcs_free(struct roc_mcs *mcs);
>  #endif /* _ROC_IDEV_H_ */
> diff --git a/drivers/common/cnxk/roc_idev_priv.h b/drivers/common/cnxk/roc_idev_priv.h
> index 4983578fc6..80f8465e1c 100644
> --- a/drivers/common/cnxk/roc_idev_priv.h
> +++ b/drivers/common/cnxk/roc_idev_priv.h
> @@ -31,6 +31,7 @@ struct idev_cfg {
>         struct roc_bphy *bphy;
>         struct roc_cpt *cpt;
>         struct roc_sso *sso;
> +       struct roc_mcs_head mcs_list;
>         struct nix_inl_dev *nix_inl_dev;
>         struct idev_nix_inl_cfg inl_cfg;
>         struct roc_nix_list roc_nix_list;
> diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
> index 93c5451c0f..ef7a7d6513 100644
> --- a/drivers/common/cnxk/roc_mbox.h
> +++ b/drivers/common/cnxk/roc_mbox.h
> @@ -295,7 +295,12 @@ struct mbox_msghdr {
>           nix_bpids)                                                           \
>         M(NIX_FREE_BPIDS, 0x8029, nix_free_bpids, nix_bpids, msg_rsp)          \
>         M(NIX_RX_CHAN_CFG, 0x802a, nix_rx_chan_cfg, nix_rx_chan_cfg,           \
> -         nix_rx_chan_cfg)
> +         nix_rx_chan_cfg)                                                     \
> +       /* MCS mbox IDs (range 0xa000 - 0xbFFF) */                                                 \
> +       M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
> +         mcs_alloc_rsrc_rsp)                                                                      \
> +       M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
> +       M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
>
>  /* Messages initiated by AF (range 0xC00 - 0xDFF) */
>  #define MBOX_UP_CGX_MESSAGES                                                   \
> @@ -673,6 +678,64 @@ struct cgx_set_link_mode_rsp {
>         int __io status;
>  };
>
> +/* MCS mbox structures */
> +enum mcs_direction {
> +       MCS_RX,
> +       MCS_TX,
> +};
> +
> +enum mcs_rsrc_type {
> +       MCS_RSRC_TYPE_FLOWID,
> +       MCS_RSRC_TYPE_SECY,
> +       MCS_RSRC_TYPE_SC,
> +       MCS_RSRC_TYPE_SA,
> +};
> +
> +struct mcs_alloc_rsrc_req {
> +       struct mbox_msghdr hdr;
> +       uint8_t __io rsrc_type;
> +       uint8_t __io rsrc_cnt; /* Resources count */
> +       uint8_t __io mcs_id;   /* MCS block ID */
> +       uint8_t __io dir;      /* Macsec ingress or egress side */
> +       uint8_t __io all;      /* Allocate all resource type one each */
> +       uint64_t __io rsvd;
> +};
> +
> +struct mcs_alloc_rsrc_rsp {
> +       struct mbox_msghdr hdr;
> +       uint8_t __io flow_ids[128]; /* Index of reserved entries */
> +       uint8_t __io secy_ids[128];
> +       uint8_t __io sc_ids[128];
> +       uint8_t __io sa_ids[256];
> +       uint8_t __io rsrc_type;
> +       uint8_t __io rsrc_cnt; /* No of entries reserved */
> +       uint8_t __io mcs_id;
> +       uint8_t __io dir;
> +       uint8_t __io all;
> +       uint8_t __io rsvd[256];
> +};
> +
> +struct mcs_free_rsrc_req {
> +       struct mbox_msghdr hdr;
> +       uint8_t __io rsrc_id; /* Index of the entry to be freed */
> +       uint8_t __io rsrc_type;
> +       uint8_t __io mcs_id;
> +       uint8_t __io dir;
> +       uint8_t __io all; /* Free all the cam resources */
> +       uint64_t __io rsvd;
> +};
> +
> +struct mcs_hw_info {
> +       struct mbox_msghdr hdr;
> +       uint8_t __io num_mcs_blks; /* Number of MCS blocks */
> +       uint8_t __io tcam_entries; /* RX/TX Tcam entries per mcs block */
> +       uint8_t __io secy_entries; /* RX/TX SECY entries per mcs block */
> +       uint8_t __io sc_entries;   /* RX/TX SC CAM entries per mcs block */
> +       uint16_t __io sa_entries;  /* PN table entries = SA entries */
> +       uint64_t __io rsvd[16];
> +};
> +
> +
>  /* NPA mbox message formats */
>
>  /* NPA mailbox error codes
> diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
> new file mode 100644
> index 0000000000..20433eae83
> --- /dev/null
> +++ b/drivers/common/cnxk/roc_mcs.c
> @@ -0,0 +1,220 @@
> +/* SPDX-License-Identifier: BSD-3-Clause
> + * Copyright(C) 2022 Marvell.
> + */
> +
> +#include "roc_api.h"
> +#include "roc_priv.h"
> +
> +int
> +roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
> +{
> +       struct mcs_hw_info *hw;
> +       struct npa_lf *npa;
> +       int rc;
> +
> +       MCS_SUPPORT_CHECK;
> +
> +       if (hw_info == NULL)
> +               return -EINVAL;
> +
> +       /* Use mbox handler of first probed pci_func for
> +        * initial mcs mbox communication.
> +        */
> +       npa = idev_npa_obj_get();
> +       if (!npa)
> +               return MCS_ERR_DEVICE_NOT_FOUND;
> +
> +       mbox_alloc_msg_mcs_get_hw_info(npa->mbox);
> +       rc = mbox_process_msg(npa->mbox, (void *)&hw);
> +       if (rc)
> +               return rc;
> +
> +       hw_info->num_mcs_blks = hw->num_mcs_blks;
> +       hw_info->tcam_entries = hw->tcam_entries;
> +       hw_info->secy_entries = hw->secy_entries;
> +       hw_info->sc_entries = hw->sc_entries;
> +       hw_info->sa_entries = hw->sa_entries;
> +
> +       return rc;
> +}
> +
> +static int
> +mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
> +{
> +       size_t bmap_sz;
> +       int rc = 0;
> +
> +       bmap_sz = plt_bitmap_get_memory_footprint(entries);
> +       *mem = plt_zmalloc(bmap_sz, PLT_CACHE_LINE_SIZE);
> +       if (*mem == NULL)
> +               rc = -ENOMEM;
> +
> +       *bmap = plt_bitmap_init(entries, *mem, bmap_sz);
> +       if (!*bmap) {
> +               plt_free(*mem);
> +               *mem = NULL;
> +               rc = -ENOMEM;
> +       }
> +
> +       return rc;
> +}
> +
> +static void
> +rsrc_bmap_free(struct mcs_rsrc *rsrc)
> +{
> +       plt_bitmap_free(rsrc->tcam_bmap);
> +       plt_free(rsrc->tcam_bmap_mem);
> +       plt_bitmap_free(rsrc->secy_bmap);
> +       plt_free(rsrc->secy_bmap_mem);
> +       plt_bitmap_free(rsrc->sc_bmap);
> +       plt_free(rsrc->sc_bmap_mem);
> +       plt_bitmap_free(rsrc->sa_bmap);
> +       plt_free(rsrc->sa_bmap_mem);
> +}
> +
> +static int
> +rsrc_bmap_alloc(struct mcs_priv *priv, struct mcs_rsrc *rsrc)
> +{
> +       int rc;
> +
> +       rc = mcs_alloc_bmap(priv->tcam_entries << 1, &rsrc->tcam_bmap_mem, &rsrc->tcam_bmap);
> +       if (rc)
> +               goto exit;
> +
> +       rc = mcs_alloc_bmap(priv->secy_entries << 1, &rsrc->secy_bmap_mem, &rsrc->secy_bmap);
> +       if (rc)
> +               goto exit;
> +
> +       rc = mcs_alloc_bmap(priv->sc_entries << 1, &rsrc->sc_bmap_mem, &rsrc->sc_bmap);
> +       if (rc)
> +               goto exit;
> +
> +       rc = mcs_alloc_bmap(priv->sa_entries << 1, &rsrc->sa_bmap_mem, &rsrc->sa_bmap);
> +       if (rc)
> +               goto exit;
> +
> +       return rc;
> +exit:
> +       rsrc_bmap_free(rsrc);
> +
> +       return rc;
> +}
> +
> +static int
> +mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
> +{
> +       struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
> +       struct mcs_hw_info *hw;
> +       int i, rc;
> +
> +       mbox_alloc_msg_mcs_get_hw_info(mcs->mbox);
> +       rc = mbox_process_msg(mcs->mbox, (void *)&hw);
> +       if (rc)
> +               return rc;
> +
> +       priv->num_mcs_blks = hw->num_mcs_blks;
> +       priv->tcam_entries = hw->tcam_entries;
> +       priv->secy_entries = hw->secy_entries;
> +       priv->sc_entries = hw->sc_entries;
> +       priv->sa_entries = hw->sa_entries;
> +
> +       rc = rsrc_bmap_alloc(priv, &priv->dev_rsrc);
> +       if (rc)
> +               return rc;
> +
> +       priv->port_rsrc = plt_zmalloc(sizeof(struct mcs_rsrc) * 4, 0);
> +       if (priv->port_rsrc == NULL) {
> +               rsrc_bmap_free(&priv->dev_rsrc);
> +               return -ENOMEM;
> +       }
> +
> +       for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
> +               rc = rsrc_bmap_alloc(priv, &priv->port_rsrc[i]);
> +               if (rc)
> +                       goto exit;
> +
> +               priv->port_rsrc[i].sc_conf =
> +                       plt_zmalloc(priv->sc_entries * sizeof(struct mcs_sc_conf), 0);
> +               if (priv->port_rsrc[i].sc_conf == NULL) {
> +                       rsrc_bmap_free(&priv->port_rsrc[i]);
> +                       goto exit;
> +               }
> +       }
> +
> +       return rc;
> +
> +exit:
> +       while (i--) {
> +               rsrc_bmap_free(&priv->port_rsrc[i]);
> +               plt_free(priv->port_rsrc[i].sc_conf);
> +       }
> +       plt_free(priv->port_rsrc);
> +
> +       return -ENOMEM;
> +}
> +
> +struct roc_mcs *
> +roc_mcs_dev_init(uint8_t mcs_idx)
> +{
> +       struct roc_mcs *mcs;
> +       struct npa_lf *npa;
> +
> +       if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))
> +               return NULL;
> +
> +       mcs = roc_idev_mcs_get(mcs_idx);
> +       if (mcs) {
> +               plt_info("Skipping device, mcs device already probed");
> +               mcs->refcount++;
> +               return mcs;
> +       }
> +
> +       mcs = plt_zmalloc(sizeof(struct roc_mcs), PLT_CACHE_LINE_SIZE);
> +       if (!mcs)
> +               return NULL;
> +
> +       npa = idev_npa_obj_get();
> +       if (!npa)
> +               goto exit;
> +
> +       mcs->mbox = npa->mbox;
> +       mcs->idx = mcs_idx;
> +
> +       /* Add any per mcsv initialization */
> +       if (mcs_alloc_rsrc_bmap(mcs))
> +               goto exit;
> +
> +       roc_idev_mcs_set(mcs);
> +       mcs->refcount++;
> +
> +       return mcs;
> +exit:
> +       plt_free(mcs);
> +       return NULL;
> +}
> +
> +void
> +roc_mcs_dev_fini(struct roc_mcs *mcs)
> +{
> +       struct mcs_priv *priv;
> +       int i;
> +
> +       mcs->refcount--;
> +       if (mcs->refcount > 0)
> +               return;
> +
> +       priv = roc_mcs_to_mcs_priv(mcs);
> +
> +       rsrc_bmap_free(&priv->dev_rsrc);
> +
> +       for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
> +               rsrc_bmap_free(&priv->port_rsrc[i]);
> +               plt_free(priv->port_rsrc[i].sc_conf);
> +       }
> +
> +       plt_free(priv->port_rsrc);
> +
> +       roc_idev_mcs_free(mcs);
> +
> +       plt_free(mcs);
> +}
> diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
> new file mode 100644
> index 0000000000..2f06ce2659
> --- /dev/null
> +++ b/drivers/common/cnxk/roc_mcs.h
> @@ -0,0 +1,41 @@
> +/* SPDX-License-Identifier: BSD-3-Clause
> + * Copyright(C) 2022 Marvell.
> + */
> +
> +#ifndef _ROC_MCS_H_
> +#define _ROC_MCS_H_
> +
> +#define MCS_AES_GCM_256_KEYLEN 32
> +
> +struct roc_mcs_hw_info {
> +       uint8_t num_mcs_blks; /* Number of MCS blocks */
> +       uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
> +       uint8_t secy_entries; /* RX/TX SECY entries per mcs block */
> +       uint8_t sc_entries;   /* RX/TX SC CAM entries per mcs block */
> +       uint16_t sa_entries;  /* PN table entries = SA entries */
> +       uint64_t rsvd[16];
> +};
> +
> +
> +struct roc_mcs {
> +       TAILQ_ENTRY(roc_mcs) next;
> +       struct plt_pci_device *pci_dev;
> +       struct mbox *mbox;
> +       void *userdata;
> +       uint8_t idx;
> +       uint8_t refcount;
> +
> +#define ROC_MCS_MEM_SZ (1 * 1024)
> +       uint8_t reserved[ROC_MCS_MEM_SZ] __plt_cache_aligned;
> +} __plt_cache_aligned;
> +
> +TAILQ_HEAD(roc_mcs_head, roc_mcs);
> +
> +/* Initialization */
> +__roc_api struct roc_mcs *roc_mcs_dev_init(uint8_t mcs_idx);
> +__roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
> +/* Get roc mcs dev structure */
> +__roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
> +/* HW info get */
> +__roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
> +#endif /* _ROC_MCS_H_ */
> diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
> new file mode 100644
> index 0000000000..9e0bbe4392
> --- /dev/null
> +++ b/drivers/common/cnxk/roc_mcs_priv.h
> @@ -0,0 +1,65 @@
> +/* SPDX-License-Identifier: BSD-3-Clause
> + * Copyright(C) 2022 Marvell.
> + */
> +
> +#ifndef _ROC_MCS_PRIV_H_
> +#define _ROC_MCS_PRIV_H_
> +
> +#define MAX_PORTS_PER_MCS 4
> +
> +enum mcs_error_status {
> +       MCS_ERR_PARAM = -900,
> +       MCS_ERR_HW_NOTSUP = -901,
> +       MCS_ERR_DEVICE_NOT_FOUND = -902,
> +};
> +
> +#define MCS_SUPPORT_CHECK                                                                          \
> +       do {                                                                                       \
> +               if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))              \
> +                       return MCS_ERR_HW_NOTSUP;                                                  \
> +       } while (0)
> +
> +struct mcs_sc_conf {
> +       struct {
> +               uint64_t sci;
> +               uint16_t sa_idx0;
> +               uint16_t sa_idx1;
> +               uint8_t rekey_enb;
> +       } tx;
> +       struct {
> +               uint16_t sa_idx;
> +               uint8_t an;
> +       } rx;
> +};
> +
> +struct mcs_rsrc {
> +       struct plt_bitmap *tcam_bmap;
> +       void *tcam_bmap_mem;
> +       struct plt_bitmap *secy_bmap;
> +       void *secy_bmap_mem;
> +       struct plt_bitmap *sc_bmap;
> +       void *sc_bmap_mem;
> +       struct plt_bitmap *sa_bmap;
> +       void *sa_bmap_mem;
> +       struct mcs_sc_conf *sc_conf;
> +};
> +
> +struct mcs_priv {
> +       struct mcs_rsrc *port_rsrc;
> +       struct mcs_rsrc dev_rsrc;
> +       uint64_t default_sci;
> +       uint32_t lmac_bmap;
> +       uint8_t num_mcs_blks;
> +       uint8_t tcam_entries;
> +       uint8_t secy_entries;
> +       uint8_t sc_entries;
> +       uint16_t sa_entries;
> +};
> +
> +static inline struct mcs_priv *
> +roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
> +{
> +       return (struct mcs_priv *)&roc_mcs->reserved[0];
> +}
> +
> +#endif /* _ROC_MCS_PRIV_H_ */
> diff --git a/drivers/common/cnxk/roc_priv.h b/drivers/common/cnxk/roc_priv.h
> index 14fe2e452a..254a2d3310 100644
> --- a/drivers/common/cnxk/roc_priv.h
> +++ b/drivers/common/cnxk/roc_priv.h
> @@ -44,6 +44,9 @@
>  /* DPI */
>  #include "roc_dpi_priv.h"
>
> +/* MCS */
> +#include "roc_mcs_priv.h"
> +
>  /* REE */
>  #include "roc_ree_priv.h"
>
> diff --git a/drivers/common/cnxk/roc_utils.c b/drivers/common/cnxk/roc_utils.c
> index fe291fce96..9af2ae9b69 100644
> --- a/drivers/common/cnxk/roc_utils.c
> +++ b/drivers/common/cnxk/roc_utils.c
> @@ -16,6 +16,7 @@ roc_error_msg_get(int errorcode)
>         case NPA_ERR_PARAM:
>         case NPC_ERR_PARAM:
>         case SSO_ERR_PARAM:
> +       case MCS_ERR_PARAM:
>         case UTIL_ERR_PARAM:
>                 err_msg = "Invalid parameter";
>                 break;
> @@ -35,6 +36,7 @@ roc_error_msg_get(int errorcode)
>                 err_msg = "Operation not supported";
>                 break;
>         case NIX_ERR_HW_NOTSUP:
> +       case MCS_ERR_HW_NOTSUP:
>                 err_msg = "Hardware does not support";
>                 break;
>         case NIX_ERR_QUEUE_INVALID_RANGE:
> @@ -223,6 +225,9 @@ roc_error_msg_get(int errorcode)
>         case SSO_ERR_DEVICE_NOT_BOUNDED:
>                 err_msg = "SSO pf/vf not found";
>                 break;
> +       case MCS_ERR_DEVICE_NOT_FOUND:
> +               err_msg = "MCS device not found";
> +               break;
>         case UTIL_ERR_FS:
>                 err_msg = "file operation failed";
>                 break;
> diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
> index e1335e9068..900290b866 100644
> --- a/drivers/common/cnxk/version.map
> +++ b/drivers/common/cnxk/version.map
> @@ -94,6 +94,9 @@ INTERNAL {
>         roc_idev_cpt_get;
>         roc_idev_cpt_set;
>         roc_idev_lmt_base_addr_get;
> +       roc_idev_mcs_free;
> +       roc_idev_mcs_get;
> +       roc_idev_mcs_set;
>         roc_idev_npa_maxpools_get;
>         roc_idev_npa_maxpools_set;
>         roc_idev_npa_nix_get;
> @@ -132,6 +135,10 @@ INTERNAL {
>         roc_se_auth_key_set;
>         roc_se_ciph_key_set;
>         roc_se_ctx_init;
> +       roc_mcs_dev_init;
> +       roc_mcs_dev_fini;
> +       roc_mcs_dev_get;
> +       roc_mcs_hw_info_get;
>         roc_nix_bpf_alloc;
>         roc_nix_bpf_config;
>         roc_nix_bpf_connect;
> --
> 2.25.1
>

[PATCH v3 00/15] net/cnxk: add MACsec support

[Akhil Goyal]

Added MACsec support in Marvell cnxk PMD.
The patchset is pending from last release [1]
Sending as a new series as the functionality is now
complete and tested on hardware.

[1] https://patches.dpdk.org/project/dpdk/cover/20220928124516.93050-1-gakhil@marvell.com/

Changes in v3:
- rebased
- fixed warning PRI*64
- added release notes

Changes in v2:
- Addressed review comments from Jerin.


Akhil Goyal (15):
  common/cnxk: add ROC MACsec initialization
  common/cnxk: add MACsec SA configuration
  common/cnxk: add MACsec SC configuration APIs
  common/cnxk: add MACsec secy and flow configuration
  common/cnxk: add MACsec PN and LMAC mode configuration
  common/cnxk: add MACsec stats
  common/cnxk: add MACsec interrupt APIs
  common/cnxk: add MACsec port configuration
  common/cnxk: add MACsec control port configuration
  common/cnxk: add MACsec FIPS mbox
  common/cnxk: derive hash key for MACsec
  net/cnxk: add MACsec initialization
  net/cnxk: create/destroy MACsec SC/SA
  net/cnxk: add MACsec session and flow configuration
  net/cnxk: add MACsec stats

 doc/guides/rel_notes/release_23_07.rst |   5 +
 drivers/common/cnxk/meson.build        |   3 +
 drivers/common/cnxk/roc_aes.c          |  86 ++-
 drivers/common/cnxk/roc_aes.h          |   4 +-
 drivers/common/cnxk/roc_api.h          |   3 +
 drivers/common/cnxk/roc_dev.c          |  86 +++
 drivers/common/cnxk/roc_features.h     |  12 +
 drivers/common/cnxk/roc_idev.c         |  46 ++
 drivers/common/cnxk/roc_idev.h         |   3 +
 drivers/common/cnxk/roc_idev_priv.h    |   1 +
 drivers/common/cnxk/roc_mbox.h         | 524 ++++++++++++++-
 drivers/common/cnxk/roc_mcs.c          | 871 +++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h          | 621 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h     |  73 +++
 drivers/common/cnxk/roc_mcs_sec_cfg.c  | 528 +++++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c    | 193 ++++++
 drivers/common/cnxk/roc_priv.h         |   3 +
 drivers/common/cnxk/roc_utils.c        |   5 +
 drivers/common/cnxk/version.map        |  45 ++
 drivers/net/cnxk/cn10k_ethdev_sec.c    |  25 +-
 drivers/net/cnxk/cn10k_flow.c          |  23 +-
 drivers/net/cnxk/cnxk_ethdev.c         |  15 +
 drivers/net/cnxk/cnxk_ethdev.h         |  30 +
 drivers/net/cnxk/cnxk_ethdev_mcs.c     | 726 +++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h     | 111 ++++
 drivers/net/cnxk/cnxk_ethdev_sec.c     |   2 +-
 drivers/net/cnxk/cnxk_flow.c           |   5 +
 drivers/net/cnxk/meson.build           |   1 +
 28 files changed, 4012 insertions(+), 38 deletions(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

-- 
2.25.1

[PATCH v3 01/15] common/cnxk: add ROC MACsec initialization

[Akhil Goyal]

Added ROC init and fini APIs for supporting MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_api.h       |   3 +
 drivers/common/cnxk/roc_features.h  |  12 ++
 drivers/common/cnxk/roc_idev.c      |  46 ++++++
 drivers/common/cnxk/roc_idev.h      |   3 +
 drivers/common/cnxk/roc_idev_priv.h |   1 +
 drivers/common/cnxk/roc_mbox.h      |  65 +++++++-
 drivers/common/cnxk/roc_mcs.c       | 220 ++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  41 ++++++
 drivers/common/cnxk/roc_mcs_priv.h  |  65 ++++++++
 drivers/common/cnxk/roc_priv.h      |   3 +
 drivers/common/cnxk/roc_utils.c     |   5 +
 drivers/common/cnxk/version.map     |   7 +
 13 files changed, 471 insertions(+), 1 deletion(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 631b594f32..e33c002676 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -26,6 +26,7 @@ sources = files(
         'roc_irq.c',
         'roc_ie_ot.c',
         'roc_mbox.c',
+        'roc_mcs.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index bbc94ab48e..f630853088 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -114,4 +114,7 @@
 /* ML */
 #include "roc_ml.h"
 
+/* MACsec */
+#include "roc_mcs.h"
+
 #endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_features.h b/drivers/common/cnxk/roc_features.h
index 36ef315f5a..815f800e7a 100644
--- a/drivers/common/cnxk/roc_features.h
+++ b/drivers/common/cnxk/roc_features.h
@@ -59,4 +59,16 @@ roc_feature_nix_has_age_drop_stats(void)
 {
 	return (roc_model_is_cn10kb() || roc_model_is_cn10ka_b0());
 }
+
+static inline bool
+roc_feature_nix_has_macsec(void)
+{
+	return roc_model_is_cn10kb();
+}
+
+static inline bool
+roc_feature_bphy_has_macsec(void)
+{
+	return roc_model_is_cnf10kb();
+}
 #endif
diff --git a/drivers/common/cnxk/roc_idev.c b/drivers/common/cnxk/roc_idev.c
index f420f0158d..e6c6b34d78 100644
--- a/drivers/common/cnxk/roc_idev.c
+++ b/drivers/common/cnxk/roc_idev.c
@@ -38,6 +38,7 @@ idev_set_defaults(struct idev_cfg *idev)
 	idev->num_lmtlines = 0;
 	idev->bphy = NULL;
 	idev->cpt = NULL;
+	TAILQ_INIT(&idev->mcs_list);
 	idev->nix_inl_dev = NULL;
 	TAILQ_INIT(&idev->roc_nix_list);
 	plt_spinlock_init(&idev->nix_inl_dev_lock);
@@ -187,6 +188,51 @@ roc_idev_cpt_get(void)
 	return NULL;
 }
 
+struct roc_mcs *
+roc_idev_mcs_get(uint8_t mcs_idx)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs, &idev->mcs_list, next) {
+			if (mcs->idx == mcs_idx)
+				return mcs;
+		}
+	}
+
+	return NULL;
+}
+
+void
+roc_idev_mcs_set(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs_iter = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
+			if (mcs_iter->idx == mcs->idx)
+				return;
+		}
+		TAILQ_INSERT_TAIL(&idev->mcs_list, mcs, next);
+	}
+}
+
+void
+roc_idev_mcs_free(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs_iter = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
+			if (mcs_iter->idx == mcs->idx)
+				TAILQ_REMOVE(&idev->mcs_list, mcs, next);
+		}
+	}
+}
+
 uint64_t *
 roc_nix_inl_outb_ring_base_get(struct roc_nix *roc_nix)
 {
diff --git a/drivers/common/cnxk/roc_idev.h b/drivers/common/cnxk/roc_idev.h
index 640ca97708..aea7f5279d 100644
--- a/drivers/common/cnxk/roc_idev.h
+++ b/drivers/common/cnxk/roc_idev.h
@@ -19,4 +19,7 @@ struct roc_nix *__roc_api roc_idev_npa_nix_get(void);
 uint64_t __roc_api roc_idev_nix_inl_meta_aura_get(void);
 struct roc_nix_list *__roc_api roc_idev_nix_list_get(void);
 
+struct roc_mcs *__roc_api roc_idev_mcs_get(uint8_t mcs_idx);
+void __roc_api roc_idev_mcs_set(struct roc_mcs *mcs);
+void __roc_api roc_idev_mcs_free(struct roc_mcs *mcs);
 #endif /* _ROC_IDEV_H_ */
diff --git a/drivers/common/cnxk/roc_idev_priv.h b/drivers/common/cnxk/roc_idev_priv.h
index 4983578fc6..80f8465e1c 100644
--- a/drivers/common/cnxk/roc_idev_priv.h
+++ b/drivers/common/cnxk/roc_idev_priv.h
@@ -31,6 +31,7 @@ struct idev_cfg {
 	struct roc_bphy *bphy;
 	struct roc_cpt *cpt;
 	struct roc_sso *sso;
+	struct roc_mcs_head mcs_list;
 	struct nix_inl_dev *nix_inl_dev;
 	struct idev_nix_inl_cfg inl_cfg;
 	struct roc_nix_list roc_nix_list;
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 93c5451c0f..ef7a7d6513 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -295,7 +295,12 @@ struct mbox_msghdr {
 	  nix_bpids)                                                           \
 	M(NIX_FREE_BPIDS, 0x8029, nix_free_bpids, nix_bpids, msg_rsp)          \
 	M(NIX_RX_CHAN_CFG, 0x802a, nix_rx_chan_cfg, nix_rx_chan_cfg,           \
-	  nix_rx_chan_cfg)
+	  nix_rx_chan_cfg)                                                     \
+	/* MCS mbox IDs (range 0xa000 - 0xbFFF) */                                                 \
+	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
+	  mcs_alloc_rsrc_rsp)                                                                      \
+	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -673,6 +678,64 @@ struct cgx_set_link_mode_rsp {
 	int __io status;
 };
 
+/* MCS mbox structures */
+enum mcs_direction {
+	MCS_RX,
+	MCS_TX,
+};
+
+enum mcs_rsrc_type {
+	MCS_RSRC_TYPE_FLOWID,
+	MCS_RSRC_TYPE_SECY,
+	MCS_RSRC_TYPE_SC,
+	MCS_RSRC_TYPE_SA,
+};
+
+struct mcs_alloc_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* Resources count */
+	uint8_t __io mcs_id;   /* MCS block ID */
+	uint8_t __io dir;      /* Macsec ingress or egress side */
+	uint8_t __io all;      /* Allocate all resource type one each */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_rsrc_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_ids[128]; /* Index of reserved entries */
+	uint8_t __io secy_ids[128];
+	uint8_t __io sc_ids[128];
+	uint8_t __io sa_ids[256];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* No of entries reserved */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all;
+	uint8_t __io rsvd[256];
+};
+
+struct mcs_free_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_id; /* Index of the entry to be freed */
+	uint8_t __io rsrc_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the cam resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_hw_info {
+	struct mbox_msghdr hdr;
+	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
+	uint8_t __io tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t __io secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t __io sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t __io sa_entries;  /* PN table entries = SA entries */
+	uint64_t __io rsvd[16];
+};
+
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
new file mode 100644
index 0000000000..20433eae83
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -0,0 +1,220 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
+{
+	struct mcs_hw_info *hw;
+	struct npa_lf *npa;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (hw_info == NULL)
+		return -EINVAL;
+
+	/* Use mbox handler of first probed pci_func for
+	 * initial mcs mbox communication.
+	 */
+	npa = idev_npa_obj_get();
+	if (!npa)
+		return MCS_ERR_DEVICE_NOT_FOUND;
+
+	mbox_alloc_msg_mcs_get_hw_info(npa->mbox);
+	rc = mbox_process_msg(npa->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	hw_info->num_mcs_blks = hw->num_mcs_blks;
+	hw_info->tcam_entries = hw->tcam_entries;
+	hw_info->secy_entries = hw->secy_entries;
+	hw_info->sc_entries = hw->sc_entries;
+	hw_info->sa_entries = hw->sa_entries;
+
+	return rc;
+}
+
+static int
+mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
+{
+	size_t bmap_sz;
+	int rc = 0;
+
+	bmap_sz = plt_bitmap_get_memory_footprint(entries);
+	*mem = plt_zmalloc(bmap_sz, PLT_CACHE_LINE_SIZE);
+	if (*mem == NULL)
+		rc = -ENOMEM;
+
+	*bmap = plt_bitmap_init(entries, *mem, bmap_sz);
+	if (!*bmap) {
+		plt_free(*mem);
+		*mem = NULL;
+		rc = -ENOMEM;
+	}
+
+	return rc;
+}
+
+static void
+rsrc_bmap_free(struct mcs_rsrc *rsrc)
+{
+	plt_bitmap_free(rsrc->tcam_bmap);
+	plt_free(rsrc->tcam_bmap_mem);
+	plt_bitmap_free(rsrc->secy_bmap);
+	plt_free(rsrc->secy_bmap_mem);
+	plt_bitmap_free(rsrc->sc_bmap);
+	plt_free(rsrc->sc_bmap_mem);
+	plt_bitmap_free(rsrc->sa_bmap);
+	plt_free(rsrc->sa_bmap_mem);
+}
+
+static int
+rsrc_bmap_alloc(struct mcs_priv *priv, struct mcs_rsrc *rsrc)
+{
+	int rc;
+
+	rc = mcs_alloc_bmap(priv->tcam_entries << 1, &rsrc->tcam_bmap_mem, &rsrc->tcam_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->secy_entries << 1, &rsrc->secy_bmap_mem, &rsrc->secy_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sc_entries << 1, &rsrc->sc_bmap_mem, &rsrc->sc_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sa_entries << 1, &rsrc->sa_bmap_mem, &rsrc->sa_bmap);
+	if (rc)
+		goto exit;
+
+	return rc;
+exit:
+	rsrc_bmap_free(rsrc);
+
+	return rc;
+}
+
+static int
+mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_hw_info *hw;
+	int i, rc;
+
+	mbox_alloc_msg_mcs_get_hw_info(mcs->mbox);
+	rc = mbox_process_msg(mcs->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	priv->num_mcs_blks = hw->num_mcs_blks;
+	priv->tcam_entries = hw->tcam_entries;
+	priv->secy_entries = hw->secy_entries;
+	priv->sc_entries = hw->sc_entries;
+	priv->sa_entries = hw->sa_entries;
+
+	rc = rsrc_bmap_alloc(priv, &priv->dev_rsrc);
+	if (rc)
+		return rc;
+
+	priv->port_rsrc = plt_zmalloc(sizeof(struct mcs_rsrc) * 4, 0);
+	if (priv->port_rsrc == NULL) {
+		rsrc_bmap_free(&priv->dev_rsrc);
+		return -ENOMEM;
+	}
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rc = rsrc_bmap_alloc(priv, &priv->port_rsrc[i]);
+		if (rc)
+			goto exit;
+
+		priv->port_rsrc[i].sc_conf =
+			plt_zmalloc(priv->sc_entries * sizeof(struct mcs_sc_conf), 0);
+		if (priv->port_rsrc[i].sc_conf == NULL) {
+			rsrc_bmap_free(&priv->port_rsrc[i]);
+			goto exit;
+		}
+	}
+
+	return rc;
+
+exit:
+	while (i--) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+	plt_free(priv->port_rsrc);
+
+	return -ENOMEM;
+}
+
+struct roc_mcs *
+roc_mcs_dev_init(uint8_t mcs_idx)
+{
+	struct roc_mcs *mcs;
+	struct npa_lf *npa;
+
+	if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))
+		return NULL;
+
+	mcs = roc_idev_mcs_get(mcs_idx);
+	if (mcs) {
+		plt_info("Skipping device, mcs device already probed");
+		mcs->refcount++;
+		return mcs;
+	}
+
+	mcs = plt_zmalloc(sizeof(struct roc_mcs), PLT_CACHE_LINE_SIZE);
+	if (!mcs)
+		return NULL;
+
+	npa = idev_npa_obj_get();
+	if (!npa)
+		goto exit;
+
+	mcs->mbox = npa->mbox;
+	mcs->idx = mcs_idx;
+
+	/* Add any per mcsv initialization */
+	if (mcs_alloc_rsrc_bmap(mcs))
+		goto exit;
+
+	roc_idev_mcs_set(mcs);
+	mcs->refcount++;
+
+	return mcs;
+exit:
+	plt_free(mcs);
+	return NULL;
+}
+
+void
+roc_mcs_dev_fini(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv;
+	int i;
+
+	mcs->refcount--;
+	if (mcs->refcount > 0)
+		return;
+
+	priv = roc_mcs_to_mcs_priv(mcs);
+
+	rsrc_bmap_free(&priv->dev_rsrc);
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+
+	plt_free(priv->port_rsrc);
+
+	roc_idev_mcs_free(mcs);
+
+	plt_free(mcs);
+}
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
new file mode 100644
index 0000000000..2f06ce2659
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_H_
+#define _ROC_MCS_H_
+
+#define MCS_AES_GCM_256_KEYLEN 32
+
+struct roc_mcs_hw_info {
+	uint8_t num_mcs_blks; /* Number of MCS blocks */
+	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t sa_entries;  /* PN table entries = SA entries */
+	uint64_t rsvd[16];
+};
+
+
+struct roc_mcs {
+	TAILQ_ENTRY(roc_mcs) next;
+	struct plt_pci_device *pci_dev;
+	struct mbox *mbox;
+	void *userdata;
+	uint8_t idx;
+	uint8_t refcount;
+
+#define ROC_MCS_MEM_SZ (1 * 1024)
+	uint8_t reserved[ROC_MCS_MEM_SZ] __plt_cache_aligned;
+} __plt_cache_aligned;
+
+TAILQ_HEAD(roc_mcs_head, roc_mcs);
+
+/* Initialization */
+__roc_api struct roc_mcs *roc_mcs_dev_init(uint8_t mcs_idx);
+__roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
+/* Get roc mcs dev structure */
+__roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
+/* HW info get */
+__roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+#endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
new file mode 100644
index 0000000000..9e0bbe4392
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_PRIV_H_
+#define _ROC_MCS_PRIV_H_
+
+#define MAX_PORTS_PER_MCS 4
+
+enum mcs_error_status {
+	MCS_ERR_PARAM = -900,
+	MCS_ERR_HW_NOTSUP = -901,
+	MCS_ERR_DEVICE_NOT_FOUND = -902,
+};
+
+#define MCS_SUPPORT_CHECK                                                                          \
+	do {                                                                                       \
+		if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))              \
+			return MCS_ERR_HW_NOTSUP;                                                  \
+	} while (0)
+
+struct mcs_sc_conf {
+	struct {
+		uint64_t sci;
+		uint16_t sa_idx0;
+		uint16_t sa_idx1;
+		uint8_t rekey_enb;
+	} tx;
+	struct {
+		uint16_t sa_idx;
+		uint8_t an;
+	} rx;
+};
+
+struct mcs_rsrc {
+	struct plt_bitmap *tcam_bmap;
+	void *tcam_bmap_mem;
+	struct plt_bitmap *secy_bmap;
+	void *secy_bmap_mem;
+	struct plt_bitmap *sc_bmap;
+	void *sc_bmap_mem;
+	struct plt_bitmap *sa_bmap;
+	void *sa_bmap_mem;
+	struct mcs_sc_conf *sc_conf;
+};
+
+struct mcs_priv {
+	struct mcs_rsrc *port_rsrc;
+	struct mcs_rsrc dev_rsrc;
+	uint64_t default_sci;
+	uint32_t lmac_bmap;
+	uint8_t num_mcs_blks;
+	uint8_t tcam_entries;
+	uint8_t secy_entries;
+	uint8_t sc_entries;
+	uint16_t sa_entries;
+};
+
+static inline struct mcs_priv *
+roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
+{
+	return (struct mcs_priv *)&roc_mcs->reserved[0];
+}
+
+#endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/roc_priv.h b/drivers/common/cnxk/roc_priv.h
index 14fe2e452a..254a2d3310 100644
--- a/drivers/common/cnxk/roc_priv.h
+++ b/drivers/common/cnxk/roc_priv.h
@@ -44,6 +44,9 @@
 /* DPI */
 #include "roc_dpi_priv.h"
 
+/* MCS */
+#include "roc_mcs_priv.h"
+
 /* REE */
 #include "roc_ree_priv.h"
 
diff --git a/drivers/common/cnxk/roc_utils.c b/drivers/common/cnxk/roc_utils.c
index fe291fce96..9af2ae9b69 100644
--- a/drivers/common/cnxk/roc_utils.c
+++ b/drivers/common/cnxk/roc_utils.c
@@ -16,6 +16,7 @@ roc_error_msg_get(int errorcode)
 	case NPA_ERR_PARAM:
 	case NPC_ERR_PARAM:
 	case SSO_ERR_PARAM:
+	case MCS_ERR_PARAM:
 	case UTIL_ERR_PARAM:
 		err_msg = "Invalid parameter";
 		break;
@@ -35,6 +36,7 @@ roc_error_msg_get(int errorcode)
 		err_msg = "Operation not supported";
 		break;
 	case NIX_ERR_HW_NOTSUP:
+	case MCS_ERR_HW_NOTSUP:
 		err_msg = "Hardware does not support";
 		break;
 	case NIX_ERR_QUEUE_INVALID_RANGE:
@@ -223,6 +225,9 @@ roc_error_msg_get(int errorcode)
 	case SSO_ERR_DEVICE_NOT_BOUNDED:
 		err_msg = "SSO pf/vf not found";
 		break;
+	case MCS_ERR_DEVICE_NOT_FOUND:
+		err_msg = "MCS device not found";
+		break;
 	case UTIL_ERR_FS:
 		err_msg = "file operation failed";
 		break;
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index e1335e9068..900290b866 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -94,6 +94,9 @@ INTERNAL {
 	roc_idev_cpt_get;
 	roc_idev_cpt_set;
 	roc_idev_lmt_base_addr_get;
+	roc_idev_mcs_free;
+	roc_idev_mcs_get;
+	roc_idev_mcs_set;
 	roc_idev_npa_maxpools_get;
 	roc_idev_npa_maxpools_set;
 	roc_idev_npa_nix_get;
@@ -132,6 +135,10 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_dev_init;
+	roc_mcs_dev_fini;
+	roc_mcs_dev_get;
+	roc_mcs_hw_info_get;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v3 02/15] common/cnxk: add MACsec SA configuration

[Akhil Goyal]

Added ROC APIs to allocate/free MACsec resources
and APIs to write SA policy.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build       |   1 +
 drivers/common/cnxk/roc_mbox.h        |  12 ++
 drivers/common/cnxk/roc_mcs.h         |  43 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 211 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   4 +
 5 files changed, 271 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index e33c002676..589baf74fe 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -27,6 +27,7 @@ sources = files(
         'roc_ie_ot.c',
         'roc_mbox.c',
         'roc_mcs.c',
+        'roc_mcs_sec_cfg.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ef7a7d6513..ab1173e805 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,6 +300,7 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -725,6 +726,17 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_sa_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
+	uint8_t __io sa_index[2];
+	uint8_t __io sa_cnt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 2f06ce2659..ea4c6ddc05 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -7,6 +7,39 @@
 
 #define MCS_AES_GCM_256_KEYLEN 32
 
+struct roc_mcs_alloc_rsrc_req {
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* Resources count */
+	uint8_t dir;	  /* Macsec ingress or egress side */
+	uint8_t all;	  /* Allocate all resource type one each */
+};
+
+struct roc_mcs_alloc_rsrc_rsp {
+	uint8_t flow_ids[128]; /* Index of reserved entries */
+	uint8_t secy_ids[128];
+	uint8_t sc_ids[128];
+	uint8_t sa_ids[256];
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* No of entries reserved */
+	uint8_t dir;
+	uint8_t all;
+};
+
+struct roc_mcs_free_rsrc_req {
+	uint8_t rsrc_id; /* Index of the entry to be freed */
+	uint8_t rsrc_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the cam resources */
+};
+
+
+struct roc_mcs_sa_plcy_write_req {
+	uint64_t plcy[2][9];
+	uint8_t sa_index[2];
+	uint8_t sa_cnt;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -38,4 +71,14 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+
+/* Resource allocation and free */
+__roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+				 struct roc_mcs_alloc_rsrc_rsp *rsp);
+__roc_api int roc_mcs_rsrc_free(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *req);
+/* SA policy read and write */
+__roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
+				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
+__roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
+				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
new file mode 100644
index 0000000000..041be51b4b
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -0,0 +1,211 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+		   struct roc_mcs_alloc_rsrc_rsp *rsp)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_alloc_rsrc_req *rsrc_req;
+	struct mcs_alloc_rsrc_rsp *rsrc_rsp;
+	int rc, i;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rsrc_req = mbox_alloc_msg_mcs_alloc_resources(mcs->mbox);
+	if (rsrc_req == NULL)
+		return -ENOMEM;
+
+	rsrc_req->rsrc_type = req->rsrc_type;
+	rsrc_req->rsrc_cnt = req->rsrc_cnt;
+	rsrc_req->mcs_id = mcs->idx;
+	rsrc_req->dir = req->dir;
+	rsrc_req->all = req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsrc_rsp);
+	if (rc)
+		return rc;
+
+	if (rsrc_rsp->all) {
+		rsrc_rsp->rsrc_cnt = 1;
+		rsrc_rsp->rsrc_type = 0xFF;
+	}
+
+	for (i = 0; i < rsrc_rsp->rsrc_cnt; i++) {
+		switch (rsrc_rsp->rsrc_type) {
+		case MCS_RSRC_TYPE_FLOWID:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SECY:
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SC:
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SA:
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		default:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		}
+	}
+	rsp->rsrc_type = rsrc_rsp->rsrc_type;
+	rsp->rsrc_cnt = rsrc_rsp->rsrc_cnt;
+	rsp->dir = rsrc_rsp->dir;
+	rsp->all = rsrc_rsp->all;
+
+	return 0;
+}
+
+int
+roc_mcs_rsrc_free(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *free_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_free_rsrc_req *req;
+	struct msg_rsp *rsp;
+	uint32_t pos;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (free_req == NULL)
+		return -EINVAL;
+
+	req = mbox_alloc_msg_mcs_free_resources(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->rsrc_id = free_req->rsrc_id;
+	req->rsrc_type = free_req->rsrc_type;
+	req->mcs_id = mcs->idx;
+	req->dir = free_req->dir;
+	req->all = free_req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	switch (free_req->rsrc_type) {
+	case MCS_RSRC_TYPE_FLOWID:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->tcam_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.tcam_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].tcam_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].tcam_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SECY:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->secy_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.secy_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].secy_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SC:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sc_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sc_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sc_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SA:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sa_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sa_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sa_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sa_bmap, pos);
+				break;
+			}
+		}
+		break;
+	default:
+		break;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sa_policy_write(struct roc_mcs *mcs, struct roc_mcs_sa_plcy_write_req *sa_plcy)
+{
+	struct mcs_sa_plcy_write_req *sa;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (sa_plcy == NULL)
+		return -EINVAL;
+
+	sa = mbox_alloc_msg_mcs_sa_plcy_write(mcs->mbox);
+	if (sa == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(sa->plcy, sa_plcy->plcy, sizeof(uint64_t) * 2 * 9);
+	sa->sa_index[0] = sa_plcy->sa_index[0];
+	sa->sa_index[1] = sa_plcy->sa_index[1];
+	sa->sa_cnt = sa_plcy->sa_cnt;
+	sa->mcs_id = mcs->idx;
+	sa->dir = sa_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_sa_plcy_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 900290b866..bd8a3095f9 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,6 +139,10 @@ INTERNAL {
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
 	roc_mcs_hw_info_get;
+	roc_mcs_rsrc_alloc;
+	roc_mcs_rsrc_free;
+	roc_mcs_sa_policy_read;
+	roc_mcs_sa_policy_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v3 03/15] common/cnxk: add MACsec SC configuration APIs

[Akhil Goyal]

Added ROC APIs to configure MACsec secure channel(SC)
and its mapping with SAs for both Rx and Tx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  37 ++++++
 drivers/common/cnxk/roc_mcs.h         |  41 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 171 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   7 ++
 4 files changed, 256 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ab1173e805..40b761ee99 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,7 +300,10 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
+	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
+	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -726,6 +729,16 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+/* RX SC_CAM mapping */
+struct mcs_rx_sc_cam_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sci;     /* SCI */
+	uint64_t __io secy_id; /* secy index mapped to SC */
+	uint8_t __io sc_id;    /* SC CAM entry index */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_sa_plcy_write_req {
 	struct mbox_msghdr hdr;
 	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
@@ -736,6 +749,30 @@ struct mcs_sa_plcy_write_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_tx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index0;
+	uint8_t __io sa_index1;
+	uint8_t __io rekey_ena;
+	uint8_t __io sa_index0_vld;
+	uint8_t __io sa_index1_vld;
+	uint8_t __io tx_sa_active;
+	uint64_t __io sectag_sci;
+	uint8_t __io sc_id; /* used as index for SA_MEM_MAP */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_rx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index;
+	uint8_t __io sa_in_use;
+	uint8_t __io sc_id;
+	/* an range is 0-3, sc_id + an used as index SA_MEM_MAP */
+	uint8_t __io an;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
 
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index ea4c6ddc05..e947f93460 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,12 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+/* RX SC_CAM mapping */
+struct roc_mcs_rx_sc_cam_write_req {
+	uint64_t sci;	  /* SCI */
+	uint64_t secy_id; /* secy index mapped to SC */
+	uint8_t sc_id;	  /* SC CAM entry index */
+};
 
 struct roc_mcs_sa_plcy_write_req {
 	uint64_t plcy[2][9];
@@ -40,6 +46,24 @@ struct roc_mcs_sa_plcy_write_req {
 	uint8_t dir;
 };
 
+struct roc_mcs_tx_sc_sa_map {
+	uint8_t sa_index0;
+	uint8_t sa_index1;
+	uint8_t rekey_ena;
+	uint8_t sa_index0_vld;
+	uint8_t sa_index1_vld;
+	uint8_t tx_sa_active;
+	uint64_t sectag_sci;
+	uint8_t sc_id; /* used as index for SA_MEM_MAP */
+};
+
+struct roc_mcs_rx_sc_sa_map {
+	uint8_t sa_index;
+	uint8_t sa_in_use;
+	uint8_t sc_id;
+	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -81,4 +105,21 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* RX SC read, write and enable */
+__roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
+				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
+				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* RX SC-SA MAP read and write */
+__roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+__roc_api int roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+/* TX SC-SA MAP read and write */
+__roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+__roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 041be51b4b..9b87952112 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -209,3 +209,174 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+
+int
+roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_cam_write_req *rx_sc;
+	struct msg_rsp *rsp;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_cam == NULL)
+		return -EINVAL;
+
+	rx_sc = mbox_alloc_msg_mcs_rx_sc_cam_write(mcs->mbox);
+	if (rx_sc == NULL)
+		return -ENOMEM;
+
+	rx_sc->sci = rx_sc_cam->sci;
+	rx_sc->secy_id = rx_sc_cam->secy_id;
+	rx_sc->sc_id = rx_sc_cam->sc_id;
+	rx_sc->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, rx_sc_cam->secy_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sc_bmap, rx_sc_cam->sc_id);
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sc_id = rx_sc_sa_map->sc_id;
+	sa_map = mbox_alloc_msg_mcs_rx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index = rx_sc_sa_map->sa_index;
+	sa_map->sa_in_use = rx_sc_sa_map->sa_in_use;
+	sa_map->sc_id = rx_sc_sa_map->sc_id;
+	sa_map->an = rx_sc_sa_map->an;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, rx_sc_sa_map->sa_index);
+			priv->port_rsrc[i].sc_conf[sc_id].rx.sa_idx = rx_sc_sa_map->sa_index;
+			priv->port_rsrc[i].sc_conf[sc_id].rx.an = rx_sc_sa_map->an;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_tx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (tx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sa_map = mbox_alloc_msg_mcs_tx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index0 = tx_sc_sa_map->sa_index0;
+	sa_map->sa_index1 = tx_sc_sa_map->sa_index1;
+	sa_map->rekey_ena = tx_sc_sa_map->rekey_ena;
+	sa_map->sa_index0_vld = tx_sc_sa_map->sa_index0_vld;
+	sa_map->sa_index1_vld = tx_sc_sa_map->sa_index1_vld;
+	sa_map->tx_sa_active = tx_sc_sa_map->tx_sa_active;
+	sa_map->sectag_sci = tx_sc_sa_map->sectag_sci;
+	sa_map->sc_id = tx_sc_sa_map->sc_id;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	sc_id = tx_sc_sa_map->sc_id;
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id + priv->sc_entries);
+
+		if (set) {
+			uint32_t pos = priv->sa_entries + tx_sc_sa_map->sa_index0;
+
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx0 = tx_sc_sa_map->sa_index0;
+			pos = priv->sa_entries + tx_sc_sa_map->sa_index1;
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx1 = tx_sc_sa_map->sa_index1;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sci = tx_sc_sa_map->sectag_sci;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.rekey_enb = tx_sc_sa_map->rekey_ena;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index bd8a3095f9..dbfda62ad1 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -141,8 +141,15 @@ INTERNAL {
 	roc_mcs_hw_info_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
+	roc_mcs_rx_sc_cam_enable;
+	roc_mcs_rx_sc_cam_read;
+	roc_mcs_rx_sc_cam_write;
+	roc_mcs_rx_sc_sa_map_read;
+	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_tx_sc_sa_map_read;
+	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v3 04/15] common/cnxk: add MACsec secy and flow configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec secy policy and
flow entries.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  38 +++++++++
 drivers/common/cnxk/roc_mcs.h         |  37 +++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 115 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   5 ++
 4 files changed, 195 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 40b761ee99..fcfcc90f6c 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,10 +300,14 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_FLOWID_ENTRY_WRITE, 0xa002, mcs_flowid_entry_write, mcs_flowid_entry_write_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_SECY_PLCY_WRITE, 0xa003, mcs_secy_plcy_write, mcs_secy_plcy_write_req, msg_rsp)      \
 	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
+	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -729,6 +733,31 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_entry_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data[4];
+	uint64_t __io mask[4];
+	uint64_t __io sci; /* CNF10K-B for tx_secy_mem_map */
+	uint8_t __io flow_id;
+	uint8_t __io secy_id; /* secyid for which flowid is mapped */
+	/* sc_id is Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t __io sc_id;
+	uint8_t __io ena; /* Enable tcam entry */
+	uint8_t __io ctr_pkt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy;
+	uint8_t __io secy_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 /* RX SC_CAM mapping */
 struct mcs_rx_sc_cam_write_req {
 	struct mbox_msghdr hdr;
@@ -774,6 +803,15 @@ struct mcs_rx_sc_sa_map {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_ena_dis_entry {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_id;
+	uint8_t __io ena;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index e947f93460..38c2d5626a 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,24 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+struct roc_mcs_flowid_entry_write_req {
+	uint64_t data[4];
+	uint64_t mask[4];
+	uint64_t sci; /* 105N for tx_secy_mem_map */
+	uint8_t flow_id;
+	uint8_t secy_id; /* secyid for which flowid is mapped */
+	uint8_t sc_id;	 /* Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t ena;	 /* Enable tcam entry */
+	uint8_t ctr_pkt;
+	uint8_t dir;
+};
+
+struct roc_mcs_secy_plcy_write_req {
+	uint64_t plcy;
+	uint8_t secy_id;
+	uint8_t dir;
+};
+
 /* RX SC_CAM mapping */
 struct roc_mcs_rx_sc_cam_write_req {
 	uint64_t sci;	  /* SCI */
@@ -64,6 +82,12 @@ struct roc_mcs_rx_sc_sa_map {
 	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
 };
 
+struct roc_mcs_flowid_ena_dis_entry {
+	uint8_t flow_id;
+	uint8_t ena;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -112,6 +136,11 @@ __roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
 				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 __roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
 				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* SECY policy read and write */
+__roc_api int roc_mcs_secy_policy_write(struct roc_mcs *mcs,
+					struct roc_mcs_secy_plcy_write_req *secy_plcy);
+__roc_api int roc_mcs_secy_policy_read(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 /* RX SC-SA MAP read and write */
 __roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
@@ -122,4 +151,12 @@ __roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 __roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
 					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+/* Flow entry read, write and enable */
+__roc_api int roc_mcs_flowid_entry_write(struct roc_mcs *mcs,
+					 struct roc_mcs_flowid_entry_write_req *flowid_req);
+__roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
+					struct roc_mcs_flowid_entry_write_req *flowid_rsp);
+__roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
+					  struct roc_mcs_flowid_ena_dis_entry *entry);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 9b87952112..44b4919bbc 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -267,6 +267,38 @@ roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_secy_policy_write(struct roc_mcs *mcs, struct roc_mcs_secy_plcy_write_req *secy_plcy)
+{
+	struct mcs_secy_plcy_write_req *secy;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (secy_plcy == NULL)
+		return -EINVAL;
+
+	secy = mbox_alloc_msg_mcs_secy_plcy_write(mcs->mbox);
+	if (secy == NULL)
+		return -ENOMEM;
+
+	secy->plcy = secy_plcy->plcy;
+	secy->secy_id = secy_plcy->secy_id;
+	secy->mcs_id = mcs->idx;
+	secy->dir = secy_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_secy_policy_read(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
 int
 roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
 {
@@ -380,3 +412,86 @@ roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+int
+roc_mcs_flowid_entry_write(struct roc_mcs *mcs, struct roc_mcs_flowid_entry_write_req *flowid_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_flowid_entry_write_req *flow_req;
+	struct msg_rsp *rsp;
+	uint8_t port;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (flowid_req == NULL)
+		return -EINVAL;
+
+	flow_req = mbox_alloc_msg_mcs_flowid_entry_write(mcs->mbox);
+	if (flow_req == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(flow_req->data, flowid_req->data, sizeof(uint64_t) * 4);
+	mbox_memcpy(flow_req->mask, flowid_req->mask, sizeof(uint64_t) * 4);
+	flow_req->sci = flowid_req->sci;
+	flow_req->flow_id = flowid_req->flow_id;
+	flow_req->secy_id = flowid_req->secy_id;
+	flow_req->sc_id = flowid_req->sc_id;
+	flow_req->ena = flowid_req->ena;
+	flow_req->ctr_pkt = flowid_req->ctr_pkt;
+	flow_req->mcs_id = mcs->idx;
+	flow_req->dir = flowid_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (flow_req->mask[3] & (BIT_ULL(10) | BIT_ULL(11)))
+		return rc;
+
+	port = (flow_req->data[3] >> 10) & 0x3;
+
+	plt_bitmap_set(priv->port_rsrc[port].tcam_bmap,
+		       flowid_req->flow_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->tcam_entries : 0));
+	plt_bitmap_set(priv->port_rsrc[port].secy_bmap,
+		       flowid_req->secy_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->secy_entries : 0));
+
+	if (flowid_req->dir == MCS_TX)
+		plt_bitmap_set(priv->port_rsrc[port].sc_bmap, priv->sc_entries + flowid_req->sc_id);
+
+	return 0;
+}
+
+int
+roc_mcs_flowid_entry_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_flowid_entry_write_req *flowid_rsp __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_flowid_entry_enable(struct roc_mcs *mcs, struct roc_mcs_flowid_ena_dis_entry *entry)
+{
+	struct mcs_flowid_ena_dis_entry *flow_entry;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (entry == NULL)
+		return -EINVAL;
+
+	flow_entry = mbox_alloc_msg_mcs_flowid_ena_entry(mcs->mbox);
+	if (flow_entry == NULL)
+		return -ENOMEM;
+
+	flow_entry->flow_id = entry->flow_id;
+	flow_entry->ena = entry->ena;
+	flow_entry->mcs_id = mcs->idx;
+	flow_entry->dir = entry->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index dbfda62ad1..3d9da3b187 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -138,6 +138,9 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_flowid_entry_enable;
+	roc_mcs_flowid_entry_read;
+	roc_mcs_flowid_entry_write;
 	roc_mcs_hw_info_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
@@ -148,6 +151,8 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_secy_policy_read;
+	roc_mcs_secy_policy_write;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH v3 05/15] common/cnxk: add MACsec PN and LMAC mode configuration

[Akhil Goyal]

Added ROC APIs for setting packet number and LMAC
related configurations.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        | 56 +++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c         | 71 +++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h         | 48 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 31 ++++++++++++
 drivers/common/cnxk/version.map       |  5 ++
 5 files changed, 211 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index fcfcc90f6c..62c5c3a3ce 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -308,7 +308,11 @@ struct mbox_msghdr {
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
+	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
+	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
+	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -812,6 +816,34 @@ struct mcs_flowid_ena_dis_entry {
 	uint64_t __io rsvd;
 };
 
+struct mcs_pn_table_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io next_pn;
+	uint8_t __io pn_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io reg_val[10];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
@@ -822,6 +854,30 @@ struct mcs_hw_info {
 	uint64_t __io rsvd[16];
 };
 
+struct mcs_set_active_lmac {
+	struct mbox_msghdr hdr;
+	uint32_t __io lmac_bmap; /* bitmap of active lmac per mcs block */
+	uint8_t __io mcs_id;
+	uint16_t __io channel_base; /* MCS channel base */
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_lmac_mode {
+	struct mbox_msghdr hdr;
+	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_pn_threshold {
+	struct mbox_msghdr hdr;
+	uint64_t __io threshold;
+	uint8_t __io xpn; /* '1' for setting xpn threshold */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
 
 /* NPA mbox message formats */
 
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 20433eae83..38f1e9b2f7 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -38,6 +38,77 @@ roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 	return rc;
 }
 
+int
+roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac)
+{
+	struct mcs_set_active_lmac *req;
+	struct msg_rsp *rsp;
+
+	/* Only needed for 105N */
+	if (!roc_model_is_cnf10kb())
+		return 0;
+
+	if (lmac == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_active_lmac(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_bmap = lmac->lmac_bmap;
+	req->channel_base = lmac->channel_base;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
+{
+	struct mcs_set_lmac_mode *req;
+	struct msg_rsp *rsp;
+
+	if (port == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_lmac_mode(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_id = port->lmac_id;
+	req->mcs_id = mcs->idx;
+	req->mode = port->mode;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn)
+{
+	struct mcs_set_pn_threshold *req;
+	struct msg_rsp *rsp;
+
+	if (pn == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_pn_threshold(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->threshold = pn->threshold;
+	req->mcs_id = mcs->idx;
+	req->dir = pn->dir;
+	req->xpn = pn->xpn;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 38c2d5626a..bedae3bf42 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -88,6 +88,25 @@ struct roc_mcs_flowid_ena_dis_entry {
 	uint8_t dir;
 };
 
+struct roc_mcs_pn_table_write_req {
+	uint64_t next_pn;
+	uint8_t pn_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_req {
+	uint8_t rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_rsp {
+	uint64_t reg_val[10];
+	uint8_t rsrc_type;
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -97,6 +116,24 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+struct roc_mcs_set_lmac_mode {
+	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_active_lmac {
+	uint32_t lmac_bmap;    /* bitmap of active lmac per mcs block */
+	uint16_t channel_base; /* MCS channel base */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_pn_threshold {
+	uint64_t threshold;
+	uint8_t xpn; /* '1' for setting xpn threshold */
+	uint8_t dir;
+	uint64_t rsvd;
+};
 
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
@@ -119,6 +156,12 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+/* Active lmac bmap set */
+__roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac);
+/* Port bypass mode set */
+__roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
+/* (X)PN threshold set */
+__roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -129,6 +172,11 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* PN Table read and write */
+__roc_api int roc_mcs_pn_table_write(struct roc_mcs *mcs,
+				     struct roc_mcs_pn_table_write_req *pn_table);
+__roc_api int roc_mcs_pn_table_read(struct roc_mcs *mcs,
+				    struct roc_mcs_pn_table_write_req *pn_table);
 /* RX SC read, write and enable */
 __roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
 				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 44b4919bbc..7b3a4c91e8 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -210,6 +210,37 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_pn_table_write(struct roc_mcs *mcs, struct roc_mcs_pn_table_write_req *pn_table)
+{
+	struct mcs_pn_table_write_req *pn;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (pn_table == NULL)
+		return -EINVAL;
+
+	pn = mbox_alloc_msg_mcs_pn_table_write(mcs->mbox);
+	if (pn == NULL)
+		return -ENOMEM;
+
+	pn->next_pn = pn_table->next_pn;
+	pn->pn_id = pn_table->pn_id;
+	pn->mcs_id = mcs->idx;
+	pn->dir = pn_table->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_table_read(struct roc_mcs *mcs __plt_unused,
+		      struct roc_mcs_pn_table_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
 
 int
 roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 3d9da3b187..0591747961 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -135,6 +135,7 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_active_lmac_set;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
@@ -142,6 +143,10 @@ INTERNAL {
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_hw_info_get;
+	roc_mcs_lmac_mode_set;
+	roc_mcs_pn_table_write;
+	roc_mcs_pn_table_read;
+	roc_mcs_pn_threshold_set;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
 	roc_mcs_rx_sc_cam_enable;
-- 
2.25.1

[PATCH v3 06/15] common/cnxk: add MACsec stats

[Akhil Goyal]

Added ROC APIs for MACsec stats for SC/SECY/FLOW/PORT

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_mbox.h      |  93 ++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  85 ++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c | 193 ++++++++++++++++++++++++++++
 drivers/common/cnxk/version.map     |   5 +
 5 files changed, 377 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 589baf74fe..79e10bac74 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -28,6 +28,7 @@ sources = files(
         'roc_mbox.c',
         'roc_mcs.c',
         'roc_mcs_sec_cfg.c',
+        'roc_mcs_stats.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 62c5c3a3ce..3f3a6aadc8 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -311,6 +311,11 @@ struct mbox_msghdr {
 	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
 	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_GET_FLOWID_STATS, 0xa00c, mcs_get_flowid_stats, mcs_stats_req, mcs_flowid_stats)     \
+	M(MCS_GET_SECY_STATS, 0xa00d, mcs_get_secy_stats, mcs_stats_req, mcs_secy_stats)           \
+	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
+	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
+	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -879,6 +884,94 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_stats_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_flowid_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_hit_cnt;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl_pkt_bcast_cnt;
+	uint64_t __io ctl_pkt_mcast_cnt;
+	uint64_t __io ctl_pkt_ucast_cnt;
+	uint64_t __io ctl_octet_cnt;
+	uint64_t __io unctl_pkt_bcast_cnt;
+	uint64_t __io unctl_pkt_mcast_cnt;
+	uint64_t __io unctl_pkt_ucast_cnt;
+	uint64_t __io unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t __io octet_decrypted_cnt;
+	uint64_t __io octet_validated_cnt;
+	uint64_t __io pkt_port_disabled_cnt;
+	uint64_t __io pkt_badtag_cnt;
+	uint64_t __io pkt_nosa_cnt;
+	uint64_t __io pkt_nosaerror_cnt;
+	uint64_t __io pkt_tagged_ctl_cnt;
+	uint64_t __io pkt_untaged_cnt;
+	uint64_t __io pkt_ctl_cnt;   /* CN10K-B */
+	uint64_t __io pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t __io octet_encrypted_cnt;
+	uint64_t __io octet_protected_cnt;
+	uint64_t __io pkt_noactivesa_cnt;
+	uint64_t __io pkt_toolong_cnt;
+	uint64_t __io pkt_untagged_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_port_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_miss_cnt;
+	uint64_t __io parser_err_cnt;
+	uint64_t __io preempt_err_cnt; /* CNF10K-B */
+	uint64_t __io sectag_insert_err_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_sc_stats {
+	struct mbox_msghdr hdr;
+	/* RX */
+	uint64_t __io hit_cnt;
+	uint64_t __io pkt_invalid_cnt;
+	uint64_t __io pkt_late_cnt;
+	uint64_t __io pkt_notvalid_cnt;
+	uint64_t __io pkt_unchecked_cnt;
+	uint64_t __io pkt_delay_cnt;	  /* CNF10K-B */
+	uint64_t __io pkt_ok_cnt;	  /* CNF10K-B */
+	uint64_t __io octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t __io octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t __io pkt_encrypt_cnt;
+	uint64_t __io pkt_protected_cnt;
+	uint64_t __io octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t __io octet_protected_cnt; /* CN10K-B */
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_clear_stats {
+	struct mbox_msghdr hdr;
+#define MCS_FLOWID_STATS 0
+#define MCS_SECY_STATS	 1
+#define MCS_SC_STATS	 2
+#define MCS_SA_STATS	 3
+#define MCS_PORT_STATS	 4
+	uint8_t __io type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* All resources stats mapped to PF are cleared */
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index bedae3bf42..3fbeee13fa 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -135,6 +135,76 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_stats_req {
+	uint8_t id;
+	uint8_t dir;
+};
+
+struct roc_mcs_flowid_stats {
+	uint64_t tcam_hit_cnt;
+};
+
+struct roc_mcs_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;	/* CN10K-B */
+	uint64_t pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct roc_mcs_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;	     /* CNF10K-B */
+	uint64_t pkt_ok_cnt;	     /* CNF10K-B */
+	uint64_t octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t octet_protected_cnt; /* CN10K-B */
+};
+
+struct roc_mcs_port_stats {
+	uint64_t tcam_miss_cnt;
+	uint64_t parser_err_cnt;
+	uint64_t preempt_err_cnt; /* CNF10K-B */
+	uint64_t sectag_insert_err_cnt;
+};
+
+struct roc_mcs_clear_stats {
+	uint8_t type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t id;
+	uint8_t dir;
+	uint8_t all; /* All resources stats mapped to PF are cleared */
+};
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -207,4 +277,19 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Flow id stats get */
+__roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				       struct roc_mcs_flowid_stats *stats);
+/* Secy stats get */
+__roc_api int roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_secy_stats *stats);
+/* SC stats get */
+__roc_api int roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				   struct roc_mcs_sc_stats *stats);
+/* Port stats get */
+__roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_port_stats *stats);
+/* Clear stats */
+__roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_stats.c b/drivers/common/cnxk/roc_mcs_stats.c
new file mode 100644
index 0000000000..24ac8a31cd
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_stats.c
@@ -0,0 +1,193 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+			 struct roc_mcs_flowid_stats *stats)
+{
+	struct mcs_flowid_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_flowid_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_hit_cnt = rsp->tcam_hit_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_secy_stats *stats)
+{
+	struct mcs_secy_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_secy_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->ctl_pkt_bcast_cnt = rsp->ctl_pkt_bcast_cnt;
+	stats->ctl_pkt_mcast_cnt = rsp->ctl_pkt_mcast_cnt;
+	stats->ctl_pkt_ucast_cnt = rsp->ctl_pkt_ucast_cnt;
+	stats->ctl_octet_cnt = rsp->ctl_octet_cnt;
+	stats->unctl_pkt_bcast_cnt = rsp->unctl_pkt_bcast_cnt;
+	stats->unctl_pkt_mcast_cnt = rsp->unctl_pkt_mcast_cnt;
+	stats->unctl_pkt_ucast_cnt = rsp->unctl_pkt_ucast_cnt;
+	stats->unctl_octet_cnt = rsp->unctl_octet_cnt;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->octet_decrypted_cnt = rsp->octet_decrypted_cnt;
+		stats->octet_validated_cnt = rsp->octet_validated_cnt;
+		stats->pkt_port_disabled_cnt = rsp->pkt_port_disabled_cnt;
+		stats->pkt_badtag_cnt = rsp->pkt_badtag_cnt;
+		stats->pkt_nosa_cnt = rsp->pkt_nosa_cnt;
+		stats->pkt_nosaerror_cnt = rsp->pkt_nosaerror_cnt;
+		stats->pkt_tagged_ctl_cnt = rsp->pkt_tagged_ctl_cnt;
+		stats->pkt_untaged_cnt = rsp->pkt_untaged_cnt;
+		if (roc_model_is_cn10kb_a0())
+			/* CN10K-B */
+			stats->pkt_ctl_cnt = rsp->pkt_ctl_cnt;
+		else
+			/* CNF10K-B */
+			stats->pkt_notag_cnt = rsp->pkt_notag_cnt;
+	} else {
+		stats->octet_encrypted_cnt = rsp->octet_encrypted_cnt;
+		stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		stats->pkt_noactivesa_cnt = rsp->pkt_noactivesa_cnt;
+		stats->pkt_toolong_cnt = rsp->pkt_toolong_cnt;
+		stats->pkt_untagged_cnt = rsp->pkt_untagged_cnt;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		     struct roc_mcs_sc_stats *stats)
+{
+	struct mcs_stats_req *req;
+	struct mcs_sc_stats *rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_sc_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->hit_cnt = rsp->hit_cnt;
+		stats->pkt_invalid_cnt = rsp->pkt_invalid_cnt;
+		stats->pkt_late_cnt = rsp->pkt_late_cnt;
+		stats->pkt_notvalid_cnt = rsp->pkt_notvalid_cnt;
+		stats->pkt_unchecked_cnt = rsp->pkt_unchecked_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_decrypt_cnt = rsp->octet_decrypt_cnt;
+			stats->octet_validate_cnt = rsp->octet_validate_cnt;
+		} else {
+			stats->pkt_delay_cnt = rsp->pkt_delay_cnt;
+			stats->pkt_ok_cnt = rsp->pkt_ok_cnt;
+		}
+	} else {
+		stats->pkt_encrypt_cnt = rsp->pkt_encrypt_cnt;
+		stats->pkt_protected_cnt = rsp->pkt_protected_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_encrypt_cnt = rsp->octet_encrypt_cnt;
+			stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		}
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_port_stats *stats)
+{
+	struct mcs_port_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_port_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_miss_cnt = rsp->tcam_miss_cnt;
+	stats->parser_err_cnt = rsp->parser_err_cnt;
+	if (roc_model_is_cnf10kb())
+		stats->preempt_err_cnt = rsp->preempt_err_cnt;
+
+	stats->sectag_insert_err_cnt = rsp->sectag_insert_err_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req)
+{
+	struct mcs_clear_stats *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (!roc_model_is_cn10kb_a0() && mcs_req->type == MCS_SA_STATS)
+		return MCS_ERR_HW_NOTSUP;
+
+	req = mbox_alloc_msg_mcs_clear_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->type = mcs_req->type;
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+	req->all = mcs_req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 0591747961..d8890e3538 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -142,11 +142,13 @@ INTERNAL {
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
+	roc_mcs_flowid_stats_get;
 	roc_mcs_hw_info_get;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_stats_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
 	roc_mcs_rx_sc_cam_enable;
@@ -156,8 +158,11 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_sc_stats_get;
 	roc_mcs_secy_policy_read;
 	roc_mcs_secy_policy_write;
+	roc_mcs_secy_stats_get;
+	roc_mcs_stats_clear;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH v3 07/15] common/cnxk: add MACsec interrupt APIs

[Akhil Goyal]

Added ROC APIs to support various MACsec interrupts.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_dev.c      |  86 +++++++++++++++++
 drivers/common/cnxk/roc_mbox.h     |  37 +++++++-
 drivers/common/cnxk/roc_mcs.c      | 117 +++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h      | 144 +++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h |   8 ++
 drivers/common/cnxk/version.map    |   3 +
 6 files changed, 394 insertions(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/roc_dev.c b/drivers/common/cnxk/roc_dev.c
index 571679c968..4b0ba218ed 100644
--- a/drivers/common/cnxk/roc_dev.c
+++ b/drivers/common/cnxk/roc_dev.c
@@ -527,6 +527,91 @@ pf_vf_mbox_send_up_msg(struct dev *dev, void *rec_msg)
 	}
 }
 
+static int
+mbox_up_handler_mcs_intr_notify(struct dev *dev, struct mcs_intr_info *info, struct msg_rsp *rsp)
+{
+	struct roc_mcs_event_desc desc = {0};
+	struct roc_mcs *mcs;
+
+	plt_base_dbg("pf:%d/vf:%d msg id 0x%x (%s) from: pf:%d/vf:%d", dev_get_pf(dev->pf_func),
+		     dev_get_vf(dev->pf_func), info->hdr.id, mbox_id2name(info->hdr.id),
+		     dev_get_pf(info->hdr.pcifunc), dev_get_vf(info->hdr.pcifunc));
+
+	mcs = roc_idev_mcs_get(info->mcs_id);
+	if (!mcs)
+		goto exit;
+
+	if (info->intr_mask) {
+		switch (info->intr_mask) {
+		case MCS_CPM_RX_SECTAG_V_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_V_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SL_GTE48_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SL_GTE48;
+			break;
+		case MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		case MCS_CPM_RX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_RX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_SA_NOT_VALID_INT:
+			desc.type = ROC_MCS_EVENT_SA_NOT_VALID;
+			break;
+		case MCS_BBE_RX_DFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_DFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_DATA_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_BBE_RX_PLFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_PLFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_PAB_RX_CHAN_OVERFLOW_INT:
+		case MCS_PAB_TX_CHAN_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		default:
+			goto exit;
+		}
+
+		mcs_event_cb_process(mcs, &desc);
+	}
+
+exit:
+	rsp->hdr.rc = 0;
+	return 0;
+}
+
 static int
 mbox_up_handler_cgx_link_event(struct dev *dev, struct cgx_link_info_msg *msg,
 			       struct msg_rsp *rsp)
@@ -615,6 +700,7 @@ mbox_process_msgs_up(struct dev *dev, struct mbox_msghdr *req)
 		return err;                                                    \
 	}
 		MBOX_UP_CGX_MESSAGES
+		MBOX_UP_MCS_MESSAGES
 #undef M
 	}
 
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 3f3a6aadc8..d964ba9f9d 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -316,6 +316,7 @@ struct mbox_msghdr {
 	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
 	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
 	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
+	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -324,9 +325,11 @@ struct mbox_msghdr {
 	M(CGX_LINK_EVENT, 0xC00, cgx_link_event, cgx_link_info_msg, msg_rsp)   \
 	M(CGX_PTP_RX_INFO, 0xC01, cgx_ptp_rx_info, cgx_ptp_rx_info_msg, msg_rsp)
 
+#define MBOX_UP_MCS_MESSAGES M(MCS_INTR_NOTIFY, 0xE00, mcs_intr_notify, mcs_intr_info, msg_rsp)
+
 enum {
 #define M(_name, _id, _1, _2, _3) MBOX_MSG_##_name = _id,
-	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES
+	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES MBOX_UP_MCS_MESSAGES
 #undef M
 };
 
@@ -867,6 +870,38 @@ struct mcs_set_active_lmac {
 	uint64_t __io rsvd;
 };
 
+#define MCS_CPM_RX_SECTAG_V_EQ1_INT	     BIT_ULL(0)
+#define MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT    BIT_ULL(1)
+#define MCS_CPM_RX_SECTAG_SL_GTE48_INT	     BIT_ULL(2)
+#define MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT  BIT_ULL(3)
+#define MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define MCS_CPM_RX_PACKET_XPN_EQ0_INT	     BIT_ULL(5)
+#define MCS_CPM_RX_PN_THRESH_REACHED_INT     BIT_ULL(6)
+#define MCS_CPM_TX_PACKET_XPN_EQ0_INT	     BIT_ULL(7)
+#define MCS_CPM_TX_PN_THRESH_REACHED_INT     BIT_ULL(8)
+#define MCS_CPM_TX_SA_NOT_VALID_INT	     BIT_ULL(9)
+#define MCS_BBE_RX_DFIFO_OVERFLOW_INT	     BIT_ULL(10)
+#define MCS_BBE_RX_PLFIFO_OVERFLOW_INT	     BIT_ULL(11)
+#define MCS_BBE_TX_DFIFO_OVERFLOW_INT	     BIT_ULL(12)
+#define MCS_BBE_TX_PLFIFO_OVERFLOW_INT	     BIT_ULL(13)
+#define MCS_PAB_RX_CHAN_OVERFLOW_INT	     BIT_ULL(14)
+#define MCS_PAB_TX_CHAN_OVERFLOW_INT	     BIT_ULL(15)
+
+struct mcs_intr_cfg {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask; /* Interrupt enable mask */
+	uint8_t __io mcs_id;
+};
+
+struct mcs_intr_info {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask;
+	int __io sa_id;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_set_lmac_mode {
 	struct mbox_msghdr hdr;
 	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 38f1e9b2f7..e9090da575 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -5,6 +5,18 @@
 #include "roc_api.h"
 #include "roc_priv.h"
 
+struct mcs_event_cb {
+	TAILQ_ENTRY(mcs_event_cb) next;
+	enum roc_mcs_event_type event;
+	roc_mcs_dev_cb_fn cb_fn;
+	void *cb_arg;
+	void *ret_param;
+	uint32_t active;
+};
+TAILQ_HEAD(mcs_event_cb_list, mcs_event_cb);
+
+PLT_STATIC_ASSERT(ROC_MCS_MEM_SZ >= (sizeof(struct mcs_priv) + sizeof(struct mcs_event_cb_list)));
+
 int
 roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 {
@@ -109,6 +121,107 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
+{
+	struct mcs_intr_cfg *req;
+	struct msg_rsp *rsp;
+
+	if (config == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_intr_cfg(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->intr_mask = config->intr_mask;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb;
+
+	if (cb_fn == NULL || cb_arg == NULL || userdata == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	TAILQ_FOREACH (cb, cb_list, next) {
+		if (cb->cb_fn == cb_fn && cb->cb_arg == cb_arg && cb->event == event)
+			break;
+	}
+
+	if (cb == NULL) {
+		cb = plt_zmalloc(sizeof(struct mcs_event_cb), 0);
+		if (!cb)
+			return -ENOMEM;
+
+		cb->cb_fn = cb_fn;
+		cb->cb_arg = cb_arg;
+		cb->event = event;
+		mcs->userdata = userdata;
+		TAILQ_INSERT_TAIL(cb_list, cb, next);
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb, *next;
+
+	MCS_SUPPORT_CHECK;
+
+	for (cb = TAILQ_FIRST(cb_list); cb != NULL; cb = next) {
+		next = TAILQ_NEXT(cb, next);
+
+		if (cb->event != event)
+			continue;
+
+		if (cb->active == 0) {
+			TAILQ_REMOVE(cb_list, cb, next);
+			plt_free(cb);
+		} else {
+			return -EAGAIN;
+		}
+	}
+
+	return 0;
+}
+
+int
+mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb mcs_cb;
+	struct mcs_event_cb *cb;
+	int rc = 0;
+
+	TAILQ_FOREACH (cb, cb_list, next) {
+		if (cb->cb_fn == NULL || cb->event != desc->type)
+			continue;
+
+		mcs_cb = *cb;
+		cb->active = 1;
+		mcs_cb.ret_param = desc;
+
+		rc = mcs_cb.cb_fn(mcs->userdata, mcs_cb.ret_param, mcs_cb.cb_arg);
+		cb->active = 0;
+	}
+
+	return rc;
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
@@ -227,6 +340,7 @@ mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
 struct roc_mcs *
 roc_mcs_dev_init(uint8_t mcs_idx)
 {
+	struct mcs_event_cb_list *cb_list;
 	struct roc_mcs *mcs;
 	struct npa_lf *npa;
 
@@ -255,6 +369,9 @@ roc_mcs_dev_init(uint8_t mcs_idx)
 	if (mcs_alloc_rsrc_bmap(mcs))
 		goto exit;
 
+	cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	TAILQ_INIT(cb_list);
+
 	roc_idev_mcs_set(mcs);
 	mcs->refcount++;
 
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 3fbeee13fa..b2ca6ee51b 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -116,6 +116,34 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+#define ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT		 BIT_ULL(0)
+#define ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT	 BIT_ULL(1)
+#define ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT	 BIT_ULL(2)
+#define ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT	 BIT_ULL(3)
+#define ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT	 BIT_ULL(5)
+#define ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT	 BIT_ULL(6)
+#define ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT	 BIT_ULL(7)
+#define ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT	 BIT_ULL(8)
+#define ROC_MCS_CPM_TX_SA_NOT_VALID_INT		 BIT_ULL(9)
+#define ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT	 BIT_ULL(10)
+#define ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT	 BIT_ULL(11)
+#define ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT	 BIT_ULL(12)
+#define ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT	 BIT_ULL(13)
+#define ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT	 BIT_ULL(14)
+#define ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT	 BIT_ULL(15)
+
+struct roc_mcs_intr_cfg {
+	uint64_t intr_mask; /* Interrupt enable mask */
+};
+
+struct roc_mcs_intr_info {
+	uint64_t intr_mask;
+	int sa_id;
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_set_lmac_mode {
 	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
 	uint8_t lmac_id;
@@ -205,6 +233,113 @@ struct roc_mcs_clear_stats {
 	uint8_t all; /* All resources stats mapped to PF are cleared */
 };
 
+enum roc_mcs_event_subtype {
+	ROC_MCS_SUBEVENT_UNKNOWN,
+
+	/* subevents of ROC_MCS_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * ROC_MCS_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	ROC_MCS_EVENT_RX_SECTAG_V_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SL_GTE48,
+	ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+
+	/* subevents of ROC_MCS_EVENT_FIFO_OVERFLOW error event
+	 * ROC_MCS_EVENT_DATA_FIFO_OVERFLOW:
+	 *	Notifies data FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW
+	 *	Notifies policy FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+	 *	Notifies output FIFO overflow fatal error in PAB unit.
+	 */
+	ROC_MCS_EVENT_DATA_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+};
+
+enum roc_mcs_event_type {
+	ROC_MCS_EVENT_UNKNOWN,
+
+	/* Notifies BBE_INT_DFIFO/PLFIFO_OVERFLOW or PAB_INT_OVERFLOW
+	 * interrupts, it's a fatal error that causes packet corruption.
+	 */
+	ROC_MCS_EVENT_FIFO_OVERFLOW,
+
+	/* Notifies CPM_RX_SECTAG_X validation error interrupt */
+	ROC_MCS_EVENT_SECTAG_VAL_ERR,
+	/* Notifies CPM_RX_PACKET_XPN_EQ0 (SecTag.PN == 0 in ingress) interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_HARD_EXP,
+	/* Notifies CPM_RX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_PACKET_XPN_EQ0 (PN wrapped in egress) interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_HARD_EXP,
+	/* Notifies CPM_TX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_SA_NOT_VALID interrupt */
+	ROC_MCS_EVENT_SA_NOT_VALID,
+	/* Notifies recovery of software driven port reset */
+	ROC_MCS_EVENT_PORT_RESET_RECOVERY,
+};
+
+union roc_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, ROC driver resets below attributes of active
+	 * flow entities(sc & sa) and than resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  ROC driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct roc_mcs_event_desc {
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	union roc_mcs_event_data metadata;
+};
+
+/** User application callback to be registered for any notifications from driver. */
+typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -292,4 +427,13 @@ __roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_r
 /* Clear stats */
 __roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
 
+/* Register user callback routines */
+__roc_api int roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+					roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata);
+/* Unregister user callback routines */
+__roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event);
+
+/* Configure interrupts */
+__roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
index 9e0bbe4392..8da03f4295 100644
--- a/drivers/common/cnxk/roc_mcs_priv.h
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -62,4 +62,12 @@ roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
 	return (struct mcs_priv *)&roc_mcs->reserved[0];
 }
 
+static inline void *
+roc_mcs_to_mcs_cb_list(struct roc_mcs *roc_mcs)
+{
+	return (void *)((uintptr_t)roc_mcs->reserved + sizeof(struct mcs_priv));
+}
+
+int mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc);
+
 #endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index d8890e3538..d10dfcd84e 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,11 +139,14 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_event_cb_register;
+	roc_mcs_event_cb_unregister;
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_flowid_stats_get;
 	roc_mcs_hw_info_get;
+	roc_mcs_intr_configure;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
-- 
2.25.1

[PATCH v3 08/15] common/cnxk: add MACsec port configuration

[Akhil Goyal]

Added ROC APIs for MACsec port configurations

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  40 ++++
 drivers/common/cnxk/roc_mcs.c   | 346 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  48 +++++
 drivers/common/cnxk/version.map |   4 +
 4 files changed, 438 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index d964ba9f9d..d7c0385a8b 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -319,6 +319,9 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
+	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
+	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -919,6 +922,43 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_port_cfg_set_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_reset_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io reset;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_stats_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io id;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index e9090da575..e6e6197a49 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -76,6 +76,25 @@ roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lma
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+static int
+mcs_port_reset_set(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port, uint8_t reset)
+{
+	struct mcs_port_reset_req *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_port_reset(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->reset = reset;
+	req->lmac_id = port->port_id;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
 {
@@ -121,6 +140,64 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
+{
+	struct mcs_port_cfg_set_req *set_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	set_req = mbox_alloc_msg_mcs_port_cfg_set(mcs->mbox);
+	if (set_req == NULL)
+		return -ENOMEM;
+
+	set_req->cstm_tag_rel_mode_sel = req->cstm_tag_rel_mode_sel;
+	set_req->custom_hdr_enb = req->custom_hdr_enb;
+	set_req->fifo_skid = req->fifo_skid;
+	set_req->lmac_mode = req->port_mode;
+	set_req->lmac_id = req->port_id;
+	set_req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+		     struct roc_mcs_port_cfg_get_rsp *rsp)
+{
+	struct mcs_port_cfg_get_req *get_req;
+	struct mcs_port_cfg_get_rsp *get_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_port_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->lmac_id = req->port_id;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	rsp->cstm_tag_rel_mode_sel = get_rsp->cstm_tag_rel_mode_sel;
+	rsp->custom_hdr_enb = get_rsp->custom_hdr_enb;
+	rsp->fifo_skid = get_rsp->fifo_skid;
+	rsp->port_mode = get_rsp->lmac_mode;
+	rsp->port_id = get_rsp->lmac_id;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
@@ -142,6 +219,275 @@ roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata, uint8_t port_id)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct roc_mcs_pn_table_write_req pn_table = {0};
+	struct roc_mcs_rx_sc_sa_map rx_map = {0};
+	struct roc_mcs_tx_sc_sa_map tx_map = {0};
+	struct roc_mcs_port_reset_req port = {0};
+	struct roc_mcs_clear_stats stats = {0};
+	int tx_cnt = 0, rx_cnt = 0, rc = 0;
+	uint64_t set;
+	int i;
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 1);
+
+	/* Reset TX/RX PN tables */
+	for (i = 0; i < (priv->sa_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+		if (set) {
+			pn_table.pn_id = i;
+			pn_table.next_pn = 1;
+			pn_table.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				pn_table.dir = MCS_TX;
+				pn_table.pn_id -= priv->sa_entries;
+			}
+			rc = roc_mcs_pn_table_write(mcs, &pn_table);
+			if (rc)
+				return rc;
+
+			if (i >= priv->sa_entries)
+				tx_cnt++;
+			else
+				rx_cnt++;
+		}
+	}
+
+	if (tx_cnt || rx_cnt) {
+		mdata->tx_sa_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->rx_sa_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (rx_cnt && (mdata->rx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sa = tx_cnt;
+		mdata->num_rx_sa = rx_cnt;
+		for (i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				if (i >= priv->sa_entries)
+					mdata->tx_sa_array[--tx_cnt] = i - priv->sa_entries;
+				else
+					mdata->rx_sa_array[--rx_cnt] = i;
+			}
+		}
+	}
+	tx_cnt = 0;
+	rx_cnt = 0;
+
+	/* Reset Tx active SA to index:0 */
+	for (i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			uint16_t sc_id = i - priv->sc_entries;
+
+			tx_map.sa_index0 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx0;
+			tx_map.sa_index1 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx1;
+			tx_map.rekey_ena = priv->port_rsrc[port_id].sc_conf[sc_id].tx.rekey_enb;
+			tx_map.sectag_sci = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sci;
+			tx_map.sa_index0_vld = 1;
+			tx_map.sa_index1_vld = 0;
+			tx_map.tx_sa_active = 0;
+			tx_map.sc_id = sc_id;
+			rc = roc_mcs_tx_sc_sa_map_write(mcs, &tx_map);
+			if (rc)
+				return rc;
+
+			tx_cnt++;
+		}
+	}
+
+	if (tx_cnt) {
+		mdata->tx_sc_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sc_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sc = tx_cnt;
+		for (i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+			if (set)
+				mdata->tx_sc_array[--tx_cnt] = i - priv->sc_entries;
+		}
+	}
+
+	/* Clear SA_IN_USE for active ANs in RX CPM */
+	for (i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 0;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			rx_cnt++;
+		}
+	}
+
+	/* Reset flow(flow/secy/sc/sa) stats mapped to this PORT */
+	for (i = 0; i < (priv->tcam_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].tcam_bmap, i);
+		if (set) {
+			stats.type = MCS_FLOWID_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->tcam_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (i = 0; i < (priv->secy_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].secy_bmap, i);
+		if (set) {
+			stats.type = MCS_SECY_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->secy_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (i = 0; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			stats.type = MCS_SC_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->sc_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	if (roc_model_is_cn10kb_a0()) {
+		for (i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				stats.type = MCS_SA_STATS;
+				stats.id = i;
+				stats.dir = MCS_RX;
+				if (i >= priv->sa_entries) {
+					stats.dir = MCS_TX;
+					stats.id -= priv->sa_entries;
+				}
+				rc = roc_mcs_stats_clear(mcs, &stats);
+				if (rc)
+					return rc;
+			}
+		}
+	}
+	{
+		stats.type = MCS_PORT_STATS;
+		stats.id = port_id;
+		rc = roc_mcs_stats_clear(mcs, &stats);
+		if (rc)
+			return rc;
+	}
+
+	if (rx_cnt) {
+		mdata->rx_sc_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (mdata->rx_sc_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->sc_an_array = plt_zmalloc(rx_cnt * sizeof(uint8_t), 0);
+		if (mdata->sc_an_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_rx_sc = rx_cnt;
+	}
+
+	/* Reactivate in-use ANs for active SCs in RX CPM */
+	for (i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 1;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			mdata->rx_sc_array[--rx_cnt] = i;
+			mdata->sc_an_array[rx_cnt] = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+		}
+	}
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 0);
+
+	return rc;
+exit:
+	if (mdata->num_tx_sa)
+		plt_free(mdata->tx_sa_array);
+	if (mdata->num_rx_sa)
+		plt_free(mdata->rx_sa_array);
+	if (mdata->num_tx_sc)
+		plt_free(mdata->tx_sc_array);
+	if (mdata->num_rx_sc) {
+		plt_free(mdata->rx_sc_array);
+		plt_free(mdata->sc_an_array);
+	}
+	return rc;
+}
+
+int
+roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port)
+{
+	struct roc_mcs_event_desc desc = {0};
+	int rc;
+
+	/* Initiate port reset and software recovery */
+	rc = roc_mcs_port_recovery(mcs, &desc.metadata, port->port_id);
+	if (rc)
+		goto exit;
+
+	desc.type = ROC_MCS_EVENT_PORT_RESET_RECOVERY;
+	/* Notify the entity details to the application which are recovered */
+	mcs_event_cb_process(mcs, &desc);
+
+exit:
+	if (desc.metadata.num_tx_sa)
+		plt_free(desc.metadata.tx_sa_array);
+	if (desc.metadata.num_rx_sa)
+		plt_free(desc.metadata.rx_sa_array);
+	if (desc.metadata.num_tx_sc)
+		plt_free(desc.metadata.tx_sc_array);
+	if (desc.metadata.num_rx_sc) {
+		plt_free(desc.metadata.rx_sc_array);
+		plt_free(desc.metadata.sc_an_array);
+	}
+
+	return rc;
+}
+
 int
 roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
 			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index b2ca6ee51b..d06057726f 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,43 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_port_cfg_set_req {
+	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
+	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
+	 */
+	uint8_t cstm_tag_rel_mode_sel;
+	/* In ingress path, custom_hdr_enb = 1 when the port is expected to receive pkts
+	 * that have 8B custom header before DMAC
+	 */
+	uint8_t custom_hdr_enb;
+	/* Valid fifo skid values are 14,28,56 for 25G,50G,100G respectively
+	 * FIFOs need to be configured based on the port_mode, valid only for 105N
+	 */
+	uint8_t fifo_skid;
+	uint8_t port_mode; /* 2'b00 - 25G or less, 2'b01 - 50G, 2'b10 - 100G */
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_rsp {
+	uint8_t cstm_tag_rel_mode_sel;
+	uint8_t custom_hdr_enb;
+	uint8_t fifo_skid;
+	uint8_t port_mode;
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_reset_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_stats_req {
 	uint8_t id;
 	uint8_t dir;
@@ -367,6 +404,13 @@ __roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_ac
 __roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
 /* (X)PN threshold set */
 __roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
+/* Reset port */
+__roc_api int roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port);
+/* Get port config */
+__roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req);
+/* Set port config */
+__roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+				   struct roc_mcs_port_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -436,4 +480,8 @@ __roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_even
 /* Configure interrupts */
 __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
 
+/* Port recovery from fatal errors */
+__roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
+				    uint8_t port_id);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index d10dfcd84e..6c0defa27e 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -151,6 +151,10 @@ INTERNAL {
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_cfg_get;
+	roc_mcs_port_cfg_set;
+	roc_mcs_port_recovery;
+	roc_mcs_port_reset;
 	roc_mcs_port_stats_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
-- 
2.25.1

[PATCH v3 09/15] common/cnxk: add MACsec control port configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec control port.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  72 ++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c   | 117 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  65 ++++++++++++++++++
 drivers/common/cnxk/version.map |   4 ++
 4 files changed, 258 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index d7c0385a8b..446f49aeaf 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -319,9 +319,17 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_ALLOC_CTRL_PKT_RULE, 0xa015, mcs_alloc_ctrl_pkt_rule, mcs_alloc_ctrl_pkt_rule_req,   \
+	  mcs_alloc_ctrl_pkt_rule_rsp)                                                             \
+	M(MCS_FREE_CTRL_PKT_RULE, 0xa016, mcs_free_ctrl_pkt_rule, mcs_free_ctrl_pkt_rule_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_CTRL_PKT_RULE_WRITE, 0xa017, mcs_ctrl_pkt_rule_write, mcs_ctrl_pkt_rule_write_req,   \
+	  msg_rsp)                                                                                 \
 	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
 	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
+	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
+	  mcs_custom_tag_cfg_get_rsp)                                                              \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -922,6 +930,53 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+enum mcs_ctrl_pkt_rule_type {
+	MCS_CTRL_PKT_RULE_TYPE_ETH,
+	MCS_CTRL_PKT_RULE_TYPE_DA,
+	MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct mcs_alloc_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id; /* MCS block ID */
+	uint8_t __io dir;    /* Macsec ingress or egress side */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_ctrl_pkt_rule_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_free_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the rule resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_ctrl_pkt_rule_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data0;
+	uint64_t __io data1;
+	uint64_t __io data2;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_cfg_set_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io cstm_tag_rel_mode_sel;
@@ -951,6 +1006,23 @@ struct mcs_port_cfg_get_rsp {
 	uint64_t __io rsvd;
 };
 
+struct mcs_custom_tag_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_custom_tag_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint16_t __io cstm_etype[8];
+	uint8_t __io cstm_indx[8];
+	uint8_t __io cstm_etype_en;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_reset_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io reset;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index e6e6197a49..1e3235ad73 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -140,6 +140,88 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_ctrl_pkt_rule_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+			    struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp)
+{
+	struct mcs_alloc_ctrl_pkt_rule_req *rule_req;
+	struct mcs_alloc_ctrl_pkt_rule_rsp *rule_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_alloc_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rule_rsp);
+	if (rc)
+		return rc;
+
+	rsp->rule_type = rule_rsp->rule_type;
+	rsp->rule_idx = rule_rsp->rule_idx;
+	rsp->dir = rule_rsp->dir;
+
+	return 0;
+}
+
+int
+roc_mcs_ctrl_pkt_rule_free(struct roc_mcs *mcs, struct roc_mcs_free_ctrl_pkt_rule_req *req)
+{
+	struct mcs_free_ctrl_pkt_rule_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_free_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->all = req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs, struct roc_mcs_ctrl_pkt_rule_write_req *req)
+{
+	struct mcs_ctrl_pkt_rule_write_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_ctrl_pkt_rule_write(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->data0 = req->data0;
+	rule_req->data1 = req->data1;
+	rule_req->data2 = req->data2;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
 {
@@ -198,6 +280,41 @@ roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 	return 0;
 }
 
+int
+roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs, struct roc_mcs_custom_tag_cfg_get_req *req,
+			   struct roc_mcs_custom_tag_cfg_get_rsp *rsp)
+{
+	struct mcs_custom_tag_cfg_get_req *get_req;
+	struct mcs_custom_tag_cfg_get_rsp *get_rsp;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_custom_tag_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->dir = req->dir;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < 8; i++) {
+		rsp->cstm_etype[i] = get_rsp->cstm_etype[i];
+		rsp->cstm_indx[i] = get_rsp->cstm_indx[i];
+	}
+
+	rsp->cstm_etype_en = get_rsp->cstm_etype_en;
+	rsp->dir = get_rsp->dir;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index d06057726f..e8d6b070db 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,45 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+enum roc_mcs_ctrl_pkt_rule_type {
+	ROC_MCS_CTRL_PKT_RULE_TYPE_ETH,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_DA,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_req {
+	uint8_t rule_type;
+	uint8_t dir; /* Macsec ingress or egress side */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_rsp {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_free_ctrl_pkt_rule_req {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the rule resources */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_ctrl_pkt_rule_write_req {
+	uint64_t data0;
+	uint64_t data1;
+	uint64_t data2;
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_cfg_set_req {
 	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
 	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
@@ -195,6 +234,19 @@ struct roc_mcs_port_cfg_get_rsp {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_custom_tag_cfg_get_req {
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_custom_tag_cfg_get_rsp {
+	uint16_t cstm_etype[8]; /* EthType/TPID */
+	uint8_t cstm_indx[8];	/* Custom tag index used to identify the VLAN etype */
+	uint8_t cstm_etype_en;	/* bitmap of enabled custom tags */
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_reset_req {
 	uint8_t port_id;
 	uint64_t rsvd;
@@ -411,6 +463,10 @@ __roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_
 /* Set port config */
 __roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 				   struct roc_mcs_port_cfg_get_rsp *rsp);
+/* Get custom tag config */
+__roc_api int roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs,
+					 struct roc_mcs_custom_tag_cfg_get_req *req,
+					 struct roc_mcs_custom_tag_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -456,6 +512,15 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Control packet rule alloc, free and write */
+__roc_api int roc_mcs_ctrl_pkt_rule_alloc(struct roc_mcs *mcs,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp);
+__roc_api int roc_mcs_ctrl_pkt_rule_free(struct roc_mcs *mcs,
+					 struct roc_mcs_free_ctrl_pkt_rule_req *req);
+__roc_api int roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs,
+					  struct roc_mcs_ctrl_pkt_rule_write_req *req);
+
 /* Flow id stats get */
 __roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
 				       struct roc_mcs_flowid_stats *stats);
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 6c0defa27e..914d0d2caa 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -136,6 +136,10 @@ INTERNAL {
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
 	roc_mcs_active_lmac_set;
+	roc_mcs_ctrl_pkt_rule_alloc;
+	roc_mcs_ctrl_pkt_rule_free;
+	roc_mcs_ctrl_pkt_rule_write;
+	roc_mcs_custom_tag_cfg_get;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
-- 
2.25.1

[PATCH v3 10/15] common/cnxk: add MACsec FIPS mbox

[Akhil Goyal]

Added MACsec FIPS configuration mbox

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h | 74 ++++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h  | 69 +++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 446f49aeaf..2f85b2f755 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -330,6 +330,15 @@ struct mbox_msghdr {
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
 	  mcs_custom_tag_cfg_get_rsp)                                                              \
+	M(MCS_FIPS_RESET, 0xa040, mcs_fips_reset, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_MODE_SET, 0xa041, mcs_fips_mode_set, mcs_fips_mode_req, msg_rsp)                \
+	M(MCS_FIPS_CTL_SET, 0xa042, mcs_fips_ctl_set, mcs_fips_ctl_req, msg_rsp)                   \
+	M(MCS_FIPS_IV_SET, 0xa043, mcs_fips_iv_set, mcs_fips_iv_req, msg_rsp)                      \
+	M(MCS_FIPS_CTR_SET, 0xa044, mcs_fips_ctr_set, mcs_fips_ctr_req, msg_rsp)                   \
+	M(MCS_FIPS_KEY_SET, 0xa045, mcs_fips_key_set, mcs_fips_key_req, msg_rsp)                   \
+	M(MCS_FIPS_BLOCK_SET, 0xa046, mcs_fips_block_set, mcs_fips_block_req, msg_rsp)             \
+	M(MCS_FIPS_START, 0xa047, mcs_fips_start, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_RESULT_GET, 0xa048, mcs_fips_result_get, mcs_fips_req, mcs_fips_result_rsp)
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -1119,6 +1128,71 @@ struct mcs_clear_stats {
 	uint8_t __io all; /* All resources stats mapped to PF are cleared */
 };
 
+struct mcs_fips_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_mode_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io mode;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctl_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_iv_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io iv_bits95_64;
+	uint64_t __io iv_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctr_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io fips_ctr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_key_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sak_bits255_192;
+	uint64_t __io sak_bits191_128;
+	uint64_t __io sak_bits127_64;
+	uint64_t __io sak_bits63_0;
+	uint64_t __io hashkey_bits127_64;
+	uint64_t __io hashkey_bits63_0;
+	uint8_t __io sak_len;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_block_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_result_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint64_t __io icv_bits127_64;
+	uint64_t __io icv_bits63_0;
+	uint8_t __io result_pass;
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index e8d6b070db..5b1423ac8f 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -426,6 +426,56 @@ struct roc_mcs_event_desc {
 	union roc_mcs_event_data metadata;
 };
 
+struct roc_mcs_fips_req {
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_mode {
+	uint64_t mode;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctl {
+	uint64_t ctl;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_iv {
+	uint32_t iv_bits95_64;
+	uint64_t iv_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctr {
+	uint32_t fips_ctr;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_key {
+	uint64_t sak_bits255_192;
+	uint64_t sak_bits191_128;
+	uint64_t sak_bits127_64;
+	uint64_t sak_bits63_0;
+	uint64_t hashkey_bits127_64;
+	uint64_t hashkey_bits63_0;
+	uint8_t sak_len;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_block {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_result_rsp {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint64_t icv_bits127_64;
+	uint64_t icv_bits63_0;
+	uint8_t result_pass;
+};
+
 /** User application callback to be registered for any notifications from driver. */
 typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
 
@@ -549,4 +599,23 @@ __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cf
 __roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
 				    uint8_t port_id);
 
+/* FIPS reset */
+__roc_api int roc_mcs_fips_reset(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS mode set */
+__roc_api int roc_mcs_fips_mode_set(struct roc_mcs *mcs, struct roc_mcs_fips_mode *req);
+/* FIPS ctl set */
+__roc_api int roc_mcs_fips_ctl_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctl *req);
+/* FIPS iv set */
+__roc_api int roc_mcs_fips_iv_set(struct roc_mcs *mcs, struct roc_mcs_fips_iv *req);
+/* FIPS ctr set */
+__roc_api int roc_mcs_fips_ctr_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctr *req);
+/* FIPS key set */
+__roc_api int roc_mcs_fips_key_set(struct roc_mcs *mcs, struct roc_mcs_fips_key *req);
+/* FIPS block set */
+__roc_api int roc_mcs_fips_block_set(struct roc_mcs *mcs, struct roc_mcs_fips_block *req);
+/* FIPS start */
+__roc_api int roc_mcs_fips_start(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS result */
+__roc_api int roc_mcs_fips_result_get(struct roc_mcs *mcs, struct roc_mcs_fips_req *req,
+				      struct roc_mcs_fips_result_rsp *rsp);
 #endif /* _ROC_MCS_H_ */
-- 
2.25.1

[PATCH v3 11/15] common/cnxk: derive hash key for MACsec

[Akhil Goyal]

MACsec hardware configuration need hash key to be generated
from the cipher key of AES-GCM-128/256.
Added an ROC API to derive the hash key and extend the case
for AES-256 as well.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_aes.c   | 86 ++++++++++++++++++++++-----------
 drivers/common/cnxk/roc_aes.h   |  4 +-
 drivers/common/cnxk/version.map |  1 +
 3 files changed, 60 insertions(+), 31 deletions(-)

diff --git a/drivers/common/cnxk/roc_aes.c b/drivers/common/cnxk/roc_aes.c
index f821c8b710..d84feb546a 100644
--- a/drivers/common/cnxk/roc_aes.c
+++ b/drivers/common/cnxk/roc_aes.c
@@ -4,9 +4,10 @@
 
 #include "roc_api.h"
 
-#define KEY_WORD_LEN	 (ROC_CPT_AES_XCBC_KEY_LENGTH / sizeof(uint32_t))
-#define KEY_ROUNDS	 10			/* (Nr+1)*Nb */
-#define KEY_SCHEDULE_LEN ((KEY_ROUNDS + 1) * 4) /* (Nr+1)*Nb words */
+#define KEY128_ROUNDS		10		/* (Nr+1)*Nb */
+#define KEY256_ROUNDS		14		/* (Nr+1)*Nb */
+#define KEY_SCHEDULE_LEN(nr)	((nr + 1) * 4)	/* (Nr+1)*Nb words */
+#define AES_HASH_KEY_LEN	16
 
 /*
  * AES 128 implementation based on NIST FIPS 197 suitable for LittleEndian
@@ -93,22 +94,30 @@ GF8mul(uint8_t byte, uint32_t mp)
 }
 
 static void
-aes_key_expand(const uint8_t *key, uint32_t *ks)
+aes_key_expand(const uint8_t *key, uint32_t len, uint32_t *ks)
 {
-	unsigned int i = 4;
+	uint32_t len_words = len / sizeof(uint32_t);
+	unsigned int schedule_len;
+	unsigned int i = len_words;
 	uint32_t temp;
 
+	schedule_len = (len == ROC_CPT_AES128_KEY_LEN) ? KEY_SCHEDULE_LEN(KEY128_ROUNDS) :
+							 KEY_SCHEDULE_LEN(KEY256_ROUNDS);
 	/* Skip key in ks */
-	memcpy(ks, key, KEY_WORD_LEN * sizeof(uint32_t));
+	memcpy(ks, key, len);
 
-	while (i < KEY_SCHEDULE_LEN) {
+	while (i < schedule_len) {
 		temp = ks[i - 1];
-		if ((i & 0x3) == 0) {
+		if ((i & (len_words - 1)) == 0) {
 			temp = rot_word(temp);
 			temp = sub_word(temp);
-			temp ^= (uint32_t)GF8mul(1, 1 << ((i >> 2) - 1));
+			temp ^= (uint32_t)GF8mul(1, 1 << ((i / len_words) - 1));
 		}
-		ks[i] = ks[i - 4] ^ temp;
+		if (len == ROC_CPT_AES256_KEY_LEN) {
+			if ((i % len_words) == 4)
+				temp = sub_word(temp);
+		}
+		ks[i] = ks[i - len_words] ^ temp;
 		i++;
 	}
 }
@@ -145,64 +154,83 @@ mix_columns(uint8_t *sRc)
 }
 
 static void
-cipher(uint8_t *in, uint8_t *out, uint32_t *ks)
+cipher(uint8_t *in, uint8_t *out, uint32_t *ks, uint32_t key_rounds, uint8_t in_len)
 {
-	uint32_t state[KEY_WORD_LEN];
+	uint8_t data_word_len = in_len / sizeof(uint32_t);
+	uint32_t state[data_word_len];
 	unsigned int i, round;
 
 	memcpy(state, in, sizeof(state));
 
 	/* AddRoundKey(state, w[0, Nb-1]) // See Sec. 5.1.4 */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] ^= ks[i];
 
-	for (round = 1; round < KEY_ROUNDS; round++) {
+	for (round = 1; round < key_rounds; round++) {
 		/* SubBytes(state) // See Sec. 5.1.1 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			state[i] = sub_word(state[i]);
 
 		/* ShiftRows(state) // See Sec. 5.1.2 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			shift_word((uint8_t *)state, i, i);
 
 		/* MixColumns(state) // See Sec. 5.1.3 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			mix_columns((uint8_t *)&state[i]);
 
 		/* AddRoundKey(state, w[round*Nb, (round+1)*Nb-1]) */
-		for (i = 0; i < KEY_WORD_LEN; i++)
-			state[i] ^= ks[round * 4 + i];
+		for (i = 0; i < data_word_len; i++)
+			state[i] ^= ks[round * data_word_len + i];
 	}
 
 	/* SubBytes(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] = sub_word(state[i]);
 
 	/* ShiftRows(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		shift_word((uint8_t *)state, i, i);
 
 	/* AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
-		state[i] ^= ks[KEY_ROUNDS * 4 + i];
-	memcpy(out, state, KEY_WORD_LEN * sizeof(uint32_t));
+	for (i = 0; i < data_word_len; i++)
+		state[i] ^= ks[key_rounds * data_word_len + i];
+	memcpy(out, state, data_word_len * sizeof(uint32_t));
 }
 
 void
 roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key)
 {
-	uint32_t aes_ks[KEY_SCHEDULE_LEN] = {0};
+	uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
 	uint8_t k1[16] = {[0 ... 15] = 0x01};
 	uint8_t k2[16] = {[0 ... 15] = 0x02};
 	uint8_t k3[16] = {[0 ... 15] = 0x03};
 
-	aes_key_expand(auth_key, aes_ks);
+	aes_key_expand(auth_key, ROC_CPT_AES_XCBC_KEY_LENGTH, aes_ks);
 
-	cipher(k1, derived_key, aes_ks);
+	cipher(k1, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k1));
 	derived_key += sizeof(k1);
 
-	cipher(k2, derived_key, aes_ks);
+	cipher(k2, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k2));
 	derived_key += sizeof(k2);
 
-	cipher(k3, derived_key, aes_ks);
+	cipher(k3, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k3));
+}
+
+void
+roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t hash_key[])
+{
+	uint8_t data[AES_HASH_KEY_LEN] = {0x0};
+
+	if (len == ROC_CPT_AES128_KEY_LEN) {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES128_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY128_ROUNDS, sizeof(data));
+	} else {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY256_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES256_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY256_ROUNDS, sizeof(data));
+	}
 }
diff --git a/drivers/common/cnxk/roc_aes.h b/drivers/common/cnxk/roc_aes.h
index 954039139f..3b4b921bcd 100644
--- a/drivers/common/cnxk/roc_aes.h
+++ b/drivers/common/cnxk/roc_aes.h
@@ -8,7 +8,7 @@
 /*
  * Derive k1, k2, k3 from 128 bit AES key
  */
-void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key,
-				       uint8_t *derived_key);
+void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key);
+void __roc_api roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t *hash_key);
 
 #endif /* _ROC_AES_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 914d0d2caa..8c71497df8 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -30,6 +30,7 @@ INTERNAL {
 	roc_ae_ec_grp_put;
 	roc_ae_fpm_get;
 	roc_ae_fpm_put;
+	roc_aes_hash_key_derive;
 	roc_aes_xcbc_key_derive;
 	roc_bphy_cgx_cpri_mode_change;
 	roc_bphy_cgx_cpri_mode_misc;
-- 
2.25.1

[PATCH v3 12/15] net/cnxk: add MACsec initialization

[Akhil Goyal]

Added initialization routines for MACsec for
cn10kb platform.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   6 ++
 drivers/net/cnxk/cnxk_ethdev.c      |  13 +++
 drivers/net/cnxk/cnxk_ethdev.h      |  14 +++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 151 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  61 +++++++++++
 drivers/net/cnxk/meson.build        |   1 +
 6 files changed, 246 insertions(+)
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 5bc547051d..8dd2c8b7a5 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1090,9 +1090,15 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
+	cnxk_eth_sec_ops.macsec_sa_create = NULL;
+	cnxk_eth_sec_ops.macsec_sc_create = NULL;
+	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 916198d802..5368f0777d 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1961,6 +1961,16 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 	if (rc)
 		goto free_mac_addrs;
 
+	if (roc_feature_nix_has_macsec()) {
+		rc = cnxk_mcs_dev_init(dev, 0);
+		if (rc) {
+			plt_err("Failed to init MCS");
+			goto free_mac_addrs;
+		}
+		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
+		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+	}
+
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
 		    " rxoffload_capa=0x%" PRIx64 " txoffload_capa=0x%" PRIx64,
 		    eth_dev->data->port_id, roc_nix_get_pf(nix),
@@ -2058,6 +2068,9 @@ cnxk_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool reset)
 	}
 	eth_dev->data->nb_rx_queues = 0;
 
+	if (roc_feature_nix_has_macsec())
+		cnxk_mcs_dev_fini(dev);
+
 	/* Free security resources */
 	nix_security_release(dev);
 
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index e280d6c05e..d5bb06b823 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -395,6 +395,9 @@ struct cnxk_eth_dev {
 	/* Reassembly dynfield/flag offsets */
 	int reass_dynfield_off;
 	int reass_dynflag_bit;
+
+	/* MCS device */
+	struct cnxk_mcs_dev *mcs_dev;
 };
 
 struct cnxk_eth_rxq_sp {
@@ -623,6 +626,17 @@ int cnxk_nix_cman_config_set(struct rte_eth_dev *dev, const struct rte_eth_cman_
 
 int cnxk_nix_cman_config_get(struct rte_eth_dev *dev, struct rte_eth_cman_config *config);
 
+int cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx);
+void cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev);
+
+struct cnxk_macsec_sess *cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev,
+							  const struct rte_security_session *sess);
+int cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
+			     const struct rte_flow_item pattern[],
+			     const struct rte_flow_action actions[], struct rte_flow_error *error,
+			     void **mcs_flow);
+int cnxk_mcs_flow_destroy(struct cnxk_eth_dev *eth_dev, void *mcs_flow);
+
 /* Other private functions */
 int nix_recalc_mtu(struct rte_eth_dev *eth_dev);
 int nix_mtr_validate(struct rte_eth_dev *dev, uint32_t id);
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
new file mode 100644
index 0000000000..b0205f45c5
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
+#include <roc_mcs.h>
+
+static int
+cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
+{
+	struct rte_eth_event_macsec_desc d = {0};
+
+	d.metadata = (uint64_t)userdata;
+
+	switch (desc->type) {
+	case ROC_MCS_EVENT_SECTAG_VAL_ERR:
+		d.type = RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR;
+		switch (desc->subtype) {
+		case ROC_MCS_EVENT_RX_SECTAG_V_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SL_GTE48:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		default:
+			plt_err("Unknown MACsec sub event : %d", desc->subtype);
+		}
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP;
+		break;
+	default:
+		plt_err("Unknown MACsec event type: %d", desc->type);
+	}
+
+	rte_eth_dev_callback_process(cb_arg, RTE_ETH_EVENT_MACSEC, &d);
+
+	return 0;
+}
+
+void
+cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	int rc;
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	/* Cleanup MACsec dev */
+	roc_mcs_dev_fini(mcs_dev->mdev);
+
+	plt_free(mcs_dev);
+}
+
+int
+cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx)
+{
+	struct roc_mcs_intr_cfg intr_cfg = {0};
+	struct roc_mcs_hw_info hw_info = {0};
+	struct cnxk_mcs_dev *mcs_dev;
+	int rc;
+
+	rc = roc_mcs_hw_info_get(&hw_info);
+	if (rc) {
+		plt_err("MCS HW info get failed: rc: %d ", rc);
+		return rc;
+	}
+
+	mcs_dev = plt_zmalloc(sizeof(struct cnxk_mcs_dev), PLT_CACHE_LINE_SIZE);
+	if (!mcs_dev)
+		return -ENOMEM;
+
+	mcs_dev->idx = mcs_idx;
+	mcs_dev->mdev = roc_mcs_dev_init(mcs_dev->idx);
+	if (!mcs_dev->mdev) {
+		plt_free(mcs_dev);
+		return rc;
+	}
+	mcs_dev->port_id = dev->eth_dev->data->port_id;
+
+	intr_cfg.intr_mask =
+		ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT | ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT | ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT | ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_SA_NOT_VALID_INT |
+		ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT | ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT;
+
+	rc = roc_mcs_intr_configure(mcs_dev->mdev, &intr_cfg);
+	if (rc) {
+		plt_err("Failed to configure MCS interrupts: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	dev->mcs_dev = mcs_dev;
+
+	return 0;
+}
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
new file mode 100644
index 0000000000..762c299fb8
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -0,0 +1,61 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+
+#define CNXK_MACSEC_HASH_KEY 16
+
+struct cnxk_mcs_dev {
+	uint64_t default_sci;
+	void *mdev;
+	uint8_t port_id;
+	uint8_t idx;
+};
+
+struct cnxk_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, driver resets below attributes of active
+	 * flow entities(sc & sa) and then resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  UMD driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct cnxk_mcs_event_desc {
+	struct rte_eth_dev *eth_dev;
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	struct cnxk_mcs_event_data metadata;
+};
diff --git a/drivers/net/cnxk/meson.build b/drivers/net/cnxk/meson.build
index 62b8bb90fb..ae6a7d9aac 100644
--- a/drivers/net/cnxk/meson.build
+++ b/drivers/net/cnxk/meson.build
@@ -22,6 +22,7 @@ sources = files(
         'cnxk_ethdev.c',
         'cnxk_ethdev_cman.c',
         'cnxk_ethdev_devargs.c',
+        'cnxk_ethdev_mcs.c',
         'cnxk_ethdev_mtr.c',
         'cnxk_ethdev_ops.c',
         'cnxk_ethdev_sec.c',
-- 
2.25.1

[PATCH v3 13/15] net/cnxk: create/destroy MACsec SC/SA

[Akhil Goyal]

Added support to create/destroy MACsec SA and SC.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   9 +-
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 250 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  16 ++
 3 files changed, 271 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 8dd2c8b7a5..1db29a0b55 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -9,6 +9,7 @@
 #include <rte_pmd_cnxk.h>
 
 #include <cn10k_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
 #include <cnxk_security.h>
 #include <roc_priv.h>
 
@@ -1090,10 +1091,10 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
-	cnxk_eth_sec_ops.macsec_sa_create = NULL;
-	cnxk_eth_sec_ops.macsec_sc_create = NULL;
-	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
-	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sa_create = cnxk_eth_macsec_sa_create;
+	cnxk_eth_sec_ops.macsec_sc_create = cnxk_eth_macsec_sc_create;
+	cnxk_eth_sec_ops.macsec_sa_destroy = cnxk_eth_macsec_sa_destroy;
+	cnxk_eth_sec_ops.macsec_sc_destroy = cnxk_eth_macsec_sc_destroy;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index b0205f45c5..89876abc57 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -6,6 +6,256 @@
 #include <cnxk_ethdev_mcs.h>
 #include <roc_mcs.h>
 
+static int
+mcs_resource_alloc(struct cnxk_mcs_dev *mcs_dev, enum mcs_direction dir, uint8_t rsrc_id[],
+		   uint8_t rsrc_cnt, enum cnxk_mcs_rsrc_type type)
+{
+	struct roc_mcs_alloc_rsrc_req req = {0};
+	struct roc_mcs_alloc_rsrc_rsp rsp = {0};
+	int i;
+
+	req.rsrc_type = type;
+	req.rsrc_cnt = rsrc_cnt;
+	req.dir = dir;
+
+	if (roc_mcs_rsrc_alloc(mcs_dev->mdev, &req, &rsp)) {
+		plt_err("Cannot allocate mcs resource.");
+		return -1;
+	}
+
+	for (i = 0; i < rsrc_cnt; i++) {
+		switch (rsp.rsrc_type) {
+		case CNXK_MCS_RSRC_TYPE_FLOWID:
+			rsrc_id[i] = rsp.flow_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SECY:
+			rsrc_id[i] = rsp.secy_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SC:
+			rsrc_id[i] = rsp.sc_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SA:
+			rsrc_id[i] = rsp.sa_ids[i];
+			break;
+		default:
+			plt_err("Invalid mcs resource allocated.");
+			return -1;
+		}
+	}
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN] = {0};
+	struct roc_mcs_pn_table_write_req pn_req = {0};
+	uint8_t hash_key_rev[CNXK_MACSEC_HASH_KEY] = {0};
+	uint8_t hash_key[CNXK_MACSEC_HASH_KEY] = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_sa_plcy_write_req req = {0};
+	uint8_t ciph_key[32] = {0};
+	enum mcs_direction dir;
+	uint8_t sa_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sa_id, 1, CNXK_MCS_RSRC_TYPE_SA);
+	if (ret) {
+		plt_err("Failed to allocate SA id.");
+		return -ENOMEM;
+	}
+	req.sa_index[0] = sa_id;
+	req.sa_cnt = 1;
+	req.dir = dir;
+
+	if (conf->key.length != 16 && conf->key.length != 32)
+		return -EINVAL;
+
+	for (i = 0; i < conf->key.length; i++)
+		ciph_key[i] = conf->key.data[conf->key.length - 1 - i];
+
+	memcpy(&req.plcy[0][0], ciph_key, conf->key.length);
+
+	roc_aes_hash_key_derive(conf->key.data, conf->key.length, hash_key);
+	for (i = 0; i < CNXK_MACSEC_HASH_KEY; i++)
+		hash_key_rev[i] = hash_key[CNXK_MACSEC_HASH_KEY - 1 - i];
+
+	memcpy(&req.plcy[0][4], hash_key_rev, CNXK_MACSEC_HASH_KEY);
+
+	for (i = 0; i < RTE_SECURITY_MACSEC_SALT_LEN; i++)
+		salt[i] = conf->salt[RTE_SECURITY_MACSEC_SALT_LEN - 1 - i];
+	memcpy(&req.plcy[0][6], salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	req.plcy[0][7] |= (uint64_t)conf->ssci << 32;
+	req.plcy[0][8] = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? (conf->an & 0x3) : 0;
+
+	ret = roc_mcs_sa_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err("Failed to write SA policy.");
+		return -EINVAL;
+	}
+	pn_req.next_pn = ((uint64_t)conf->xpn << 32) | rte_be_to_cpu_32(conf->next_pn);
+	pn_req.pn_id = sa_id;
+	pn_req.dir = dir;
+
+	ret = roc_mcs_pn_table_write(mcs_dev->mdev, &pn_req);
+	if (ret) {
+		plt_err("Failed to write PN table.");
+		return -EINVAL;
+	}
+
+	return sa_id;
+}
+
+int
+cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SA;
+	stats_req.id = sa_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SA id %u, dir %u.", sa_id, dir);
+
+	req.rsrc_id = sa_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SA;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SA id %u, dir %u.", sa_id, dir);
+
+	return ret;
+}
+
+int
+cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_set_pn_threshold pn_thresh = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	enum mcs_direction dir;
+	uint8_t sc_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sc_id, 1, CNXK_MCS_RSRC_TYPE_SC);
+	if (ret) {
+		plt_err("Failed to allocate SC id.");
+		return -ENOMEM;
+	}
+
+	if (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		struct roc_mcs_tx_sc_sa_map req = {0};
+
+		req.sa_index0 = conf->sc_tx.sa_id & 0xFF;
+		req.sa_index1 = conf->sc_tx.sa_id_rekey & 0xFF;
+		req.rekey_ena = conf->sc_tx.re_key_en;
+		req.sa_index0_vld = conf->sc_tx.active;
+		req.sa_index1_vld = conf->sc_tx.re_key_en && conf->sc_tx.active;
+		req.tx_sa_active = 0;
+		req.sectag_sci = conf->sc_tx.sci;
+		req.sc_id = sc_id;
+
+		ret = roc_mcs_tx_sc_sa_map_write(mcs_dev->mdev, &req);
+		if (ret) {
+			plt_err("Failed to map TX SC-SA");
+			return -EINVAL;
+		}
+		pn_thresh.xpn = conf->sc_tx.is_xpn;
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			struct roc_mcs_rx_sc_sa_map req = {0};
+
+			req.sa_index = conf->sc_rx.sa_id[i] & 0x7F;
+			req.sc_id = sc_id;
+			req.an = i & 0x3;
+			req.sa_in_use = 0;
+			/* Clearing the sa_in_use bit automatically clears
+			 * the corresponding pn_thresh_reached bit
+			 */
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+			req.sa_in_use = conf->sc_rx.sa_in_use[i];
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+		}
+		pn_thresh.xpn = conf->sc_rx.is_xpn;
+	}
+
+	pn_thresh.threshold = conf->pn_threshold;
+	pn_thresh.dir = dir;
+
+	ret = roc_mcs_pn_threshold_set(mcs_dev->mdev, &pn_thresh);
+	if (ret) {
+		plt_err("Failed to write PN threshold.");
+		return -EINVAL;
+	}
+
+	return sc_id;
+}
+
+int
+cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SC;
+	stats_req.id = sc_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SC id %u, dir %u.", sc_id, dir);
+
+	req.rsrc_id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SC;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 762c299fb8..68c6493169 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -13,6 +13,14 @@ struct cnxk_mcs_dev {
 	uint8_t idx;
 };
 
+enum cnxk_mcs_rsrc_type {
+	CNXK_MCS_RSRC_TYPE_FLOWID,
+	CNXK_MCS_RSRC_TYPE_SECY,
+	CNXK_MCS_RSRC_TYPE_SC,
+	CNXK_MCS_RSRC_TYPE_SA,
+	CNXK_MCS_RSRC_TYPE_PORT,
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -59,3 +67,11 @@ struct cnxk_mcs_event_desc {
 	enum roc_mcs_event_subtype subtype;
 	struct cnxk_mcs_event_data metadata;
 };
+
+int cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf);
+int cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf);
+
+int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir);
+int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir);
-- 
2.25.1

[PATCH v3 14/15] net/cnxk: add MACsec session and flow configuration

[Akhil Goyal]

Added support for MACsec session/flow create/destroy.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |  11 +-
 drivers/net/cnxk/cn10k_flow.c       |  23 ++-
 drivers/net/cnxk/cnxk_ethdev.c      |   2 +
 drivers/net/cnxk/cnxk_ethdev.h      |  16 ++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 261 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  25 +++
 drivers/net/cnxk/cnxk_ethdev_sec.c  |   2 +-
 drivers/net/cnxk/cnxk_flow.c        |   5 +
 8 files changed, 341 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 1db29a0b55..f20e573338 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -642,7 +642,9 @@ cn10k_eth_sec_session_create(void *device,
 	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
 		return -ENOTSUP;
 
-	if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_MACSEC)
+		return cnxk_eth_macsec_session_create(dev, conf, sess);
+	else if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
 		return -ENOTSUP;
 
 	if (rte_security_dynfield_register() < 0)
@@ -887,13 +889,18 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	rte_spinlock_t *lock;
 	void *sa_dptr;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (!eth_sec)
+	if (!eth_sec) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_destroy(dev, sess);
 		return -ENOENT;
+	}
 
 	lock = eth_sec->inb ? &dev->inb.lock : &dev->outb.lock;
 	rte_spinlock_lock(lock);
diff --git a/drivers/net/cnxk/cn10k_flow.c b/drivers/net/cnxk/cn10k_flow.c
index d7a3442c5f..db5e427362 100644
--- a/drivers/net/cnxk/cn10k_flow.c
+++ b/drivers/net/cnxk/cn10k_flow.c
@@ -1,10 +1,11 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  * Copyright(C) 2020 Marvell.
  */
-#include <cnxk_flow.h>
 #include "cn10k_flow.h"
 #include "cn10k_ethdev.h"
 #include "cn10k_rx.h"
+#include "cnxk_ethdev_mcs.h"
+#include <cnxk_flow.h>
 
 static int
 cn10k_mtr_connect(struct rte_eth_dev *eth_dev, uint32_t mtr_id)
@@ -133,6 +134,7 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 	const struct rte_flow_action *act_q = NULL;
 	struct roc_npc *npc = &dev->npc;
 	struct roc_npc_flow *flow;
+	void *mcs_flow = NULL;
 	int vtag_actions = 0;
 	uint32_t req_act = 0;
 	int mark_actions;
@@ -187,6 +189,17 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 		}
 	}
 
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL) {
+		rc = cnxk_mcs_flow_configure(eth_dev, attr, pattern, actions, error, &mcs_flow);
+		if (rc) {
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_ACTION, NULL,
+					   "Failed to configure mcs flow");
+			return NULL;
+		}
+		return (struct rte_flow *)mcs_flow;
+	}
+
 	flow = cnxk_flow_create(eth_dev, attr, pattern, actions, error);
 	if (!flow) {
 		if (mtr)
@@ -265,6 +278,14 @@ cn10k_flow_destroy(struct rte_eth_dev *eth_dev, struct rte_flow *rte_flow,
 		}
 	}
 
+	if (cnxk_eth_macsec_sess_get_by_sess(dev, (void *)flow) != NULL) {
+		rc = cnxk_mcs_flow_destroy(dev, (void *)flow);
+		if (rc < 0)
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+					NULL, "Failed to free mcs flow");
+		return rc;
+	}
+
 	mtr_id = flow->mtr_id;
 	rc = cnxk_flow_destroy(eth_dev, flow, error);
 	if (!rc && mtr_id != ROC_NIX_MTR_ID_INVALID) {
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 5368f0777d..4b98faa729 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1969,6 +1969,8 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 		}
 		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
 		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+
+		TAILQ_INIT(&dev->mcs_list);
 	}
 
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index d5bb06b823..45dc72b609 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -292,6 +292,21 @@ struct cnxk_eth_dev_sec_outb {
 	uint64_t cpt_eng_caps;
 };
 
+/* MACsec session private data */
+struct cnxk_macsec_sess {
+	/* List entry */
+	TAILQ_ENTRY(cnxk_macsec_sess) entry;
+
+	/* Back pointer to session */
+	struct rte_security_session *sess;
+	enum mcs_direction dir;
+	uint64_t sci;
+	uint8_t secy_id;
+	uint8_t sc_id;
+	uint8_t flow_id;
+};
+TAILQ_HEAD(cnxk_macsec_sess_list, cnxk_macsec_sess);
+
 struct cnxk_eth_dev {
 	/* ROC NIX */
 	struct roc_nix nix;
@@ -398,6 +413,7 @@ struct cnxk_eth_dev {
 
 	/* MCS device */
 	struct cnxk_mcs_dev *mcs_dev;
+	struct cnxk_macsec_sess_list mcs_list;
 };
 
 struct cnxk_eth_rxq_sp {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index 89876abc57..b47991e259 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -256,6 +256,267 @@ cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macse
 	return ret;
 }
 
+struct cnxk_macsec_sess *
+cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev, const struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess = NULL;
+
+	TAILQ_FOREACH(macsec_sess, &dev->mcs_list, entry) {
+		if (macsec_sess->sess == sess)
+			return macsec_sess;
+	}
+
+	return NULL;
+}
+
+int
+cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+			       struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess_priv = SECURITY_GET_SESS_PRIV(sess);
+	struct rte_security_macsec_xform *xform = &conf->macsec;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_secy_plcy_write_req req;
+	enum mcs_direction dir;
+	uint8_t secy_id = 0;
+	uint8_t sectag_tci = 0;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &secy_id, 1, CNXK_MCS_RSRC_TYPE_SECY);
+	if (ret) {
+		plt_err("Failed to allocate SECY id.");
+		return -ENOMEM;
+	}
+
+	req.secy_id = secy_id;
+	req.dir = dir;
+	req.plcy = 0L;
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sectag_tci = ((uint8_t)xform->tx_secy.sectag_version << 5) |
+			     ((uint8_t)xform->tx_secy.end_station << 4) |
+			     ((uint8_t)xform->tx_secy.send_sci << 3) |
+			     ((uint8_t)xform->tx_secy.scb << 2) |
+			     ((uint8_t)xform->tx_secy.encrypt << 1) |
+			     (uint8_t)xform->tx_secy.encrypt;
+		req.plcy = (((uint64_t)xform->tx_secy.mtu & 0xFFFF) << 28) |
+			   (((uint64_t)sectag_tci & 0x3F) << 22) |
+			   (((uint64_t)xform->tx_secy.sectag_off & 0x7F) << 15) |
+			   ((uint64_t)xform->tx_secy.sectag_insert_mode << 14) |
+			   ((uint64_t)xform->tx_secy.icv_include_da_sa << 13) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 6) |
+			   ((uint64_t)xform->alg << 2) |
+			   ((uint64_t)xform->tx_secy.protect_frames << 1) |
+			   (uint64_t)xform->tx_secy.ctrl_port_enable;
+	} else {
+		req.plcy = ((uint64_t)xform->rx_secy.replay_win_sz << 18) |
+			   ((uint64_t)xform->rx_secy.replay_protect << 17) |
+			   ((uint64_t)xform->rx_secy.icv_include_da_sa << 16) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 9) |
+			   ((uint64_t)xform->alg << 5) |
+			   ((uint64_t)xform->rx_secy.preserve_sectag << 4) |
+			   ((uint64_t)xform->rx_secy.preserve_icv << 3) |
+			   ((uint64_t)xform->rx_secy.validate_frames << 1) |
+			   (uint64_t)xform->rx_secy.ctrl_port_enable;
+	}
+
+	ret = roc_mcs_secy_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err(" Failed to configure Tx SECY");
+		return -EINVAL;
+	}
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_RX) {
+		struct roc_mcs_rx_sc_cam_write_req rx_sc_cam = {0};
+
+		rx_sc_cam.sci = xform->sci;
+		rx_sc_cam.secy_id = secy_id & 0x3F;
+		rx_sc_cam.sc_id = xform->sc_id;
+		ret = roc_mcs_rx_sc_cam_write(mcs_dev->mdev, &rx_sc_cam);
+		if (ret) {
+			plt_err(" Failed to write rx_sc_cam");
+			return -EINVAL;
+		}
+	}
+	macsec_sess_priv->sci = xform->sci;
+	macsec_sess_priv->sc_id = xform->sc_id;
+	macsec_sess_priv->secy_id = secy_id;
+	macsec_sess_priv->dir = dir;
+	macsec_sess_priv->sess = sess;
+
+	TAILQ_INSERT_TAIL(&dev->mcs_list, macsec_sess_priv, entry);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	struct cnxk_macsec_sess *s;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	s = SECURITY_GET_SESS_PRIV(sess);
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SECY;
+	stats_req.id = s->secy_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SECY id %u, dir %u.", s->secy_id, s->dir);
+
+	req.rsrc_id = s->secy_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SECY;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	TAILQ_REMOVE(&dev->mcs_list, s, entry);
+
+	return ret;
+}
+
+int
+cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr __rte_unused,
+			 const struct rte_flow_item pattern[],
+			 const struct rte_flow_action actions[],
+			 struct rte_flow_error *error __rte_unused, void **mcs_flow)
+{
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_flowid_entry_write_req req = {0};
+	const struct rte_flow_item_eth *eth_item = NULL;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct cnxk_mcs_flow_opts opts = {0};
+	struct cnxk_macsec_sess *sess;
+	struct rte_ether_addr src;
+	struct rte_ether_addr dst;
+	int ret;
+	int i = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	sess = cnxk_eth_macsec_sess_get_by_sess(dev,
+			(const struct rte_security_session *)actions->conf);
+	if (sess == NULL)
+		return -EINVAL;
+
+	ret = mcs_resource_alloc(mcs_dev, sess->dir, &sess->flow_id, 1,
+				 CNXK_MCS_RSRC_TYPE_FLOWID);
+	if (ret) {
+		plt_err("Failed to allocate FLow id.");
+		return -ENOMEM;
+	}
+	req.sci = sess->sci;
+	req.flow_id = sess->flow_id;
+	req.secy_id = sess->secy_id;
+	req.sc_id = sess->sc_id;
+	req.ena = 1;
+	req.ctr_pkt = 0;
+	req.dir = sess->dir;
+
+	while (pattern[i].type != RTE_FLOW_ITEM_TYPE_END) {
+		if (pattern[i].type == RTE_FLOW_ITEM_TYPE_ETH)
+			eth_item = pattern[i].spec;
+		else
+			plt_err("Unhandled flow item : %d", pattern[i].type);
+		i++;
+	}
+	if (eth_item) {
+		dst = eth_item->hdr.dst_addr;
+		src = eth_item->hdr.src_addr;
+
+		/* Find ways to fill opts */
+
+		req.data[0] =
+			(uint64_t)dst.addr_bytes[0] << 40 | (uint64_t)dst.addr_bytes[1] << 32 |
+			(uint64_t)dst.addr_bytes[2] << 24 | (uint64_t)dst.addr_bytes[3] << 16 |
+			(uint64_t)dst.addr_bytes[4] << 8 | (uint64_t)dst.addr_bytes[5] |
+			(uint64_t)src.addr_bytes[5] << 48 | (uint64_t)src.addr_bytes[4] << 56;
+		req.data[1] = (uint64_t)src.addr_bytes[3] | (uint64_t)src.addr_bytes[2] << 8 |
+			      (uint64_t)src.addr_bytes[1] << 16 |
+			      (uint64_t)src.addr_bytes[0] << 24 |
+			      (uint64_t)eth_item->hdr.ether_type << 32 |
+			      ((uint64_t)opts.outer_tag_id & 0xFFFF) << 48;
+		req.data[2] = ((uint64_t)opts.outer_tag_id & 0xF0000) |
+			      ((uint64_t)opts.outer_priority & 0xF) << 4 |
+			      ((uint64_t)opts.second_outer_tag_id & 0xFFFFF) << 8 |
+			      ((uint64_t)opts.second_outer_priority & 0xF) << 28 |
+			      ((uint64_t)opts.bonus_data << 32) |
+			      ((uint64_t)opts.tag_match_bitmap << 48) |
+			      ((uint64_t)opts.packet_type & 0xF) << 56 |
+			      ((uint64_t)opts.outer_vlan_type & 0x7) << 60 |
+			      ((uint64_t)opts.inner_vlan_type & 0x1) << 63;
+		req.data[3] = ((uint64_t)opts.inner_vlan_type & 0x6) >> 1 |
+			      ((uint64_t)opts.num_tags & 0x7F) << 2 |
+			      ((uint64_t)opts.flowid_user & 0x1F) << 9 |
+			      ((uint64_t)opts.express & 1) << 14 |
+			      ((uint64_t)opts.lmac_id & 0x1F) << 15;
+
+		req.mask[0] = 0x0;
+		req.mask[1] = 0xFFFFFFFF00000000;
+		req.mask[2] = 0xFFFFFFFFFFFFFFFF;
+		req.mask[3] = 0xFFFFFFFFFFFFFFFF;
+
+		ret = roc_mcs_flowid_entry_write(mcs_dev->mdev, &req);
+		if (ret)
+			return ret;
+		*mcs_flow = (void *)(uintptr_t)actions->conf;
+	} else {
+		plt_err("Flow not confirured");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+int
+cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
+{
+	const struct cnxk_macsec_sess *s = cnxk_eth_macsec_sess_get_by_sess(dev, flow);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	if (s == NULL)
+		return 0;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_FLOWID;
+	stats_req.id = s->flow_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for Flow id %u, dir %u.", s->flow_id, s->dir);
+
+	req.rsrc_id = s->flow_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_FLOWID;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free flow_id: %d.", s->flow_id);
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 68c6493169..2b1a6f2c90 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -21,6 +21,27 @@ enum cnxk_mcs_rsrc_type {
 	CNXK_MCS_RSRC_TYPE_PORT,
 };
 
+struct cnxk_mcs_flow_opts {
+	uint32_t outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS.*/
+	uint32_t second_outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t second_outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS. */
+	uint16_t bonus_data;
+	/**< 2 bytes of additional bonus data extracted from one of the custom tags*/
+	uint8_t tag_match_bitmap;
+	uint8_t packet_type;
+	uint8_t outer_vlan_type;
+	uint8_t inner_vlan_type;
+	uint8_t num_tags;
+	bool express;
+	uint8_t lmac_id;
+	uint8_t flowid_user;
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -75,3 +96,7 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 			       enum rte_security_macsec_direction dir);
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
+
+int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+				   struct rte_security_session *sess);
+int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index a66d58ca61..dc17c128de 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -284,7 +284,7 @@ cnxk_eth_sec_sess_get_by_sess(struct cnxk_eth_dev *dev,
 static unsigned int
 cnxk_eth_sec_session_get_size(void *device __rte_unused)
 {
-	return sizeof(struct cnxk_eth_sec_sess);
+	return RTE_MAX(sizeof(struct cnxk_macsec_sess), sizeof(struct cnxk_eth_sec_sess));
 }
 
 struct rte_security_ops cnxk_eth_sec_ops = {
diff --git a/drivers/net/cnxk/cnxk_flow.c b/drivers/net/cnxk/cnxk_flow.c
index 9595fe9386..1bacb20784 100644
--- a/drivers/net/cnxk/cnxk_flow.c
+++ b/drivers/net/cnxk/cnxk_flow.c
@@ -300,6 +300,11 @@ cnxk_flow_validate(struct rte_eth_dev *eth_dev,
 	uint32_t flowkey_cfg = 0;
 	int rc;
 
+	/* Skip flow validation for MACsec. */
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL)
+		return 0;
+
 	memset(&flow, 0, sizeof(flow));
 	flow.is_validate = true;
 
-- 
2.25.1

[PATCH v3 15/15] net/cnxk: add MACsec stats

[Akhil Goyal]

Added support for MACsec SC/flow/session stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/guides/rel_notes/release_23_07.rst |  5 ++
 drivers/net/cnxk/cn10k_ethdev_sec.c    | 11 +++--
 drivers/net/cnxk/cnxk_ethdev_mcs.c     | 64 ++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h     |  9 ++++
 4 files changed, 86 insertions(+), 3 deletions(-)

diff --git a/doc/guides/rel_notes/release_23_07.rst b/doc/guides/rel_notes/release_23_07.rst
index 027ae7bd2d..619ccba0f1 100644
--- a/doc/guides/rel_notes/release_23_07.rst
+++ b/doc/guides/rel_notes/release_23_07.rst
@@ -139,6 +139,11 @@ New Features
   for new capability registers, large passthrough BAR and some
   performance enhancements for UPT.
 
+* **Updated Marvell cnxk ethdev driver.**
+
+  Added support for Inline MACsec processing using rte_security framework
+  for CN103 platform.
+
 * **Added new algorithms to cryptodev.**
 
   * Added asymmetric algorithm ShangMi 2 (SM2) along with prime field curve support.
diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index f20e573338..b98fc9378e 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1058,12 +1058,17 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	int rc;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (eth_sec == NULL)
+	if (eth_sec == NULL) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_stats_get(dev, macsec_sess, stats);
 		return -EINVAL;
+	}
 
 	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
 			    ROC_NIX_INL_SA_OP_FLUSH);
@@ -1107,6 +1112,6 @@ cn10k_eth_sec_ops_override(void)
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
-	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
-	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = cnxk_eth_macsec_sc_stats_get;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = cnxk_eth_macsec_sa_stats_get;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index b47991e259..2ad19fbb86 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -517,6 +517,70 @@ cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
 	return ret;
 }
 
+int
+cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sa_id);
+	RTE_SET_USED(dir);
+	RTE_SET_USED(stats);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sc_stats *stats)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? MCS_RX : MCS_TX;
+
+	return roc_mcs_sc_stats_get(mcs_dev->mdev, &req, (struct roc_mcs_sc_stats *)stats);
+}
+
+int
+cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				  struct rte_security_stats *stats)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_flowid_stats flow_stats = {0};
+	struct roc_mcs_port_stats port_stats = {0};
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sess->flow_id;
+	req.dir = sess->dir;
+	roc_mcs_flowid_stats_get(mcs_dev->mdev, &req, &flow_stats);
+	plt_nix_dbg("\n******* FLOW_ID IDX[%u] STATS dir: %u********\n", sess->flow_id, sess->dir);
+	plt_nix_dbg("TX: tcam_hit_cnt: 0x%" PRIx64 "\n", flow_stats.tcam_hit_cnt);
+
+	req.id = mcs_dev->port_id;
+	req.dir = sess->dir;
+	roc_mcs_port_stats_get(mcs_dev->mdev, &req, &port_stats);
+	plt_nix_dbg("\n********** PORT[0] STATS ****************\n");
+	plt_nix_dbg("RX tcam_miss_cnt: 0x%" PRIx64 "\n", port_stats.tcam_miss_cnt);
+	plt_nix_dbg("RX parser_err_cnt: 0x%" PRIx64 "\n", port_stats.parser_err_cnt);
+	plt_nix_dbg("RX preempt_err_cnt: 0x%" PRIx64 "\n", port_stats.preempt_err_cnt);
+	plt_nix_dbg("RX sectag_insert_err_cnt: 0x%" PRIx64 "\n", port_stats.sectag_insert_err_cnt);
+
+	req.id = sess->secy_id;
+	req.dir = sess->dir;
+
+	return roc_mcs_secy_stats_get(mcs_dev->mdev, &req,
+				      (struct roc_mcs_secy_stats *)(&stats->macsec));
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 2b1a6f2c90..4a59dd3df9 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -97,6 +97,15 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
 
+int cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sa_stats *stats);
+int cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sc_stats *stats);
+int cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				      struct rte_security_stats *stats);
+
 int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
 				   struct rte_security_session *sess);
 int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
-- 
2.25.1

Re: [PATCH 15/15] net/cnxk: add MACsec stats

[Jerin Jacob]

On Wed, May 24, 2023 at 1:35 AM Akhil Goyal <gakhil@marvell.com> wrote:
>
> Added support for MACsec SC/flow/session stats.
>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>


# Please fix the the build issue
http://mails.dpdk.org/archives/test-report/2023-June/410104.html
# Please rebase to dpdk-next-mrvl as doc is updated in
https://patches.dpdk.org/project/dpdk/patch/20230613045652.228319-1-psatheesh@marvell.com/


> ---
>  drivers/net/cnxk/cn10k_ethdev_sec.c | 11 +++--
>  drivers/net/cnxk/cnxk_ethdev_mcs.c  | 64 +++++++++++++++++++++++++++++
>  drivers/net/cnxk/cnxk_ethdev_mcs.h  |  9 ++++
>  3 files changed, 81 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
> index 0a8e7ae6fd..cd0fd1744f 100644
> --- a/drivers/net/cnxk/cn10k_ethdev_sec.c
> +++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
> @@ -1027,12 +1027,17 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
>  {
>         struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
>         struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
> +       struct cnxk_macsec_sess *macsec_sess;
>         struct cnxk_eth_sec_sess *eth_sec;
>         int rc;
>
>         eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
> -       if (eth_sec == NULL)
> +       if (eth_sec == NULL) {
> +               macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
> +               if (macsec_sess)
> +                       return cnxk_eth_macsec_session_stats_get(dev, macsec_sess, stats);
>                 return -EINVAL;
> +       }
>
>         rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
>                             ROC_NIX_INL_SA_OP_FLUSH);
> @@ -1076,6 +1081,6 @@ cn10k_eth_sec_ops_override(void)
>         cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
>         cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
>         cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
> -       cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
> -       cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
> +       cnxk_eth_sec_ops.macsec_sc_stats_get = cnxk_eth_macsec_sc_stats_get;
> +       cnxk_eth_sec_ops.macsec_sa_stats_get = cnxk_eth_macsec_sa_stats_get;
>  }
> diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
> index c5ac5bafbb..e79b8279a7 100644
> --- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
> +++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
> @@ -517,6 +517,70 @@ cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
>         return (ret == 0) ? 1 : ret;
>  }
>
> +int
> +cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir,
> +                            struct rte_security_macsec_sa_stats *stats)
> +{
> +       RTE_SET_USED(device);
> +       RTE_SET_USED(sa_id);
> +       RTE_SET_USED(dir);
> +       RTE_SET_USED(stats);
> +
> +       return 0;
> +}
> +
> +int
> +cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir,
> +                            struct rte_security_macsec_sc_stats *stats)
> +{
> +       struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
> +       struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
> +       struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
> +       struct roc_mcs_stats_req req = {0};
> +
> +       if (!roc_feature_nix_has_macsec())
> +               return -ENOTSUP;
> +
> +       req.id = sc_id;
> +       req.dir = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? MCS_RX : MCS_TX;
> +
> +       return roc_mcs_sc_stats_get(mcs_dev->mdev, &req, (struct roc_mcs_sc_stats *)stats);
> +}
> +
> +int
> +cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
> +                                 struct rte_security_stats *stats)
> +{
> +       struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
> +       struct roc_mcs_flowid_stats flow_stats = {0};
> +       struct roc_mcs_port_stats port_stats = {0};
> +       struct roc_mcs_stats_req req = {0};
> +
> +       if (!roc_feature_nix_has_macsec())
> +               return -ENOTSUP;
> +
> +       req.id = sess->flow_id;
> +       req.dir = sess->dir;
> +       roc_mcs_flowid_stats_get(mcs_dev->mdev, &req, &flow_stats);
> +       plt_nix_dbg("\n******* FLOW_ID IDX[%u] STATS dir: %u********\n", sess->flow_id, sess->dir);
> +       plt_nix_dbg("TX: tcam_hit_cnt: 0x%lx\n", flow_stats.tcam_hit_cnt);
> +
> +       req.id = mcs_dev->port_id;
> +       req.dir = sess->dir;
> +       roc_mcs_port_stats_get(mcs_dev->mdev, &req, &port_stats);
> +       plt_nix_dbg("\n********** PORT[0] STATS ****************\n");
> +       plt_nix_dbg("RX tcam_miss_cnt: 0x%lx\n", port_stats.tcam_miss_cnt);
> +       plt_nix_dbg("RX parser_err_cnt: 0x%lx\n", port_stats.parser_err_cnt);
> +       plt_nix_dbg("RX preempt_err_cnt: 0x%lx\n", port_stats.preempt_err_cnt);
> +       plt_nix_dbg("RX sectag_insert_err_cnt: 0x%lx\n", port_stats.sectag_insert_err_cnt);
> +
> +       req.id = sess->secy_id;
> +       req.dir = sess->dir;
> +
> +       return roc_mcs_secy_stats_get(mcs_dev->mdev, &req,
> +                                     (struct roc_mcs_secy_stats *)(&stats->macsec));
> +}
> +
>  static int
>  cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
>  {
> diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
> index 2b1a6f2c90..4a59dd3df9 100644
> --- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
> +++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
> @@ -97,6 +97,15 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
>  int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
>                                enum rte_security_macsec_direction dir);
>
> +int cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
> +                                enum rte_security_macsec_direction dir,
> +                                struct rte_security_macsec_sa_stats *stats);
> +int cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sa_id,
> +                                enum rte_security_macsec_direction dir,
> +                                struct rte_security_macsec_sc_stats *stats);
> +int cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
> +                                     struct rte_security_stats *stats);
> +
>  int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
>                                    struct rte_security_session *sess);
>  int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
> --
> 2.25.1
>

[PATCH v4 00/15] net/cnxk: add MACsec support

[Akhil Goyal]

Added MACsec support in Marvell cnxk PMD.
The patchset is pending from last release [1]
Sending as a new series as the functionality is now
complete and tested on hardware.

[1] https://patches.dpdk.org/project/dpdk/cover/20220928124516.93050-1-gakhil@marvell.com/

Changes in v4:
Fix build with RHEL/CentOS

Changes in v3:
- rebased
- fixed warning PRI*64
- added release notes

Changes in v2:
- Addressed review comments from Jerin.


Akhil Goyal (15):
  common/cnxk: add ROC MACsec initialization
  common/cnxk: add MACsec SA configuration
  common/cnxk: add MACsec SC configuration APIs
  common/cnxk: add MACsec secy and flow configuration
  common/cnxk: add MACsec PN and LMAC mode configuration
  common/cnxk: add MACsec stats
  common/cnxk: add MACsec interrupt APIs
  common/cnxk: add MACsec port configuration
  common/cnxk: add MACsec control port configuration
  common/cnxk: add MACsec FIPS mbox
  common/cnxk: derive hash key for MACsec
  net/cnxk: add MACsec initialization
  net/cnxk: create/destroy MACsec SC/SA
  net/cnxk: add MACsec session and flow configuration
  net/cnxk: add MACsec stats

 doc/guides/rel_notes/release_23_07.rst |   5 +
 drivers/common/cnxk/meson.build        |   3 +
 drivers/common/cnxk/roc_aes.c          |  86 ++-
 drivers/common/cnxk/roc_aes.h          |   4 +-
 drivers/common/cnxk/roc_api.h          |   3 +
 drivers/common/cnxk/roc_dev.c          |  86 +++
 drivers/common/cnxk/roc_features.h     |  12 +
 drivers/common/cnxk/roc_idev.c         |  46 ++
 drivers/common/cnxk/roc_idev.h         |   3 +
 drivers/common/cnxk/roc_idev_priv.h    |   1 +
 drivers/common/cnxk/roc_mbox.h         | 524 ++++++++++++++-
 drivers/common/cnxk/roc_mcs.c          | 871 +++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h          | 621 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h     |  73 +++
 drivers/common/cnxk/roc_mcs_sec_cfg.c  | 528 +++++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c    | 193 ++++++
 drivers/common/cnxk/roc_priv.h         |   3 +
 drivers/common/cnxk/roc_utils.c        |   5 +
 drivers/common/cnxk/version.map        |  45 ++
 drivers/net/cnxk/cn10k_ethdev_sec.c    |  25 +-
 drivers/net/cnxk/cn10k_flow.c          |  23 +-
 drivers/net/cnxk/cnxk_ethdev.c         |  15 +
 drivers/net/cnxk/cnxk_ethdev.h         |  30 +
 drivers/net/cnxk/cnxk_ethdev_mcs.c     | 730 +++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h     | 111 ++++
 drivers/net/cnxk/cnxk_ethdev_sec.c     |   2 +-
 drivers/net/cnxk/cnxk_flow.c           |   5 +
 drivers/net/cnxk/meson.build           |   1 +
 28 files changed, 4016 insertions(+), 38 deletions(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

-- 
2.25.1

[PATCH v4 01/15] common/cnxk: add ROC MACsec initialization

[Akhil Goyal]

Added ROC init and fini APIs for supporting MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_api.h       |   3 +
 drivers/common/cnxk/roc_features.h  |  12 ++
 drivers/common/cnxk/roc_idev.c      |  46 ++++++
 drivers/common/cnxk/roc_idev.h      |   3 +
 drivers/common/cnxk/roc_idev_priv.h |   1 +
 drivers/common/cnxk/roc_mbox.h      |  65 +++++++-
 drivers/common/cnxk/roc_mcs.c       | 220 ++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  41 ++++++
 drivers/common/cnxk/roc_mcs_priv.h  |  65 ++++++++
 drivers/common/cnxk/roc_priv.h      |   3 +
 drivers/common/cnxk/roc_utils.c     |   5 +
 drivers/common/cnxk/version.map     |   7 +
 13 files changed, 471 insertions(+), 1 deletion(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 631b594f32..e33c002676 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -26,6 +26,7 @@ sources = files(
         'roc_irq.c',
         'roc_ie_ot.c',
         'roc_mbox.c',
+        'roc_mcs.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index bbc94ab48e..f630853088 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -114,4 +114,7 @@
 /* ML */
 #include "roc_ml.h"
 
+/* MACsec */
+#include "roc_mcs.h"
+
 #endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_features.h b/drivers/common/cnxk/roc_features.h
index 36ef315f5a..815f800e7a 100644
--- a/drivers/common/cnxk/roc_features.h
+++ b/drivers/common/cnxk/roc_features.h
@@ -59,4 +59,16 @@ roc_feature_nix_has_age_drop_stats(void)
 {
 	return (roc_model_is_cn10kb() || roc_model_is_cn10ka_b0());
 }
+
+static inline bool
+roc_feature_nix_has_macsec(void)
+{
+	return roc_model_is_cn10kb();
+}
+
+static inline bool
+roc_feature_bphy_has_macsec(void)
+{
+	return roc_model_is_cnf10kb();
+}
 #endif
diff --git a/drivers/common/cnxk/roc_idev.c b/drivers/common/cnxk/roc_idev.c
index f420f0158d..e6c6b34d78 100644
--- a/drivers/common/cnxk/roc_idev.c
+++ b/drivers/common/cnxk/roc_idev.c
@@ -38,6 +38,7 @@ idev_set_defaults(struct idev_cfg *idev)
 	idev->num_lmtlines = 0;
 	idev->bphy = NULL;
 	idev->cpt = NULL;
+	TAILQ_INIT(&idev->mcs_list);
 	idev->nix_inl_dev = NULL;
 	TAILQ_INIT(&idev->roc_nix_list);
 	plt_spinlock_init(&idev->nix_inl_dev_lock);
@@ -187,6 +188,51 @@ roc_idev_cpt_get(void)
 	return NULL;
 }
 
+struct roc_mcs *
+roc_idev_mcs_get(uint8_t mcs_idx)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs, &idev->mcs_list, next) {
+			if (mcs->idx == mcs_idx)
+				return mcs;
+		}
+	}
+
+	return NULL;
+}
+
+void
+roc_idev_mcs_set(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs_iter = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
+			if (mcs_iter->idx == mcs->idx)
+				return;
+		}
+		TAILQ_INSERT_TAIL(&idev->mcs_list, mcs, next);
+	}
+}
+
+void
+roc_idev_mcs_free(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs_iter = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
+			if (mcs_iter->idx == mcs->idx)
+				TAILQ_REMOVE(&idev->mcs_list, mcs, next);
+		}
+	}
+}
+
 uint64_t *
 roc_nix_inl_outb_ring_base_get(struct roc_nix *roc_nix)
 {
diff --git a/drivers/common/cnxk/roc_idev.h b/drivers/common/cnxk/roc_idev.h
index 640ca97708..aea7f5279d 100644
--- a/drivers/common/cnxk/roc_idev.h
+++ b/drivers/common/cnxk/roc_idev.h
@@ -19,4 +19,7 @@ struct roc_nix *__roc_api roc_idev_npa_nix_get(void);
 uint64_t __roc_api roc_idev_nix_inl_meta_aura_get(void);
 struct roc_nix_list *__roc_api roc_idev_nix_list_get(void);
 
+struct roc_mcs *__roc_api roc_idev_mcs_get(uint8_t mcs_idx);
+void __roc_api roc_idev_mcs_set(struct roc_mcs *mcs);
+void __roc_api roc_idev_mcs_free(struct roc_mcs *mcs);
 #endif /* _ROC_IDEV_H_ */
diff --git a/drivers/common/cnxk/roc_idev_priv.h b/drivers/common/cnxk/roc_idev_priv.h
index 4983578fc6..80f8465e1c 100644
--- a/drivers/common/cnxk/roc_idev_priv.h
+++ b/drivers/common/cnxk/roc_idev_priv.h
@@ -31,6 +31,7 @@ struct idev_cfg {
 	struct roc_bphy *bphy;
 	struct roc_cpt *cpt;
 	struct roc_sso *sso;
+	struct roc_mcs_head mcs_list;
 	struct nix_inl_dev *nix_inl_dev;
 	struct idev_nix_inl_cfg inl_cfg;
 	struct roc_nix_list roc_nix_list;
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 93c5451c0f..ef7a7d6513 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -295,7 +295,12 @@ struct mbox_msghdr {
 	  nix_bpids)                                                           \
 	M(NIX_FREE_BPIDS, 0x8029, nix_free_bpids, nix_bpids, msg_rsp)          \
 	M(NIX_RX_CHAN_CFG, 0x802a, nix_rx_chan_cfg, nix_rx_chan_cfg,           \
-	  nix_rx_chan_cfg)
+	  nix_rx_chan_cfg)                                                     \
+	/* MCS mbox IDs (range 0xa000 - 0xbFFF) */                                                 \
+	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
+	  mcs_alloc_rsrc_rsp)                                                                      \
+	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -673,6 +678,64 @@ struct cgx_set_link_mode_rsp {
 	int __io status;
 };
 
+/* MCS mbox structures */
+enum mcs_direction {
+	MCS_RX,
+	MCS_TX,
+};
+
+enum mcs_rsrc_type {
+	MCS_RSRC_TYPE_FLOWID,
+	MCS_RSRC_TYPE_SECY,
+	MCS_RSRC_TYPE_SC,
+	MCS_RSRC_TYPE_SA,
+};
+
+struct mcs_alloc_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* Resources count */
+	uint8_t __io mcs_id;   /* MCS block ID */
+	uint8_t __io dir;      /* Macsec ingress or egress side */
+	uint8_t __io all;      /* Allocate all resource type one each */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_rsrc_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_ids[128]; /* Index of reserved entries */
+	uint8_t __io secy_ids[128];
+	uint8_t __io sc_ids[128];
+	uint8_t __io sa_ids[256];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* No of entries reserved */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all;
+	uint8_t __io rsvd[256];
+};
+
+struct mcs_free_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_id; /* Index of the entry to be freed */
+	uint8_t __io rsrc_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the cam resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_hw_info {
+	struct mbox_msghdr hdr;
+	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
+	uint8_t __io tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t __io secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t __io sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t __io sa_entries;  /* PN table entries = SA entries */
+	uint64_t __io rsvd[16];
+};
+
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
new file mode 100644
index 0000000000..20433eae83
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -0,0 +1,220 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
+{
+	struct mcs_hw_info *hw;
+	struct npa_lf *npa;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (hw_info == NULL)
+		return -EINVAL;
+
+	/* Use mbox handler of first probed pci_func for
+	 * initial mcs mbox communication.
+	 */
+	npa = idev_npa_obj_get();
+	if (!npa)
+		return MCS_ERR_DEVICE_NOT_FOUND;
+
+	mbox_alloc_msg_mcs_get_hw_info(npa->mbox);
+	rc = mbox_process_msg(npa->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	hw_info->num_mcs_blks = hw->num_mcs_blks;
+	hw_info->tcam_entries = hw->tcam_entries;
+	hw_info->secy_entries = hw->secy_entries;
+	hw_info->sc_entries = hw->sc_entries;
+	hw_info->sa_entries = hw->sa_entries;
+
+	return rc;
+}
+
+static int
+mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
+{
+	size_t bmap_sz;
+	int rc = 0;
+
+	bmap_sz = plt_bitmap_get_memory_footprint(entries);
+	*mem = plt_zmalloc(bmap_sz, PLT_CACHE_LINE_SIZE);
+	if (*mem == NULL)
+		rc = -ENOMEM;
+
+	*bmap = plt_bitmap_init(entries, *mem, bmap_sz);
+	if (!*bmap) {
+		plt_free(*mem);
+		*mem = NULL;
+		rc = -ENOMEM;
+	}
+
+	return rc;
+}
+
+static void
+rsrc_bmap_free(struct mcs_rsrc *rsrc)
+{
+	plt_bitmap_free(rsrc->tcam_bmap);
+	plt_free(rsrc->tcam_bmap_mem);
+	plt_bitmap_free(rsrc->secy_bmap);
+	plt_free(rsrc->secy_bmap_mem);
+	plt_bitmap_free(rsrc->sc_bmap);
+	plt_free(rsrc->sc_bmap_mem);
+	plt_bitmap_free(rsrc->sa_bmap);
+	plt_free(rsrc->sa_bmap_mem);
+}
+
+static int
+rsrc_bmap_alloc(struct mcs_priv *priv, struct mcs_rsrc *rsrc)
+{
+	int rc;
+
+	rc = mcs_alloc_bmap(priv->tcam_entries << 1, &rsrc->tcam_bmap_mem, &rsrc->tcam_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->secy_entries << 1, &rsrc->secy_bmap_mem, &rsrc->secy_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sc_entries << 1, &rsrc->sc_bmap_mem, &rsrc->sc_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sa_entries << 1, &rsrc->sa_bmap_mem, &rsrc->sa_bmap);
+	if (rc)
+		goto exit;
+
+	return rc;
+exit:
+	rsrc_bmap_free(rsrc);
+
+	return rc;
+}
+
+static int
+mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_hw_info *hw;
+	int i, rc;
+
+	mbox_alloc_msg_mcs_get_hw_info(mcs->mbox);
+	rc = mbox_process_msg(mcs->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	priv->num_mcs_blks = hw->num_mcs_blks;
+	priv->tcam_entries = hw->tcam_entries;
+	priv->secy_entries = hw->secy_entries;
+	priv->sc_entries = hw->sc_entries;
+	priv->sa_entries = hw->sa_entries;
+
+	rc = rsrc_bmap_alloc(priv, &priv->dev_rsrc);
+	if (rc)
+		return rc;
+
+	priv->port_rsrc = plt_zmalloc(sizeof(struct mcs_rsrc) * 4, 0);
+	if (priv->port_rsrc == NULL) {
+		rsrc_bmap_free(&priv->dev_rsrc);
+		return -ENOMEM;
+	}
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rc = rsrc_bmap_alloc(priv, &priv->port_rsrc[i]);
+		if (rc)
+			goto exit;
+
+		priv->port_rsrc[i].sc_conf =
+			plt_zmalloc(priv->sc_entries * sizeof(struct mcs_sc_conf), 0);
+		if (priv->port_rsrc[i].sc_conf == NULL) {
+			rsrc_bmap_free(&priv->port_rsrc[i]);
+			goto exit;
+		}
+	}
+
+	return rc;
+
+exit:
+	while (i--) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+	plt_free(priv->port_rsrc);
+
+	return -ENOMEM;
+}
+
+struct roc_mcs *
+roc_mcs_dev_init(uint8_t mcs_idx)
+{
+	struct roc_mcs *mcs;
+	struct npa_lf *npa;
+
+	if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))
+		return NULL;
+
+	mcs = roc_idev_mcs_get(mcs_idx);
+	if (mcs) {
+		plt_info("Skipping device, mcs device already probed");
+		mcs->refcount++;
+		return mcs;
+	}
+
+	mcs = plt_zmalloc(sizeof(struct roc_mcs), PLT_CACHE_LINE_SIZE);
+	if (!mcs)
+		return NULL;
+
+	npa = idev_npa_obj_get();
+	if (!npa)
+		goto exit;
+
+	mcs->mbox = npa->mbox;
+	mcs->idx = mcs_idx;
+
+	/* Add any per mcsv initialization */
+	if (mcs_alloc_rsrc_bmap(mcs))
+		goto exit;
+
+	roc_idev_mcs_set(mcs);
+	mcs->refcount++;
+
+	return mcs;
+exit:
+	plt_free(mcs);
+	return NULL;
+}
+
+void
+roc_mcs_dev_fini(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv;
+	int i;
+
+	mcs->refcount--;
+	if (mcs->refcount > 0)
+		return;
+
+	priv = roc_mcs_to_mcs_priv(mcs);
+
+	rsrc_bmap_free(&priv->dev_rsrc);
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+
+	plt_free(priv->port_rsrc);
+
+	roc_idev_mcs_free(mcs);
+
+	plt_free(mcs);
+}
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
new file mode 100644
index 0000000000..2f06ce2659
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_H_
+#define _ROC_MCS_H_
+
+#define MCS_AES_GCM_256_KEYLEN 32
+
+struct roc_mcs_hw_info {
+	uint8_t num_mcs_blks; /* Number of MCS blocks */
+	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t sa_entries;  /* PN table entries = SA entries */
+	uint64_t rsvd[16];
+};
+
+
+struct roc_mcs {
+	TAILQ_ENTRY(roc_mcs) next;
+	struct plt_pci_device *pci_dev;
+	struct mbox *mbox;
+	void *userdata;
+	uint8_t idx;
+	uint8_t refcount;
+
+#define ROC_MCS_MEM_SZ (1 * 1024)
+	uint8_t reserved[ROC_MCS_MEM_SZ] __plt_cache_aligned;
+} __plt_cache_aligned;
+
+TAILQ_HEAD(roc_mcs_head, roc_mcs);
+
+/* Initialization */
+__roc_api struct roc_mcs *roc_mcs_dev_init(uint8_t mcs_idx);
+__roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
+/* Get roc mcs dev structure */
+__roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
+/* HW info get */
+__roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+#endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
new file mode 100644
index 0000000000..9e0bbe4392
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#ifndef _ROC_MCS_PRIV_H_
+#define _ROC_MCS_PRIV_H_
+
+#define MAX_PORTS_PER_MCS 4
+
+enum mcs_error_status {
+	MCS_ERR_PARAM = -900,
+	MCS_ERR_HW_NOTSUP = -901,
+	MCS_ERR_DEVICE_NOT_FOUND = -902,
+};
+
+#define MCS_SUPPORT_CHECK                                                                          \
+	do {                                                                                       \
+		if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))              \
+			return MCS_ERR_HW_NOTSUP;                                                  \
+	} while (0)
+
+struct mcs_sc_conf {
+	struct {
+		uint64_t sci;
+		uint16_t sa_idx0;
+		uint16_t sa_idx1;
+		uint8_t rekey_enb;
+	} tx;
+	struct {
+		uint16_t sa_idx;
+		uint8_t an;
+	} rx;
+};
+
+struct mcs_rsrc {
+	struct plt_bitmap *tcam_bmap;
+	void *tcam_bmap_mem;
+	struct plt_bitmap *secy_bmap;
+	void *secy_bmap_mem;
+	struct plt_bitmap *sc_bmap;
+	void *sc_bmap_mem;
+	struct plt_bitmap *sa_bmap;
+	void *sa_bmap_mem;
+	struct mcs_sc_conf *sc_conf;
+};
+
+struct mcs_priv {
+	struct mcs_rsrc *port_rsrc;
+	struct mcs_rsrc dev_rsrc;
+	uint64_t default_sci;
+	uint32_t lmac_bmap;
+	uint8_t num_mcs_blks;
+	uint8_t tcam_entries;
+	uint8_t secy_entries;
+	uint8_t sc_entries;
+	uint16_t sa_entries;
+};
+
+static inline struct mcs_priv *
+roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
+{
+	return (struct mcs_priv *)&roc_mcs->reserved[0];
+}
+
+#endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/roc_priv.h b/drivers/common/cnxk/roc_priv.h
index 14fe2e452a..254a2d3310 100644
--- a/drivers/common/cnxk/roc_priv.h
+++ b/drivers/common/cnxk/roc_priv.h
@@ -44,6 +44,9 @@
 /* DPI */
 #include "roc_dpi_priv.h"
 
+/* MCS */
+#include "roc_mcs_priv.h"
+
 /* REE */
 #include "roc_ree_priv.h"
 
diff --git a/drivers/common/cnxk/roc_utils.c b/drivers/common/cnxk/roc_utils.c
index fe291fce96..9af2ae9b69 100644
--- a/drivers/common/cnxk/roc_utils.c
+++ b/drivers/common/cnxk/roc_utils.c
@@ -16,6 +16,7 @@ roc_error_msg_get(int errorcode)
 	case NPA_ERR_PARAM:
 	case NPC_ERR_PARAM:
 	case SSO_ERR_PARAM:
+	case MCS_ERR_PARAM:
 	case UTIL_ERR_PARAM:
 		err_msg = "Invalid parameter";
 		break;
@@ -35,6 +36,7 @@ roc_error_msg_get(int errorcode)
 		err_msg = "Operation not supported";
 		break;
 	case NIX_ERR_HW_NOTSUP:
+	case MCS_ERR_HW_NOTSUP:
 		err_msg = "Hardware does not support";
 		break;
 	case NIX_ERR_QUEUE_INVALID_RANGE:
@@ -223,6 +225,9 @@ roc_error_msg_get(int errorcode)
 	case SSO_ERR_DEVICE_NOT_BOUNDED:
 		err_msg = "SSO pf/vf not found";
 		break;
+	case MCS_ERR_DEVICE_NOT_FOUND:
+		err_msg = "MCS device not found";
+		break;
 	case UTIL_ERR_FS:
 		err_msg = "file operation failed";
 		break;
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index e1335e9068..900290b866 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -94,6 +94,9 @@ INTERNAL {
 	roc_idev_cpt_get;
 	roc_idev_cpt_set;
 	roc_idev_lmt_base_addr_get;
+	roc_idev_mcs_free;
+	roc_idev_mcs_get;
+	roc_idev_mcs_set;
 	roc_idev_npa_maxpools_get;
 	roc_idev_npa_maxpools_set;
 	roc_idev_npa_nix_get;
@@ -132,6 +135,10 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_dev_init;
+	roc_mcs_dev_fini;
+	roc_mcs_dev_get;
+	roc_mcs_hw_info_get;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v4 02/15] common/cnxk: add MACsec SA configuration

[Akhil Goyal]

Added ROC APIs to allocate/free MACsec resources
and APIs to write SA policy.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build       |   1 +
 drivers/common/cnxk/roc_mbox.h        |  12 ++
 drivers/common/cnxk/roc_mcs.h         |  43 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 211 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   4 +
 5 files changed, 271 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index e33c002676..589baf74fe 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -27,6 +27,7 @@ sources = files(
         'roc_ie_ot.c',
         'roc_mbox.c',
         'roc_mcs.c',
+        'roc_mcs_sec_cfg.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ef7a7d6513..ab1173e805 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,6 +300,7 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -725,6 +726,17 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_sa_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
+	uint8_t __io sa_index[2];
+	uint8_t __io sa_cnt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 2f06ce2659..ea4c6ddc05 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -7,6 +7,39 @@
 
 #define MCS_AES_GCM_256_KEYLEN 32
 
+struct roc_mcs_alloc_rsrc_req {
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* Resources count */
+	uint8_t dir;	  /* Macsec ingress or egress side */
+	uint8_t all;	  /* Allocate all resource type one each */
+};
+
+struct roc_mcs_alloc_rsrc_rsp {
+	uint8_t flow_ids[128]; /* Index of reserved entries */
+	uint8_t secy_ids[128];
+	uint8_t sc_ids[128];
+	uint8_t sa_ids[256];
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* No of entries reserved */
+	uint8_t dir;
+	uint8_t all;
+};
+
+struct roc_mcs_free_rsrc_req {
+	uint8_t rsrc_id; /* Index of the entry to be freed */
+	uint8_t rsrc_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the cam resources */
+};
+
+
+struct roc_mcs_sa_plcy_write_req {
+	uint64_t plcy[2][9];
+	uint8_t sa_index[2];
+	uint8_t sa_cnt;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -38,4 +71,14 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+
+/* Resource allocation and free */
+__roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+				 struct roc_mcs_alloc_rsrc_rsp *rsp);
+__roc_api int roc_mcs_rsrc_free(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *req);
+/* SA policy read and write */
+__roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
+				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
+__roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
+				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
new file mode 100644
index 0000000000..041be51b4b
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -0,0 +1,211 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+		   struct roc_mcs_alloc_rsrc_rsp *rsp)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_alloc_rsrc_req *rsrc_req;
+	struct mcs_alloc_rsrc_rsp *rsrc_rsp;
+	int rc, i;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rsrc_req = mbox_alloc_msg_mcs_alloc_resources(mcs->mbox);
+	if (rsrc_req == NULL)
+		return -ENOMEM;
+
+	rsrc_req->rsrc_type = req->rsrc_type;
+	rsrc_req->rsrc_cnt = req->rsrc_cnt;
+	rsrc_req->mcs_id = mcs->idx;
+	rsrc_req->dir = req->dir;
+	rsrc_req->all = req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsrc_rsp);
+	if (rc)
+		return rc;
+
+	if (rsrc_rsp->all) {
+		rsrc_rsp->rsrc_cnt = 1;
+		rsrc_rsp->rsrc_type = 0xFF;
+	}
+
+	for (i = 0; i < rsrc_rsp->rsrc_cnt; i++) {
+		switch (rsrc_rsp->rsrc_type) {
+		case MCS_RSRC_TYPE_FLOWID:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SECY:
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SC:
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SA:
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		default:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		}
+	}
+	rsp->rsrc_type = rsrc_rsp->rsrc_type;
+	rsp->rsrc_cnt = rsrc_rsp->rsrc_cnt;
+	rsp->dir = rsrc_rsp->dir;
+	rsp->all = rsrc_rsp->all;
+
+	return 0;
+}
+
+int
+roc_mcs_rsrc_free(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *free_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_free_rsrc_req *req;
+	struct msg_rsp *rsp;
+	uint32_t pos;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (free_req == NULL)
+		return -EINVAL;
+
+	req = mbox_alloc_msg_mcs_free_resources(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->rsrc_id = free_req->rsrc_id;
+	req->rsrc_type = free_req->rsrc_type;
+	req->mcs_id = mcs->idx;
+	req->dir = free_req->dir;
+	req->all = free_req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	switch (free_req->rsrc_type) {
+	case MCS_RSRC_TYPE_FLOWID:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->tcam_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.tcam_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].tcam_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].tcam_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SECY:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->secy_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.secy_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].secy_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SC:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sc_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sc_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sc_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SA:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sa_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sa_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sa_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sa_bmap, pos);
+				break;
+			}
+		}
+		break;
+	default:
+		break;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sa_policy_write(struct roc_mcs *mcs, struct roc_mcs_sa_plcy_write_req *sa_plcy)
+{
+	struct mcs_sa_plcy_write_req *sa;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (sa_plcy == NULL)
+		return -EINVAL;
+
+	sa = mbox_alloc_msg_mcs_sa_plcy_write(mcs->mbox);
+	if (sa == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(sa->plcy, sa_plcy->plcy, sizeof(uint64_t) * 2 * 9);
+	sa->sa_index[0] = sa_plcy->sa_index[0];
+	sa->sa_index[1] = sa_plcy->sa_index[1];
+	sa->sa_cnt = sa_plcy->sa_cnt;
+	sa->mcs_id = mcs->idx;
+	sa->dir = sa_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_sa_plcy_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 900290b866..bd8a3095f9 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,6 +139,10 @@ INTERNAL {
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
 	roc_mcs_hw_info_get;
+	roc_mcs_rsrc_alloc;
+	roc_mcs_rsrc_free;
+	roc_mcs_sa_policy_read;
+	roc_mcs_sa_policy_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v4 03/15] common/cnxk: add MACsec SC configuration APIs

[Akhil Goyal]

Added ROC APIs to configure MACsec secure channel(SC)
and its mapping with SAs for both Rx and Tx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  37 ++++++
 drivers/common/cnxk/roc_mcs.h         |  41 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 171 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   7 ++
 4 files changed, 256 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ab1173e805..40b761ee99 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,7 +300,10 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
+	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
+	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -726,6 +729,16 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+/* RX SC_CAM mapping */
+struct mcs_rx_sc_cam_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sci;     /* SCI */
+	uint64_t __io secy_id; /* secy index mapped to SC */
+	uint8_t __io sc_id;    /* SC CAM entry index */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_sa_plcy_write_req {
 	struct mbox_msghdr hdr;
 	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
@@ -736,6 +749,30 @@ struct mcs_sa_plcy_write_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_tx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index0;
+	uint8_t __io sa_index1;
+	uint8_t __io rekey_ena;
+	uint8_t __io sa_index0_vld;
+	uint8_t __io sa_index1_vld;
+	uint8_t __io tx_sa_active;
+	uint64_t __io sectag_sci;
+	uint8_t __io sc_id; /* used as index for SA_MEM_MAP */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_rx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index;
+	uint8_t __io sa_in_use;
+	uint8_t __io sc_id;
+	/* an range is 0-3, sc_id + an used as index SA_MEM_MAP */
+	uint8_t __io an;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
 
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index ea4c6ddc05..e947f93460 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,12 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+/* RX SC_CAM mapping */
+struct roc_mcs_rx_sc_cam_write_req {
+	uint64_t sci;	  /* SCI */
+	uint64_t secy_id; /* secy index mapped to SC */
+	uint8_t sc_id;	  /* SC CAM entry index */
+};
 
 struct roc_mcs_sa_plcy_write_req {
 	uint64_t plcy[2][9];
@@ -40,6 +46,24 @@ struct roc_mcs_sa_plcy_write_req {
 	uint8_t dir;
 };
 
+struct roc_mcs_tx_sc_sa_map {
+	uint8_t sa_index0;
+	uint8_t sa_index1;
+	uint8_t rekey_ena;
+	uint8_t sa_index0_vld;
+	uint8_t sa_index1_vld;
+	uint8_t tx_sa_active;
+	uint64_t sectag_sci;
+	uint8_t sc_id; /* used as index for SA_MEM_MAP */
+};
+
+struct roc_mcs_rx_sc_sa_map {
+	uint8_t sa_index;
+	uint8_t sa_in_use;
+	uint8_t sc_id;
+	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -81,4 +105,21 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* RX SC read, write and enable */
+__roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
+				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
+				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* RX SC-SA MAP read and write */
+__roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+__roc_api int roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+/* TX SC-SA MAP read and write */
+__roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+__roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 041be51b4b..9b87952112 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -209,3 +209,174 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+
+int
+roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_cam_write_req *rx_sc;
+	struct msg_rsp *rsp;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_cam == NULL)
+		return -EINVAL;
+
+	rx_sc = mbox_alloc_msg_mcs_rx_sc_cam_write(mcs->mbox);
+	if (rx_sc == NULL)
+		return -ENOMEM;
+
+	rx_sc->sci = rx_sc_cam->sci;
+	rx_sc->secy_id = rx_sc_cam->secy_id;
+	rx_sc->sc_id = rx_sc_cam->sc_id;
+	rx_sc->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, rx_sc_cam->secy_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sc_bmap, rx_sc_cam->sc_id);
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sc_id = rx_sc_sa_map->sc_id;
+	sa_map = mbox_alloc_msg_mcs_rx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index = rx_sc_sa_map->sa_index;
+	sa_map->sa_in_use = rx_sc_sa_map->sa_in_use;
+	sa_map->sc_id = rx_sc_sa_map->sc_id;
+	sa_map->an = rx_sc_sa_map->an;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, rx_sc_sa_map->sa_index);
+			priv->port_rsrc[i].sc_conf[sc_id].rx.sa_idx = rx_sc_sa_map->sa_index;
+			priv->port_rsrc[i].sc_conf[sc_id].rx.an = rx_sc_sa_map->an;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_tx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (tx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sa_map = mbox_alloc_msg_mcs_tx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index0 = tx_sc_sa_map->sa_index0;
+	sa_map->sa_index1 = tx_sc_sa_map->sa_index1;
+	sa_map->rekey_ena = tx_sc_sa_map->rekey_ena;
+	sa_map->sa_index0_vld = tx_sc_sa_map->sa_index0_vld;
+	sa_map->sa_index1_vld = tx_sc_sa_map->sa_index1_vld;
+	sa_map->tx_sa_active = tx_sc_sa_map->tx_sa_active;
+	sa_map->sectag_sci = tx_sc_sa_map->sectag_sci;
+	sa_map->sc_id = tx_sc_sa_map->sc_id;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	sc_id = tx_sc_sa_map->sc_id;
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id + priv->sc_entries);
+
+		if (set) {
+			uint32_t pos = priv->sa_entries + tx_sc_sa_map->sa_index0;
+
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx0 = tx_sc_sa_map->sa_index0;
+			pos = priv->sa_entries + tx_sc_sa_map->sa_index1;
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx1 = tx_sc_sa_map->sa_index1;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sci = tx_sc_sa_map->sectag_sci;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.rekey_enb = tx_sc_sa_map->rekey_ena;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index bd8a3095f9..dbfda62ad1 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -141,8 +141,15 @@ INTERNAL {
 	roc_mcs_hw_info_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
+	roc_mcs_rx_sc_cam_enable;
+	roc_mcs_rx_sc_cam_read;
+	roc_mcs_rx_sc_cam_write;
+	roc_mcs_rx_sc_sa_map_read;
+	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_tx_sc_sa_map_read;
+	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v4 04/15] common/cnxk: add MACsec secy and flow configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec secy policy and
flow entries.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  38 +++++++++
 drivers/common/cnxk/roc_mcs.h         |  37 +++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 115 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   5 ++
 4 files changed, 195 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 40b761ee99..fcfcc90f6c 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,10 +300,14 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_FLOWID_ENTRY_WRITE, 0xa002, mcs_flowid_entry_write, mcs_flowid_entry_write_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_SECY_PLCY_WRITE, 0xa003, mcs_secy_plcy_write, mcs_secy_plcy_write_req, msg_rsp)      \
 	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
+	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -729,6 +733,31 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_entry_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data[4];
+	uint64_t __io mask[4];
+	uint64_t __io sci; /* CNF10K-B for tx_secy_mem_map */
+	uint8_t __io flow_id;
+	uint8_t __io secy_id; /* secyid for which flowid is mapped */
+	/* sc_id is Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t __io sc_id;
+	uint8_t __io ena; /* Enable tcam entry */
+	uint8_t __io ctr_pkt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy;
+	uint8_t __io secy_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 /* RX SC_CAM mapping */
 struct mcs_rx_sc_cam_write_req {
 	struct mbox_msghdr hdr;
@@ -774,6 +803,15 @@ struct mcs_rx_sc_sa_map {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_ena_dis_entry {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_id;
+	uint8_t __io ena;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index e947f93460..38c2d5626a 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,24 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+struct roc_mcs_flowid_entry_write_req {
+	uint64_t data[4];
+	uint64_t mask[4];
+	uint64_t sci; /* 105N for tx_secy_mem_map */
+	uint8_t flow_id;
+	uint8_t secy_id; /* secyid for which flowid is mapped */
+	uint8_t sc_id;	 /* Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t ena;	 /* Enable tcam entry */
+	uint8_t ctr_pkt;
+	uint8_t dir;
+};
+
+struct roc_mcs_secy_plcy_write_req {
+	uint64_t plcy;
+	uint8_t secy_id;
+	uint8_t dir;
+};
+
 /* RX SC_CAM mapping */
 struct roc_mcs_rx_sc_cam_write_req {
 	uint64_t sci;	  /* SCI */
@@ -64,6 +82,12 @@ struct roc_mcs_rx_sc_sa_map {
 	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
 };
 
+struct roc_mcs_flowid_ena_dis_entry {
+	uint8_t flow_id;
+	uint8_t ena;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -112,6 +136,11 @@ __roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
 				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 __roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
 				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* SECY policy read and write */
+__roc_api int roc_mcs_secy_policy_write(struct roc_mcs *mcs,
+					struct roc_mcs_secy_plcy_write_req *secy_plcy);
+__roc_api int roc_mcs_secy_policy_read(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 /* RX SC-SA MAP read and write */
 __roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
@@ -122,4 +151,12 @@ __roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 __roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
 					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+/* Flow entry read, write and enable */
+__roc_api int roc_mcs_flowid_entry_write(struct roc_mcs *mcs,
+					 struct roc_mcs_flowid_entry_write_req *flowid_req);
+__roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
+					struct roc_mcs_flowid_entry_write_req *flowid_rsp);
+__roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
+					  struct roc_mcs_flowid_ena_dis_entry *entry);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 9b87952112..44b4919bbc 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -267,6 +267,38 @@ roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_secy_policy_write(struct roc_mcs *mcs, struct roc_mcs_secy_plcy_write_req *secy_plcy)
+{
+	struct mcs_secy_plcy_write_req *secy;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (secy_plcy == NULL)
+		return -EINVAL;
+
+	secy = mbox_alloc_msg_mcs_secy_plcy_write(mcs->mbox);
+	if (secy == NULL)
+		return -ENOMEM;
+
+	secy->plcy = secy_plcy->plcy;
+	secy->secy_id = secy_plcy->secy_id;
+	secy->mcs_id = mcs->idx;
+	secy->dir = secy_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_secy_policy_read(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
 int
 roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
 {
@@ -380,3 +412,86 @@ roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+int
+roc_mcs_flowid_entry_write(struct roc_mcs *mcs, struct roc_mcs_flowid_entry_write_req *flowid_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_flowid_entry_write_req *flow_req;
+	struct msg_rsp *rsp;
+	uint8_t port;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (flowid_req == NULL)
+		return -EINVAL;
+
+	flow_req = mbox_alloc_msg_mcs_flowid_entry_write(mcs->mbox);
+	if (flow_req == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(flow_req->data, flowid_req->data, sizeof(uint64_t) * 4);
+	mbox_memcpy(flow_req->mask, flowid_req->mask, sizeof(uint64_t) * 4);
+	flow_req->sci = flowid_req->sci;
+	flow_req->flow_id = flowid_req->flow_id;
+	flow_req->secy_id = flowid_req->secy_id;
+	flow_req->sc_id = flowid_req->sc_id;
+	flow_req->ena = flowid_req->ena;
+	flow_req->ctr_pkt = flowid_req->ctr_pkt;
+	flow_req->mcs_id = mcs->idx;
+	flow_req->dir = flowid_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (flow_req->mask[3] & (BIT_ULL(10) | BIT_ULL(11)))
+		return rc;
+
+	port = (flow_req->data[3] >> 10) & 0x3;
+
+	plt_bitmap_set(priv->port_rsrc[port].tcam_bmap,
+		       flowid_req->flow_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->tcam_entries : 0));
+	plt_bitmap_set(priv->port_rsrc[port].secy_bmap,
+		       flowid_req->secy_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->secy_entries : 0));
+
+	if (flowid_req->dir == MCS_TX)
+		plt_bitmap_set(priv->port_rsrc[port].sc_bmap, priv->sc_entries + flowid_req->sc_id);
+
+	return 0;
+}
+
+int
+roc_mcs_flowid_entry_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_flowid_entry_write_req *flowid_rsp __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_flowid_entry_enable(struct roc_mcs *mcs, struct roc_mcs_flowid_ena_dis_entry *entry)
+{
+	struct mcs_flowid_ena_dis_entry *flow_entry;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (entry == NULL)
+		return -EINVAL;
+
+	flow_entry = mbox_alloc_msg_mcs_flowid_ena_entry(mcs->mbox);
+	if (flow_entry == NULL)
+		return -ENOMEM;
+
+	flow_entry->flow_id = entry->flow_id;
+	flow_entry->ena = entry->ena;
+	flow_entry->mcs_id = mcs->idx;
+	flow_entry->dir = entry->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index dbfda62ad1..3d9da3b187 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -138,6 +138,9 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_flowid_entry_enable;
+	roc_mcs_flowid_entry_read;
+	roc_mcs_flowid_entry_write;
 	roc_mcs_hw_info_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
@@ -148,6 +151,8 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_secy_policy_read;
+	roc_mcs_secy_policy_write;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH v4 05/15] common/cnxk: add MACsec PN and LMAC mode configuration

[Akhil Goyal]

Added ROC APIs for setting packet number and LMAC
related configurations.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        | 56 +++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c         | 71 +++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h         | 48 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 31 ++++++++++++
 drivers/common/cnxk/version.map       |  5 ++
 5 files changed, 211 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index fcfcc90f6c..62c5c3a3ce 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -308,7 +308,11 @@ struct mbox_msghdr {
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
+	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
+	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
+	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -812,6 +816,34 @@ struct mcs_flowid_ena_dis_entry {
 	uint64_t __io rsvd;
 };
 
+struct mcs_pn_table_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io next_pn;
+	uint8_t __io pn_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io reg_val[10];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
@@ -822,6 +854,30 @@ struct mcs_hw_info {
 	uint64_t __io rsvd[16];
 };
 
+struct mcs_set_active_lmac {
+	struct mbox_msghdr hdr;
+	uint32_t __io lmac_bmap; /* bitmap of active lmac per mcs block */
+	uint8_t __io mcs_id;
+	uint16_t __io channel_base; /* MCS channel base */
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_lmac_mode {
+	struct mbox_msghdr hdr;
+	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_pn_threshold {
+	struct mbox_msghdr hdr;
+	uint64_t __io threshold;
+	uint8_t __io xpn; /* '1' for setting xpn threshold */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
 
 /* NPA mbox message formats */
 
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 20433eae83..38f1e9b2f7 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -38,6 +38,77 @@ roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 	return rc;
 }
 
+int
+roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac)
+{
+	struct mcs_set_active_lmac *req;
+	struct msg_rsp *rsp;
+
+	/* Only needed for 105N */
+	if (!roc_model_is_cnf10kb())
+		return 0;
+
+	if (lmac == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_active_lmac(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_bmap = lmac->lmac_bmap;
+	req->channel_base = lmac->channel_base;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
+{
+	struct mcs_set_lmac_mode *req;
+	struct msg_rsp *rsp;
+
+	if (port == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_lmac_mode(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_id = port->lmac_id;
+	req->mcs_id = mcs->idx;
+	req->mode = port->mode;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn)
+{
+	struct mcs_set_pn_threshold *req;
+	struct msg_rsp *rsp;
+
+	if (pn == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_pn_threshold(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->threshold = pn->threshold;
+	req->mcs_id = mcs->idx;
+	req->dir = pn->dir;
+	req->xpn = pn->xpn;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 38c2d5626a..bedae3bf42 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -88,6 +88,25 @@ struct roc_mcs_flowid_ena_dis_entry {
 	uint8_t dir;
 };
 
+struct roc_mcs_pn_table_write_req {
+	uint64_t next_pn;
+	uint8_t pn_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_req {
+	uint8_t rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_rsp {
+	uint64_t reg_val[10];
+	uint8_t rsrc_type;
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -97,6 +116,24 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+struct roc_mcs_set_lmac_mode {
+	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_active_lmac {
+	uint32_t lmac_bmap;    /* bitmap of active lmac per mcs block */
+	uint16_t channel_base; /* MCS channel base */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_pn_threshold {
+	uint64_t threshold;
+	uint8_t xpn; /* '1' for setting xpn threshold */
+	uint8_t dir;
+	uint64_t rsvd;
+};
 
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
@@ -119,6 +156,12 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+/* Active lmac bmap set */
+__roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac);
+/* Port bypass mode set */
+__roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
+/* (X)PN threshold set */
+__roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -129,6 +172,11 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+/* PN Table read and write */
+__roc_api int roc_mcs_pn_table_write(struct roc_mcs *mcs,
+				     struct roc_mcs_pn_table_write_req *pn_table);
+__roc_api int roc_mcs_pn_table_read(struct roc_mcs *mcs,
+				    struct roc_mcs_pn_table_write_req *pn_table);
 /* RX SC read, write and enable */
 __roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
 				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 44b4919bbc..7b3a4c91e8 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -210,6 +210,37 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_pn_table_write(struct roc_mcs *mcs, struct roc_mcs_pn_table_write_req *pn_table)
+{
+	struct mcs_pn_table_write_req *pn;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (pn_table == NULL)
+		return -EINVAL;
+
+	pn = mbox_alloc_msg_mcs_pn_table_write(mcs->mbox);
+	if (pn == NULL)
+		return -ENOMEM;
+
+	pn->next_pn = pn_table->next_pn;
+	pn->pn_id = pn_table->pn_id;
+	pn->mcs_id = mcs->idx;
+	pn->dir = pn_table->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_table_read(struct roc_mcs *mcs __plt_unused,
+		      struct roc_mcs_pn_table_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
 
 int
 roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 3d9da3b187..0591747961 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -135,6 +135,7 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_active_lmac_set;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
@@ -142,6 +143,10 @@ INTERNAL {
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_hw_info_get;
+	roc_mcs_lmac_mode_set;
+	roc_mcs_pn_table_write;
+	roc_mcs_pn_table_read;
+	roc_mcs_pn_threshold_set;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
 	roc_mcs_rx_sc_cam_enable;
-- 
2.25.1

[PATCH v4 06/15] common/cnxk: add MACsec stats

[Akhil Goyal]

Added ROC APIs for MACsec stats for SC/SECY/FLOW/PORT

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_mbox.h      |  93 ++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  85 ++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c | 193 ++++++++++++++++++++++++++++
 drivers/common/cnxk/version.map     |   5 +
 5 files changed, 377 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 589baf74fe..79e10bac74 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -28,6 +28,7 @@ sources = files(
         'roc_mbox.c',
         'roc_mcs.c',
         'roc_mcs_sec_cfg.c',
+        'roc_mcs_stats.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 62c5c3a3ce..3f3a6aadc8 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -311,6 +311,11 @@ struct mbox_msghdr {
 	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
 	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_GET_FLOWID_STATS, 0xa00c, mcs_get_flowid_stats, mcs_stats_req, mcs_flowid_stats)     \
+	M(MCS_GET_SECY_STATS, 0xa00d, mcs_get_secy_stats, mcs_stats_req, mcs_secy_stats)           \
+	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
+	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
+	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -879,6 +884,94 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_stats_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_flowid_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_hit_cnt;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl_pkt_bcast_cnt;
+	uint64_t __io ctl_pkt_mcast_cnt;
+	uint64_t __io ctl_pkt_ucast_cnt;
+	uint64_t __io ctl_octet_cnt;
+	uint64_t __io unctl_pkt_bcast_cnt;
+	uint64_t __io unctl_pkt_mcast_cnt;
+	uint64_t __io unctl_pkt_ucast_cnt;
+	uint64_t __io unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t __io octet_decrypted_cnt;
+	uint64_t __io octet_validated_cnt;
+	uint64_t __io pkt_port_disabled_cnt;
+	uint64_t __io pkt_badtag_cnt;
+	uint64_t __io pkt_nosa_cnt;
+	uint64_t __io pkt_nosaerror_cnt;
+	uint64_t __io pkt_tagged_ctl_cnt;
+	uint64_t __io pkt_untaged_cnt;
+	uint64_t __io pkt_ctl_cnt;   /* CN10K-B */
+	uint64_t __io pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t __io octet_encrypted_cnt;
+	uint64_t __io octet_protected_cnt;
+	uint64_t __io pkt_noactivesa_cnt;
+	uint64_t __io pkt_toolong_cnt;
+	uint64_t __io pkt_untagged_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_port_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_miss_cnt;
+	uint64_t __io parser_err_cnt;
+	uint64_t __io preempt_err_cnt; /* CNF10K-B */
+	uint64_t __io sectag_insert_err_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_sc_stats {
+	struct mbox_msghdr hdr;
+	/* RX */
+	uint64_t __io hit_cnt;
+	uint64_t __io pkt_invalid_cnt;
+	uint64_t __io pkt_late_cnt;
+	uint64_t __io pkt_notvalid_cnt;
+	uint64_t __io pkt_unchecked_cnt;
+	uint64_t __io pkt_delay_cnt;	  /* CNF10K-B */
+	uint64_t __io pkt_ok_cnt;	  /* CNF10K-B */
+	uint64_t __io octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t __io octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t __io pkt_encrypt_cnt;
+	uint64_t __io pkt_protected_cnt;
+	uint64_t __io octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t __io octet_protected_cnt; /* CN10K-B */
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_clear_stats {
+	struct mbox_msghdr hdr;
+#define MCS_FLOWID_STATS 0
+#define MCS_SECY_STATS	 1
+#define MCS_SC_STATS	 2
+#define MCS_SA_STATS	 3
+#define MCS_PORT_STATS	 4
+	uint8_t __io type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* All resources stats mapped to PF are cleared */
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index bedae3bf42..3fbeee13fa 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -135,6 +135,76 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_stats_req {
+	uint8_t id;
+	uint8_t dir;
+};
+
+struct roc_mcs_flowid_stats {
+	uint64_t tcam_hit_cnt;
+};
+
+struct roc_mcs_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;	/* CN10K-B */
+	uint64_t pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct roc_mcs_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;	     /* CNF10K-B */
+	uint64_t pkt_ok_cnt;	     /* CNF10K-B */
+	uint64_t octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t octet_protected_cnt; /* CN10K-B */
+};
+
+struct roc_mcs_port_stats {
+	uint64_t tcam_miss_cnt;
+	uint64_t parser_err_cnt;
+	uint64_t preempt_err_cnt; /* CNF10K-B */
+	uint64_t sectag_insert_err_cnt;
+};
+
+struct roc_mcs_clear_stats {
+	uint8_t type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t id;
+	uint8_t dir;
+	uint8_t all; /* All resources stats mapped to PF are cleared */
+};
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -207,4 +277,19 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Flow id stats get */
+__roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				       struct roc_mcs_flowid_stats *stats);
+/* Secy stats get */
+__roc_api int roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_secy_stats *stats);
+/* SC stats get */
+__roc_api int roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				   struct roc_mcs_sc_stats *stats);
+/* Port stats get */
+__roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_port_stats *stats);
+/* Clear stats */
+__roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_stats.c b/drivers/common/cnxk/roc_mcs_stats.c
new file mode 100644
index 0000000000..24ac8a31cd
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_stats.c
@@ -0,0 +1,193 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2022 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+			 struct roc_mcs_flowid_stats *stats)
+{
+	struct mcs_flowid_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_flowid_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_hit_cnt = rsp->tcam_hit_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_secy_stats *stats)
+{
+	struct mcs_secy_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_secy_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->ctl_pkt_bcast_cnt = rsp->ctl_pkt_bcast_cnt;
+	stats->ctl_pkt_mcast_cnt = rsp->ctl_pkt_mcast_cnt;
+	stats->ctl_pkt_ucast_cnt = rsp->ctl_pkt_ucast_cnt;
+	stats->ctl_octet_cnt = rsp->ctl_octet_cnt;
+	stats->unctl_pkt_bcast_cnt = rsp->unctl_pkt_bcast_cnt;
+	stats->unctl_pkt_mcast_cnt = rsp->unctl_pkt_mcast_cnt;
+	stats->unctl_pkt_ucast_cnt = rsp->unctl_pkt_ucast_cnt;
+	stats->unctl_octet_cnt = rsp->unctl_octet_cnt;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->octet_decrypted_cnt = rsp->octet_decrypted_cnt;
+		stats->octet_validated_cnt = rsp->octet_validated_cnt;
+		stats->pkt_port_disabled_cnt = rsp->pkt_port_disabled_cnt;
+		stats->pkt_badtag_cnt = rsp->pkt_badtag_cnt;
+		stats->pkt_nosa_cnt = rsp->pkt_nosa_cnt;
+		stats->pkt_nosaerror_cnt = rsp->pkt_nosaerror_cnt;
+		stats->pkt_tagged_ctl_cnt = rsp->pkt_tagged_ctl_cnt;
+		stats->pkt_untaged_cnt = rsp->pkt_untaged_cnt;
+		if (roc_model_is_cn10kb_a0())
+			/* CN10K-B */
+			stats->pkt_ctl_cnt = rsp->pkt_ctl_cnt;
+		else
+			/* CNF10K-B */
+			stats->pkt_notag_cnt = rsp->pkt_notag_cnt;
+	} else {
+		stats->octet_encrypted_cnt = rsp->octet_encrypted_cnt;
+		stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		stats->pkt_noactivesa_cnt = rsp->pkt_noactivesa_cnt;
+		stats->pkt_toolong_cnt = rsp->pkt_toolong_cnt;
+		stats->pkt_untagged_cnt = rsp->pkt_untagged_cnt;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		     struct roc_mcs_sc_stats *stats)
+{
+	struct mcs_stats_req *req;
+	struct mcs_sc_stats *rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_sc_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->hit_cnt = rsp->hit_cnt;
+		stats->pkt_invalid_cnt = rsp->pkt_invalid_cnt;
+		stats->pkt_late_cnt = rsp->pkt_late_cnt;
+		stats->pkt_notvalid_cnt = rsp->pkt_notvalid_cnt;
+		stats->pkt_unchecked_cnt = rsp->pkt_unchecked_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_decrypt_cnt = rsp->octet_decrypt_cnt;
+			stats->octet_validate_cnt = rsp->octet_validate_cnt;
+		} else {
+			stats->pkt_delay_cnt = rsp->pkt_delay_cnt;
+			stats->pkt_ok_cnt = rsp->pkt_ok_cnt;
+		}
+	} else {
+		stats->pkt_encrypt_cnt = rsp->pkt_encrypt_cnt;
+		stats->pkt_protected_cnt = rsp->pkt_protected_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_encrypt_cnt = rsp->octet_encrypt_cnt;
+			stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		}
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_port_stats *stats)
+{
+	struct mcs_port_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_port_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_miss_cnt = rsp->tcam_miss_cnt;
+	stats->parser_err_cnt = rsp->parser_err_cnt;
+	if (roc_model_is_cnf10kb())
+		stats->preempt_err_cnt = rsp->preempt_err_cnt;
+
+	stats->sectag_insert_err_cnt = rsp->sectag_insert_err_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req)
+{
+	struct mcs_clear_stats *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (!roc_model_is_cn10kb_a0() && mcs_req->type == MCS_SA_STATS)
+		return MCS_ERR_HW_NOTSUP;
+
+	req = mbox_alloc_msg_mcs_clear_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->type = mcs_req->type;
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+	req->all = mcs_req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 0591747961..d8890e3538 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -142,11 +142,13 @@ INTERNAL {
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
+	roc_mcs_flowid_stats_get;
 	roc_mcs_hw_info_get;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_stats_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
 	roc_mcs_rx_sc_cam_enable;
@@ -156,8 +158,11 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_sc_stats_get;
 	roc_mcs_secy_policy_read;
 	roc_mcs_secy_policy_write;
+	roc_mcs_secy_stats_get;
+	roc_mcs_stats_clear;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH v4 07/15] common/cnxk: add MACsec interrupt APIs

[Akhil Goyal]

Added ROC APIs to support various MACsec interrupts.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_dev.c      |  86 +++++++++++++++++
 drivers/common/cnxk/roc_mbox.h     |  37 +++++++-
 drivers/common/cnxk/roc_mcs.c      | 117 +++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h      | 144 +++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h |   8 ++
 drivers/common/cnxk/version.map    |   3 +
 6 files changed, 394 insertions(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/roc_dev.c b/drivers/common/cnxk/roc_dev.c
index 571679c968..4b0ba218ed 100644
--- a/drivers/common/cnxk/roc_dev.c
+++ b/drivers/common/cnxk/roc_dev.c
@@ -527,6 +527,91 @@ pf_vf_mbox_send_up_msg(struct dev *dev, void *rec_msg)
 	}
 }
 
+static int
+mbox_up_handler_mcs_intr_notify(struct dev *dev, struct mcs_intr_info *info, struct msg_rsp *rsp)
+{
+	struct roc_mcs_event_desc desc = {0};
+	struct roc_mcs *mcs;
+
+	plt_base_dbg("pf:%d/vf:%d msg id 0x%x (%s) from: pf:%d/vf:%d", dev_get_pf(dev->pf_func),
+		     dev_get_vf(dev->pf_func), info->hdr.id, mbox_id2name(info->hdr.id),
+		     dev_get_pf(info->hdr.pcifunc), dev_get_vf(info->hdr.pcifunc));
+
+	mcs = roc_idev_mcs_get(info->mcs_id);
+	if (!mcs)
+		goto exit;
+
+	if (info->intr_mask) {
+		switch (info->intr_mask) {
+		case MCS_CPM_RX_SECTAG_V_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_V_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SL_GTE48_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SL_GTE48;
+			break;
+		case MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		case MCS_CPM_RX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_RX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_SA_NOT_VALID_INT:
+			desc.type = ROC_MCS_EVENT_SA_NOT_VALID;
+			break;
+		case MCS_BBE_RX_DFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_DFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_DATA_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_BBE_RX_PLFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_PLFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_PAB_RX_CHAN_OVERFLOW_INT:
+		case MCS_PAB_TX_CHAN_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		default:
+			goto exit;
+		}
+
+		mcs_event_cb_process(mcs, &desc);
+	}
+
+exit:
+	rsp->hdr.rc = 0;
+	return 0;
+}
+
 static int
 mbox_up_handler_cgx_link_event(struct dev *dev, struct cgx_link_info_msg *msg,
 			       struct msg_rsp *rsp)
@@ -615,6 +700,7 @@ mbox_process_msgs_up(struct dev *dev, struct mbox_msghdr *req)
 		return err;                                                    \
 	}
 		MBOX_UP_CGX_MESSAGES
+		MBOX_UP_MCS_MESSAGES
 #undef M
 	}
 
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 3f3a6aadc8..d964ba9f9d 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -316,6 +316,7 @@ struct mbox_msghdr {
 	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
 	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
 	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
+	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -324,9 +325,11 @@ struct mbox_msghdr {
 	M(CGX_LINK_EVENT, 0xC00, cgx_link_event, cgx_link_info_msg, msg_rsp)   \
 	M(CGX_PTP_RX_INFO, 0xC01, cgx_ptp_rx_info, cgx_ptp_rx_info_msg, msg_rsp)
 
+#define MBOX_UP_MCS_MESSAGES M(MCS_INTR_NOTIFY, 0xE00, mcs_intr_notify, mcs_intr_info, msg_rsp)
+
 enum {
 #define M(_name, _id, _1, _2, _3) MBOX_MSG_##_name = _id,
-	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES
+	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES MBOX_UP_MCS_MESSAGES
 #undef M
 };
 
@@ -867,6 +870,38 @@ struct mcs_set_active_lmac {
 	uint64_t __io rsvd;
 };
 
+#define MCS_CPM_RX_SECTAG_V_EQ1_INT	     BIT_ULL(0)
+#define MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT    BIT_ULL(1)
+#define MCS_CPM_RX_SECTAG_SL_GTE48_INT	     BIT_ULL(2)
+#define MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT  BIT_ULL(3)
+#define MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define MCS_CPM_RX_PACKET_XPN_EQ0_INT	     BIT_ULL(5)
+#define MCS_CPM_RX_PN_THRESH_REACHED_INT     BIT_ULL(6)
+#define MCS_CPM_TX_PACKET_XPN_EQ0_INT	     BIT_ULL(7)
+#define MCS_CPM_TX_PN_THRESH_REACHED_INT     BIT_ULL(8)
+#define MCS_CPM_TX_SA_NOT_VALID_INT	     BIT_ULL(9)
+#define MCS_BBE_RX_DFIFO_OVERFLOW_INT	     BIT_ULL(10)
+#define MCS_BBE_RX_PLFIFO_OVERFLOW_INT	     BIT_ULL(11)
+#define MCS_BBE_TX_DFIFO_OVERFLOW_INT	     BIT_ULL(12)
+#define MCS_BBE_TX_PLFIFO_OVERFLOW_INT	     BIT_ULL(13)
+#define MCS_PAB_RX_CHAN_OVERFLOW_INT	     BIT_ULL(14)
+#define MCS_PAB_TX_CHAN_OVERFLOW_INT	     BIT_ULL(15)
+
+struct mcs_intr_cfg {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask; /* Interrupt enable mask */
+	uint8_t __io mcs_id;
+};
+
+struct mcs_intr_info {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask;
+	int __io sa_id;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_set_lmac_mode {
 	struct mbox_msghdr hdr;
 	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 38f1e9b2f7..e9090da575 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -5,6 +5,18 @@
 #include "roc_api.h"
 #include "roc_priv.h"
 
+struct mcs_event_cb {
+	TAILQ_ENTRY(mcs_event_cb) next;
+	enum roc_mcs_event_type event;
+	roc_mcs_dev_cb_fn cb_fn;
+	void *cb_arg;
+	void *ret_param;
+	uint32_t active;
+};
+TAILQ_HEAD(mcs_event_cb_list, mcs_event_cb);
+
+PLT_STATIC_ASSERT(ROC_MCS_MEM_SZ >= (sizeof(struct mcs_priv) + sizeof(struct mcs_event_cb_list)));
+
 int
 roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 {
@@ -109,6 +121,107 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
+{
+	struct mcs_intr_cfg *req;
+	struct msg_rsp *rsp;
+
+	if (config == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_intr_cfg(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->intr_mask = config->intr_mask;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb;
+
+	if (cb_fn == NULL || cb_arg == NULL || userdata == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	TAILQ_FOREACH (cb, cb_list, next) {
+		if (cb->cb_fn == cb_fn && cb->cb_arg == cb_arg && cb->event == event)
+			break;
+	}
+
+	if (cb == NULL) {
+		cb = plt_zmalloc(sizeof(struct mcs_event_cb), 0);
+		if (!cb)
+			return -ENOMEM;
+
+		cb->cb_fn = cb_fn;
+		cb->cb_arg = cb_arg;
+		cb->event = event;
+		mcs->userdata = userdata;
+		TAILQ_INSERT_TAIL(cb_list, cb, next);
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb, *next;
+
+	MCS_SUPPORT_CHECK;
+
+	for (cb = TAILQ_FIRST(cb_list); cb != NULL; cb = next) {
+		next = TAILQ_NEXT(cb, next);
+
+		if (cb->event != event)
+			continue;
+
+		if (cb->active == 0) {
+			TAILQ_REMOVE(cb_list, cb, next);
+			plt_free(cb);
+		} else {
+			return -EAGAIN;
+		}
+	}
+
+	return 0;
+}
+
+int
+mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb mcs_cb;
+	struct mcs_event_cb *cb;
+	int rc = 0;
+
+	TAILQ_FOREACH (cb, cb_list, next) {
+		if (cb->cb_fn == NULL || cb->event != desc->type)
+			continue;
+
+		mcs_cb = *cb;
+		cb->active = 1;
+		mcs_cb.ret_param = desc;
+
+		rc = mcs_cb.cb_fn(mcs->userdata, mcs_cb.ret_param, mcs_cb.cb_arg);
+		cb->active = 0;
+	}
+
+	return rc;
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
@@ -227,6 +340,7 @@ mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
 struct roc_mcs *
 roc_mcs_dev_init(uint8_t mcs_idx)
 {
+	struct mcs_event_cb_list *cb_list;
 	struct roc_mcs *mcs;
 	struct npa_lf *npa;
 
@@ -255,6 +369,9 @@ roc_mcs_dev_init(uint8_t mcs_idx)
 	if (mcs_alloc_rsrc_bmap(mcs))
 		goto exit;
 
+	cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	TAILQ_INIT(cb_list);
+
 	roc_idev_mcs_set(mcs);
 	mcs->refcount++;
 
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 3fbeee13fa..b2ca6ee51b 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -116,6 +116,34 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+#define ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT		 BIT_ULL(0)
+#define ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT	 BIT_ULL(1)
+#define ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT	 BIT_ULL(2)
+#define ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT	 BIT_ULL(3)
+#define ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT	 BIT_ULL(5)
+#define ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT	 BIT_ULL(6)
+#define ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT	 BIT_ULL(7)
+#define ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT	 BIT_ULL(8)
+#define ROC_MCS_CPM_TX_SA_NOT_VALID_INT		 BIT_ULL(9)
+#define ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT	 BIT_ULL(10)
+#define ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT	 BIT_ULL(11)
+#define ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT	 BIT_ULL(12)
+#define ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT	 BIT_ULL(13)
+#define ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT	 BIT_ULL(14)
+#define ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT	 BIT_ULL(15)
+
+struct roc_mcs_intr_cfg {
+	uint64_t intr_mask; /* Interrupt enable mask */
+};
+
+struct roc_mcs_intr_info {
+	uint64_t intr_mask;
+	int sa_id;
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_set_lmac_mode {
 	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
 	uint8_t lmac_id;
@@ -205,6 +233,113 @@ struct roc_mcs_clear_stats {
 	uint8_t all; /* All resources stats mapped to PF are cleared */
 };
 
+enum roc_mcs_event_subtype {
+	ROC_MCS_SUBEVENT_UNKNOWN,
+
+	/* subevents of ROC_MCS_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * ROC_MCS_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	ROC_MCS_EVENT_RX_SECTAG_V_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SL_GTE48,
+	ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+
+	/* subevents of ROC_MCS_EVENT_FIFO_OVERFLOW error event
+	 * ROC_MCS_EVENT_DATA_FIFO_OVERFLOW:
+	 *	Notifies data FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW
+	 *	Notifies policy FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+	 *	Notifies output FIFO overflow fatal error in PAB unit.
+	 */
+	ROC_MCS_EVENT_DATA_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+};
+
+enum roc_mcs_event_type {
+	ROC_MCS_EVENT_UNKNOWN,
+
+	/* Notifies BBE_INT_DFIFO/PLFIFO_OVERFLOW or PAB_INT_OVERFLOW
+	 * interrupts, it's a fatal error that causes packet corruption.
+	 */
+	ROC_MCS_EVENT_FIFO_OVERFLOW,
+
+	/* Notifies CPM_RX_SECTAG_X validation error interrupt */
+	ROC_MCS_EVENT_SECTAG_VAL_ERR,
+	/* Notifies CPM_RX_PACKET_XPN_EQ0 (SecTag.PN == 0 in ingress) interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_HARD_EXP,
+	/* Notifies CPM_RX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_PACKET_XPN_EQ0 (PN wrapped in egress) interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_HARD_EXP,
+	/* Notifies CPM_TX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_SA_NOT_VALID interrupt */
+	ROC_MCS_EVENT_SA_NOT_VALID,
+	/* Notifies recovery of software driven port reset */
+	ROC_MCS_EVENT_PORT_RESET_RECOVERY,
+};
+
+union roc_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, ROC driver resets below attributes of active
+	 * flow entities(sc & sa) and than resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  ROC driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct roc_mcs_event_desc {
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	union roc_mcs_event_data metadata;
+};
+
+/** User application callback to be registered for any notifications from driver. */
+typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -292,4 +427,13 @@ __roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_r
 /* Clear stats */
 __roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
 
+/* Register user callback routines */
+__roc_api int roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+					roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata);
+/* Unregister user callback routines */
+__roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event);
+
+/* Configure interrupts */
+__roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
index 9e0bbe4392..8da03f4295 100644
--- a/drivers/common/cnxk/roc_mcs_priv.h
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -62,4 +62,12 @@ roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
 	return (struct mcs_priv *)&roc_mcs->reserved[0];
 }
 
+static inline void *
+roc_mcs_to_mcs_cb_list(struct roc_mcs *roc_mcs)
+{
+	return (void *)((uintptr_t)roc_mcs->reserved + sizeof(struct mcs_priv));
+}
+
+int mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc);
+
 #endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index d8890e3538..d10dfcd84e 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,11 +139,14 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_event_cb_register;
+	roc_mcs_event_cb_unregister;
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_flowid_stats_get;
 	roc_mcs_hw_info_get;
+	roc_mcs_intr_configure;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
-- 
2.25.1

[PATCH v4 08/15] common/cnxk: add MACsec port configuration

[Akhil Goyal]

Added ROC APIs for MACsec port configurations

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  40 ++++
 drivers/common/cnxk/roc_mcs.c   | 346 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  48 +++++
 drivers/common/cnxk/version.map |   4 +
 4 files changed, 438 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index d964ba9f9d..d7c0385a8b 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -319,6 +319,9 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
+	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
+	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -919,6 +922,43 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_port_cfg_set_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_reset_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io reset;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_stats_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io id;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index e9090da575..e6e6197a49 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -76,6 +76,25 @@ roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lma
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+static int
+mcs_port_reset_set(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port, uint8_t reset)
+{
+	struct mcs_port_reset_req *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_port_reset(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->reset = reset;
+	req->lmac_id = port->port_id;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
 {
@@ -121,6 +140,64 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
+{
+	struct mcs_port_cfg_set_req *set_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	set_req = mbox_alloc_msg_mcs_port_cfg_set(mcs->mbox);
+	if (set_req == NULL)
+		return -ENOMEM;
+
+	set_req->cstm_tag_rel_mode_sel = req->cstm_tag_rel_mode_sel;
+	set_req->custom_hdr_enb = req->custom_hdr_enb;
+	set_req->fifo_skid = req->fifo_skid;
+	set_req->lmac_mode = req->port_mode;
+	set_req->lmac_id = req->port_id;
+	set_req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+		     struct roc_mcs_port_cfg_get_rsp *rsp)
+{
+	struct mcs_port_cfg_get_req *get_req;
+	struct mcs_port_cfg_get_rsp *get_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_port_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->lmac_id = req->port_id;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	rsp->cstm_tag_rel_mode_sel = get_rsp->cstm_tag_rel_mode_sel;
+	rsp->custom_hdr_enb = get_rsp->custom_hdr_enb;
+	rsp->fifo_skid = get_rsp->fifo_skid;
+	rsp->port_mode = get_rsp->lmac_mode;
+	rsp->port_id = get_rsp->lmac_id;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
@@ -142,6 +219,275 @@ roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata, uint8_t port_id)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct roc_mcs_pn_table_write_req pn_table = {0};
+	struct roc_mcs_rx_sc_sa_map rx_map = {0};
+	struct roc_mcs_tx_sc_sa_map tx_map = {0};
+	struct roc_mcs_port_reset_req port = {0};
+	struct roc_mcs_clear_stats stats = {0};
+	int tx_cnt = 0, rx_cnt = 0, rc = 0;
+	uint64_t set;
+	int i;
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 1);
+
+	/* Reset TX/RX PN tables */
+	for (i = 0; i < (priv->sa_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+		if (set) {
+			pn_table.pn_id = i;
+			pn_table.next_pn = 1;
+			pn_table.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				pn_table.dir = MCS_TX;
+				pn_table.pn_id -= priv->sa_entries;
+			}
+			rc = roc_mcs_pn_table_write(mcs, &pn_table);
+			if (rc)
+				return rc;
+
+			if (i >= priv->sa_entries)
+				tx_cnt++;
+			else
+				rx_cnt++;
+		}
+	}
+
+	if (tx_cnt || rx_cnt) {
+		mdata->tx_sa_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->rx_sa_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (rx_cnt && (mdata->rx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sa = tx_cnt;
+		mdata->num_rx_sa = rx_cnt;
+		for (i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				if (i >= priv->sa_entries)
+					mdata->tx_sa_array[--tx_cnt] = i - priv->sa_entries;
+				else
+					mdata->rx_sa_array[--rx_cnt] = i;
+			}
+		}
+	}
+	tx_cnt = 0;
+	rx_cnt = 0;
+
+	/* Reset Tx active SA to index:0 */
+	for (i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			uint16_t sc_id = i - priv->sc_entries;
+
+			tx_map.sa_index0 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx0;
+			tx_map.sa_index1 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx1;
+			tx_map.rekey_ena = priv->port_rsrc[port_id].sc_conf[sc_id].tx.rekey_enb;
+			tx_map.sectag_sci = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sci;
+			tx_map.sa_index0_vld = 1;
+			tx_map.sa_index1_vld = 0;
+			tx_map.tx_sa_active = 0;
+			tx_map.sc_id = sc_id;
+			rc = roc_mcs_tx_sc_sa_map_write(mcs, &tx_map);
+			if (rc)
+				return rc;
+
+			tx_cnt++;
+		}
+	}
+
+	if (tx_cnt) {
+		mdata->tx_sc_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sc_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sc = tx_cnt;
+		for (i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+			if (set)
+				mdata->tx_sc_array[--tx_cnt] = i - priv->sc_entries;
+		}
+	}
+
+	/* Clear SA_IN_USE for active ANs in RX CPM */
+	for (i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 0;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			rx_cnt++;
+		}
+	}
+
+	/* Reset flow(flow/secy/sc/sa) stats mapped to this PORT */
+	for (i = 0; i < (priv->tcam_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].tcam_bmap, i);
+		if (set) {
+			stats.type = MCS_FLOWID_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->tcam_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (i = 0; i < (priv->secy_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].secy_bmap, i);
+		if (set) {
+			stats.type = MCS_SECY_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->secy_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (i = 0; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			stats.type = MCS_SC_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->sc_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	if (roc_model_is_cn10kb_a0()) {
+		for (i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				stats.type = MCS_SA_STATS;
+				stats.id = i;
+				stats.dir = MCS_RX;
+				if (i >= priv->sa_entries) {
+					stats.dir = MCS_TX;
+					stats.id -= priv->sa_entries;
+				}
+				rc = roc_mcs_stats_clear(mcs, &stats);
+				if (rc)
+					return rc;
+			}
+		}
+	}
+	{
+		stats.type = MCS_PORT_STATS;
+		stats.id = port_id;
+		rc = roc_mcs_stats_clear(mcs, &stats);
+		if (rc)
+			return rc;
+	}
+
+	if (rx_cnt) {
+		mdata->rx_sc_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (mdata->rx_sc_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->sc_an_array = plt_zmalloc(rx_cnt * sizeof(uint8_t), 0);
+		if (mdata->sc_an_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_rx_sc = rx_cnt;
+	}
+
+	/* Reactivate in-use ANs for active SCs in RX CPM */
+	for (i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 1;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			mdata->rx_sc_array[--rx_cnt] = i;
+			mdata->sc_an_array[rx_cnt] = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+		}
+	}
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 0);
+
+	return rc;
+exit:
+	if (mdata->num_tx_sa)
+		plt_free(mdata->tx_sa_array);
+	if (mdata->num_rx_sa)
+		plt_free(mdata->rx_sa_array);
+	if (mdata->num_tx_sc)
+		plt_free(mdata->tx_sc_array);
+	if (mdata->num_rx_sc) {
+		plt_free(mdata->rx_sc_array);
+		plt_free(mdata->sc_an_array);
+	}
+	return rc;
+}
+
+int
+roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port)
+{
+	struct roc_mcs_event_desc desc = {0};
+	int rc;
+
+	/* Initiate port reset and software recovery */
+	rc = roc_mcs_port_recovery(mcs, &desc.metadata, port->port_id);
+	if (rc)
+		goto exit;
+
+	desc.type = ROC_MCS_EVENT_PORT_RESET_RECOVERY;
+	/* Notify the entity details to the application which are recovered */
+	mcs_event_cb_process(mcs, &desc);
+
+exit:
+	if (desc.metadata.num_tx_sa)
+		plt_free(desc.metadata.tx_sa_array);
+	if (desc.metadata.num_rx_sa)
+		plt_free(desc.metadata.rx_sa_array);
+	if (desc.metadata.num_tx_sc)
+		plt_free(desc.metadata.tx_sc_array);
+	if (desc.metadata.num_rx_sc) {
+		plt_free(desc.metadata.rx_sc_array);
+		plt_free(desc.metadata.sc_an_array);
+	}
+
+	return rc;
+}
+
 int
 roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
 			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index b2ca6ee51b..d06057726f 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,43 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_port_cfg_set_req {
+	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
+	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
+	 */
+	uint8_t cstm_tag_rel_mode_sel;
+	/* In ingress path, custom_hdr_enb = 1 when the port is expected to receive pkts
+	 * that have 8B custom header before DMAC
+	 */
+	uint8_t custom_hdr_enb;
+	/* Valid fifo skid values are 14,28,56 for 25G,50G,100G respectively
+	 * FIFOs need to be configured based on the port_mode, valid only for 105N
+	 */
+	uint8_t fifo_skid;
+	uint8_t port_mode; /* 2'b00 - 25G or less, 2'b01 - 50G, 2'b10 - 100G */
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_rsp {
+	uint8_t cstm_tag_rel_mode_sel;
+	uint8_t custom_hdr_enb;
+	uint8_t fifo_skid;
+	uint8_t port_mode;
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_reset_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_stats_req {
 	uint8_t id;
 	uint8_t dir;
@@ -367,6 +404,13 @@ __roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_ac
 __roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
 /* (X)PN threshold set */
 __roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
+/* Reset port */
+__roc_api int roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port);
+/* Get port config */
+__roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req);
+/* Set port config */
+__roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+				   struct roc_mcs_port_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -436,4 +480,8 @@ __roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_even
 /* Configure interrupts */
 __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
 
+/* Port recovery from fatal errors */
+__roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
+				    uint8_t port_id);
+
 #endif /* _ROC_MCS_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index d10dfcd84e..6c0defa27e 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -151,6 +151,10 @@ INTERNAL {
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_cfg_get;
+	roc_mcs_port_cfg_set;
+	roc_mcs_port_recovery;
+	roc_mcs_port_reset;
 	roc_mcs_port_stats_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
-- 
2.25.1

[PATCH v4 09/15] common/cnxk: add MACsec control port configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec control port.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  72 ++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c   | 117 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  65 ++++++++++++++++++
 drivers/common/cnxk/version.map |   4 ++
 4 files changed, 258 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index d7c0385a8b..446f49aeaf 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -319,9 +319,17 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_ALLOC_CTRL_PKT_RULE, 0xa015, mcs_alloc_ctrl_pkt_rule, mcs_alloc_ctrl_pkt_rule_req,   \
+	  mcs_alloc_ctrl_pkt_rule_rsp)                                                             \
+	M(MCS_FREE_CTRL_PKT_RULE, 0xa016, mcs_free_ctrl_pkt_rule, mcs_free_ctrl_pkt_rule_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_CTRL_PKT_RULE_WRITE, 0xa017, mcs_ctrl_pkt_rule_write, mcs_ctrl_pkt_rule_write_req,   \
+	  msg_rsp)                                                                                 \
 	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
 	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
+	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
+	  mcs_custom_tag_cfg_get_rsp)                                                              \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -922,6 +930,53 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+enum mcs_ctrl_pkt_rule_type {
+	MCS_CTRL_PKT_RULE_TYPE_ETH,
+	MCS_CTRL_PKT_RULE_TYPE_DA,
+	MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct mcs_alloc_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id; /* MCS block ID */
+	uint8_t __io dir;    /* Macsec ingress or egress side */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_ctrl_pkt_rule_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_free_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the rule resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_ctrl_pkt_rule_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data0;
+	uint64_t __io data1;
+	uint64_t __io data2;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_cfg_set_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io cstm_tag_rel_mode_sel;
@@ -951,6 +1006,23 @@ struct mcs_port_cfg_get_rsp {
 	uint64_t __io rsvd;
 };
 
+struct mcs_custom_tag_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_custom_tag_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint16_t __io cstm_etype[8];
+	uint8_t __io cstm_indx[8];
+	uint8_t __io cstm_etype_en;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_reset_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io reset;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index e6e6197a49..1e3235ad73 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -140,6 +140,88 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_ctrl_pkt_rule_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+			    struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp)
+{
+	struct mcs_alloc_ctrl_pkt_rule_req *rule_req;
+	struct mcs_alloc_ctrl_pkt_rule_rsp *rule_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_alloc_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rule_rsp);
+	if (rc)
+		return rc;
+
+	rsp->rule_type = rule_rsp->rule_type;
+	rsp->rule_idx = rule_rsp->rule_idx;
+	rsp->dir = rule_rsp->dir;
+
+	return 0;
+}
+
+int
+roc_mcs_ctrl_pkt_rule_free(struct roc_mcs *mcs, struct roc_mcs_free_ctrl_pkt_rule_req *req)
+{
+	struct mcs_free_ctrl_pkt_rule_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_free_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->all = req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs, struct roc_mcs_ctrl_pkt_rule_write_req *req)
+{
+	struct mcs_ctrl_pkt_rule_write_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_ctrl_pkt_rule_write(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->data0 = req->data0;
+	rule_req->data1 = req->data1;
+	rule_req->data2 = req->data2;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
 {
@@ -198,6 +280,41 @@ roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 	return 0;
 }
 
+int
+roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs, struct roc_mcs_custom_tag_cfg_get_req *req,
+			   struct roc_mcs_custom_tag_cfg_get_rsp *rsp)
+{
+	struct mcs_custom_tag_cfg_get_req *get_req;
+	struct mcs_custom_tag_cfg_get_rsp *get_rsp;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_custom_tag_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->dir = req->dir;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < 8; i++) {
+		rsp->cstm_etype[i] = get_rsp->cstm_etype[i];
+		rsp->cstm_indx[i] = get_rsp->cstm_indx[i];
+	}
+
+	rsp->cstm_etype_en = get_rsp->cstm_etype_en;
+	rsp->dir = get_rsp->dir;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index d06057726f..e8d6b070db 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,45 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+enum roc_mcs_ctrl_pkt_rule_type {
+	ROC_MCS_CTRL_PKT_RULE_TYPE_ETH,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_DA,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_req {
+	uint8_t rule_type;
+	uint8_t dir; /* Macsec ingress or egress side */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_rsp {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_free_ctrl_pkt_rule_req {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the rule resources */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_ctrl_pkt_rule_write_req {
+	uint64_t data0;
+	uint64_t data1;
+	uint64_t data2;
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_cfg_set_req {
 	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
 	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
@@ -195,6 +234,19 @@ struct roc_mcs_port_cfg_get_rsp {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_custom_tag_cfg_get_req {
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_custom_tag_cfg_get_rsp {
+	uint16_t cstm_etype[8]; /* EthType/TPID */
+	uint8_t cstm_indx[8];	/* Custom tag index used to identify the VLAN etype */
+	uint8_t cstm_etype_en;	/* bitmap of enabled custom tags */
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_reset_req {
 	uint8_t port_id;
 	uint64_t rsvd;
@@ -411,6 +463,10 @@ __roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_
 /* Set port config */
 __roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 				   struct roc_mcs_port_cfg_get_rsp *rsp);
+/* Get custom tag config */
+__roc_api int roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs,
+					 struct roc_mcs_custom_tag_cfg_get_req *req,
+					 struct roc_mcs_custom_tag_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -456,6 +512,15 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Control packet rule alloc, free and write */
+__roc_api int roc_mcs_ctrl_pkt_rule_alloc(struct roc_mcs *mcs,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp);
+__roc_api int roc_mcs_ctrl_pkt_rule_free(struct roc_mcs *mcs,
+					 struct roc_mcs_free_ctrl_pkt_rule_req *req);
+__roc_api int roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs,
+					  struct roc_mcs_ctrl_pkt_rule_write_req *req);
+
 /* Flow id stats get */
 __roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
 				       struct roc_mcs_flowid_stats *stats);
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 6c0defa27e..914d0d2caa 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -136,6 +136,10 @@ INTERNAL {
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
 	roc_mcs_active_lmac_set;
+	roc_mcs_ctrl_pkt_rule_alloc;
+	roc_mcs_ctrl_pkt_rule_free;
+	roc_mcs_ctrl_pkt_rule_write;
+	roc_mcs_custom_tag_cfg_get;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
-- 
2.25.1

[PATCH v4 10/15] common/cnxk: add MACsec FIPS mbox

[Akhil Goyal]

Added MACsec FIPS configuration mbox

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h | 74 ++++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h  | 69 +++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 446f49aeaf..2f85b2f755 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -330,6 +330,15 @@ struct mbox_msghdr {
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
 	  mcs_custom_tag_cfg_get_rsp)                                                              \
+	M(MCS_FIPS_RESET, 0xa040, mcs_fips_reset, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_MODE_SET, 0xa041, mcs_fips_mode_set, mcs_fips_mode_req, msg_rsp)                \
+	M(MCS_FIPS_CTL_SET, 0xa042, mcs_fips_ctl_set, mcs_fips_ctl_req, msg_rsp)                   \
+	M(MCS_FIPS_IV_SET, 0xa043, mcs_fips_iv_set, mcs_fips_iv_req, msg_rsp)                      \
+	M(MCS_FIPS_CTR_SET, 0xa044, mcs_fips_ctr_set, mcs_fips_ctr_req, msg_rsp)                   \
+	M(MCS_FIPS_KEY_SET, 0xa045, mcs_fips_key_set, mcs_fips_key_req, msg_rsp)                   \
+	M(MCS_FIPS_BLOCK_SET, 0xa046, mcs_fips_block_set, mcs_fips_block_req, msg_rsp)             \
+	M(MCS_FIPS_START, 0xa047, mcs_fips_start, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_RESULT_GET, 0xa048, mcs_fips_result_get, mcs_fips_req, mcs_fips_result_rsp)
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -1119,6 +1128,71 @@ struct mcs_clear_stats {
 	uint8_t __io all; /* All resources stats mapped to PF are cleared */
 };
 
+struct mcs_fips_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_mode_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io mode;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctl_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_iv_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io iv_bits95_64;
+	uint64_t __io iv_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctr_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io fips_ctr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_key_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sak_bits255_192;
+	uint64_t __io sak_bits191_128;
+	uint64_t __io sak_bits127_64;
+	uint64_t __io sak_bits63_0;
+	uint64_t __io hashkey_bits127_64;
+	uint64_t __io hashkey_bits63_0;
+	uint8_t __io sak_len;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_block_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_result_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint64_t __io icv_bits127_64;
+	uint64_t __io icv_bits63_0;
+	uint8_t __io result_pass;
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index e8d6b070db..5b1423ac8f 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -426,6 +426,56 @@ struct roc_mcs_event_desc {
 	union roc_mcs_event_data metadata;
 };
 
+struct roc_mcs_fips_req {
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_mode {
+	uint64_t mode;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctl {
+	uint64_t ctl;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_iv {
+	uint32_t iv_bits95_64;
+	uint64_t iv_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctr {
+	uint32_t fips_ctr;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_key {
+	uint64_t sak_bits255_192;
+	uint64_t sak_bits191_128;
+	uint64_t sak_bits127_64;
+	uint64_t sak_bits63_0;
+	uint64_t hashkey_bits127_64;
+	uint64_t hashkey_bits63_0;
+	uint8_t sak_len;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_block {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_result_rsp {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint64_t icv_bits127_64;
+	uint64_t icv_bits63_0;
+	uint8_t result_pass;
+};
+
 /** User application callback to be registered for any notifications from driver. */
 typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
 
@@ -549,4 +599,23 @@ __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cf
 __roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
 				    uint8_t port_id);
 
+/* FIPS reset */
+__roc_api int roc_mcs_fips_reset(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS mode set */
+__roc_api int roc_mcs_fips_mode_set(struct roc_mcs *mcs, struct roc_mcs_fips_mode *req);
+/* FIPS ctl set */
+__roc_api int roc_mcs_fips_ctl_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctl *req);
+/* FIPS iv set */
+__roc_api int roc_mcs_fips_iv_set(struct roc_mcs *mcs, struct roc_mcs_fips_iv *req);
+/* FIPS ctr set */
+__roc_api int roc_mcs_fips_ctr_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctr *req);
+/* FIPS key set */
+__roc_api int roc_mcs_fips_key_set(struct roc_mcs *mcs, struct roc_mcs_fips_key *req);
+/* FIPS block set */
+__roc_api int roc_mcs_fips_block_set(struct roc_mcs *mcs, struct roc_mcs_fips_block *req);
+/* FIPS start */
+__roc_api int roc_mcs_fips_start(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS result */
+__roc_api int roc_mcs_fips_result_get(struct roc_mcs *mcs, struct roc_mcs_fips_req *req,
+				      struct roc_mcs_fips_result_rsp *rsp);
 #endif /* _ROC_MCS_H_ */
-- 
2.25.1

[PATCH v4 11/15] common/cnxk: derive hash key for MACsec

[Akhil Goyal]

MACsec hardware configuration need hash key to be generated
from the cipher key of AES-GCM-128/256.
Added an ROC API to derive the hash key and extend the case
for AES-256 as well.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_aes.c   | 86 ++++++++++++++++++++++-----------
 drivers/common/cnxk/roc_aes.h   |  4 +-
 drivers/common/cnxk/version.map |  1 +
 3 files changed, 60 insertions(+), 31 deletions(-)

diff --git a/drivers/common/cnxk/roc_aes.c b/drivers/common/cnxk/roc_aes.c
index f821c8b710..d84feb546a 100644
--- a/drivers/common/cnxk/roc_aes.c
+++ b/drivers/common/cnxk/roc_aes.c
@@ -4,9 +4,10 @@
 
 #include "roc_api.h"
 
-#define KEY_WORD_LEN	 (ROC_CPT_AES_XCBC_KEY_LENGTH / sizeof(uint32_t))
-#define KEY_ROUNDS	 10			/* (Nr+1)*Nb */
-#define KEY_SCHEDULE_LEN ((KEY_ROUNDS + 1) * 4) /* (Nr+1)*Nb words */
+#define KEY128_ROUNDS		10		/* (Nr+1)*Nb */
+#define KEY256_ROUNDS		14		/* (Nr+1)*Nb */
+#define KEY_SCHEDULE_LEN(nr)	((nr + 1) * 4)	/* (Nr+1)*Nb words */
+#define AES_HASH_KEY_LEN	16
 
 /*
  * AES 128 implementation based on NIST FIPS 197 suitable for LittleEndian
@@ -93,22 +94,30 @@ GF8mul(uint8_t byte, uint32_t mp)
 }
 
 static void
-aes_key_expand(const uint8_t *key, uint32_t *ks)
+aes_key_expand(const uint8_t *key, uint32_t len, uint32_t *ks)
 {
-	unsigned int i = 4;
+	uint32_t len_words = len / sizeof(uint32_t);
+	unsigned int schedule_len;
+	unsigned int i = len_words;
 	uint32_t temp;
 
+	schedule_len = (len == ROC_CPT_AES128_KEY_LEN) ? KEY_SCHEDULE_LEN(KEY128_ROUNDS) :
+							 KEY_SCHEDULE_LEN(KEY256_ROUNDS);
 	/* Skip key in ks */
-	memcpy(ks, key, KEY_WORD_LEN * sizeof(uint32_t));
+	memcpy(ks, key, len);
 
-	while (i < KEY_SCHEDULE_LEN) {
+	while (i < schedule_len) {
 		temp = ks[i - 1];
-		if ((i & 0x3) == 0) {
+		if ((i & (len_words - 1)) == 0) {
 			temp = rot_word(temp);
 			temp = sub_word(temp);
-			temp ^= (uint32_t)GF8mul(1, 1 << ((i >> 2) - 1));
+			temp ^= (uint32_t)GF8mul(1, 1 << ((i / len_words) - 1));
 		}
-		ks[i] = ks[i - 4] ^ temp;
+		if (len == ROC_CPT_AES256_KEY_LEN) {
+			if ((i % len_words) == 4)
+				temp = sub_word(temp);
+		}
+		ks[i] = ks[i - len_words] ^ temp;
 		i++;
 	}
 }
@@ -145,64 +154,83 @@ mix_columns(uint8_t *sRc)
 }
 
 static void
-cipher(uint8_t *in, uint8_t *out, uint32_t *ks)
+cipher(uint8_t *in, uint8_t *out, uint32_t *ks, uint32_t key_rounds, uint8_t in_len)
 {
-	uint32_t state[KEY_WORD_LEN];
+	uint8_t data_word_len = in_len / sizeof(uint32_t);
+	uint32_t state[data_word_len];
 	unsigned int i, round;
 
 	memcpy(state, in, sizeof(state));
 
 	/* AddRoundKey(state, w[0, Nb-1]) // See Sec. 5.1.4 */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] ^= ks[i];
 
-	for (round = 1; round < KEY_ROUNDS; round++) {
+	for (round = 1; round < key_rounds; round++) {
 		/* SubBytes(state) // See Sec. 5.1.1 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			state[i] = sub_word(state[i]);
 
 		/* ShiftRows(state) // See Sec. 5.1.2 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			shift_word((uint8_t *)state, i, i);
 
 		/* MixColumns(state) // See Sec. 5.1.3 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			mix_columns((uint8_t *)&state[i]);
 
 		/* AddRoundKey(state, w[round*Nb, (round+1)*Nb-1]) */
-		for (i = 0; i < KEY_WORD_LEN; i++)
-			state[i] ^= ks[round * 4 + i];
+		for (i = 0; i < data_word_len; i++)
+			state[i] ^= ks[round * data_word_len + i];
 	}
 
 	/* SubBytes(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] = sub_word(state[i]);
 
 	/* ShiftRows(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		shift_word((uint8_t *)state, i, i);
 
 	/* AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
-		state[i] ^= ks[KEY_ROUNDS * 4 + i];
-	memcpy(out, state, KEY_WORD_LEN * sizeof(uint32_t));
+	for (i = 0; i < data_word_len; i++)
+		state[i] ^= ks[key_rounds * data_word_len + i];
+	memcpy(out, state, data_word_len * sizeof(uint32_t));
 }
 
 void
 roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key)
 {
-	uint32_t aes_ks[KEY_SCHEDULE_LEN] = {0};
+	uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
 	uint8_t k1[16] = {[0 ... 15] = 0x01};
 	uint8_t k2[16] = {[0 ... 15] = 0x02};
 	uint8_t k3[16] = {[0 ... 15] = 0x03};
 
-	aes_key_expand(auth_key, aes_ks);
+	aes_key_expand(auth_key, ROC_CPT_AES_XCBC_KEY_LENGTH, aes_ks);
 
-	cipher(k1, derived_key, aes_ks);
+	cipher(k1, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k1));
 	derived_key += sizeof(k1);
 
-	cipher(k2, derived_key, aes_ks);
+	cipher(k2, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k2));
 	derived_key += sizeof(k2);
 
-	cipher(k3, derived_key, aes_ks);
+	cipher(k3, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k3));
+}
+
+void
+roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t hash_key[])
+{
+	uint8_t data[AES_HASH_KEY_LEN] = {0x0};
+
+	if (len == ROC_CPT_AES128_KEY_LEN) {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES128_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY128_ROUNDS, sizeof(data));
+	} else {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY256_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES256_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY256_ROUNDS, sizeof(data));
+	}
 }
diff --git a/drivers/common/cnxk/roc_aes.h b/drivers/common/cnxk/roc_aes.h
index 954039139f..3b4b921bcd 100644
--- a/drivers/common/cnxk/roc_aes.h
+++ b/drivers/common/cnxk/roc_aes.h
@@ -8,7 +8,7 @@
 /*
  * Derive k1, k2, k3 from 128 bit AES key
  */
-void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key,
-				       uint8_t *derived_key);
+void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key);
+void __roc_api roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t *hash_key);
 
 #endif /* _ROC_AES_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 914d0d2caa..8c71497df8 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -30,6 +30,7 @@ INTERNAL {
 	roc_ae_ec_grp_put;
 	roc_ae_fpm_get;
 	roc_ae_fpm_put;
+	roc_aes_hash_key_derive;
 	roc_aes_xcbc_key_derive;
 	roc_bphy_cgx_cpri_mode_change;
 	roc_bphy_cgx_cpri_mode_misc;
-- 
2.25.1

[PATCH v4 12/15] net/cnxk: add MACsec initialization

[Akhil Goyal]

Added initialization routines for MACsec for
cn10kb platform.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   6 ++
 drivers/net/cnxk/cnxk_ethdev.c      |  13 +++
 drivers/net/cnxk/cnxk_ethdev.h      |  14 +++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 151 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  61 +++++++++++
 drivers/net/cnxk/meson.build        |   1 +
 6 files changed, 246 insertions(+)
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 5bc547051d..8dd2c8b7a5 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1090,9 +1090,15 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
+	cnxk_eth_sec_ops.macsec_sa_create = NULL;
+	cnxk_eth_sec_ops.macsec_sc_create = NULL;
+	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 916198d802..5368f0777d 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1961,6 +1961,16 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 	if (rc)
 		goto free_mac_addrs;
 
+	if (roc_feature_nix_has_macsec()) {
+		rc = cnxk_mcs_dev_init(dev, 0);
+		if (rc) {
+			plt_err("Failed to init MCS");
+			goto free_mac_addrs;
+		}
+		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
+		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+	}
+
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
 		    " rxoffload_capa=0x%" PRIx64 " txoffload_capa=0x%" PRIx64,
 		    eth_dev->data->port_id, roc_nix_get_pf(nix),
@@ -2058,6 +2068,9 @@ cnxk_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool reset)
 	}
 	eth_dev->data->nb_rx_queues = 0;
 
+	if (roc_feature_nix_has_macsec())
+		cnxk_mcs_dev_fini(dev);
+
 	/* Free security resources */
 	nix_security_release(dev);
 
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index e280d6c05e..d5bb06b823 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -395,6 +395,9 @@ struct cnxk_eth_dev {
 	/* Reassembly dynfield/flag offsets */
 	int reass_dynfield_off;
 	int reass_dynflag_bit;
+
+	/* MCS device */
+	struct cnxk_mcs_dev *mcs_dev;
 };
 
 struct cnxk_eth_rxq_sp {
@@ -623,6 +626,17 @@ int cnxk_nix_cman_config_set(struct rte_eth_dev *dev, const struct rte_eth_cman_
 
 int cnxk_nix_cman_config_get(struct rte_eth_dev *dev, struct rte_eth_cman_config *config);
 
+int cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx);
+void cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev);
+
+struct cnxk_macsec_sess *cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev,
+							  const struct rte_security_session *sess);
+int cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
+			     const struct rte_flow_item pattern[],
+			     const struct rte_flow_action actions[], struct rte_flow_error *error,
+			     void **mcs_flow);
+int cnxk_mcs_flow_destroy(struct cnxk_eth_dev *eth_dev, void *mcs_flow);
+
 /* Other private functions */
 int nix_recalc_mtu(struct rte_eth_dev *eth_dev);
 int nix_mtr_validate(struct rte_eth_dev *dev, uint32_t id);
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
new file mode 100644
index 0000000000..b0205f45c5
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
+#include <roc_mcs.h>
+
+static int
+cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
+{
+	struct rte_eth_event_macsec_desc d = {0};
+
+	d.metadata = (uint64_t)userdata;
+
+	switch (desc->type) {
+	case ROC_MCS_EVENT_SECTAG_VAL_ERR:
+		d.type = RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR;
+		switch (desc->subtype) {
+		case ROC_MCS_EVENT_RX_SECTAG_V_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SL_GTE48:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		default:
+			plt_err("Unknown MACsec sub event : %d", desc->subtype);
+		}
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP;
+		break;
+	default:
+		plt_err("Unknown MACsec event type: %d", desc->type);
+	}
+
+	rte_eth_dev_callback_process(cb_arg, RTE_ETH_EVENT_MACSEC, &d);
+
+	return 0;
+}
+
+void
+cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	int rc;
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	/* Cleanup MACsec dev */
+	roc_mcs_dev_fini(mcs_dev->mdev);
+
+	plt_free(mcs_dev);
+}
+
+int
+cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx)
+{
+	struct roc_mcs_intr_cfg intr_cfg = {0};
+	struct roc_mcs_hw_info hw_info = {0};
+	struct cnxk_mcs_dev *mcs_dev;
+	int rc;
+
+	rc = roc_mcs_hw_info_get(&hw_info);
+	if (rc) {
+		plt_err("MCS HW info get failed: rc: %d ", rc);
+		return rc;
+	}
+
+	mcs_dev = plt_zmalloc(sizeof(struct cnxk_mcs_dev), PLT_CACHE_LINE_SIZE);
+	if (!mcs_dev)
+		return -ENOMEM;
+
+	mcs_dev->idx = mcs_idx;
+	mcs_dev->mdev = roc_mcs_dev_init(mcs_dev->idx);
+	if (!mcs_dev->mdev) {
+		plt_free(mcs_dev);
+		return rc;
+	}
+	mcs_dev->port_id = dev->eth_dev->data->port_id;
+
+	intr_cfg.intr_mask =
+		ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT | ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT | ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT | ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_SA_NOT_VALID_INT |
+		ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT | ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT;
+
+	rc = roc_mcs_intr_configure(mcs_dev->mdev, &intr_cfg);
+	if (rc) {
+		plt_err("Failed to configure MCS interrupts: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	dev->mcs_dev = mcs_dev;
+
+	return 0;
+}
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
new file mode 100644
index 0000000000..762c299fb8
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -0,0 +1,61 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+
+#define CNXK_MACSEC_HASH_KEY 16
+
+struct cnxk_mcs_dev {
+	uint64_t default_sci;
+	void *mdev;
+	uint8_t port_id;
+	uint8_t idx;
+};
+
+struct cnxk_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, driver resets below attributes of active
+	 * flow entities(sc & sa) and then resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  UMD driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct cnxk_mcs_event_desc {
+	struct rte_eth_dev *eth_dev;
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	struct cnxk_mcs_event_data metadata;
+};
diff --git a/drivers/net/cnxk/meson.build b/drivers/net/cnxk/meson.build
index 394d3d01f4..4a77d02792 100644
--- a/drivers/net/cnxk/meson.build
+++ b/drivers/net/cnxk/meson.build
@@ -22,6 +22,7 @@ sources = files(
         'cnxk_ethdev.c',
         'cnxk_ethdev_cman.c',
         'cnxk_ethdev_devargs.c',
+        'cnxk_ethdev_mcs.c',
         'cnxk_ethdev_mtr.c',
         'cnxk_ethdev_ops.c',
         'cnxk_ethdev_sec.c',
-- 
2.25.1

[PATCH v4 13/15] net/cnxk: create/destroy MACsec SC/SA

[Akhil Goyal]

Added support to create/destroy MACsec SA and SC.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   9 +-
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 253 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  16 ++
 3 files changed, 274 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 8dd2c8b7a5..1db29a0b55 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -9,6 +9,7 @@
 #include <rte_pmd_cnxk.h>
 
 #include <cn10k_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
 #include <cnxk_security.h>
 #include <roc_priv.h>
 
@@ -1090,10 +1091,10 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
-	cnxk_eth_sec_ops.macsec_sa_create = NULL;
-	cnxk_eth_sec_ops.macsec_sc_create = NULL;
-	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
-	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sa_create = cnxk_eth_macsec_sa_create;
+	cnxk_eth_sec_ops.macsec_sc_create = cnxk_eth_macsec_sc_create;
+	cnxk_eth_sec_ops.macsec_sa_destroy = cnxk_eth_macsec_sa_destroy;
+	cnxk_eth_sec_ops.macsec_sc_destroy = cnxk_eth_macsec_sc_destroy;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index b0205f45c5..8eb21108cb 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -6,6 +6,259 @@
 #include <cnxk_ethdev_mcs.h>
 #include <roc_mcs.h>
 
+static int
+mcs_resource_alloc(struct cnxk_mcs_dev *mcs_dev, enum mcs_direction dir, uint8_t rsrc_id[],
+		   uint8_t rsrc_cnt, enum cnxk_mcs_rsrc_type type)
+{
+	struct roc_mcs_alloc_rsrc_req req = {0};
+	struct roc_mcs_alloc_rsrc_rsp rsp;
+	int i;
+
+	req.rsrc_type = type;
+	req.rsrc_cnt = rsrc_cnt;
+	req.dir = dir;
+
+	memset(&rsp, 0, sizeof(struct roc_mcs_alloc_rsrc_rsp));
+
+	if (roc_mcs_rsrc_alloc(mcs_dev->mdev, &req, &rsp)) {
+		plt_err("Cannot allocate mcs resource.");
+		return -1;
+	}
+
+	for (i = 0; i < rsrc_cnt; i++) {
+		switch (rsp.rsrc_type) {
+		case CNXK_MCS_RSRC_TYPE_FLOWID:
+			rsrc_id[i] = rsp.flow_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SECY:
+			rsrc_id[i] = rsp.secy_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SC:
+			rsrc_id[i] = rsp.sc_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SA:
+			rsrc_id[i] = rsp.sa_ids[i];
+			break;
+		default:
+			plt_err("Invalid mcs resource allocated.");
+			return -1;
+		}
+	}
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN] = {0};
+	struct roc_mcs_pn_table_write_req pn_req = {0};
+	uint8_t hash_key_rev[CNXK_MACSEC_HASH_KEY] = {0};
+	uint8_t hash_key[CNXK_MACSEC_HASH_KEY] = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_sa_plcy_write_req req;
+	uint8_t ciph_key[32] = {0};
+	enum mcs_direction dir;
+	uint8_t sa_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sa_id, 1, CNXK_MCS_RSRC_TYPE_SA);
+	if (ret) {
+		plt_err("Failed to allocate SA id.");
+		return -ENOMEM;
+	}
+	memset(&req, 0, sizeof(struct roc_mcs_sa_plcy_write_req));
+	req.sa_index[0] = sa_id;
+	req.sa_cnt = 1;
+	req.dir = dir;
+
+	if (conf->key.length != 16 && conf->key.length != 32)
+		return -EINVAL;
+
+	for (i = 0; i < conf->key.length; i++)
+		ciph_key[i] = conf->key.data[conf->key.length - 1 - i];
+
+	memcpy(&req.plcy[0][0], ciph_key, conf->key.length);
+
+	roc_aes_hash_key_derive(conf->key.data, conf->key.length, hash_key);
+	for (i = 0; i < CNXK_MACSEC_HASH_KEY; i++)
+		hash_key_rev[i] = hash_key[CNXK_MACSEC_HASH_KEY - 1 - i];
+
+	memcpy(&req.plcy[0][4], hash_key_rev, CNXK_MACSEC_HASH_KEY);
+
+	for (i = 0; i < RTE_SECURITY_MACSEC_SALT_LEN; i++)
+		salt[i] = conf->salt[RTE_SECURITY_MACSEC_SALT_LEN - 1 - i];
+	memcpy(&req.plcy[0][6], salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	req.plcy[0][7] |= (uint64_t)conf->ssci << 32;
+	req.plcy[0][8] = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? (conf->an & 0x3) : 0;
+
+	ret = roc_mcs_sa_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err("Failed to write SA policy.");
+		return -EINVAL;
+	}
+	pn_req.next_pn = ((uint64_t)conf->xpn << 32) | rte_be_to_cpu_32(conf->next_pn);
+	pn_req.pn_id = sa_id;
+	pn_req.dir = dir;
+
+	ret = roc_mcs_pn_table_write(mcs_dev->mdev, &pn_req);
+	if (ret) {
+		plt_err("Failed to write PN table.");
+		return -EINVAL;
+	}
+
+	return sa_id;
+}
+
+int
+cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SA;
+	stats_req.id = sa_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SA id %u, dir %u.", sa_id, dir);
+
+	req.rsrc_id = sa_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SA;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SA id %u, dir %u.", sa_id, dir);
+
+	return ret;
+}
+
+int
+cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_set_pn_threshold pn_thresh = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	enum mcs_direction dir;
+	uint8_t sc_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sc_id, 1, CNXK_MCS_RSRC_TYPE_SC);
+	if (ret) {
+		plt_err("Failed to allocate SC id.");
+		return -ENOMEM;
+	}
+
+	if (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		struct roc_mcs_tx_sc_sa_map req = {0};
+
+		req.sa_index0 = conf->sc_tx.sa_id & 0xFF;
+		req.sa_index1 = conf->sc_tx.sa_id_rekey & 0xFF;
+		req.rekey_ena = conf->sc_tx.re_key_en;
+		req.sa_index0_vld = conf->sc_tx.active;
+		req.sa_index1_vld = conf->sc_tx.re_key_en && conf->sc_tx.active;
+		req.tx_sa_active = 0;
+		req.sectag_sci = conf->sc_tx.sci;
+		req.sc_id = sc_id;
+
+		ret = roc_mcs_tx_sc_sa_map_write(mcs_dev->mdev, &req);
+		if (ret) {
+			plt_err("Failed to map TX SC-SA");
+			return -EINVAL;
+		}
+		pn_thresh.xpn = conf->sc_tx.is_xpn;
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			struct roc_mcs_rx_sc_sa_map req = {0};
+
+			req.sa_index = conf->sc_rx.sa_id[i] & 0x7F;
+			req.sc_id = sc_id;
+			req.an = i & 0x3;
+			req.sa_in_use = 0;
+			/* Clearing the sa_in_use bit automatically clears
+			 * the corresponding pn_thresh_reached bit
+			 */
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+			req.sa_in_use = conf->sc_rx.sa_in_use[i];
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+		}
+		pn_thresh.xpn = conf->sc_rx.is_xpn;
+	}
+
+	pn_thresh.threshold = conf->pn_threshold;
+	pn_thresh.dir = dir;
+
+	ret = roc_mcs_pn_threshold_set(mcs_dev->mdev, &pn_thresh);
+	if (ret) {
+		plt_err("Failed to write PN threshold.");
+		return -EINVAL;
+	}
+
+	return sc_id;
+}
+
+int
+cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SC;
+	stats_req.id = sc_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SC id %u, dir %u.", sc_id, dir);
+
+	req.rsrc_id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SC;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 762c299fb8..68c6493169 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -13,6 +13,14 @@ struct cnxk_mcs_dev {
 	uint8_t idx;
 };
 
+enum cnxk_mcs_rsrc_type {
+	CNXK_MCS_RSRC_TYPE_FLOWID,
+	CNXK_MCS_RSRC_TYPE_SECY,
+	CNXK_MCS_RSRC_TYPE_SC,
+	CNXK_MCS_RSRC_TYPE_SA,
+	CNXK_MCS_RSRC_TYPE_PORT,
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -59,3 +67,11 @@ struct cnxk_mcs_event_desc {
 	enum roc_mcs_event_subtype subtype;
 	struct cnxk_mcs_event_data metadata;
 };
+
+int cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf);
+int cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf);
+
+int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir);
+int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir);
-- 
2.25.1

[PATCH v4 14/15] net/cnxk: add MACsec session and flow configuration

[Akhil Goyal]

Added support for MACsec session/flow create/destroy.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |  11 +-
 drivers/net/cnxk/cn10k_flow.c       |  23 ++-
 drivers/net/cnxk/cnxk_ethdev.c      |   2 +
 drivers/net/cnxk/cnxk_ethdev.h      |  16 ++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 262 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  25 +++
 drivers/net/cnxk/cnxk_ethdev_sec.c  |   2 +-
 drivers/net/cnxk/cnxk_flow.c        |   5 +
 8 files changed, 342 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 1db29a0b55..f20e573338 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -642,7 +642,9 @@ cn10k_eth_sec_session_create(void *device,
 	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
 		return -ENOTSUP;
 
-	if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_MACSEC)
+		return cnxk_eth_macsec_session_create(dev, conf, sess);
+	else if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
 		return -ENOTSUP;
 
 	if (rte_security_dynfield_register() < 0)
@@ -887,13 +889,18 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	rte_spinlock_t *lock;
 	void *sa_dptr;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (!eth_sec)
+	if (!eth_sec) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_destroy(dev, sess);
 		return -ENOENT;
+	}
 
 	lock = eth_sec->inb ? &dev->inb.lock : &dev->outb.lock;
 	rte_spinlock_lock(lock);
diff --git a/drivers/net/cnxk/cn10k_flow.c b/drivers/net/cnxk/cn10k_flow.c
index d7a3442c5f..db5e427362 100644
--- a/drivers/net/cnxk/cn10k_flow.c
+++ b/drivers/net/cnxk/cn10k_flow.c
@@ -1,10 +1,11 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  * Copyright(C) 2020 Marvell.
  */
-#include <cnxk_flow.h>
 #include "cn10k_flow.h"
 #include "cn10k_ethdev.h"
 #include "cn10k_rx.h"
+#include "cnxk_ethdev_mcs.h"
+#include <cnxk_flow.h>
 
 static int
 cn10k_mtr_connect(struct rte_eth_dev *eth_dev, uint32_t mtr_id)
@@ -133,6 +134,7 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 	const struct rte_flow_action *act_q = NULL;
 	struct roc_npc *npc = &dev->npc;
 	struct roc_npc_flow *flow;
+	void *mcs_flow = NULL;
 	int vtag_actions = 0;
 	uint32_t req_act = 0;
 	int mark_actions;
@@ -187,6 +189,17 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 		}
 	}
 
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL) {
+		rc = cnxk_mcs_flow_configure(eth_dev, attr, pattern, actions, error, &mcs_flow);
+		if (rc) {
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_ACTION, NULL,
+					   "Failed to configure mcs flow");
+			return NULL;
+		}
+		return (struct rte_flow *)mcs_flow;
+	}
+
 	flow = cnxk_flow_create(eth_dev, attr, pattern, actions, error);
 	if (!flow) {
 		if (mtr)
@@ -265,6 +278,14 @@ cn10k_flow_destroy(struct rte_eth_dev *eth_dev, struct rte_flow *rte_flow,
 		}
 	}
 
+	if (cnxk_eth_macsec_sess_get_by_sess(dev, (void *)flow) != NULL) {
+		rc = cnxk_mcs_flow_destroy(dev, (void *)flow);
+		if (rc < 0)
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+					NULL, "Failed to free mcs flow");
+		return rc;
+	}
+
 	mtr_id = flow->mtr_id;
 	rc = cnxk_flow_destroy(eth_dev, flow, error);
 	if (!rc && mtr_id != ROC_NIX_MTR_ID_INVALID) {
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 5368f0777d..4b98faa729 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1969,6 +1969,8 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 		}
 		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
 		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+
+		TAILQ_INIT(&dev->mcs_list);
 	}
 
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index d5bb06b823..45dc72b609 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -292,6 +292,21 @@ struct cnxk_eth_dev_sec_outb {
 	uint64_t cpt_eng_caps;
 };
 
+/* MACsec session private data */
+struct cnxk_macsec_sess {
+	/* List entry */
+	TAILQ_ENTRY(cnxk_macsec_sess) entry;
+
+	/* Back pointer to session */
+	struct rte_security_session *sess;
+	enum mcs_direction dir;
+	uint64_t sci;
+	uint8_t secy_id;
+	uint8_t sc_id;
+	uint8_t flow_id;
+};
+TAILQ_HEAD(cnxk_macsec_sess_list, cnxk_macsec_sess);
+
 struct cnxk_eth_dev {
 	/* ROC NIX */
 	struct roc_nix nix;
@@ -398,6 +413,7 @@ struct cnxk_eth_dev {
 
 	/* MCS device */
 	struct cnxk_mcs_dev *mcs_dev;
+	struct cnxk_macsec_sess_list mcs_list;
 };
 
 struct cnxk_eth_rxq_sp {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index 8eb21108cb..87bfcb8b4e 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -259,6 +259,268 @@ cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macse
 	return ret;
 }
 
+struct cnxk_macsec_sess *
+cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev, const struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess = NULL;
+
+	TAILQ_FOREACH(macsec_sess, &dev->mcs_list, entry) {
+		if (macsec_sess->sess == sess)
+			return macsec_sess;
+	}
+
+	return NULL;
+}
+
+int
+cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+			       struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess_priv = SECURITY_GET_SESS_PRIV(sess);
+	struct rte_security_macsec_xform *xform = &conf->macsec;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_secy_plcy_write_req req;
+	enum mcs_direction dir;
+	uint8_t secy_id = 0;
+	uint8_t sectag_tci = 0;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &secy_id, 1, CNXK_MCS_RSRC_TYPE_SECY);
+	if (ret) {
+		plt_err("Failed to allocate SECY id.");
+		return -ENOMEM;
+	}
+
+	req.secy_id = secy_id;
+	req.dir = dir;
+	req.plcy = 0L;
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sectag_tci = ((uint8_t)xform->tx_secy.sectag_version << 5) |
+			     ((uint8_t)xform->tx_secy.end_station << 4) |
+			     ((uint8_t)xform->tx_secy.send_sci << 3) |
+			     ((uint8_t)xform->tx_secy.scb << 2) |
+			     ((uint8_t)xform->tx_secy.encrypt << 1) |
+			     (uint8_t)xform->tx_secy.encrypt;
+		req.plcy = (((uint64_t)xform->tx_secy.mtu & 0xFFFF) << 28) |
+			   (((uint64_t)sectag_tci & 0x3F) << 22) |
+			   (((uint64_t)xform->tx_secy.sectag_off & 0x7F) << 15) |
+			   ((uint64_t)xform->tx_secy.sectag_insert_mode << 14) |
+			   ((uint64_t)xform->tx_secy.icv_include_da_sa << 13) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 6) |
+			   ((uint64_t)xform->alg << 2) |
+			   ((uint64_t)xform->tx_secy.protect_frames << 1) |
+			   (uint64_t)xform->tx_secy.ctrl_port_enable;
+	} else {
+		req.plcy = ((uint64_t)xform->rx_secy.replay_win_sz << 18) |
+			   ((uint64_t)xform->rx_secy.replay_protect << 17) |
+			   ((uint64_t)xform->rx_secy.icv_include_da_sa << 16) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 9) |
+			   ((uint64_t)xform->alg << 5) |
+			   ((uint64_t)xform->rx_secy.preserve_sectag << 4) |
+			   ((uint64_t)xform->rx_secy.preserve_icv << 3) |
+			   ((uint64_t)xform->rx_secy.validate_frames << 1) |
+			   (uint64_t)xform->rx_secy.ctrl_port_enable;
+	}
+
+	ret = roc_mcs_secy_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err(" Failed to configure Tx SECY");
+		return -EINVAL;
+	}
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_RX) {
+		struct roc_mcs_rx_sc_cam_write_req rx_sc_cam = {0};
+
+		rx_sc_cam.sci = xform->sci;
+		rx_sc_cam.secy_id = secy_id & 0x3F;
+		rx_sc_cam.sc_id = xform->sc_id;
+		ret = roc_mcs_rx_sc_cam_write(mcs_dev->mdev, &rx_sc_cam);
+		if (ret) {
+			plt_err(" Failed to write rx_sc_cam");
+			return -EINVAL;
+		}
+	}
+	macsec_sess_priv->sci = xform->sci;
+	macsec_sess_priv->sc_id = xform->sc_id;
+	macsec_sess_priv->secy_id = secy_id;
+	macsec_sess_priv->dir = dir;
+	macsec_sess_priv->sess = sess;
+
+	TAILQ_INSERT_TAIL(&dev->mcs_list, macsec_sess_priv, entry);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	struct cnxk_macsec_sess *s;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	s = SECURITY_GET_SESS_PRIV(sess);
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SECY;
+	stats_req.id = s->secy_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SECY id %u, dir %u.", s->secy_id, s->dir);
+
+	req.rsrc_id = s->secy_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SECY;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	TAILQ_REMOVE(&dev->mcs_list, s, entry);
+
+	return ret;
+}
+
+int
+cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr __rte_unused,
+			 const struct rte_flow_item pattern[],
+			 const struct rte_flow_action actions[],
+			 struct rte_flow_error *error __rte_unused, void **mcs_flow)
+{
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	const struct rte_flow_item_eth *eth_item = NULL;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_flowid_entry_write_req req;
+	struct cnxk_mcs_flow_opts opts = {0};
+	struct cnxk_macsec_sess *sess;
+	struct rte_ether_addr src;
+	struct rte_ether_addr dst;
+	int ret;
+	int i = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	sess = cnxk_eth_macsec_sess_get_by_sess(dev,
+			(const struct rte_security_session *)actions->conf);
+	if (sess == NULL)
+		return -EINVAL;
+
+	ret = mcs_resource_alloc(mcs_dev, sess->dir, &sess->flow_id, 1,
+				 CNXK_MCS_RSRC_TYPE_FLOWID);
+	if (ret) {
+		plt_err("Failed to allocate FLow id.");
+		return -ENOMEM;
+	}
+	memset(&req, 0, sizeof(struct roc_mcs_flowid_entry_write_req));
+	req.sci = sess->sci;
+	req.flow_id = sess->flow_id;
+	req.secy_id = sess->secy_id;
+	req.sc_id = sess->sc_id;
+	req.ena = 1;
+	req.ctr_pkt = 0;
+	req.dir = sess->dir;
+
+	while (pattern[i].type != RTE_FLOW_ITEM_TYPE_END) {
+		if (pattern[i].type == RTE_FLOW_ITEM_TYPE_ETH)
+			eth_item = pattern[i].spec;
+		else
+			plt_err("Unhandled flow item : %d", pattern[i].type);
+		i++;
+	}
+	if (eth_item) {
+		dst = eth_item->hdr.dst_addr;
+		src = eth_item->hdr.src_addr;
+
+		/* Find ways to fill opts */
+
+		req.data[0] =
+			(uint64_t)dst.addr_bytes[0] << 40 | (uint64_t)dst.addr_bytes[1] << 32 |
+			(uint64_t)dst.addr_bytes[2] << 24 | (uint64_t)dst.addr_bytes[3] << 16 |
+			(uint64_t)dst.addr_bytes[4] << 8 | (uint64_t)dst.addr_bytes[5] |
+			(uint64_t)src.addr_bytes[5] << 48 | (uint64_t)src.addr_bytes[4] << 56;
+		req.data[1] = (uint64_t)src.addr_bytes[3] | (uint64_t)src.addr_bytes[2] << 8 |
+			      (uint64_t)src.addr_bytes[1] << 16 |
+			      (uint64_t)src.addr_bytes[0] << 24 |
+			      (uint64_t)eth_item->hdr.ether_type << 32 |
+			      ((uint64_t)opts.outer_tag_id & 0xFFFF) << 48;
+		req.data[2] = ((uint64_t)opts.outer_tag_id & 0xF0000) |
+			      ((uint64_t)opts.outer_priority & 0xF) << 4 |
+			      ((uint64_t)opts.second_outer_tag_id & 0xFFFFF) << 8 |
+			      ((uint64_t)opts.second_outer_priority & 0xF) << 28 |
+			      ((uint64_t)opts.bonus_data << 32) |
+			      ((uint64_t)opts.tag_match_bitmap << 48) |
+			      ((uint64_t)opts.packet_type & 0xF) << 56 |
+			      ((uint64_t)opts.outer_vlan_type & 0x7) << 60 |
+			      ((uint64_t)opts.inner_vlan_type & 0x1) << 63;
+		req.data[3] = ((uint64_t)opts.inner_vlan_type & 0x6) >> 1 |
+			      ((uint64_t)opts.num_tags & 0x7F) << 2 |
+			      ((uint64_t)opts.flowid_user & 0x1F) << 9 |
+			      ((uint64_t)opts.express & 1) << 14 |
+			      ((uint64_t)opts.lmac_id & 0x1F) << 15;
+
+		req.mask[0] = 0x0;
+		req.mask[1] = 0xFFFFFFFF00000000;
+		req.mask[2] = 0xFFFFFFFFFFFFFFFF;
+		req.mask[3] = 0xFFFFFFFFFFFFFFFF;
+
+		ret = roc_mcs_flowid_entry_write(mcs_dev->mdev, &req);
+		if (ret)
+			return ret;
+		*mcs_flow = (void *)(uintptr_t)actions->conf;
+	} else {
+		plt_err("Flow not confirured");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+int
+cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
+{
+	const struct cnxk_macsec_sess *s = cnxk_eth_macsec_sess_get_by_sess(dev, flow);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	if (s == NULL)
+		return 0;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_FLOWID;
+	stats_req.id = s->flow_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for Flow id %u, dir %u.", s->flow_id, s->dir);
+
+	req.rsrc_id = s->flow_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_FLOWID;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free flow_id: %d.", s->flow_id);
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 68c6493169..2b1a6f2c90 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -21,6 +21,27 @@ enum cnxk_mcs_rsrc_type {
 	CNXK_MCS_RSRC_TYPE_PORT,
 };
 
+struct cnxk_mcs_flow_opts {
+	uint32_t outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS.*/
+	uint32_t second_outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t second_outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS. */
+	uint16_t bonus_data;
+	/**< 2 bytes of additional bonus data extracted from one of the custom tags*/
+	uint8_t tag_match_bitmap;
+	uint8_t packet_type;
+	uint8_t outer_vlan_type;
+	uint8_t inner_vlan_type;
+	uint8_t num_tags;
+	bool express;
+	uint8_t lmac_id;
+	uint8_t flowid_user;
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -75,3 +96,7 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 			       enum rte_security_macsec_direction dir);
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
+
+int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+				   struct rte_security_session *sess);
+int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index a66d58ca61..dc17c128de 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -284,7 +284,7 @@ cnxk_eth_sec_sess_get_by_sess(struct cnxk_eth_dev *dev,
 static unsigned int
 cnxk_eth_sec_session_get_size(void *device __rte_unused)
 {
-	return sizeof(struct cnxk_eth_sec_sess);
+	return RTE_MAX(sizeof(struct cnxk_macsec_sess), sizeof(struct cnxk_eth_sec_sess));
 }
 
 struct rte_security_ops cnxk_eth_sec_ops = {
diff --git a/drivers/net/cnxk/cnxk_flow.c b/drivers/net/cnxk/cnxk_flow.c
index d9d9478ade..1b88542dcb 100644
--- a/drivers/net/cnxk/cnxk_flow.c
+++ b/drivers/net/cnxk/cnxk_flow.c
@@ -289,6 +289,11 @@ cnxk_flow_validate(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr
 	uint16_t dst_pf_func = 0;
 	int rc;
 
+	/* Skip flow validation for MACsec. */
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL)
+		return 0;
+
 	memset(&flow, 0, sizeof(flow));
 	flow.is_validate = true;
 
-- 
2.25.1

[PATCH v4 15/15] net/cnxk: add MACsec stats

[Akhil Goyal]

Added support for MACsec SC/flow/session stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/guides/rel_notes/release_23_07.rst |  5 ++
 drivers/net/cnxk/cn10k_ethdev_sec.c    | 11 +++--
 drivers/net/cnxk/cnxk_ethdev_mcs.c     | 64 ++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h     |  9 ++++
 4 files changed, 86 insertions(+), 3 deletions(-)

diff --git a/doc/guides/rel_notes/release_23_07.rst b/doc/guides/rel_notes/release_23_07.rst
index 915c37529a..f126be1435 100644
--- a/doc/guides/rel_notes/release_23_07.rst
+++ b/doc/guides/rel_notes/release_23_07.rst
@@ -139,6 +139,11 @@ New Features
   for new capability registers, large passthrough BAR and some
   performance enhancements for UPT.
 
+* **Updated Marvell cnxk ethdev driver.**
+
+  Added support for Inline MACsec processing using rte_security framework
+  for CN103 platform.
+
 * **Added new algorithms to cryptodev.**
 
   * Added asymmetric algorithm ShangMi 2 (SM2) along with prime field curve support.
diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index f20e573338..b98fc9378e 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1058,12 +1058,17 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	int rc;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (eth_sec == NULL)
+	if (eth_sec == NULL) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_stats_get(dev, macsec_sess, stats);
 		return -EINVAL;
+	}
 
 	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
 			    ROC_NIX_INL_SA_OP_FLUSH);
@@ -1107,6 +1112,6 @@ cn10k_eth_sec_ops_override(void)
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
-	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
-	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = cnxk_eth_macsec_sc_stats_get;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = cnxk_eth_macsec_sa_stats_get;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index 87bfcb8b4e..5264774394 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -521,6 +521,70 @@ cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
 	return ret;
 }
 
+int
+cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sa_id);
+	RTE_SET_USED(dir);
+	RTE_SET_USED(stats);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sc_stats *stats)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? MCS_RX : MCS_TX;
+
+	return roc_mcs_sc_stats_get(mcs_dev->mdev, &req, (struct roc_mcs_sc_stats *)stats);
+}
+
+int
+cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				  struct rte_security_stats *stats)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_flowid_stats flow_stats = {0};
+	struct roc_mcs_port_stats port_stats = {0};
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sess->flow_id;
+	req.dir = sess->dir;
+	roc_mcs_flowid_stats_get(mcs_dev->mdev, &req, &flow_stats);
+	plt_nix_dbg("\n******* FLOW_ID IDX[%u] STATS dir: %u********\n", sess->flow_id, sess->dir);
+	plt_nix_dbg("TX: tcam_hit_cnt: 0x%" PRIx64 "\n", flow_stats.tcam_hit_cnt);
+
+	req.id = mcs_dev->port_id;
+	req.dir = sess->dir;
+	roc_mcs_port_stats_get(mcs_dev->mdev, &req, &port_stats);
+	plt_nix_dbg("\n********** PORT[0] STATS ****************\n");
+	plt_nix_dbg("RX tcam_miss_cnt: 0x%" PRIx64 "\n", port_stats.tcam_miss_cnt);
+	plt_nix_dbg("RX parser_err_cnt: 0x%" PRIx64 "\n", port_stats.parser_err_cnt);
+	plt_nix_dbg("RX preempt_err_cnt: 0x%" PRIx64 "\n", port_stats.preempt_err_cnt);
+	plt_nix_dbg("RX sectag_insert_err_cnt: 0x%" PRIx64 "\n", port_stats.sectag_insert_err_cnt);
+
+	req.id = sess->secy_id;
+	req.dir = sess->dir;
+
+	return roc_mcs_secy_stats_get(mcs_dev->mdev, &req,
+				      (struct roc_mcs_secy_stats *)(&stats->macsec));
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 2b1a6f2c90..4a59dd3df9 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -97,6 +97,15 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
 
+int cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sa_stats *stats);
+int cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sc_stats *stats);
+int cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				      struct rte_security_stats *stats);
+
 int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
 				   struct rte_security_session *sess);
 int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
-- 
2.25.1

Re: [PATCH v4 15/15] net/cnxk: add MACsec stats

[Jerin Jacob]

On Tue, Jun 13, 2023 at 3:52 PM Akhil Goyal <gakhil@marvell.com> wrote:
>
> Added support for MACsec SC/flow/session stats.
>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
>  doc/guides/rel_notes/release_23_07.rst |  5 ++
>  drivers/net/cnxk/cn10k_ethdev_sec.c    | 11 +++--
>  drivers/net/cnxk/cnxk_ethdev_mcs.c     | 64 ++++++++++++++++++++++++++
>  drivers/net/cnxk/cnxk_ethdev_mcs.h     |  9 ++++
>  4 files changed, 86 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guides/rel_notes/release_23_07.rst b/doc/guides/rel_notes/release_23_07.rst
> index 915c37529a..f126be1435 100644
> --- a/doc/guides/rel_notes/release_23_07.rst
> +++ b/doc/guides/rel_notes/release_23_07.rst
> @@ -139,6 +139,11 @@ New Features
>    for new capability registers, large passthrough BAR and some
>    performance enhancements for UPT.
>
> +* **Updated Marvell cnxk ethdev driver.**

1) Please rebase with dpdk-next-mrvl where this line already exists
2) Change the copyright year to 2023 for new files
3) Fix the following warnings

### [PATCH] common/cnxk: add MACsec interrupt APIs

WARNING:SPACING: space prohibited between function name and open parenthesis '('
#240: FILE: drivers/common/cnxk/roc_mcs.c:157:
+       TAILQ_FOREACH (cb, cb_list, next) {

WARNING:SPACING: space prohibited between function name and open parenthesis '('
#293: FILE: drivers/common/cnxk/roc_mcs.c:210:
+       TAILQ_FOREACH (cb, cb_list, next) {

total: 0 errors, 2 warnings, 482 lines checked

Good to merge the next version.

[PATCH v5 00/15] net/cnxk: add MACsec support

[Akhil Goyal]

Added MACsec support in Marvell cnxk PMD.
The patchset is pending from last release [1]
Sending as a new series as the functionality is now
complete and tested on hardware.

[1] https://patches.dpdk.org/project/dpdk/cover/20220928124516.93050-1-gakhil@marvell.com/

Changes in v5:
- fix copyright year
- fix release notes
- fix checkpatch warning

Changes in v4:
Fix build with RHEL/CentOS

Changes in v3:
- rebased
- fixed warning PRI*64
- added release notes

Changes in v2:
- Addressed review comments from Jerin.



Akhil Goyal (15):
  common/cnxk: add ROC MACsec initialization
  common/cnxk: add MACsec SA configuration
  common/cnxk: add MACsec SC configuration APIs
  common/cnxk: add MACsec secy and flow configuration
  common/cnxk: add MACsec PN and LMAC mode configuration
  common/cnxk: add MACsec stats
  common/cnxk: add MACsec interrupt APIs
  common/cnxk: add MACsec port configuration
  common/cnxk: add MACsec control port configuration
  common/cnxk: add MACsec FIPS mbox
  common/cnxk: derive hash key for MACsec
  net/cnxk: add MACsec initialization
  net/cnxk: create/destroy MACsec SC/SA
  net/cnxk: add MACsec session and flow configuration
  net/cnxk: add MACsec stats

 doc/guides/rel_notes/release_23_07.rst |  10 +-
 drivers/common/cnxk/meson.build        |   3 +
 drivers/common/cnxk/roc_aes.c          |  86 ++-
 drivers/common/cnxk/roc_aes.h          |   4 +-
 drivers/common/cnxk/roc_api.h          |   3 +
 drivers/common/cnxk/roc_dev.c          |  86 +++
 drivers/common/cnxk/roc_features.h     |  12 +
 drivers/common/cnxk/roc_idev.c         |  46 ++
 drivers/common/cnxk/roc_idev.h         |   3 +
 drivers/common/cnxk/roc_idev_priv.h    |   1 +
 drivers/common/cnxk/roc_mbox.h         | 524 ++++++++++++++-
 drivers/common/cnxk/roc_mcs.c          | 871 +++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h          | 624 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h     |  73 +++
 drivers/common/cnxk/roc_mcs_sec_cfg.c  | 528 +++++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c    | 193 ++++++
 drivers/common/cnxk/roc_priv.h         |   3 +
 drivers/common/cnxk/roc_utils.c        |   5 +
 drivers/common/cnxk/version.map        |  45 ++
 drivers/net/cnxk/cn10k_ethdev_sec.c    |  25 +-
 drivers/net/cnxk/cn10k_flow.c          |  23 +-
 drivers/net/cnxk/cnxk_ethdev.c         |  15 +
 drivers/net/cnxk/cnxk_ethdev.h         |  30 +
 drivers/net/cnxk/cnxk_ethdev_mcs.c     | 730 +++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h     | 116 ++++
 drivers/net/cnxk/cnxk_ethdev_sec.c     |   2 +-
 drivers/net/cnxk/cnxk_flow.c           |   5 +
 drivers/net/cnxk/meson.build           |   1 +
 28 files changed, 4025 insertions(+), 42 deletions(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

-- 
2.25.1

[PATCH v5 01/15] common/cnxk: add ROC MACsec initialization

[Akhil Goyal]

Added ROC init and fini APIs for supporting MACsec.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_api.h       |   3 +
 drivers/common/cnxk/roc_features.h  |  12 ++
 drivers/common/cnxk/roc_idev.c      |  46 ++++++
 drivers/common/cnxk/roc_idev.h      |   3 +
 drivers/common/cnxk/roc_idev_priv.h |   1 +
 drivers/common/cnxk/roc_mbox.h      |  65 +++++++-
 drivers/common/cnxk/roc_mcs.c       | 220 ++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  42 ++++++
 drivers/common/cnxk/roc_mcs_priv.h  |  65 ++++++++
 drivers/common/cnxk/roc_priv.h      |   3 +
 drivers/common/cnxk/roc_utils.c     |   5 +
 drivers/common/cnxk/version.map     |   7 +
 13 files changed, 472 insertions(+), 1 deletion(-)
 create mode 100644 drivers/common/cnxk/roc_mcs.c
 create mode 100644 drivers/common/cnxk/roc_mcs.h
 create mode 100644 drivers/common/cnxk/roc_mcs_priv.h

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 631b594f32..e33c002676 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -26,6 +26,7 @@ sources = files(
         'roc_irq.c',
         'roc_ie_ot.c',
         'roc_mbox.c',
+        'roc_mcs.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_api.h b/drivers/common/cnxk/roc_api.h
index bbc94ab48e..f630853088 100644
--- a/drivers/common/cnxk/roc_api.h
+++ b/drivers/common/cnxk/roc_api.h
@@ -114,4 +114,7 @@
 /* ML */
 #include "roc_ml.h"
 
+/* MACsec */
+#include "roc_mcs.h"
+
 #endif /* _ROC_API_H_ */
diff --git a/drivers/common/cnxk/roc_features.h b/drivers/common/cnxk/roc_features.h
index 36ef315f5a..815f800e7a 100644
--- a/drivers/common/cnxk/roc_features.h
+++ b/drivers/common/cnxk/roc_features.h
@@ -59,4 +59,16 @@ roc_feature_nix_has_age_drop_stats(void)
 {
 	return (roc_model_is_cn10kb() || roc_model_is_cn10ka_b0());
 }
+
+static inline bool
+roc_feature_nix_has_macsec(void)
+{
+	return roc_model_is_cn10kb();
+}
+
+static inline bool
+roc_feature_bphy_has_macsec(void)
+{
+	return roc_model_is_cnf10kb();
+}
 #endif
diff --git a/drivers/common/cnxk/roc_idev.c b/drivers/common/cnxk/roc_idev.c
index f420f0158d..e6c6b34d78 100644
--- a/drivers/common/cnxk/roc_idev.c
+++ b/drivers/common/cnxk/roc_idev.c
@@ -38,6 +38,7 @@ idev_set_defaults(struct idev_cfg *idev)
 	idev->num_lmtlines = 0;
 	idev->bphy = NULL;
 	idev->cpt = NULL;
+	TAILQ_INIT(&idev->mcs_list);
 	idev->nix_inl_dev = NULL;
 	TAILQ_INIT(&idev->roc_nix_list);
 	plt_spinlock_init(&idev->nix_inl_dev_lock);
@@ -187,6 +188,51 @@ roc_idev_cpt_get(void)
 	return NULL;
 }
 
+struct roc_mcs *
+roc_idev_mcs_get(uint8_t mcs_idx)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs, &idev->mcs_list, next) {
+			if (mcs->idx == mcs_idx)
+				return mcs;
+		}
+	}
+
+	return NULL;
+}
+
+void
+roc_idev_mcs_set(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs_iter = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
+			if (mcs_iter->idx == mcs->idx)
+				return;
+		}
+		TAILQ_INSERT_TAIL(&idev->mcs_list, mcs, next);
+	}
+}
+
+void
+roc_idev_mcs_free(struct roc_mcs *mcs)
+{
+	struct idev_cfg *idev = idev_get_cfg();
+	struct roc_mcs *mcs_iter = NULL;
+
+	if (idev != NULL) {
+		TAILQ_FOREACH(mcs_iter, &idev->mcs_list, next) {
+			if (mcs_iter->idx == mcs->idx)
+				TAILQ_REMOVE(&idev->mcs_list, mcs, next);
+		}
+	}
+}
+
 uint64_t *
 roc_nix_inl_outb_ring_base_get(struct roc_nix *roc_nix)
 {
diff --git a/drivers/common/cnxk/roc_idev.h b/drivers/common/cnxk/roc_idev.h
index 640ca97708..aea7f5279d 100644
--- a/drivers/common/cnxk/roc_idev.h
+++ b/drivers/common/cnxk/roc_idev.h
@@ -19,4 +19,7 @@ struct roc_nix *__roc_api roc_idev_npa_nix_get(void);
 uint64_t __roc_api roc_idev_nix_inl_meta_aura_get(void);
 struct roc_nix_list *__roc_api roc_idev_nix_list_get(void);
 
+struct roc_mcs *__roc_api roc_idev_mcs_get(uint8_t mcs_idx);
+void __roc_api roc_idev_mcs_set(struct roc_mcs *mcs);
+void __roc_api roc_idev_mcs_free(struct roc_mcs *mcs);
 #endif /* _ROC_IDEV_H_ */
diff --git a/drivers/common/cnxk/roc_idev_priv.h b/drivers/common/cnxk/roc_idev_priv.h
index 4983578fc6..80f8465e1c 100644
--- a/drivers/common/cnxk/roc_idev_priv.h
+++ b/drivers/common/cnxk/roc_idev_priv.h
@@ -31,6 +31,7 @@ struct idev_cfg {
 	struct roc_bphy *bphy;
 	struct roc_cpt *cpt;
 	struct roc_sso *sso;
+	struct roc_mcs_head mcs_list;
 	struct nix_inl_dev *nix_inl_dev;
 	struct idev_nix_inl_cfg inl_cfg;
 	struct roc_nix_list roc_nix_list;
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 93c5451c0f..ef7a7d6513 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -295,7 +295,12 @@ struct mbox_msghdr {
 	  nix_bpids)                                                           \
 	M(NIX_FREE_BPIDS, 0x8029, nix_free_bpids, nix_bpids, msg_rsp)          \
 	M(NIX_RX_CHAN_CFG, 0x802a, nix_rx_chan_cfg, nix_rx_chan_cfg,           \
-	  nix_rx_chan_cfg)
+	  nix_rx_chan_cfg)                                                     \
+	/* MCS mbox IDs (range 0xa000 - 0xbFFF) */                                                 \
+	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
+	  mcs_alloc_rsrc_rsp)                                                                      \
+	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -673,6 +678,64 @@ struct cgx_set_link_mode_rsp {
 	int __io status;
 };
 
+/* MCS mbox structures */
+enum mcs_direction {
+	MCS_RX,
+	MCS_TX,
+};
+
+enum mcs_rsrc_type {
+	MCS_RSRC_TYPE_FLOWID,
+	MCS_RSRC_TYPE_SECY,
+	MCS_RSRC_TYPE_SC,
+	MCS_RSRC_TYPE_SA,
+};
+
+struct mcs_alloc_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* Resources count */
+	uint8_t __io mcs_id;   /* MCS block ID */
+	uint8_t __io dir;      /* Macsec ingress or egress side */
+	uint8_t __io all;      /* Allocate all resource type one each */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_rsrc_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_ids[128]; /* Index of reserved entries */
+	uint8_t __io secy_ids[128];
+	uint8_t __io sc_ids[128];
+	uint8_t __io sa_ids[256];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_cnt; /* No of entries reserved */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all;
+	uint8_t __io rsvd[256];
+};
+
+struct mcs_free_rsrc_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_id; /* Index of the entry to be freed */
+	uint8_t __io rsrc_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the cam resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_hw_info {
+	struct mbox_msghdr hdr;
+	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
+	uint8_t __io tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t __io secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t __io sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t __io sa_entries;  /* PN table entries = SA entries */
+	uint64_t __io rsvd[16];
+};
+
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
new file mode 100644
index 0000000000..75d8e077e4
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -0,0 +1,220 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
+{
+	struct mcs_hw_info *hw;
+	struct npa_lf *npa;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (hw_info == NULL)
+		return -EINVAL;
+
+	/* Use mbox handler of first probed pci_func for
+	 * initial mcs mbox communication.
+	 */
+	npa = idev_npa_obj_get();
+	if (!npa)
+		return MCS_ERR_DEVICE_NOT_FOUND;
+
+	mbox_alloc_msg_mcs_get_hw_info(npa->mbox);
+	rc = mbox_process_msg(npa->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	hw_info->num_mcs_blks = hw->num_mcs_blks;
+	hw_info->tcam_entries = hw->tcam_entries;
+	hw_info->secy_entries = hw->secy_entries;
+	hw_info->sc_entries = hw->sc_entries;
+	hw_info->sa_entries = hw->sa_entries;
+
+	return rc;
+}
+
+static int
+mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
+{
+	size_t bmap_sz;
+	int rc = 0;
+
+	bmap_sz = plt_bitmap_get_memory_footprint(entries);
+	*mem = plt_zmalloc(bmap_sz, PLT_CACHE_LINE_SIZE);
+	if (*mem == NULL)
+		rc = -ENOMEM;
+
+	*bmap = plt_bitmap_init(entries, *mem, bmap_sz);
+	if (!*bmap) {
+		plt_free(*mem);
+		*mem = NULL;
+		rc = -ENOMEM;
+	}
+
+	return rc;
+}
+
+static void
+rsrc_bmap_free(struct mcs_rsrc *rsrc)
+{
+	plt_bitmap_free(rsrc->tcam_bmap);
+	plt_free(rsrc->tcam_bmap_mem);
+	plt_bitmap_free(rsrc->secy_bmap);
+	plt_free(rsrc->secy_bmap_mem);
+	plt_bitmap_free(rsrc->sc_bmap);
+	plt_free(rsrc->sc_bmap_mem);
+	plt_bitmap_free(rsrc->sa_bmap);
+	plt_free(rsrc->sa_bmap_mem);
+}
+
+static int
+rsrc_bmap_alloc(struct mcs_priv *priv, struct mcs_rsrc *rsrc)
+{
+	int rc;
+
+	rc = mcs_alloc_bmap(priv->tcam_entries << 1, &rsrc->tcam_bmap_mem, &rsrc->tcam_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->secy_entries << 1, &rsrc->secy_bmap_mem, &rsrc->secy_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sc_entries << 1, &rsrc->sc_bmap_mem, &rsrc->sc_bmap);
+	if (rc)
+		goto exit;
+
+	rc = mcs_alloc_bmap(priv->sa_entries << 1, &rsrc->sa_bmap_mem, &rsrc->sa_bmap);
+	if (rc)
+		goto exit;
+
+	return rc;
+exit:
+	rsrc_bmap_free(rsrc);
+
+	return rc;
+}
+
+static int
+mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_hw_info *hw;
+	int i, rc;
+
+	mbox_alloc_msg_mcs_get_hw_info(mcs->mbox);
+	rc = mbox_process_msg(mcs->mbox, (void *)&hw);
+	if (rc)
+		return rc;
+
+	priv->num_mcs_blks = hw->num_mcs_blks;
+	priv->tcam_entries = hw->tcam_entries;
+	priv->secy_entries = hw->secy_entries;
+	priv->sc_entries = hw->sc_entries;
+	priv->sa_entries = hw->sa_entries;
+
+	rc = rsrc_bmap_alloc(priv, &priv->dev_rsrc);
+	if (rc)
+		return rc;
+
+	priv->port_rsrc = plt_zmalloc(sizeof(struct mcs_rsrc) * 4, 0);
+	if (priv->port_rsrc == NULL) {
+		rsrc_bmap_free(&priv->dev_rsrc);
+		return -ENOMEM;
+	}
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rc = rsrc_bmap_alloc(priv, &priv->port_rsrc[i]);
+		if (rc)
+			goto exit;
+
+		priv->port_rsrc[i].sc_conf =
+			plt_zmalloc(priv->sc_entries * sizeof(struct mcs_sc_conf), 0);
+		if (priv->port_rsrc[i].sc_conf == NULL) {
+			rsrc_bmap_free(&priv->port_rsrc[i]);
+			goto exit;
+		}
+	}
+
+	return rc;
+
+exit:
+	while (i--) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+	plt_free(priv->port_rsrc);
+
+	return -ENOMEM;
+}
+
+struct roc_mcs *
+roc_mcs_dev_init(uint8_t mcs_idx)
+{
+	struct roc_mcs *mcs;
+	struct npa_lf *npa;
+
+	if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))
+		return NULL;
+
+	mcs = roc_idev_mcs_get(mcs_idx);
+	if (mcs) {
+		plt_info("Skipping device, mcs device already probed");
+		mcs->refcount++;
+		return mcs;
+	}
+
+	mcs = plt_zmalloc(sizeof(struct roc_mcs), PLT_CACHE_LINE_SIZE);
+	if (!mcs)
+		return NULL;
+
+	npa = idev_npa_obj_get();
+	if (!npa)
+		goto exit;
+
+	mcs->mbox = npa->mbox;
+	mcs->idx = mcs_idx;
+
+	/* Add any per mcsv initialization */
+	if (mcs_alloc_rsrc_bmap(mcs))
+		goto exit;
+
+	roc_idev_mcs_set(mcs);
+	mcs->refcount++;
+
+	return mcs;
+exit:
+	plt_free(mcs);
+	return NULL;
+}
+
+void
+roc_mcs_dev_fini(struct roc_mcs *mcs)
+{
+	struct mcs_priv *priv;
+	int i;
+
+	mcs->refcount--;
+	if (mcs->refcount > 0)
+		return;
+
+	priv = roc_mcs_to_mcs_priv(mcs);
+
+	rsrc_bmap_free(&priv->dev_rsrc);
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		rsrc_bmap_free(&priv->port_rsrc[i]);
+		plt_free(priv->port_rsrc[i].sc_conf);
+	}
+
+	plt_free(priv->port_rsrc);
+
+	roc_idev_mcs_free(mcs);
+
+	plt_free(mcs);
+}
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
new file mode 100644
index 0000000000..1eca59c41c
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -0,0 +1,42 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#ifndef ROC_MCS_H
+#define ROC_MCS_H
+
+#define MCS_AES_GCM_256_KEYLEN 32
+
+struct roc_mcs_hw_info {
+	uint8_t num_mcs_blks; /* Number of MCS blocks */
+	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
+	uint8_t secy_entries; /* RX/TX SECY entries per mcs block */
+	uint8_t sc_entries;   /* RX/TX SC CAM entries per mcs block */
+	uint16_t sa_entries;  /* PN table entries = SA entries */
+	uint64_t rsvd[16];
+};
+
+
+struct roc_mcs {
+	TAILQ_ENTRY(roc_mcs) next;
+	struct plt_pci_device *pci_dev;
+	struct mbox *mbox;
+	void *userdata;
+	uint8_t idx;
+	uint8_t refcount;
+
+#define ROC_MCS_MEM_SZ (1 * 1024)
+	uint8_t reserved[ROC_MCS_MEM_SZ] __plt_cache_aligned;
+} __plt_cache_aligned;
+
+TAILQ_HEAD(roc_mcs_head, roc_mcs);
+
+/* Initialization */
+__roc_api struct roc_mcs *roc_mcs_dev_init(uint8_t mcs_idx);
+__roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
+/* Get roc mcs dev structure */
+__roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
+/* HW info get */
+__roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+
+#endif /* ROC_MCS_H */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
new file mode 100644
index 0000000000..17a60509ca
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#ifndef _ROC_MCS_PRIV_H_
+#define _ROC_MCS_PRIV_H_
+
+#define MAX_PORTS_PER_MCS 4
+
+enum mcs_error_status {
+	MCS_ERR_PARAM = -900,
+	MCS_ERR_HW_NOTSUP = -901,
+	MCS_ERR_DEVICE_NOT_FOUND = -902,
+};
+
+#define MCS_SUPPORT_CHECK                                                                          \
+	do {                                                                                       \
+		if (!(roc_feature_bphy_has_macsec() || roc_feature_nix_has_macsec()))              \
+			return MCS_ERR_HW_NOTSUP;                                                  \
+	} while (0)
+
+struct mcs_sc_conf {
+	struct {
+		uint64_t sci;
+		uint16_t sa_idx0;
+		uint16_t sa_idx1;
+		uint8_t rekey_enb;
+	} tx;
+	struct {
+		uint16_t sa_idx;
+		uint8_t an;
+	} rx;
+};
+
+struct mcs_rsrc {
+	struct plt_bitmap *tcam_bmap;
+	void *tcam_bmap_mem;
+	struct plt_bitmap *secy_bmap;
+	void *secy_bmap_mem;
+	struct plt_bitmap *sc_bmap;
+	void *sc_bmap_mem;
+	struct plt_bitmap *sa_bmap;
+	void *sa_bmap_mem;
+	struct mcs_sc_conf *sc_conf;
+};
+
+struct mcs_priv {
+	struct mcs_rsrc *port_rsrc;
+	struct mcs_rsrc dev_rsrc;
+	uint64_t default_sci;
+	uint32_t lmac_bmap;
+	uint8_t num_mcs_blks;
+	uint8_t tcam_entries;
+	uint8_t secy_entries;
+	uint8_t sc_entries;
+	uint16_t sa_entries;
+};
+
+static inline struct mcs_priv *
+roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
+{
+	return (struct mcs_priv *)&roc_mcs->reserved[0];
+}
+
+#endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/roc_priv.h b/drivers/common/cnxk/roc_priv.h
index 14fe2e452a..254a2d3310 100644
--- a/drivers/common/cnxk/roc_priv.h
+++ b/drivers/common/cnxk/roc_priv.h
@@ -44,6 +44,9 @@
 /* DPI */
 #include "roc_dpi_priv.h"
 
+/* MCS */
+#include "roc_mcs_priv.h"
+
 /* REE */
 #include "roc_ree_priv.h"
 
diff --git a/drivers/common/cnxk/roc_utils.c b/drivers/common/cnxk/roc_utils.c
index fe291fce96..9af2ae9b69 100644
--- a/drivers/common/cnxk/roc_utils.c
+++ b/drivers/common/cnxk/roc_utils.c
@@ -16,6 +16,7 @@ roc_error_msg_get(int errorcode)
 	case NPA_ERR_PARAM:
 	case NPC_ERR_PARAM:
 	case SSO_ERR_PARAM:
+	case MCS_ERR_PARAM:
 	case UTIL_ERR_PARAM:
 		err_msg = "Invalid parameter";
 		break;
@@ -35,6 +36,7 @@ roc_error_msg_get(int errorcode)
 		err_msg = "Operation not supported";
 		break;
 	case NIX_ERR_HW_NOTSUP:
+	case MCS_ERR_HW_NOTSUP:
 		err_msg = "Hardware does not support";
 		break;
 	case NIX_ERR_QUEUE_INVALID_RANGE:
@@ -223,6 +225,9 @@ roc_error_msg_get(int errorcode)
 	case SSO_ERR_DEVICE_NOT_BOUNDED:
 		err_msg = "SSO pf/vf not found";
 		break;
+	case MCS_ERR_DEVICE_NOT_FOUND:
+		err_msg = "MCS device not found";
+		break;
 	case UTIL_ERR_FS:
 		err_msg = "file operation failed";
 		break;
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index e1335e9068..900290b866 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -94,6 +94,9 @@ INTERNAL {
 	roc_idev_cpt_get;
 	roc_idev_cpt_set;
 	roc_idev_lmt_base_addr_get;
+	roc_idev_mcs_free;
+	roc_idev_mcs_get;
+	roc_idev_mcs_set;
 	roc_idev_npa_maxpools_get;
 	roc_idev_npa_maxpools_set;
 	roc_idev_npa_nix_get;
@@ -132,6 +135,10 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_dev_init;
+	roc_mcs_dev_fini;
+	roc_mcs_dev_get;
+	roc_mcs_hw_info_get;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v5 02/15] common/cnxk: add MACsec SA configuration

[Akhil Goyal]

Added ROC APIs to allocate/free MACsec resources
and APIs to write SA policy.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build       |   1 +
 drivers/common/cnxk/roc_mbox.h        |  12 ++
 drivers/common/cnxk/roc_mcs.h         |  43 ++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 211 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   4 +
 5 files changed, 271 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_sec_cfg.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index e33c002676..589baf74fe 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -27,6 +27,7 @@ sources = files(
         'roc_ie_ot.c',
         'roc_mbox.c',
         'roc_mcs.c',
+        'roc_mcs_sec_cfg.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ef7a7d6513..ab1173e805 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,6 +300,7 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -725,6 +726,17 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_sa_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
+	uint8_t __io sa_index[2];
+	uint8_t __io sa_cnt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 1eca59c41c..6fda9308d7 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -7,6 +7,39 @@
 
 #define MCS_AES_GCM_256_KEYLEN 32
 
+struct roc_mcs_alloc_rsrc_req {
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* Resources count */
+	uint8_t dir;	  /* Macsec ingress or egress side */
+	uint8_t all;	  /* Allocate all resource type one each */
+};
+
+struct roc_mcs_alloc_rsrc_rsp {
+	uint8_t flow_ids[128]; /* Index of reserved entries */
+	uint8_t secy_ids[128];
+	uint8_t sc_ids[128];
+	uint8_t sa_ids[256];
+	uint8_t rsrc_type;
+	uint8_t rsrc_cnt; /* No of entries reserved */
+	uint8_t dir;
+	uint8_t all;
+};
+
+struct roc_mcs_free_rsrc_req {
+	uint8_t rsrc_id; /* Index of the entry to be freed */
+	uint8_t rsrc_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the cam resources */
+};
+
+
+struct roc_mcs_sa_plcy_write_req {
+	uint64_t plcy[2][9];
+	uint8_t sa_index[2];
+	uint8_t sa_cnt;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -39,4 +72,14 @@ __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
 
+/* Resource allocation and free */
+__roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+				 struct roc_mcs_alloc_rsrc_rsp *rsp);
+__roc_api int roc_mcs_rsrc_free(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *req);
+/* SA policy read and write */
+__roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
+				      struct roc_mcs_sa_plcy_write_req *sa_plcy);
+__roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
+				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
+
 #endif /* ROC_MCS_H */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
new file mode 100644
index 0000000000..041be51b4b
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -0,0 +1,211 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
+		   struct roc_mcs_alloc_rsrc_rsp *rsp)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_alloc_rsrc_req *rsrc_req;
+	struct mcs_alloc_rsrc_rsp *rsrc_rsp;
+	int rc, i;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rsrc_req = mbox_alloc_msg_mcs_alloc_resources(mcs->mbox);
+	if (rsrc_req == NULL)
+		return -ENOMEM;
+
+	rsrc_req->rsrc_type = req->rsrc_type;
+	rsrc_req->rsrc_cnt = req->rsrc_cnt;
+	rsrc_req->mcs_id = mcs->idx;
+	rsrc_req->dir = req->dir;
+	rsrc_req->all = req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsrc_rsp);
+	if (rc)
+		return rc;
+
+	if (rsrc_rsp->all) {
+		rsrc_rsp->rsrc_cnt = 1;
+		rsrc_rsp->rsrc_type = 0xFF;
+	}
+
+	for (i = 0; i < rsrc_rsp->rsrc_cnt; i++) {
+		switch (rsrc_rsp->rsrc_type) {
+		case MCS_RSRC_TYPE_FLOWID:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SECY:
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SC:
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			break;
+		case MCS_RSRC_TYPE_SA:
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		default:
+			rsp->flow_ids[i] = rsrc_rsp->flow_ids[i];
+			rsp->secy_ids[i] = rsrc_rsp->secy_ids[i];
+			rsp->sc_ids[i] = rsrc_rsp->sc_ids[i];
+			rsp->sa_ids[i] = rsrc_rsp->sa_ids[i];
+			plt_bitmap_set(priv->dev_rsrc.tcam_bmap,
+				       rsp->flow_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->tcam_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.secy_bmap,
+				       rsp->secy_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->secy_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sc_bmap,
+				       rsp->sc_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sc_entries : 0));
+			plt_bitmap_set(priv->dev_rsrc.sa_bmap,
+				       rsp->sa_ids[i] +
+					       ((req->dir == MCS_TX) ? priv->sa_entries : 0));
+			break;
+		}
+	}
+	rsp->rsrc_type = rsrc_rsp->rsrc_type;
+	rsp->rsrc_cnt = rsrc_rsp->rsrc_cnt;
+	rsp->dir = rsrc_rsp->dir;
+	rsp->all = rsrc_rsp->all;
+
+	return 0;
+}
+
+int
+roc_mcs_rsrc_free(struct roc_mcs *mcs, struct roc_mcs_free_rsrc_req *free_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_free_rsrc_req *req;
+	struct msg_rsp *rsp;
+	uint32_t pos;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (free_req == NULL)
+		return -EINVAL;
+
+	req = mbox_alloc_msg_mcs_free_resources(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->rsrc_id = free_req->rsrc_id;
+	req->rsrc_type = free_req->rsrc_type;
+	req->mcs_id = mcs->idx;
+	req->dir = free_req->dir;
+	req->all = free_req->all;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	switch (free_req->rsrc_type) {
+	case MCS_RSRC_TYPE_FLOWID:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->tcam_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.tcam_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].tcam_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].tcam_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SECY:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->secy_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.secy_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].secy_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SC:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sc_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sc_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sc_bmap, pos);
+				break;
+			}
+		}
+		break;
+	case MCS_RSRC_TYPE_SA:
+		pos = free_req->rsrc_id + ((req->dir == MCS_TX) ? priv->sa_entries : 0);
+		plt_bitmap_clear(priv->dev_rsrc.sa_bmap, pos);
+		for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+			uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sa_bmap, pos);
+
+			if (set) {
+				plt_bitmap_clear(priv->port_rsrc[i].sa_bmap, pos);
+				break;
+			}
+		}
+		break;
+	default:
+		break;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sa_policy_write(struct roc_mcs *mcs, struct roc_mcs_sa_plcy_write_req *sa_plcy)
+{
+	struct mcs_sa_plcy_write_req *sa;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (sa_plcy == NULL)
+		return -EINVAL;
+
+	sa = mbox_alloc_msg_mcs_sa_plcy_write(mcs->mbox);
+	if (sa == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(sa->plcy, sa_plcy->plcy, sizeof(uint64_t) * 2 * 9);
+	sa->sa_index[0] = sa_plcy->sa_index[0];
+	sa->sa_index[1] = sa_plcy->sa_index[1];
+	sa->sa_cnt = sa_plcy->sa_cnt;
+	sa->mcs_id = mcs->idx;
+	sa->dir = sa_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_sa_plcy_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 900290b866..bd8a3095f9 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,6 +139,10 @@ INTERNAL {
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
 	roc_mcs_hw_info_get;
+	roc_mcs_rsrc_alloc;
+	roc_mcs_rsrc_free;
+	roc_mcs_sa_policy_read;
+	roc_mcs_sa_policy_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v5 03/15] common/cnxk: add MACsec SC configuration APIs

[Akhil Goyal]

Added ROC APIs to configure MACsec secure channel(SC)
and its mapping with SAs for both Rx and Tx.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  37 ++++++
 drivers/common/cnxk/roc_mcs.h         |  42 +++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 171 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   7 ++
 4 files changed, 257 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index ab1173e805..40b761ee99 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,7 +300,10 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
+	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
+	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -726,6 +729,16 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+/* RX SC_CAM mapping */
+struct mcs_rx_sc_cam_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sci;     /* SCI */
+	uint64_t __io secy_id; /* secy index mapped to SC */
+	uint8_t __io sc_id;    /* SC CAM entry index */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_sa_plcy_write_req {
 	struct mbox_msghdr hdr;
 	uint64_t __io plcy[2][9]; /* Support 2 SA policy */
@@ -736,6 +749,30 @@ struct mcs_sa_plcy_write_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_tx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index0;
+	uint8_t __io sa_index1;
+	uint8_t __io rekey_ena;
+	uint8_t __io sa_index0_vld;
+	uint8_t __io sa_index1_vld;
+	uint8_t __io tx_sa_active;
+	uint64_t __io sectag_sci;
+	uint8_t __io sc_id; /* used as index for SA_MEM_MAP */
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_rx_sc_sa_map {
+	struct mbox_msghdr hdr;
+	uint8_t __io sa_index;
+	uint8_t __io sa_in_use;
+	uint8_t __io sc_id;
+	/* an range is 0-3, sc_id + an used as index SA_MEM_MAP */
+	uint8_t __io an;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
 
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 6fda9308d7..1fb36b5eaa 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,12 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+/* RX SC_CAM mapping */
+struct roc_mcs_rx_sc_cam_write_req {
+	uint64_t sci;	  /* SCI */
+	uint64_t secy_id; /* secy index mapped to SC */
+	uint8_t sc_id;	  /* SC CAM entry index */
+};
 
 struct roc_mcs_sa_plcy_write_req {
 	uint64_t plcy[2][9];
@@ -40,6 +46,24 @@ struct roc_mcs_sa_plcy_write_req {
 	uint8_t dir;
 };
 
+struct roc_mcs_tx_sc_sa_map {
+	uint8_t sa_index0;
+	uint8_t sa_index1;
+	uint8_t rekey_ena;
+	uint8_t sa_index0_vld;
+	uint8_t sa_index1_vld;
+	uint8_t tx_sa_active;
+	uint64_t sectag_sci;
+	uint8_t sc_id; /* used as index for SA_MEM_MAP */
+};
+
+struct roc_mcs_rx_sc_sa_map {
+	uint8_t sa_index;
+	uint8_t sa_in_use;
+	uint8_t sc_id;
+	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -82,4 +106,22 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
 
+/* RX SC read, write and enable */
+__roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
+				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
+				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+__roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* RX SC-SA MAP read and write */
+__roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+__roc_api int roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
+/* TX SC-SA MAP read and write */
+__roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
+					 struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+__roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
+					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
+
 #endif /* ROC_MCS_H */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 041be51b4b..9b87952112 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -209,3 +209,174 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+
+int
+roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_cam_write_req *rx_sc;
+	struct msg_rsp *rsp;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_cam == NULL)
+		return -EINVAL;
+
+	rx_sc = mbox_alloc_msg_mcs_rx_sc_cam_write(mcs->mbox);
+	if (rx_sc == NULL)
+		return -ENOMEM;
+
+	rx_sc->sci = rx_sc_cam->sci;
+	rx_sc->secy_id = rx_sc_cam->secy_id;
+	rx_sc->sc_id = rx_sc_cam->sc_id;
+	rx_sc->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].secy_bmap, rx_sc_cam->secy_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sc_bmap, rx_sc_cam->sc_id);
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs __plt_unused,
+		       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_rx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (rx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sc_id = rx_sc_sa_map->sc_id;
+	sa_map = mbox_alloc_msg_mcs_rx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index = rx_sc_sa_map->sa_index;
+	sa_map->sa_in_use = rx_sc_sa_map->sa_in_use;
+	sa_map->sc_id = rx_sc_sa_map->sc_id;
+	sa_map->an = rx_sc_sa_map->an;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id);
+
+		if (set) {
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, rx_sc_sa_map->sa_index);
+			priv->port_rsrc[i].sc_conf[sc_id].rx.sa_idx = rx_sc_sa_map->sa_index;
+			priv->port_rsrc[i].sc_conf[sc_id].rx.an = rx_sc_sa_map->an;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_rx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_tx_sc_sa_map *sa_map;
+	struct msg_rsp *rsp;
+	uint16_t sc_id;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (tx_sc_sa_map == NULL)
+		return -EINVAL;
+
+	sa_map = mbox_alloc_msg_mcs_tx_sc_sa_map_write(mcs->mbox);
+	if (sa_map == NULL)
+		return -ENOMEM;
+
+	sa_map->sa_index0 = tx_sc_sa_map->sa_index0;
+	sa_map->sa_index1 = tx_sc_sa_map->sa_index1;
+	sa_map->rekey_ena = tx_sc_sa_map->rekey_ena;
+	sa_map->sa_index0_vld = tx_sc_sa_map->sa_index0_vld;
+	sa_map->sa_index1_vld = tx_sc_sa_map->sa_index1_vld;
+	sa_map->tx_sa_active = tx_sc_sa_map->tx_sa_active;
+	sa_map->sectag_sci = tx_sc_sa_map->sectag_sci;
+	sa_map->sc_id = tx_sc_sa_map->sc_id;
+	sa_map->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	sc_id = tx_sc_sa_map->sc_id;
+	for (i = 0; i < MAX_PORTS_PER_MCS; i++) {
+		uint32_t set = plt_bitmap_get(priv->port_rsrc[i].sc_bmap, sc_id + priv->sc_entries);
+
+		if (set) {
+			uint32_t pos = priv->sa_entries + tx_sc_sa_map->sa_index0;
+
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx0 = tx_sc_sa_map->sa_index0;
+			pos = priv->sa_entries + tx_sc_sa_map->sa_index1;
+			plt_bitmap_set(priv->port_rsrc[i].sa_bmap, pos);
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sa_idx1 = tx_sc_sa_map->sa_index1;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.sci = tx_sc_sa_map->sectag_sci;
+			priv->port_rsrc[i].sc_conf[sc_id].tx.rekey_enb = tx_sc_sa_map->rekey_ena;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index bd8a3095f9..dbfda62ad1 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -141,8 +141,15 @@ INTERNAL {
 	roc_mcs_hw_info_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
+	roc_mcs_rx_sc_cam_enable;
+	roc_mcs_rx_sc_cam_read;
+	roc_mcs_rx_sc_cam_write;
+	roc_mcs_rx_sc_sa_map_read;
+	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_tx_sc_sa_map_read;
+	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
 	roc_nix_bpf_config;
 	roc_nix_bpf_connect;
-- 
2.25.1

[PATCH v5 04/15] common/cnxk: add MACsec secy and flow configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec secy policy and
flow entries.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        |  38 +++++++++
 drivers/common/cnxk/roc_mcs.h         |  37 +++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 115 ++++++++++++++++++++++++++
 drivers/common/cnxk/version.map       |   5 ++
 4 files changed, 195 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 40b761ee99..fcfcc90f6c 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -300,10 +300,14 @@ struct mbox_msghdr {
 	M(MCS_ALLOC_RESOURCES, 0xa000, mcs_alloc_resources, mcs_alloc_rsrc_req,                    \
 	  mcs_alloc_rsrc_rsp)                                                                      \
 	M(MCS_FREE_RESOURCES, 0xa001, mcs_free_resources, mcs_free_rsrc_req, msg_rsp)              \
+	M(MCS_FLOWID_ENTRY_WRITE, 0xa002, mcs_flowid_entry_write, mcs_flowid_entry_write_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_SECY_PLCY_WRITE, 0xa003, mcs_secy_plcy_write, mcs_secy_plcy_write_req, msg_rsp)      \
 	M(MCS_RX_SC_CAM_WRITE, 0xa004, mcs_rx_sc_cam_write, mcs_rx_sc_cam_write_req, msg_rsp)      \
 	M(MCS_SA_PLCY_WRITE, 0xa005, mcs_sa_plcy_write, mcs_sa_plcy_write_req, msg_rsp)            \
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
+	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
@@ -729,6 +733,31 @@ struct mcs_free_rsrc_req {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_entry_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data[4];
+	uint64_t __io mask[4];
+	uint64_t __io sci; /* CNF10K-B for tx_secy_mem_map */
+	uint8_t __io flow_id;
+	uint8_t __io secy_id; /* secyid for which flowid is mapped */
+	/* sc_id is Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t __io sc_id;
+	uint8_t __io ena; /* Enable tcam entry */
+	uint8_t __io ctr_pkt;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_plcy_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io plcy;
+	uint8_t __io secy_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 /* RX SC_CAM mapping */
 struct mcs_rx_sc_cam_write_req {
 	struct mbox_msghdr hdr;
@@ -774,6 +803,15 @@ struct mcs_rx_sc_sa_map {
 	uint64_t __io rsvd;
 };
 
+struct mcs_flowid_ena_dis_entry {
+	struct mbox_msghdr hdr;
+	uint8_t __io flow_id;
+	uint8_t __io ena;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 1fb36b5eaa..33bd372ed0 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -32,6 +32,24 @@ struct roc_mcs_free_rsrc_req {
 	uint8_t all; /* Free all the cam resources */
 };
 
+struct roc_mcs_flowid_entry_write_req {
+	uint64_t data[4];
+	uint64_t mask[4];
+	uint64_t sci; /* 105N for tx_secy_mem_map */
+	uint8_t flow_id;
+	uint8_t secy_id; /* secyid for which flowid is mapped */
+	uint8_t sc_id;	 /* Valid if dir = MCS_TX, SC_CAM id mapped to flowid */
+	uint8_t ena;	 /* Enable tcam entry */
+	uint8_t ctr_pkt;
+	uint8_t dir;
+};
+
+struct roc_mcs_secy_plcy_write_req {
+	uint64_t plcy;
+	uint8_t secy_id;
+	uint8_t dir;
+};
+
 /* RX SC_CAM mapping */
 struct roc_mcs_rx_sc_cam_write_req {
 	uint64_t sci;	  /* SCI */
@@ -64,6 +82,12 @@ struct roc_mcs_rx_sc_sa_map {
 	uint8_t an; /* value range 0-3, sc_id + an used as index SA_MEM_MAP */
 };
 
+struct roc_mcs_flowid_ena_dis_entry {
+	uint8_t flow_id;
+	uint8_t ena;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -113,6 +137,11 @@ __roc_api int roc_mcs_rx_sc_cam_read(struct roc_mcs *mcs,
 				     struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 __roc_api int roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs,
 				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
+/* SECY policy read and write */
+__roc_api int roc_mcs_secy_policy_write(struct roc_mcs *mcs,
+					struct roc_mcs_secy_plcy_write_req *secy_plcy);
+__roc_api int roc_mcs_secy_policy_read(struct roc_mcs *mcs,
+				       struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
 /* RX SC-SA MAP read and write */
 __roc_api int roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs,
 					 struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map);
@@ -124,4 +153,12 @@ __roc_api int roc_mcs_tx_sc_sa_map_write(struct roc_mcs *mcs,
 __roc_api int roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs,
 					struct roc_mcs_tx_sc_sa_map *tx_sc_sa_map);
 
+/* Flow entry read, write and enable */
+__roc_api int roc_mcs_flowid_entry_write(struct roc_mcs *mcs,
+					 struct roc_mcs_flowid_entry_write_req *flowid_req);
+__roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
+					struct roc_mcs_flowid_entry_write_req *flowid_rsp);
+__roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
+					  struct roc_mcs_flowid_ena_dis_entry *entry);
+
 #endif /* ROC_MCS_H */
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 9b87952112..44b4919bbc 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -267,6 +267,38 @@ roc_mcs_rx_sc_cam_enable(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_secy_policy_write(struct roc_mcs *mcs, struct roc_mcs_secy_plcy_write_req *secy_plcy)
+{
+	struct mcs_secy_plcy_write_req *secy;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (secy_plcy == NULL)
+		return -EINVAL;
+
+	secy = mbox_alloc_msg_mcs_secy_plcy_write(mcs->mbox);
+	if (secy == NULL)
+		return -ENOMEM;
+
+	secy->plcy = secy_plcy->plcy;
+	secy->secy_id = secy_plcy->secy_id;
+	secy->mcs_id = mcs->idx;
+	secy->dir = secy_plcy->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_secy_policy_read(struct roc_mcs *mcs __plt_unused,
+			 struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
 int
 roc_mcs_rx_sc_sa_map_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_sa_map *rx_sc_sa_map)
 {
@@ -380,3 +412,86 @@ roc_mcs_tx_sc_sa_map_read(struct roc_mcs *mcs __plt_unused,
 
 	return -ENOTSUP;
 }
+
+int
+roc_mcs_flowid_entry_write(struct roc_mcs *mcs, struct roc_mcs_flowid_entry_write_req *flowid_req)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct mcs_flowid_entry_write_req *flow_req;
+	struct msg_rsp *rsp;
+	uint8_t port;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (flowid_req == NULL)
+		return -EINVAL;
+
+	flow_req = mbox_alloc_msg_mcs_flowid_entry_write(mcs->mbox);
+	if (flow_req == NULL)
+		return -ENOMEM;
+
+	mbox_memcpy(flow_req->data, flowid_req->data, sizeof(uint64_t) * 4);
+	mbox_memcpy(flow_req->mask, flowid_req->mask, sizeof(uint64_t) * 4);
+	flow_req->sci = flowid_req->sci;
+	flow_req->flow_id = flowid_req->flow_id;
+	flow_req->secy_id = flowid_req->secy_id;
+	flow_req->sc_id = flowid_req->sc_id;
+	flow_req->ena = flowid_req->ena;
+	flow_req->ctr_pkt = flowid_req->ctr_pkt;
+	flow_req->mcs_id = mcs->idx;
+	flow_req->dir = flowid_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (flow_req->mask[3] & (BIT_ULL(10) | BIT_ULL(11)))
+		return rc;
+
+	port = (flow_req->data[3] >> 10) & 0x3;
+
+	plt_bitmap_set(priv->port_rsrc[port].tcam_bmap,
+		       flowid_req->flow_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->tcam_entries : 0));
+	plt_bitmap_set(priv->port_rsrc[port].secy_bmap,
+		       flowid_req->secy_id +
+			       ((flowid_req->dir == MCS_TX) ? priv->secy_entries : 0));
+
+	if (flowid_req->dir == MCS_TX)
+		plt_bitmap_set(priv->port_rsrc[port].sc_bmap, priv->sc_entries + flowid_req->sc_id);
+
+	return 0;
+}
+
+int
+roc_mcs_flowid_entry_read(struct roc_mcs *mcs __plt_unused,
+			  struct roc_mcs_flowid_entry_write_req *flowid_rsp __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
+
+int
+roc_mcs_flowid_entry_enable(struct roc_mcs *mcs, struct roc_mcs_flowid_ena_dis_entry *entry)
+{
+	struct mcs_flowid_ena_dis_entry *flow_entry;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (entry == NULL)
+		return -EINVAL;
+
+	flow_entry = mbox_alloc_msg_mcs_flowid_ena_entry(mcs->mbox);
+	if (flow_entry == NULL)
+		return -ENOMEM;
+
+	flow_entry->flow_id = entry->flow_id;
+	flow_entry->ena = entry->ena;
+	flow_entry->mcs_id = mcs->idx;
+	flow_entry->dir = entry->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index dbfda62ad1..3d9da3b187 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -138,6 +138,9 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_flowid_entry_enable;
+	roc_mcs_flowid_entry_read;
+	roc_mcs_flowid_entry_write;
 	roc_mcs_hw_info_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
@@ -148,6 +151,8 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_secy_policy_read;
+	roc_mcs_secy_policy_write;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH v5 05/15] common/cnxk: add MACsec PN and LMAC mode configuration

[Akhil Goyal]

Added ROC APIs for setting packet number and LMAC
related configurations.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h        | 56 +++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c         | 71 +++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h         | 49 ++++++++++++++++++
 drivers/common/cnxk/roc_mcs_sec_cfg.c | 31 ++++++++++++
 drivers/common/cnxk/version.map       |  5 ++
 5 files changed, 212 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index fcfcc90f6c..62c5c3a3ce 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -308,7 +308,11 @@ struct mbox_msghdr {
 	M(MCS_TX_SC_SA_MAP_WRITE, 0xa006, mcs_tx_sc_sa_map_write, mcs_tx_sc_sa_map, msg_rsp)       \
 	M(MCS_RX_SC_SA_MAP_WRITE, 0xa007, mcs_rx_sc_sa_map_write, mcs_rx_sc_sa_map, msg_rsp)       \
 	M(MCS_FLOWID_ENA_ENTRY, 0xa008, mcs_flowid_ena_entry, mcs_flowid_ena_dis_entry, msg_rsp)   \
+	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
+	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
+	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -812,6 +816,34 @@ struct mcs_flowid_ena_dis_entry {
 	uint64_t __io rsvd;
 };
 
+struct mcs_pn_table_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io next_pn;
+	uint8_t __io pn_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_cam_entry_read_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io reg_val[10];
+	uint8_t __io rsrc_type;
+	uint8_t __io rsrc_id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_hw_info {
 	struct mbox_msghdr hdr;
 	uint8_t __io num_mcs_blks; /* Number of MCS blocks */
@@ -822,6 +854,30 @@ struct mcs_hw_info {
 	uint64_t __io rsvd[16];
 };
 
+struct mcs_set_active_lmac {
+	struct mbox_msghdr hdr;
+	uint32_t __io lmac_bmap; /* bitmap of active lmac per mcs block */
+	uint8_t __io mcs_id;
+	uint16_t __io channel_base; /* MCS channel base */
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_lmac_mode {
+	struct mbox_msghdr hdr;
+	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_set_pn_threshold {
+	struct mbox_msghdr hdr;
+	uint64_t __io threshold;
+	uint8_t __io xpn; /* '1' for setting xpn threshold */
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
 
 /* NPA mbox message formats */
 
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 75d8e077e4..966e5be247 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -38,6 +38,77 @@ roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 	return rc;
 }
 
+int
+roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac)
+{
+	struct mcs_set_active_lmac *req;
+	struct msg_rsp *rsp;
+
+	/* Only needed for 105N */
+	if (!roc_model_is_cnf10kb())
+		return 0;
+
+	if (lmac == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_active_lmac(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_bmap = lmac->lmac_bmap;
+	req->channel_base = lmac->channel_base;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
+{
+	struct mcs_set_lmac_mode *req;
+	struct msg_rsp *rsp;
+
+	if (port == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_lmac_mode(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->lmac_id = port->lmac_id;
+	req->mcs_id = mcs->idx;
+	req->mode = port->mode;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn)
+{
+	struct mcs_set_pn_threshold *req;
+	struct msg_rsp *rsp;
+
+	if (pn == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_set_pn_threshold(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->threshold = pn->threshold;
+	req->mcs_id = mcs->idx;
+	req->dir = pn->dir;
+	req->xpn = pn->xpn;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 33bd372ed0..94969e14f1 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -88,6 +88,25 @@ struct roc_mcs_flowid_ena_dis_entry {
 	uint8_t dir;
 };
 
+struct roc_mcs_pn_table_write_req {
+	uint64_t next_pn;
+	uint8_t pn_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_req {
+	uint8_t rsrc_type; /* TCAM/SECY/SC/SA/PN */
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
+struct roc_mcs_cam_entry_read_rsp {
+	uint64_t reg_val[10];
+	uint8_t rsrc_type;
+	uint8_t rsrc_id;
+	uint8_t dir;
+};
+
 struct roc_mcs_hw_info {
 	uint8_t num_mcs_blks; /* Number of MCS blocks */
 	uint8_t tcam_entries; /* RX/TX Tcam entries per mcs block */
@@ -97,6 +116,24 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+struct roc_mcs_set_lmac_mode {
+	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_active_lmac {
+	uint32_t lmac_bmap;    /* bitmap of active lmac per mcs block */
+	uint16_t channel_base; /* MCS channel base */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_set_pn_threshold {
+	uint64_t threshold;
+	uint8_t xpn; /* '1' for setting xpn threshold */
+	uint8_t dir;
+	uint64_t rsvd;
+};
 
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
@@ -119,6 +156,12 @@ __roc_api void roc_mcs_dev_fini(struct roc_mcs *mcs);
 __roc_api struct roc_mcs *roc_mcs_dev_get(uint8_t mcs_idx);
 /* HW info get */
 __roc_api int roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info);
+/* Active lmac bmap set */
+__roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lmac);
+/* Port bypass mode set */
+__roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
+/* (X)PN threshold set */
+__roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -130,6 +173,12 @@ __roc_api int roc_mcs_sa_policy_write(struct roc_mcs *mcs,
 __roc_api int roc_mcs_sa_policy_read(struct roc_mcs *mcs,
 				     struct roc_mcs_sa_plcy_write_req *sa_plcy);
 
+/* PN Table read and write */
+__roc_api int roc_mcs_pn_table_write(struct roc_mcs *mcs,
+				     struct roc_mcs_pn_table_write_req *pn_table);
+__roc_api int roc_mcs_pn_table_read(struct roc_mcs *mcs,
+				    struct roc_mcs_pn_table_write_req *pn_table);
+
 /* RX SC read, write and enable */
 __roc_api int roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs,
 				      struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam);
diff --git a/drivers/common/cnxk/roc_mcs_sec_cfg.c b/drivers/common/cnxk/roc_mcs_sec_cfg.c
index 44b4919bbc..7b3a4c91e8 100644
--- a/drivers/common/cnxk/roc_mcs_sec_cfg.c
+++ b/drivers/common/cnxk/roc_mcs_sec_cfg.c
@@ -210,6 +210,37 @@ roc_mcs_sa_policy_read(struct roc_mcs *mcs __plt_unused,
 	return -ENOTSUP;
 }
 
+int
+roc_mcs_pn_table_write(struct roc_mcs *mcs, struct roc_mcs_pn_table_write_req *pn_table)
+{
+	struct mcs_pn_table_write_req *pn;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (pn_table == NULL)
+		return -EINVAL;
+
+	pn = mbox_alloc_msg_mcs_pn_table_write(mcs->mbox);
+	if (pn == NULL)
+		return -ENOMEM;
+
+	pn->next_pn = pn_table->next_pn;
+	pn->pn_id = pn_table->pn_id;
+	pn->mcs_id = mcs->idx;
+	pn->dir = pn_table->dir;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_pn_table_read(struct roc_mcs *mcs __plt_unused,
+		      struct roc_mcs_pn_table_write_req *sa __plt_unused)
+{
+	MCS_SUPPORT_CHECK;
+
+	return -ENOTSUP;
+}
 
 int
 roc_mcs_rx_sc_cam_write(struct roc_mcs *mcs, struct roc_mcs_rx_sc_cam_write_req *rx_sc_cam)
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 3d9da3b187..0591747961 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -135,6 +135,7 @@ INTERNAL {
 	roc_se_auth_key_set;
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
+	roc_mcs_active_lmac_set;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
@@ -142,6 +143,10 @@ INTERNAL {
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_hw_info_get;
+	roc_mcs_lmac_mode_set;
+	roc_mcs_pn_table_write;
+	roc_mcs_pn_table_read;
+	roc_mcs_pn_threshold_set;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
 	roc_mcs_rx_sc_cam_enable;
-- 
2.25.1

[PATCH v5 06/15] common/cnxk: add MACsec stats

[Akhil Goyal]

Added ROC APIs for MACsec stats for SC/SECY/FLOW/PORT

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/meson.build     |   1 +
 drivers/common/cnxk/roc_mbox.h      |  93 ++++++++++++++
 drivers/common/cnxk/roc_mcs.h       |  85 ++++++++++++
 drivers/common/cnxk/roc_mcs_stats.c | 193 ++++++++++++++++++++++++++++
 drivers/common/cnxk/version.map     |   5 +
 5 files changed, 377 insertions(+)
 create mode 100644 drivers/common/cnxk/roc_mcs_stats.c

diff --git a/drivers/common/cnxk/meson.build b/drivers/common/cnxk/meson.build
index 589baf74fe..79e10bac74 100644
--- a/drivers/common/cnxk/meson.build
+++ b/drivers/common/cnxk/meson.build
@@ -28,6 +28,7 @@ sources = files(
         'roc_mbox.c',
         'roc_mcs.c',
         'roc_mcs_sec_cfg.c',
+        'roc_mcs_stats.c',
         'roc_ml.c',
         'roc_model.c',
         'roc_nix.c',
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 62c5c3a3ce..3f3a6aadc8 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -311,6 +311,11 @@ struct mbox_msghdr {
 	M(MCS_PN_TABLE_WRITE, 0xa009, mcs_pn_table_write, mcs_pn_table_write_req, msg_rsp)         \
 	M(MCS_SET_ACTIVE_LMAC, 0xa00a, mcs_set_active_lmac, mcs_set_active_lmac, msg_rsp)          \
 	M(MCS_GET_HW_INFO, 0xa00b, mcs_get_hw_info, msg_req, mcs_hw_info)                          \
+	M(MCS_GET_FLOWID_STATS, 0xa00c, mcs_get_flowid_stats, mcs_stats_req, mcs_flowid_stats)     \
+	M(MCS_GET_SECY_STATS, 0xa00d, mcs_get_secy_stats, mcs_stats_req, mcs_secy_stats)           \
+	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
+	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
+	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -879,6 +884,94 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_stats_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_flowid_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_hit_cnt;
+	uint64_t __io rsvd;
+};
+
+struct mcs_secy_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl_pkt_bcast_cnt;
+	uint64_t __io ctl_pkt_mcast_cnt;
+	uint64_t __io ctl_pkt_ucast_cnt;
+	uint64_t __io ctl_octet_cnt;
+	uint64_t __io unctl_pkt_bcast_cnt;
+	uint64_t __io unctl_pkt_mcast_cnt;
+	uint64_t __io unctl_pkt_ucast_cnt;
+	uint64_t __io unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t __io octet_decrypted_cnt;
+	uint64_t __io octet_validated_cnt;
+	uint64_t __io pkt_port_disabled_cnt;
+	uint64_t __io pkt_badtag_cnt;
+	uint64_t __io pkt_nosa_cnt;
+	uint64_t __io pkt_nosaerror_cnt;
+	uint64_t __io pkt_tagged_ctl_cnt;
+	uint64_t __io pkt_untaged_cnt;
+	uint64_t __io pkt_ctl_cnt;   /* CN10K-B */
+	uint64_t __io pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t __io octet_encrypted_cnt;
+	uint64_t __io octet_protected_cnt;
+	uint64_t __io pkt_noactivesa_cnt;
+	uint64_t __io pkt_toolong_cnt;
+	uint64_t __io pkt_untagged_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_port_stats {
+	struct mbox_msghdr hdr;
+	uint64_t __io tcam_miss_cnt;
+	uint64_t __io parser_err_cnt;
+	uint64_t __io preempt_err_cnt; /* CNF10K-B */
+	uint64_t __io sectag_insert_err_cnt;
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_sc_stats {
+	struct mbox_msghdr hdr;
+	/* RX */
+	uint64_t __io hit_cnt;
+	uint64_t __io pkt_invalid_cnt;
+	uint64_t __io pkt_late_cnt;
+	uint64_t __io pkt_notvalid_cnt;
+	uint64_t __io pkt_unchecked_cnt;
+	uint64_t __io pkt_delay_cnt;	  /* CNF10K-B */
+	uint64_t __io pkt_ok_cnt;	  /* CNF10K-B */
+	uint64_t __io octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t __io octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t __io pkt_encrypt_cnt;
+	uint64_t __io pkt_protected_cnt;
+	uint64_t __io octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t __io octet_protected_cnt; /* CN10K-B */
+	uint64_t __io rsvd[4];
+};
+
+struct mcs_clear_stats {
+	struct mbox_msghdr hdr;
+#define MCS_FLOWID_STATS 0
+#define MCS_SECY_STATS	 1
+#define MCS_SC_STATS	 2
+#define MCS_SA_STATS	 3
+#define MCS_PORT_STATS	 4
+	uint8_t __io type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t __io id;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* All resources stats mapped to PF are cleared */
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 94969e14f1..16937eb4bf 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -135,6 +135,76 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_stats_req {
+	uint8_t id;
+	uint8_t dir;
+};
+
+struct roc_mcs_flowid_stats {
+	uint64_t tcam_hit_cnt;
+};
+
+struct roc_mcs_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;	/* CN10K-B */
+	uint64_t pkt_notag_cnt; /* CNF10K-B */
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct roc_mcs_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;	     /* CNF10K-B */
+	uint64_t pkt_ok_cnt;	     /* CNF10K-B */
+	uint64_t octet_decrypt_cnt;  /* CN10K-B */
+	uint64_t octet_validate_cnt; /* CN10K-B */
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;   /* CN10K-B */
+	uint64_t octet_protected_cnt; /* CN10K-B */
+};
+
+struct roc_mcs_port_stats {
+	uint64_t tcam_miss_cnt;
+	uint64_t parser_err_cnt;
+	uint64_t preempt_err_cnt; /* CNF10K-B */
+	uint64_t sectag_insert_err_cnt;
+};
+
+struct roc_mcs_clear_stats {
+	uint8_t type; /* FLOWID, SECY, SC, SA, PORT */
+	/* type = PORT, If id = FF(invalid) port no is derived from pcifunc */
+	uint8_t id;
+	uint8_t dir;
+	uint8_t all; /* All resources stats mapped to PF are cleared */
+};
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -210,4 +280,19 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Flow id stats get */
+__roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				       struct roc_mcs_flowid_stats *stats);
+/* Secy stats get */
+__roc_api int roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_secy_stats *stats);
+/* SC stats get */
+__roc_api int roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				   struct roc_mcs_sc_stats *stats);
+/* Port stats get */
+__roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+				     struct roc_mcs_port_stats *stats);
+/* Clear stats */
+__roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
+
 #endif /* ROC_MCS_H */
diff --git a/drivers/common/cnxk/roc_mcs_stats.c b/drivers/common/cnxk/roc_mcs_stats.c
new file mode 100644
index 0000000000..cac611959d
--- /dev/null
+++ b/drivers/common/cnxk/roc_mcs_stats.c
@@ -0,0 +1,193 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include "roc_api.h"
+#include "roc_priv.h"
+
+int
+roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+			 struct roc_mcs_flowid_stats *stats)
+{
+	struct mcs_flowid_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_flowid_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_hit_cnt = rsp->tcam_hit_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_secy_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_secy_stats *stats)
+{
+	struct mcs_secy_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_secy_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->ctl_pkt_bcast_cnt = rsp->ctl_pkt_bcast_cnt;
+	stats->ctl_pkt_mcast_cnt = rsp->ctl_pkt_mcast_cnt;
+	stats->ctl_pkt_ucast_cnt = rsp->ctl_pkt_ucast_cnt;
+	stats->ctl_octet_cnt = rsp->ctl_octet_cnt;
+	stats->unctl_pkt_bcast_cnt = rsp->unctl_pkt_bcast_cnt;
+	stats->unctl_pkt_mcast_cnt = rsp->unctl_pkt_mcast_cnt;
+	stats->unctl_pkt_ucast_cnt = rsp->unctl_pkt_ucast_cnt;
+	stats->unctl_octet_cnt = rsp->unctl_octet_cnt;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->octet_decrypted_cnt = rsp->octet_decrypted_cnt;
+		stats->octet_validated_cnt = rsp->octet_validated_cnt;
+		stats->pkt_port_disabled_cnt = rsp->pkt_port_disabled_cnt;
+		stats->pkt_badtag_cnt = rsp->pkt_badtag_cnt;
+		stats->pkt_nosa_cnt = rsp->pkt_nosa_cnt;
+		stats->pkt_nosaerror_cnt = rsp->pkt_nosaerror_cnt;
+		stats->pkt_tagged_ctl_cnt = rsp->pkt_tagged_ctl_cnt;
+		stats->pkt_untaged_cnt = rsp->pkt_untaged_cnt;
+		if (roc_model_is_cn10kb_a0())
+			/* CN10K-B */
+			stats->pkt_ctl_cnt = rsp->pkt_ctl_cnt;
+		else
+			/* CNF10K-B */
+			stats->pkt_notag_cnt = rsp->pkt_notag_cnt;
+	} else {
+		stats->octet_encrypted_cnt = rsp->octet_encrypted_cnt;
+		stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		stats->pkt_noactivesa_cnt = rsp->pkt_noactivesa_cnt;
+		stats->pkt_toolong_cnt = rsp->pkt_toolong_cnt;
+		stats->pkt_untagged_cnt = rsp->pkt_untagged_cnt;
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_sc_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		     struct roc_mcs_sc_stats *stats)
+{
+	struct mcs_stats_req *req;
+	struct mcs_sc_stats *rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_sc_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	if (mcs_req->dir == MCS_RX) {
+		stats->hit_cnt = rsp->hit_cnt;
+		stats->pkt_invalid_cnt = rsp->pkt_invalid_cnt;
+		stats->pkt_late_cnt = rsp->pkt_late_cnt;
+		stats->pkt_notvalid_cnt = rsp->pkt_notvalid_cnt;
+		stats->pkt_unchecked_cnt = rsp->pkt_unchecked_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_decrypt_cnt = rsp->octet_decrypt_cnt;
+			stats->octet_validate_cnt = rsp->octet_validate_cnt;
+		} else {
+			stats->pkt_delay_cnt = rsp->pkt_delay_cnt;
+			stats->pkt_ok_cnt = rsp->pkt_ok_cnt;
+		}
+	} else {
+		stats->pkt_encrypt_cnt = rsp->pkt_encrypt_cnt;
+		stats->pkt_protected_cnt = rsp->pkt_protected_cnt;
+		if (roc_model_is_cn10kb_a0()) {
+			stats->octet_encrypt_cnt = rsp->octet_encrypt_cnt;
+			stats->octet_protected_cnt = rsp->octet_protected_cnt;
+		}
+	}
+
+	return rc;
+}
+
+int
+roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
+		       struct roc_mcs_port_stats *stats)
+{
+	struct mcs_port_stats *rsp;
+	struct mcs_stats_req *req;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_get_port_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rsp);
+	if (rc)
+		return rc;
+
+	stats->tcam_miss_cnt = rsp->tcam_miss_cnt;
+	stats->parser_err_cnt = rsp->parser_err_cnt;
+	if (roc_model_is_cnf10kb())
+		stats->preempt_err_cnt = rsp->preempt_err_cnt;
+
+	stats->sectag_insert_err_cnt = rsp->sectag_insert_err_cnt;
+
+	return rc;
+}
+
+int
+roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req)
+{
+	struct mcs_clear_stats *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (!roc_model_is_cn10kb_a0() && mcs_req->type == MCS_SA_STATS)
+		return MCS_ERR_HW_NOTSUP;
+
+	req = mbox_alloc_msg_mcs_clear_stats(mcs->mbox);
+	if (req == NULL)
+		return -ENOSPC;
+
+	req->type = mcs_req->type;
+	req->id = mcs_req->id;
+	req->mcs_id = mcs->idx;
+	req->dir = mcs_req->dir;
+	req->all = mcs_req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 0591747961..d8890e3538 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -142,11 +142,13 @@ INTERNAL {
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
+	roc_mcs_flowid_stats_get;
 	roc_mcs_hw_info_get;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_stats_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
 	roc_mcs_rx_sc_cam_enable;
@@ -156,8 +158,11 @@ INTERNAL {
 	roc_mcs_rx_sc_sa_map_write;
 	roc_mcs_sa_policy_read;
 	roc_mcs_sa_policy_write;
+	roc_mcs_sc_stats_get;
 	roc_mcs_secy_policy_read;
 	roc_mcs_secy_policy_write;
+	roc_mcs_secy_stats_get;
+	roc_mcs_stats_clear;
 	roc_mcs_tx_sc_sa_map_read;
 	roc_mcs_tx_sc_sa_map_write;
 	roc_nix_bpf_alloc;
-- 
2.25.1

[PATCH v5 07/15] common/cnxk: add MACsec interrupt APIs

[Akhil Goyal]

Added ROC APIs to support various MACsec interrupts.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_dev.c      |  86 +++++++++++++++++
 drivers/common/cnxk/roc_mbox.h     |  37 +++++++-
 drivers/common/cnxk/roc_mcs.c      | 117 +++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h      | 144 +++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs_priv.h |   8 ++
 drivers/common/cnxk/version.map    |   3 +
 6 files changed, 394 insertions(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/roc_dev.c b/drivers/common/cnxk/roc_dev.c
index 571679c968..4b0ba218ed 100644
--- a/drivers/common/cnxk/roc_dev.c
+++ b/drivers/common/cnxk/roc_dev.c
@@ -527,6 +527,91 @@ pf_vf_mbox_send_up_msg(struct dev *dev, void *rec_msg)
 	}
 }
 
+static int
+mbox_up_handler_mcs_intr_notify(struct dev *dev, struct mcs_intr_info *info, struct msg_rsp *rsp)
+{
+	struct roc_mcs_event_desc desc = {0};
+	struct roc_mcs *mcs;
+
+	plt_base_dbg("pf:%d/vf:%d msg id 0x%x (%s) from: pf:%d/vf:%d", dev_get_pf(dev->pf_func),
+		     dev_get_vf(dev->pf_func), info->hdr.id, mbox_id2name(info->hdr.id),
+		     dev_get_pf(info->hdr.pcifunc), dev_get_vf(info->hdr.pcifunc));
+
+	mcs = roc_idev_mcs_get(info->mcs_id);
+	if (!mcs)
+		goto exit;
+
+	if (info->intr_mask) {
+		switch (info->intr_mask) {
+		case MCS_CPM_RX_SECTAG_V_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_V_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SL_GTE48_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SL_GTE48;
+			break;
+		case MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT:
+			desc.type = ROC_MCS_EVENT_SECTAG_VAL_ERR;
+			desc.subtype = ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		case MCS_CPM_RX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_RX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PACKET_XPN_EQ0_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_HARD_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_PN_THRESH_REACHED_INT:
+			desc.type = ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP;
+			desc.metadata.sa_idx = info->sa_id;
+			break;
+		case MCS_CPM_TX_SA_NOT_VALID_INT:
+			desc.type = ROC_MCS_EVENT_SA_NOT_VALID;
+			break;
+		case MCS_BBE_RX_DFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_DFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_DATA_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_BBE_RX_PLFIFO_OVERFLOW_INT:
+		case MCS_BBE_TX_PLFIFO_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		case MCS_PAB_RX_CHAN_OVERFLOW_INT:
+		case MCS_PAB_TX_CHAN_OVERFLOW_INT:
+			desc.type = ROC_MCS_EVENT_FIFO_OVERFLOW;
+			desc.subtype = ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW;
+			desc.metadata.lmac_id = info->lmac_id;
+			break;
+		default:
+			goto exit;
+		}
+
+		mcs_event_cb_process(mcs, &desc);
+	}
+
+exit:
+	rsp->hdr.rc = 0;
+	return 0;
+}
+
 static int
 mbox_up_handler_cgx_link_event(struct dev *dev, struct cgx_link_info_msg *msg,
 			       struct msg_rsp *rsp)
@@ -615,6 +700,7 @@ mbox_process_msgs_up(struct dev *dev, struct mbox_msghdr *req)
 		return err;                                                    \
 	}
 		MBOX_UP_CGX_MESSAGES
+		MBOX_UP_MCS_MESSAGES
 #undef M
 	}
 
diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 3f3a6aadc8..d964ba9f9d 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -316,6 +316,7 @@ struct mbox_msghdr {
 	M(MCS_GET_SC_STATS, 0xa00e, mcs_get_sc_stats, mcs_stats_req, mcs_sc_stats)                 \
 	M(MCS_GET_PORT_STATS, 0xa010, mcs_get_port_stats, mcs_stats_req, mcs_port_stats)           \
 	M(MCS_CLEAR_STATS, 0xa011, mcs_clear_stats, mcs_clear_stats, msg_rsp)                      \
+	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
 
@@ -324,9 +325,11 @@ struct mbox_msghdr {
 	M(CGX_LINK_EVENT, 0xC00, cgx_link_event, cgx_link_info_msg, msg_rsp)   \
 	M(CGX_PTP_RX_INFO, 0xC01, cgx_ptp_rx_info, cgx_ptp_rx_info_msg, msg_rsp)
 
+#define MBOX_UP_MCS_MESSAGES M(MCS_INTR_NOTIFY, 0xE00, mcs_intr_notify, mcs_intr_info, msg_rsp)
+
 enum {
 #define M(_name, _id, _1, _2, _3) MBOX_MSG_##_name = _id,
-	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES
+	MBOX_MESSAGES MBOX_UP_CGX_MESSAGES MBOX_UP_MCS_MESSAGES
 #undef M
 };
 
@@ -867,6 +870,38 @@ struct mcs_set_active_lmac {
 	uint64_t __io rsvd;
 };
 
+#define MCS_CPM_RX_SECTAG_V_EQ1_INT	     BIT_ULL(0)
+#define MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT    BIT_ULL(1)
+#define MCS_CPM_RX_SECTAG_SL_GTE48_INT	     BIT_ULL(2)
+#define MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT  BIT_ULL(3)
+#define MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define MCS_CPM_RX_PACKET_XPN_EQ0_INT	     BIT_ULL(5)
+#define MCS_CPM_RX_PN_THRESH_REACHED_INT     BIT_ULL(6)
+#define MCS_CPM_TX_PACKET_XPN_EQ0_INT	     BIT_ULL(7)
+#define MCS_CPM_TX_PN_THRESH_REACHED_INT     BIT_ULL(8)
+#define MCS_CPM_TX_SA_NOT_VALID_INT	     BIT_ULL(9)
+#define MCS_BBE_RX_DFIFO_OVERFLOW_INT	     BIT_ULL(10)
+#define MCS_BBE_RX_PLFIFO_OVERFLOW_INT	     BIT_ULL(11)
+#define MCS_BBE_TX_DFIFO_OVERFLOW_INT	     BIT_ULL(12)
+#define MCS_BBE_TX_PLFIFO_OVERFLOW_INT	     BIT_ULL(13)
+#define MCS_PAB_RX_CHAN_OVERFLOW_INT	     BIT_ULL(14)
+#define MCS_PAB_TX_CHAN_OVERFLOW_INT	     BIT_ULL(15)
+
+struct mcs_intr_cfg {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask; /* Interrupt enable mask */
+	uint8_t __io mcs_id;
+};
+
+struct mcs_intr_info {
+	struct mbox_msghdr hdr;
+	uint64_t __io intr_mask;
+	int __io sa_id;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_set_lmac_mode {
 	struct mbox_msghdr hdr;
 	uint8_t __io mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 966e5be247..d33cc2bafc 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -5,6 +5,18 @@
 #include "roc_api.h"
 #include "roc_priv.h"
 
+struct mcs_event_cb {
+	TAILQ_ENTRY(mcs_event_cb) next;
+	enum roc_mcs_event_type event;
+	roc_mcs_dev_cb_fn cb_fn;
+	void *cb_arg;
+	void *ret_param;
+	uint32_t active;
+};
+TAILQ_HEAD(mcs_event_cb_list, mcs_event_cb);
+
+PLT_STATIC_ASSERT(ROC_MCS_MEM_SZ >= (sizeof(struct mcs_priv) + sizeof(struct mcs_event_cb_list)));
+
 int
 roc_mcs_hw_info_get(struct roc_mcs_hw_info *hw_info)
 {
@@ -109,6 +121,107 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
+{
+	struct mcs_intr_cfg *req;
+	struct msg_rsp *rsp;
+
+	if (config == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_intr_cfg(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->intr_mask = config->intr_mask;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb;
+
+	if (cb_fn == NULL || cb_arg == NULL || userdata == NULL)
+		return -EINVAL;
+
+	MCS_SUPPORT_CHECK;
+
+	TAILQ_FOREACH(cb, cb_list, next) {
+		if (cb->cb_fn == cb_fn && cb->cb_arg == cb_arg && cb->event == event)
+			break;
+	}
+
+	if (cb == NULL) {
+		cb = plt_zmalloc(sizeof(struct mcs_event_cb), 0);
+		if (!cb)
+			return -ENOMEM;
+
+		cb->cb_fn = cb_fn;
+		cb->cb_arg = cb_arg;
+		cb->event = event;
+		mcs->userdata = userdata;
+		TAILQ_INSERT_TAIL(cb_list, cb, next);
+	}
+
+	return 0;
+}
+
+int
+roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb *cb, *next;
+
+	MCS_SUPPORT_CHECK;
+
+	for (cb = TAILQ_FIRST(cb_list); cb != NULL; cb = next) {
+		next = TAILQ_NEXT(cb, next);
+
+		if (cb->event != event)
+			continue;
+
+		if (cb->active == 0) {
+			TAILQ_REMOVE(cb_list, cb, next);
+			plt_free(cb);
+		} else {
+			return -EAGAIN;
+		}
+	}
+
+	return 0;
+}
+
+int
+mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc)
+{
+	struct mcs_event_cb_list *cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	struct mcs_event_cb mcs_cb;
+	struct mcs_event_cb *cb;
+	int rc = 0;
+
+	TAILQ_FOREACH(cb, cb_list, next) {
+		if (cb->cb_fn == NULL || cb->event != desc->type)
+			continue;
+
+		mcs_cb = *cb;
+		cb->active = 1;
+		mcs_cb.ret_param = desc;
+
+		rc = mcs_cb.cb_fn(mcs->userdata, mcs_cb.ret_param, mcs_cb.cb_arg);
+		cb->active = 0;
+	}
+
+	return rc;
+}
+
 static int
 mcs_alloc_bmap(uint16_t entries, void **mem, struct plt_bitmap **bmap)
 {
@@ -227,6 +340,7 @@ mcs_alloc_rsrc_bmap(struct roc_mcs *mcs)
 struct roc_mcs *
 roc_mcs_dev_init(uint8_t mcs_idx)
 {
+	struct mcs_event_cb_list *cb_list;
 	struct roc_mcs *mcs;
 	struct npa_lf *npa;
 
@@ -255,6 +369,9 @@ roc_mcs_dev_init(uint8_t mcs_idx)
 	if (mcs_alloc_rsrc_bmap(mcs))
 		goto exit;
 
+	cb_list = (struct mcs_event_cb_list *)roc_mcs_to_mcs_cb_list(mcs);
+	TAILQ_INIT(cb_list);
+
 	roc_idev_mcs_set(mcs);
 	mcs->refcount++;
 
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 16937eb4bf..0044ccefb7 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -116,6 +116,34 @@ struct roc_mcs_hw_info {
 	uint64_t rsvd[16];
 };
 
+#define ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT		 BIT_ULL(0)
+#define ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT	 BIT_ULL(1)
+#define ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT	 BIT_ULL(2)
+#define ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT	 BIT_ULL(3)
+#define ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT BIT_ULL(4)
+#define ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT	 BIT_ULL(5)
+#define ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT	 BIT_ULL(6)
+#define ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT	 BIT_ULL(7)
+#define ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT	 BIT_ULL(8)
+#define ROC_MCS_CPM_TX_SA_NOT_VALID_INT		 BIT_ULL(9)
+#define ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT	 BIT_ULL(10)
+#define ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT	 BIT_ULL(11)
+#define ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT	 BIT_ULL(12)
+#define ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT	 BIT_ULL(13)
+#define ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT	 BIT_ULL(14)
+#define ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT	 BIT_ULL(15)
+
+struct roc_mcs_intr_cfg {
+	uint64_t intr_mask; /* Interrupt enable mask */
+};
+
+struct roc_mcs_intr_info {
+	uint64_t intr_mask;
+	int sa_id;
+	uint8_t lmac_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_set_lmac_mode {
 	uint8_t mode; /* '1' for internal bypass mode (passthrough), '0' for MCS processing */
 	uint8_t lmac_id;
@@ -205,6 +233,113 @@ struct roc_mcs_clear_stats {
 	uint8_t all; /* All resources stats mapped to PF are cleared */
 };
 
+enum roc_mcs_event_subtype {
+	ROC_MCS_SUBEVENT_UNKNOWN,
+
+	/* subevents of ROC_MCS_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * ROC_MCS_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	ROC_MCS_EVENT_RX_SECTAG_V_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SL_GTE48,
+	ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+
+	/* subevents of ROC_MCS_EVENT_FIFO_OVERFLOW error event
+	 * ROC_MCS_EVENT_DATA_FIFO_OVERFLOW:
+	 *	Notifies data FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW
+	 *	Notifies policy FIFO overflow fatal error in BBE unit.
+	 * ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+	 *	Notifies output FIFO overflow fatal error in PAB unit.
+	 */
+	ROC_MCS_EVENT_DATA_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_POLICY_FIFO_OVERFLOW,
+	ROC_MCS_EVENT_PKT_ASSM_FIFO_OVERFLOW,
+};
+
+enum roc_mcs_event_type {
+	ROC_MCS_EVENT_UNKNOWN,
+
+	/* Notifies BBE_INT_DFIFO/PLFIFO_OVERFLOW or PAB_INT_OVERFLOW
+	 * interrupts, it's a fatal error that causes packet corruption.
+	 */
+	ROC_MCS_EVENT_FIFO_OVERFLOW,
+
+	/* Notifies CPM_RX_SECTAG_X validation error interrupt */
+	ROC_MCS_EVENT_SECTAG_VAL_ERR,
+	/* Notifies CPM_RX_PACKET_XPN_EQ0 (SecTag.PN == 0 in ingress) interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_HARD_EXP,
+	/* Notifies CPM_RX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_PACKET_XPN_EQ0 (PN wrapped in egress) interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_HARD_EXP,
+	/* Notifies CPM_TX_PN_THRESH_REACHED interrupt */
+	ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies CPM_TX_SA_NOT_VALID interrupt */
+	ROC_MCS_EVENT_SA_NOT_VALID,
+	/* Notifies recovery of software driven port reset */
+	ROC_MCS_EVENT_PORT_RESET_RECOVERY,
+};
+
+union roc_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, ROC driver resets below attributes of active
+	 * flow entities(sc & sa) and than resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  ROC driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct roc_mcs_event_desc {
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	union roc_mcs_event_data metadata;
+};
+
+/** User application callback to be registered for any notifications from driver. */
+typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
+
 struct roc_mcs {
 	TAILQ_ENTRY(roc_mcs) next;
 	struct plt_pci_device *pci_dev;
@@ -295,4 +430,13 @@ __roc_api int roc_mcs_port_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_r
 /* Clear stats */
 __roc_api int roc_mcs_stats_clear(struct roc_mcs *mcs, struct roc_mcs_clear_stats *mcs_req);
 
+/* Register user callback routines */
+__roc_api int roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
+					roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata);
+/* Unregister user callback routines */
+__roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_event_type event);
+
+/* Configure interrupts */
+__roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
+
 #endif /* ROC_MCS_H */
diff --git a/drivers/common/cnxk/roc_mcs_priv.h b/drivers/common/cnxk/roc_mcs_priv.h
index 17a60509ca..4289aa6968 100644
--- a/drivers/common/cnxk/roc_mcs_priv.h
+++ b/drivers/common/cnxk/roc_mcs_priv.h
@@ -62,4 +62,12 @@ roc_mcs_to_mcs_priv(struct roc_mcs *roc_mcs)
 	return (struct mcs_priv *)&roc_mcs->reserved[0];
 }
 
+static inline void *
+roc_mcs_to_mcs_cb_list(struct roc_mcs *roc_mcs)
+{
+	return (void *)((uintptr_t)roc_mcs->reserved + sizeof(struct mcs_priv));
+}
+
+int mcs_event_cb_process(struct roc_mcs *mcs, struct roc_mcs_event_desc *desc);
+
 #endif /* _ROC_MCS_PRIV_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index d8890e3538..d10dfcd84e 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -139,11 +139,14 @@ INTERNAL {
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
+	roc_mcs_event_cb_register;
+	roc_mcs_event_cb_unregister;
 	roc_mcs_flowid_entry_enable;
 	roc_mcs_flowid_entry_read;
 	roc_mcs_flowid_entry_write;
 	roc_mcs_flowid_stats_get;
 	roc_mcs_hw_info_get;
+	roc_mcs_intr_configure;
 	roc_mcs_lmac_mode_set;
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
-- 
2.25.1

[PATCH v5 08/15] common/cnxk: add MACsec port configuration

[Akhil Goyal]

Added ROC APIs for MACsec port configurations

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  40 ++++
 drivers/common/cnxk/roc_mcs.c   | 346 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  48 +++++
 drivers/common/cnxk/version.map |   4 +
 4 files changed, 438 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index d964ba9f9d..d7c0385a8b 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -319,6 +319,9 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
+	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
+	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -919,6 +922,43 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+struct mcs_port_cfg_set_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io cstm_tag_rel_mode_sel;
+	uint8_t __io custom_hdr_enb;
+	uint8_t __io fifo_skid;
+	uint8_t __io lmac_mode;
+	uint8_t __io lmac_id;
+	uint8_t __io mcs_id;
+	uint64_t __io rsvd;
+};
+
+struct mcs_port_reset_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io reset;
+	uint8_t __io mcs_id;
+	uint8_t __io lmac_id;
+	uint64_t __io rsvd;
+};
+
 struct mcs_stats_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io id;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index d33cc2bafc..2ae3dc0695 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -76,6 +76,25 @@ roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_active_lmac *lma
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+static int
+mcs_port_reset_set(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port, uint8_t reset)
+{
+	struct mcs_port_reset_req *req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	req = mbox_alloc_msg_mcs_port_reset(mcs->mbox);
+	if (req == NULL)
+		return -ENOMEM;
+
+	req->reset = reset;
+	req->lmac_id = port->port_id;
+	req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port)
 {
@@ -121,6 +140,64 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
+{
+	struct mcs_port_cfg_set_req *set_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	set_req = mbox_alloc_msg_mcs_port_cfg_set(mcs->mbox);
+	if (set_req == NULL)
+		return -ENOMEM;
+
+	set_req->cstm_tag_rel_mode_sel = req->cstm_tag_rel_mode_sel;
+	set_req->custom_hdr_enb = req->custom_hdr_enb;
+	set_req->fifo_skid = req->fifo_skid;
+	set_req->lmac_mode = req->port_mode;
+	set_req->lmac_id = req->port_id;
+	set_req->mcs_id = mcs->idx;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+		     struct roc_mcs_port_cfg_get_rsp *rsp)
+{
+	struct mcs_port_cfg_get_req *get_req;
+	struct mcs_port_cfg_get_rsp *get_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_port_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->lmac_id = req->port_id;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	rsp->cstm_tag_rel_mode_sel = get_rsp->cstm_tag_rel_mode_sel;
+	rsp->custom_hdr_enb = get_rsp->custom_hdr_enb;
+	rsp->fifo_skid = get_rsp->fifo_skid;
+	rsp->port_mode = get_rsp->lmac_mode;
+	rsp->port_id = get_rsp->lmac_id;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
@@ -142,6 +219,275 @@ roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata, uint8_t port_id)
+{
+	struct mcs_priv *priv = roc_mcs_to_mcs_priv(mcs);
+	struct roc_mcs_pn_table_write_req pn_table = {0};
+	struct roc_mcs_rx_sc_sa_map rx_map = {0};
+	struct roc_mcs_tx_sc_sa_map tx_map = {0};
+	struct roc_mcs_port_reset_req port = {0};
+	struct roc_mcs_clear_stats stats = {0};
+	int tx_cnt = 0, rx_cnt = 0, rc = 0;
+	uint64_t set;
+	int i;
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 1);
+
+	/* Reset TX/RX PN tables */
+	for (i = 0; i < (priv->sa_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+		if (set) {
+			pn_table.pn_id = i;
+			pn_table.next_pn = 1;
+			pn_table.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				pn_table.dir = MCS_TX;
+				pn_table.pn_id -= priv->sa_entries;
+			}
+			rc = roc_mcs_pn_table_write(mcs, &pn_table);
+			if (rc)
+				return rc;
+
+			if (i >= priv->sa_entries)
+				tx_cnt++;
+			else
+				rx_cnt++;
+		}
+	}
+
+	if (tx_cnt || rx_cnt) {
+		mdata->tx_sa_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->rx_sa_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (rx_cnt && (mdata->rx_sa_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sa = tx_cnt;
+		mdata->num_rx_sa = rx_cnt;
+		for (i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				if (i >= priv->sa_entries)
+					mdata->tx_sa_array[--tx_cnt] = i - priv->sa_entries;
+				else
+					mdata->rx_sa_array[--rx_cnt] = i;
+			}
+		}
+	}
+	tx_cnt = 0;
+	rx_cnt = 0;
+
+	/* Reset Tx active SA to index:0 */
+	for (i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			uint16_t sc_id = i - priv->sc_entries;
+
+			tx_map.sa_index0 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx0;
+			tx_map.sa_index1 = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sa_idx1;
+			tx_map.rekey_ena = priv->port_rsrc[port_id].sc_conf[sc_id].tx.rekey_enb;
+			tx_map.sectag_sci = priv->port_rsrc[port_id].sc_conf[sc_id].tx.sci;
+			tx_map.sa_index0_vld = 1;
+			tx_map.sa_index1_vld = 0;
+			tx_map.tx_sa_active = 0;
+			tx_map.sc_id = sc_id;
+			rc = roc_mcs_tx_sc_sa_map_write(mcs, &tx_map);
+			if (rc)
+				return rc;
+
+			tx_cnt++;
+		}
+	}
+
+	if (tx_cnt) {
+		mdata->tx_sc_array = plt_zmalloc(tx_cnt * sizeof(uint16_t), 0);
+		if (tx_cnt && (mdata->tx_sc_array == NULL)) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_tx_sc = tx_cnt;
+		for (i = priv->sc_entries; i < (priv->sc_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+			if (set)
+				mdata->tx_sc_array[--tx_cnt] = i - priv->sc_entries;
+		}
+	}
+
+	/* Clear SA_IN_USE for active ANs in RX CPM */
+	for (i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 0;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			rx_cnt++;
+		}
+	}
+
+	/* Reset flow(flow/secy/sc/sa) stats mapped to this PORT */
+	for (i = 0; i < (priv->tcam_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].tcam_bmap, i);
+		if (set) {
+			stats.type = MCS_FLOWID_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->tcam_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (i = 0; i < (priv->secy_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].secy_bmap, i);
+		if (set) {
+			stats.type = MCS_SECY_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->secy_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	for (i = 0; i < (priv->sc_entries << 1); i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			stats.type = MCS_SC_STATS;
+			stats.id = i;
+			stats.dir = MCS_RX;
+			if (i >= priv->sa_entries) {
+				stats.dir = MCS_TX;
+				stats.id -= priv->sc_entries;
+			}
+			rc = roc_mcs_stats_clear(mcs, &stats);
+			if (rc)
+				return rc;
+		}
+	}
+	if (roc_model_is_cn10kb_a0()) {
+		for (i = 0; i < (priv->sa_entries << 1); i++) {
+			set = plt_bitmap_get(priv->port_rsrc[port_id].sa_bmap, i);
+			if (set) {
+				stats.type = MCS_SA_STATS;
+				stats.id = i;
+				stats.dir = MCS_RX;
+				if (i >= priv->sa_entries) {
+					stats.dir = MCS_TX;
+					stats.id -= priv->sa_entries;
+				}
+				rc = roc_mcs_stats_clear(mcs, &stats);
+				if (rc)
+					return rc;
+			}
+		}
+	}
+	{
+		stats.type = MCS_PORT_STATS;
+		stats.id = port_id;
+		rc = roc_mcs_stats_clear(mcs, &stats);
+		if (rc)
+			return rc;
+	}
+
+	if (rx_cnt) {
+		mdata->rx_sc_array = plt_zmalloc(rx_cnt * sizeof(uint16_t), 0);
+		if (mdata->rx_sc_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+		mdata->sc_an_array = plt_zmalloc(rx_cnt * sizeof(uint8_t), 0);
+		if (mdata->sc_an_array == NULL) {
+			rc = -ENOMEM;
+			goto exit;
+		}
+
+		mdata->num_rx_sc = rx_cnt;
+	}
+
+	/* Reactivate in-use ANs for active SCs in RX CPM */
+	for (i = 0; i < priv->sc_entries; i++) {
+		set = plt_bitmap_get(priv->port_rsrc[port_id].sc_bmap, i);
+		if (set) {
+			rx_map.sa_index = priv->port_rsrc[port_id].sc_conf[i].rx.sa_idx;
+			rx_map.an = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+			rx_map.sa_in_use = 1;
+			rx_map.sc_id = i;
+			rc = roc_mcs_rx_sc_sa_map_write(mcs, &rx_map);
+			if (rc)
+				return rc;
+
+			mdata->rx_sc_array[--rx_cnt] = i;
+			mdata->sc_an_array[rx_cnt] = priv->port_rsrc[port_id].sc_conf[i].rx.an;
+		}
+	}
+
+	port.port_id = port_id;
+	rc = mcs_port_reset_set(mcs, &port, 0);
+
+	return rc;
+exit:
+	if (mdata->num_tx_sa)
+		plt_free(mdata->tx_sa_array);
+	if (mdata->num_rx_sa)
+		plt_free(mdata->rx_sa_array);
+	if (mdata->num_tx_sc)
+		plt_free(mdata->tx_sc_array);
+	if (mdata->num_rx_sc) {
+		plt_free(mdata->rx_sc_array);
+		plt_free(mdata->sc_an_array);
+	}
+	return rc;
+}
+
+int
+roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port)
+{
+	struct roc_mcs_event_desc desc = {0};
+	int rc;
+
+	/* Initiate port reset and software recovery */
+	rc = roc_mcs_port_recovery(mcs, &desc.metadata, port->port_id);
+	if (rc)
+		goto exit;
+
+	desc.type = ROC_MCS_EVENT_PORT_RESET_RECOVERY;
+	/* Notify the entity details to the application which are recovered */
+	mcs_event_cb_process(mcs, &desc);
+
+exit:
+	if (desc.metadata.num_tx_sa)
+		plt_free(desc.metadata.tx_sa_array);
+	if (desc.metadata.num_rx_sa)
+		plt_free(desc.metadata.rx_sa_array);
+	if (desc.metadata.num_tx_sc)
+		plt_free(desc.metadata.tx_sc_array);
+	if (desc.metadata.num_rx_sc) {
+		plt_free(desc.metadata.rx_sc_array);
+		plt_free(desc.metadata.sc_an_array);
+	}
+
+	return rc;
+}
+
 int
 roc_mcs_event_cb_register(struct roc_mcs *mcs, enum roc_mcs_event_type event,
 			  roc_mcs_dev_cb_fn cb_fn, void *cb_arg, void *userdata)
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index 0044ccefb7..c82ab0020c 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,43 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_port_cfg_set_req {
+	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
+	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
+	 */
+	uint8_t cstm_tag_rel_mode_sel;
+	/* In ingress path, custom_hdr_enb = 1 when the port is expected to receive pkts
+	 * that have 8B custom header before DMAC
+	 */
+	uint8_t custom_hdr_enb;
+	/* Valid fifo skid values are 14,28,56 for 25G,50G,100G respectively
+	 * FIFOs need to be configured based on the port_mode, valid only for 105N
+	 */
+	uint8_t fifo_skid;
+	uint8_t port_mode; /* 2'b00 - 25G or less, 2'b01 - 50G, 2'b10 - 100G */
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_cfg_get_rsp {
+	uint8_t cstm_tag_rel_mode_sel;
+	uint8_t custom_hdr_enb;
+	uint8_t fifo_skid;
+	uint8_t port_mode;
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_port_reset_req {
+	uint8_t port_id;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_stats_req {
 	uint8_t id;
 	uint8_t dir;
@@ -367,6 +404,13 @@ __roc_api int roc_mcs_active_lmac_set(struct roc_mcs *mcs, struct roc_mcs_set_ac
 __roc_api int roc_mcs_lmac_mode_set(struct roc_mcs *mcs, struct roc_mcs_set_lmac_mode *port);
 /* (X)PN threshold set */
 __roc_api int roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *pn);
+/* Reset port */
+__roc_api int roc_mcs_port_reset(struct roc_mcs *mcs, struct roc_mcs_port_reset_req *port);
+/* Get port config */
+__roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req);
+/* Set port config */
+__roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
+				   struct roc_mcs_port_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -439,4 +483,8 @@ __roc_api int roc_mcs_event_cb_unregister(struct roc_mcs *mcs, enum roc_mcs_even
 /* Configure interrupts */
 __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config);
 
+/* Port recovery from fatal errors */
+__roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
+				    uint8_t port_id);
+
 #endif /* ROC_MCS_H */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index d10dfcd84e..6c0defa27e 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -151,6 +151,10 @@ INTERNAL {
 	roc_mcs_pn_table_write;
 	roc_mcs_pn_table_read;
 	roc_mcs_pn_threshold_set;
+	roc_mcs_port_cfg_get;
+	roc_mcs_port_cfg_set;
+	roc_mcs_port_recovery;
+	roc_mcs_port_reset;
 	roc_mcs_port_stats_get;
 	roc_mcs_rsrc_alloc;
 	roc_mcs_rsrc_free;
-- 
2.25.1

[PATCH v5 09/15] common/cnxk: add MACsec control port configuration

[Akhil Goyal]

Added ROC APIs to configure MACsec control port.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h  |  72 ++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.c   | 117 ++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h   |  65 ++++++++++++++++++
 drivers/common/cnxk/version.map |   4 ++
 4 files changed, 258 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index d7c0385a8b..446f49aeaf 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -319,9 +319,17 @@ struct mbox_msghdr {
 	M(MCS_INTR_CFG, 0xa012, mcs_intr_cfg, mcs_intr_cfg, msg_rsp)                               \
 	M(MCS_SET_LMAC_MODE, 0xa013, mcs_set_lmac_mode, mcs_set_lmac_mode, msg_rsp)                \
 	M(MCS_SET_PN_THRESHOLD, 0xa014, mcs_set_pn_threshold, mcs_set_pn_threshold, msg_rsp)       \
+	M(MCS_ALLOC_CTRL_PKT_RULE, 0xa015, mcs_alloc_ctrl_pkt_rule, mcs_alloc_ctrl_pkt_rule_req,   \
+	  mcs_alloc_ctrl_pkt_rule_rsp)                                                             \
+	M(MCS_FREE_CTRL_PKT_RULE, 0xa016, mcs_free_ctrl_pkt_rule, mcs_free_ctrl_pkt_rule_req,      \
+	  msg_rsp)                                                                                 \
+	M(MCS_CTRL_PKT_RULE_WRITE, 0xa017, mcs_ctrl_pkt_rule_write, mcs_ctrl_pkt_rule_write_req,   \
+	  msg_rsp)                                                                                 \
 	M(MCS_PORT_RESET, 0xa018, mcs_port_reset, mcs_port_reset_req, msg_rsp)                     \
 	M(MCS_PORT_CFG_SET, 0xa019, mcs_port_cfg_set, mcs_port_cfg_set_req, msg_rsp)               \
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
+	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
+	  mcs_custom_tag_cfg_get_rsp)                                                              \
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -922,6 +930,53 @@ struct mcs_set_pn_threshold {
 	uint64_t __io rsvd;
 };
 
+enum mcs_ctrl_pkt_rule_type {
+	MCS_CTRL_PKT_RULE_TYPE_ETH,
+	MCS_CTRL_PKT_RULE_TYPE_DA,
+	MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct mcs_alloc_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id; /* MCS block ID */
+	uint8_t __io dir;    /* Macsec ingress or egress side */
+	uint64_t __io rsvd;
+};
+
+struct mcs_alloc_ctrl_pkt_rule_rsp {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_free_ctrl_pkt_rule_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint8_t __io all; /* Free all the rule resources */
+	uint64_t __io rsvd;
+};
+
+struct mcs_ctrl_pkt_rule_write_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io data0;
+	uint64_t __io data1;
+	uint64_t __io data2;
+	uint8_t __io rule_idx;
+	uint8_t __io rule_type;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_cfg_set_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io cstm_tag_rel_mode_sel;
@@ -951,6 +1006,23 @@ struct mcs_port_cfg_get_rsp {
 	uint64_t __io rsvd;
 };
 
+struct mcs_custom_tag_cfg_get_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
+struct mcs_custom_tag_cfg_get_rsp {
+	struct mbox_msghdr hdr;
+	uint16_t __io cstm_etype[8];
+	uint8_t __io cstm_indx[8];
+	uint8_t __io cstm_etype_en;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+	uint64_t __io rsvd;
+};
+
 struct mcs_port_reset_req {
 	struct mbox_msghdr hdr;
 	uint8_t __io reset;
diff --git a/drivers/common/cnxk/roc_mcs.c b/drivers/common/cnxk/roc_mcs.c
index 2ae3dc0695..1f269ddae5 100644
--- a/drivers/common/cnxk/roc_mcs.c
+++ b/drivers/common/cnxk/roc_mcs.c
@@ -140,6 +140,88 @@ roc_mcs_pn_threshold_set(struct roc_mcs *mcs, struct roc_mcs_set_pn_threshold *p
 	return mbox_process_msg(mcs->mbox, (void *)&rsp);
 }
 
+int
+roc_mcs_ctrl_pkt_rule_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+			    struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp)
+{
+	struct mcs_alloc_ctrl_pkt_rule_req *rule_req;
+	struct mcs_alloc_ctrl_pkt_rule_rsp *rule_rsp;
+	int rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL || rsp == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_alloc_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&rule_rsp);
+	if (rc)
+		return rc;
+
+	rsp->rule_type = rule_rsp->rule_type;
+	rsp->rule_idx = rule_rsp->rule_idx;
+	rsp->dir = rule_rsp->dir;
+
+	return 0;
+}
+
+int
+roc_mcs_ctrl_pkt_rule_free(struct roc_mcs *mcs, struct roc_mcs_free_ctrl_pkt_rule_req *req)
+{
+	struct mcs_free_ctrl_pkt_rule_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_free_ctrl_pkt_rule(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->all = req->all;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
+int
+roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs, struct roc_mcs_ctrl_pkt_rule_write_req *req)
+{
+	struct mcs_ctrl_pkt_rule_write_req *rule_req;
+	struct msg_rsp *rsp;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	rule_req = mbox_alloc_msg_mcs_ctrl_pkt_rule_write(mcs->mbox);
+	if (rule_req == NULL)
+		return -ENOMEM;
+
+	rule_req->rule_type = req->rule_type;
+	rule_req->rule_idx = req->rule_idx;
+	rule_req->mcs_id = mcs->idx;
+	rule_req->dir = req->dir;
+	rule_req->data0 = req->data0;
+	rule_req->data1 = req->data1;
+	rule_req->data2 = req->data2;
+
+	return mbox_process_msg(mcs->mbox, (void *)&rsp);
+}
+
 int
 roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_set_req *req)
 {
@@ -198,6 +280,41 @@ roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 	return 0;
 }
 
+int
+roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs, struct roc_mcs_custom_tag_cfg_get_req *req,
+			   struct roc_mcs_custom_tag_cfg_get_rsp *rsp)
+{
+	struct mcs_custom_tag_cfg_get_req *get_req;
+	struct mcs_custom_tag_cfg_get_rsp *get_rsp;
+	int i, rc;
+
+	MCS_SUPPORT_CHECK;
+
+	if (req == NULL)
+		return -EINVAL;
+
+	get_req = mbox_alloc_msg_mcs_custom_tag_cfg_get(mcs->mbox);
+	if (get_req == NULL)
+		return -ENOMEM;
+
+	get_req->dir = req->dir;
+	get_req->mcs_id = mcs->idx;
+
+	rc = mbox_process_msg(mcs->mbox, (void *)&get_rsp);
+	if (rc)
+		return rc;
+
+	for (i = 0; i < 8; i++) {
+		rsp->cstm_etype[i] = get_rsp->cstm_etype[i];
+		rsp->cstm_indx[i] = get_rsp->cstm_indx[i];
+	}
+
+	rsp->cstm_etype_en = get_rsp->cstm_etype_en;
+	rsp->dir = get_rsp->dir;
+
+	return 0;
+}
+
 int
 roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cfg *config)
 {
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index c82ab0020c..e52797aac7 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -163,6 +163,45 @@ struct roc_mcs_set_pn_threshold {
 	uint64_t rsvd;
 };
 
+enum roc_mcs_ctrl_pkt_rule_type {
+	ROC_MCS_CTRL_PKT_RULE_TYPE_ETH,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_DA,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_RANGE,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_COMBO,
+	ROC_MCS_CTRL_PKT_RULE_TYPE_MAC,
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_req {
+	uint8_t rule_type;
+	uint8_t dir; /* Macsec ingress or egress side */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_alloc_ctrl_pkt_rule_rsp {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_free_ctrl_pkt_rule_req {
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint8_t all; /* Free all the rule resources */
+	uint64_t rsvd;
+};
+
+struct roc_mcs_ctrl_pkt_rule_write_req {
+	uint64_t data0;
+	uint64_t data1;
+	uint64_t data2;
+	uint8_t rule_idx;
+	uint8_t rule_type;
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_cfg_set_req {
 	/* Index of custom tag (= cstm_indx[x] in roc_mcs_custom_tag_cfg_get_rsp struct) to use
 	 * when TX SECY_PLCY_MEMX[SECTAG_INSERT_MODE] = 0 (relative offset mode)
@@ -195,6 +234,19 @@ struct roc_mcs_port_cfg_get_rsp {
 	uint64_t rsvd;
 };
 
+struct roc_mcs_custom_tag_cfg_get_req {
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
+struct roc_mcs_custom_tag_cfg_get_rsp {
+	uint16_t cstm_etype[8]; /* EthType/TPID */
+	uint8_t cstm_indx[8];	/* Custom tag index used to identify the VLAN etype */
+	uint8_t cstm_etype_en;	/* bitmap of enabled custom tags */
+	uint8_t dir;
+	uint64_t rsvd;
+};
+
 struct roc_mcs_port_reset_req {
 	uint8_t port_id;
 	uint64_t rsvd;
@@ -411,6 +463,10 @@ __roc_api int roc_mcs_port_cfg_set(struct roc_mcs *mcs, struct roc_mcs_port_cfg_
 /* Set port config */
 __roc_api int roc_mcs_port_cfg_get(struct roc_mcs *mcs, struct roc_mcs_port_cfg_get_req *req,
 				   struct roc_mcs_port_cfg_get_rsp *rsp);
+/* Get custom tag config */
+__roc_api int roc_mcs_custom_tag_cfg_get(struct roc_mcs *mcs,
+					 struct roc_mcs_custom_tag_cfg_get_req *req,
+					 struct roc_mcs_custom_tag_cfg_get_rsp *rsp);
 
 /* Resource allocation and free */
 __roc_api int roc_mcs_rsrc_alloc(struct roc_mcs *mcs, struct roc_mcs_alloc_rsrc_req *req,
@@ -459,6 +515,15 @@ __roc_api int roc_mcs_flowid_entry_read(struct roc_mcs *mcs,
 __roc_api int roc_mcs_flowid_entry_enable(struct roc_mcs *mcs,
 					  struct roc_mcs_flowid_ena_dis_entry *entry);
 
+/* Control packet rule alloc, free and write */
+__roc_api int roc_mcs_ctrl_pkt_rule_alloc(struct roc_mcs *mcs,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_req *req,
+					  struct roc_mcs_alloc_ctrl_pkt_rule_rsp *rsp);
+__roc_api int roc_mcs_ctrl_pkt_rule_free(struct roc_mcs *mcs,
+					 struct roc_mcs_free_ctrl_pkt_rule_req *req);
+__roc_api int roc_mcs_ctrl_pkt_rule_write(struct roc_mcs *mcs,
+					  struct roc_mcs_ctrl_pkt_rule_write_req *req);
+
 /* Flow id stats get */
 __roc_api int roc_mcs_flowid_stats_get(struct roc_mcs *mcs, struct roc_mcs_stats_req *mcs_req,
 				       struct roc_mcs_flowid_stats *stats);
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 6c0defa27e..914d0d2caa 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -136,6 +136,10 @@ INTERNAL {
 	roc_se_ciph_key_set;
 	roc_se_ctx_init;
 	roc_mcs_active_lmac_set;
+	roc_mcs_ctrl_pkt_rule_alloc;
+	roc_mcs_ctrl_pkt_rule_free;
+	roc_mcs_ctrl_pkt_rule_write;
+	roc_mcs_custom_tag_cfg_get;
 	roc_mcs_dev_init;
 	roc_mcs_dev_fini;
 	roc_mcs_dev_get;
-- 
2.25.1

[PATCH v5 10/15] common/cnxk: add MACsec FIPS mbox

[Akhil Goyal]

Added MACsec FIPS configuration mbox

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_mbox.h | 74 ++++++++++++++++++++++++++++++++++
 drivers/common/cnxk/roc_mcs.h  | 69 +++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)

diff --git a/drivers/common/cnxk/roc_mbox.h b/drivers/common/cnxk/roc_mbox.h
index 446f49aeaf..2f85b2f755 100644
--- a/drivers/common/cnxk/roc_mbox.h
+++ b/drivers/common/cnxk/roc_mbox.h
@@ -330,6 +330,15 @@ struct mbox_msghdr {
 	M(MCS_PORT_CFG_GET, 0xa020, mcs_port_cfg_get, mcs_port_cfg_get_req, mcs_port_cfg_get_rsp)  \
 	M(MCS_CUSTOM_TAG_CFG_GET, 0xa021, mcs_custom_tag_cfg_get, mcs_custom_tag_cfg_get_req,      \
 	  mcs_custom_tag_cfg_get_rsp)                                                              \
+	M(MCS_FIPS_RESET, 0xa040, mcs_fips_reset, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_MODE_SET, 0xa041, mcs_fips_mode_set, mcs_fips_mode_req, msg_rsp)                \
+	M(MCS_FIPS_CTL_SET, 0xa042, mcs_fips_ctl_set, mcs_fips_ctl_req, msg_rsp)                   \
+	M(MCS_FIPS_IV_SET, 0xa043, mcs_fips_iv_set, mcs_fips_iv_req, msg_rsp)                      \
+	M(MCS_FIPS_CTR_SET, 0xa044, mcs_fips_ctr_set, mcs_fips_ctr_req, msg_rsp)                   \
+	M(MCS_FIPS_KEY_SET, 0xa045, mcs_fips_key_set, mcs_fips_key_req, msg_rsp)                   \
+	M(MCS_FIPS_BLOCK_SET, 0xa046, mcs_fips_block_set, mcs_fips_block_req, msg_rsp)             \
+	M(MCS_FIPS_START, 0xa047, mcs_fips_start, mcs_fips_req, msg_rsp)                           \
+	M(MCS_FIPS_RESULT_GET, 0xa048, mcs_fips_result_get, mcs_fips_req, mcs_fips_result_rsp)
 
 /* Messages initiated by AF (range 0xC00 - 0xDFF) */
 #define MBOX_UP_CGX_MESSAGES                                                   \
@@ -1119,6 +1128,71 @@ struct mcs_clear_stats {
 	uint8_t __io all; /* All resources stats mapped to PF are cleared */
 };
 
+struct mcs_fips_req {
+	struct mbox_msghdr hdr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_mode_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io mode;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctl_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io ctl;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_iv_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io iv_bits95_64;
+	uint64_t __io iv_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_ctr_req {
+	struct mbox_msghdr hdr;
+	uint32_t __io fips_ctr;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_key_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io sak_bits255_192;
+	uint64_t __io sak_bits191_128;
+	uint64_t __io sak_bits127_64;
+	uint64_t __io sak_bits63_0;
+	uint64_t __io hashkey_bits127_64;
+	uint64_t __io hashkey_bits63_0;
+	uint8_t __io sak_len;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_block_req {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint8_t __io mcs_id;
+	uint8_t __io dir;
+};
+
+struct mcs_fips_result_rsp {
+	struct mbox_msghdr hdr;
+	uint64_t __io blk_bits127_64;
+	uint64_t __io blk_bits63_0;
+	uint64_t __io icv_bits127_64;
+	uint64_t __io icv_bits63_0;
+	uint8_t __io result_pass;
+};
+
 /* NPA mbox message formats */
 
 /* NPA mailbox error codes
diff --git a/drivers/common/cnxk/roc_mcs.h b/drivers/common/cnxk/roc_mcs.h
index e52797aac7..afac6c92e2 100644
--- a/drivers/common/cnxk/roc_mcs.h
+++ b/drivers/common/cnxk/roc_mcs.h
@@ -426,6 +426,56 @@ struct roc_mcs_event_desc {
 	union roc_mcs_event_data metadata;
 };
 
+struct roc_mcs_fips_req {
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_mode {
+	uint64_t mode;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctl {
+	uint64_t ctl;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_iv {
+	uint32_t iv_bits95_64;
+	uint64_t iv_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_ctr {
+	uint32_t fips_ctr;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_key {
+	uint64_t sak_bits255_192;
+	uint64_t sak_bits191_128;
+	uint64_t sak_bits127_64;
+	uint64_t sak_bits63_0;
+	uint64_t hashkey_bits127_64;
+	uint64_t hashkey_bits63_0;
+	uint8_t sak_len;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_block {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint8_t dir;
+};
+
+struct roc_mcs_fips_result_rsp {
+	uint64_t blk_bits127_64;
+	uint64_t blk_bits63_0;
+	uint64_t icv_bits127_64;
+	uint64_t icv_bits63_0;
+	uint8_t result_pass;
+};
+
 /** User application callback to be registered for any notifications from driver. */
 typedef int (*roc_mcs_dev_cb_fn)(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg);
 
@@ -552,4 +602,23 @@ __roc_api int roc_mcs_intr_configure(struct roc_mcs *mcs, struct roc_mcs_intr_cf
 __roc_api int roc_mcs_port_recovery(struct roc_mcs *mcs, union roc_mcs_event_data *mdata,
 				    uint8_t port_id);
 
+/* FIPS reset */
+__roc_api int roc_mcs_fips_reset(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS mode set */
+__roc_api int roc_mcs_fips_mode_set(struct roc_mcs *mcs, struct roc_mcs_fips_mode *req);
+/* FIPS ctl set */
+__roc_api int roc_mcs_fips_ctl_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctl *req);
+/* FIPS iv set */
+__roc_api int roc_mcs_fips_iv_set(struct roc_mcs *mcs, struct roc_mcs_fips_iv *req);
+/* FIPS ctr set */
+__roc_api int roc_mcs_fips_ctr_set(struct roc_mcs *mcs, struct roc_mcs_fips_ctr *req);
+/* FIPS key set */
+__roc_api int roc_mcs_fips_key_set(struct roc_mcs *mcs, struct roc_mcs_fips_key *req);
+/* FIPS block set */
+__roc_api int roc_mcs_fips_block_set(struct roc_mcs *mcs, struct roc_mcs_fips_block *req);
+/* FIPS start */
+__roc_api int roc_mcs_fips_start(struct roc_mcs *mcs, struct roc_mcs_fips_req *req);
+/* FIPS result */
+__roc_api int roc_mcs_fips_result_get(struct roc_mcs *mcs, struct roc_mcs_fips_req *req,
+				      struct roc_mcs_fips_result_rsp *rsp);
 #endif /* ROC_MCS_H */
-- 
2.25.1

[PATCH v5 11/15] common/cnxk: derive hash key for MACsec

[Akhil Goyal]

MACsec hardware configuration need hash key to be generated
from the cipher key of AES-GCM-128/256.
Added an ROC API to derive the hash key and extend the case
for AES-256 as well.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/common/cnxk/roc_aes.c   | 86 ++++++++++++++++++++++-----------
 drivers/common/cnxk/roc_aes.h   |  4 +-
 drivers/common/cnxk/version.map |  1 +
 3 files changed, 60 insertions(+), 31 deletions(-)

diff --git a/drivers/common/cnxk/roc_aes.c b/drivers/common/cnxk/roc_aes.c
index f821c8b710..d84feb546a 100644
--- a/drivers/common/cnxk/roc_aes.c
+++ b/drivers/common/cnxk/roc_aes.c
@@ -4,9 +4,10 @@
 
 #include "roc_api.h"
 
-#define KEY_WORD_LEN	 (ROC_CPT_AES_XCBC_KEY_LENGTH / sizeof(uint32_t))
-#define KEY_ROUNDS	 10			/* (Nr+1)*Nb */
-#define KEY_SCHEDULE_LEN ((KEY_ROUNDS + 1) * 4) /* (Nr+1)*Nb words */
+#define KEY128_ROUNDS		10		/* (Nr+1)*Nb */
+#define KEY256_ROUNDS		14		/* (Nr+1)*Nb */
+#define KEY_SCHEDULE_LEN(nr)	((nr + 1) * 4)	/* (Nr+1)*Nb words */
+#define AES_HASH_KEY_LEN	16
 
 /*
  * AES 128 implementation based on NIST FIPS 197 suitable for LittleEndian
@@ -93,22 +94,30 @@ GF8mul(uint8_t byte, uint32_t mp)
 }
 
 static void
-aes_key_expand(const uint8_t *key, uint32_t *ks)
+aes_key_expand(const uint8_t *key, uint32_t len, uint32_t *ks)
 {
-	unsigned int i = 4;
+	uint32_t len_words = len / sizeof(uint32_t);
+	unsigned int schedule_len;
+	unsigned int i = len_words;
 	uint32_t temp;
 
+	schedule_len = (len == ROC_CPT_AES128_KEY_LEN) ? KEY_SCHEDULE_LEN(KEY128_ROUNDS) :
+							 KEY_SCHEDULE_LEN(KEY256_ROUNDS);
 	/* Skip key in ks */
-	memcpy(ks, key, KEY_WORD_LEN * sizeof(uint32_t));
+	memcpy(ks, key, len);
 
-	while (i < KEY_SCHEDULE_LEN) {
+	while (i < schedule_len) {
 		temp = ks[i - 1];
-		if ((i & 0x3) == 0) {
+		if ((i & (len_words - 1)) == 0) {
 			temp = rot_word(temp);
 			temp = sub_word(temp);
-			temp ^= (uint32_t)GF8mul(1, 1 << ((i >> 2) - 1));
+			temp ^= (uint32_t)GF8mul(1, 1 << ((i / len_words) - 1));
 		}
-		ks[i] = ks[i - 4] ^ temp;
+		if (len == ROC_CPT_AES256_KEY_LEN) {
+			if ((i % len_words) == 4)
+				temp = sub_word(temp);
+		}
+		ks[i] = ks[i - len_words] ^ temp;
 		i++;
 	}
 }
@@ -145,64 +154,83 @@ mix_columns(uint8_t *sRc)
 }
 
 static void
-cipher(uint8_t *in, uint8_t *out, uint32_t *ks)
+cipher(uint8_t *in, uint8_t *out, uint32_t *ks, uint32_t key_rounds, uint8_t in_len)
 {
-	uint32_t state[KEY_WORD_LEN];
+	uint8_t data_word_len = in_len / sizeof(uint32_t);
+	uint32_t state[data_word_len];
 	unsigned int i, round;
 
 	memcpy(state, in, sizeof(state));
 
 	/* AddRoundKey(state, w[0, Nb-1]) // See Sec. 5.1.4 */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] ^= ks[i];
 
-	for (round = 1; round < KEY_ROUNDS; round++) {
+	for (round = 1; round < key_rounds; round++) {
 		/* SubBytes(state) // See Sec. 5.1.1 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			state[i] = sub_word(state[i]);
 
 		/* ShiftRows(state) // See Sec. 5.1.2 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			shift_word((uint8_t *)state, i, i);
 
 		/* MixColumns(state) // See Sec. 5.1.3 */
-		for (i = 0; i < KEY_WORD_LEN; i++)
+		for (i = 0; i < data_word_len; i++)
 			mix_columns((uint8_t *)&state[i]);
 
 		/* AddRoundKey(state, w[round*Nb, (round+1)*Nb-1]) */
-		for (i = 0; i < KEY_WORD_LEN; i++)
-			state[i] ^= ks[round * 4 + i];
+		for (i = 0; i < data_word_len; i++)
+			state[i] ^= ks[round * data_word_len + i];
 	}
 
 	/* SubBytes(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		state[i] = sub_word(state[i]);
 
 	/* ShiftRows(state) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
+	for (i = 0; i < data_word_len; i++)
 		shift_word((uint8_t *)state, i, i);
 
 	/* AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) */
-	for (i = 0; i < KEY_WORD_LEN; i++)
-		state[i] ^= ks[KEY_ROUNDS * 4 + i];
-	memcpy(out, state, KEY_WORD_LEN * sizeof(uint32_t));
+	for (i = 0; i < data_word_len; i++)
+		state[i] ^= ks[key_rounds * data_word_len + i];
+	memcpy(out, state, data_word_len * sizeof(uint32_t));
 }
 
 void
 roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key)
 {
-	uint32_t aes_ks[KEY_SCHEDULE_LEN] = {0};
+	uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
 	uint8_t k1[16] = {[0 ... 15] = 0x01};
 	uint8_t k2[16] = {[0 ... 15] = 0x02};
 	uint8_t k3[16] = {[0 ... 15] = 0x03};
 
-	aes_key_expand(auth_key, aes_ks);
+	aes_key_expand(auth_key, ROC_CPT_AES_XCBC_KEY_LENGTH, aes_ks);
 
-	cipher(k1, derived_key, aes_ks);
+	cipher(k1, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k1));
 	derived_key += sizeof(k1);
 
-	cipher(k2, derived_key, aes_ks);
+	cipher(k2, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k2));
 	derived_key += sizeof(k2);
 
-	cipher(k3, derived_key, aes_ks);
+	cipher(k3, derived_key, aes_ks, KEY128_ROUNDS, sizeof(k3));
+}
+
+void
+roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t hash_key[])
+{
+	uint8_t data[AES_HASH_KEY_LEN] = {0x0};
+
+	if (len == ROC_CPT_AES128_KEY_LEN) {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY128_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES128_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY128_ROUNDS, sizeof(data));
+	} else {
+		uint32_t aes_ks[KEY_SCHEDULE_LEN(KEY256_ROUNDS)] = {0};
+
+		aes_key_expand(key, ROC_CPT_AES256_KEY_LEN, aes_ks);
+		cipher(data, hash_key, aes_ks, KEY256_ROUNDS, sizeof(data));
+	}
 }
diff --git a/drivers/common/cnxk/roc_aes.h b/drivers/common/cnxk/roc_aes.h
index 954039139f..3b4b921bcd 100644
--- a/drivers/common/cnxk/roc_aes.h
+++ b/drivers/common/cnxk/roc_aes.h
@@ -8,7 +8,7 @@
 /*
  * Derive k1, k2, k3 from 128 bit AES key
  */
-void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key,
-				       uint8_t *derived_key);
+void __roc_api roc_aes_xcbc_key_derive(const uint8_t *auth_key, uint8_t *derived_key);
+void __roc_api roc_aes_hash_key_derive(const uint8_t *key, uint16_t len, uint8_t *hash_key);
 
 #endif /* _ROC_AES_H_ */
diff --git a/drivers/common/cnxk/version.map b/drivers/common/cnxk/version.map
index 914d0d2caa..8c71497df8 100644
--- a/drivers/common/cnxk/version.map
+++ b/drivers/common/cnxk/version.map
@@ -30,6 +30,7 @@ INTERNAL {
 	roc_ae_ec_grp_put;
 	roc_ae_fpm_get;
 	roc_ae_fpm_put;
+	roc_aes_hash_key_derive;
 	roc_aes_xcbc_key_derive;
 	roc_bphy_cgx_cpri_mode_change;
 	roc_bphy_cgx_cpri_mode_misc;
-- 
2.25.1

[PATCH v5 12/15] net/cnxk: add MACsec initialization

[Akhil Goyal]

Added initialization routines for MACsec for
cn10kb platform.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   6 ++
 drivers/net/cnxk/cnxk_ethdev.c      |  13 +++
 drivers/net/cnxk/cnxk_ethdev.h      |  14 +++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 151 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  66 ++++++++++++
 drivers/net/cnxk/meson.build        |   1 +
 6 files changed, 251 insertions(+)
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.c
 create mode 100644 drivers/net/cnxk/cnxk_ethdev_mcs.h

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 5bc547051d..8dd2c8b7a5 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1090,9 +1090,15 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
+	cnxk_eth_sec_ops.macsec_sa_create = NULL;
+	cnxk_eth_sec_ops.macsec_sc_create = NULL;
+	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 916198d802..5368f0777d 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1961,6 +1961,16 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 	if (rc)
 		goto free_mac_addrs;
 
+	if (roc_feature_nix_has_macsec()) {
+		rc = cnxk_mcs_dev_init(dev, 0);
+		if (rc) {
+			plt_err("Failed to init MCS");
+			goto free_mac_addrs;
+		}
+		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
+		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+	}
+
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
 		    " rxoffload_capa=0x%" PRIx64 " txoffload_capa=0x%" PRIx64,
 		    eth_dev->data->port_id, roc_nix_get_pf(nix),
@@ -2058,6 +2068,9 @@ cnxk_eth_dev_uninit(struct rte_eth_dev *eth_dev, bool reset)
 	}
 	eth_dev->data->nb_rx_queues = 0;
 
+	if (roc_feature_nix_has_macsec())
+		cnxk_mcs_dev_fini(dev);
+
 	/* Free security resources */
 	nix_security_release(dev);
 
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index e280d6c05e..d5bb06b823 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -395,6 +395,9 @@ struct cnxk_eth_dev {
 	/* Reassembly dynfield/flag offsets */
 	int reass_dynfield_off;
 	int reass_dynflag_bit;
+
+	/* MCS device */
+	struct cnxk_mcs_dev *mcs_dev;
 };
 
 struct cnxk_eth_rxq_sp {
@@ -623,6 +626,17 @@ int cnxk_nix_cman_config_set(struct rte_eth_dev *dev, const struct rte_eth_cman_
 
 int cnxk_nix_cman_config_get(struct rte_eth_dev *dev, struct rte_eth_cman_config *config);
 
+int cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx);
+void cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev);
+
+struct cnxk_macsec_sess *cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev,
+							  const struct rte_security_session *sess);
+int cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
+			     const struct rte_flow_item pattern[],
+			     const struct rte_flow_action actions[], struct rte_flow_error *error,
+			     void **mcs_flow);
+int cnxk_mcs_flow_destroy(struct cnxk_eth_dev *eth_dev, void *mcs_flow);
+
 /* Other private functions */
 int nix_recalc_mtu(struct rte_eth_dev *eth_dev);
 int nix_mtr_validate(struct rte_eth_dev *dev, uint32_t id);
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
new file mode 100644
index 0000000000..b0205f45c5
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -0,0 +1,151 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#include <cnxk_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
+#include <roc_mcs.h>
+
+static int
+cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
+{
+	struct rte_eth_event_macsec_desc d = {0};
+
+	d.metadata = (uint64_t)userdata;
+
+	switch (desc->type) {
+	case ROC_MCS_EVENT_SECTAG_VAL_ERR:
+		d.type = RTE_ETH_EVENT_MACSEC_SECTAG_VAL_ERR;
+		switch (desc->subtype) {
+		case ROC_MCS_EVENT_RX_SECTAG_V_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_V_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_E_EQ0_C_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_E_EQ0_C_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SL_GTE48:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SL_GTE48;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_ES_EQ1_SC_EQ1;
+			break;
+		case ROC_MCS_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1:
+			d.subtype = RTE_ETH_SUBEVENT_MACSEC_RX_SECTAG_SC_EQ1_SCB_EQ1;
+			break;
+		default:
+			plt_err("Unknown MACsec sub event : %d", desc->subtype);
+		}
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_RX_SA_PN_SOFT_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_HARD_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_HARD_EXP;
+		break;
+	case ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP:
+		d.type = RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP;
+		break;
+	default:
+		plt_err("Unknown MACsec event type: %d", desc->type);
+	}
+
+	rte_eth_dev_callback_process(cb_arg, RTE_ETH_EVENT_MACSEC, &d);
+
+	return 0;
+}
+
+void
+cnxk_mcs_dev_fini(struct cnxk_eth_dev *dev)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	int rc;
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	rc = roc_mcs_event_cb_unregister(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP);
+	if (rc)
+		plt_err("Failed to unregister MCS event callback: rc: %d", rc);
+
+	/* Cleanup MACsec dev */
+	roc_mcs_dev_fini(mcs_dev->mdev);
+
+	plt_free(mcs_dev);
+}
+
+int
+cnxk_mcs_dev_init(struct cnxk_eth_dev *dev, uint8_t mcs_idx)
+{
+	struct roc_mcs_intr_cfg intr_cfg = {0};
+	struct roc_mcs_hw_info hw_info = {0};
+	struct cnxk_mcs_dev *mcs_dev;
+	int rc;
+
+	rc = roc_mcs_hw_info_get(&hw_info);
+	if (rc) {
+		plt_err("MCS HW info get failed: rc: %d ", rc);
+		return rc;
+	}
+
+	mcs_dev = plt_zmalloc(sizeof(struct cnxk_mcs_dev), PLT_CACHE_LINE_SIZE);
+	if (!mcs_dev)
+		return -ENOMEM;
+
+	mcs_dev->idx = mcs_idx;
+	mcs_dev->mdev = roc_mcs_dev_init(mcs_dev->idx);
+	if (!mcs_dev->mdev) {
+		plt_free(mcs_dev);
+		return rc;
+	}
+	mcs_dev->port_id = dev->eth_dev->data->port_id;
+
+	intr_cfg.intr_mask =
+		ROC_MCS_CPM_RX_SECTAG_V_EQ1_INT | ROC_MCS_CPM_RX_SECTAG_E_EQ0_C_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SL_GTE48_INT | ROC_MCS_CPM_RX_SECTAG_ES_EQ1_SC_EQ1_INT |
+		ROC_MCS_CPM_RX_SECTAG_SC_EQ1_SCB_EQ1_INT | ROC_MCS_CPM_RX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_RX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_PACKET_XPN_EQ0_INT |
+		ROC_MCS_CPM_TX_PN_THRESH_REACHED_INT | ROC_MCS_CPM_TX_SA_NOT_VALID_INT |
+		ROC_MCS_BBE_RX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_RX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_BBE_TX_DFIFO_OVERFLOW_INT | ROC_MCS_BBE_TX_PLFIFO_OVERFLOW_INT |
+		ROC_MCS_PAB_RX_CHAN_OVERFLOW_INT | ROC_MCS_PAB_TX_CHAN_OVERFLOW_INT;
+
+	rc = roc_mcs_intr_configure(mcs_dev->mdev, &intr_cfg);
+	if (rc) {
+		plt_err("Failed to configure MCS interrupts: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_SECTAG_VAL_ERR,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	rc = roc_mcs_event_cb_register(mcs_dev->mdev, ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP,
+				       cnxk_mcs_event_cb, dev->eth_dev, mcs_dev);
+	if (rc) {
+		plt_err("Failed to register MCS event callback: rc: %d", rc);
+		plt_free(mcs_dev);
+		return rc;
+	}
+	dev->mcs_dev = mcs_dev;
+
+	return 0;
+}
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
new file mode 100644
index 0000000000..29a2e34a56
--- /dev/null
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -0,0 +1,66 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2023 Marvell.
+ */
+
+#ifndef CNXK_ETHDEV_MCS_H
+#define CNXK_ETHDEV_MCS_H
+
+#include <cnxk_ethdev.h>
+
+#define CNXK_MACSEC_HASH_KEY 16
+
+struct cnxk_mcs_dev {
+	uint64_t default_sci;
+	void *mdev;
+	uint8_t port_id;
+	uint8_t idx;
+};
+
+struct cnxk_mcs_event_data {
+	/* Valid for below events
+	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
+	 * - ROC_MCS_EVENT_TX_SA_PN_SOFT_EXP
+	 */
+	struct {
+		uint8_t secy_idx;
+		uint8_t sc_idx;
+		uint8_t sa_idx;
+	};
+	/* Valid for below event
+	 * - ROC_MCS_EVENT_FIFO_OVERFLOW
+	 *
+	 * Upon fatal error notification on a MCS port, driver resets below attributes of active
+	 * flow entities(sc & sa) and then resets the port.
+	 * - Reset NEXT_PN of active SAs to 1.
+	 * - Reset TX active SA for each SC, TX_SA_ACTIVE = 0, SA_INDEX0_VLD = 1.
+	 * - Clear SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 * - Clear all stats mapping to this port.
+	 * - Reactivate SA_IN_USE for active ANs in RX_SA_MAP_MEM.
+	 *
+	 *  UMD driver notifies the following flow entity(sc & sa) details in application callback,
+	 *  application is expected to exchange the Tx/Rx NEXT_PN, TX_SA_ACTIVE, active RX SC AN
+	 *  details with peer device so that peer device can resets it's MACsec flow states and than
+	 *  resume packet transfers.
+	 */
+	struct {
+		uint16_t *tx_sa_array; /* Tx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *rx_sa_array; /* Rx SAs whose PN memories were reset (NEXT_PN=1) */
+		uint16_t *tx_sc_array; /* Tx SCs whose active SAs were reset (TX_SA_ACTIVE=0) */
+		uint16_t *rx_sc_array; /* Rx SCs whose state was reset */
+		uint8_t *sc_an_array;  /* AN of Rx SCs(in rx_sc_array) which were reactivated */
+		uint8_t num_tx_sa;     /* num entries in tx_sa_array */
+		uint8_t num_rx_sa;     /* num entries in rx_sa_array */
+		uint8_t num_tx_sc;     /* num entries in tx_sc_array */
+		uint8_t num_rx_sc;     /* num entries in rx_sc_array */
+		uint8_t lmac_id;       /* lmac_id/port which was recovered from fatal error */
+	};
+};
+
+struct cnxk_mcs_event_desc {
+	struct rte_eth_dev *eth_dev;
+	enum roc_mcs_event_type type;
+	enum roc_mcs_event_subtype subtype;
+	struct cnxk_mcs_event_data metadata;
+};
+
+#endif /* CNXK_ETHDEV_MCS_H */
diff --git a/drivers/net/cnxk/meson.build b/drivers/net/cnxk/meson.build
index 394d3d01f4..4a77d02792 100644
--- a/drivers/net/cnxk/meson.build
+++ b/drivers/net/cnxk/meson.build
@@ -22,6 +22,7 @@ sources = files(
         'cnxk_ethdev.c',
         'cnxk_ethdev_cman.c',
         'cnxk_ethdev_devargs.c',
+        'cnxk_ethdev_mcs.c',
         'cnxk_ethdev_mtr.c',
         'cnxk_ethdev_ops.c',
         'cnxk_ethdev_sec.c',
-- 
2.25.1

[PATCH v5 13/15] net/cnxk: create/destroy MACsec SC/SA

[Akhil Goyal]

Added support to create/destroy MACsec SA and SC.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |   9 +-
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 253 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  16 ++
 3 files changed, 274 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 8dd2c8b7a5..1db29a0b55 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -9,6 +9,7 @@
 #include <rte_pmd_cnxk.h>
 
 #include <cn10k_ethdev.h>
+#include <cnxk_ethdev_mcs.h>
 #include <cnxk_security.h>
 #include <roc_priv.h>
 
@@ -1090,10 +1091,10 @@ cn10k_eth_sec_ops_override(void)
 	init_once = 1;
 
 	/* Update platform specific ops */
-	cnxk_eth_sec_ops.macsec_sa_create = NULL;
-	cnxk_eth_sec_ops.macsec_sc_create = NULL;
-	cnxk_eth_sec_ops.macsec_sa_destroy = NULL;
-	cnxk_eth_sec_ops.macsec_sc_destroy = NULL;
+	cnxk_eth_sec_ops.macsec_sa_create = cnxk_eth_macsec_sa_create;
+	cnxk_eth_sec_ops.macsec_sc_create = cnxk_eth_macsec_sc_create;
+	cnxk_eth_sec_ops.macsec_sa_destroy = cnxk_eth_macsec_sa_destroy;
+	cnxk_eth_sec_ops.macsec_sc_destroy = cnxk_eth_macsec_sc_destroy;
 	cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
 	cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index b0205f45c5..8eb21108cb 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -6,6 +6,259 @@
 #include <cnxk_ethdev_mcs.h>
 #include <roc_mcs.h>
 
+static int
+mcs_resource_alloc(struct cnxk_mcs_dev *mcs_dev, enum mcs_direction dir, uint8_t rsrc_id[],
+		   uint8_t rsrc_cnt, enum cnxk_mcs_rsrc_type type)
+{
+	struct roc_mcs_alloc_rsrc_req req = {0};
+	struct roc_mcs_alloc_rsrc_rsp rsp;
+	int i;
+
+	req.rsrc_type = type;
+	req.rsrc_cnt = rsrc_cnt;
+	req.dir = dir;
+
+	memset(&rsp, 0, sizeof(struct roc_mcs_alloc_rsrc_rsp));
+
+	if (roc_mcs_rsrc_alloc(mcs_dev->mdev, &req, &rsp)) {
+		plt_err("Cannot allocate mcs resource.");
+		return -1;
+	}
+
+	for (i = 0; i < rsrc_cnt; i++) {
+		switch (rsp.rsrc_type) {
+		case CNXK_MCS_RSRC_TYPE_FLOWID:
+			rsrc_id[i] = rsp.flow_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SECY:
+			rsrc_id[i] = rsp.secy_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SC:
+			rsrc_id[i] = rsp.sc_ids[i];
+			break;
+		case CNXK_MCS_RSRC_TYPE_SA:
+			rsrc_id[i] = rsp.sa_ids[i];
+			break;
+		default:
+			plt_err("Invalid mcs resource allocated.");
+			return -1;
+		}
+	}
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN] = {0};
+	struct roc_mcs_pn_table_write_req pn_req = {0};
+	uint8_t hash_key_rev[CNXK_MACSEC_HASH_KEY] = {0};
+	uint8_t hash_key[CNXK_MACSEC_HASH_KEY] = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_sa_plcy_write_req req;
+	uint8_t ciph_key[32] = {0};
+	enum mcs_direction dir;
+	uint8_t sa_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sa_id, 1, CNXK_MCS_RSRC_TYPE_SA);
+	if (ret) {
+		plt_err("Failed to allocate SA id.");
+		return -ENOMEM;
+	}
+	memset(&req, 0, sizeof(struct roc_mcs_sa_plcy_write_req));
+	req.sa_index[0] = sa_id;
+	req.sa_cnt = 1;
+	req.dir = dir;
+
+	if (conf->key.length != 16 && conf->key.length != 32)
+		return -EINVAL;
+
+	for (i = 0; i < conf->key.length; i++)
+		ciph_key[i] = conf->key.data[conf->key.length - 1 - i];
+
+	memcpy(&req.plcy[0][0], ciph_key, conf->key.length);
+
+	roc_aes_hash_key_derive(conf->key.data, conf->key.length, hash_key);
+	for (i = 0; i < CNXK_MACSEC_HASH_KEY; i++)
+		hash_key_rev[i] = hash_key[CNXK_MACSEC_HASH_KEY - 1 - i];
+
+	memcpy(&req.plcy[0][4], hash_key_rev, CNXK_MACSEC_HASH_KEY);
+
+	for (i = 0; i < RTE_SECURITY_MACSEC_SALT_LEN; i++)
+		salt[i] = conf->salt[RTE_SECURITY_MACSEC_SALT_LEN - 1 - i];
+	memcpy(&req.plcy[0][6], salt, RTE_SECURITY_MACSEC_SALT_LEN);
+
+	req.plcy[0][7] |= (uint64_t)conf->ssci << 32;
+	req.plcy[0][8] = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? (conf->an & 0x3) : 0;
+
+	ret = roc_mcs_sa_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err("Failed to write SA policy.");
+		return -EINVAL;
+	}
+	pn_req.next_pn = ((uint64_t)conf->xpn << 32) | rte_be_to_cpu_32(conf->next_pn);
+	pn_req.pn_id = sa_id;
+	pn_req.dir = dir;
+
+	ret = roc_mcs_pn_table_write(mcs_dev->mdev, &pn_req);
+	if (ret) {
+		plt_err("Failed to write PN table.");
+		return -EINVAL;
+	}
+
+	return sa_id;
+}
+
+int
+cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SA;
+	stats_req.id = sa_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SA id %u, dir %u.", sa_id, dir);
+
+	req.rsrc_id = sa_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SA;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SA id %u, dir %u.", sa_id, dir);
+
+	return ret;
+}
+
+int
+cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct roc_mcs_set_pn_threshold pn_thresh = {0};
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	enum mcs_direction dir;
+	uint8_t sc_id = 0;
+	int i, ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &sc_id, 1, CNXK_MCS_RSRC_TYPE_SC);
+	if (ret) {
+		plt_err("Failed to allocate SC id.");
+		return -ENOMEM;
+	}
+
+	if (conf->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		struct roc_mcs_tx_sc_sa_map req = {0};
+
+		req.sa_index0 = conf->sc_tx.sa_id & 0xFF;
+		req.sa_index1 = conf->sc_tx.sa_id_rekey & 0xFF;
+		req.rekey_ena = conf->sc_tx.re_key_en;
+		req.sa_index0_vld = conf->sc_tx.active;
+		req.sa_index1_vld = conf->sc_tx.re_key_en && conf->sc_tx.active;
+		req.tx_sa_active = 0;
+		req.sectag_sci = conf->sc_tx.sci;
+		req.sc_id = sc_id;
+
+		ret = roc_mcs_tx_sc_sa_map_write(mcs_dev->mdev, &req);
+		if (ret) {
+			plt_err("Failed to map TX SC-SA");
+			return -EINVAL;
+		}
+		pn_thresh.xpn = conf->sc_tx.is_xpn;
+	} else {
+		for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
+			struct roc_mcs_rx_sc_sa_map req = {0};
+
+			req.sa_index = conf->sc_rx.sa_id[i] & 0x7F;
+			req.sc_id = sc_id;
+			req.an = i & 0x3;
+			req.sa_in_use = 0;
+			/* Clearing the sa_in_use bit automatically clears
+			 * the corresponding pn_thresh_reached bit
+			 */
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+			req.sa_in_use = conf->sc_rx.sa_in_use[i];
+			ret = roc_mcs_rx_sc_sa_map_write(mcs_dev->mdev, &req);
+			if (ret) {
+				plt_err("Failed to map RX SC-SA");
+				return -EINVAL;
+			}
+		}
+		pn_thresh.xpn = conf->sc_rx.is_xpn;
+	}
+
+	pn_thresh.threshold = conf->pn_threshold;
+	pn_thresh.dir = dir;
+
+	ret = roc_mcs_pn_threshold_set(mcs_dev->mdev, &pn_thresh);
+	if (ret) {
+		plt_err("Failed to write PN threshold.");
+		return -EINVAL;
+	}
+
+	return sc_id;
+}
+
+int
+cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SC;
+	stats_req.id = sc_id;
+	stats_req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SC id %u, dir %u.", sc_id, dir);
+
+	req.rsrc_id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SC;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 29a2e34a56..1076cd16b5 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -16,6 +16,14 @@ struct cnxk_mcs_dev {
 	uint8_t idx;
 };
 
+enum cnxk_mcs_rsrc_type {
+	CNXK_MCS_RSRC_TYPE_FLOWID,
+	CNXK_MCS_RSRC_TYPE_SECY,
+	CNXK_MCS_RSRC_TYPE_SC,
+	CNXK_MCS_RSRC_TYPE_SA,
+	CNXK_MCS_RSRC_TYPE_PORT,
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -63,4 +71,12 @@ struct cnxk_mcs_event_desc {
 	struct cnxk_mcs_event_data metadata;
 };
 
+int cnxk_eth_macsec_sa_create(void *device, struct rte_security_macsec_sa *conf);
+int cnxk_eth_macsec_sc_create(void *device, struct rte_security_macsec_sc *conf);
+
+int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
+			       enum rte_security_macsec_direction dir);
+int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
+			       enum rte_security_macsec_direction dir);
+
 #endif /* CNXK_ETHDEV_MCS_H */
-- 
2.25.1

[PATCH v5 14/15] net/cnxk: add MACsec session and flow configuration

[Akhil Goyal]

Added support for MACsec session/flow create/destroy.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 drivers/net/cnxk/cn10k_ethdev_sec.c |  11 +-
 drivers/net/cnxk/cn10k_flow.c       |  23 ++-
 drivers/net/cnxk/cnxk_ethdev.c      |   2 +
 drivers/net/cnxk/cnxk_ethdev.h      |  16 ++
 drivers/net/cnxk/cnxk_ethdev_mcs.c  | 262 ++++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h  |  25 +++
 drivers/net/cnxk/cnxk_ethdev_sec.c  |   2 +-
 drivers/net/cnxk/cnxk_flow.c        |   5 +
 8 files changed, 342 insertions(+), 4 deletions(-)

diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index 1db29a0b55..f20e573338 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -642,7 +642,9 @@ cn10k_eth_sec_session_create(void *device,
 	if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
 		return -ENOTSUP;
 
-	if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
+	if (conf->protocol == RTE_SECURITY_PROTOCOL_MACSEC)
+		return cnxk_eth_macsec_session_create(dev, conf, sess);
+	else if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
 		return -ENOTSUP;
 
 	if (rte_security_dynfield_register() < 0)
@@ -887,13 +889,18 @@ cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	rte_spinlock_t *lock;
 	void *sa_dptr;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (!eth_sec)
+	if (!eth_sec) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_destroy(dev, sess);
 		return -ENOENT;
+	}
 
 	lock = eth_sec->inb ? &dev->inb.lock : &dev->outb.lock;
 	rte_spinlock_lock(lock);
diff --git a/drivers/net/cnxk/cn10k_flow.c b/drivers/net/cnxk/cn10k_flow.c
index d7a3442c5f..db5e427362 100644
--- a/drivers/net/cnxk/cn10k_flow.c
+++ b/drivers/net/cnxk/cn10k_flow.c
@@ -1,10 +1,11 @@
 /* SPDX-License-Identifier: BSD-3-Clause
  * Copyright(C) 2020 Marvell.
  */
-#include <cnxk_flow.h>
 #include "cn10k_flow.h"
 #include "cn10k_ethdev.h"
 #include "cn10k_rx.h"
+#include "cnxk_ethdev_mcs.h"
+#include <cnxk_flow.h>
 
 static int
 cn10k_mtr_connect(struct rte_eth_dev *eth_dev, uint32_t mtr_id)
@@ -133,6 +134,7 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 	const struct rte_flow_action *act_q = NULL;
 	struct roc_npc *npc = &dev->npc;
 	struct roc_npc_flow *flow;
+	void *mcs_flow = NULL;
 	int vtag_actions = 0;
 	uint32_t req_act = 0;
 	int mark_actions;
@@ -187,6 +189,17 @@ cn10k_flow_create(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr,
 		}
 	}
 
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL) {
+		rc = cnxk_mcs_flow_configure(eth_dev, attr, pattern, actions, error, &mcs_flow);
+		if (rc) {
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_ACTION, NULL,
+					   "Failed to configure mcs flow");
+			return NULL;
+		}
+		return (struct rte_flow *)mcs_flow;
+	}
+
 	flow = cnxk_flow_create(eth_dev, attr, pattern, actions, error);
 	if (!flow) {
 		if (mtr)
@@ -265,6 +278,14 @@ cn10k_flow_destroy(struct rte_eth_dev *eth_dev, struct rte_flow *rte_flow,
 		}
 	}
 
+	if (cnxk_eth_macsec_sess_get_by_sess(dev, (void *)flow) != NULL) {
+		rc = cnxk_mcs_flow_destroy(dev, (void *)flow);
+		if (rc < 0)
+			rte_flow_error_set(error, rc, RTE_FLOW_ERROR_TYPE_UNSPECIFIED,
+					NULL, "Failed to free mcs flow");
+		return rc;
+	}
+
 	mtr_id = flow->mtr_id;
 	rc = cnxk_flow_destroy(eth_dev, flow, error);
 	if (!rc && mtr_id != ROC_NIX_MTR_ID_INVALID) {
diff --git a/drivers/net/cnxk/cnxk_ethdev.c b/drivers/net/cnxk/cnxk_ethdev.c
index 5368f0777d..4b98faa729 100644
--- a/drivers/net/cnxk/cnxk_ethdev.c
+++ b/drivers/net/cnxk/cnxk_ethdev.c
@@ -1969,6 +1969,8 @@ cnxk_eth_dev_init(struct rte_eth_dev *eth_dev)
 		}
 		dev->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_MACSEC_STRIP;
 		dev->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MACSEC_INSERT;
+
+		TAILQ_INIT(&dev->mcs_list);
 	}
 
 	plt_nix_dbg("Port=%d pf=%d vf=%d ver=%s hwcap=0x%" PRIx64
diff --git a/drivers/net/cnxk/cnxk_ethdev.h b/drivers/net/cnxk/cnxk_ethdev.h
index d5bb06b823..45dc72b609 100644
--- a/drivers/net/cnxk/cnxk_ethdev.h
+++ b/drivers/net/cnxk/cnxk_ethdev.h
@@ -292,6 +292,21 @@ struct cnxk_eth_dev_sec_outb {
 	uint64_t cpt_eng_caps;
 };
 
+/* MACsec session private data */
+struct cnxk_macsec_sess {
+	/* List entry */
+	TAILQ_ENTRY(cnxk_macsec_sess) entry;
+
+	/* Back pointer to session */
+	struct rte_security_session *sess;
+	enum mcs_direction dir;
+	uint64_t sci;
+	uint8_t secy_id;
+	uint8_t sc_id;
+	uint8_t flow_id;
+};
+TAILQ_HEAD(cnxk_macsec_sess_list, cnxk_macsec_sess);
+
 struct cnxk_eth_dev {
 	/* ROC NIX */
 	struct roc_nix nix;
@@ -398,6 +413,7 @@ struct cnxk_eth_dev {
 
 	/* MCS device */
 	struct cnxk_mcs_dev *mcs_dev;
+	struct cnxk_macsec_sess_list mcs_list;
 };
 
 struct cnxk_eth_rxq_sp {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index 8eb21108cb..87bfcb8b4e 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -259,6 +259,268 @@ cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id, enum rte_security_macse
 	return ret;
 }
 
+struct cnxk_macsec_sess *
+cnxk_eth_macsec_sess_get_by_sess(struct cnxk_eth_dev *dev, const struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess = NULL;
+
+	TAILQ_FOREACH(macsec_sess, &dev->mcs_list, entry) {
+		if (macsec_sess->sess == sess)
+			return macsec_sess;
+	}
+
+	return NULL;
+}
+
+int
+cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+			       struct rte_security_session *sess)
+{
+	struct cnxk_macsec_sess *macsec_sess_priv = SECURITY_GET_SESS_PRIV(sess);
+	struct rte_security_macsec_xform *xform = &conf->macsec;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_secy_plcy_write_req req;
+	enum mcs_direction dir;
+	uint8_t secy_id = 0;
+	uint8_t sectag_tci = 0;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	dir = (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) ? MCS_TX : MCS_RX;
+	ret = mcs_resource_alloc(mcs_dev, dir, &secy_id, 1, CNXK_MCS_RSRC_TYPE_SECY);
+	if (ret) {
+		plt_err("Failed to allocate SECY id.");
+		return -ENOMEM;
+	}
+
+	req.secy_id = secy_id;
+	req.dir = dir;
+	req.plcy = 0L;
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_TX) {
+		sectag_tci = ((uint8_t)xform->tx_secy.sectag_version << 5) |
+			     ((uint8_t)xform->tx_secy.end_station << 4) |
+			     ((uint8_t)xform->tx_secy.send_sci << 3) |
+			     ((uint8_t)xform->tx_secy.scb << 2) |
+			     ((uint8_t)xform->tx_secy.encrypt << 1) |
+			     (uint8_t)xform->tx_secy.encrypt;
+		req.plcy = (((uint64_t)xform->tx_secy.mtu & 0xFFFF) << 28) |
+			   (((uint64_t)sectag_tci & 0x3F) << 22) |
+			   (((uint64_t)xform->tx_secy.sectag_off & 0x7F) << 15) |
+			   ((uint64_t)xform->tx_secy.sectag_insert_mode << 14) |
+			   ((uint64_t)xform->tx_secy.icv_include_da_sa << 13) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 6) |
+			   ((uint64_t)xform->alg << 2) |
+			   ((uint64_t)xform->tx_secy.protect_frames << 1) |
+			   (uint64_t)xform->tx_secy.ctrl_port_enable;
+	} else {
+		req.plcy = ((uint64_t)xform->rx_secy.replay_win_sz << 18) |
+			   ((uint64_t)xform->rx_secy.replay_protect << 17) |
+			   ((uint64_t)xform->rx_secy.icv_include_da_sa << 16) |
+			   (((uint64_t)xform->cipher_off & 0x7F) << 9) |
+			   ((uint64_t)xform->alg << 5) |
+			   ((uint64_t)xform->rx_secy.preserve_sectag << 4) |
+			   ((uint64_t)xform->rx_secy.preserve_icv << 3) |
+			   ((uint64_t)xform->rx_secy.validate_frames << 1) |
+			   (uint64_t)xform->rx_secy.ctrl_port_enable;
+	}
+
+	ret = roc_mcs_secy_policy_write(mcs_dev->mdev, &req);
+	if (ret) {
+		plt_err(" Failed to configure Tx SECY");
+		return -EINVAL;
+	}
+
+	if (xform->dir == RTE_SECURITY_MACSEC_DIR_RX) {
+		struct roc_mcs_rx_sc_cam_write_req rx_sc_cam = {0};
+
+		rx_sc_cam.sci = xform->sci;
+		rx_sc_cam.secy_id = secy_id & 0x3F;
+		rx_sc_cam.sc_id = xform->sc_id;
+		ret = roc_mcs_rx_sc_cam_write(mcs_dev->mdev, &rx_sc_cam);
+		if (ret) {
+			plt_err(" Failed to write rx_sc_cam");
+			return -EINVAL;
+		}
+	}
+	macsec_sess_priv->sci = xform->sci;
+	macsec_sess_priv->sc_id = xform->sc_id;
+	macsec_sess_priv->secy_id = secy_id;
+	macsec_sess_priv->dir = dir;
+	macsec_sess_priv->sess = sess;
+
+	TAILQ_INSERT_TAIL(&dev->mcs_list, macsec_sess_priv, entry);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	struct cnxk_macsec_sess *s;
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	s = SECURITY_GET_SESS_PRIV(sess);
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_SECY;
+	stats_req.id = s->secy_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for SECY id %u, dir %u.", s->secy_id, s->dir);
+
+	req.rsrc_id = s->secy_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_SECY;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free SC id.");
+
+	TAILQ_REMOVE(&dev->mcs_list, s, entry);
+
+	return ret;
+}
+
+int
+cnxk_mcs_flow_configure(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr __rte_unused,
+			 const struct rte_flow_item pattern[],
+			 const struct rte_flow_action actions[],
+			 struct rte_flow_error *error __rte_unused, void **mcs_flow)
+{
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	const struct rte_flow_item_eth *eth_item = NULL;
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_flowid_entry_write_req req;
+	struct cnxk_mcs_flow_opts opts = {0};
+	struct cnxk_macsec_sess *sess;
+	struct rte_ether_addr src;
+	struct rte_ether_addr dst;
+	int ret;
+	int i = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	sess = cnxk_eth_macsec_sess_get_by_sess(dev,
+			(const struct rte_security_session *)actions->conf);
+	if (sess == NULL)
+		return -EINVAL;
+
+	ret = mcs_resource_alloc(mcs_dev, sess->dir, &sess->flow_id, 1,
+				 CNXK_MCS_RSRC_TYPE_FLOWID);
+	if (ret) {
+		plt_err("Failed to allocate FLow id.");
+		return -ENOMEM;
+	}
+	memset(&req, 0, sizeof(struct roc_mcs_flowid_entry_write_req));
+	req.sci = sess->sci;
+	req.flow_id = sess->flow_id;
+	req.secy_id = sess->secy_id;
+	req.sc_id = sess->sc_id;
+	req.ena = 1;
+	req.ctr_pkt = 0;
+	req.dir = sess->dir;
+
+	while (pattern[i].type != RTE_FLOW_ITEM_TYPE_END) {
+		if (pattern[i].type == RTE_FLOW_ITEM_TYPE_ETH)
+			eth_item = pattern[i].spec;
+		else
+			plt_err("Unhandled flow item : %d", pattern[i].type);
+		i++;
+	}
+	if (eth_item) {
+		dst = eth_item->hdr.dst_addr;
+		src = eth_item->hdr.src_addr;
+
+		/* Find ways to fill opts */
+
+		req.data[0] =
+			(uint64_t)dst.addr_bytes[0] << 40 | (uint64_t)dst.addr_bytes[1] << 32 |
+			(uint64_t)dst.addr_bytes[2] << 24 | (uint64_t)dst.addr_bytes[3] << 16 |
+			(uint64_t)dst.addr_bytes[4] << 8 | (uint64_t)dst.addr_bytes[5] |
+			(uint64_t)src.addr_bytes[5] << 48 | (uint64_t)src.addr_bytes[4] << 56;
+		req.data[1] = (uint64_t)src.addr_bytes[3] | (uint64_t)src.addr_bytes[2] << 8 |
+			      (uint64_t)src.addr_bytes[1] << 16 |
+			      (uint64_t)src.addr_bytes[0] << 24 |
+			      (uint64_t)eth_item->hdr.ether_type << 32 |
+			      ((uint64_t)opts.outer_tag_id & 0xFFFF) << 48;
+		req.data[2] = ((uint64_t)opts.outer_tag_id & 0xF0000) |
+			      ((uint64_t)opts.outer_priority & 0xF) << 4 |
+			      ((uint64_t)opts.second_outer_tag_id & 0xFFFFF) << 8 |
+			      ((uint64_t)opts.second_outer_priority & 0xF) << 28 |
+			      ((uint64_t)opts.bonus_data << 32) |
+			      ((uint64_t)opts.tag_match_bitmap << 48) |
+			      ((uint64_t)opts.packet_type & 0xF) << 56 |
+			      ((uint64_t)opts.outer_vlan_type & 0x7) << 60 |
+			      ((uint64_t)opts.inner_vlan_type & 0x1) << 63;
+		req.data[3] = ((uint64_t)opts.inner_vlan_type & 0x6) >> 1 |
+			      ((uint64_t)opts.num_tags & 0x7F) << 2 |
+			      ((uint64_t)opts.flowid_user & 0x1F) << 9 |
+			      ((uint64_t)opts.express & 1) << 14 |
+			      ((uint64_t)opts.lmac_id & 0x1F) << 15;
+
+		req.mask[0] = 0x0;
+		req.mask[1] = 0xFFFFFFFF00000000;
+		req.mask[2] = 0xFFFFFFFFFFFFFFFF;
+		req.mask[3] = 0xFFFFFFFFFFFFFFFF;
+
+		ret = roc_mcs_flowid_entry_write(mcs_dev->mdev, &req);
+		if (ret)
+			return ret;
+		*mcs_flow = (void *)(uintptr_t)actions->conf;
+	} else {
+		plt_err("Flow not confirured");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+int
+cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
+{
+	const struct cnxk_macsec_sess *s = cnxk_eth_macsec_sess_get_by_sess(dev, flow);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_clear_stats stats_req = {0};
+	struct roc_mcs_free_rsrc_req req = {0};
+	int ret = 0;
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	if (s == NULL)
+		return 0;
+
+	stats_req.type = CNXK_MCS_RSRC_TYPE_FLOWID;
+	stats_req.id = s->flow_id;
+	stats_req.dir = s->dir;
+	stats_req.all = 0;
+
+	ret = roc_mcs_stats_clear(mcs_dev->mdev, &stats_req);
+	if (ret)
+		plt_err("Failed to clear stats for Flow id %u, dir %u.", s->flow_id, s->dir);
+
+	req.rsrc_id = s->flow_id;
+	req.dir = s->dir;
+	req.rsrc_type = CNXK_MCS_RSRC_TYPE_FLOWID;
+
+	ret = roc_mcs_rsrc_free(mcs_dev->mdev, &req);
+	if (ret)
+		plt_err("Failed to free flow_id: %d.", s->flow_id);
+
+	return ret;
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index 1076cd16b5..a9148cc374 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -24,6 +24,27 @@ enum cnxk_mcs_rsrc_type {
 	CNXK_MCS_RSRC_TYPE_PORT,
 };
 
+struct cnxk_mcs_flow_opts {
+	uint32_t outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS.*/
+	uint32_t second_outer_tag_id;
+	/**< {VLAN_ID[11:0]}, or 20-bit MPLS label*/
+	uint8_t second_outer_priority;
+	/**< {PCP/Pbits, DE/CFI} or {1'b0, EXP} for MPLS. */
+	uint16_t bonus_data;
+	/**< 2 bytes of additional bonus data extracted from one of the custom tags*/
+	uint8_t tag_match_bitmap;
+	uint8_t packet_type;
+	uint8_t outer_vlan_type;
+	uint8_t inner_vlan_type;
+	uint8_t num_tags;
+	bool express;
+	uint8_t lmac_id;
+	uint8_t flowid_user;
+};
+
 struct cnxk_mcs_event_data {
 	/* Valid for below events
 	 * - ROC_MCS_EVENT_RX_SA_PN_SOFT_EXP
@@ -79,4 +100,8 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
 
+int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
+				   struct rte_security_session *sess);
+int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
+
 #endif /* CNXK_ETHDEV_MCS_H */
diff --git a/drivers/net/cnxk/cnxk_ethdev_sec.c b/drivers/net/cnxk/cnxk_ethdev_sec.c
index a66d58ca61..dc17c128de 100644
--- a/drivers/net/cnxk/cnxk_ethdev_sec.c
+++ b/drivers/net/cnxk/cnxk_ethdev_sec.c
@@ -284,7 +284,7 @@ cnxk_eth_sec_sess_get_by_sess(struct cnxk_eth_dev *dev,
 static unsigned int
 cnxk_eth_sec_session_get_size(void *device __rte_unused)
 {
-	return sizeof(struct cnxk_eth_sec_sess);
+	return RTE_MAX(sizeof(struct cnxk_macsec_sess), sizeof(struct cnxk_eth_sec_sess));
 }
 
 struct rte_security_ops cnxk_eth_sec_ops = {
diff --git a/drivers/net/cnxk/cnxk_flow.c b/drivers/net/cnxk/cnxk_flow.c
index d9d9478ade..1b88542dcb 100644
--- a/drivers/net/cnxk/cnxk_flow.c
+++ b/drivers/net/cnxk/cnxk_flow.c
@@ -289,6 +289,11 @@ cnxk_flow_validate(struct rte_eth_dev *eth_dev, const struct rte_flow_attr *attr
 	uint16_t dst_pf_func = 0;
 	int rc;
 
+	/* Skip flow validation for MACsec. */
+	if (actions[0].type == RTE_FLOW_ACTION_TYPE_SECURITY &&
+	    cnxk_eth_macsec_sess_get_by_sess(dev, actions[0].conf) != NULL)
+		return 0;
+
 	memset(&flow, 0, sizeof(flow));
 	flow.is_validate = true;
 
-- 
2.25.1

[PATCH v5 15/15] net/cnxk: add MACsec stats

[Akhil Goyal]

Added support for MACsec SC/flow/session stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/guides/rel_notes/release_23_07.rst | 10 ++--
 drivers/net/cnxk/cn10k_ethdev_sec.c    | 11 +++--
 drivers/net/cnxk/cnxk_ethdev_mcs.c     | 64 ++++++++++++++++++++++++++
 drivers/net/cnxk/cnxk_ethdev_mcs.h     |  9 ++++
 4 files changed, 87 insertions(+), 7 deletions(-)

diff --git a/doc/guides/rel_notes/release_23_07.rst b/doc/guides/rel_notes/release_23_07.rst
index 915c37529a..d6af8c25a7 100644
--- a/doc/guides/rel_notes/release_23_07.rst
+++ b/doc/guides/rel_notes/release_23_07.rst
@@ -139,6 +139,12 @@ New Features
   for new capability registers, large passthrough BAR and some
   performance enhancements for UPT.
 
+* **Updated Marvell cnxk ethdev driver.**
+
+  * Extended ``RTE_FLOW_ACTION_TYPE_PORT_ID`` to redirect traffic across PF ports.
+  * Added support for Inline MACsec processing using rte_security framework
+    for CN103 platform.
+
 * **Added new algorithms to cryptodev.**
 
   * Added asymmetric algorithm ShangMi 2 (SM2) along with prime field curve support.
@@ -155,10 +161,6 @@ New Features
   * Added support for SM3 hash operations.
   * Added support for AES-CCM in cn9k and cn10k drivers.
 
-* **Updated Marvell cnxk ethdev driver.**
-
-  * Extended ``RTE_FLOW_ACTION_TYPE_PORT_ID`` to redirect traffic across PF ports.
-
 * **Updated OpenSSL crypto driver.**
 
   * Added SM2 algorithm support in asymmetric crypto operations.
diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
index f20e573338..b98fc9378e 100644
--- a/drivers/net/cnxk/cn10k_ethdev_sec.c
+++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
@@ -1058,12 +1058,17 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
 {
 	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
 	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_macsec_sess *macsec_sess;
 	struct cnxk_eth_sec_sess *eth_sec;
 	int rc;
 
 	eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
-	if (eth_sec == NULL)
+	if (eth_sec == NULL) {
+		macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
+		if (macsec_sess)
+			return cnxk_eth_macsec_session_stats_get(dev, macsec_sess, stats);
 		return -EINVAL;
+	}
 
 	rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
 			    ROC_NIX_INL_SA_OP_FLUSH);
@@ -1107,6 +1112,6 @@ cn10k_eth_sec_ops_override(void)
 	cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
 	cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
 	cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
-	cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
-	cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
+	cnxk_eth_sec_ops.macsec_sc_stats_get = cnxk_eth_macsec_sc_stats_get;
+	cnxk_eth_sec_ops.macsec_sa_stats_get = cnxk_eth_macsec_sa_stats_get;
 }
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
index 87bfcb8b4e..5264774394 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
@@ -521,6 +521,70 @@ cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
 	return ret;
 }
 
+int
+cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_SET_USED(device);
+	RTE_SET_USED(sa_id);
+	RTE_SET_USED(dir);
+	RTE_SET_USED(stats);
+
+	return 0;
+}
+
+int
+cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir,
+			     struct rte_security_macsec_sc_stats *stats)
+{
+	struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
+	struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sc_id;
+	req.dir = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? MCS_RX : MCS_TX;
+
+	return roc_mcs_sc_stats_get(mcs_dev->mdev, &req, (struct roc_mcs_sc_stats *)stats);
+}
+
+int
+cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				  struct rte_security_stats *stats)
+{
+	struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
+	struct roc_mcs_flowid_stats flow_stats = {0};
+	struct roc_mcs_port_stats port_stats = {0};
+	struct roc_mcs_stats_req req = {0};
+
+	if (!roc_feature_nix_has_macsec())
+		return -ENOTSUP;
+
+	req.id = sess->flow_id;
+	req.dir = sess->dir;
+	roc_mcs_flowid_stats_get(mcs_dev->mdev, &req, &flow_stats);
+	plt_nix_dbg("\n******* FLOW_ID IDX[%u] STATS dir: %u********\n", sess->flow_id, sess->dir);
+	plt_nix_dbg("TX: tcam_hit_cnt: 0x%" PRIx64 "\n", flow_stats.tcam_hit_cnt);
+
+	req.id = mcs_dev->port_id;
+	req.dir = sess->dir;
+	roc_mcs_port_stats_get(mcs_dev->mdev, &req, &port_stats);
+	plt_nix_dbg("\n********** PORT[0] STATS ****************\n");
+	plt_nix_dbg("RX tcam_miss_cnt: 0x%" PRIx64 "\n", port_stats.tcam_miss_cnt);
+	plt_nix_dbg("RX parser_err_cnt: 0x%" PRIx64 "\n", port_stats.parser_err_cnt);
+	plt_nix_dbg("RX preempt_err_cnt: 0x%" PRIx64 "\n", port_stats.preempt_err_cnt);
+	plt_nix_dbg("RX sectag_insert_err_cnt: 0x%" PRIx64 "\n", port_stats.sectag_insert_err_cnt);
+
+	req.id = sess->secy_id;
+	req.dir = sess->dir;
+
+	return roc_mcs_secy_stats_get(mcs_dev->mdev, &req,
+				      (struct roc_mcs_secy_stats *)(&stats->macsec));
+}
+
 static int
 cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
 {
diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
index a9148cc374..131dab10c5 100644
--- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
+++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
@@ -100,6 +100,15 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
 int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
 			       enum rte_security_macsec_direction dir);
 
+int cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sa_stats *stats);
+int cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sa_id,
+				 enum rte_security_macsec_direction dir,
+				 struct rte_security_macsec_sc_stats *stats);
+int cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
+				      struct rte_security_stats *stats);
+
 int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
 				   struct rte_security_session *sess);
 int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
-- 
2.25.1

Re: [PATCH v5 15/15] net/cnxk: add MACsec stats

[Jerin Jacob]

On Wed, Jun 14, 2023 at 6:41 PM Akhil Goyal <gakhil@marvell.com> wrote:
>
> Added support for MACsec SC/flow/session stats.
>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>


Series applied to dpdk-next-net-mrvl/for-next-net. Thanks

> ---
>  doc/guides/rel_notes/release_23_07.rst | 10 ++--
>  drivers/net/cnxk/cn10k_ethdev_sec.c    | 11 +++--
>  drivers/net/cnxk/cnxk_ethdev_mcs.c     | 64 ++++++++++++++++++++++++++
>  drivers/net/cnxk/cnxk_ethdev_mcs.h     |  9 ++++
>  4 files changed, 87 insertions(+), 7 deletions(-)
>
> diff --git a/doc/guides/rel_notes/release_23_07.rst b/doc/guides/rel_notes/release_23_07.rst
> index 915c37529a..d6af8c25a7 100644
> --- a/doc/guides/rel_notes/release_23_07.rst
> +++ b/doc/guides/rel_notes/release_23_07.rst
> @@ -139,6 +139,12 @@ New Features
>    for new capability registers, large passthrough BAR and some
>    performance enhancements for UPT.
>
> +* **Updated Marvell cnxk ethdev driver.**
> +
> +  * Extended ``RTE_FLOW_ACTION_TYPE_PORT_ID`` to redirect traffic across PF ports.
> +  * Added support for Inline MACsec processing using rte_security framework
> +    for CN103 platform.
> +
>  * **Added new algorithms to cryptodev.**
>
>    * Added asymmetric algorithm ShangMi 2 (SM2) along with prime field curve support.
> @@ -155,10 +161,6 @@ New Features
>    * Added support for SM3 hash operations.
>    * Added support for AES-CCM in cn9k and cn10k drivers.
>
> -* **Updated Marvell cnxk ethdev driver.**
> -
> -  * Extended ``RTE_FLOW_ACTION_TYPE_PORT_ID`` to redirect traffic across PF ports.
> -
>  * **Updated OpenSSL crypto driver.**
>
>    * Added SM2 algorithm support in asymmetric crypto operations.
> diff --git a/drivers/net/cnxk/cn10k_ethdev_sec.c b/drivers/net/cnxk/cn10k_ethdev_sec.c
> index f20e573338..b98fc9378e 100644
> --- a/drivers/net/cnxk/cn10k_ethdev_sec.c
> +++ b/drivers/net/cnxk/cn10k_ethdev_sec.c
> @@ -1058,12 +1058,17 @@ cn10k_eth_sec_session_stats_get(void *device, struct rte_security_session *sess,
>  {
>         struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
>         struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
> +       struct cnxk_macsec_sess *macsec_sess;
>         struct cnxk_eth_sec_sess *eth_sec;
>         int rc;
>
>         eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
> -       if (eth_sec == NULL)
> +       if (eth_sec == NULL) {
> +               macsec_sess = cnxk_eth_macsec_sess_get_by_sess(dev, sess);
> +               if (macsec_sess)
> +                       return cnxk_eth_macsec_session_stats_get(dev, macsec_sess, stats);
>                 return -EINVAL;
> +       }
>
>         rc = roc_nix_inl_sa_sync(&dev->nix, eth_sec->sa, eth_sec->inb,
>                             ROC_NIX_INL_SA_OP_FLUSH);
> @@ -1107,6 +1112,6 @@ cn10k_eth_sec_ops_override(void)
>         cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;
>         cnxk_eth_sec_ops.session_update = cn10k_eth_sec_session_update;
>         cnxk_eth_sec_ops.session_stats_get = cn10k_eth_sec_session_stats_get;
> -       cnxk_eth_sec_ops.macsec_sc_stats_get = NULL;
> -       cnxk_eth_sec_ops.macsec_sa_stats_get = NULL;
> +       cnxk_eth_sec_ops.macsec_sc_stats_get = cnxk_eth_macsec_sc_stats_get;
> +       cnxk_eth_sec_ops.macsec_sa_stats_get = cnxk_eth_macsec_sa_stats_get;
>  }
> diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.c b/drivers/net/cnxk/cnxk_ethdev_mcs.c
> index 87bfcb8b4e..5264774394 100644
> --- a/drivers/net/cnxk/cnxk_ethdev_mcs.c
> +++ b/drivers/net/cnxk/cnxk_ethdev_mcs.c
> @@ -521,6 +521,70 @@ cnxk_mcs_flow_destroy(struct cnxk_eth_dev *dev, void *flow)
>         return ret;
>  }
>
> +int
> +cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id, enum rte_security_macsec_direction dir,
> +                            struct rte_security_macsec_sa_stats *stats)
> +{
> +       RTE_SET_USED(device);
> +       RTE_SET_USED(sa_id);
> +       RTE_SET_USED(dir);
> +       RTE_SET_USED(stats);
> +
> +       return 0;
> +}
> +
> +int
> +cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sc_id, enum rte_security_macsec_direction dir,
> +                            struct rte_security_macsec_sc_stats *stats)
> +{
> +       struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
> +       struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
> +       struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
> +       struct roc_mcs_stats_req req = {0};
> +
> +       if (!roc_feature_nix_has_macsec())
> +               return -ENOTSUP;
> +
> +       req.id = sc_id;
> +       req.dir = (dir == RTE_SECURITY_MACSEC_DIR_RX) ? MCS_RX : MCS_TX;
> +
> +       return roc_mcs_sc_stats_get(mcs_dev->mdev, &req, (struct roc_mcs_sc_stats *)stats);
> +}
> +
> +int
> +cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
> +                                 struct rte_security_stats *stats)
> +{
> +       struct cnxk_mcs_dev *mcs_dev = dev->mcs_dev;
> +       struct roc_mcs_flowid_stats flow_stats = {0};
> +       struct roc_mcs_port_stats port_stats = {0};
> +       struct roc_mcs_stats_req req = {0};
> +
> +       if (!roc_feature_nix_has_macsec())
> +               return -ENOTSUP;
> +
> +       req.id = sess->flow_id;
> +       req.dir = sess->dir;
> +       roc_mcs_flowid_stats_get(mcs_dev->mdev, &req, &flow_stats);
> +       plt_nix_dbg("\n******* FLOW_ID IDX[%u] STATS dir: %u********\n", sess->flow_id, sess->dir);
> +       plt_nix_dbg("TX: tcam_hit_cnt: 0x%" PRIx64 "\n", flow_stats.tcam_hit_cnt);
> +
> +       req.id = mcs_dev->port_id;
> +       req.dir = sess->dir;
> +       roc_mcs_port_stats_get(mcs_dev->mdev, &req, &port_stats);
> +       plt_nix_dbg("\n********** PORT[0] STATS ****************\n");
> +       plt_nix_dbg("RX tcam_miss_cnt: 0x%" PRIx64 "\n", port_stats.tcam_miss_cnt);
> +       plt_nix_dbg("RX parser_err_cnt: 0x%" PRIx64 "\n", port_stats.parser_err_cnt);
> +       plt_nix_dbg("RX preempt_err_cnt: 0x%" PRIx64 "\n", port_stats.preempt_err_cnt);
> +       plt_nix_dbg("RX sectag_insert_err_cnt: 0x%" PRIx64 "\n", port_stats.sectag_insert_err_cnt);
> +
> +       req.id = sess->secy_id;
> +       req.dir = sess->dir;
> +
> +       return roc_mcs_secy_stats_get(mcs_dev->mdev, &req,
> +                                     (struct roc_mcs_secy_stats *)(&stats->macsec));
> +}
> +
>  static int
>  cnxk_mcs_event_cb(void *userdata, struct roc_mcs_event_desc *desc, void *cb_arg)
>  {
> diff --git a/drivers/net/cnxk/cnxk_ethdev_mcs.h b/drivers/net/cnxk/cnxk_ethdev_mcs.h
> index a9148cc374..131dab10c5 100644
> --- a/drivers/net/cnxk/cnxk_ethdev_mcs.h
> +++ b/drivers/net/cnxk/cnxk_ethdev_mcs.h
> @@ -100,6 +100,15 @@ int cnxk_eth_macsec_sa_destroy(void *device, uint16_t sa_id,
>  int cnxk_eth_macsec_sc_destroy(void *device, uint16_t sc_id,
>                                enum rte_security_macsec_direction dir);
>
> +int cnxk_eth_macsec_sa_stats_get(void *device, uint16_t sa_id,
> +                                enum rte_security_macsec_direction dir,
> +                                struct rte_security_macsec_sa_stats *stats);
> +int cnxk_eth_macsec_sc_stats_get(void *device, uint16_t sa_id,
> +                                enum rte_security_macsec_direction dir,
> +                                struct rte_security_macsec_sc_stats *stats);
> +int cnxk_eth_macsec_session_stats_get(struct cnxk_eth_dev *dev, struct cnxk_macsec_sess *sess,
> +                                     struct rte_security_stats *stats);
> +
>  int cnxk_eth_macsec_session_create(struct cnxk_eth_dev *dev, struct rte_security_session_conf *conf,
>                                    struct rte_security_session *sess);
>  int cnxk_eth_macsec_session_destroy(struct cnxk_eth_dev *dev, struct rte_security_session *sess);
> --
> 2.25.1
>