| Antoine Tenart | c0e4ead | 2020-01-13 23:31:39 +0100 | [diff] [blame] | 1 | /* SPDX-License-Identifier: GPL-2.0+ */ |
| 2 | /* |
| 3 | * MACsec netdev header, used for h/w accelerated implementations. |
| 4 | * |
| 5 | * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net> |
| 6 | */ |
| 7 | #ifndef _NET_MACSEC_H_ |
| 8 | #define _NET_MACSEC_H_ |
| 9 | |
| 10 | #include <linux/u64_stats_sync.h> |
| 11 | #include <uapi/linux/if_link.h> |
| 12 | #include <uapi/linux/if_macsec.h> |
| 13 | |
| 14 | typedef u64 __bitwise sci_t; |
| 15 | |
| 16 | #define MACSEC_NUM_AN 4 /* 2 bits for the association number */ |
| 17 | |
| 18 | /** |
| 19 | * struct macsec_key - SA key |
| 20 | * @id: user-provided key identifier |
| 21 | * @tfm: crypto struct, key storage |
| 22 | */ |
| 23 | struct macsec_key { |
| 24 | u8 id[MACSEC_KEYID_LEN]; |
| 25 | struct crypto_aead *tfm; |
| 26 | }; |
| 27 | |
| 28 | struct macsec_rx_sc_stats { |
| 29 | __u64 InOctetsValidated; |
| 30 | __u64 InOctetsDecrypted; |
| 31 | __u64 InPktsUnchecked; |
| 32 | __u64 InPktsDelayed; |
| 33 | __u64 InPktsOK; |
| 34 | __u64 InPktsInvalid; |
| 35 | __u64 InPktsLate; |
| 36 | __u64 InPktsNotValid; |
| 37 | __u64 InPktsNotUsingSA; |
| 38 | __u64 InPktsUnusedSA; |
| 39 | }; |
| 40 | |
| 41 | struct macsec_rx_sa_stats { |
| 42 | __u32 InPktsOK; |
| 43 | __u32 InPktsInvalid; |
| 44 | __u32 InPktsNotValid; |
| 45 | __u32 InPktsNotUsingSA; |
| 46 | __u32 InPktsUnusedSA; |
| 47 | }; |
| 48 | |
| 49 | struct macsec_tx_sa_stats { |
| 50 | __u32 OutPktsProtected; |
| 51 | __u32 OutPktsEncrypted; |
| 52 | }; |
| 53 | |
| 54 | struct macsec_tx_sc_stats { |
| 55 | __u64 OutPktsProtected; |
| 56 | __u64 OutPktsEncrypted; |
| 57 | __u64 OutOctetsProtected; |
| 58 | __u64 OutOctetsEncrypted; |
| 59 | }; |
| 60 | |
| 61 | /** |
| 62 | * struct macsec_rx_sa - receive secure association |
| 63 | * @active: |
| 64 | * @next_pn: packet number expected for the next packet |
| 65 | * @lock: protects next_pn manipulations |
| 66 | * @key: key structure |
| 67 | * @stats: per-SA stats |
| 68 | */ |
| 69 | struct macsec_rx_sa { |
| 70 | struct macsec_key key; |
| 71 | spinlock_t lock; |
| 72 | u32 next_pn; |
| 73 | refcount_t refcnt; |
| 74 | bool active; |
| 75 | struct macsec_rx_sa_stats __percpu *stats; |
| 76 | struct macsec_rx_sc *sc; |
| 77 | struct rcu_head rcu; |
| 78 | }; |
| 79 | |
| 80 | struct pcpu_rx_sc_stats { |
| 81 | struct macsec_rx_sc_stats stats; |
| 82 | struct u64_stats_sync syncp; |
| 83 | }; |
| 84 | |
| 85 | struct pcpu_tx_sc_stats { |
| 86 | struct macsec_tx_sc_stats stats; |
| 87 | struct u64_stats_sync syncp; |
| 88 | }; |
| 89 | |
| 90 | /** |
| 91 | * struct macsec_rx_sc - receive secure channel |
| 92 | * @sci: secure channel identifier for this SC |
| 93 | * @active: channel is active |
| 94 | * @sa: array of secure associations |
| 95 | * @stats: per-SC stats |
| 96 | */ |
| 97 | struct macsec_rx_sc { |
| 98 | struct macsec_rx_sc __rcu *next; |
| 99 | sci_t sci; |
| 100 | bool active; |
| 101 | struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN]; |
| 102 | struct pcpu_rx_sc_stats __percpu *stats; |
| 103 | refcount_t refcnt; |
| 104 | struct rcu_head rcu_head; |
| 105 | }; |
| 106 | |
| 107 | /** |
| 108 | * struct macsec_tx_sa - transmit secure association |
| 109 | * @active: |
| 110 | * @next_pn: packet number to use for the next packet |
| 111 | * @lock: protects next_pn manipulations |
| 112 | * @key: key structure |
| 113 | * @stats: per-SA stats |
| 114 | */ |
| 115 | struct macsec_tx_sa { |
| 116 | struct macsec_key key; |
| 117 | spinlock_t lock; |
| 118 | u32 next_pn; |
| 119 | refcount_t refcnt; |
| 120 | bool active; |
| 121 | struct macsec_tx_sa_stats __percpu *stats; |
| 122 | struct rcu_head rcu; |
| 123 | }; |
| 124 | |
| 125 | /** |
| 126 | * struct macsec_tx_sc - transmit secure channel |
| 127 | * @active: |
| 128 | * @encoding_sa: association number of the SA currently in use |
| 129 | * @encrypt: encrypt packets on transmit, or authenticate only |
| 130 | * @send_sci: always include the SCI in the SecTAG |
| 131 | * @end_station: |
| 132 | * @scb: single copy broadcast flag |
| 133 | * @sa: array of secure associations |
| 134 | * @stats: stats for this TXSC |
| 135 | */ |
| 136 | struct macsec_tx_sc { |
| 137 | bool active; |
| 138 | u8 encoding_sa; |
| 139 | bool encrypt; |
| 140 | bool send_sci; |
| 141 | bool end_station; |
| 142 | bool scb; |
| 143 | struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN]; |
| 144 | struct pcpu_tx_sc_stats __percpu *stats; |
| 145 | }; |
| 146 | |
| 147 | /** |
| 148 | * struct macsec_secy - MACsec Security Entity |
| 149 | * @netdev: netdevice for this SecY |
| 150 | * @n_rx_sc: number of receive secure channels configured on this SecY |
| 151 | * @sci: secure channel identifier used for tx |
| 152 | * @key_len: length of keys used by the cipher suite |
| 153 | * @icv_len: length of ICV used by the cipher suite |
| 154 | * @validate_frames: validation mode |
| 155 | * @operational: MAC_Operational flag |
| 156 | * @protect_frames: enable protection for this SecY |
| 157 | * @replay_protect: enable packet number checks on receive |
| 158 | * @replay_window: size of the replay window |
| 159 | * @tx_sc: transmit secure channel |
| 160 | * @rx_sc: linked list of receive secure channels |
| 161 | */ |
| 162 | struct macsec_secy { |
| 163 | struct net_device *netdev; |
| 164 | unsigned int n_rx_sc; |
| 165 | sci_t sci; |
| 166 | u16 key_len; |
| 167 | u16 icv_len; |
| 168 | enum macsec_validation_type validate_frames; |
| 169 | bool operational; |
| 170 | bool protect_frames; |
| 171 | bool replay_protect; |
| 172 | u32 replay_window; |
| 173 | struct macsec_tx_sc tx_sc; |
| 174 | struct macsec_rx_sc __rcu *rx_sc; |
| 175 | }; |
| 176 | |
| Antoine Tenart | 7656426 | 2020-01-13 23:31:40 +0100 | [diff] [blame] | 177 | /** |
| 178 | * struct macsec_context - MACsec context for hardware offloading |
| 179 | */ |
| 180 | struct macsec_context { |
| 181 | struct phy_device *phydev; |
| 182 | enum macsec_offload offload; |
| 183 | |
| 184 | struct macsec_secy *secy; |
| 185 | struct macsec_rx_sc *rx_sc; |
| 186 | struct { |
| 187 | unsigned char assoc_num; |
| 188 | u8 key[MACSEC_KEYID_LEN]; |
| 189 | union { |
| 190 | struct macsec_rx_sa *rx_sa; |
| 191 | struct macsec_tx_sa *tx_sa; |
| 192 | }; |
| 193 | } sa; |
| 194 | |
| 195 | u8 prepare:1; |
| 196 | }; |
| 197 | |
| Antoine Tenart | 0830e20 | 2020-01-13 23:31:41 +0100 | [diff] [blame] | 198 | /** |
| 199 | * struct macsec_ops - MACsec offloading operations |
| 200 | */ |
| 201 | struct macsec_ops { |
| 202 | /* Device wide */ |
| 203 | int (*mdo_dev_open)(struct macsec_context *ctx); |
| 204 | int (*mdo_dev_stop)(struct macsec_context *ctx); |
| 205 | /* SecY */ |
| 206 | int (*mdo_add_secy)(struct macsec_context *ctx); |
| 207 | int (*mdo_upd_secy)(struct macsec_context *ctx); |
| 208 | int (*mdo_del_secy)(struct macsec_context *ctx); |
| 209 | /* Security channels */ |
| 210 | int (*mdo_add_rxsc)(struct macsec_context *ctx); |
| 211 | int (*mdo_upd_rxsc)(struct macsec_context *ctx); |
| 212 | int (*mdo_del_rxsc)(struct macsec_context *ctx); |
| 213 | /* Security associations */ |
| 214 | int (*mdo_add_rxsa)(struct macsec_context *ctx); |
| 215 | int (*mdo_upd_rxsa)(struct macsec_context *ctx); |
| 216 | int (*mdo_del_rxsa)(struct macsec_context *ctx); |
| 217 | int (*mdo_add_txsa)(struct macsec_context *ctx); |
| 218 | int (*mdo_upd_txsa)(struct macsec_context *ctx); |
| 219 | int (*mdo_del_txsa)(struct macsec_context *ctx); |
| 220 | }; |
| 221 | |
| Antoine Tenart | 5c937de | 2020-01-13 23:31:47 +0100 | [diff] [blame] | 222 | void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa); |
| 223 | |
| Antoine Tenart | c0e4ead | 2020-01-13 23:31:39 +0100 | [diff] [blame] | 224 | #endif /* _NET_MACSEC_H_ */ |