1/* SPDX-License-Identifier: GPL-2.0+ */
2/*
3 * MACsec netdev header, used for h/w accelerated implementations.
4 *
5 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
6 */
7#ifndef _NET_MACSEC_H_
8#define _NET_MACSEC_H_
9
10#include <linux/u64_stats_sync.h>
11#include <uapi/linux/if_link.h>
12#include <uapi/linux/if_macsec.h>
13
/*
 * Byte width of the packet number (PN) tracked per SA: 32 bits for the
 * default cipher suites, 64 bits for the XPN (extended packet numbering)
 * suites.  See pn_t below for how the 64-bit value is split into halves.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

/*
 * The XPN salt is 96 bits.  This matches the packed layout of union salt
 * below (u32 ssci + u64 pn = 12 bytes).
 */
#define MACSEC_SALT_LEN 12
#define MACSEC_NUM_AN 4 /* 2 bits for the association number, so at most 4 SAs per SC */
19
/*
 * Secure Channel Identifier (64-bit) and Short SCI (32-bit).  Both carry the
 * sparse __bitwise annotation so they cannot be silently mixed with plain
 * integers or with each other without an explicit cast; that is deliberate.
 * The byte order of the value held inside is a caller convention that this
 * header does not express.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;
22
/*
 * 96-bit salt used by the XPN cipher suites (stored in struct macsec_key).
 * The anonymous struct and the byte array alias the same MACSEC_SALT_LEN
 * bytes.  Both __packed attributes matter: they keep pn immediately after
 * the u32 ssci with no padding, so the structured view and bytes[] stay in
 * sync.  Removing either would silently change the salt that reaches the
 * cipher.
 */
typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;
30
/*
 * 64-bit packet number viewable either whole (full64) or as two 32-bit
 * halves.  Which half sits first in memory is chosen per host byte order so
 * that `lower` always aliases the least-significant 32 bits of full64 and
 * `upper` the most-significant, on both little- and big-endian hosts.
 * NOTE(review): presumably the split view exists because the on-wire PN
 * field is narrower than the 64-bit XPN counter -- confirm against the
 * users in drivers/net/macsec.c.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error	"Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;
45
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes); an identifier
 *	only -- the key bytes themselves are not stored in this struct
 * @tfm: crypto struct, key storage: the AEAD transform that holds the actual
 *	key material
 * @salt: salt used to generate IV in XPN cipher suites (see salt_t)
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};
57
/*
 * Per receive-SC counters, 64-bit.  Names follow the IEEE 802.1AE MIB
 * objects they are reported as; their exact semantics (e.g. which of
 * Delayed/Late/Invalid/NotValid a replay-window or ICV failure lands in) are
 * defined by the users in macsec.c and the standard, not by this header.
 * Instances are per-CPU, paired with a u64_stats_sync in
 * struct pcpu_rx_sc_stats so the 64-bit values can be read consistently.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};
70
/*
 * Per receive-SA counters.  A subset of the SC counters, but only 32-bit
 * wide, so they can wrap; the 64-bit totals live in the SC-level struct.
 * Referenced per-CPU from struct macsec_rx_sa without a u64_stats_sync.
 */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};
78
/*
 * Per transmit-SA counters, 32-bit (may wrap).  Protected = integrity only,
 * Encrypted = integrity plus confidentiality, following the MIB naming.
 */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};
83
/*
 * Per transmit-SC counters, 64-bit.  Per-CPU instances are paired with a
 * u64_stats_sync in struct pcpu_tx_sc_stats.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};
90
/*
 * SecY-wide (device-level) counters, 64-bit: frames that never reached a
 * specific SC/SA, e.g. untagged, badly tagged or unknown-SCI frames.  These
 * are the counters a receiver can use to spot spoofed or stripped SecTAGs.
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};
101
/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier (XPN; cf. the ssci field of salt_t)
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as its two 32-bit halves (same storage)
 * @next_pn: packet number expected for the next packet
 * @refcnt: reference count on this SA; the release path is in macsec.c,
 *	presumably deferring the free through @rcu
 * @active: SA is enabled
 * @stats: per-SA stats (per-CPU)
 * @sc: back-pointer to the receive SC this SA belongs to
 * @rcu: RCU head used to defer freeing the SA
 *
 * Readers reach an SA through the RCU-protected sa[] array of its SC, so
 * the SA must stay valid for a grace period after it is unlinked.
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};
125
/* Per-CPU wrapper pairing the 64-bit RX SC counters with their u64_stats_sync. */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};
130
/* Per-CPU wrapper pairing the 64-bit TX SC counters with their u64_stats_sync. */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};
135
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next SC in the SecY's RCU-protected rx_sc list
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 *	(0 .. MACSEC_NUM_AN - 1); entries are RCU-protected pointers
 * @stats: per-SC stats (per-CPU)
 * @refcnt: reference count on this SC
 * @rcu_head: RCU head used to defer freeing the SC
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};
152
/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier (XPN; cf. the ssci field of salt_t)
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as its two 32-bit halves (same storage)
 * @next_pn: packet number to use for the next packet
 * @refcnt: reference count on this SA; freed via @rcu by macsec.c, presumably
 * @active: SA is enabled
 * @stats: per-SA stats (per-CPU)
 * @rcu: RCU head used to defer freeing the SA
 *
 * The PN feeds the per-packet IV, so @next_pn must only ever move forward
 * under @lock; see macsec_pn_wrapped() for what happens when it runs out.
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};
175
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use (index into
 *	@sa, 0 .. MACSEC_NUM_AN - 1)
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end-station flag (NOTE(review): presumably the ES bit of
 *	the SecTAG TCI -- confirm in the TX path)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, RCU-protected pointers indexed by AN
 * @stats: stats for this TXSC (per-CPU)
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
};
197
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode (enum macsec_validation_type from the
 *	uapi header)
 * @xpn: enable XPN for this SecY (64-bit PNs, salted IVs; see salt_t)
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window; presumably only consulted when
 *	@replay_protect is set -- the check itself lives in macsec.c.  Note
 *	that with replay protection off, or a large window, received PNs are
 *	not a replay defence.
 * @tx_sc: transmit secure channel (embedded, one per SecY)
 * @rx_sc: linked list of receive secure channels (RCU-protected head)
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};
229
/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: the offloading net_device (MAC offload)
 * @phydev: the offloading phy_device (PHY offload); shares storage with
 *	@netdev
 * @offload: offload type; presumably selects which of @netdev/@phydev is
 *	the live union member -- confirm in drivers/net/macsec.c
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC the operation applies to, for RXSC/RXSA operations
 * @sa.update_pn: NOTE(review): from the name, set when an SA update should
 *	also reprogram the packet number -- confirm with the callers
 * @sa.assoc_num: association number of the SA (0 .. MACSEC_NUM_AN - 1)
 * @sa.key: raw key bytes for an add/update-SA operation.  This is plaintext
 *	key material: a driver must consume it inside the callback (program it
 *	into hardware) and must not retain, log or copy it elsewhere.  The
 *	caller is responsible for wiping this buffer after the call; that is
 *	not visible from this header -- confirm in drivers/net/macsec.c.
 * @sa.rx_sa: receive SA for RXSA operations (shares storage with @sa.tx_sa)
 * @sa.tx_sa: transmit SA for TXSA operations
 * @stats: output buffer for the mdo_get_*_stats operations; the valid
 *	union member is the one matching the operation being called
 * @prepare: NOTE(review): looks like a two-phase (prepare, then commit)
 *	scheme where each op is called once with prepare set and once clear;
 *	confirm in the caller before relying on it in a driver
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		bool update_pn;
		unsigned char assoc_num;
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats  *dev_stats;
	} stats;

	u8 prepare:1;
};
261
/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: device-wide: the SecY's netdev is brought up
 * @mdo_dev_stop: device-wide: the SecY's netdev is taken down
 * @mdo_add_secy: create the SecY described by ctx->secy in hardware
 * @mdo_upd_secy: apply changed SecY parameters
 * @mdo_del_secy: remove the SecY
 * @mdo_add_rxsc: create the receive SC in ctx->rx_sc
 * @mdo_upd_rxsc: apply changed receive SC parameters
 * @mdo_del_rxsc: remove the receive SC
 * @mdo_add_rxsa: install the receive SA in ctx->sa (key in ctx->sa.key)
 * @mdo_upd_rxsa: update the receive SA in ctx->sa
 * @mdo_del_rxsa: remove the receive SA
 * @mdo_add_txsa: install the transmit SA in ctx->sa (key in ctx->sa.key)
 * @mdo_upd_txsa: update the transmit SA in ctx->sa
 * @mdo_del_txsa: remove the transmit SA
 * @mdo_get_dev_stats: fill ctx->stats.dev_stats
 * @mdo_get_tx_sc_stats: fill ctx->stats.tx_sc_stats
 * @mdo_get_tx_sa_stats: fill ctx->stats.tx_sa_stats
 * @mdo_get_rx_sc_stats: fill ctx->stats.rx_sc_stats
 * @mdo_get_rx_sa_stats: fill ctx->stats.rx_sa_stats
 *
 * Every op receives the same struct macsec_context and returns an int;
 * presumably 0 on success and a negative errno otherwise, per kernel
 * convention -- confirm against the caller in drivers/net/macsec.c.
 * Implementations of the add/upd SA ops handle plaintext key material in
 * ctx->sa.key and must not keep it beyond the callback.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};
291
/*
 * Hook for offloading drivers to report that @tx_sa's packet number has
 * wrapped in hardware; the handling lives in drivers/net/macsec.c, not here.
 * Since the PN feeds the AEAD IV, continuing to transmit on the same key
 * after a wrap would reuse nonces, so a driver must report this rather
 * than keep sending.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
293
294#endif /* _NET_MACSEC_H_ */
295