/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * MACsec netdev header, used for h/w accelerated implementations.
 *
 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
 */
#ifndef _NET_MACSEC_H_
#define _NET_MACSEC_H_

#include <linux/u64_stats_sync.h>
#include <uapi/linux/if_link.h>
#include <uapi/linux/if_macsec.h>

/*
 * Packet number (PN) sizes: the default cipher suites use a 32-bit PN, the
 * XPN (extended packet numbering) suites a 64-bit one.  The unit is
 * presumably bytes, matching the u32/u64 views of pn_t below.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

#define MACSEC_SALT_LEN 12 /* size of salt_t, in bytes */
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

/*
 * Secure channel identifier (SCI) and short SCI (SSCI).  The __bitwise
 * annotation lets sparse flag accidental mixing with plain integers.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;

/*
 * XPN salt: the same 12 bytes viewed either as {ssci, pn} or as raw bytes.
 * Both the inner struct and the union are __packed so that the two views
 * stay exactly MACSEC_SALT_LEN long, with no padding between ssci and pn.
 */
typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;

/*
 * 64-bit packet number with an overlay giving 32-bit access to its halves.
 * The halves are ordered by host endianness so that @lower always aliases
 * the low 32 bits of @full64, whichever way the host lays out a u64.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error "Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;

/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes)
 * @tfm: crypto struct, key storage
 * @salt: salt used to generate IV in XPN cipher suites
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};

/*
 * Statistics.  Counter names follow the IEEE 802.1AE MIB.  Per-SC and
 * device-level counters are 64-bit; per-SA counters are 32-bit.
 */

/* Receive secure channel counters. */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};

/* Receive secure association counters. */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};

/* Transmit secure association counters. */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};

/* Transmit secure channel counters. */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};

/*
 * Device-level counters: frames that never reached (or left) an SC, e.g.
 * untagged, badly tagged or unknown-SCI frames.
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};

/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: 32-bit halves view of @next_pn (same storage)
 * @next_pn: packet number expected for the next packet; this is the receive
 *	side's replay-protection state (see macsec_secy.replay_protect), hence
 *	the @lock around updates
 * @refcnt: reference count
 * @active: SA is active
 * @stats: per-SA stats
 * @sc: receive secure channel this SA belongs to
 * @rcu: head for RCU-deferred freeing
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};

/* Per-CPU RX SC counters; @syncp is the u64_stats_sync used to read @stats consistently. */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/* Per-CPU TX SC counters; @syncp is the u64_stats_sync used to read @stats consistently. */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next RX SC in the SecY's list (the list head is macsec_secy.rx_sc)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 * @stats: per-SC stats
 * @refcnt: reference count
 * @rcu_head: head for RCU-deferred freeing
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};

/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: 32-bit halves view of @next_pn (same storage)
 * @next_pn: packet number to use for the next packet; the PN feeds the IV
 *	(see macsec_key.salt), so it must not repeat under the same key — see
 *	macsec_pn_wrapped()
 * @refcnt: reference count
 * @active: SA is active
 * @stats: per-SA stats
 * @rcu: head for RCU-deferred freeing
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};

/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end station flag (presumably the ES bit of the SecTAG TCI —
 *	confirm against the datapath)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 * @stats: stats for this TXSC
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
};

/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode
 * @xpn: enable XPN (64-bit packet numbers, see MACSEC_XPN_PN_LEN) for this SecY
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};

/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: MAC device performing the offload (which union member is valid
 *	depends on @offload)
 * @phydev: PHY device performing the offload (see @netdev)
 * @offload: offload provider in use; selects between @netdev and @phydev
 * @secy: SecY the operation applies to
 * @rx_sc: RX secure channel the operation applies to, when relevant
 * @sa: SA being operated on: @sa.assoc_num is its association number,
 *	@sa.key the raw key bytes handed to the driver, and @sa.rx_sa /
 *	@sa.tx_sa the core's SA object
 * @stats: output area for the mdo_get_*_stats callbacks; the member used
 *	matches the callback
 * @prepare: NOTE(review): presumably set on the first (prepare) call of a
 *	two-step operation so the driver can check and reserve resources
 *	without committing, and cleared on the commit call — confirm against the
 *	core's dispatch code
 *
 * @sa.key holds raw key material.  Nothing in this header wipes it; its owner
 * should clear it once the driver call has returned.
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats *dev_stats;
	} stats;

	u8 prepare:1;
};

/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: the offloading device is being opened
 * @mdo_dev_stop: the offloading device is being stopped
 * @mdo_add_secy: add @ctx->secy
 * @mdo_upd_secy: update @ctx->secy
 * @mdo_del_secy: delete @ctx->secy
 * @mdo_add_rxsc: add @ctx->rx_sc
 * @mdo_upd_rxsc: update @ctx->rx_sc
 * @mdo_del_rxsc: delete @ctx->rx_sc
 * @mdo_add_rxsa: add the receive SA described by @ctx->sa
 * @mdo_upd_rxsa: update the receive SA described by @ctx->sa
 * @mdo_del_rxsa: delete the receive SA described by @ctx->sa
 * @mdo_add_txsa: add the transmit SA described by @ctx->sa
 * @mdo_upd_txsa: update the transmit SA described by @ctx->sa
 * @mdo_del_txsa: delete the transmit SA described by @ctx->sa
 * @mdo_get_dev_stats: fill @ctx->stats.dev_stats
 * @mdo_get_tx_sc_stats: fill @ctx->stats.tx_sc_stats
 * @mdo_get_tx_sa_stats: fill @ctx->stats.tx_sa_stats
 * @mdo_get_rx_sc_stats: fill @ctx->stats.rx_sc_stats
 * @mdo_get_rx_sa_stats: fill @ctx->stats.rx_sa_stats
 *
 * Every callback takes the same &struct macsec_context and returns an int;
 * the usual 0 / negative-errno convention is assumed but not stated here.
 * Which context members are meaningful for a given call is inferred from the
 * callback names above — confirm against the core before relying on it.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};

/**
 * macsec_pn_wrapped - report that a transmit SA's packet number has wrapped
 * @secy: SecY owning @tx_sa
 * @tx_sa: transmit SA whose packet number wrapped
 *
 * Intended for offloading drivers (this header is the offload interface)
 * whose hardware tracks the PN.  Reusing a PN under the same key would repeat
 * the IV, so a wrapped SA cannot keep transmitting as-is; what the core does
 * in response is defined by the implementation, not by this header.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);

#endif /* _NET_MACSEC_H_ */