0001 /* SPDX-License-Identifier: GPL-2.0+ */
0002 /*
0003  * MACsec netdev header, used for h/w accelerated implementations.
0004  *
0005  * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
0006  */
0007 #ifndef _NET_MACSEC_H_
0008 #define _NET_MACSEC_H_
0009 
0010 #include <linux/u64_stats_sync.h>
0011 #include <uapi/linux/if_link.h>
0012 #include <uapi/linux/if_macsec.h>
0013 
/*
 * Packet number (PN) sizes in bytes: a 32-bit PN for the default cipher
 * suites and a 64-bit extended PN (XPN) for the XPN suites; pn_t below
 * gives both views of the same 64-bit field.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

/* XPN IV salt: 12 bytes, laid out as SSCI (4) followed by PN (8), see salt_t. */
#define MACSEC_SALT_LEN 12
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */
0019 
/*
 * Secure channel identifier (SCI, 64-bit) and short SCI (SSCI, 32-bit,
 * used by the XPN suites). __bitwise makes them opaque to sparse so they
 * are not silently mixed with plain integers.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;
0022 
/*
 * XPN IV salt: the same MACSEC_SALT_LEN bytes viewed either as the SSCI
 * followed by the 64-bit PN (packed, so no padding between them) or as a
 * raw byte array for feeding to the cipher.
 */
typedef union salt {
    struct {
        u32 ssci;
        u64 pn;
    } __packed;
    u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;
0030 
/*
 * 64-bit packet number, addressable as a whole (@full64) or as two 32-bit
 * halves. The order of the halves follows host endianness so that @lower
 * always aliases the low-order 32 bits of @full64 (the non-XPN PN).
 */
typedef union pn {
    struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
        u32 lower;
        u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
        u32 upper;
        u32 lower;
#else
#error  "Please fix <asm/byteorder.h>"
#endif
    };
    u64 full64;
} pn_t;
0045 
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes; an identifier,
 *      not the key material itself)
 * @tfm: crypto AEAD transform that stores the key
 * @salt: salt used to generate IV in XPN cipher suites
 *
 * The raw key bytes are not kept in this struct; for offloading they are
 * passed to the driver through struct macsec_context.
 */
struct macsec_key {
    u8 id[MACSEC_KEYID_LEN];
    struct crypto_aead *tfm;
    salt_t salt;
};
0057 
/*
 * Per-receive-SC counters; the member names follow the IEEE 802.1AE MIB.
 * 64-bit, so they do not wrap in practice (contrast the 32-bit per-SA set).
 */
struct macsec_rx_sc_stats {
    __u64 InOctetsValidated;
    __u64 InOctetsDecrypted;
    __u64 InPktsUnchecked;
    __u64 InPktsDelayed;
    __u64 InPktsOK;
    __u64 InPktsInvalid;
    __u64 InPktsLate;
    __u64 InPktsNotValid;
    __u64 InPktsNotUsingSA;
    __u64 InPktsUnusedSA;
};
0070 
/*
 * Per-receive-SA counters (IEEE 802.1AE MIB names). These are 32-bit and
 * can wrap on busy links; NOTE(review): consumers should treat them as
 * modular counters — confirm how the data path accumulates them.
 */
struct macsec_rx_sa_stats {
    __u32 InPktsOK;
    __u32 InPktsInvalid;
    __u32 InPktsNotValid;
    __u32 InPktsNotUsingSA;
    __u32 InPktsUnusedSA;
};
0078 
/*
 * Per-transmit-SA counters (IEEE 802.1AE MIB names), 32-bit like the
 * receive-SA set above and subject to the same wrap caveat.
 */
struct macsec_tx_sa_stats {
    __u32 OutPktsProtected;
    __u32 OutPktsEncrypted;
};
0083 
/*
 * Per-transmit-SC counters (IEEE 802.1AE MIB names), 64-bit. "Protected"
 * counts integrity-only frames, "Encrypted" counts confidentiality-protected
 * ones, matching the @encrypt flag of struct macsec_tx_sc.
 */
struct macsec_tx_sc_stats {
    __u64 OutPktsProtected;
    __u64 OutPktsEncrypted;
    __u64 OutOctetsProtected;
    __u64 OutOctetsEncrypted;
};
0090 
/*
 * SecY-level counters (IEEE 802.1AE MIB names) for frames that were not
 * handled by any SC/SA: untagged, bad or missing SecTAG, unknown or
 * missing SCI, and overrun.
 */
struct macsec_dev_stats {
    __u64 OutPktsUntagged;
    __u64 InPktsUntagged;
    __u64 OutPktsTooLong;
    __u64 InPktsNoTag;
    __u64 InPktsBadTag;
    __u64 InPktsUnknownSCI;
    __u64 InPktsNoSCI;
    __u64 InPktsOverrun;
};
0101 
/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier (XPN cipher suites)
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as 32-bit lower/upper halves (see pn_t)
 * @next_pn: packet number expected for the next packet
 * @refcnt: reference count on this SA
 * @active: SA is enabled and may be used for received frames
 * @stats: per-SA stats
 * @sc: receive secure channel this SA belongs to
 * @rcu: RCU head for deferred freeing
 *
 * @next_pn and @next_pn_halves share storage so that the 32-bit PN of the
 * default suites and the 64-bit XPN use the same field. This is the
 * per-SA replay state; the data path (not in this header) is expected to
 * compare received PNs against it when the SecY has replay protection on.
 */
struct macsec_rx_sa {
    struct macsec_key key;
    ssci_t ssci;
    spinlock_t lock;
    union {
        pn_t next_pn_halves;
        u64 next_pn;
    };
    refcount_t refcnt;
    bool active;
    struct macsec_rx_sa_stats __percpu *stats;
    struct macsec_rx_sc *sc;
    struct rcu_head rcu;
};
0125 
/* Per-CPU receive-SC counters plus the u64_stats seqcount that guards them. */
struct pcpu_rx_sc_stats {
    struct macsec_rx_sc_stats stats;
    struct u64_stats_sync syncp;
};
0130 
/* Per-CPU transmit-SC counters plus the u64_stats seqcount that guards them. */
struct pcpu_tx_sc_stats {
    struct macsec_tx_sc_stats stats;
    struct u64_stats_sync syncp;
};
0135 
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next SC in the SecY's RCU-protected list (see macsec_secy @rx_sc)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 * @stats: per-SC stats
 * @refcnt: reference count on this SC
 * @rcu_head: RCU head for deferred freeing
 */
struct macsec_rx_sc {
    struct macsec_rx_sc __rcu *next;
    sci_t sci;
    bool active;
    struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
    struct pcpu_rx_sc_stats __percpu *stats;
    refcount_t refcnt;
    struct rcu_head rcu_head;
};
0152 
/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier (XPN cipher suites)
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as 32-bit lower/upper halves (see pn_t)
 * @next_pn: packet number to use for the next packet
 * @refcnt: reference count on this SA
 * @active: SA is enabled and may be used to transmit
 * @stats: per-SA stats
 * @rcu: RCU head for deferred freeing
 *
 * @next_pn must never be reused under the same key (a repeated PN repeats
 * the AEAD IV); see macsec_pn_wrapped() for the wrap notification.
 */
struct macsec_tx_sa {
    struct macsec_key key;
    ssci_t ssci;
    spinlock_t lock;
    union {
        pn_t next_pn_halves;
        u64 next_pn;
    };
    refcount_t refcnt;
    bool active;
    struct macsec_tx_sa_stats __percpu *stats;
    struct rcu_head rcu;
};
0175 
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end station flag (presumably the ES bit of the SecTAG
 *               TCI, alongside @scb — confirm against the data path)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 * @stats: stats for this TXSC
 */
struct macsec_tx_sc {
    bool active;
    u8 encoding_sa;
    bool encrypt;
    bool send_sci;
    bool end_station;
    bool scb;
    struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
    struct pcpu_tx_sc_stats __percpu *stats;
};
0197 
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode
 * @xpn: enable XPN for this SecY
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window; only meaningful when
 *                 @replay_protect is set
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels (RCU-protected, chained
 *         through macsec_rx_sc @next)
 *
 * @validate_frames, @protect_frames and @replay_protect together define
 * how much protection the SecY actually enforces; a configuration that
 * disables them accepts or sends unprotected traffic by design.
 */
struct macsec_secy {
    struct net_device *netdev;
    unsigned int n_rx_sc;
    sci_t sci;
    u16 key_len;
    u16 icv_len;
    enum macsec_validation_type validate_frames;
    bool xpn;
    bool operational;
    bool protect_frames;
    bool replay_protect;
    u32 replay_window;
    struct macsec_tx_sc tx_sc;
    struct macsec_rx_sc __rcu *rx_sc;
};
0229 
/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: net_device performing the offload (one of @netdev/@phydev is
 *          valid, selected by @offload)
 * @phydev: phy_device performing the offload (see @netdev)
 * @offload: which kind of device handles the offload
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC the operation applies to, for the rxsc/rxsa ops
 * @sa.assoc_num: association number of the SA being operated on
 * @sa.key: raw key bytes for the SA being added or updated
 * @sa.rx_sa: receive SA being operated on
 * @sa.tx_sa: transmit SA being operated on
 * @stats: output; the driver fills the member matching the mdo_get_*_stats
 *         op being called
 * @prepare: set for a preparation pass of an operation (NOTE(review):
 *           confirm the exact prepare/commit contract in the offload core)
 *
 * @sa.key carries key material in plain memory while an op is in flight;
 * NOTE(review): the owner of the context should clear it once the op
 * completes — confirm the caller does so.
 */
struct macsec_context {
    union {
        struct net_device *netdev;
        struct phy_device *phydev;
    };
    enum macsec_offload offload;

    struct macsec_secy *secy;
    struct macsec_rx_sc *rx_sc;
    struct {
        unsigned char assoc_num;
        u8 key[MACSEC_MAX_KEY_LEN];
        union {
            struct macsec_rx_sa *rx_sa;
            struct macsec_tx_sa *tx_sa;
        };
    } sa;
    union {
        struct macsec_tx_sc_stats *tx_sc_stats;
        struct macsec_tx_sa_stats *tx_sa_stats;
        struct macsec_rx_sc_stats *rx_sc_stats;
        struct macsec_rx_sa_stats *rx_sa_stats;
        struct macsec_dev_stats  *dev_stats;
    } stats;

    u8 prepare:1;
};
0260 
/**
 * struct macsec_ops - MACsec offloading operations
 *
 * Each op receives the operation's parameters through struct macsec_context
 * and, by kernel convention, returns 0 on success or a negative errno
 * (confirm in the offload core). Ops are grouped below by what they act on;
 * the mdo_get_*_stats ops fill the matching member of ctx->stats.
 */
struct macsec_ops {
    /* Device wide */
    int (*mdo_dev_open)(struct macsec_context *ctx);
    int (*mdo_dev_stop)(struct macsec_context *ctx);
    /* SecY */
    int (*mdo_add_secy)(struct macsec_context *ctx);
    int (*mdo_upd_secy)(struct macsec_context *ctx);
    int (*mdo_del_secy)(struct macsec_context *ctx);
    /* Security channels */
    int (*mdo_add_rxsc)(struct macsec_context *ctx);
    int (*mdo_upd_rxsc)(struct macsec_context *ctx);
    int (*mdo_del_rxsc)(struct macsec_context *ctx);
    /* Security associations (ctx->sa identifies the SA, key included) */
    int (*mdo_add_rxsa)(struct macsec_context *ctx);
    int (*mdo_upd_rxsa)(struct macsec_context *ctx);
    int (*mdo_del_rxsa)(struct macsec_context *ctx);
    int (*mdo_add_txsa)(struct macsec_context *ctx);
    int (*mdo_upd_txsa)(struct macsec_context *ctx);
    int (*mdo_del_txsa)(struct macsec_context *ctx);
    /* Statistics */
    int (*mdo_get_dev_stats)(struct macsec_context *ctx);
    int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
    int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
    int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
    int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};
0290 
/**
 * macsec_pn_wrapped() - notify the MACsec core that a TX SA's packet number wrapped
 * @secy: SecY owning @tx_sa
 * @tx_sa: transmit SA whose @next_pn wrapped
 *
 * Defined outside this header. PN exhaustion is security-relevant — a
 * repeated PN under the same key repeats the AEAD IV — so the core is
 * expected to stop transmitting with @tx_sa; the exact behaviour is in
 * the definition, not here.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
0292 
0293 #endif /* _NET_MACSEC_H_ */