include/net/macsec.h

   1 /* SPDX-License-Identifier: GPL-2.0+ */
   2 /*
   3  * MACsec netdev header, used for h/w accelerated implementations.
   4  *
   5  * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
   6  */
   7 #ifndef _NET_MACSEC_H_
   8 #define _NET_MACSEC_H_
   9
  10 #include <linux/u64_stats_sync.h>
  11 #include <uapi/linux/if_link.h>
  12 #include <uapi/linux/if_macsec.h>
  13
  14 typedef u64 __bitwise sci_t;
  15
  16 #define MACSEC_NUM_AN 4 /* 2 bits for the association number */
  17
  18 /**
  19  * struct macsec_key - SA key
  20  * @id: user-provided key identifier
  21  * @tfm: crypto struct, key storage
  22  */
  23 struct macsec_key {
  24         u8 id[MACSEC_KEYID_LEN];
  25         struct crypto_aead *tfm;
  26 };
  27
  28 struct macsec_rx_sc_stats {
  29         __u64 InOctetsValidated;
  30         __u64 InOctetsDecrypted;
  31         __u64 InPktsUnchecked;
  32         __u64 InPktsDelayed;
  33         __u64 InPktsOK;
  34         __u64 InPktsInvalid;
  35         __u64 InPktsLate;
  36         __u64 InPktsNotValid;
  37         __u64 InPktsNotUsingSA;
  38         __u64 InPktsUnusedSA;
  39 };
  40
  41 struct macsec_rx_sa_stats {
  42         __u32 InPktsOK;
  43         __u32 InPktsInvalid;
  44         __u32 InPktsNotValid;
  45         __u32 InPktsNotUsingSA;
  46         __u32 InPktsUnusedSA;
  47 };
  48
  49 struct macsec_tx_sa_stats {
  50         __u32 OutPktsProtected;
  51         __u32 OutPktsEncrypted;
  52 };
  53
  54 struct macsec_tx_sc_stats {
  55         __u64 OutPktsProtected;
  56         __u64 OutPktsEncrypted;
  57         __u64 OutOctetsProtected;
  58         __u64 OutOctetsEncrypted;
  59 };
  60
  61 /**
  62  * struct macsec_rx_sa - receive secure association
  63  * @active:
  64  * @next_pn: packet number expected for the next packet
  65  * @lock: protects next_pn manipulations
  66  * @key: key structure
  67  * @stats: per-SA stats
  68  */
  69 struct macsec_rx_sa {
  70         struct macsec_key key;
  71         spinlock_t lock;
  72         u32 next_pn;
  73         refcount_t refcnt;
  74         bool active;
  75         struct macsec_rx_sa_stats __percpu *stats;
  76         struct macsec_rx_sc *sc;
  77         struct rcu_head rcu;
  78 };
  79
  80 struct pcpu_rx_sc_stats {
  81         struct macsec_rx_sc_stats stats;
  82         struct u64_stats_sync syncp;
  83 };
  84
  85 struct pcpu_tx_sc_stats {
  86         struct macsec_tx_sc_stats stats;
  87         struct u64_stats_sync syncp;
  88 };
  89
  90 /**
  91  * struct macsec_rx_sc - receive secure channel
  92  * @sci: secure channel identifier for this SC
  93  * @active: channel is active
  94  * @sa: array of secure associations
  95  * @stats: per-SC stats
  96  */
  97 struct macsec_rx_sc {
  98         struct macsec_rx_sc __rcu *next;
  99         sci_t sci;
 100         bool active;
 101         struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
 102         struct pcpu_rx_sc_stats __percpu *stats;
 103         refcount_t refcnt;
 104         struct rcu_head rcu_head;
 105 };
 106
 107 /**
 108  * struct macsec_tx_sa - transmit secure association
 109  * @active:
 110  * @next_pn: packet number to use for the next packet
 111  * @lock: protects next_pn manipulations
 112  * @key: key structure
 113  * @stats: per-SA stats
 114  */
 115 struct macsec_tx_sa {
 116         struct macsec_key key;
 117         spinlock_t lock;
 118         u32 next_pn;
 119         refcount_t refcnt;
 120         bool active;
 121         struct macsec_tx_sa_stats __percpu *stats;
 122         struct rcu_head rcu;
 123 };
 124
 125 /**
 126  * struct macsec_tx_sc - transmit secure channel
 127  * @active:
 128  * @encoding_sa: association number of the SA currently in use
 129  * @encrypt: encrypt packets on transmit, or authenticate only
 130  * @send_sci: always include the SCI in the SecTAG
 131  * @end_station:
 132  * @scb: single copy broadcast flag
 133  * @sa: array of secure associations
 134  * @stats: stats for this TXSC
 135  */
 136 struct macsec_tx_sc {
 137         bool active;
 138         u8 encoding_sa;
 139         bool encrypt;
 140         bool send_sci;
 141         bool end_station;
 142         bool scb;
 143         struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
 144         struct pcpu_tx_sc_stats __percpu *stats;
 145 };
 146
 147 /**
 148  * struct macsec_secy - MACsec Security Entity
 149  * @netdev: netdevice for this SecY
 150  * @n_rx_sc: number of receive secure channels configured on this SecY
 151  * @sci: secure channel identifier used for tx
 152  * @key_len: length of keys used by the cipher suite
 153  * @icv_len: length of ICV used by the cipher suite
 154  * @validate_frames: validation mode
 155  * @operational: MAC_Operational flag
 156  * @protect_frames: enable protection for this SecY
 157  * @replay_protect: enable packet number checks on receive
 158  * @replay_window: size of the replay window
 159  * @tx_sc: transmit secure channel
 160  * @rx_sc: linked list of receive secure channels
 161  */
 162 struct macsec_secy {
 163         struct net_device *netdev;
 164         unsigned int n_rx_sc;
 165         sci_t sci;
 166         u16 key_len;
 167         u16 icv_len;
 168         enum macsec_validation_type validate_frames;
 169         bool operational;
 170         bool protect_frames;
 171         bool replay_protect;
 172         u32 replay_window;
 173         struct macsec_tx_sc tx_sc;
 174         struct macsec_rx_sc __rcu *rx_sc;
 175 };
 176
 177 /**
 178  * struct macsec_context - MACsec context for hardware offloading
 179  */
 180 struct macsec_context {
 181         struct phy_device *phydev;
 182         enum macsec_offload offload;
 183
 184         struct macsec_secy *secy;
 185         struct macsec_rx_sc *rx_sc;
 186         struct {
 187                 unsigned char assoc_num;
 188                 u8 key[MACSEC_KEYID_LEN];
 189                 union {
 190                         struct macsec_rx_sa *rx_sa;
 191                         struct macsec_tx_sa *tx_sa;
 192                 };
 193         } sa;
 194
 195         u8 prepare:1;
 196 };
 197
 198 /**
 199  * struct macsec_ops - MACsec offloading operations
 200  */
 201 struct macsec_ops {
 202         /* Device wide */
 203         int (*mdo_dev_open)(struct macsec_context *ctx);
 204         int (*mdo_dev_stop)(struct macsec_context *ctx);
 205         /* SecY */
 206         int (*mdo_add_secy)(struct macsec_context *ctx);
 207         int (*mdo_upd_secy)(struct macsec_context *ctx);
 208         int (*mdo_del_secy)(struct macsec_context *ctx);
 209         /* Security channels */
 210         int (*mdo_add_rxsc)(struct macsec_context *ctx);
 211         int (*mdo_upd_rxsc)(struct macsec_context *ctx);
 212         int (*mdo_del_rxsc)(struct macsec_context *ctx);
 213         /* Security associations */
 214         int (*mdo_add_rxsa)(struct macsec_context *ctx);
 215         int (*mdo_upd_rxsa)(struct macsec_context *ctx);
 216         int (*mdo_del_rxsa)(struct macsec_context *ctx);
 217         int (*mdo_add_txsa)(struct macsec_context *ctx);
 218         int (*mdo_upd_txsa)(struct macsec_context *ctx);
 219         int (*mdo_del_txsa)(struct macsec_context *ctx);
 220 };
 221
 222 void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
 223
 224 #endif /* _NET_MACSEC_H_ */