* [PATCH iproute2-next 0/2] macsec: add offloading support
@ 2020-04-24 8:38 Igor Russkikh
2020-04-24 8:38 ` [PATCH iproute2-next 1/2] macsec: add support for MAC offload Igor Russkikh
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Igor Russkikh @ 2020-04-24 8:38 UTC (permalink / raw)
To: netdev; +Cc: dsahern, stephen, Mark Starovoytov
From: Mark Starovoytov <mstarovoitov@marvell.com>
This series adds support for selecting the offloading mode of a MACsec
interface at link creation time.
Available modes are for now 'off', 'phy' and 'mac', 'off' being the default
when an interface is created.
First patch adds support for MAC offloading.
Last patch allows a user to change the offloading mode at runtime
through a new attribute, `ip link add link ... offload`:
# ip link add link enp1s0 type macsec encrypt on offload off
# ip link add link enp1s0 type macsec encrypt on offload phy
# ip link add link enp1s0 type macsec encrypt on offload mac
Mark Starovoytov (2):
macsec: add support for MAC offload
macsec: add support for specifying offload at link add time
ip/ipmacsec.c | 23 ++++++++++++++++++++++-
man/man8/ip-macsec.8 | 10 ++++++++--
2 files changed, 30 insertions(+), 3 deletions(-)
--
2.20.1
* [PATCH iproute2-next 1/2] macsec: add support for MAC offload
2020-04-24 8:38 [PATCH iproute2-next 0/2] macsec: add offloading support Igor Russkikh
@ 2020-04-24 8:38 ` Igor Russkikh
2020-04-24 8:38 ` [PATCH iproute2-next 2/2] macsec: add support for specifying offload at link add time Igor Russkikh
2020-04-26 18:33 ` [PATCH iproute2-next 0/2] macsec: add offloading support David Ahern
2 siblings, 0 replies; 6+ messages in thread
From: Igor Russkikh @ 2020-04-24 8:38 UTC (permalink / raw)
To: netdev; +Cc: dsahern, stephen, Mark Starovoytov, Igor Russkikh
From: Mark Starovoytov <mstarovoitov@marvell.com>
This patch enables MAC HW offload usage in iproute, since MACSec
implementation supports it now.
Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
---
ip/ipmacsec.c | 3 ++-
man/man8/ip-macsec.8 | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 4e500e4e..d214b101 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -34,6 +34,7 @@ static const char * const validate_str[] = {
static const char * const offload_str[] = {
[MACSEC_OFFLOAD_OFF] = "off",
[MACSEC_OFFLOAD_PHY] = "phy",
+ [MACSEC_OFFLOAD_MAC] = "mac",
};
struct sci {
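Review bot: The new `[MACSEC_OFFLOAD_MAC] = "mac"` entry in offload_str only builds if MACSEC_OFFLOAD_MAC is defined in the uapi header this tree compiles against, and the diffstat for this patch touches only ip/ipmacsec.c and the man page. Please say in the commit message which header sync the patch depends on, so it does not break the build when applied on its own.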
@@ -98,7 +99,7 @@ static void ipmacsec_usage(void)
" ip macsec del DEV rx SCI sa { 0..3 }\n"
" ip macsec show\n"
" ip macsec show DEV\n"
- " ip macsec offload DEV [ off | phy ]\n"
+ " ip macsec offload DEV [ off | phy | mac ]\n"
"where OPTS := [ pn <u32> ] [ on | off ]\n"
" ID := 128-bit hex string\n"
" KEY := 128-bit or 256-bit hex string\n"
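Review bot: The usage line `ip macsec offload DEV [ off | phy | mac ]` keeps square brackets, which read as an optional argument, while the man page synopsis changed in this same patch writes it as `{ off | phy | mac }`. Since the line is being touched anyway, consider switching it to braces so the two agree.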
diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index d5f9d240..b2ee7bee 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -54,7 +54,7 @@ ip-macsec \- MACsec device configuration
.RI "{ " 0..3 " }"
.BI "ip macsec offload " DEV
-.RB "{ " off " | " phy " }"
+.RB "{ " off " | " phy " | " mac " }"
.B ip macsec show
.RI [ " DEV " ]
--
2.20.1
* [PATCH iproute2-next 2/2] macsec: add support for specifying offload at link add time
2020-04-24 8:38 [PATCH iproute2-next 0/2] macsec: add offloading support Igor Russkikh
2020-04-24 8:38 ` [PATCH iproute2-next 1/2] macsec: add support for MAC offload Igor Russkikh
@ 2020-04-24 8:38 ` Igor Russkikh
2020-04-26 18:33 ` [PATCH iproute2-next 0/2] macsec: add offloading support David Ahern
2 siblings, 0 replies; 6+ messages in thread
From: Igor Russkikh @ 2020-04-24 8:38 UTC (permalink / raw)
To: netdev; +Cc: dsahern, stephen, Mark Starovoytov, Igor Russkikh
From: Mark Starovoytov <mstarovoitov@marvell.com>
This patch adds support for configuring offload mode upon MACsec
device creation.
If offload mode is not specified, then the netlink attribute is not
added. Default behavior on the kernel side in this case is
backward-compatible (offloading is disabled by default).
Example:
$ ip link add link eth0 macsec0 type macsec port 11 encrypt on offload mac
Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
---
ip/ipmacsec.c | 20 ++++++++++++++++++++
man/man8/ip-macsec.8 | 8 +++++++-
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index d214b101..18289ecd 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -1220,6 +1220,15 @@ static void macsec_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
validate_to_str(val));
}
+ if (tb[IFLA_MACSEC_OFFLOAD]) {
+ __u8 val = rta_getattr_u8(tb[IFLA_MACSEC_OFFLOAD]);
+
+ print_string(PRINT_ANY,
+ "offload",
+ "offload %s ",
+ offload_to_str(val));
+ }
+
const char *inc_sci, *es, *replay;
if (is_json_context()) {
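Review bot: `val` in the new IFLA_MACSEC_OFFLOAD block comes straight from the kernel attribute and is handed to offload_to_str(), whose body is not part of this diff. If that helper indexes offload_str without a bounds check, a mode reported by a kernel newer than this ip binary would read past the array; please confirm it returns a placeholder string for out-of-range values.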
@@ -1268,6 +1277,7 @@ static void usage(FILE *f)
" [ replay { on | off} window { 0..2^32-1 } ]\n"
" [ validate { strict | check | disabled } ]\n"
" [ encodingsa { 0..3 } ]\n"
+ " [ offload { mac | phy | off } ]\n"
);
}
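Review bot: The new usage line lists the modes as `{ mac | phy | off }`, while the man page synopsis added in this patch and the `ip macsec offload` usage line use the order `off | phy | mac`. Please use one order throughout.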
@@ -1277,6 +1287,7 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
int ret;
__u8 encoding_sa = 0xff;
__u32 window = -1;
+ enum macsec_offload offload;
struct cipher_args cipher = {0};
enum macsec_validation_type validate;
bool es = false, scb = false, send_sci = false;
@@ -1398,6 +1409,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
ret = get_an(&encoding_sa, *argv);
if (ret)
invarg("expected an { 0..3 }", *argv);
+ } else if (strcmp(*argv, "offload") == 0) {
+ NEXT_ARG();
+ ret = one_of("offload", *argv,
+ offload_str, ARRAY_SIZE(offload_str),
+ (int *)&offload);
+ if (ret != 0)
+ return ret;
+ addattr8(n, MACSEC_BUFLEN,
+ IFLA_MACSEC_OFFLOAD, offload);
} else {
fprintf(stderr, "macsec: unknown command \"%s\"?\n",
*argv);
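Review bot: In the new `offload` branch, `(int *)&offload` hands one_of() a pointer to an `enum macsec_offload` as if it were an int, which is only safe when the enum has the size and representation of int, and the value is then narrowed again by addattr8(). Parsing into a plain `int` local and passing that to addattr8() removes the cast. The return value of addattr8() is also ignored, and the failure path uses `return ret` where the neighbouring encodingsa branch calls invarg().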
diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index b2ee7bee..8e9175c5 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -23,6 +23,8 @@ ip-macsec \- MACsec device configuration
] [
.BR validate " { " strict " | " check " | " disabled " } ] ["
.BI encodingsa " SA"
+] [
+.BR offload " { " off " | " phy " | " mac " }"
]
.BI "ip macsec add " DEV " tx sa"
@@ -86,7 +88,7 @@ type.
.SH EXAMPLES
.PP
-.SS Create a MACsec device on link eth0
+.SS Create a MACsec device on link eth0 (offload is disabled by default)
.nf
# ip link add link eth0 macsec0 type macsec port 11 encrypt on
.PP
@@ -109,6 +111,10 @@ type.
.SS Configure offloading on an interface
.nf
# ip macsec offload macsec0 phy
+.PP
+.SS Configure offloading upon MACsec device creation
+.nf
+# ip link add link eth0 macsec0 type macsec port 11 encrypt on offload mac
.SH NOTES
This tool can be used to configure the 802.1AE keys of the interface. Note that 802.1AE uses GCM-AES
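Review bot: The example added under "Configure offloading upon MACsec device creation" creates macsec0 on eth0 with port 11, the same name and port as the first example in this section, so a reader running the examples in order will see the second `ip link add` fail. Use a different device name, or say that this command replaces the first example.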
--
2.20.1
* Re: [PATCH iproute2-next 0/2] macsec: add offloading support
2020-04-24 8:38 [PATCH iproute2-next 0/2] macsec: add offloading support Igor Russkikh
2020-04-24 8:38 ` [PATCH iproute2-next 1/2] macsec: add support for MAC offload Igor Russkikh
2020-04-24 8:38 ` [PATCH iproute2-next 2/2] macsec: add support for specifying offload at link add time Igor Russkikh
@ 2020-04-26 18:33 ` David Ahern
2 siblings, 0 replies; 6+ messages in thread
From: David Ahern @ 2020-04-26 18:33 UTC (permalink / raw)
To: Igor Russkikh, netdev; +Cc: dsahern, stephen, Mark Starovoytov
On 4/24/20 2:38 AM, Igor Russkikh wrote:
> From: Mark Starovoytov <mstarovoitov@marvell.com>
>
> This series adds support for selecting the offloading mode of a MACsec
> interface at link creation time.
> Available modes are for now 'off', 'phy' and 'mac', 'off' being the default
> when an interface is created.
>
> First patch adds support for MAC offloading.
>
> Last patch allows a user to change the offloading mode at runtime
> through a new attribute, `ip link add link ... offload`:
>
> # ip link add link enp1s0 type macsec encrypt on offload off
> # ip link add link enp1s0 type macsec encrypt on offload phy
> # ip link add link enp1s0 type macsec encrypt on offload mac
>
> Mark Starovoytov (2):
> macsec: add support for MAC offload
> macsec: add support for specifying offload at link add time
>
> ip/ipmacsec.c | 23 ++++++++++++++++++++++-
> man/man8/ip-macsec.8 | 10 ++++++++--
> 2 files changed, 30 insertions(+), 3 deletions(-)
>
applied to iproute2-next. Thanks
* [PATCH iproute2-next 0/2] macsec: add offloading support
@ 2020-01-20 20:18 Antoine Tenart
2020-01-28 10:36 ` Sabrina Dubroca
0 siblings, 1 reply; 6+ messages in thread
From: Antoine Tenart @ 2020-01-20 20:18 UTC (permalink / raw)
To: dsahern, sd; +Cc: Antoine Tenart, netdev
Hello,
This series adds support for selecting and reporting the offloading mode
of a MACsec interface. Available modes are for now 'off' and 'phy',
'off' being the default when an interface is created. Modes are not only
'off' and 'on' as the MACsec operations can be offloaded to multiple
kinds of specialized hardware devices, at least to PHYs and Ethernet
MACs. The latter isn't currently supported in the kernel though.
The first patch adds support for reporting the offloading mode currently
selected for a given MACsec interface through the `ip macsec show`
command:
# ip macsec show
18: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 3e5035b67c860001 on SA 0
0: PN 1, state on, key 00000000000000000000000000000000
RXSC: b4969112700f0001, state on
0: PN 1, state on, key 01000000000000000000000000000000
-> offload: phy
19: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 3e5035b67c880001 on SA 0
1: PN 1, state on, key 00000000000000000000000000000000
RXSC: b4969112700f0001, state on
1: PN 1, state on, key 01000000000000000000000000000000
-> offload: off
The second patch allows a user to change the offloading mode at runtime
through a new subcommand, `ip macsec offload`:
# ip macsec offload macsec0 phy
# ip macsec offload macsec0 off
If a mode isn't supported, `ip macsec offload` will report an issue
(-EOPNOTSUPP).
One thing not supported in this series would be the ability to list all
supported modes (for now 'off' and 'phy') depending on the h/w interface
capabilities. This can come up in a later patch, as this is not critical
to get the feature used, but I would like this to be compatible with the
current series. I can think of 2 possibilities: either through
`ip macsec show` or through `ip macsec offload` (for example when no
argument is given). What are your thoughts on this?
Thanks!
Antoine
Antoine Tenart (2):
macsec: report the offloading mode currently selected
macsec: add support for changing the offloading mode
ip/ipmacsec.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
--
2.24.1
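The check an operator would run after selecting an offload mode, as an added example that is not part of the original message or of iproute2: it parses `ip macsec show` text and reports each interface's offload mode. It assumes the `offload: <mode>` line shown in the message (the `->` markers are treated as optional); the function names and the sample are constructed here.

```shell
#!/bin/sh
# Added example: per-interface MACsec offload mode from `ip macsec show` text.
# SAMPLE_SHOW is constructed, modelled on the output quoted in the message.
SAMPLE_SHOW='18: macsec0: protect on validate strict sc off sa off encrypt on
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 3e5035b67c860001 on SA 0
        0: PN 1, state on, key 00000000000000000000000000000000
    offload: phy
19: macsec1: protect on validate strict sc off sa off encrypt on
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 3e5035b67c880001 on SA 0
    offload: off
20: macsec2: protect on validate strict sc off sa off encrypt on
    cipher suite: GCM-AES-128, using ICV length 16'

# Print "<ifname> <mode>" for each interface read from stdin. An interface
# with no offload line (e.g. an ip binary without this series) is printed as
# "unreported" rather than assumed to be "off".
macsec_offload_report() {
    awk '
        function emit() {
            if (dev != "") print dev, (mode == "" ? "unreported" : mode)
        }
        # Interface header: "<ifindex>: <name>: ..."; SA lines lack the 2nd colon.
        /^[0-9]+: [^ :]+: / { emit(); dev = $2; sub(/:$/, "", dev); mode = ""; next }
        {
            line = $0
            sub(/^[ \t]*(-> )?[ \t]*/, "", line)   # indentation, optional "->"
            sub(/[ \t]+$/, "", line)
            if (line ~ /^offload: /) { sub(/^offload: /, "", line); mode = line }
        }
        END { emit() }
    '
}

# Print every interface whose mode differs from $1; exit status 1 if any do.
macsec_offload_mismatch() {
    macsec_offload_report | awk -v want="$1" '
        $2 != want { print $1 ": " $2; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Run against the constructed sample; on a host: ip macsec show | macsec_offload_report
printf '%s\n' "$SAMPLE_SHOW" | macsec_offload_report
```

On a live host, `ip macsec show | macsec_offload_mismatch phy` lists the interfaces that are not in the expected mode and returns non-zero, which suits a monitoring job.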
* Re: [PATCH iproute2-next 0/2] macsec: add offloading support
2020-01-20 20:18 Antoine Tenart
@ 2020-01-28 10:36 ` Sabrina Dubroca
0 siblings, 0 replies; 6+ messages in thread
From: Sabrina Dubroca @ 2020-01-28 10:36 UTC (permalink / raw)
To: Antoine Tenart; +Cc: dsahern, netdev
2020-01-20, 21:18:21 +0100, Antoine Tenart wrote:
> If a mode isn't supported, `ip macsec offload` will report an issue
> (-EOPNOTSUPP).
>
> One thing not supported in this series would be the ability to list all
> supported modes (for now 'off' and 'phy') depending on the h/w interface
> capabilities. This can come up in a later patch, as this is not critical
> to get the feature used, but I would like this to be compatible with the
> current series. I can think of 2 possibilities: either through
> `ip macsec show` or through `ip macsec offload` (for example when no
> argument is given). What are your thoughts on this?
I don't think that's really helpful. The device could change between
listing available modes and enabling offloading. The failure of "ip
macsec offload blah" (or whatever the command ends up being) will do
the same job anyway.
--
Sabrina