* [PATCH net-next 1/3] uapi: add MACsec bits
2016-03-07 17:12 [PATCH net-next 0/3] MACsec IEEE 802.1AE implementation Sabrina Dubroca
@ 2016-03-07 17:12 ` Sabrina Dubroca
2016-03-08 19:52 ` Johannes Berg
2016-03-07 17:12 ` [PATCH net-next 2/3] net: add MACsec netdevice priv_flags and helper Sabrina Dubroca
` (2 subsequent siblings)
3 siblings, 1 reply; 16+ messages in thread
From: Sabrina Dubroca @ 2016-03-07 17:12 UTC (permalink / raw)
To: netdev
Cc: Hannes Frederic Sowa, Florian Westphal, Paolo Abeni, stephen,
Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
v1:
- rebase
RFCv2:
- add include, detected by the kbuild robot
- split off the attributes for RXSC and SA from enum macsec_attrs
---
include/uapi/linux/Kbuild | 1 +
include/uapi/linux/if_ether.h | 1 +
include/uapi/linux/if_link.h | 21 ++++++
include/uapi/linux/if_macsec.h | 165 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 188 insertions(+)
create mode 100644 include/uapi/linux/if_macsec.h
diff --git a/include/uapi/linux/Kbuild b/include/uapi/linux/Kbuild
index ebd10e624598..e25ebcfbcb48 100644
--- a/include/uapi/linux/Kbuild
+++ b/include/uapi/linux/Kbuild
@@ -173,6 +173,7 @@ header-y += if_hippi.h
header-y += if_infiniband.h
header-y += if_link.h
header-y += if_ltalk.h
+header-y += if_macsec.h
header-y += if_packet.h
header-y += if_phonet.h
header-y += if_plip.h
diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h
index ea9221b0331a..4a93051c578c 100644
--- a/include/uapi/linux/if_ether.h
+++ b/include/uapi/linux/if_ether.h
@@ -83,6 +83,7 @@
#define ETH_P_8021AD 0x88A8 /* 802.1ad Service VLAN */
#define ETH_P_802_EX1 0x88B5 /* 802.1 Local Experimental 1. */
#define ETH_P_TIPC 0x88CA /* TIPC */
+#define ETH_P_MACSEC 0x88E5 /* 802.1ae MACsec */
#define ETH_P_8021AH 0x88E7 /* 802.1ah Backbone Service Tag */
#define ETH_P_MVRP 0x88F5 /* 802.1Q MVRP */
#define ETH_P_1588 0x88F7 /* IEEE 1588 Timesync */
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index d452cea59020..e19eb1a3a8c0 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -413,6 +413,27 @@ enum {
#define IFLA_VRF_PORT_MAX (__IFLA_VRF_PORT_MAX - 1)
+/* MACSEC section */
+enum {
+ IFLA_MACSEC_UNSPEC,
+ IFLA_MACSEC_SCI,
+ IFLA_MACSEC_PORT,
+ IFLA_MACSEC_ICV_LEN,
+ IFLA_MACSEC_CIPHER_SUITE,
+ IFLA_MACSEC_WINDOW,
+ IFLA_MACSEC_ENCODING_SA,
+ IFLA_MACSEC_ENCRYPT,
+ IFLA_MACSEC_PROTECT,
+ IFLA_MACSEC_INC_SCI,
+ IFLA_MACSEC_ES,
+ IFLA_MACSEC_SCB,
+ IFLA_MACSEC_REPLAY_PROTECT,
+ IFLA_MACSEC_VALIDATION,
+ __IFLA_MACSEC_MAX,
+};
+
+#define IFLA_MACSEC_MAX (__IFLA_MACSEC_MAX - 1)
+
/* IPVLAN section */
enum {
IFLA_IPVLAN_UNSPEC,
diff --git a/include/uapi/linux/if_macsec.h b/include/uapi/linux/if_macsec.h
new file mode 100644
index 000000000000..bd1abe1717e9
--- /dev/null
+++ b/include/uapi/linux/if_macsec.h
@@ -0,0 +1,165 @@
+/*
+ * include/uapi/linux/if_macsec.h - MACsec device
+ *
+ * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#ifndef _UAPI_MACSEC_H
+#define _UAPI_MACSEC_H
+
+#include <linux/types.h>
+
+#define MACSEC_GENL_NAME "macsec"
+#define MACSEC_GENL_VERSION 1
+
+#define MACSEC_MAX_KEY_LEN 128
+
+
+#define DEFAULT_CIPHER_NAME "GCM-AES-128"
+#define DEFAULT_CIPHER_ID 0x0080020001000001ULL
+#define DEFAULT_CIPHER_ALT 0x0080C20001000001ULL
+
+#define MACSEC_MIN_ICV_LEN 8
+#define MACSEC_MAX_ICV_LEN 32
+
+enum macsec_attrs {
+ MACSEC_ATTR_UNSPEC,
+ MACSEC_ATTR_IFINDEX,
+ MACSEC_ATTR_SCI,
+ MACSEC_ATTR_ENCODING_SA,
+ MACSEC_ATTR_WINDOW,
+ MACSEC_ATTR_CIPHER_SUITE,
+ MACSEC_ATTR_ICV_LEN,
+ MACSEC_TXSA_LIST,
+ MACSEC_RXSC_LIST,
+ MACSEC_TXSC_STATS,
+ MACSEC_SECY_STATS,
+ MACSEC_ATTR_PROTECT,
+ MACSEC_ATTR_REPLAY,
+ MACSEC_ATTR_OPER,
+ MACSEC_ATTR_VALIDATE,
+ MACSEC_ATTR_ENCRYPT,
+ MACSEC_ATTR_INC_SCI,
+ MACSEC_ATTR_ES,
+ MACSEC_ATTR_SCB,
+ __MACSEC_ATTR_END,
+ NUM_MACSEC_ATTR = __MACSEC_ATTR_END,
+ MACSEC_ATTR_MAX = __MACSEC_ATTR_END - 1,
+};
+
+enum macsec_sa_list_attrs {
+ MACSEC_SA_LIST_UNSPEC,
+ MACSEC_SA,
+ __MACSEC_ATTR_SA_LIST_MAX,
+ MACSEC_ATTR_SA_LIST_MAX = __MACSEC_ATTR_SA_LIST_MAX - 1,
+};
+
+enum macsec_rxsc_list_attrs {
+ MACSEC_RXSC_LIST_UNSPEC,
+ MACSEC_RXSC,
+ __MACSEC_ATTR_RXSC_LIST_MAX,
+ MACSEC_ATTR_RXSC_LIST_MAX = __MACSEC_ATTR_RXSC_LIST_MAX - 1,
+};
+
+enum macsec_rxsc_attrs {
+ MACSEC_ATTR_SC_UNSPEC,
+ /* use the same value to allow generic helper function, see
+ * get_*_from_nl in drivers/net/macsec.c */
+ MACSEC_ATTR_SC_IFINDEX = MACSEC_ATTR_IFINDEX,
+ MACSEC_ATTR_SC_SCI = MACSEC_ATTR_SCI,
+ MACSEC_ATTR_SC_ACTIVE,
+ MACSEC_RXSA_LIST,
+ MACSEC_RXSC_STATS,
+ __MACSEC_ATTR_SC_END,
+ NUM_MACSEC_SC_ATTR = __MACSEC_ATTR_SC_END,
+ MACSEC_ATTR_SC_MAX = __MACSEC_ATTR_SC_END - 1,
+};
+
+enum macsec_sa_attrs {
+ MACSEC_ATTR_SA_UNSPEC,
+ /* use the same value to allow generic helper function, see
+ * get_*_from_nl in drivers/net/macsec.c */
+ MACSEC_ATTR_SA_IFINDEX = MACSEC_ATTR_IFINDEX,
+ MACSEC_ATTR_SA_SCI = MACSEC_ATTR_SCI,
+ MACSEC_ATTR_SA_AN,
+ MACSEC_ATTR_SA_ACTIVE,
+ MACSEC_ATTR_SA_PN,
+ MACSEC_ATTR_SA_KEY,
+ MACSEC_ATTR_SA_KEYID,
+ MACSEC_SA_STATS,
+ __MACSEC_ATTR_SA_END,
+ NUM_MACSEC_SA_ATTR = __MACSEC_ATTR_SA_END,
+ MACSEC_ATTR_SA_MAX = __MACSEC_ATTR_SA_END - 1,
+};
+
+enum macsec_nl_commands {
+ MACSEC_CMD_GET_TXSC,
+ MACSEC_CMD_ADD_RXSC,
+ MACSEC_CMD_DEL_RXSC,
+ MACSEC_CMD_UPD_RXSC,
+ MACSEC_CMD_ADD_TXSA,
+ MACSEC_CMD_DEL_TXSA,
+ MACSEC_CMD_UPD_TXSA,
+ MACSEC_CMD_ADD_RXSA,
+ MACSEC_CMD_DEL_RXSA,
+ MACSEC_CMD_UPD_RXSA,
+};
+
+enum validation_type {
+ MACSEC_VALIDATE_DISABLED = 0,
+ MACSEC_VALIDATE_CHECK = 1,
+ MACSEC_VALIDATE_STRICT = 2,
+ __MACSEC_VALIDATE_MAX,
+};
+#define MACSEC_VALIDATE_MAX (__MACSEC_VALIDATE_MAX - 1)
+
+struct macsec_rx_sc_stats {
+ __u64 InOctetsValidated;
+ __u64 InOctetsDecrypted;
+ __u64 InPktsUnchecked;
+ __u64 InPktsDelayed;
+ __u64 InPktsOK;
+ __u64 InPktsInvalid;
+ __u64 InPktsLate;
+ __u64 InPktsNotValid;
+ __u64 InPktsNotUsingSA;
+ __u64 InPktsUnusedSA;
+};
+
+struct macsec_rx_sa_stats {
+ __u32 InPktsOK;
+ __u32 InPktsInvalid;
+ __u32 InPktsNotValid;
+ __u32 InPktsNotUsingSA;
+ __u32 InPktsUnusedSA;
+};
+
+struct macsec_tx_sc_stats {
+ __u64 OutPktsProtected;
+ __u64 OutPktsEncrypted;
+ __u64 OutOctetsProtected;
+ __u64 OutOctetsEncrypted;
+};
+
+struct macsec_tx_sa_stats {
+ __u32 OutPktsProtected;
+ __u32 OutPktsEncrypted;
+};
+
+struct macsec_dev_stats {
+ __u64 OutPktsUntagged;
+ __u64 InPktsUntagged;
+ __u64 OutPktsTooLong;
+ __u64 InPktsNoTag;
+ __u64 InPktsBadTag;
+ __u64 InPktsUnknownSCI;
+ __u64 InPktsNoSCI;
+ __u64 InPktsOverrun;
+};
+
+#endif /* _UAPI_MACSEC_H */
--
2.7.2
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH net-next 1/3] uapi: add MACsec bits
2016-03-07 17:12 ` [PATCH net-next 1/3] uapi: add MACsec bits Sabrina Dubroca
@ 2016-03-08 19:52 ` Johannes Berg
2016-03-09 10:51 ` Sabrina Dubroca
0 siblings, 1 reply; 16+ messages in thread
From: Johannes Berg @ 2016-03-08 19:52 UTC (permalink / raw)
To: Sabrina Dubroca, netdev
Cc: Hannes Frederic Sowa, Florian Westphal, Paolo Abeni, stephen
On Mon, 2016-03-07 at 18:12 +0100, Sabrina Dubroca wrote:
> +++ b/include/uapi/linux/if_macsec.h
Some bits of documentation in this file, regarding all the various
operations and attributes, might be nice. At least the netlink types?
E.g., given this:
> +#define DEFAULT_CIPHER_NAME "GCM-AES-128"
> +#define DEFAULT_CIPHER_ID 0x0080020001000001ULL
> +#define DEFAULT_CIPHER_ALT 0x0080C20001000001ULL
> +enum macsec_attrs {
[...]
> + MACSEC_ATTR_CIPHER_SUITE,
should that be the ID, the alternate ID, or the string?
> + MACSEC_ATTR_ICV_LEN,
> + MACSEC_TXSA_LIST,
> + MACSEC_RXSC_LIST,
> + MACSEC_TXSC_STATS,
> + MACSEC_SECY_STATS,
> + MACSEC_ATTR_PROTECT,
This seems a bit inconsistent, MACSEC_ATTR_* vs. MACSEC_*?
> +enum macsec_sa_list_attrs {
> + MACSEC_SA_LIST_UNSPEC,
> + MACSEC_SA,
> + __MACSEC_ATTR_SA_LIST_MAX,
> + MACSEC_ATTR_SA_LIST_MAX = __MACSEC_ATTR_SA_LIST_MAX - 1,
> +};
Again, without documentation, it seems odd to have an enum with just a
single useful entry? If you just wanted an array you don't need this at
all? The netlink nesting properties could be specified somewhere.
> +enum macsec_rxsc_list_attrs {
> + MACSEC_RXSC_LIST_UNSPEC,
> + MACSEC_RXSC,
similarly here
> +enum macsec_rxsc_attrs {
> + MACSEC_ATTR_SC_UNSPEC,
> + /* use the same value to allow generic helper function, see
> + * get_*_from_nl in drivers/net/macsec.c */
> + MACSEC_ATTR_SC_IFINDEX = MACSEC_ATTR_IFINDEX,
> + MACSEC_ATTR_SC_SCI = MACSEC_ATTR_SCI,
This seems odd, this must be nested inside the top-level attributes
since it's a single genl family, so why not use the top-level
attributes to start with?
If you need multiple you can use dump with multiple messages.
> +enum macsec_sa_attrs {
> + MACSEC_ATTR_SA_UNSPEC,
> + /* use the same value to allow generic helper function, see
> + * get_*_from_nl in drivers/net/macsec.c */
> + MACSEC_ATTR_SA_IFINDEX = MACSEC_ATTR_IFINDEX,
> + MACSEC_ATTR_SA_SCI = MACSEC_ATTR_SCI,
likewise here
> +enum validation_type {
> + MACSEC_VALIDATE_DISABLED = 0,
> + MACSEC_VALIDATE_CHECK = 1,
> + MACSEC_VALIDATE_STRICT = 2,
> + __MACSEC_VALIDATE_MAX,
> +};
> +#define MACSEC_VALIDATE_MAX (__MACSEC_VALIDATE_MAX - 1)
everywhere else you put that into the enum, why not here?
> +struct macsec_rx_sc_stats {
> + __u64 InOctetsValidated;
> + __u64 InOctetsDecrypted;
> + __u64 InPktsUnchecked;
> + __u64 InPktsDelayed;
> + __u64 InPktsOK;
> + __u64 InPktsInvalid;
> + __u64 InPktsLate;
> + __u64 InPktsNotValid;
> + __u64 InPktsNotUsingSA;
> + __u64 InPktsUnusedSA;
> +};
It might be worth splitting those into attributes so that, if some
hardware offload can't provide all of the counters in the future, they
can just be left out of the netlink message?
johannes
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH net-next 1/3] uapi: add MACsec bits
2016-03-08 19:52 ` Johannes Berg
@ 2016-03-09 10:51 ` Sabrina Dubroca
2016-03-09 11:34 ` Johannes Berg
0 siblings, 1 reply; 16+ messages in thread
From: Sabrina Dubroca @ 2016-03-09 10:51 UTC (permalink / raw)
To: Johannes Berg
Cc: netdev, Hannes Frederic Sowa, Florian Westphal, Paolo Abeni,
stephen
2016-03-08, 20:52:48 +0100, Johannes Berg wrote:
> On Mon, 2016-03-07 at 18:12 +0100, Sabrina Dubroca wrote:
>
> > +++ b/include/uapi/linux/if_macsec.h
>
> Some bits of documentation in this file, regarding all the various
> operations and attributes, might be nice. At least the netlink types?
ok. Most of them are already indicated in the policies, but I can add
some comments here.
> E.g., given this:
>
> > +#define DEFAULT_CIPHER_NAME "GCM-AES-128"
> > +#define DEFAULT_CIPHER_ID 0x0080020001000001ULL
> > +#define DEFAULT_CIPHER_ALT 0x0080C20001000001ULL
>
> > +enum macsec_attrs {
> [...]
> > + MACSEC_ATTR_CIPHER_SUITE,
>
> should that be the ID, the alternate ID, or the string?
uh, the string is never actually used, I could get rid of it.
> > + MACSEC_ATTR_ICV_LEN,
> > + MACSEC_TXSA_LIST,
> > + MACSEC_RXSC_LIST,
> > + MACSEC_TXSC_STATS,
> > + MACSEC_SECY_STATS,
> > + MACSEC_ATTR_PROTECT,
>
> This seems a bit inconsistent, MACSEC_ATTR_* vs. MACSEC_*?
Only the MACSEC_ATTR_* can be set, the others are just for dumping.
> > +enum macsec_sa_list_attrs {
> > + MACSEC_SA_LIST_UNSPEC,
> > + MACSEC_SA,
> > + __MACSEC_ATTR_SA_LIST_MAX,
> > + MACSEC_ATTR_SA_LIST_MAX = __MACSEC_ATTR_SA_LIST_MAX - 1,
> > +};
>
> Again, without documentation, it seems odd to have an enum with just a
> single useful entry? If you just wanted an array you don't need this at
> all? The netlink nesting properties could be specified somewhere.
Yes, in dump_secy(), I nest the TXSA_LIST, and then each SA underneath
it. I'm not sure how that would work without the list. Can you have
an array without the dummy level of nesting?
> > +enum macsec_rxsc_list_attrs {
> > + MACSEC_RXSC_LIST_UNSPEC,
> > + MACSEC_RXSC,
>
> similarly here
>
> > +enum macsec_rxsc_attrs {
> > + MACSEC_ATTR_SC_UNSPEC,
> > + /* use the same value to allow generic helper function, see
> > + * get_*_from_nl in drivers/net/macsec.c */
> > + MACSEC_ATTR_SC_IFINDEX = MACSEC_ATTR_IFINDEX,
> > + MACSEC_ATTR_SC_SCI = MACSEC_ATTR_SCI,
>
> This seems odd, this must be nested inside the top-level attributes
> since it's a single genl family, so why not use the top-level
> attributes to start with?
>
> If you need multiple you can use dump with multiple messages.
>
> > +enum macsec_sa_attrs {
> > + MACSEC_ATTR_SA_UNSPEC,
> > + /* use the same value to allow generic helper function, see
> > + * get_*_from_nl in drivers/net/macsec.c */
> > + MACSEC_ATTR_SA_IFINDEX = MACSEC_ATTR_IFINDEX,
> > + MACSEC_ATTR_SA_SCI = MACSEC_ATTR_SCI,
>
> likewise here
>
> > +enum validation_type {
> > + MACSEC_VALIDATE_DISABLED = 0,
> > + MACSEC_VALIDATE_CHECK = 1,
> > + MACSEC_VALIDATE_STRICT = 2,
> > + __MACSEC_VALIDATE_MAX,
> > +};
> > +#define MACSEC_VALIDATE_MAX (__MACSEC_VALIDATE_MAX - 1)
>
> everywhere else you put that into the enum, why not here?
Will fix.
> > +struct macsec_rx_sc_stats {
> > + __u64 InOctetsValidated;
> > + __u64 InOctetsDecrypted;
> > + __u64 InPktsUnchecked;
> > + __u64 InPktsDelayed;
> > + __u64 InPktsOK;
> > + __u64 InPktsInvalid;
> > + __u64 InPktsLate;
> > + __u64 InPktsNotValid;
> > + __u64 InPktsNotUsingSA;
> > + __u64 InPktsUnusedSA;
> > +};
>
> It might be worth splitting those into attributes so that, if some
> hardware offload can't provide all of the counters in the future, they
> can just be left out of the netlink message?
These stats are defined by the standard, but marked optional.
A hardware device that doesn't implement some stat could just ignore
it and export 0.
I don't have a strong opinion about this.
Thanks,
--
Sabrina
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH net-next 1/3] uapi: add MACsec bits
2016-03-09 10:51 ` Sabrina Dubroca
@ 2016-03-09 11:34 ` Johannes Berg
2016-03-10 9:55 ` Sabrina Dubroca
0 siblings, 1 reply; 16+ messages in thread
From: Johannes Berg @ 2016-03-09 11:34 UTC (permalink / raw)
To: Sabrina Dubroca
Cc: netdev, Hannes Frederic Sowa, Florian Westphal, Paolo Abeni,
stephen
On Wed, 2016-03-09 at 11:51 +0100, Sabrina Dubroca wrote:
> > > +#define DEFAULT_CIPHER_NAME "GCM-AES-128"
> > > +#define DEFAULT_CIPHER_ID 0x0080020001000001ULL
> > > +#define DEFAULT_CIPHER_ALT 0x0080C20001000001ULL
> >
> > > +enum macsec_attrs {
> > [...]
> > > + MACSEC_ATTR_CIPHER_SUITE,
> >
> > should that be the ID, the alternate ID, or the string?
>
> uh, the string is never actually used, I could get rid of it.
Heh, ok. I was actually wondering about the string but didn't look up
where/if it was used :)
> > > + MACSEC_ATTR_ICV_LEN,
> > > + MACSEC_TXSA_LIST,
> > > + MACSEC_RXSC_LIST,
> > > + MACSEC_TXSC_STATS,
> > > + MACSEC_SECY_STATS,
> > > + MACSEC_ATTR_PROTECT,
> >
> > This seems a bit inconsistent, MACSEC_ATTR_* vs. MACSEC_*?
>
> Only the MACSEC_ATTR_* can be set, the others are just for dumping.
Makes sense too.
I tend to prefer the names having a consistent prefix to indicate the
enum they're used in, which indicates the nesting level in nl80211 etc.
and makes it easier to figure out in the code that they're used
correctly (since accidentally mixing enums will give no warnings), but
that's just personal preference I guess.
> > > +enum macsec_sa_list_attrs {
> > > + MACSEC_SA_LIST_UNSPEC,
> > > + MACSEC_SA,
> > > + __MACSEC_ATTR_SA_LIST_MAX,
> > > + MACSEC_ATTR_SA_LIST_MAX = __MACSEC_ATTR_SA_LIST_MAX - 1,
> > > +};
> >
> > Again, without documentation, it seems odd to have an enum with
> > just a
> > single useful entry? If you just wanted an array you don't need
> > this at
> > all? The netlink nesting properties could be specified somewhere.
>
> Yes, in dump_secy(), I nest the TXSA_LIST, and then each SA
> underneath
> it. I'm not sure how that would work without the list. Can you have
> an array without the dummy level of nesting?
So, if I understand correctly, your message would be
[
..., /* e.g. IFINDEX, perhaps */
TXSA_LIST -> [
MACSEC_SA -> [
MACSEC_ATTR_SA_AN -> ...,
MACSEC_ATTR_SA_PN -> ...
],
MACSEC_SA -> [...],
MACSEC_SA -> [...],
...
],
]
right? That seems pretty odd to me, usually the same nesting level in
netlink shouldn't contain the same attribute multiple times, as I
understand it.
I *think* the way we do this in nl80211 is more customary, it would be
like this in your case (without defining the sa_list_attrs enum):
[
..., /* e.g. IFINDEX, perhaps */
TXSA_LIST -> [
1 -> [
MACSEC_ATTR_SA_AN -> ...,
MACSEC_ATTR_SA_PN -> ...
],
2 -> [...],
3 -> [...],
...
],
]
See, for example, nl80211_send_wowlan_patterns() which nests like this:
[
NL80211_WOWLAN_TRIG_PKT_PATTERN -> [
1 -> [
NL80211_PKTPAT_MASK -> ...,
NL80211_PKTPAT_PATTERN -> ...,
NL80211_PKTPAT_OFFSET -> ...,
],
2 -> [...],
...
]
]
> These stats are defined by the standard, but marked optional.
> A hardware device that doesn't implement some stat could just ignore
> it and export 0.
Fair enough. I tend to think there could be a difference between
knowing the value was 0 and knowing it wasn't provided, particularly
for the "exceptions" that you'd hope are mostly 0 under good operating
conditions, but I don't have a strong opinion about these or,
obviously, any idea about whether hardware might not be able to provide
them.
johannes
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH net-next 1/3] uapi: add MACsec bits
2016-03-09 11:34 ` Johannes Berg
@ 2016-03-10 9:55 ` Sabrina Dubroca
0 siblings, 0 replies; 16+ messages in thread
From: Sabrina Dubroca @ 2016-03-10 9:55 UTC (permalink / raw)
To: Johannes Berg
Cc: netdev, Hannes Frederic Sowa, Florian Westphal, Paolo Abeni,
stephen
Hi Johannes,
2016-03-09, 12:34:23 +0100, Johannes Berg wrote:
> On Wed, 2016-03-09 at 11:51 +0100, Sabrina Dubroca wrote:
> > > > + MACSEC_ATTR_ICV_LEN,
> > > > + MACSEC_TXSA_LIST,
> > > > + MACSEC_RXSC_LIST,
> > > > + MACSEC_TXSC_STATS,
> > > > + MACSEC_SECY_STATS,
> > > > + MACSEC_ATTR_PROTECT,
> > >
> > > This seems a bit inconsistent, MACSEC_ATTR_* vs. MACSEC_*?
> >
> > Only the MACSEC_ATTR_* can be set, the others are just for dumping.
>
> Makes sense too.
>
> I tend to prefer the names having a consistent prefix to indicate the
> enum they're used in, which indicates the nesting level in nl80211 etc.
> and makes it easier to figure out in the code that they're used
> correctly (since accidentally mixing enums will give no warnings), but
> that's just personal preference I guess.
I see. I like the verification aspect, I'm adapting the enums now.
> > > > +enum macsec_sa_list_attrs {
> > > > + MACSEC_SA_LIST_UNSPEC,
> > > > + MACSEC_SA,
> > > > + __MACSEC_ATTR_SA_LIST_MAX,
> > > > + MACSEC_ATTR_SA_LIST_MAX = __MACSEC_ATTR_SA_LIST_MAX - 1,
> > > > +};
> > >
> > > Again, without documentation, it seems odd to have an enum with
> > > just a
> > > single useful entry? If you just wanted an array you don't need
> > > this at
> > > all? The netlink nesting properties could be specified somewhere.
> >
> > Yes, in dump_secy(), I nest the TXSA_LIST, and then each SA
> > underneath
> > it. I'm not sure how that would work without the list. Can you have
> > an array without the dummy level of nesting?
>
>
> So, if I understand correctly, your message would be
> [
> ..., /* e.g. IFINDEX, perhaps */
> TXSA_LIST -> [
> MACSEC_SA -> [
> MACSEC_ATTR_SA_AN -> ...,
> MACSEC_ATTR_SA_PN -> ...
> ],
> MACSEC_SA -> [...],
> MACSEC_SA -> [...],
> ...
> ],
> ]
>
> right? That seems pretty odd to me, usually the same nesting level in
> netlink shouldn't contain the same attribute multiple times, as I
> understand it.
Well, it worked ;)
> I *think* the way we do this in nl80211 is more customary, it would be
> like this in your case (without defining the sa_list_attrs enum):
>
> [
> ..., /* e.g. IFINDEX, perhaps */
> TXSA_LIST -> [
> 1 -> [
> MACSEC_ATTR_SA_AN -> ...,
> MACSEC_ATTR_SA_PN -> ...
> ],
> 2 -> [...],
> 3 -> [...],
> ...
> ],
> ]
>
> See, for example, nl80211_send_wowlan_patterns() which nests like this:
>
> [
> NL80211_WOWLAN_TRIG_PKT_PATTERN -> [
> 1 -> [
> NL80211_PKTPAT_MASK -> ...,
> NL80211_PKTPAT_PATTERN -> ...,
> NL80211_PKTPAT_OFFSET -> ...,
> ],
> 2 -> [...],
> ...
> ]
> ]
Ah, ok. I'm using this now, no more dummy enum. And thanks for the pointer!
> > These stats are defined by the standard, but marked optional.
> > A hardware device that doesn't implement some stat could just ignore
> > it and export 0.
>
> Fair enough. I tend to think there could be a difference between
> knowing the value was 0 and knowing it wasn't provided, particularly
> for the "exceptions" that you'd hope are mostly 0 under good operating
> conditions, but I don't have a strong opinion about these or,
> obviously, any idea about whether hardware might not be able to provide
> them.
Hmm, yeah, that makes sense. I'll think about it a bit more, maybe I
will change that before I resubmit. The separate attributes would
also help a bit in case we need to add more stats.
Thanks,
--
Sabrina
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH net-next 2/3] net: add MACsec netdevice priv_flags and helper
2016-03-07 17:12 [PATCH net-next 0/3] MACsec IEEE 802.1AE implementation Sabrina Dubroca
2016-03-07 17:12 ` [PATCH net-next 1/3] uapi: add MACsec bits Sabrina Dubroca
@ 2016-03-07 17:12 ` Sabrina Dubroca
2016-03-07 17:12 ` [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver Sabrina Dubroca
2016-03-07 17:12 ` [PATCH iproute2 net-next] ip: add MACsec support Sabrina Dubroca
3 siblings, 0 replies; 16+ messages in thread
From: Sabrina Dubroca @ 2016-03-07 17:12 UTC (permalink / raw)
To: netdev
Cc: Hannes Frederic Sowa, Florian Westphal, Paolo Abeni, stephen,
Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
v1: rebase
RFCv2: add kerneldoc comment, detected by kbuild robot
---
include/linux/netdevice.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index efe7cec111fa..1ac109cabafc 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1325,6 +1325,7 @@ struct net_device_ops {
* @IFF_RXFH_CONFIGURED: device has had Rx Flow indirection table configured
* @IFF_PHONY_HEADROOM: the headroom value is controlled by an external
* entity (i.e. the master device for bridged veth)
+ * @IFF_MACSEC: device is a MACsec device
*/
enum netdev_priv_flags {
IFF_802_1Q_VLAN = 1<<0,
@@ -1354,6 +1355,7 @@ enum netdev_priv_flags {
IFF_TEAM = 1<<24,
IFF_RXFH_CONFIGURED = 1<<25,
IFF_PHONY_HEADROOM = 1<<26,
+ IFF_MACSEC = 1<<27,
};
#define IFF_802_1Q_VLAN IFF_802_1Q_VLAN
@@ -1382,6 +1384,7 @@ enum netdev_priv_flags {
#define IFF_L3MDEV_SLAVE IFF_L3MDEV_SLAVE
#define IFF_TEAM IFF_TEAM
#define IFF_RXFH_CONFIGURED IFF_RXFH_CONFIGURED
+#define IFF_MACSEC IFF_MACSEC
/**
* struct net_device - The DEVICE structure.
@@ -4025,6 +4028,11 @@ static inline void skb_gso_error_unwind(struct sk_buff *skb, __be16 protocol,
skb->mac_len = mac_len;
}
+static inline bool netif_is_macsec(const struct net_device *dev)
+{
+ return dev->priv_flags & IFF_MACSEC;
+}
+
static inline bool netif_is_macvlan(const struct net_device *dev)
{
return dev->priv_flags & IFF_MACVLAN;
--
2.7.2
^ permalink raw reply related [flat|nested] 16+ messages in thread* [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver
2016-03-07 17:12 [PATCH net-next 0/3] MACsec IEEE 802.1AE implementation Sabrina Dubroca
2016-03-07 17:12 ` [PATCH net-next 1/3] uapi: add MACsec bits Sabrina Dubroca
2016-03-07 17:12 ` [PATCH net-next 2/3] net: add MACsec netdevice priv_flags and helper Sabrina Dubroca
@ 2016-03-07 17:12 ` Sabrina Dubroca
2016-03-07 19:05 ` David Miller
2016-03-08 20:13 ` Johannes Berg
2016-03-07 17:12 ` [PATCH iproute2 net-next] ip: add MACsec support Sabrina Dubroca
3 siblings, 2 replies; 16+ messages in thread
From: Sabrina Dubroca @ 2016-03-07 17:12 UTC (permalink / raw)
To: netdev
Cc: Hannes Frederic Sowa, Florian Westphal, Paolo Abeni, stephen,
Sabrina Dubroca
This is an implementation of MACsec/IEEE 802.1AE. This driver
provides authentication and encryption of traffic in a LAN, typically
with GCM-AES-128, and optional replay protection.
http://standards.ieee.org/getieee802/download/802.1AE-2006.pdf
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
v1:
- fix ENCODING_SA param validation
- add parent link to netlink ifdumps
RFCv2:
- rcu fixes pointed out by Florian
- get rid of magic numbers in shortlength field validation, use a nice
helper function instead
- extract post-decrypt handling from macsec_handle_frame to reuse it in
the decrypt callback
- needed headroom shouldn't include hard_header len, pointed out by Paolo
- added refcounting on macsec_rx_sc
- fixed ->dellink behavior
---
drivers/net/Kconfig | 7 +
drivers/net/Makefile | 1 +
drivers/net/macsec.c | 3037 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 3045 insertions(+)
create mode 100644 drivers/net/macsec.c
diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
index f184fb5bd110..2a1ba62b7da2 100644
--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -193,6 +193,13 @@ config GENEVE
To compile this driver as a module, choose M here: the module
will be called geneve.
+config MACSEC
+ tristate "IEEE 802.1AE MAC-level encryption (MACsec)"
+ select CRYPTO_AES
+ select CRYPTO_GCM
+ ---help---
+ MACsec is an encryption standard for Ethernet.
+
config NETCONSOLE
tristate "Network console logging support"
---help---
diff --git a/drivers/net/Makefile b/drivers/net/Makefile
index 900b0c5320bb..1aa7cb845663 100644
--- a/drivers/net/Makefile
+++ b/drivers/net/Makefile
@@ -10,6 +10,7 @@ obj-$(CONFIG_IPVLAN) += ipvlan/
obj-$(CONFIG_DUMMY) += dummy.o
obj-$(CONFIG_EQUALIZER) += eql.o
obj-$(CONFIG_IFB) += ifb.o
+obj-$(CONFIG_MACSEC) += macsec.o
obj-$(CONFIG_MACVLAN) += macvlan.o
obj-$(CONFIG_MACVTAP) += macvtap.o
obj-$(CONFIG_MII) += mii.o
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
new file mode 100644
index 000000000000..af79f59d4dd7
--- /dev/null
+++ b/drivers/net/macsec.c
@@ -0,0 +1,3037 @@
+/*
+ * drivers/net/macsec.c - MACsec device
+ *
+ * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <linux/types.h>
+#include <linux/skbuff.h>
+#include <linux/socket.h>
+#include <linux/module.h>
+#include <crypto/aead.h>
+#include <linux/etherdevice.h>
+#include <linux/rtnetlink.h>
+#include <net/genetlink.h>
+#include <net/sock.h>
+
+#include <uapi/linux/if_macsec.h>
+
+typedef u64 __bitwise sci_t;
+
+#define MACSEC_SCI_LEN 8
+
+/* SecTAG length = macsec_eth_header without the optional SCI */
+#define MACSEC_TAG_LEN 6
+
+struct macsec_eth_header {
+ struct ethhdr eth;
+ /* SecTAG */
+ u8 tci_an;
+#if defined(__LITTLE_ENDIAN_BITFIELD)
+ u8 short_length:6,
+ unused:2;
+#elif defined(__BIG_ENDIAN_BITFIELD)
+ u8 unused:2,
+ short_length:6;
+#else
+#error "Please fix <asm/byteorder.h>"
+#endif
+ __be32 packet_number;
+ u8 secure_channel_id[8]; /* optional */
+} __packed;
+
+#define MACSEC_TCI_VERSION 0x80
+#define MACSEC_TCI_ES 0x40 /* end station */
+#define MACSEC_TCI_SC 0x20 /* SCI present */
+#define MACSEC_TCI_SCB 0x10 /* epon */
+#define MACSEC_TCI_E 0x08 /* encryption */
+#define MACSEC_TCI_C 0x04 /* changed text */
+#define MACSEC_AN_MASK 0x03 /* association number */
+#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
+
+#define MACSEC_SHORTLEN_THR 48
+
+#define GCM_AES_IV_LEN 12
+#define DEFAULT_ICV_LEN 16
+
+#define for_each_rxsc(secy, sc) \
+ for (sc = rcu_dereference_bh(secy->rx_sc); \
+ sc; \
+ sc = rcu_dereference_bh(sc->next))
+#define for_each_rxsc_rtnl(secy, sc) \
+ for (sc = rtnl_dereference(secy->rx_sc); \
+ sc; \
+ sc = rtnl_dereference(sc->next))
+
+struct gcm_iv {
+ union {
+ u8 secure_channel_id[8];
+ sci_t sci;
+ };
+ __be32 pn;
+};
+
+/**
+ * struct macsec_key - SA key
+ * @id user-provided key identifier
+ * @tfm crypto struct, key storage
+ */
+struct macsec_key {
+ u64 id;
+ struct crypto_aead *tfm;
+};
+
+/**
+ * struct macsec_rx_sa - receive secure association
+ * @active
+ * @next_pn packet number expected for the next packet
+ * @lock protects next_pn manipulations
+ * @key key structure
+ * @stats per-SA stats
+ */
+struct macsec_rx_sa {
+ bool active;
+ u32 next_pn;
+ spinlock_t lock;
+ struct macsec_key key;
+ struct macsec_rx_sa_stats __percpu *stats;
+ struct macsec_rx_sc *sc;
+ atomic_t refcnt;
+ struct rcu_head rcu;
+};
+
+struct pcpu_rx_sc_stats {
+ struct macsec_rx_sc_stats stats;
+ struct u64_stats_sync syncp;
+};
+
+/**
+ * struct macsec_rx_sc - receive secure channel
+ * @sci secure channel identifier for this SC
+ * @active channel is active
+ * @sa array of secure associations
+ * @stats per-SC stats
+ */
+struct macsec_rx_sc {
+ struct macsec_rx_sc __rcu *next;
+ sci_t sci;
+ bool active;
+ struct macsec_rx_sa __rcu *sa[4];
+ struct pcpu_rx_sc_stats __percpu *stats;
+ atomic_t refcnt;
+ struct rcu_head rcu_head;
+};
+
+/**
+ * struct macsec_tx_sa - transmit secure association
+ * @active
+ * @next_pn packet number to use for the next packet
+ * @lock protects next_pn manipulations
+ * @key key structure
+ * @stats per-SA stats
+ */
+struct macsec_tx_sa {
+ bool active;
+ u32 next_pn;
+ spinlock_t lock;
+ struct macsec_key key;
+ struct macsec_tx_sa_stats __percpu *stats;
+ atomic_t refcnt;
+ struct rcu_head rcu;
+};
+
+struct pcpu_tx_sc_stats {
+ struct macsec_tx_sc_stats stats;
+ struct u64_stats_sync syncp;
+};
+
+/**
+ * struct macsec_tx_sc - transmit secure channel
+ * @active
+ * @encoding_sa association number of the SA currently in use
+ * @encrypt encrypt packets on transmit, or authenticate only
+ * @send_sci always include the SCI in the SecTAG
+ * @end_station
+ * @scb single copy broadcast flag
+ * @sa array of secure associations
+ * @stats stats for this TXSC
+ */
+struct macsec_tx_sc {
+ bool active;
+ u8 encoding_sa;
+ bool encrypt;
+ bool send_sci;
+ bool end_station;
+ bool scb;
+ struct macsec_tx_sa __rcu *sa[4];
+ struct pcpu_tx_sc_stats __percpu *stats;
+};
+
+#define MACSEC_VALIDATE_DEFAULT MACSEC_VALIDATE_STRICT
+
+/**
+ * struct macsec_secy - MACsec Security Entity
+ * @netdev netdevice for this SecY
+ * @n_rx_sc number of receive secure channels configured on this SecY
+ * @sci secure channel identifier used for tx
+ * @key_len length of keys used by the cipher suite
+ * @icv_len length of ICV used by the cipher suite
+ * @validate_frames validation mode
+ * @operational MAC_Operational flag
+ * @protect_frames enable protection for this SecY
+ * @replay_protect enable packet number checks on receive
+ * @replay_window size of the replay window
+ * @tx_sc transmit secure channel
+ * @rx_sc linked list of receive secure channels
+ */
+struct macsec_secy {
+ struct net_device *netdev;
+ unsigned int n_rx_sc;
+ sci_t sci;
+ u16 key_len;
+ u16 icv_len;
+ enum validation_type validate_frames;
+ bool operational;
+ bool protect_frames;
+ bool replay_protect;
+ u32 replay_window;
+ struct macsec_tx_sc tx_sc;
+ struct macsec_rx_sc __rcu *rx_sc;
+};
+
+struct pcpu_secy_stats {
+ struct macsec_dev_stats stats;
+ struct u64_stats_sync syncp;
+};
+
+/**
+ * struct macsec_dev - private data
+ * @secy SecY config
+ * @real_dev pointer to underlying netdevice
+ * @stats MACsec device stats
+ * @secys linked list of SecY's on the underlying device
+ */
+struct macsec_dev {
+ struct macsec_secy secy;
+ struct net_device *real_dev;
+ struct pcpu_secy_stats __percpu *stats;
+ struct list_head secys;
+};
+
+/**
+ * struct macsec_rxh_data - rx_handler private argument
+ * @secys linked list of SecY's on this underlying device
+ */
+struct macsec_rxh_data {
+ struct list_head secys;
+};
+
+static struct macsec_dev *macsec_priv(const struct net_device *dev)
+{
+ return (struct macsec_dev *)netdev_priv(dev);
+}
+
+static struct macsec_rxh_data *macsec_data_rcu(const struct net_device *dev)
+{
+ return rcu_dereference_bh(dev->rx_handler_data);
+}
+
+static struct macsec_rxh_data *macsec_data_rtnl(const struct net_device *dev)
+{
+ return rtnl_dereference(dev->rx_handler_data);
+}
+
+struct macsec_cb {
+ struct aead_request *req;
+ union {
+ struct macsec_tx_sa *tx_sa;
+ struct macsec_rx_sa *rx_sa;
+ };
+ u8 assoc_num;
+ bool valid;
+ bool has_sci;
+};
+
+static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
+{
+ struct macsec_rx_sa *sa = rcu_dereference_bh(ptr);
+
+ if (!sa || !sa->active)
+ return NULL;
+
+ if (!atomic_inc_not_zero(&sa->refcnt))
+ return NULL;
+
+ return sa;
+}
+
+static void free_rx_sc_rcu(struct rcu_head *head)
+{
+ struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
+
+ free_percpu(rx_sc->stats);
+ kfree(rx_sc);
+}
+
+static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc)
+{
+ return atomic_inc_not_zero(&sc->refcnt) ? sc : NULL;
+}
+
+static void macsec_rxsc_put(struct macsec_rx_sc *sc)
+{
+ if (atomic_dec_and_test(&sc->refcnt))
+ call_rcu(&sc->rcu_head, free_rx_sc_rcu);
+}
+
+static void free_rxsa(struct rcu_head *head)
+{
+ struct macsec_rx_sa *sa = container_of(head, struct macsec_rx_sa, rcu);
+
+ crypto_free_aead(sa->key.tfm);
+ free_percpu(sa->stats);
+ macsec_rxsc_put(sa->sc);
+ kfree(sa);
+}
+
+static void macsec_rxsa_put(struct macsec_rx_sa *sa)
+{
+ if (atomic_dec_and_test(&sa->refcnt))
+ call_rcu(&sa->rcu, free_rxsa);
+}
+
+static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr)
+{
+ struct macsec_tx_sa *sa = rcu_dereference_bh(ptr);
+
+ if (!sa || !sa->active)
+ return NULL;
+
+ if (!atomic_inc_not_zero(&sa->refcnt))
+ return NULL;
+
+ return sa;
+}
+
+static void free_txsa(struct rcu_head *head)
+{
+ struct macsec_tx_sa *sa = container_of(head, struct macsec_tx_sa, rcu);
+
+ crypto_free_aead(sa->key.tfm);
+ free_percpu(sa->stats);
+ kfree(sa);
+}
+
+static void macsec_txsa_put(struct macsec_tx_sa *sa)
+{
+ if (atomic_dec_and_test(&sa->refcnt))
+ call_rcu(&sa->rcu, free_txsa);
+}
+
+static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
+{
+ BUILD_BUG_ON(sizeof(struct macsec_cb) > sizeof(skb->cb));
+ return (struct macsec_cb *)skb->cb;
+}
+
+#define MACSEC_PORT_ES (htons(0x0001))
+#define MACSEC_PORT_SCB (0x0000)
+#define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL)
+
+#define DEFAULT_SAK_LEN 16
+#define DEFAULT_SEND_SCI true
+#define DEFAULT_ENCRYPT false
+#define DEFAULT_ENCODING_SA 0
+
+static sci_t make_sci(u8 *addr, __be16 port)
+{
+ sci_t sci;
+
+ memcpy(&sci, addr, ETH_ALEN);
+ memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
+
+ return sci;
+}
+
+static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
+{
+ sci_t sci;
+
+ if (sci_present)
+ memcpy(&sci, hdr->secure_channel_id,
+ sizeof(hdr->secure_channel_id));
+ else
+ sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
+
+ return sci;
+}
+
+static unsigned int macsec_sectag_len(bool sci_present)
+{
+ return MACSEC_TAG_LEN + (sci_present ? MACSEC_SCI_LEN : 0);
+}
+
+static unsigned int macsec_hdr_len(bool sci_present)
+{
+ return macsec_sectag_len(sci_present) + ETH_HLEN;
+}
+
+static unsigned int macsec_extra_len(bool sci_present)
+{
+ return macsec_sectag_len(sci_present) + sizeof(__be16);
+}
+
+/* Fill SecTAG according to IEEE 802.1AE-2006 10.5.3 */
+static void macsec_fill_sectag(struct macsec_eth_header *h,
+ const struct macsec_secy *secy, u32 pn)
+{
+ const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
+
+ memset(&h->tci_an, 0, macsec_sectag_len(tx_sc->send_sci));
+ h->eth.h_proto = htons(ETH_P_MACSEC);
+
+ if (tx_sc->send_sci ||
+ (secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb)) {
+ h->tci_an |= MACSEC_TCI_SC;
+ memcpy(&h->secure_channel_id, &secy->sci,
+ sizeof(h->secure_channel_id));
+ } else {
+ if (tx_sc->end_station)
+ h->tci_an |= MACSEC_TCI_ES;
+ if (tx_sc->scb)
+ h->tci_an |= MACSEC_TCI_SCB;
+ }
+
+ h->packet_number = htonl(pn);
+
+ /* with GCM, C/E clear for !encrypt, both set for encrypt */
+ if (tx_sc->encrypt)
+ h->tci_an |= MACSEC_TCI_CONFID;
+ else if (secy->icv_len != DEFAULT_ICV_LEN)
+ h->tci_an |= MACSEC_TCI_C;
+
+ h->tci_an |= tx_sc->encoding_sa;
+}
+
+static void macsec_set_shortlen(struct macsec_eth_header *h, size_t data_len)
+{
+ if (data_len < MACSEC_SHORTLEN_THR)
+ h->short_length = data_len;
+}
+
+/* minimum secure data length deemed "not short", see IEEE 802.1AE-2006 9.7 */
+#define MIN_NON_SHORT_LEN 48
+
+/* validate MACsec packet according to IEEE 802.1AE-2006 9.12 */
+static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len)
+{
+ struct macsec_eth_header *h = (struct macsec_eth_header *)skb->data;
+ int len = skb->len - 2 * ETH_ALEN;
+ int extra_len = macsec_extra_len(!!(h->tci_an & MACSEC_TCI_SC)) + icv_len;
+
+ /* a) It comprises at least 17 octets */
+ if (skb->len <= 16)
+ return false;
+
+ /* b) MACsec EtherType: already checked */
+
+ /* c) V bit is clear */
+ if (h->tci_an & MACSEC_TCI_VERSION)
+ return false;
+
+ /* d) ES or SCB => !SC */
+ if ((h->tci_an & MACSEC_TCI_ES || h->tci_an & MACSEC_TCI_SCB) &&
+ (h->tci_an & MACSEC_TCI_SC))
+ return false;
+
+ /* e) Bits 7 and 8 of octet 4 of the SecTAG are clear */
+ if (h->unused)
+ return false;
+
+ /* rx.pn != 0 (figure 10-5) */
+ if (!h->packet_number)
+ return false;
+
+ /* length check, f) g) h) i) */
+ if (h->short_length)
+ return len == extra_len + h->short_length;
+ return len >= extra_len + MIN_NON_SHORT_LEN;
+}
+
+#define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true))
+#define MACSEC_NEEDED_TAILROOM MACSEC_MAX_ICV_LEN
+
+static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn)
+{
+ struct gcm_iv *gcm_iv = (struct gcm_iv *)iv;
+
+ gcm_iv->sci = sci;
+ gcm_iv->pn = htonl(pn);
+}
+
+static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb)
+{
+ return (struct macsec_eth_header *)skb_mac_header(skb);
+}
+
+static u32 tx_sa_update_pn(struct macsec_tx_sa *tx_sa, struct macsec_secy *secy)
+{
+ u32 pn;
+
+ spin_lock_bh(&tx_sa->lock);
+ pn = tx_sa->next_pn;
+
+ tx_sa->next_pn++;
+ if (tx_sa->next_pn == 0) {
+ pr_debug("PN wrapped, transitionning to !oper\n");
+ tx_sa->active = false;
+ if (secy->protect_frames)
+ secy->operational = false;
+ }
+ spin_unlock_bh(&tx_sa->lock);
+
+ return pn;
+}
+
+static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev)
+{
+ struct macsec_dev *macsec = netdev_priv(dev);
+
+ skb->dev = macsec->real_dev;
+ skb_reset_mac_header(skb);
+ skb->protocol = eth_hdr(skb)->h_proto;
+}
+
+static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc,
+ struct macsec_tx_sa *tx_sa)
+{
+ struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats);
+
+ u64_stats_update_begin(&txsc_stats->syncp);
+ if (tx_sc->encrypt) {
+ txsc_stats->stats.OutOctetsEncrypted += skb->len;
+ txsc_stats->stats.OutPktsEncrypted++;
+ this_cpu_inc(tx_sa->stats->OutPktsEncrypted);
+ } else {
+ txsc_stats->stats.OutOctetsProtected += skb->len;
+ txsc_stats->stats.OutPktsProtected++;
+ this_cpu_inc(tx_sa->stats->OutPktsProtected);
+ }
+ u64_stats_update_end(&txsc_stats->syncp);
+}
+
+static void count_tx(struct net_device *dev, int ret, int len)
+{
+ if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
+ struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
+
+ u64_stats_update_begin(&stats->syncp);
+ stats->tx_packets++;
+ stats->tx_bytes += len;
+ u64_stats_update_end(&stats->syncp);
+ } else {
+ dev->stats.tx_dropped++;
+ }
+}
+
+static void macsec_encrypt_done(struct crypto_async_request *base, int err)
+{
+ struct sk_buff *skb = base->data;
+ struct net_device *dev = skb->dev;
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct macsec_tx_sa *sa = macsec_skb_cb(skb)->tx_sa;
+ int len, ret;
+
+ aead_request_free(macsec_skb_cb(skb)->req);
+
+ rcu_read_lock_bh();
+ macsec_encrypt_finish(skb, dev);
+ macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
+ len = skb->len;
+ ret = dev_queue_xmit(skb);
+ count_tx(dev, ret, len);
+ rcu_read_unlock_bh();
+
+ macsec_txsa_put(sa);
+ dev_put(dev);
+}
+
+static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
+ struct net_device *dev)
+{
+ int ret;
+ struct scatterlist sg[MAX_SKB_FRAGS + 1];
+ unsigned char iv[GCM_AES_IV_LEN];
+ struct ethhdr *eth;
+ struct macsec_eth_header *hh;
+ size_t unprotected_len;
+ struct aead_request *req;
+ struct macsec_secy *secy;
+ struct macsec_tx_sc *tx_sc;
+ struct macsec_tx_sa *tx_sa;
+ struct macsec_dev *macsec = macsec_priv(dev);
+ u32 pn;
+
+ secy = &macsec->secy;
+ tx_sc = &secy->tx_sc;
+
+ /* 10.5.1 TX SA assignment */
+ tx_sa = macsec_txsa_get(tx_sc->sa[tx_sc->encoding_sa]);
+ if (!tx_sa) {
+ secy->operational = false;
+ kfree_skb(skb);
+ return ERR_PTR(-EINVAL);
+ }
+
+ if (unlikely(skb_headroom(skb) < MACSEC_NEEDED_HEADROOM ||
+ skb_tailroom(skb) < MACSEC_NEEDED_TAILROOM)) {
+ struct sk_buff *nskb = skb_copy_expand(skb,
+ MACSEC_NEEDED_HEADROOM,
+ MACSEC_NEEDED_TAILROOM,
+ GFP_ATOMIC);
+ if (likely(nskb)) {
+ consume_skb(skb);
+ skb = nskb;
+ } else {
+ macsec_txsa_put(tx_sa);
+ kfree_skb(skb);
+ return ERR_PTR(-ENOMEM);
+ }
+ } else {
+ skb = skb_unshare(skb, GFP_ATOMIC);
+ if (!skb) {
+ macsec_txsa_put(tx_sa);
+ return ERR_PTR(-ENOMEM);
+ }
+ }
+
+ unprotected_len = skb->len;
+ eth = eth_hdr(skb);
+ hh = (struct macsec_eth_header *)skb_push(skb, macsec_extra_len(tx_sc->send_sci));
+ memmove(hh, eth, 2 * ETH_ALEN);
+
+ pn = tx_sa_update_pn(tx_sa, secy);
+ if (pn == 0) {
+ macsec_txsa_put(tx_sa);
+ kfree_skb(skb);
+ return ERR_PTR(-ENOLINK);
+ }
+ macsec_fill_sectag(hh, secy, pn);
+ macsec_set_shortlen(hh, unprotected_len - 2 * ETH_ALEN);
+
+ macsec_fill_iv(iv, secy->sci, pn);
+
+ skb_put(skb, secy->icv_len);
+
+ if (skb->len - ETH_HLEN > macsec_priv(dev)->real_dev->mtu) {
+ struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
+
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.OutPktsTooLong++;
+ u64_stats_update_end(&secy_stats->syncp);
+
+ macsec_txsa_put(tx_sa);
+ kfree_skb(skb);
+ return ERR_PTR(-EINVAL);
+ }
+
+ req = aead_request_alloc(tx_sa->key.tfm, GFP_ATOMIC);
+ if (!req) {
+ macsec_txsa_put(tx_sa);
+ kfree_skb(skb);
+ return ERR_PTR(-ENOMEM);
+ }
+
+ sg_init_table(sg, MAX_SKB_FRAGS + 1);
+ skb_to_sgvec(skb, sg, 0, skb->len);
+
+ if (tx_sc->encrypt) {
+ int len = skb->len - macsec_hdr_len(tx_sc->send_sci) -
+ secy->icv_len;
+ aead_request_set_crypt(req, sg, sg, len, iv);
+ aead_request_set_ad(req, macsec_hdr_len(tx_sc->send_sci));
+ } else {
+ aead_request_set_crypt(req, sg, sg, 0, iv);
+ aead_request_set_ad(req, skb->len - secy->icv_len);
+ }
+
+ macsec_skb_cb(skb)->req = req;
+ macsec_skb_cb(skb)->tx_sa = tx_sa;
+ aead_request_set_callback(req, 0, macsec_encrypt_done, skb);
+
+ dev_hold(skb->dev);
+ ret = crypto_aead_encrypt(req);
+ if (ret == -EINPROGRESS) {
+ return ERR_PTR(ret);
+ } else if (ret != 0) {
+ dev_put(skb->dev);
+ kfree_skb(skb);
+ aead_request_free(req);
+ macsec_txsa_put(tx_sa);
+ return ERR_PTR(-EINVAL);
+ }
+
+ dev_put(skb->dev);
+ aead_request_free(req);
+ macsec_txsa_put(tx_sa);
+
+ return skb;
+}
+
+static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u32 pn)
+{
+ struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
+ struct pcpu_rx_sc_stats *rxsc_stats = this_cpu_ptr(rx_sa->sc->stats);
+ struct macsec_eth_header *hdr = macsec_ethhdr(skb);
+ u32 lowest_pn = 0;
+
+ spin_lock(&rx_sa->lock);
+ if (rx_sa->next_pn >= secy->replay_window)
+ lowest_pn = rx_sa->next_pn - secy->replay_window;
+
+ /* Now perform replay protection check again
+ * (see IEEE 802.1AE-2006 figure 10-5)
+ */
+ if (secy->replay_protect && pn < lowest_pn) {
+ spin_unlock(&rx_sa->lock);
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsLate++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ return false;
+ }
+
+ if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) {
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ if (hdr->tci_an & MACSEC_TCI_E)
+ rxsc_stats->stats.InOctetsDecrypted += skb->len;
+ else
+ rxsc_stats->stats.InOctetsValidated += skb->len;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ }
+
+ if (!macsec_skb_cb(skb)->valid) {
+ spin_unlock(&rx_sa->lock);
+
+ /* 10.6.5 */
+ if (hdr->tci_an & MACSEC_TCI_C ||
+ secy->validate_frames == MACSEC_VALIDATE_STRICT) {
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsNotValid++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ return false;
+ }
+
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ if (secy->validate_frames == MACSEC_VALIDATE_CHECK) {
+ rxsc_stats->stats.InPktsInvalid++;
+ this_cpu_inc(rx_sa->stats->InPktsInvalid);
+ } else if (pn < lowest_pn) {
+ rxsc_stats->stats.InPktsDelayed++;
+ } else {
+ rxsc_stats->stats.InPktsUnchecked++;
+ }
+ u64_stats_update_end(&rxsc_stats->syncp);
+ } else {
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ if (pn < lowest_pn) {
+ rxsc_stats->stats.InPktsDelayed++;
+ } else {
+ rxsc_stats->stats.InPktsOK++;
+ this_cpu_inc(rx_sa->stats->InPktsOK);
+ }
+ u64_stats_update_end(&rxsc_stats->syncp);
+
+ if (pn >= rx_sa->next_pn)
+ rx_sa->next_pn = pn + 1;
+ spin_unlock(&rx_sa->lock);
+ }
+
+ return true;
+}
+
+static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev)
+{
+ skb->pkt_type = PACKET_HOST;
+ skb->protocol = eth_type_trans(skb, dev);
+
+ skb_reset_network_header(skb);
+ if (!skb_transport_header_was_set(skb))
+ skb_reset_transport_header(skb);
+ skb_reset_mac_len(skb);
+}
+
+static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
+{
+ memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
+ skb_pull(skb, hdr_len);
+ pskb_trim_unique(skb, skb->len - icv_len);
+}
+
+static void count_rx(struct net_device *dev, int len)
+{
+ struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
+
+ u64_stats_update_begin(&stats->syncp);
+ stats->rx_packets++;
+ stats->rx_bytes += len;
+ u64_stats_update_end(&stats->syncp);
+}
+
+static void macsec_decrypt_done(struct crypto_async_request *base, int err)
+{
+ struct sk_buff *skb = base->data;
+ struct net_device *dev = skb->dev;
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
+ int len, ret;
+ u32 pn;
+
+ aead_request_free(macsec_skb_cb(skb)->req);
+
+ rcu_read_lock_bh();
+ pn = ntohl(macsec_ethhdr(skb)->packet_number);
+ if (!macsec_post_decrypt(skb, &macsec->secy, pn)) {
+ rcu_read_unlock_bh();
+ kfree_skb(skb);
+ goto out;
+ }
+
+ macsec_finalize_skb(skb, macsec->secy.icv_len,
+ macsec_extra_len(macsec_skb_cb(skb)->has_sci));
+ macsec_reset_skb(skb, macsec->secy.netdev);
+
+ len = skb->len;
+ ret = netif_rx(skb);
+ if (ret == NET_RX_SUCCESS)
+ count_rx(dev, len);
+ else
+ macsec->secy.netdev->stats.rx_dropped++;
+
+ rcu_read_unlock_bh();
+
+out:
+ macsec_rxsa_put(rx_sa);
+ dev_put(dev);
+ return;
+}
+
+static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
+ struct net_device *dev,
+ struct macsec_rx_sa *rx_sa,
+ sci_t sci,
+ struct macsec_secy *secy)
+{
+ int ret;
+ struct scatterlist sg[MAX_SKB_FRAGS + 1];
+ unsigned char iv[GCM_AES_IV_LEN];
+ struct aead_request *req;
+ struct macsec_eth_header *hdr;
+ u16 icv_len = secy->icv_len;
+
+ macsec_skb_cb(skb)->valid = 0;
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (!skb)
+ return NULL;
+
+ req = aead_request_alloc(rx_sa->key.tfm, GFP_ATOMIC);
+ if (!req) {
+ kfree_skb(skb);
+ return NULL;
+ }
+
+ hdr = (struct macsec_eth_header *)skb->data;
+ macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
+
+ sg_init_table(sg, MAX_SKB_FRAGS + 1);
+ skb_to_sgvec(skb, sg, 0, skb->len);
+
+ if (hdr->tci_an & MACSEC_TCI_E) {
+ /* confidentiality: ethernet + macsec header
+ * authenticated, encrypted payload
+ */
+ int len = skb->len - macsec_hdr_len(macsec_skb_cb(skb)->has_sci);
+
+ aead_request_set_crypt(req, sg, sg, len, iv);
+ aead_request_set_ad(req, macsec_hdr_len(macsec_skb_cb(skb)->has_sci));
+ skb = skb_unshare(skb, GFP_ATOMIC);
+ if (!skb) {
+ aead_request_free(req);
+ return NULL;
+ }
+ } else {
+ /* integrity only: all headers + data authenticated */
+ aead_request_set_crypt(req, sg, sg, icv_len, iv);
+ aead_request_set_ad(req, skb->len - icv_len);
+ }
+
+ macsec_skb_cb(skb)->req = req;
+ macsec_skb_cb(skb)->rx_sa = rx_sa;
+ skb->dev = dev;
+ aead_request_set_callback(req, 0, macsec_decrypt_done, skb);
+
+ dev_hold(dev);
+ ret = crypto_aead_decrypt(req);
+ if (ret == -EINPROGRESS) {
+ return NULL;
+ } else if (ret != 0) {
+ /* decryption/authentication failed
+ * 10.6 if validateFrames is disabled, deliver anyway
+ */
+ if (ret != -EBADMSG) {
+ kfree_skb(skb);
+ skb = NULL;
+ }
+ } else {
+ macsec_skb_cb(skb)->valid = 1;
+ }
+ dev_put(dev);
+
+ aead_request_free(req);
+
+ return skb;
+}
+
+static struct macsec_rx_sc *find_rx_sc(struct macsec_secy *secy, sci_t sci)
+{
+ struct macsec_rx_sc *rx_sc;
+
+ for_each_rxsc(secy, rx_sc) {
+ if (rx_sc->sci == sci)
+ return rx_sc;
+ }
+
+ return NULL;
+}
+
+static struct macsec_rx_sc *find_rx_sc_rtnl(struct macsec_secy *secy, sci_t sci)
+{
+ struct macsec_rx_sc *rx_sc;
+
+ for_each_rxsc_rtnl(secy, rx_sc) {
+ if (rx_sc->sci == sci)
+ return rx_sc;
+ }
+
+ return NULL;
+}
+
+static void handle_not_macsec(struct sk_buff *skb)
+{
+ struct macsec_rxh_data *rxd;
+ struct macsec_dev *macsec;
+
+ rcu_read_lock_bh();
+ rxd = macsec_data_rcu(skb->dev);
+
+ /* 10.6 If the management control validateFrames is not
+ * Strict, frames without a SecTAG are received, counted, and
+ * delivered to the Controlled Port
+ */
+ list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
+ struct sk_buff *nskb;
+ int ret;
+ struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
+
+ if (macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.InPktsNoTag++;
+ u64_stats_update_end(&secy_stats->syncp);
+ continue;
+ }
+
+ /* deliver on this port */
+ nskb = skb_clone(skb, GFP_ATOMIC);
+ if (!nskb)
+ break;
+
+ nskb->dev = macsec->secy.netdev;
+
+ ret = netif_rx(nskb);
+ if (ret == NET_RX_SUCCESS) {
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.InPktsUntagged++;
+ u64_stats_update_end(&secy_stats->syncp);
+ } else {
+ macsec->secy.netdev->stats.rx_dropped++;
+ }
+ }
+
+ rcu_read_unlock_bh();
+}
+
+static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
+{
+ struct sk_buff *skb = *pskb;
+ struct net_device *dev = skb->dev;
+ struct macsec_eth_header *hdr;
+ struct macsec_secy *secy = NULL;
+ struct macsec_rx_sc *rx_sc;
+ struct macsec_rx_sa *rx_sa;
+ struct macsec_rxh_data *rxd;
+ struct macsec_dev *macsec;
+ sci_t sci;
+ u32 pn;
+ bool cbit;
+ struct pcpu_rx_sc_stats *rxsc_stats;
+ struct pcpu_secy_stats *secy_stats;
+ bool pulled_sci;
+
+ if (skb_headroom(skb) < ETH_HLEN)
+ goto drop_direct;
+
+ hdr = macsec_ethhdr(skb);
+ if (hdr->eth.h_proto != htons(ETH_P_MACSEC)) {
+ handle_not_macsec(skb);
+
+ /* and deliver to the uncontrolled port */
+ return RX_HANDLER_PASS;
+ }
+
+ skb = skb_unshare(skb, GFP_ATOMIC);
+ if (!skb) {
+ *pskb = NULL;
+ return RX_HANDLER_CONSUMED;
+ }
+
+ pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
+ if (!pulled_sci) {
+ if (!pskb_may_pull(skb, macsec_extra_len(false)))
+ goto drop_direct;
+ }
+
+ hdr = macsec_ethhdr(skb);
+
+ /* Frames with a SecTAG that has the TCI E bit set but the C
+ * bit clear are discarded, as this reserved encoding is used
+ * to identify frames with a SecTAG that are not to be
+ * delivered to the Controlled Port.
+ */
+ if ((hdr->tci_an & (MACSEC_TCI_C | MACSEC_TCI_E)) == MACSEC_TCI_E)
+ return RX_HANDLER_PASS;
+
+ /* now, pull the extra length */
+ if (hdr->tci_an & MACSEC_TCI_SC) {
+ if (!pulled_sci)
+ goto drop_direct;
+ }
+
+ /* ethernet header is part of crypto processing */
+ skb_push(skb, ETH_HLEN);
+
+ macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC);
+ macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK;
+ sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci);
+
+ rcu_read_lock_bh();
+ rxd = macsec_data_rcu(skb->dev);
+
+ list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
+ struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
+
+ if (sc) {
+ secy = &macsec->secy;
+ rx_sc = sc;
+ break;
+ }
+ }
+
+ if (!secy)
+ goto nosci;
+
+ dev = secy->netdev;
+ macsec = macsec_priv(dev);
+ secy_stats = this_cpu_ptr(macsec->stats);
+ rxsc_stats = this_cpu_ptr(rx_sc->stats);
+
+ if (!macsec_validate_skb(skb, secy->icv_len)) {
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.InPktsBadTag++;
+ u64_stats_update_end(&secy_stats->syncp);
+ goto drop_nosa;
+ }
+
+ rx_sa = macsec_rxsa_get(rx_sc->sa[macsec_skb_cb(skb)->assoc_num]);
+ if (!rx_sa) {
+ /* 10.6.1 if the SA is not in use */
+
+ /* If validateFrames is Strict or the C bit in the
+ * SecTAG is set, discard
+ */
+ if (hdr->tci_an & MACSEC_TCI_C ||
+ secy->validate_frames == MACSEC_VALIDATE_STRICT) {
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsNotUsingSA++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ goto drop_nosa;
+ }
+
+ /* not Strict, the frame (with the SecTAG and ICV
+ * removed) is delivered to the Controlled Port.
+ */
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsUnusedSA++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ goto deliver;
+ }
+
+ /* First, PN check to avoid decrypting obviously wrong packets */
+ pn = ntohl(hdr->packet_number);
+ if (secy->replay_protect) {
+ bool late;
+
+ spin_lock(&rx_sa->lock);
+ late = rx_sa->next_pn >= secy->replay_window &&
+ pn < (rx_sa->next_pn - secy->replay_window);
+ spin_unlock(&rx_sa->lock);
+
+ if (late) {
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsLate++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ goto drop;
+ }
+ }
+
+ /* Disabled && !changed text => skip validation */
+ if (hdr->tci_an & MACSEC_TCI_C ||
+ secy->validate_frames != MACSEC_VALIDATE_DISABLED)
+ skb = macsec_decrypt(skb, dev, rx_sa, sci, secy);
+
+ if (!skb) {
+ macsec_rxsa_put(rx_sa);
+ rcu_read_unlock_bh();
+ *pskb = NULL;
+ return RX_HANDLER_CONSUMED;
+ }
+
+ if (!macsec_post_decrypt(skb, secy, pn))
+ goto drop;
+
+deliver:
+ macsec_finalize_skb(skb, secy->icv_len,
+ macsec_extra_len(macsec_skb_cb(skb)->has_sci));
+ macsec_reset_skb(skb, secy->netdev);
+
+ macsec_rxsa_put(rx_sa);
+ count_rx(dev, skb->len);
+
+ rcu_read_unlock_bh();
+
+ *pskb = skb;
+ return RX_HANDLER_ANOTHER;
+
+drop:
+ macsec_rxsa_put(rx_sa);
+drop_nosa:
+ rcu_read_unlock_bh();
+drop_direct:
+ kfree_skb(skb);
+ *pskb = NULL;
+ return RX_HANDLER_CONSUMED;
+
+nosci:
+ /* 10.6.1 if the SC is not found */
+ cbit = !!(hdr->tci_an & MACSEC_TCI_C);
+ if (!cbit)
+ macsec_finalize_skb(skb, DEFAULT_ICV_LEN,
+ macsec_extra_len(macsec_skb_cb(skb)->has_sci));
+
+ list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
+ struct sk_buff *nskb;
+ int ret;
+
+ secy_stats = this_cpu_ptr(macsec->stats);
+
+ /* If validateFrames is Strict or the C bit in the
+ * SecTAG is set, discard
+ */
+ if (cbit ||
+ macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.InPktsNoSCI++;
+ u64_stats_update_end(&secy_stats->syncp);
+ continue;
+ }
+
+ /* not strict, the frame (with the SecTAG and ICV
+ * removed) is delivered to the Controlled Port.
+ */
+ nskb = skb_clone(skb, GFP_ATOMIC);
+ if (!nskb)
+ break;
+
+ macsec_reset_skb(nskb, macsec->secy.netdev);
+
+ ret = netif_rx(nskb);
+ if (ret == NET_RX_SUCCESS) {
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.InPktsUnknownSCI++;
+ u64_stats_update_end(&secy_stats->syncp);
+ } else {
+ macsec->secy.netdev->stats.rx_dropped++;
+ }
+ }
+
+ rcu_read_unlock_bh();
+ *pskb = skb;
+ return RX_HANDLER_PASS;
+}
+
+static struct crypto_aead *macsec_alloc_tfm(char *key, int key_len, int icv_len)
+{
+ struct crypto_aead *tfm;
+ int ret;
+
+ tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
+ if (!tfm || IS_ERR(tfm))
+ return NULL;
+
+ ret = crypto_aead_setkey(tfm, key, key_len);
+ if (ret < 0) {
+ crypto_free_aead(tfm);
+ return NULL;
+ }
+
+ ret = crypto_aead_setauthsize(tfm, icv_len);
+ if (ret < 0) {
+ crypto_free_aead(tfm);
+ return NULL;
+ }
+
+ return tfm;
+}
+
+static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len,
+ int icv_len)
+{
+ rx_sa->stats = alloc_percpu(struct macsec_rx_sa_stats);
+ if (!rx_sa->stats)
+ return -1;
+
+ rx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
+ if (!rx_sa->key.tfm) {
+ free_percpu(rx_sa->stats);
+ return -1;
+ }
+
+ rx_sa->active = false;
+ rx_sa->next_pn = 1;
+ atomic_set(&rx_sa->refcnt, 1);
+ spin_lock_init(&rx_sa->lock);
+
+ return 0;
+}
+
+static void clear_rx_sa(struct macsec_rx_sa *rx_sa)
+{
+ rx_sa->active = false;
+
+ macsec_rxsa_put(rx_sa);
+}
+
+static void free_rx_sc(struct macsec_rx_sc *rx_sc)
+{
+ int i;
+
+ for (i = 0; i < 4; i++) {
+ struct macsec_rx_sa *sa = rtnl_dereference(rx_sc->sa[i]);
+
+ RCU_INIT_POINTER(rx_sc->sa[i], NULL);
+ if (sa)
+ clear_rx_sa(sa);
+ }
+
+ macsec_rxsc_put(rx_sc);
+}
+
+static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci)
+{
+ struct macsec_rx_sc *rx_sc, __rcu **rx_scp;
+
+ for (rx_scp = &secy->rx_sc, rx_sc = rtnl_dereference(*rx_scp);
+ rx_sc;
+ rx_scp = &rx_sc->next, rx_sc = rtnl_dereference(*rx_scp)) {
+ if (rx_sc->sci == sci) {
+ if (rx_sc->active)
+ secy->n_rx_sc--;
+ rcu_assign_pointer(*rx_scp, rx_sc->next);
+ return rx_sc;
+ }
+ }
+
+ return NULL;
+}
+
+static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
+{
+ struct macsec_rx_sc *rx_sc;
+ struct macsec_dev *macsec;
+ struct net_device *real_dev = macsec_priv(dev)->real_dev;
+ struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
+ struct macsec_secy *secy;
+
+ list_for_each_entry(macsec, &rxd->secys, secys) {
+ if (find_rx_sc_rtnl(&macsec->secy, sci))
+ return ERR_PTR(-EEXIST);
+ }
+
+ rx_sc = kzalloc(sizeof(*rx_sc), GFP_KERNEL);
+ if (!rx_sc)
+ return ERR_PTR(-ENOMEM);
+
+ rx_sc->stats = netdev_alloc_pcpu_stats(struct pcpu_rx_sc_stats);
+ if (!rx_sc->stats) {
+ kfree(rx_sc);
+ return ERR_PTR(-ENOMEM);
+ }
+
+ rx_sc->sci = sci;
+ rx_sc->active = true;
+ atomic_set(&rx_sc->refcnt, 1);
+
+ secy = &macsec_priv(dev)->secy;
+ rcu_assign_pointer(rx_sc->next, secy->rx_sc);
+ rcu_assign_pointer(secy->rx_sc, rx_sc);
+
+ if (rx_sc->active)
+ secy->n_rx_sc++;
+
+ return rx_sc;
+}
+
+static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len,
+ int icv_len)
+{
+ tx_sa->stats = alloc_percpu(struct macsec_tx_sa_stats);
+ if (!tx_sa->stats)
+ return -1;
+
+ tx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
+ if (!tx_sa->key.tfm) {
+ free_percpu(tx_sa->stats);
+ return -1;
+ }
+
+ tx_sa->active = false;
+ atomic_set(&tx_sa->refcnt, 1);
+ spin_lock_init(&tx_sa->lock);
+
+ return 0;
+}
+
+static void clear_tx_sa(struct macsec_tx_sa *tx_sa)
+{
+ tx_sa->active = false;
+
+ macsec_txsa_put(tx_sa);
+}
+
+static struct genl_family macsec_fam = {
+ .id = GENL_ID_GENERATE,
+ .name = MACSEC_GENL_NAME,
+ .hdrsize = 0,
+ .version = MACSEC_GENL_VERSION,
+ .maxattr = MACSEC_ATTR_MAX,
+ .netnsok = true,
+};
+
+static struct net_device *get_dev_from_nl(struct net *net,
+ struct nlattr **attrs)
+{
+ int ifindex = nla_get_u32(attrs[MACSEC_ATTR_IFINDEX]);
+ struct net_device *dev;
+
+ dev = __dev_get_by_index(net, ifindex);
+ if (!dev)
+ return ERR_PTR(-ENODEV);
+
+ if (!netif_is_macsec(dev))
+ return ERR_PTR(-ENODEV);
+
+ return dev;
+}
+
+static sci_t nla_get_sci(const struct nlattr *nla)
+{
+ return (__force sci_t)nla_get_u64(nla);
+}
+
+static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value)
+{
+ return nla_put_u64(skb, attrtype, (__force u64)value);
+}
+
+static struct macsec_tx_sa *get_txsa_from_nl(struct net *net,
+ struct nlattr **attrs,
+ struct net_device **devp,
+ struct macsec_secy **secyp,
+ struct macsec_tx_sc **scp,
+ u8 *assoc_num)
+{
+ struct net_device *dev;
+ struct macsec_secy *secy;
+ struct macsec_tx_sc *tx_sc;
+ struct macsec_tx_sa *tx_sa;
+
+ if (!attrs[MACSEC_ATTR_SA_AN])
+ return ERR_PTR(-EINVAL);
+
+ *assoc_num = nla_get_u8(attrs[MACSEC_ATTR_SA_AN]);
+
+ dev = get_dev_from_nl(net, attrs);
+ if (IS_ERR(dev))
+ return ERR_CAST(dev);
+
+ if (*assoc_num > 3)
+ return ERR_PTR(-EINVAL);
+
+ secy = &macsec_priv(dev)->secy;
+ tx_sc = &secy->tx_sc;
+
+ tx_sa = rtnl_dereference(tx_sc->sa[*assoc_num]);
+ if (!tx_sa)
+ return ERR_PTR(-ENODEV);
+
+ *devp = dev;
+ *scp = tx_sc;
+ *secyp = secy;
+ return tx_sa;
+}
+
+static struct macsec_rx_sc *get_rxsc_from_nl(struct net *net,
+ struct nlattr **attrs,
+ struct net_device **devp,
+ struct macsec_secy **secyp)
+{
+ struct net_device *dev;
+ struct macsec_secy *secy;
+ struct macsec_rx_sc *rx_sc;
+ sci_t sci;
+
+ dev = get_dev_from_nl(net, attrs);
+ if (IS_ERR(dev))
+ return ERR_CAST(dev);
+
+ secy = &macsec_priv(dev)->secy;
+
+ if (!attrs[MACSEC_ATTR_SCI])
+ return ERR_PTR(-EINVAL);
+
+ sci = nla_get_sci(attrs[MACSEC_ATTR_SCI]);
+ rx_sc = find_rx_sc_rtnl(secy, sci);
+ if (!rx_sc)
+ return ERR_PTR(-ENODEV);
+
+ *secyp = secy;
+ *devp = dev;
+
+ return rx_sc;
+}
+
+static struct macsec_rx_sa *get_rxsa_from_nl(struct net *net,
+ struct nlattr **attrs,
+ struct net_device **devp,
+ struct macsec_secy **secyp,
+ struct macsec_rx_sc **scp,
+ u8 *assoc_num)
+{
+ struct macsec_rx_sc *rx_sc;
+ struct macsec_rx_sa *rx_sa;
+
+ if (!attrs[MACSEC_ATTR_SA_AN])
+ return ERR_PTR(-EINVAL);
+
+ *assoc_num = nla_get_u8(attrs[MACSEC_ATTR_SA_AN]);
+ if (*assoc_num > 3)
+ return ERR_PTR(-EINVAL);
+
+ rx_sc = get_rxsc_from_nl(net, attrs, devp, secyp);
+ if (IS_ERR(rx_sc))
+ return ERR_CAST(rx_sc);
+
+ rx_sa = rtnl_dereference(rx_sc->sa[*assoc_num]);
+ if (!rx_sa)
+ return ERR_PTR(-ENODEV);
+
+ *scp = rx_sc;
+ return rx_sa;
+}
+
+static bool validate_add_rxsa(struct nlattr **attrs)
+{
+ if (!attrs[MACSEC_ATTR_IFINDEX] ||
+ !attrs[MACSEC_ATTR_SCI] ||
+ !attrs[MACSEC_ATTR_SA_AN] ||
+ !attrs[MACSEC_ATTR_SA_KEY] ||
+ !attrs[MACSEC_ATTR_SA_KEYID])
+ return false;
+
+ if (nla_get_u8(attrs[MACSEC_ATTR_SA_AN]) > 3)
+ return false;
+
+ if (attrs[MACSEC_ATTR_SA_PN] && nla_get_u32(attrs[MACSEC_ATTR_SA_PN]) == 0)
+ return false;
+
+ if (attrs[MACSEC_ATTR_SA_ACTIVE]) {
+ if (nla_get_u8(attrs[MACSEC_ATTR_SA_ACTIVE]) > 1)
+ return false;
+ }
+
+ return true;
+}
+
+static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
+{
+ struct net_device *dev;
+ struct nlattr **attrs = info->attrs;
+ struct macsec_secy *secy;
+ struct macsec_rx_sc *rx_sc;
+ struct macsec_rx_sa *rx_sa;
+ unsigned char assoc_num;
+
+ if (!validate_add_rxsa(attrs))
+ return -EINVAL;
+
+ rtnl_lock();
+ rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, &dev, &secy);
+ if (IS_ERR(rx_sc) || !macsec_rxsc_get(rx_sc)) {
+ rtnl_unlock();
+ return PTR_ERR(rx_sc);
+ }
+
+ assoc_num = nla_get_u8(attrs[MACSEC_ATTR_SA_AN]);
+
+ if (nla_len(attrs[MACSEC_ATTR_SA_KEY]) != secy->key_len) {
+ pr_notice("macsec: nl: add_rxsa: bad key length: %d != %d\n",
+ nla_len(attrs[MACSEC_ATTR_SA_KEY]), secy->key_len);
+ rtnl_unlock();
+ return -EINVAL;
+ }
+
+ rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]);
+ if (rx_sa) {
+ rtnl_unlock();
+ return -EBUSY;
+ }
+
+ rx_sa = kmalloc(sizeof(*rx_sa), GFP_KERNEL);
+ if (init_rx_sa(rx_sa, nla_data(attrs[MACSEC_ATTR_SA_KEY]), secy->key_len,
+ secy->icv_len)) {
+ rtnl_unlock();
+ return -ENOMEM;
+ }
+
+ if (attrs[MACSEC_ATTR_SA_PN]) {
+ spin_lock_bh(&rx_sa->lock);
+ rx_sa->next_pn = nla_get_u32(attrs[MACSEC_ATTR_SA_PN]);
+ spin_unlock_bh(&rx_sa->lock);
+ }
+
+ if (attrs[MACSEC_ATTR_SA_ACTIVE])
+ rx_sa->active = !!nla_get_u8(attrs[MACSEC_ATTR_SA_ACTIVE]);
+
+ rx_sa->key.id = nla_get_u64(attrs[MACSEC_ATTR_SA_KEYID]);
+ rx_sa->sc = rx_sc;
+ rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
+
+ rtnl_unlock();
+
+ return 0;
+}
+
+static bool validate_add_rxsc(struct nlattr **attrs)
+{
+ if (!attrs[MACSEC_ATTR_SC_IFINDEX] ||
+ !attrs[MACSEC_ATTR_SC_SCI])
+ return false;
+
+ if (attrs[MACSEC_ATTR_SC_ACTIVE]) {
+ if (nla_get_u8(attrs[MACSEC_ATTR_SC_ACTIVE]) > 1)
+ return false;
+ }
+
+ return true;
+}
+
+static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
+{
+ struct net_device *dev;
+ sci_t sci = MACSEC_UNDEF_SCI;
+ struct nlattr **attrs = info->attrs;
+ struct macsec_rx_sc *rx_sc;
+
+ if (!validate_add_rxsc(attrs))
+ return -EINVAL;
+
+ rtnl_lock();
+ dev = get_dev_from_nl(genl_info_net(info), attrs);
+ if (IS_ERR(dev)) {
+ rtnl_unlock();
+ return PTR_ERR(dev);
+ }
+
+ sci = nla_get_sci(attrs[MACSEC_ATTR_SC_SCI]);
+
+ rx_sc = create_rx_sc(dev, sci);
+ if (IS_ERR(rx_sc)) {
+ rtnl_unlock();
+ return PTR_ERR(rx_sc);
+ }
+
+ if (attrs[MACSEC_ATTR_SC_ACTIVE])
+ rx_sc->active = !!nla_get_u8(attrs[MACSEC_ATTR_SC_ACTIVE]);
+
+ rtnl_unlock();
+
+ return 0;
+}
+
+static bool validate_add_txsa(struct nlattr **attrs)
+{
+ if (!attrs[MACSEC_ATTR_IFINDEX] ||
+ !attrs[MACSEC_ATTR_SA_AN] ||
+ !attrs[MACSEC_ATTR_SA_PN] ||
+ !attrs[MACSEC_ATTR_SA_KEY] ||
+ !attrs[MACSEC_ATTR_SA_KEYID])
+ return false;
+
+ if (nla_get_u8(attrs[MACSEC_ATTR_SA_AN]) > 3)
+ return false;
+
+ if (nla_get_u32(attrs[MACSEC_ATTR_SA_PN]) == 0)
+ return false;
+
+ if (attrs[MACSEC_ATTR_SA_ACTIVE]) {
+ if (nla_get_u8(attrs[MACSEC_ATTR_SA_ACTIVE]) > 1)
+ return false;
+ }
+
+ return true;
+}
+
+static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
+{
+ struct net_device *dev;
+ struct nlattr **attrs = info->attrs;
+ struct macsec_secy *secy;
+ struct macsec_tx_sc *tx_sc;
+ struct macsec_tx_sa *tx_sa;
+ unsigned char assoc_num;
+
+ if (!validate_add_txsa(attrs))
+ return -EINVAL;
+
+ rtnl_lock();
+ dev = get_dev_from_nl(genl_info_net(info), attrs);
+ if (IS_ERR(dev)) {
+ rtnl_unlock();
+ return PTR_ERR(dev);
+ }
+
+ secy = &macsec_priv(dev)->secy;
+ tx_sc = &secy->tx_sc;
+
+ assoc_num = nla_get_u8(attrs[MACSEC_ATTR_SA_AN]);
+
+ if (nla_len(attrs[MACSEC_ATTR_SA_KEY]) != secy->key_len) {
+ pr_notice("macsec: nl: add_txsa: bad key length: %d != %d\n",
+ nla_len(attrs[MACSEC_ATTR_SA_KEY]), secy->key_len);
+ rtnl_unlock();
+ return -EINVAL;
+ }
+
+ tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]);
+ if (tx_sa) {
+ rtnl_unlock();
+ return -EBUSY;
+ }
+
+ tx_sa = kmalloc(sizeof(*tx_sa), GFP_KERNEL);
+ if (!tx_sa || init_tx_sa(tx_sa, nla_data(attrs[MACSEC_ATTR_SA_KEY]),
+ secy->key_len, secy->icv_len)) {
+ rtnl_unlock();
+ return -ENOMEM;
+ }
+
+ tx_sa->key.id = nla_get_u64(attrs[MACSEC_ATTR_SA_KEYID]);
+
+ spin_lock_bh(&tx_sa->lock);
+ tx_sa->next_pn = nla_get_u32(attrs[MACSEC_ATTR_SA_PN]);
+ spin_unlock_bh(&tx_sa->lock);
+
+ if (attrs[MACSEC_ATTR_SA_ACTIVE])
+ tx_sa->active = !!nla_get_u8(attrs[MACSEC_ATTR_SA_ACTIVE]);
+
+ if (assoc_num == tx_sc->encoding_sa && tx_sa->active)
+ secy->operational = true;
+
+ rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa);
+
+ rtnl_unlock();
+
+ return 0;
+}
+
+static int macsec_del_rxsa(struct sk_buff *skb, struct genl_info *info)
+{
+ struct net_device *dev;
+ struct macsec_secy *secy;
+ struct macsec_rx_sc *rx_sc;
+ struct macsec_rx_sa *rx_sa;
+ u8 assoc_num;
+
+ rtnl_lock();
+ rx_sa = get_rxsa_from_nl(genl_info_net(info), info->attrs, &dev, &secy,
+ &rx_sc, &assoc_num);
+ if (IS_ERR(rx_sa)) {
+ rtnl_unlock();
+ return PTR_ERR(rx_sa);
+ }
+
+ if (rx_sa->active) {
+ rtnl_unlock();
+ return -EBUSY;
+ }
+
+ RCU_INIT_POINTER(rx_sc->sa[assoc_num], NULL);
+ clear_rx_sa(rx_sa);
+
+ rtnl_unlock();
+
+ return 0;
+}
+
+static bool validate_del_rxsc(struct nlattr **attrs)
+{
+ return attrs[MACSEC_ATTR_SC_IFINDEX] && attrs[MACSEC_ATTR_SC_SCI];
+}
+
+static int macsec_del_rxsc(struct sk_buff *skb, struct genl_info *info)
+{
+ struct net_device *dev;
+ struct macsec_secy *secy;
+ struct macsec_rx_sc *rx_sc;
+ sci_t sci;
+
+ if (!validate_del_rxsc(info->attrs))
+ return -EINVAL;
+
+ rtnl_lock();
+ dev = get_dev_from_nl(genl_info_net(info), info->attrs);
+ if (IS_ERR(dev)) {
+ rtnl_unlock();
+ return PTR_ERR(dev);
+ }
+
+ secy = &macsec_priv(dev)->secy;
+ sci = nla_get_sci(info->attrs[MACSEC_ATTR_SC_SCI]);
+
+ rx_sc = del_rx_sc(secy, sci);
+ if (!rx_sc) {
+ rtnl_unlock();
+ return -ENODEV;
+ }
+
+ free_rx_sc(rx_sc);
+ rtnl_unlock();
+
+ return 0;
+}
+
+static int macsec_del_txsa(struct sk_buff *skb, struct genl_info *info)
+{
+ struct net_device *dev;
+ struct macsec_secy *secy;
+ struct macsec_tx_sc *tx_sc;
+ struct macsec_tx_sa *tx_sa;
+ u8 assoc_num;
+
+ rtnl_lock();
+ tx_sa = get_txsa_from_nl(genl_info_net(info), info->attrs, &dev, &secy,
+ &tx_sc, &assoc_num);
+ if (IS_ERR(tx_sa)) {
+ rtnl_unlock();
+ return PTR_ERR(tx_sa);
+ }
+
+ if (tx_sa->active) {
+ rtnl_unlock();
+ return -EBUSY;
+ }
+
+ RCU_INIT_POINTER(tx_sc->sa[assoc_num], NULL);
+ clear_tx_sa(tx_sa);
+
+ rtnl_unlock();
+
+ return 0;
+}
+
+static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
+{
+ struct nlattr **attrs = info->attrs;
+ struct net_device *dev;
+ struct macsec_secy *secy;
+ struct macsec_tx_sc *tx_sc;
+ struct macsec_tx_sa *tx_sa;
+ u8 assoc_num;
+
+ rtnl_lock();
+ tx_sa = get_txsa_from_nl(genl_info_net(info), info->attrs, &dev, &secy,
+ &tx_sc, &assoc_num);
+ if (IS_ERR(tx_sa)) {
+ rtnl_unlock();
+ return PTR_ERR(tx_sa);
+ }
+
+ if (attrs[MACSEC_ATTR_SA_PN]) {
+ spin_lock_bh(&tx_sa->lock);
+ tx_sa->next_pn = nla_get_u32(attrs[MACSEC_ATTR_SA_PN]);
+ spin_unlock_bh(&tx_sa->lock);
+ }
+
+ if (attrs[MACSEC_ATTR_SA_ACTIVE])
+ tx_sa->active = nla_get_u8(attrs[MACSEC_ATTR_SA_ACTIVE]);
+
+ if (assoc_num == tx_sc->encoding_sa)
+ secy->operational = tx_sa->active;
+
+ rtnl_unlock();
+
+ return 0;
+}
+
+static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
+{
+ struct nlattr **attrs = info->attrs;
+ struct net_device *dev;
+ struct macsec_secy *secy;
+ struct macsec_rx_sc *rx_sc;
+ struct macsec_rx_sa *rx_sa;
+ u8 assoc_num;
+
+ rtnl_lock();
+ rx_sa = get_rxsa_from_nl(genl_info_net(info), info->attrs, &dev, &secy,
+ &rx_sc, &assoc_num);
+ if (IS_ERR(rx_sa)) {
+ rtnl_unlock();
+ return PTR_ERR(rx_sa);
+ }
+
+ if (attrs[MACSEC_ATTR_SA_PN]) {
+ spin_lock_bh(&rx_sa->lock);
+ rx_sa->next_pn = nla_get_u32(attrs[MACSEC_ATTR_SA_PN]);
+ spin_unlock_bh(&rx_sa->lock);
+ }
+
+ if (attrs[MACSEC_ATTR_SA_ACTIVE])
+ rx_sa->active = nla_get_u8(attrs[MACSEC_ATTR_SA_ACTIVE]);
+
+ rtnl_unlock();
+ return 0;
+}
+
+static int macsec_upd_rxsc(struct sk_buff *skb, struct genl_info *info)
+{
+ struct nlattr **attrs = info->attrs;
+ struct net_device *dev;
+ struct macsec_secy *secy;
+ struct macsec_rx_sc *rx_sc;
+
+ if (!validate_del_rxsc(info->attrs))
+ return -EINVAL;
+
+ rtnl_lock();
+ rx_sc = get_rxsc_from_nl(genl_info_net(info), info->attrs, &dev, &secy);
+ if (IS_ERR(rx_sc)) {
+ rtnl_unlock();
+ return PTR_ERR(rx_sc);
+ }
+
+ if (attrs[MACSEC_ATTR_SC_ACTIVE]) {
+ bool new = !!nla_get_u8(attrs[MACSEC_ATTR_SC_ACTIVE]);
+
+ if (rx_sc->active != new)
+ secy->n_rx_sc += new ? 1 : -1;
+
+ rx_sc->active = new;
+ }
+
+ rtnl_unlock();
+
+ return 0;
+}
+
+static void copy_tx_sa_stats(struct macsec_tx_sa_stats *sum,
+ struct macsec_tx_sa_stats __percpu *pstats)
+{
+ int cpu;
+
+ memset(sum, 0, sizeof(*sum));
+ for_each_possible_cpu(cpu) {
+ const struct macsec_tx_sa_stats *stats = per_cpu_ptr(pstats, cpu);
+
+ sum->OutPktsProtected += stats->OutPktsProtected;
+ sum->OutPktsEncrypted += stats->OutPktsEncrypted;
+ }
+}
+
+static void copy_rx_sa_stats(struct macsec_rx_sa_stats *sum,
+ struct macsec_rx_sa_stats __percpu *pstats)
+{
+ int cpu;
+
+ memset(sum, 0, sizeof(*sum));
+ for_each_possible_cpu(cpu) {
+ const struct macsec_rx_sa_stats *stats = per_cpu_ptr(pstats, cpu);
+
+ sum->InPktsOK += stats->InPktsOK;
+ sum->InPktsInvalid += stats->InPktsInvalid;
+ sum->InPktsNotValid += stats->InPktsNotValid;
+ sum->InPktsNotUsingSA += stats->InPktsNotUsingSA;
+ sum->InPktsUnusedSA += stats->InPktsUnusedSA;
+ }
+}
+
+static void copy_rx_sc_stats(struct macsec_rx_sc_stats *sum,
+ struct pcpu_rx_sc_stats __percpu *pstats)
+{
+ int cpu;
+
+ memset(sum, 0, sizeof(*sum));
+ for_each_possible_cpu(cpu) {
+ const struct pcpu_rx_sc_stats *stats;
+ struct macsec_rx_sc_stats tmp;
+ unsigned int start;
+
+ stats = per_cpu_ptr(pstats, cpu);
+ do {
+ start = u64_stats_fetch_begin_irq(&stats->syncp);
+ memcpy(&tmp, &stats->stats, sizeof(tmp));
+ } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
+
+ sum->InOctetsValidated += tmp.InOctetsValidated;
+ sum->InOctetsDecrypted += tmp.InOctetsDecrypted;
+ sum->InPktsUnchecked += tmp.InPktsUnchecked;
+ sum->InPktsDelayed += tmp.InPktsDelayed;
+ sum->InPktsOK += tmp.InPktsOK;
+ sum->InPktsInvalid += tmp.InPktsInvalid;
+ sum->InPktsLate += tmp.InPktsLate;
+ sum->InPktsNotValid += tmp.InPktsNotValid;
+ sum->InPktsNotUsingSA += tmp.InPktsNotUsingSA;
+ sum->InPktsUnusedSA += tmp.InPktsUnusedSA;
+ }
+}
+
+static void copy_tx_sc_stats(struct macsec_tx_sc_stats *sum,
+ struct pcpu_tx_sc_stats __percpu *pstats)
+{
+ int cpu;
+
+ memset(sum, 0, sizeof(*sum));
+ for_each_possible_cpu(cpu) {
+ const struct pcpu_tx_sc_stats *stats;
+ struct macsec_tx_sc_stats tmp;
+ unsigned int start;
+
+ stats = per_cpu_ptr(pstats, cpu);
+ do {
+ start = u64_stats_fetch_begin_irq(&stats->syncp);
+ memcpy(&tmp, &stats->stats, sizeof(tmp));
+ } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
+
+ sum->OutPktsProtected += tmp.OutPktsProtected;
+ sum->OutPktsEncrypted += tmp.OutPktsEncrypted;
+ sum->OutOctetsProtected += tmp.OutOctetsProtected;
+ sum->OutOctetsEncrypted += tmp.OutOctetsEncrypted;
+ }
+}
+
+static void copy_secy_stats(struct macsec_dev_stats *sum,
+ struct pcpu_secy_stats __percpu *pstats)
+{
+ int cpu;
+
+ memset(sum, 0, sizeof(*sum));
+ for_each_possible_cpu(cpu) {
+ const struct pcpu_secy_stats *stats;
+ struct macsec_dev_stats tmp;
+ unsigned int start;
+
+ stats = per_cpu_ptr(pstats, cpu);
+ do {
+ start = u64_stats_fetch_begin_irq(&stats->syncp);
+ memcpy(&tmp, &stats->stats, sizeof(tmp));
+ } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
+
+ sum->OutPktsUntagged += tmp.OutPktsUntagged;
+ sum->InPktsUntagged += tmp.InPktsUntagged;
+ sum->OutPktsTooLong += tmp.OutPktsTooLong;
+ sum->InPktsNoTag += tmp.InPktsNoTag;
+ sum->InPktsBadTag += tmp.InPktsBadTag;
+ sum->InPktsUnknownSCI += tmp.InPktsUnknownSCI;
+ sum->InPktsNoSCI += tmp.InPktsNoSCI;
+ sum->InPktsOverrun += tmp.InPktsOverrun;
+ }
+}
+
+static int dump_secy(struct macsec_secy *secy, struct net_device *dev,
+ struct sk_buff *skb, struct netlink_callback *cb)
+{
+ struct macsec_rx_sc *rx_sc;
+ struct macsec_tx_sc *tx_sc = &secy->tx_sc;
+ struct nlattr *txsa_list, *rxsc_list;
+ int i;
+ void *hdr;
+ struct nlattr *attr;
+
+ hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
+ &macsec_fam, NLM_F_MULTI, MACSEC_CMD_GET_TXSC);
+ if (!hdr)
+ return -EMSGSIZE;
+
+ rtnl_lock();
+
+ if (nla_put_u32(skb, MACSEC_ATTR_IFINDEX, dev->ifindex) ||
+ nla_put_sci(skb, MACSEC_ATTR_SCI, secy->sci) ||
+ nla_put_u64(skb, MACSEC_ATTR_CIPHER_SUITE, DEFAULT_CIPHER_ID) ||
+ nla_put_u8(skb, MACSEC_ATTR_ICV_LEN, secy->icv_len) ||
+ nla_put_u8(skb, MACSEC_ATTR_OPER, secy->operational) ||
+ nla_put_u8(skb, MACSEC_ATTR_PROTECT, secy->protect_frames) ||
+ nla_put_u8(skb, MACSEC_ATTR_REPLAY, secy->replay_protect) ||
+ nla_put_u8(skb, MACSEC_ATTR_VALIDATE, secy->validate_frames) ||
+ nla_put_u8(skb, MACSEC_ATTR_ENCRYPT, tx_sc->encrypt) ||
+ nla_put_u8(skb, MACSEC_ATTR_INC_SCI, tx_sc->send_sci) ||
+ nla_put_u8(skb, MACSEC_ATTR_ES, tx_sc->end_station) ||
+ nla_put_u8(skb, MACSEC_ATTR_SCB, tx_sc->scb) ||
+ nla_put_u8(skb, MACSEC_ATTR_ENCODING_SA, tx_sc->encoding_sa))
+ goto nla_put_failure;
+
+ attr = nla_reserve(skb, MACSEC_TXSC_STATS,
+ sizeof(struct macsec_tx_sc_stats));
+ if (!attr)
+ goto nla_put_failure;
+ copy_tx_sc_stats(nla_data(attr), tx_sc->stats);
+
+ attr = nla_reserve(skb, MACSEC_SECY_STATS,
+ sizeof(struct macsec_dev_stats));
+ if (!attr)
+ goto nla_put_failure;
+ copy_secy_stats(nla_data(attr), macsec_priv(dev)->stats);
+
+ if (secy->replay_protect) {
+ if (nla_put_u32(skb, MACSEC_ATTR_WINDOW, secy->replay_window))
+ goto nla_put_failure;
+ }
+
+ txsa_list = nla_nest_start(skb, MACSEC_TXSA_LIST);
+ if (!txsa_list)
+ goto nla_put_failure;
+ for (i = 0; i < 4; i++) {
+ struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]);
+ struct nlattr *txsa_nest;
+
+ if (!tx_sa)
+ continue;
+
+ txsa_nest = nla_nest_start(skb, MACSEC_SA);
+ if (!txsa_nest) {
+ nla_nest_cancel(skb, txsa_list);
+ goto nla_put_failure;
+ }
+
+ if (nla_put_u8(skb, MACSEC_ATTR_SA_AN, i) ||
+ nla_put_u32(skb, MACSEC_ATTR_SA_PN, tx_sa->next_pn) ||
+ nla_put_u64(skb, MACSEC_ATTR_SA_KEYID, tx_sa->key.id) ||
+ nla_put_u8(skb, MACSEC_ATTR_SA_ACTIVE, tx_sa->active)) {
+ nla_nest_cancel(skb, txsa_nest);
+ nla_nest_cancel(skb, txsa_list);
+ goto nla_put_failure;
+ }
+
+ attr = nla_reserve(skb, MACSEC_SA_STATS,
+ sizeof(struct macsec_tx_sa_stats));
+ if (!attr)
+ goto nla_put_failure;
+ copy_tx_sa_stats(nla_data(attr), tx_sa->stats);
+
+ nla_nest_end(skb, txsa_nest);
+ }
+ nla_nest_end(skb, txsa_list);
+
+ rxsc_list = nla_nest_start(skb, MACSEC_RXSC_LIST);
+ if (!rxsc_list)
+ goto nla_put_failure;
+
+ for_each_rxsc_rtnl(secy, rx_sc) {
+ struct nlattr *rxsa_list;
+ struct nlattr *rxsc_nest = nla_nest_start(skb, MACSEC_RXSC);
+
+ if (!rxsc_nest) {
+ nla_nest_cancel(skb, rxsc_list);
+ goto nla_put_failure;
+ }
+
+ if (nla_put_u8(skb, MACSEC_ATTR_SC_ACTIVE, rx_sc->active) ||
+ nla_put_sci(skb, MACSEC_ATTR_SC_SCI, rx_sc->sci)) {
+ nla_nest_cancel(skb, rxsc_nest);
+ nla_nest_cancel(skb, rxsc_list);
+ goto nla_put_failure;
+ }
+
+ attr = nla_reserve(skb, MACSEC_RXSC_STATS,
+ sizeof(struct macsec_rx_sc_stats));
+ if (!attr)
+ goto nla_put_failure;
+ copy_rx_sc_stats(nla_data(attr), rx_sc->stats);
+
+ rxsa_list = nla_nest_start(skb, MACSEC_RXSA_LIST);
+ if (!rxsa_list) {
+ nla_nest_cancel(skb, rxsc_nest);
+ nla_nest_cancel(skb, rxsc_list);
+ goto nla_put_failure;
+ }
+
+ for (i = 0; i < 4; i++) {
+ struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]);
+ struct nlattr *rxsa_nest;
+
+ if (!rx_sa)
+ continue;
+
+ rxsa_nest = nla_nest_start(skb, MACSEC_SA);
+ if (!rxsa_nest) {
+ nla_nest_cancel(skb, rxsa_list);
+ nla_nest_cancel(skb, rxsc_nest);
+ nla_nest_cancel(skb, rxsc_list);
+ goto nla_put_failure;
+ }
+
+ attr = nla_reserve(skb, MACSEC_SA_STATS,
+ sizeof(struct macsec_rx_sa_stats));
+ if (!attr)
+ goto nla_put_failure;
+ copy_rx_sa_stats(nla_data(attr), rx_sa->stats);
+
+ if (nla_put_u8(skb, MACSEC_ATTR_SA_AN, i) ||
+ nla_put_u32(skb, MACSEC_ATTR_SA_PN, rx_sa->next_pn) ||
+ nla_put_u64(skb, MACSEC_ATTR_SA_KEYID, rx_sa->key.id) ||
+ nla_put_u8(skb, MACSEC_ATTR_SA_ACTIVE, rx_sa->active)) {
+ nla_nest_cancel(skb, rxsa_nest);
+ nla_nest_cancel(skb, rxsc_nest);
+ nla_nest_cancel(skb, rxsc_list);
+ goto nla_put_failure;
+ }
+ nla_nest_end(skb, rxsa_nest);
+ }
+
+ nla_nest_end(skb, rxsa_list);
+ nla_nest_end(skb, rxsc_nest);
+ }
+
+ nla_nest_end(skb, rxsc_list);
+
+ rtnl_unlock();
+
+ genlmsg_end(skb, hdr);
+
+ return 0;
+
+nla_put_failure:
+ rtnl_unlock();
+ genlmsg_cancel(skb, hdr);
+ return -EMSGSIZE;
+}
+
+static int macsec_dump_txsc(struct sk_buff *skb, struct netlink_callback *cb)
+{
+ struct net *net = sock_net(skb->sk);
+ struct net_device *dev;
+ int dev_idx, d;
+
+ dev_idx = cb->args[0];
+
+ d = 0;
+ for_each_netdev(net, dev) {
+ struct macsec_secy *secy;
+
+ if (d < dev_idx)
+ goto next;
+
+ if (!netif_is_macsec(dev))
+ goto next;
+
+ secy = &macsec_priv(dev)->secy;
+ if (dump_secy(secy, dev, skb, cb) < 0)
+ goto done;
+next:
+ d++;
+ }
+
+done:
+ cb->args[0] = d;
+ return skb->len;
+}
+
+static const struct nla_policy macsec_genl_policy[NUM_MACSEC_ATTR] = {
+ [MACSEC_ATTR_IFINDEX] = { .type = NLA_U32 },
+ [MACSEC_ATTR_SCI] = { .type = NLA_U64 },
+ [MACSEC_ATTR_WINDOW] = { .type = NLA_U32 },
+ [MACSEC_ATTR_CIPHER_SUITE] = { .type = NLA_U64 },
+ [MACSEC_ATTR_ICV_LEN] = { .type = NLA_U8 },
+ [MACSEC_ATTR_PROTECT] = { .type = NLA_U8 },
+ [MACSEC_ATTR_REPLAY] = { .type = NLA_U8 },
+ [MACSEC_ATTR_OPER] = { .type = NLA_U8 },
+ [MACSEC_ATTR_VALIDATE] = { .type = NLA_U8 },
+ [MACSEC_ATTR_ENCRYPT] = { .type = NLA_U8 },
+ [MACSEC_ATTR_INC_SCI] = { .type = NLA_U8 },
+ [MACSEC_ATTR_ES] = { .type = NLA_U8 },
+ [MACSEC_ATTR_SCB] = { .type = NLA_U8 },
+};
+
+static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_SC_ATTR] = {
+ [MACSEC_ATTR_SC_IFINDEX] = { .type = NLA_U32 },
+ [MACSEC_ATTR_SC_SCI] = { .type = NLA_U64 },
+ [MACSEC_ATTR_SC_ACTIVE] = { .type = NLA_U8 },
+};
+
+static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = {
+ [MACSEC_ATTR_SA_IFINDEX] = { .type = NLA_U32 },
+ [MACSEC_ATTR_SA_SCI] = { .type = NLA_U64 },
+ [MACSEC_ATTR_SA_AN] = { .type = NLA_U8 },
+ [MACSEC_ATTR_SA_ACTIVE] = { .type = NLA_U8 },
+ [MACSEC_ATTR_SA_PN] = { .type = NLA_U32 },
+ [MACSEC_ATTR_SA_KEYID] = { .type = NLA_U64 },
+ [MACSEC_ATTR_SA_KEY] = { .type = NLA_BINARY,
+ .len = MACSEC_MAX_KEY_LEN, },
+};
+
+static const struct genl_ops macsec_genl_ops[] = {
+ {
+ .cmd = MACSEC_CMD_GET_TXSC,
+ .dumpit = macsec_dump_txsc,
+ .policy = macsec_genl_policy,
+ },
+ {
+ .cmd = MACSEC_CMD_ADD_RXSC,
+ .doit = macsec_add_rxsc,
+ .policy = macsec_genl_rxsc_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = MACSEC_CMD_DEL_RXSC,
+ .doit = macsec_del_rxsc,
+ .policy = macsec_genl_rxsc_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = MACSEC_CMD_UPD_RXSC,
+ .doit = macsec_upd_rxsc,
+ .policy = macsec_genl_rxsc_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = MACSEC_CMD_ADD_TXSA,
+ .doit = macsec_add_txsa,
+ .policy = macsec_genl_sa_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = MACSEC_CMD_DEL_TXSA,
+ .doit = macsec_del_txsa,
+ .policy = macsec_genl_sa_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = MACSEC_CMD_UPD_TXSA,
+ .doit = macsec_upd_txsa,
+ .policy = macsec_genl_sa_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = MACSEC_CMD_ADD_RXSA,
+ .doit = macsec_add_rxsa,
+ .policy = macsec_genl_sa_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = MACSEC_CMD_DEL_RXSA,
+ .doit = macsec_del_rxsa,
+ .policy = macsec_genl_sa_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+ {
+ .cmd = MACSEC_CMD_UPD_RXSA,
+ .doit = macsec_upd_rxsa,
+ .policy = macsec_genl_sa_policy,
+ .flags = GENL_ADMIN_PERM,
+ },
+};
+
+static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
+ struct net_device *dev)
+{
+ struct macsec_dev *macsec = netdev_priv(dev);
+ struct macsec_secy *secy = &macsec->secy;
+ struct pcpu_secy_stats *secy_stats;
+ int ret, len;
+
+ /* 10.5 */
+ if (!secy->protect_frames) {
+ secy_stats = this_cpu_ptr(macsec->stats);
+ u64_stats_update_begin(&secy_stats->syncp);
+ secy_stats->stats.OutPktsUntagged++;
+ u64_stats_update_end(&secy_stats->syncp);
+ len = skb->len;
+ ret = dev_queue_xmit(skb);
+ count_tx(dev, ret, len);
+ return ret;
+ }
+
+ if (!secy->operational) {
+ kfree_skb(skb);
+ dev->stats.tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+ skb = macsec_encrypt(skb, dev);
+ if (IS_ERR(skb)) {
+ if (PTR_ERR(skb) != -EINPROGRESS)
+ dev->stats.tx_dropped++;
+ return NETDEV_TX_OK;
+ }
+
+ macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
+
+ macsec_encrypt_finish(skb, dev);
+ len = skb->len;
+ ret = dev_queue_xmit(skb);
+ count_tx(dev, ret, len);
+ return ret;
+}
+
+#define MACSEC_FEATURES \
+ (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
+static int macsec_dev_init(struct net_device *dev)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct net_device *real_dev = macsec->real_dev;
+
+ dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+ if (!dev->tstats)
+ return -ENOMEM;
+
+ dev->features = real_dev->features & MACSEC_FEATURES;
+ dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE;
+
+ dev->needed_headroom = real_dev->needed_headroom +
+ MACSEC_NEEDED_HEADROOM;
+ dev->needed_tailroom = real_dev->needed_tailroom +
+ MACSEC_NEEDED_TAILROOM;
+
+ if (is_zero_ether_addr(dev->dev_addr))
+ eth_hw_addr_inherit(dev, real_dev);
+ if (is_zero_ether_addr(dev->broadcast))
+ memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len);
+
+ return 0;
+}
+
+static void macsec_dev_uninit(struct net_device *dev)
+{
+ free_percpu(dev->tstats);
+}
+
+static netdev_features_t macsec_fix_features(struct net_device *dev,
+ netdev_features_t features)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct net_device *real_dev = macsec->real_dev;
+
+ features &= real_dev->features & MACSEC_FEATURES;
+ features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE;
+
+ return features;
+}
+
+static int macsec_dev_open(struct net_device *dev)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct net_device *real_dev = macsec->real_dev;
+ int err;
+
+ if (!(real_dev->flags & IFF_UP))
+ return -ENETDOWN;
+
+ err = dev_uc_add(real_dev, dev->dev_addr);
+ if (err < 0)
+ return err;
+
+ if (dev->flags & IFF_ALLMULTI) {
+ err = dev_set_allmulti(real_dev, 1);
+ if (err < 0)
+ goto del_unicast;
+ }
+
+ if (dev->flags & IFF_PROMISC) {
+ err = dev_set_promiscuity(real_dev, 1);
+ if (err < 0)
+ goto clear_allmulti;
+ }
+
+ if (netif_carrier_ok(real_dev))
+ netif_carrier_on(dev);
+
+ return 0;
+clear_allmulti:
+ if (dev->flags & IFF_ALLMULTI)
+ dev_set_allmulti(real_dev, -1);
+del_unicast:
+ dev_uc_del(real_dev, dev->dev_addr);
+ netif_carrier_off(dev);
+ return err;
+}
+
+static int macsec_dev_stop(struct net_device *dev)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct net_device *real_dev = macsec->real_dev;
+
+ netif_carrier_off(dev);
+
+ dev_mc_unsync(real_dev, dev);
+ dev_uc_unsync(real_dev, dev);
+
+ if (dev->flags & IFF_ALLMULTI)
+ dev_set_allmulti(real_dev, -1);
+
+ if (dev->flags & IFF_PROMISC)
+ dev_set_promiscuity(real_dev, -1);
+
+ dev_uc_del(real_dev, dev->dev_addr);
+
+ return 0;
+}
+
+static void macsec_dev_change_rx_flags(struct net_device *dev, int change)
+{
+ struct net_device *real_dev = macsec_priv(dev)->real_dev;
+
+ if (!(dev->flags & IFF_UP))
+ return;
+
+ if (change & IFF_ALLMULTI)
+ dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+
+ if (change & IFF_PROMISC)
+ dev_set_promiscuity(real_dev,
+ dev->flags & IFF_PROMISC ? 1 : -1);
+}
+
+static void macsec_dev_set_rx_mode(struct net_device *dev)
+{
+ struct net_device *real_dev = macsec_priv(dev)->real_dev;
+
+ dev_mc_sync(real_dev, dev);
+ dev_uc_sync(real_dev, dev);
+}
+
+static int macsec_set_mac_address(struct net_device *dev, void *p)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct net_device *real_dev = macsec->real_dev;
+ struct sockaddr *addr = p;
+ int err;
+
+ if (!is_valid_ether_addr(addr->sa_data))
+ return -EADDRNOTAVAIL;
+
+ if (!(dev->flags & IFF_UP))
+ goto out;
+
+ err = dev_uc_add(real_dev, addr->sa_data);
+ if (err < 0)
+ return err;
+
+ dev_uc_del(real_dev, dev->dev_addr);
+
+out:
+ ether_addr_copy(dev->dev_addr, addr->sa_data);
+ return 0;
+}
+
+static int macsec_change_mtu(struct net_device *dev, int new_mtu)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ unsigned int extra = macsec->secy.icv_len + macsec_extra_len(true);
+
+ if (macsec->real_dev->mtu - extra < new_mtu)
+ return -ERANGE;
+
+ dev->mtu = new_mtu;
+
+ return 0;
+}
+
+static struct rtnl_link_stats64 *macsec_get_stats64(struct net_device *dev,
+ struct rtnl_link_stats64 *s)
+{
+ int cpu;
+
+ if (!dev->tstats)
+ return s;
+
+ for_each_possible_cpu(cpu) {
+ struct pcpu_sw_netstats *stats;
+ struct pcpu_sw_netstats tmp;
+ int start;
+
+ stats = per_cpu_ptr(dev->tstats, cpu);
+ do {
+ start = u64_stats_fetch_begin_irq(&stats->syncp);
+ tmp.rx_packets = stats->rx_packets;
+ tmp.rx_bytes = stats->rx_bytes;
+ tmp.tx_packets = stats->tx_packets;
+ tmp.tx_bytes = stats->tx_bytes;
+ } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
+
+ s->rx_packets += tmp.rx_packets;
+ s->rx_bytes += tmp.rx_bytes;
+ s->tx_packets += tmp.tx_packets;
+ s->tx_bytes += tmp.tx_bytes;
+ }
+
+ s->rx_dropped = dev->stats.rx_dropped;
+ s->tx_dropped = dev->stats.tx_dropped;
+
+ return s;
+}
+
+static int macsec_get_iflink(const struct net_device *dev)
+{
+ return macsec_priv(dev)->real_dev->ifindex;
+}
+
+static const struct net_device_ops macsec_netdev_ops = {
+ .ndo_init = macsec_dev_init,
+ .ndo_uninit = macsec_dev_uninit,
+ .ndo_open = macsec_dev_open,
+ .ndo_stop = macsec_dev_stop,
+ .ndo_fix_features = macsec_fix_features,
+ .ndo_change_mtu = macsec_change_mtu,
+ .ndo_set_rx_mode = macsec_dev_set_rx_mode,
+ .ndo_change_rx_flags = macsec_dev_change_rx_flags,
+ .ndo_set_mac_address = macsec_set_mac_address,
+ .ndo_start_xmit = macsec_start_xmit,
+ .ndo_get_stats64 = macsec_get_stats64,
+ .ndo_get_iflink = macsec_get_iflink,
+};
+
+static const struct device_type macsec_type = {
+ .name = "macsec",
+};
+
+static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
+ [IFLA_MACSEC_SCI] = { .type = NLA_U64 },
+ [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
+ [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
+ [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
+ [IFLA_MACSEC_ENCODING_SA] = { .type = NLA_U8 },
+ [IFLA_MACSEC_ENCRYPT] = { .type = NLA_U8 },
+ [IFLA_MACSEC_PROTECT] = { .type = NLA_U8 },
+ [IFLA_MACSEC_INC_SCI] = { .type = NLA_U8 },
+ [IFLA_MACSEC_ES] = { .type = NLA_U8 },
+ [IFLA_MACSEC_SCB] = { .type = NLA_U8 },
+ [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 },
+ [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 },
+};
+
+static void macsec_free_netdev(struct net_device *dev)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct net_device *real_dev = macsec->real_dev;
+
+ free_percpu(macsec->stats);
+ free_percpu(macsec->secy.tx_sc.stats);
+
+ dev_put(real_dev);
+ free_netdev(dev);
+}
+
+static void macsec_setup(struct net_device *dev)
+{
+ ether_setup(dev);
+ dev->tx_queue_len = 0;
+ dev->netdev_ops = &macsec_netdev_ops;
+ dev->destructor = macsec_free_netdev;
+
+ eth_zero_addr(dev->broadcast);
+}
+
+static void macsec_changelink_common(struct net_device *dev,
+ struct nlattr *data[])
+{
+ struct macsec_secy *secy;
+ struct macsec_tx_sc *tx_sc;
+
+ secy = &macsec_priv(dev)->secy;
+ tx_sc = &secy->tx_sc;
+
+ if (data[IFLA_MACSEC_ENCODING_SA]) {
+ struct macsec_tx_sa *tx_sa;
+
+ tx_sc->encoding_sa = nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]);
+ tx_sa = rtnl_dereference(tx_sc->sa[tx_sc->encoding_sa]);
+
+ secy->operational = tx_sa && tx_sa->active;
+ }
+
+ if (data[IFLA_MACSEC_WINDOW])
+ secy->replay_window = nla_get_u32(data[IFLA_MACSEC_WINDOW]);
+
+ if (data[IFLA_MACSEC_ENCRYPT])
+ tx_sc->encrypt = !!nla_get_u8(data[IFLA_MACSEC_ENCRYPT]);
+
+ if (data[IFLA_MACSEC_PROTECT])
+ secy->protect_frames = !!nla_get_u8(data[IFLA_MACSEC_PROTECT]);
+
+ if (data[IFLA_MACSEC_INC_SCI])
+ tx_sc->send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
+
+ if (data[IFLA_MACSEC_ES])
+ tx_sc->end_station = !!nla_get_u8(data[IFLA_MACSEC_ES]);
+
+ if (data[IFLA_MACSEC_SCB])
+ tx_sc->scb = !!nla_get_u8(data[IFLA_MACSEC_SCB]);
+
+ if (data[IFLA_MACSEC_REPLAY_PROTECT])
+ secy->replay_protect = !!nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT]);
+
+ if (data[IFLA_MACSEC_VALIDATION])
+ secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]);
+}
+
+static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
+ struct nlattr *data[])
+{
+ if (!data)
+ return 0;
+
+ if (data[IFLA_MACSEC_CIPHER_SUITE] ||
+ data[IFLA_MACSEC_ICV_LEN] ||
+ data[IFLA_MACSEC_SCI] ||
+ data[IFLA_MACSEC_PORT])
+ return -EINVAL;
+
+ macsec_changelink_common(dev, data);
+
+ return 0;
+}
+
+static void macsec_del_dev(struct macsec_dev *macsec)
+{
+ int i;
+
+ while (macsec->secy.rx_sc) {
+ struct macsec_rx_sc *rx_sc = rtnl_dereference(macsec->secy.rx_sc);
+
+ rcu_assign_pointer(macsec->secy.rx_sc, rx_sc->next);
+ free_rx_sc(rx_sc);
+ }
+
+ for (i = 0; i < 4; i++) {
+ struct macsec_tx_sa *sa = rtnl_dereference(macsec->secy.tx_sc.sa[i]);
+
+ if (sa) {
+ RCU_INIT_POINTER(macsec->secy.tx_sc.sa[i], NULL);
+ clear_tx_sa(sa);
+ }
+ }
+}
+
+static void macsec_dellink(struct net_device *dev, struct list_head *head)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct net_device *real_dev = macsec->real_dev;
+ struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
+
+ unregister_netdevice_queue(dev, head);
+ list_del_rcu(&macsec->secys);
+ if (list_empty(&rxd->secys))
+ netdev_rx_handler_unregister(real_dev);
+
+ macsec_del_dev(macsec);
+}
+
+static int register_macsec_dev(struct net_device *real_dev,
+ struct net_device *dev)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
+
+ if (!rxd) {
+ int err;
+
+ rxd = kmalloc(sizeof(*rxd), GFP_KERNEL);
+ if (!rxd)
+ return -ENOMEM;
+
+ INIT_LIST_HEAD(&rxd->secys);
+
+ err = netdev_rx_handler_register(real_dev, macsec_handle_frame,
+ rxd);
+ if (err < 0)
+ return err;
+ }
+
+ list_add_tail_rcu(&macsec->secys, &rxd->secys);
+ return 0;
+}
+
+static bool sci_exists(struct net_device *dev, sci_t sci)
+{
+ struct macsec_rxh_data *rxd = macsec_data_rtnl(dev);
+ struct macsec_dev *macsec;
+
+ list_for_each_entry(macsec, &rxd->secys, secys) {
+ if (macsec->secy.sci == sci)
+ return true;
+ }
+
+ return false;
+}
+
+static sci_t dev_to_sci(struct net_device *dev, __be16 port)
+{
+ return make_sci(dev->dev_addr, port);
+}
+
+static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct macsec_secy *secy = &macsec->secy;
+
+ macsec->stats = netdev_alloc_pcpu_stats(struct pcpu_secy_stats);
+ if (!macsec->stats)
+ return -ENOMEM;
+
+ secy->tx_sc.stats = netdev_alloc_pcpu_stats(struct pcpu_tx_sc_stats);
+ if (!secy->tx_sc.stats) {
+ free_percpu(macsec->stats);
+ return -ENOMEM;
+ }
+
+ if (sci == MACSEC_UNDEF_SCI)
+ sci = dev_to_sci(dev, MACSEC_PORT_ES);
+
+ secy->netdev = dev;
+ secy->operational = true;
+ secy->key_len = DEFAULT_SAK_LEN;
+ secy->icv_len = icv_len;
+ secy->validate_frames = MACSEC_VALIDATE_DEFAULT;
+ secy->protect_frames = true;
+ secy->replay_protect = false;
+
+ secy->sci = sci;
+ secy->tx_sc.active = true;
+ secy->tx_sc.encoding_sa = DEFAULT_ENCODING_SA;
+ secy->tx_sc.encrypt = DEFAULT_ENCRYPT;
+ secy->tx_sc.send_sci = DEFAULT_SEND_SCI;
+ secy->tx_sc.end_station = false;
+ secy->tx_sc.scb = false;
+
+ return 0;
+}
+
+static int macsec_newlink(struct net *net, struct net_device *dev,
+ struct nlattr *tb[], struct nlattr *data[])
+{
+ struct macsec_dev *macsec = macsec_priv(dev);
+ struct net_device *real_dev;
+ int err;
+ sci_t sci;
+ u8 icv_len = DEFAULT_ICV_LEN;
+ rx_handler_func_t *rx_handler;
+
+ if (!tb[IFLA_LINK])
+ return -EINVAL;
+ real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK]));
+ if (!real_dev)
+ return -ENODEV;
+
+ dev->priv_flags |= IFF_MACSEC;
+
+ macsec->real_dev = real_dev;
+
+ if (data && data[IFLA_MACSEC_ICV_LEN])
+ icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
+ dev->mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
+
+ rx_handler = rtnl_dereference(real_dev->rx_handler);
+ if (rx_handler && rx_handler != macsec_handle_frame)
+ return -EBUSY;
+
+ err = register_netdevice(dev);
+ if (err < 0)
+ return err;
+
+ /* need to be already registered so that ->init has run and
+ * the MAC addr is set
+ */
+ if (data && data[IFLA_MACSEC_SCI])
+ sci = nla_get_sci(data[IFLA_MACSEC_SCI]);
+ else if (data && data[IFLA_MACSEC_PORT])
+ sci = dev_to_sci(dev, nla_get_be16(data[IFLA_MACSEC_PORT]));
+ else
+ sci = dev_to_sci(dev, MACSEC_PORT_ES);
+
+ if (rx_handler && sci_exists(real_dev, sci)) {
+ err = -EBUSY;
+ goto unregister;
+ }
+
+ err = macsec_add_dev(dev, sci, icv_len);
+ if (err)
+ goto unregister;
+
+ if (data)
+ macsec_changelink_common(dev, data);
+
+ err = register_macsec_dev(real_dev, dev);
+ if (err < 0)
+ goto del_dev;
+
+ dev_hold(real_dev);
+
+ return 0;
+
+del_dev:
+ macsec_del_dev(macsec);
+unregister:
+ unregister_netdevice(dev);
+ return err;
+}
+
+static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[])
+{
+ u64 csid = DEFAULT_CIPHER_ID;
+ u8 icv_len = DEFAULT_ICV_LEN;
+ int flag;
+ bool es, scb, sci;
+
+ if (!data)
+ return 0;
+
+ if (data[IFLA_MACSEC_CIPHER_SUITE])
+ csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
+
+ if (data[IFLA_MACSEC_ICV_LEN])
+ icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
+
+ switch (csid) {
+ case DEFAULT_CIPHER_ID:
+ case DEFAULT_CIPHER_ALT:
+ if (icv_len < MACSEC_MIN_ICV_LEN ||
+ icv_len > MACSEC_MAX_ICV_LEN)
+ return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ if (data[IFLA_MACSEC_ENCODING_SA]) {
+ if (nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]) > 3)
+ return -EINVAL;
+ }
+
+ for (flag = IFLA_MACSEC_ENCODING_SA + 1;
+ flag < IFLA_MACSEC_VALIDATION;
+ flag++) {
+ if (data[flag]) {
+ if (nla_get_u8(data[flag]) > 1)
+ return -EINVAL;
+ }
+ }
+
+ es = data[IFLA_MACSEC_ES] ? nla_get_u8(data[IFLA_MACSEC_ES]) : false;
+ sci = data[IFLA_MACSEC_INC_SCI] ? nla_get_u8(data[IFLA_MACSEC_INC_SCI]) : false;
+ scb = data[IFLA_MACSEC_SCB] ? nla_get_u8(data[IFLA_MACSEC_SCB]) : false;
+
+ if ((sci && (scb || es)) || (scb && es))
+ return -EINVAL;
+
+ if (data[IFLA_MACSEC_VALIDATION] &&
+ nla_get_u8(data[IFLA_MACSEC_VALIDATION]) > MACSEC_VALIDATE_MAX)
+ return -EINVAL;
+
+ if ((data[IFLA_MACSEC_PROTECT] &&
+ nla_get_u8(data[IFLA_MACSEC_PROTECT])) &&
+ !data[IFLA_MACSEC_WINDOW])
+ return -EINVAL;
+
+ return 0;
+}
+
+static struct net *macsec_get_link_net(const struct net_device *dev)
+{
+ return dev_net(macsec_priv(dev)->real_dev);
+}
+
+static size_t macsec_get_size(const struct net_device *dev)
+{
+ return 0 +
+ nla_total_size(8) + /* SCI */
+ nla_total_size(1) + /* ICV_LEN */
+ nla_total_size(8) + /* CIPHER_SUITE */
+ nla_total_size(4) + /* WINDOW */
+ nla_total_size(1) + /* ENCODING_SA */
+ nla_total_size(1) + /* ENCRYPT */
+ nla_total_size(1) + /* PROTECT */
+ nla_total_size(1) + /* INC_SCI */
+ nla_total_size(1) + /* ES */
+ nla_total_size(1) + /* SCB */
+ nla_total_size(1) + /* REPLAY_PROTECT */
+ nla_total_size(1) + /* VALIDATION */
+ 0;
+}
+
+static int macsec_fill_info(struct sk_buff *skb,
+ const struct net_device *dev)
+{
+ struct macsec_secy *secy = &macsec_priv(dev)->secy;
+ struct macsec_tx_sc *tx_sc = &secy->tx_sc;
+
+ if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci) ||
+ nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) ||
+ nla_put_u64(skb, IFLA_MACSEC_CIPHER_SUITE, DEFAULT_CIPHER_ID) ||
+ nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) ||
+ nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) ||
+ nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) ||
+ nla_put_u8(skb, IFLA_MACSEC_INC_SCI, tx_sc->send_sci) ||
+ nla_put_u8(skb, IFLA_MACSEC_ES, tx_sc->end_station) ||
+ nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) ||
+ nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) ||
+ nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) ||
+ 0)
+ goto nla_put_failure;
+
+ if (secy->replay_protect) {
+ if (nla_put_u32(skb, IFLA_MACSEC_WINDOW, secy->replay_window))
+ goto nla_put_failure;
+ }
+
+ return 0;
+
+nla_put_failure:
+ return -EMSGSIZE;
+}
+
+static struct rtnl_link_ops macsec_link_ops __read_mostly = {
+ .kind = "macsec",
+ .priv_size = sizeof(struct macsec_dev),
+ .maxtype = IFLA_MACSEC_MAX,
+ .policy = macsec_rtnl_policy,
+ .setup = macsec_setup,
+ .validate = macsec_validate_attr,
+ .newlink = macsec_newlink,
+ .changelink = macsec_changelink,
+ .dellink = macsec_dellink,
+ .get_size = macsec_get_size,
+ .fill_info = macsec_fill_info,
+ .get_link_net = macsec_get_link_net,
+};
+
+static bool is_macsec_master(struct net_device *dev)
+{
+ return rcu_access_pointer(dev->rx_handler) == macsec_handle_frame;
+}
+
+static int macsec_notify(struct notifier_block *this, unsigned long event,
+ void *ptr)
+{
+ struct net_device *real_dev = netdev_notifier_info_to_dev(ptr);
+ LIST_HEAD(head);
+
+ if (!is_macsec_master(real_dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UNREGISTER: {
+ struct macsec_dev *m, *n;
+ struct macsec_rxh_data *rxd;
+
+ rxd = macsec_data_rtnl(real_dev);
+ list_for_each_entry_safe(m, n, &rxd->secys, secys) {
+ macsec_dellink(m->secy.netdev, &head);
+ }
+ unregister_netdevice_many(&head);
+ break;
+ }
+ case NETDEV_CHANGEMTU: {
+ struct macsec_dev *m;
+ struct macsec_rxh_data *rxd;
+
+ rxd = macsec_data_rtnl(real_dev);
+ list_for_each_entry(m, &rxd->secys, secys) {
+ struct net_device *dev = m->secy.netdev;
+ unsigned int mtu = real_dev->mtu - (m->secy.icv_len +
+ macsec_extra_len(true));
+
+ if (dev->mtu > mtu)
+ dev_set_mtu(dev, mtu);
+ }
+ }
+ }
+
+ return NOTIFY_OK;
+}
+
+static struct notifier_block macsec_notifier = {
+ .notifier_call = macsec_notify,
+};
+
+static int __init macsec_init(void)
+{
+ int err;
+
+ pr_info("MACsec IEEE 802.1AE\n");
+ err = register_netdevice_notifier(&macsec_notifier);
+ if (err)
+ return err;
+
+ err = rtnl_link_register(&macsec_link_ops);
+ if (err)
+ goto notifier;
+
+ err = genl_register_family_with_ops(&macsec_fam, macsec_genl_ops);
+ if (err)
+ goto rtnl;
+
+ return 0;
+
+rtnl:
+ rtnl_link_unregister(&macsec_link_ops);
+notifier:
+ unregister_netdevice_notifier(&macsec_notifier);
+ return err;
+}
+
+static void __exit macsec_exit(void)
+{
+ genl_unregister_family(&macsec_fam);
+ rtnl_link_unregister(&macsec_link_ops);
+ unregister_netdevice_notifier(&macsec_notifier);
+}
+
+module_init(macsec_init);
+module_exit(macsec_exit);
+
+MODULE_ALIAS_RTNL_LINK("macsec");
+
+MODULE_DESCRIPTION("MACsec IEEE 802.1AE");
+MODULE_LICENSE("GPL v2");
--
2.7.2
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver
2016-03-07 17:12 ` [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver Sabrina Dubroca
@ 2016-03-07 19:05 ` David Miller
2016-03-08 20:13 ` Johannes Berg
1 sibling, 0 replies; 16+ messages in thread
From: David Miller @ 2016-03-07 19:05 UTC (permalink / raw)
To: sd; +Cc: netdev, hannes, fw, pabeni, stephen
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Mon, 7 Mar 2016 18:12:40 +0100
> diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
> index f184fb5bd110..2a1ba62b7da2 100644
> --- a/drivers/net/Kconfig
> +++ b/drivers/net/Kconfig
> @@ -193,6 +193,13 @@ config GENEVE
> To compile this driver as a module, choose M here: the module
> will be called geneve.
>
> +config MACSEC
> + tristate "IEEE 802.1AE MAC-level encryption (MACsec)"
> + select CRYPTO_AES
> + select CRYPTO_GCM
> + ---help---
> + MACsec is an encryption standard for Ethernet.
> +
> config NETCONSOLE
> tristate "Network console logging support"
> ---help---
> diff --git a/drivers/net/Makefile b/drivers/net/Makefile
> index 900b0c5320bb..1aa7cb845663 100644
> --- a/drivers/net/Makefile
> +++ b/drivers/net/Makefile
> @@ -10,6 +10,7 @@ obj-$(CONFIG_IPVLAN) += ipvlan/
> obj-$(CONFIG_DUMMY) += dummy.o
> obj-$(CONFIG_EQUALIZER) += eql.o
> obj-$(CONFIG_IFB) += ifb.o
> +obj-$(CONFIG_MACSEC) += macsec.o
> obj-$(CONFIG_MACVLAN) += macvlan.o
> obj-$(CONFIG_MACVTAP) += macvtap.o
> obj-$(CONFIG_MII) += mii.o
> diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
> new file mode 100644
> index 000000000000..af79f59d4dd7
> --- /dev/null
> +++ b/drivers/net/macsec.c
> @@ -0,0 +1,3037 @@
> +/*
> + * drivers/net/macsec.c - MACsec device
> + *
> + * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + */
> +
> +#include <linux/types.h>
> +#include <linux/skbuff.h>
> +#include <linux/socket.h>
> +#include <linux/module.h>
> +#include <crypto/aead.h>
> +#include <linux/etherdevice.h>
> +#include <linux/rtnetlink.h>
> +#include <net/genetlink.h>
> +#include <net/sock.h>
> +
> +#include <uapi/linux/if_macsec.h>
> +
> +typedef u64 __bitwise sci_t;
> +
> +#define MACSEC_SCI_LEN 8
> +
> +/* SecTAG length = macsec_eth_header without the optional SCI */
> +#define MACSEC_TAG_LEN 6
> +
> +struct macsec_eth_header {
> + struct ethhdr eth;
> + /* SecTAG */
> + u8 tci_an;
> +#if defined(__LITTLE_ENDIAN_BITFIELD)
> + u8 short_length:6,
> + unused:2;
> +#elif defined(__BIG_ENDIAN_BITFIELD)
> + u8 unused:2,
> + short_length:6;
> +#else
> +#error "Please fix <asm/byteorder.h>"
> +#endif
> + __be32 packet_number;
> + u8 secure_channel_id[8]; /* optional */
> +} __packed;
> +
> +#define MACSEC_TCI_VERSION 0x80
> +#define MACSEC_TCI_ES 0x40 /* end station */
> +#define MACSEC_TCI_SC 0x20 /* SCI present */
> +#define MACSEC_TCI_SCB 0x10 /* epon */
> +#define MACSEC_TCI_E 0x08 /* encryption */
> +#define MACSEC_TCI_C 0x04 /* changed text */
> +#define MACSEC_AN_MASK 0x03 /* association number */
> +#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
> +
> +#define MACSEC_SHORTLEN_THR 48
> +
> +#define GCM_AES_IV_LEN 12
> +#define DEFAULT_ICV_LEN 16
> +
> +#define for_each_rxsc(secy, sc) \
> + for (sc = rcu_dereference_bh(secy->rx_sc); \
> + sc; \
> + sc = rcu_dereference_bh(sc->next))
> +#define for_each_rxsc_rtnl(secy, sc) \
> + for (sc = rtnl_dereference(secy->rx_sc); \
> + sc; \
> + sc = rtnl_dereference(sc->next))
> +
> +struct gcm_iv {
> + union {
> + u8 secure_channel_id[8];
> + sci_t sci;
> + };
> + __be32 pn;
> +};
> +
> +/**
> + * struct macsec_key - SA key
> + * @id user-provided key identifier
> + * @tfm crypto struct, key storage
> + */
> +struct macsec_key {
> + u64 id;
> + struct crypto_aead *tfm;
> +};
> +
> +/**
> + * struct macsec_rx_sa - receive secure association
> + * @active
> + * @next_pn packet number expected for the next packet
> + * @lock protects next_pn manipulations
> + * @key key structure
> + * @stats per-SA stats
> + */
> +struct macsec_rx_sa {
> + bool active;
> + u32 next_pn;
> + spinlock_t lock;
> + struct macsec_key key;
> + struct macsec_rx_sa_stats __percpu *stats;
> + struct macsec_rx_sc *sc;
> + atomic_t refcnt;
> + struct rcu_head rcu;
> +};
> +
> +struct pcpu_rx_sc_stats {
> + struct macsec_rx_sc_stats stats;
> + struct u64_stats_sync syncp;
> +};
> +
> +/**
> + * struct macsec_rx_sc - receive secure channel
> + * @sci secure channel identifier for this SC
> + * @active channel is active
> + * @sa array of secure associations
> + * @stats per-SC stats
> + */
> +struct macsec_rx_sc {
> + struct macsec_rx_sc __rcu *next;
> + sci_t sci;
> + bool active;
> + struct macsec_rx_sa __rcu *sa[4];
> + struct pcpu_rx_sc_stats __percpu *stats;
> + atomic_t refcnt;
> + struct rcu_head rcu_head;
> +};
> +
> +/**
> + * struct macsec_tx_sa - transmit secure association
> + * @active
> + * @next_pn packet number to use for the next packet
> + * @lock protects next_pn manipulations
> + * @key key structure
> + * @stats per-SA stats
> + */
> +struct macsec_tx_sa {
> + bool active;
> + u32 next_pn;
> + spinlock_t lock;
> + struct macsec_key key;
> + struct macsec_tx_sa_stats __percpu *stats;
> + atomic_t refcnt;
> + struct rcu_head rcu;
> +};
> +
> +struct pcpu_tx_sc_stats {
> + struct macsec_tx_sc_stats stats;
> + struct u64_stats_sync syncp;
> +};
> +
> +/**
> + * struct macsec_tx_sc - transmit secure channel
> + * @active
> + * @encoding_sa association number of the SA currently in use
> + * @encrypt encrypt packets on transmit, or authenticate only
> + * @send_sci always include the SCI in the SecTAG
> + * @end_station
> + * @scb single copy broadcast flag
> + * @sa array of secure associations
> + * @stats stats for this TXSC
> + */
> +struct macsec_tx_sc {
> + bool active;
> + u8 encoding_sa;
> + bool encrypt;
> + bool send_sci;
> + bool end_station;
> + bool scb;
> + struct macsec_tx_sa __rcu *sa[4];
> + struct pcpu_tx_sc_stats __percpu *stats;
> +};
> +
> +#define MACSEC_VALIDATE_DEFAULT MACSEC_VALIDATE_STRICT
> +
> +/**
> + * struct macsec_secy - MACsec Security Entity
> + * @netdev netdevice for this SecY
> + * @n_rx_sc number of receive secure channels configured on this SecY
> + * @sci secure channel identifier used for tx
> + * @key_len length of keys used by the cipher suite
> + * @icv_len length of ICV used by the cipher suite
> + * @validate_frames validation mode
> + * @operational MAC_Operational flag
> + * @protect_frames enable protection for this SecY
> + * @replay_protect enable packet number checks on receive
> + * @replay_window size of the replay window
> + * @tx_sc transmit secure channel
> + * @rx_sc linked list of receive secure channels
> + */
> +struct macsec_secy {
> + struct net_device *netdev;
> + unsigned int n_rx_sc;
> + sci_t sci;
> + u16 key_len;
> + u16 icv_len;
> + enum validation_type validate_frames;
> + bool operational;
> + bool protect_frames;
> + bool replay_protect;
> + u32 replay_window;
> + struct macsec_tx_sc tx_sc;
> + struct macsec_rx_sc __rcu *rx_sc;
> +};
> +
> +struct pcpu_secy_stats {
> + struct macsec_dev_stats stats;
> + struct u64_stats_sync syncp;
> +};
> +
> +/**
> + * struct macsec_dev - private data
> + * @secy SecY config
> + * @real_dev pointer to underlying netdevice
> + * @stats MACsec device stats
> + * @secys linked list of SecY's on the underlying device
> + */
> +struct macsec_dev {
> + struct macsec_secy secy;
> + struct net_device *real_dev;
> + struct pcpu_secy_stats __percpu *stats;
> + struct list_head secys;
> +};
> +
> +/**
> + * struct macsec_rxh_data - rx_handler private argument
> + * @secys linked list of SecY's on this underlying device
> + */
> +struct macsec_rxh_data {
> + struct list_head secys;
> +};
> +
> +static struct macsec_dev *macsec_priv(const struct net_device *dev)
> +{
> + return (struct macsec_dev *)netdev_priv(dev);
> +}
> +
> +static struct macsec_rxh_data *macsec_data_rcu(const struct net_device *dev)
> +{
> + return rcu_dereference_bh(dev->rx_handler_data);
> +}
> +
> +static struct macsec_rxh_data *macsec_data_rtnl(const struct net_device *dev)
> +{
> + return rtnl_dereference(dev->rx_handler_data);
> +}
> +
> +struct macsec_cb {
> + struct aead_request *req;
> + union {
> + struct macsec_tx_sa *tx_sa;
> + struct macsec_rx_sa *rx_sa;
> + };
> + u8 assoc_num;
> + bool valid;
> + bool has_sci;
> +};
> +
> +static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
> +{
> + struct macsec_rx_sa *sa = rcu_dereference_bh(ptr);
> +
> + if (!sa || !sa->active)
> + return NULL;
> +
> + if (!atomic_inc_not_zero(&sa->refcnt))
> + return NULL;
> +
> + return sa;
> +}
> +
> +static void free_rx_sc_rcu(struct rcu_head *head)
> +{
> + struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
> +
> + free_percpu(rx_sc->stats);
> + kfree(rx_sc);
> +}
> +
> +static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc)
> +{
> + return atomic_inc_not_zero(&sc->refcnt) ? sc : NULL;
> +}
> +
> +static void macsec_rxsc_put(struct macsec_rx_sc *sc)
> +{
> + if (atomic_dec_and_test(&sc->refcnt))
> + call_rcu(&sc->rcu_head, free_rx_sc_rcu);
> +}
> +
> +static void free_rxsa(struct rcu_head *head)
> +{
> + struct macsec_rx_sa *sa = container_of(head, struct macsec_rx_sa, rcu);
> +
> + crypto_free_aead(sa->key.tfm);
> + free_percpu(sa->stats);
> + macsec_rxsc_put(sa->sc);
> + kfree(sa);
> +}
> +
> +static void macsec_rxsa_put(struct macsec_rx_sa *sa)
> +{
> + if (atomic_dec_and_test(&sa->refcnt))
> + call_rcu(&sa->rcu, free_rxsa);
> +}
> +
> +static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr)
> +{
> + struct macsec_tx_sa *sa = rcu_dereference_bh(ptr);
> +
> + if (!sa || !sa->active)
> + return NULL;
> +
> + if (!atomic_inc_not_zero(&sa->refcnt))
> + return NULL;
> +
> + return sa;
> +}
> +
> +static void free_txsa(struct rcu_head *head)
> +{
> + struct macsec_tx_sa *sa = container_of(head, struct macsec_tx_sa, rcu);
> +
> + crypto_free_aead(sa->key.tfm);
> + free_percpu(sa->stats);
> + kfree(sa);
> +}
> +
> +static void macsec_txsa_put(struct macsec_tx_sa *sa)
> +{
> + if (atomic_dec_and_test(&sa->refcnt))
> + call_rcu(&sa->rcu, free_txsa);
> +}
> +
> +static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
> +{
> + BUILD_BUG_ON(sizeof(struct macsec_cb) > sizeof(skb->cb));
> + return (struct macsec_cb *)skb->cb;
> +}
> +
> +#define MACSEC_PORT_ES (htons(0x0001))
> +#define MACSEC_PORT_SCB (0x0000)
> +#define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL)
> +
> +#define DEFAULT_SAK_LEN 16
> +#define DEFAULT_SEND_SCI true
> +#define DEFAULT_ENCRYPT false
> +#define DEFAULT_ENCODING_SA 0
> +
> +static sci_t make_sci(u8 *addr, __be16 port)
> +{
> + sci_t sci;
> +
> + memcpy(&sci, addr, ETH_ALEN);
> + memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
> +
> + return sci;
> +}
> +
> +static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
> +{
> + sci_t sci;
> +
> + if (sci_present)
> + memcpy(&sci, hdr->secure_channel_id,
> + sizeof(hdr->secure_channel_id));
> + else
> + sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
> +
> + return sci;
> +}
> +
> +static unsigned int macsec_sectag_len(bool sci_present)
> +{
> + return MACSEC_TAG_LEN + (sci_present ? MACSEC_SCI_LEN : 0);
> +}
> +
> +static unsigned int macsec_hdr_len(bool sci_present)
> +{
> + return macsec_sectag_len(sci_present) + ETH_HLEN;
> +}
> +
> +static unsigned int macsec_extra_len(bool sci_present)
> +{
> + return macsec_sectag_len(sci_present) + sizeof(__be16);
> +}
> +
> +/* Fill SecTAG according to IEEE 802.1AE-2006 10.5.3 */
> +static void macsec_fill_sectag(struct macsec_eth_header *h,
> + const struct macsec_secy *secy, u32 pn)
> +{
> + const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
> +
> + memset(&h->tci_an, 0, macsec_sectag_len(tx_sc->send_sci));
> + h->eth.h_proto = htons(ETH_P_MACSEC);
> +
> + if (tx_sc->send_sci ||
> + (secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb)) {
> + h->tci_an |= MACSEC_TCI_SC;
> + memcpy(&h->secure_channel_id, &secy->sci,
> + sizeof(h->secure_channel_id));
> + } else {
> + if (tx_sc->end_station)
> + h->tci_an |= MACSEC_TCI_ES;
> + if (tx_sc->scb)
> + h->tci_an |= MACSEC_TCI_SCB;
> + }
> +
> + h->packet_number = htonl(pn);
> +
> + /* with GCM, C/E clear for !encrypt, both set for encrypt */
> + if (tx_sc->encrypt)
> + h->tci_an |= MACSEC_TCI_CONFID;
> + else if (secy->icv_len != DEFAULT_ICV_LEN)
> + h->tci_an |= MACSEC_TCI_C;
> +
> + h->tci_an |= tx_sc->encoding_sa;
> +}
> +
> +static void macsec_set_shortlen(struct macsec_eth_header *h, size_t data_len)
> +{
> + if (data_len < MACSEC_SHORTLEN_THR)
> + h->short_length = data_len;
> +}
> +
> +/* minimum secure data length deemed "not short", see IEEE 802.1AE-2006 9.7 */
> +#define MIN_NON_SHORT_LEN 48
> +
> +/* validate MACsec packet according to IEEE 802.1AE-2006 9.12 */
> +static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len)
> +{
> + struct macsec_eth_header *h = (struct macsec_eth_header *)skb->data;
> + int len = skb->len - 2 * ETH_ALEN;
> + int extra_len = macsec_extra_len(!!(h->tci_an & MACSEC_TCI_SC)) + icv_len;
> +
> + /* a) It comprises at least 17 octets */
> + if (skb->len <= 16)
> + return false;
> +
> + /* b) MACsec EtherType: already checked */
> +
> + /* c) V bit is clear */
> + if (h->tci_an & MACSEC_TCI_VERSION)
> + return false;
> +
> + /* d) ES or SCB => !SC */
> + if ((h->tci_an & MACSEC_TCI_ES || h->tci_an & MACSEC_TCI_SCB) &&
> + (h->tci_an & MACSEC_TCI_SC))
> + return false;
> +
> + /* e) Bits 7 and 8 of octet 4 of the SecTAG are clear */
> + if (h->unused)
> + return false;
> +
> + /* rx.pn != 0 (figure 10-5) */
> + if (!h->packet_number)
> + return false;
> +
> + /* length check, f) g) h) i) */
> + if (h->short_length)
> + return len == extra_len + h->short_length;
> + return len >= extra_len + MIN_NON_SHORT_LEN;
> +}
> +
> +#define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true))
> +#define MACSEC_NEEDED_TAILROOM MACSEC_MAX_ICV_LEN
> +
> +static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn)
> +{
> + struct gcm_iv *gcm_iv = (struct gcm_iv *)iv;
> +
> + gcm_iv->sci = sci;
> + gcm_iv->pn = htonl(pn);
> +}
> +
> +static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb)
> +{
> + return (struct macsec_eth_header *)skb_mac_header(skb);
> +}
> +
> +static u32 tx_sa_update_pn(struct macsec_tx_sa *tx_sa, struct macsec_secy *secy)
> +{
> + u32 pn;
> +
> + spin_lock_bh(&tx_sa->lock);
> + pn = tx_sa->next_pn;
> +
> + tx_sa->next_pn++;
> + if (tx_sa->next_pn == 0) {
> + pr_debug("PN wrapped, transitionning to !oper\n");
> + tx_sa->active = false;
> + if (secy->protect_frames)
> + secy->operational = false;
> + }
> + spin_unlock_bh(&tx_sa->lock);
> +
> + return pn;
> +}
> +
> +static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev)
> +{
> + struct macsec_dev *macsec = netdev_priv(dev);
> +
> + skb->dev = macsec->real_dev;
> + skb_reset_mac_header(skb);
> + skb->protocol = eth_hdr(skb)->h_proto;
> +}
> +
> +static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc,
> + struct macsec_tx_sa *tx_sa)
> +{
> + struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats);
> +
> + u64_stats_update_begin(&txsc_stats->syncp);
> + if (tx_sc->encrypt) {
> + txsc_stats->stats.OutOctetsEncrypted += skb->len;
> + txsc_stats->stats.OutPktsEncrypted++;
> + this_cpu_inc(tx_sa->stats->OutPktsEncrypted);
> + } else {
> + txsc_stats->stats.OutOctetsProtected += skb->len;
> + txsc_stats->stats.OutPktsProtected++;
> + this_cpu_inc(tx_sa->stats->OutPktsProtected);
> + }
> + u64_stats_update_end(&txsc_stats->syncp);
> +}
> +
> +static void count_tx(struct net_device *dev, int ret, int len)
> +{
> + if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
> + struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
> +
> + u64_stats_update_begin(&stats->syncp);
> + stats->tx_packets++;
> + stats->tx_bytes += len;
> + u64_stats_update_end(&stats->syncp);
> + } else {
> + dev->stats.tx_dropped++;
> + }
> +}
> +
> +static void macsec_encrypt_done(struct crypto_async_request *base, int err)
> +{
> + struct sk_buff *skb = base->data;
> + struct net_device *dev = skb->dev;
> + struct macsec_dev *macsec = macsec_priv(dev);
> + struct macsec_tx_sa *sa = macsec_skb_cb(skb)->tx_sa;
> + int len, ret;
> +
> + aead_request_free(macsec_skb_cb(skb)->req);
> +
> + rcu_read_lock_bh();
> + macsec_encrypt_finish(skb, dev);
> + macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
> + len = skb->len;
> + ret = dev_queue_xmit(skb);
> + count_tx(dev, ret, len);
> + rcu_read_unlock_bh();
> +
> + macsec_txsa_put(sa);
> + dev_put(dev);
> +}
> +
> +static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
> + struct net_device *dev)
> +{
> + int ret;
> + struct scatterlist sg[MAX_SKB_FRAGS + 1];
> + unsigned char iv[GCM_AES_IV_LEN];
> + struct ethhdr *eth;
> + struct macsec_eth_header *hh;
> + size_t unprotected_len;
> + struct aead_request *req;
> + struct macsec_secy *secy;
> + struct macsec_tx_sc *tx_sc;
> + struct macsec_tx_sa *tx_sa;
> + struct macsec_dev *macsec = macsec_priv(dev);
> + u32 pn;
> +
> + secy = &macsec->secy;
> + tx_sc = &secy->tx_sc;
> +
> + /* 10.5.1 TX SA assignment */
> + tx_sa = macsec_txsa_get(tx_sc->sa[tx_sc->encoding_sa]);
> + if (!tx_sa) {
> + secy->operational = false;
> + kfree_skb(skb);
> + return ERR_PTR(-EINVAL);
> + }
> +
> + if (unlikely(skb_headroom(skb) < MACSEC_NEEDED_HEADROOM ||
> + skb_tailroom(skb) < MACSEC_NEEDED_TAILROOM)) {
> + struct sk_buff *nskb = skb_copy_expand(skb,
> + MACSEC_NEEDED_HEADROOM,
> + MACSEC_NEEDED_TAILROOM,
> + GFP_ATOMIC);
> + if (likely(nskb)) {
> + consume_skb(skb);
> + skb = nskb;
> + } else {
> + macsec_txsa_put(tx_sa);
> + kfree_skb(skb);
> + return ERR_PTR(-ENOMEM);
> + }
> + } else {
> + skb = skb_unshare(skb, GFP_ATOMIC);
> + if (!skb) {
> + macsec_txsa_put(tx_sa);
> + return ERR_PTR(-ENOMEM);
> + }
> + }
> +
> + unprotected_len = skb->len;
> + eth = eth_hdr(skb);
> + hh = (struct macsec_eth_header *)skb_push(skb, macsec_extra_len(tx_sc->send_sci));
> + memmove(hh, eth, 2 * ETH_ALEN);
> +
> + pn = tx_sa_update_pn(tx_sa, secy);
> + if (pn == 0) {
> + macsec_txsa_put(tx_sa);
> + kfree_skb(skb);
> + return ERR_PTR(-ENOLINK);
> + }
> + macsec_fill_sectag(hh, secy, pn);
> + macsec_set_shortlen(hh, unprotected_len - 2 * ETH_ALEN);
> +
> + macsec_fill_iv(iv, secy->sci, pn);
> +
> + skb_put(skb, secy->icv_len);
> +
> + if (skb->len - ETH_HLEN > macsec_priv(dev)->real_dev->mtu) {
> + struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
> +
> + u64_stats_update_begin(&secy_stats->syncp);
> + secy_stats->stats.OutPktsTooLong++;
> + u64_stats_update_end(&secy_stats->syncp);
> +
> + macsec_txsa_put(tx_sa);
> + kfree_skb(skb);
> + return ERR_PTR(-EINVAL);
> + }
> +
> + req = aead_request_alloc(tx_sa->key.tfm, GFP_ATOMIC);
> + if (!req) {
> + macsec_txsa_put(tx_sa);
> + kfree_skb(skb);
> + return ERR_PTR(-ENOMEM);
> + }
> +
> + sg_init_table(sg, MAX_SKB_FRAGS + 1);
> + skb_to_sgvec(skb, sg, 0, skb->len);
> +
> + if (tx_sc->encrypt) {
> + int len = skb->len - macsec_hdr_len(tx_sc->send_sci) -
> + secy->icv_len;
> + aead_request_set_crypt(req, sg, sg, len, iv);
> + aead_request_set_ad(req, macsec_hdr_len(tx_sc->send_sci));
> + } else {
> + aead_request_set_crypt(req, sg, sg, 0, iv);
> + aead_request_set_ad(req, skb->len - secy->icv_len);
> + }
> +
> + macsec_skb_cb(skb)->req = req;
> + macsec_skb_cb(skb)->tx_sa = tx_sa;
> + aead_request_set_callback(req, 0, macsec_encrypt_done, skb);
> +
> + dev_hold(skb->dev);
> + ret = crypto_aead_encrypt(req);
> + if (ret == -EINPROGRESS) {
> + return ERR_PTR(ret);
> + } else if (ret != 0) {
> + dev_put(skb->dev);
> + kfree_skb(skb);
> + aead_request_free(req);
> + macsec_txsa_put(tx_sa);
> + return ERR_PTR(-EINVAL);
> + }
> +
> + dev_put(skb->dev);
> + aead_request_free(req);
> + macsec_txsa_put(tx_sa);
> +
> + return skb;
> +}
> +
> +static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u32 pn)
> +{
> + struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
> + struct pcpu_rx_sc_stats *rxsc_stats = this_cpu_ptr(rx_sa->sc->stats);
> + struct macsec_eth_header *hdr = macsec_ethhdr(skb);
> + u32 lowest_pn = 0;
> +
> + spin_lock(&rx_sa->lock);
> + if (rx_sa->next_pn >= secy->replay_window)
> + lowest_pn = rx_sa->next_pn - secy->replay_window;
> +
> + /* Now perform replay protection check again
> + * (see IEEE 802.1AE-2006 figure 10-5)
> + */
> + if (secy->replay_protect && pn < lowest_pn) {
> + spin_unlock(&rx_sa->lock);
> + u64_stats_update_begin(&rxsc_stats->syncp);
> + rxsc_stats->stats.InPktsLate++;
> + u64_stats_update_end(&rxsc_stats->syncp);
> + return false;
> + }
> +
> + if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) {
> + u64_stats_update_begin(&rxsc_stats->syncp);
> + if (hdr->tci_an & MACSEC_TCI_E)
> + rxsc_stats->stats.InOctetsDecrypted += skb->len;
> + else
> + rxsc_stats->stats.InOctetsValidated += skb->len;
> + u64_stats_update_end(&rxsc_stats->syncp);
> + }
> +
> + if (!macsec_skb_cb(skb)->valid) {
> + spin_unlock(&rx_sa->lock);
> +
> + /* 10.6.5 */
> + if (hdr->tci_an & MACSEC_TCI_C ||
> + secy->validate_frames == MACSEC_VALIDATE_STRICT) {
> + u64_stats_update_begin(&rxsc_stats->syncp);
> + rxsc_stats->stats.InPktsNotValid++;
> + u64_stats_update_end(&rxsc_stats->syncp);
> + return false;
> + }
> +
> + u64_stats_update_begin(&rxsc_stats->syncp);
> + if (secy->validate_frames == MACSEC_VALIDATE_CHECK) {
> + rxsc_stats->stats.InPktsInvalid++;
> + this_cpu_inc(rx_sa->stats->InPktsInvalid);
> + } else if (pn < lowest_pn) {
> + rxsc_stats->stats.InPktsDelayed++;
> + } else {
> + rxsc_stats->stats.InPktsUnchecked++;
> + }
> + u64_stats_update_end(&rxsc_stats->syncp);
> + } else {
> + u64_stats_update_begin(&rxsc_stats->syncp);
> + if (pn < lowest_pn) {
> + rxsc_stats->stats.InPktsDelayed++;
> + } else {
> + rxsc_stats->stats.InPktsOK++;
> + this_cpu_inc(rx_sa->stats->InPktsOK);
> + }
> + u64_stats_update_end(&rxsc_stats->syncp);
> +
> + if (pn >= rx_sa->next_pn)
> + rx_sa->next_pn = pn + 1;
> + spin_unlock(&rx_sa->lock);
> + }
> +
> + return true;
> +}
> +
> +static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev)
> +{
> + skb->pkt_type = PACKET_HOST;
> + skb->protocol = eth_type_trans(skb, dev);
> +
> + skb_reset_network_header(skb);
> + if (!skb_transport_header_was_set(skb))
> + skb_reset_transport_header(skb);
> + skb_reset_mac_len(skb);
> +}
> +
> +static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
> +{
> + memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
> + skb_pull(skb, hdr_len);
> + pskb_trim_unique(skb, skb->len - icv_len);
> +}
> +
> +static void count_rx(struct net_device *dev, int len)
> +{
> + struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
> +
> + u64_stats_update_begin(&stats->syncp);
> + stats->rx_packets++;
> + stats->rx_bytes += len;
> + u64_stats_update_end(&stats->syncp);
> +}
> +
> +static void macsec_decrypt_done(struct crypto_async_request *base, int err)
> +{
> + struct sk_buff *skb = base->data;
> + struct net_device *dev = skb->dev;
> + struct macsec_dev *macsec = macsec_priv(dev);
> + struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
> + int len, ret;
> + u32 pn;
> +
> + aead_request_free(macsec_skb_cb(skb)->req);
> +
> + rcu_read_lock_bh();
> + pn = ntohl(macsec_ethhdr(skb)->packet_number);
> + if (!macsec_post_decrypt(skb, &macsec->secy, pn)) {
> + rcu_read_unlock_bh();
> + kfree_skb(skb);
> + goto out;
> + }
> +
> + macsec_finalize_skb(skb, macsec->secy.icv_len,
> + macsec_extra_len(macsec_skb_cb(skb)->has_sci));
> + macsec_reset_skb(skb, macsec->secy.netdev);
> +
> + len = skb->len;
> + ret = netif_rx(skb);
> + if (ret == NET_RX_SUCCESS)
> + count_rx(dev, len);
> + else
> + macsec->secy.netdev->stats.rx_dropped++;
> +
> + rcu_read_unlock_bh();
> +
> +out:
> + macsec_rxsa_put(rx_sa);
> + dev_put(dev);
> + return;
> +}
> +
> +static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
> + struct net_device *dev,
> + struct macsec_rx_sa *rx_sa,
> + sci_t sci,
> + struct macsec_secy *secy)
> +{
> + int ret;
> + struct scatterlist sg[MAX_SKB_FRAGS + 1];
> + unsigned char iv[GCM_AES_IV_LEN];
> + struct aead_request *req;
> + struct macsec_eth_header *hdr;
> + u16 icv_len = secy->icv_len;
> +
> + macsec_skb_cb(skb)->valid = 0;
Please use true/false for boolean variables.
> + macsec_skb_cb(skb)->valid = 1;
Likewise.
> +static void handle_not_macsec(struct sk_buff *skb)
> +{
> + struct macsec_rxh_data *rxd;
> + struct macsec_dev *macsec;
> +
> + rcu_read_lock_bh();
"bh" should be implicit in this receive code path, so plain rcu_read_lock() should
be sufficient.
> +static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
> +{
...
> + rcu_read_lock_bh();
Likewise.
Otherwise looks really good to me.
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver
2016-03-07 17:12 ` [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver Sabrina Dubroca
2016-03-07 19:05 ` David Miller
@ 2016-03-08 20:13 ` Johannes Berg
2016-03-09 10:56 ` Sabrina Dubroca
1 sibling, 1 reply; 16+ messages in thread
From: Johannes Berg @ 2016-03-08 20:13 UTC (permalink / raw)
To: Sabrina Dubroca, netdev
Cc: Hannes Frederic Sowa, Florian Westphal, Paolo Abeni, stephen
On Mon, 2016-03-07 at 18:12 +0100, Sabrina Dubroca wrote:
>
> +struct gcm_iv {
> + union {
> + u8 secure_channel_id[8];
> + sci_t sci;
> + };
> + __be32 pn;
> +};
Should this be __packed?
But the struct is confusing; sci_t is a host type (that depends on
endianness), and __be32 would seem to be a network type, how can they
both be in the same struct? Or does sci_t have to be __be64?
> +/**
> + * struct macsec_rx_sa - receive secure association
> + * @active
> + * @next_pn packet number expected for the next packet
> + * @lock protects next_pn manipulations
> + * @key key structure
> + * @stats per-SA stats
> + */
> +struct macsec_rx_sa {
> + bool active;
> + u32 next_pn;
> + spinlock_t lock;
If you put the spinlock first or at least next to active you can get
rid of some padding (on arches/configs where spinlock is small, at
least)
> +/**
> + * struct macsec_rx_sc - receive secure channel
> + * @sci secure channel identifier for this SC
> + * @active channel is active
> + * @sa array of secure associations
> + * @stats per-SC stats
> + */
Btw, all your kernel-doc comments are actually malformed, they're
missing a colon after the @member, e.g.
@stats: per-SC stats
> +struct macsec_tx_sc {
> + bool active;
> + u8 encoding_sa;
> + bool encrypt;
> + bool send_sci;
> + bool end_station;
> + bool scb;
> + struct macsec_tx_sa __rcu *sa[4];
What's 4?
> +static sci_t make_sci(u8 *addr, __be16 port)
> +{
> + sci_t sci;
> +
> + memcpy(&sci, addr, ETH_ALEN);
> + memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
> +
> + return sci;
> +}
Oh, maybe this explains my earlier question - looks like the sci_t
isn't really a 64-bit integer but some kind of structure.
Is there really much point in using a __bitwise u64 typedef, rather
than a small packed struct then?
> +/* minimum secure data length deemed "not short", see IEEE 802.1AE-
> 2006 9.7 */
> +#define MIN_NON_SHORT_LEN 48
I saw
> +#define MACSEC_SHORTLEN_THR 48
before, are they different? Seem very similar.
> + tx_sa->next_pn++;
> + if (tx_sa->next_pn == 0) {
> + pr_debug("PN wrapped, transitionning to !oper\n");
typo: transitioning
> +static const struct genl_ops macsec_genl_ops[] = {
> + {
> + .cmd = MACSEC_CMD_GET_TXSC,
> + .dumpit = macsec_dump_txsc,
> + .policy = macsec_genl_policy,
> + },
> + {
> + .cmd = MACSEC_CMD_ADD_RXSC,
> + .doit = macsec_add_rxsc,
> + .policy = macsec_genl_rxsc_policy,
> + .flags = GENL_ADMIN_PERM,
IMHO, having different policies for different operations is pretty
confusing. I now slowly start to understand why you had to do all this
aliasing with the IDs. However, perhaps it'd be better to define a top-
level attribute list with the ifindex etc., and make all the
*additional* data needed for RXSC operations for example go into a
nested attribute in the top-level.
That way, you have the same policy for everything and also don't have
to play tricks with the aliasing since the top-level attributes
actually exist now, coming from the same namespace & policy.
johannes
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver
2016-03-08 20:13 ` Johannes Berg
@ 2016-03-09 10:56 ` Sabrina Dubroca
2016-03-09 11:24 ` Johannes Berg
0 siblings, 1 reply; 16+ messages in thread
From: Sabrina Dubroca @ 2016-03-09 10:56 UTC (permalink / raw)
To: Johannes Berg
Cc: netdev, Hannes Frederic Sowa, Florian Westphal, Paolo Abeni,
stephen
2016-03-08, 21:13:53 +0100, Johannes Berg wrote:
> On Mon, 2016-03-07 at 18:12 +0100, Sabrina Dubroca wrote:
> >
> > +struct gcm_iv {
> > + union {
> > + u8 secure_channel_id[8];
> > + sci_t sci;
> > + };
> > + __be32 pn;
> > +};
>
> Should this be __packed?
I think that's not necessary here.
> But the struct is confusing; sci_t is a host type (that depends on
> endianness), and __be32 would seem to be a network type, how can they
> both be in the same struct? Or does sci_t have to be __be64?
>
> > +/**
> > + * struct macsec_rx_sa - receive secure association
> > + * @active
> > + * @next_pn packet number expected for the next packet
> > + * @lock protects next_pn manipulations
> > + * @key key structure
> > + * @stats per-SA stats
> > + */
> > +struct macsec_rx_sa {
> > + bool active;
> > + u32 next_pn;
> > + spinlock_t lock;
>
> If you put the spinlock first or at least next to active you can get
> rid of some padding (on arches/configs where spinlock is small, at
> least)
Ok, I rearranged macsec_rx_sa and macsec_tx_sa.
> > +/**
> > + * struct macsec_rx_sc - receive secure channel
> > + * @sci secure channel identifier for this SC
> > + * @active channel is active
> > + * @sa array of secure associations
> > + * @stats per-SC stats
> > + */
>
> Btw, all your kernel-doc comments are actually malformed, they're
> missing a colon after the @member, e.g.
>
> @stats: per-SC stats
duh, I never noticed that :(
Thanks.
> > +struct macsec_tx_sc {
> > + bool active;
> > + u8 encoding_sa;
> > + bool encrypt;
> > + bool send_sci;
> > + bool end_station;
> > + bool scb;
> > + struct macsec_tx_sa __rcu *sa[4];
>
>
> What's 4?
Good point. I added:
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */
and used it in all the range tests (< 4, >= 3).
> > +static sci_t make_sci(u8 *addr, __be16 port)
> > +{
> > + sci_t sci;
> > +
> > + memcpy(&sci, addr, ETH_ALEN);
> > + memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
> > +
> > + return sci;
> > +}
>
> Oh, maybe this explains my earlier question - looks like the sci_t
> isn't really a 64-bit integer but some kind of structure.
Yes, the bits in the SCI have some meaning.
> Is there really much point in using a __bitwise u64 typedef, rather
> than a small packed struct then?
I can use == tests, as in find_rx_sc().
> > +/* minimum secure data length deemed "not short", see IEEE 802.1AE-
> > 2006 9.7 */
> > +#define MIN_NON_SHORT_LEN 48
>
> I saw
>
> > +#define MACSEC_SHORTLEN_THR 48
>
> before, are they different? Seem very similar.
They are exactly the same, good catch.
> > + tx_sa->next_pn++;
> > + if (tx_sa->next_pn == 0) {
> > + pr_debug("PN wrapped, transitionning to !oper\n");
>
> typo: transitioning
Fixed.
> > +static const struct genl_ops macsec_genl_ops[] = {
> > + {
> > + .cmd = MACSEC_CMD_GET_TXSC,
> > + .dumpit = macsec_dump_txsc,
> > + .policy = macsec_genl_policy,
> > + },
> > + {
> > + .cmd = MACSEC_CMD_ADD_RXSC,
> > + .doit = macsec_add_rxsc,
> > + .policy = macsec_genl_rxsc_policy,
> > + .flags = GENL_ADMIN_PERM,
>
> IMHO, having different policies for different operations is pretty
> confusing. I now slowly start to understand why you had to do all this
> aliasing with the IDs. However, perhaps it'd be better to define a top-
> level attribute list with the ifindex etc., and make all the
> *additional* data needed for RXSC operations for example go into a
> nested attribute in the top-level.
>
> That way, you have the same policy for everything and also don't have
> to play tricks with the aliasing since the top-level attributes
> actually exist now, coming from the same namespace & policy.
That's a good idea, I'll have a look today.
I don't really like the aliasing games I have to play, but I'd like to
keep the RXSC attributes separate from the SA attributes, I think it
looks cleaner (the first RFC had everything in the same policy:
http://www.spinics.net/lists/netdev/msg358152.html).
Thanks for the review.
--
Sabrina
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver
2016-03-09 10:56 ` Sabrina Dubroca
@ 2016-03-09 11:24 ` Johannes Berg
2016-03-09 17:09 ` David Miller
0 siblings, 1 reply; 16+ messages in thread
From: Johannes Berg @ 2016-03-09 11:24 UTC (permalink / raw)
To: Sabrina Dubroca
Cc: netdev, Hannes Frederic Sowa, Florian Westphal, Paolo Abeni,
stephen
Hi,
Thanks for the comments.
> > > +struct gcm_iv {
> > > + union {
> > > + u8 secure_channel_id[8];
> > > + sci_t sci;
> > > + };
> > > + __be32 pn;
> > > +};
> >
> > Should this be __packed?
>
> I think that's not necessary here.
Yeah, there's probably no way a compiler could ever do something with
it that's not the same as packed, but it seems to me that just out of
convention structs that have some wire-format meaning should usually be
__packed. But it's your call. I'm not even entirely sure it has a wire-
format or similar meaning, although the name indicates it gets used
into the encryption and must be exactly these 12 octets.
> > That way, you have the same policy for everything and also don't
> > have
> > to play tricks with the aliasing since the top-level attributes
> > actually exist now, coming from the same namespace & policy.
>
> That's a good idea, I'll have a look today.
> I don't really like the aliasing games I have to play, but I'd like
> to
> keep the RXSC attributes separate from the SA attributes, I think it
> looks cleaner (the first RFC had everything in the same policy:
> http://www.spinics.net/lists/netdev/msg358152.html).
>
Ah, I see. Keeping it separate makes sense, but you can still achieve
that like this:
msg = [ifindex -> 7,
rxsc -> [ sci -> 2, ...
],
...
]
with nested data. I'd also do the same for the stats and a whole bunch
of others too, I guess. I tend to imagine it as a kind of "dict of
dicts" (the message with nested).
Thanks,
johannes
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver
2016-03-09 11:24 ` Johannes Berg
@ 2016-03-09 17:09 ` David Miller
0 siblings, 0 replies; 16+ messages in thread
From: David Miller @ 2016-03-09 17:09 UTC (permalink / raw)
To: johannes; +Cc: sd, netdev, hannes, fw, pabeni, stephen
From: Johannes Berg <johannes@sipsolutions.net>
Date: Wed, 09 Mar 2016 12:24:20 +0100
> Yeah, there's probably no way a compiler could ever do something with
> it that's not the same as packed, but it seems to me that just out of
> convention structs that have some wire-format meaning should usually be
> __packed.
Not unless absolutely necessary.
There is a serious performance penalty for using __packed on some
architectures. __packed has several undesirable side-effects, one
of which is that it causes the compiler to be unable to assume the
alignment of anything.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH iproute2 net-next] ip: add MACsec support
2016-03-07 17:12 [PATCH net-next 0/3] MACsec IEEE 802.1AE implementation Sabrina Dubroca
` (2 preceding siblings ...)
2016-03-07 17:12 ` [PATCH net-next 3/3] macsec: introduce IEEE 802.1AE driver Sabrina Dubroca
@ 2016-03-07 17:12 ` Sabrina Dubroca
2016-03-07 19:48 ` Stephen Hemminger
3 siblings, 1 reply; 16+ messages in thread
From: Sabrina Dubroca @ 2016-03-07 17:12 UTC (permalink / raw)
To: netdev
Cc: Hannes Frederic Sowa, Florian Westphal, Paolo Abeni, stephen,
Sabrina Dubroca
Extend ip-link to create MACsec devices
ip link add link <master> <macsec> type macsec [options]
Add `ip macsec` command to configure receive-side secure channels and
secure associations within a macsec netdevice.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
This needs the MACsec UAPI headers.
ip/Makefile | 2 +-
ip/ip.c | 3 +-
ip/ip_common.h | 1 +
ip/ipmacsec.c | 1140 +++++++++++++++++++++++++++++++++++++++++++++++++
man/man8/Makefile | 2 +-
man/man8/ip-link.8.in | 134 ++++++
man/man8/ip-macsec.8 | 110 +++++
7 files changed, 1389 insertions(+), 3 deletions(-)
create mode 100644 ip/ipmacsec.c
create mode 100644 man/man8/ip-macsec.8
diff --git a/ip/Makefile b/ip/Makefile
index f3d298739cac..fe59ea8bdc76 100644
--- a/ip/Makefile
+++ b/ip/Makefile
@@ -7,7 +7,7 @@ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
iplink_vxlan.o tcp_metrics.o iplink_ipoib.o ipnetconf.o link_ip6tnl.o \
link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
- iplink_geneve.o iplink_vrf.o iproute_lwtunnel.o
+ iplink_geneve.o iplink_vrf.o iproute_lwtunnel.o ipmacsec.o
RTMONOBJ=rtmon.o
diff --git a/ip/ip.c b/ip/ip.c
index eea00b822088..b7000d34382f 100644
--- a/ip/ip.c
+++ b/ip/ip.c
@@ -51,7 +51,7 @@ static void usage(void)
" ip [ -force ] -batch filename\n"
"where OBJECT := { link | address | addrlabel | route | rule | neighbor | ntable |\n"
" tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |\n"
-" netns | l2tp | fou | tcp_metrics | token | netconf }\n"
+" netns | l2tp | fou | macsec | tcp_metrics | token | netconf }\n"
" OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n"
" -h[uman-readable] | -iec |\n"
" -f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } |\n"
@@ -84,6 +84,7 @@ static const struct cmd {
{ "link", do_iplink },
{ "l2tp", do_ipl2tp },
{ "fou", do_ipfou },
+ { "macsec", do_ipmacsec },
{ "tunnel", do_iptunnel },
{ "tunl", do_iptunnel },
{ "tuntap", do_iptuntap },
diff --git a/ip/ip_common.h b/ip/ip_common.h
index 815487a07b8a..ee14b1f21b0e 100644
--- a/ip/ip_common.h
+++ b/ip/ip_common.h
@@ -43,6 +43,7 @@ int do_iptunnel(int argc, char **argv);
int do_ip6tunnel(int argc, char **argv);
int do_iptuntap(int argc, char **argv);
int do_iplink(int argc, char **argv);
+int do_ipmacsec(int argc, char **argv);
int do_ipmonitor(int argc, char **argv);
int do_multiaddr(int argc, char **argv);
int do_multiroute(int argc, char **argv);
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
new file mode 100644
index 000000000000..8de4e65b45a9
--- /dev/null
+++ b/ip/ipmacsec.c
@@ -0,0 +1,1140 @@
+/*
+ * ipmacsec.c "ip macsec".
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Authors: Sabrina Dubroca <sd@queasysnail.net>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <linux/genetlink.h>
+#include <linux/if_ether.h>
+#include <linux/if_macsec.h>
+
+#include "rt_names.h"
+#include "utils.h"
+#include "ip_common.h"
+#include "ll_map.h"
+#include "libgenl.h"
+
+static const char *values_on_off[] = { "on", "off" };
+
+static const char *VALIDATE_STR[] = {
+ [MACSEC_VALIDATE_DISABLED] = "disabled",
+ [MACSEC_VALIDATE_CHECK] = "check",
+ [MACSEC_VALIDATE_STRICT] = "strict",
+};
+
+struct sci {
+ __u64 sci;
+ __u16 port;
+ char abuf[6];
+};
+
+struct sa_desc {
+ __u8 an;
+ __u32 pn;
+ __u32 key_id;
+ __u32 key_len;
+ char key[MACSEC_MAX_KEY_LEN];
+ __u8 active;
+};
+
+struct cipher_args {
+ __u64 id;
+ __u8 icv_len;
+};
+
+struct txsc_desc {
+ int ifindex;
+ __u64 sci;
+ __be16 port;
+ struct cipher_args cipher;
+ __u32 flags;
+ __u32 flags_set;
+ __u32 window;
+ enum validation_type validate;
+ bool validate_set;
+ __u8 encoding_sa;
+};
+
+struct rxsc_desc {
+ int ifindex;
+ __u64 sci;
+ __u8 active;
+};
+
+#define MACSEC_BUFLEN 1024
+
+
+/* netlink socket */
+static struct rtnl_handle genl_rth;
+static int genl_family = -1;
+
+#define MACSEC_GENL_REQ(_req, _bufsiz, _cmd, _flags) \
+ GENL_REQUEST(_req, _bufsiz, genl_family, 0, MACSEC_GENL_VERSION, _cmd, _flags)
+
+
+static void init_genl(void)
+{
+ if (genl_family >= 0)
+ return;
+
+ if (rtnl_open_byproto(&genl_rth, 0, NETLINK_GENERIC) < 0) {
+ fprintf(stderr, "Cannot open generic netlink socket\n");
+ exit(1);
+ }
+
+ genl_family = genl_resolve_family(&genl_rth, MACSEC_GENL_NAME);
+ if (genl_family < 0)
+ exit(1);
+}
+
+static void ipmacsec_usage(void)
+{
+ fprintf(stderr, "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n");
+ fprintf(stderr, " ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n");
+ fprintf(stderr, " ip macsec del DEV tx sa { 0..3 }\n");
+ fprintf(stderr, " ip macsec add DEV rx SCI [ on | off ]\n");
+ fprintf(stderr, " ip macsec set DEV rx SCI [ on | off ]\n");
+ fprintf(stderr, " ip macsec del DEV rx SCI\n");
+ fprintf(stderr, " ip macsec add DEV rx SCI [ sa { 0..3 } [ OPTS ] key ID KEY ]\n");
+ fprintf(stderr, " ip macsec set DEV rx SCI sa { 0..3 } [ OPTS ]\n");
+ fprintf(stderr, " ip macsec del DEV rx SCI sa { 0..3 }\n");
+ fprintf(stderr, " ip macsec show\n");
+ fprintf(stderr, " ip macsec show DEV\n");
+ fprintf(stderr, "where OPTS := [ pn <u32> ] [ on | off ]\n");
+ fprintf(stderr, " SCI := { sci <u64> | port <u16> address <lladdr> }\n");
+
+ exit(-1);
+}
+
+static int one_of(const char *msg, const char *realval, const char **list,
+ size_t len, int *index)
+{
+ int i;
+
+ for (i = 0; i < len; i++) {
+ if (matches(realval, list[i]) == 0) {
+ *index = i;
+ return 0;
+ }
+ }
+
+ fprintf(stderr, "Error: argument of \"%s\" must be one of ", msg);
+ for (i = 0; i < len; i++)
+ fprintf(stderr, "\"%s\", ", list[i]);
+ fprintf(stderr, "not \"%s\"\n", realval);
+ return -1;
+}
+
+static int get_an(__u8 *val, const char *arg)
+{
+ int ret = get_u8(val, arg, 0);
+
+ if (ret)
+ return ret;
+
+ if (*val > 3)
+ return -1;
+
+ return 0;
+}
+
+static int get_sci(__u64 *sci, const char *arg)
+{
+ return get_u64(sci, arg, 16);
+}
+
+static int get_port(__be16 *port, const char *arg)
+{
+ __u16 p;
+ int ret = get_u16(&p, arg, 10);
+
+ if (ret)
+ return ret;
+
+ *port = htons(p);
+ return 0;
+}
+
+static int from_hex(char c)
+{
+ if (c >= '0' && c <= '9')
+ return c - '0';
+ if (c >= 'a' && c <= 'f')
+ return c - 'a' + 10;
+ if (c >= 'A' && c <= 'F')
+ return c - 'A' + 10;
+
+ return -1;
+}
+
+static int parse_key(char *key, __u32 *key_len, char *arg)
+{
+ __u32 i = 0;
+ char *p = arg;
+
+ while (*p && *(p + 1)) {
+ int m = from_hex(*p);
+ int l = from_hex(*(p+1));
+
+ if (m < 0) {
+ fprintf(stderr, "expected hex digit, got %c\n", *p);
+ return -1;
+ }
+ if (l < 0) {
+ fprintf(stderr, "expected hex digit, got %c\n", *(p+1));
+ return -1;
+ }
+
+ key[i] = (m << 4) | l;
+ p += 2;
+ i++;
+ }
+
+ if (*p)
+ return -1;
+
+ *key_len = i;
+ return 0;
+}
+
+#define _STR(a) #a
+#define STR(a) _STR(a)
+
+static void get_icvlen(__u8 *icvlen, char *arg)
+{
+ int ret = get_u8(icvlen, arg, 10);
+
+ if (ret)
+ invarg("expected ICV length", arg);
+
+ if (*icvlen < MACSEC_MIN_ICV_LEN || *icvlen > MACSEC_MAX_ICV_LEN)
+ invarg("ICV length must be in the range {"
+ STR(MACSEC_MIN_ICV_LEN) ".." STR(MACSEC_MAX_ICV_LEN)
+ "}", arg);
+}
+
+static bool get_sa(int *argcp, char ***argvp, __u8 *an)
+{
+ int argc = *argcp;
+ char **argv = *argvp;
+ int ret;
+
+ if (argc <= 0 || strcmp(*argv, "sa") != 0)
+ return false;
+
+ NEXT_ARG();
+ ret = get_an(an, *argv);
+ if (ret)
+ invarg("expected an { 0..3 }", *argv);
+ argc--; argv++;
+
+ *argvp = argv;
+ *argcp = argc;
+ return true;
+}
+
+static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
+{
+ int argc = *argcp;
+ char **argv = *argvp;
+ int ret;
+ bool active_set = false;
+
+ while (argc > 0) {
+ if (strcmp(*argv, "pn") == 0) {
+ if (sa->pn != 0)
+ duparg2("pn", "pn");
+ NEXT_ARG();
+ ret = get_u32(&sa->pn, *argv, 0);
+ if (ret)
+ invarg("expected pn", *argv);
+ if (sa->pn == 0)
+ invarg("expected pn != 0", *argv);
+ } else if (strcmp(*argv, "key") == 0) {
+ NEXT_ARG();
+ ret = get_u32(&sa->key_id, *argv, 0);
+ if (ret)
+ invarg("expected key id", *argv);
+ NEXT_ARG();
+ if (parse_key(sa->key, &sa->key_len, *argv))
+ invarg("expected key", *argv);
+ } else if (strcmp(*argv, "on") == 0) {
+ if (active_set)
+ duparg2("on/off", "on");
+ sa->active = true;
+ active_set = true;
+ } else if (strcmp(*argv, "off") == 0) {
+ if (active_set)
+ duparg2("on/off", "off");
+ sa->active = false;
+ active_set = true;
+ } else {
+ fprintf(stderr, "macsec: unknown command \"%s\"?\n",
+ *argv);
+ ipmacsec_usage();
+ }
+
+ argv++; argc--;
+ }
+
+ *argvp = argv;
+ *argcp = argc;
+ return 0;
+}
+
+static __u64 make_sci(char *addr, __be16 port)
+{
+ __u64 sci;
+
+ memcpy(&sci, addr, ETH_ALEN);
+ memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
+
+ return sci;
+}
+
+static bool sci_complete(bool sci, bool port, bool addr, bool port_only)
+{
+ return sci || (port && (addr || port_only));
+}
+
+static int get_sci_portaddr(struct sci *sci, int *argcp, char ***argvp,
+ bool port_only, bool optional)
+{
+ int argc = *argcp;
+ char **argv = *argvp;
+ int ret;
+ bool p = false, a = false, s = false;
+
+ while (argc > 0) {
+ if (strcmp(*argv, "sci") == 0) {
+ if (p)
+ invarg("expected address", *argv);
+ if (a)
+ invarg("expected port", *argv);
+ NEXT_ARG();
+ ret = get_sci(&sci->sci, *argv);
+ if (ret)
+ invarg("expected sci", *argv);
+ s = true;
+ } else if (strcmp(*argv, "port") == 0) {
+ NEXT_ARG();
+ ret = get_port(&sci->port, *argv);
+ if (ret)
+ invarg("expected port", *argv);
+ if (sci->port == 0)
+ invarg("expected port != 0", *argv);
+ p = true;
+ } else if (strcmp(*argv, "address") == 0) {
+ NEXT_ARG();
+ ret = ll_addr_a2n(sci->abuf, sizeof(sci->abuf), *argv);
+ if (ret < 0)
+ invarg("expected lladdr", *argv);
+ a = true;
+ } else if (optional) {
+ break;
+ } else {
+ invarg("expected sci, port, or address", *argv);
+ }
+
+ argv++; argc--;
+
+ if (sci_complete(s, p, a, port_only))
+ break;
+ }
+
+ if (!optional && !sci_complete(s, p, a, port_only))
+ return -1;
+
+ if (p && a)
+ sci->sci = make_sci(sci->abuf, sci->port);
+
+ *argvp = argv;
+ *argcp = argc;
+
+ return p || a || s;
+}
+
+static bool parse_rxsci(int *argcp, char ***argvp, struct rxsc_desc *rxsc,
+ struct sa_desc *rxsa)
+{
+ struct sci sci = { 0 };
+
+ if (*argcp == 0 ||
+ get_sci_portaddr(&sci, argcp, argvp, false, false) < 0) {
+ fprintf(stderr, "expected sci\n");
+ ipmacsec_usage();
+ }
+
+ rxsc->sci = sci.sci;
+
+ return get_sa(argcp, argvp, &rxsa->an);
+}
+
+static int parse_rxsci_args(int *argcp, char ***argvp, struct rxsc_desc *rxsc)
+{
+ int argc = *argcp;
+ char **argv = *argvp;
+ bool active_set = false;
+
+ while (argc > 0) {
+ if (strcmp(*argv, "on") == 0) {
+ if (active_set)
+ duparg2("on/off", "on");
+ rxsc->active = true;
+ active_set = true;
+ } else if (strcmp(*argv, "off") == 0) {
+ if (active_set)
+ duparg2("on/off", "off");
+ rxsc->active = false;
+ active_set = true;
+ } else {
+ fprintf(stderr, "macsec: unknown command \"%s\"?\n",
+ *argv);
+ ipmacsec_usage();
+ }
+
+ argv++; argc--;
+ }
+
+ *argvp = argv;
+ *argcp = argc;
+ return 0;
+}
+
+enum cmd {
+ CMD_ADD,
+ CMD_DEL,
+ CMD_UPD,
+ __CMD_MAX
+};
+
+static const enum macsec_nl_commands macsec_commands[__CMD_MAX][2][2] = {
+ [CMD_ADD] = {
+ [0] = {-1, MACSEC_CMD_ADD_RXSC},
+ [1] = {MACSEC_CMD_ADD_TXSA, MACSEC_CMD_ADD_RXSA},
+ },
+ [CMD_UPD] = {
+ [0] = {-1, MACSEC_CMD_UPD_RXSC},
+ [1] = {MACSEC_CMD_UPD_TXSA, MACSEC_CMD_UPD_RXSA},
+ },
+ [CMD_DEL] = {
+ [0] = {-1, MACSEC_CMD_DEL_RXSC},
+ [1] = {MACSEC_CMD_DEL_TXSA, MACSEC_CMD_DEL_RXSA},
+ },
+};
+
+static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
+ struct rxsc_desc *rxsc, struct sa_desc *sa)
+{
+ MACSEC_GENL_REQ(req, MACSEC_BUFLEN, cmd, NLM_F_REQUEST);
+
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_IFINDEX, ifindex);
+ if (rxsc)
+ addattr64(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_SCI, rxsc->sci);
+
+ if (sa->an != 0xff)
+ addattr8(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_SA_AN, sa->an);
+
+ if (c != CMD_DEL) {
+ if (sa->pn)
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_SA_PN,
+ sa->pn);
+
+ if (sa->key_len) {
+ addattr64(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_SA_KEYID,
+ sa->key_id);
+ addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_SA_KEY,
+ sa->key, sa->key_len);
+ }
+
+ if (sa->an != 0xff) {
+ if (sa->active != 0xff)
+ addattr8(&req.n, MACSEC_BUFLEN,
+ MACSEC_ATTR_SA_ACTIVE, sa->active);
+ } else {
+ if (rxsc && rxsc->active != 0xff)
+ addattr8(&req.n, MACSEC_BUFLEN,
+ MACSEC_ATTR_SC_ACTIVE, rxsc->active);
+ }
+ }
+
+ if (rtnl_talk(&genl_rth, &req.n, NULL, 0) < 0)
+ return -2;
+
+ return 0;
+}
+
+static bool check_sa_args(enum cmd c, struct sa_desc *sa)
+{
+ if (c == CMD_ADD) {
+ if (!sa->key_len) {
+ fprintf(stderr, "cannot create SA without key\n");
+ return -1;
+ }
+ } else if (c == CMD_UPD) {
+ if (sa->key_len) {
+ fprintf(stderr, "cannot change key on SA\n");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+static int do_modify_txsa(enum cmd c, int argc, char **argv, int ifindex)
+{
+ struct sa_desc txsa = {0};
+ enum macsec_nl_commands cmd;
+
+ txsa.an = 0xff;
+ txsa.active = 0xff;
+
+ if (argc == 0 || !get_sa(&argc, &argv, &txsa.an))
+ ipmacsec_usage();
+
+ if (c == CMD_DEL)
+ goto modify;
+
+ if (parse_sa_args(&argc, &argv, &txsa))
+ return -1;
+
+ if (check_sa_args(c, &txsa))
+ return -1;
+
+modify:
+ cmd = macsec_commands[c][1][0];
+ return do_modify_nl(c, cmd, ifindex, NULL, &txsa);
+}
+
+static int do_modify_rxsci(enum cmd c, int argc, char **argv, int ifindex)
+{
+ struct rxsc_desc rxsc = {0};
+ struct sa_desc rxsa = {0};
+ bool sa_set;
+ enum macsec_nl_commands cmd;
+
+ rxsc.ifindex = ifindex;
+ rxsc.active = 0xff;
+ rxsa.an = 0xff;
+ rxsa.active = 0xff;
+
+ sa_set = parse_rxsci(&argc, &argv, &rxsc, &rxsa);
+
+ if (c == CMD_DEL)
+ goto modify;
+
+ if (sa_set && (parse_sa_args(&argc, &argv, &rxsa) ||
+ check_sa_args(c, &rxsa)))
+ return -1;
+ if (!sa_set && parse_rxsci_args(&argc, &argv, &rxsc))
+ return -1;
+
+modify:
+ cmd = macsec_commands[c][sa_set][1];
+ return do_modify_nl(c, cmd, rxsc.ifindex, &rxsc, &rxsa);
+}
+
+static int do_modify(enum cmd c, int argc, char **argv)
+{
+ int ifindex;
+
+ if (argc == 0)
+ ipmacsec_usage();
+
+ ifindex = ll_name_to_index(*argv);
+ if (!ifindex) {
+ fprintf(stderr, "Device \"%s\" does not exist.\n", *argv);
+ return -1;
+ }
+ argc--; argv++;
+
+ if (argc == 0)
+ ipmacsec_usage();
+
+ if (strcmp(*argv, "tx") == 0)
+ return do_modify_txsa(c, argc-1, argv+1, ifindex);
+ if (strcmp(*argv, "rx") == 0)
+ return do_modify_rxsci(c, argc-1, argv+1, ifindex);
+
+ ipmacsec_usage();
+ return -1;
+}
+
+/* dump/show */
+static struct {
+ int ifindex;
+ __u64 sci;
+} filter;
+
+static int validate_dump(struct rtattr **attrs)
+{
+ return attrs[MACSEC_ATTR_IFINDEX] && attrs[MACSEC_ATTR_SCI] &&
+ attrs[MACSEC_ATTR_ENCODING_SA] &&
+ attrs[MACSEC_ATTR_CIPHER_SUITE] && attrs[MACSEC_ATTR_ICV_LEN];
+}
+
+static void print_flag(FILE *f, struct rtattr *attrs[], const char *desc,
+ int field)
+{
+ if (attrs[field])
+ fprintf(f, "%s %s ", desc,
+ rta_getattr_u8(attrs[field]) ? "on" : "off");
+}
+
+static const char *cs_id_to_name(__u64 cid)
+{
+ switch (cid) {
+ case DEFAULT_CIPHER_ID:
+ case DEFAULT_CIPHER_ALT:
+ return DEFAULT_CIPHER_NAME;
+ default:
+ return "(unknown)";
+ }
+}
+
+static void print_cipher_suite(const char *prefix, __u64 cid, __u8 icv_len)
+{
+ printf("%scipher suite: %s, using ICV length %d\n", prefix,
+ cs_id_to_name(cid), icv_len);
+}
+
+static void print_attrs(const char *prefix, struct rtattr *attrs[])
+{
+ if (attrs[MACSEC_ATTR_SA_KEYID]) {
+ printf("key %llu ",
+ rta_getattr_u64(attrs[MACSEC_ATTR_SA_KEYID]));
+ }
+
+ print_flag(stdout, attrs, "protect", MACSEC_ATTR_PROTECT);
+
+ if (attrs[MACSEC_ATTR_VALIDATE]) {
+ printf("validate %s ",
+ VALIDATE_STR[rta_getattr_u8(attrs[MACSEC_ATTR_VALIDATE])]);
+ }
+
+ print_flag(stdout, attrs, "sc", MACSEC_ATTR_SC_ACTIVE);
+ print_flag(stdout, attrs, "sa", MACSEC_ATTR_SA_ACTIVE);
+ print_flag(stdout, attrs, "encrypt", MACSEC_ATTR_ENCRYPT);
+ print_flag(stdout, attrs, "send_sci", MACSEC_ATTR_INC_SCI);
+ print_flag(stdout, attrs, "end_station", MACSEC_ATTR_ES);
+ print_flag(stdout, attrs, "scb", MACSEC_ATTR_SCB);
+
+ print_flag(stdout, attrs, "replayprotect", MACSEC_ATTR_REPLAY);
+ if (attrs[MACSEC_ATTR_WINDOW]) {
+ printf("window %d ",
+ rta_getattr_u32(attrs[MACSEC_ATTR_WINDOW]));
+ }
+
+ if (attrs[MACSEC_ATTR_CIPHER_SUITE] && attrs[MACSEC_ATTR_ICV_LEN]) {
+ printf("\n");
+ print_cipher_suite(prefix,
+ rta_getattr_u64(attrs[MACSEC_ATTR_CIPHER_SUITE]),
+ rta_getattr_u8(attrs[MACSEC_ATTR_ICV_LEN]));
+ }
+
+}
+
+static void print_txsc_stats(const char *prefix, struct rtattr *attr)
+{
+ struct macsec_tx_sc_stats *stats;
+
+ if (!attr || show_stats == 0)
+ return;
+
+ stats = RTA_DATA(attr);
+ printf("%sstats: OutOctetsProtected OutOctetsEncrypted OutPktsProtected OutPktsEncrypted\n", prefix);
+ printf("%s %18llu %18llu %16llu %16llu\n", prefix,
+ stats->OutOctetsProtected, stats->OutOctetsEncrypted,
+ stats->OutPktsProtected, stats->OutPktsEncrypted);
+}
+
+static void print_secy_stats(const char *prefix, struct rtattr *attr)
+{
+ struct macsec_dev_stats *stats;
+
+ if (!attr || show_stats == 0)
+ return;
+
+ stats = RTA_DATA(attr);
+ printf("%sstats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun\n", prefix);
+ printf("%s %15llu %14llu %14llu %11llu %12llu %16llu %11llu %13llu\n", prefix,
+ stats->OutPktsUntagged, stats->InPktsUntagged,
+ stats->OutPktsTooLong, stats->InPktsNoTag,
+ stats->InPktsBadTag, stats->InPktsUnknownSCI,
+ stats->InPktsNoSCI, stats->InPktsOverrun);
+}
+
+static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
+ struct rtattr *txsc_stats, struct rtattr *secy_stats,
+ struct rtattr *sa)
+{
+ struct rtattr *sa_attr[MACSEC_ATTR_SA_MAX + 1];
+ struct rtattr *a;
+ int rem;
+
+ printf("%sTXSC: %016llx on SA %d\n", prefix, sci, encoding_sa);
+ print_secy_stats(prefix, secy_stats);
+ print_txsc_stats(prefix, txsc_stats);
+
+ rem = RTA_PAYLOAD(sa);
+ for (a = RTA_DATA(sa); RTA_OK(a, rem); a = RTA_NEXT(a, rem)) {
+ parse_rtattr_nested(sa_attr, MACSEC_ATTR_SA_MAX + 1, a);
+ printf("%s%s%d: PN %u, state %s, key %llu\n", prefix, prefix,
+ rta_getattr_u8(sa_attr[MACSEC_ATTR_SA_AN]),
+ rta_getattr_u32(sa_attr[MACSEC_ATTR_SA_PN]),
+ rta_getattr_u8(sa_attr[MACSEC_ATTR_SA_ACTIVE]) ? "on" :
+ "off",
+ rta_getattr_u64(sa_attr[MACSEC_ATTR_SA_KEYID]));
+ if (show_stats && sa_attr[MACSEC_SA_STATS]) {
+ struct macsec_tx_sa_stats *stats =
+ RTA_DATA(sa_attr[MACSEC_SA_STATS]);
+
+ printf("%s%s OutPktsProtected OutPktsEncrypted\n",
+ prefix, prefix);
+ printf("%s%s %16u %16u\n", prefix, prefix,
+ stats->OutPktsProtected,
+ stats->OutPktsEncrypted);
+ }
+ }
+}
+
+static void print_rxsc_stats(const char *prefix, struct rtattr *attr)
+{
+ struct macsec_rx_sc_stats *stats;
+
+ if (!attr || show_stats == 0)
+ return;
+
+ stats = RTA_DATA(attr);
+ printf("%sstats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA\n", prefix);
+ printf("%s %17llu %17llu %15llu %13llu %8llu %13llu %10llu %14llu %16llu %14llu\n", prefix,
+ stats->InOctetsValidated, stats->InOctetsDecrypted,
+ stats->InPktsUnchecked, stats->InPktsDelayed, stats->InPktsOK,
+ stats->InPktsInvalid, stats->InPktsLate, stats->InPktsNotValid,
+ stats->InPktsNotUsingSA, stats->InPktsUnusedSA);
+}
+
+static void print_rx_sc(const char *prefix, __u64 sci, __u8 active, struct rtattr *rxsc_stats, struct rtattr *sa)
+{
+ struct rtattr *sa_attr[MACSEC_ATTR_SA_MAX + 1];
+ struct rtattr *a;
+ int rem;
+
+ printf("%sRXSC: %016llx, state %s\n", prefix, sci, active ? "on" :
+ "off");
+ print_rxsc_stats(prefix, rxsc_stats);
+
+ rem = RTA_PAYLOAD(sa);
+ for (a = RTA_DATA(sa); RTA_OK(a, rem); a = RTA_NEXT(a, rem)) {
+ parse_rtattr_nested(sa_attr, MACSEC_ATTR_SA_MAX + 1, a);
+ printf("%s%s%d: PN %u, state %s, key %llu\n", prefix, prefix,
+ rta_getattr_u8(sa_attr[MACSEC_ATTR_SA_AN]),
+ rta_getattr_u32(sa_attr[MACSEC_ATTR_SA_PN]),
+ rta_getattr_u8(sa_attr[MACSEC_ATTR_SA_ACTIVE]) ? "on" :
+ "off",
+ rta_getattr_u64(sa_attr[MACSEC_ATTR_SA_KEYID]));
+ if (show_stats && sa_attr[MACSEC_SA_STATS]) {
+ struct macsec_rx_sa_stats *stats = RTA_DATA(sa_attr[MACSEC_SA_STATS]);
+
+ printf("%s%s InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA\n", prefix, prefix);
+ printf("%s%s %8u %13u %14u %16u %14u\n",
+ prefix, prefix, stats->InPktsOK,
+ stats->InPktsInvalid, stats->InPktsNotValid,
+ stats->InPktsNotUsingSA, stats->InPktsUnusedSA);
+ }
+ }
+}
+
+static int process(const struct sockaddr_nl *who, struct nlmsghdr *n,
+ void *arg)
+{
+ struct genlmsghdr *ghdr;
+ struct rtattr *attrs[MACSEC_ATTR_MAX + 1], *sc, *c;
+ int len = n->nlmsg_len;
+ int ifindex;
+ __u64 sci;
+ __u8 encoding_sa;
+ int rem;
+
+ if (n->nlmsg_type != genl_family)
+ return -1;
+
+ len -= NLMSG_LENGTH(GENL_HDRLEN);
+ if (len < 0)
+ return -1;
+
+ ghdr = NLMSG_DATA(n);
+ if (ghdr->cmd != MACSEC_CMD_GET_TXSC)
+ return 0;
+
+ parse_rtattr(attrs, MACSEC_ATTR_MAX, (void *) ghdr + GENL_HDRLEN, len);
+ if (!validate_dump(attrs)) {
+ printf("missing some attribute\n");
+ return -1;
+ }
+
+ ifindex = rta_getattr_u32(attrs[MACSEC_ATTR_IFINDEX]);
+ sci = rta_getattr_u64(attrs[MACSEC_ATTR_SCI]);
+ encoding_sa = rta_getattr_u8(attrs[MACSEC_ATTR_ENCODING_SA]);
+
+ if (filter.ifindex && ifindex != filter.ifindex)
+ return 0;
+
+ if (filter.sci && sci != filter.sci)
+ return 0;
+
+ printf("%d: %s: ", ifindex, ll_index_to_name(ifindex));
+ print_attrs(" ", attrs);
+
+ print_tx_sc(" ", sci, encoding_sa, attrs[MACSEC_TXSC_STATS],
+ attrs[MACSEC_SECY_STATS], attrs[MACSEC_TXSA_LIST]);
+
+ if (!attrs[MACSEC_RXSC_LIST])
+ return 0;
+
+ sc = attrs[MACSEC_RXSC_LIST];
+ rem = RTA_PAYLOAD(sc);
+ for (c = RTA_DATA(sc); RTA_OK(c, rem); c = RTA_NEXT(c, rem)) {
+ struct rtattr *sc_attr[MACSEC_ATTR_SC_MAX + 1];
+
+ parse_rtattr_nested(sc_attr, MACSEC_ATTR_SC_MAX + 1, c);
+ print_rx_sc(" ",
+ rta_getattr_u64(sc_attr[MACSEC_ATTR_SC_SCI]),
+ rta_getattr_u32(sc_attr[MACSEC_ATTR_SC_ACTIVE]),
+ sc_attr[MACSEC_RXSC_STATS],
+ sc_attr[MACSEC_RXSA_LIST]);
+ }
+
+ return 0;
+}
+
+static int do_dump(int ifindex)
+{
+ MACSEC_GENL_REQ(req, MACSEC_BUFLEN, MACSEC_CMD_GET_TXSC,
+ NLM_F_REQUEST | NLM_F_DUMP);
+
+ memset(&filter, 0, sizeof(filter));
+ filter.ifindex = ifindex;
+
+ req.n.nlmsg_seq = genl_rth.dump = ++genl_rth.seq;
+ if (rtnl_send(&genl_rth, &req, req.n.nlmsg_len) < 0) {
+ perror("Failed to send dump request");
+ exit(1);
+ }
+
+ if (rtnl_dump_filter(&genl_rth, process, stdout) < 0) {
+ fprintf(stderr, "Dump terminated\n");
+ exit(1);
+ }
+
+ return 0;
+}
+
+static int do_show(int argc, char **argv)
+{
+ int ifindex;
+
+ if (argc == 0)
+ return do_dump(0);
+
+ ifindex = ll_name_to_index(*argv);
+ if (ifindex == 0) {
+ fprintf(stderr, "Device \"%s\" does not exist.\n", *argv);
+ return -1;
+ }
+
+ argc--, argv++;
+ if (argc == 0)
+ return do_dump(ifindex);
+
+ ipmacsec_usage();
+ return -1;
+}
+
+int do_ipmacsec(int argc, char **argv)
+{
+ init_genl();
+
+ if (argc < 1)
+ ipmacsec_usage();
+
+ if (matches(*argv, "help") == 0)
+ ipmacsec_usage();
+
+ if (matches(*argv, "show") == 0)
+ return do_show(argc-1, argv+1);
+
+ if (matches(*argv, "add") == 0)
+ return do_modify(CMD_ADD, argc-1, argv+1);
+ if (matches(*argv, "set") == 0)
+ return do_modify(CMD_UPD, argc-1, argv+1);
+ if (matches(*argv, "delete") == 0)
+ return do_modify(CMD_DEL, argc-1, argv+1);
+
+ fprintf(stderr, "Command \"%s\" is unknown, try \"ip macsec help\".\n",
+ *argv);
+ exit(-1);
+}
+
+/* device creation */
+static void macsec_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
+{
+ if (!tb)
+ return;
+
+ if (tb[IFLA_MACSEC_SCI])
+ fprintf(f, "sci %016llx ", rta_getattr_u64(tb[IFLA_MACSEC_SCI]));
+
+ print_flag(f, tb, "protect", IFLA_MACSEC_PROTECT);
+
+ if (tb[IFLA_MACSEC_CIPHER_SUITE])
+ fprintf(f, "cipher %s ", cs_id_to_name(rta_getattr_u64(tb[IFLA_MACSEC_CIPHER_SUITE])));
+
+ if (tb[IFLA_MACSEC_ICV_LEN])
+ fprintf(f, "icvlen %d ", rta_getattr_u8(tb[IFLA_MACSEC_ICV_LEN]));
+
+ if (tb[IFLA_MACSEC_ENCODING_SA])
+ fprintf(f, "encodingsa %d ", rta_getattr_u8(tb[IFLA_MACSEC_ENCODING_SA]));
+
+ if (tb[IFLA_MACSEC_VALIDATION])
+ fprintf(f, "validate %s ", VALIDATE_STR[rta_getattr_u8(tb[IFLA_MACSEC_VALIDATION])]);
+
+ print_flag(f, tb, "encrypt", IFLA_MACSEC_ENCRYPT);
+ print_flag(f, tb, "send_sci", IFLA_MACSEC_INC_SCI);
+ print_flag(f, tb, "end_station", IFLA_MACSEC_ES);
+ print_flag(f, tb, "scb", IFLA_MACSEC_SCB);
+
+ print_flag(f, tb, "replayprotect", IFLA_MACSEC_REPLAY_PROTECT);
+ if (tb[IFLA_MACSEC_WINDOW])
+ fprintf(f, "window %d ", rta_getattr_u32(tb[IFLA_MACSEC_WINDOW]));
+}
+
+
+static int do_cipher_suite(struct cipher_args *cipher, int *argcp,
+ char ***argvp)
+{
+ char **argv = *argvp;
+ int argc = *argcp;
+
+ if (argc == 0)
+ return -1;
+
+ if (strcmp(*argv, "default") == 0 ||
+ strcmp(*argv, "gcm-aes-128") == 0)
+ cipher->id = DEFAULT_CIPHER_ID;
+ NEXT_ARG();
+
+ if (strcmp(*argv, "icvlen") == 0) {
+ NEXT_ARG();
+ if (cipher->icv_len != 0)
+ duparg2("icvlen", "icvlen");
+ get_icvlen(&cipher->icv_len, *argv);
+ }
+ *argcp = argc;
+ *argvp = argv;
+
+ return 0;
+}
+
+static bool check_txsc_flags(bool es, bool scb, bool sci)
+{
+ if (sci && (es || scb))
+ return false;
+ if (es && scb)
+ return false;
+ return true;
+}
+
+static void usage(FILE *f)
+{
+ fprintf(f,
+ "Usage: ... macsec [ port PORT | sci SCI ]\n"
+ " [ cipher CIPHER_SUITE ]\n"
+ " [ encrypt { on | off } ]\n"
+ " [ send_sci { on | off } ]\n"
+ " [ es { on | off } ]\n"
+ " [ scb { on | off } ]\n"
+ " [ protect { on | off } ]\n"
+ " [ replay { on | off} [ window { 0..2^32-1 } ]\n"
+ " [ validate { strict | check | disabled } ]\n"
+ " [ encoding { 0..3 } ]\n"
+ );
+ fprintf(f, "CIPHER_SUITE := [ default = gcm-aes-128 ] icvlen { 8..32 }\n");
+}
+
+static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
+ struct nlmsghdr *hdr)
+{
+ int ret;
+ __u8 encoding_sa = 0xff;
+ __u32 window = -1;
+ struct cipher_args cipher = {0};
+ enum validation_type validate;
+ bool es = false, scb = false, send_sci = false;
+ int replay_protect = -1;
+ struct sci sci = { 0 };
+
+ ret = get_sci_portaddr(&sci, &argc, &argv, true, true);
+ if (ret < 0) {
+ fprintf(stderr, "expected sci\n");
+ return -1;
+ }
+
+ if (ret > 0) {
+ if (sci.sci)
+ addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_SCI,
+ &sci.sci, sizeof(sci.sci));
+ else
+ addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_PORT,
+ &sci.port, sizeof(sci.port));
+ }
+
+ while (argc > 0) {
+ if (strcmp(*argv, "cipher") == 0) {
+ if (cipher.id)
+ duparg2("cipher", "cipher");
+ NEXT_ARG();
+ if (do_cipher_suite(&cipher, &argc, &argv))
+ return -1;
+ } else if (strcmp(*argv, "encrypt") == 0) {
+ NEXT_ARG();
+ int i;
+
+ ret = one_of("encrypt", *argv, values_on_off,
+ ARRAY_SIZE(values_on_off), &i);
+ if (ret != 0)
+ return ret;
+ addattr8(hdr, MACSEC_BUFLEN, IFLA_MACSEC_ENCRYPT, !i);
+ } else if (strcmp(*argv, "send_sci") == 0) {
+ NEXT_ARG();
+ int i;
+
+ ret = one_of("send_sci", *argv, values_on_off,
+ ARRAY_SIZE(values_on_off), &i);
+ if (ret != 0)
+ return ret;
+ send_sci = !i;
+ addattr8(hdr, MACSEC_BUFLEN, IFLA_MACSEC_INC_SCI, send_sci);
+ } else if (strcmp(*argv, "es") == 0) {
+ NEXT_ARG();
+ int i;
+
+ ret = one_of("es", *argv, values_on_off,
+ ARRAY_SIZE(values_on_off), &i);
+ if (ret != 0)
+ return ret;
+ es = !i;
+ addattr8(hdr, MACSEC_BUFLEN, IFLA_MACSEC_ES, es);
+ } else if (strcmp(*argv, "scb") == 0) {
+ NEXT_ARG();
+ int i;
+
+ ret = one_of("scb", *argv, values_on_off,
+ ARRAY_SIZE(values_on_off), &i);
+ if (ret != 0)
+ return ret;
+ scb = !i;
+ addattr8(hdr, MACSEC_BUFLEN, IFLA_MACSEC_SCB, scb);
+ } else if (strcmp(*argv, "protect") == 0) {
+ NEXT_ARG();
+ int i;
+
+ ret = one_of("protect", *argv, values_on_off,
+ ARRAY_SIZE(values_on_off), &i);
+ if (ret != 0)
+ return ret;
+ addattr8(hdr, MACSEC_BUFLEN, IFLA_MACSEC_PROTECT, !i);
+ } else if (strcmp(*argv, "replay") == 0) {
+ NEXT_ARG();
+ int i;
+
+ ret = one_of("replay", *argv, values_on_off,
+ ARRAY_SIZE(values_on_off), &i);
+ if (ret != 0)
+ return ret;
+ replay_protect = !i;
+ } else if (strcmp(*argv, "window") == 0) {
+ NEXT_ARG();
+ ret = get_u32(&window, *argv, 0);
+ if (ret)
+ invarg("expected replay window size", *argv);
+ } else if (strcmp(*argv, "validate") == 0) {
+ NEXT_ARG();
+ ret = one_of("validate", *argv,
+ VALIDATE_STR, ARRAY_SIZE(VALIDATE_STR),
+ (int *)&validate);
+ if (ret != 0)
+ return ret;
+ addattr8(hdr, MACSEC_BUFLEN, IFLA_MACSEC_VALIDATION,
+ validate);
+ } else if (strcmp(*argv, "encoding") == 0) {
+ if (encoding_sa != 0xff)
+ duparg2("encoding", "encoding");
+ NEXT_ARG();
+ ret = get_an(&encoding_sa, *argv);
+ if (ret)
+ invarg("expected an { 0..3 }", *argv);
+ } else {
+ fprintf(stderr, "macsec: unknown command \"%s\"?\n",
+ *argv);
+ usage(stderr);
+ return -1;
+ }
+
+ argv++; argc--;
+ }
+
+ if (!check_txsc_flags(es, scb, send_sci)) {
+ fprintf(stderr, "invalid combination of send_sci/es/scb\n");
+ return -1;
+ }
+
+ if (window != -1 && replay_protect == -1) {
+ fprintf(stderr, "replay window set, but replay protection not enabled. did you mean 'replay on window %u'?\n", window);
+ return -1;
+ }
+
+ if (cipher.id) {
+ addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_CIPHER_SUITE,
+ &cipher.id, sizeof(cipher.id));
+ addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_ICV_LEN,
+ &cipher.icv_len, sizeof(cipher.icv_len));
+ }
+
+ if (replay_protect != -1) {
+ addattr32(hdr, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
+ addattr8(hdr, MACSEC_BUFLEN, IFLA_MACSEC_REPLAY_PROTECT,
+ replay_protect);
+ }
+
+ if (encoding_sa != 0xff) {
+ addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_ENCODING_SA,
+ &encoding_sa, sizeof(encoding_sa));
+ }
+
+ return 0;
+}
+
+static void macsec_print_help(struct link_util *lu, int argc, char **argv,
+ FILE *f)
+{
+ usage(f);
+}
+
+struct link_util macsec_link_util = {
+ .id = "macsec",
+ .maxattr = IFLA_MACSEC_MAX,
+ .parse_opt = macsec_parse_opt,
+ .print_help = macsec_print_help,
+ .print_opt = macsec_print_opt,
+ .slave = false,
+};
diff --git a/man/man8/Makefile b/man/man8/Makefile
index 2f77640676df..18602f96015a 100644
--- a/man/man8/Makefile
+++ b/man/man8/Makefile
@@ -7,7 +7,7 @@ MAN8PAGES = $(TARGETS) ip.8 arpd.8 lnstat.8 routel.8 rtacct.8 rtmon.8 rtpr.8 ss.
tc-mqprio.8 tc-netem.8 tc-pfifo.8 tc-pfifo_fast.8 tc-prio.8 tc-red.8 \
tc-sfb.8 tc-sfq.8 tc-stab.8 tc-tbf.8 \
bridge.8 rtstat.8 ctstat.8 nstat.8 routef.8 \
- ip-addrlabel.8 ip-fou.8 ip-gue.8 ip-l2tp.8 \
+ ip-addrlabel.8 ip-fou.8 ip-gue.8 ip-l2tp.8 ip-macsec.8 \
ip-maddress.8 ip-monitor.8 ip-mroute.8 ip-neighbour.8 \
ip-netns.8 ip-ntable.8 ip-rule.8 ip-tunnel.8 ip-xfrm.8 \
ip-tcp_metrics.8 ip-netconf.8 ip-token.8 \
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 4d3234352004..cacb3a896d2f 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -260,6 +260,9 @@ Link types:
.sp
.BR geneve
- GEneric NEtwork Virtualization Encapsulation
+.sp
+.BR macsec
+- Interface for IEEE 802.1AE MAC Security (MACsec)
.in -8
.TP
@@ -819,6 +822,137 @@ forces the underlying interface into promiscuous mode. Passing the
using standard tools.
.in -8
+.TP
+MACsec Type Support
+For a link of type
+.I MACsec
+the following additional arguments are supported:
+
+.BI "ip link add link " DEVICE " name " NAME
+.BI type " macsec "
+.R " [ "
+.BI port " PORT "
+.R " | "
+.BI sci " SCI "
+.R " ] [ "
+.BI cipher " CIPHER_SUITE "
+.R " ] ["
+.BI encrypt
+.R " { "
+.BI "on "
+.R " |"
+.BI "off "
+.R " } "
+.R " ] ["
+.BI send_sci
+.R " { "
+.BI "on "
+.R " |"
+.BI "off "
+.R " } "
+.R " ] ["
+.BI es
+.R " { "
+.BI "on "
+.R " |"
+.BI "off "
+.R " } "
+.R " ] ["
+.BI scb
+.R " { "
+.BI "on "
+.R " |"
+.BI "off "
+.R " } "
+.R " ] ["
+.BI protect
+.R " { "
+.BI "on "
+.R " |"
+.BI "off "
+.R " } "
+.R " ] ["
+.BI replay
+.R " { "
+.BI "on "
+.R " |"
+.BI "off "
+.R " } "
+.BI window
+.R " { "
+.BI "0..2^32-1 "
+.R " } "
+.R " ] ["
+.BI validate
+.R " { "
+.BI "strict "
+.R " |"
+.BI "check "
+.R " |"
+.BI "disabled "
+.R " } "
+.R " ] ["
+.BI encoding
+.R " {"
+.BI "0..3 "
+.R " } "
+.R " ]"
+
+.in +8
+.sp
+.BI port " PORT "
+- sets the port number for this MACsec device.
+
+.sp
+.BI sci " SCI "
+- sets the SCI for this MACsec device.
+
+.sp
+.BI cipher " CIPHER_SUITE "
+- defines the cipher suite to use.
+
+.sp
+.BR "encrypt on " or " encrypt off"
+- switches between authenticated encryption, or authenticity mode only.
+
+.sp
+.BR "send_sci on " or " send_sci off"
+- specifies whether the SCI is included in every packet, or only when it is necessary.
+
+.sp
+.BR "es on " or " es off"
+- sets the End Station bit.
+
+.sp
+.BR "scb on " or " scb off"
+- sets the Single Copy Broadcast bit.
+
+.sp
+.BR "protect on " or " protect off"
+- enables MACsec protection on the device.
+
+.sp
+.BR "replay on " or " replay off"
+- enables replay protection on the device.
+
+.in +8
+
+.sp
+.BI window " SIZE "
+- sets the size of the replay window.
+
+.in -8
+
+.sp
+.BR "validate strict " or " validate check " or " validate disabled"
+- sets the validation mode on the device.
+
+.sp
+.BI encoding " AN "
+- sets the active secure association for transmission.
+
+.in -8
+
.SS ip link delete - delete virtual link
.TP
diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
new file mode 100644
index 000000000000..1920878571a8
--- /dev/null
+++ b/man/man8/ip-macsec.8
@@ -0,0 +1,110 @@
+.TH IP\-MACSEC 8 "07 Mar 2016" "iproute" "Linux"
+.SH "NAME"
+ip-macsec \- MACsec device configuration
+.SH "SYNOPSIS"
+.BI "ip link add link " DEVICE " name " NAME
+.BR type " macsec "
+.R " [ "
+.R " [ "
+.B cipher " { " default " | " gcm-aes-128 " } "
+.R " ] "
+.B icvlen
+.I ICVLEN
+.R " ] [ "
+.B encrypt " { " on " | " off " } "
+.R " ] [ "
+.B send_sci " { " on " | " off " } "
+.R " ] [ "
+.B es " { " on " | " off " } "
+.R " ] [ "
+.B scb " { " on " | " off " } "
+.R " ] [ "
+.B protect " { " on " | " off " } "
+.R " ] [ "
+.B replay " { " on " | " off " } "
+.R " ] [ "
+.B window
+.I WINDOW
+.R " ] [ "
+.B encoding
+.I SA
+.R " ]"
+
+.BR "ip macsec add"
+.IR DEV
+.B "tx sa { 0..3 } [ OPTS ] key ID KEY"
+.br
+.BR "ip macsec set"
+.IR DEV
+.B "tx sa { 0..3 } [ OPTS ]"
+.br
+.BR "ip macsec del"
+.IR DEV
+.B "tx sa { 0..3 }"
+
+.BR "ip macsec add"
+.IR DEV
+.B "rx SCI [ on | off ]"
+.br
+.BR "ip macsec set"
+.IR DEV
+.B "rx SCI [ on | off ]"
+.br
+.BR "ip macsec del"
+.IR DEV
+.B "rx SCI"
+
+.BR "ip macsec add"
+.IR DEV
+.B "rx SCI [ sa { 0..3 } [ OPTS ] key ID KEY ]"
+.br
+.BR "ip macsec set"
+.IR DEV
+.B "rx SCI sa { 0..3 } [ OPTS ]"
+.br
+.BR "ip macsec del"
+.IR DEV
+.B "rx SCI sa { 0..3 }"
+
+.BR "ip macsec show [ DEV ]"
+
+.IR OPTS " := [ pn <u32> ] [ on | off ]"
+.br
+.IR SCI " := { sci <u64> | port <u16> address <lladdr> }"
+
+
+.SH "DESCRIPTION"
+The
+.B ip macsec
+commands are used to configure transmit secure associations and receive secure channels and their secure associations on a MACsec device created with the
+.B ip link add
+command using the
+.I macsec
+type.
+
+.SH "EXAMPLES"
+.PP
+.SS Create a MACsec device on link eth0
+.nf
+# ip link add device eth0 macsec0 type macsec port 11 encrypt on
+.PP
+.SS Configure a secure association on that device
+.nf
+# ip macsec add macsec0 tx sa 0 pn 1024 on key 1 81818181818181818181818181818181
+.PP
+.SS Configure a receive channel
+.nf
+# ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0
+.PP
+.SS Configure a receive association
+.nf
+# ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0 sa 0 pn 1 on key 0 82828282828282828282828282828282
+.PP
+.SS Display MACsec configuration
+.nf
+# ip macsec show
+.SH "SEE ALSO"
+.br
+.BR ip-link (8)
+.SH "AUTHOR"
+Sabrina Dubroca <sd@queasysnail.net>
--
2.7.2
^ permalink raw reply related [flat|nested] 16+ messages in thread* Re: [PATCH iproute2 net-next] ip: add MACsec support
2016-03-07 17:12 ` [PATCH iproute2 net-next] ip: add MACsec support Sabrina Dubroca
@ 2016-03-07 19:48 ` Stephen Hemminger
2016-03-08 10:49 ` Sabrina Dubroca
0 siblings, 1 reply; 16+ messages in thread
From: Stephen Hemminger @ 2016-03-07 19:48 UTC (permalink / raw)
To: Sabrina Dubroca
Cc: netdev, Hannes Frederic Sowa, Florian Westphal, Paolo Abeni
> +static int one_of(const char *msg, const char *realval, const char **list,
> + size_t len, int *index)
> +{
> + int i;
> +
> + for (i = 0; i < len; i++) {
> + if (matches(realval, list[i]) == 0) {
> + *index = i;
> + return 0;
> + }
> + }
> +
> + fprintf(stderr, "Error: argument of \"%s\" must be one of ", msg);
> + for (i = 0; i < len; i++)
> + fprintf(stderr, "\"%s\", ", list[i]);
> + fprintf(stderr, "not \"%s\"\n", realval);
> + return -1;
> +}
> +
> +static int get_an(__u8 *val, const char *arg)
> +{
> + int ret = get_u8(val, arg, 0);
> +
> + if (ret)
> + return ret;
> +
> + if (*val > 3)
> + return -1;
> +
> + return 0;
> +}
> +
> +static int get_sci(__u64 *sci, const char *arg)
> +{
> + return get_u64(sci, arg, 16);
> +}
> +
> +static int get_port(__be16 *port, const char *arg)
> +{
> + __u16 p;
> + int ret = get_u16(&p, arg, 10);
> +
> + if (ret)
> + return ret;
> +
> + *port = htons(p);
> + return 0;
> +}
Some of these should probably go into lib
> +static int from_hex(char c)
> +{
> + if (c >= '0' && c <= '9')
> + return c - '0';
> + if (c >= 'a' && c <= 'f')
> + return c - 'a' + 10;
> + if (c >= 'A' && c <= 'F')
> + return c - 'A' + 10;
> +
> + return -1;
> +}
There already several copies of similar code (ipl2tp, ipmaddr, ipx)
for basically the same code.
...
> + print_flag(stdout, attrs, "sc", MACSEC_ATTR_SC_ACTIVE);
> + print_flag(stdout, attrs, "sa", MACSEC_ATTR_SA_ACTIVE);
> + print_flag(stdout, attrs, "encrypt", MACSEC_ATTR_ENCRYPT);
> + print_flag(stdout, attrs, "send_sci", MACSEC_ATTR_INC_SCI);
> + print_flag(stdout, attrs, "end_station", MACSEC_ATTR_ES);
> + print_flag(stdout, attrs, "scb", MACSEC_ATTR_SCB);
> +
> + print_flag(stdout, attrs, "replayprotect", MACSEC_ATTR_REPLAY);
> + if (attrs[MACSEC_ATTR_WINDOW]) {
> + printf("window %d ",
> + rta_getattr_u32(attrs[MACSEC_ATTR_WINDOW]));
> + }
> +
> + if (attrs[MACSEC_ATTR_CIPHER_SUITE] && attrs[MACSEC_ATTR_ICV_LEN]) {
> + printf("\n");
> + print_cipher_suite(prefix,
> + rta_getattr_u64(attrs[MACSEC_ATTR_CIPHER_SUITE]),
> + rta_getattr_u8(attrs[MACSEC_ATTR_ICV_LEN]));
> + }
> +
> +}
It is unwritten rule of ip commands that the print and set commands should
be invertable. I.e if you are going to print an attribute the format should
be the same as the argument passed in.
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: [PATCH iproute2 net-next] ip: add MACsec support
2016-03-07 19:48 ` Stephen Hemminger
@ 2016-03-08 10:49 ` Sabrina Dubroca
0 siblings, 0 replies; 16+ messages in thread
From: Sabrina Dubroca @ 2016-03-08 10:49 UTC (permalink / raw)
To: Stephen Hemminger
Cc: netdev, Hannes Frederic Sowa, Florian Westphal, Paolo Abeni
2016-03-07, 11:48:42 -0800, Stephen Hemminger wrote:
>
> > +static int one_of(const char *msg, const char *realval, const char **list,
> > + size_t len, int *index)
> > +{
> > + int i;
> > +
> > + for (i = 0; i < len; i++) {
> > + if (matches(realval, list[i]) == 0) {
> > + *index = i;
> > + return 0;
> > + }
> > + }
> > +
> > + fprintf(stderr, "Error: argument of \"%s\" must be one of ", msg);
> > + for (i = 0; i < len; i++)
> > + fprintf(stderr, "\"%s\", ", list[i]);
> > + fprintf(stderr, "not \"%s\"\n", realval);
> > + return -1;
> > +}
> > +
> > +static int get_an(__u8 *val, const char *arg)
> > +{
> > + int ret = get_u8(val, arg, 0);
> > +
> > + if (ret)
> > + return ret;
> > +
> > + if (*val > 3)
> > + return -1;
> > +
> > + return 0;
> > +}
> > +
> > +static int get_sci(__u64 *sci, const char *arg)
> > +{
> > + return get_u64(sci, arg, 16);
> > +}
> > +
> > +static int get_port(__be16 *port, const char *arg)
> > +{
> > + __u16 p;
> > + int ret = get_u16(&p, arg, 10);
> > +
> > + if (ret)
> > + return ret;
> > +
> > + *port = htons(p);
> > + return 0;
> > +}
>
> Some of these should probably go into lib
I could add get_be16:
int get_be16(__be16 *val, const char *arg, int base);
And maybe get_u8_range for get_an:
int get_u8_range(__u8 *val, const char *arg, int base, int start, int end);
I could also move one_of to lib, not sure if that would be used.
There are a lot of on/off in iplink, but the way I wrote one_of
doesn't really work to set/clear a flag.
Adding a function pointer to handle a match seems a bit heavy.
What do you think?
> > +static int from_hex(char c)
> > +{
> > + if (c >= '0' && c <= '9')
> > + return c - '0';
> > + if (c >= 'a' && c <= 'f')
> > + return c - 'a' + 10;
> > + if (c >= 'A' && c <= 'F')
> > + return c - 'A' + 10;
> > +
> > + return -1;
> > +}
>
> There already several copies of similar code (ipl2tp, ipmaddr, ipx)
> for basically the same code.
Right, I'll make a common helper for that.
I also noticed hexstring_a2n, which I could use if it also returned
the number of elements it parsed to the caller, so I will make that
change (it has no user for now).
> ...
> > + print_flag(stdout, attrs, "sc", MACSEC_ATTR_SC_ACTIVE);
> > + print_flag(stdout, attrs, "sa", MACSEC_ATTR_SA_ACTIVE);
> > + print_flag(stdout, attrs, "encrypt", MACSEC_ATTR_ENCRYPT);
> > + print_flag(stdout, attrs, "send_sci", MACSEC_ATTR_INC_SCI);
> > + print_flag(stdout, attrs, "end_station", MACSEC_ATTR_ES);
> > + print_flag(stdout, attrs, "scb", MACSEC_ATTR_SCB);
> > +
> > + print_flag(stdout, attrs, "replayprotect", MACSEC_ATTR_REPLAY);
> > + if (attrs[MACSEC_ATTR_WINDOW]) {
> > + printf("window %d ",
> > + rta_getattr_u32(attrs[MACSEC_ATTR_WINDOW]));
> > + }
> > +
> > + if (attrs[MACSEC_ATTR_CIPHER_SUITE] && attrs[MACSEC_ATTR_ICV_LEN]) {
> > + printf("\n");
> > + print_cipher_suite(prefix,
> > + rta_getattr_u64(attrs[MACSEC_ATTR_CIPHER_SUITE]),
> > + rta_getattr_u8(attrs[MACSEC_ATTR_ICV_LEN]));
> > + }
> > +
> > +}
>
> It is unwritten rule of ip commands that the print and set commands should
> be invertable. I.e if you are going to print an attribute the format should
> be the same as the argument passed in.
Oops, will fix.
Thanks,
--
Sabrina
^ permalink raw reply [flat|nested] 16+ messages in thread