From: "Radu Pirea (OSS)" <radu-nicolae.pirea@oss.nxp.com>
To: Sabrina Dubroca <sd@queasysnail.net>
Cc: andrew@lunn.ch, hkallweit1@gmail.com, linux@armlinux.org.uk,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, richardcochran@gmail.com,
sebastian.tobuschat@nxp.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFC net-next v3 4/6] net: phy: nxp-c45-tja11xx: add MACsec support
Date: Mon, 11 Sep 2023 18:57:26 +0300 [thread overview]
Message-ID: <e169bc7e-b0af-a87b-e549-5fdcf447f381@oss.nxp.com> (raw)
In-Reply-To: <ZP8BXxD0WZtdJ913@hog>
On 11.09.2023 15:00, Sabrina Dubroca wrote:
> 2023-09-06, 19:01:32 +0300, Radu Pirea (NXP OSS) wrote:
>> +static bool nxp_c45_sci_valid(sci_t sci, bool scb)
>> +{
>> + u16 port = sci_to_cpu(sci);
>> +
>> + if (scb && port != 0)
>> + return false;
>> + if (!scb && port != 1)
>> + return false;
>
> For non-SCB (ie normal case), only port 1 is allowed? That doesn't
> seem to match what nxp_c45_rx_sc_valid was doing in v2, but it is also
> called from nxp_c45_mdo_add_rxsc..
This port number restriction is valid only if end_station is true.
In nxp_c45_mdo_add_rxsc I forgot to check end_station flag.
>
>> +
>> + return true;
>> +}
>> +
>
> [...]
>> +static void nxp_c45_tx_sa_next(struct nxp_c45_secy *phy_secy,
>> + struct nxp_c45_sa *next_sa, u8 encoding_sa)
>> +{
>> + struct nxp_c45_sa *sa;
>> +
>> + sa = nxp_c45_find_sa(&phy_secy->sa_list, TX_SA, encoding_sa);
>> + if (!IS_ERR(sa)) {
>> + memcpy(next_sa, sa, sizeof(*sa));
>> + } else {
>> + next_sa->is_key_a = true;
>> + next_sa->an = encoding_sa;
>> + }
>> +}
>
> What is this doing? Why are you filling a fake SA struct when none is
> currently configured?
>
To reuse nxp_c45_tx_sa_update.
>
>
>> +static int nxp_c45_mdo_upd_txsa(struct macsec_context *ctx)
>> +{
>> + struct macsec_tx_sa *tx_sa = ctx->sa.tx_sa;
>> + struct phy_device *phydev = ctx->phydev;
>> + struct nxp_c45_phy *priv = phydev->priv;
>> + struct nxp_c45_secy *phy_secy;
>> + u8 an = ctx->sa.assoc_num;
>> + struct nxp_c45_sa *sa;
>> +
>> + phydev_dbg(phydev, "update TX SA %u %s to TX SC %016llx\n",
>> + an, ctx->sa.tx_sa->active ? "enabled" : "disabled",
>> + sci_to_cpu(ctx->secy->sci));
>> +
>> + phy_secy = nxp_c45_find_secy(&priv->macsec->secy_list, ctx->secy->sci);
>> + if (IS_ERR(phy_secy))
>> + return PTR_ERR(phy_secy);
>> +
>> + sa = nxp_c45_find_sa(&phy_secy->sa_list, TX_SA, an);
>> + if (IS_ERR(sa))
>> + return PTR_ERR(sa);
>> +
>> + nxp_c45_select_secy(phydev, phy_secy->secy_id);
>> + nxp_c45_sa_set_pn(phydev, sa, tx_sa->next_pn, 0);
>
> The macsec core doesn't increment its PN when we're offloading. If
> userspace didn't pass a new PN, aren't we resetting the HW's PN back
> to its initial value here? That would cause replay protection to fail,
> and the PN reuse would break GCM.
>
> Could you check by inspecting the sequence numbers sent by the device
> before and after this:
>
> ip macsec set macsec0 tx sa 0 on
Here the tx sa 0 pn is set 1. I will store the initial pn, and if the sa
is updated with the same pn or if the new pn is 0, I will not update it.
Thank you for pointing that out.
>
>
> And same for nxp_c45_mdo_upd_rxsa -> nxp_c45_sa_set_pn. Testing would
> require enabling replay protection and making the PN go backward on
> the TX side.
>
>> + nxp_c45_tx_sa_update(phydev, sa, ctx->secy->tx_sc.encoding_sa,
>> + tx_sa->active);
>> + return 0;
>> +}
>
--
Radu P.
next prev parent reply other threads:[~2023-09-11 15:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-06 16:01 [RFC net-next v3 0/6] Add MACsec support for TJA11XX C45 PHYs Radu Pirea (NXP OSS)
2023-09-06 16:01 ` [RFC net-next v3 1/6] net: macsec: move sci_to_cpu to macsec header Radu Pirea (NXP OSS)
2023-09-06 16:01 ` [RFC net-next v3 2/6] net: macsec: documentation for macsec_context and macsec_ops Radu Pirea (NXP OSS)
2023-09-06 16:01 ` [RFC net-next v3 3/6] net: macsec: introduce mdo_insert_tx_tag Radu Pirea (NXP OSS)
2023-09-06 16:01 ` [RFC net-next v3 4/6] net: phy: nxp-c45-tja11xx: add MACsec support Radu Pirea (NXP OSS)
2023-09-07 15:00 ` Simon Horman
2023-09-08 6:55 ` Radu Pirea (OSS)
2023-09-11 12:00 ` Sabrina Dubroca
2023-09-11 15:57 ` Radu Pirea (OSS) [this message]
2023-09-06 16:01 ` [RFC net-next v3 5/6] net: phy: nxp-c45-tja11xx: add MACsec statistics Radu Pirea (NXP OSS)
2023-09-11 12:00 ` Sabrina Dubroca
2023-09-11 15:04 ` Radu Pirea (OSS)
2023-09-06 16:01 ` [RFC net-next v3 6/6] net: phy: nxp-c45-tja11xx: implement mdo_insert_tx_tag Radu Pirea (NXP OSS)
2023-09-07 15:04 ` Simon Horman
2023-09-08 6:09 ` Radu Pirea (OSS)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e169bc7e-b0af-a87b-e549-5fdcf447f381@oss.nxp.com \
--to=radu-nicolae.pirea@oss.nxp.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hkallweit1@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=richardcochran@gmail.com \
--cc=sd@queasysnail.net \
--cc=sebastian.tobuschat@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).