macsec.c (108903B)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * drivers/net/macsec.c - MACsec device 4 * 5 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net> 6 */ 7 8#include <linux/types.h> 9#include <linux/skbuff.h> 10#include <linux/socket.h> 11#include <linux/module.h> 12#include <crypto/aead.h> 13#include <linux/etherdevice.h> 14#include <linux/netdevice.h> 15#include <linux/rtnetlink.h> 16#include <linux/refcount.h> 17#include <net/genetlink.h> 18#include <net/sock.h> 19#include <net/gro_cells.h> 20#include <net/macsec.h> 21#include <linux/phy.h> 22#include <linux/byteorder/generic.h> 23#include <linux/if_arp.h> 24 25#include <uapi/linux/if_macsec.h> 26 27#define MACSEC_SCI_LEN 8 28 29/* SecTAG length = macsec_eth_header without the optional SCI */ 30#define MACSEC_TAG_LEN 6 31 32struct macsec_eth_header { 33 struct ethhdr eth; 34 /* SecTAG */ 35 u8 tci_an; 36#if defined(__LITTLE_ENDIAN_BITFIELD) 37 u8 short_length:6, 38 unused:2; 39#elif defined(__BIG_ENDIAN_BITFIELD) 40 u8 unused:2, 41 short_length:6; 42#else 43#error "Please fix <asm/byteorder.h>" 44#endif 45 __be32 packet_number; 46 u8 secure_channel_id[8]; /* optional */ 47} __packed; 48 49#define MACSEC_TCI_VERSION 0x80 50#define MACSEC_TCI_ES 0x40 /* end station */ 51#define MACSEC_TCI_SC 0x20 /* SCI present */ 52#define MACSEC_TCI_SCB 0x10 /* epon */ 53#define MACSEC_TCI_E 0x08 /* encryption */ 54#define MACSEC_TCI_C 0x04 /* changed text */ 55#define MACSEC_AN_MASK 0x03 /* association number */ 56#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C) 57 58/* minimum secure data length deemed "not short", see IEEE 802.1AE-2006 9.7 */ 59#define MIN_NON_SHORT_LEN 48 60 61#define GCM_AES_IV_LEN 12 62#define DEFAULT_ICV_LEN 16 63 64#define for_each_rxsc(secy, sc) \ 65 for (sc = rcu_dereference_bh(secy->rx_sc); \ 66 sc; \ 67 sc = rcu_dereference_bh(sc->next)) 68#define for_each_rxsc_rtnl(secy, sc) \ 69 for (sc = rtnl_dereference(secy->rx_sc); \ 70 sc; \ 71 sc = rtnl_dereference(sc->next)) 72 73#define pn_same_half(pn1, pn2) (!(((pn1) >> 31) ^ ((pn2) >> 31))) 74 75struct gcm_iv_xpn { 76 union { 77 u8 short_secure_channel_id[4]; 78 ssci_t ssci; 79 }; 80 __be64 pn; 81} __packed; 82 83struct gcm_iv { 84 union { 85 u8 secure_channel_id[8]; 86 sci_t sci; 87 }; 88 __be32 pn; 89}; 90 91#define MACSEC_VALIDATE_DEFAULT MACSEC_VALIDATE_STRICT 92 93struct pcpu_secy_stats { 94 struct macsec_dev_stats stats; 95 struct u64_stats_sync syncp; 96}; 97 98/** 99 * struct macsec_dev - private data 100 * @secy: SecY config 101 * @real_dev: pointer to underlying netdevice 102 * @dev_tracker: refcount tracker for @real_dev reference 103 * @stats: MACsec device stats 104 * @secys: linked list of SecY's on the underlying device 105 * @gro_cells: pointer to the Generic Receive Offload cell 106 * @offload: status of offloading on the MACsec device 107 */ 108struct macsec_dev { 109 struct macsec_secy secy; 110 struct net_device *real_dev; 111 netdevice_tracker dev_tracker; 112 struct pcpu_secy_stats __percpu *stats; 113 struct list_head secys; 114 struct gro_cells gro_cells; 115 enum macsec_offload offload; 116}; 117 118/** 119 * struct macsec_rxh_data - rx_handler private argument 120 * @secys: linked list of SecY's on this underlying device 121 */ 122struct macsec_rxh_data { 123 struct list_head secys; 124}; 125 126static struct macsec_dev *macsec_priv(const struct net_device *dev) 127{ 128 return (struct macsec_dev *)netdev_priv(dev); 129} 130 131static struct macsec_rxh_data *macsec_data_rcu(const struct net_device *dev) 132{ 133 return rcu_dereference_bh(dev->rx_handler_data); 134} 135 136static struct macsec_rxh_data *macsec_data_rtnl(const struct net_device *dev) 137{ 138 return rtnl_dereference(dev->rx_handler_data); 139} 140 141struct macsec_cb { 142 struct aead_request *req; 143 union { 144 struct macsec_tx_sa *tx_sa; 145 struct macsec_rx_sa *rx_sa; 146 }; 147 u8 assoc_num; 148 bool valid; 149 bool has_sci; 150}; 151 152static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr) 153{ 154 struct macsec_rx_sa *sa = rcu_dereference_bh(ptr); 155 156 if (!sa || !sa->active) 157 return NULL; 158 159 if (!refcount_inc_not_zero(&sa->refcnt)) 160 return NULL; 161 162 return sa; 163} 164 165static void free_rx_sc_rcu(struct rcu_head *head) 166{ 167 struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head); 168 169 free_percpu(rx_sc->stats); 170 kfree(rx_sc); 171} 172 173static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc) 174{ 175 return refcount_inc_not_zero(&sc->refcnt) ? sc : NULL; 176} 177 178static void macsec_rxsc_put(struct macsec_rx_sc *sc) 179{ 180 if (refcount_dec_and_test(&sc->refcnt)) 181 call_rcu(&sc->rcu_head, free_rx_sc_rcu); 182} 183 184static void free_rxsa(struct rcu_head *head) 185{ 186 struct macsec_rx_sa *sa = container_of(head, struct macsec_rx_sa, rcu); 187 188 crypto_free_aead(sa->key.tfm); 189 free_percpu(sa->stats); 190 kfree(sa); 191} 192 193static void macsec_rxsa_put(struct macsec_rx_sa *sa) 194{ 195 if (refcount_dec_and_test(&sa->refcnt)) 196 call_rcu(&sa->rcu, free_rxsa); 197} 198 199static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr) 200{ 201 struct macsec_tx_sa *sa = rcu_dereference_bh(ptr); 202 203 if (!sa || !sa->active) 204 return NULL; 205 206 if (!refcount_inc_not_zero(&sa->refcnt)) 207 return NULL; 208 209 return sa; 210} 211 212static void free_txsa(struct rcu_head *head) 213{ 214 struct macsec_tx_sa *sa = container_of(head, struct macsec_tx_sa, rcu); 215 216 crypto_free_aead(sa->key.tfm); 217 free_percpu(sa->stats); 218 kfree(sa); 219} 220 221static void macsec_txsa_put(struct macsec_tx_sa *sa) 222{ 223 if (refcount_dec_and_test(&sa->refcnt)) 224 call_rcu(&sa->rcu, free_txsa); 225} 226 227static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb) 228{ 229 BUILD_BUG_ON(sizeof(struct macsec_cb) > sizeof(skb->cb)); 230 return (struct macsec_cb *)skb->cb; 231} 232 233#define MACSEC_PORT_ES (htons(0x0001)) 234#define MACSEC_PORT_SCB (0x0000) 235#define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL) 236#define MACSEC_UNDEF_SSCI ((__force ssci_t)0xffffffff) 237 238#define MACSEC_GCM_AES_128_SAK_LEN 16 239#define MACSEC_GCM_AES_256_SAK_LEN 32 240 241#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN 242#define DEFAULT_XPN false 243#define DEFAULT_SEND_SCI true 244#define DEFAULT_ENCRYPT false 245#define DEFAULT_ENCODING_SA 0 246 247static bool send_sci(const struct macsec_secy *secy) 248{ 249 const struct macsec_tx_sc *tx_sc = &secy->tx_sc; 250 251 return tx_sc->send_sci || 252 (secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb); 253} 254 255static sci_t make_sci(const u8 *addr, __be16 port) 256{ 257 sci_t sci; 258 259 memcpy(&sci, addr, ETH_ALEN); 260 memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port)); 261 262 return sci; 263} 264 265static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present) 266{ 267 sci_t sci; 268 269 if (sci_present) 270 memcpy(&sci, hdr->secure_channel_id, 271 sizeof(hdr->secure_channel_id)); 272 else 273 sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES); 274 275 return sci; 276} 277 278static unsigned int macsec_sectag_len(bool sci_present) 279{ 280 return MACSEC_TAG_LEN + (sci_present ? MACSEC_SCI_LEN : 0); 281} 282 283static unsigned int macsec_hdr_len(bool sci_present) 284{ 285 return macsec_sectag_len(sci_present) + ETH_HLEN; 286} 287 288static unsigned int macsec_extra_len(bool sci_present) 289{ 290 return macsec_sectag_len(sci_present) + sizeof(__be16); 291} 292 293/* Fill SecTAG according to IEEE 802.1AE-2006 10.5.3 */ 294static void macsec_fill_sectag(struct macsec_eth_header *h, 295 const struct macsec_secy *secy, u32 pn, 296 bool sci_present) 297{ 298 const struct macsec_tx_sc *tx_sc = &secy->tx_sc; 299 300 memset(&h->tci_an, 0, macsec_sectag_len(sci_present)); 301 h->eth.h_proto = htons(ETH_P_MACSEC); 302 303 if (sci_present) { 304 h->tci_an |= MACSEC_TCI_SC; 305 memcpy(&h->secure_channel_id, &secy->sci, 306 sizeof(h->secure_channel_id)); 307 } else { 308 if (tx_sc->end_station) 309 h->tci_an |= MACSEC_TCI_ES; 310 if (tx_sc->scb) 311 h->tci_an |= MACSEC_TCI_SCB; 312 } 313 314 h->packet_number = htonl(pn); 315 316 /* with GCM, C/E clear for !encrypt, both set for encrypt */ 317 if (tx_sc->encrypt) 318 h->tci_an |= MACSEC_TCI_CONFID; 319 else if (secy->icv_len != DEFAULT_ICV_LEN) 320 h->tci_an |= MACSEC_TCI_C; 321 322 h->tci_an |= tx_sc->encoding_sa; 323} 324 325static void macsec_set_shortlen(struct macsec_eth_header *h, size_t data_len) 326{ 327 if (data_len < MIN_NON_SHORT_LEN) 328 h->short_length = data_len; 329} 330 331/* Checks if a MACsec interface is being offloaded to an hardware engine */ 332static bool macsec_is_offloaded(struct macsec_dev *macsec) 333{ 334 if (macsec->offload == MACSEC_OFFLOAD_MAC || 335 macsec->offload == MACSEC_OFFLOAD_PHY) 336 return true; 337 338 return false; 339} 340 341/* Checks if underlying layers implement MACsec offloading functions. */ 342static bool macsec_check_offload(enum macsec_offload offload, 343 struct macsec_dev *macsec) 344{ 345 if (!macsec || !macsec->real_dev) 346 return false; 347 348 if (offload == MACSEC_OFFLOAD_PHY) 349 return macsec->real_dev->phydev && 350 macsec->real_dev->phydev->macsec_ops; 351 else if (offload == MACSEC_OFFLOAD_MAC) 352 return macsec->real_dev->features & NETIF_F_HW_MACSEC && 353 macsec->real_dev->macsec_ops; 354 355 return false; 356} 357 358static const struct macsec_ops *__macsec_get_ops(enum macsec_offload offload, 359 struct macsec_dev *macsec, 360 struct macsec_context *ctx) 361{ 362 if (ctx) { 363 memset(ctx, 0, sizeof(*ctx)); 364 ctx->offload = offload; 365 366 if (offload == MACSEC_OFFLOAD_PHY) 367 ctx->phydev = macsec->real_dev->phydev; 368 else if (offload == MACSEC_OFFLOAD_MAC) 369 ctx->netdev = macsec->real_dev; 370 } 371 372 if (offload == MACSEC_OFFLOAD_PHY) 373 return macsec->real_dev->phydev->macsec_ops; 374 else 375 return macsec->real_dev->macsec_ops; 376} 377 378/* Returns a pointer to the MACsec ops struct if any and updates the MACsec 379 * context device reference if provided. 380 */ 381static const struct macsec_ops *macsec_get_ops(struct macsec_dev *macsec, 382 struct macsec_context *ctx) 383{ 384 if (!macsec_check_offload(macsec->offload, macsec)) 385 return NULL; 386 387 return __macsec_get_ops(macsec->offload, macsec, ctx); 388} 389 390/* validate MACsec packet according to IEEE 802.1AE-2018 9.12 */ 391static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len, bool xpn) 392{ 393 struct macsec_eth_header *h = (struct macsec_eth_header *)skb->data; 394 int len = skb->len - 2 * ETH_ALEN; 395 int extra_len = macsec_extra_len(!!(h->tci_an & MACSEC_TCI_SC)) + icv_len; 396 397 /* a) It comprises at least 17 octets */ 398 if (skb->len <= 16) 399 return false; 400 401 /* b) MACsec EtherType: already checked */ 402 403 /* c) V bit is clear */ 404 if (h->tci_an & MACSEC_TCI_VERSION) 405 return false; 406 407 /* d) ES or SCB => !SC */ 408 if ((h->tci_an & MACSEC_TCI_ES || h->tci_an & MACSEC_TCI_SCB) && 409 (h->tci_an & MACSEC_TCI_SC)) 410 return false; 411 412 /* e) Bits 7 and 8 of octet 4 of the SecTAG are clear */ 413 if (h->unused) 414 return false; 415 416 /* rx.pn != 0 if not XPN (figure 10-5 with 802.11AEbw-2013 amendment) */ 417 if (!h->packet_number && !xpn) 418 return false; 419 420 /* length check, f) g) h) i) */ 421 if (h->short_length) 422 return len == extra_len + h->short_length; 423 return len >= extra_len + MIN_NON_SHORT_LEN; 424} 425 426#define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true)) 427#define MACSEC_NEEDED_TAILROOM MACSEC_STD_ICV_LEN 428 429static void macsec_fill_iv_xpn(unsigned char *iv, ssci_t ssci, u64 pn, 430 salt_t salt) 431{ 432 struct gcm_iv_xpn *gcm_iv = (struct gcm_iv_xpn *)iv; 433 434 gcm_iv->ssci = ssci ^ salt.ssci; 435 gcm_iv->pn = cpu_to_be64(pn) ^ salt.pn; 436} 437 438static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn) 439{ 440 struct gcm_iv *gcm_iv = (struct gcm_iv *)iv; 441 442 gcm_iv->sci = sci; 443 gcm_iv->pn = htonl(pn); 444} 445 446static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb) 447{ 448 return (struct macsec_eth_header *)skb_mac_header(skb); 449} 450 451static sci_t dev_to_sci(struct net_device *dev, __be16 port) 452{ 453 return make_sci(dev->dev_addr, port); 454} 455 456static void __macsec_pn_wrapped(struct macsec_secy *secy, 457 struct macsec_tx_sa *tx_sa) 458{ 459 pr_debug("PN wrapped, transitioning to !oper\n"); 460 tx_sa->active = false; 461 if (secy->protect_frames) 462 secy->operational = false; 463} 464 465void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa) 466{ 467 spin_lock_bh(&tx_sa->lock); 468 __macsec_pn_wrapped(secy, tx_sa); 469 spin_unlock_bh(&tx_sa->lock); 470} 471EXPORT_SYMBOL_GPL(macsec_pn_wrapped); 472 473static pn_t tx_sa_update_pn(struct macsec_tx_sa *tx_sa, 474 struct macsec_secy *secy) 475{ 476 pn_t pn; 477 478 spin_lock_bh(&tx_sa->lock); 479 480 pn = tx_sa->next_pn_halves; 481 if (secy->xpn) 482 tx_sa->next_pn++; 483 else 484 tx_sa->next_pn_halves.lower++; 485 486 if (tx_sa->next_pn == 0) 487 __macsec_pn_wrapped(secy, tx_sa); 488 spin_unlock_bh(&tx_sa->lock); 489 490 return pn; 491} 492 493static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev) 494{ 495 struct macsec_dev *macsec = netdev_priv(dev); 496 497 skb->dev = macsec->real_dev; 498 skb_reset_mac_header(skb); 499 skb->protocol = eth_hdr(skb)->h_proto; 500} 501 502static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc, 503 struct macsec_tx_sa *tx_sa) 504{ 505 struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats); 506 507 u64_stats_update_begin(&txsc_stats->syncp); 508 if (tx_sc->encrypt) { 509 txsc_stats->stats.OutOctetsEncrypted += skb->len; 510 txsc_stats->stats.OutPktsEncrypted++; 511 this_cpu_inc(tx_sa->stats->OutPktsEncrypted); 512 } else { 513 txsc_stats->stats.OutOctetsProtected += skb->len; 514 txsc_stats->stats.OutPktsProtected++; 515 this_cpu_inc(tx_sa->stats->OutPktsProtected); 516 } 517 u64_stats_update_end(&txsc_stats->syncp); 518} 519 520static void count_tx(struct net_device *dev, int ret, int len) 521{ 522 if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) { 523 struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats); 524 525 u64_stats_update_begin(&stats->syncp); 526 stats->tx_packets++; 527 stats->tx_bytes += len; 528 u64_stats_update_end(&stats->syncp); 529 } 530} 531 532static void macsec_encrypt_done(struct crypto_async_request *base, int err) 533{ 534 struct sk_buff *skb = base->data; 535 struct net_device *dev = skb->dev; 536 struct macsec_dev *macsec = macsec_priv(dev); 537 struct macsec_tx_sa *sa = macsec_skb_cb(skb)->tx_sa; 538 int len, ret; 539 540 aead_request_free(macsec_skb_cb(skb)->req); 541 542 rcu_read_lock_bh(); 543 macsec_encrypt_finish(skb, dev); 544 macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa); 545 len = skb->len; 546 ret = dev_queue_xmit(skb); 547 count_tx(dev, ret, len); 548 rcu_read_unlock_bh(); 549 550 macsec_txsa_put(sa); 551 dev_put(dev); 552} 553 554static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm, 555 unsigned char **iv, 556 struct scatterlist **sg, 557 int num_frags) 558{ 559 size_t size, iv_offset, sg_offset; 560 struct aead_request *req; 561 void *tmp; 562 563 size = sizeof(struct aead_request) + crypto_aead_reqsize(tfm); 564 iv_offset = size; 565 size += GCM_AES_IV_LEN; 566 567 size = ALIGN(size, __alignof__(struct scatterlist)); 568 sg_offset = size; 569 size += sizeof(struct scatterlist) * num_frags; 570 571 tmp = kmalloc(size, GFP_ATOMIC); 572 if (!tmp) 573 return NULL; 574 575 *iv = (unsigned char *)(tmp + iv_offset); 576 *sg = (struct scatterlist *)(tmp + sg_offset); 577 req = tmp; 578 579 aead_request_set_tfm(req, tfm); 580 581 return req; 582} 583 584static struct sk_buff *macsec_encrypt(struct sk_buff *skb, 585 struct net_device *dev) 586{ 587 int ret; 588 struct scatterlist *sg; 589 struct sk_buff *trailer; 590 unsigned char *iv; 591 struct ethhdr *eth; 592 struct macsec_eth_header *hh; 593 size_t unprotected_len; 594 struct aead_request *req; 595 struct macsec_secy *secy; 596 struct macsec_tx_sc *tx_sc; 597 struct macsec_tx_sa *tx_sa; 598 struct macsec_dev *macsec = macsec_priv(dev); 599 bool sci_present; 600 pn_t pn; 601 602 secy = &macsec->secy; 603 tx_sc = &secy->tx_sc; 604 605 /* 10.5.1 TX SA assignment */ 606 tx_sa = macsec_txsa_get(tx_sc->sa[tx_sc->encoding_sa]); 607 if (!tx_sa) { 608 secy->operational = false; 609 kfree_skb(skb); 610 return ERR_PTR(-EINVAL); 611 } 612 613 if (unlikely(skb_headroom(skb) < MACSEC_NEEDED_HEADROOM || 614 skb_tailroom(skb) < MACSEC_NEEDED_TAILROOM)) { 615 struct sk_buff *nskb = skb_copy_expand(skb, 616 MACSEC_NEEDED_HEADROOM, 617 MACSEC_NEEDED_TAILROOM, 618 GFP_ATOMIC); 619 if (likely(nskb)) { 620 consume_skb(skb); 621 skb = nskb; 622 } else { 623 macsec_txsa_put(tx_sa); 624 kfree_skb(skb); 625 return ERR_PTR(-ENOMEM); 626 } 627 } else { 628 skb = skb_unshare(skb, GFP_ATOMIC); 629 if (!skb) { 630 macsec_txsa_put(tx_sa); 631 return ERR_PTR(-ENOMEM); 632 } 633 } 634 635 unprotected_len = skb->len; 636 eth = eth_hdr(skb); 637 sci_present = send_sci(secy); 638 hh = skb_push(skb, macsec_extra_len(sci_present)); 639 memmove(hh, eth, 2 * ETH_ALEN); 640 641 pn = tx_sa_update_pn(tx_sa, secy); 642 if (pn.full64 == 0) { 643 macsec_txsa_put(tx_sa); 644 kfree_skb(skb); 645 return ERR_PTR(-ENOLINK); 646 } 647 macsec_fill_sectag(hh, secy, pn.lower, sci_present); 648 macsec_set_shortlen(hh, unprotected_len - 2 * ETH_ALEN); 649 650 skb_put(skb, secy->icv_len); 651 652 if (skb->len - ETH_HLEN > macsec_priv(dev)->real_dev->mtu) { 653 struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats); 654 655 u64_stats_update_begin(&secy_stats->syncp); 656 secy_stats->stats.OutPktsTooLong++; 657 u64_stats_update_end(&secy_stats->syncp); 658 659 macsec_txsa_put(tx_sa); 660 kfree_skb(skb); 661 return ERR_PTR(-EINVAL); 662 } 663 664 ret = skb_cow_data(skb, 0, &trailer); 665 if (unlikely(ret < 0)) { 666 macsec_txsa_put(tx_sa); 667 kfree_skb(skb); 668 return ERR_PTR(ret); 669 } 670 671 req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret); 672 if (!req) { 673 macsec_txsa_put(tx_sa); 674 kfree_skb(skb); 675 return ERR_PTR(-ENOMEM); 676 } 677 678 if (secy->xpn) 679 macsec_fill_iv_xpn(iv, tx_sa->ssci, pn.full64, tx_sa->key.salt); 680 else 681 macsec_fill_iv(iv, secy->sci, pn.lower); 682 683 sg_init_table(sg, ret); 684 ret = skb_to_sgvec(skb, sg, 0, skb->len); 685 if (unlikely(ret < 0)) { 686 aead_request_free(req); 687 macsec_txsa_put(tx_sa); 688 kfree_skb(skb); 689 return ERR_PTR(ret); 690 } 691 692 if (tx_sc->encrypt) { 693 int len = skb->len - macsec_hdr_len(sci_present) - 694 secy->icv_len; 695 aead_request_set_crypt(req, sg, sg, len, iv); 696 aead_request_set_ad(req, macsec_hdr_len(sci_present)); 697 } else { 698 aead_request_set_crypt(req, sg, sg, 0, iv); 699 aead_request_set_ad(req, skb->len - secy->icv_len); 700 } 701 702 macsec_skb_cb(skb)->req = req; 703 macsec_skb_cb(skb)->tx_sa = tx_sa; 704 aead_request_set_callback(req, 0, macsec_encrypt_done, skb); 705 706 dev_hold(skb->dev); 707 ret = crypto_aead_encrypt(req); 708 if (ret == -EINPROGRESS) { 709 return ERR_PTR(ret); 710 } else if (ret != 0) { 711 dev_put(skb->dev); 712 kfree_skb(skb); 713 aead_request_free(req); 714 macsec_txsa_put(tx_sa); 715 return ERR_PTR(-EINVAL); 716 } 717 718 dev_put(skb->dev); 719 aead_request_free(req); 720 macsec_txsa_put(tx_sa); 721 722 return skb; 723} 724 725static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u32 pn) 726{ 727 struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa; 728 struct pcpu_rx_sc_stats *rxsc_stats = this_cpu_ptr(rx_sa->sc->stats); 729 struct macsec_eth_header *hdr = macsec_ethhdr(skb); 730 u32 lowest_pn = 0; 731 732 spin_lock(&rx_sa->lock); 733 if (rx_sa->next_pn_halves.lower >= secy->replay_window) 734 lowest_pn = rx_sa->next_pn_halves.lower - secy->replay_window; 735 736 /* Now perform replay protection check again 737 * (see IEEE 802.1AE-2006 figure 10-5) 738 */ 739 if (secy->replay_protect && pn < lowest_pn && 740 (!secy->xpn || pn_same_half(pn, lowest_pn))) { 741 spin_unlock(&rx_sa->lock); 742 u64_stats_update_begin(&rxsc_stats->syncp); 743 rxsc_stats->stats.InPktsLate++; 744 u64_stats_update_end(&rxsc_stats->syncp); 745 return false; 746 } 747 748 if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) { 749 u64_stats_update_begin(&rxsc_stats->syncp); 750 if (hdr->tci_an & MACSEC_TCI_E) 751 rxsc_stats->stats.InOctetsDecrypted += skb->len; 752 else 753 rxsc_stats->stats.InOctetsValidated += skb->len; 754 u64_stats_update_end(&rxsc_stats->syncp); 755 } 756 757 if (!macsec_skb_cb(skb)->valid) { 758 spin_unlock(&rx_sa->lock); 759 760 /* 10.6.5 */ 761 if (hdr->tci_an & MACSEC_TCI_C || 762 secy->validate_frames == MACSEC_VALIDATE_STRICT) { 763 u64_stats_update_begin(&rxsc_stats->syncp); 764 rxsc_stats->stats.InPktsNotValid++; 765 u64_stats_update_end(&rxsc_stats->syncp); 766 return false; 767 } 768 769 u64_stats_update_begin(&rxsc_stats->syncp); 770 if (secy->validate_frames == MACSEC_VALIDATE_CHECK) { 771 rxsc_stats->stats.InPktsInvalid++; 772 this_cpu_inc(rx_sa->stats->InPktsInvalid); 773 } else if (pn < lowest_pn) { 774 rxsc_stats->stats.InPktsDelayed++; 775 } else { 776 rxsc_stats->stats.InPktsUnchecked++; 777 } 778 u64_stats_update_end(&rxsc_stats->syncp); 779 } else { 780 u64_stats_update_begin(&rxsc_stats->syncp); 781 if (pn < lowest_pn) { 782 rxsc_stats->stats.InPktsDelayed++; 783 } else { 784 rxsc_stats->stats.InPktsOK++; 785 this_cpu_inc(rx_sa->stats->InPktsOK); 786 } 787 u64_stats_update_end(&rxsc_stats->syncp); 788 789 // Instead of "pn >=" - to support pn overflow in xpn 790 if (pn + 1 > rx_sa->next_pn_halves.lower) { 791 rx_sa->next_pn_halves.lower = pn + 1; 792 } else if (secy->xpn && 793 !pn_same_half(pn, rx_sa->next_pn_halves.lower)) { 794 rx_sa->next_pn_halves.upper++; 795 rx_sa->next_pn_halves.lower = pn + 1; 796 } 797 798 spin_unlock(&rx_sa->lock); 799 } 800 801 return true; 802} 803 804static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev) 805{ 806 skb->pkt_type = PACKET_HOST; 807 skb->protocol = eth_type_trans(skb, dev); 808 809 skb_reset_network_header(skb); 810 if (!skb_transport_header_was_set(skb)) 811 skb_reset_transport_header(skb); 812 skb_reset_mac_len(skb); 813} 814 815static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len) 816{ 817 skb->ip_summed = CHECKSUM_NONE; 818 memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN); 819 skb_pull(skb, hdr_len); 820 pskb_trim_unique(skb, skb->len - icv_len); 821} 822 823static void count_rx(struct net_device *dev, int len) 824{ 825 struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats); 826 827 u64_stats_update_begin(&stats->syncp); 828 stats->rx_packets++; 829 stats->rx_bytes += len; 830 u64_stats_update_end(&stats->syncp); 831} 832 833static void macsec_decrypt_done(struct crypto_async_request *base, int err) 834{ 835 struct sk_buff *skb = base->data; 836 struct net_device *dev = skb->dev; 837 struct macsec_dev *macsec = macsec_priv(dev); 838 struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa; 839 struct macsec_rx_sc *rx_sc = rx_sa->sc; 840 int len; 841 u32 pn; 842 843 aead_request_free(macsec_skb_cb(skb)->req); 844 845 if (!err) 846 macsec_skb_cb(skb)->valid = true; 847 848 rcu_read_lock_bh(); 849 pn = ntohl(macsec_ethhdr(skb)->packet_number); 850 if (!macsec_post_decrypt(skb, &macsec->secy, pn)) { 851 rcu_read_unlock_bh(); 852 kfree_skb(skb); 853 goto out; 854 } 855 856 macsec_finalize_skb(skb, macsec->secy.icv_len, 857 macsec_extra_len(macsec_skb_cb(skb)->has_sci)); 858 macsec_reset_skb(skb, macsec->secy.netdev); 859 860 len = skb->len; 861 if (gro_cells_receive(&macsec->gro_cells, skb) == NET_RX_SUCCESS) 862 count_rx(dev, len); 863 864 rcu_read_unlock_bh(); 865 866out: 867 macsec_rxsa_put(rx_sa); 868 macsec_rxsc_put(rx_sc); 869 dev_put(dev); 870} 871 872static struct sk_buff *macsec_decrypt(struct sk_buff *skb, 873 struct net_device *dev, 874 struct macsec_rx_sa *rx_sa, 875 sci_t sci, 876 struct macsec_secy *secy) 877{ 878 int ret; 879 struct scatterlist *sg; 880 struct sk_buff *trailer; 881 unsigned char *iv; 882 struct aead_request *req; 883 struct macsec_eth_header *hdr; 884 u32 hdr_pn; 885 u16 icv_len = secy->icv_len; 886 887 macsec_skb_cb(skb)->valid = false; 888 skb = skb_share_check(skb, GFP_ATOMIC); 889 if (!skb) 890 return ERR_PTR(-ENOMEM); 891 892 ret = skb_cow_data(skb, 0, &trailer); 893 if (unlikely(ret < 0)) { 894 kfree_skb(skb); 895 return ERR_PTR(ret); 896 } 897 req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret); 898 if (!req) { 899 kfree_skb(skb); 900 return ERR_PTR(-ENOMEM); 901 } 902 903 hdr = (struct macsec_eth_header *)skb->data; 904 hdr_pn = ntohl(hdr->packet_number); 905 906 if (secy->xpn) { 907 pn_t recovered_pn = rx_sa->next_pn_halves; 908 909 recovered_pn.lower = hdr_pn; 910 if (hdr_pn < rx_sa->next_pn_halves.lower && 911 !pn_same_half(hdr_pn, rx_sa->next_pn_halves.lower)) 912 recovered_pn.upper++; 913 914 macsec_fill_iv_xpn(iv, rx_sa->ssci, recovered_pn.full64, 915 rx_sa->key.salt); 916 } else { 917 macsec_fill_iv(iv, sci, hdr_pn); 918 } 919 920 sg_init_table(sg, ret); 921 ret = skb_to_sgvec(skb, sg, 0, skb->len); 922 if (unlikely(ret < 0)) { 923 aead_request_free(req); 924 kfree_skb(skb); 925 return ERR_PTR(ret); 926 } 927 928 if (hdr->tci_an & MACSEC_TCI_E) { 929 /* confidentiality: ethernet + macsec header 930 * authenticated, encrypted payload 931 */ 932 int len = skb->len - macsec_hdr_len(macsec_skb_cb(skb)->has_sci); 933 934 aead_request_set_crypt(req, sg, sg, len, iv); 935 aead_request_set_ad(req, macsec_hdr_len(macsec_skb_cb(skb)->has_sci)); 936 skb = skb_unshare(skb, GFP_ATOMIC); 937 if (!skb) { 938 aead_request_free(req); 939 return ERR_PTR(-ENOMEM); 940 } 941 } else { 942 /* integrity only: all headers + data authenticated */ 943 aead_request_set_crypt(req, sg, sg, icv_len, iv); 944 aead_request_set_ad(req, skb->len - icv_len); 945 } 946 947 macsec_skb_cb(skb)->req = req; 948 skb->dev = dev; 949 aead_request_set_callback(req, 0, macsec_decrypt_done, skb); 950 951 dev_hold(dev); 952 ret = crypto_aead_decrypt(req); 953 if (ret == -EINPROGRESS) { 954 return ERR_PTR(ret); 955 } else if (ret != 0) { 956 /* decryption/authentication failed 957 * 10.6 if validateFrames is disabled, deliver anyway 958 */ 959 if (ret != -EBADMSG) { 960 kfree_skb(skb); 961 skb = ERR_PTR(ret); 962 } 963 } else { 964 macsec_skb_cb(skb)->valid = true; 965 } 966 dev_put(dev); 967 968 aead_request_free(req); 969 970 return skb; 971} 972 973static struct macsec_rx_sc *find_rx_sc(struct macsec_secy *secy, sci_t sci) 974{ 975 struct macsec_rx_sc *rx_sc; 976 977 for_each_rxsc(secy, rx_sc) { 978 if (rx_sc->sci == sci) 979 return rx_sc; 980 } 981 982 return NULL; 983} 984 985static struct macsec_rx_sc *find_rx_sc_rtnl(struct macsec_secy *secy, sci_t sci) 986{ 987 struct macsec_rx_sc *rx_sc; 988 989 for_each_rxsc_rtnl(secy, rx_sc) { 990 if (rx_sc->sci == sci) 991 return rx_sc; 992 } 993 994 return NULL; 995} 996 997static enum rx_handler_result handle_not_macsec(struct sk_buff *skb) 998{ 999 /* Deliver to the uncontrolled port by default */ 1000 enum rx_handler_result ret = RX_HANDLER_PASS; 1001 struct ethhdr *hdr = eth_hdr(skb); 1002 struct macsec_rxh_data *rxd; 1003 struct macsec_dev *macsec; 1004 1005 rcu_read_lock(); 1006 rxd = macsec_data_rcu(skb->dev); 1007 1008 list_for_each_entry_rcu(macsec, &rxd->secys, secys) { 1009 struct sk_buff *nskb; 1010 struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats); 1011 struct net_device *ndev = macsec->secy.netdev; 1012 1013 /* If h/w offloading is enabled, HW decodes frames and strips 1014 * the SecTAG, so we have to deduce which port to deliver to. 1015 */ 1016 if (macsec_is_offloaded(macsec) && netif_running(ndev)) { 1017 if (ether_addr_equal_64bits(hdr->h_dest, 1018 ndev->dev_addr)) { 1019 /* exact match, divert skb to this port */ 1020 skb->dev = ndev; 1021 skb->pkt_type = PACKET_HOST; 1022 ret = RX_HANDLER_ANOTHER; 1023 goto out; 1024 } else if (is_multicast_ether_addr_64bits( 1025 hdr->h_dest)) { 1026 /* multicast frame, deliver on this port too */ 1027 nskb = skb_clone(skb, GFP_ATOMIC); 1028 if (!nskb) 1029 break; 1030 1031 nskb->dev = ndev; 1032 if (ether_addr_equal_64bits(hdr->h_dest, 1033 ndev->broadcast)) 1034 nskb->pkt_type = PACKET_BROADCAST; 1035 else 1036 nskb->pkt_type = PACKET_MULTICAST; 1037 1038 __netif_rx(nskb); 1039 } 1040 continue; 1041 } 1042 1043 /* 10.6 If the management control validateFrames is not 1044 * Strict, frames without a SecTAG are received, counted, and 1045 * delivered to the Controlled Port 1046 */ 1047 if (macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) { 1048 u64_stats_update_begin(&secy_stats->syncp); 1049 secy_stats->stats.InPktsNoTag++; 1050 u64_stats_update_end(&secy_stats->syncp); 1051 continue; 1052 } 1053 1054 /* deliver on this port */ 1055 nskb = skb_clone(skb, GFP_ATOMIC); 1056 if (!nskb) 1057 break; 1058 1059 nskb->dev = ndev; 1060 1061 if (__netif_rx(nskb) == NET_RX_SUCCESS) { 1062 u64_stats_update_begin(&secy_stats->syncp); 1063 secy_stats->stats.InPktsUntagged++; 1064 u64_stats_update_end(&secy_stats->syncp); 1065 } 1066 } 1067 1068out: 1069 rcu_read_unlock(); 1070 return ret; 1071} 1072 1073static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) 1074{ 1075 struct sk_buff *skb = *pskb; 1076 struct net_device *dev = skb->dev; 1077 struct macsec_eth_header *hdr; 1078 struct macsec_secy *secy = NULL; 1079 struct macsec_rx_sc *rx_sc; 1080 struct macsec_rx_sa *rx_sa; 1081 struct macsec_rxh_data *rxd; 1082 struct macsec_dev *macsec; 1083 unsigned int len; 1084 sci_t sci; 1085 u32 hdr_pn; 1086 bool cbit; 1087 struct pcpu_rx_sc_stats *rxsc_stats; 1088 struct pcpu_secy_stats *secy_stats; 1089 bool pulled_sci; 1090 int ret; 1091 1092 if (skb_headroom(skb) < ETH_HLEN) 1093 goto drop_direct; 1094 1095 hdr = macsec_ethhdr(skb); 1096 if (hdr->eth.h_proto != htons(ETH_P_MACSEC)) 1097 return handle_not_macsec(skb); 1098 1099 skb = skb_unshare(skb, GFP_ATOMIC); 1100 *pskb = skb; 1101 if (!skb) 1102 return RX_HANDLER_CONSUMED; 1103 1104 pulled_sci = pskb_may_pull(skb, macsec_extra_len(true)); 1105 if (!pulled_sci) { 1106 if (!pskb_may_pull(skb, macsec_extra_len(false))) 1107 goto drop_direct; 1108 } 1109 1110 hdr = macsec_ethhdr(skb); 1111 1112 /* Frames with a SecTAG that has the TCI E bit set but the C 1113 * bit clear are discarded, as this reserved encoding is used 1114 * to identify frames with a SecTAG that are not to be 1115 * delivered to the Controlled Port. 1116 */ 1117 if ((hdr->tci_an & (MACSEC_TCI_C | MACSEC_TCI_E)) == MACSEC_TCI_E) 1118 return RX_HANDLER_PASS; 1119 1120 /* now, pull the extra length */ 1121 if (hdr->tci_an & MACSEC_TCI_SC) { 1122 if (!pulled_sci) 1123 goto drop_direct; 1124 } 1125 1126 /* ethernet header is part of crypto processing */ 1127 skb_push(skb, ETH_HLEN); 1128 1129 macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC); 1130 macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK; 1131 sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci); 1132 1133 rcu_read_lock(); 1134 rxd = macsec_data_rcu(skb->dev); 1135 1136 list_for_each_entry_rcu(macsec, &rxd->secys, secys) { 1137 struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci); 1138 1139 sc = sc ? macsec_rxsc_get(sc) : NULL; 1140 1141 if (sc) { 1142 secy = &macsec->secy; 1143 rx_sc = sc; 1144 break; 1145 } 1146 } 1147 1148 if (!secy) 1149 goto nosci; 1150 1151 dev = secy->netdev; 1152 macsec = macsec_priv(dev); 1153 secy_stats = this_cpu_ptr(macsec->stats); 1154 rxsc_stats = this_cpu_ptr(rx_sc->stats); 1155 1156 if (!macsec_validate_skb(skb, secy->icv_len, secy->xpn)) { 1157 u64_stats_update_begin(&secy_stats->syncp); 1158 secy_stats->stats.InPktsBadTag++; 1159 u64_stats_update_end(&secy_stats->syncp); 1160 goto drop_nosa; 1161 } 1162 1163 rx_sa = macsec_rxsa_get(rx_sc->sa[macsec_skb_cb(skb)->assoc_num]); 1164 if (!rx_sa) { 1165 /* 10.6.1 if the SA is not in use */ 1166 1167 /* If validateFrames is Strict or the C bit in the 1168 * SecTAG is set, discard 1169 */ 1170 if (hdr->tci_an & MACSEC_TCI_C || 1171 secy->validate_frames == MACSEC_VALIDATE_STRICT) { 1172 u64_stats_update_begin(&rxsc_stats->syncp); 1173 rxsc_stats->stats.InPktsNotUsingSA++; 1174 u64_stats_update_end(&rxsc_stats->syncp); 1175 goto drop_nosa; 1176 } 1177 1178 /* not Strict, the frame (with the SecTAG and ICV 1179 * removed) is delivered to the Controlled Port. 1180 */ 1181 u64_stats_update_begin(&rxsc_stats->syncp); 1182 rxsc_stats->stats.InPktsUnusedSA++; 1183 u64_stats_update_end(&rxsc_stats->syncp); 1184 goto deliver; 1185 } 1186 1187 /* First, PN check to avoid decrypting obviously wrong packets */ 1188 hdr_pn = ntohl(hdr->packet_number); 1189 if (secy->replay_protect) { 1190 bool late; 1191 1192 spin_lock(&rx_sa->lock); 1193 late = rx_sa->next_pn_halves.lower >= secy->replay_window && 1194 hdr_pn < (rx_sa->next_pn_halves.lower - secy->replay_window); 1195 1196 if (secy->xpn) 1197 late = late && pn_same_half(rx_sa->next_pn_halves.lower, hdr_pn); 1198 spin_unlock(&rx_sa->lock); 1199 1200 if (late) { 1201 u64_stats_update_begin(&rxsc_stats->syncp); 1202 rxsc_stats->stats.InPktsLate++; 1203 u64_stats_update_end(&rxsc_stats->syncp); 1204 goto drop; 1205 } 1206 } 1207 1208 macsec_skb_cb(skb)->rx_sa = rx_sa; 1209 1210 /* Disabled && !changed text => skip validation */ 1211 if (hdr->tci_an & MACSEC_TCI_C || 1212 secy->validate_frames != MACSEC_VALIDATE_DISABLED) 1213 skb = macsec_decrypt(skb, dev, rx_sa, sci, secy); 1214 1215 if (IS_ERR(skb)) { 1216 /* the decrypt callback needs the reference */ 1217 if (PTR_ERR(skb) != -EINPROGRESS) { 1218 macsec_rxsa_put(rx_sa); 1219 macsec_rxsc_put(rx_sc); 1220 } 1221 rcu_read_unlock(); 1222 *pskb = NULL; 1223 return RX_HANDLER_CONSUMED; 1224 } 1225 1226 if (!macsec_post_decrypt(skb, secy, hdr_pn)) 1227 goto drop; 1228 1229deliver: 1230 macsec_finalize_skb(skb, secy->icv_len, 1231 macsec_extra_len(macsec_skb_cb(skb)->has_sci)); 1232 macsec_reset_skb(skb, secy->netdev); 1233 1234 if (rx_sa) 1235 macsec_rxsa_put(rx_sa); 1236 macsec_rxsc_put(rx_sc); 1237 1238 skb_orphan(skb); 1239 len = skb->len; 1240 ret = gro_cells_receive(&macsec->gro_cells, skb); 1241 if (ret == NET_RX_SUCCESS) 1242 count_rx(dev, len); 1243 else 1244 macsec->secy.netdev->stats.rx_dropped++; 1245 1246 rcu_read_unlock(); 1247 1248 *pskb = NULL; 1249 return RX_HANDLER_CONSUMED; 1250 1251drop: 1252 macsec_rxsa_put(rx_sa); 1253drop_nosa: 1254 macsec_rxsc_put(rx_sc); 1255 rcu_read_unlock(); 1256drop_direct: 1257 kfree_skb(skb); 1258 *pskb = NULL; 1259 return RX_HANDLER_CONSUMED; 1260 1261nosci: 1262 /* 10.6.1 if the SC is not found */ 1263 cbit = !!(hdr->tci_an & MACSEC_TCI_C); 1264 if (!cbit) 1265 macsec_finalize_skb(skb, DEFAULT_ICV_LEN, 1266 macsec_extra_len(macsec_skb_cb(skb)->has_sci)); 1267 1268 list_for_each_entry_rcu(macsec, &rxd->secys, secys) { 1269 struct sk_buff *nskb; 1270 1271 secy_stats = this_cpu_ptr(macsec->stats); 1272 1273 /* If validateFrames is Strict or the C bit in the 1274 * SecTAG is set, discard 1275 */ 1276 if (cbit || 1277 macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) { 1278 u64_stats_update_begin(&secy_stats->syncp); 1279 secy_stats->stats.InPktsNoSCI++; 1280 u64_stats_update_end(&secy_stats->syncp); 1281 continue; 1282 } 1283 1284 /* not strict, the frame (with the SecTAG and ICV 1285 * removed) is delivered to the Controlled Port. 1286 */ 1287 nskb = skb_clone(skb, GFP_ATOMIC); 1288 if (!nskb) 1289 break; 1290 1291 macsec_reset_skb(nskb, macsec->secy.netdev); 1292 1293 ret = __netif_rx(nskb); 1294 if (ret == NET_RX_SUCCESS) { 1295 u64_stats_update_begin(&secy_stats->syncp); 1296 secy_stats->stats.InPktsUnknownSCI++; 1297 u64_stats_update_end(&secy_stats->syncp); 1298 } else { 1299 macsec->secy.netdev->stats.rx_dropped++; 1300 } 1301 } 1302 1303 rcu_read_unlock(); 1304 *pskb = skb; 1305 return RX_HANDLER_PASS; 1306} 1307 1308static struct crypto_aead *macsec_alloc_tfm(char *key, int key_len, int icv_len) 1309{ 1310 struct crypto_aead *tfm; 1311 int ret; 1312 1313 /* Pick a sync gcm(aes) cipher to ensure order is preserved. */ 1314 tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC); 1315 1316 if (IS_ERR(tfm)) 1317 return tfm; 1318 1319 ret = crypto_aead_setkey(tfm, key, key_len); 1320 if (ret < 0) 1321 goto fail; 1322 1323 ret = crypto_aead_setauthsize(tfm, icv_len); 1324 if (ret < 0) 1325 goto fail; 1326 1327 return tfm; 1328fail: 1329 crypto_free_aead(tfm); 1330 return ERR_PTR(ret); 1331} 1332 1333static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len, 1334 int icv_len) 1335{ 1336 rx_sa->stats = alloc_percpu(struct macsec_rx_sa_stats); 1337 if (!rx_sa->stats) 1338 return -ENOMEM; 1339 1340 rx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len); 1341 if (IS_ERR(rx_sa->key.tfm)) { 1342 free_percpu(rx_sa->stats); 1343 return PTR_ERR(rx_sa->key.tfm); 1344 } 1345 1346 rx_sa->ssci = MACSEC_UNDEF_SSCI; 1347 rx_sa->active = false; 1348 rx_sa->next_pn = 1; 1349 refcount_set(&rx_sa->refcnt, 1); 1350 spin_lock_init(&rx_sa->lock); 1351 1352 return 0; 1353} 1354 1355static void clear_rx_sa(struct macsec_rx_sa *rx_sa) 1356{ 1357 rx_sa->active = false; 1358 1359 macsec_rxsa_put(rx_sa); 1360} 1361 1362static void free_rx_sc(struct macsec_rx_sc *rx_sc) 1363{ 1364 int i; 1365 1366 for (i = 0; i < MACSEC_NUM_AN; i++) { 1367 struct macsec_rx_sa *sa = rtnl_dereference(rx_sc->sa[i]); 1368 1369 RCU_INIT_POINTER(rx_sc->sa[i], NULL); 1370 if (sa) 1371 clear_rx_sa(sa); 1372 } 1373 1374 macsec_rxsc_put(rx_sc); 1375} 1376 1377static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci) 1378{ 1379 struct macsec_rx_sc *rx_sc, __rcu **rx_scp; 1380 1381 for (rx_scp = &secy->rx_sc, rx_sc = rtnl_dereference(*rx_scp); 1382 rx_sc; 1383 rx_scp = &rx_sc->next, rx_sc = rtnl_dereference(*rx_scp)) { 1384 if (rx_sc->sci == sci) { 1385 if (rx_sc->active) 1386 secy->n_rx_sc--; 1387 rcu_assign_pointer(*rx_scp, rx_sc->next); 1388 return rx_sc; 1389 } 1390 } 1391 1392 return NULL; 1393} 1394 1395static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci) 1396{ 1397 struct macsec_rx_sc *rx_sc; 1398 struct macsec_dev *macsec; 1399 struct net_device *real_dev = macsec_priv(dev)->real_dev; 1400 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev); 1401 struct macsec_secy *secy; 1402 1403 list_for_each_entry(macsec, &rxd->secys, secys) { 1404 if (find_rx_sc_rtnl(&macsec->secy, sci)) 1405 return ERR_PTR(-EEXIST); 1406 } 1407 1408 rx_sc = kzalloc(sizeof(*rx_sc), GFP_KERNEL); 1409 if (!rx_sc) 1410 return ERR_PTR(-ENOMEM); 1411 1412 rx_sc->stats = netdev_alloc_pcpu_stats(struct pcpu_rx_sc_stats); 1413 if (!rx_sc->stats) { 1414 kfree(rx_sc); 1415 return ERR_PTR(-ENOMEM); 1416 } 1417 1418 rx_sc->sci = sci; 1419 rx_sc->active = true; 1420 refcount_set(&rx_sc->refcnt, 1); 1421 1422 secy = &macsec_priv(dev)->secy; 1423 rcu_assign_pointer(rx_sc->next, secy->rx_sc); 1424 rcu_assign_pointer(secy->rx_sc, rx_sc); 1425 1426 if (rx_sc->active) 1427 secy->n_rx_sc++; 1428 1429 return rx_sc; 1430} 1431 1432static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len, 1433 int icv_len) 1434{ 1435 tx_sa->stats = alloc_percpu(struct macsec_tx_sa_stats); 1436 if (!tx_sa->stats) 1437 return -ENOMEM; 1438 1439 tx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len); 1440 if (IS_ERR(tx_sa->key.tfm)) { 1441 free_percpu(tx_sa->stats); 1442 return PTR_ERR(tx_sa->key.tfm); 1443 } 1444 1445 tx_sa->ssci = MACSEC_UNDEF_SSCI; 1446 tx_sa->active = false; 1447 refcount_set(&tx_sa->refcnt, 1); 1448 spin_lock_init(&tx_sa->lock); 1449 1450 return 0; 1451} 1452 1453static void clear_tx_sa(struct macsec_tx_sa *tx_sa) 1454{ 1455 tx_sa->active = false; 1456 1457 macsec_txsa_put(tx_sa); 1458} 1459 1460static struct genl_family macsec_fam; 1461 1462static struct net_device *get_dev_from_nl(struct net *net, 1463 struct nlattr **attrs) 1464{ 1465 int ifindex = nla_get_u32(attrs[MACSEC_ATTR_IFINDEX]); 1466 struct net_device *dev; 1467 1468 dev = __dev_get_by_index(net, ifindex); 1469 if (!dev) 1470 return ERR_PTR(-ENODEV); 1471 1472 if (!netif_is_macsec(dev)) 1473 return ERR_PTR(-ENODEV); 1474 1475 return dev; 1476} 1477 1478static enum macsec_offload nla_get_offload(const struct nlattr *nla) 1479{ 1480 return (__force enum macsec_offload)nla_get_u8(nla); 1481} 1482 1483static sci_t nla_get_sci(const struct nlattr *nla) 1484{ 1485 return (__force sci_t)nla_get_u64(nla); 1486} 1487 1488static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value, 1489 int padattr) 1490{ 1491 return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr); 1492} 1493 1494static ssci_t nla_get_ssci(const struct nlattr *nla) 1495{ 1496 return (__force ssci_t)nla_get_u32(nla); 1497} 1498 1499static int nla_put_ssci(struct sk_buff *skb, int attrtype, ssci_t value) 1500{ 1501 return nla_put_u32(skb, attrtype, (__force u64)value); 1502} 1503 1504static struct macsec_tx_sa *get_txsa_from_nl(struct net *net, 1505 struct nlattr **attrs, 1506 struct nlattr **tb_sa, 1507 struct net_device **devp, 1508 struct macsec_secy **secyp, 1509 struct macsec_tx_sc **scp, 1510 u8 *assoc_num) 1511{ 1512 struct net_device *dev; 1513 struct macsec_secy *secy; 1514 struct macsec_tx_sc *tx_sc; 1515 struct macsec_tx_sa *tx_sa; 1516 1517 if (!tb_sa[MACSEC_SA_ATTR_AN]) 1518 return ERR_PTR(-EINVAL); 1519 1520 *assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]); 1521 1522 dev = get_dev_from_nl(net, attrs); 1523 if (IS_ERR(dev)) 1524 return ERR_CAST(dev); 1525 1526 if (*assoc_num >= MACSEC_NUM_AN) 1527 return ERR_PTR(-EINVAL); 1528 1529 secy = &macsec_priv(dev)->secy; 1530 tx_sc = &secy->tx_sc; 1531 1532 tx_sa = rtnl_dereference(tx_sc->sa[*assoc_num]); 1533 if (!tx_sa) 1534 return ERR_PTR(-ENODEV); 1535 1536 *devp = dev; 1537 *scp = tx_sc; 1538 *secyp = secy; 1539 return tx_sa; 1540} 1541 1542static struct macsec_rx_sc *get_rxsc_from_nl(struct net *net, 1543 struct nlattr **attrs, 1544 struct nlattr **tb_rxsc, 1545 struct net_device **devp, 1546 struct macsec_secy **secyp) 1547{ 1548 struct net_device *dev; 1549 struct macsec_secy *secy; 1550 struct macsec_rx_sc *rx_sc; 1551 sci_t sci; 1552 1553 dev = get_dev_from_nl(net, attrs); 1554 if (IS_ERR(dev)) 1555 return ERR_CAST(dev); 1556 1557 secy = &macsec_priv(dev)->secy; 1558 1559 if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI]) 1560 return ERR_PTR(-EINVAL); 1561 1562 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]); 1563 rx_sc = find_rx_sc_rtnl(secy, sci); 1564 if (!rx_sc) 1565 return ERR_PTR(-ENODEV); 1566 1567 *secyp = secy; 1568 *devp = dev; 1569 1570 return rx_sc; 1571} 1572 1573static struct macsec_rx_sa *get_rxsa_from_nl(struct net *net, 1574 struct nlattr **attrs, 1575 struct nlattr **tb_rxsc, 1576 struct nlattr **tb_sa, 1577 struct net_device **devp, 1578 struct macsec_secy **secyp, 1579 struct macsec_rx_sc **scp, 1580 u8 *assoc_num) 1581{ 1582 struct macsec_rx_sc *rx_sc; 1583 struct macsec_rx_sa *rx_sa; 1584 1585 if (!tb_sa[MACSEC_SA_ATTR_AN]) 1586 return ERR_PTR(-EINVAL); 1587 1588 *assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]); 1589 if (*assoc_num >= MACSEC_NUM_AN) 1590 return ERR_PTR(-EINVAL); 1591 1592 rx_sc = get_rxsc_from_nl(net, attrs, tb_rxsc, devp, secyp); 1593 if (IS_ERR(rx_sc)) 1594 return ERR_CAST(rx_sc); 1595 1596 rx_sa = rtnl_dereference(rx_sc->sa[*assoc_num]); 1597 if (!rx_sa) 1598 return ERR_PTR(-ENODEV); 1599 1600 *scp = rx_sc; 1601 return rx_sa; 1602} 1603 1604static const struct nla_policy macsec_genl_policy[NUM_MACSEC_ATTR] = { 1605 [MACSEC_ATTR_IFINDEX] = { .type = NLA_U32 }, 1606 [MACSEC_ATTR_RXSC_CONFIG] = { .type = NLA_NESTED }, 1607 [MACSEC_ATTR_SA_CONFIG] = { .type = NLA_NESTED }, 1608 [MACSEC_ATTR_OFFLOAD] = { .type = NLA_NESTED }, 1609}; 1610 1611static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_RXSC_ATTR] = { 1612 [MACSEC_RXSC_ATTR_SCI] = { .type = NLA_U64 }, 1613 [MACSEC_RXSC_ATTR_ACTIVE] = { .type = NLA_U8 }, 1614}; 1615 1616static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = { 1617 [MACSEC_SA_ATTR_AN] = { .type = NLA_U8 }, 1618 [MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 }, 1619 [MACSEC_SA_ATTR_PN] = NLA_POLICY_MIN_LEN(4), 1620 [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY, 1621 .len = MACSEC_KEYID_LEN, }, 1622 [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY, 1623 .len = MACSEC_MAX_KEY_LEN, }, 1624 [MACSEC_SA_ATTR_SSCI] = { .type = NLA_U32 }, 1625 [MACSEC_SA_ATTR_SALT] = { .type = NLA_BINARY, 1626 .len = MACSEC_SALT_LEN, }, 1627}; 1628 1629static const struct nla_policy macsec_genl_offload_policy[NUM_MACSEC_OFFLOAD_ATTR] = { 1630 [MACSEC_OFFLOAD_ATTR_TYPE] = { .type = NLA_U8 }, 1631}; 1632 1633/* Offloads an operation to a device driver */ 1634static int macsec_offload(int (* const func)(struct macsec_context *), 1635 struct macsec_context *ctx) 1636{ 1637 int ret; 1638 1639 if (unlikely(!func)) 1640 return 0; 1641 1642 if (ctx->offload == MACSEC_OFFLOAD_PHY) 1643 mutex_lock(&ctx->phydev->lock); 1644 1645 /* Phase I: prepare. The drive should fail here if there are going to be 1646 * issues in the commit phase. 1647 */ 1648 ctx->prepare = true; 1649 ret = (*func)(ctx); 1650 if (ret) 1651 goto phy_unlock; 1652 1653 /* Phase II: commit. This step cannot fail. */ 1654 ctx->prepare = false; 1655 ret = (*func)(ctx); 1656 /* This should never happen: commit is not allowed to fail */ 1657 if (unlikely(ret)) 1658 WARN(1, "MACsec offloading commit failed (%d)\n", ret); 1659 1660phy_unlock: 1661 if (ctx->offload == MACSEC_OFFLOAD_PHY) 1662 mutex_unlock(&ctx->phydev->lock); 1663 1664 return ret; 1665} 1666 1667static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa) 1668{ 1669 if (!attrs[MACSEC_ATTR_SA_CONFIG]) 1670 return -EINVAL; 1671 1672 if (nla_parse_nested_deprecated(tb_sa, MACSEC_SA_ATTR_MAX, attrs[MACSEC_ATTR_SA_CONFIG], macsec_genl_sa_policy, NULL)) 1673 return -EINVAL; 1674 1675 return 0; 1676} 1677 1678static int parse_rxsc_config(struct nlattr **attrs, struct nlattr **tb_rxsc) 1679{ 1680 if (!attrs[MACSEC_ATTR_RXSC_CONFIG]) 1681 return -EINVAL; 1682 1683 if (nla_parse_nested_deprecated(tb_rxsc, MACSEC_RXSC_ATTR_MAX, attrs[MACSEC_ATTR_RXSC_CONFIG], macsec_genl_rxsc_policy, NULL)) 1684 return -EINVAL; 1685 1686 return 0; 1687} 1688 1689static bool validate_add_rxsa(struct nlattr **attrs) 1690{ 1691 if (!attrs[MACSEC_SA_ATTR_AN] || 1692 !attrs[MACSEC_SA_ATTR_KEY] || 1693 !attrs[MACSEC_SA_ATTR_KEYID]) 1694 return false; 1695 1696 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) 1697 return false; 1698 1699 if (attrs[MACSEC_SA_ATTR_PN] && 1700 *(u64 *)nla_data(attrs[MACSEC_SA_ATTR_PN]) == 0) 1701 return false; 1702 1703 if (attrs[MACSEC_SA_ATTR_ACTIVE]) { 1704 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1) 1705 return false; 1706 } 1707 1708 if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN) 1709 return false; 1710 1711 return true; 1712} 1713 1714static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) 1715{ 1716 struct net_device *dev; 1717 struct nlattr **attrs = info->attrs; 1718 struct macsec_secy *secy; 1719 struct macsec_rx_sc *rx_sc; 1720 struct macsec_rx_sa *rx_sa; 1721 unsigned char assoc_num; 1722 int pn_len; 1723 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 1724 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 1725 int err; 1726 1727 if (!attrs[MACSEC_ATTR_IFINDEX]) 1728 return -EINVAL; 1729 1730 if (parse_sa_config(attrs, tb_sa)) 1731 return -EINVAL; 1732 1733 if (parse_rxsc_config(attrs, tb_rxsc)) 1734 return -EINVAL; 1735 1736 if (!validate_add_rxsa(tb_sa)) 1737 return -EINVAL; 1738 1739 rtnl_lock(); 1740 rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy); 1741 if (IS_ERR(rx_sc)) { 1742 rtnl_unlock(); 1743 return PTR_ERR(rx_sc); 1744 } 1745 1746 assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]); 1747 1748 if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) { 1749 pr_notice("macsec: nl: add_rxsa: bad key length: %d != %d\n", 1750 nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len); 1751 rtnl_unlock(); 1752 return -EINVAL; 1753 } 1754 1755 pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; 1756 if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { 1757 pr_notice("macsec: nl: add_rxsa: bad pn length: %d != %d\n", 1758 nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); 1759 rtnl_unlock(); 1760 return -EINVAL; 1761 } 1762 1763 if (secy->xpn) { 1764 if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) { 1765 rtnl_unlock(); 1766 return -EINVAL; 1767 } 1768 1769 if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) { 1770 pr_notice("macsec: nl: add_rxsa: bad salt length: %d != %d\n", 1771 nla_len(tb_sa[MACSEC_SA_ATTR_SALT]), 1772 MACSEC_SA_ATTR_SALT); 1773 rtnl_unlock(); 1774 return -EINVAL; 1775 } 1776 } 1777 1778 rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]); 1779 if (rx_sa) { 1780 rtnl_unlock(); 1781 return -EBUSY; 1782 } 1783 1784 rx_sa = kmalloc(sizeof(*rx_sa), GFP_KERNEL); 1785 if (!rx_sa) { 1786 rtnl_unlock(); 1787 return -ENOMEM; 1788 } 1789 1790 err = init_rx_sa(rx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]), 1791 secy->key_len, secy->icv_len); 1792 if (err < 0) { 1793 kfree(rx_sa); 1794 rtnl_unlock(); 1795 return err; 1796 } 1797 1798 if (tb_sa[MACSEC_SA_ATTR_PN]) { 1799 spin_lock_bh(&rx_sa->lock); 1800 rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); 1801 spin_unlock_bh(&rx_sa->lock); 1802 } 1803 1804 if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) 1805 rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]); 1806 1807 rx_sa->sc = rx_sc; 1808 1809 /* If h/w offloading is available, propagate to the device */ 1810 if (macsec_is_offloaded(netdev_priv(dev))) { 1811 const struct macsec_ops *ops; 1812 struct macsec_context ctx; 1813 1814 ops = macsec_get_ops(netdev_priv(dev), &ctx); 1815 if (!ops) { 1816 err = -EOPNOTSUPP; 1817 goto cleanup; 1818 } 1819 1820 ctx.sa.assoc_num = assoc_num; 1821 ctx.sa.rx_sa = rx_sa; 1822 ctx.secy = secy; 1823 memcpy(ctx.sa.key, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]), 1824 secy->key_len); 1825 1826 err = macsec_offload(ops->mdo_add_rxsa, &ctx); 1827 if (err) 1828 goto cleanup; 1829 } 1830 1831 if (secy->xpn) { 1832 rx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]); 1833 nla_memcpy(rx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT], 1834 MACSEC_SALT_LEN); 1835 } 1836 1837 nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN); 1838 rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa); 1839 1840 rtnl_unlock(); 1841 1842 return 0; 1843 1844cleanup: 1845 kfree(rx_sa); 1846 rtnl_unlock(); 1847 return err; 1848} 1849 1850static bool validate_add_rxsc(struct nlattr **attrs) 1851{ 1852 if (!attrs[MACSEC_RXSC_ATTR_SCI]) 1853 return false; 1854 1855 if (attrs[MACSEC_RXSC_ATTR_ACTIVE]) { 1856 if (nla_get_u8(attrs[MACSEC_RXSC_ATTR_ACTIVE]) > 1) 1857 return false; 1858 } 1859 1860 return true; 1861} 1862 1863static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info) 1864{ 1865 struct net_device *dev; 1866 sci_t sci = MACSEC_UNDEF_SCI; 1867 struct nlattr **attrs = info->attrs; 1868 struct macsec_rx_sc *rx_sc; 1869 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 1870 struct macsec_secy *secy; 1871 bool was_active; 1872 int ret; 1873 1874 if (!attrs[MACSEC_ATTR_IFINDEX]) 1875 return -EINVAL; 1876 1877 if (parse_rxsc_config(attrs, tb_rxsc)) 1878 return -EINVAL; 1879 1880 if (!validate_add_rxsc(tb_rxsc)) 1881 return -EINVAL; 1882 1883 rtnl_lock(); 1884 dev = get_dev_from_nl(genl_info_net(info), attrs); 1885 if (IS_ERR(dev)) { 1886 rtnl_unlock(); 1887 return PTR_ERR(dev); 1888 } 1889 1890 secy = &macsec_priv(dev)->secy; 1891 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]); 1892 1893 rx_sc = create_rx_sc(dev, sci); 1894 if (IS_ERR(rx_sc)) { 1895 rtnl_unlock(); 1896 return PTR_ERR(rx_sc); 1897 } 1898 1899 was_active = rx_sc->active; 1900 if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) 1901 rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]); 1902 1903 if (macsec_is_offloaded(netdev_priv(dev))) { 1904 const struct macsec_ops *ops; 1905 struct macsec_context ctx; 1906 1907 ops = macsec_get_ops(netdev_priv(dev), &ctx); 1908 if (!ops) { 1909 ret = -EOPNOTSUPP; 1910 goto cleanup; 1911 } 1912 1913 ctx.rx_sc = rx_sc; 1914 ctx.secy = secy; 1915 1916 ret = macsec_offload(ops->mdo_add_rxsc, &ctx); 1917 if (ret) 1918 goto cleanup; 1919 } 1920 1921 rtnl_unlock(); 1922 1923 return 0; 1924 1925cleanup: 1926 rx_sc->active = was_active; 1927 rtnl_unlock(); 1928 return ret; 1929} 1930 1931static bool validate_add_txsa(struct nlattr **attrs) 1932{ 1933 if (!attrs[MACSEC_SA_ATTR_AN] || 1934 !attrs[MACSEC_SA_ATTR_PN] || 1935 !attrs[MACSEC_SA_ATTR_KEY] || 1936 !attrs[MACSEC_SA_ATTR_KEYID]) 1937 return false; 1938 1939 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) 1940 return false; 1941 1942 if (nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0) 1943 return false; 1944 1945 if (attrs[MACSEC_SA_ATTR_ACTIVE]) { 1946 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1) 1947 return false; 1948 } 1949 1950 if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN) 1951 return false; 1952 1953 return true; 1954} 1955 1956static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) 1957{ 1958 struct net_device *dev; 1959 struct nlattr **attrs = info->attrs; 1960 struct macsec_secy *secy; 1961 struct macsec_tx_sc *tx_sc; 1962 struct macsec_tx_sa *tx_sa; 1963 unsigned char assoc_num; 1964 int pn_len; 1965 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 1966 bool was_operational; 1967 int err; 1968 1969 if (!attrs[MACSEC_ATTR_IFINDEX]) 1970 return -EINVAL; 1971 1972 if (parse_sa_config(attrs, tb_sa)) 1973 return -EINVAL; 1974 1975 if (!validate_add_txsa(tb_sa)) 1976 return -EINVAL; 1977 1978 rtnl_lock(); 1979 dev = get_dev_from_nl(genl_info_net(info), attrs); 1980 if (IS_ERR(dev)) { 1981 rtnl_unlock(); 1982 return PTR_ERR(dev); 1983 } 1984 1985 secy = &macsec_priv(dev)->secy; 1986 tx_sc = &secy->tx_sc; 1987 1988 assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]); 1989 1990 if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) { 1991 pr_notice("macsec: nl: add_txsa: bad key length: %d != %d\n", 1992 nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len); 1993 rtnl_unlock(); 1994 return -EINVAL; 1995 } 1996 1997 pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; 1998 if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { 1999 pr_notice("macsec: nl: add_txsa: bad pn length: %d != %d\n", 2000 nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); 2001 rtnl_unlock(); 2002 return -EINVAL; 2003 } 2004 2005 if (secy->xpn) { 2006 if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) { 2007 rtnl_unlock(); 2008 return -EINVAL; 2009 } 2010 2011 if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) { 2012 pr_notice("macsec: nl: add_txsa: bad salt length: %d != %d\n", 2013 nla_len(tb_sa[MACSEC_SA_ATTR_SALT]), 2014 MACSEC_SA_ATTR_SALT); 2015 rtnl_unlock(); 2016 return -EINVAL; 2017 } 2018 } 2019 2020 tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]); 2021 if (tx_sa) { 2022 rtnl_unlock(); 2023 return -EBUSY; 2024 } 2025 2026 tx_sa = kmalloc(sizeof(*tx_sa), GFP_KERNEL); 2027 if (!tx_sa) { 2028 rtnl_unlock(); 2029 return -ENOMEM; 2030 } 2031 2032 err = init_tx_sa(tx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]), 2033 secy->key_len, secy->icv_len); 2034 if (err < 0) { 2035 kfree(tx_sa); 2036 rtnl_unlock(); 2037 return err; 2038 } 2039 2040 spin_lock_bh(&tx_sa->lock); 2041 tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); 2042 spin_unlock_bh(&tx_sa->lock); 2043 2044 if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) 2045 tx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]); 2046 2047 was_operational = secy->operational; 2048 if (assoc_num == tx_sc->encoding_sa && tx_sa->active) 2049 secy->operational = true; 2050 2051 /* If h/w offloading is available, propagate to the device */ 2052 if (macsec_is_offloaded(netdev_priv(dev))) { 2053 const struct macsec_ops *ops; 2054 struct macsec_context ctx; 2055 2056 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2057 if (!ops) { 2058 err = -EOPNOTSUPP; 2059 goto cleanup; 2060 } 2061 2062 ctx.sa.assoc_num = assoc_num; 2063 ctx.sa.tx_sa = tx_sa; 2064 ctx.secy = secy; 2065 memcpy(ctx.sa.key, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]), 2066 secy->key_len); 2067 2068 err = macsec_offload(ops->mdo_add_txsa, &ctx); 2069 if (err) 2070 goto cleanup; 2071 } 2072 2073 if (secy->xpn) { 2074 tx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]); 2075 nla_memcpy(tx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT], 2076 MACSEC_SALT_LEN); 2077 } 2078 2079 nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN); 2080 rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa); 2081 2082 rtnl_unlock(); 2083 2084 return 0; 2085 2086cleanup: 2087 secy->operational = was_operational; 2088 kfree(tx_sa); 2089 rtnl_unlock(); 2090 return err; 2091} 2092 2093static int macsec_del_rxsa(struct sk_buff *skb, struct genl_info *info) 2094{ 2095 struct nlattr **attrs = info->attrs; 2096 struct net_device *dev; 2097 struct macsec_secy *secy; 2098 struct macsec_rx_sc *rx_sc; 2099 struct macsec_rx_sa *rx_sa; 2100 u8 assoc_num; 2101 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 2102 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 2103 int ret; 2104 2105 if (!attrs[MACSEC_ATTR_IFINDEX]) 2106 return -EINVAL; 2107 2108 if (parse_sa_config(attrs, tb_sa)) 2109 return -EINVAL; 2110 2111 if (parse_rxsc_config(attrs, tb_rxsc)) 2112 return -EINVAL; 2113 2114 rtnl_lock(); 2115 rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa, 2116 &dev, &secy, &rx_sc, &assoc_num); 2117 if (IS_ERR(rx_sa)) { 2118 rtnl_unlock(); 2119 return PTR_ERR(rx_sa); 2120 } 2121 2122 if (rx_sa->active) { 2123 rtnl_unlock(); 2124 return -EBUSY; 2125 } 2126 2127 /* If h/w offloading is available, propagate to the device */ 2128 if (macsec_is_offloaded(netdev_priv(dev))) { 2129 const struct macsec_ops *ops; 2130 struct macsec_context ctx; 2131 2132 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2133 if (!ops) { 2134 ret = -EOPNOTSUPP; 2135 goto cleanup; 2136 } 2137 2138 ctx.sa.assoc_num = assoc_num; 2139 ctx.sa.rx_sa = rx_sa; 2140 ctx.secy = secy; 2141 2142 ret = macsec_offload(ops->mdo_del_rxsa, &ctx); 2143 if (ret) 2144 goto cleanup; 2145 } 2146 2147 RCU_INIT_POINTER(rx_sc->sa[assoc_num], NULL); 2148 clear_rx_sa(rx_sa); 2149 2150 rtnl_unlock(); 2151 2152 return 0; 2153 2154cleanup: 2155 rtnl_unlock(); 2156 return ret; 2157} 2158 2159static int macsec_del_rxsc(struct sk_buff *skb, struct genl_info *info) 2160{ 2161 struct nlattr **attrs = info->attrs; 2162 struct net_device *dev; 2163 struct macsec_secy *secy; 2164 struct macsec_rx_sc *rx_sc; 2165 sci_t sci; 2166 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 2167 int ret; 2168 2169 if (!attrs[MACSEC_ATTR_IFINDEX]) 2170 return -EINVAL; 2171 2172 if (parse_rxsc_config(attrs, tb_rxsc)) 2173 return -EINVAL; 2174 2175 if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI]) 2176 return -EINVAL; 2177 2178 rtnl_lock(); 2179 dev = get_dev_from_nl(genl_info_net(info), info->attrs); 2180 if (IS_ERR(dev)) { 2181 rtnl_unlock(); 2182 return PTR_ERR(dev); 2183 } 2184 2185 secy = &macsec_priv(dev)->secy; 2186 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]); 2187 2188 rx_sc = del_rx_sc(secy, sci); 2189 if (!rx_sc) { 2190 rtnl_unlock(); 2191 return -ENODEV; 2192 } 2193 2194 /* If h/w offloading is available, propagate to the device */ 2195 if (macsec_is_offloaded(netdev_priv(dev))) { 2196 const struct macsec_ops *ops; 2197 struct macsec_context ctx; 2198 2199 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2200 if (!ops) { 2201 ret = -EOPNOTSUPP; 2202 goto cleanup; 2203 } 2204 2205 ctx.rx_sc = rx_sc; 2206 ctx.secy = secy; 2207 ret = macsec_offload(ops->mdo_del_rxsc, &ctx); 2208 if (ret) 2209 goto cleanup; 2210 } 2211 2212 free_rx_sc(rx_sc); 2213 rtnl_unlock(); 2214 2215 return 0; 2216 2217cleanup: 2218 rtnl_unlock(); 2219 return ret; 2220} 2221 2222static int macsec_del_txsa(struct sk_buff *skb, struct genl_info *info) 2223{ 2224 struct nlattr **attrs = info->attrs; 2225 struct net_device *dev; 2226 struct macsec_secy *secy; 2227 struct macsec_tx_sc *tx_sc; 2228 struct macsec_tx_sa *tx_sa; 2229 u8 assoc_num; 2230 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 2231 int ret; 2232 2233 if (!attrs[MACSEC_ATTR_IFINDEX]) 2234 return -EINVAL; 2235 2236 if (parse_sa_config(attrs, tb_sa)) 2237 return -EINVAL; 2238 2239 rtnl_lock(); 2240 tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa, 2241 &dev, &secy, &tx_sc, &assoc_num); 2242 if (IS_ERR(tx_sa)) { 2243 rtnl_unlock(); 2244 return PTR_ERR(tx_sa); 2245 } 2246 2247 if (tx_sa->active) { 2248 rtnl_unlock(); 2249 return -EBUSY; 2250 } 2251 2252 /* If h/w offloading is available, propagate to the device */ 2253 if (macsec_is_offloaded(netdev_priv(dev))) { 2254 const struct macsec_ops *ops; 2255 struct macsec_context ctx; 2256 2257 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2258 if (!ops) { 2259 ret = -EOPNOTSUPP; 2260 goto cleanup; 2261 } 2262 2263 ctx.sa.assoc_num = assoc_num; 2264 ctx.sa.tx_sa = tx_sa; 2265 ctx.secy = secy; 2266 2267 ret = macsec_offload(ops->mdo_del_txsa, &ctx); 2268 if (ret) 2269 goto cleanup; 2270 } 2271 2272 RCU_INIT_POINTER(tx_sc->sa[assoc_num], NULL); 2273 clear_tx_sa(tx_sa); 2274 2275 rtnl_unlock(); 2276 2277 return 0; 2278 2279cleanup: 2280 rtnl_unlock(); 2281 return ret; 2282} 2283 2284static bool validate_upd_sa(struct nlattr **attrs) 2285{ 2286 if (!attrs[MACSEC_SA_ATTR_AN] || 2287 attrs[MACSEC_SA_ATTR_KEY] || 2288 attrs[MACSEC_SA_ATTR_KEYID] || 2289 attrs[MACSEC_SA_ATTR_SSCI] || 2290 attrs[MACSEC_SA_ATTR_SALT]) 2291 return false; 2292 2293 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) 2294 return false; 2295 2296 if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0) 2297 return false; 2298 2299 if (attrs[MACSEC_SA_ATTR_ACTIVE]) { 2300 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1) 2301 return false; 2302 } 2303 2304 return true; 2305} 2306 2307static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info) 2308{ 2309 struct nlattr **attrs = info->attrs; 2310 struct net_device *dev; 2311 struct macsec_secy *secy; 2312 struct macsec_tx_sc *tx_sc; 2313 struct macsec_tx_sa *tx_sa; 2314 u8 assoc_num; 2315 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 2316 bool was_operational, was_active; 2317 pn_t prev_pn; 2318 int ret = 0; 2319 2320 prev_pn.full64 = 0; 2321 2322 if (!attrs[MACSEC_ATTR_IFINDEX]) 2323 return -EINVAL; 2324 2325 if (parse_sa_config(attrs, tb_sa)) 2326 return -EINVAL; 2327 2328 if (!validate_upd_sa(tb_sa)) 2329 return -EINVAL; 2330 2331 rtnl_lock(); 2332 tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa, 2333 &dev, &secy, &tx_sc, &assoc_num); 2334 if (IS_ERR(tx_sa)) { 2335 rtnl_unlock(); 2336 return PTR_ERR(tx_sa); 2337 } 2338 2339 if (tb_sa[MACSEC_SA_ATTR_PN]) { 2340 int pn_len; 2341 2342 pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; 2343 if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { 2344 pr_notice("macsec: nl: upd_txsa: bad pn length: %d != %d\n", 2345 nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); 2346 rtnl_unlock(); 2347 return -EINVAL; 2348 } 2349 2350 spin_lock_bh(&tx_sa->lock); 2351 prev_pn = tx_sa->next_pn_halves; 2352 tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); 2353 spin_unlock_bh(&tx_sa->lock); 2354 } 2355 2356 was_active = tx_sa->active; 2357 if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) 2358 tx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]); 2359 2360 was_operational = secy->operational; 2361 if (assoc_num == tx_sc->encoding_sa) 2362 secy->operational = tx_sa->active; 2363 2364 /* If h/w offloading is available, propagate to the device */ 2365 if (macsec_is_offloaded(netdev_priv(dev))) { 2366 const struct macsec_ops *ops; 2367 struct macsec_context ctx; 2368 2369 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2370 if (!ops) { 2371 ret = -EOPNOTSUPP; 2372 goto cleanup; 2373 } 2374 2375 ctx.sa.assoc_num = assoc_num; 2376 ctx.sa.tx_sa = tx_sa; 2377 ctx.secy = secy; 2378 2379 ret = macsec_offload(ops->mdo_upd_txsa, &ctx); 2380 if (ret) 2381 goto cleanup; 2382 } 2383 2384 rtnl_unlock(); 2385 2386 return 0; 2387 2388cleanup: 2389 if (tb_sa[MACSEC_SA_ATTR_PN]) { 2390 spin_lock_bh(&tx_sa->lock); 2391 tx_sa->next_pn_halves = prev_pn; 2392 spin_unlock_bh(&tx_sa->lock); 2393 } 2394 tx_sa->active = was_active; 2395 secy->operational = was_operational; 2396 rtnl_unlock(); 2397 return ret; 2398} 2399 2400static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info) 2401{ 2402 struct nlattr **attrs = info->attrs; 2403 struct net_device *dev; 2404 struct macsec_secy *secy; 2405 struct macsec_rx_sc *rx_sc; 2406 struct macsec_rx_sa *rx_sa; 2407 u8 assoc_num; 2408 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 2409 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 2410 bool was_active; 2411 pn_t prev_pn; 2412 int ret = 0; 2413 2414 prev_pn.full64 = 0; 2415 2416 if (!attrs[MACSEC_ATTR_IFINDEX]) 2417 return -EINVAL; 2418 2419 if (parse_rxsc_config(attrs, tb_rxsc)) 2420 return -EINVAL; 2421 2422 if (parse_sa_config(attrs, tb_sa)) 2423 return -EINVAL; 2424 2425 if (!validate_upd_sa(tb_sa)) 2426 return -EINVAL; 2427 2428 rtnl_lock(); 2429 rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa, 2430 &dev, &secy, &rx_sc, &assoc_num); 2431 if (IS_ERR(rx_sa)) { 2432 rtnl_unlock(); 2433 return PTR_ERR(rx_sa); 2434 } 2435 2436 if (tb_sa[MACSEC_SA_ATTR_PN]) { 2437 int pn_len; 2438 2439 pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; 2440 if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { 2441 pr_notice("macsec: nl: upd_rxsa: bad pn length: %d != %d\n", 2442 nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); 2443 rtnl_unlock(); 2444 return -EINVAL; 2445 } 2446 2447 spin_lock_bh(&rx_sa->lock); 2448 prev_pn = rx_sa->next_pn_halves; 2449 rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); 2450 spin_unlock_bh(&rx_sa->lock); 2451 } 2452 2453 was_active = rx_sa->active; 2454 if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) 2455 rx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]); 2456 2457 /* If h/w offloading is available, propagate to the device */ 2458 if (macsec_is_offloaded(netdev_priv(dev))) { 2459 const struct macsec_ops *ops; 2460 struct macsec_context ctx; 2461 2462 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2463 if (!ops) { 2464 ret = -EOPNOTSUPP; 2465 goto cleanup; 2466 } 2467 2468 ctx.sa.assoc_num = assoc_num; 2469 ctx.sa.rx_sa = rx_sa; 2470 ctx.secy = secy; 2471 2472 ret = macsec_offload(ops->mdo_upd_rxsa, &ctx); 2473 if (ret) 2474 goto cleanup; 2475 } 2476 2477 rtnl_unlock(); 2478 return 0; 2479 2480cleanup: 2481 if (tb_sa[MACSEC_SA_ATTR_PN]) { 2482 spin_lock_bh(&rx_sa->lock); 2483 rx_sa->next_pn_halves = prev_pn; 2484 spin_unlock_bh(&rx_sa->lock); 2485 } 2486 rx_sa->active = was_active; 2487 rtnl_unlock(); 2488 return ret; 2489} 2490 2491static int macsec_upd_rxsc(struct sk_buff *skb, struct genl_info *info) 2492{ 2493 struct nlattr **attrs = info->attrs; 2494 struct net_device *dev; 2495 struct macsec_secy *secy; 2496 struct macsec_rx_sc *rx_sc; 2497 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 2498 unsigned int prev_n_rx_sc; 2499 bool was_active; 2500 int ret; 2501 2502 if (!attrs[MACSEC_ATTR_IFINDEX]) 2503 return -EINVAL; 2504 2505 if (parse_rxsc_config(attrs, tb_rxsc)) 2506 return -EINVAL; 2507 2508 if (!validate_add_rxsc(tb_rxsc)) 2509 return -EINVAL; 2510 2511 rtnl_lock(); 2512 rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy); 2513 if (IS_ERR(rx_sc)) { 2514 rtnl_unlock(); 2515 return PTR_ERR(rx_sc); 2516 } 2517 2518 was_active = rx_sc->active; 2519 prev_n_rx_sc = secy->n_rx_sc; 2520 if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) { 2521 bool new = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]); 2522 2523 if (rx_sc->active != new) 2524 secy->n_rx_sc += new ? 1 : -1; 2525 2526 rx_sc->active = new; 2527 } 2528 2529 /* If h/w offloading is available, propagate to the device */ 2530 if (macsec_is_offloaded(netdev_priv(dev))) { 2531 const struct macsec_ops *ops; 2532 struct macsec_context ctx; 2533 2534 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2535 if (!ops) { 2536 ret = -EOPNOTSUPP; 2537 goto cleanup; 2538 } 2539 2540 ctx.rx_sc = rx_sc; 2541 ctx.secy = secy; 2542 2543 ret = macsec_offload(ops->mdo_upd_rxsc, &ctx); 2544 if (ret) 2545 goto cleanup; 2546 } 2547 2548 rtnl_unlock(); 2549 2550 return 0; 2551 2552cleanup: 2553 secy->n_rx_sc = prev_n_rx_sc; 2554 rx_sc->active = was_active; 2555 rtnl_unlock(); 2556 return ret; 2557} 2558 2559static bool macsec_is_configured(struct macsec_dev *macsec) 2560{ 2561 struct macsec_secy *secy = &macsec->secy; 2562 struct macsec_tx_sc *tx_sc = &secy->tx_sc; 2563 int i; 2564 2565 if (secy->n_rx_sc > 0) 2566 return true; 2567 2568 for (i = 0; i < MACSEC_NUM_AN; i++) 2569 if (tx_sc->sa[i]) 2570 return true; 2571 2572 return false; 2573} 2574 2575static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info) 2576{ 2577 struct nlattr *tb_offload[MACSEC_OFFLOAD_ATTR_MAX + 1]; 2578 enum macsec_offload offload, prev_offload; 2579 int (*func)(struct macsec_context *ctx); 2580 struct nlattr **attrs = info->attrs; 2581 struct net_device *dev; 2582 const struct macsec_ops *ops; 2583 struct macsec_context ctx; 2584 struct macsec_dev *macsec; 2585 int ret; 2586 2587 if (!attrs[MACSEC_ATTR_IFINDEX]) 2588 return -EINVAL; 2589 2590 if (!attrs[MACSEC_ATTR_OFFLOAD]) 2591 return -EINVAL; 2592 2593 if (nla_parse_nested_deprecated(tb_offload, MACSEC_OFFLOAD_ATTR_MAX, 2594 attrs[MACSEC_ATTR_OFFLOAD], 2595 macsec_genl_offload_policy, NULL)) 2596 return -EINVAL; 2597 2598 dev = get_dev_from_nl(genl_info_net(info), attrs); 2599 if (IS_ERR(dev)) 2600 return PTR_ERR(dev); 2601 macsec = macsec_priv(dev); 2602 2603 if (!tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]) 2604 return -EINVAL; 2605 2606 offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]); 2607 if (macsec->offload == offload) 2608 return 0; 2609 2610 /* Check if the offloading mode is supported by the underlying layers */ 2611 if (offload != MACSEC_OFFLOAD_OFF && 2612 !macsec_check_offload(offload, macsec)) 2613 return -EOPNOTSUPP; 2614 2615 /* Check if the net device is busy. */ 2616 if (netif_running(dev)) 2617 return -EBUSY; 2618 2619 rtnl_lock(); 2620 2621 prev_offload = macsec->offload; 2622 macsec->offload = offload; 2623 2624 /* Check if the device already has rules configured: we do not support 2625 * rules migration. 2626 */ 2627 if (macsec_is_configured(macsec)) { 2628 ret = -EBUSY; 2629 goto rollback; 2630 } 2631 2632 ops = __macsec_get_ops(offload == MACSEC_OFFLOAD_OFF ? prev_offload : offload, 2633 macsec, &ctx); 2634 if (!ops) { 2635 ret = -EOPNOTSUPP; 2636 goto rollback; 2637 } 2638 2639 if (prev_offload == MACSEC_OFFLOAD_OFF) 2640 func = ops->mdo_add_secy; 2641 else 2642 func = ops->mdo_del_secy; 2643 2644 ctx.secy = &macsec->secy; 2645 ret = macsec_offload(func, &ctx); 2646 if (ret) 2647 goto rollback; 2648 2649 /* Force features update, since they are different for SW MACSec and 2650 * HW offloading cases. 2651 */ 2652 netdev_update_features(dev); 2653 2654 rtnl_unlock(); 2655 return 0; 2656 2657rollback: 2658 macsec->offload = prev_offload; 2659 2660 rtnl_unlock(); 2661 return ret; 2662} 2663 2664static void get_tx_sa_stats(struct net_device *dev, int an, 2665 struct macsec_tx_sa *tx_sa, 2666 struct macsec_tx_sa_stats *sum) 2667{ 2668 struct macsec_dev *macsec = macsec_priv(dev); 2669 int cpu; 2670 2671 /* If h/w offloading is available, propagate to the device */ 2672 if (macsec_is_offloaded(macsec)) { 2673 const struct macsec_ops *ops; 2674 struct macsec_context ctx; 2675 2676 ops = macsec_get_ops(macsec, &ctx); 2677 if (ops) { 2678 ctx.sa.assoc_num = an; 2679 ctx.sa.tx_sa = tx_sa; 2680 ctx.stats.tx_sa_stats = sum; 2681 ctx.secy = &macsec_priv(dev)->secy; 2682 macsec_offload(ops->mdo_get_tx_sa_stats, &ctx); 2683 } 2684 return; 2685 } 2686 2687 for_each_possible_cpu(cpu) { 2688 const struct macsec_tx_sa_stats *stats = 2689 per_cpu_ptr(tx_sa->stats, cpu); 2690 2691 sum->OutPktsProtected += stats->OutPktsProtected; 2692 sum->OutPktsEncrypted += stats->OutPktsEncrypted; 2693 } 2694} 2695 2696static int copy_tx_sa_stats(struct sk_buff *skb, struct macsec_tx_sa_stats *sum) 2697{ 2698 if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_PROTECTED, 2699 sum->OutPktsProtected) || 2700 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_ENCRYPTED, 2701 sum->OutPktsEncrypted)) 2702 return -EMSGSIZE; 2703 2704 return 0; 2705} 2706 2707static void get_rx_sa_stats(struct net_device *dev, 2708 struct macsec_rx_sc *rx_sc, int an, 2709 struct macsec_rx_sa *rx_sa, 2710 struct macsec_rx_sa_stats *sum) 2711{ 2712 struct macsec_dev *macsec = macsec_priv(dev); 2713 int cpu; 2714 2715 /* If h/w offloading is available, propagate to the device */ 2716 if (macsec_is_offloaded(macsec)) { 2717 const struct macsec_ops *ops; 2718 struct macsec_context ctx; 2719 2720 ops = macsec_get_ops(macsec, &ctx); 2721 if (ops) { 2722 ctx.sa.assoc_num = an; 2723 ctx.sa.rx_sa = rx_sa; 2724 ctx.stats.rx_sa_stats = sum; 2725 ctx.secy = &macsec_priv(dev)->secy; 2726 ctx.rx_sc = rx_sc; 2727 macsec_offload(ops->mdo_get_rx_sa_stats, &ctx); 2728 } 2729 return; 2730 } 2731 2732 for_each_possible_cpu(cpu) { 2733 const struct macsec_rx_sa_stats *stats = 2734 per_cpu_ptr(rx_sa->stats, cpu); 2735 2736 sum->InPktsOK += stats->InPktsOK; 2737 sum->InPktsInvalid += stats->InPktsInvalid; 2738 sum->InPktsNotValid += stats->InPktsNotValid; 2739 sum->InPktsNotUsingSA += stats->InPktsNotUsingSA; 2740 sum->InPktsUnusedSA += stats->InPktsUnusedSA; 2741 } 2742} 2743 2744static int copy_rx_sa_stats(struct sk_buff *skb, 2745 struct macsec_rx_sa_stats *sum) 2746{ 2747 if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_OK, sum->InPktsOK) || 2748 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_INVALID, 2749 sum->InPktsInvalid) || 2750 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_VALID, 2751 sum->InPktsNotValid) || 2752 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_USING_SA, 2753 sum->InPktsNotUsingSA) || 2754 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_UNUSED_SA, 2755 sum->InPktsUnusedSA)) 2756 return -EMSGSIZE; 2757 2758 return 0; 2759} 2760 2761static void get_rx_sc_stats(struct net_device *dev, 2762 struct macsec_rx_sc *rx_sc, 2763 struct macsec_rx_sc_stats *sum) 2764{ 2765 struct macsec_dev *macsec = macsec_priv(dev); 2766 int cpu; 2767 2768 /* If h/w offloading is available, propagate to the device */ 2769 if (macsec_is_offloaded(macsec)) { 2770 const struct macsec_ops *ops; 2771 struct macsec_context ctx; 2772 2773 ops = macsec_get_ops(macsec, &ctx); 2774 if (ops) { 2775 ctx.stats.rx_sc_stats = sum; 2776 ctx.secy = &macsec_priv(dev)->secy; 2777 ctx.rx_sc = rx_sc; 2778 macsec_offload(ops->mdo_get_rx_sc_stats, &ctx); 2779 } 2780 return; 2781 } 2782 2783 for_each_possible_cpu(cpu) { 2784 const struct pcpu_rx_sc_stats *stats; 2785 struct macsec_rx_sc_stats tmp; 2786 unsigned int start; 2787 2788 stats = per_cpu_ptr(rx_sc->stats, cpu); 2789 do { 2790 start = u64_stats_fetch_begin_irq(&stats->syncp); 2791 memcpy(&tmp, &stats->stats, sizeof(tmp)); 2792 } while (u64_stats_fetch_retry_irq(&stats->syncp, start)); 2793 2794 sum->InOctetsValidated += tmp.InOctetsValidated; 2795 sum->InOctetsDecrypted += tmp.InOctetsDecrypted; 2796 sum->InPktsUnchecked += tmp.InPktsUnchecked; 2797 sum->InPktsDelayed += tmp.InPktsDelayed; 2798 sum->InPktsOK += tmp.InPktsOK; 2799 sum->InPktsInvalid += tmp.InPktsInvalid; 2800 sum->InPktsLate += tmp.InPktsLate; 2801 sum->InPktsNotValid += tmp.InPktsNotValid; 2802 sum->InPktsNotUsingSA += tmp.InPktsNotUsingSA; 2803 sum->InPktsUnusedSA += tmp.InPktsUnusedSA; 2804 } 2805} 2806 2807static int copy_rx_sc_stats(struct sk_buff *skb, struct macsec_rx_sc_stats *sum) 2808{ 2809 if (nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_VALIDATED, 2810 sum->InOctetsValidated, 2811 MACSEC_RXSC_STATS_ATTR_PAD) || 2812 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_DECRYPTED, 2813 sum->InOctetsDecrypted, 2814 MACSEC_RXSC_STATS_ATTR_PAD) || 2815 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNCHECKED, 2816 sum->InPktsUnchecked, 2817 MACSEC_RXSC_STATS_ATTR_PAD) || 2818 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_DELAYED, 2819 sum->InPktsDelayed, 2820 MACSEC_RXSC_STATS_ATTR_PAD) || 2821 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_OK, 2822 sum->InPktsOK, 2823 MACSEC_RXSC_STATS_ATTR_PAD) || 2824 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_INVALID, 2825 sum->InPktsInvalid, 2826 MACSEC_RXSC_STATS_ATTR_PAD) || 2827 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_LATE, 2828 sum->InPktsLate, 2829 MACSEC_RXSC_STATS_ATTR_PAD) || 2830 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_VALID, 2831 sum->InPktsNotValid, 2832 MACSEC_RXSC_STATS_ATTR_PAD) || 2833 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_USING_SA, 2834 sum->InPktsNotUsingSA, 2835 MACSEC_RXSC_STATS_ATTR_PAD) || 2836 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNUSED_SA, 2837 sum->InPktsUnusedSA, 2838 MACSEC_RXSC_STATS_ATTR_PAD)) 2839 return -EMSGSIZE; 2840 2841 return 0; 2842} 2843 2844static void get_tx_sc_stats(struct net_device *dev, 2845 struct macsec_tx_sc_stats *sum) 2846{ 2847 struct macsec_dev *macsec = macsec_priv(dev); 2848 int cpu; 2849 2850 /* If h/w offloading is available, propagate to the device */ 2851 if (macsec_is_offloaded(macsec)) { 2852 const struct macsec_ops *ops; 2853 struct macsec_context ctx; 2854 2855 ops = macsec_get_ops(macsec, &ctx); 2856 if (ops) { 2857 ctx.stats.tx_sc_stats = sum; 2858 ctx.secy = &macsec_priv(dev)->secy; 2859 macsec_offload(ops->mdo_get_tx_sc_stats, &ctx); 2860 } 2861 return; 2862 } 2863 2864 for_each_possible_cpu(cpu) { 2865 const struct pcpu_tx_sc_stats *stats; 2866 struct macsec_tx_sc_stats tmp; 2867 unsigned int start; 2868 2869 stats = per_cpu_ptr(macsec_priv(dev)->secy.tx_sc.stats, cpu); 2870 do { 2871 start = u64_stats_fetch_begin_irq(&stats->syncp); 2872 memcpy(&tmp, &stats->stats, sizeof(tmp)); 2873 } while (u64_stats_fetch_retry_irq(&stats->syncp, start)); 2874 2875 sum->OutPktsProtected += tmp.OutPktsProtected; 2876 sum->OutPktsEncrypted += tmp.OutPktsEncrypted; 2877 sum->OutOctetsProtected += tmp.OutOctetsProtected; 2878 sum->OutOctetsEncrypted += tmp.OutOctetsEncrypted; 2879 } 2880} 2881 2882static int copy_tx_sc_stats(struct sk_buff *skb, struct macsec_tx_sc_stats *sum) 2883{ 2884 if (nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_PROTECTED, 2885 sum->OutPktsProtected, 2886 MACSEC_TXSC_STATS_ATTR_PAD) || 2887 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_ENCRYPTED, 2888 sum->OutPktsEncrypted, 2889 MACSEC_TXSC_STATS_ATTR_PAD) || 2890 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_PROTECTED, 2891 sum->OutOctetsProtected, 2892 MACSEC_TXSC_STATS_ATTR_PAD) || 2893 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_ENCRYPTED, 2894 sum->OutOctetsEncrypted, 2895 MACSEC_TXSC_STATS_ATTR_PAD)) 2896 return -EMSGSIZE; 2897 2898 return 0; 2899} 2900 2901static void get_secy_stats(struct net_device *dev, struct macsec_dev_stats *sum) 2902{ 2903 struct macsec_dev *macsec = macsec_priv(dev); 2904 int cpu; 2905 2906 /* If h/w offloading is available, propagate to the device */ 2907 if (macsec_is_offloaded(macsec)) { 2908 const struct macsec_ops *ops; 2909 struct macsec_context ctx; 2910 2911 ops = macsec_get_ops(macsec, &ctx); 2912 if (ops) { 2913 ctx.stats.dev_stats = sum; 2914 ctx.secy = &macsec_priv(dev)->secy; 2915 macsec_offload(ops->mdo_get_dev_stats, &ctx); 2916 } 2917 return; 2918 } 2919 2920 for_each_possible_cpu(cpu) { 2921 const struct pcpu_secy_stats *stats; 2922 struct macsec_dev_stats tmp; 2923 unsigned int start; 2924 2925 stats = per_cpu_ptr(macsec_priv(dev)->stats, cpu); 2926 do { 2927 start = u64_stats_fetch_begin_irq(&stats->syncp); 2928 memcpy(&tmp, &stats->stats, sizeof(tmp)); 2929 } while (u64_stats_fetch_retry_irq(&stats->syncp, start)); 2930 2931 sum->OutPktsUntagged += tmp.OutPktsUntagged; 2932 sum->InPktsUntagged += tmp.InPktsUntagged; 2933 sum->OutPktsTooLong += tmp.OutPktsTooLong; 2934 sum->InPktsNoTag += tmp.InPktsNoTag; 2935 sum->InPktsBadTag += tmp.InPktsBadTag; 2936 sum->InPktsUnknownSCI += tmp.InPktsUnknownSCI; 2937 sum->InPktsNoSCI += tmp.InPktsNoSCI; 2938 sum->InPktsOverrun += tmp.InPktsOverrun; 2939 } 2940} 2941 2942static int copy_secy_stats(struct sk_buff *skb, struct macsec_dev_stats *sum) 2943{ 2944 if (nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_UNTAGGED, 2945 sum->OutPktsUntagged, 2946 MACSEC_SECY_STATS_ATTR_PAD) || 2947 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNTAGGED, 2948 sum->InPktsUntagged, 2949 MACSEC_SECY_STATS_ATTR_PAD) || 2950 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_TOO_LONG, 2951 sum->OutPktsTooLong, 2952 MACSEC_SECY_STATS_ATTR_PAD) || 2953 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_TAG, 2954 sum->InPktsNoTag, 2955 MACSEC_SECY_STATS_ATTR_PAD) || 2956 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_BAD_TAG, 2957 sum->InPktsBadTag, 2958 MACSEC_SECY_STATS_ATTR_PAD) || 2959 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNKNOWN_SCI, 2960 sum->InPktsUnknownSCI, 2961 MACSEC_SECY_STATS_ATTR_PAD) || 2962 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_SCI, 2963 sum->InPktsNoSCI, 2964 MACSEC_SECY_STATS_ATTR_PAD) || 2965 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_OVERRUN, 2966 sum->InPktsOverrun, 2967 MACSEC_SECY_STATS_ATTR_PAD)) 2968 return -EMSGSIZE; 2969 2970 return 0; 2971} 2972 2973static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb) 2974{ 2975 struct macsec_tx_sc *tx_sc = &secy->tx_sc; 2976 struct nlattr *secy_nest = nla_nest_start_noflag(skb, 2977 MACSEC_ATTR_SECY); 2978 u64 csid; 2979 2980 if (!secy_nest) 2981 return 1; 2982 2983 switch (secy->key_len) { 2984 case MACSEC_GCM_AES_128_SAK_LEN: 2985 csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID; 2986 break; 2987 case MACSEC_GCM_AES_256_SAK_LEN: 2988 csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256; 2989 break; 2990 default: 2991 goto cancel; 2992 } 2993 2994 if (nla_put_sci(skb, MACSEC_SECY_ATTR_SCI, secy->sci, 2995 MACSEC_SECY_ATTR_PAD) || 2996 nla_put_u64_64bit(skb, MACSEC_SECY_ATTR_CIPHER_SUITE, 2997 csid, MACSEC_SECY_ATTR_PAD) || 2998 nla_put_u8(skb, MACSEC_SECY_ATTR_ICV_LEN, secy->icv_len) || 2999 nla_put_u8(skb, MACSEC_SECY_ATTR_OPER, secy->operational) || 3000 nla_put_u8(skb, MACSEC_SECY_ATTR_PROTECT, secy->protect_frames) || 3001 nla_put_u8(skb, MACSEC_SECY_ATTR_REPLAY, secy->replay_protect) || 3002 nla_put_u8(skb, MACSEC_SECY_ATTR_VALIDATE, secy->validate_frames) || 3003 nla_put_u8(skb, MACSEC_SECY_ATTR_ENCRYPT, tx_sc->encrypt) || 3004 nla_put_u8(skb, MACSEC_SECY_ATTR_INC_SCI, tx_sc->send_sci) || 3005 nla_put_u8(skb, MACSEC_SECY_ATTR_ES, tx_sc->end_station) || 3006 nla_put_u8(skb, MACSEC_SECY_ATTR_SCB, tx_sc->scb) || 3007 nla_put_u8(skb, MACSEC_SECY_ATTR_ENCODING_SA, tx_sc->encoding_sa)) 3008 goto cancel; 3009 3010 if (secy->replay_protect) { 3011 if (nla_put_u32(skb, MACSEC_SECY_ATTR_WINDOW, secy->replay_window)) 3012 goto cancel; 3013 } 3014 3015 nla_nest_end(skb, secy_nest); 3016 return 0; 3017 3018cancel: 3019 nla_nest_cancel(skb, secy_nest); 3020 return 1; 3021} 3022 3023static noinline_for_stack int 3024dump_secy(struct macsec_secy *secy, struct net_device *dev, 3025 struct sk_buff *skb, struct netlink_callback *cb) 3026{ 3027 struct macsec_tx_sc_stats tx_sc_stats = {0, }; 3028 struct macsec_tx_sa_stats tx_sa_stats = {0, }; 3029 struct macsec_rx_sc_stats rx_sc_stats = {0, }; 3030 struct macsec_rx_sa_stats rx_sa_stats = {0, }; 3031 struct macsec_dev *macsec = netdev_priv(dev); 3032 struct macsec_dev_stats dev_stats = {0, }; 3033 struct macsec_tx_sc *tx_sc = &secy->tx_sc; 3034 struct nlattr *txsa_list, *rxsc_list; 3035 struct macsec_rx_sc *rx_sc; 3036 struct nlattr *attr; 3037 void *hdr; 3038 int i, j; 3039 3040 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, 3041 &macsec_fam, NLM_F_MULTI, MACSEC_CMD_GET_TXSC); 3042 if (!hdr) 3043 return -EMSGSIZE; 3044 3045 genl_dump_check_consistent(cb, hdr); 3046 3047 if (nla_put_u32(skb, MACSEC_ATTR_IFINDEX, dev->ifindex)) 3048 goto nla_put_failure; 3049 3050 attr = nla_nest_start_noflag(skb, MACSEC_ATTR_OFFLOAD); 3051 if (!attr) 3052 goto nla_put_failure; 3053 if (nla_put_u8(skb, MACSEC_OFFLOAD_ATTR_TYPE, macsec->offload)) 3054 goto nla_put_failure; 3055 nla_nest_end(skb, attr); 3056 3057 if (nla_put_secy(secy, skb)) 3058 goto nla_put_failure; 3059 3060 attr = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSC_STATS); 3061 if (!attr) 3062 goto nla_put_failure; 3063 3064 get_tx_sc_stats(dev, &tx_sc_stats); 3065 if (copy_tx_sc_stats(skb, &tx_sc_stats)) { 3066 nla_nest_cancel(skb, attr); 3067 goto nla_put_failure; 3068 } 3069 nla_nest_end(skb, attr); 3070 3071 attr = nla_nest_start_noflag(skb, MACSEC_ATTR_SECY_STATS); 3072 if (!attr) 3073 goto nla_put_failure; 3074 get_secy_stats(dev, &dev_stats); 3075 if (copy_secy_stats(skb, &dev_stats)) { 3076 nla_nest_cancel(skb, attr); 3077 goto nla_put_failure; 3078 } 3079 nla_nest_end(skb, attr); 3080 3081 txsa_list = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSA_LIST); 3082 if (!txsa_list) 3083 goto nla_put_failure; 3084 for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) { 3085 struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]); 3086 struct nlattr *txsa_nest; 3087 u64 pn; 3088 int pn_len; 3089 3090 if (!tx_sa) 3091 continue; 3092 3093 txsa_nest = nla_nest_start_noflag(skb, j++); 3094 if (!txsa_nest) { 3095 nla_nest_cancel(skb, txsa_list); 3096 goto nla_put_failure; 3097 } 3098 3099 attr = nla_nest_start_noflag(skb, MACSEC_SA_ATTR_STATS); 3100 if (!attr) { 3101 nla_nest_cancel(skb, txsa_nest); 3102 nla_nest_cancel(skb, txsa_list); 3103 goto nla_put_failure; 3104 } 3105 memset(&tx_sa_stats, 0, sizeof(tx_sa_stats)); 3106 get_tx_sa_stats(dev, i, tx_sa, &tx_sa_stats); 3107 if (copy_tx_sa_stats(skb, &tx_sa_stats)) { 3108 nla_nest_cancel(skb, attr); 3109 nla_nest_cancel(skb, txsa_nest); 3110 nla_nest_cancel(skb, txsa_list); 3111 goto nla_put_failure; 3112 } 3113 nla_nest_end(skb, attr); 3114 3115 if (secy->xpn) { 3116 pn = tx_sa->next_pn; 3117 pn_len = MACSEC_XPN_PN_LEN; 3118 } else { 3119 pn = tx_sa->next_pn_halves.lower; 3120 pn_len = MACSEC_DEFAULT_PN_LEN; 3121 } 3122 3123 if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) || 3124 nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) || 3125 nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) || 3126 (secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, tx_sa->ssci)) || 3127 nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) { 3128 nla_nest_cancel(skb, txsa_nest); 3129 nla_nest_cancel(skb, txsa_list); 3130 goto nla_put_failure; 3131 } 3132 3133 nla_nest_end(skb, txsa_nest); 3134 } 3135 nla_nest_end(skb, txsa_list); 3136 3137 rxsc_list = nla_nest_start_noflag(skb, MACSEC_ATTR_RXSC_LIST); 3138 if (!rxsc_list) 3139 goto nla_put_failure; 3140 3141 j = 1; 3142 for_each_rxsc_rtnl(secy, rx_sc) { 3143 int k; 3144 struct nlattr *rxsa_list; 3145 struct nlattr *rxsc_nest = nla_nest_start_noflag(skb, j++); 3146 3147 if (!rxsc_nest) { 3148 nla_nest_cancel(skb, rxsc_list); 3149 goto nla_put_failure; 3150 } 3151 3152 if (nla_put_u8(skb, MACSEC_RXSC_ATTR_ACTIVE, rx_sc->active) || 3153 nla_put_sci(skb, MACSEC_RXSC_ATTR_SCI, rx_sc->sci, 3154 MACSEC_RXSC_ATTR_PAD)) { 3155 nla_nest_cancel(skb, rxsc_nest); 3156 nla_nest_cancel(skb, rxsc_list); 3157 goto nla_put_failure; 3158 } 3159 3160 attr = nla_nest_start_noflag(skb, MACSEC_RXSC_ATTR_STATS); 3161 if (!attr) { 3162 nla_nest_cancel(skb, rxsc_nest); 3163 nla_nest_cancel(skb, rxsc_list); 3164 goto nla_put_failure; 3165 } 3166 memset(&rx_sc_stats, 0, sizeof(rx_sc_stats)); 3167 get_rx_sc_stats(dev, rx_sc, &rx_sc_stats); 3168 if (copy_rx_sc_stats(skb, &rx_sc_stats)) { 3169 nla_nest_cancel(skb, attr); 3170 nla_nest_cancel(skb, rxsc_nest); 3171 nla_nest_cancel(skb, rxsc_list); 3172 goto nla_put_failure; 3173 } 3174 nla_nest_end(skb, attr); 3175 3176 rxsa_list = nla_nest_start_noflag(skb, 3177 MACSEC_RXSC_ATTR_SA_LIST); 3178 if (!rxsa_list) { 3179 nla_nest_cancel(skb, rxsc_nest); 3180 nla_nest_cancel(skb, rxsc_list); 3181 goto nla_put_failure; 3182 } 3183 3184 for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) { 3185 struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]); 3186 struct nlattr *rxsa_nest; 3187 u64 pn; 3188 int pn_len; 3189 3190 if (!rx_sa) 3191 continue; 3192 3193 rxsa_nest = nla_nest_start_noflag(skb, k++); 3194 if (!rxsa_nest) { 3195 nla_nest_cancel(skb, rxsa_list); 3196 nla_nest_cancel(skb, rxsc_nest); 3197 nla_nest_cancel(skb, rxsc_list); 3198 goto nla_put_failure; 3199 } 3200 3201 attr = nla_nest_start_noflag(skb, 3202 MACSEC_SA_ATTR_STATS); 3203 if (!attr) { 3204 nla_nest_cancel(skb, rxsa_list); 3205 nla_nest_cancel(skb, rxsc_nest); 3206 nla_nest_cancel(skb, rxsc_list); 3207 goto nla_put_failure; 3208 } 3209 memset(&rx_sa_stats, 0, sizeof(rx_sa_stats)); 3210 get_rx_sa_stats(dev, rx_sc, i, rx_sa, &rx_sa_stats); 3211 if (copy_rx_sa_stats(skb, &rx_sa_stats)) { 3212 nla_nest_cancel(skb, attr); 3213 nla_nest_cancel(skb, rxsa_list); 3214 nla_nest_cancel(skb, rxsc_nest); 3215 nla_nest_cancel(skb, rxsc_list); 3216 goto nla_put_failure; 3217 } 3218 nla_nest_end(skb, attr); 3219 3220 if (secy->xpn) { 3221 pn = rx_sa->next_pn; 3222 pn_len = MACSEC_XPN_PN_LEN; 3223 } else { 3224 pn = rx_sa->next_pn_halves.lower; 3225 pn_len = MACSEC_DEFAULT_PN_LEN; 3226 } 3227 3228 if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) || 3229 nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) || 3230 nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) || 3231 (secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, rx_sa->ssci)) || 3232 nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) { 3233 nla_nest_cancel(skb, rxsa_nest); 3234 nla_nest_cancel(skb, rxsc_nest); 3235 nla_nest_cancel(skb, rxsc_list); 3236 goto nla_put_failure; 3237 } 3238 nla_nest_end(skb, rxsa_nest); 3239 } 3240 3241 nla_nest_end(skb, rxsa_list); 3242 nla_nest_end(skb, rxsc_nest); 3243 } 3244 3245 nla_nest_end(skb, rxsc_list); 3246 3247 genlmsg_end(skb, hdr); 3248 3249 return 0; 3250 3251nla_put_failure: 3252 genlmsg_cancel(skb, hdr); 3253 return -EMSGSIZE; 3254} 3255 3256static int macsec_generation = 1; /* protected by RTNL */ 3257 3258static int macsec_dump_txsc(struct sk_buff *skb, struct netlink_callback *cb) 3259{ 3260 struct net *net = sock_net(skb->sk); 3261 struct net_device *dev; 3262 int dev_idx, d; 3263 3264 dev_idx = cb->args[0]; 3265 3266 d = 0; 3267 rtnl_lock(); 3268 3269 cb->seq = macsec_generation; 3270 3271 for_each_netdev(net, dev) { 3272 struct macsec_secy *secy; 3273 3274 if (d < dev_idx) 3275 goto next; 3276 3277 if (!netif_is_macsec(dev)) 3278 goto next; 3279 3280 secy = &macsec_priv(dev)->secy; 3281 if (dump_secy(secy, dev, skb, cb) < 0) 3282 goto done; 3283next: 3284 d++; 3285 } 3286 3287done: 3288 rtnl_unlock(); 3289 cb->args[0] = d; 3290 return skb->len; 3291} 3292 3293static const struct genl_small_ops macsec_genl_ops[] = { 3294 { 3295 .cmd = MACSEC_CMD_GET_TXSC, 3296 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3297 .dumpit = macsec_dump_txsc, 3298 }, 3299 { 3300 .cmd = MACSEC_CMD_ADD_RXSC, 3301 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3302 .doit = macsec_add_rxsc, 3303 .flags = GENL_ADMIN_PERM, 3304 }, 3305 { 3306 .cmd = MACSEC_CMD_DEL_RXSC, 3307 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3308 .doit = macsec_del_rxsc, 3309 .flags = GENL_ADMIN_PERM, 3310 }, 3311 { 3312 .cmd = MACSEC_CMD_UPD_RXSC, 3313 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3314 .doit = macsec_upd_rxsc, 3315 .flags = GENL_ADMIN_PERM, 3316 }, 3317 { 3318 .cmd = MACSEC_CMD_ADD_TXSA, 3319 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3320 .doit = macsec_add_txsa, 3321 .flags = GENL_ADMIN_PERM, 3322 }, 3323 { 3324 .cmd = MACSEC_CMD_DEL_TXSA, 3325 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3326 .doit = macsec_del_txsa, 3327 .flags = GENL_ADMIN_PERM, 3328 }, 3329 { 3330 .cmd = MACSEC_CMD_UPD_TXSA, 3331 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3332 .doit = macsec_upd_txsa, 3333 .flags = GENL_ADMIN_PERM, 3334 }, 3335 { 3336 .cmd = MACSEC_CMD_ADD_RXSA, 3337 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3338 .doit = macsec_add_rxsa, 3339 .flags = GENL_ADMIN_PERM, 3340 }, 3341 { 3342 .cmd = MACSEC_CMD_DEL_RXSA, 3343 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3344 .doit = macsec_del_rxsa, 3345 .flags = GENL_ADMIN_PERM, 3346 }, 3347 { 3348 .cmd = MACSEC_CMD_UPD_RXSA, 3349 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3350 .doit = macsec_upd_rxsa, 3351 .flags = GENL_ADMIN_PERM, 3352 }, 3353 { 3354 .cmd = MACSEC_CMD_UPD_OFFLOAD, 3355 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3356 .doit = macsec_upd_offload, 3357 .flags = GENL_ADMIN_PERM, 3358 }, 3359}; 3360 3361static struct genl_family macsec_fam __ro_after_init = { 3362 .name = MACSEC_GENL_NAME, 3363 .hdrsize = 0, 3364 .version = MACSEC_GENL_VERSION, 3365 .maxattr = MACSEC_ATTR_MAX, 3366 .policy = macsec_genl_policy, 3367 .netnsok = true, 3368 .module = THIS_MODULE, 3369 .small_ops = macsec_genl_ops, 3370 .n_small_ops = ARRAY_SIZE(macsec_genl_ops), 3371}; 3372 3373static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, 3374 struct net_device *dev) 3375{ 3376 struct macsec_dev *macsec = netdev_priv(dev); 3377 struct macsec_secy *secy = &macsec->secy; 3378 struct pcpu_secy_stats *secy_stats; 3379 int ret, len; 3380 3381 if (macsec_is_offloaded(netdev_priv(dev))) { 3382 skb->dev = macsec->real_dev; 3383 return dev_queue_xmit(skb); 3384 } 3385 3386 /* 10.5 */ 3387 if (!secy->protect_frames) { 3388 secy_stats = this_cpu_ptr(macsec->stats); 3389 u64_stats_update_begin(&secy_stats->syncp); 3390 secy_stats->stats.OutPktsUntagged++; 3391 u64_stats_update_end(&secy_stats->syncp); 3392 skb->dev = macsec->real_dev; 3393 len = skb->len; 3394 ret = dev_queue_xmit(skb); 3395 count_tx(dev, ret, len); 3396 return ret; 3397 } 3398 3399 if (!secy->operational) { 3400 kfree_skb(skb); 3401 dev->stats.tx_dropped++; 3402 return NETDEV_TX_OK; 3403 } 3404 3405 skb = macsec_encrypt(skb, dev); 3406 if (IS_ERR(skb)) { 3407 if (PTR_ERR(skb) != -EINPROGRESS) 3408 dev->stats.tx_dropped++; 3409 return NETDEV_TX_OK; 3410 } 3411 3412 macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa); 3413 3414 macsec_encrypt_finish(skb, dev); 3415 len = skb->len; 3416 ret = dev_queue_xmit(skb); 3417 count_tx(dev, ret, len); 3418 return ret; 3419} 3420 3421#define SW_MACSEC_FEATURES \ 3422 (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST) 3423 3424/* If h/w offloading is enabled, use real device features save for 3425 * VLAN_FEATURES - they require additional ops 3426 * HW_MACSEC - no reason to report it 3427 */ 3428#define REAL_DEV_FEATURES(dev) \ 3429 ((dev)->features & ~(NETIF_F_VLAN_FEATURES | NETIF_F_HW_MACSEC)) 3430 3431static int macsec_dev_init(struct net_device *dev) 3432{ 3433 struct macsec_dev *macsec = macsec_priv(dev); 3434 struct net_device *real_dev = macsec->real_dev; 3435 int err; 3436 3437 dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); 3438 if (!dev->tstats) 3439 return -ENOMEM; 3440 3441 err = gro_cells_init(&macsec->gro_cells, dev); 3442 if (err) { 3443 free_percpu(dev->tstats); 3444 return err; 3445 } 3446 3447 if (macsec_is_offloaded(macsec)) { 3448 dev->features = REAL_DEV_FEATURES(real_dev); 3449 } else { 3450 dev->features = real_dev->features & SW_MACSEC_FEATURES; 3451 dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE; 3452 } 3453 3454 dev->needed_headroom = real_dev->needed_headroom + 3455 MACSEC_NEEDED_HEADROOM; 3456 dev->needed_tailroom = real_dev->needed_tailroom + 3457 MACSEC_NEEDED_TAILROOM; 3458 3459 if (is_zero_ether_addr(dev->dev_addr)) 3460 eth_hw_addr_inherit(dev, real_dev); 3461 if (is_zero_ether_addr(dev->broadcast)) 3462 memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len); 3463 3464 /* Get macsec's reference to real_dev */ 3465 dev_hold_track(real_dev, &macsec->dev_tracker, GFP_KERNEL); 3466 3467 return 0; 3468} 3469 3470static void macsec_dev_uninit(struct net_device *dev) 3471{ 3472 struct macsec_dev *macsec = macsec_priv(dev); 3473 3474 gro_cells_destroy(&macsec->gro_cells); 3475 free_percpu(dev->tstats); 3476} 3477 3478static netdev_features_t macsec_fix_features(struct net_device *dev, 3479 netdev_features_t features) 3480{ 3481 struct macsec_dev *macsec = macsec_priv(dev); 3482 struct net_device *real_dev = macsec->real_dev; 3483 3484 if (macsec_is_offloaded(macsec)) 3485 return REAL_DEV_FEATURES(real_dev); 3486 3487 features &= (real_dev->features & SW_MACSEC_FEATURES) | 3488 NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES; 3489 features |= NETIF_F_LLTX; 3490 3491 return features; 3492} 3493 3494static int macsec_dev_open(struct net_device *dev) 3495{ 3496 struct macsec_dev *macsec = macsec_priv(dev); 3497 struct net_device *real_dev = macsec->real_dev; 3498 int err; 3499 3500 err = dev_uc_add(real_dev, dev->dev_addr); 3501 if (err < 0) 3502 return err; 3503 3504 if (dev->flags & IFF_ALLMULTI) { 3505 err = dev_set_allmulti(real_dev, 1); 3506 if (err < 0) 3507 goto del_unicast; 3508 } 3509 3510 if (dev->flags & IFF_PROMISC) { 3511 err = dev_set_promiscuity(real_dev, 1); 3512 if (err < 0) 3513 goto clear_allmulti; 3514 } 3515 3516 /* If h/w offloading is available, propagate to the device */ 3517 if (macsec_is_offloaded(macsec)) { 3518 const struct macsec_ops *ops; 3519 struct macsec_context ctx; 3520 3521 ops = macsec_get_ops(netdev_priv(dev), &ctx); 3522 if (!ops) { 3523 err = -EOPNOTSUPP; 3524 goto clear_allmulti; 3525 } 3526 3527 ctx.secy = &macsec->secy; 3528 err = macsec_offload(ops->mdo_dev_open, &ctx); 3529 if (err) 3530 goto clear_allmulti; 3531 } 3532 3533 if (netif_carrier_ok(real_dev)) 3534 netif_carrier_on(dev); 3535 3536 return 0; 3537clear_allmulti: 3538 if (dev->flags & IFF_ALLMULTI) 3539 dev_set_allmulti(real_dev, -1); 3540del_unicast: 3541 dev_uc_del(real_dev, dev->dev_addr); 3542 netif_carrier_off(dev); 3543 return err; 3544} 3545 3546static int macsec_dev_stop(struct net_device *dev) 3547{ 3548 struct macsec_dev *macsec = macsec_priv(dev); 3549 struct net_device *real_dev = macsec->real_dev; 3550 3551 netif_carrier_off(dev); 3552 3553 /* If h/w offloading is available, propagate to the device */ 3554 if (macsec_is_offloaded(macsec)) { 3555 const struct macsec_ops *ops; 3556 struct macsec_context ctx; 3557 3558 ops = macsec_get_ops(macsec, &ctx); 3559 if (ops) { 3560 ctx.secy = &macsec->secy; 3561 macsec_offload(ops->mdo_dev_stop, &ctx); 3562 } 3563 } 3564 3565 dev_mc_unsync(real_dev, dev); 3566 dev_uc_unsync(real_dev, dev); 3567 3568 if (dev->flags & IFF_ALLMULTI) 3569 dev_set_allmulti(real_dev, -1); 3570 3571 if (dev->flags & IFF_PROMISC) 3572 dev_set_promiscuity(real_dev, -1); 3573 3574 dev_uc_del(real_dev, dev->dev_addr); 3575 3576 return 0; 3577} 3578 3579static void macsec_dev_change_rx_flags(struct net_device *dev, int change) 3580{ 3581 struct net_device *real_dev = macsec_priv(dev)->real_dev; 3582 3583 if (!(dev->flags & IFF_UP)) 3584 return; 3585 3586 if (change & IFF_ALLMULTI) 3587 dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1); 3588 3589 if (change & IFF_PROMISC) 3590 dev_set_promiscuity(real_dev, 3591 dev->flags & IFF_PROMISC ? 1 : -1); 3592} 3593 3594static void macsec_dev_set_rx_mode(struct net_device *dev) 3595{ 3596 struct net_device *real_dev = macsec_priv(dev)->real_dev; 3597 3598 dev_mc_sync(real_dev, dev); 3599 dev_uc_sync(real_dev, dev); 3600} 3601 3602static int macsec_set_mac_address(struct net_device *dev, void *p) 3603{ 3604 struct macsec_dev *macsec = macsec_priv(dev); 3605 struct net_device *real_dev = macsec->real_dev; 3606 struct sockaddr *addr = p; 3607 int err; 3608 3609 if (!is_valid_ether_addr(addr->sa_data)) 3610 return -EADDRNOTAVAIL; 3611 3612 if (!(dev->flags & IFF_UP)) 3613 goto out; 3614 3615 err = dev_uc_add(real_dev, addr->sa_data); 3616 if (err < 0) 3617 return err; 3618 3619 dev_uc_del(real_dev, dev->dev_addr); 3620 3621out: 3622 eth_hw_addr_set(dev, addr->sa_data); 3623 macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES); 3624 3625 /* If h/w offloading is available, propagate to the device */ 3626 if (macsec_is_offloaded(macsec)) { 3627 const struct macsec_ops *ops; 3628 struct macsec_context ctx; 3629 3630 ops = macsec_get_ops(macsec, &ctx); 3631 if (ops) { 3632 ctx.secy = &macsec->secy; 3633 macsec_offload(ops->mdo_upd_secy, &ctx); 3634 } 3635 } 3636 3637 return 0; 3638} 3639 3640static int macsec_change_mtu(struct net_device *dev, int new_mtu) 3641{ 3642 struct macsec_dev *macsec = macsec_priv(dev); 3643 unsigned int extra = macsec->secy.icv_len + macsec_extra_len(true); 3644 3645 if (macsec->real_dev->mtu - extra < new_mtu) 3646 return -ERANGE; 3647 3648 dev->mtu = new_mtu; 3649 3650 return 0; 3651} 3652 3653static void macsec_get_stats64(struct net_device *dev, 3654 struct rtnl_link_stats64 *s) 3655{ 3656 if (!dev->tstats) 3657 return; 3658 3659 dev_fetch_sw_netstats(s, dev->tstats); 3660 3661 s->rx_dropped = dev->stats.rx_dropped; 3662 s->tx_dropped = dev->stats.tx_dropped; 3663} 3664 3665static int macsec_get_iflink(const struct net_device *dev) 3666{ 3667 return macsec_priv(dev)->real_dev->ifindex; 3668} 3669 3670static const struct net_device_ops macsec_netdev_ops = { 3671 .ndo_init = macsec_dev_init, 3672 .ndo_uninit = macsec_dev_uninit, 3673 .ndo_open = macsec_dev_open, 3674 .ndo_stop = macsec_dev_stop, 3675 .ndo_fix_features = macsec_fix_features, 3676 .ndo_change_mtu = macsec_change_mtu, 3677 .ndo_set_rx_mode = macsec_dev_set_rx_mode, 3678 .ndo_change_rx_flags = macsec_dev_change_rx_flags, 3679 .ndo_set_mac_address = macsec_set_mac_address, 3680 .ndo_start_xmit = macsec_start_xmit, 3681 .ndo_get_stats64 = macsec_get_stats64, 3682 .ndo_get_iflink = macsec_get_iflink, 3683}; 3684 3685static const struct device_type macsec_type = { 3686 .name = "macsec", 3687}; 3688 3689static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = { 3690 [IFLA_MACSEC_SCI] = { .type = NLA_U64 }, 3691 [IFLA_MACSEC_PORT] = { .type = NLA_U16 }, 3692 [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 }, 3693 [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 }, 3694 [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 }, 3695 [IFLA_MACSEC_ENCODING_SA] = { .type = NLA_U8 }, 3696 [IFLA_MACSEC_ENCRYPT] = { .type = NLA_U8 }, 3697 [IFLA_MACSEC_PROTECT] = { .type = NLA_U8 }, 3698 [IFLA_MACSEC_INC_SCI] = { .type = NLA_U8 }, 3699 [IFLA_MACSEC_ES] = { .type = NLA_U8 }, 3700 [IFLA_MACSEC_SCB] = { .type = NLA_U8 }, 3701 [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 }, 3702 [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 }, 3703}; 3704 3705static void macsec_free_netdev(struct net_device *dev) 3706{ 3707 struct macsec_dev *macsec = macsec_priv(dev); 3708 3709 free_percpu(macsec->stats); 3710 free_percpu(macsec->secy.tx_sc.stats); 3711 3712 /* Get rid of the macsec's reference to real_dev */ 3713 dev_put_track(macsec->real_dev, &macsec->dev_tracker); 3714} 3715 3716static void macsec_setup(struct net_device *dev) 3717{ 3718 ether_setup(dev); 3719 dev->min_mtu = 0; 3720 dev->max_mtu = ETH_MAX_MTU; 3721 dev->priv_flags |= IFF_NO_QUEUE; 3722 dev->netdev_ops = &macsec_netdev_ops; 3723 dev->needs_free_netdev = true; 3724 dev->priv_destructor = macsec_free_netdev; 3725 SET_NETDEV_DEVTYPE(dev, &macsec_type); 3726 3727 eth_zero_addr(dev->broadcast); 3728} 3729 3730static int macsec_changelink_common(struct net_device *dev, 3731 struct nlattr *data[]) 3732{ 3733 struct macsec_secy *secy; 3734 struct macsec_tx_sc *tx_sc; 3735 3736 secy = &macsec_priv(dev)->secy; 3737 tx_sc = &secy->tx_sc; 3738 3739 if (data[IFLA_MACSEC_ENCODING_SA]) { 3740 struct macsec_tx_sa *tx_sa; 3741 3742 tx_sc->encoding_sa = nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]); 3743 tx_sa = rtnl_dereference(tx_sc->sa[tx_sc->encoding_sa]); 3744 3745 secy->operational = tx_sa && tx_sa->active; 3746 } 3747 3748 if (data[IFLA_MACSEC_WINDOW]) 3749 secy->replay_window = nla_get_u32(data[IFLA_MACSEC_WINDOW]); 3750 3751 if (data[IFLA_MACSEC_ENCRYPT]) 3752 tx_sc->encrypt = !!nla_get_u8(data[IFLA_MACSEC_ENCRYPT]); 3753 3754 if (data[IFLA_MACSEC_PROTECT]) 3755 secy->protect_frames = !!nla_get_u8(data[IFLA_MACSEC_PROTECT]); 3756 3757 if (data[IFLA_MACSEC_INC_SCI]) 3758 tx_sc->send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); 3759 3760 if (data[IFLA_MACSEC_ES]) 3761 tx_sc->end_station = !!nla_get_u8(data[IFLA_MACSEC_ES]); 3762 3763 if (data[IFLA_MACSEC_SCB]) 3764 tx_sc->scb = !!nla_get_u8(data[IFLA_MACSEC_SCB]); 3765 3766 if (data[IFLA_MACSEC_REPLAY_PROTECT]) 3767 secy->replay_protect = !!nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT]); 3768 3769 if (data[IFLA_MACSEC_VALIDATION]) 3770 secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]); 3771 3772 if (data[IFLA_MACSEC_CIPHER_SUITE]) { 3773 switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) { 3774 case MACSEC_CIPHER_ID_GCM_AES_128: 3775 case MACSEC_DEFAULT_CIPHER_ID: 3776 secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; 3777 secy->xpn = false; 3778 break; 3779 case MACSEC_CIPHER_ID_GCM_AES_256: 3780 secy->key_len = MACSEC_GCM_AES_256_SAK_LEN; 3781 secy->xpn = false; 3782 break; 3783 case MACSEC_CIPHER_ID_GCM_AES_XPN_128: 3784 secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; 3785 secy->xpn = true; 3786 break; 3787 case MACSEC_CIPHER_ID_GCM_AES_XPN_256: 3788 secy->key_len = MACSEC_GCM_AES_256_SAK_LEN; 3789 secy->xpn = true; 3790 break; 3791 default: 3792 return -EINVAL; 3793 } 3794 } 3795 3796 return 0; 3797} 3798 3799static int macsec_changelink(struct net_device *dev, struct nlattr *tb[], 3800 struct nlattr *data[], 3801 struct netlink_ext_ack *extack) 3802{ 3803 struct macsec_dev *macsec = macsec_priv(dev); 3804 struct macsec_tx_sc tx_sc; 3805 struct macsec_secy secy; 3806 int ret; 3807 3808 if (!data) 3809 return 0; 3810 3811 if (data[IFLA_MACSEC_CIPHER_SUITE] || 3812 data[IFLA_MACSEC_ICV_LEN] || 3813 data[IFLA_MACSEC_SCI] || 3814 data[IFLA_MACSEC_PORT]) 3815 return -EINVAL; 3816 3817 /* Keep a copy of unmodified secy and tx_sc, in case the offload 3818 * propagation fails, to revert macsec_changelink_common. 3819 */ 3820 memcpy(&secy, &macsec->secy, sizeof(secy)); 3821 memcpy(&tx_sc, &macsec->secy.tx_sc, sizeof(tx_sc)); 3822 3823 ret = macsec_changelink_common(dev, data); 3824 if (ret) 3825 return ret; 3826 3827 /* If h/w offloading is available, propagate to the device */ 3828 if (macsec_is_offloaded(macsec)) { 3829 const struct macsec_ops *ops; 3830 struct macsec_context ctx; 3831 int ret; 3832 3833 ops = macsec_get_ops(netdev_priv(dev), &ctx); 3834 if (!ops) { 3835 ret = -EOPNOTSUPP; 3836 goto cleanup; 3837 } 3838 3839 ctx.secy = &macsec->secy; 3840 ret = macsec_offload(ops->mdo_upd_secy, &ctx); 3841 if (ret) 3842 goto cleanup; 3843 } 3844 3845 return 0; 3846 3847cleanup: 3848 memcpy(&macsec->secy.tx_sc, &tx_sc, sizeof(tx_sc)); 3849 memcpy(&macsec->secy, &secy, sizeof(secy)); 3850 3851 return ret; 3852} 3853 3854static void macsec_del_dev(struct macsec_dev *macsec) 3855{ 3856 int i; 3857 3858 while (macsec->secy.rx_sc) { 3859 struct macsec_rx_sc *rx_sc = rtnl_dereference(macsec->secy.rx_sc); 3860 3861 rcu_assign_pointer(macsec->secy.rx_sc, rx_sc->next); 3862 free_rx_sc(rx_sc); 3863 } 3864 3865 for (i = 0; i < MACSEC_NUM_AN; i++) { 3866 struct macsec_tx_sa *sa = rtnl_dereference(macsec->secy.tx_sc.sa[i]); 3867 3868 if (sa) { 3869 RCU_INIT_POINTER(macsec->secy.tx_sc.sa[i], NULL); 3870 clear_tx_sa(sa); 3871 } 3872 } 3873} 3874 3875static void macsec_common_dellink(struct net_device *dev, struct list_head *head) 3876{ 3877 struct macsec_dev *macsec = macsec_priv(dev); 3878 struct net_device *real_dev = macsec->real_dev; 3879 3880 /* If h/w offloading is available, propagate to the device */ 3881 if (macsec_is_offloaded(macsec)) { 3882 const struct macsec_ops *ops; 3883 struct macsec_context ctx; 3884 3885 ops = macsec_get_ops(netdev_priv(dev), &ctx); 3886 if (ops) { 3887 ctx.secy = &macsec->secy; 3888 macsec_offload(ops->mdo_del_secy, &ctx); 3889 } 3890 } 3891 3892 unregister_netdevice_queue(dev, head); 3893 list_del_rcu(&macsec->secys); 3894 macsec_del_dev(macsec); 3895 netdev_upper_dev_unlink(real_dev, dev); 3896 3897 macsec_generation++; 3898} 3899 3900static void macsec_dellink(struct net_device *dev, struct list_head *head) 3901{ 3902 struct macsec_dev *macsec = macsec_priv(dev); 3903 struct net_device *real_dev = macsec->real_dev; 3904 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev); 3905 3906 macsec_common_dellink(dev, head); 3907 3908 if (list_empty(&rxd->secys)) { 3909 netdev_rx_handler_unregister(real_dev); 3910 kfree(rxd); 3911 } 3912} 3913 3914static int register_macsec_dev(struct net_device *real_dev, 3915 struct net_device *dev) 3916{ 3917 struct macsec_dev *macsec = macsec_priv(dev); 3918 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev); 3919 3920 if (!rxd) { 3921 int err; 3922 3923 rxd = kmalloc(sizeof(*rxd), GFP_KERNEL); 3924 if (!rxd) 3925 return -ENOMEM; 3926 3927 INIT_LIST_HEAD(&rxd->secys); 3928 3929 err = netdev_rx_handler_register(real_dev, macsec_handle_frame, 3930 rxd); 3931 if (err < 0) { 3932 kfree(rxd); 3933 return err; 3934 } 3935 } 3936 3937 list_add_tail_rcu(&macsec->secys, &rxd->secys); 3938 return 0; 3939} 3940 3941static bool sci_exists(struct net_device *dev, sci_t sci) 3942{ 3943 struct macsec_rxh_data *rxd = macsec_data_rtnl(dev); 3944 struct macsec_dev *macsec; 3945 3946 list_for_each_entry(macsec, &rxd->secys, secys) { 3947 if (macsec->secy.sci == sci) 3948 return true; 3949 } 3950 3951 return false; 3952} 3953 3954static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len) 3955{ 3956 struct macsec_dev *macsec = macsec_priv(dev); 3957 struct macsec_secy *secy = &macsec->secy; 3958 3959 macsec->stats = netdev_alloc_pcpu_stats(struct pcpu_secy_stats); 3960 if (!macsec->stats) 3961 return -ENOMEM; 3962 3963 secy->tx_sc.stats = netdev_alloc_pcpu_stats(struct pcpu_tx_sc_stats); 3964 if (!secy->tx_sc.stats) { 3965 free_percpu(macsec->stats); 3966 return -ENOMEM; 3967 } 3968 3969 if (sci == MACSEC_UNDEF_SCI) 3970 sci = dev_to_sci(dev, MACSEC_PORT_ES); 3971 3972 secy->netdev = dev; 3973 secy->operational = true; 3974 secy->key_len = DEFAULT_SAK_LEN; 3975 secy->icv_len = icv_len; 3976 secy->validate_frames = MACSEC_VALIDATE_DEFAULT; 3977 secy->protect_frames = true; 3978 secy->replay_protect = false; 3979 secy->xpn = DEFAULT_XPN; 3980 3981 secy->sci = sci; 3982 secy->tx_sc.active = true; 3983 secy->tx_sc.encoding_sa = DEFAULT_ENCODING_SA; 3984 secy->tx_sc.encrypt = DEFAULT_ENCRYPT; 3985 secy->tx_sc.send_sci = DEFAULT_SEND_SCI; 3986 secy->tx_sc.end_station = false; 3987 secy->tx_sc.scb = false; 3988 3989 return 0; 3990} 3991 3992static struct lock_class_key macsec_netdev_addr_lock_key; 3993 3994static int macsec_newlink(struct net *net, struct net_device *dev, 3995 struct nlattr *tb[], struct nlattr *data[], 3996 struct netlink_ext_ack *extack) 3997{ 3998 struct macsec_dev *macsec = macsec_priv(dev); 3999 rx_handler_func_t *rx_handler; 4000 u8 icv_len = DEFAULT_ICV_LEN; 4001 struct net_device *real_dev; 4002 int err, mtu; 4003 sci_t sci; 4004 4005 if (!tb[IFLA_LINK]) 4006 return -EINVAL; 4007 real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK])); 4008 if (!real_dev) 4009 return -ENODEV; 4010 if (real_dev->type != ARPHRD_ETHER) 4011 return -EINVAL; 4012 4013 dev->priv_flags |= IFF_MACSEC; 4014 4015 macsec->real_dev = real_dev; 4016 4017 if (data && data[IFLA_MACSEC_OFFLOAD]) 4018 macsec->offload = nla_get_offload(data[IFLA_MACSEC_OFFLOAD]); 4019 else 4020 /* MACsec offloading is off by default */ 4021 macsec->offload = MACSEC_OFFLOAD_OFF; 4022 4023 /* Check if the offloading mode is supported by the underlying layers */ 4024 if (macsec->offload != MACSEC_OFFLOAD_OFF && 4025 !macsec_check_offload(macsec->offload, macsec)) 4026 return -EOPNOTSUPP; 4027 4028 /* send_sci must be set to true when transmit sci explicitly is set */ 4029 if ((data && data[IFLA_MACSEC_SCI]) && 4030 (data && data[IFLA_MACSEC_INC_SCI])) { 4031 u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); 4032 4033 if (!send_sci) 4034 return -EINVAL; 4035 } 4036 4037 if (data && data[IFLA_MACSEC_ICV_LEN]) 4038 icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); 4039 mtu = real_dev->mtu - icv_len - macsec_extra_len(true); 4040 if (mtu < 0) 4041 dev->mtu = 0; 4042 else 4043 dev->mtu = mtu; 4044 4045 rx_handler = rtnl_dereference(real_dev->rx_handler); 4046 if (rx_handler && rx_handler != macsec_handle_frame) 4047 return -EBUSY; 4048 4049 err = register_netdevice(dev); 4050 if (err < 0) 4051 return err; 4052 4053 netdev_lockdep_set_classes(dev); 4054 lockdep_set_class(&dev->addr_list_lock, 4055 &macsec_netdev_addr_lock_key); 4056 4057 err = netdev_upper_dev_link(real_dev, dev, extack); 4058 if (err < 0) 4059 goto unregister; 4060 4061 /* need to be already registered so that ->init has run and 4062 * the MAC addr is set 4063 */ 4064 if (data && data[IFLA_MACSEC_SCI]) 4065 sci = nla_get_sci(data[IFLA_MACSEC_SCI]); 4066 else if (data && data[IFLA_MACSEC_PORT]) 4067 sci = dev_to_sci(dev, nla_get_be16(data[IFLA_MACSEC_PORT])); 4068 else 4069 sci = dev_to_sci(dev, MACSEC_PORT_ES); 4070 4071 if (rx_handler && sci_exists(real_dev, sci)) { 4072 err = -EBUSY; 4073 goto unlink; 4074 } 4075 4076 err = macsec_add_dev(dev, sci, icv_len); 4077 if (err) 4078 goto unlink; 4079 4080 if (data) { 4081 err = macsec_changelink_common(dev, data); 4082 if (err) 4083 goto del_dev; 4084 } 4085 4086 /* If h/w offloading is available, propagate to the device */ 4087 if (macsec_is_offloaded(macsec)) { 4088 const struct macsec_ops *ops; 4089 struct macsec_context ctx; 4090 4091 ops = macsec_get_ops(macsec, &ctx); 4092 if (ops) { 4093 ctx.secy = &macsec->secy; 4094 err = macsec_offload(ops->mdo_add_secy, &ctx); 4095 if (err) 4096 goto del_dev; 4097 } 4098 } 4099 4100 err = register_macsec_dev(real_dev, dev); 4101 if (err < 0) 4102 goto del_dev; 4103 4104 netif_stacked_transfer_operstate(real_dev, dev); 4105 linkwatch_fire_event(dev); 4106 4107 macsec_generation++; 4108 4109 return 0; 4110 4111del_dev: 4112 macsec_del_dev(macsec); 4113unlink: 4114 netdev_upper_dev_unlink(real_dev, dev); 4115unregister: 4116 unregister_netdevice(dev); 4117 return err; 4118} 4119 4120static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[], 4121 struct netlink_ext_ack *extack) 4122{ 4123 u64 csid = MACSEC_DEFAULT_CIPHER_ID; 4124 u8 icv_len = DEFAULT_ICV_LEN; 4125 int flag; 4126 bool es, scb, sci; 4127 4128 if (!data) 4129 return 0; 4130 4131 if (data[IFLA_MACSEC_CIPHER_SUITE]) 4132 csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]); 4133 4134 if (data[IFLA_MACSEC_ICV_LEN]) { 4135 icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); 4136 if (icv_len != DEFAULT_ICV_LEN) { 4137 char dummy_key[DEFAULT_SAK_LEN] = { 0 }; 4138 struct crypto_aead *dummy_tfm; 4139 4140 dummy_tfm = macsec_alloc_tfm(dummy_key, 4141 DEFAULT_SAK_LEN, 4142 icv_len); 4143 if (IS_ERR(dummy_tfm)) 4144 return PTR_ERR(dummy_tfm); 4145 crypto_free_aead(dummy_tfm); 4146 } 4147 } 4148 4149 switch (csid) { 4150 case MACSEC_CIPHER_ID_GCM_AES_128: 4151 case MACSEC_CIPHER_ID_GCM_AES_256: 4152 case MACSEC_CIPHER_ID_GCM_AES_XPN_128: 4153 case MACSEC_CIPHER_ID_GCM_AES_XPN_256: 4154 case MACSEC_DEFAULT_CIPHER_ID: 4155 if (icv_len < MACSEC_MIN_ICV_LEN || 4156 icv_len > MACSEC_STD_ICV_LEN) 4157 return -EINVAL; 4158 break; 4159 default: 4160 return -EINVAL; 4161 } 4162 4163 if (data[IFLA_MACSEC_ENCODING_SA]) { 4164 if (nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]) >= MACSEC_NUM_AN) 4165 return -EINVAL; 4166 } 4167 4168 for (flag = IFLA_MACSEC_ENCODING_SA + 1; 4169 flag < IFLA_MACSEC_VALIDATION; 4170 flag++) { 4171 if (data[flag]) { 4172 if (nla_get_u8(data[flag]) > 1) 4173 return -EINVAL; 4174 } 4175 } 4176 4177 es = data[IFLA_MACSEC_ES] ? nla_get_u8(data[IFLA_MACSEC_ES]) : false; 4178 sci = data[IFLA_MACSEC_INC_SCI] ? nla_get_u8(data[IFLA_MACSEC_INC_SCI]) : false; 4179 scb = data[IFLA_MACSEC_SCB] ? nla_get_u8(data[IFLA_MACSEC_SCB]) : false; 4180 4181 if ((sci && (scb || es)) || (scb && es)) 4182 return -EINVAL; 4183 4184 if (data[IFLA_MACSEC_VALIDATION] && 4185 nla_get_u8(data[IFLA_MACSEC_VALIDATION]) > MACSEC_VALIDATE_MAX) 4186 return -EINVAL; 4187 4188 if ((data[IFLA_MACSEC_REPLAY_PROTECT] && 4189 nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT])) && 4190 !data[IFLA_MACSEC_WINDOW]) 4191 return -EINVAL; 4192 4193 return 0; 4194} 4195 4196static struct net *macsec_get_link_net(const struct net_device *dev) 4197{ 4198 return dev_net(macsec_priv(dev)->real_dev); 4199} 4200 4201static size_t macsec_get_size(const struct net_device *dev) 4202{ 4203 return nla_total_size_64bit(8) + /* IFLA_MACSEC_SCI */ 4204 nla_total_size(1) + /* IFLA_MACSEC_ICV_LEN */ 4205 nla_total_size_64bit(8) + /* IFLA_MACSEC_CIPHER_SUITE */ 4206 nla_total_size(4) + /* IFLA_MACSEC_WINDOW */ 4207 nla_total_size(1) + /* IFLA_MACSEC_ENCODING_SA */ 4208 nla_total_size(1) + /* IFLA_MACSEC_ENCRYPT */ 4209 nla_total_size(1) + /* IFLA_MACSEC_PROTECT */ 4210 nla_total_size(1) + /* IFLA_MACSEC_INC_SCI */ 4211 nla_total_size(1) + /* IFLA_MACSEC_ES */ 4212 nla_total_size(1) + /* IFLA_MACSEC_SCB */ 4213 nla_total_size(1) + /* IFLA_MACSEC_REPLAY_PROTECT */ 4214 nla_total_size(1) + /* IFLA_MACSEC_VALIDATION */ 4215 0; 4216} 4217 4218static int macsec_fill_info(struct sk_buff *skb, 4219 const struct net_device *dev) 4220{ 4221 struct macsec_secy *secy = &macsec_priv(dev)->secy; 4222 struct macsec_tx_sc *tx_sc = &secy->tx_sc; 4223 u64 csid; 4224 4225 switch (secy->key_len) { 4226 case MACSEC_GCM_AES_128_SAK_LEN: 4227 csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID; 4228 break; 4229 case MACSEC_GCM_AES_256_SAK_LEN: 4230 csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256; 4231 break; 4232 default: 4233 goto nla_put_failure; 4234 } 4235 4236 if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci, 4237 IFLA_MACSEC_PAD) || 4238 nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) || 4239 nla_put_u64_64bit(skb, IFLA_MACSEC_CIPHER_SUITE, 4240 csid, IFLA_MACSEC_PAD) || 4241 nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) || 4242 nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) || 4243 nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) || 4244 nla_put_u8(skb, IFLA_MACSEC_INC_SCI, tx_sc->send_sci) || 4245 nla_put_u8(skb, IFLA_MACSEC_ES, tx_sc->end_station) || 4246 nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) || 4247 nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) || 4248 nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) || 4249 0) 4250 goto nla_put_failure; 4251 4252 if (secy->replay_protect) { 4253 if (nla_put_u32(skb, IFLA_MACSEC_WINDOW, secy->replay_window)) 4254 goto nla_put_failure; 4255 } 4256 4257 return 0; 4258 4259nla_put_failure: 4260 return -EMSGSIZE; 4261} 4262 4263static struct rtnl_link_ops macsec_link_ops __read_mostly = { 4264 .kind = "macsec", 4265 .priv_size = sizeof(struct macsec_dev), 4266 .maxtype = IFLA_MACSEC_MAX, 4267 .policy = macsec_rtnl_policy, 4268 .setup = macsec_setup, 4269 .validate = macsec_validate_attr, 4270 .newlink = macsec_newlink, 4271 .changelink = macsec_changelink, 4272 .dellink = macsec_dellink, 4273 .get_size = macsec_get_size, 4274 .fill_info = macsec_fill_info, 4275 .get_link_net = macsec_get_link_net, 4276}; 4277 4278static bool is_macsec_master(struct net_device *dev) 4279{ 4280 return rcu_access_pointer(dev->rx_handler) == macsec_handle_frame; 4281} 4282 4283static int macsec_notify(struct notifier_block *this, unsigned long event, 4284 void *ptr) 4285{ 4286 struct net_device *real_dev = netdev_notifier_info_to_dev(ptr); 4287 LIST_HEAD(head); 4288 4289 if (!is_macsec_master(real_dev)) 4290 return NOTIFY_DONE; 4291 4292 switch (event) { 4293 case NETDEV_DOWN: 4294 case NETDEV_UP: 4295 case NETDEV_CHANGE: { 4296 struct macsec_dev *m, *n; 4297 struct macsec_rxh_data *rxd; 4298 4299 rxd = macsec_data_rtnl(real_dev); 4300 list_for_each_entry_safe(m, n, &rxd->secys, secys) { 4301 struct net_device *dev = m->secy.netdev; 4302 4303 netif_stacked_transfer_operstate(real_dev, dev); 4304 } 4305 break; 4306 } 4307 case NETDEV_UNREGISTER: { 4308 struct macsec_dev *m, *n; 4309 struct macsec_rxh_data *rxd; 4310 4311 rxd = macsec_data_rtnl(real_dev); 4312 list_for_each_entry_safe(m, n, &rxd->secys, secys) { 4313 macsec_common_dellink(m->secy.netdev, &head); 4314 } 4315 4316 netdev_rx_handler_unregister(real_dev); 4317 kfree(rxd); 4318 4319 unregister_netdevice_many(&head); 4320 break; 4321 } 4322 case NETDEV_CHANGEMTU: { 4323 struct macsec_dev *m; 4324 struct macsec_rxh_data *rxd; 4325 4326 rxd = macsec_data_rtnl(real_dev); 4327 list_for_each_entry(m, &rxd->secys, secys) { 4328 struct net_device *dev = m->secy.netdev; 4329 unsigned int mtu = real_dev->mtu - (m->secy.icv_len + 4330 macsec_extra_len(true)); 4331 4332 if (dev->mtu > mtu) 4333 dev_set_mtu(dev, mtu); 4334 } 4335 } 4336 } 4337 4338 return NOTIFY_OK; 4339} 4340 4341static struct notifier_block macsec_notifier = { 4342 .notifier_call = macsec_notify, 4343}; 4344 4345static int __init macsec_init(void) 4346{ 4347 int err; 4348 4349 pr_info("MACsec IEEE 802.1AE\n"); 4350 err = register_netdevice_notifier(&macsec_notifier); 4351 if (err) 4352 return err; 4353 4354 err = rtnl_link_register(&macsec_link_ops); 4355 if (err) 4356 goto notifier; 4357 4358 err = genl_register_family(&macsec_fam); 4359 if (err) 4360 goto rtnl; 4361 4362 return 0; 4363 4364rtnl: 4365 rtnl_link_unregister(&macsec_link_ops); 4366notifier: 4367 unregister_netdevice_notifier(&macsec_notifier); 4368 return err; 4369} 4370 4371static void __exit macsec_exit(void) 4372{ 4373 genl_unregister_family(&macsec_fam); 4374 rtnl_link_unregister(&macsec_link_ops); 4375 unregister_netdevice_notifier(&macsec_notifier); 4376 rcu_barrier(); 4377} 4378 4379module_init(macsec_init); 4380module_exit(macsec_exit); 4381 4382MODULE_ALIAS_RTNL_LINK("macsec"); 4383MODULE_ALIAS_GENL_FAMILY("macsec"); 4384 4385MODULE_DESCRIPTION("MACsec IEEE 802.1AE"); 4386MODULE_LICENSE("GPL v2");