
macsec.h (7066B)


      1/* SPDX-License-Identifier: GPL-2.0+ */
      2/*
      3 * MACsec netdev header, used for h/w accelerated implementations.
      4 *
      5 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
      6 */
      7#ifndef _NET_MACSEC_H_
      8#define _NET_MACSEC_H_
      9
     10#include <linux/u64_stats_sync.h>
     11#include <uapi/linux/if_link.h>
     12#include <uapi/linux/if_macsec.h>
     13
/*
 * Packet number (PN) sizes: the default cipher suites use a 32-bit PN,
 * extended packet numbering (XPN) uses a 64-bit PN.  4 and 8 match the
 * u32 halves / u64 full value of pn_t below.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

/* salt_t below is laid out to be exactly this many bytes */
#define MACSEC_SALT_LEN 12
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

/*
 * SCI (secure channel identifier) and SSCI (short SCI) are __bitwise so
 * that sparse flags any implicit mixing with plain integers; convert
 * explicitly instead of relying on accidental byte order.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;
     22
/*
 * XPN salt.  The packed u32 ssci + u64 pn pair (4 + 8 bytes) overlays the
 * MACSEC_SALT_LEN raw bytes exactly; __packed on both the inner struct and
 * the union is what guarantees no padding breaks that overlay.
 */
typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;
     30
/*
 * Packet number, accessible either as the full 64-bit value or as two
 * 32-bit halves.  The order of the halves is chosen per host endianness so
 * that `lower` always overlays the low 32 bits of `full64` and `upper` the
 * high 32 bits.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error	"Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;
     45
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes)
 * @tfm: crypto struct, key storage
 * @salt: salt used to generate IV in XPN cipher suites
 *
 * The key material itself lives inside the AEAD transform @tfm; this
 * structure holds only the identifier and the 12-byte XPN salt, so there
 * is no raw key buffer here to wipe.
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};
     57
/**
 * struct macsec_rx_sc_stats - per receive secure channel counters
 *
 * Member names follow the IEEE 802.1AE receive SC counter names.  All
 * counters are 64-bit; see struct pcpu_rx_sc_stats for the per-CPU
 * wrapper that makes them readable consistently on 32-bit hosts.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};
     70
/**
 * struct macsec_rx_sa_stats - per receive secure association counters
 *
 * Member names follow the IEEE 802.1AE receive SA counter names.  Unlike
 * the SC/device counters these are 32-bit (__u32).
 */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};
     78
/**
 * struct macsec_tx_sa_stats - per transmit secure association counters
 *
 * 32-bit counters; names follow the IEEE 802.1AE transmit SA counters.
 */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};
     83
/**
 * struct macsec_tx_sc_stats - per transmit secure channel counters
 *
 * 64-bit counters; names follow the IEEE 802.1AE transmit SC counters.
 * Wrapped per-CPU by struct pcpu_tx_sc_stats.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};
     90
/**
 * struct macsec_dev_stats - device-wide (SecY level) counters
 *
 * 64-bit counters for frames that could not be attributed to an SC/SA
 * (untagged, bad tag, unknown SCI, ...); names follow IEEE 802.1AE.
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};
    101
/**
 * struct macsec_rx_sa - receive secure association
 * @active: SA is active (presumably: eligible to receive; confirm against
 *	the MACsec core)
 * @next_pn: packet number expected for the next packet
 * @next_pn_halves: @next_pn viewed as two 32-bit halves (same storage,
 *	see pn_t)
 * @lock: protects next_pn manipulations
 * @key: key structure
 * @ssci: short secure channel identifier
 * @refcnt: reference count on this SA
 * @stats: per-SA stats (per-CPU)
 * @sc: receive secure channel this SA belongs to
 * @rcu: RCU head; the SA is published through __rcu pointers in
 *	struct macsec_rx_sc
 *
 * @next_pn is the replay-protection state for this SA: readers and
 * writers must hold @lock.
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};
    125
/**
 * struct pcpu_rx_sc_stats - per-CPU wrapper for receive SC counters
 * @stats: the 64-bit counters
 * @syncp: u64_stats_sync sequence used to read the 64-bit counters
 *	consistently on hosts where a u64 update is not atomic
 */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};
    130
/**
 * struct pcpu_tx_sc_stats - per-CPU wrapper for transmit SC counters
 * @stats: the 64-bit counters
 * @syncp: u64_stats_sync sequence used to read the 64-bit counters
 *	consistently on hosts where a u64 update is not atomic
 */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};
    135
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next receive SC in the SecY's RCU-protected list
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 *	(MACSEC_NUM_AN entries, RCU-protected)
 * @stats: per-SC stats (per-CPU)
 * @refcnt: reference count on this SC
 * @rcu_head: RCU head for deferred teardown
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};
    152
/**
 * struct macsec_tx_sa - transmit secure association
 * @active: SA is active (presumably: may be selected as encoding SA;
 *	confirm against the MACsec core)
 * @next_pn: packet number to use for the next packet
 * @next_pn_halves: @next_pn viewed as two 32-bit halves (same storage,
 *	see pn_t)
 * @lock: protects next_pn manipulations
 * @key: key structure
 * @ssci: short secure channel identifier
 * @refcnt: reference count on this SA
 * @stats: per-SA stats (per-CPU)
 * @rcu: RCU head; the SA is published through __rcu pointers in
 *	struct macsec_tx_sc
 *
 * @next_pn must never be reused under the same key; see
 * macsec_pn_wrapped() for the wrap handling hook declared in this header.
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};
    175
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use
 *	(index into @sa, so must stay below MACSEC_NUM_AN)
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end-station flag carried in the SecTAG (ES bit)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 *	(MACSEC_NUM_AN entries, RCU-protected)
 * @stats: stats for this TXSC
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
};
    197
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode
 * @xpn: enable XPN for this SecY (64-bit packet numbers, salted IVs)
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window
 * @tx_sc: transmit secure channel (embedded, exactly one per SecY)
 * @rx_sc: linked list of receive secure channels (RCU-protected)
 *
 * @replay_window only has an effect when @replay_protect is set; with
 * @replay_protect clear, received packet numbers are not checked.
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};
    229
/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: offloading netdevice (MAC offload)
 * @phydev: offloading PHY (PHY offload); shares storage with @netdev
 * @offload: which of the two union members above is valid
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC the operation applies to, if any
 * @sa: SA being operated on: @sa.assoc_num is the association number,
 *	@sa.key the key bytes (up to MACSEC_MAX_KEY_LEN) and @sa.rx_sa /
 *	@sa.tx_sa the software SA object
 * @stats: output slot for the mdo_get_*_stats callbacks; which member is
 *	valid depends on the callback being invoked
 * @prepare: single-bit flag; presumably marks a preparation-phase call
 *	before the real operation -- confirm against the MACsec core
 *
 * NOTE(review): @sa.key carries key material in plain memory while the
 * context is alive; confirm the core clears it once the offload call
 * returns.
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats  *dev_stats;
	} stats;

	u8 prepare:1;
};
    260
/**
 * struct macsec_ops - MACsec offloading operations
 *
 * Every callback receives a &struct macsec_context describing the object
 * being added/updated/deleted or the statistics slot to fill, and returns
 * an int.  The core's convention for that return value is not visible in
 * this header (0 on success / negative errno is the usual kernel pattern;
 * confirm against the callers).  The mdo_get_*_stats callbacks write into
 * the matching ctx->stats member.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};
    290
/*
 * macsec_pn_wrapped() - hook for a transmit SA whose packet number wrapped
 * @secy: the SecY owning @tx_sa
 * @tx_sa: the transmit SA whose next_pn wrapped
 *
 * Defined in the MACsec core, not in this header; presumably called by
 * offloading drivers so the core can stop using @tx_sa (a wrapped PN
 * would reuse nonces under the same key).  Confirm the exact contract
 * against the definition.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
    292
    293#endif /* _NET_MACSEC_H_ */