2 * drivers/net/macsec.c - MACsec device
4 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
12 #include <linux/types.h>
13 #include <linux/skbuff.h>
14 #include <linux/socket.h>
15 #include <linux/module.h>
16 #include <crypto/aead.h>
17 #include <linux/etherdevice.h>
18 #include <linux/rtnetlink.h>
19 #include <linux/refcount.h>
20 #include <net/genetlink.h>
22 #include <net/gro_cells.h>
23 #include <linux/if_arp.h>
25 #include <uapi/linux/if_macsec.h>
27 typedef u64 __bitwise sci_t;
29 #define MACSEC_SCI_LEN 8
31 /* SecTAG length = macsec_eth_header without the optional SCI */
32 #define MACSEC_TAG_LEN 6
34 struct macsec_eth_header {
38 #if defined(__LITTLE_ENDIAN_BITFIELD)
41 #elif defined(__BIG_ENDIAN_BITFIELD)
45 #error "Please fix <asm/byteorder.h>"
48 u8 secure_channel_id[8]; /* optional */
51 #define MACSEC_TCI_VERSION 0x80
52 #define MACSEC_TCI_ES 0x40 /* end station */
53 #define MACSEC_TCI_SC 0x20 /* SCI present */
54 #define MACSEC_TCI_SCB 0x10 /* epon */
55 #define MACSEC_TCI_E 0x08 /* encryption */
56 #define MACSEC_TCI_C 0x04 /* changed text */
57 #define MACSEC_AN_MASK 0x03 /* association number */
58 #define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
60 /* minimum secure data length deemed "not short", see IEEE 802.1AE-2006 9.7 */
61 #define MIN_NON_SHORT_LEN 48
63 #define GCM_AES_IV_LEN 12
64 #define DEFAULT_ICV_LEN 16
66 #define MACSEC_NUM_AN 4 /* 2 bits for the association number */
68 #define for_each_rxsc(secy, sc) \
69 for (sc = rcu_dereference_bh(secy->rx_sc); \
71 sc = rcu_dereference_bh(sc->next))
72 #define for_each_rxsc_rtnl(secy, sc) \
73 for (sc = rtnl_dereference(secy->rx_sc); \
75 sc = rtnl_dereference(sc->next))
79 u8 secure_channel_id[8];
86 * struct macsec_key - SA key
87 * @id: user-provided key identifier
88 * @tfm: crypto struct, key storage
91 u8 id[MACSEC_KEYID_LEN];
92 struct crypto_aead *tfm;
95 struct macsec_rx_sc_stats {
96 __u64 InOctetsValidated;
97 __u64 InOctetsDecrypted;
98 __u64 InPktsUnchecked;
103 __u64 InPktsNotValid;
104 __u64 InPktsNotUsingSA;
105 __u64 InPktsUnusedSA;
108 struct macsec_rx_sa_stats {
111 __u32 InPktsNotValid;
112 __u32 InPktsNotUsingSA;
113 __u32 InPktsUnusedSA;
116 struct macsec_tx_sa_stats {
117 __u32 OutPktsProtected;
118 __u32 OutPktsEncrypted;
121 struct macsec_tx_sc_stats {
122 __u64 OutPktsProtected;
123 __u64 OutPktsEncrypted;
124 __u64 OutOctetsProtected;
125 __u64 OutOctetsEncrypted;
128 struct macsec_dev_stats {
129 __u64 OutPktsUntagged;
130 __u64 InPktsUntagged;
131 __u64 OutPktsTooLong;
134 __u64 InPktsUnknownSCI;
140 * struct macsec_rx_sa - receive secure association
142 * @next_pn: packet number expected for the next packet
143 * @lock: protects next_pn manipulations
144 * @key: key structure
145 * @stats: per-SA stats
147 struct macsec_rx_sa {
148 struct macsec_key key;
153 struct macsec_rx_sa_stats __percpu *stats;
154 struct macsec_rx_sc *sc;
158 struct pcpu_rx_sc_stats {
159 struct macsec_rx_sc_stats stats;
160 struct u64_stats_sync syncp;
164 * struct macsec_rx_sc - receive secure channel
165 * @sci: secure channel identifier for this SC
166 * @active: channel is active
167 * @sa: array of secure associations
168 * @stats: per-SC stats
170 struct macsec_rx_sc {
171 struct macsec_rx_sc __rcu *next;
174 struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
175 struct pcpu_rx_sc_stats __percpu *stats;
177 struct rcu_head rcu_head;
181 * struct macsec_tx_sa - transmit secure association
183 * @next_pn: packet number to use for the next packet
184 * @lock: protects next_pn manipulations
185 * @key: key structure
186 * @stats: per-SA stats
188 struct macsec_tx_sa {
189 struct macsec_key key;
194 struct macsec_tx_sa_stats __percpu *stats;
198 struct pcpu_tx_sc_stats {
199 struct macsec_tx_sc_stats stats;
200 struct u64_stats_sync syncp;
204 * struct macsec_tx_sc - transmit secure channel
206 * @encoding_sa: association number of the SA currently in use
207 * @encrypt: encrypt packets on transmit, or authenticate only
208 * @send_sci: always include the SCI in the SecTAG
210 * @scb: single copy broadcast flag
211 * @sa: array of secure associations
212 * @stats: stats for this TXSC
214 struct macsec_tx_sc {
221 struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
222 struct pcpu_tx_sc_stats __percpu *stats;
225 #define MACSEC_VALIDATE_DEFAULT MACSEC_VALIDATE_STRICT
228 * struct macsec_secy - MACsec Security Entity
229 * @netdev: netdevice for this SecY
230 * @n_rx_sc: number of receive secure channels configured on this SecY
231 * @sci: secure channel identifier used for tx
232 * @key_len: length of keys used by the cipher suite
233 * @icv_len: length of ICV used by the cipher suite
234 * @validate_frames: validation mode
235 * @operational: MAC_Operational flag
236 * @protect_frames: enable protection for this SecY
237 * @replay_protect: enable packet number checks on receive
238 * @replay_window: size of the replay window
239 * @tx_sc: transmit secure channel
240 * @rx_sc: linked list of receive secure channels
243 struct net_device *netdev;
244 unsigned int n_rx_sc;
248 enum macsec_validation_type validate_frames;
253 struct macsec_tx_sc tx_sc;
254 struct macsec_rx_sc __rcu *rx_sc;
257 struct pcpu_secy_stats {
258 struct macsec_dev_stats stats;
259 struct u64_stats_sync syncp;
263 * struct macsec_dev - private data
265 * @real_dev: pointer to underlying netdevice
266 * @stats: MACsec device stats
267 * @secys: linked list of SecY's on the underlying device
270 struct macsec_secy secy;
271 struct net_device *real_dev;
272 struct pcpu_secy_stats __percpu *stats;
273 struct list_head secys;
274 struct gro_cells gro_cells;
275 unsigned int nest_level;
279 * struct macsec_rxh_data - rx_handler private argument
280 * @secys: linked list of SecY's on this underlying device
282 struct macsec_rxh_data {
283 struct list_head secys;
286 static struct macsec_dev *macsec_priv(const struct net_device *dev)
288 return (struct macsec_dev *)netdev_priv(dev);
291 static struct macsec_rxh_data *macsec_data_rcu(const struct net_device *dev)
293 return rcu_dereference_bh(dev->rx_handler_data);
296 static struct macsec_rxh_data *macsec_data_rtnl(const struct net_device *dev)
298 return rtnl_dereference(dev->rx_handler_data);
302 struct aead_request *req;
304 struct macsec_tx_sa *tx_sa;
305 struct macsec_rx_sa *rx_sa;
312 static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
314 struct macsec_rx_sa *sa = rcu_dereference_bh(ptr);
316 if (!sa || !sa->active)
319 if (!refcount_inc_not_zero(&sa->refcnt))
325 static void free_rx_sc_rcu(struct rcu_head *head)
327 struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
329 free_percpu(rx_sc->stats);
333 static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc)
335 return refcount_inc_not_zero(&sc->refcnt) ? sc : NULL;
338 static void macsec_rxsc_put(struct macsec_rx_sc *sc)
340 if (refcount_dec_and_test(&sc->refcnt))
341 call_rcu(&sc->rcu_head, free_rx_sc_rcu);
344 static void free_rxsa(struct rcu_head *head)
346 struct macsec_rx_sa *sa = container_of(head, struct macsec_rx_sa, rcu);
348 crypto_free_aead(sa->key.tfm);
349 free_percpu(sa->stats);
353 static void macsec_rxsa_put(struct macsec_rx_sa *sa)
355 if (refcount_dec_and_test(&sa->refcnt))
356 call_rcu(&sa->rcu, free_rxsa);
359 static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr)
361 struct macsec_tx_sa *sa = rcu_dereference_bh(ptr);
363 if (!sa || !sa->active)
366 if (!refcount_inc_not_zero(&sa->refcnt))
372 static void free_txsa(struct rcu_head *head)
374 struct macsec_tx_sa *sa = container_of(head, struct macsec_tx_sa, rcu);
376 crypto_free_aead(sa->key.tfm);
377 free_percpu(sa->stats);
381 static void macsec_txsa_put(struct macsec_tx_sa *sa)
383 if (refcount_dec_and_test(&sa->refcnt))
384 call_rcu(&sa->rcu, free_txsa);
387 static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
389 BUILD_BUG_ON(sizeof(struct macsec_cb) > sizeof(skb->cb));
390 return (struct macsec_cb *)skb->cb;
393 #define MACSEC_PORT_ES (htons(0x0001))
394 #define MACSEC_PORT_SCB (0x0000)
395 #define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL)
397 #define MACSEC_GCM_AES_128_SAK_LEN 16
398 #define MACSEC_GCM_AES_256_SAK_LEN 32
400 #define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN
401 #define DEFAULT_SEND_SCI true
402 #define DEFAULT_ENCRYPT false
403 #define DEFAULT_ENCODING_SA 0
405 static bool send_sci(const struct macsec_secy *secy)
407 const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
409 return tx_sc->send_sci ||
410 (secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb);
413 static sci_t make_sci(u8 *addr, __be16 port)
417 memcpy(&sci, addr, ETH_ALEN);
418 memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
423 static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
428 memcpy(&sci, hdr->secure_channel_id,
429 sizeof(hdr->secure_channel_id));
431 sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
436 static unsigned int macsec_sectag_len(bool sci_present)
438 return MACSEC_TAG_LEN + (sci_present ? MACSEC_SCI_LEN : 0);
441 static unsigned int macsec_hdr_len(bool sci_present)
443 return macsec_sectag_len(sci_present) + ETH_HLEN;
446 static unsigned int macsec_extra_len(bool sci_present)
448 return macsec_sectag_len(sci_present) + sizeof(__be16);
451 /* Fill SecTAG according to IEEE 802.1AE-2006 10.5.3 */
452 static void macsec_fill_sectag(struct macsec_eth_header *h,
453 const struct macsec_secy *secy, u32 pn,
456 const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
458 memset(&h->tci_an, 0, macsec_sectag_len(sci_present));
459 h->eth.h_proto = htons(ETH_P_MACSEC);
462 h->tci_an |= MACSEC_TCI_SC;
463 memcpy(&h->secure_channel_id, &secy->sci,
464 sizeof(h->secure_channel_id));
466 if (tx_sc->end_station)
467 h->tci_an |= MACSEC_TCI_ES;
469 h->tci_an |= MACSEC_TCI_SCB;
472 h->packet_number = htonl(pn);
474 /* with GCM, C/E clear for !encrypt, both set for encrypt */
476 h->tci_an |= MACSEC_TCI_CONFID;
477 else if (secy->icv_len != DEFAULT_ICV_LEN)
478 h->tci_an |= MACSEC_TCI_C;
480 h->tci_an |= tx_sc->encoding_sa;
483 static void macsec_set_shortlen(struct macsec_eth_header *h, size_t data_len)
485 if (data_len < MIN_NON_SHORT_LEN)
486 h->short_length = data_len;
489 /* validate MACsec packet according to IEEE 802.1AE-2006 9.12 */
490 static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len)
492 struct macsec_eth_header *h = (struct macsec_eth_header *)skb->data;
493 int len = skb->len - 2 * ETH_ALEN;
494 int extra_len = macsec_extra_len(!!(h->tci_an & MACSEC_TCI_SC)) + icv_len;
496 /* a) It comprises at least 17 octets */
500 /* b) MACsec EtherType: already checked */
502 /* c) V bit is clear */
503 if (h->tci_an & MACSEC_TCI_VERSION)
506 /* d) ES or SCB => !SC */
507 if ((h->tci_an & MACSEC_TCI_ES || h->tci_an & MACSEC_TCI_SCB) &&
508 (h->tci_an & MACSEC_TCI_SC))
511 /* e) Bits 7 and 8 of octet 4 of the SecTAG are clear */
515 /* rx.pn != 0 (figure 10-5) */
516 if (!h->packet_number)
519 /* length check, f) g) h) i) */
521 return len == extra_len + h->short_length;
522 return len >= extra_len + MIN_NON_SHORT_LEN;
525 #define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true))
526 #define MACSEC_NEEDED_TAILROOM MACSEC_STD_ICV_LEN
528 static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn)
530 struct gcm_iv *gcm_iv = (struct gcm_iv *)iv;
533 gcm_iv->pn = htonl(pn);
536 static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb)
538 return (struct macsec_eth_header *)skb_mac_header(skb);
541 static u32 tx_sa_update_pn(struct macsec_tx_sa *tx_sa, struct macsec_secy *secy)
545 spin_lock_bh(&tx_sa->lock);
549 if (tx_sa->next_pn == 0) {
550 pr_debug("PN wrapped, transitioning to !oper\n");
551 tx_sa->active = false;
552 if (secy->protect_frames)
553 secy->operational = false;
555 spin_unlock_bh(&tx_sa->lock);
560 static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev)
562 struct macsec_dev *macsec = netdev_priv(dev);
564 skb->dev = macsec->real_dev;
565 skb_reset_mac_header(skb);
566 skb->protocol = eth_hdr(skb)->h_proto;
569 static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc,
570 struct macsec_tx_sa *tx_sa)
572 struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats);
574 u64_stats_update_begin(&txsc_stats->syncp);
575 if (tx_sc->encrypt) {
576 txsc_stats->stats.OutOctetsEncrypted += skb->len;
577 txsc_stats->stats.OutPktsEncrypted++;
578 this_cpu_inc(tx_sa->stats->OutPktsEncrypted);
580 txsc_stats->stats.OutOctetsProtected += skb->len;
581 txsc_stats->stats.OutPktsProtected++;
582 this_cpu_inc(tx_sa->stats->OutPktsProtected);
584 u64_stats_update_end(&txsc_stats->syncp);
587 static void count_tx(struct net_device *dev, int ret, int len)
589 if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
590 struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
592 u64_stats_update_begin(&stats->syncp);
594 stats->tx_bytes += len;
595 u64_stats_update_end(&stats->syncp);
599 static void macsec_encrypt_done(struct crypto_async_request *base, int err)
601 struct sk_buff *skb = base->data;
602 struct net_device *dev = skb->dev;
603 struct macsec_dev *macsec = macsec_priv(dev);
604 struct macsec_tx_sa *sa = macsec_skb_cb(skb)->tx_sa;
607 aead_request_free(macsec_skb_cb(skb)->req);
610 macsec_encrypt_finish(skb, dev);
611 macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
613 ret = dev_queue_xmit(skb);
614 count_tx(dev, ret, len);
615 rcu_read_unlock_bh();
621 static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm,
623 struct scatterlist **sg,
626 size_t size, iv_offset, sg_offset;
627 struct aead_request *req;
630 size = sizeof(struct aead_request) + crypto_aead_reqsize(tfm);
632 size += GCM_AES_IV_LEN;
634 size = ALIGN(size, __alignof__(struct scatterlist));
636 size += sizeof(struct scatterlist) * num_frags;
638 tmp = kmalloc(size, GFP_ATOMIC);
642 *iv = (unsigned char *)(tmp + iv_offset);
643 *sg = (struct scatterlist *)(tmp + sg_offset);
646 aead_request_set_tfm(req, tfm);
651 static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
652 struct net_device *dev)
655 struct scatterlist *sg;
656 struct sk_buff *trailer;
659 struct macsec_eth_header *hh;
660 size_t unprotected_len;
661 struct aead_request *req;
662 struct macsec_secy *secy;
663 struct macsec_tx_sc *tx_sc;
664 struct macsec_tx_sa *tx_sa;
665 struct macsec_dev *macsec = macsec_priv(dev);
669 secy = &macsec->secy;
670 tx_sc = &secy->tx_sc;
672 /* 10.5.1 TX SA assignment */
673 tx_sa = macsec_txsa_get(tx_sc->sa[tx_sc->encoding_sa]);
675 secy->operational = false;
677 return ERR_PTR(-EINVAL);
680 if (unlikely(skb_headroom(skb) < MACSEC_NEEDED_HEADROOM ||
681 skb_tailroom(skb) < MACSEC_NEEDED_TAILROOM)) {
682 struct sk_buff *nskb = skb_copy_expand(skb,
683 MACSEC_NEEDED_HEADROOM,
684 MACSEC_NEEDED_TAILROOM,
690 macsec_txsa_put(tx_sa);
692 return ERR_PTR(-ENOMEM);
695 skb = skb_unshare(skb, GFP_ATOMIC);
697 macsec_txsa_put(tx_sa);
698 return ERR_PTR(-ENOMEM);
702 unprotected_len = skb->len;
704 sci_present = send_sci(secy);
705 hh = skb_push(skb, macsec_extra_len(sci_present));
706 memmove(hh, eth, 2 * ETH_ALEN);
708 pn = tx_sa_update_pn(tx_sa, secy);
710 macsec_txsa_put(tx_sa);
712 return ERR_PTR(-ENOLINK);
714 macsec_fill_sectag(hh, secy, pn, sci_present);
715 macsec_set_shortlen(hh, unprotected_len - 2 * ETH_ALEN);
717 skb_put(skb, secy->icv_len);
719 if (skb->len - ETH_HLEN > macsec_priv(dev)->real_dev->mtu) {
720 struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
722 u64_stats_update_begin(&secy_stats->syncp);
723 secy_stats->stats.OutPktsTooLong++;
724 u64_stats_update_end(&secy_stats->syncp);
726 macsec_txsa_put(tx_sa);
728 return ERR_PTR(-EINVAL);
731 ret = skb_cow_data(skb, 0, &trailer);
732 if (unlikely(ret < 0)) {
733 macsec_txsa_put(tx_sa);
738 req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret);
740 macsec_txsa_put(tx_sa);
742 return ERR_PTR(-ENOMEM);
745 macsec_fill_iv(iv, secy->sci, pn);
747 sg_init_table(sg, ret);
748 ret = skb_to_sgvec(skb, sg, 0, skb->len);
749 if (unlikely(ret < 0)) {
750 aead_request_free(req);
751 macsec_txsa_put(tx_sa);
756 if (tx_sc->encrypt) {
757 int len = skb->len - macsec_hdr_len(sci_present) -
759 aead_request_set_crypt(req, sg, sg, len, iv);
760 aead_request_set_ad(req, macsec_hdr_len(sci_present));
762 aead_request_set_crypt(req, sg, sg, 0, iv);
763 aead_request_set_ad(req, skb->len - secy->icv_len);
766 macsec_skb_cb(skb)->req = req;
767 macsec_skb_cb(skb)->tx_sa = tx_sa;
768 aead_request_set_callback(req, 0, macsec_encrypt_done, skb);
771 ret = crypto_aead_encrypt(req);
772 if (ret == -EINPROGRESS) {
774 } else if (ret != 0) {
777 aead_request_free(req);
778 macsec_txsa_put(tx_sa);
779 return ERR_PTR(-EINVAL);
783 aead_request_free(req);
784 macsec_txsa_put(tx_sa);
789 static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u32 pn)
791 struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
792 struct pcpu_rx_sc_stats *rxsc_stats = this_cpu_ptr(rx_sa->sc->stats);
793 struct macsec_eth_header *hdr = macsec_ethhdr(skb);
796 spin_lock(&rx_sa->lock);
797 if (rx_sa->next_pn >= secy->replay_window)
798 lowest_pn = rx_sa->next_pn - secy->replay_window;
800 /* Now perform replay protection check again
801 * (see IEEE 802.1AE-2006 figure 10-5)
803 if (secy->replay_protect && pn < lowest_pn) {
804 spin_unlock(&rx_sa->lock);
805 u64_stats_update_begin(&rxsc_stats->syncp);
806 rxsc_stats->stats.InPktsLate++;
807 u64_stats_update_end(&rxsc_stats->syncp);
811 if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) {
812 u64_stats_update_begin(&rxsc_stats->syncp);
813 if (hdr->tci_an & MACSEC_TCI_E)
814 rxsc_stats->stats.InOctetsDecrypted += skb->len;
816 rxsc_stats->stats.InOctetsValidated += skb->len;
817 u64_stats_update_end(&rxsc_stats->syncp);
820 if (!macsec_skb_cb(skb)->valid) {
821 spin_unlock(&rx_sa->lock);
824 if (hdr->tci_an & MACSEC_TCI_C ||
825 secy->validate_frames == MACSEC_VALIDATE_STRICT) {
826 u64_stats_update_begin(&rxsc_stats->syncp);
827 rxsc_stats->stats.InPktsNotValid++;
828 u64_stats_update_end(&rxsc_stats->syncp);
832 u64_stats_update_begin(&rxsc_stats->syncp);
833 if (secy->validate_frames == MACSEC_VALIDATE_CHECK) {
834 rxsc_stats->stats.InPktsInvalid++;
835 this_cpu_inc(rx_sa->stats->InPktsInvalid);
836 } else if (pn < lowest_pn) {
837 rxsc_stats->stats.InPktsDelayed++;
839 rxsc_stats->stats.InPktsUnchecked++;
841 u64_stats_update_end(&rxsc_stats->syncp);
843 u64_stats_update_begin(&rxsc_stats->syncp);
844 if (pn < lowest_pn) {
845 rxsc_stats->stats.InPktsDelayed++;
847 rxsc_stats->stats.InPktsOK++;
848 this_cpu_inc(rx_sa->stats->InPktsOK);
850 u64_stats_update_end(&rxsc_stats->syncp);
852 if (pn >= rx_sa->next_pn)
853 rx_sa->next_pn = pn + 1;
854 spin_unlock(&rx_sa->lock);
860 static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev)
862 skb->pkt_type = PACKET_HOST;
863 skb->protocol = eth_type_trans(skb, dev);
865 skb_reset_network_header(skb);
866 if (!skb_transport_header_was_set(skb))
867 skb_reset_transport_header(skb);
868 skb_reset_mac_len(skb);
871 static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
873 skb->ip_summed = CHECKSUM_NONE;
874 memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
875 skb_pull(skb, hdr_len);
876 pskb_trim_unique(skb, skb->len - icv_len);
879 static void count_rx(struct net_device *dev, int len)
881 struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
883 u64_stats_update_begin(&stats->syncp);
885 stats->rx_bytes += len;
886 u64_stats_update_end(&stats->syncp);
889 static void macsec_decrypt_done(struct crypto_async_request *base, int err)
891 struct sk_buff *skb = base->data;
892 struct net_device *dev = skb->dev;
893 struct macsec_dev *macsec = macsec_priv(dev);
894 struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
895 struct macsec_rx_sc *rx_sc = rx_sa->sc;
899 aead_request_free(macsec_skb_cb(skb)->req);
902 macsec_skb_cb(skb)->valid = true;
905 pn = ntohl(macsec_ethhdr(skb)->packet_number);
906 if (!macsec_post_decrypt(skb, &macsec->secy, pn)) {
907 rcu_read_unlock_bh();
912 macsec_finalize_skb(skb, macsec->secy.icv_len,
913 macsec_extra_len(macsec_skb_cb(skb)->has_sci));
914 macsec_reset_skb(skb, macsec->secy.netdev);
917 if (gro_cells_receive(&macsec->gro_cells, skb) == NET_RX_SUCCESS)
920 rcu_read_unlock_bh();
923 macsec_rxsa_put(rx_sa);
924 macsec_rxsc_put(rx_sc);
928 static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
929 struct net_device *dev,
930 struct macsec_rx_sa *rx_sa,
932 struct macsec_secy *secy)
935 struct scatterlist *sg;
936 struct sk_buff *trailer;
938 struct aead_request *req;
939 struct macsec_eth_header *hdr;
940 u16 icv_len = secy->icv_len;
942 macsec_skb_cb(skb)->valid = false;
943 skb = skb_share_check(skb, GFP_ATOMIC);
945 return ERR_PTR(-ENOMEM);
947 ret = skb_cow_data(skb, 0, &trailer);
948 if (unlikely(ret < 0)) {
952 req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret);
955 return ERR_PTR(-ENOMEM);
958 hdr = (struct macsec_eth_header *)skb->data;
959 macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
961 sg_init_table(sg, ret);
962 ret = skb_to_sgvec(skb, sg, 0, skb->len);
963 if (unlikely(ret < 0)) {
964 aead_request_free(req);
969 if (hdr->tci_an & MACSEC_TCI_E) {
970 /* confidentiality: ethernet + macsec header
971 * authenticated, encrypted payload
973 int len = skb->len - macsec_hdr_len(macsec_skb_cb(skb)->has_sci);
975 aead_request_set_crypt(req, sg, sg, len, iv);
976 aead_request_set_ad(req, macsec_hdr_len(macsec_skb_cb(skb)->has_sci));
977 skb = skb_unshare(skb, GFP_ATOMIC);
979 aead_request_free(req);
980 return ERR_PTR(-ENOMEM);
983 /* integrity only: all headers + data authenticated */
984 aead_request_set_crypt(req, sg, sg, icv_len, iv);
985 aead_request_set_ad(req, skb->len - icv_len);
988 macsec_skb_cb(skb)->req = req;
990 aead_request_set_callback(req, 0, macsec_decrypt_done, skb);
993 ret = crypto_aead_decrypt(req);
994 if (ret == -EINPROGRESS) {
996 } else if (ret != 0) {
997 /* decryption/authentication failed
998 * 10.6 if validateFrames is disabled, deliver anyway
1000 if (ret != -EBADMSG) {
1005 macsec_skb_cb(skb)->valid = true;
1009 aead_request_free(req);
1014 static struct macsec_rx_sc *find_rx_sc(struct macsec_secy *secy, sci_t sci)
1016 struct macsec_rx_sc *rx_sc;
1018 for_each_rxsc(secy, rx_sc) {
1019 if (rx_sc->sci == sci)
1026 static struct macsec_rx_sc *find_rx_sc_rtnl(struct macsec_secy *secy, sci_t sci)
1028 struct macsec_rx_sc *rx_sc;
1030 for_each_rxsc_rtnl(secy, rx_sc) {
1031 if (rx_sc->sci == sci)
1038 static void handle_not_macsec(struct sk_buff *skb)
1040 struct macsec_rxh_data *rxd;
1041 struct macsec_dev *macsec;
1044 rxd = macsec_data_rcu(skb->dev);
1046 /* 10.6 If the management control validateFrames is not
1047 * Strict, frames without a SecTAG are received, counted, and
1048 * delivered to the Controlled Port
1050 list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
1051 struct sk_buff *nskb;
1052 struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
1054 if (macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
1055 u64_stats_update_begin(&secy_stats->syncp);
1056 secy_stats->stats.InPktsNoTag++;
1057 u64_stats_update_end(&secy_stats->syncp);
1061 /* deliver on this port */
1062 nskb = skb_clone(skb, GFP_ATOMIC);
1066 nskb->dev = macsec->secy.netdev;
1068 if (netif_rx(nskb) == NET_RX_SUCCESS) {
1069 u64_stats_update_begin(&secy_stats->syncp);
1070 secy_stats->stats.InPktsUntagged++;
1071 u64_stats_update_end(&secy_stats->syncp);
1078 static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
1080 struct sk_buff *skb = *pskb;
1081 struct net_device *dev = skb->dev;
1082 struct macsec_eth_header *hdr;
1083 struct macsec_secy *secy = NULL;
1084 struct macsec_rx_sc *rx_sc;
1085 struct macsec_rx_sa *rx_sa;
1086 struct macsec_rxh_data *rxd;
1087 struct macsec_dev *macsec;
1092 struct pcpu_rx_sc_stats *rxsc_stats;
1093 struct pcpu_secy_stats *secy_stats;
1097 if (skb_headroom(skb) < ETH_HLEN)
1100 hdr = macsec_ethhdr(skb);
1101 if (hdr->eth.h_proto != htons(ETH_P_MACSEC)) {
1102 handle_not_macsec(skb);
1104 /* and deliver to the uncontrolled port */
1105 return RX_HANDLER_PASS;
1108 skb = skb_unshare(skb, GFP_ATOMIC);
1111 return RX_HANDLER_CONSUMED;
1113 pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
1115 if (!pskb_may_pull(skb, macsec_extra_len(false)))
1119 hdr = macsec_ethhdr(skb);
1121 /* Frames with a SecTAG that has the TCI E bit set but the C
1122 * bit clear are discarded, as this reserved encoding is used
1123 * to identify frames with a SecTAG that are not to be
1124 * delivered to the Controlled Port.
1126 if ((hdr->tci_an & (MACSEC_TCI_C | MACSEC_TCI_E)) == MACSEC_TCI_E)
1127 return RX_HANDLER_PASS;
1129 /* now, pull the extra length */
1130 if (hdr->tci_an & MACSEC_TCI_SC) {
1135 /* ethernet header is part of crypto processing */
1136 skb_push(skb, ETH_HLEN);
1138 macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC);
1139 macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK;
1140 sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci);
1143 rxd = macsec_data_rcu(skb->dev);
1145 list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
1146 struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
1147 sc = sc ? macsec_rxsc_get(sc) : NULL;
1150 secy = &macsec->secy;
1160 macsec = macsec_priv(dev);
1161 secy_stats = this_cpu_ptr(macsec->stats);
1162 rxsc_stats = this_cpu_ptr(rx_sc->stats);
1164 if (!macsec_validate_skb(skb, secy->icv_len)) {
1165 u64_stats_update_begin(&secy_stats->syncp);
1166 secy_stats->stats.InPktsBadTag++;
1167 u64_stats_update_end(&secy_stats->syncp);
1171 rx_sa = macsec_rxsa_get(rx_sc->sa[macsec_skb_cb(skb)->assoc_num]);
1173 /* 10.6.1 if the SA is not in use */
1175 /* If validateFrames is Strict or the C bit in the
1176 * SecTAG is set, discard
1178 if (hdr->tci_an & MACSEC_TCI_C ||
1179 secy->validate_frames == MACSEC_VALIDATE_STRICT) {
1180 u64_stats_update_begin(&rxsc_stats->syncp);
1181 rxsc_stats->stats.InPktsNotUsingSA++;
1182 u64_stats_update_end(&rxsc_stats->syncp);
1186 /* not Strict, the frame (with the SecTAG and ICV
1187 * removed) is delivered to the Controlled Port.
1189 u64_stats_update_begin(&rxsc_stats->syncp);
1190 rxsc_stats->stats.InPktsUnusedSA++;
1191 u64_stats_update_end(&rxsc_stats->syncp);
1195 /* First, PN check to avoid decrypting obviously wrong packets */
1196 pn = ntohl(hdr->packet_number);
1197 if (secy->replay_protect) {
1200 spin_lock(&rx_sa->lock);
1201 late = rx_sa->next_pn >= secy->replay_window &&
1202 pn < (rx_sa->next_pn - secy->replay_window);
1203 spin_unlock(&rx_sa->lock);
1206 u64_stats_update_begin(&rxsc_stats->syncp);
1207 rxsc_stats->stats.InPktsLate++;
1208 u64_stats_update_end(&rxsc_stats->syncp);
1213 macsec_skb_cb(skb)->rx_sa = rx_sa;
1215 /* Disabled && !changed text => skip validation */
1216 if (hdr->tci_an & MACSEC_TCI_C ||
1217 secy->validate_frames != MACSEC_VALIDATE_DISABLED)
1218 skb = macsec_decrypt(skb, dev, rx_sa, sci, secy);
1221 /* the decrypt callback needs the reference */
1222 if (PTR_ERR(skb) != -EINPROGRESS) {
1223 macsec_rxsa_put(rx_sa);
1224 macsec_rxsc_put(rx_sc);
1228 return RX_HANDLER_CONSUMED;
1231 if (!macsec_post_decrypt(skb, secy, pn))
1235 macsec_finalize_skb(skb, secy->icv_len,
1236 macsec_extra_len(macsec_skb_cb(skb)->has_sci));
1237 macsec_reset_skb(skb, secy->netdev);
1240 macsec_rxsa_put(rx_sa);
1241 macsec_rxsc_put(rx_sc);
1245 ret = gro_cells_receive(&macsec->gro_cells, skb);
1246 if (ret == NET_RX_SUCCESS)
1249 macsec->secy.netdev->stats.rx_dropped++;
1254 return RX_HANDLER_CONSUMED;
1257 macsec_rxsa_put(rx_sa);
1259 macsec_rxsc_put(rx_sc);
1264 return RX_HANDLER_CONSUMED;
1267 /* 10.6.1 if the SC is not found */
1268 cbit = !!(hdr->tci_an & MACSEC_TCI_C);
1270 macsec_finalize_skb(skb, DEFAULT_ICV_LEN,
1271 macsec_extra_len(macsec_skb_cb(skb)->has_sci));
1273 list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
1274 struct sk_buff *nskb;
1276 secy_stats = this_cpu_ptr(macsec->stats);
1278 /* If validateFrames is Strict or the C bit in the
1279 * SecTAG is set, discard
1282 macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
1283 u64_stats_update_begin(&secy_stats->syncp);
1284 secy_stats->stats.InPktsNoSCI++;
1285 u64_stats_update_end(&secy_stats->syncp);
1289 /* not strict, the frame (with the SecTAG and ICV
1290 * removed) is delivered to the Controlled Port.
1292 nskb = skb_clone(skb, GFP_ATOMIC);
1296 macsec_reset_skb(nskb, macsec->secy.netdev);
1298 ret = netif_rx(nskb);
1299 if (ret == NET_RX_SUCCESS) {
1300 u64_stats_update_begin(&secy_stats->syncp);
1301 secy_stats->stats.InPktsUnknownSCI++;
1302 u64_stats_update_end(&secy_stats->syncp);
1304 macsec->secy.netdev->stats.rx_dropped++;
1310 return RX_HANDLER_PASS;
1313 static struct crypto_aead *macsec_alloc_tfm(char *key, int key_len, int icv_len)
1315 struct crypto_aead *tfm;
1318 /* Pick a sync gcm(aes) cipher to ensure order is preserved. */
1319 tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
1324 ret = crypto_aead_setkey(tfm, key, key_len);
1328 ret = crypto_aead_setauthsize(tfm, icv_len);
1334 crypto_free_aead(tfm);
1335 return ERR_PTR(ret);
1338 static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len,
1341 rx_sa->stats = alloc_percpu(struct macsec_rx_sa_stats);
1345 rx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
1346 if (IS_ERR(rx_sa->key.tfm)) {
1347 free_percpu(rx_sa->stats);
1348 return PTR_ERR(rx_sa->key.tfm);
1351 rx_sa->active = false;
1353 refcount_set(&rx_sa->refcnt, 1);
1354 spin_lock_init(&rx_sa->lock);
1359 static void clear_rx_sa(struct macsec_rx_sa *rx_sa)
1361 rx_sa->active = false;
1363 macsec_rxsa_put(rx_sa);
1366 static void free_rx_sc(struct macsec_rx_sc *rx_sc)
1370 for (i = 0; i < MACSEC_NUM_AN; i++) {
1371 struct macsec_rx_sa *sa = rtnl_dereference(rx_sc->sa[i]);
1373 RCU_INIT_POINTER(rx_sc->sa[i], NULL);
1378 macsec_rxsc_put(rx_sc);
1381 static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci)
1383 struct macsec_rx_sc *rx_sc, __rcu **rx_scp;
1385 for (rx_scp = &secy->rx_sc, rx_sc = rtnl_dereference(*rx_scp);
1387 rx_scp = &rx_sc->next, rx_sc = rtnl_dereference(*rx_scp)) {
1388 if (rx_sc->sci == sci) {
1391 rcu_assign_pointer(*rx_scp, rx_sc->next);
1399 static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
1401 struct macsec_rx_sc *rx_sc;
1402 struct macsec_dev *macsec;
1403 struct net_device *real_dev = macsec_priv(dev)->real_dev;
1404 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
1405 struct macsec_secy *secy;
1407 list_for_each_entry(macsec, &rxd->secys, secys) {
1408 if (find_rx_sc_rtnl(&macsec->secy, sci))
1409 return ERR_PTR(-EEXIST);
1412 rx_sc = kzalloc(sizeof(*rx_sc), GFP_KERNEL);
1414 return ERR_PTR(-ENOMEM);
1416 rx_sc->stats = netdev_alloc_pcpu_stats(struct pcpu_rx_sc_stats);
1417 if (!rx_sc->stats) {
1419 return ERR_PTR(-ENOMEM);
1423 rx_sc->active = true;
1424 refcount_set(&rx_sc->refcnt, 1);
1426 secy = &macsec_priv(dev)->secy;
1427 rcu_assign_pointer(rx_sc->next, secy->rx_sc);
1428 rcu_assign_pointer(secy->rx_sc, rx_sc);
1436 static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len,
1439 tx_sa->stats = alloc_percpu(struct macsec_tx_sa_stats);
1443 tx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
1444 if (IS_ERR(tx_sa->key.tfm)) {
1445 free_percpu(tx_sa->stats);
1446 return PTR_ERR(tx_sa->key.tfm);
1449 tx_sa->active = false;
1450 refcount_set(&tx_sa->refcnt, 1);
1451 spin_lock_init(&tx_sa->lock);
1456 static void clear_tx_sa(struct macsec_tx_sa *tx_sa)
1458 tx_sa->active = false;
1460 macsec_txsa_put(tx_sa);
1463 static struct genl_family macsec_fam;
1465 static struct net_device *get_dev_from_nl(struct net *net,
1466 struct nlattr **attrs)
1468 int ifindex = nla_get_u32(attrs[MACSEC_ATTR_IFINDEX]);
1469 struct net_device *dev;
1471 dev = __dev_get_by_index(net, ifindex);
1473 return ERR_PTR(-ENODEV);
1475 if (!netif_is_macsec(dev))
1476 return ERR_PTR(-ENODEV);
1481 static sci_t nla_get_sci(const struct nlattr *nla)
1483 return (__force sci_t)nla_get_u64(nla);
1486 static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value,
1489 return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr);
1492 static struct macsec_tx_sa *get_txsa_from_nl(struct net *net,
1493 struct nlattr **attrs,
1494 struct nlattr **tb_sa,
1495 struct net_device **devp,
1496 struct macsec_secy **secyp,
1497 struct macsec_tx_sc **scp,
1500 struct net_device *dev;
1501 struct macsec_secy *secy;
1502 struct macsec_tx_sc *tx_sc;
1503 struct macsec_tx_sa *tx_sa;
1505 if (!tb_sa[MACSEC_SA_ATTR_AN])
1506 return ERR_PTR(-EINVAL);
1508 *assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
1510 dev = get_dev_from_nl(net, attrs);
1512 return ERR_CAST(dev);
1514 if (*assoc_num >= MACSEC_NUM_AN)
1515 return ERR_PTR(-EINVAL);
1517 secy = &macsec_priv(dev)->secy;
1518 tx_sc = &secy->tx_sc;
1520 tx_sa = rtnl_dereference(tx_sc->sa[*assoc_num]);
1522 return ERR_PTR(-ENODEV);
1530 static struct macsec_rx_sc *get_rxsc_from_nl(struct net *net,
1531 struct nlattr **attrs,
1532 struct nlattr **tb_rxsc,
1533 struct net_device **devp,
1534 struct macsec_secy **secyp)
1536 struct net_device *dev;
1537 struct macsec_secy *secy;
1538 struct macsec_rx_sc *rx_sc;
1541 dev = get_dev_from_nl(net, attrs);
1543 return ERR_CAST(dev);
1545 secy = &macsec_priv(dev)->secy;
1547 if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI])
1548 return ERR_PTR(-EINVAL);
1550 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
1551 rx_sc = find_rx_sc_rtnl(secy, sci);
1553 return ERR_PTR(-ENODEV);
1561 static struct macsec_rx_sa *get_rxsa_from_nl(struct net *net,
1562 struct nlattr **attrs,
1563 struct nlattr **tb_rxsc,
1564 struct nlattr **tb_sa,
1565 struct net_device **devp,
1566 struct macsec_secy **secyp,
1567 struct macsec_rx_sc **scp,
1570 struct macsec_rx_sc *rx_sc;
1571 struct macsec_rx_sa *rx_sa;
1573 if (!tb_sa[MACSEC_SA_ATTR_AN])
1574 return ERR_PTR(-EINVAL);
1576 *assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
1577 if (*assoc_num >= MACSEC_NUM_AN)
1578 return ERR_PTR(-EINVAL);
1580 rx_sc = get_rxsc_from_nl(net, attrs, tb_rxsc, devp, secyp);
1582 return ERR_CAST(rx_sc);
1584 rx_sa = rtnl_dereference(rx_sc->sa[*assoc_num]);
1586 return ERR_PTR(-ENODEV);
1593 static const struct nla_policy macsec_genl_policy[NUM_MACSEC_ATTR] = {
1594 [MACSEC_ATTR_IFINDEX] = { .type = NLA_U32 },
1595 [MACSEC_ATTR_RXSC_CONFIG] = { .type = NLA_NESTED },
1596 [MACSEC_ATTR_SA_CONFIG] = { .type = NLA_NESTED },
1599 static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_RXSC_ATTR] = {
1600 [MACSEC_RXSC_ATTR_SCI] = { .type = NLA_U64 },
1601 [MACSEC_RXSC_ATTR_ACTIVE] = { .type = NLA_U8 },
1604 static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = {
1605 [MACSEC_SA_ATTR_AN] = { .type = NLA_U8 },
1606 [MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 },
1607 [MACSEC_SA_ATTR_PN] = { .type = NLA_U32 },
1608 [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,
1609 .len = MACSEC_KEYID_LEN, },
1610 [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,
1611 .len = MACSEC_MAX_KEY_LEN, },
1614 static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa)
1616 if (!attrs[MACSEC_ATTR_SA_CONFIG])
1619 if (nla_parse_nested(tb_sa, MACSEC_SA_ATTR_MAX,
1620 attrs[MACSEC_ATTR_SA_CONFIG],
1621 macsec_genl_sa_policy, NULL))
1627 static int parse_rxsc_config(struct nlattr **attrs, struct nlattr **tb_rxsc)
1629 if (!attrs[MACSEC_ATTR_RXSC_CONFIG])
1632 if (nla_parse_nested(tb_rxsc, MACSEC_RXSC_ATTR_MAX,
1633 attrs[MACSEC_ATTR_RXSC_CONFIG],
1634 macsec_genl_rxsc_policy, NULL))
1640 static bool validate_add_rxsa(struct nlattr **attrs)
1642 if (!attrs[MACSEC_SA_ATTR_AN] ||
1643 !attrs[MACSEC_SA_ATTR_KEY] ||
1644 !attrs[MACSEC_SA_ATTR_KEYID])
1647 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
1650 if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
1653 if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
1654 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
1658 if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN)
1664 static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
1666 struct net_device *dev;
1667 struct nlattr **attrs = info->attrs;
1668 struct macsec_secy *secy;
1669 struct macsec_rx_sc *rx_sc;
1670 struct macsec_rx_sa *rx_sa;
1671 unsigned char assoc_num;
1672 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
1673 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
1676 if (!attrs[MACSEC_ATTR_IFINDEX])
1679 if (parse_sa_config(attrs, tb_sa))
1682 if (parse_rxsc_config(attrs, tb_rxsc))
1685 if (!validate_add_rxsa(tb_sa))
1689 rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy);
1690 if (IS_ERR(rx_sc)) {
1692 return PTR_ERR(rx_sc);
1695 assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
1697 if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) {
1698 pr_notice("macsec: nl: add_rxsa: bad key length: %d != %d\n",
1699 nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len);
1704 rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]);
1710 rx_sa = kmalloc(sizeof(*rx_sa), GFP_KERNEL);
1716 err = init_rx_sa(rx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
1717 secy->key_len, secy->icv_len);
1724 if (tb_sa[MACSEC_SA_ATTR_PN]) {
1725 spin_lock_bh(&rx_sa->lock);
1726 rx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
1727 spin_unlock_bh(&rx_sa->lock);
1730 if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
1731 rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
1733 nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
1735 rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
1742 static bool validate_add_rxsc(struct nlattr **attrs)
1744 if (!attrs[MACSEC_RXSC_ATTR_SCI])
1747 if (attrs[MACSEC_RXSC_ATTR_ACTIVE]) {
1748 if (nla_get_u8(attrs[MACSEC_RXSC_ATTR_ACTIVE]) > 1)
1755 static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
1757 struct net_device *dev;
1758 sci_t sci = MACSEC_UNDEF_SCI;
1759 struct nlattr **attrs = info->attrs;
1760 struct macsec_rx_sc *rx_sc;
1761 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
1763 if (!attrs[MACSEC_ATTR_IFINDEX])
1766 if (parse_rxsc_config(attrs, tb_rxsc))
1769 if (!validate_add_rxsc(tb_rxsc))
1773 dev = get_dev_from_nl(genl_info_net(info), attrs);
1776 return PTR_ERR(dev);
1779 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
1781 rx_sc = create_rx_sc(dev, sci);
1782 if (IS_ERR(rx_sc)) {
1784 return PTR_ERR(rx_sc);
1787 if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE])
1788 rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
1795 static bool validate_add_txsa(struct nlattr **attrs)
1797 if (!attrs[MACSEC_SA_ATTR_AN] ||
1798 !attrs[MACSEC_SA_ATTR_PN] ||
1799 !attrs[MACSEC_SA_ATTR_KEY] ||
1800 !attrs[MACSEC_SA_ATTR_KEYID])
1803 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
1806 if (nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
1809 if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
1810 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
1814 if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN)
1820 static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
1822 struct net_device *dev;
1823 struct nlattr **attrs = info->attrs;
1824 struct macsec_secy *secy;
1825 struct macsec_tx_sc *tx_sc;
1826 struct macsec_tx_sa *tx_sa;
1827 unsigned char assoc_num;
1828 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
1831 if (!attrs[MACSEC_ATTR_IFINDEX])
1834 if (parse_sa_config(attrs, tb_sa))
1837 if (!validate_add_txsa(tb_sa))
1841 dev = get_dev_from_nl(genl_info_net(info), attrs);
1844 return PTR_ERR(dev);
1847 secy = &macsec_priv(dev)->secy;
1848 tx_sc = &secy->tx_sc;
1850 assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
1852 if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) {
1853 pr_notice("macsec: nl: add_txsa: bad key length: %d != %d\n",
1854 nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len);
1859 tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]);
1865 tx_sa = kmalloc(sizeof(*tx_sa), GFP_KERNEL);
1871 err = init_tx_sa(tx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
1872 secy->key_len, secy->icv_len);
1879 nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
1881 spin_lock_bh(&tx_sa->lock);
1882 tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
1883 spin_unlock_bh(&tx_sa->lock);
1885 if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
1886 tx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
1888 if (assoc_num == tx_sc->encoding_sa && tx_sa->active)
1889 secy->operational = true;
1891 rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa);
1898 static int macsec_del_rxsa(struct sk_buff *skb, struct genl_info *info)
1900 struct nlattr **attrs = info->attrs;
1901 struct net_device *dev;
1902 struct macsec_secy *secy;
1903 struct macsec_rx_sc *rx_sc;
1904 struct macsec_rx_sa *rx_sa;
1906 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
1907 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
1909 if (!attrs[MACSEC_ATTR_IFINDEX])
1912 if (parse_sa_config(attrs, tb_sa))
1915 if (parse_rxsc_config(attrs, tb_rxsc))
1919 rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa,
1920 &dev, &secy, &rx_sc, &assoc_num);
1921 if (IS_ERR(rx_sa)) {
1923 return PTR_ERR(rx_sa);
1926 if (rx_sa->active) {
1931 RCU_INIT_POINTER(rx_sc->sa[assoc_num], NULL);
1939 static int macsec_del_rxsc(struct sk_buff *skb, struct genl_info *info)
1941 struct nlattr **attrs = info->attrs;
1942 struct net_device *dev;
1943 struct macsec_secy *secy;
1944 struct macsec_rx_sc *rx_sc;
1946 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
1948 if (!attrs[MACSEC_ATTR_IFINDEX])
1951 if (parse_rxsc_config(attrs, tb_rxsc))
1954 if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI])
1958 dev = get_dev_from_nl(genl_info_net(info), info->attrs);
1961 return PTR_ERR(dev);
1964 secy = &macsec_priv(dev)->secy;
1965 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
1967 rx_sc = del_rx_sc(secy, sci);
1979 static int macsec_del_txsa(struct sk_buff *skb, struct genl_info *info)
1981 struct nlattr **attrs = info->attrs;
1982 struct net_device *dev;
1983 struct macsec_secy *secy;
1984 struct macsec_tx_sc *tx_sc;
1985 struct macsec_tx_sa *tx_sa;
1987 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
1989 if (!attrs[MACSEC_ATTR_IFINDEX])
1992 if (parse_sa_config(attrs, tb_sa))
1996 tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa,
1997 &dev, &secy, &tx_sc, &assoc_num);
1998 if (IS_ERR(tx_sa)) {
2000 return PTR_ERR(tx_sa);
2003 if (tx_sa->active) {
2008 RCU_INIT_POINTER(tx_sc->sa[assoc_num], NULL);
2016 static bool validate_upd_sa(struct nlattr **attrs)
2018 if (!attrs[MACSEC_SA_ATTR_AN] ||
2019 attrs[MACSEC_SA_ATTR_KEY] ||
2020 attrs[MACSEC_SA_ATTR_KEYID])
2023 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
2026 if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
2029 if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
2030 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
2037 static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
2039 struct nlattr **attrs = info->attrs;
2040 struct net_device *dev;
2041 struct macsec_secy *secy;
2042 struct macsec_tx_sc *tx_sc;
2043 struct macsec_tx_sa *tx_sa;
2045 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
2047 if (!attrs[MACSEC_ATTR_IFINDEX])
2050 if (parse_sa_config(attrs, tb_sa))
2053 if (!validate_upd_sa(tb_sa))
2057 tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa,
2058 &dev, &secy, &tx_sc, &assoc_num);
2059 if (IS_ERR(tx_sa)) {
2061 return PTR_ERR(tx_sa);
2064 if (tb_sa[MACSEC_SA_ATTR_PN]) {
2065 spin_lock_bh(&tx_sa->lock);
2066 tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
2067 spin_unlock_bh(&tx_sa->lock);
2070 if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
2071 tx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
2073 if (assoc_num == tx_sc->encoding_sa)
2074 secy->operational = tx_sa->active;
2081 static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
2083 struct nlattr **attrs = info->attrs;
2084 struct net_device *dev;
2085 struct macsec_secy *secy;
2086 struct macsec_rx_sc *rx_sc;
2087 struct macsec_rx_sa *rx_sa;
2089 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
2090 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
2092 if (!attrs[MACSEC_ATTR_IFINDEX])
2095 if (parse_rxsc_config(attrs, tb_rxsc))
2098 if (parse_sa_config(attrs, tb_sa))
2101 if (!validate_upd_sa(tb_sa))
2105 rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa,
2106 &dev, &secy, &rx_sc, &assoc_num);
2107 if (IS_ERR(rx_sa)) {
2109 return PTR_ERR(rx_sa);
2112 if (tb_sa[MACSEC_SA_ATTR_PN]) {
2113 spin_lock_bh(&rx_sa->lock);
2114 rx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
2115 spin_unlock_bh(&rx_sa->lock);
2118 if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
2119 rx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
2125 static int macsec_upd_rxsc(struct sk_buff *skb, struct genl_info *info)
2127 struct nlattr **attrs = info->attrs;
2128 struct net_device *dev;
2129 struct macsec_secy *secy;
2130 struct macsec_rx_sc *rx_sc;
2131 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
2133 if (!attrs[MACSEC_ATTR_IFINDEX])
2136 if (parse_rxsc_config(attrs, tb_rxsc))
2139 if (!validate_add_rxsc(tb_rxsc))
2143 rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy);
2144 if (IS_ERR(rx_sc)) {
2146 return PTR_ERR(rx_sc);
2149 if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) {
2150 bool new = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
2152 if (rx_sc->active != new)
2153 secy->n_rx_sc += new ? 1 : -1;
2155 rx_sc->active = new;
2163 static int copy_tx_sa_stats(struct sk_buff *skb,
2164 struct macsec_tx_sa_stats __percpu *pstats)
2166 struct macsec_tx_sa_stats sum = {0, };
2169 for_each_possible_cpu(cpu) {
2170 const struct macsec_tx_sa_stats *stats = per_cpu_ptr(pstats, cpu);
2172 sum.OutPktsProtected += stats->OutPktsProtected;
2173 sum.OutPktsEncrypted += stats->OutPktsEncrypted;
2176 if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_PROTECTED, sum.OutPktsProtected) ||
2177 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_ENCRYPTED, sum.OutPktsEncrypted))
2183 static int copy_rx_sa_stats(struct sk_buff *skb,
2184 struct macsec_rx_sa_stats __percpu *pstats)
2186 struct macsec_rx_sa_stats sum = {0, };
2189 for_each_possible_cpu(cpu) {
2190 const struct macsec_rx_sa_stats *stats = per_cpu_ptr(pstats, cpu);
2192 sum.InPktsOK += stats->InPktsOK;
2193 sum.InPktsInvalid += stats->InPktsInvalid;
2194 sum.InPktsNotValid += stats->InPktsNotValid;
2195 sum.InPktsNotUsingSA += stats->InPktsNotUsingSA;
2196 sum.InPktsUnusedSA += stats->InPktsUnusedSA;
2199 if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_OK, sum.InPktsOK) ||
2200 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_INVALID, sum.InPktsInvalid) ||
2201 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_VALID, sum.InPktsNotValid) ||
2202 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_USING_SA, sum.InPktsNotUsingSA) ||
2203 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_UNUSED_SA, sum.InPktsUnusedSA))
2209 static int copy_rx_sc_stats(struct sk_buff *skb,
2210 struct pcpu_rx_sc_stats __percpu *pstats)
2212 struct macsec_rx_sc_stats sum = {0, };
2215 for_each_possible_cpu(cpu) {
2216 const struct pcpu_rx_sc_stats *stats;
2217 struct macsec_rx_sc_stats tmp;
2220 stats = per_cpu_ptr(pstats, cpu);
2222 start = u64_stats_fetch_begin_irq(&stats->syncp);
2223 memcpy(&tmp, &stats->stats, sizeof(tmp));
2224 } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
2226 sum.InOctetsValidated += tmp.InOctetsValidated;
2227 sum.InOctetsDecrypted += tmp.InOctetsDecrypted;
2228 sum.InPktsUnchecked += tmp.InPktsUnchecked;
2229 sum.InPktsDelayed += tmp.InPktsDelayed;
2230 sum.InPktsOK += tmp.InPktsOK;
2231 sum.InPktsInvalid += tmp.InPktsInvalid;
2232 sum.InPktsLate += tmp.InPktsLate;
2233 sum.InPktsNotValid += tmp.InPktsNotValid;
2234 sum.InPktsNotUsingSA += tmp.InPktsNotUsingSA;
2235 sum.InPktsUnusedSA += tmp.InPktsUnusedSA;
2238 if (nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_VALIDATED,
2239 sum.InOctetsValidated,
2240 MACSEC_RXSC_STATS_ATTR_PAD) ||
2241 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_DECRYPTED,
2242 sum.InOctetsDecrypted,
2243 MACSEC_RXSC_STATS_ATTR_PAD) ||
2244 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNCHECKED,
2245 sum.InPktsUnchecked,
2246 MACSEC_RXSC_STATS_ATTR_PAD) ||
2247 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_DELAYED,
2249 MACSEC_RXSC_STATS_ATTR_PAD) ||
2250 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_OK,
2252 MACSEC_RXSC_STATS_ATTR_PAD) ||
2253 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_INVALID,
2255 MACSEC_RXSC_STATS_ATTR_PAD) ||
2256 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_LATE,
2258 MACSEC_RXSC_STATS_ATTR_PAD) ||
2259 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_VALID,
2261 MACSEC_RXSC_STATS_ATTR_PAD) ||
2262 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_USING_SA,
2263 sum.InPktsNotUsingSA,
2264 MACSEC_RXSC_STATS_ATTR_PAD) ||
2265 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNUSED_SA,
2267 MACSEC_RXSC_STATS_ATTR_PAD))
2273 static int copy_tx_sc_stats(struct sk_buff *skb,
2274 struct pcpu_tx_sc_stats __percpu *pstats)
2276 struct macsec_tx_sc_stats sum = {0, };
2279 for_each_possible_cpu(cpu) {
2280 const struct pcpu_tx_sc_stats *stats;
2281 struct macsec_tx_sc_stats tmp;
2284 stats = per_cpu_ptr(pstats, cpu);
2286 start = u64_stats_fetch_begin_irq(&stats->syncp);
2287 memcpy(&tmp, &stats->stats, sizeof(tmp));
2288 } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
2290 sum.OutPktsProtected += tmp.OutPktsProtected;
2291 sum.OutPktsEncrypted += tmp.OutPktsEncrypted;
2292 sum.OutOctetsProtected += tmp.OutOctetsProtected;
2293 sum.OutOctetsEncrypted += tmp.OutOctetsEncrypted;
2296 if (nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_PROTECTED,
2297 sum.OutPktsProtected,
2298 MACSEC_TXSC_STATS_ATTR_PAD) ||
2299 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_ENCRYPTED,
2300 sum.OutPktsEncrypted,
2301 MACSEC_TXSC_STATS_ATTR_PAD) ||
2302 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_PROTECTED,
2303 sum.OutOctetsProtected,
2304 MACSEC_TXSC_STATS_ATTR_PAD) ||
2305 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_ENCRYPTED,
2306 sum.OutOctetsEncrypted,
2307 MACSEC_TXSC_STATS_ATTR_PAD))
2313 static int copy_secy_stats(struct sk_buff *skb,
2314 struct pcpu_secy_stats __percpu *pstats)
2316 struct macsec_dev_stats sum = {0, };
2319 for_each_possible_cpu(cpu) {
2320 const struct pcpu_secy_stats *stats;
2321 struct macsec_dev_stats tmp;
2324 stats = per_cpu_ptr(pstats, cpu);
2326 start = u64_stats_fetch_begin_irq(&stats->syncp);
2327 memcpy(&tmp, &stats->stats, sizeof(tmp));
2328 } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
2330 sum.OutPktsUntagged += tmp.OutPktsUntagged;
2331 sum.InPktsUntagged += tmp.InPktsUntagged;
2332 sum.OutPktsTooLong += tmp.OutPktsTooLong;
2333 sum.InPktsNoTag += tmp.InPktsNoTag;
2334 sum.InPktsBadTag += tmp.InPktsBadTag;
2335 sum.InPktsUnknownSCI += tmp.InPktsUnknownSCI;
2336 sum.InPktsNoSCI += tmp.InPktsNoSCI;
2337 sum.InPktsOverrun += tmp.InPktsOverrun;
2340 if (nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_UNTAGGED,
2341 sum.OutPktsUntagged,
2342 MACSEC_SECY_STATS_ATTR_PAD) ||
2343 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNTAGGED,
2345 MACSEC_SECY_STATS_ATTR_PAD) ||
2346 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_TOO_LONG,
2348 MACSEC_SECY_STATS_ATTR_PAD) ||
2349 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_TAG,
2351 MACSEC_SECY_STATS_ATTR_PAD) ||
2352 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_BAD_TAG,
2354 MACSEC_SECY_STATS_ATTR_PAD) ||
2355 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNKNOWN_SCI,
2356 sum.InPktsUnknownSCI,
2357 MACSEC_SECY_STATS_ATTR_PAD) ||
2358 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_SCI,
2360 MACSEC_SECY_STATS_ATTR_PAD) ||
2361 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_OVERRUN,
2363 MACSEC_SECY_STATS_ATTR_PAD))
2369 static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb)
2371 struct macsec_tx_sc *tx_sc = &secy->tx_sc;
2372 struct nlattr *secy_nest = nla_nest_start(skb, MACSEC_ATTR_SECY);
2378 switch (secy->key_len) {
2379 case MACSEC_GCM_AES_128_SAK_LEN:
2380 csid = MACSEC_DEFAULT_CIPHER_ID;
2382 case MACSEC_GCM_AES_256_SAK_LEN:
2383 csid = MACSEC_CIPHER_ID_GCM_AES_256;
2389 if (nla_put_sci(skb, MACSEC_SECY_ATTR_SCI, secy->sci,
2390 MACSEC_SECY_ATTR_PAD) ||
2391 nla_put_u64_64bit(skb, MACSEC_SECY_ATTR_CIPHER_SUITE,
2392 csid, MACSEC_SECY_ATTR_PAD) ||
2393 nla_put_u8(skb, MACSEC_SECY_ATTR_ICV_LEN, secy->icv_len) ||
2394 nla_put_u8(skb, MACSEC_SECY_ATTR_OPER, secy->operational) ||
2395 nla_put_u8(skb, MACSEC_SECY_ATTR_PROTECT, secy->protect_frames) ||
2396 nla_put_u8(skb, MACSEC_SECY_ATTR_REPLAY, secy->replay_protect) ||
2397 nla_put_u8(skb, MACSEC_SECY_ATTR_VALIDATE, secy->validate_frames) ||
2398 nla_put_u8(skb, MACSEC_SECY_ATTR_ENCRYPT, tx_sc->encrypt) ||
2399 nla_put_u8(skb, MACSEC_SECY_ATTR_INC_SCI, tx_sc->send_sci) ||
2400 nla_put_u8(skb, MACSEC_SECY_ATTR_ES, tx_sc->end_station) ||
2401 nla_put_u8(skb, MACSEC_SECY_ATTR_SCB, tx_sc->scb) ||
2402 nla_put_u8(skb, MACSEC_SECY_ATTR_ENCODING_SA, tx_sc->encoding_sa))
2405 if (secy->replay_protect) {
2406 if (nla_put_u32(skb, MACSEC_SECY_ATTR_WINDOW, secy->replay_window))
2410 nla_nest_end(skb, secy_nest);
2414 nla_nest_cancel(skb, secy_nest);
2418 static int dump_secy(struct macsec_secy *secy, struct net_device *dev,
2419 struct sk_buff *skb, struct netlink_callback *cb)
2421 struct macsec_rx_sc *rx_sc;
2422 struct macsec_tx_sc *tx_sc = &secy->tx_sc;
2423 struct nlattr *txsa_list, *rxsc_list;
2426 struct nlattr *attr;
2428 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
2429 &macsec_fam, NLM_F_MULTI, MACSEC_CMD_GET_TXSC);
2433 genl_dump_check_consistent(cb, hdr);
2435 if (nla_put_u32(skb, MACSEC_ATTR_IFINDEX, dev->ifindex))
2436 goto nla_put_failure;
2438 if (nla_put_secy(secy, skb))
2439 goto nla_put_failure;
2441 attr = nla_nest_start(skb, MACSEC_ATTR_TXSC_STATS);
2443 goto nla_put_failure;
2444 if (copy_tx_sc_stats(skb, tx_sc->stats)) {
2445 nla_nest_cancel(skb, attr);
2446 goto nla_put_failure;
2448 nla_nest_end(skb, attr);
2450 attr = nla_nest_start(skb, MACSEC_ATTR_SECY_STATS);
2452 goto nla_put_failure;
2453 if (copy_secy_stats(skb, macsec_priv(dev)->stats)) {
2454 nla_nest_cancel(skb, attr);
2455 goto nla_put_failure;
2457 nla_nest_end(skb, attr);
2459 txsa_list = nla_nest_start(skb, MACSEC_ATTR_TXSA_LIST);
2461 goto nla_put_failure;
2462 for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) {
2463 struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]);
2464 struct nlattr *txsa_nest;
2469 txsa_nest = nla_nest_start(skb, j++);
2471 nla_nest_cancel(skb, txsa_list);
2472 goto nla_put_failure;
2475 if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
2476 nla_put_u32(skb, MACSEC_SA_ATTR_PN, tx_sa->next_pn) ||
2477 nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) ||
2478 nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) {
2479 nla_nest_cancel(skb, txsa_nest);
2480 nla_nest_cancel(skb, txsa_list);
2481 goto nla_put_failure;
2484 attr = nla_nest_start(skb, MACSEC_SA_ATTR_STATS);
2486 nla_nest_cancel(skb, txsa_nest);
2487 nla_nest_cancel(skb, txsa_list);
2488 goto nla_put_failure;
2490 if (copy_tx_sa_stats(skb, tx_sa->stats)) {
2491 nla_nest_cancel(skb, attr);
2492 nla_nest_cancel(skb, txsa_nest);
2493 nla_nest_cancel(skb, txsa_list);
2494 goto nla_put_failure;
2496 nla_nest_end(skb, attr);
2498 nla_nest_end(skb, txsa_nest);
2500 nla_nest_end(skb, txsa_list);
2502 rxsc_list = nla_nest_start(skb, MACSEC_ATTR_RXSC_LIST);
2504 goto nla_put_failure;
2507 for_each_rxsc_rtnl(secy, rx_sc) {
2509 struct nlattr *rxsa_list;
2510 struct nlattr *rxsc_nest = nla_nest_start(skb, j++);
2513 nla_nest_cancel(skb, rxsc_list);
2514 goto nla_put_failure;
2517 if (nla_put_u8(skb, MACSEC_RXSC_ATTR_ACTIVE, rx_sc->active) ||
2518 nla_put_sci(skb, MACSEC_RXSC_ATTR_SCI, rx_sc->sci,
2519 MACSEC_RXSC_ATTR_PAD)) {
2520 nla_nest_cancel(skb, rxsc_nest);
2521 nla_nest_cancel(skb, rxsc_list);
2522 goto nla_put_failure;
2525 attr = nla_nest_start(skb, MACSEC_RXSC_ATTR_STATS);
2527 nla_nest_cancel(skb, rxsc_nest);
2528 nla_nest_cancel(skb, rxsc_list);
2529 goto nla_put_failure;
2531 if (copy_rx_sc_stats(skb, rx_sc->stats)) {
2532 nla_nest_cancel(skb, attr);
2533 nla_nest_cancel(skb, rxsc_nest);
2534 nla_nest_cancel(skb, rxsc_list);
2535 goto nla_put_failure;
2537 nla_nest_end(skb, attr);
2539 rxsa_list = nla_nest_start(skb, MACSEC_RXSC_ATTR_SA_LIST);
2541 nla_nest_cancel(skb, rxsc_nest);
2542 nla_nest_cancel(skb, rxsc_list);
2543 goto nla_put_failure;
2546 for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) {
2547 struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]);
2548 struct nlattr *rxsa_nest;
2553 rxsa_nest = nla_nest_start(skb, k++);
2555 nla_nest_cancel(skb, rxsa_list);
2556 nla_nest_cancel(skb, rxsc_nest);
2557 nla_nest_cancel(skb, rxsc_list);
2558 goto nla_put_failure;
2561 attr = nla_nest_start(skb, MACSEC_SA_ATTR_STATS);
2563 nla_nest_cancel(skb, rxsa_list);
2564 nla_nest_cancel(skb, rxsc_nest);
2565 nla_nest_cancel(skb, rxsc_list);
2566 goto nla_put_failure;
2568 if (copy_rx_sa_stats(skb, rx_sa->stats)) {
2569 nla_nest_cancel(skb, attr);
2570 nla_nest_cancel(skb, rxsa_list);
2571 nla_nest_cancel(skb, rxsc_nest);
2572 nla_nest_cancel(skb, rxsc_list);
2573 goto nla_put_failure;
2575 nla_nest_end(skb, attr);
2577 if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
2578 nla_put_u32(skb, MACSEC_SA_ATTR_PN, rx_sa->next_pn) ||
2579 nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) ||
2580 nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) {
2581 nla_nest_cancel(skb, rxsa_nest);
2582 nla_nest_cancel(skb, rxsc_nest);
2583 nla_nest_cancel(skb, rxsc_list);
2584 goto nla_put_failure;
2586 nla_nest_end(skb, rxsa_nest);
2589 nla_nest_end(skb, rxsa_list);
2590 nla_nest_end(skb, rxsc_nest);
2593 nla_nest_end(skb, rxsc_list);
2595 genlmsg_end(skb, hdr);
2600 genlmsg_cancel(skb, hdr);
2604 static int macsec_generation = 1; /* protected by RTNL */
2606 static int macsec_dump_txsc(struct sk_buff *skb, struct netlink_callback *cb)
2608 struct net *net = sock_net(skb->sk);
2609 struct net_device *dev;
2612 dev_idx = cb->args[0];
2617 cb->seq = macsec_generation;
2619 for_each_netdev(net, dev) {
2620 struct macsec_secy *secy;
2625 if (!netif_is_macsec(dev))
2628 secy = &macsec_priv(dev)->secy;
2629 if (dump_secy(secy, dev, skb, cb) < 0)
2641 static const struct genl_ops macsec_genl_ops[] = {
2643 .cmd = MACSEC_CMD_GET_TXSC,
2644 .dumpit = macsec_dump_txsc,
2645 .policy = macsec_genl_policy,
2648 .cmd = MACSEC_CMD_ADD_RXSC,
2649 .doit = macsec_add_rxsc,
2650 .policy = macsec_genl_policy,
2651 .flags = GENL_ADMIN_PERM,
2654 .cmd = MACSEC_CMD_DEL_RXSC,
2655 .doit = macsec_del_rxsc,
2656 .policy = macsec_genl_policy,
2657 .flags = GENL_ADMIN_PERM,
2660 .cmd = MACSEC_CMD_UPD_RXSC,
2661 .doit = macsec_upd_rxsc,
2662 .policy = macsec_genl_policy,
2663 .flags = GENL_ADMIN_PERM,
2666 .cmd = MACSEC_CMD_ADD_TXSA,
2667 .doit = macsec_add_txsa,
2668 .policy = macsec_genl_policy,
2669 .flags = GENL_ADMIN_PERM,
2672 .cmd = MACSEC_CMD_DEL_TXSA,
2673 .doit = macsec_del_txsa,
2674 .policy = macsec_genl_policy,
2675 .flags = GENL_ADMIN_PERM,
2678 .cmd = MACSEC_CMD_UPD_TXSA,
2679 .doit = macsec_upd_txsa,
2680 .policy = macsec_genl_policy,
2681 .flags = GENL_ADMIN_PERM,
2684 .cmd = MACSEC_CMD_ADD_RXSA,
2685 .doit = macsec_add_rxsa,
2686 .policy = macsec_genl_policy,
2687 .flags = GENL_ADMIN_PERM,
2690 .cmd = MACSEC_CMD_DEL_RXSA,
2691 .doit = macsec_del_rxsa,
2692 .policy = macsec_genl_policy,
2693 .flags = GENL_ADMIN_PERM,
2696 .cmd = MACSEC_CMD_UPD_RXSA,
2697 .doit = macsec_upd_rxsa,
2698 .policy = macsec_genl_policy,
2699 .flags = GENL_ADMIN_PERM,
2703 static struct genl_family macsec_fam __ro_after_init = {
2704 .name = MACSEC_GENL_NAME,
2706 .version = MACSEC_GENL_VERSION,
2707 .maxattr = MACSEC_ATTR_MAX,
2709 .module = THIS_MODULE,
2710 .ops = macsec_genl_ops,
2711 .n_ops = ARRAY_SIZE(macsec_genl_ops),
2714 static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
2715 struct net_device *dev)
2717 struct macsec_dev *macsec = netdev_priv(dev);
2718 struct macsec_secy *secy = &macsec->secy;
2719 struct pcpu_secy_stats *secy_stats;
2723 if (!secy->protect_frames) {
2724 secy_stats = this_cpu_ptr(macsec->stats);
2725 u64_stats_update_begin(&secy_stats->syncp);
2726 secy_stats->stats.OutPktsUntagged++;
2727 u64_stats_update_end(&secy_stats->syncp);
2728 skb->dev = macsec->real_dev;
2730 ret = dev_queue_xmit(skb);
2731 count_tx(dev, ret, len);
2735 if (!secy->operational) {
2737 dev->stats.tx_dropped++;
2738 return NETDEV_TX_OK;
2741 skb = macsec_encrypt(skb, dev);
2743 if (PTR_ERR(skb) != -EINPROGRESS)
2744 dev->stats.tx_dropped++;
2745 return NETDEV_TX_OK;
2748 macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
2750 macsec_encrypt_finish(skb, dev);
2752 ret = dev_queue_xmit(skb);
2753 count_tx(dev, ret, len);
2757 #define MACSEC_FEATURES \
2758 (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
2759 static struct lock_class_key macsec_netdev_addr_lock_key;
2761 static int macsec_dev_init(struct net_device *dev)
2763 struct macsec_dev *macsec = macsec_priv(dev);
2764 struct net_device *real_dev = macsec->real_dev;
2767 dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
2771 err = gro_cells_init(&macsec->gro_cells, dev);
2773 free_percpu(dev->tstats);
2777 dev->features = real_dev->features & MACSEC_FEATURES;
2778 dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE;
2780 dev->needed_headroom = real_dev->needed_headroom +
2781 MACSEC_NEEDED_HEADROOM;
2782 dev->needed_tailroom = real_dev->needed_tailroom +
2783 MACSEC_NEEDED_TAILROOM;
2785 if (is_zero_ether_addr(dev->dev_addr))
2786 eth_hw_addr_inherit(dev, real_dev);
2787 if (is_zero_ether_addr(dev->broadcast))
2788 memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len);
2793 static void macsec_dev_uninit(struct net_device *dev)
2795 struct macsec_dev *macsec = macsec_priv(dev);
2797 gro_cells_destroy(&macsec->gro_cells);
2798 free_percpu(dev->tstats);
2801 static netdev_features_t macsec_fix_features(struct net_device *dev,
2802 netdev_features_t features)
2804 struct macsec_dev *macsec = macsec_priv(dev);
2805 struct net_device *real_dev = macsec->real_dev;
2807 features &= (real_dev->features & MACSEC_FEATURES) |
2808 NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES;
2809 features |= NETIF_F_LLTX;
2814 static int macsec_dev_open(struct net_device *dev)
2816 struct macsec_dev *macsec = macsec_priv(dev);
2817 struct net_device *real_dev = macsec->real_dev;
2820 err = dev_uc_add(real_dev, dev->dev_addr);
2824 if (dev->flags & IFF_ALLMULTI) {
2825 err = dev_set_allmulti(real_dev, 1);
2830 if (dev->flags & IFF_PROMISC) {
2831 err = dev_set_promiscuity(real_dev, 1);
2833 goto clear_allmulti;
2836 if (netif_carrier_ok(real_dev))
2837 netif_carrier_on(dev);
2841 if (dev->flags & IFF_ALLMULTI)
2842 dev_set_allmulti(real_dev, -1);
2844 dev_uc_del(real_dev, dev->dev_addr);
2845 netif_carrier_off(dev);
2849 static int macsec_dev_stop(struct net_device *dev)
2851 struct macsec_dev *macsec = macsec_priv(dev);
2852 struct net_device *real_dev = macsec->real_dev;
2854 netif_carrier_off(dev);
2856 dev_mc_unsync(real_dev, dev);
2857 dev_uc_unsync(real_dev, dev);
2859 if (dev->flags & IFF_ALLMULTI)
2860 dev_set_allmulti(real_dev, -1);
2862 if (dev->flags & IFF_PROMISC)
2863 dev_set_promiscuity(real_dev, -1);
2865 dev_uc_del(real_dev, dev->dev_addr);
2870 static void macsec_dev_change_rx_flags(struct net_device *dev, int change)
2872 struct net_device *real_dev = macsec_priv(dev)->real_dev;
2874 if (!(dev->flags & IFF_UP))
2877 if (change & IFF_ALLMULTI)
2878 dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
2880 if (change & IFF_PROMISC)
2881 dev_set_promiscuity(real_dev,
2882 dev->flags & IFF_PROMISC ? 1 : -1);
2885 static void macsec_dev_set_rx_mode(struct net_device *dev)
2887 struct net_device *real_dev = macsec_priv(dev)->real_dev;
2889 dev_mc_sync(real_dev, dev);
2890 dev_uc_sync(real_dev, dev);
2893 static sci_t dev_to_sci(struct net_device *dev, __be16 port)
2895 return make_sci(dev->dev_addr, port);
2898 static int macsec_set_mac_address(struct net_device *dev, void *p)
2900 struct macsec_dev *macsec = macsec_priv(dev);
2901 struct net_device *real_dev = macsec->real_dev;
2902 struct sockaddr *addr = p;
2905 if (!is_valid_ether_addr(addr->sa_data))
2906 return -EADDRNOTAVAIL;
2908 if (!(dev->flags & IFF_UP))
2911 err = dev_uc_add(real_dev, addr->sa_data);
2915 dev_uc_del(real_dev, dev->dev_addr);
2918 ether_addr_copy(dev->dev_addr, addr->sa_data);
2919 macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);
2923 static int macsec_change_mtu(struct net_device *dev, int new_mtu)
2925 struct macsec_dev *macsec = macsec_priv(dev);
2926 unsigned int extra = macsec->secy.icv_len + macsec_extra_len(true);
2928 if (macsec->real_dev->mtu - extra < new_mtu)
2936 static void macsec_get_stats64(struct net_device *dev,
2937 struct rtnl_link_stats64 *s)
2944 for_each_possible_cpu(cpu) {
2945 struct pcpu_sw_netstats *stats;
2946 struct pcpu_sw_netstats tmp;
2949 stats = per_cpu_ptr(dev->tstats, cpu);
2951 start = u64_stats_fetch_begin_irq(&stats->syncp);
2952 tmp.rx_packets = stats->rx_packets;
2953 tmp.rx_bytes = stats->rx_bytes;
2954 tmp.tx_packets = stats->tx_packets;
2955 tmp.tx_bytes = stats->tx_bytes;
2956 } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
2958 s->rx_packets += tmp.rx_packets;
2959 s->rx_bytes += tmp.rx_bytes;
2960 s->tx_packets += tmp.tx_packets;
2961 s->tx_bytes += tmp.tx_bytes;
2964 s->rx_dropped = dev->stats.rx_dropped;
2965 s->tx_dropped = dev->stats.tx_dropped;
2968 static int macsec_get_iflink(const struct net_device *dev)
2970 return macsec_priv(dev)->real_dev->ifindex;
2974 static int macsec_get_nest_level(struct net_device *dev)
2976 return macsec_priv(dev)->nest_level;
2980 static const struct net_device_ops macsec_netdev_ops = {
2981 .ndo_init = macsec_dev_init,
2982 .ndo_uninit = macsec_dev_uninit,
2983 .ndo_open = macsec_dev_open,
2984 .ndo_stop = macsec_dev_stop,
2985 .ndo_fix_features = macsec_fix_features,
2986 .ndo_change_mtu = macsec_change_mtu,
2987 .ndo_set_rx_mode = macsec_dev_set_rx_mode,
2988 .ndo_change_rx_flags = macsec_dev_change_rx_flags,
2989 .ndo_set_mac_address = macsec_set_mac_address,
2990 .ndo_start_xmit = macsec_start_xmit,
2991 .ndo_get_stats64 = macsec_get_stats64,
2992 .ndo_get_iflink = macsec_get_iflink,
2993 .ndo_get_lock_subclass = macsec_get_nest_level,
2996 static const struct device_type macsec_type = {
3000 static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
3001 [IFLA_MACSEC_SCI] = { .type = NLA_U64 },
3002 [IFLA_MACSEC_PORT] = { .type = NLA_U16 },
3003 [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
3004 [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
3005 [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
3006 [IFLA_MACSEC_ENCODING_SA] = { .type = NLA_U8 },
3007 [IFLA_MACSEC_ENCRYPT] = { .type = NLA_U8 },
3008 [IFLA_MACSEC_PROTECT] = { .type = NLA_U8 },
3009 [IFLA_MACSEC_INC_SCI] = { .type = NLA_U8 },
3010 [IFLA_MACSEC_ES] = { .type = NLA_U8 },
3011 [IFLA_MACSEC_SCB] = { .type = NLA_U8 },
3012 [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 },
3013 [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 },
3016 static void macsec_free_netdev(struct net_device *dev)
3018 struct macsec_dev *macsec = macsec_priv(dev);
3020 free_percpu(macsec->stats);
3021 free_percpu(macsec->secy.tx_sc.stats);
3025 static void macsec_setup(struct net_device *dev)
3029 dev->max_mtu = ETH_MAX_MTU;
3030 dev->priv_flags |= IFF_NO_QUEUE;
3031 dev->netdev_ops = &macsec_netdev_ops;
3032 dev->needs_free_netdev = true;
3033 dev->priv_destructor = macsec_free_netdev;
3034 SET_NETDEV_DEVTYPE(dev, &macsec_type);
3036 eth_zero_addr(dev->broadcast);
3039 static int macsec_changelink_common(struct net_device *dev,
3040 struct nlattr *data[])
3042 struct macsec_secy *secy;
3043 struct macsec_tx_sc *tx_sc;
3045 secy = &macsec_priv(dev)->secy;
3046 tx_sc = &secy->tx_sc;
3048 if (data[IFLA_MACSEC_ENCODING_SA]) {
3049 struct macsec_tx_sa *tx_sa;
3051 tx_sc->encoding_sa = nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]);
3052 tx_sa = rtnl_dereference(tx_sc->sa[tx_sc->encoding_sa]);
3054 secy->operational = tx_sa && tx_sa->active;
3057 if (data[IFLA_MACSEC_WINDOW])
3058 secy->replay_window = nla_get_u32(data[IFLA_MACSEC_WINDOW]);
3060 if (data[IFLA_MACSEC_ENCRYPT])
3061 tx_sc->encrypt = !!nla_get_u8(data[IFLA_MACSEC_ENCRYPT]);
3063 if (data[IFLA_MACSEC_PROTECT])
3064 secy->protect_frames = !!nla_get_u8(data[IFLA_MACSEC_PROTECT]);
3066 if (data[IFLA_MACSEC_INC_SCI])
3067 tx_sc->send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
3069 if (data[IFLA_MACSEC_ES])
3070 tx_sc->end_station = !!nla_get_u8(data[IFLA_MACSEC_ES]);
3072 if (data[IFLA_MACSEC_SCB])
3073 tx_sc->scb = !!nla_get_u8(data[IFLA_MACSEC_SCB]);
3075 if (data[IFLA_MACSEC_REPLAY_PROTECT])
3076 secy->replay_protect = !!nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT]);
3078 if (data[IFLA_MACSEC_VALIDATION])
3079 secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]);
3081 if (data[IFLA_MACSEC_CIPHER_SUITE]) {
3082 switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) {
3083 case MACSEC_CIPHER_ID_GCM_AES_128:
3084 case MACSEC_DEFAULT_CIPHER_ID:
3085 secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
3087 case MACSEC_CIPHER_ID_GCM_AES_256:
3088 secy->key_len = MACSEC_GCM_AES_256_SAK_LEN;
3098 static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
3099 struct nlattr *data[],
3100 struct netlink_ext_ack *extack)
3105 if (data[IFLA_MACSEC_CIPHER_SUITE] ||
3106 data[IFLA_MACSEC_ICV_LEN] ||
3107 data[IFLA_MACSEC_SCI] ||
3108 data[IFLA_MACSEC_PORT])
3111 return macsec_changelink_common(dev, data);
3114 static void macsec_del_dev(struct macsec_dev *macsec)
3118 while (macsec->secy.rx_sc) {
3119 struct macsec_rx_sc *rx_sc = rtnl_dereference(macsec->secy.rx_sc);
3121 rcu_assign_pointer(macsec->secy.rx_sc, rx_sc->next);
3125 for (i = 0; i < MACSEC_NUM_AN; i++) {
3126 struct macsec_tx_sa *sa = rtnl_dereference(macsec->secy.tx_sc.sa[i]);
3129 RCU_INIT_POINTER(macsec->secy.tx_sc.sa[i], NULL);
3135 static void macsec_common_dellink(struct net_device *dev, struct list_head *head)
3137 struct macsec_dev *macsec = macsec_priv(dev);
3138 struct net_device *real_dev = macsec->real_dev;
3140 unregister_netdevice_queue(dev, head);
3141 list_del_rcu(&macsec->secys);
3142 macsec_del_dev(macsec);
3143 netdev_upper_dev_unlink(real_dev, dev);
3145 macsec_generation++;
3148 static void macsec_dellink(struct net_device *dev, struct list_head *head)
3150 struct macsec_dev *macsec = macsec_priv(dev);
3151 struct net_device *real_dev = macsec->real_dev;
3152 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
3154 macsec_common_dellink(dev, head);
3156 if (list_empty(&rxd->secys)) {
3157 netdev_rx_handler_unregister(real_dev);
3162 static int register_macsec_dev(struct net_device *real_dev,
3163 struct net_device *dev)
3165 struct macsec_dev *macsec = macsec_priv(dev);
3166 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
3171 rxd = kmalloc(sizeof(*rxd), GFP_KERNEL);
3175 INIT_LIST_HEAD(&rxd->secys);
3177 err = netdev_rx_handler_register(real_dev, macsec_handle_frame,
3185 list_add_tail_rcu(&macsec->secys, &rxd->secys);
3189 static bool sci_exists(struct net_device *dev, sci_t sci)
3191 struct macsec_rxh_data *rxd = macsec_data_rtnl(dev);
3192 struct macsec_dev *macsec;
3194 list_for_each_entry(macsec, &rxd->secys, secys) {
3195 if (macsec->secy.sci == sci)
3202 static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
3204 struct macsec_dev *macsec = macsec_priv(dev);
3205 struct macsec_secy *secy = &macsec->secy;
3207 macsec->stats = netdev_alloc_pcpu_stats(struct pcpu_secy_stats);
3211 secy->tx_sc.stats = netdev_alloc_pcpu_stats(struct pcpu_tx_sc_stats);
3212 if (!secy->tx_sc.stats) {
3213 free_percpu(macsec->stats);
3217 if (sci == MACSEC_UNDEF_SCI)
3218 sci = dev_to_sci(dev, MACSEC_PORT_ES);
3221 secy->operational = true;
3222 secy->key_len = DEFAULT_SAK_LEN;
3223 secy->icv_len = icv_len;
3224 secy->validate_frames = MACSEC_VALIDATE_DEFAULT;
3225 secy->protect_frames = true;
3226 secy->replay_protect = false;
3229 secy->tx_sc.active = true;
3230 secy->tx_sc.encoding_sa = DEFAULT_ENCODING_SA;
3231 secy->tx_sc.encrypt = DEFAULT_ENCRYPT;
3232 secy->tx_sc.send_sci = DEFAULT_SEND_SCI;
3233 secy->tx_sc.end_station = false;
3234 secy->tx_sc.scb = false;
3239 static int macsec_newlink(struct net *net, struct net_device *dev,
3240 struct nlattr *tb[], struct nlattr *data[],
3241 struct netlink_ext_ack *extack)
3243 struct macsec_dev *macsec = macsec_priv(dev);
3244 rx_handler_func_t *rx_handler;
3245 u8 icv_len = DEFAULT_ICV_LEN;
3246 struct net_device *real_dev;
3252 real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK]));
3255 if (real_dev->type != ARPHRD_ETHER)
3258 dev->priv_flags |= IFF_MACSEC;
3260 macsec->real_dev = real_dev;
3262 /* send_sci must be set to true when transmit sci explicitly is set */
3263 if ((data && data[IFLA_MACSEC_SCI]) &&
3264 (data && data[IFLA_MACSEC_INC_SCI])) {
3265 u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
3271 if (data && data[IFLA_MACSEC_ICV_LEN])
3272 icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
3273 mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
3279 rx_handler = rtnl_dereference(real_dev->rx_handler);
3280 if (rx_handler && rx_handler != macsec_handle_frame)
3283 err = register_netdevice(dev);
3287 macsec->nest_level = dev_get_nest_level(real_dev) + 1;
3288 netdev_lockdep_set_classes(dev);
3289 lockdep_set_class_and_subclass(&dev->addr_list_lock,
3290 &macsec_netdev_addr_lock_key,
3291 macsec_get_nest_level(dev));
3293 err = netdev_upper_dev_link(real_dev, dev, extack);
3297 /* need to be already registered so that ->init has run and
3298 * the MAC addr is set
3300 if (data && data[IFLA_MACSEC_SCI])
3301 sci = nla_get_sci(data[IFLA_MACSEC_SCI]);
3302 else if (data && data[IFLA_MACSEC_PORT])
3303 sci = dev_to_sci(dev, nla_get_be16(data[IFLA_MACSEC_PORT]));
3305 sci = dev_to_sci(dev, MACSEC_PORT_ES);
3307 if (rx_handler && sci_exists(real_dev, sci)) {
3312 err = macsec_add_dev(dev, sci, icv_len);
3317 err = macsec_changelink_common(dev, data);
3322 err = register_macsec_dev(real_dev, dev);
3326 netif_stacked_transfer_operstate(real_dev, dev);
3327 linkwatch_fire_event(dev);
3329 macsec_generation++;
3334 macsec_del_dev(macsec);
3336 netdev_upper_dev_unlink(real_dev, dev);
3338 unregister_netdevice(dev);
3342 static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[],
3343 struct netlink_ext_ack *extack)
3345 u64 csid = MACSEC_DEFAULT_CIPHER_ID;
3346 u8 icv_len = DEFAULT_ICV_LEN;
3353 if (data[IFLA_MACSEC_CIPHER_SUITE])
3354 csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
3356 if (data[IFLA_MACSEC_ICV_LEN]) {
3357 icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
3358 if (icv_len != DEFAULT_ICV_LEN) {
3359 char dummy_key[DEFAULT_SAK_LEN] = { 0 };
3360 struct crypto_aead *dummy_tfm;
3362 dummy_tfm = macsec_alloc_tfm(dummy_key,
3365 if (IS_ERR(dummy_tfm))
3366 return PTR_ERR(dummy_tfm);
3367 crypto_free_aead(dummy_tfm);
3372 case MACSEC_CIPHER_ID_GCM_AES_128:
3373 case MACSEC_CIPHER_ID_GCM_AES_256:
3374 case MACSEC_DEFAULT_CIPHER_ID:
3375 if (icv_len < MACSEC_MIN_ICV_LEN ||
3376 icv_len > MACSEC_STD_ICV_LEN)
3383 if (data[IFLA_MACSEC_ENCODING_SA]) {
3384 if (nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]) >= MACSEC_NUM_AN)
3388 for (flag = IFLA_MACSEC_ENCODING_SA + 1;
3389 flag < IFLA_MACSEC_VALIDATION;
3392 if (nla_get_u8(data[flag]) > 1)
3397 es = data[IFLA_MACSEC_ES] ? nla_get_u8(data[IFLA_MACSEC_ES]) : false;
3398 sci = data[IFLA_MACSEC_INC_SCI] ? nla_get_u8(data[IFLA_MACSEC_INC_SCI]) : false;
3399 scb = data[IFLA_MACSEC_SCB] ? nla_get_u8(data[IFLA_MACSEC_SCB]) : false;
3401 if ((sci && (scb || es)) || (scb && es))
3404 if (data[IFLA_MACSEC_VALIDATION] &&
3405 nla_get_u8(data[IFLA_MACSEC_VALIDATION]) > MACSEC_VALIDATE_MAX)
3408 if ((data[IFLA_MACSEC_REPLAY_PROTECT] &&
3409 nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT])) &&
3410 !data[IFLA_MACSEC_WINDOW])
3416 static struct net *macsec_get_link_net(const struct net_device *dev)
3418 return dev_net(macsec_priv(dev)->real_dev);
3421 static size_t macsec_get_size(const struct net_device *dev)
3423 return nla_total_size_64bit(8) + /* IFLA_MACSEC_SCI */
3424 nla_total_size(1) + /* IFLA_MACSEC_ICV_LEN */
3425 nla_total_size_64bit(8) + /* IFLA_MACSEC_CIPHER_SUITE */
3426 nla_total_size(4) + /* IFLA_MACSEC_WINDOW */
3427 nla_total_size(1) + /* IFLA_MACSEC_ENCODING_SA */
3428 nla_total_size(1) + /* IFLA_MACSEC_ENCRYPT */
3429 nla_total_size(1) + /* IFLA_MACSEC_PROTECT */
3430 nla_total_size(1) + /* IFLA_MACSEC_INC_SCI */
3431 nla_total_size(1) + /* IFLA_MACSEC_ES */
3432 nla_total_size(1) + /* IFLA_MACSEC_SCB */
3433 nla_total_size(1) + /* IFLA_MACSEC_REPLAY_PROTECT */
3434 nla_total_size(1) + /* IFLA_MACSEC_VALIDATION */
3438 static int macsec_fill_info(struct sk_buff *skb,
3439 const struct net_device *dev)
3441 struct macsec_secy *secy = &macsec_priv(dev)->secy;
3442 struct macsec_tx_sc *tx_sc = &secy->tx_sc;
3445 switch (secy->key_len) {
3446 case MACSEC_GCM_AES_128_SAK_LEN:
3447 csid = MACSEC_DEFAULT_CIPHER_ID;
3449 case MACSEC_GCM_AES_256_SAK_LEN:
3450 csid = MACSEC_CIPHER_ID_GCM_AES_256;
3453 goto nla_put_failure;
3456 if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci,
3458 nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) ||
3459 nla_put_u64_64bit(skb, IFLA_MACSEC_CIPHER_SUITE,
3460 csid, IFLA_MACSEC_PAD) ||
3461 nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) ||
3462 nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) ||
3463 nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) ||
3464 nla_put_u8(skb, IFLA_MACSEC_INC_SCI, tx_sc->send_sci) ||
3465 nla_put_u8(skb, IFLA_MACSEC_ES, tx_sc->end_station) ||
3466 nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) ||
3467 nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) ||
3468 nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) ||
3470 goto nla_put_failure;
3472 if (secy->replay_protect) {
3473 if (nla_put_u32(skb, IFLA_MACSEC_WINDOW, secy->replay_window))
3474 goto nla_put_failure;
3483 static struct rtnl_link_ops macsec_link_ops __read_mostly = {
3485 .priv_size = sizeof(struct macsec_dev),
3486 .maxtype = IFLA_MACSEC_MAX,
3487 .policy = macsec_rtnl_policy,
3488 .setup = macsec_setup,
3489 .validate = macsec_validate_attr,
3490 .newlink = macsec_newlink,
3491 .changelink = macsec_changelink,
3492 .dellink = macsec_dellink,
3493 .get_size = macsec_get_size,
3494 .fill_info = macsec_fill_info,
3495 .get_link_net = macsec_get_link_net,
3498 static bool is_macsec_master(struct net_device *dev)
3500 return rcu_access_pointer(dev->rx_handler) == macsec_handle_frame;
3503 static int macsec_notify(struct notifier_block *this, unsigned long event,
3506 struct net_device *real_dev = netdev_notifier_info_to_dev(ptr);
3509 if (!is_macsec_master(real_dev))
3515 case NETDEV_CHANGE: {
3516 struct macsec_dev *m, *n;
3517 struct macsec_rxh_data *rxd;
3519 rxd = macsec_data_rtnl(real_dev);
3520 list_for_each_entry_safe(m, n, &rxd->secys, secys) {
3521 struct net_device *dev = m->secy.netdev;
3523 netif_stacked_transfer_operstate(real_dev, dev);
3527 case NETDEV_UNREGISTER: {
3528 struct macsec_dev *m, *n;
3529 struct macsec_rxh_data *rxd;
3531 rxd = macsec_data_rtnl(real_dev);
3532 list_for_each_entry_safe(m, n, &rxd->secys, secys) {
3533 macsec_common_dellink(m->secy.netdev, &head);
3536 netdev_rx_handler_unregister(real_dev);
3539 unregister_netdevice_many(&head);
3542 case NETDEV_CHANGEMTU: {
3543 struct macsec_dev *m;
3544 struct macsec_rxh_data *rxd;
3546 rxd = macsec_data_rtnl(real_dev);
3547 list_for_each_entry(m, &rxd->secys, secys) {
3548 struct net_device *dev = m->secy.netdev;
3549 unsigned int mtu = real_dev->mtu - (m->secy.icv_len +
3550 macsec_extra_len(true));
3553 dev_set_mtu(dev, mtu);
3561 static struct notifier_block macsec_notifier = {
3562 .notifier_call = macsec_notify,
3565 static int __init macsec_init(void)
3569 pr_info("MACsec IEEE 802.1AE\n");
3570 err = register_netdevice_notifier(&macsec_notifier);
3574 err = rtnl_link_register(&macsec_link_ops);
3578 err = genl_register_family(&macsec_fam);
3585 rtnl_link_unregister(&macsec_link_ops);
3587 unregister_netdevice_notifier(&macsec_notifier);
3591 static void __exit macsec_exit(void)
3593 genl_unregister_family(&macsec_fam);
3594 rtnl_link_unregister(&macsec_link_ops);
3595 unregister_netdevice_notifier(&macsec_notifier);
3599 module_init(macsec_init);
3600 module_exit(macsec_exit);
3602 MODULE_ALIAS_RTNL_LINK("macsec");
3603 MODULE_ALIAS_GENL_FAMILY("macsec");
3605 MODULE_DESCRIPTION("MACsec IEEE 802.1AE");
3606 MODULE_LICENSE("GPL v2");
projects / releases.git / blob