* MACSEC configuration - is CONFIG_MACSEC enough?
@ 2021-03-01 15:00 Tom Cook
  2021-03-02 17:06 ` Tom Cook
  0 siblings, 1 reply; 2+ messages in thread
From: Tom Cook @ 2021-03-01 15:00 UTC
  To: Network Development

I'm trying to use MACSEC on an arm64 embedded platform; I'm trying to
create an encrypted channel between two of them rather than doing
switch port access etc.  The vendor's BSP only provides a 4.9 kernel
so that's what I'm using.  I've added CONFIG_MACSEC=y to the kernel
config.  This then forces CONFIG_CRYPTO_GCM=y and CONFIG_CRYPTO_AES=y.

I've tried both manual configuration of MACSEC interfaces and also
using wpa_supplicant to do MKA negotiation.  I then add IP addresses
to the MACSEC interfaces in the 192.168.149.0/24 subnet.  In both
cases, the result is that the macsec0 interface has flags
BROADCAST,MULTICAST,UP,LOWER_UP but is in the UNKNOWN state.
Attempting to ping from one to the other results in encrypted ARP
frames being transmitted but then discarded at the receiver end.
tcpdump shows the frames arriving at the receiver and `ip -s macsec
show` shows these frames being added to the InPktsNotValid counter.

AFAICT from macsec.c, InPktsNotValid means either that the decryption
failed or that memory allocation for the decryption failed.

Is there some other bit of kernel config I need to do to get the
decryption to work correctly?

The SOC is a cavium cn8030.  This part is equipped with a crypto
accelerator but support for it is not compiled into the kernel.

Thanks for any help,
Tom Cook
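
The counter check described in the message above, as an added example that is not part of the original thread: a shell/awk reader for `ip -s macsec show` that extracts the receive-channel counters and classifies the result. The sample output is constructed, and the function names and the assumed layout (a `stats:` line of names followed by a line of values) are this example's own.

```shell
#!/bin/sh
# Added example. sample_output is constructed; it assumes `ip -s macsec show`
# prints each statistics block as a "stats:" line of names, then a line of values.
sample_output() {
cat <<'EOF'
5: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0200000000010001 on SA 0
    stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
                          0               12                  0                504
    RXSC: 0200000000020001, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                           0                 0               0             0        0             0          0              9                0              0
        0: PN 1, state on, key 01000000000000000000000000000000
    stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                  0             0              9                0              0
EOF
}

# macsec_counter NAME: sum NAME over the RXSC-level stats blocks on stdin.
# Per-SA blocks repeat the same counter names, so they are skipped to avoid
# counting a frame twice.
macsec_counter() {
    awk -v want="$1" '
        $1 == "stats:" { n = 0; for (i = 2; i <= NF; i++) name[++n] = $i
                         take = (sect == "RXSC:"); next }
        take           { for (i = 1; i <= n; i++) if (name[i] == want) sum += $i
                         take = 0; next }
                       { sect = $1 }   # remember which section the next stats belong to
        END            { print sum + 0 }'
}

# macsec_rx_verdict: classify receive health from the statistics on stdin.
macsec_rx_verdict() {
    stats=$(cat)
    ok=$(printf '%s\n' "$stats" | macsec_counter InPktsOK)
    bad=$(printf '%s\n' "$stats" | macsec_counter InPktsNotValid)
    if [ "$bad" -gt 0 ] && [ "$ok" -eq 0 ]; then echo all-frames-rejected
    elif [ "$bad" -gt 0 ]; then echo some-frames-rejected
    elif [ "$ok" -gt 0 ]; then echo ok
    else echo no-validated-traffic
    fi
}

# On a live system: ip -s macsec show | macsec_rx_verdict
sample_output | macsec_rx_verdict
```

A result of `all-frames-rejected` matches the symptom in the thread: frames reach the receiver but every one lands in InPktsNotValid.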


* Re: MACSEC configuration - is CONFIG_MACSEC enough?
  2021-03-01 15:00 MACSEC configuration - is CONFIG_MACSEC enough? Tom Cook
@ 2021-03-02 17:06 ` Tom Cook
  0 siblings, 0 replies; 2+ messages in thread
From: Tom Cook @ 2021-03-02 17:06 UTC
  To: Network Development

Never mind, I found commit b3bdc3acbb44d74d0b7ba4d97169577a2b46dc88
that fixed this in 4.10-rc9 or so.  Sorry for wasting your time.

Regards,
Tom Cook

On Mon, Mar 1, 2021 at 3:00 PM Tom Cook <tom.k.cook@gmail.com> wrote:
>
> I'm trying to use MACSEC on an arm64 embedded platform; I'm trying to
> create an encrypted channel between two of them rather than doing
> switch port access etc.  The vendor's BSP only provides a 4.9 kernel
> so that's what I'm using.  I've added CONFIG_MACSEC=y to the kernel
> config.  This then forces CONFIG_CRYPTO_GCM=y and CONFIG_CRYPTO_AES=y.
>
> I've tried both manual configuration of MACSEC interfaces and also
> using wpa_supplicant to do MKA negotiation.  I then add IP addresses
> to the MACSEC interfaces in the 192.168.149.0/24 subnet.  In both
> cases, the result is that the macsec0 interface has flags
> BROADCAST,MULTICAST,UP,LOWER_UP but is in the UNKNOWN state.
> Attempting to ping from one to the other results in encrypted ARP
> frames being transmitted but then discarded at the receiver end.
> tcpdump shows the frames arriving at the receiver and `ip -s macsec
> show` shows these frames being added to the InPktsNotValid counter.
>
> AFAICT from macsec.c, InPktsNotValid means either that the decryption
> failed or that memory allocation for the decryption failed.
>
> Is there some other bit of kernel config I need to do to get the
> decryption to work correctly?
>
> The SOC is a cavium cn8030.  This part is equipped with a crypto
> accelerator but support for it is not compiled into the kernel.
>
> Thanks for any help,
> Tom Cook
