* [PATCH iproute2-next v2 0/4] macsec: add offloading support
@ 2020-03-03 10:36 Antoine Tenart
  2020-03-03 10:36 ` [PATCH iproute2-next v2 1/4] macsec: report the offloading mode currently selected Antoine Tenart
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Antoine Tenart @ 2020-03-03 10:36 UTC (permalink / raw)
  To: dsahern, sd; +Cc: Antoine Tenart, netdev

Hello,

This series adds support for selecting and reporting the offloading mode
of a MACsec interface. Available modes are for now 'off' and 'phy',
'off' being the default when an interface is created. Modes are not only
'off' and 'on' as the MACsec operations can be offloaded to multiple
kinds of specialized hardware devices, at least to PHYs and Ethernet
MACs. The latter isn't currently supported in the kernel though.

The first patch adds support for reporting the offloading mode currently
selected for a given MACsec interface through the `ip macsec show`
command:

   # ip macsec show
   18: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
       cipher suite: GCM-AES-128, using ICV length 16
       TXSC: 3e5035b67c860001 on SA 0
           0: PN 1, state on, key 00000000000000000000000000000000
       RXSC: b4969112700f0001, state on
           0: PN 1, state on, key 01000000000000000000000000000000
->     offload: phy
   19: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
       cipher suite: GCM-AES-128, using ICV length 16
       TXSC: 3e5035b67c880001 on SA 0
           1: PN 1, state on, key 00000000000000000000000000000000
       RXSC: b4969112700f0001, state on
           1: PN 1, state on, key 01000000000000000000000000000000
->     offload: off

The second patch allows a user to change the offloading mode at runtime
through a new subcommand, `ip macsec offload`:

  # ip macsec offload macsec0 phy
  # ip macsec offload macsec0 off

If a mode isn't supported, `ip macsec offload` will report an issue
(-EOPNOTSUPP).

Giving the offloading mode when a macsec interface is created was
discussed; it is not implemented in this series. It could come later
on, when needed, as we'll still want to support updating the offloading
mode at runtime (what's implemented in this series).

Thanks!
Antoine

Since v1:
  - Added an accessor when accessing the offload_str array. Likewise
    added an accessor for the existing validate_str array.
  - Added a description of the new `macsec offload` command in the man
    page.

Antoine Tenart (4):
  macsec: report the offloading mode currently selected
  macsec: add support for changing the offloading mode
  man: document the ip macsec offload command
  macsec: add an accessor for validate_str

 ip/ipmacsec.c        | 83 ++++++++++++++++++++++++++++++++++++++++++--
 man/man8/ip-macsec.8 |  7 ++++
 2 files changed, 88 insertions(+), 2 deletions(-)

-- 
2.24.1
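
Added example, not part of the series or of iproute2: a small audit helper that reads `ip macsec show` text in the format shown above and reports the offload mode per interface, so a mode switched with `ip macsec offload` can be checked against the expected one. The function names and the `macsec2` entry are assumptions made for this example; the sample input is constructed from the output quoted above.

```sh
#!/bin/sh
# Added example (not from the series). Constructed sample input: macsec0 and
# macsec1 follow the output quoted above; macsec2 is hypothetical and has no
# "offload:" line, as when the attribute is not reported.
sample_show_output() {
cat <<'EOF'
18: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 3e5035b67c860001 on SA 0
        0: PN 1, state on, key 00000000000000000000000000000000
    offload: phy
19: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 3e5035b67c880001 on SA 0
        1: PN 1, state on, key 00000000000000000000000000000000
    offload: off
20: macsec2: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
EOF
}

# Print "<ifname> <mode>" per interface; "unreported" when no offload line.
macsec_offload_modes() {
    awk '
        /^[0-9]+: / {                       # interface header at column 0
            if (dev != "") print dev, mode
            dev = $2; sub(/:$/, "", dev); mode = "unreported"
            next
        }
        $1 == "offload:" && dev != "" { mode = $2 }
        END { if (dev != "") print dev, mode }
    '
}

# Exit non-zero and list every interface whose mode differs from $1.
macsec_offload_check() {
    macsec_offload_modes | awk -v want="$1" '
        $2 != want { print "MISMATCH " $1 " offload=" $2 " expected=" want; bad = 1 }
        END { exit bad + 0 }
    '
}
```

On a live system the input would come from `ip macsec show | macsec_offload_check off`; an interface reported as `unreported` means the tool or kernel did not emit the offload attribute, not that offloading is off.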



* [PATCH iproute2-next v2 1/4] macsec: report the offloading mode currently selected
  2020-03-03 10:36 [PATCH iproute2-next v2 0/4] macsec: add offloading support Antoine Tenart
@ 2020-03-03 10:36 ` Antoine Tenart
  2020-03-03 10:36 ` [PATCH iproute2-next v2 2/4] macsec: add support for changing the offloading mode Antoine Tenart
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Antoine Tenart @ 2020-03-03 10:36 UTC (permalink / raw)
  To: dsahern, sd; +Cc: Antoine Tenart, netdev

This patch adds support to report the MACsec offloading mode currently
being enabled, which as of now can either be 'off' or 'phy'. This
information is reported through the `ip macsec show` command:

  # ip macsec show
  18: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
      cipher suite: GCM-AES-128, using ICV length 16
      TXSC: 3e5035b67c860001 on SA 0
          0: PN 1, state on, key 00000000000000000000000000000000
      RXSC: b4969112700f0001, state on
          0: PN 1, state on, key 01000000000000000000000000000000
      offload: phy
  19: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
      cipher suite: GCM-AES-128, using ICV length 16
      TXSC: 3e5035b67c880001 on SA 0
          1: PN 1, state on, key 00000000000000000000000000000000
      RXSC: b4969112700f0001, state on
          1: PN 1, state on, key 01000000000000000000000000000000
      offload: off

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 ip/ipmacsec.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index ad6ad7d6b79f..4327c796aa1f 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -31,6 +31,11 @@ static const char * const validate_str[] = {
 	[MACSEC_VALIDATE_STRICT] = "strict",
 };
 
+static const char * const offload_str[] = {
+	[MACSEC_OFFLOAD_OFF] = "off",
+	[MACSEC_OFFLOAD_PHY] = "phy",
+};
+
 struct sci {
 	__u64 sci;
 	__u16 port;
@@ -605,6 +610,14 @@ static const char *cs_id_to_name(__u64 cid)
 	}
 }
 
+static const char *offload_to_str(__u8 offload)
+{
+	if (offload >= ARRAY_SIZE(offload_str))
+		return "(unknown)";
+
+	return offload_str[offload];
+}
+
 static void print_attrs(struct rtattr *attrs[])
 {
 	print_flag(attrs, "protect", MACSEC_SECY_ATTR_PROTECT);
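
Review bot: offload_to_str() checks only the upper bound, so a hole in offload_str[] would still hand NULL to the "%s" format in the caller. The table is built with designated initializers, which leaves any index without an entry as NULL once a higher index is added. Suggest extending the test to `if (offload >= ARRAY_SIZE(offload_str) || !offload_str[offload])` so both cases return "(unknown)".
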
@@ -997,6 +1010,19 @@ static int process(struct nlmsghdr *n, void *arg)
 	if (attrs[MACSEC_ATTR_RXSC_LIST])
 		print_rxsc_list(attrs[MACSEC_ATTR_RXSC_LIST]);
 
+	if (attrs[MACSEC_ATTR_OFFLOAD]) {
+		struct rtattr *attrs_offload[MACSEC_OFFLOAD_ATTR_MAX + 1];
+		__u8 offload;
+
+		parse_rtattr_nested(attrs_offload, MACSEC_OFFLOAD_ATTR_MAX,
+				    attrs[MACSEC_ATTR_OFFLOAD]);
+
+		offload = rta_getattr_u8(attrs_offload[MACSEC_OFFLOAD_ATTR_TYPE]);
+		print_string(PRINT_ANY, "offload",
+			     "    offload: %s ", offload_to_str(offload));
+		print_nl();
+	}
+
 	close_json_object();
 
 	return 0;
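
Review bot: attrs_offload[MACSEC_OFFLOAD_ATTR_TYPE] is passed to rta_getattr_u8() without a NULL check in the new block in process(). parse_rtattr_nested() leaves the slot NULL when the nest does not carry that attribute, so a reply with a MACSEC_ATTR_OFFLOAD nest lacking the type would be dereferenced as NULL; guard the read with `if (attrs_offload[MACSEC_OFFLOAD_ATTR_TYPE])`. Minor: the format string "    offload: %s " leaves a trailing space right before print_nl().
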
-- 
2.24.1



* [PATCH iproute2-next v2 2/4] macsec: add support for changing the offloading mode
  2020-03-03 10:36 [PATCH iproute2-next v2 0/4] macsec: add offloading support Antoine Tenart
  2020-03-03 10:36 ` [PATCH iproute2-next v2 1/4] macsec: report the offloading mode currently selected Antoine Tenart
@ 2020-03-03 10:36 ` Antoine Tenart
  2020-03-03 10:36 ` [PATCH iproute2-next v2 3/4] man: document the ip macsec offload command Antoine Tenart
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Antoine Tenart @ 2020-03-03 10:36 UTC (permalink / raw)
  To: dsahern, sd; +Cc: Antoine Tenart, netdev

MACsec can now be offloaded to specialized hardware devices. Offloading
is off by default when creating a new MACsec interface, but the mode can
be updated at runtime. This patch adds a new subcommand,
`ip macsec offload`, to allow users to select the offloading mode of a
MACsec interface. It takes the mode to switch to as an argument, which
can for now either be 'off' or 'phy':

  # ip macsec offload macsec0 phy
  # ip macsec offload macsec0 off

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 ip/ipmacsec.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 4327c796aa1f..6104a3a5523d 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -98,6 +98,7 @@ static void ipmacsec_usage(void)
 		"       ip macsec del DEV rx SCI sa { 0..3 }\n"
 		"       ip macsec show\n"
 		"       ip macsec show DEV\n"
+		"       ip macsec offload DEV [ off | phy ]\n"
 		"where  OPTS := [ pn <u32> ] [ on | off ]\n"
 		"       ID   := 128-bit hex string\n"
 		"       KEY  := 128-bit or 256-bit hex string\n"
@@ -359,6 +360,7 @@ enum cmd {
 	CMD_ADD,
 	CMD_DEL,
 	CMD_UPD,
+	CMD_OFFLOAD,
 	__CMD_MAX
 };
 
@@ -375,6 +377,9 @@ static const enum macsec_nl_commands macsec_commands[__CMD_MAX][2][2] = {
 		[0] = {-1, MACSEC_CMD_DEL_RXSC},
 		[1] = {MACSEC_CMD_DEL_TXSA, MACSEC_CMD_DEL_RXSA},
 	},
+	[CMD_OFFLOAD] = {
+		[0] = {-1, MACSEC_CMD_UPD_OFFLOAD },
+	},
 };
 
 static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
@@ -534,6 +539,44 @@ static int do_modify(enum cmd c, int argc, char **argv)
 	return -1;
 }
 
+static int do_offload(enum cmd c, int argc, char **argv)
+{
+	enum macsec_offload offload;
+	struct rtattr *attr;
+	int ifindex, ret;
+
+	if (argc == 0)
+		ipmacsec_usage();
+
+	ifindex = ll_name_to_index(*argv);
+	if (!ifindex) {
+		fprintf(stderr, "Device \"%s\" does not exist.\n", *argv);
+		return -1;
+	}
+	argc--; argv++;
+
+	if (argc == 0)
+		ipmacsec_usage();
+
+	ret = one_of("offload", *argv, offload_str, ARRAY_SIZE(offload_str),
+		     (int *)&offload);
+	if (ret)
+		ipmacsec_usage();
+
+	MACSEC_GENL_REQ(req, MACSEC_BUFLEN, macsec_commands[c][0][1], NLM_F_REQUEST);
+
+	addattr32(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_IFINDEX, ifindex);
+
+	attr = addattr_nest(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_OFFLOAD);
+	addattr8(&req.n, MACSEC_BUFLEN, MACSEC_OFFLOAD_ATTR_TYPE, offload);
+	addattr_nest_end(&req.n, attr);
+
+	if (rtnl_talk(&genl_rth, &req.n, NULL) < 0)
+		return -2;
+
+	return 0;
+}
+
 /* dump/show */
 static struct {
 	int ifindex;
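
Review bot: the `(int *)&offload` cast in the one_of() call in do_offload() stores an int through a pointer to enum macsec_offload, which relies on the enum having the size and representation of int. Parse into a local `int`, then assign it to `offload` (or pass it to addattr8() directly). Two smaller points in the same function: arguments after the mode are silently ignored, so `ip macsec offload macsec0 phy junk` would be accepted; and the mode is mandatory here (ipmacsec_usage() when argc reaches 0), while the usage line added earlier in this patch shows it as optional with `[ off | phy ]`, where `{ off | phy }` as in the man page patch would match the behaviour.
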
@@ -1094,6 +1137,8 @@ int do_ipmacsec(int argc, char **argv)
 		return do_modify(CMD_UPD, argc-1, argv+1);
 	if (matches(*argv, "delete") == 0)
 		return do_modify(CMD_DEL, argc-1, argv+1);
+	if (matches(*argv, "offload") == 0)
+		return do_offload(CMD_OFFLOAD, argc-1, argv+1);
 
 	fprintf(stderr, "Command \"%s\" is unknown, try \"ip macsec help\".\n",
 		*argv);
-- 
2.24.1



* [PATCH iproute2-next v2 3/4] man: document the ip macsec offload command
  2020-03-03 10:36 [PATCH iproute2-next v2 0/4] macsec: add offloading support Antoine Tenart
  2020-03-03 10:36 ` [PATCH iproute2-next v2 1/4] macsec: report the offloading mode currently selected Antoine Tenart
  2020-03-03 10:36 ` [PATCH iproute2-next v2 2/4] macsec: add support for changing the offloading mode Antoine Tenart
@ 2020-03-03 10:36 ` Antoine Tenart
  2020-03-03 10:36 ` [PATCH iproute2-next v2 4/4] macsec: add an accessor for validate_str Antoine Tenart
  2020-03-04 20:00 ` [PATCH iproute2-next v2 0/4] macsec: add offloading support David Ahern
  4 siblings, 0 replies; 6+ messages in thread
From: Antoine Tenart @ 2020-03-03 10:36 UTC (permalink / raw)
  To: dsahern, sd; +Cc: Antoine Tenart, netdev

Add a description of the `ip macsec offload` command used to select the
offloading mode on a macsec interface when the underlying device
supports it.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 man/man8/ip-macsec.8 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index 2179b33683d5..d5f9d240bf12 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -53,6 +53,9 @@ ip-macsec \- MACsec device configuration
 .BI "ip macsec del " DEV " rx " SCI " sa"
 .RI "{ " 0..3 " }"
 
+.BI "ip macsec offload " DEV
+.RB "{ " off " | " phy " }"
+
 .B ip macsec show
 .RI [ " DEV " ]
 
@@ -102,6 +105,10 @@ type.
 .SS Display MACsec configuration
 .nf
 # ip macsec show
+.PP
+.SS Configure offloading on an interface
+.nf
+# ip macsec offload macsec0 phy
 
 .SH NOTES
 This tool can be used to configure the 802.1AE keys of the interface. Note that 802.1AE uses GCM-AES
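
Review bot: the man page gains a synopsis entry and an example but no description of the command, although the commit message says a description is added. A short paragraph stating what `off` and `phy` select, that `off` is the default for a new interface, and that an unsupported mode fails with -EOPNOTSUPP (all stated in the cover letter) would let a reader understand the command from the man page alone.
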
-- 
2.24.1



* [PATCH iproute2-next v2 4/4] macsec: add an accessor for validate_str
  2020-03-03 10:36 [PATCH iproute2-next v2 0/4] macsec: add offloading support Antoine Tenart
                   ` (2 preceding siblings ...)
  2020-03-03 10:36 ` [PATCH iproute2-next v2 3/4] man: document the ip macsec offload command Antoine Tenart
@ 2020-03-03 10:36 ` Antoine Tenart
  2020-03-04 20:00 ` [PATCH iproute2-next v2 0/4] macsec: add offloading support David Ahern
  4 siblings, 0 replies; 6+ messages in thread
From: Antoine Tenart @ 2020-03-03 10:36 UTC (permalink / raw)
  To: dsahern, sd; +Cc: Antoine Tenart, netdev

This patch adds an accessor for the validate_str array, to handle future
changes adding a member.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 ip/ipmacsec.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 6104a3a5523d..4e500e4e4825 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -653,6 +653,14 @@ static const char *cs_id_to_name(__u64 cid)
 	}
 }
 
+static const char *validate_to_str(__u8 validate)
+{
+	if (validate >= ARRAY_SIZE(validate_str))
+		return "(unknown)";
+
+	return validate_str[validate];
+}
+
 static const char *offload_to_str(__u8 offload)
 {
 	if (offload >= ARRAY_SIZE(offload_str))
@@ -669,7 +677,7 @@ static void print_attrs(struct rtattr *attrs[])
 		__u8 val = rta_getattr_u8(attrs[MACSEC_SECY_ATTR_VALIDATE]);
 
 		print_string(PRINT_ANY, "validate",
-			     "validate %s ", validate_str[val]);
+			     "validate %s ", validate_to_str(val));
 	}
 
 	print_flag(attrs, "sc", MACSEC_RXSC_ATTR_ACTIVE);
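
Review bot: the commit message gives only "future changes adding a member" as the motivation, but the line replaced in print_attrs() indexed validate_str[] with a u8 read from a netlink attribute via rta_getattr_u8(), with no bound check. The accessor therefore also removes an out-of-bounds read on an unexpected attribute value; that is worth stating in the commit message so the change is picked up as a fix and not only as a cleanup.
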
@@ -1208,7 +1216,7 @@ static void macsec_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
 		print_string(PRINT_ANY,
 			     "validation",
 			     "validate %s ",
-			     validate_str[val]);
+			     validate_to_str(val));
 	}
 
 	const char *inc_sci, *es, *replay;
-- 
2.24.1



* Re: [PATCH iproute2-next v2 0/4] macsec: add offloading support
  2020-03-03 10:36 [PATCH iproute2-next v2 0/4] macsec: add offloading support Antoine Tenart
                   ` (3 preceding siblings ...)
  2020-03-03 10:36 ` [PATCH iproute2-next v2 4/4] macsec: add an accessor for validate_str Antoine Tenart
@ 2020-03-04 20:00 ` David Ahern
  4 siblings, 0 replies; 6+ messages in thread
From: David Ahern @ 2020-03-04 20:00 UTC (permalink / raw)
  To: Antoine Tenart, sd; +Cc: netdev

On 3/3/20 3:36 AM, Antoine Tenart wrote:
> Hello,
> 
> This series adds support for selecting and reporting the offloading mode
> of a MACsec interface. Available modes are for now 'off' and 'phy',
> 'off' being the default when an interface is created. Modes are not only
> 'off' and 'on' as the MACsec operations can be offloaded to multiple
> kinds of specialized hardware devices, at least to PHYs and Ethernet
> MACs. The latter isn't currently supported in the kernel though.
> 
> The first patch adds support for reporting the offloading mode currently
> selected for a given MACsec interface through the `ip macsec show`
> command:
> 
>    # ip macsec show
>    18: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
>        cipher suite: GCM-AES-128, using ICV length 16
>        TXSC: 3e5035b67c860001 on SA 0
>            0: PN 1, state on, key 00000000000000000000000000000000
>        RXSC: b4969112700f0001, state on
>            0: PN 1, state on, key 01000000000000000000000000000000
> ->     offload: phy
>    19: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
>        cipher suite: GCM-AES-128, using ICV length 16
>        TXSC: 3e5035b67c880001 on SA 0
>            1: PN 1, state on, key 00000000000000000000000000000000
>        RXSC: b4969112700f0001, state on
>            1: PN 1, state on, key 01000000000000000000000000000000
> ->     offload: off
> 
> The second patch allows a user to change the offloading mode at runtime
> through a new subcommand, `ip macsec offload`:
> 
>   # ip macsec offload macsec0 phy
>   # ip macsec offload macsec0 off
> 
> If a mode isn't supported, `ip macsec offload` will report an issue
> (-EOPNOTSUPP).
> 
> Giving the offloading mode when a macsec interface is created was
> discussed; it is not implemented in this series. It could come later
> on, when needed, as we'll still want to support updating the offloading
> mode at runtime (what's implemented in this series).
> 

applied to iproute2-next. Thanks


