mbox series

[0/3] security: support MACsec

Message ID 20220814184620.512343-1-gakhil@marvell.com (mailing list archive)
Series security: support MACsec |


Akhil Goyal Aug. 14, 2022, 6:46 p.m. UTC
  Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it can have 3 different entities - SECY Entity, SC(secure channel) and
SA(security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create(for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action similar to IPsec flows except that the flow item
will be MACsec instead of IPsec.

A new flow item is added for MACsec header and a set of events are added
to specify the errors occurred during inline protocol processing.

New APIs are also created for getting SC and SA stats.

Akhil Goyal (3):
  net: add MACsec header
  security: support MACsec
  ethdev: add MACsec flow item

 doc/api/doxy-api-index.md              |   3 +-
 doc/guides/prog_guide/rte_security.rst | 107 +++++++-
 lib/ethdev/rte_ethdev.h                |  55 ++++
 lib/ethdev/rte_flow.h                  |  18 ++
 lib/net/meson.build                    |   1 +
 lib/net/rte_macsec.h                   |  56 ++++
 lib/security/rte_security.c            |  86 ++++++
 lib/security/rte_security.h            | 362 ++++++++++++++++++++++++-
 lib/security/rte_security_driver.h     |  86 ++++++
 lib/security/version.map               |   6 +
 10 files changed, 766 insertions(+), 14 deletions(-)
 create mode 100644 lib/net/rte_macsec.h