diff mbox series

[3/3] ethdev: add MACsec flow item

Message ID 20220814184620.512343-4-gakhil@marvell.com (mailing list archive)
State Superseded
Delegated to: Thomas Monjalon
Headers show
Series security: support MACsec | expand

Checks

Context Check Description
ci/intel-Testing success Testing PASS
ci/iol-aarch64-compile-testing success Testing PASS
ci/iol-x86_64-unit-testing fail Testing issues
ci/iol-x86_64-compile-testing fail Testing issues
ci/iol-aarch64-unit-testing success Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/github-robot: build success github build: passed
ci/Intel-compilation fail Compilation issues
ci/checkpatch success coding style OK

Commit Message

Akhil Goyal Aug. 14, 2022, 6:46 p.m. UTC
A new flow item is defined for MACsec flows which can be
offloaded to an inline device. If the flow matches with
MACsec header, device will process as per the security
session created using rte_security APIs.
If an error comes while MACsec processing in HW, PMD will
notify with the events defined in this patch.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 lib/ethdev/rte_ethdev.h | 55 +++++++++++++++++++++++++++++++++++++++++
 lib/ethdev/rte_flow.h   | 18 ++++++++++++++
 2 files changed, 73 insertions(+)

Comments

Ori Kam Aug. 15, 2022, 12:49 p.m. UTC | #1
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Sunday, 14 August 2022 21:46
> 
> A new flow item is defined for MACsec flows which can be
> offloaded to an inline device. If the flow matches with
> MACsec header, device will process as per the security
> session created using rte_security APIs.
> If an error comes while MACsec processing in HW, PMD will
> notify with the events defined in this patch.
> 
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
>  lib/ethdev/rte_ethdev.h | 55
> +++++++++++++++++++++++++++++++++++++++++
>  lib/ethdev/rte_flow.h   | 18 ++++++++++++++
>  2 files changed, 73 insertions(+)
> 
> diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h
> index de9e970d4d..24661b01e9 100644
> --- a/lib/ethdev/rte_ethdev.h
> +++ b/lib/ethdev/rte_ethdev.h
> @@ -3864,6 +3864,61 @@ rte_eth_tx_buffer_count_callback(struct
> rte_mbuf **pkts, uint16_t unsent,
>  int
>  rte_eth_tx_done_cleanup(uint16_t port_id, uint16_t queue_id, uint32_t
> free_cnt);
> 
> +/**
> + * Subtypes for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC)
> raised by
> + * Ethernet device.
> + */
> +enum rte_eth_macsec_event_subtype {
> +	RTE_ETH_MACSEC_SUBEVENT_UNKNOWN,
> +	/* subevents of RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR sectag
> validation events
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_V_EQ1
> +	 *	Validation check: SecTag.TCI.V = 1
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_E_EQ0_C_EQ1
> +	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SL_GTE48
> +	 *	Validation check: SecTag.SL >= 'd48
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
> +	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
> +	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
> +	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
> +	 */
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_V_EQ1,
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_E_EQ0_C_EQ1,
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SL_GTE48,
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
> +	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
> +};
> +
> +enum rte_eth_macsec_event_type {
> +	RTE_ETH_MACSEC_EVENT_UNKNOWN,
> +	RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR,
> +	RTE_ETH_MACSEC_EVENT_RX_SA_PN_HARD_EXP,
> +	RTE_ETH_MACSEC_EVENT_RX_SA_PN_SOFT_EXP,
> +	RTE_ETH_MACSEC_EVENT_TX_SA_PN_HARD_EXP,
> +	RTE_ETH_MACSEC_EVENT_TX_SA_PN_SOFT_EXP,
> +	/* Notifies Invalid SA event */
> +	RTE_ETH_MACSEC_EVENT_SA_NOT_VALID,
> +};
> +
> +/**
> + * Descriptor for @ref RTE_ETH_EVENT_MACSEC event. Used by eth dev to
> send extra
> + * information of the MACsec offload event.
> + */
> +struct rte_eth_event_macsec_desc {
> +	enum rte_eth_macsec_event_type type;
> +	enum rte_eth_macsec_event_subtype subtype;
> +	/**
> +	 * Event specific metadata.
> +	 *
> +	 * For the following events, *userdata* registered
> +	 * with the *rte_security_session* would be returned
> +	 * as metadata,
> +	 *
> +	 * @see struct rte_security_session_conf
> +	 */
> +	uint64_t metadata;
> +};
> +
>  /**
>   * Subtypes for IPsec offload event(@ref RTE_ETH_EVENT_IPSEC) raised by
>   * eth device.
> diff --git a/lib/ethdev/rte_flow.h b/lib/ethdev/rte_flow.h
> index a79f1e7ef0..4114c84a02 100644
> --- a/lib/ethdev/rte_flow.h
> +++ b/lib/ethdev/rte_flow.h
> @@ -35,6 +35,7 @@
>  #include <rte_l2tpv2.h>
>  #include <rte_ppp.h>
>  #include <rte_gre.h>
> +#include <rte_macsec.h>
> 
>  #ifdef __cplusplus
>  extern "C" {
> @@ -668,6 +669,13 @@ enum rte_flow_item_type {
>  	 * See struct rte_flow_item_gre_opt.
>  	 */
>  	RTE_FLOW_ITEM_TYPE_GRE_OPTION,
> +
> +	/**
> +	 * Matches MACsec Ethernet Header.
> +	 *
> +	 * See struct rte_flow_item_macsec.
> +	 */
> +	RTE_FLOW_ITEM_TYPE_MACSEC,
>  };
> 
>  /**
> @@ -1214,6 +1222,16 @@ struct rte_flow_item_gre_opt {
>  	struct rte_gre_hdr_opt_sequence sequence;
>  };
> 
> +/**
> + * RTE_FLOW_ITEM_TYPE_MACSEC.
> + *
> + * Matches MACsec header.
> + */
> +struct rte_flow_item_macsec {
> +	struct rte_macsec_hdr macsec_hdr;
> +};
> +
> +
>  /**
>   * RTE_FLOW_ITEM_TYPE_FUZZY
>   *
> --
> 2.25.1

Acked-by: Ori Kam <orika@nvidia.com>
Best,
Ori
diff mbox series

Patch

diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h
index de9e970d4d..24661b01e9 100644
--- a/lib/ethdev/rte_ethdev.h
+++ b/lib/ethdev/rte_ethdev.h
@@ -3864,6 +3864,61 @@  rte_eth_tx_buffer_count_callback(struct rte_mbuf **pkts, uint16_t unsent,
 int
 rte_eth_tx_done_cleanup(uint16_t port_id, uint16_t queue_id, uint32_t free_cnt);
 
+/**
+ * Subtypes for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC) raised by
+ * Ethernet device.
+ */
+enum rte_eth_macsec_event_subtype {
+	RTE_ETH_MACSEC_SUBEVENT_UNKNOWN,
+	/* subevents of RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR sectag validation events
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_V_EQ1
+	 *	Validation check: SecTag.TCI.V = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+	 *	Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SL_GTE48
+	 *	Validation check: SecTag.SL >= 'd48
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+	 *	Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+	 * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+	 *	Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+	 */
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_V_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_E_EQ0_C_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SL_GTE48,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+	RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+};
+
+enum rte_eth_macsec_event_type {
+	RTE_ETH_MACSEC_EVENT_UNKNOWN,
+	RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR,
+	RTE_ETH_MACSEC_EVENT_RX_SA_PN_HARD_EXP,
+	RTE_ETH_MACSEC_EVENT_RX_SA_PN_SOFT_EXP,
+	RTE_ETH_MACSEC_EVENT_TX_SA_PN_HARD_EXP,
+	RTE_ETH_MACSEC_EVENT_TX_SA_PN_SOFT_EXP,
+	/* Notifies Invalid SA event */
+	RTE_ETH_MACSEC_EVENT_SA_NOT_VALID,
+};
+
+/**
+ * Descriptor for @ref RTE_ETH_EVENT_MACSEC event. Used by eth dev to send extra
+ * information of the MACsec offload event.
+ */
+struct rte_eth_event_macsec_desc {
+	enum rte_eth_macsec_event_type type;
+	enum rte_eth_macsec_event_subtype subtype;
+	/**
+	 * Event specific metadata.
+	 *
+	 * For the following events, *userdata* registered
+	 * with the *rte_security_session* would be returned
+	 * as metadata,
+	 *
+	 * @see struct rte_security_session_conf
+	 */
+	uint64_t metadata;
+};
+
 /**
  * Subtypes for IPsec offload event(@ref RTE_ETH_EVENT_IPSEC) raised by
  * eth device.
diff --git a/lib/ethdev/rte_flow.h b/lib/ethdev/rte_flow.h
index a79f1e7ef0..4114c84a02 100644
--- a/lib/ethdev/rte_flow.h
+++ b/lib/ethdev/rte_flow.h
@@ -35,6 +35,7 @@ 
 #include <rte_l2tpv2.h>
 #include <rte_ppp.h>
 #include <rte_gre.h>
+#include <rte_macsec.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -668,6 +669,13 @@  enum rte_flow_item_type {
 	 * See struct rte_flow_item_gre_opt.
 	 */
 	RTE_FLOW_ITEM_TYPE_GRE_OPTION,
+
+	/**
+	 * Matches MACsec Ethernet Header.
+	 *
+	 * See struct rte_flow_item_macsec.
+	 */
+	RTE_FLOW_ITEM_TYPE_MACSEC,
 };
 
 /**
@@ -1214,6 +1222,16 @@  struct rte_flow_item_gre_opt {
 	struct rte_gre_hdr_opt_sequence sequence;
 };
 
+/**
+ * RTE_FLOW_ITEM_TYPE_MACSEC.
+ *
+ * Matches MACsec header.
+ */
+struct rte_flow_item_macsec {
+	struct rte_macsec_hdr macsec_hdr;
+};
+
+
 /**
  * RTE_FLOW_ITEM_TYPE_FUZZY
  *