[3/3] ethdev: add MACsec flow item
Commit Message
A new flow item is defined for MACsec flows which can be
offloaded to an inline device. If a flow matches the
MACsec header, the device will process it as per the security
session created using the rte_security APIs.
If an error occurs during MACsec processing in HW, the PMD will
notify the application using the events defined in this patch.
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
lib/ethdev/rte_ethdev.h | 55 +++++++++++++++++++++++++++++++++++++++++
lib/ethdev/rte_flow.h | 18 ++++++++++++++
2 files changed, 73 insertions(+)
Comments
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Sunday, 14 August 2022 21:46
>
> A new flow item is defined for MACsec flows which can be
> offloaded to an inline device. If the flow matches with
> MACsec header, device will process as per the security
> session created using rte_security APIs.
> If an error comes while MACsec processing in HW, PMD will
> notify with the events defined in this patch.
>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
> lib/ethdev/rte_ethdev.h | 55
> +++++++++++++++++++++++++++++++++++++++++
> lib/ethdev/rte_flow.h | 18 ++++++++++++++
> 2 files changed, 73 insertions(+)
>
> diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h
> index de9e970d4d..24661b01e9 100644
> --- a/lib/ethdev/rte_ethdev.h
> +++ b/lib/ethdev/rte_ethdev.h
> @@ -3864,6 +3864,61 @@ rte_eth_tx_buffer_count_callback(struct
> rte_mbuf **pkts, uint16_t unsent,
> int
> rte_eth_tx_done_cleanup(uint16_t port_id, uint16_t queue_id, uint32_t
> free_cnt);
>
> +/**
> + * Subtypes for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC)
> raised by
> + * Ethernet device.
> + */
> +enum rte_eth_macsec_event_subtype {
> + RTE_ETH_MACSEC_SUBEVENT_UNKNOWN,
> + /* subevents of RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR sectag
> validation events
> + * RTE_ETH_MACSEC_EVENT_RX_SECTAG_V_EQ1
> + * Validation check: SecTag.TCI.V = 1
> + * RTE_ETH_MACSEC_EVENT_RX_SECTAG_E_EQ0_C_EQ1
> + * Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
> + * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SL_GTE48
> + * Validation check: SecTag.SL >= 'd48
> + * RTE_ETH_MACSEC_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
> + * Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
> + * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
> + * Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
> + */
> + RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_V_EQ1,
> + RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_E_EQ0_C_EQ1,
> + RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SL_GTE48,
> + RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
> + RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
> +};
> +
> +enum rte_eth_macsec_event_type {
> + RTE_ETH_MACSEC_EVENT_UNKNOWN,
> + RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR,
> + RTE_ETH_MACSEC_EVENT_RX_SA_PN_HARD_EXP,
> + RTE_ETH_MACSEC_EVENT_RX_SA_PN_SOFT_EXP,
> + RTE_ETH_MACSEC_EVENT_TX_SA_PN_HARD_EXP,
> + RTE_ETH_MACSEC_EVENT_TX_SA_PN_SOFT_EXP,
> + /* Notifies Invalid SA event */
> + RTE_ETH_MACSEC_EVENT_SA_NOT_VALID,
> +};
> +
> +/**
> + * Descriptor for @ref RTE_ETH_EVENT_MACSEC event. Used by eth dev to
> send extra
> + * information of the MACsec offload event.
> + */
> +struct rte_eth_event_macsec_desc {
> + enum rte_eth_macsec_event_type type;
> + enum rte_eth_macsec_event_subtype subtype;
> + /**
> + * Event specific metadata.
> + *
> + * For the following events, *userdata* registered
> + * with the *rte_security_session* would be returned
> + * as metadata,
> + *
> + * @see struct rte_security_session_conf
> + */
> + uint64_t metadata;
> +};
> +
> /**
> * Subtypes for IPsec offload event(@ref RTE_ETH_EVENT_IPSEC) raised by
> * eth device.
> diff --git a/lib/ethdev/rte_flow.h b/lib/ethdev/rte_flow.h
> index a79f1e7ef0..4114c84a02 100644
> --- a/lib/ethdev/rte_flow.h
> +++ b/lib/ethdev/rte_flow.h
> @@ -35,6 +35,7 @@
> #include <rte_l2tpv2.h>
> #include <rte_ppp.h>
> #include <rte_gre.h>
> +#include <rte_macsec.h>
>
> #ifdef __cplusplus
> extern "C" {
> @@ -668,6 +669,13 @@ enum rte_flow_item_type {
> * See struct rte_flow_item_gre_opt.
> */
> RTE_FLOW_ITEM_TYPE_GRE_OPTION,
> +
> + /**
> + * Matches MACsec Ethernet Header.
> + *
> + * See struct rte_flow_item_macsec.
> + */
> + RTE_FLOW_ITEM_TYPE_MACSEC,
> };
>
> /**
> @@ -1214,6 +1222,16 @@ struct rte_flow_item_gre_opt {
> struct rte_gre_hdr_opt_sequence sequence;
> };
>
> +/**
> + * RTE_FLOW_ITEM_TYPE_MACSEC.
> + *
> + * Matches MACsec header.
> + */
> +struct rte_flow_item_macsec {
> + struct rte_macsec_hdr macsec_hdr;
> +};
> +
> +
> /**
> * RTE_FLOW_ITEM_TYPE_FUZZY
> *
> --
> 2.25.1
Acked-by: Ori Kam <orika@nvidia.com>
Best,
Ori
@@ -3864,6 +3864,61 @@ rte_eth_tx_buffer_count_callback(struct rte_mbuf **pkts, uint16_t unsent,
int
rte_eth_tx_done_cleanup(uint16_t port_id, uint16_t queue_id, uint32_t free_cnt);
+/**
+ * Subtypes for MACsec offload event(@ref RTE_ETH_EVENT_MACSEC) raised by
+ * Ethernet device.
+ */
+enum rte_eth_macsec_event_subtype {
+ RTE_ETH_MACSEC_SUBEVENT_UNKNOWN,
+ /* subevents of RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR sectag validation events
+ * RTE_ETH_MACSEC_EVENT_RX_SECTAG_V_EQ1
+ * Validation check: SecTag.TCI.V = 1
+ * RTE_ETH_MACSEC_EVENT_RX_SECTAG_E_EQ0_C_EQ1
+ * Validation check: SecTag.TCI.E = 0 && SecTag.TCI.C = 1
+ * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SL_GTE48
+ * Validation check: SecTag.SL >= 'd48
+ * RTE_ETH_MACSEC_EVENT_RX_SECTAG_ES_EQ1_SC_EQ1
+ * Validation check: SecTag.TCI.ES = 1 && SecTag.TCI.SC = 1
+ * RTE_ETH_MACSEC_EVENT_RX_SECTAG_SC_EQ1_SCB_EQ1
+ * Validation check: SecTag.TCI.SC = 1 && SecTag.TCI.SCB = 1
+ */
+ RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_V_EQ1,
+ RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_E_EQ0_C_EQ1,
+ RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SL_GTE48,
+ RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_ES_EQ1_SC_EQ1,
+ RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_SC_EQ1_SCB_EQ1,
+};
+
+enum rte_eth_macsec_event_type {
+ RTE_ETH_MACSEC_EVENT_UNKNOWN,
+ RTE_ETH_MACSEC_EVENT_SECTAG_VAL_ERR,
+ RTE_ETH_MACSEC_EVENT_RX_SA_PN_HARD_EXP,
+ RTE_ETH_MACSEC_EVENT_RX_SA_PN_SOFT_EXP,
+ RTE_ETH_MACSEC_EVENT_TX_SA_PN_HARD_EXP,
+ RTE_ETH_MACSEC_EVENT_TX_SA_PN_SOFT_EXP,
+ /* Notifies Invalid SA event */
+ RTE_ETH_MACSEC_EVENT_SA_NOT_VALID,
+};
+
+/**
+ * Descriptor for @ref RTE_ETH_EVENT_MACSEC event. Used by eth dev to send extra
+ * information of the MACsec offload event.
+ */
+struct rte_eth_event_macsec_desc {
+ enum rte_eth_macsec_event_type type;
+ enum rte_eth_macsec_event_subtype subtype;
+ /**
+ * Event specific metadata.
+ *
+ * For the following events, *userdata* registered
+ * with the *rte_security_session* would be returned
+ * as metadata,
+ *
+ * @see struct rte_security_session_conf
+ */
+ uint64_t metadata;
+};
+
/**
* Subtypes for IPsec offload event(@ref RTE_ETH_EVENT_IPSEC) raised by
* eth device.
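Review bot: The comment inside `enum rte_eth_macsec_event_subtype` lists names spelled `RTE_ETH_MACSEC_EVENT_RX_SECTAG_*`, while the enumerators added right below it are `RTE_ETH_MACSEC_SUBEVENT_RX_SECTAG_*`, so the documentation names identifiers this hunk does not define; the comment should use the `SUBEVENT` spelling. In `struct rte_eth_event_macsec_desc`, the `metadata` comment says "For the following events" and then lists none, so it should either name the events or read `For all MACsec events, ...` if that is the intent. `enum rte_eth_macsec_event_type` has no Doxygen block and only one enumerator is commented; the four `*_SA_PN_HARD_EXP` / `*_SA_PN_SOFT_EXP` values are presumably packet-number expiry thresholds an application would rekey on, and each should get a one-line `/**< ... */` saying when it is raised and whether the SA is still usable afterwards. `RTE_ETH_EVENT_MACSEC` is referenced by `@ref` but not added in this hunk, so confirm it is defined elsewhere in the series.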
@@ -35,6 +35,7 @@
#include <rte_l2tpv2.h>
#include <rte_ppp.h>
#include <rte_gre.h>
+#include <rte_macsec.h>
#ifdef __cplusplus
extern "C" {
@@ -668,6 +669,13 @@ enum rte_flow_item_type {
* See struct rte_flow_item_gre_opt.
*/
RTE_FLOW_ITEM_TYPE_GRE_OPTION,
+
+ /**
+ * Matches MACsec Ethernet Header.
+ *
+ * See struct rte_flow_item_macsec.
+ */
+ RTE_FLOW_ITEM_TYPE_MACSEC,
};
/**
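Review bot: `RTE_FLOW_ITEM_TYPE_MACSEC` is added to `enum rte_flow_item_type` here, but the diffstat for this patch lists only `rte_ethdev.h` and `rte_flow.h`, so nothing outside the headers learns about the new item. If the library keeps a per-item descriptor (name and spec size) for `rte_flow_conv()`, it presumably needs a matching entry, otherwise a copied pattern may drop the MACsec spec and mask. The enum body starts outside the hunk; appending after `RTE_FLOW_ITEM_TYPE_GRE_OPTION` keeps existing values stable.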
@@ -1214,6 +1222,16 @@ struct rte_flow_item_gre_opt {
struct rte_gre_hdr_opt_sequence sequence;
};
+/**
+ * RTE_FLOW_ITEM_TYPE_MACSEC.
+ *
+ * Matches MACsec header.
+ */
+struct rte_flow_item_macsec {
+ struct rte_macsec_hdr macsec_hdr;
+};
+
+
/**
* RTE_FLOW_ITEM_TYPE_FUZZY
*
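Review bot: The Doxygen block on `struct rte_flow_item_macsec` says only "Matches MACsec header" and does not say which `macsec_hdr` fields a spec/mask pair may match on, or how the item relates to the rte_security session mentioned in the commit message. A sentence such as `Matching packets are processed as per the security session created using rte_security APIs.` would help, worded to whatever the intended contract is. The hunk also adds two consecutive blank lines after the closing `};`, where the neighbouring definitions use one.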