diff mbox series

[v2,3/3] security: support MACsec

Message ID 20220928122253.23108-4-gakhil@marvell.com (mailing list archive)
State Superseded, archived
Delegated to: Thomas Monjalon
Headers show
Series security: support MACsec | expand

Checks

Context Check Description
ci/Intel-compilation warning apply issues
ci/checkpatch warning coding style issues

Commit Message

Akhil Goyal Sept. 28, 2022, 12:22 p.m. UTC
Added support for MACsec in rte_security for offloading
MACsec Protocol operation to inline NIC device or a crypto device.

To support MACsec we cannot just make one security session and
send with the packet to process it. MACsec specifications suggest,
it has 3 different entities - SECY Entity, SC(secure channel) and
SA(security association). And same SA can be used by multiple SCs and
similarly many SECY can have same SCs. Hence, in order to support this
many to one relationships between all entities, 2 new APIs are created -
rte_security_macsec_sc_create and rte_security_macsec_sa_create.
Flow of execution of the APIs would be as
- rte_security_macsec_sa_create
- rte_security_macsec_sc_create
- rte_security_session_create(for secy)
And in case of inline protocol processing rte_flow can be created with
rte_security action. A new flow item will be added for MACsec header.
New APIs are also created for getting SC and SA stats.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 doc/guides/prog_guide/rte_security.rst | 107 ++++++-
 doc/guides/rel_notes/deprecation.rst   |   5 -
 doc/guides/rel_notes/release_22_11.rst |  10 +
 lib/security/rte_security.c            |  86 ++++++
 lib/security/rte_security.h            | 370 ++++++++++++++++++++++++-
 lib/security/rte_security_driver.h     |  86 ++++++
 lib/security/version.map               |   6 +
 7 files changed, 652 insertions(+), 18 deletions(-)
diff mbox series

Patch

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index 277169a335..62e7b8d72e 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -347,6 +347,55 @@  The CRC is Ethernet CRC-32 as specified in Ethernet/[ISO/IEC 8802-3].
     * Other DOCSIS protocol functionality such as Header Checksum (HCS)
       calculation may be added in the future.
 
+MACSEC Protocol
+~~~~~~~~~~~~~~~
+
+Media Access Control security (MACsec) provides point-to-point security on Ethernet
+links and is defined by IEEE standard 802.1AE. MACsec secures an Ethernet link for
+almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP),
+Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP),
+Address Resolution Protocol (ARP), and other protocols that are not typically secured
+on an Ethernet link because of limitations with other security solutions.
+
+.. code-block:: c
+
+             Receive                                                Transmit
+             -------                                                --------
+
+         Ethernet frame                                          Ethernet frame
+         from  network                                           towards network
+                |                                                      ^
+                ~                                                      |
+                |                                                      ~
+                V                                                      |
+    +-----------------------+      +------------------+      +-------------------------+
+    | Secure frame verify   |      | Cipher Suite(SA) |      | Secure Frame Generation |
+    +-----------------------+<-----+------------------+----->+-------------------------+
+    | SecTAG + ICV remove   |      |  SECY   |   SC   |      | SecTAG + ICV Added      |
+    +---+-------------------+      +------------------+      +-------------------------+
+                |                                                      ^
+                |                                                      |
+                V                                                      |
+        Packet to Core/App                                     Packet from core/App
+
+
+
+To configure MACsec on an inline NIC device or a lookaside crypto device, a security
+association(SA) and a secure channel(SC) are created before creating rte_security
+session.
+
+SA is created using API ``rte_security_macsec_sa_create`` which allows setting
+SA keys, salt, SSCI, packet number(PN) into the PMD and the API returns a handle
+which can be used to map it with a secure channel using the API
+``rte_security_macsec_sc_create``. Same SAs can be used for multiple SCs.
+The Rx SC will need a set of 4 SAs for each of the association numbers(AN).
+For Tx SC a single SA is set which will be used by hardware to process the packet.
+
+The API ``rte_security_macsec_sc_create`` returns a handle for SC and this handle
+is set in ``rte_security_macsec_xform`` to create a MACsec session using
+``rte_security_session_create``.
+
+
 Device Features and Capabilities
 ---------------------------------
 
@@ -519,6 +568,35 @@  protocol.
         RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
     };
 
+Below is the example PMD capability for MACsec
+
+.. code-block:: c
+
+    static const struct rte_security_capability pmd_security_capabilities[] = {
+        {
+                .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
+                .protocol = RTE_SECURITY_PROTOCOL_MACSEC,
+                .macsec = {
+                        .mtu = 1500,
+                        .alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+                        .max_nb_sc = 64,
+                        .max_nb_sa = 128,
+                        .max_nb_sess = 64,
+                        .replay_win_sz = 4096,
+                        .relative_sectag_insert = 1,
+                        .fixed_sectag_insert = 1,
+                        .icv_include_da_sa = 1,
+                        .ctrl_port_enable = 1,
+                        .preserve_sectag = 1,
+                        .preserve_icv = 1,
+                        .validate_frames = 1,
+                        .re_key = 1,
+                        .anti_replay = 1,
+                },
+                .crypto_capabilities = NULL,
+        },
+    };
+
 Capabilities Discovery
 ~~~~~~~~~~~~~~~~~~~~~~
 
@@ -658,6 +736,8 @@  which will be updated in the future.
 
 IPsec related configuration parameters are defined in ``rte_security_ipsec_xform``
 
+MACsec related configuration parameters are defined in ``rte_security_macsec_xform``
+
 PDCP related configuration parameters are defined in ``rte_security_pdcp_xform``
 
 DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform``
@@ -679,7 +759,7 @@  The ingress/egress flow attribute should match that specified in the security
 session if the security session supports the definition of the direction.
 
 Multiple flows can be configured to use the same security session. For
-example if the security session specifies an egress IPsec SA, then multiple
+example if the security session specifies an egress IPsec/MACsec SA, then multiple
 flows can be specified to that SA. In the case of an ingress IPsec SA then
 it is only valid to have a single flow to map to that security session.
 
@@ -689,8 +769,8 @@  it is only valid to have a single flow to map to that security session.
                  |
         +--------|--------+
         |    Add/Remove   |
-        |     IPsec SA    |   <------ Build security flow action of
-        |        |        |           ipsec transform
+        | IPsec/MACsec SA |   <------ Build security flow action of
+        |        |        |           IPsec/MACsec transform
         |--------|--------|
                  |
         +--------V--------+
@@ -709,9 +789,9 @@  it is only valid to have a single flow to map to that security session.
         |                 |
         +--------|--------+
 
-* Add/Delete SA flow:
+* Add/Delete IPsec SA flow:
   To add a new inline SA construct a rte_flow_item for Ethernet + IP + ESP
-  using the SA selectors and the ``rte_crypto_ipsec_xform`` as the ``rte_flow_action``.
+  using the SA selectors and the ``rte_security_ipsec_xform`` as the ``rte_flow_action``.
   Note that any rte_flow_items may be empty, which means it is not checked.
 
 .. code-block:: console
@@ -726,6 +806,23 @@  it is only valid to have a single flow to map to that security session.
         |  Eth  | ->  ... -> |   ESP  | -> | END |
         +-------+            +--------+    +-----+
 
+* Add/Delete MACsec SA flow:
+  To add a new inline SA construct a rte_flow_item for Ethernet + SecTAG
+  using the SA selectors and the ``rte_security_macsec_xform`` as the ``rte_flow_action``.
+  Note that any rte_flow_items may be empty, which means it is not checked.
+
+.. code-block:: console
+
+    In its most basic form, MACsec flow specification is as follows:
+        +-------+     +----------+     +-----+
+        |  Eth  | ->  |  SecTag  |  -> | END |
+        +-------+     +----------+     +-----+
+
+    However, the API can represent, MACsec offload with any encapsulation:
+        +-------+            +--------+    +-----+
+        |  Eth  | ->  ... -> | SecTag | -> | END |
+        +-------+            +--------+    +-----+
+
 
 Telemetry support
 -----------------
diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst
index e83bc648fc..3915644501 100644
--- a/doc/guides/rel_notes/deprecation.rst
+++ b/doc/guides/rel_notes/deprecation.rst
@@ -151,11 +151,6 @@  Deprecation Notices
   pointer for the private data to the application which can be attached
   to the packet while enqueuing.
 
-* security: MACsec support is planned to be added in DPDK 22.11,
-  which would result in updates to structures ``rte_security_macsec_xform``,
-  ``rte_security_macsec_stats`` and security capability structure
-  ``rte_security_capability`` to accommodate MACsec capabilities.
-
 * eventdev: The function ``rte_event_crypto_adapter_queue_pair_add`` will
   accept configuration of type ``rte_event_crypto_adapter_queue_conf`` instead
   of ``rte_event``, similar to ``rte_event_eth_rx_adapter_queue_add`` signature.
diff --git a/doc/guides/rel_notes/release_22_11.rst b/doc/guides/rel_notes/release_22_11.rst
index 510485017d..701d25ffda 100644
--- a/doc/guides/rel_notes/release_22_11.rst
+++ b/doc/guides/rel_notes/release_22_11.rst
@@ -72,6 +72,11 @@  New Features
   * Added AES-CCM support in lookaside protocol (IPsec) for CN9K & CN10K.
   * Added AES & DES DOCSIS algorithm support in lookaside crypto for CN9K.
 
+* **Added support for MACsec in rte_security.**
+
+  * Added MACsec transform for rte_security session and added new APIs to configure
+    security associations(SA) and secure channels(SC).
+
 * **Added eventdev adapter instance get API.**
 
   * Added ``rte_event_eth_rx_adapter_instance_get`` to get Rx adapter
@@ -209,6 +214,11 @@  API Changes
 * ethdev: Promoted ``rte_flow_pick_transfer_proxy()``
   from experimental to stable.
 
+* security: MACsec support is added which resulted in updates to
+  structures ``rte_security_macsec_xform``, ``rte_security_macsec_stats``
+  and security capability structure ``rte_security_capability`` to
+  accommodate MACsec capabilities.
+
 * telemetry: The allowed characters in names for dictionary values
   are now limited to alphanumeric characters and a small subset of additional
   printable characters.
diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c
index 22d6269d93..f0bbc9d147 100644
--- a/lib/security/rte_security.c
+++ b/lib/security/rte_security.c
@@ -124,6 +124,92 @@  rte_security_session_destroy(struct rte_security_ctx *instance,
 	return 0;
 }
 
+int
+rte_security_macsec_sc_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sc *conf)
+{
+	int sc_id;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_create, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
+	sc_id = instance->ops->macsec_sc_create(instance->device, conf);
+	if (sc_id >= 0)
+		instance->macsec_sc_cnt++;
+
+	return sc_id;
+}
+
+int
+rte_security_macsec_sa_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sa *conf)
+{
+	int sa_id;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_create, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(conf, -EINVAL);
+
+	sa_id = instance->ops->macsec_sa_create(instance->device, conf);
+	if (sa_id >= 0)
+		instance->macsec_sa_cnt++;
+
+	return sa_id;
+}
+
+int
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id)
+{
+	int ret;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP);
+
+	ret = instance->ops->macsec_sc_destroy(instance->device, sc_id);
+	if (ret != 0)
+		return ret;
+
+	if (instance->macsec_sc_cnt)
+		instance->macsec_sc_cnt--;
+
+	return 0;
+}
+
+int
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id)
+{
+	int ret;
+
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP);
+
+	ret = instance->ops->macsec_sa_destroy(instance->device, sa_id);
+	if (ret != 0)
+		return ret;
+
+	if (instance->macsec_sa_cnt)
+		instance->macsec_sa_cnt--;
+
+	return 0;
+}
+
+int
+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id,
+			         struct rte_security_macsec_sc_stats *stats)
+{
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
+	return instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats);
+}
+
+int
+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id,
+			         struct rte_security_macsec_sa_stats *stats)
+{
+	RTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP);
+	RTE_PTR_OR_ERR_RET(stats, -EINVAL);
+
+	return instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats);
+}
+
 int
 __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
 				struct rte_security_session *sess,
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 3e8cd29082..74fe3ef5d7 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -73,6 +73,10 @@  struct rte_security_ctx {
 	/**< Pointer to security ops for the device */
 	uint16_t sess_cnt;
 	/**< Number of sessions attached to this context */
+	uint16_t macsec_sc_cnt;
+	/**< Number of MACsec SC attached to this context */
+	uint16_t macsec_sa_cnt;
+	/**< Number of MACsec SA attached to this context */
 	uint32_t flags;
 	/**< Flags for security context */
 };
@@ -351,12 +355,166 @@  struct rte_security_ipsec_xform {
 	/**< UDP parameters, ignored when udp_encap option not specified */
 };
 
+/**
+ * MACSec packet flow direction
+ */
+enum rte_security_macsec_direction {
+	/** Generate SecTag and encrypt/authenticate */
+	RTE_SECURITY_MACSEC_DIR_TX,
+	/** Remove SecTag and decrypt/verify */
+	RTE_SECURITY_MACSEC_DIR_RX,
+};
+
+/** Maximum number of association numbers for a secure channel. */
+#define RTE_SECURITY_MACSEC_NUM_AN	4
+/** Salt length for MACsec SA. */
+#define RTE_SECURITY_MACSEC_SALT_LEN	12
+
+/**
+ * MACsec secure association(SA) configuration structure.
+ */
+struct rte_security_macsec_sa {
+	/** Direction of SA */
+	enum rte_security_macsec_direction dir;
+	/** MACsec SA key for AES-GCM 128/256 */
+	struct {
+		const uint8_t *data;	/**< pointer to key data */
+		uint16_t length;	/**< key length in bytes */
+	} key;
+	/** 96-bit value distributed by key agreement protocol */
+	uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN];
+	/** Association number to be used */
+	uint8_t an : 2;
+	/** Short Secure Channel Identifier, to be used for XPN cases */
+	uint32_t ssci;
+	/** Extended packet number */
+	uint32_t xpn;
+	/** Packet number expected/ to be used for next packet of this SA */
+	uint32_t next_pn;
+};
+
+/**
+ * MACsec Secure Channel configuration parameters.
+ */
+struct rte_security_macsec_sc {
+	/** Direction of SC */
+	enum rte_security_macsec_direction dir;
+	union {
+		struct {
+			/** SAs for each association number */
+			uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
+			/** flag to denote which all SAs are in use for each association number */
+			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
+			/** Channel is active */
+			uint8_t active : 1;
+			/** Reserved bitfields for future */
+			uint8_t reserved : 7;
+		} sc_rx;
+		struct {
+			uint16_t sa_id; /**< SA id to be used for encryption */
+			uint16_t sa_id_rekey; /**< Rekeying SA id to be used for encryption */
+			uint64_t sci; /**< SCI value to be used if send_sci is set */
+			uint8_t active : 1; /**< Channel is active */
+			uint8_t re_key_en : 1; /**< Enable Rekeying */
+			/** Reserved bitfields for future */
+			uint8_t reserved : 6;
+		} sc_tx;
+	};
+};
+
+/**
+ * MACsec Supported Algorithm list as per IEEE Std 802.1AE
+ */
+enum rte_security_macsec_alg {
+	RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */
+	RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */
+	RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */
+	RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */
+};
+
+/** Disable Validation of MACsec frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE	0
+/** Validate MACsec frame but do not discard invalid frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD	1
+/** Validate MACsec frame and discart invalid frame */
+#define RTE_SECURITY_MACSEC_VALIDATE_STRICT	2
+/** Do not perform any MACsec operation */
+#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP	3
+
 /**
  * MACsec security session configuration
  */
 struct rte_security_macsec_xform {
-	/** To be Filled */
-	int dummy;
+	/** Direction of flow/secure channel */
+	enum rte_security_macsec_direction dir;
+	/** MACsec algorithm to be used */
+	enum rte_security_macsec_alg alg;
+	/** cipher offset from start of ethernet header */
+	uint8_t cipher_off;
+	/**
+	 * SCI to be used for RX flow identification or
+	 * to set SCI in packet for TX when send_sci is set
+	 */
+	uint64_t sci;
+	/** Receive/transmit secure channel id created by *rte_security_macsec_sc_create* */
+	uint16_t sc_id;
+	union {
+		struct {
+			/** MTU for transmit frame (Valid for inline processing) */
+			uint16_t mtu;
+			/**
+			 * Offset to insert sectag from start of ethernet header or
+			 * from a matching VLAN tag
+			 */
+			uint8_t sectag_off;
+			/** Enable MACsec protection of frames */
+			uint16_t protect_frames : 1;
+			/**
+			 * Sectag insertion mode
+			 * If 1, Sectag is inserted at fixed sectag_off set above.
+			 * If 0, Sectag is inserted at relative sectag_off from a matching
+			 * VLAN tag set.
+			 */
+			uint16_t sectag_insert_mode : 1;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port is enabled */
+			uint16_t ctrl_port_enable : 1;
+			/** Version of MACsec header. Should be 0 */
+			uint16_t sectag_version : 1;
+			/** Enable end station. SCI is not valid */
+			uint16_t end_station : 1;
+			/** Send SCI along with sectag */
+			uint16_t send_sci : 1;
+			/** enable secure channel support EPON - single copy broadcast */
+			uint16_t scb : 1;
+			/**
+			 * Enable packet encryption and set RTE_MACSEC_TCI_C and
+			 * RTE_MACSEC_TCI_E in sectag
+			 */
+			uint16_t encrypt : 1;
+			/** Reserved bitfields for future */
+			uint16_t reserved : 7;
+		} tx_secy;
+		struct {
+			/** Replay Window size to be supported */
+			uint32_t replay_win_sz;
+			/** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */
+			uint16_t validate_frames : 2;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port is enabled */
+			uint16_t ctrl_port_enable : 1;
+			/** Do not strip SecTAG after processing */
+			uint16_t preserve_sectag : 1;
+			/** Do not strip ICV from the packet after processing */
+			uint16_t preserve_icv : 1;
+			/** Enable anti-replay protection */
+			uint16_t replay_protect : 1;
+			/** Reserved bitfields for future */
+			uint16_t reserved : 9;
+		} rx_secy;
+	};
 };
 
 /**
@@ -510,7 +668,7 @@  struct rte_security_session_conf {
 	};
 	/**< Configuration parameters for security session */
 	struct rte_crypto_sym_xform *crypto_xform;
-	/**< Security Session Crypto Transformations */
+	/**< Security Session Crypto Transformations. NULL in case of MACsec */
 	void *userdata;
 	/**< Application specific userdata to be saved with session */
 };
@@ -585,6 +743,80 @@  int
 rte_security_session_destroy(struct rte_security_ctx *instance,
 			     struct rte_security_session *sess);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Create MACsec security channel(SC)
+ *
+ * @param   instance	security instance
+ * @param   conf	MACsec SC configuration params
+ * @return
+ *  - secure channel id if successful
+ *  - -EINVAL if configuration params are invalid of instance is NULL.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if PMD is not capable to create more SC.
+ *  - other negative value for other errors.
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sc *conf);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Destroy MACsec security channel(SC)
+ *
+ * @param   instance	security instance
+ * @param   sc_id	SC id to be destroyed
+ * @return
+ *  - 0 if successful
+ *  - -EINVAL if sc_id is invalid or instance is NULL.
+ *  - -EBUSY if sc is being used by some session.
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Create MACsec security association(SA)
+ *
+ * @param   instance	security instance
+ * @param   conf	MACsec SA configuration params
+ * @return
+ *  - positive SA id if successful
+ *  - -EINVAL if configuration params are invalid of instance is NULL.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if PMD is not capable to create more SAs.
+ *  - other negative value for other errors.
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_create(struct rte_security_ctx *instance,
+			      struct rte_security_macsec_sa *conf);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Destroy MACsec security association(SA)
+ *
+ * @param   instance	security instance
+ * @param   sa_id	SA id to be destroyed
+ * @return
+ *  - 0 if successful
+ *  - -EINVAL if sa_id is invalid or instance is NULL.
+ *  - -EBUSY if sa is being used by some session.
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
+
 /** Device-specific metadata field type */
 typedef uint64_t rte_security_dynfield_t;
 /** Dynamic mbuf field for device-specific metadata */
@@ -710,8 +942,62 @@  rte_security_attach_session(struct rte_crypto_op *op,
 	return __rte_security_attach_session(op->sym, sess);
 }
 
-struct rte_security_macsec_stats {
-	uint64_t reserved;
+struct rte_security_macsec_secy_stats {
+	uint64_t ctl_pkt_bcast_cnt;
+	uint64_t ctl_pkt_mcast_cnt;
+	uint64_t ctl_pkt_ucast_cnt;
+	uint64_t ctl_octet_cnt;
+	uint64_t unctl_pkt_bcast_cnt;
+	uint64_t unctl_pkt_mcast_cnt;
+	uint64_t unctl_pkt_ucast_cnt;
+	uint64_t unctl_octet_cnt;
+	/* Valid only for RX */
+	uint64_t octet_decrypted_cnt;
+	uint64_t octet_validated_cnt;
+	uint64_t pkt_port_disabled_cnt;
+	uint64_t pkt_badtag_cnt;
+	uint64_t pkt_nosa_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_tagged_ctl_cnt;
+	uint64_t pkt_untaged_cnt;
+	uint64_t pkt_ctl_cnt;
+	uint64_t pkt_notag_cnt;
+	/* Valid only for TX */
+	uint64_t octet_encrypted_cnt;
+	uint64_t octet_protected_cnt;
+	uint64_t pkt_noactivesa_cnt;
+	uint64_t pkt_toolong_cnt;
+	uint64_t pkt_untagged_cnt;
+};
+
+struct rte_security_macsec_sc_stats {
+	/* RX */
+	uint64_t hit_cnt;
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_late_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_unchecked_cnt;
+	uint64_t pkt_delay_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t octet_decrypt_cnt;
+	uint64_t octet_validate_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
+	uint64_t octet_encrypt_cnt;
+	uint64_t octet_protected_cnt;
+};
+
+struct rte_security_macsec_sa_stats {
+	/* RX */
+	uint64_t pkt_invalid_cnt;
+	uint64_t pkt_nosaerror_cnt;
+	uint64_t pkt_notvalid_cnt;
+	uint64_t pkt_ok_cnt;
+	uint64_t pkt_nosa_cnt;
+	/* TX */
+	uint64_t pkt_encrypt_cnt;
+	uint64_t pkt_protected_cnt;
 };
 
 struct rte_security_ipsec_stats {
@@ -739,7 +1025,7 @@  struct rte_security_stats {
 
 	RTE_STD_C11
 	union {
-		struct rte_security_macsec_stats macsec;
+		struct rte_security_macsec_secy_stats macsec;
 		struct rte_security_ipsec_stats ipsec;
 		struct rte_security_pdcp_stats pdcp;
 		struct rte_security_docsis_stats docsis;
@@ -765,6 +1051,44 @@  rte_security_session_stats_get(struct rte_security_ctx *instance,
 			       struct rte_security_session *sess,
 			       struct rte_security_stats *stats);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get MACsec SA statistics
+ *
+ * @param	instance	security instance
+ * @param	sa_id		SA id for which stats are needed
+ * @param	stats		statistics
+ * @return
+ *  - On success, return 0
+ *  - On failure, a negative value
+ */
+__rte_experimental
+int
+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
+				 uint16_t sa_id,
+				 struct rte_security_macsec_sa_stats *stats);
+
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * Get MACsec SC statistics
+ *
+ * @param	instance	security instance
+ * @param	sc_id		SC id for which stats are needed
+ * @param	stats		SC statistics
+ * @return
+ *  - On success, return 0
+ *  - On failure, a negative value
+ */
+__rte_experimental
+int
+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,
+				 uint16_t sc_id,
+				 struct rte_security_macsec_sc_stats *stats);
+
 /**
  * Security capability definition
  */
@@ -791,8 +1115,38 @@  struct rte_security_capability {
 		} ipsec;
 		/**< IPsec capability */
 		struct {
-			/* To be Filled */
-			int dummy;
+			/** MTU supported for inline TX */
+			uint16_t mtu;
+			/** MACsec algorithm to be used */
+			enum rte_security_macsec_alg alg;
+			/** Maximum number of secure channels supported. */
+			uint16_t max_nb_sc;
+			/** Maximum number of SAs supported. */
+			uint16_t max_nb_sa;
+			/** Maximum number of SAs supported. */
+			uint16_t max_nb_sess;
+			/** MACsec Anti Replay Window Size. */
+			uint32_t replay_win_sz;
+			/** Support Sectag insertion at relative offset. */
+			uint16_t relative_sectag_insert : 1;
+			/** Support Sectag insertion at fixed offset. */
+			uint16_t fixed_sectag_insert : 1;
+			/** ICV includes source and destination MAC addresses */
+			uint16_t icv_include_da_sa : 1;
+			/** Control port traffic is supported */
+			uint16_t ctrl_port_enable : 1;
+			/** Do not strip SecTAG after processing */
+			uint16_t preserve_sectag : 1;
+			/** Do not strip ICV from the packet after processing */
+			uint16_t preserve_icv : 1;
+			/** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */
+			uint16_t validate_frames : 1;
+			/** support re-keying on SA expiry */
+			uint16_t re_key : 1;
+			/** support Anti replay */
+			uint16_t anti_replay : 1;
+			/** Reserved bitfields for future capabilities */
+			uint16_t reserved : 7;
 		} macsec;
 		/**< MACsec capability */
 		struct {
diff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h
index 0063a66524..1da286dad4 100644
--- a/lib/security/rte_security_driver.h
+++ b/lib/security/rte_security_driver.h
@@ -63,6 +63,50 @@  typedef int (*security_session_update_t)(void *device,
 		struct rte_security_session *sess,
 		struct rte_security_session_conf *conf);
 
+/**
+ * Configure a MACsec secure channel(SC) on a device.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	conf		MACsec SC configuration params
+ *
+ * @return
+ *  - positive sc_id if SC is created successfully.
+ *  - -EINVAL if input parameters are invalid.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if the SC cannot be created.
+ */
+typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_macsec_sc *conf);
+
+/**
+ * Free MACsec secure channel(SC).
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sc_id		MACsec SC id
+ */
+typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id);
+
+/**
+ * Configure a MACsec security Association(SA) on a device.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	conf		MACsec SA configuration params
+ *
+ * @return
+ *  - positive sa_id if SA is created successfully.
+ *  - -EINVAL if input parameters are invalid.
+ *  - -ENOTSUP if device does not support MACsec.
+ *  - -ENOMEM if the SA cannot be created.
+ */
+typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_macsec_sa *conf);
+
+/**
+ * Free MACsec security association(SA).
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sa_id		MACsec SA id
+ */
+typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id);
+
 /**
  * Get the size of a security session
  *
@@ -89,6 +133,36 @@  typedef int (*security_session_stats_get_t)(void *device,
 		struct rte_security_session *sess,
 		struct rte_security_stats *stats);
 
+/**
+ * Get MACsec secure channel stats from the PMD.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sc_id		secure channel id created by rte_security_macsec_sc_create()
+ * @param	stats		SC stats of the driver
+ *
+ * @return
+ *  - 0 if success.
+ *  - -EINVAL if sc_id or device is invalid.
+ */
+typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
+		struct rte_security_macsec_sc_stats *stats);
+
+/**
+ * Get MACsec SA stats from the PMD.
+ *
+ * @param	device		Crypto/eth device pointer
+ * @param	sa_id		secure channel id created by rte_security_macsec_sc_create()
+ * @param	stats		SC stats of the driver
+ *
+ * @return
+ *  - 0 if success.
+ *  - -EINVAL if sa_id or device is invalid.
+ */
+typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,
+		struct rte_security_macsec_sa_stats *stats);
+
+
+
 __rte_internal
 int rte_security_dynfield_register(void);
 
@@ -136,6 +210,18 @@  struct rte_security_ops {
 	/**< Update mbuf metadata. */
 	security_capabilities_get_t capabilities_get;
 	/**< Get security capabilities. */
+	security_macsec_sc_create_t macsec_sc_create;
+	/**< Configure a MACsec security channel(SC). */
+	security_macsec_sc_destroy_t macsec_sc_destroy;
+	/**< Free a MACsec security channel(SC). */
+	security_macsec_sa_create_t macsec_sa_create;
+	/**< Configure a MACsec security association(SA). */
+	security_macsec_sa_destroy_t macsec_sa_destroy;
+	/**< Free a MACsec security association(SA). */
+	security_macsec_sc_stats_get_t macsec_sc_stats_get;
+	/**< Get MACsec SC statistics. */
+	security_macsec_sa_stats_get_t macsec_sa_stats_get;
+	/**< Get MACsec SA statistics. */
 };
 
 #ifdef __cplusplus
diff --git a/lib/security/version.map b/lib/security/version.map
index 85ca7921e7..07dcce9ffb 100644
--- a/lib/security/version.map
+++ b/lib/security/version.map
@@ -15,6 +15,12 @@  EXPERIMENTAL {
 
 	__rte_security_set_pkt_metadata;
 	rte_security_dynfield_offset;
+	rte_security_macsec_sa_create;
+	rte_security_macsec_sa_destroy;
+	rte_security_macsec_sa_stats_get;
+	rte_security_macsec_sc_create;
+	rte_security_macsec_sc_destroy;
+	rte_security_macsec_sc_stats_get;
 	rte_security_session_stats_get;
 	rte_security_session_update;
 };