[02/13] security: add MACsec packet number threshold

Message ID 20230523194918.1940212-3-gakhil@marvell.com (mailing list archive)
State Superseded, archived
Delegated to: akhil goyal
Series Add MACsec unit test cases |

Checks

Context Check Description
ci/checkpatch success coding style OK

Commit Message

Akhil Goyal May 23, 2023, 7:49 p.m. UTC
  Added Packet number threshold parameter in MACsec SC
configuration to identify the maximum allowed threshold
for packet number field in the packet.
A field is_xpn is also added to identify if the SAs are
configured for extended packet number or not so that
packet number threshold can be configured accordingly.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 lib/security/rte_security.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
  

Comments

Stephen Hemminger May 23, 2023, 9:29 p.m. UTC | #1
On Wed, 24 May 2023 01:19:07 +0530
Akhil Goyal <gakhil@marvell.com> wrote:

> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index c7a523b6d6..30bac4e25a 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
>  struct rte_security_macsec_sc {
>  	/** Direction of SC */
>  	enum rte_security_macsec_direction dir;
> +	/** Packet number threshold */
> +	uint64_t pn_threshold;
>  	union {
>  		struct {
>  			/** SAs for each association number */
> @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
>  			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
>  			/** Channel is active */
>  			uint8_t active : 1;
> +			/** Extended packet number is enabled for SAs */
> +			uint8_t is_xpn : 1;
>  			/** Reserved bitfields for future */
> -			uint8_t reserved : 7;
> +			uint8

Is this an ABI change? If so needs to wait for 23.11 release
  
Akhil Goyal May 24, 2023, 7:12 a.m. UTC | #2
> On Wed, 24 May 2023 01:19:07 +0530
> Akhil Goyal <gakhil@marvell.com> wrote:
> 
> > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> > index c7a523b6d6..30bac4e25a 100644
> > --- a/lib/security/rte_security.h
> > +++ b/lib/security/rte_security.h
> > @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
> >  struct rte_security_macsec_sc {
> >  	/** Direction of SC */
> >  	enum rte_security_macsec_direction dir;
> > +	/** Packet number threshold */
> > +	uint64_t pn_threshold;
> >  	union {
> >  		struct {
> >  			/** SAs for each association number */
> > @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
> >  			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
> >  			/** Channel is active */
> >  			uint8_t active : 1;
> > +			/** Extended packet number is enabled for SAs */
> > +			uint8_t is_xpn : 1;
> >  			/** Reserved bitfields for future */
> > -			uint8_t reserved : 7;
> > +			uint8
> 
> Is this an ABI change? If so needs to wait for 23.11 release
rte_security_macsec_sc/sa_create are experimental APIs. So, it won't be an issue I believe.
  
Akhil Goyal May 24, 2023, 8:09 a.m. UTC | #3
> Subject: RE: [EXT] Re: [PATCH 02/13] security: add MACsec packet number
> threshold
> 
> > On Wed, 24 May 2023 01:19:07 +0530
> > Akhil Goyal <gakhil@marvell.com> wrote:
> >
> > > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> > > index c7a523b6d6..30bac4e25a 100644
> > > --- a/lib/security/rte_security.h
> > > +++ b/lib/security/rte_security.h
> > > @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
> > >  struct rte_security_macsec_sc {
> > >  	/** Direction of SC */
> > >  	enum rte_security_macsec_direction dir;
> > > +	/** Packet number threshold */
> > > +	uint64_t pn_threshold;
> > >  	union {
> > >  		struct {
> > >  			/** SAs for each association number */
> > > @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
> > >  			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
> > >  			/** Channel is active */
> > >  			uint8_t active : 1;
> > > +			/** Extended packet number is enabled for SAs */
> > > +			uint8_t is_xpn : 1;
> > >  			/** Reserved bitfields for future */
> > > -			uint8_t reserved : 7;
> > > +			uint8
> >
> > Is this an ABI change? If so needs to wait for 23.11 release
> rte_security_macsec_sc/sa_create are experimental APIs. So, it won't be an
> issue I believe.
Looking at the ABI issues reported for this patchset.
Even if these APIs are experimental, we cannot really change them,
as they are all part of rte_security_ctx, which is exposed.
But, user is not required to know its contents and it should not be exposed.
In next release I would make it internal like rte_security_session.
For now, I would defer this MACsec support to next release.
  

Patch

diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index c7a523b6d6..30bac4e25a 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -399,6 +399,8 @@  struct rte_security_macsec_sa {
 struct rte_security_macsec_sc {
 	/** Direction of SC */
 	enum rte_security_macsec_direction dir;
+	/** Packet number threshold */
+	uint64_t pn_threshold;
 	union {
 		struct {
 			/** SAs for each association number */
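Review bot: The doc comment on `pn_threshold` ("Packet number threshold") does not say what the threshold triggers or which values are valid. The field is a `uint64_t` shared by both directions, and the commit message says it is to be configured according to `is_xpn`; a non-XPN MACsec packet number is 32 bits wide, so a larger threshold could never be reached on such an SC. Because the threshold is what gives the application time to rekey before the PN space is exhausted, the comment should state the valid range in each mode, what 0 means, and what is reported when the PN reaches it (presumably an event to the application; confirm against the PMD). Something like `/** PN value at which the threshold is reported; must fit in 32 bits unless is_xpn is set */` would cover the range part. The struct body continues outside this hunk.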
@@ -407,8 +409,10 @@  struct rte_security_macsec_sc {
 			uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
 			/** Channel is active */
 			uint8_t active : 1;
+			/** Extended packet number is enabled for SAs */
+			uint8_t is_xpn : 1;
 			/** Reserved bitfields for future */
-			uint8_t reserved : 7;
+			uint8_t reserved : 6;
 		} sc_rx;
 		struct {
 			uint16_t sa_id; /**< SA ID to be used for encryption */
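Review bot: `is_xpn` is declared twice, once inside `sc_rx` in this hunk and once inside `sc_tx` in the next hunk, while the `pn_threshold` it qualifies sits outside the union. Code that validates the threshold therefore has to switch on `dir` just to find the flag, and the flag lands at a different position in each arm (after `active` in `sc_rx`, after `re_key_en` in `sc_tx`). Consider a single SC-level flag declared next to `pn_threshold`. In either layout, extend the comment to say how the two fields interact, e.g. `/** Extended packet number is enabled for SAs; pn_threshold is then a 64-bit PN value */`. It would also help to document what happens if the flag disagrees with how the referenced SAs were created; whether the SA configuration carries its own XPN setting is not visible in this diff.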
@@ -416,8 +420,10 @@  struct rte_security_macsec_sc {
 			uint64_t sci; /**< SCI value to be used if send_sci is set */
 			uint8_t active : 1; /**< Channel is active */
 			uint8_t re_key_en : 1; /**< Enable Rekeying */
+			/** Extended packet number is enabled for SAs */
+			uint8_t is_xpn : 1;
 			/** Reserved bitfields for future */
-			uint8_t reserved : 6;
+			uint8_t reserved : 5;
 		} sc_tx;
 	};
 };