[02/13] security: add MACsec packet number threshold
Commit Message
Added a packet number threshold parameter to the MACsec SC
configuration to specify the maximum allowed threshold
for the packet number field in the packet.
A field is_xpn is also added to identify if the SAs are
configured for extended packet number or not so that
packet number threshold can be configured accordingly.
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
lib/security/rte_security.h | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
Comments
On Wed, 24 May 2023 01:19:07 +0530
Akhil Goyal <gakhil@marvell.com> wrote:
> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> index c7a523b6d6..30bac4e25a 100644
> --- a/lib/security/rte_security.h
> +++ b/lib/security/rte_security.h
> @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
> struct rte_security_macsec_sc {
> /** Direction of SC */
> enum rte_security_macsec_direction dir;
> + /** Packet number threshold */
> + uint64_t pn_threshold;
> union {
> struct {
> /** SAs for each association number */
> @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
> uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
> /** Channel is active */
> uint8_t active : 1;
> + /** Extended packet number is enabled for SAs */
> + uint8_t is_xpn : 1;
> /** Reserved bitfields for future */
> - uint8_t reserved : 7;
> + uint8
Is this an ABI change? If so, it needs to wait for the 23.11 release.
> On Wed, 24 May 2023 01:19:07 +0530
> Akhil Goyal <gakhil@marvell.com> wrote:
>
> > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> > index c7a523b6d6..30bac4e25a 100644
> > --- a/lib/security/rte_security.h
> > +++ b/lib/security/rte_security.h
> > @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
> > struct rte_security_macsec_sc {
> > /** Direction of SC */
> > enum rte_security_macsec_direction dir;
> > + /** Packet number threshold */
> > + uint64_t pn_threshold;
> > union {
> > struct {
> > /** SAs for each association number */
> > @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
> > uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
> > /** Channel is active */
> > uint8_t active : 1;
> > + /** Extended packet number is enabled for SAs */
> > + uint8_t is_xpn : 1;
> > /** Reserved bitfields for future */
> > - uint8_t reserved : 7;
> > + uint8
>
> Is this an ABI change? If so needs to wait for 23.11 release
rte_security_macsec_sc/sa_create are experimental APIs. So, it won't be an issue I believe.
> Subject: RE: [EXT] Re: [PATCH 02/13] security: add MACsec packet number
> threshold
>
> > On Wed, 24 May 2023 01:19:07 +0530
> > Akhil Goyal <gakhil@marvell.com> wrote:
> >
> > > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
> > > index c7a523b6d6..30bac4e25a 100644
> > > --- a/lib/security/rte_security.h
> > > +++ b/lib/security/rte_security.h
> > > @@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
> > > struct rte_security_macsec_sc {
> > > /** Direction of SC */
> > > enum rte_security_macsec_direction dir;
> > > + /** Packet number threshold */
> > > + uint64_t pn_threshold;
> > > union {
> > > struct {
> > > /** SAs for each association number */
> > > @@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
> > > uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
> > > /** Channel is active */
> > > uint8_t active : 1;
> > > + /** Extended packet number is enabled for SAs */
> > > + uint8_t is_xpn : 1;
> > > /** Reserved bitfields for future */
> > > - uint8_t reserved : 7;
> > > + uint8
> >
> > Is this an ABI change? If so needs to wait for 23.11 release
> rte_security_macsec_sc/sa_create are experimental APIs. So, it won't be an
> issue I believe.
Looking at the ABI issues reported for this patchset.
Even if these APIs are experimental, we cannot really change them, as all are part of rte_security_ctx, which is exposed.
But the user is not required to know its contents, and it should not be exposed.
In next release I would make it internal like rte_security_session.
For now, I would defer this MACsec support to next release.
@@ -399,6 +399,8 @@ struct rte_security_macsec_sa {
struct rte_security_macsec_sc {
/** Direction of SC */
enum rte_security_macsec_direction dir;
+ /** Packet number threshold */
+ uint64_t pn_threshold;
union {
struct {
/** SAs for each association number */
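Review bot: The comment on `pn_threshold` gives no range and no meaning for 0, and it does not say what the PMD does once the packet number reaches the threshold. The field is a `uint64_t` in the common part of the struct while `is_xpn` sits inside `sc_rx`/`sc_tx`, so a reader cannot tell that a non-XPN SC presumably needs a value that fits the 32-bit PN. I would spell that out, e.g. `/** PN value at which the SA is reported as nearing exhaustion; must be <= UINT32_MAX unless is_xpn is set */`, with the wording adjusted to the actual driver behaviour, which this hunk does not show. This matters because a MACsec SA has to be replaced before its PN space runs out, so the application needs to know exactly when it will be warned. The struct body continues outside this hunk.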
@@ -407,8 +409,10 @@ struct rte_security_macsec_sc {
uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
/** Channel is active */
uint8_t active : 1;
+ /** Extended packet number is enabled for SAs */
+ uint8_t is_xpn : 1;
/** Reserved bitfields for future */
- uint8_t reserved : 7;
+ uint8_t reserved : 6;
} sc_rx;
struct {
uint16_t sa_id; /**< SA ID to be used for encryption */
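Review bot: `is_xpn` is documented only as "Extended packet number is enabled for SAs", which leaves open how the flag must agree with the SAs referenced by this SC and what happens when it does not; the same comment is repeated for `sc_tx` in the next hunk. The SA definition is not visible here, so this is hedged, but if an SA's own configuration already implies XPN, the comment should state that the flag has to match it, e.g. `/** Set when all SAs of this SC use an XPN cipher suite; pn_threshold is then a 64-bit PN value */`. Stating whether a mismatch is rejected at SC creation would also help callers avoid running a 32-bit PN against a threshold it can never reach.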
@@ -416,8 +420,10 @@ struct rte_security_macsec_sc {
uint64_t sci; /**< SCI value to be used if send_sci is set */
uint8_t active : 1; /**< Channel is active */
uint8_t re_key_en : 1; /**< Enable Rekeying */
+ /** Extended packet number is enabled for SAs */
+ uint8_t is_xpn : 1;
/** Reserved bitfields for future */
- uint8_t reserved : 6;
+ uint8_t reserved : 5;
} sc_tx;
};
};