| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200214150258.390-1-irusskikh@marvell.com>
Date: Fri, 14 Feb 2020 18:02:40 +0300
From: Igor Russkikh <irusskikh@...vell.com>
To: <netdev@...r.kernel.org>
CC: "David S . Miller" <davem@...emloft.net>,
Antoine Tenart <antoine.tenart@...tlin.com>,
Mark Starovoytov <mstarovoitov@...vell.com>,
Dmitry Bogdanov <dbogdanov@...vell.com>,
Igor Russkikh <irusskikh@...vell.com>
Subject: [RFC 00/18] net: atlantic: MACSec support for AQC devices
This RFC patchset introduces MACSec HW offloading support in
Marvell(Aquantia) AQC atlantic driver.
This implementation is a joint effort of Marvell developers on top of
the work started by Antoine Tenart.
Several patches introduce backward-incompatible changes and are
subject for discussion/drop:
1) patch 0008:
multicast/broadcast when offloading is needed to handle ARP requests,
because they have broadcast destination address;
With this patch we also match and encrypt/decrypt packets between macsec
hw and realdev based on device's mac address.
This potentially can be used to support multiple macsec offloaded interfaces
on top of one realdev.
On some environments however this could lead to problems, e.g. bridge over
macsec configuration will expect packets with unknown src MAC
should come through macsec.
The patch is questionable, we've used it because our current hw setup and
requirements assumes decryption is only done based on mac address match.
This could be changed by encrypting/decripting all the traffic (except control).
2) patch 0010:
HW offloading is enabled by default. This is a workaround for the fact
that macsec offload can't be configured at the moment of macsec device
creation. This causes side effects on atlantic device. The best way to
resolve this is to implement an option in ip tools to specify macsec
offload type immediately inside the command where it is created.
Such a comment was proposed in ip tools discussion.
3) patch 0011:
real_dev features are now propagated to macsec device (when HW
offloading is enabled), otherwise feature set might lead to HW
reconfiguration during MACSec configuration.
Also, HW offloaded macsec should be able to keep LRO LSO features,
since they are transparent for macsec engine (at least in our hardware).
Antoine Tenart (4):
net: introduce the MACSEC netdev feature
net: add a reference to MACsec ops in net_device
net: macsec: allow to reference a netdev from a MACsec context
net: macsec: add support for offloading to the MAC
Dmitry Bogdanov (9):
net: macsec: init secy pointer in macsec_context
net: macsec: invoke mdo_upd_secy callback when mac address changed
net: macsec: allow multiple macsec devices with offload
net: macsec: add support for getting offloaded stats
net: atlantic: MACSec offload skeleton
net: atlantic: MACSec egress offload HW bindings
net: atlantic: MACSec egress offload implementation
net: atlantic: MACSec offload statistics HW bindings
net: atlantic: MACSec offload statistics implementation
Mark Starovoytov (5):
net: macsec: support multicast/broadcast when offloading
net: macsec: enable HW offloading by default (when available)
net: macsec: report real_dev features when HW offloading is enabled
net: atlantic: MACSec ingress offload HW bindings
net: atlantic: MACSec ingress offload implementation
.../net/ethernet/aquantia/atlantic/Makefile | 6 +-
.../ethernet/aquantia/atlantic/aq_ethtool.c | 160 +-
.../net/ethernet/aquantia/atlantic/aq_hw.h | 6 +
.../ethernet/aquantia/atlantic/aq_macsec.c | 1842 +++++++++++
.../ethernet/aquantia/atlantic/aq_macsec.h | 138 +
.../net/ethernet/aquantia/atlantic/aq_nic.c | 21 +-
.../net/ethernet/aquantia/atlantic/aq_nic.h | 6 +-
.../ethernet/aquantia/atlantic/aq_pci_func.c | 5 +
.../aquantia/atlantic/hw_atl/hw_atl_utils.h | 51 +-
.../atlantic/hw_atl/hw_atl_utils_fw2x.c | 69 +
.../atlantic/macsec/MSS_Egress_registers.h | 78 +
.../atlantic/macsec/MSS_Ingress_registers.h | 82 +
.../aquantia/atlantic/macsec/macsec_api.c | 2938 +++++++++++++++++
.../aquantia/atlantic/macsec/macsec_api.h | 328 ++
.../aquantia/atlantic/macsec/macsec_struct.h | 919 ++++++
drivers/net/macsec.c | 510 ++-
include/linux/netdev_features.h | 3 +
include/linux/netdevice.h | 9 +
include/net/macsec.h | 29 +-
include/uapi/linux/if_link.h | 1 +
net/ethtool/common.c | 1 +
tools/include/uapi/linux/if_link.h | 1 +
22 files changed, 7018 insertions(+), 185 deletions(-)
create mode 100644 drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
create mode 100644 drivers/net/ethernet/aquantia/atlantic/aq_macsec.h
create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/MSS_Egress_registers.h
create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/MSS_Ingress_registers.h
create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.h
create mode 100644 drivers/net/ethernet/aquantia/atlantic/macsec/macsec_struct.h
--
2.17.1
Powered by blists - more mailing lists