lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFSh4UzYXp7OaNcZOWQfyxznQfcF+Ng0scboX9-kxhrcpLKd7w@mail.gmail.com>
Date:   Mon, 1 Mar 2021 15:00:53 +0000
From:   Tom Cook <tom.k.cook@...il.com>
To:     Network Development <netdev@...r.kernel.org>
Subject: MACSEC configuration - is CONFIG_MACSEC enough?

I'm trying to use MACSEC on an arm64 embedded platform; I'm trying to
create an encrypted channel between two of them rather than doing
switch port access etc.  The vendor's BSP only provides a 4.9 kernel
so that's what I'm using.  I've added CONFIG_MACSEC=y to the kernel
config.  This then forces CONFIG_CRYPTO_GCM=y and CONFIG_CRYPTO_AES=y.

I've tried both manual configuration of MACSEC interfaces and also
using wpa_supplicant to do MKA negotiation.  I then add IP addresses
to the MACSEC interfaces in the 192.168.149.0/24 subnet.  In both
cases, the result is that the macsec0 interface has flags
BROADCAST,MULTICAST,UP,LOWER_UP but is in the UNKNOWN state.
Attempting to ping from one to the other results in encrypted ARP
frames being transmitted but then discarded at the receiver end.
tcpdump shows the frames arriving at the receiver and `ip -s macsec
show` shows these frames being added to the InPktsNotValid counter.

AFAICT from macsec.c, InPktsNotValid means either that the decryption
failed or that memory allocation for the decryption failed.

Is there some other bit of kernel config I need to do to get the
decryption to work correctly?

The SOC is a cavium cn8030.  This part is equipped with a crypto
accelerator but support for it is not compiled into the kernel.

Thanks for any help,
Tom Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ