lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 8 May 2022 12:09:51 +0300 From: Lior Nahmanson <liorna@...dia.com> To: <edumazet@...gle.com>, <kuba@...nel.org>, <pabeni@...hat.com> CC: <davem@...emloft.net>, <netdev@...r.kernel.org>, Lior Nahmanson <liorna@...dia.com> Subject: [PATCH net-next v1 00/3] Introduce MACsec offload SKB extension This patchset introduces MACsec SKB extension to lay the ground for MACsec HW offload. MACsec is an IEEE standard (IEEE 802.1AE) for MAC security. It defines a way to establish a protocol independent connection between two hosts with data confidentiality, authenticity and/or integrity, using GCM-AES. MACsec operates on the Ethernet layer and as such is a layer 2 protocol, which means it’s designed to secure traffic within a layer 2 network, including DHCP or ARP requests. Linux has a software implementation of the MACsec standard and HW offloading support. The offloading is re-using the logic, netlink API and data structures of the existing MACsec software implementation. For Tx: In the current MACsec offload implementation, MACsec interfaces are sharing the same MAC address of their parent interface by default. Therefore, HW can't distinguish if a packet was sent from MACsec interface and need to be offloaded or not. Also, it can't distinguish from which MACsec interface it was sent in case there are multiple MACsec interface with the same MAC address. Used SKB extension, so SW can mark if a packet is needed to be offloaded and use the SCI, which is unique value for each MACsec interface, to notify the HW from which MACsec interface the packet is sent. For Rx: Like in the Tx changes, packet that don't have SecTAG header aren't necessary been offloaded by the HW. Therefore, the MACsec driver needs to distinguish if the packet was offloaded or not and handle accordingly. Moreover, if there are more than one MACsec device with the same MAC address as in the packet's destination MAC, the packet will forward only to this device and only to the desired one. Used SKB extension and marking it by the HW if the packet was offloaded and to which MACsec offload device it belongs according to the packet's SCI. 1) patch 0001-0002, Add support to SKB extension in MACsec code: net/macsec: Add MACsec skb extension Tx Data path support net/macsec: Add MACsec skb extension Rx Data path support 2) patch 0003, Move some MACsec driver code for sharing with various drivers that implements offload: net/macsec: Move some code for sharing with various drivers that implements offload Follow-up patchset for Nvidia MACsec HW offload will be submitted later on. -- 2.25.4
Powered by blists - more mailing lists