Date: Mon, 28 Aug 2023 16:46:02 +0300
From: "Radu Pirea (OSS)" <radu-nicolae.pirea@....nxp.com>
To: Sabrina Dubroca <sd@...asysnail.net>
Cc: andrew@...n.ch, hkallweit1@...il.com, linux@...linux.org.uk,
 davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, richardcochran@...il.com, sebastian.tobuschat@....com,
 netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC net-next v2 5/5] net: phy: nxp-c45-tja11xx: implement
 mdo_insert_tx_tag
On 28.08.2023 13:17, Sabrina Dubroca wrote:
> 2023-08-24, 12:16:15 +0300, Radu Pirea (NXP OSS) wrote:
>> Implement mdo_insert_tx_tag to insert the TLV header in the ethernet
>> frame.
>>
>> If extscs parameter is set to 1, then the TLV header will contain the
>> TX SC that will be used to encrypt the frame, otherwise the TX SC will
>> be selected using the MAC source address.
> 
> In which case would a user choose not to use the SCI? Using the MAC
> address is probably fine in basic setups, but having to fiddle with a
> module parameter (so unloading and reloading the module, which means
> losing network connectivity) to make things work when the setup
> evolves is really not convenient.
> 
> Is there a drawback to always using the SCI?
> 

I see your concern. If the PHY driver is reloaded, then the offloaded 
MACsec configuration will vanish from the hardware. Actually, just a 
call to phy_disconnect is enough to break an offloaded MACsec iface and 
can be achieved by:
ip link set eth0 down && ip link set eth0 up

The only drawback is related to the PTP frames encryption. Due to
hardware limitations, PHY timestamping + MACsec will not work if the
custom header is inserted. The only way to get this to work is by using the
MAC SA selection and running PTP on the real netdev.


-- 
Radu P.
