lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 22 Sep 2023 18:54:45 +0300
From: "Radu Pirea (OSS)" <radu-nicolae.pirea@....nxp.com>
To: Sabrina Dubroca <sd@...asysnail.net>, mstarovoitov@...vell.com,
 irusskikh@...vell.com
Cc: andrew@...n.ch, hkallweit1@...il.com, linux@...linux.org.uk,
 davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, richardcochran@...il.com,
 sebastian.tobuschat@....nxp.com, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next v5 3/7] net: macsec: indicate next pn update when
 offloading



On 21.09.2023 18:11, Sabrina Dubroca wrote:
> 2023-09-20, 12:22:33 +0300, Radu Pirea (NXP OSS) wrote:
>> Indicate next PN update using update_pn flag in macsec_context.
>> Offloaded MACsec implementations does not know whether or not the
>> MACSEC_SA_ATTR_PN attribute was passed for an SA update and assume
>> that next PN should always updated, but this is not always true.
> 
> This should probably go through net so that we can fix some drivers
> that are currently doing the wrong thing. octeontx2 should be
> fixable. atlantic looks like it would reset the PN to whatever was
> read during the last dump, and it's unclear if that can be fixed
> (AFAIU set_egress_sa_record writes the whole config at once).  mscc
> doesn't seem to modify the PN (even if requested -- should it should
> reject the update), and mlx5 doesn't allow PN update (by storing the
> initial value of next_pn on SA creation).

I updated octeontx2, mssc and mlx5. Atlantic is unclear.

Mark, Igor, in the atlantic MACsec driver, can the SAs be updated 
without a PN update?

https://elixir.bootlin.com/linux/latest/source/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c#L1641

https://elixir.bootlin.com/linux/latest/source/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c#L678

> 
>> diff --git a/include/net/macsec.h b/include/net/macsec.h
>> index ecae5eeb021a..42072fdcc183 100644
>> --- a/include/net/macsec.h
>> +++ b/include/net/macsec.h
>> @@ -254,6 +254,7 @@ struct macsec_secy {
>>    * @offload: MACsec offload status
>>    * @secy: pointer to a MACsec SecY
>>    * @rx_sc: pointer to a RX SC
>> + * @update_pn: this flag indicates updating the next PN when updating the SA
> 
> nit: "this flag indicates" is not very useful, thus:
> 
> @update_pn: when updating the SA, update the next PN
> 
>>    * @assoc_num: association number of the target SA
>>    * @key: key of the target SA
>>    * @rx_sa: pointer to an RX SA if a RX SA is added/updated/removed
>> @@ -274,6 +275,7 @@ struct macsec_context {
>>   	struct macsec_secy *secy;
>>   	struct macsec_rx_sc *rx_sc;
>>   	struct {
>> +		bool update_pn;
>>   		unsigned char assoc_num;
>>   		u8 key[MACSEC_MAX_KEY_LEN];
>>   		union {
>> -- 
>> 2.34.1
>>
> 

-- 
Radu P.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ