diff options
author | David Ahern <dsahern@gmail.com> | 2020-03-04 19:58:31 +0000 |
---|---|---|
committer | David Ahern <dsahern@gmail.com> | 2020-03-04 19:59:35 +0000 |
commit | ad19a18e4263bb527e5a046e44aed02e5998a8de (patch) | |
tree | 09811582140982aaa8e71ca224ce6a9944115aa9 | |
parent | a5c44b821c9a32304c9d8211224e917808d412fe (diff) | |
parent | c15674d80d49dac94d659de443675f19e23a734e (diff) | |
download | iproute2-ad19a18e4263bb527e5a046e44aed02e5998a8de.tar.gz |
Merge branch 'macsec-offload' into next
Antoine Tenart says:
====================
This series adds support for selecting and reporting the offloading mode
of a MACsec interface. Available modes are for now 'off' and 'phy',
'off' being the default when an interface is created. Modes are not only
'off' and 'on' as the MACsec operations can be offloaded to multiple
kinds of specialized hardware devices, at least to PHYs and Ethernet
MACs. The later isn't currently supported in the kernel though.
The first patch adds support for reporting the offloading mode currently
selected for a given MACsec interface through the `ip macsec show`
command:
# ip macsec show
18: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 3e5035b67c860001 on SA 0
0: PN 1, state on, key 00000000000000000000000000000000
RXSC: b4969112700f0001, state on
0: PN 1, state on, key 01000000000000000000000000000000
-> offload: phy
19: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 3e5035b67c880001 on SA 0
1: PN 1, state on, key 00000000000000000000000000000000
RXSC: b4969112700f0001, state on
1: PN 1, state on, key 01000000000000000000000000000000
-> offload: off
The second patch allows an user to change the offloading mode at runtime
through a new subcommand, `ip macsec offload`:
# ip macsec offload macsec0 phy
# ip macsec offload macsec0 off
If a mode isn't supported, `ip macsec offload` will report an issue
(-EOPNOTSUPP).
Giving the offloading mode when a macsec interface is created was
discussed; it is not implemented in this series. It could come later
on, when needed, as we'll still want to support updating the offloading
mode at runtime (what's implemented in this series).
====================
Signed-off-by: David Ahern <dsahern@gmail.com>
-rw-r--r-- | ip/ipmacsec.c | 83 | ||||
-rw-r--r-- | man/man8/ip-macsec.8 | 7 |
2 files changed, 88 insertions, 2 deletions
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c index ad6ad7d6b..4e500e4e4 100644 --- a/ip/ipmacsec.c +++ b/ip/ipmacsec.c @@ -31,6 +31,11 @@ static const char * const validate_str[] = { [MACSEC_VALIDATE_STRICT] = "strict", }; +static const char * const offload_str[] = { + [MACSEC_OFFLOAD_OFF] = "off", + [MACSEC_OFFLOAD_PHY] = "phy", +}; + struct sci { __u64 sci; __u16 port; @@ -93,6 +98,7 @@ static void ipmacsec_usage(void) " ip macsec del DEV rx SCI sa { 0..3 }\n" " ip macsec show\n" " ip macsec show DEV\n" + " ip macsec offload DEV [ off | phy ]\n" "where OPTS := [ pn <u32> ] [ on | off ]\n" " ID := 128-bit hex string\n" " KEY := 128-bit or 256-bit hex string\n" @@ -354,6 +360,7 @@ enum cmd { CMD_ADD, CMD_DEL, CMD_UPD, + CMD_OFFLOAD, __CMD_MAX }; @@ -370,6 +377,9 @@ static const enum macsec_nl_commands macsec_commands[__CMD_MAX][2][2] = { [0] = {-1, MACSEC_CMD_DEL_RXSC}, [1] = {MACSEC_CMD_DEL_TXSA, MACSEC_CMD_DEL_RXSA}, }, + [CMD_OFFLOAD] = { + [0] = {-1, MACSEC_CMD_UPD_OFFLOAD }, + }, }; static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex, @@ -529,6 +539,44 @@ static int do_modify(enum cmd c, int argc, char **argv) return -1; } +static int do_offload(enum cmd c, int argc, char **argv) +{ + enum macsec_offload offload; + struct rtattr *attr; + int ifindex, ret; + + if (argc == 0) + ipmacsec_usage(); + + ifindex = ll_name_to_index(*argv); + if (!ifindex) { + fprintf(stderr, "Device \"%s\" does not exist.\n", *argv); + return -1; + } + argc--; argv++; + + if (argc == 0) + ipmacsec_usage(); + + ret = one_of("offload", *argv, offload_str, ARRAY_SIZE(offload_str), + (int *)&offload); + if (ret) + ipmacsec_usage(); + + MACSEC_GENL_REQ(req, MACSEC_BUFLEN, macsec_commands[c][0][1], NLM_F_REQUEST); + + addattr32(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_IFINDEX, ifindex); + + attr = addattr_nest(&req.n, MACSEC_BUFLEN, MACSEC_ATTR_OFFLOAD); + addattr8(&req.n, MACSEC_BUFLEN, MACSEC_OFFLOAD_ATTR_TYPE, offload); + addattr_nest_end(&req.n, attr); + + if (rtnl_talk(&genl_rth, &req.n, NULL) < 0) + return -2; + + return 0; +} + /* dump/show */ static struct { int ifindex; @@ -605,6 +653,22 @@ static const char *cs_id_to_name(__u64 cid) } } +static const char *validate_to_str(__u8 validate) +{ + if (validate >= ARRAY_SIZE(validate_str)) + return "(unknown)"; + + return validate_str[validate]; +} + +static const char *offload_to_str(__u8 offload) +{ + if (offload >= ARRAY_SIZE(offload_str)) + return "(unknown)"; + + return offload_str[offload]; +} + static void print_attrs(struct rtattr *attrs[]) { print_flag(attrs, "protect", MACSEC_SECY_ATTR_PROTECT); @@ -613,7 +677,7 @@ static void print_attrs(struct rtattr *attrs[]) __u8 val = rta_getattr_u8(attrs[MACSEC_SECY_ATTR_VALIDATE]); print_string(PRINT_ANY, "validate", - "validate %s ", validate_str[val]); + "validate %s ", validate_to_str(val)); } print_flag(attrs, "sc", MACSEC_RXSC_ATTR_ACTIVE); @@ -997,6 +1061,19 @@ static int process(struct nlmsghdr *n, void *arg) if (attrs[MACSEC_ATTR_RXSC_LIST]) print_rxsc_list(attrs[MACSEC_ATTR_RXSC_LIST]); + if (attrs[MACSEC_ATTR_OFFLOAD]) { + struct rtattr *attrs_offload[MACSEC_OFFLOAD_ATTR_MAX + 1]; + __u8 offload; + + parse_rtattr_nested(attrs_offload, MACSEC_OFFLOAD_ATTR_MAX, + attrs[MACSEC_ATTR_OFFLOAD]); + + offload = rta_getattr_u8(attrs_offload[MACSEC_OFFLOAD_ATTR_TYPE]); + print_string(PRINT_ANY, "offload", + " offload: %s ", offload_to_str(offload)); + print_nl(); + } + close_json_object(); return 0; @@ -1068,6 +1145,8 @@ int do_ipmacsec(int argc, char **argv) return do_modify(CMD_UPD, argc-1, argv+1); if (matches(*argv, "delete") == 0) return do_modify(CMD_DEL, argc-1, argv+1); + if (matches(*argv, "offload") == 0) + return do_offload(CMD_OFFLOAD, argc-1, argv+1); fprintf(stderr, "Command \"%s\" is unknown, try \"ip macsec help\".\n", *argv); @@ -1137,7 +1216,7 @@ static void macsec_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[]) print_string(PRINT_ANY, "validation", "validate %s ", - validate_str[val]); + validate_to_str(val)); } const char *inc_sci, *es, *replay; diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8 index 2179b3368..d5f9d240b 100644 --- a/man/man8/ip-macsec.8 +++ b/man/man8/ip-macsec.8 @@ -53,6 +53,9 @@ ip-macsec \- MACsec device configuration .BI "ip macsec del " DEV " rx " SCI " sa" .RI "{ " 0..3 " }" +.BI "ip macsec offload " DEV +.RB "{ " off " | " phy " }" + .B ip macsec show .RI [ " DEV " ] @@ -102,6 +105,10 @@ type. .SS Display MACsec configuration .nf # ip macsec show +.PP +.SS Configure offloading on an interface +.nf +# ip macsec offload macsec0 phy .SH NOTES This tool can be used to configure the 802.1AE keys of the interface. Note that 802.1AE uses GCM-AES |