From patchwork Tue Feb 7 14:59:42 2023
X-Patchwork-Submitter: Emeel Hakim
X-Patchwork-Id: 1742109
From: Emeel Hakim
CC: Emeel Hakim
Subject: [PATCH 1/2] mka: Allow configuration of MACsec hardware offload
Date: Tue, 7 Feb 2023 16:59:42 +0200
Message-ID: <20230207145943.4575-1-ehakim@nvidia.com>
X-Mailer: git-send-email 2.21.3
X-Mailman-Approved-At: Mon, 13 Feb 2023 23:48:58 -0800
X-BeenThere: hostap@lists.infradead.org

Add new configuration parameter macsec_offload to allow the user to set up the MACsec hardware offload feature.
Signed-off-by: Emeel Hakim --- hostapd/config_file.c | 11 +++++++++++ hostapd/hostapd.conf | 8 ++++++++ src/ap/ap_config.h | 13 +++++++++++++ src/ap/wpa_auth_kay.c | 1 + src/drivers/driver.h | 10 ++++++++++ src/pae/ieee802_1x_cp.c | 8 ++++++++ src/pae/ieee802_1x_kay.c | 8 ++++++-- src/pae/ieee802_1x_kay.h | 7 +++++-- src/pae/ieee802_1x_secy_ops.c | 20 ++++++++++++++++++++ src/pae/ieee802_1x_secy_ops.h | 1 + wpa_supplicant/config.c | 1 + wpa_supplicant/config_file.c | 1 + wpa_supplicant/config_ssid.h | 12 ++++++++++++ wpa_supplicant/driver_i.h | 8 ++++++++ wpa_supplicant/wpa_cli.c | 1 + wpa_supplicant/wpa_supplicant.conf | 9 +++++++++ wpa_supplicant/wpas_kay.c | 8 +++++++- 17 files changed, 122 insertions(+), 5 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 76f9cf831..e1ad0bf00 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -4636,6 +4636,17 @@ static int hostapd_config_fill(struct hostapd_config *conf, bss->macsec_replay_protect = macsec_replay_protect; } else if (os_strcmp(buf, "macsec_replay_window") == 0) { bss->macsec_replay_window = atoi(pos); + } else if (os_strcmp(buf, "macsec_offload") == 0) { + int macsec_offload = atoi(pos); + + if (macsec_offload < 0 || macsec_offload > 2) { + wpa_printf(MSG_ERROR, + "Line %d: invalid macsec_offload (%d): '%s'.", + line, macsec_offload, pos); + return 1; + } + bss->macsec_offload = macsec_offload; + } else if (os_strcmp(buf, "macsec_port") == 0) { int macsec_port = atoi(pos); diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index c5e74a6a2..0e5b8d82b 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf 
@@ -1117,6 +1117,14 @@ eapol_key_index_workaround=0 # 0: No replay window, strict check (default) # 1..2^32-1: number of packets that could be misordered # +# macsec_offload: IEEE 802.1X/MACsec hardware offload +# This setting applies only when MACsec is in use, i.e., +# - macsec_policy is enabled +# - the key server has decided to enable MACsec +# 0 = MACSEC_OFFLOAD_OFF (default) +# 1 = MACSEC_OFFLOAD_PHY +# 2 = MACSEC_OFFLOAD_MAC +# # macsec_port: IEEE 802.1X/MACsec port # Port component of the SCI # Range: 1-65534 (default: 1) diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 1631cf2aa..dfe259c30 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -844,6 +844,19 @@ struct hostapd_bss_config { */ u32 macsec_replay_window; + /** + * macsec_offload - Enable MACsec offload + * + * This setting applies only when MACsec is in use, i.e., + * - macsec_policy is enabled + * - the key server has decided to enable MACsec + * + * 0 = MACSEC_OFFLOAD_OFF (default) + * 1 = MACSEC_OFFLOAD_PHY + * 2 = MACSEC_OFFLOAD_MAC + */ + int macsec_offload; + /** * macsec_port - MACsec port (in SCI) * diff --git a/src/ap/wpa_auth_kay.c b/src/ap/wpa_auth_kay.c index e2c4e109e..664ab8872 100644 --- a/src/ap/wpa_auth_kay.c +++ b/src/ap/wpa_auth_kay.c @@ -327,6 +327,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct hostapd_data *hapd, res = ieee802_1x_kay_init(kay_ctx, policy, hapd->conf->macsec_replay_protect, hapd->conf->macsec_replay_window, + hapd->conf->macsec_offload, hapd->conf->macsec_port, hapd->conf->mka_priority, hapd->conf->macsec_csindex, diff --git a/src/drivers/driver.h b/src/drivers/driver.h index cb27282aa..a6171b3ef 100644 --- a/src/drivers/driver.h +++ b/src/drivers/driver.h 
@@ -4505,6 +4505,16 @@ struct wpa_driver_ops { */ int (*set_replay_protect)(void *priv, bool enabled, u32 window); + /** + * set_offload - Set offload + * @priv: Private driver interface data + * @offload: 0 = MACSEC_OFFLOAD_OFF + * 1 = MACSEC_OFFLOAD_PHY + * 2 = MACSEC_OFFLOAD_MAC + * Returns: 0 on success, -1 on failure (or if not supported) + */ + int (*set_offload)(void *priv, u8 offload); + /** * set_current_cipher_suite - Set current cipher suite * @priv: Private driver interface data diff --git a/src/pae/ieee802_1x_cp.c b/src/pae/ieee802_1x_cp.c index 2bf3e8e8c..e9782174d 100644 --- a/src/pae/ieee802_1x_cp.c +++ b/src/pae/ieee802_1x_cp.c @@ -84,6 +84,7 @@ struct ieee802_1x_cp_sm { /* not defined IEEE Std 802.1X-2010 */ struct ieee802_1x_kay *kay; + u8 offload; }; static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx, @@ -188,6 +189,7 @@ SM_STATE(CP, AUTHENTICATED) sm->protect_frames = false; sm->replay_protect = false; sm->validate_frames = Checked; + sm->offload = sm->kay->macsec_offload; sm->port_valid = false; sm->controlled_port_enabled = true; @@ -197,6 +199,7 @@ SM_STATE(CP, AUTHENTICATED) secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt); secy_cp_control_validate_frames(sm->kay, sm->validate_frames); secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window); + secy_cp_control_offload(sm->kay, sm->offload); } @@ -208,6 +211,7 @@ SM_STATE(CP, SECURED) sm->protect_frames = sm->kay->macsec_protect; sm->replay_protect = sm->kay->macsec_replay_protect; + sm->offload = sm->kay->macsec_offload; sm->validate_frames = sm->kay->macsec_validate; sm->current_cipher_suite = sm->cipher_suite; @@ -223,6 +227,7 @@ SM_STATE(CP, SECURED) secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt); secy_cp_control_validate_frames(sm->kay, sm->validate_frames); secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window); + secy_cp_control_offload(sm->kay, sm->offload); } 
@@ -462,6 +467,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(struct ieee802_1x_kay *kay) sm->validate_frames = kay->macsec_validate; sm->replay_protect = kay->macsec_replay_protect; sm->replay_window = kay->macsec_replay_window; + sm->offload = kay->macsec_offload; sm->controlled_port_enabled = false; @@ -491,6 +497,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(struct ieee802_1x_kay *kay) secy_cp_control_confidentiality_offset(sm->kay, sm->confidentiality_offset); secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite); + secy_cp_control_offload(sm->kay, sm->offload); + SM_STEP_RUN(CP); diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c index a1f8ae934..7c05263c5 100644 --- a/src/pae/ieee802_1x_kay.c +++ b/src/pae/ieee802_1x_kay.c @@ -3464,8 +3464,9 @@ static void kay_l2_receive(void *ctx, const u8 *src_addr, const u8 *buf, struct ieee802_1x_kay * ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, bool macsec_replay_protect, u32 macsec_replay_window, - u16 port, u8 priority, u32 macsec_csindex, - const char *ifname, const u8 *addr) + u8 macsec_offload, u16 port, u8 priority, + u32 macsec_csindex, const char *ifname, + const u8 *addr) { struct ieee802_1x_kay *kay; @@ -3524,6 +3525,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->macsec_validate = Disabled; kay->macsec_replay_protect = false; kay->macsec_replay_window = 0; + kay->macsec_offload = 0; kay->macsec_confidentiality = CONFIDENTIALITY_NONE; kay->mka_hello_time = MKA_HELLO_TIME; } else { @@ -3540,6 +3542,7 @@ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, kay->macsec_validate = Strict; kay->macsec_replay_protect = macsec_replay_protect; kay->macsec_replay_window = macsec_replay_window; + kay->macsec_offload = macsec_offload; kay->mka_hello_time = MKA_HELLO_TIME; } 
@@ -3740,6 +3743,7 @@ ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, secy_cp_control_protect_frames(kay, kay->macsec_protect); secy_cp_control_replay(kay, kay->macsec_replay_protect, kay->macsec_replay_window); + secy_cp_control_offload(kay, kay->macsec_offload); if (secy_create_transmit_sc(kay, participant->txsc)) goto fail; diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h index 11cf7b758..3aad6d2ed 100644 --- a/src/pae/ieee802_1x_kay.h +++ b/src/pae/ieee802_1x_kay.h @@ -166,6 +166,7 @@ struct ieee802_1x_kay_ctx { int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa); int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa); int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa); + int (*set_offload)(void *ctx, u8 offload); }; struct ieee802_1x_kay { @@ -206,6 +207,7 @@ struct ieee802_1x_kay { bool is_key_server; bool is_obliged_key_server; char if_name[IFNAMSIZ]; + u8 macsec_offload; unsigned int macsec_csindex; /* MACsec cipher suite table index */ int mka_algindex; /* MKA alg table index */ @@ -240,8 +242,9 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci); struct ieee802_1x_kay * ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, bool macsec_replay_protect, u32 macsec_replay_window, - u16 port, u8 priority, u32 macsec_csindex, - const char *ifname, const u8 *addr); + u8 macsec_offload, u16 port, u8 priority, + u32 macsec_csindex, const char *ifname, + const u8 *addr); void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay); struct ieee802_1x_mka_participant * diff --git a/src/pae/ieee802_1x_secy_ops.c b/src/pae/ieee802_1x_secy_ops.c index 0f36e6b53..f35baadbf 100644 --- a/src/pae/ieee802_1x_secy_ops.c +++ b/src/pae/ieee802_1x_secy_ops.c 
@@ -85,6 +85,26 @@ int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool enabled, u32 win) } +int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload) +{ + struct ieee802_1x_kay_ctx *ops; + + if (!kay) { + wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__); + return -1; + } + + ops = kay->ctx; + if (!ops || !ops->set_offload) { + wpa_printf(MSG_ERROR, + "KaY: secy set_offload operation not supported"); + return -1; + } + + return ops->set_offload(ops->ctx, offload); +} + + int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs) { struct ieee802_1x_kay_ctx *ops; diff --git a/src/pae/ieee802_1x_secy_ops.h b/src/pae/ieee802_1x_secy_ops.h index 18c06f665..b82507bca 100644 --- a/src/pae/ieee802_1x_secy_ops.h +++ b/src/pae/ieee802_1x_secy_ops.h @@ -23,6 +23,7 @@ int secy_cp_control_validate_frames(struct ieee802_1x_kay *kay, int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, bool flag); int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, bool enabled); int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool flag, u32 win); +int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload); int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs); int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay, enum confidentiality_offset co); diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 9477ad472..eed53f155 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2677,6 +2677,7 @@ static const struct parse_data ssid_fields[] = { { INT_RANGE(macsec_integ_only, 0, 1) }, { INT_RANGE(macsec_replay_protect, 0, 1) }, { INT(macsec_replay_window) }, + { INT_RANGE(macsec_offload, 0, 2) }, { INT_RANGE(macsec_port, 1, 65534) }, { INT_RANGE(mka_priority, 0, 255) }, { INT_RANGE(macsec_csindex, 0, 1) }, diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index 4d50f44a8..3cbf9b1e8 100644 --- a/wpa_supplicant/config_file.c 
+++ b/wpa_supplicant/config_file.c @@ -814,6 +814,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) INT(macsec_integ_only); INT(macsec_replay_protect); INT(macsec_replay_window); + INT(macsec_offload); INT(macsec_port); INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER); INT(macsec_csindex); diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h index 4d89e04b9..d3136a66b 100644 --- a/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h @@ -926,6 +926,18 @@ struct wpa_ssid { */ u32 macsec_replay_window; + /** + * macsec_offload - Enable MACsec hardware offload + * + * This setting applies only when MACsec is in use, i.e., + * - the key server has decided to enable MACsec + * + * 0 = MACSEC_OFFLOAD_OFF (default) + * 1 = MACSEC_OFFLOAD_PHY + * 2 = MACSEC_OFFLOAD_MAC + */ + int macsec_offload; + /** * macsec_port - MACsec port (in SCI) * diff --git a/wpa_supplicant/driver_i.h b/wpa_supplicant/driver_i.h index 5dd2a514c..cfce5fa6a 100644 --- a/wpa_supplicant/driver_i.h +++ b/wpa_supplicant/driver_i.h @@ -803,6 +803,14 @@ static inline int wpa_drv_set_replay_protect(struct wpa_supplicant *wpa_s, window); } +static inline int wpa_drv_set_offload(struct wpa_supplicant *wpa_s, u8 offload) +{ + if (!wpa_s->driver->set_offload) + return -1; + return wpa_s->driver->set_offload(wpa_s->drv_priv, offload); + +} + static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s, u64 cs) { diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index bfdc42de4..f808ac424 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -1487,6 +1487,7 @@ static const char *network_fields[] = { "macsec_integ_only", "macsec_replay_protect", "macsec_replay_window", + "macsec_offload", "macsec_port", "mka_priority", #endif /* CONFIG_MACSEC */ diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 1bb3cc18b..f0b82443e 100644 --- a/wpa_supplicant/wpa_supplicant.conf 
+++ b/wpa_supplicant/wpa_supplicant.conf @@ -1142,6 +1142,15 @@ fast_reauth=1 # 0: No replay window, strict check (default) # 1..2^32-1: number of packets that could be misordered # +# macsec_offload - Enable MACsec hardware offload +# +# This setting applies only when MACsec is in use, i.e., +# - the key server has decided to enable MACsec +# +# 0 = MACSEC_OFFLOAD_OFF (default) +# 1 = MACSEC_OFFLOAD_PHY +# 2 = MACSEC_OFFLOAD_MAC +# # macsec_port: IEEE 802.1X/MACsec port # Port component of the SCI # Range: 1-65534 (default: 1) diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c index c3ef93bf7..4eb1d5a81 100644 --- a/wpa_supplicant/wpas_kay.c +++ b/wpa_supplicant/wpas_kay.c @@ -97,6 +97,10 @@ static int wpas_set_receive_lowest_pn(void *wpa_s, struct receive_sa *sa) return wpa_drv_set_receive_lowest_pn(wpa_s, sa); } +static int wpas_set_offload(void *wpa_s, u8 offload) +{ + return wpa_drv_set_offload(wpa_s, offload); +} static unsigned int conf_offset_val(enum confidentiality_offset co) { @@ -219,6 +223,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) kay_ctx->enable_protect_frames = wpas_enable_protect_frames; kay_ctx->enable_encrypt = wpas_enable_encrypt; kay_ctx->set_replay_protect = wpas_set_replay_protect; + kay_ctx->set_offload = wpas_set_offload; kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite; kay_ctx->enable_controlled_port = wpas_enable_controlled_port; kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn; @@ -239,7 +244,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa; res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect, - ssid->macsec_replay_window, ssid->macsec_port, + ssid->macsec_replay_window, + ssid->macsec_offload, ssid->macsec_port, ssid->mka_priority, ssid->macsec_csindex, wpa_s->ifname, wpa_s->own_addr); /* ieee802_1x_kay_init() frees kay_ctx on failure */
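Review bot: the new macsec_offload branch in hostapd_config_fill() (hostapd/config_file.c hunk) parses with atoi(), so a non-numeric value such as "macsec_offload=phy" silently becomes 0, passes the 0..2 range check and lands as MACSEC_OFFLOAD_OFF; the wpa_supplicant side of this same patch gets proper validation from `{ INT_RANGE(macsec_offload, 0, 2) }`. Consider rejecting input that is not a plain integer (strtol() with an end-pointer check) so a typo cannot quietly drop the offload the operator asked for.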
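Review bot: the src/ap/wpa_auth_kay.c hunk only threads `hapd->conf->macsec_offload,` into ieee802_1x_kay_init(); unlike the wpa_supplicant/wpas_kay.c hunk, which installs `kay_ctx->set_offload = wpas_set_offload;`, nothing in this patch installs a set_offload callback on the hostapd kay_ctx, and since the field is introduced by this patch nothing pre-existing can set it either. With ctx->set_offload left NULL, secy_cp_control_offload() takes the `!ops->set_offload` branch and logs "KaY: secy set_offload operation not supported" at MSG_ERROR on every CP state transition in hostapd, including with the default macsec_offload=0. Either wire a hostapd-side callback here, or make the OFF case a no-op in secy_cp_control_offload().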
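Review bot: the src/drivers/driver.h hunk documents the new op only as "set_offload - Set offload", which does not tell a driver author what is being set or when. Suggest "Set MACsec hardware offload mode" plus a sentence stating that the KaY calls it from the CP state machine before any transmit/receive SC or SA has been created (that is the order in the ieee802_1x_cp.c and ieee802_1x_kay_create_mka() hunks), so drivers know the call can arrive with no SAs installed yet.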
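Review bot: the return value of secy_cp_control_offload() is discarded at all five call sites in the ieee802_1x_cp.c and ieee802_1x_kay.c hunks, even in ieee802_1x_kay_create_mka() where the adjacent `if (secy_create_transmit_sc(kay, participant->txsc)) goto fail;` does propagate failure. If an operator configures macsec_offload=1 or 2 and the driver rejects it, the MKA session carries on and the SAs are installed without the requested offload, with only a log line recording that. At least in create_mka, consider `if (kay->macsec_offload && secy_cp_control_offload(kay, kay->macsec_offload)) goto fail;`, or document explicitly that a rejected offload request falls back to non-offloaded MACsec.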
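Review bot: in the src/pae/ieee802_1x_secy_ops.c hunk, secy_cp_control_offload() reports "not supported" at MSG_ERROR even when the requested value is 0 (MACSEC_OFFLOAD_OFF), which is the default every existing configuration will now send on each CP transition. Unless some driver needs an explicit OFF to clear an earlier setting, an early `if (!offload) return 0;` ahead of the `!ops || !ops->set_offload` check (or logging that branch at MSG_DEBUG) would keep the default configuration quiet on drivers that have not implemented the op.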
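Review bot: style nit in the wpa_supplicant/driver_i.h hunk: wpa_drv_set_offload() has a stray empty line between `return wpa_s->driver->set_offload(wpa_s->drv_priv, offload);` and the closing `}`; drop it so the helper matches the neighbouring wpa_drv_set_replay_protect() and wpa_drv_set_current_cipher_suite().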