From patchwork Sun Sep 11 09:26:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Emeel Hakim X-Patchwork-Id: 12972814 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5D22ECAAA1 for ; Sun, 11 Sep 2022 09:27:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229897AbiIKJ1P (ORCPT ); Sun, 11 Sep 2022 05:27:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52428 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229733AbiIKJ1O (ORCPT ); Sun, 11 Sep 2022 05:27:14 -0400 Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2050.outbound.protection.outlook.com [40.107.223.50]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E8D4248C9 for ; Sun, 11 Sep 2022 02:27:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=msX6JcRh6AOp28NxBHoUHnu3KQfJUR+zjPGm4a39Y6hieTnH1wXwuhEa9XEeZxFY9map4ltKZQSZmNDHTDP1Dre1PVJ39zLFu27BE+7QwXhGa9Vpn3NCcsuZ5/hpjjPTAuAmXUnwO+i2rASJU0ugE/aKya/qJh+YQJRdCA2RDOdupQ5ftxzF0O28Qmoxqf2B0gcbcwnNS1ZH5eBticOU5eyrmo3gNDGr6igENRjmb8yTsfdJ4NAVdTulRImhPppOrRbRH3GPxwH51/td0Xyoh5WDvNw7+jpNVsFTa9TUFGAGPlxoynQvXFb8Z5mEJ0ZrzVIepW+sWr941brUyNGMCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cYz/GcoRWdsLWWi8qWWl2RZlisBq7rwlLkRfq9j341s=; b=A5b0Az323/pPDDLbwhgn6684Q4jGmUPVLmIZKKWAWH53XTnpAgi/9AXGr4gi4TSRETyg6KuoFtToIwvk14Bf3mmQ0O7jMrHlvyxmx1dOB6qfo9BiprEXeaj9mR2Qv6og1tCujCLQoPq0DPJun9LO+h3EmWy4+UJOBbdRH7Kfm9+p6ul+HCmapA140Nvv3dEPynHuLORZzsZAEUxzFEp8vC0M5wQme7eGSCjXzzgGq2M0OwxwpS+xEsdAAb7JnB4aHtgSr4w8+r0wK3iaDyGEvxSsJUkHb5zgQIZ7MLIOIsvHS4yGy3AvNXyvRfSWiQWY5vxX5ChPs/L6Vb3RpWZVdQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 12.22.5.236) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cYz/GcoRWdsLWWi8qWWl2RZlisBq7rwlLkRfq9j341s=; b=nPHFclz7scNtnirsSkgB2GUhP8uWo5CNRs3GJYypTACq2iGIizZp8XylyADWkhz9SV/6wINWGfqph2ObsqMbkx0K4n77/jKoBvE5wztvOHj0V5iEe6Qq7lQC1C79rsP3AyGHAKMDIGssBA0JoQVGmBXauFCkoojNRNCYwoONM69ZutAXzk8NMQYvYnTMMoFMaZNlxdwEPmLkiqbHzejJBAkMqevKAifNiTAhDuDyWakaPzafUh6glZ1RCHMNa+xvGUVJebOHNIXdStelHMXa+WGZbh2fJW7bKcYa0uKCB/I6eCTAh2T3ygvFr4SkS9eS+C96U9fH7vxDCYi0+0f1hQ== Received: from DS7PR03CA0251.namprd03.prod.outlook.com (2603:10b6:5:3b3::16) by SA1PR12MB7149.namprd12.prod.outlook.com (2603:10b6:806:29c::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5588.14; Sun, 11 Sep 2022 09:27:07 +0000 Received: from DM6NAM11FT048.eop-nam11.prod.protection.outlook.com (2603:10b6:5:3b3:cafe::c1) by DS7PR03CA0251.outlook.office365.com (2603:10b6:5:3b3::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.12 via Frontend Transport; Sun, 11 Sep 2022 09:27:07 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 12.22.5.236) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 12.22.5.236 as permitted sender) receiver=protection.outlook.com; client-ip=12.22.5.236; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (12.22.5.236) by DM6NAM11FT048.mail.protection.outlook.com (10.13.173.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.5612.13 via Frontend Transport; Sun, 11 Sep 2022 09:27:07 +0000 Received: from rnnvmail204.nvidia.com (10.129.68.6) by DRHQMAIL109.nvidia.com (10.27.9.19) with Microsoft SMTP Server (TLS) id 15.0.1497.38; Sun, 11 Sep 2022 09:27:06 +0000 Received: from rnnvmail204.nvidia.com (10.129.68.6) by rnnvmail204.nvidia.com (10.129.68.6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.29; Sun, 11 Sep 2022 02:27:05 -0700 Received: from vdi.nvidia.com (10.127.8.9) by mail.nvidia.com (10.129.68.6) with Microsoft SMTP Server id 15.2.986.29 via Frontend Transport; Sun, 11 Sep 2022 02:27:03 -0700 From: Emeel Hakim To: , CC: , , , "Emeel Hakim" Subject: [PATCH main v5 1/2] macsec: add Extended Packet Number support Date: Sun, 11 Sep 2022 12:26:55 +0300 Message-ID: <20220911092656.13986-1-ehakim@nvidia.com> X-Mailer: git-send-email 2.21.3 MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DM6NAM11FT048:EE_|SA1PR12MB7149:EE_ X-MS-Office365-Filtering-Correlation-Id: 830331de-6913-4658-5856-08da93d7cbc3 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: j6JkAlAq/zUTFxkI1Qfe5sXG6QEQW4SCIh5hWcbRlZSa9W3/BWQB23RSSd0Zox9Wa3PgmQHs7zEjfSnN2gz1B0EVN3v1C6biieV17Ea9nHU9Xk5WFXMP61d73Y7rid7bOj0+gtocMgKoEj2SizsEJR8ZjyAJAwKd/6rh6MmSS7HToJ1H3G265KertlmFrlQ68BwNVzO37SpQxOw66R64x8J95IujtKzAfnCjUws2zaVwSRtv9NquHu6WWM/V1KD9azrnZ3R+iM9ockSzdtXXuLZXJ+Ow5eDHr0HdF5d+fGOXnn7w6MEJpXBR/P0uX3ZWaa1Iw3h6nTpRsQMRcfDfMMsjdMA/65f/YodU1BKnI6Su6X6vOnrVExdPD0Dr7i12Wl5CKUHeRgJuG76Sa8wTX7cVt7FYE3XFKRLUuMRbiGioCE01dHB4UuU5+ZT5+eVMueN3gkKheXZ4KDRZkJYPjIfAKk9t5wfeLJ83IBACFnbqfhFIDbN8E/zqvS5EKmxokNKiff8Ntla9Rnwbg5NbCpumdCPL+VKJ8IeyBjKhdwnZFV+a7u0+ecMShrA+xNtJNEXM7RsyaLZ99WsyF8UGVEz4+ufFpQxAItYLpNBUGLDDABUFkMUlI35mGOFIVNua4114E8hGtlKIixQ8Q25QWgUyhSDqk9zo5jjfYN2vdKjZCSuakU981lTN9PA/c6k8Ekt+cSBYVqI3rhFnKu2yxKAHiPni/hEggwaw+qBU6TqW8y0Dd5P2+EMwZEiK+n+yvG6pXbFBYH8xzKDNVD4ratFP8mqota94o76slrruZRtPoKFH7+DsIVEFUQtj+xBRuWzrUEiKOyuSl+4IPP5sW1fprfWP9t0K2jFuQNd+PlDEERnDXcEOpPHeQOhZpTKs X-Forefront-Antispam-Report: CIP:12.22.5.236;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:InfoNoRecords;CAT:NONE;SFS:(13230016)(4636009)(376002)(396003)(346002)(39860400002)(136003)(46966006)(40470700004)(36840700001)(36756003)(478600001)(316002)(356005)(40480700001)(41300700001)(54906003)(81166007)(40460700003)(110136005)(82740400003)(47076005)(7696005)(26005)(86362001)(2616005)(1076003)(426003)(336012)(36860700001)(107886003)(83380400001)(82310400005)(2906002)(6666004)(186003)(8676002)(4326008)(70586007)(5660300002)(70206006)(8936002)(30864003)(36900700001);DIR:OUT;SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Sep 2022 09:27:07.0456 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 830331de-6913-4658-5856-08da93d7cbc3 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[12.22.5.236];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: DM6NAM11FT048.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR12MB7149 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This patch adds support for extended packet number (XPN). XPN can be configured by passing 'cipher gcm-aes-xpn-128' as part of the ip link add command using macsec type. In addition, using 'xpn' keyword instead of the 'pn', passing a 12 bytes salt using the 'salt' keyword and passing short secure channel id (ssci) using the 'ssci' keyword as part of the ip macsec command is required (see example). e.g: create a MACsec device on link eth0 with enabled xpn # ip link add link eth0 macsec0 type macsec port 11 encrypt on cipher gcm-aes-xpn-128 configure a secure association on the device # ip macsec add macsec0 tx sa 0 xpn 1024 on ssci 5 salt 838383838383838383838383 key 01 81818181818181818181818181818181 configure a secure association on the device with ssci = 5 # ip macsec add macsec0 tx sa 0 xpn 1024 on ssci 5 salt 838383838383838383838383 key 01 82828282828282828282828282828282 Signed-off-by: Emeel Hakim Reviewed-by: Sabrina Dubroca --- V1->V2: - Updated commit message. - Related uapi change got accepted upstream. "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=5d8175783585" - Allowed ssci to be empty to leave it up to the kernel to reject invalid requests. - Removed the flag option and exchanged it by a property for xpn. - Added the 64b xpn, ssci as part of the dump. V2->V3: - Add dedicated function to read ssci correctly. - Check for duplicate xpn and pn where command line has an xpn argument with upper 32bits set followed by a pn argument. - Don't use int to hold a boolean result. V3->V4: - Extend cipher suites to include 2 more options (GCM-AES-XPN-128, GCM-AES-XPN-256). - Add duparg check for both salt and ssci. - Add dedicated function to check if we are in xpn mode. V4->V5: - Updated commit message. - Updated usage print. - Use salt_set and ssci_set params in the is salt and ssci provided checks. ip/ipmacsec.c | 140 +++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 117 insertions(+), 23 deletions(-) diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c index bf48e8b5..6dd73827 100644 --- a/ip/ipmacsec.c +++ b/ip/ipmacsec.c @@ -43,11 +43,19 @@ struct sci { struct sa_desc { __u8 an; - __u32 pn; + union { + __u32 pn32; + __u64 pn64; + } pn; __u8 key_id[MACSEC_KEYID_LEN]; __u32 key_len; __u8 key[MACSEC_MAX_KEY_LEN]; __u8 active; + __u8 salt[MACSEC_SALT_LEN]; + __u32 ssci; + bool xpn; + bool salt_set; + bool ssci_set; }; struct cipher_args { @@ -98,14 +106,20 @@ static void ipmacsec_usage(void) " ip macsec show\n" " ip macsec show DEV\n" " ip macsec offload DEV [ off | phy | mac ]\n" - "where OPTS := [ pn ] [ on | off ]\n" + "where OPTS := [ pn | xpn ] [ salt SALT ] [ ssci ] [ on | off ]\n" " ID := 128-bit hex string\n" " KEY := 128-bit or 256-bit hex string\n" - " SCI := { sci | port { 1..2^16-1 } address }\n"); + " SCI := { sci | port { 1..2^16-1 } address }\n" + " SALT := 96-bit hex string\n"); exit(-1); } +static bool ciphersuite_is_xpn(__u64 cid) +{ + return (cid == MACSEC_CIPHER_ID_GCM_AES_XPN_128 || cid == MACSEC_CIPHER_ID_GCM_AES_XPN_256); +} + static int get_an(__u8 *val, const char *arg) { int ret = get_u8(val, arg, 0); @@ -124,6 +138,11 @@ static int get_sci(__u64 *sci, const char *arg) return get_be64(sci, arg, 16); } +static int get_ssci(__u32 *ssci, const char *arg) +{ + return get_be32(ssci, arg, 16); +} + static int get_port(__be16 *port, const char *arg) { return get_be16(port, arg, 0); @@ -174,14 +193,42 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa) while (argc > 0) { if (strcmp(*argv, "pn") == 0) { - if (sa->pn != 0) + if (sa->pn.pn64 != 0) duparg2("pn", "pn"); NEXT_ARG(); - ret = get_u32(&sa->pn, *argv, 0); + ret = get_u32(&sa->pn.pn32, *argv, 0); if (ret) invarg("expected pn", *argv); - if (sa->pn == 0) + if (sa->pn.pn32 == 0) invarg("expected pn != 0", *argv); + } else if (strcmp(*argv, "xpn") == 0) { + if (sa->pn.pn64 != 0) + duparg2("xpn", "xpn"); + NEXT_ARG(); + ret = get_u64(&sa->pn.pn64, *argv, 0); + if (ret) + invarg("expected pn", *argv); + if (sa->pn.pn64 == 0) + invarg("expected pn != 0", *argv); + sa->xpn = true; + } else if (strcmp(*argv, "salt") == 0) { + unsigned int len; + + if (sa->salt_set) + duparg2("salt", "salt"); + NEXT_ARG(); + if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN, + &len)) + invarg("expected salt", *argv); + sa->salt_set = true; + } else if (strcmp(*argv, "ssci") == 0) { + if (sa->ssci_set) + duparg2("ssci", "ssci"); + NEXT_ARG(); + ret = get_ssci(&sa->ssci, *argv); + if (ret) + invarg("expected ssci", *argv); + sa->ssci_set = true; } else if (strcmp(*argv, "key") == 0) { unsigned int len; @@ -392,9 +439,21 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex, addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an); if (c != CMD_DEL) { - if (sa->pn) - addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, - sa->pn); + if (sa->xpn) { + if (sa->pn.pn64) + addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, + sa->pn.pn64); + if (sa->salt_set) + addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT, + sa->salt, MACSEC_SALT_LEN); + if (sa->ssci_set) + addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI, + sa->ssci); + } else { + if (sa->pn.pn32) + addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, + sa->pn.pn32); + } if (sa->key_len) { addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID, @@ -426,7 +485,7 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa) return -1; } - if (sa->pn == 0) { + if (sa->pn.pn64 == 0) { fprintf(stderr, "must specify a packet number != 0\n"); return -1; } @@ -615,6 +674,9 @@ static void print_key(struct rtattr *key) #define CIPHER_NAME_GCM_AES_128 "GCM-AES-128" #define CIPHER_NAME_GCM_AES_256 "GCM-AES-256" +#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128" +#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256" + #define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128 static const char *cs_id_to_name(__u64 cid) @@ -627,6 +689,10 @@ static const char *cs_id_to_name(__u64 cid) return CIPHER_NAME_GCM_AES_128; case MACSEC_CIPHER_ID_GCM_AES_256: return CIPHER_NAME_GCM_AES_256; + case MACSEC_CIPHER_ID_GCM_AES_XPN_128: + return CIPHER_NAME_GCM_AES_XPN_128; + case MACSEC_CIPHER_ID_GCM_AES_XPN_256: + return CIPHER_NAME_GCM_AES_XPN_256; default: return "(unknown)"; } @@ -846,8 +912,8 @@ static void print_txsa_stats(const char *prefix, struct rtattr *attr) } static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa, - struct rtattr *txsc_stats, struct rtattr *secy_stats, - struct rtattr *sa) + bool is_xpn, struct rtattr *txsc_stats, + struct rtattr *secy_stats, struct rtattr *sa) { struct rtattr *sa_attr[MACSEC_SA_ATTR_MAX + 1]; struct rtattr *a; @@ -875,8 +941,16 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa, print_string(PRINT_FP, NULL, "%s", prefix); print_uint(PRINT_ANY, "an", "%d:", rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN])); - print_uint(PRINT_ANY, "pn", " PN %u,", - rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN])); + if (is_xpn) { + print_uint(PRINT_ANY, "pn", " PN %u,", + rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN])); + print_0xhex(PRINT_ANY, "ssci", + "SSCI %08x", + ntohl(rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI]))); + } else { + print_uint(PRINT_ANY, "pn", " PN %u,", + rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN])); + } print_bool(PRINT_JSON, "active", NULL, state); print_string(PRINT_FP, NULL, @@ -916,7 +990,8 @@ static void print_rxsc_stats(const char *prefix, struct rtattr *attr) } static void print_rx_sc(const char *prefix, __be64 sci, __u8 active, - struct rtattr *rxsc_stats, struct rtattr *sa) + bool is_xpn, struct rtattr *rxsc_stats, + struct rtattr *sa) { struct rtattr *sa_attr[MACSEC_SA_ATTR_MAX + 1]; struct rtattr *a; @@ -943,8 +1018,16 @@ static void print_rx_sc(const char *prefix, __be64 sci, __u8 active, print_string(PRINT_FP, NULL, "%s", prefix); print_uint(PRINT_ANY, "an", "%u:", rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN])); - print_uint(PRINT_ANY, "pn", " PN %u,", - rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN])); + if (is_xpn) { + print_uint(PRINT_ANY, "pn", " PN %u,", + rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN])); + print_0xhex(PRINT_ANY, "ssci", + "SSCI %08x", + ntohl(rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI]))); + } else { + print_uint(PRINT_ANY, "pn", " PN %u,", + rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN])); + } print_bool(PRINT_JSON, "active", NULL, state); print_string(PRINT_FP, NULL, " state %s,", @@ -958,7 +1041,7 @@ static void print_rx_sc(const char *prefix, __be64 sci, __u8 active, close_json_array(PRINT_JSON, NULL); } -static void print_rxsc_list(struct rtattr *sc) +static void print_rxsc_list(struct rtattr *sc, bool is_xpn) { int rem = RTA_PAYLOAD(sc); struct rtattr *c; @@ -973,6 +1056,7 @@ static void print_rxsc_list(struct rtattr *sc) print_rx_sc(" ", rta_getattr_u64(sc_attr[MACSEC_RXSC_ATTR_SCI]), rta_getattr_u32(sc_attr[MACSEC_RXSC_ATTR_ACTIVE]), + is_xpn, sc_attr[MACSEC_RXSC_ATTR_STATS], sc_attr[MACSEC_RXSC_ATTR_SA_LIST]); close_json_object(); @@ -989,6 +1073,8 @@ static int process(struct nlmsghdr *n, void *arg) int ifindex; __u64 sci; __u8 encoding_sa; + __u64 cid; + bool is_xpn = false; if (n->nlmsg_type != genl_family) return -1; @@ -1032,13 +1118,15 @@ static int process(struct nlmsghdr *n, void *arg) print_attrs(attrs_secy); - print_tx_sc(" ", sci, encoding_sa, + cid = rta_getattr_u64(attrs_secy[MACSEC_SECY_ATTR_CIPHER_SUITE]); + is_xpn = ciphersuite_is_xpn(cid); + print_tx_sc(" ", sci, encoding_sa, is_xpn, attrs[MACSEC_ATTR_TXSC_STATS], attrs[MACSEC_ATTR_SECY_STATS], attrs[MACSEC_ATTR_TXSA_LIST]); if (attrs[MACSEC_ATTR_RXSC_LIST]) - print_rxsc_list(attrs[MACSEC_ATTR_RXSC_LIST]); + print_rxsc_list(attrs[MACSEC_ATTR_RXSC_LIST], is_xpn); if (attrs[MACSEC_ATTR_OFFLOAD]) { struct rtattr *attrs_offload[MACSEC_OFFLOAD_ATTR_MAX + 1]; @@ -1245,7 +1333,7 @@ static void usage(FILE *f) { fprintf(f, "Usage: ... macsec [ [ address ] port { 1..2^16-1 } | sci ]\n" - " [ cipher { default | gcm-aes-128 | gcm-aes-256 } ]\n" + " [ cipher { default | gcm-aes-128 | gcm-aes-256 | gcm-aes-xpn-128 | gcm-aes-xpn-256 } ]\n" " [ icvlen { 8..16 } ]\n" " [ encrypt { on | off } ]\n" " [ send_sci { on | off } ]\n" @@ -1300,9 +1388,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv, else if (strcmp(*argv, "gcm-aes-256") == 0 || strcmp(*argv, "GCM-AES-256") == 0) cipher.id = MACSEC_CIPHER_ID_GCM_AES_256; + else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 || + strcmp(*argv, "GCM-AES-XPN-128") == 0) + cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128; + else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 || + strcmp(*argv, "GCM-AES-XPN-256") == 0) + cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256; else - invarg("expected: default, gcm-aes-128 or" - " gcm-aes-256", *argv); + invarg("expected: default, gcm-aes-128, gcm-aes-256," + " gcm-aes-xpn-128 or gcm-aes-xpn-256", *argv); } else if (strcmp(*argv, "icvlen") == 0) { NEXT_ARG(); if (cipher.icv_len) From patchwork Sun Sep 11 09:26:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Emeel Hakim X-Patchwork-Id: 12972815 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6EC7C6FA83 for ; Sun, 11 Sep 2022 09:27:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229785AbiIKJ1R (ORCPT ); Sun, 11 Sep 2022 05:27:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52440 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229907AbiIKJ1Q (ORCPT ); Sun, 11 Sep 2022 05:27:16 -0400 Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on2040.outbound.protection.outlook.com [40.107.236.40]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 934C9248C9 for ; Sun, 11 Sep 2022 02:27:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=A7Sb+gBwixzEEXFvjfmdm6NNngl9OMcC64zgSeXOLiS9/HNzW71zgbgt1gSJZHLYCUwnLrSGysZWjSxcpft6ksWGLVVtTyO/5cTtdWZA34W1dkGjzzV7+cT9F3K/vj6oJ/1bZp7v1DNxUig5OX2aN+q3wVE7RGqgMLuOYu9ItPAiPNrflleHzYozIPpNgY9gA+PDpRGCq8Ttpsx64y4ZBx+JFQoh+6vYKcYdAMxt6lVMLcSs3aDP/tiPGFJW0Kx0rxCj8NXEkgbzLs5RX/XYMtGoErZie35Y26yqk+bbTAxjCqjiQizXvhuXOPNT737vH7F3Fv/aP9yr0DF4hw4kPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2Xns9eOU6pLDcJHTtnpNqXg4fN5uK4Lk+DKTvnm0Ikg=; b=bE+Gz8yLPMZ7Z4wa/+IVYRNO+RU6XzTwfUVPsbsA/XLm1daflJw+Fv6rcLPTU1rMvLaaiqthKQprZ0Vc/62+o9kUE9SHrafqiWZLvTkv8QalfQLs6ExGsPCSnBJOtjn6nDJ9pNWd/tYjq601aJJFpHci85cu8n6/f67vLlIAuej+205oxrdGdTRSAX6P0dmrdvTnaJGlIc1FpJwCxpAYd/x2upIPLwxUv+MRYiOb/KemEsANN4m3LhVcQKRGiQAkujHlEmz7p1cSEcyInxxqXnDHM4BDCE0wPVFEgTppotJbnsMe4u/60EBG9q44hTa1k72SlcpWVqWYEzO++XHsIg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 12.22.5.235) smtp.rcpttodomain=vger.kernel.org smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2Xns9eOU6pLDcJHTtnpNqXg4fN5uK4Lk+DKTvnm0Ikg=; b=LDCXCBctiQ83aB7uWbwFM943/JSil+1QiWVXqAB2pZVrMvuwprW7YHtpGXgWuP3XU8bRVDbHzpoIb58k2a2LY1Q5bYHPmCjbTic0WqXrYSSPMtYsDooD5/EaWuOjUhYR/c6ByZco90Lu06fzv8FdKPXr0zTyxyWTi83mWZ6SSIMKGW1Vg+3WNMAtLEw/szrE/OQHDk2mAnvbIk6/t0Nlpde5JjzyFQZVU5yjep7DKIZKH60LGp5xD8K+s2qq/VWp/hCqnSI5xyvpA6nYtqoBPPtFYljWCcDWm8uEf42zGL9A6AEcfupJPvGR9DqgW0f3oqduRiquu5uW59zb22GMJw== Received: from MW2PR16CA0062.namprd16.prod.outlook.com (2603:10b6:907:1::39) by CH0PR12MB5385.namprd12.prod.outlook.com (2603:10b6:610:d4::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.14; Sun, 11 Sep 2022 09:27:13 +0000 Received: from CO1NAM11FT047.eop-nam11.prod.protection.outlook.com (2603:10b6:907:1:cafe::8) by MW2PR16CA0062.outlook.office365.com (2603:10b6:907:1::39) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.22 via Frontend Transport; Sun, 11 Sep 2022 09:27:13 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 12.22.5.235) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 12.22.5.235 as permitted sender) receiver=protection.outlook.com; client-ip=12.22.5.235; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (12.22.5.235) by CO1NAM11FT047.mail.protection.outlook.com (10.13.174.132) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.5612.13 via Frontend Transport; Sun, 11 Sep 2022 09:27:12 +0000 Received: from rnnvmail204.nvidia.com (10.129.68.6) by DRHQMAIL107.nvidia.com (10.27.9.16) with Microsoft SMTP Server (TLS) id 15.0.1497.38; Sun, 11 Sep 2022 09:27:12 +0000 Received: from rnnvmail204.nvidia.com (10.129.68.6) by rnnvmail204.nvidia.com (10.129.68.6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.29; Sun, 11 Sep 2022 02:27:11 -0700 Received: from vdi.nvidia.com (10.127.8.9) by mail.nvidia.com (10.129.68.6) with Microsoft SMTP Server id 15.2.986.29 via Frontend Transport; Sun, 11 Sep 2022 02:27:09 -0700 From: Emeel Hakim To: , CC: , , , "Emeel Hakim" Subject: [PATCH main v5 2/2] macsec: add user manual description for extended packet number feature Date: Sun, 11 Sep 2022 12:26:56 +0300 Message-ID: <20220911092656.13986-2-ehakim@nvidia.com> X-Mailer: git-send-email 2.21.3 In-Reply-To: <20220911092656.13986-1-ehakim@nvidia.com> References: <20220911092656.13986-1-ehakim@nvidia.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CO1NAM11FT047:EE_|CH0PR12MB5385:EE_ X-MS-Office365-Filtering-Correlation-Id: 6aae8803-049e-4279-c4b3-08da93d7cf29 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: AjX+12GfqR8mAhsu5H6OpMACpHmkVEncvpqOkMI5ayOuzUNHLHYvainYcROSKhDyJEsuGxKcQ0XIxb8tpJr/V0U0aUK3FZ1AwUFJx8uP6OiSrljh1aCgfd7+iuV6A64pHlKg7OpogCaA4DG4HRXQw70lRVQpkfuZ928U3wMM6qMgeM6xIpSMy5/p0kJaRCd53fO8Ee4sdwA//a9l/CTYUY1SU4qXH2klQz7vBVQj8KtegTUdO+176W4frjZxWjvSauNwY0vLaSbIvJc91W3u2AcnnybA07lqcV9Y6L2XJXJj9rAg6UT9Mvi3qZEaTQ0qIWH5oaNQjuvsveqo+i3yFc3a+g5jwzudXbGxNhm7Y2nykShC+l5mOFUrdrTsnCVPjkQGZWbcZ3r4QFBLxT0aAIwhmvpQtvWtU+2kmU6KKPWyLUfRIRpikzqts6htMzcqrU5b1WJ23xjORyoqnDGupERPMBZ0lSz2ZmPnb1Gsjftuqjdj9z73JDKwgmMkhKmKfQlrAmC2Y9Picr83sPPE3S2zt4bllwa9+j9+srSg4tTwY0+LCC96G5+RXYaavHFK4aLhzLlADJDqJrBELSBY7bg5vtbAO0on6c56FPKtEbSi3UciRHfdKUWCU9tmJhwMnMXEtvB+aJQbXkZEknwCOxTwQ8ys8j0c5wCamQ16D0tL0JrC/MQxUi5tY97c/f2Le2TQzKwFDS3iy5gtEl5e92nB1PrEymkcn3dh18liNv7n5g+OuyzGy5ljYau63A0fXo8E/tQo3BFxuAPVOxGR6tQ1yqwXX5KYw0/T2llbbSg= X-Forefront-Antispam-Report: CIP:12.22.5.235;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:InfoNoRecords;CAT:NONE;SFS:(13230016)(4636009)(346002)(376002)(396003)(39860400002)(136003)(36840700001)(46966006)(40470700004)(40480700001)(86362001)(40460700003)(36860700001)(81166007)(82740400003)(82310400005)(356005)(70586007)(70206006)(4326008)(8936002)(6666004)(107886003)(5660300002)(41300700001)(110136005)(8676002)(1076003)(478600001)(316002)(54906003)(47076005)(426003)(2616005)(186003)(83380400001)(26005)(2906002)(7696005)(336012)(36756003)(36900700001);DIR:OUT;SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Sep 2022 09:27:12.8125 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 6aae8803-049e-4279-c4b3-08da93d7cf29 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[12.22.5.235];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT047.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR12MB5385 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Update the user manual describing how to use extended packet number (XPN) feature for macsec. As part of configuring XPN, providing ssci and salt is required hence update user manual on how to provide the above as part of the ip macsec command. Signed-off-by: Emeel Hakim Reviewed-by: Sabrina Dubroca --- V1->V2: - Updated documentation. V2->V3: V3->V4: - Updated documentation. V4->V5: man/man8/ip-macsec.8 | 57 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 55 insertions(+), 2 deletions(-) diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8 index bb816157..1a144853 100644 --- a/man/man8/ip-macsec.8 +++ b/man/man8/ip-macsec.8 @@ -10,7 +10,7 @@ ip-macsec \- MACsec device configuration | .BI sci " " ] [ -.BR cipher " { " default " | " gcm-aes-128 " | " gcm-aes-256 " } ] [" +.BR cipher " { " default " | " gcm-aes-128 " | " gcm-aes-256 " | " gcm-aes-xpn-128 " | " gcm-aes-xpn-256 " } ] [" .BI icvlen " ICVLEN" ] [ .BR encrypt " { " on " | " off " } ] [" @@ -63,7 +63,13 @@ ip-macsec \- MACsec device configuration .IR OPTS " := [ " .BR pn " { " -.IR 1..2^32-1 " } ] [" +.IR 1..2^32-1 " } |" +.BR xpn " { " +.IR 1..2^64-1 " } ] [" +.B salt +.IR SALT " ] [" +.B ssci +.IR " ] [" .BR on " | " off " ]" .br .IR SCI " := { " @@ -75,6 +81,8 @@ ip-macsec \- MACsec device configuration } .br .IR PORT " := { " 1..2^16-1 " } " +.br +.IR SALT " := 96-bit hex string " .SH DESCRIPTION @@ -116,6 +124,29 @@ type. .nf # ip link add link eth0 macsec0 type macsec port 11 encrypt on offload mac +.SH EXTENDED PACKET NUMBER EXAMPLES +.PP +.SS Create a MACsec device on link eth0 with enabled extended packet number (offload is disabled by default) +.nf +# ip link add link eth0 macsec0 type macsec port 11 encrypt on cipher gcm-aes-xpn-128 +.PP +.SS Configure a secure association on that device +.nf +# ip macsec add macsec0 tx sa 0 xpn 1024 on salt 838383838383838383838383 ssci 123 key 01 81818181818181818181818181818181 +.PP +.SS Configure a receive channel +.nf +# ip macsec add macsec0 rx port 11 address c6:19:52:8f:e6:a0 +.PP +.SS Configure a receive association +.nf +# ip macsec add macsec0 rx port 11 address c6:19:52:8f:e6:a0 sa 0 xpn 1 on salt 838383838383838383838383 ssci 123 key 00 82828282828282828282828282828282 +.PP +.SS Display MACsec configuration +.nf +# ip macsec show +.PP + .SH NOTES This tool can be used to configure the 802.1AE keys of the interface. Note that 802.1AE uses GCM-AES with a initialization vector (IV) derived from the packet number. The same key must not be used @@ -125,6 +156,28 @@ that reconfigures the keys. It is wrong to just configure the keys statically an indefinitely. The suggested and standardized way for key management is 802.1X-2010, which is implemented by wpa_supplicant. +.SH EXTENDED PACKET NUMBER NOTES +Passing cipher +.B gcm-aes-xpn-128 +or +.B gcm-aes-xpn-256 +to +.B ip link add +command using the +.I macsec +type requires using the keyword +.B 'xpn' +instead of +.B 'pn' +in addition to providing a salt using the +.B 'salt' +keyword and ssci using the +.B 'ssci' +keyword when using the +.B ip macsec +command. + + .SH SEE ALSO .br .BR ip-link (8)