1 | /* SPDX-License-Identifier: GPL-2.0-only */ |
2 | /* Atlantic Network Driver |
3 | * Copyright (C) 2020 Marvell International Ltd. |
4 | */ |
5 | |
6 | #ifndef _MACSEC_STRUCT_H_ |
7 | #define _MACSEC_STRUCT_H_ |
8 | |
/*! Represents the bitfields of a single row in the Egress CTL Filter
 * table.
 *
 * Every field is carried in a u32 (or a u32 array); the width the
 * hardware actually uses is given in the per-field comment.
 *
 * NOTE(review): a matching row with action=0 bypasses the remaining
 * egress modules. Presumably that includes the MACsec protect stage, so
 * a broad match_mask would let frames leave unprotected - confirm
 * against the datasheet and keep such rows as narrow as possible.
 */
struct aq_mss_egress_ctlf_record {
	/*! Stores the 48 bit value that is compared against the SA, the DA
	 * or the half DA + half SA value (selected by match_type).
	 */
	u32 sa_da[2];
	/*! Stores the 16 bit ethertype value used for comparison. */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every value
	 * will match successfully. The total data is 64 bit, i.e. 16 nibble
	 * masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. this entry is not used
	 * 1: compare DA only
	 * 2: compare SA only
	 * 3: compare half DA + half SA
	 * 4: compare ether type only
	 * 5: compare DA + ethertype
	 * 6: compare SA + ethertype
	 * 7: compare DA + range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 * 1: Forward to next module for more classifications.
	 */
	u32 action;
};
41 | |
/*! Represents the bitfields of a single row in the Egress Packet
 * Classifier table.
 *
 * The first group of fields holds the values to compare, the *_mask
 * fields enable the individual comparisons, and the trailing fields
 * (sc_idx, sc_sa, debug, action, valid) say what happens on a match.
 * Every field is carried in a u32 (or a u32 array); the width the
 * hardware uses is given in the per-field comment.
 */
struct aq_mss_egress_class_record {
	/*! VLAN ID field. */
	u32 vlan_id;
	/*! VLAN UP field. */
	u32 vlan_up;
	/*! VLAN Present in the Packet. */
	u32 vlan_valid;
	/*! The 8 bit value used to compare with extracted value for byte 3. */
	u32 byte3;
	/*! The 8 bit value used to compare with extracted value for byte 2. */
	u32 byte2;
	/*! The 8 bit value used to compare with extracted value for byte 1. */
	u32 byte1;
	/*! The 8 bit value used to compare with extracted value for byte 0. */
	u32 byte0;
	/*! The 8 bit TCI field used to compare with extracted value. */
	u32 tci;
	/*! The 64 bit SCI field in the SecTAG. */
	u32 sci[2];
	/*! The 16 bit Ethertype (in the clear) field used to compare with
	 * extracted value.
	 */
	u32 eth_type;
	/*! Specifies the 40 bit SNAP header if the SNAP header's mask is
	 * enabled.
	 */
	u32 snap[2];
	/*! Specifies the 24 bit LLC header if the LLC header's mask is
	 * enabled.
	 */
	u32 llc;
	/*! The 48 bit MAC_SA field used to compare with extracted value. */
	u32 mac_sa[2];
	/*! The 48 bit MAC_DA field used to compare with extracted value. */
	u32 mac_da[2];
	/*! The 32 bit Packet number used to compare with extracted value. */
	u32 pn;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 * which can be any of the first 64 bytes of the MAC packet.
	 * The location is counted from the MAC DA, i.e. 0 points to
	 * byte 0 of the DA.
	 */
	u32 byte3_location;
	/*! 0: don't care
	 * 1: enable comparison of extracted byte pointed by byte 3 location.
	 */
	u32 byte3_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 * which can be any of the first 64 bytes of the MAC packet.
	 * The location is counted from the MAC DA, i.e. 0 points to
	 * byte 0 of the DA.
	 */
	u32 byte2_location;
	/*! 0: don't care
	 * 1: enable comparison of extracted byte pointed by byte 2 location.
	 */
	u32 byte2_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 * which can be any of the first 64 bytes of the MAC packet.
	 * The location is counted from the MAC DA, i.e. 0 points to
	 * byte 0 of the DA.
	 */
	u32 byte1_location;
	/*! 0: don't care
	 * 1: enable comparison of extracted byte pointed by byte 1 location.
	 */
	u32 byte1_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 * which can be any of the first 64 bytes of the MAC packet.
	 * The location is counted from the MAC DA, i.e. 0 points to
	 * byte 0 of the DA.
	 */
	u32 byte0_location;
	/*! 0: don't care
	 * 1: enable comparison of extracted byte pointed by byte 0 location.
	 */
	u32 byte0_mask;
	/*! Mask is per-byte.
	 * 0: don't care
	 * 1: enable comparison of extracted VLAN ID field.
	 */
	u32 vlan_id_mask;
	/*! 0: don't care
	 * 1: enable comparison of extracted VLAN UP field.
	 */
	u32 vlan_up_mask;
	/*! 0: don't care
	 * 1: enable comparison of extracted VLAN Valid field.
	 */
	u32 vlan_valid_mask;
	/*! Bit mask that enables comparison of the 8 bit TCI field,
	 * including the AN field.
	 * For explicit SECTAG, AN is hardware controlled. When sending a
	 * packet with an explicit SECTAG, the rest of the TCI fields are
	 * taken directly from the SECTAG.
	 */
	u32 tci_mask;
	/*! Mask is per-byte.
	 * 0: don't care
	 * 1: enable comparison of SCI
	 * Note: If this field is not 0, the input packet's SECTAG is
	 * explicitly tagged and the MACSEC module will only update the
	 * MSDU.
	 * PN number is hardware controlled.
	 */
	u32 sci_mask;
	/*! Mask is per-byte.
	 * 0: don't care
	 * 1: enable comparison of Ethertype.
	 */
	u32 eth_type_mask;
	/*! Mask is per-byte.
	 * 0: don't care and no SNAP header exists.
	 * 1: compare the SNAP header.
	 * If this bit is set to 1, the extracted field will assume the
	 * SNAP header exists as encapsulated in 802.3 (RFC 1042), i.e. the
	 * next 5 bytes after the LLC header are the SNAP header.
	 */
	u32 snap_mask;
	/*! 0: don't care and no LLC header exists.
	 * 1: compare the LLC header.
	 * If this bit is set to 1, the extracted field will assume the
	 * LLC header exists as encapsulated in 802.3 (RFC 1042), i.e. the
	 * next three bytes after the 802.3 MAC header are the LLC header.
	 */
	u32 llc_mask;
	/*! Mask is per-byte.
	 * 0: don't care
	 * 1: enable comparison of MAC_SA.
	 */
	u32 sa_mask;
	/*! Mask is per-byte.
	 * 0: don't care
	 * 1: enable comparison of MAC_DA.
	 */
	u32 da_mask;
	/*! Mask is per-byte. */
	u32 pn_mask;
	/*! Reserved. This bit should be always 0. */
	u32 eight02dot2;
	/*! 1: For explicit sectag case use TCI_SC from table
	 * 0: use TCI_SC from explicit sectag.
	 */
	u32 tci_sc;
	/*! 1: For explicit sectag case, use TCI_V,ES,SCB,E,C from table
	 * 0: use TCI_V,ES,SCB,E,C from explicit sectag.
	 */
	u32 tci_87543;
	/*! 1: indicates that incoming packet has explicit sectag. */
	u32 exp_sectag_en;
	/*! If packet matches and is tagged as controlled-packet, this SC/SA
	 * index is used for later SC and SA table lookup.
	 */
	u32 sc_idx;
	/*! Specifies how many SA entries are associated with 1 SC entry.
	 * 2'b00: 1 SC has 4 SA.
	 * SC index is equivalent to {SC_Index[4:2], 1'b0}.
	 * SA index is equivalent to {SC_Index[4:2], SC entry's current
	 * AN[1:0]}
	 * 2'b10: 1 SC has 2 SA.
	 * SC index is equivalent to SC_Index[4:1]
	 * SA index is equivalent to {SC_Index[4:1], SC entry's current AN[0]}
	 * 2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
	 * SA index is equivalent to SC_Index[4:0]
	 * Note: if specified as 2'b11, hardware AN roll over is not
	 * supported.
	 * (2'b01 is not described here.)
	 */
	u32 sc_sa;
	/*! 0: the packets will be sent to MAC FIFO
	 * 1: The packets will be sent to Debug/Loopback FIFO.
	 * If the action field is drop, this bit has no meaning.
	 */
	u32 debug;
	/*! 0: forward to remaining modules
	 * 1: bypass the next encryption modules. This packet is considered
	 * an uncontrolled packet, so a row with this action lets the
	 * matching traffic skip encryption - match as narrowly as
	 * possible.
	 * 2: drop
	 * 3: Reserved.
	 */
	u32 action;
	/*! 0: Not valid entry. This entry is not used
	 * 1: valid entry.
	 */
	u32 valid;
};
230 | |
/*! Represents the bitfields of a single row in the Egress SC Lookup table.
 *
 * Holds the per-SC transmit policy (protect, TCI, offset, key length)
 * together with state that the hardware maintains (start/stop time,
 * curr_an, recv, fresh).
 */
struct aq_mss_egress_sc_record {
	/*! Specifies when the SC was first used. Set by HW. */
	u32 start_time;
	/*! Specifies when the SC was last used. Set by HW. */
	u32 stop_time;
	/*! Specifies which of the SA entries is currently used by HW.
	 * Note: This value needs to be set by SW after reset. It will be
	 * automatically updated by HW, if AN roll over is enabled.
	 */
	u32 curr_an;
	/*! 0: Clear the SA Valid Bit after PN expiry.
	 * 1: Do not Clear the SA Valid bit after PN expiry of the current SA.
	 * When the Enable AN roll over is set, S/W does not need to
	 * program the new SA's and the H/W will automatically roll over
	 * between the SA's without session expiry.
	 * For normal operation, Enable AN Roll over will be set to '0'
	 * and in which case, the SW needs to program the new SA values
	 * after the current PN expires.
	 * NOTE(review): rolling back onto an SA whose SAK and PN space
	 * were already used would repeat AES-GCM nonces under the same
	 * key; presumably the key agreement layer installs fresh SAKs
	 * before that can happen - confirm before enabling.
	 */
	u32 an_roll;
	/*! This is the TCI field used if packet is not explicitly tagged. */
	u32 tci;
	/*! This value indicates the offset where the decryption will start.
	 * [Values of 0, 4, 8-50].
	 * NOTE(review): this is the egress table, so "decryption" presumably
	 * means encryption - confirm. Bytes before the offset would then
	 * be sent in the clear.
	 */
	u32 enc_off;
	/*! 0: Do not protect frames, all the packets will be forwarded
	 * unchanged. MIB counter (OutPktsUntagged) will be updated.
	 * 1: Protect.
	 */
	u32 protect;
	/*! 0: when none of the SA related to SC has inUse set.
	 * 1: when either of the SA related to the SC has inUse set.
	 * This bit is set by HW.
	 */
	u32 recv;
	/*! 0: H/W Clears this bit on the first use.
	 * 1: SW updates this entry, when programming the SC Table.
	 */
	u32 fresh;
	/*! AES Key size
	 * 00 - 128bits
	 * 01 - 192bits
	 * 10 - 256bits
	 * 11 - Reserved.
	 */
	u32 sak_len;
	/*! 0: Invalid SC
	 * 1: Valid SC.
	 */
	u32 valid;
};
284 | |
/*! Represents the bitfields of a single row in the Egress SA Lookup table.
 *
 * Carries the transmit packet-number state of one SA. The PN is part of
 * the AES-GCM nonce, so it must never repeat for a given SAK.
 */
struct aq_mss_egress_sa_record {
	/*! Specifies when the SC was first used. Set by HW.
	 * NOTE(review): this is an SA row, so "SC" is presumably meant to
	 * read "SA" - confirm.
	 */
	u32 start_time;
	/*! Specifies when the SC was last used. Set by HW.
	 * NOTE(review): presumably "SA", as for start_time - confirm.
	 */
	u32 stop_time;
	/*! Set by SW and updated by HW to store the Next PN number used
	 * for encryption.
	 * NOTE(review): SW should only write this when installing a fresh
	 * SAK; writing a lower value under the same key would reuse
	 * nonces.
	 */
	u32 next_pn;
	/*! Indicates that Next_PN is going to wrap around from 0xFFFF_FFFF
	 * to 0. Set by HW.
	 */
	u32 sat_pn;
	/*! 0: This SA is in use.
	 * 1: This SA is Fresh and set by SW.
	 */
	u32 fresh;
	/*! 0: Invalid SA
	 * 1: Valid SA.
	 */
	u32 valid;
};
308 | |
/*! Represents the bitfields of a single row in the Egress SA Key
 * Lookup table.
 *
 * This record holds raw key material (the SAK). Instances should live
 * no longer than needed to program the table and should be wiped with
 * memzero_explicit() afterwards; they must not be logged or dumped.
 */
struct aq_mss_egress_sakey_record {
	/*! Key for AES-GCM processing. 8 x 32 bit words, i.e. room for a
	 * key of up to 256 bits; how shorter keys are placed in the array
	 * is not visible from this header.
	 */
	u32 key[8];
};
316 | |
/*! Represents the bitfields of a single row in the Ingress Pre-MACSec
 * CTL Filter table.
 *
 * Every field is carried in a u32 (or a u32 array); the width the
 * hardware actually uses is given in the per-field comment.
 *
 * NOTE(review): a matching row with action=0 bypasses the remaining
 * ingress modules. Presumably that includes MACsec validation, so a
 * broad match_mask would admit unauthenticated frames - confirm
 * against the datasheet and keep such rows as narrow as possible.
 */
struct aq_mss_ingress_prectlf_record {
	/*! Stores the 48 bit value that is compared against the SA, the DA
	 * or the half DA + half SA value (selected by match_type).
	 */
	u32 sa_da[2];
	/*! Stores the 16 bit ethertype value used for comparison. */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every
	 * value will match successfully. The total data is 64 bit, i.e.
	 * 16 nibble masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. this entry is not used
	 * 1: compare DA only
	 * 2: compare SA only
	 * 3: compare half DA + half SA
	 * 4: compare ether type only
	 * 5: compare DA + ethertype
	 * 6: compare SA + ethertype
	 * 7: compare DA + range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 * 1: Forward to next module for more classifications.
	 */
	u32 action;
};
349 | |
/*! Represents the bitfields of a single row in the Ingress Pre-MACSec
 * Packet Classifier table.
 *
 * The first group of fields holds the values to compare, the *_mask
 * fields enable the individual comparisons, and the trailing fields
 * (sc_idx, proc_dest, action, ctrl_unctrl, sci_from_table, valid) say
 * what happens on a match. Every field is carried in a u32 (or a u32
 * array); the width the hardware uses is given in the per-field
 * comment.
 */
struct aq_mss_ingress_preclass_record {
	/*! The 64 bit SCI field used to compare with extracted value.
	 * Should have SCI value in case TCI[SCI_SEND] == 0. This will be
	 * used for ICV calculation.
	 */
	u32 sci[2];
	/*! The 8 bit TCI field used to compare with extracted value. */
	u32 tci;
	/*! 8 bit encryption offset. */
	u32 encr_offset;
	/*! The 16 bit Ethertype (in the clear) field used to compare with
	 * extracted value.
	 */
	u32 eth_type;
	/*! Specifies the 40 bit SNAP header if the SNAP header's mask is
	 * enabled.
	 */
	u32 snap[2];
	/*! Specifies the 24 bit LLC header if the LLC header's mask is
	 * enabled.
	 */
	u32 llc;
	/*! The 48 bit MAC_SA field used to compare with extracted value. */
	u32 mac_sa[2];
	/*! The 48 bit MAC_DA field used to compare with extracted value. */
	u32 mac_da[2];
	/*! 0: this is to compare with non-LPBK packet
	 * 1: this is to compare with LPBK packet.
	 * This value is compared with a controlled-tag which goes with the
	 * packet when it is looped back from the Egress port.
	 */
	u32 lpbk_packet;
	/*! The value of this bit mask affects how the SC index and SA
	 * index are created.
	 * 2'b00: 1 SC has 4 SA.
	 * SC index is equivalent to {SC_Index[4:2], 1'b0}.
	 * SA index is equivalent to {SC_Index[4:2], SECTAG's AN[1:0]}
	 * Here AN bits are not compared.
	 * 2'b10: 1 SC has 2 SA.
	 * SC index is equivalent to SC_Index[4:1]
	 * SA index is equivalent to {SC_Index[4:1], SECTAG's AN[0]}
	 * Compare AN[1] field only
	 * 2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
	 * SA index is equivalent to SC_Index[4:0]
	 * AN[1:0] bits are compared.
	 * NOTE: This design supports different usages of AN. The user
	 * can either ping-pong between 2 SAs by using only the AN[0] bit,
	 * or use 4 SAs per SC by using the AN[1:0] bits, or even treat
	 * each SA as independent, i.e. AN[1:0] is just another matching
	 * pointer to select the SA.
	 * (2'b01 is not described here.)
	 */
	u32 an_mask;
	/*! Bit mask that enables comparison of the upper 6 bits of the TCI
	 * field, which does not include the AN field.
	 * 0: don't compare
	 * 1: enable comparison of the bits.
	 */
	u32 tci_mask;
	/*! 0: don't care
	 * 1: enable comparison of SCI.
	 */
	u32 sci_mask;
	/*! Mask is per-byte.
	 * 0: don't care
	 * 1: enable comparison of Ethertype.
	 */
	u32 eth_type_mask;
	/*! Mask is per-byte.
	 * 0: don't care and no SNAP header exists.
	 * 1: compare the SNAP header.
	 * If this bit is set to 1, the extracted field will assume the
	 * SNAP header exists as encapsulated in 802.3 (RFC 1042), i.e. the
	 * next 5 bytes after the LLC header are the SNAP header.
	 */
	u32 snap_mask;
	/*! Mask is per-byte.
	 * 0: don't care and no LLC header exists.
	 * 1: compare the LLC header.
	 * If this bit is set to 1, the extracted field will assume the
	 * LLC header exists as encapsulated in 802.3 (RFC 1042), i.e. the
	 * next three bytes after the 802.3 MAC header are the LLC header.
	 */
	u32 llc_mask;
	/*! Reserved. This bit should be always 0. */
	u32 _802_2_encapsulate;
	/*! Mask is per-byte.
	 * 0: don't care
	 * 1: enable comparison of MAC_SA.
	 */
	u32 sa_mask;
	/*! Mask is per-byte.
	 * 0: don't care
	 * 1: enable comparison of MAC_DA.
	 */
	u32 da_mask;
	/*! 0: don't care
	 * 1: enable checking if this is loopback packet or not.
	 */
	u32 lpbk_mask;
	/*! If packet matches and is tagged as controlled-packet, this SC/SA
	 * index is used for later SC and SA table lookup.
	 */
	u32 sc_idx;
	/*! 0: the packets will be sent to MAC FIFO
	 * 1: The packets will be sent to Debug/Loopback FIFO.
	 * If the action field is drop, this bit has no meaning.
	 */
	u32 proc_dest;
	/*! 0: Process: Forward to next two modules for 802.1AE decryption.
	 * 1: Process but keep SECTAG: Forward to next two modules for
	 * 802.1AE decryption but keep the MACSEC header with added error
	 * code information. ICV will be stripped for all control packets.
	 * 2: Bypass: Bypass the next two decryption modules but processed
	 * by post-classification. Matching frames are therefore not
	 * validated by the decryption modules - match as narrowly as
	 * possible.
	 * 3: Drop: drop this packet and update counts accordingly.
	 */
	u32 action;
	/*! 0: This is a controlled-port packet if matched.
	 * 1: This is an uncontrolled-port packet if matched.
	 */
	u32 ctrl_unctrl;
	/*! Use the SCI value from the Table if 'SC' bit of the input
	 * packet is not present.
	 */
	u32 sci_from_table;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Not valid entry. This entry is not used
	 * 1: valid entry.
	 */
	u32 valid;
};
485 | |
/*! Represents the bitfields of a single row in the Ingress SC Lookup table.
 *
 * Holds the receive policy of one SC: frame validation mode, replay
 * protection and AN roll over, plus state maintained by the hardware.
 */
struct aq_mss_ingress_sc_record {
	/*! Specifies when the SC was first used. Set by HW.
	 * NOTE(review): this text is identical to start_time's; going by
	 * the field name and the Egress SC record this is presumably when
	 * the SC was last used - confirm.
	 */
	u32 stop_time;
	/*! Specifies when the SC was first used. Set by HW. */
	u32 start_time;
	/*! 0: Strict
	 * 1: Check
	 * 2: Disabled.
	 * NOTE(review): the ingress counter descriptions in this file only
	 * mention discarding invalid or untagged frames for Strict;
	 * Check and Disabled presumably let such frames through - confirm
	 * before using anything other than Strict on a protected link.
	 */
	u32 validate_frames;
	/*! 1: Replay control enabled.
	 * 0: replay control disabled.
	 */
	u32 replay_protect;
	/*! Specifies the window range for anti-replay. Default is 0.
	 * 0: is strict order enforcement.
	 */
	u32 anti_replay_window;
	/*! 0: when none of the SA related to SC has inUse set.
	 * 1: when either of the SA related to the SC has inUse set.
	 * This bit is set by HW.
	 */
	u32 receiving;
	/*! 0: when hardware processed the SC for the first time, it clears
	 * this bit
	 * 1: This bit is set by SW, when it sets up the SC.
	 */
	u32 fresh;
	/*! 0: The AN number will not automatically roll over if Next_PN is
	 * saturated.
	 * 1: The AN number will automatically roll over if Next_PN is
	 * saturated.
	 * Rollover is valid only after expiry. Normal roll over between
	 * SA's should be normal process.
	 */
	u32 an_rol;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Invalid SC
	 * 1: Valid SC.
	 */
	u32 valid;
};
530 | |
/*! Represents the bitfields of a single row in the Ingress SA Lookup table.
 *
 * Carries the receive packet-number state of one SA, which the hardware
 * uses for anti-replay.
 */
struct aq_mss_ingress_sa_record {
	/*! Specifies when the SC was first used. Set by HW.
	 * NOTE(review): this text is identical to start_time's and names
	 * the SC; going by the field name this is presumably when the SA
	 * was last used - confirm.
	 */
	u32 stop_time;
	/*! Specifies when the SC was first used. Set by HW.
	 * NOTE(review): this is an SA row, so "SC" is presumably meant to
	 * read "SA" - confirm.
	 */
	u32 start_time;
	/*! Updated by HW to store the expected NextPN number for
	 * anti-replay.
	 */
	u32 next_pn;
	/*! Indicates that Next_PN is going to wrap around from 0xFFFF_FFFF
	 * to 0. Set by HW.
	 */
	u32 sat_nextpn;
	/*! 0: This SA is not yet used.
	 * 1: This SA is inUse.
	 */
	u32 in_use;
	/*! 0: when hardware processed the SC for the first time, it clears
	 * this timer
	 * 1: This bit is set by SW, when it sets up the SC.
	 * NOTE(review): "timer" presumably means this bit, as in the
	 * Ingress SC record - confirm.
	 */
	u32 fresh;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Invalid SA.
	 * 1: Valid SA.
	 */
	u32 valid;
};
561 | |
/*! Represents the bitfields of a single row in the Ingress SA Key
 * Lookup table.
 *
 * This record holds raw key material (the SAK). Instances should live
 * no longer than needed to program the table and should be wiped with
 * memzero_explicit() afterwards; they must not be logged or dumped.
 */
struct aq_mss_ingress_sakey_record {
	/*! Key for AES-GCM processing. 8 x 32 bit words, i.e. room for a
	 * key of up to 256 bits; how shorter keys are placed in the array
	 * is not visible from this header.
	 */
	u32 key[8];
	/*! AES key size
	 * 00 - 128bits
	 * 01 - 192bits
	 * 10 - 256bits
	 * 11 - reserved.
	 */
	u32 key_len;
};
576 | |
/*! Represents the bitfields of a single row in the Ingress Post-
 * MACSec Packet Classifier table.
 *
 * The first group of fields holds the values to compare, the *_mask
 * fields select what is compared, and firstlevel_actions /
 * secondlevel_actions give the pass or drop decision.
 */
struct aq_mss_ingress_postclass_record {
	/*! The 8 bit value used to compare with extracted value for byte 0. */
	u32 byte0;
	/*! The 8 bit value used to compare with extracted value for byte 1. */
	u32 byte1;
	/*! The 8 bit value used to compare with extracted value for byte 2. */
	u32 byte2;
	/*! The 8 bit value used to compare with extracted value for byte 3. */
	u32 byte3;
	/*! Ethertype in the packet. */
	u32 eth_type;
	/*! Ether Type value > 1500 (0x5dc). */
	u32 eth_type_valid;
	/*! VLAN ID after parsing. */
	u32 vlan_id;
	/*! VLAN priority after parsing. */
	u32 vlan_up;
	/*! Valid VLAN coding. */
	u32 vlan_valid;
	/*! SA index. */
	u32 sai;
	/*! SAI hit, i.e. controlled packet. */
	u32 sai_hit;
	/*! Mask for payload ethertype field. */
	u32 eth_type_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 * which can be any of the first 64 bytes of the MAC packet.
	 * The location is counted from the MAC DA, i.e. 0 points to
	 * byte 0 of the DA.
	 */
	u32 byte3_location;
	/*! Mask for Byte Offset 3. */
	u32 byte3_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 * which can be any of the first 64 bytes of the MAC packet.
	 * The location is counted from the MAC DA, i.e. 0 points to
	 * byte 0 of the DA.
	 */
	u32 byte2_location;
	/*! Mask for Byte Offset 2. */
	u32 byte2_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 * which can be any of the first 64 bytes of the MAC packet.
	 * The location is counted from the MAC DA, i.e. 0 points to
	 * byte 0 of the DA.
	 */
	u32 byte1_location;
	/*! Mask for Byte Offset 1. */
	u32 byte1_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 * which can be any of the first 64 bytes of the MAC packet.
	 * The location is counted from the MAC DA, i.e. 0 points to
	 * byte 0 of the DA.
	 */
	u32 byte0_location;
	/*! Mask for Byte Offset 0. */
	u32 byte0_mask;
	/*! Mask for Ethertype valid field. Indicates 802.3 vs. Other. */
	u32 eth_type_valid_mask;
	/*! Mask for VLAN ID field. */
	u32 vlan_id_mask;
	/*! Mask for VLAN UP field. */
	u32 vlan_up_mask;
	/*! Mask for VLAN valid field. */
	u32 vlan_valid_mask;
	/*! Mask for SAI. */
	u32 sai_mask;
	/*! Mask for SAI_HIT. */
	u32 sai_hit_mask;
	/*! Action if only first level matches and second level does not.
	 * 0: pass
	 * 1: drop (fail).
	 */
	u32 firstlevel_actions;
	/*! Action if both first and second level matched.
	 * 0: pass
	 * 1: drop (fail).
	 */
	u32 secondlevel_actions;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Not valid entry. This entry is not used
	 * 1: valid entry.
	 */
	u32 valid;
};
666 | |
/*! Represents the bitfields of a single row in the Ingress Post-
 * MACSec CTL Filter table.
 *
 * Every field is carried in a u32 (or a u32 array); the width the
 * hardware actually uses is given in the per-field comment.
 */
struct aq_mss_ingress_postctlf_record {
	/*! Stores the 48 bit value that is compared against the SA, the DA
	 * or the half DA + half SA value (selected by match_type).
	 */
	u32 sa_da[2];
	/*! Stores the 16 bit ethertype value used for comparison. */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every
	 * value will match successfully. The total data is 64 bit, i.e.
	 * 16 nibble masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. this entry is not used
	 * 1: compare DA only
	 * 2: compare SA only
	 * 3: compare half DA + half SA
	 * 4: compare ether type only
	 * 5: compare DA + ethertype
	 * 6: compare SA + ethertype
	 * 7: compare DA + range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 * 1: Forward to next module for more classifications.
	 */
	u32 action;
};
699 | |
/*! Represents the Egress MIB counters for a single SC. Counters are
 * 64 bits, lower 32 bits in field[0], i.e. the value is
 * ((u64)field[1] << 32) | field[0].
 */
struct aq_mss_egress_sc_counters {
	/*! The number of integrity protected but not encrypted packets
	 * for this transmitting SC.
	 */
	u32 sc_protected_pkts[2];
	/*! The number of integrity protected and encrypted packets for
	 * this transmitting SC.
	 */
	u32 sc_encrypted_pkts[2];
	/*! The number of plain text octets that are integrity protected
	 * but not encrypted on the transmitting SC.
	 */
	u32 sc_protected_octets[2];
	/*! The number of plain text octets that are integrity protected
	 * and encrypted on the transmitting SC.
	 */
	u32 sc_encrypted_octets[2];
};
721 | |
/*! Represents the Egress MIB counters for a single SA. Counters are
 * 64 bits, lower 32 bits in field[0], i.e. the value is
 * ((u64)field[1] << 32) | field[0].
 */
struct aq_mss_egress_sa_counters {
	/*! The number of dropped packets for this transmitting SA. */
	u32 sa_hit_drop_redirect[2];
	/*! TODO: meaning not documented in this header. */
	u32 sa_protected2_pkts[2];
	/*! The number of integrity protected but not encrypted packets
	 * for this transmitting SA.
	 */
	u32 sa_protected_pkts[2];
	/*! The number of integrity protected and encrypted packets for
	 * this transmitting SA.
	 */
	u32 sa_encrypted_pkts[2];
};
739 | |
/*! Represents the common Egress MIB counters; the counters not
 * associated with a particular SC/SA. Counters are 64 bits, lower 32
 * bits in field[0], i.e. the value is ((u64)field[1] << 32) | field[0].
 *
 * unknown_sa_pkts and untagged_pkts count traffic that was transmitted
 * without matching a classifier row or with protect=0, which makes
 * them useful for spotting frames that left the port unprotected.
 */
struct aq_mss_egress_common_counters {
	/*! The number of transmitted packets classified as MAC_CTL packets. */
	u32 ctl_pkt[2];
	/*! The number of transmitted packets that did not match any rows
	 * in the Egress Packet Classifier table.
	 */
	u32 unknown_sa_pkts[2];
	/*! The number of transmitted packets where the SC table entry has
	 * protect=0 (so packets are forwarded unchanged).
	 */
	u32 untagged_pkts[2];
	/*! The number of transmitted packets discarded because the packet
	 * length is greater than the ifMtu of the Common Port interface.
	 */
	u32 too_long[2];
	/*! The number of transmitted packets for which table memory was
	 * affected by an ECC error during processing.
	 */
	u32 ecc_error_pkts[2];
	/*! The number of transmitted packets where the matched row in
	 * the Egress Packet Classifier table has action=drop.
	 */
	u32 unctrl_hit_drop_redir[2];
};
768 | |
/*! Represents the Ingress MIB counters for a single SA. Counters are
 * 64 bits, lower 32 bits in field[0], i.e. the value is
 * ((u64)field[1] << 32) | field[0].
 *
 * not_valid_pkts, invalid_pkts and late_pkts count frames that failed
 * validation or the replay check, so growth in them is worth
 * monitoring as a sign of tampering, replay or key mismatch.
 */
struct aq_mss_ingress_sa_counters {
	/*! For this SA, the number of received packets without a SecTAG. */
	u32 untagged_hit_pkts[2];
	/*! For this SA, the number of received packets that were dropped. */
	u32 ctrl_hit_drop_redir_pkts[2];
	/*! For this SA which is not currently in use, the number of
	 * received packets that have been discarded, and have either the
	 * packets encrypted or the matched row in the Ingress SC Lookup
	 * table has validate_frames=Strict.
	 */
	u32 not_using_sa[2];
	/*! For this SA which is not currently in use, the number of
	 * received, unencrypted, packets where the matched row in the
	 * Ingress SC Lookup table has validate_frames!=Strict.
	 */
	u32 unused_sa[2];
	/*! For this SA, the number of discarded packets with the condition
	 * that the packets are not valid and one of the following
	 * conditions is true: either the matched row in the Ingress SC
	 * Lookup table has validate_frames=Strict or the packets are
	 * encrypted.
	 */
	u32 not_valid_pkts[2];
	/*! For this SA, the number of packets with the condition that the
	 * packets are not valid and the matched row in the Ingress SC
	 * Lookup table has validate_frames=Check.
	 */
	u32 invalid_pkts[2];
	/*! For this SA, the number of validated packets. */
	u32 ok_pkts[2];
	/*! For this SC, the number of received packets that have been
	 * discarded with the condition: the matched row in the Ingress
	 * SC Lookup table has replay_protect=1 and the PN of the packet
	 * is lower than the lower bound replay check PN.
	 */
	u32 late_pkts[2];
	/*! For this SA, the number of packets with the condition that the
	 * PN of the packets is lower than the lower bound replay
	 * protection PN.
	 */
	u32 delayed_pkts[2];
	/*! For this SC, the number of packets with the following condition:
	 * - the matched row in the Ingress SC Lookup table has
	 * replay_protect=0 or
	 * - the matched row in the Ingress SC Lookup table has
	 * replay_protect=1 and the packet is not encrypted and the
	 * integrity check has failed or
	 * - the matched row in the Ingress SC Lookup table has
	 * replay_protect=1 and the packet is encrypted and integrity
	 * check has failed.
	 */
	u32 unchecked_pkts[2];
	/*! The number of octets of plaintext recovered from received
	 * packets that were integrity protected but not encrypted.
	 */
	u32 validated_octets[2];
	/*! The number of octets of plaintext recovered from received
	 * packets that were integrity protected and encrypted.
	 */
	u32 decrypted_octets[2];
};
833 | |
/*! Represents the common Ingress MIB counters; the counters not
 * associated with a particular SA. Counters are 64 bits, lower 32
 * bits in field[0], i.e. the value is ((u64)field[1] << 32) | field[0].
 *
 * bad_tag_pkts, no_sci_pkts, notag_pkts and the *_fail_pkts counters
 * record frames rejected by the MACsec checks; untagged_pkts and
 * unknown_sci_pkts record frames that were not discarded only because
 * validate_frames is not Strict.
 */
struct aq_mss_ingress_common_counters {
	/*! The number of received packets classified as MAC_CTL packets. */
	u32 ctl_pkts[2];
	/*! The number of received packets with the MAC security tag
	 * (SecTAG), not matching any rows in the Ingress Pre-MACSec
	 * Packet Classifier table.
	 */
	u32 tagged_miss_pkts[2];
	/*! The number of received packets without the MAC security tag
	 * (SecTAG), not matching any rows in the Ingress Pre-MACSec
	 * Packet Classifier table.
	 */
	u32 untagged_miss_pkts[2];
	/*! The number of received packets discarded without the MAC
	 * security tag (SecTAG) and with the matched row in the Ingress
	 * SC Lookup table having validate_frames=Strict.
	 */
	u32 notag_pkts[2];
	/*! The number of received packets without the MAC security tag
	 * (SecTAG) and with the matched row in the Ingress SC Lookup
	 * table having validate_frames!=Strict.
	 */
	u32 untagged_pkts[2];
	/*! The number of received packets discarded with an invalid
	 * SecTAG or a zero value PN or an invalid ICV.
	 */
	u32 bad_tag_pkts[2];
	/*! The number of received packets discarded with unknown SCI
	 * information with the condition:
	 * the matched row in the Ingress SC Lookup table has
	 * validate_frames=Strict or the C bit in the SecTAG is set.
	 */
	u32 no_sci_pkts[2];
	/*! The number of received packets with unknown SCI with the condition:
	 * The matched row in the Ingress SC Lookup table has
	 * validate_frames!=Strict and the C bit in the SecTAG is not set.
	 */
	u32 unknown_sci_pkts[2];
	/*! The number of received packets by the controlled port service
	 * that passed the Ingress Post-MACSec Packet Classifier table
	 * check.
	 */
	u32 ctrl_prt_pass_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 * service that passed the Ingress Post-MACSec Packet Classifier
	 * table check.
	 */
	u32 unctrl_prt_pass_pkts[2];
	/*! The number of received packets by the controlled port service
	 * that failed the Ingress Post-MACSec Packet Classifier table
	 * check.
	 */
	u32 ctrl_prt_fail_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 * service that failed the Ingress Post-MACSec Packet Classifier
	 * table check.
	 */
	u32 unctrl_prt_fail_pkts[2];
	/*! The number of received packets discarded because the packet
	 * length is greater than the ifMtu of the Common Port interface.
	 */
	u32 too_long_pkts[2];
	/*! The number of received packets classified as MAC_CTL by the
	 * Ingress Post-MACSec CTL Filter table.
	 */
	u32 igpoc_ctl_pkts[2];
	/*! The number of received packets for which table memory was
	 * affected by an ECC error during processing.
	 */
	u32 ecc_error_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 * service that were dropped.
	 */
	u32 unctrl_hit_drop_redir[2];
};
913 | |
914 | #endif |
915 | |