1/* SPDX-License-Identifier: GPL-2.0-only */
2/* Atlantic Network Driver
3 * Copyright (C) 2020 Marvell International Ltd.
4 */
5
6#ifndef _MACSEC_STRUCT_H_
7#define _MACSEC_STRUCT_H_
8
9/*! Represents the bitfields of a single row in the Egress CTL Filter
10 * table.
11 */
12struct aq_mss_egress_ctlf_record {
13 /*! This is used to store the 48 bit value used to compare SA, DA or
14 * halfDA+half SA value.
15 */
16 u32 sa_da[2];
17 /*! This is used to store the 16 bit ethertype value used for
18 * comparison.
19 */
20 u32 eth_type;
21 /*! The match mask is per-nibble. 0 means don't care, i.e. every value
22 * will match successfully. The total data is 64 bit, i.e. 16 nibbles
23 * masks.
24 */
25 u32 match_mask;
26 /*! 0: No compare, i.e. This entry is not used
27 * 1: compare DA only
28 * 2: compare SA only
29 * 3: compare half DA + half SA
30 * 4: compare ether type only
31 * 5: compare DA + ethertype
32 * 6: compare SA + ethertype
33 * 7: compare DA+ range.
34 */
35 u32 match_type;
36 /*! 0: Bypass the remaining modules if matched.
37 * 1: Forward to next module for more classifications.
38 */
39 u32 action;
40};
41
42/*! Represents the bitfields of a single row in the Egress Packet
43 * Classifier table.
44 */
45struct aq_mss_egress_class_record {
46 /*! VLAN ID field. */
47 u32 vlan_id;
48 /*! VLAN UP field. */
49 u32 vlan_up;
50 /*! VLAN Present in the Packet. */
51 u32 vlan_valid;
52 /*! The 8 bit value used to compare with extracted value for byte 3. */
53 u32 byte3;
54 /*! The 8 bit value used to compare with extracted value for byte 2. */
55 u32 byte2;
56 /*! The 8 bit value used to compare with extracted value for byte 1. */
57 u32 byte1;
58 /*! The 8 bit value used to compare with extracted value for byte 0. */
59 u32 byte0;
60 /*! The 8 bit TCI field used to compare with extracted value. */
61 u32 tci;
62 /*! The 64 bit SCI field in the SecTAG. */
63 u32 sci[2];
64 /*! The 16 bit Ethertype (in the clear) field used to compare with
65 * extracted value.
66 */
67 u32 eth_type;
68 /*! This is to specify the 40bit SNAP header if the SNAP header's mask
69 * is enabled.
70 */
71 u32 snap[2];
72 /*! This is to specify the 24bit LLC header if the LLC header's mask is
73 * enabled.
74 */
75 u32 llc;
76 /*! The 48 bit MAC_SA field used to compare with extracted value. */
77 u32 mac_sa[2];
78 /*! The 48 bit MAC_DA field used to compare with extracted value. */
79 u32 mac_da[2];
80 /*! The 32 bit Packet number used to compare with extracted value. */
81 u32 pn;
82 /*! 0~63: byte location used extracted by packets comparator, which
83 * can be anything from the first 64 bytes of the MAC packets.
84 * This byte location counted from MAC' DA address. i.e. set to 0
85 * will point to byte 0 of DA address.
86 */
87 u32 byte3_location;
88 /*! 0: don't care
89 * 1: enable comparison of extracted byte pointed by byte 3 location.
90 */
91 u32 byte3_mask;
92 /*! 0~63: byte location used extracted by packets comparator, which
93 * can be anything from the first 64 bytes of the MAC packets.
94 * This byte location counted from MAC' DA address. i.e. set to 0
95 * will point to byte 0 of DA address.
96 */
97 u32 byte2_location;
98 /*! 0: don't care
99 * 1: enable comparison of extracted byte pointed by byte 2 location.
100 */
101 u32 byte2_mask;
102 /*! 0~63: byte location used extracted by packets comparator, which
103 * can be anything from the first 64 bytes of the MAC packets.
104 * This byte location counted from MAC' DA address. i.e. set to 0
105 * will point to byte 0 of DA address.
106 */
107 u32 byte1_location;
108 /*! 0: don't care
109 * 1: enable comparison of extracted byte pointed by byte 1 location.
110 */
111 u32 byte1_mask;
112 /*! 0~63: byte location used extracted by packets comparator, which
113 * can be anything from the first 64 bytes of the MAC packets.
114 * This byte location counted from MAC' DA address. i.e. set to 0
115 * will point to byte 0 of DA address.
116 */
117 u32 byte0_location;
118 /*! 0: don't care
119 * 1: enable comparison of extracted byte pointed by byte 0 location.
120 */
121 u32 byte0_mask;
122 /*! Mask is per-byte.
123 * 0: don't care
124 * 1: enable comparison of extracted VLAN ID field.
125 */
126 u32 vlan_id_mask;
127 /*! 0: don't care
128 * 1: enable comparison of extracted VLAN UP field.
129 */
130 u32 vlan_up_mask;
131 /*! 0: don't care
132 * 1: enable comparison of extracted VLAN Valid field.
133 */
134 u32 vlan_valid_mask;
135 /*! This is bit mask to enable comparison the 8 bit TCI field,
136 * including the AN field.
137 * For explicit SECTAG, AN is hardware controlled. For sending
138 * packet w/ explicit SECTAG, rest of the TCI fields are directly
139 * from the SECTAG.
140 */
141 u32 tci_mask;
142 /*! Mask is per-byte.
143 * 0: don't care
144 * 1: enable comparison of SCI
145 * Note: If this field is not 0, this means the input packet's
146 * SECTAG is explicitly tagged and MACSEC module will only update
147 * the MSDU.
148 * PN number is hardware controlled.
149 */
150 u32 sci_mask;
151 /*! Mask is per-byte.
152 * 0: don't care
153 * 1: enable comparison of Ethertype.
154 */
155 u32 eth_type_mask;
156 /*! Mask is per-byte.
157 * 0: don't care and no SNAP header exist.
158 * 1: compare the SNAP header.
159 * If this bit is set to 1, the extracted filed will assume the
160 * SNAP header exist as encapsulated in 802.3 (RFC 1042). I.E. the
161 * next 5 bytes after the LLC header is SNAP header.
162 */
163 u32 snap_mask;
164 /*! 0: don't care and no LLC header exist.
165 * 1: compare the LLC header.
166 * If this bit is set to 1, the extracted filed will assume the
167 * LLC header exist as encapsulated in 802.3 (RFC 1042). I.E. the
168 * next three bytes after the 802.3MAC header is LLC header.
169 */
170 u32 llc_mask;
171 /*! Mask is per-byte.
172 * 0: don't care
173 * 1: enable comparison of MAC_SA.
174 */
175 u32 sa_mask;
176 /*! Mask is per-byte.
177 * 0: don't care
178 * 1: enable comparison of MAC_DA.
179 */
180 u32 da_mask;
181 /*! Mask is per-byte. */
182 u32 pn_mask;
183 /*! Reserved. This bit should be always 0. */
184 u32 eight02dot2;
185 /*! 1: For explicit sectag case use TCI_SC from table
186 * 0: use TCI_SC from explicit sectag.
187 */
188 u32 tci_sc;
189 /*! 1: For explicit sectag case,use TCI_V,ES,SCB,E,C from table
190 * 0: use TCI_V,ES,SCB,E,C from explicit sectag.
191 */
192 u32 tci_87543;
193 /*! 1: indicates that incoming packet has explicit sectag. */
194 u32 exp_sectag_en;
195 /*! If packet matches and tagged as controlled-packet, this SC/SA
196 * index is used for later SC and SA table lookup.
197 */
198 u32 sc_idx;
199 /*! This field is used to specify how many SA entries are
200 * associated with 1 SC entry.
201 * 2'b00: 1 SC has 4 SA.
202 * SC index is equivalent to {SC_Index[4:2], 1'b0}.
203 * SA index is equivalent to {SC_Index[4:2], SC entry's current AN[1:0]
204 * 2'b10: 1 SC has 2 SA.
205 * SC index is equivalent to SC_Index[4:1]
206 * SA index is equivalent to {SC_Index[4:1], SC entry's current AN[0]}
207 * 2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
208 * SA index is equivalent to SC_Index[4:0]
209 * Note: if specified as 2'b11, hardware AN roll over is not
210 * supported.
211 */
212 u32 sc_sa;
213 /*! 0: the packets will be sent to MAC FIFO
214 * 1: The packets will be sent to Debug/Loopback FIFO.
215 * If the above's action is drop, this bit has no meaning.
216 */
217 u32 debug;
218 /*! 0: forward to remaining modules
219 * 1: bypass the next encryption modules. This packet is considered
220 * un-control packet.
221 * 2: drop
222 * 3: Reserved.
223 */
224 u32 action;
225 /*! 0: Not valid entry. This entry is not used
226 * 1: valid entry.
227 */
228 u32 valid;
229};
230
231/*! Represents the bitfields of a single row in the Egress SC Lookup table. */
232struct aq_mss_egress_sc_record {
233 /*! This is to specify when the SC was first used. Set by HW. */
234 u32 start_time;
235 /*! This is to specify when the SC was last used. Set by HW. */
236 u32 stop_time;
237 /*! This is to specify which of the SA entries are used by current HW.
238 * Note: This value need to be set by SW after reset. It will be
239 * automatically updated by HW, if AN roll over is enabled.
240 */
241 u32 curr_an;
242 /*! 0: Clear the SA Valid Bit after PN expiry.
243 * 1: Do not Clear the SA Valid bit after PN expiry of the current SA.
244 * When the Enable AN roll over is set, S/W does not need to
245 * program the new SA's and the H/W will automatically roll over
246 * between the SA's without session expiry.
247 * For normal operation, Enable AN Roll over will be set to '0'
248 * and in which case, the SW needs to program the new SA values
249 * after the current PN expires.
250 */
251 u32 an_roll;
252 /*! This is the TCI field used if packet is not explicitly tagged. */
253 u32 tci;
254 /*! This value indicates the offset where the decryption will start.
255 * [[Values of 0, 4, 8-50].
256 */
257 u32 enc_off;
258 /*! 0: Do not protect frames, all the packets will be forwarded
259 * unchanged. MIB counter (OutPktsUntagged) will be updated.
260 * 1: Protect.
261 */
262 u32 protect;
263 /*! 0: when none of the SA related to SC has inUse set.
264 * 1: when either of the SA related to the SC has inUse set.
265 * This bit is set by HW.
266 */
267 u32 recv;
268 /*! 0: H/W Clears this bit on the first use.
269 * 1: SW updates this entry, when programming the SC Table.
270 */
271 u32 fresh;
272 /*! AES Key size
273 * 00 - 128bits
274 * 01 - 192bits
275 * 10 - 256bits
276 * 11 - Reserved.
277 */
278 u32 sak_len;
279 /*! 0: Invalid SC
280 * 1: Valid SC.
281 */
282 u32 valid;
283};
284
285/*! Represents the bitfields of a single row in the Egress SA Lookup table. */
286struct aq_mss_egress_sa_record {
287 /*! This is to specify when the SC was first used. Set by HW. */
288 u32 start_time;
289 /*! This is to specify when the SC was last used. Set by HW. */
290 u32 stop_time;
291 /*! This is set by SW and updated by HW to store the Next PN number
292 * used for encryption.
293 */
294 u32 next_pn;
295 /*! The Next_PN number is going to wrapped around from 0xFFFF_FFFF
296 * to 0. set by HW.
297 */
298 u32 sat_pn;
299 /*! 0: This SA is in use.
300 * 1: This SA is Fresh and set by SW.
301 */
302 u32 fresh;
303 /*! 0: Invalid SA
304 * 1: Valid SA.
305 */
306 u32 valid;
307};
308
309/*! Represents the bitfields of a single row in the Egress SA Key
310 * Lookup table.
311 */
312struct aq_mss_egress_sakey_record {
313 /*! Key for AES-GCM processing. */
314 u32 key[8];
315};
316
317/*! Represents the bitfields of a single row in the Ingress Pre-MACSec
318 * CTL Filter table.
319 */
320struct aq_mss_ingress_prectlf_record {
321 /*! This is used to store the 48 bit value used to compare SA, DA
322 * or halfDA+half SA value.
323 */
324 u32 sa_da[2];
325 /*! This is used to store the 16 bit ethertype value used for
326 * comparison.
327 */
328 u32 eth_type;
329 /*! The match mask is per-nibble. 0 means don't care, i.e. every
330 * value will match successfully. The total data is 64 bit, i.e.
331 * 16 nibbles masks.
332 */
333 u32 match_mask;
334 /*! 0: No compare, i.e. This entry is not used
335 * 1: compare DA only
336 * 2: compare SA only
337 * 3: compare half DA + half SA
338 * 4: compare ether type only
339 * 5: compare DA + ethertype
340 * 6: compare SA + ethertype
341 * 7: compare DA+ range.
342 */
343 u32 match_type;
344 /*! 0: Bypass the remaining modules if matched.
345 * 1: Forward to next module for more classifications.
346 */
347 u32 action;
348};
349
350/*! Represents the bitfields of a single row in the Ingress Pre-MACSec
351 * Packet Classifier table.
352 */
353struct aq_mss_ingress_preclass_record {
354 /*! The 64 bit SCI field used to compare with extracted value.
355 * Should have SCI value in case TCI[SCI_SEND] == 0. This will be
356 * used for ICV calculation.
357 */
358 u32 sci[2];
359 /*! The 8 bit TCI field used to compare with extracted value. */
360 u32 tci;
361 /*! 8 bit encryption offset. */
362 u32 encr_offset;
363 /*! The 16 bit Ethertype (in the clear) field used to compare with
364 * extracted value.
365 */
366 u32 eth_type;
367 /*! This is to specify the 40bit SNAP header if the SNAP header's
368 * mask is enabled.
369 */
370 u32 snap[2];
371 /*! This is to specify the 24bit LLC header if the LLC header's
372 * mask is enabled.
373 */
374 u32 llc;
375 /*! The 48 bit MAC_SA field used to compare with extracted value. */
376 u32 mac_sa[2];
377 /*! The 48 bit MAC_DA field used to compare with extracted value. */
378 u32 mac_da[2];
379 /*! 0: this is to compare with non-LPBK packet
380 * 1: this is to compare with LPBK packet.
381 * This value is used to compare with a controlled-tag which goes
382 * with the packet when looped back from Egress port.
383 */
384 u32 lpbk_packet;
385 /*! The value of this bit mask will affects how the SC index and SA
386 * index created.
387 * 2'b00: 1 SC has 4 SA.
388 * SC index is equivalent to {SC_Index[4:2], 1'b0}.
389 * SA index is equivalent to {SC_Index[4:2], SECTAG's AN[1:0]}
390 * Here AN bits are not compared.
391 * 2'b10: 1 SC has 2 SA.
392 * SC index is equivalent to SC_Index[4:1]
393 * SA index is equivalent to {SC_Index[4:1], SECTAG's AN[0]}
394 * Compare AN[1] field only
395 * 2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
396 * SA index is equivalent to SC_Index[4:0]
397 * AN[1:0] bits are compared.
398 * NOTE: This design is to supports different usage of AN. User
399 * can either ping-pong buffer 2 SA by using only the AN[0] bit.
400 * Or use 4 SA per SC by use AN[1:0] bits. Or even treat each SA
401 * as independent. i.e. AN[1:0] is just another matching pointer
402 * to select SA.
403 */
404 u32 an_mask;
405 /*! This is bit mask to enable comparison the upper 6 bits TCI
406 * field, which does not include the AN field.
407 * 0: don't compare
408 * 1: enable comparison of the bits.
409 */
410 u32 tci_mask;
411 /*! 0: don't care
412 * 1: enable comparison of SCI.
413 */
414 u32 sci_mask;
415 /*! Mask is per-byte.
416 * 0: don't care
417 * 1: enable comparison of Ethertype.
418 */
419 u32 eth_type_mask;
420 /*! Mask is per-byte.
421 * 0: don't care and no SNAP header exist.
422 * 1: compare the SNAP header.
423 * If this bit is set to 1, the extracted filed will assume the
424 * SNAP header exist as encapsulated in 802.3 (RFC 1042). I.E. the
425 * next 5 bytes after the LLC header is SNAP header.
426 */
427 u32 snap_mask;
428 /*! Mask is per-byte.
429 * 0: don't care and no LLC header exist.
430 * 1: compare the LLC header.
431 * If this bit is set to 1, the extracted filed will assume the
432 * LLC header exist as encapsulated in 802.3 (RFC 1042). I.E. the
433 * next three bytes after the 802.3MAC header is LLC header.
434 */
435 u32 llc_mask;
436 /*! Reserved. This bit should be always 0. */
437 u32 _802_2_encapsulate;
438 /*! Mask is per-byte.
439 * 0: don't care
440 * 1: enable comparison of MAC_SA.
441 */
442 u32 sa_mask;
443 /*! Mask is per-byte.
444 * 0: don't care
445 * 1: enable comparison of MAC_DA.
446 */
447 u32 da_mask;
448 /*! 0: don't care
449 * 1: enable checking if this is loopback packet or not.
450 */
451 u32 lpbk_mask;
452 /*! If packet matches and tagged as controlled-packet. This SC/SA
453 * index is used for later SC and SA table lookup.
454 */
455 u32 sc_idx;
456 /*! 0: the packets will be sent to MAC FIFO
457 * 1: The packets will be sent to Debug/Loopback FIFO.
458 * If the above's action is drop. This bit has no meaning.
459 */
460 u32 proc_dest;
461 /*! 0: Process: Forward to next two modules for 802.1AE decryption.
462 * 1: Process but keep SECTAG: Forward to next two modules for
463 * 802.1AE decryption but keep the MACSEC header with added error
464 * code information. ICV will be stripped for all control packets.
465 * 2: Bypass: Bypass the next two decryption modules but processed
466 * by post-classification.
467 * 3: Drop: drop this packet and update counts accordingly.
468 */
469 u32 action;
470 /*! 0: This is a controlled-port packet if matched.
471 * 1: This is an uncontrolled-port packet if matched.
472 */
473 u32 ctrl_unctrl;
474 /*! Use the SCI value from the Table if 'SC' bit of the input
475 * packet is not present.
476 */
477 u32 sci_from_table;
478 /*! Reserved. */
479 u32 reserved;
480 /*! 0: Not valid entry. This entry is not used
481 * 1: valid entry.
482 */
483 u32 valid;
484};
485
486/*! Represents the bitfields of a single row in the Ingress SC Lookup table. */
487struct aq_mss_ingress_sc_record {
488 /*! This is to specify when the SC was first used. Set by HW. */
489 u32 stop_time;
490 /*! This is to specify when the SC was first used. Set by HW. */
491 u32 start_time;
492 /*! 0: Strict
493 * 1: Check
494 * 2: Disabled.
495 */
496 u32 validate_frames;
497 /*! 1: Replay control enabled.
498 * 0: replay control disabled.
499 */
500 u32 replay_protect;
501 /*! This is to specify the window range for anti-replay. Default is 0.
502 * 0: is strict order enforcement.
503 */
504 u32 anti_replay_window;
505 /*! 0: when none of the SA related to SC has inUse set.
506 * 1: when either of the SA related to the SC has inUse set.
507 * This bit is set by HW.
508 */
509 u32 receiving;
510 /*! 0: when hardware processed the SC for the first time, it clears
511 * this bit
512 * 1: This bit is set by SW, when it sets up the SC.
513 */
514 u32 fresh;
515 /*! 0: The AN number will not automatically roll over if Next_PN is
516 * saturated.
517 * 1: The AN number will automatically roll over if Next_PN is
518 * saturated.
519 * Rollover is valid only after expiry. Normal roll over between
520 * SA's should be normal process.
521 */
522 u32 an_rol;
523 /*! Reserved. */
524 u32 reserved;
525 /*! 0: Invalid SC
526 * 1: Valid SC.
527 */
528 u32 valid;
529};
530
531/*! Represents the bitfields of a single row in the Ingress SA Lookup table. */
532struct aq_mss_ingress_sa_record {
533 /*! This is to specify when the SC was first used. Set by HW. */
534 u32 stop_time;
535 /*! This is to specify when the SC was first used. Set by HW. */
536 u32 start_time;
537 /*! This is updated by HW to store the expected NextPN number for
538 * anti-replay.
539 */
540 u32 next_pn;
541 /*! The Next_PN number is going to wrapped around from 0XFFFF_FFFF
542 * to 0. set by HW.
543 */
544 u32 sat_nextpn;
545 /*! 0: This SA is not yet used.
546 * 1: This SA is inUse.
547 */
548 u32 in_use;
549 /*! 0: when hardware processed the SC for the first time, it clears
550 * this timer
551 * 1: This bit is set by SW, when it sets up the SC.
552 */
553 u32 fresh;
554 /*! Reserved. */
555 u32 reserved;
556 /*! 0: Invalid SA.
557 * 1: Valid SA.
558 */
559 u32 valid;
560};
561
562/*! Represents the bitfields of a single row in the Ingress SA Key
563 * Lookup table.
564 */
565struct aq_mss_ingress_sakey_record {
566 /*! Key for AES-GCM processing. */
567 u32 key[8];
568 /*! AES key size
569 * 00 - 128bits
570 * 01 - 192bits
571 * 10 - 256bits
572 * 11 - reserved.
573 */
574 u32 key_len;
575};
576
577/*! Represents the bitfields of a single row in the Ingress Post-
578 * MACSec Packet Classifier table.
579 */
580struct aq_mss_ingress_postclass_record {
581 /*! The 8 bit value used to compare with extracted value for byte 0. */
582 u32 byte0;
583 /*! The 8 bit value used to compare with extracted value for byte 1. */
584 u32 byte1;
585 /*! The 8 bit value used to compare with extracted value for byte 2. */
586 u32 byte2;
587 /*! The 8 bit value used to compare with extracted value for byte 3. */
588 u32 byte3;
589 /*! Ethertype in the packet. */
590 u32 eth_type;
591 /*! Ether Type value > 1500 (0x5dc). */
592 u32 eth_type_valid;
593 /*! VLAN ID after parsing. */
594 u32 vlan_id;
595 /*! VLAN priority after parsing. */
596 u32 vlan_up;
597 /*! Valid VLAN coding. */
598 u32 vlan_valid;
599 /*! SA index. */
600 u32 sai;
601 /*! SAI hit, i.e. controlled packet. */
602 u32 sai_hit;
603 /*! Mask for payload ethertype field. */
604 u32 eth_type_mask;
605 /*! 0~63: byte location used extracted by packets comparator, which
606 * can be anything from the first 64 bytes of the MAC packets.
607 * This byte location counted from MAC' DA address. i.e. set to 0
608 * will point to byte 0 of DA address.
609 */
610 u32 byte3_location;
611 /*! Mask for Byte Offset 3. */
612 u32 byte3_mask;
613 /*! 0~63: byte location used extracted by packets comparator, which
614 * can be anything from the first 64 bytes of the MAC packets.
615 * This byte location counted from MAC' DA address. i.e. set to 0
616 * will point to byte 0 of DA address.
617 */
618 u32 byte2_location;
619 /*! Mask for Byte Offset 2. */
620 u32 byte2_mask;
621 /*! 0~63: byte location used extracted by packets comparator, which
622 * can be anything from the first 64 bytes of the MAC packets.
623 * This byte location counted from MAC' DA address. i.e. set to 0
624 * will point to byte 0 of DA address.
625 */
626 u32 byte1_location;
627 /*! Mask for Byte Offset 1. */
628 u32 byte1_mask;
629 /*! 0~63: byte location used extracted by packets comparator, which
630 * can be anything from the first 64 bytes of the MAC packets.
631 * This byte location counted from MAC' DA address. i.e. set to 0
632 * will point to byte 0 of DA address.
633 */
634 u32 byte0_location;
635 /*! Mask for Byte Offset 0. */
636 u32 byte0_mask;
637 /*! Mask for Ethertype valid field. Indicates 802.3 vs. Other. */
638 u32 eth_type_valid_mask;
639 /*! Mask for VLAN ID field. */
640 u32 vlan_id_mask;
641 /*! Mask for VLAN UP field. */
642 u32 vlan_up_mask;
643 /*! Mask for VLAN valid field. */
644 u32 vlan_valid_mask;
645 /*! Mask for SAI. */
646 u32 sai_mask;
647 /*! Mask for SAI_HIT. */
648 u32 sai_hit_mask;
649 /*! Action if only first level matches and second level does not.
650 * 0: pass
651 * 1: drop (fail).
652 */
653 u32 firstlevel_actions;
654 /*! Action if both first and second level matched.
655 * 0: pass
656 * 1: drop (fail).
657 */
658 u32 secondlevel_actions;
659 /*! Reserved. */
660 u32 reserved;
661 /*! 0: Not valid entry. This entry is not used
662 * 1: valid entry.
663 */
664 u32 valid;
665};
666
667/*! Represents the bitfields of a single row in the Ingress Post-
668 * MACSec CTL Filter table.
669 */
670struct aq_mss_ingress_postctlf_record {
671 /*! This is used to store the 48 bit value used to compare SA, DA
672 * or halfDA+half SA value.
673 */
674 u32 sa_da[2];
675 /*! This is used to store the 16 bit ethertype value used for
676 * comparison.
677 */
678 u32 eth_type;
679 /*! The match mask is per-nibble. 0 means don't care, i.e. every
680 * value will match successfully. The total data is 64 bit, i.e.
681 * 16 nibbles masks.
682 */
683 u32 match_mask;
684 /*! 0: No compare, i.e. This entry is not used
685 * 1: compare DA only
686 * 2: compare SA only
687 * 3: compare half DA + half SA
688 * 4: compare ether type only
689 * 5: compare DA + ethertype
690 * 6: compare SA + ethertype
691 * 7: compare DA+ range.
692 */
693 u32 match_type;
694 /*! 0: Bypass the remaining modules if matched.
695 * 1: Forward to next module for more classifications.
696 */
697 u32 action;
698};
699
700/*! Represents the Egress MIB counters for a single SC. Counters are
701 * 64 bits, lower 32 bits in field[0].
702 */
703struct aq_mss_egress_sc_counters {
704 /*! The number of integrity protected but not encrypted packets
705 * for this transmitting SC.
706 */
707 u32 sc_protected_pkts[2];
708 /*! The number of integrity protected and encrypted packets for
709 * this transmitting SC.
710 */
711 u32 sc_encrypted_pkts[2];
712 /*! The number of plain text octets that are integrity protected
713 * but not encrypted on the transmitting SC.
714 */
715 u32 sc_protected_octets[2];
716 /*! The number of plain text octets that are integrity protected
717 * and encrypted on the transmitting SC.
718 */
719 u32 sc_encrypted_octets[2];
720};
721
722/*! Represents the Egress MIB counters for a single SA. Counters are
723 * 64 bits, lower 32 bits in field[0].
724 */
725struct aq_mss_egress_sa_counters {
726 /*! The number of dropped packets for this transmitting SA. */
727 u32 sa_hit_drop_redirect[2];
728 /*! TODO */
729 u32 sa_protected2_pkts[2];
730 /*! The number of integrity protected but not encrypted packets
731 * for this transmitting SA.
732 */
733 u32 sa_protected_pkts[2];
734 /*! The number of integrity protected and encrypted packets for
735 * this transmitting SA.
736 */
737 u32 sa_encrypted_pkts[2];
738};
739
740/*! Represents the common Egress MIB counters; the counter not
741 * associated with a particular SC/SA. Counters are 64 bits, lower 32
742 * bits in field[0].
743 */
744struct aq_mss_egress_common_counters {
745 /*! The number of transmitted packets classified as MAC_CTL packets. */
746 u32 ctl_pkt[2];
747 /*! The number of transmitted packets that did not match any rows
748 * in the Egress Packet Classifier table.
749 */
750 u32 unknown_sa_pkts[2];
751 /*! The number of transmitted packets where the SC table entry has
752 * protect=0 (so packets are forwarded unchanged).
753 */
754 u32 untagged_pkts[2];
755 /*! The number of transmitted packets discarded because the packet
756 * length is greater than the ifMtu of the Common Port interface.
757 */
758 u32 too_long[2];
759 /*! The number of transmitted packets for which table memory was
760 * affected by an ECC error during processing.
761 */
762 u32 ecc_error_pkts[2];
763 /*! The number of transmitted packets for where the matched row in
764 * the Egress Packet Classifier table has action=drop.
765 */
766 u32 unctrl_hit_drop_redir[2];
767};
768
769/*! Represents the Ingress MIB counters for a single SA. Counters are
770 * 64 bits, lower 32 bits in field[0].
771 */
772struct aq_mss_ingress_sa_counters {
773 /*! For this SA, the number of received packets without a SecTAG. */
774 u32 untagged_hit_pkts[2];
775 /*! For this SA, the number of received packets that were dropped. */
776 u32 ctrl_hit_drop_redir_pkts[2];
777 /*! For this SA which is not currently in use, the number of
778 * received packets that have been discarded, and have either the
779 * packets encrypted or the matched row in the Ingress SC Lookup
780 * table has validate_frames=Strict.
781 */
782 u32 not_using_sa[2];
783 /*! For this SA which is not currently in use, the number of
784 * received, unencrypted, packets with the matched row in the
785 * Ingress SC Lookup table has validate_frames!=Strict.
786 */
787 u32 unused_sa[2];
788 /*! For this SA, the number discarded packets with the condition
789 * that the packets are not valid and one of the following
790 * conditions are true: either the matched row in the Ingress SC
791 * Lookup table has validate_frames=Strict or the packets
792 * encrypted.
793 */
794 u32 not_valid_pkts[2];
795 /*! For this SA, the number of packets with the condition that the
796 * packets are not valid and the matched row in the Ingress SC
797 * Lookup table has validate_frames=Check.
798 */
799 u32 invalid_pkts[2];
800 /*! For this SA, the number of validated packets. */
801 u32 ok_pkts[2];
802 /*! For this SC, the number of received packets that have been
803 * discarded with the condition: the matched row in the Ingress
804 * SC Lookup table has replay_protect=1 and the PN of the packet
805 * is lower than the lower bound replay check PN.
806 */
807 u32 late_pkts[2];
808 /*! For this SA, the number of packets with the condition that the
809 * PN of the packets is lower than the lower bound replay
810 * protection PN.
811 */
812 u32 delayed_pkts[2];
813 /*! For this SC, the number of packets with the following condition:
814 * - the matched row in the Ingress SC Lookup table has
815 * replay_protect=0 or
816 * - the matched row in the Ingress SC Lookup table has
817 * replay_protect=1 and the packet is not encrypted and the
818 * integrity check has failed or
819 * - the matched row in the Ingress SC Lookup table has
820 * replay_protect=1 and the packet is encrypted and integrity
821 * check has failed.
822 */
823 u32 unchecked_pkts[2];
824 /*! The number of octets of plaintext recovered from received
825 * packets that were integrity protected but not encrypted.
826 */
827 u32 validated_octets[2];
828 /*! The number of octets of plaintext recovered from received
829 * packets that were integrity protected and encrypted.
830 */
831 u32 decrypted_octets[2];
832};
833
834/*! Represents the common Ingress MIB counters; the counter not
835 * associated with a particular SA. Counters are 64 bits, lower 32
836 * bits in field[0].
837 */
838struct aq_mss_ingress_common_counters {
839 /*! The number of received packets classified as MAC_CTL packets. */
840 u32 ctl_pkts[2];
841 /*! The number of received packets with the MAC security tag
842 * (SecTAG), not matching any rows in the Ingress Pre-MACSec
843 * Packet Classifier table.
844 */
845 u32 tagged_miss_pkts[2];
846 /*! The number of received packets without the MAC security tag
847 * (SecTAG), not matching any rows in the Ingress Pre-MACSec
848 * Packet Classifier table.
849 */
850 u32 untagged_miss_pkts[2];
851 /*! The number of received packets discarded without the MAC
852 * security tag (SecTAG) and with the matched row in the Ingress
853 * SC Lookup table having validate_frames=Strict.
854 */
855 u32 notag_pkts[2];
856 /*! The number of received packets without the MAC security tag
857 * (SecTAG) and with the matched row in the Ingress SC Lookup
858 * table having validate_frames!=Strict.
859 */
860 u32 untagged_pkts[2];
861 /*! The number of received packets discarded with an invalid
862 * SecTAG or a zero value PN or an invalid ICV.
863 */
864 u32 bad_tag_pkts[2];
865 /*! The number of received packets discarded with unknown SCI
866 * information with the condition:
867 * the matched row in the Ingress SC Lookup table has
868 * validate_frames=Strict or the C bit in the SecTAG is set.
869 */
870 u32 no_sci_pkts[2];
871 /*! The number of received packets with unknown SCI with the condition:
872 * The matched row in the Ingress SC Lookup table has
873 * validate_frames!=Strict and the C bit in the SecTAG is not set.
874 */
875 u32 unknown_sci_pkts[2];
876 /*! The number of received packets by the controlled port service
877 * that passed the Ingress Post-MACSec Packet Classifier table
878 * check.
879 */
880 u32 ctrl_prt_pass_pkts[2];
881 /*! The number of received packets by the uncontrolled port
882 * service that passed the Ingress Post-MACSec Packet Classifier
883 * table check.
884 */
885 u32 unctrl_prt_pass_pkts[2];
886 /*! The number of received packets by the controlled port service
887 * that failed the Ingress Post-MACSec Packet Classifier table
888 * check.
889 */
890 u32 ctrl_prt_fail_pkts[2];
891 /*! The number of received packets by the uncontrolled port
892 * service that failed the Ingress Post-MACSec Packet Classifier
893 * table check.
894 */
895 u32 unctrl_prt_fail_pkts[2];
896 /*! The number of received packets discarded because the packet
897 * length is greater than the ifMtu of the Common Port interface.
898 */
899 u32 too_long_pkts[2];
900 /*! The number of received packets classified as MAC_CTL by the
901 * Ingress Post-MACSec CTL Filter table.
902 */
903 u32 igpoc_ctl_pkts[2];
904 /*! The number of received packets for which table memory was
905 * affected by an ECC error during processing.
906 */
907 u32 ecc_error_pkts[2];
908 /*! The number of received packets by the uncontrolled port
909 * service that were dropped.
910 */
911 u32 unctrl_hit_drop_redir[2];
912};
913
914#endif
915

source code of linux/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_struct.h