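/* SPDX-License-Identifier: GPL-2.0-only */
/* Atlantic Network Driver
 * Copyright (C) 2020 Marvell International Ltd.
 */

#ifndef _MACSEC_STRUCT_H_
#define _MACSEC_STRUCT_H_

/* Software images of the MACsec (MSS) hardware table rows and MIB counters.
 *
 * Every field is stored in a u32 (or an array of u32) regardless of the
 * bit width given in its comment; the comments are the only record of the
 * intended width and value range.
 *
 * NOTE(review): nothing in this header enforces the documented widths or
 * ranges. Presumably the code that packs these records into hardware words
 * masks each field - confirm, and range-check any value that originates
 * outside the driver before storing it here.
 */

/*! Represents the bitfields of a single row in the Egress CTL Filter
 *  table.
 */
struct aq_mss_egress_ctlf_record {
	/*! This is used to store the 48 bit value used to compare SA, DA or
	 *  halfDA+half SA value.
	 */
	u32 sa_da[2];
	/*! This is used to store the 16 bit ethertype value used for
	 *  comparison.
	 */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every value
	 *  will match successfully. The total data is 64 bit, i.e. 16 nibble
	 *  masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. This entry is not used
	 *  1: compare DA only
	 *  2: compare SA only
	 *  3: compare half DA + half SA
	 *  4: compare ether type only
	 *  5: compare DA + ethertype
	 *  6: compare SA + ethertype
	 *  7: compare DA+ range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 *  1: Forward to next module for more classifications.
	 *
	 *  NOTE(review): action 0 lets matching frames skip the later MACsec
	 *  stages, and a match_mask with many don't-care nibbles matches
	 *  broadly. Rows combining the two deserve review.
	 */
	u32 action;
};

/*! Represents the bitfields of a single row in the Egress Packet
 *  Classifier table.
 */
struct aq_mss_egress_class_record {
	/*! VLAN ID field. */
	u32 vlan_id;
	/*! VLAN UP field. */
	u32 vlan_up;
	/*! VLAN Present in the Packet. */
	u32 vlan_valid;
	/*! The 8 bit value used to compare with extracted value for byte 3. */
	u32 byte3;
	/*! The 8 bit value used to compare with extracted value for byte 2. */
	u32 byte2;
	/*! The 8 bit value used to compare with extracted value for byte 1. */
	u32 byte1;
	/*! The 8 bit value used to compare with extracted value for byte 0. */
	u32 byte0;
	/*! The 8 bit TCI field used to compare with extracted value. */
	u32 tci;
	/*! The 64 bit SCI field in the SecTAG. */
	u32 sci[2];
	/*! The 16 bit Ethertype (in the clear) field used to compare with
	 *  extracted value.
	 */
	u32 eth_type;
	/*! This is to specify the 40bit SNAP header if the SNAP header's mask
	 *  is enabled.
	 */
	u32 snap[2];
	/*! This is to specify the 24bit LLC header if the LLC header's mask is
	 *  enabled.
	 */
	u32 llc;
	/*! The 48 bit MAC_SA field used to compare with extracted value. */
	u32 mac_sa[2];
	/*! The 48 bit MAC_DA field used to compare with extracted value. */
	u32 mac_da[2];
	/*! The 32 bit Packet number used to compare with extracted value. */
	u32 pn;
	/*! 0~63: location of the byte extracted by the packet comparator; it
	 *  can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA, i.e. 0 points to byte 0
	 *  of the DA.
	 */
	u32 byte3_location;
	/*! 0: don't care
	 *  1: enable comparison of extracted byte pointed by byte 3 location.
	 */
	u32 byte3_mask;
	/*! 0~63: location of the byte extracted by the packet comparator; it
	 *  can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA, i.e. 0 points to byte 0
	 *  of the DA.
	 */
	u32 byte2_location;
	/*! 0: don't care
	 *  1: enable comparison of extracted byte pointed by byte 2 location.
	 */
	u32 byte2_mask;
	/*! 0~63: location of the byte extracted by the packet comparator; it
	 *  can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA, i.e. 0 points to byte 0
	 *  of the DA.
	 */
	u32 byte1_location;
	/*! 0: don't care
	 *  1: enable comparison of extracted byte pointed by byte 1 location.
	 */
	u32 byte1_mask;
	/*! 0~63: location of the byte extracted by the packet comparator; it
	 *  can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA, i.e. 0 points to byte 0
	 *  of the DA.
	 */
	u32 byte0_location;
	/*! 0: don't care
	 *  1: enable comparison of extracted byte pointed by byte 0 location.
	 */
	u32 byte0_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of extracted VLAN ID field.
	 */
	u32 vlan_id_mask;
	/*! 0: don't care
	 *  1: enable comparison of extracted VLAN UP field.
	 */
	u32 vlan_up_mask;
	/*! 0: don't care
	 *  1: enable comparison of extracted VLAN Valid field.
	 */
	u32 vlan_valid_mask;
	/*! This is the bit mask to enable comparison of the 8 bit TCI field,
	 *  including the AN field.
	 *  For explicit SECTAG, AN is hardware controlled. For sending
	 *  packet w/ explicit SECTAG, rest of the TCI fields are directly
	 *  from the SECTAG.
	 */
	u32 tci_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of SCI
	 *  Note: If this field is not 0, this means the input packet's
	 *  SECTAG is explicitly tagged and MACSEC module will only update
	 *  the MSDU.
	 *  PN number is hardware controlled.
	 */
	u32 sci_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of Ethertype.
	 */
	u32 eth_type_mask;
	/*! Mask is per-byte.
	 *  0: don't care and no SNAP header exist.
	 *  1: compare the SNAP header.
	 *  If this bit is set to 1, the extracted field will assume the
	 *  SNAP header exists as encapsulated in 802.3 (RFC 1042). I.E. the
	 *  next 5 bytes after the LLC header is SNAP header.
	 */
	u32 snap_mask;
	/*! 0: don't care and no LLC header exist.
	 *  1: compare the LLC header.
	 *  If this bit is set to 1, the extracted field will assume the
	 *  LLC header exists as encapsulated in 802.3 (RFC 1042). I.E. the
	 *  next three bytes after the 802.3MAC header is LLC header.
	 */
	u32 llc_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of MAC_SA.
	 */
	u32 sa_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of MAC_DA.
	 */
	u32 da_mask;
	/*! Mask is per-byte. */
	u32 pn_mask;
	/*! Reserved. This bit should be always 0. */
	u32 eight02dot2;
	/*! 1: For explicit sectag case use TCI_SC from table
	 *  0: use TCI_SC from explicit sectag.
	 */
	u32 tci_sc;
	/*! 1: For explicit sectag case,use TCI_V,ES,SCB,E,C from table
	 *  0: use TCI_V,ES,SCB,E,C from explicit sectag.
	 */
	u32 tci_87543;
	/*! 1: indicates that incoming packet has explicit sectag. */
	u32 exp_sectag_en;
	/*! If packet matches and tagged as controlled-packet, this SC/SA
	 *  index is used for later SC and SA table lookup.
	 */
	u32 sc_idx;
	/*! This field is used to specify how many SA entries are
	 *  associated with 1 SC entry.
	 *  2'b00: 1 SC has 4 SA.
	 *  SC index is equivalent to {SC_Index[4:2], 1'b0}.
	 *  SA index is equivalent to {SC_Index[4:2], SC entry's current AN[1:0]}
	 *  2'b10: 1 SC has 2 SA.
	 *  SC index is equivalent to SC_Index[4:1]
	 *  SA index is equivalent to {SC_Index[4:1], SC entry's current AN[0]}
	 *  2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
	 *  SA index is equivalent to SC_Index[4:0]
	 *  Note: if specified as 2'b11, hardware AN roll over is not
	 *  supported.
	 */
	u32 sc_sa;
	/*! 0: the packets will be sent to MAC FIFO
	 *  1: The packets will be sent to Debug/Loopback FIFO.
	 *  If the above's action is drop, this bit has no meaning.
	 */
	u32 debug;
	/*! 0: forward to remaining modules
	 *  1: bypass the next encryption modules. This packet is considered
	 *  un-control packet.
	 *  2: drop
	 *  3: Reserved.
	 *
	 *  NOTE(review): action 1 means a matching frame leaves without
	 *  passing the encryption modules; rows using it should be limited
	 *  to traffic that is meant to go out unprotected.
	 */
	u32 action;
	/*! 0: Not valid entry. This entry is not used
	 *  1: valid entry.
	 */
	u32 valid;
};

/*! Represents the bitfields of a single row in the Egress SC Lookup table. */
struct aq_mss_egress_sc_record {
	/*! This is to specify when the SC was first used. Set by HW. */
	u32 start_time;
	/*! This is to specify when the SC was last used. Set by HW. */
	u32 stop_time;
	/*! This is to specify which of the SA entries are used by current HW.
	 *  Note: This value needs to be set by SW after reset. It will be
	 *  automatically updated by HW, if AN roll over is enabled.
	 */
	u32 curr_an;
	/*! 0: Clear the SA Valid Bit after PN expiry.
	 *  1: Do not Clear the SA Valid bit after PN expiry of the current SA.
	 *  When the Enable AN roll over is set, S/W does not need to
	 *  program the new SA's and the H/W will automatically roll over
	 *  between the SA's without session expiry.
	 *  For normal operation, Enable AN Roll over will be set to '0'
	 *  and in which case, the SW needs to program the new SA values
	 *  after the current PN expires.
	 *
	 *  NOTE(review): the PN is part of the AES-GCM nonce, so a PN must
	 *  never repeat under one SAK. This header does not show how an SA
	 *  that is rolled onto gets a fresh key/PN; confirm roll over can
	 *  never resume an SA whose PN space was already used with the same
	 *  key.
	 */
	u32 an_roll;
	/*! This is the TCI field used if packet is not explicitly tagged. */
	u32 tci;
	/*! This value indicates the offset where the decryption will start.
	 *  [Values of 0, 4, 8-50].
	 *
	 *  NOTE(review): this is the egress (transmit) table, so presumably
	 *  "encryption" is meant, i.e. the number of leading octets left in
	 *  the clear - confirm against the hardware documentation.
	 */
	u32 enc_off;
	/*! 0: Do not protect frames, all the packets will be forwarded
	 *  unchanged. MIB counter (OutPktsUntagged) will be updated.
	 *  1: Protect.
	 *
	 *  With protect=0 traffic on this SC leaves in cleartext; the
	 *  untagged_pkts counter in struct aq_mss_egress_common_counters
	 *  counts such packets and is the place to watch for an unintended
	 *  protect=0 row.
	 */
	u32 protect;
	/*! 0: when none of the SA related to SC has inUse set.
	 *  1: when either of the SA related to the SC has inUse set.
	 *  This bit is set by HW.
	 */
	u32 recv;
	/*! 0: H/W Clears this bit on the first use.
	 *  1: SW updates this entry, when programming the SC Table.
	 */
	u32 fresh;
	/*! AES Key size
	 *  00 - 128bits
	 *  01 - 192bits
	 *  10 - 256bits
	 *  11 - Reserved.
	 */
	u32 sak_len;
	/*! 0: Invalid SC
	 *  1: Valid SC.
	 */
	u32 valid;
};

/*! Represents the bitfields of a single row in the Egress SA Lookup table. */
struct aq_mss_egress_sa_record {
	/*! This is to specify when the SC was first used. Set by HW.
	 *  NOTE(review): the text says SC although this is the SA table;
	 *  presumably the SA is meant - confirm.
	 */
	u32 start_time;
	/*! This is to specify when the SC was last used. Set by HW.
	 *  NOTE(review): presumably the SA is meant - confirm.
	 */
	u32 stop_time;
	/*! This is set by SW and updated by HW to store the Next PN number
	 *  used for encryption.
	 */
	u32 next_pn;
	/*! The Next_PN number is going to wrap around from 0xFFFF_FFFF
	 *  to 0. Set by HW.
	 *
	 *  NOTE(review): once this is set the SA's PN space is exhausted;
	 *  continuing to transmit on it with the same SAK would repeat
	 *  AES-GCM nonces, so software should treat it as "rekey needed".
	 */
	u32 sat_pn;
	/*! 0: This SA is in use.
	 *  1: This SA is Fresh and set by SW.
	 */
	u32 fresh;
	/*! 0: Invalid SA
	 *  1: Valid SA.
	 */
	u32 valid;
};

/*! Represents the bitfields of a single row in the Egress SA Key
 *  Lookup table.
 */
struct aq_mss_egress_sakey_record {
	/*! Key for AES-GCM processing.
	 *
	 *  Raw key material; 8 x u32 holds up to 256 bits (the key size is
	 *  selected by sak_len in struct aq_mss_egress_sc_record).
	 *  NOTE(review): instances of this record should be wiped, e.g. with
	 *  memzero_explicit(), once the row has been written to hardware,
	 *  and must never be logged or dumped.
	 */
	u32 key[8];
};

/*! Represents the bitfields of a single row in the Ingress Pre-MACSec
 *  CTL Filter table.
 */
struct aq_mss_ingress_prectlf_record {
	/*! This is used to store the 48 bit value used to compare SA, DA
	 *  or halfDA+half SA value.
	 */
	u32 sa_da[2];
	/*! This is used to store the 16 bit ethertype value used for
	 *  comparison.
	 */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every
	 *  value will match successfully. The total data is 64 bit, i.e.
	 *  16 nibble masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. This entry is not used
	 *  1: compare DA only
	 *  2: compare SA only
	 *  3: compare half DA + half SA
	 *  4: compare ether type only
	 *  5: compare DA + ethertype
	 *  6: compare SA + ethertype
	 *  7: compare DA+ range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 *  1: Forward to next module for more classifications.
	 *
	 *  NOTE(review): action 0 lets matching received frames skip the
	 *  later MACsec stages; keep the match as narrow as the control
	 *  protocol requires.
	 */
	u32 action;
};

/*! Represents the bitfields of a single row in the Ingress Pre-MACSec
 *  Packet Classifier table.
 */
struct aq_mss_ingress_preclass_record {
	/*! The 64 bit SCI field used to compare with extracted value.
	 *  Should have SCI value in case TCI[SCI_SEND] == 0. This will be
	 *  used for ICV calculation.
	 */
	u32 sci[2];
	/*! The 8 bit TCI field used to compare with extracted value. */
	u32 tci;
	/*! 8 bit encryption offset. */
	u32 encr_offset;
	/*! The 16 bit Ethertype (in the clear) field used to compare with
	 *  extracted value.
	 */
	u32 eth_type;
	/*! This is to specify the 40bit SNAP header if the SNAP header's
	 *  mask is enabled.
	 */
	u32 snap[2];
	/*! This is to specify the 24bit LLC header if the LLC header's
	 *  mask is enabled.
	 */
	u32 llc;
	/*! The 48 bit MAC_SA field used to compare with extracted value. */
	u32 mac_sa[2];
	/*! The 48 bit MAC_DA field used to compare with extracted value. */
	u32 mac_da[2];
	/*! 0: this is to compare with non-LPBK packet
	 *  1: this is to compare with LPBK packet.
	 *  This value is used to compare with a controlled-tag which goes
	 *  with the packet when looped back from Egress port.
	 */
	u32 lpbk_packet;
	/*! The value of this bit mask affects how the SC index and SA
	 *  index are created.
	 *  2'b00: 1 SC has 4 SA.
	 *  SC index is equivalent to {SC_Index[4:2], 1'b0}.
	 *  SA index is equivalent to {SC_Index[4:2], SECTAG's AN[1:0]}
	 *  Here AN bits are not compared.
	 *  2'b10: 1 SC has 2 SA.
	 *  SC index is equivalent to SC_Index[4:1]
	 *  SA index is equivalent to {SC_Index[4:1], SECTAG's AN[0]}
	 *  Compare AN[1] field only
	 *  2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
	 *  SA index is equivalent to SC_Index[4:0]
	 *  AN[1:0] bits are compared.
	 *  NOTE: This design is to support different usages of AN. User
	 *  can either ping-pong buffer 2 SA by using only the AN[0] bit.
	 *  Or use 4 SA per SC by using AN[1:0] bits. Or even treat each SA
	 *  as independent. i.e. AN[1:0] is just another matching pointer
	 *  to select SA.
	 */
	u32 an_mask;
	/*! This is the bit mask to enable comparison of the upper 6 bits of
	 *  the TCI field, which does not include the AN field.
	 *  0: don't compare
	 *  1: enable comparison of the bits.
	 */
	u32 tci_mask;
	/*! 0: don't care
	 *  1: enable comparison of SCI.
	 */
	u32 sci_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of Ethertype.
	 */
	u32 eth_type_mask;
	/*! Mask is per-byte.
	 *  0: don't care and no SNAP header exist.
	 *  1: compare the SNAP header.
	 *  If this bit is set to 1, the extracted field will assume the
	 *  SNAP header exists as encapsulated in 802.3 (RFC 1042). I.E. the
	 *  next 5 bytes after the LLC header is SNAP header.
	 */
	u32 snap_mask;
	/*! Mask is per-byte.
	 *  0: don't care and no LLC header exist.
	 *  1: compare the LLC header.
	 *  If this bit is set to 1, the extracted field will assume the
	 *  LLC header exists as encapsulated in 802.3 (RFC 1042). I.E. the
	 *  next three bytes after the 802.3MAC header is LLC header.
	 */
	u32 llc_mask;
	/*! Reserved. This bit should be always 0. */
	u32 _802_2_encapsulate;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of MAC_SA.
	 */
	u32 sa_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of MAC_DA.
	 */
	u32 da_mask;
	/*! 0: don't care
	 *  1: enable checking if this is loopback packet or not.
	 */
	u32 lpbk_mask;
	/*! If packet matches and tagged as controlled-packet. This SC/SA
	 *  index is used for later SC and SA table lookup.
	 */
	u32 sc_idx;
	/*! 0: the packets will be sent to MAC FIFO
	 *  1: The packets will be sent to Debug/Loopback FIFO.
	 *  If the above's action is drop. This bit has no meaning.
	 */
	u32 proc_dest;
	/*! 0: Process: Forward to next two modules for 802.1AE decryption.
	 *  1: Process but keep SECTAG: Forward to next two modules for
	 *  802.1AE decryption but keep the MACSEC header with added error
	 *  code information. ICV will be stripped for all control packets.
	 *  2: Bypass: Bypass the next two decryption modules but processed
	 *  by post-classification.
	 *  3: Drop: drop this packet and update counts accordingly.
	 *
	 *  NOTE(review): with action 2 a matching frame is accepted without
	 *  802.1AE validation; only the post-classification tables still
	 *  apply to it.
	 */
	u32 action;
	/*! 0: This is a controlled-port packet if matched.
	 *  1: This is an uncontrolled-port packet if matched.
	 */
	u32 ctrl_unctrl;
	/*! Use the SCI value from the Table if 'SC' bit of the input
	 *  packet is not present.
	 */
	u32 sci_from_table;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Not valid entry. This entry is not used
	 *  1: valid entry.
	 */
	u32 valid;
};

/*! Represents the bitfields of a single row in the Ingress SC Lookup table. */
struct aq_mss_ingress_sc_record {
	/*! This is to specify when the SC was last used. Set by HW.
	 *  NOTE(review): the source text said "first used" for both
	 *  stop_time and start_time; "last used" follows the egress SC
	 *  table - confirm.
	 */
	u32 stop_time;
	/*! This is to specify when the SC was first used. Set by HW. */
	u32 start_time;
	/*! 0: Strict
	 *  1: Check
	 *  2: Disabled.
	 *
	 *  NOTE(review): going by the counter descriptions in this file
	 *  (notag_pkts / untagged_pkts, not_valid_pkts / invalid_pkts),
	 *  Strict is the only mode in which untagged or unencrypted
	 *  not-valid frames are discarded; in the other modes they are only
	 *  counted and presumably delivered. Use anything but Strict
	 *  deliberately.
	 */
	u32 validate_frames;
	/*! 1: Replay control enabled.
	 *  0: replay control disabled.
	 */
	u32 replay_protect;
	/*! This is to specify the window range for anti-replay. Default is 0.
	 *  0: is strict order enforcement.
	 *
	 *  Only meaningful together with replay_protect=1: late_pkts in
	 *  struct aq_mss_ingress_sa_counters counts frames discarded for
	 *  falling below the lower bound of the replay check.
	 */
	u32 anti_replay_window;
	/*! 0: when none of the SA related to SC has inUse set.
	 *  1: when either of the SA related to the SC has inUse set.
	 *  This bit is set by HW.
	 */
	u32 receiving;
	/*! 0: when hardware processed the SC for the first time, it clears
	 *  this bit
	 *  1: This bit is set by SW, when it sets up the SC.
	 */
	u32 fresh;
	/*! 0: The AN number will not automatically roll over if Next_PN is
	 *  saturated.
	 *  1: The AN number will automatically roll over if Next_PN is
	 *  saturated.
	 *  Rollover is valid only after expiry. Normal roll over between
	 *  SA's should be normal process.
	 */
	u32 an_rol;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Invalid SC
	 *  1: Valid SC.
	 */
	u32 valid;
};

/*! Represents the bitfields of a single row in the Ingress SA Lookup table. */
struct aq_mss_ingress_sa_record {
	/*! This is to specify when the SC was last used. Set by HW.
	 *  NOTE(review): the source text said "first used" for both
	 *  stop_time and start_time, and names the SC although this is the
	 *  SA table - confirm both points.
	 */
	u32 stop_time;
	/*! This is to specify when the SC was first used. Set by HW. */
	u32 start_time;
	/*! This is updated by HW to store the expected NextPN number for
	 *  anti-replay.
	 */
	u32 next_pn;
	/*! The Next_PN number is going to wrap around from 0XFFFF_FFFF
	 *  to 0. Set by HW.
	 */
	u32 sat_nextpn;
	/*! 0: This SA is not yet used.
	 *  1: This SA is inUse.
	 */
	u32 in_use;
	/*! 0: when hardware processed the SC for the first time, it clears
	 *  this bit
	 *  1: This bit is set by SW, when it sets up the SC.
	 */
	u32 fresh;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Invalid SA.
	 *  1: Valid SA.
	 */
	u32 valid;
};

/*! Represents the bitfields of a single row in the Ingress SA Key
 *  Lookup table.
 */
struct aq_mss_ingress_sakey_record {
	/*! Key for AES-GCM processing.
	 *
	 *  Raw key material; 8 x u32 holds up to 256 bits.
	 *  NOTE(review): instances of this record should be wiped, e.g. with
	 *  memzero_explicit(), once the row has been written to hardware,
	 *  and must never be logged or dumped.
	 */
	u32 key[8];
	/*! AES key size
	 *  00 - 128bits
	 *  01 - 192bits
	 *  10 - 256bits
	 *  11 - reserved.
	 */
	u32 key_len;
};

/*! Represents the bitfields of a single row in the Ingress Post-
 *  MACSec Packet Classifier table.
 */
struct aq_mss_ingress_postclass_record {
	/*! The 8 bit value used to compare with extracted value for byte 0. */
	u32 byte0;
	/*! The 8 bit value used to compare with extracted value for byte 1. */
	u32 byte1;
	/*! The 8 bit value used to compare with extracted value for byte 2. */
	u32 byte2;
	/*! The 8 bit value used to compare with extracted value for byte 3. */
	u32 byte3;
	/*! Ethertype in the packet. */
	u32 eth_type;
	/*! Ether Type value > 1500 (0x5dc). */
	u32 eth_type_valid;
	/*! VLAN ID after parsing. */
	u32 vlan_id;
	/*! VLAN priority after parsing. */
	u32 vlan_up;
	/*! Valid VLAN coding. */
	u32 vlan_valid;
	/*! SA index. */
	u32 sai;
	/*! SAI hit, i.e. controlled packet. */
	u32 sai_hit;
	/*! Mask for payload ethertype field. */
	u32 eth_type_mask;
	/*! 0~63: location of the byte extracted by the packet comparator; it
	 *  can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA, i.e. 0 points to byte 0
	 *  of the DA.
	 */
	u32 byte3_location;
	/*! Mask for Byte Offset 3. */
	u32 byte3_mask;
	/*! 0~63: location of the byte extracted by the packet comparator; it
	 *  can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA, i.e. 0 points to byte 0
	 *  of the DA.
	 */
	u32 byte2_location;
	/*! Mask for Byte Offset 2. */
	u32 byte2_mask;
	/*! 0~63: location of the byte extracted by the packet comparator; it
	 *  can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA, i.e. 0 points to byte 0
	 *  of the DA.
	 */
	u32 byte1_location;
	/*! Mask for Byte Offset 1. */
	u32 byte1_mask;
	/*! 0~63: location of the byte extracted by the packet comparator; it
	 *  can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA, i.e. 0 points to byte 0
	 *  of the DA.
	 */
	u32 byte0_location;
	/*! Mask for Byte Offset 0. */
	u32 byte0_mask;
	/*! Mask for Ethertype valid field. Indicates 802.3 vs. Other. */
	u32 eth_type_valid_mask;
	/*! Mask for VLAN ID field. */
	u32 vlan_id_mask;
	/*! Mask for VLAN UP field. */
	u32 vlan_up_mask;
	/*! Mask for VLAN valid field. */
	u32 vlan_valid_mask;
	/*! Mask for SAI. */
	u32 sai_mask;
	/*! Mask for SAI_HIT. */
	u32 sai_hit_mask;
	/*! Action if only first level matches and second level does not.
	 *  0: pass
	 *  1: drop (fail).
	 */
	u32 firstlevel_actions;
	/*! Action if both first and second level matched.
	 *  0: pass
	 *  1: drop (fail).
	 */
	u32 secondlevel_actions;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Not valid entry. This entry is not used
	 *  1: valid entry.
	 */
	u32 valid;
};

/*! Represents the bitfields of a single row in the Ingress Post-
 *  MACSec CTL Filter table.
 */
struct aq_mss_ingress_postctlf_record {
	/*! This is used to store the 48 bit value used to compare SA, DA
	 *  or halfDA+half SA value.
	 */
	u32 sa_da[2];
	/*! This is used to store the 16 bit ethertype value used for
	 *  comparison.
	 */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every
	 *  value will match successfully. The total data is 64 bit, i.e.
	 *  16 nibble masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. This entry is not used
	 *  1: compare DA only
	 *  2: compare SA only
	 *  3: compare half DA + half SA
	 *  4: compare ether type only
	 *  5: compare DA + ethertype
	 *  6: compare SA + ethertype
	 *  7: compare DA+ range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 *  1: Forward to next module for more classifications.
	 */
	u32 action;
};

/*! Represents the Egress MIB counters for a single SC. Counters are
 *  64 bits, lower 32 bits in field[0].
 */
struct aq_mss_egress_sc_counters {
	/*! The number of integrity protected but not encrypted packets
	 *  for this transmitting SC.
	 */
	u32 sc_protected_pkts[2];
	/*! The number of integrity protected and encrypted packets for
	 *  this transmitting SC.
	 */
	u32 sc_encrypted_pkts[2];
	/*! The number of plain text octets that are integrity protected
	 *  but not encrypted on the transmitting SC.
	 */
	u32 sc_protected_octets[2];
	/*! The number of plain text octets that are integrity protected
	 *  and encrypted on the transmitting SC.
	 */
	u32 sc_encrypted_octets[2];
};

/*! Represents the Egress MIB counters for a single SA. Counters are
 *  64 bits, lower 32 bits in field[0].
 */
struct aq_mss_egress_sa_counters {
	/*! The number of dropped packets for this transmitting SA. */
	u32 sa_hit_drop_redirect[2];
	/*! TODO */
	u32 sa_protected2_pkts[2];
	/*! The number of integrity protected but not encrypted packets
	 *  for this transmitting SA.
	 */
	u32 sa_protected_pkts[2];
	/*! The number of integrity protected and encrypted packets for
	 *  this transmitting SA.
	 */
	u32 sa_encrypted_pkts[2];
};

/*! Represents the common Egress MIB counters; the counter not
 *  associated with a particular SC/SA. Counters are 64 bits, lower 32
 *  bits in field[0].
 */
struct aq_mss_egress_common_counters {
	/*! The number of transmitted packets classified as MAC_CTL packets. */
	u32 ctl_pkt[2];
	/*! The number of transmitted packets that did not match any rows
	 *  in the Egress Packet Classifier table.
	 */
	u32 unknown_sa_pkts[2];
	/*! The number of transmitted packets where the SC table entry has
	 *  protect=0 (so packets are forwarded unchanged).
	 *  A growing value means traffic is leaving without MACsec
	 *  protection.
	 */
	u32 untagged_pkts[2];
	/*! The number of transmitted packets discarded because the packet
	 *  length is greater than the ifMtu of the Common Port interface.
	 */
	u32 too_long[2];
	/*! The number of transmitted packets for which table memory was
	 *  affected by an ECC error during processing.
	 */
	u32 ecc_error_pkts[2];
	/*! The number of transmitted packets where the matched row in
	 *  the Egress Packet Classifier table has action=drop.
	 */
	u32 unctrl_hit_drop_redir[2];
};

/*! Represents the Ingress MIB counters for a single SA. Counters are
 *  64 bits, lower 32 bits in field[0].
 */
struct aq_mss_ingress_sa_counters {
	/*! For this SA, the number of received packets without a SecTAG. */
	u32 untagged_hit_pkts[2];
	/*! For this SA, the number of received packets that were dropped. */
	u32 ctrl_hit_drop_redir_pkts[2];
	/*! For this SA which is not currently in use, the number of
	 *  received packets that have been discarded, and have either the
	 *  packets encrypted or the matched row in the Ingress SC Lookup
	 *  table has validate_frames=Strict.
	 */
	u32 not_using_sa[2];
	/*! For this SA which is not currently in use, the number of
	 *  received, unencrypted, packets with the matched row in the
	 *  Ingress SC Lookup table has validate_frames!=Strict.
	 */
	u32 unused_sa[2];
	/*! For this SA, the number of discarded packets with the condition
	 *  that the packets are not valid and one of the following
	 *  conditions is true: either the matched row in the Ingress SC
	 *  Lookup table has validate_frames=Strict or the packets are
	 *  encrypted.
	 */
	u32 not_valid_pkts[2];
	/*! For this SA, the number of packets with the condition that the
	 *  packets are not valid and the matched row in the Ingress SC
	 *  Lookup table has validate_frames=Check.
	 */
	u32 invalid_pkts[2];
	/*! For this SA, the number of validated packets. */
	u32 ok_pkts[2];
	/*! For this SC, the number of received packets that have been
	 *  discarded with the condition: the matched row in the Ingress
	 *  SC Lookup table has replay_protect=1 and the PN of the packet
	 *  is lower than the lower bound replay check PN.
	 */
	u32 late_pkts[2];
	/*! For this SA, the number of packets with the condition that the
	 *  PN of the packets is lower than the lower bound replay
	 *  protection PN.
	 */
	u32 delayed_pkts[2];
	/*! For this SC, the number of packets with the following condition:
	 *  - the matched row in the Ingress SC Lookup table has
	 *    replay_protect=0 or
	 *  - the matched row in the Ingress SC Lookup table has
	 *    replay_protect=1 and the packet is not encrypted and the
	 *    integrity check has failed or
	 *  - the matched row in the Ingress SC Lookup table has
	 *    replay_protect=1 and the packet is encrypted and integrity
	 *    check has failed.
	 */
	u32 unchecked_pkts[2];
	/*! The number of octets of plaintext recovered from received
	 *  packets that were integrity protected but not encrypted.
	 */
	u32 validated_octets[2];
	/*! The number of octets of plaintext recovered from received
	 *  packets that were integrity protected and encrypted.
	 */
	u32 decrypted_octets[2];
};

/*! Represents the common Ingress MIB counters; the counter not
 *  associated with a particular SA. Counters are 64 bits, lower 32
 *  bits in field[0].
 */
struct aq_mss_ingress_common_counters {
	/*! The number of received packets classified as MAC_CTL packets. */
	u32 ctl_pkts[2];
	/*! The number of received packets with the MAC security tag
	 *  (SecTAG), not matching any rows in the Ingress Pre-MACSec
	 *  Packet Classifier table.
	 */
	u32 tagged_miss_pkts[2];
	/*! The number of received packets without the MAC security tag
	 *  (SecTAG), not matching any rows in the Ingress Pre-MACSec
	 *  Packet Classifier table.
	 */
	u32 untagged_miss_pkts[2];
	/*! The number of received packets discarded without the MAC
	 *  security tag (SecTAG) and with the matched row in the Ingress
	 *  SC Lookup table having validate_frames=Strict.
	 */
	u32 notag_pkts[2];
	/*! The number of received packets without the MAC security tag
	 *  (SecTAG) and with the matched row in the Ingress SC Lookup
	 *  table having validate_frames!=Strict.
	 */
	u32 untagged_pkts[2];
	/*! The number of received packets discarded with an invalid
	 *  SecTAG or a zero value PN or an invalid ICV.
	 */
	u32 bad_tag_pkts[2];
	/*! The number of received packets discarded with unknown SCI
	 *  information with the condition:
	 *  the matched row in the Ingress SC Lookup table has
	 *  validate_frames=Strict or the C bit in the SecTAG is set.
	 */
	u32 no_sci_pkts[2];
	/*! The number of received packets with unknown SCI with the condition:
	 *  The matched row in the Ingress SC Lookup table has
	 *  validate_frames!=Strict and the C bit in the SecTAG is not set.
	 */
	u32 unknown_sci_pkts[2];
	/*! The number of received packets by the controlled port service
	 *  that passed the Ingress Post-MACSec Packet Classifier table
	 *  check.
	 */
	u32 ctrl_prt_pass_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 *  service that passed the Ingress Post-MACSec Packet Classifier
	 *  table check.
	 */
	u32 unctrl_prt_pass_pkts[2];
	/*! The number of received packets by the controlled port service
	 *  that failed the Ingress Post-MACSec Packet Classifier table
	 *  check.
	 */
	u32 ctrl_prt_fail_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 *  service that failed the Ingress Post-MACSec Packet Classifier
	 *  table check.
	 */
	u32 unctrl_prt_fail_pkts[2];
	/*! The number of received packets discarded because the packet
	 *  length is greater than the ifMtu of the Common Port interface.
	 */
	u32 too_long_pkts[2];
	/*! The number of received packets classified as MAC_CTL by the
	 *  Ingress Post-MACSec CTL Filter table.
	 */
	u32 igpoc_ctl_pkts[2];
	/*! The number of received packets for which table memory was
	 *  affected by an ECC error during processing.
	 */
	u32 ecc_error_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 *  service that were dropped.
	 */
	u32 unctrl_hit_drop_redir[2];
};

#endif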