• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /* Atlantic Network Driver
3  * Copyright (C) 2020 Marvell International Ltd.
4  */
5 
6 #ifndef _MACSEC_STRUCT_H_
7 #define _MACSEC_STRUCT_H_
8 
9 /*! Represents the bitfields of a single row in the Egress CTL Filter
10  *  table.
11  */
12 struct aq_mss_egress_ctlf_record {
13 	/*! This is used to store the 48 bit value used to compare SA, DA or
14 	 *  halfDA+half SA value.
15 	 */
16 	u32 sa_da[2];
17 	/*! This is used to store the 16 bit ethertype value used for
18 	 *  comparison.
19 	 */
20 	u32 eth_type;
21 	/*! The match mask is per-nibble. 0 means don't care, i.e. every value
22 	 *  will match successfully. The total data is 64 bit, i.e. 16 nibbles
23 	 *  masks.
24 	 */
25 	u32 match_mask;
26 	/*! 0: No compare, i.e. This entry is not used
27 	 *  1: compare DA only
28 	 *  2: compare SA only
29 	 *  3: compare half DA + half SA
30 	 *  4: compare ether type only
31 	 *  5: compare DA + ethertype
32 	 *  6: compare SA + ethertype
33 	 *  7: compare DA+ range.
34 	 */
35 	u32 match_type;
36 	/*! 0: Bypass the remaining modules if matched.
37 	 *  1: Forward to next module for more classifications.
38 	 */
39 	u32 action;
40 };
41 
42 /*! Represents the bitfields of a single row in the Egress Packet
43  *  Classifier table.
44  */
45 struct aq_mss_egress_class_record {
46 	/*! VLAN ID field. */
47 	u32 vlan_id;
48 	/*! VLAN UP field. */
49 	u32 vlan_up;
50 	/*! VLAN Present in the Packet. */
51 	u32 vlan_valid;
52 	/*! The 8 bit value used to compare with extracted value for byte 3. */
53 	u32 byte3;
54 	/*! The 8 bit value used to compare with extracted value for byte 2. */
55 	u32 byte2;
56 	/*! The 8 bit value used to compare with extracted value for byte 1. */
57 	u32 byte1;
58 	/*! The 8 bit value used to compare with extracted value for byte 0. */
59 	u32 byte0;
60 	/*! The 8 bit TCI field used to compare with extracted value. */
61 	u32 tci;
62 	/*! The 64 bit SCI field in the SecTAG. */
63 	u32 sci[2];
64 	/*! The 16 bit Ethertype (in the clear) field used to compare with
65 	 *  extracted value.
66 	 */
67 	u32 eth_type;
68 	/*! This is to specify the 40bit SNAP header if the SNAP header's mask
69 	 *  is enabled.
70 	 */
71 	u32 snap[2];
72 	/*! This is to specify the 24bit LLC header if the LLC header's mask is
73 	 *  enabled.
74 	 */
75 	u32 llc;
76 	/*! The 48 bit MAC_SA field used to compare with extracted value. */
77 	u32 mac_sa[2];
78 	/*! The 48 bit MAC_DA field used to compare with extracted value. */
79 	u32 mac_da[2];
80 	/*! The 32 bit Packet number used to compare with extracted value. */
81 	u32 pn;
82 	/*! 0~63: byte location used extracted by packets comparator, which
83 	 *  can be anything from the first 64 bytes of the MAC packets.
84 	 *  This byte location counted from MAC' DA address. i.e. set to 0
85 	 *  will point to byte 0 of DA address.
86 	 */
87 	u32 byte3_location;
88 	/*! 0: don't care
89 	 *  1: enable comparison of extracted byte pointed by byte 3 location.
90 	 */
91 	u32 byte3_mask;
92 	/*! 0~63: byte location used extracted by packets comparator, which
93 	 *  can be anything from the first 64 bytes of the MAC packets.
94 	 *  This byte location counted from MAC' DA address. i.e. set to 0
95 	 *  will point to byte 0 of DA address.
96 	 */
97 	u32 byte2_location;
98 	/*! 0: don't care
99 	 *  1: enable comparison of extracted byte pointed by byte 2 location.
100 	 */
101 	u32 byte2_mask;
102 	/*! 0~63: byte location used extracted by packets comparator, which
103 	 *  can be anything from the first 64 bytes of the MAC packets.
104 	 *  This byte location counted from MAC' DA address. i.e. set to 0
105 	 *  will point to byte 0 of DA address.
106 	 */
107 	u32 byte1_location;
108 	/*! 0: don't care
109 	 *  1: enable comparison of extracted byte pointed by byte 1 location.
110 	 */
111 	u32 byte1_mask;
112 	/*! 0~63: byte location used extracted by packets comparator, which
113 	 *  can be anything from the first 64 bytes of the MAC packets.
114 	 *  This byte location counted from MAC' DA address. i.e. set to 0
115 	 *  will point to byte 0 of DA address.
116 	 */
117 	u32 byte0_location;
118 	/*! 0: don't care
119 	 *  1: enable comparison of extracted byte pointed by byte 0 location.
120 	 */
121 	u32 byte0_mask;
122 	/*! Mask is per-byte.
123 	 *  0: don't care
124 	 *  1: enable comparison of extracted VLAN ID field.
125 	 */
126 	u32 vlan_id_mask;
127 	/*! 0: don't care
128 	 *  1: enable comparison of extracted VLAN UP field.
129 	 */
130 	u32 vlan_up_mask;
131 	/*! 0: don't care
132 	 *  1: enable comparison of extracted VLAN Valid field.
133 	 */
134 	u32 vlan_valid_mask;
135 	/*! This is bit mask to enable comparison the 8 bit TCI field,
136 	 *  including the AN field.
137 	 *  For explicit SECTAG, AN is hardware controlled. For sending
138 	 *  packet w/ explicit SECTAG, rest of the TCI fields are directly
139 	 *  from the SECTAG.
140 	 */
141 	u32 tci_mask;
142 	/*! Mask is per-byte.
143 	 *  0: don't care
144 	 *  1: enable comparison of SCI
145 	 *  Note: If this field is not 0, this means the input packet's
146 	 *  SECTAG is explicitly tagged and MACSEC module will only update
147 	 *  the MSDU.
148 	 *  PN number is hardware controlled.
149 	 */
150 	u32 sci_mask;
151 	/*! Mask is per-byte.
152 	 *  0: don't care
153 	 *  1: enable comparison of Ethertype.
154 	 */
155 	u32 eth_type_mask;
156 	/*! Mask is per-byte.
157 	 *  0: don't care and no SNAP header exist.
158 	 *  1: compare the SNAP header.
159 	 *  If this bit is set to 1, the extracted filed will assume the
160 	 *  SNAP header exist as encapsulated in 802.3 (RFC 1042). I.E. the
161 	 *  next 5 bytes after the the LLC header is SNAP header.
162 	 */
163 	u32 snap_mask;
164 	/*! 0: don't care and no LLC header exist.
165 	 *  1: compare the LLC header.
166 	 *  If this bit is set to 1, the extracted filed will assume the
167 	 *  LLC header exist as encapsulated in 802.3 (RFC 1042). I.E. the
168 	 *  next three bytes after the 802.3MAC header is LLC header.
169 	 */
170 	u32 llc_mask;
171 	/*! Mask is per-byte.
172 	 *  0: don't care
173 	 *  1: enable comparison of MAC_SA.
174 	 */
175 	u32 sa_mask;
176 	/*! Mask is per-byte.
177 	 *  0: don't care
178 	 *  1: enable comparison of MAC_DA.
179 	 */
180 	u32 da_mask;
181 	/*! Mask is per-byte. */
182 	u32 pn_mask;
183 	/*! Reserved. This bit should be always 0. */
184 	u32 eight02dot2;
185 	/*! 1: For explicit sectag case use TCI_SC from table
186 	 *  0: use TCI_SC from explicit sectag.
187 	 */
188 	u32 tci_sc;
189 	/*! 1: For explicit sectag case,use TCI_V,ES,SCB,E,C from table
190 	 *  0: use TCI_V,ES,SCB,E,C from explicit sectag.
191 	 */
192 	u32 tci_87543;
193 	/*! 1: indicates that incoming packet has explicit sectag. */
194 	u32 exp_sectag_en;
195 	/*! If packet matches and tagged as controlled-packet, this SC/SA
196 	 *  index is used for later SC and SA table lookup.
197 	 */
198 	u32 sc_idx;
199 	/*! This field is used to specify how many SA entries are
200 	 *  associated with 1 SC entry.
201 	 *  2'b00: 1 SC has 4 SA.
202 	 *  SC index is equivalent to {SC_Index[4:2], 1'b0}.
203 	 *  SA index is equivalent to {SC_Index[4:2], SC entry's current AN[1:0]
204 	 *  2'b10: 1 SC has 2 SA.
205 	 *  SC index is equivalent to SC_Index[4:1]
206 	 *  SA index is equivalent to {SC_Index[4:1], SC entry's current AN[0]}
207 	 *  2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
208 	 *  SA index is equivalent to SC_Index[4:0]
209 	 *  Note: if specified as 2'b11, hardware AN roll over is not
210 	 *  supported.
211 	 */
212 	u32 sc_sa;
213 	/*! 0: the packets will be sent to MAC FIFO
214 	 *  1: The packets will be sent to Debug/Loopback FIFO.
215 	 *  If the above's action is drop, this bit has no meaning.
216 	 */
217 	u32 debug;
218 	/*! 0: forward to remaining modules
219 	 *  1: bypass the next encryption modules. This packet is considered
220 	 *     un-control packet.
221 	 *  2: drop
222 	 *  3: Reserved.
223 	 */
224 	u32 action;
225 	/*! 0: Not valid entry. This entry is not used
226 	 *  1: valid entry.
227 	 */
228 	u32 valid;
229 };
230 
231 /*! Represents the bitfields of a single row in the Egress SC Lookup table. */
232 struct aq_mss_egress_sc_record {
233 	/*! This is to specify when the SC was first used. Set by HW. */
234 	u32 start_time;
235 	/*! This is to specify when the SC was last used. Set by HW. */
236 	u32 stop_time;
237 	/*! This is to specify which of the SA entries are used by current HW.
238 	 *  Note: This value need to be set by SW after reset.  It will be
239 	 *  automatically updated by HW, if AN roll over is enabled.
240 	 */
241 	u32 curr_an;
242 	/*! 0: Clear the SA Valid Bit after PN expiry.
243 	 *  1: Do not Clear the SA Valid bit after PN expiry of the current SA.
244 	 *  When the Enable AN roll over is set, S/W does not need to
245 	 *  program the new SA's and the H/W will automatically roll over
246 	 *  between the SA's without session expiry.
247 	 *  For normal operation, Enable AN Roll over will be set to '0'
248 	 *  and in which case, the SW needs to program the new SA values
249 	 *  after the current PN expires.
250 	 */
251 	u32 an_roll;
252 	/*! This is the TCI field used if packet is not explicitly tagged. */
253 	u32 tci;
254 	/*! This value indicates the offset where the decryption will start.
255 	 *  [[Values of 0, 4, 8-50].
256 	 */
257 	u32 enc_off;
258 	/*! 0: Do not protect frames, all the packets will be forwarded
259 	 *     unchanged. MIB counter (OutPktsUntagged) will be updated.
260 	 *  1: Protect.
261 	 */
262 	u32 protect;
263 	/*! 0: when none of the SA related to SC has inUse set.
264 	 *  1: when either of the SA related to the SC has inUse set.
265 	 *  This bit is set by HW.
266 	 */
267 	u32 recv;
268 	/*! 0: H/W Clears this bit on the first use.
269 	 *  1: SW updates this entry, when programming the SC Table.
270 	 */
271 	u32 fresh;
272 	/*! AES Key size
273 	 *  00 - 128bits
274 	 *  01 - 192bits
275 	 *  10 - 256bits
276 	 *  11 - Reserved.
277 	 */
278 	u32 sak_len;
279 	/*! 0: Invalid SC
280 	 *  1: Valid SC.
281 	 */
282 	u32 valid;
283 };
284 
285 /*! Represents the bitfields of a single row in the Egress SA Lookup table. */
286 struct aq_mss_egress_sa_record {
287 	/*! This is to specify when the SC was first used. Set by HW. */
288 	u32 start_time;
289 	/*! This is to specify when the SC was last used. Set by HW. */
290 	u32 stop_time;
291 	/*! This is set by SW and updated by HW to store the Next PN number
292 	 *  used for encryption.
293 	 */
294 	u32 next_pn;
295 	/*! The Next_PN number is going to wrapped around from 0xFFFF_FFFF
296 	 *  to 0. set by HW.
297 	 */
298 	u32 sat_pn;
299 	/*! 0: This SA is in use.
300 	 *  1: This SA is Fresh and set by SW.
301 	 */
302 	u32 fresh;
303 	/*! 0: Invalid SA
304 	 *  1: Valid SA.
305 	 */
306 	u32 valid;
307 };
308 
309 /*! Represents the bitfields of a single row in the Egress SA Key
310  *  Lookup table.
311  */
312 struct aq_mss_egress_sakey_record {
313 	/*! Key for AES-GCM processing. */
314 	u32 key[8];
315 };
316 
317 /*! Represents the bitfields of a single row in the Ingress Pre-MACSec
318  *  CTL Filter table.
319  */
320 struct aq_mss_ingress_prectlf_record {
321 	/*! This is used to store the 48 bit value used to compare SA, DA
322 	 *  or halfDA+half SA value.
323 	 */
324 	u32 sa_da[2];
325 	/*! This is used to store the 16 bit ethertype value used for
326 	 *  comparison.
327 	 */
328 	u32 eth_type;
329 	/*! The match mask is per-nibble. 0 means don't care, i.e. every
330 	 *  value will match successfully. The total data is 64 bit, i.e.
331 	 *  16 nibbles masks.
332 	 */
333 	u32 match_mask;
334 	/*! 0: No compare, i.e. This entry is not used
335 	 *  1: compare DA only
336 	 *  2: compare SA only
337 	 *  3: compare half DA + half SA
338 	 *  4: compare ether type only
339 	 *  5: compare DA + ethertype
340 	 *  6: compare SA + ethertype
341 	 *  7: compare DA+ range.
342 	 */
343 	u32 match_type;
344 	/*! 0: Bypass the remaining modules if matched.
345 	 *  1: Forward to next module for more classifications.
346 	 */
347 	u32 action;
348 };
349 
350 /*! Represents the bitfields of a single row in the Ingress Pre-MACSec
351  *  Packet Classifier table.
352  */
353 struct aq_mss_ingress_preclass_record {
354 	/*! The 64 bit SCI field used to compare with extracted value.
355 	 *  Should have SCI value in case TCI[SCI_SEND] == 0. This will be
356 	 *  used for ICV calculation.
357 	 */
358 	u32 sci[2];
359 	/*! The 8 bit TCI field used to compare with extracted value. */
360 	u32 tci;
361 	/*! 8 bit encryption offset. */
362 	u32 encr_offset;
363 	/*! The 16 bit Ethertype (in the clear) field used to compare with
364 	 *  extracted value.
365 	 */
366 	u32 eth_type;
367 	/*! This is to specify the 40bit SNAP header if the SNAP header's
368 	 *  mask is enabled.
369 	 */
370 	u32 snap[2];
371 	/*! This is to specify the 24bit LLC header if the LLC header's
372 	 *  mask is enabled.
373 	 */
374 	u32 llc;
375 	/*! The 48 bit MAC_SA field used to compare with extracted value. */
376 	u32 mac_sa[2];
377 	/*! The 48 bit MAC_DA field used to compare with extracted value. */
378 	u32 mac_da[2];
379 	/*! 0: this is to compare with non-LPBK packet
380 	 *  1: this is to compare with LPBK packet.
381 	 *  This value is used to compare with a controlled-tag which goes
382 	 *  with the packet when looped back from Egress port.
383 	 */
384 	u32 lpbk_packet;
385 	/*! The value of this bit mask will affects how the SC index and SA
386 	 *  index created.
387 	 *  2'b00: 1 SC has 4 SA.
388 	 *    SC index is equivalent to {SC_Index[4:2], 1'b0}.
389 	 *    SA index is equivalent to {SC_Index[4:2], SECTAG's AN[1:0]}
390 	 *    Here AN bits are not compared.
391 	 *  2'b10: 1 SC has 2 SA.
392 	 *    SC index is equivalent to SC_Index[4:1]
393 	 *    SA index is equivalent to {SC_Index[4:1], SECTAG's AN[0]}
394 	 *    Compare AN[1] field only
395 	 *  2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
396 	 *    SA index is equivalent to SC_Index[4:0]
397 	 *    AN[1:0] bits are compared.
398 	 *    NOTE: This design is to supports different usage of AN. User
399 	 *    can either ping-pong buffer 2 SA by using only the AN[0] bit.
400 	 *    Or use 4 SA per SC by use AN[1:0] bits. Or even treat each SA
401 	 *    as independent. i.e. AN[1:0] is just another matching pointer
402 	 *    to select SA.
403 	 */
404 	u32 an_mask;
405 	/*! This is bit mask to enable comparison the upper 6 bits TCI
406 	 *  field, which does not include the AN field.
407 	 *  0: don't compare
408 	 *  1: enable comparison of the bits.
409 	 */
410 	u32 tci_mask;
411 	/*! 0: don't care
412 	 *  1: enable comparison of SCI.
413 	 */
414 	u32 sci_mask;
415 	/*! Mask is per-byte.
416 	 *  0: don't care
417 	 *  1: enable comparison of Ethertype.
418 	 */
419 	u32 eth_type_mask;
420 	/*! Mask is per-byte.
421 	 *  0: don't care and no SNAP header exist.
422 	 *  1: compare the SNAP header.
423 	 *  If this bit is set to 1, the extracted filed will assume the
424 	 *  SNAP header exist as encapsulated in 802.3 (RFC 1042). I.E. the
425 	 *  next 5 bytes after the the LLC header is SNAP header.
426 	 */
427 	u32 snap_mask;
428 	/*! Mask is per-byte.
429 	 *  0: don't care and no LLC header exist.
430 	 *  1: compare the LLC header.
431 	 *  If this bit is set to 1, the extracted filed will assume the
432 	 *  LLC header exist as encapsulated in 802.3 (RFC 1042). I.E. the
433 	 *  next three bytes after the 802.3MAC header is LLC header.
434 	 */
435 	u32 llc_mask;
436 	/*! Reserved. This bit should be always 0. */
437 	u32 _802_2_encapsulate;
438 	/*! Mask is per-byte.
439 	 *  0: don't care
440 	 *  1: enable comparison of MAC_SA.
441 	 */
442 	u32 sa_mask;
443 	/*! Mask is per-byte.
444 	 *  0: don't care
445 	 *  1: enable comparison of MAC_DA.
446 	 */
447 	u32 da_mask;
448 	/*! 0: don't care
449 	 *  1: enable checking if this is loopback packet or not.
450 	 */
451 	u32 lpbk_mask;
452 	/*! If packet matches and tagged as controlled-packet. This SC/SA
453 	 *  index is used for later SC and SA table lookup.
454 	 */
455 	u32 sc_idx;
456 	/*! 0: the packets will be sent to MAC FIFO
457 	 *  1: The packets will be sent to Debug/Loopback FIFO.
458 	 *  If the above's action is drop. This bit has no meaning.
459 	 */
460 	u32 proc_dest;
461 	/*! 0: Process: Forward to next two modules for 802.1AE decryption.
462 	 *  1: Process but keep SECTAG: Forward to next two modules for
463 	 *     802.1AE decryption but keep the MACSEC header with added error
464 	 *     code information. ICV will be stripped for all control packets.
465 	 *  2: Bypass: Bypass the next two decryption modules but processed
466 	 *     by post-classification.
467 	 *  3: Drop: drop this packet and update counts accordingly.
468 	 */
469 	u32 action;
470 	/*! 0: This is a controlled-port packet if matched.
471 	 *  1: This is an uncontrolled-port packet if matched.
472 	 */
473 	u32 ctrl_unctrl;
474 	/*! Use the SCI value from the Table if 'SC' bit of the input
475 	 *  packet is not present.
476 	 */
477 	u32 sci_from_table;
478 	/*! Reserved. */
479 	u32 reserved;
480 	/*! 0: Not valid entry. This entry is not used
481 	 *  1: valid entry.
482 	 */
483 	u32 valid;
484 };
485 
486 /*! Represents the bitfields of a single row in the Ingress SC Lookup table. */
487 struct aq_mss_ingress_sc_record {
488 	/*! This is to specify when the SC was first used. Set by HW. */
489 	u32 stop_time;
490 	/*! This is to specify when the SC was first used. Set by HW. */
491 	u32 start_time;
492 	/*! 0: Strict
493 	 *  1: Check
494 	 *  2: Disabled.
495 	 */
496 	u32 validate_frames;
497 	/*! 1: Replay control enabled.
498 	 *  0: replay control disabled.
499 	 */
500 	u32 replay_protect;
501 	/*! This is to specify the window range for anti-replay. Default is 0.
502 	 *  0: is strict order enforcement.
503 	 */
504 	u32 anti_replay_window;
505 	/*! 0: when none of the SA related to SC has inUse set.
506 	 *  1: when either of the SA related to the SC has inUse set.
507 	 *  This bit is set by HW.
508 	 */
509 	u32 receiving;
510 	/*! 0: when hardware processed the SC for the first time, it clears
511 	 *     this bit
512 	 *  1: This bit is set by SW, when it sets up the SC.
513 	 */
514 	u32 fresh;
515 	/*! 0: The AN number will not automatically roll over if Next_PN is
516 	 *     saturated.
517 	 *  1: The AN number will automatically roll over if Next_PN is
518 	 *     saturated.
519 	 *  Rollover is valid only after expiry. Normal roll over between
520 	 *  SA's should be normal process.
521 	 */
522 	u32 an_rol;
523 	/*! Reserved. */
524 	u32 reserved;
525 	/*! 0: Invalid SC
526 	 *  1: Valid SC.
527 	 */
528 	u32 valid;
529 };
530 
531 /*! Represents the bitfields of a single row in the Ingress SA Lookup table. */
532 struct aq_mss_ingress_sa_record {
533 	/*! This is to specify when the SC was first used. Set by HW. */
534 	u32 stop_time;
535 	/*! This is to specify when the SC was first used. Set by HW. */
536 	u32 start_time;
537 	/*! This is updated by HW to store the expected NextPN number for
538 	 *  anti-replay.
539 	 */
540 	u32 next_pn;
541 	/*! The Next_PN number is going to wrapped around from 0XFFFF_FFFF
542 	 *  to 0. set by HW.
543 	 */
544 	u32 sat_nextpn;
545 	/*! 0: This SA is not yet used.
546 	 *  1: This SA is inUse.
547 	 */
548 	u32 in_use;
549 	/*! 0: when hardware processed the SC for the first time, it clears
550 	 *     this timer
551 	 *  1: This bit is set by SW, when it sets up the SC.
552 	 */
553 	u32 fresh;
554 	/*! Reserved. */
555 	u32 reserved;
556 	/*! 0: Invalid SA.
557 	 *  1: Valid SA.
558 	 */
559 	u32 valid;
560 };
561 
562 /*! Represents the bitfields of a single row in the Ingress SA Key
563  *  Lookup table.
564  */
565 struct aq_mss_ingress_sakey_record {
566 	/*! Key for AES-GCM processing. */
567 	u32 key[8];
568 	/*! AES key size
569 	 *  00 - 128bits
570 	 *  01 - 192bits
571 	 *  10 - 256bits
572 	 *  11 - reserved.
573 	 */
574 	u32 key_len;
575 };
576 
577 /*! Represents the bitfields of a single row in the Ingress Post-
578  *  MACSec Packet Classifier table.
579  */
580 struct aq_mss_ingress_postclass_record {
581 	/*! The 8 bit value used to compare with extracted value for byte 0. */
582 	u32 byte0;
583 	/*! The 8 bit value used to compare with extracted value for byte 1. */
584 	u32 byte1;
585 	/*! The 8 bit value used to compare with extracted value for byte 2. */
586 	u32 byte2;
587 	/*! The 8 bit value used to compare with extracted value for byte 3. */
588 	u32 byte3;
589 	/*! Ethertype in the packet. */
590 	u32 eth_type;
591 	/*! Ether Type value > 1500 (0x5dc). */
592 	u32 eth_type_valid;
593 	/*! VLAN ID after parsing. */
594 	u32 vlan_id;
595 	/*! VLAN priority after parsing. */
596 	u32 vlan_up;
597 	/*! Valid VLAN coding. */
598 	u32 vlan_valid;
599 	/*! SA index. */
600 	u32 sai;
601 	/*! SAI hit, i.e. controlled packet. */
602 	u32 sai_hit;
603 	/*! Mask for payload ethertype field. */
604 	u32 eth_type_mask;
605 	/*! 0~63: byte location used extracted by packets comparator, which
606 	 *  can be anything from the first 64 bytes of the MAC packets.
607 	 *  This byte location counted from MAC' DA address. i.e. set to 0
608 	 *  will point to byte 0 of DA address.
609 	 */
610 	u32 byte3_location;
611 	/*! Mask for Byte Offset 3. */
612 	u32 byte3_mask;
613 	/*! 0~63: byte location used extracted by packets comparator, which
614 	 *  can be anything from the first 64 bytes of the MAC packets.
615 	 *  This byte location counted from MAC' DA address. i.e. set to 0
616 	 *  will point to byte 0 of DA address.
617 	 */
618 	u32 byte2_location;
619 	/*! Mask for Byte Offset 2. */
620 	u32 byte2_mask;
621 	/*! 0~63: byte location used extracted by packets comparator, which
622 	 *  can be anything from the first 64 bytes of the MAC packets.
623 	 *  This byte location counted from MAC' DA address. i.e. set to 0
624 	 *  will point to byte 0 of DA address.
625 	 */
626 	u32 byte1_location;
627 	/*! Mask for Byte Offset 1. */
628 	u32 byte1_mask;
629 	/*! 0~63: byte location used extracted by packets comparator, which
630 	 *  can be anything from the first 64 bytes of the MAC packets.
631 	 *  This byte location counted from MAC' DA address. i.e. set to 0
632 	 *  will point to byte 0 of DA address.
633 	 */
634 	u32 byte0_location;
635 	/*! Mask for Byte Offset 0. */
636 	u32 byte0_mask;
637 	/*! Mask for Ethertype valid field. Indicates 802.3 vs. Other. */
638 	u32 eth_type_valid_mask;
639 	/*! Mask for VLAN ID field. */
640 	u32 vlan_id_mask;
641 	/*! Mask for VLAN UP field. */
642 	u32 vlan_up_mask;
643 	/*! Mask for VLAN valid field. */
644 	u32 vlan_valid_mask;
645 	/*! Mask for SAI. */
646 	u32 sai_mask;
647 	/*! Mask for SAI_HIT. */
648 	u32 sai_hit_mask;
649 	/*! Action if only first level matches and second level does not.
650 	 *  0: pass
651 	 *  1: drop (fail).
652 	 */
653 	u32 firstlevel_actions;
654 	/*! Action if both first and second level matched.
655 	 *  0: pass
656 	 *  1: drop (fail).
657 	 */
658 	u32 secondlevel_actions;
659 	/*! Reserved. */
660 	u32 reserved;
661 	/*! 0: Not valid entry. This entry is not used
662 	 *  1: valid entry.
663 	 */
664 	u32 valid;
665 };
666 
667 /*! Represents the bitfields of a single row in the Ingress Post-
668  *  MACSec CTL Filter table.
669  */
670 struct aq_mss_ingress_postctlf_record {
671 	/*! This is used to store the 48 bit value used to compare SA, DA
672 	 *  or halfDA+half SA value.
673 	 */
674 	u32 sa_da[2];
675 	/*! This is used to store the 16 bit ethertype value used for
676 	 *  comparison.
677 	 */
678 	u32 eth_type;
679 	/*! The match mask is per-nibble. 0 means don't care, i.e. every
680 	 *  value will match successfully. The total data is 64 bit, i.e.
681 	 *  16 nibbles masks.
682 	 */
683 	u32 match_mask;
684 	/*! 0: No compare, i.e. This entry is not used
685 	 *  1: compare DA only
686 	 *  2: compare SA only
687 	 *  3: compare half DA + half SA
688 	 *  4: compare ether type only
689 	 *  5: compare DA + ethertype
690 	 *  6: compare SA + ethertype
691 	 *  7: compare DA+ range.
692 	 */
693 	u32 match_type;
694 	/*! 0: Bypass the remaining modules if matched.
695 	 *  1: Forward to next module for more classifications.
696 	 */
697 	u32 action;
698 };
699 
700 /*! Represents the Egress MIB counters for a single SC. Counters are
701  *  64 bits, lower 32 bits in field[0].
702  */
703 struct aq_mss_egress_sc_counters {
704 	/*! The number of integrity protected but not encrypted packets
705 	 *  for this transmitting SC.
706 	 */
707 	u32 sc_protected_pkts[2];
708 	/*! The number of integrity protected and encrypted packets for
709 	 *  this transmitting SC.
710 	 */
711 	u32 sc_encrypted_pkts[2];
712 	/*! The number of plain text octets that are integrity protected
713 	 *  but not encrypted on the transmitting SC.
714 	 */
715 	u32 sc_protected_octets[2];
716 	/*! The number of plain text octets that are integrity protected
717 	 *  and encrypted on the transmitting SC.
718 	 */
719 	u32 sc_encrypted_octets[2];
720 };
721 
722 /*! Represents the Egress MIB counters for a single SA. Counters are
723  *  64 bits, lower 32 bits in field[0].
724  */
725 struct aq_mss_egress_sa_counters {
726 	/*! The number of dropped packets for this transmitting SA. */
727 	u32 sa_hit_drop_redirect[2];
728 	/*! TODO */
729 	u32 sa_protected2_pkts[2];
730 	/*! The number of integrity protected but not encrypted packets
731 	 *  for this transmitting SA.
732 	 */
733 	u32 sa_protected_pkts[2];
734 	/*! The number of integrity protected and encrypted packets for
735 	 *  this transmitting SA.
736 	 */
737 	u32 sa_encrypted_pkts[2];
738 };
739 
740 /*! Represents the common Egress MIB counters; the counter not
741  *  associated with a particular SC/SA. Counters are 64 bits, lower 32
742  *  bits in field[0].
743  */
744 struct aq_mss_egress_common_counters {
745 	/*! The number of transmitted packets classified as MAC_CTL packets. */
746 	u32 ctl_pkt[2];
747 	/*! The number of transmitted packets that did not match any rows
748 	 *  in the Egress Packet Classifier table.
749 	 */
750 	u32 unknown_sa_pkts[2];
751 	/*! The number of transmitted packets where the SC table entry has
752 	 *  protect=0 (so packets are forwarded unchanged).
753 	 */
754 	u32 untagged_pkts[2];
755 	/*! The number of transmitted packets discarded because the packet
756 	 *  length is greater than the ifMtu of the Common Port interface.
757 	 */
758 	u32 too_long[2];
759 	/*! The number of transmitted packets for which table memory was
760 	 *  affected by an ECC error during processing.
761 	 */
762 	u32 ecc_error_pkts[2];
763 	/*! The number of transmitted packets for where the matched row in
764 	 *  the Egress Packet Classifier table has action=drop.
765 	 */
766 	u32 unctrl_hit_drop_redir[2];
767 };
768 
769 /*! Represents the Ingress MIB counters for a single SA. Counters are
770  *  64 bits, lower 32 bits in field[0].
771  */
772 struct aq_mss_ingress_sa_counters {
773 	/*! For this SA, the number of received packets without a SecTAG. */
774 	u32 untagged_hit_pkts[2];
775 	/*! For this SA, the number of received packets that were dropped. */
776 	u32 ctrl_hit_drop_redir_pkts[2];
777 	/*! For this SA which is not currently in use, the number of
778 	 *  received packets that have been discarded, and have either the
779 	 *  packets encrypted or the matched row in the Ingress SC Lookup
780 	 *  table has validate_frames=Strict.
781 	 */
782 	u32 not_using_sa[2];
783 	/*! For this SA which is not currently in use, the number of
784 	 *  received, unencrypted, packets with the matched row in the
785 	 *  Ingress SC Lookup table has validate_frames!=Strict.
786 	 */
787 	u32 unused_sa[2];
788 	/*! For this SA, the number discarded packets with the condition
789 	 *  that the packets are not valid and one of the following
790 	 *  conditions are true: either the matched row in the Ingress SC
791 	 *  Lookup table has validate_frames=Strict or the packets
792 	 *  encrypted.
793 	 */
794 	u32 not_valid_pkts[2];
795 	/*! For this SA, the number of packets with the condition that the
796 	 *  packets are not valid and the matched row in the Ingress SC
797 	 *  Lookup table has validate_frames=Check.
798 	 */
799 	u32 invalid_pkts[2];
800 	/*! For this SA, the number of validated packets. */
801 	u32 ok_pkts[2];
802 	/*! For this SC, the number of received packets that have been
803 	 *  discarded with the condition: the matched row in the Ingress
804 	 *  SC Lookup table has replay_protect=1 and the PN of the packet
805 	 *  is lower than the lower bound replay check PN.
806 	 */
807 	u32 late_pkts[2];
808 	/*! For this SA, the number of packets with the condition that the
809 	 *  PN of the packets is lower than the lower bound replay
810 	 *  protection PN.
811 	 */
812 	u32 delayed_pkts[2];
813 	/*! For this SC, the number of packets with the following condition:
814 	 *  - the matched row in the Ingress SC Lookup table has
815 	 *    replay_protect=0 or
816 	 *  - the matched row in the Ingress SC Lookup table has
817 	 *    replay_protect=1 and the packet is not encrypted and the
818 	 *    integrity check has failed or
819 	 *  - the matched row in the Ingress SC Lookup table has
820 	 *    replay_protect=1 and the packet is encrypted and integrity
821 	 *    check has failed.
822 	 */
823 	u32 unchecked_pkts[2];
824 	/*! The number of octets of plaintext recovered from received
825 	 *  packets that were integrity protected but not encrypted.
826 	 */
827 	u32 validated_octets[2];
828 	/*! The number of octets of plaintext recovered from received
829 	 *  packets that were integrity protected and encrypted.
830 	 */
831 	u32 decrypted_octets[2];
832 };
833 
834 /*! Represents the common Ingress MIB counters; the counter not
835  *  associated with a particular SA. Counters are 64 bits, lower 32
836  *  bits in field[0].
837  */
838 struct aq_mss_ingress_common_counters {
839 	/*! The number of received packets classified as MAC_CTL packets. */
840 	u32 ctl_pkts[2];
841 	/*! The number of received packets with the MAC security tag
842 	 *  (SecTAG), not matching any rows in the Ingress Pre-MACSec
843 	 *  Packet Classifier table.
844 	 */
845 	u32 tagged_miss_pkts[2];
846 	/*! The number of received packets without the MAC security tag
847 	 *  (SecTAG), not matching any rows in the Ingress Pre-MACSec
848 	 *  Packet Classifier table.
849 	 */
850 	u32 untagged_miss_pkts[2];
851 	/*! The number of received packets discarded without the MAC
852 	 *  security tag (SecTAG) and with the matched row in the Ingress
853 	 *  SC Lookup table having validate_frames=Strict.
854 	 */
855 	u32 notag_pkts[2];
856 	/*! The number of received packets without the MAC security tag
857 	 *  (SecTAG) and with the matched row in the Ingress SC Lookup
858 	 *  table having validate_frames!=Strict.
859 	 */
860 	u32 untagged_pkts[2];
861 	/*! The number of received packets discarded with an invalid
862 	 *  SecTAG or a zero value PN or an invalid ICV.
863 	 */
864 	u32 bad_tag_pkts[2];
865 	/*! The number of received packets discarded with unknown SCI
866 	 *  information with the condition:
867 	 *  the matched row in the Ingress SC Lookup table has
868 	 *  validate_frames=Strict or the C bit in the SecTAG is set.
869 	 */
870 	u32 no_sci_pkts[2];
871 	/*! The number of received packets with unknown SCI with the condition:
872 	 *  The matched row in the Ingress SC Lookup table has
873 	 *  validate_frames!=Strict and the C bit in the SecTAG is not set.
874 	 */
875 	u32 unknown_sci_pkts[2];
876 	/*! The number of received packets by the controlled port service
877 	 *  that passed the Ingress Post-MACSec Packet Classifier table
878 	 *  check.
879 	 */
880 	u32 ctrl_prt_pass_pkts[2];
881 	/*! The number of received packets by the uncontrolled port
882 	 *  service that passed the Ingress Post-MACSec Packet Classifier
883 	 *  table check.
884 	 */
885 	u32 unctrl_prt_pass_pkts[2];
886 	/*! The number of received packets by the controlled port service
887 	 *  that failed the Ingress Post-MACSec Packet Classifier table
888 	 *  check.
889 	 */
890 	u32 ctrl_prt_fail_pkts[2];
891 	/*! The number of received packets by the uncontrolled port
892 	 *  service that failed the Ingress Post-MACSec Packet Classifier
893 	 *  table check.
894 	 */
895 	u32 unctrl_prt_fail_pkts[2];
896 	/*! The number of received packets discarded because the packet
897 	 *  length is greater than the ifMtu of the Common Port interface.
898 	 */
899 	u32 too_long_pkts[2];
900 	/*! The number of received packets classified as MAC_CTL by the
901 	 *  Ingress Post-MACSec CTL Filter table.
902 	 */
903 	u32 igpoc_ctl_pkts[2];
904 	/*! The number of received packets for which table memory was
905 	 *  affected by an ECC error during processing.
906 	 */
907 	u32 ecc_error_pkts[2];
908 	/*! The number of received packets by the uncontrolled port
909 	 *  service that were dropped.
910 	 */
911 	u32 unctrl_hit_drop_redir[2];
912 };
913 
914 #endif
915