
[iproute2]: Add macsec-xpn-support iproute2 in syncd #8702


Merged
merged 6 commits into from
Nov 25, 2021
Merged
3 changes: 2 additions & 1 deletion platform/vs/docker-sonic-vs.mk
Expand Up @@ -13,7 +13,8 @@ $(DOCKER_SONIC_VS)_DEPENDS += $(SWSS) \
$(LIBYANG_CPP) \
$(LIBYANG_PY3) \
$(SONIC_UTILITIES_DATA) \
$(SONIC_HOST_SERVICES_DATA)
$(SONIC_HOST_SERVICES_DATA) \
$(IPROUTE2)

# swsssdk is a dependency of sonic-py-common
# TODO: sonic-py-common should depend on swsscommon instead
3 changes: 2 additions & 1 deletion platform/vs/docker-syncd-vs.mk
Expand Up @@ -3,7 +3,8 @@
DOCKER_SYNCD_PLATFORM_CODE = vs
include $(PLATFORM_PATH)/../template/docker-syncd-base.mk

$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS)
$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS) \
$(IPROUTE2)

$(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_VS_DBG) \
$(LIBSWSSCOMMON_DBG) \
4 changes: 2 additions & 2 deletions platform/vs/docker-syncd-vs/Dockerfile.j2
Expand Up @@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update

RUN apt-get install -f -y iproute2 libcap2-bin
RUN apt-get install -f -y libcap2-bin

COPY \
{% for deb in docker_syncd_vs_debs.split(' ') -%}
Expand All @@ -20,7 +20,7 @@ debs/
RUN dpkg -i \
{% for deb in docker_syncd_vs_debs.split(' ') -%}
debs/{{ deb }}{{' '}}
{%- endfor %}
{%- endfor %} || apt-get install -f -y

COPY ["start.sh", "/usr/bin/"]

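Review bot: The `|| apt-get install -f -y` appended to the `dpkg -i` line turns any dpkg failure into a best-effort repair, so a broken or conflicting local `.deb` no longer fails the build, and the image may end up with whatever iproute2 apt resolves from the configured mirror instead of the XPN-patched package this PR builds. Since the distro `iproute2` was deliberately dropped from the `apt-get install -f -y libcap2-bin` line above, the build should fail loudly if the locally built package is not the one installed: something like `RUN dpkg -s iproute2 | grep -qx 'Version: {{ iproute2_version_full }}'` after the install, with the version passed through the template (rules/iproute2.mk now exports `IPROUTE2_VERSION_FULL`, which looks intended for exactly that). At minimum the `dpkg -i` line deserves a comment naming which of the copied debs are expected to need `apt-get install -f` and why, so the fallback is not read as "ignore install errors". The `-f` left on the `libcap2-bin` line is presumably inherited from the original and is harmless.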
8 changes: 6 additions & 2 deletions rules/iproute2.mk
@@ -1,7 +1,11 @@
# iproute2 package

IPROUTE2_VERSION = 4.9.0-1
IPROUTE2_VERSION = 5.10.0
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-4~bpo10+1

IPROUTE2 = iproute2_$(IPROUTE2_VERSION)_$(CONFIGURED_ARCH).deb
export IPROUTE2_VERSION
export IPROUTE2_VERSION_FULL

IPROUTE2 = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
$(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2
SONIC_MAKE_DEBS += $(IPROUTE2)
6 changes: 6 additions & 0 deletions sonic-slave-buster/Dockerfile.j2
Expand Up @@ -356,6 +356,12 @@ RUN apt-get update && apt-get install -y \
libsystemd-dev \
pkg-config

# For iproute2
RUN apt-get install -y -t buster-backports \
libbpf-dev \
dwz \
debhelper

RUN apt-get -y build-dep openssh

# Build fix for ARMHF buster libsairedis
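Review bot: The new `RUN apt-get install -y -t buster-backports libbpf-dev dwz debhelper` installs the backports `debhelper` and `dwz` for every package built in this slave, not only iproute2, and the comment `# For iproute2` does not say so. I'd extend it to `# iproute2 5.10 backport needs newer build-deps; debhelper/dwz from backports become slave-wide` so the toolchain change reads as deliberate, and consider pinning the versions (`debhelper=<version>`) so the slave build does not track whatever buster-backports serves on the day. This RUN has no `apt-get update` of its own and relies on the lists fetched by the `RUN apt-get update && apt-get install -y` layer at the top of this hunk, which is fine as long as the two stay adjacent.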
1 change: 1 addition & 0 deletions src/iproute2/.gitignore
@@ -1,3 +1,4 @@
*
!.gitignore
!Makefile
!patch/*
12 changes: 6 additions & 6 deletions src/iproute2/Makefile
Expand Up @@ -2,21 +2,21 @@ SHELL = /bin/bash
.ONESHELL:
.SHELLFLAGS += -e

IPROUTE2_VERSION = 4.9.0
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-1

MAIN_TARGET = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb

$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
# Remove any stale files
rm -rf iproute2-$(IPROUTE2_VERSION)

wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0.orig.tar.xz?sv=2015-04-05&sr=b&sig=9nvybd1xkXyRQbaG6Fy6wBazPA8IbZV0AO41GWXPEP8%3D&se=2154-10-23T11%3A59%3A00Z&sp=r"
wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.dsc?sv=2015-04-05&sr=b&sig=m6FcMH9dOh8ggipBgOsONiXvDxoi6bfUO%2BxvidsMNMQ%3D&se=2154-10-23T11%3A59%3A53Z&sp=r"
wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.debian.tar.xz?sv=2015-04-05&sr=b&sig=U5NFuwG5C3vZXlUUNvoPMnKDtMKk66zbweA9rQYbEVY%3D&se=2154-10-23T12%3A00%3A15Z&sp=r"
wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION).orig.tar.xz
wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).dsc
wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz

http://deb.debian.org

@xumia, for reproducible build, do we still need to manually backup the downloaded files to sonicstorage?


Not necessary, it will upload the package automatically.

dpkg-source -x iproute2_$(IPROUTE2_VERSION_FULL).dsc

pushd iproute2-$(IPROUTE2_VERSION)

patch -p1 < ../patch/0001-patch-macsec-xpn-support.patch

dpkg-buildpackage -us -uc -b -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
popd

Expand Down
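Review bot: The three `wget` lines now fetch the `.orig.tar.xz`, `.dsc` and `.debian.tar.xz` over plain `http://deb.debian.org` and feed them straight into `dpkg-source -x` and `dpkg-buildpackage`, with nothing pinning what was downloaded. `dpkg-source -x` does check the two tarballs against the checksums in the `.dsc`, but the `.dsc` arrives over the same unauthenticated channel, so an on-path party or a bad mirror can serve a consistent set of all three, and by default dpkg-source only warns when it cannot verify the `.dsc` signature. Switch the URLs to `https://` and either pin the `.dsc`, e.g. `echo "<sha256>  iproute2_$(IPROUTE2_VERSION_FULL).dsc" | sha256sum -c` before the extract, or use `dpkg-source --require-valid-signature -x ...` with the Debian keyring installed in the slave. The previous SAS-token URLs had the same gap, so this is not a regression, but a source build that applies a crypto patch is exactly the place to close it.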
213 changes: 213 additions & 0 deletions src/iproute2/patch/0001-patch-macsec-xpn-support.patch
@@ -0,0 +1,213 @@
From f1ea3235b5250dfd1193b5033620b030b9789fd9 Mon Sep 17 00:00:00 2001
From: Ze Gan <[email protected]>
Date: Mon, 30 Aug 2021 06:45:28 +0000
Subject: [PATCH] MACsec XPN support
@qiluo-msft qiluo-msft Sep 9, 2021


Did you submit this patch to upstream? #Pending


No, I just generated this patch from my private repo. Is that the right way to do it?


Just a recommendation. If the feature is useful in general, you may collect more feedback there.


Sure, I will do that, but I think it will take a long time to get my change merged upstream and then backported into Debian.


Signed-off-by: Ze Gan <[email protected]>
---
ip/ipmacsec.c | 86 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 74 insertions(+), 12 deletions(-)

diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 18289ecd..1df19bf1 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -10,6 +10,7 @@
*/

#include <stdio.h>
+#include <inttypes.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
@@ -23,6 +24,8 @@
#include "ll_map.h"
#include "libgenl.h"

+#define MACSEC_SALT_LEN 12
+
static const char * const values_on_off[] = { "off", "on" };

static const char * const validate_str[] = {
@@ -45,11 +48,13 @@ struct sci {

struct sa_desc {
__u8 an;
- __u32 pn;
+ __u64 pn;
__u8 key_id[MACSEC_KEYID_LEN];
__u32 key_len;
__u8 key[MACSEC_MAX_KEY_LEN];
__u8 active;
+ __u32 ssci;
+ __u8 salt[MACSEC_SALT_LEN];
};

struct cipher_args {
@@ -88,7 +93,7 @@ static int genl_family = -1;
static void ipmacsec_usage(void)
{
fprintf(stderr,
- "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n"
+ "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] [ ssci SSCI salt SALT] key ID KEY\n"
" ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n"
" ip macsec del DEV tx sa { 0..3 }\n"
" ip macsec add DEV rx SCI [ on | off ]\n"
@@ -100,10 +105,12 @@ static void ipmacsec_usage(void)
" ip macsec show\n"
" ip macsec show DEV\n"
" ip macsec offload DEV [ off | phy | mac ]\n"
- "where OPTS := [ pn <u32> ] [ on | off ]\n"
+ "where OPTS := [ pn <u64> ] [ on | off ]\n"
" ID := 128-bit hex string\n"
" KEY := 128-bit or 256-bit hex string\n"
- " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n");
+ " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n"
+ " SSCI := <u32>\n"
+ " SALT := 96-bit hex string\n");

exit(-1);
}
@@ -198,7 +205,7 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
if (sa->pn != 0)
duparg2("pn", "pn");
NEXT_ARG();
- ret = get_u32(&sa->pn, *argv, 0);
+ ret = get_u64(&sa->pn, *argv, 0);
if (ret)
invarg("expected pn", *argv);
if (sa->pn == 0)
@@ -224,6 +231,22 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
duparg2("on/off", "off");
sa->active = false;
active_set = true;
+ } else if (strcmp(*argv, "ssci") == 0) {
+ if (sa->ssci != 0)
+ duparg2("ssci", "ssci");
+ NEXT_ARG();
+ ret = get_u32(&sa->ssci, *argv, 0);
+ if (ret)
+ invarg("expected ssci", *argv);
+ if (sa->ssci == 0)
+ invarg("expected ssci != 0", *argv);
+ } else if (strcmp(*argv, "salt") == 0) {
+ unsigned int len;
+
+ NEXT_ARG();
+ if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN,
+ &len))
+ invarg("expected salt", *argv);
} else {
fprintf(stderr, "macsec: unknown command \"%s\"?\n",
*argv);
@@ -413,9 +436,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an);

if (c != CMD_DEL) {
- if (sa->pn)
- addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
- sa->pn);
+ if (sa->pn) {
+ if (sa->ssci == 0) {
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
+ sa->pn);
+ } else {
+ addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
+ sa->pn);
+ }
+ }

if (sa->key_len) {
addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID,
@@ -428,6 +457,13 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
addattr8(&req.n, MACSEC_BUFLEN,
MACSEC_SA_ATTR_ACTIVE, sa->active);
}
+
+ if (sa->ssci != 0) {
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
+ sa->ssci);
+ addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
+ sa->salt, MACSEC_SALT_LEN);
+ }
}

addattr_nest_end(&req.n, attr_sa);
@@ -456,6 +492,11 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa)
fprintf(stderr, "cannot change key on SA\n");
return -1;
}
+
+ if (sa->ssci) {
+ fprintf(stderr, "cannot change SSCI on SA\n");
+ return -1;
+ }
}

return 0;
@@ -637,6 +678,8 @@ static void print_key(struct rtattr *key)

#define CIPHER_NAME_GCM_AES_128 "GCM-AES-128"
#define CIPHER_NAME_GCM_AES_256 "GCM-AES-256"
+#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128"
+#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256"
#define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128

static const char *cs_id_to_name(__u64 cid)
@@ -649,6 +692,10 @@ static const char *cs_id_to_name(__u64 cid)
return CIPHER_NAME_GCM_AES_128;
case MACSEC_CIPHER_ID_GCM_AES_256:
return CIPHER_NAME_GCM_AES_256;
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
+ return CIPHER_NAME_GCM_AES_XPN_128;
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
+ return CIPHER_NAME_GCM_AES_XPN_256;
default:
return "(unknown)";
}
@@ -897,13 +944,22 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
print_string(PRINT_FP, NULL, "%s", prefix);
print_uint(PRINT_ANY, "an", "%d:",
rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
- print_uint(PRINT_ANY, "pn", " PN %u,",
- rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
+ if (!sa_attr[MACSEC_SA_ATTR_SSCI]) {
+ print_uint(PRINT_ANY, "pn", " PN %u,",
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
+ } else {
+ print_uint(PRINT_ANY, "pn", " PN %" PRIu64 ",",
+ rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
+ }

print_bool(PRINT_JSON, "active", NULL, state);
print_string(PRINT_FP, NULL,
" state %s,", state ? "on" : "off");
print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
+ if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
+ print_uint(PRINT_ANY, "ssci", " SSCI %u,",
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI]));
+ }

print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
close_json_object();
@@ -1322,9 +1378,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
else if (strcmp(*argv, "gcm-aes-256") == 0 ||
strcmp(*argv, "GCM-AES-256") == 0)
cipher.id = MACSEC_CIPHER_ID_GCM_AES_256;
+ else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 ||
+ strcmp(*argv, "GCM-AES-XPN-128") == 0)
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128;
+ else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 ||
+ strcmp(*argv, "GCM-AES-XPN-256") == 0)
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256;
else
- invarg("expected: default, gcm-aes-128 or"
- " gcm-aes-256", *argv);
+ invarg("expected: default, gcm-aes-128"
+ " gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256", *argv);
} else if (strcmp(*argv, "icvlen") == 0) {
NEXT_ARG();
if (cipher.icv_len)
--
2.17.1
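Review bot: In the new `salt` branch of `parse_sa_args` the byte count that `hexstring_a2n` reports is stored in `len` and then ignored, so a salt shorter than the 96 bits the usage text promises is accepted and the tail of `sa->salt` is sent as whatever the struct already held. Nothing ties `salt` to `ssci` either: `do_modify_nl` only emits `MACSEC_SA_ATTR_SALT` when `sa->ssci != 0`, so `salt` without `ssci` is silently dropped and `ssci` without `salt` sends an all-zero salt, which the kernel presumably accepts as long as the length is right. Both should be rejected at parse time as below; the `salt_set` flag needs a local declared at the top of `parse_sa_args` and the pairing check belongs after the option loop, both of which lie outside this hunk. Separately, the XPN branch of `print_tx_sc` passes a 64-bit PN to `print_uint` with a `%" PRIu64` format; if I read iproute2's `json_print.h` right `print_uint` takes an `unsigned int`, so the upper half is truncated and the format no longer matches its argument, and `print_u64(PRINT_ANY, "pn", " PN %" PRIu64 ",", rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]))` is the 64-bit variant. The non-XPN `addattr32` path in `do_modify_nl` likewise truncates `sa->pn` silently now that it is a `__u64`; a `pn` above `UINT32_MAX` given without `ssci` should be an `invarg`.

```c
		} else if (strcmp(*argv, "salt") == 0) {
			unsigned int len;

			NEXT_ARG();
			if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN,
					   &len))
				invarg("expected salt", *argv);
			/* a short hex string would leave the tail of the
			 * 96-bit XPN salt unset; insist on the full length */
			if (len != MACSEC_SALT_LEN)
				invarg("expected 96-bit salt", *argv);
			salt_set = true;
		} else {
		/* … unchanged: unknown-option error, rest of option loop … */

	/* after the option loop: XPN needs both ssci and salt, or neither */
	if ((sa->ssci != 0) != salt_set)
		invarg("ssci and salt must be given together",
		       salt_set ? "salt" : "ssci");
```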