MACsec Overview
The IEEE 802.1AE MACsec standard and its amendments provide the infrastructure for secure L2 network communication, offering authentication and confidentiality of the data communicated between two peers on the network.
-
Authentication only, no confidentiality
-
Either GCM-AES-128 or GCM-AES-256 at a time
-
32-bit Packet number and does not support Extended Packet Number (64-bit PN)
NvMACsec is enabled by default in the ethernet DT variable “nvidia,macsec-enable = <0x1>”. When enabled, ethernet MTU size is reduced by 34 bytes to accommodate MACsec related headers.
nv_macsec_wpa_supplicant -i <interface_name> -D nv_macsec -c nv_wpa_supplicant_macsec.conf &
eqos_1_09: eqos_1_09 {
cmd = "iolauncher -U 3333:3333,3660,3500,3350,3775,3640,2280,3000,2281,2282,2283,3780,3790,6025,6026,40002,40006,40007,45011,45037,45057,45066,45071,45040,40037,45112 --secpol-type supplicant_launch_t --set-var SOCK=/eqos_1 nv_macsec_wpa_supplicant -i eqos_1 -D nv_macsec -c /etc/nv_wpa_supplicant_macsec_template.conf";
sc7 = "restart";
critical_process = "no";
heartbeat = "no";
oneshot = "no";
};
eapol_version=3
ap_scan=0
network={
key_mgmt=NONE
eapol_flags=0
mka_priority=16
macsec_policy=1
macsec_integ_only=1
macsec_cak_len=16
mka_cak_pkcs_id=MACSEC_CAK_eqos_0
mka_ckn=112233445566778899AABBCCDDEEFF112233445566778899AABBCCDDEEFF1122
}
key_mgmt: Don’t change the default value
eapol_flags: Don’t change the default value
mka_priority : It is the MKA key server priority. Lower the value, higher is the key server priority.
macsec_policy: Flag to enable or disable MACsec. Make sure to set it to 1 for MACsec to be enabled.
macsec_integ_only: Flag to specify if encryption/integrity check to be enabled only. Orin doesn’t support encryption. Make sure to set it to 1 for Nvmacsec.
macsec_cak_len: Length of the CAK in bytes programmed in secure storage.
mka_cak_pkcs_id: PKCS ID used while programming the CAK in secure storage. The NvMACsec will retrieve CAK handle from securely stored CAK using pkcs11 api’s. Details on programing the CAK to secure storage can be referred from “Provisioning PKCS#11 Key Objects” section under “Understanding Security” chapter of PDK.
mka_ckn: Any 32 byte network name used while forming the SC.
macsec_cs_index: If the DUT is the key server this parameter is used to decide the cipher suite. This parameter 0 is configured to 0 to select GCM_AES_128, 1 to select GCM_AES_256
macsec_pn_exhaustion: If the DUT is the key server this parameter is used to program the number of frames after which Re-Keying needs to be initiated.
msg.i.dcmd= SIOCGDRVSPEC
ifd.ifd_cmd = NV_MACSEC_DBG_CMD_READ_IRQ_STATS
macro in
nv_macsec.h
for error stats of MACSEC.
/** Tx debug buffer capture done */
nveu64_t tx_dbg_capture_done;
/** Tx MTU check failed */
nveu64_t tx_mtu_check_fail;
/** Tx MAC CRC err */
nveu64_t tx_mac_crc_error;
/** Tx SC AN not valid */
nveu64_t tx_sc_an_not_valid;
/** Tx AES GCM buffer overflow */
nveu64_t tx_aes_gcm_buf_ovf;
/** Tx LUT lookup miss */
nveu64_t tx_lkup_miss;
/** Tx uninitialized key slot */
nveu64_t tx_uninit_key_slot;
/** Tx PN threshold reached */
nveu64_t tx_pn_threshold;
/** Tx PN exhausted */
nveu64_t tx_pn_exhausted;
/** Tx debug buffer capture done */
nveu64_t rx_dbg_capture_done;
/** Rx ICV error threshold */
nveu64_t rx_icv_err_threshold;
/** Rx replay error */
nveu64_t rx_replay_error;
/** Rx MTU check failed */
nveu64_t rx_mtu_check_fail;
/** Rx MAC CRC err */
nveu64_t rx_mac_crc_error;
/** Rx AES GCM buffer overflow */
nveu64_t rx_aes_gcm_buf_ovf;
/** Rx LUT lookup miss */
nveu64_t rx_lkup_miss;
/** Rx uninitialized key slot */
nveu64_t rx_uninit_key_slot;
/** Rx PN exhausted */
nveu64_t rx_pn_exhausted;
/** Secure reg violation */
nveu64_t secure_reg_viol;
ifd.ifd_cmd = NV_MACSEC_DBG_CMD_READ_MMC_CNTRS
macro in
nv_macsec.h
for functional stats of MACsec.
/** This counter provides the number of controller port macsec
* untaged packets */
nveul64_t rx_pkts_no_tag;
/** This counter provides the number of controller port macsec
* untaged packets validateFrame != strict */
nveul64_t rx_pkts_untagged;
/** This counter provides the number of invalid tag or icv packets */
nveul64_t rx_pkts_bad_tag;
/** This counter provides the number of no sc lookup hit or sc match
* packets */
nveul64_t rx_pkts_no_sa_err;
/** This counter provides the number of no sc lookup hit or sc match
* packets validateFrame != strict */
nveul64_t rx_pkts_no_sa;
/** This counter provides the number of late packets
*received PN < lowest PN */
nveul64_t rx_pkts_late[16];
/** This counter provides the number of overrun packets */
nveul64_t rx_pkts_overrun;
/** This counter provides the number of octets after IVC passing */
nveul64_t rx_octets_validated;
/** This counter provides the number not valid packets */
nveul64_t rx_pkts_not_valid[16];
/** This counter provides the number of invalid packets */
nveul64_t in_pkts_invalid[16];
/** This counter provides the number of in packet delayed */
nveul64_t rx_pkts_delayed[16];
/** This counter provides the number of in packets un checked */
nveul64_t rx_pkts_unchecked[16];
/** This counter provides the number of in packets ok */
nveul64_t rx_pkts_ok[16];
/** This counter provides the number of out packets untaged */
nveul64_t tx_pkts_untaged;
/** This counter provides the number of out too long */
nveul64_t tx_pkts_too_long;
/** This counter provides the number of out packets protected */
nveul64_t tx_pkts_protected[16];
/** This counter provides the number of out octets protected */
nveul64_t tx_octets_protected;
sessionSetup: C_FindObjects failed, 0x0
nvpkcs_session_setup: sessionSetup failed, 0x6
KaY-ieee802_1x_kay_create_mka: nvpkcs_session_setup() failed.