From ada0e502184480837b1310ffe843d351f4882ab3 Mon Sep 17 00:00:00 2001 From: Ze Gan Date: Thu, 25 Nov 2021 21:38:17 +0800 Subject: [PATCH] [iproute2]: Add macsec-xpn-support iproute2 in syncd (#8702) * Add macsec-xpn-support iproute2 in syncd Signed-off-by: Ze Gan * Polish code Signed-off-by: Ze Gan * Remove useless files Signed-off-by: Ze Gan * Add self-compiled iproute2 to docker sonic vs Signed-off-by: Ze Gan * Enhance apt install for iproute2 dependencies Signed-off-by: Ze Gan --- platform/vs/docker-sonic-vs.mk | 3 +- platform/vs/docker-syncd-vs.mk | 3 +- platform/vs/docker-syncd-vs/Dockerfile.j2 | 4 +- rules/iproute2.mk | 8 +- sonic-slave-buster/Dockerfile.j2 | 6 + src/iproute2/.gitignore | 1 + src/iproute2/Makefile | 12 +- .../patch/0001-patch-macsec-xpn-support.patch | 213 ++++++++++++++++++ 8 files changed, 238 insertions(+), 12 deletions(-) create mode 100644 src/iproute2/patch/0001-patch-macsec-xpn-support.patch diff --git a/platform/vs/docker-sonic-vs.mk b/platform/vs/docker-sonic-vs.mk index 5d50d24094..400d57c76d 100644 --- a/platform/vs/docker-sonic-vs.mk +++ b/platform/vs/docker-sonic-vs.mk @@ -13,7 +13,8 @@ $(DOCKER_SONIC_VS)_DEPENDS += $(SWSS) \ $(LIBYANG_CPP) \ $(LIBYANG_PY3) \ $(SONIC_UTILITIES_DATA) \ - $(SONIC_HOST_SERVICES_DATA) + $(SONIC_HOST_SERVICES_DATA) \ + $(IPROUTE2) # swsssdk is a dependency of sonic-py-common # TODO: sonic-py-common should depend on swsscommon instead diff --git a/platform/vs/docker-syncd-vs.mk b/platform/vs/docker-syncd-vs.mk index 1bfeeda81a..cbd1f97377 100644 --- a/platform/vs/docker-syncd-vs.mk +++ b/platform/vs/docker-syncd-vs.mk @@ -3,7 +3,8 @@ DOCKER_SYNCD_PLATFORM_CODE = vs include $(PLATFORM_PATH)/../template/docker-syncd-base.mk -$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS) +$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS) \ + $(IPROUTE2) $(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_VS_DBG) \ $(LIBSWSSCOMMON_DBG) \ 
diff --git a/platform/vs/docker-syncd-vs/Dockerfile.j2 b/platform/vs/docker-syncd-vs/Dockerfile.j2 index 7fc6391f36..78b01690ec 100644 --- a/platform/vs/docker-syncd-vs/Dockerfile.j2 +++ b/platform/vs/docker-syncd-vs/Dockerfile.j2 @@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update -RUN apt-get install -f -y iproute2 libcap2-bin +RUN apt-get install -f -y libcap2-bin COPY \ {% for deb in docker_syncd_vs_debs.split(' ') -%} @@ -20,7 +20,7 @@ debs/ RUN dpkg -i \ {% for deb in docker_syncd_vs_debs.split(' ') -%} debs/{{ deb }}{{' '}} -{%- endfor %} +{%- endfor %} || apt-get install -f -y COPY ["start.sh", "/usr/bin/"] diff --git a/rules/iproute2.mk b/rules/iproute2.mk index 33d54f4de1..302849eaf4 100644 --- a/rules/iproute2.mk +++ b/rules/iproute2.mk @@ -1,7 +1,11 @@ # iproute2 package -IPROUTE2_VERSION = 4.9.0-1 +IPROUTE2_VERSION = 5.10.0 +IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-4~bpo10+1 -IPROUTE2 = iproute2_$(IPROUTE2_VERSION)_$(CONFIGURED_ARCH).deb +export IPROUTE2_VERSION +export IPROUTE2_VERSION_FULL + +IPROUTE2 = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb $(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2 SONIC_MAKE_DEBS += $(IPROUTE2) diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2 index 34586ae44b..9f59f0c0ed 100644 --- a/sonic-slave-buster/Dockerfile.j2 +++ b/sonic-slave-buster/Dockerfile.j2 @@ -356,6 +356,12 @@ RUN apt-get update && apt-get install -y \ libsystemd-dev \ pkg-config +# For iproute2 +RUN apt-get install -y -t buster-backports \ + libbpf-dev \ + dwz \ + debhelper + RUN apt-get -y build-dep openssh # Build fix for ARMHF buster libsairedis diff --git a/src/iproute2/.gitignore b/src/iproute2/.gitignore index a0991ff440..dfa47d4833 100644 --- a/src/iproute2/.gitignore +++ b/src/iproute2/.gitignore @@ -1,3 +1,4 @@ * !.gitignore !Makefile +!patch/* diff --git a/src/iproute2/Makefile b/src/iproute2/Makefile index 5b354ce8b0..93c680628a 100644 --- a/src/iproute2/Makefile 
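Review bot: The `|| apt-get install -f -y` fallback added after `dpkg -i` in the second hunk of `docker-syncd-vs/Dockerfile.j2` hides every dpkg failure, not only unmet dependencies. `apt-get install -f` may repair the state by removing a package it cannot configure and still exit 0, so the image could build without the locally patched iproute2; the first hunk also stops installing the distribution `iproute2`. I would keep the fallback but add a check after it that fails the build when the package is missing, for example `RUN dpkg -s iproute2 | grep -q 'Status: install ok installed'`. A one-line comment above the `dpkg -i` step saying that the fallback exists only to pull in the new iproute2 runtime dependencies would also help.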
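Review bot: The new `RUN apt-get install -y -t buster-backports ...` step in `sonic-slave-buster/Dockerfile.j2` has no `apt-get update` in the same layer, so when the earlier layer comes from cache it resolves against a stale package index and can fail or pick an outdated backport. It also pulls `debhelper` and `dwz` from buster-backports into the shared build container, which presumably changes the packaging toolchain for every package built there and not just iproute2; that is worth confirming. Suggested form: `RUN apt-get update && apt-get install -y -t buster-backports libbpf-dev dwz debhelper`, with the `# For iproute2` comment extended to say which build dependency needs the backports versions.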
+++ b/src/iproute2/Makefile @@ -2,21 +2,21 @@ SHELL = /bin/bash .ONESHELL: .SHELLFLAGS += -e -IPROUTE2_VERSION = 4.9.0 -IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-1 - MAIN_TARGET = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : # Remove any stale files rm -rf iproute2-$(IPROUTE2_VERSION) - wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0.orig.tar.xz?sv=2015-04-05&sr=b&sig=9nvybd1xkXyRQbaG6Fy6wBazPA8IbZV0AO41GWXPEP8%3D&se=2154-10-23T11%3A59%3A00Z&sp=r" - wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.dsc?sv=2015-04-05&sr=b&sig=m6FcMH9dOh8ggipBgOsONiXvDxoi6bfUO%2BxvidsMNMQ%3D&se=2154-10-23T11%3A59%3A53Z&sp=r" - wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.debian.tar.xz?sv=2015-04-05&sr=b&sig=U5NFuwG5C3vZXlUUNvoPMnKDtMKk66zbweA9rQYbEVY%3D&se=2154-10-23T12%3A00%3A15Z&sp=r" + wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION).orig.tar.xz + wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).dsc + wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz dpkg-source -x iproute2_$(IPROUTE2_VERSION_FULL).dsc pushd iproute2-$(IPROUTE2_VERSION) + + patch -p1 < ../patch/0001-patch-macsec-xpn-support.patch + dpkg-buildpackage -us -uc -b -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR) popd diff --git a/src/iproute2/patch/0001-patch-macsec-xpn-support.patch b/src/iproute2/patch/0001-patch-macsec-xpn-support.patch new file mode 100644 index 0000000000..c55daa3fd4 --- /dev/null +++ b/src/iproute2/patch/0001-patch-macsec-xpn-support.patch 
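Review bot: The three `wget` lines now fetch the `.orig.tar.xz`, `.dsc` and `.debian.tar.xz` over plain `http://`, and nothing visible in this rule authenticates them before `dpkg-source -x` and `dpkg-buildpackage` run. `dpkg-source` checks the tarballs against the checksums in the `.dsc`, but the `.dsc` arrives over the same unauthenticated channel and an unsigned or unverifiable `.dsc` is only a warning by default, so the source that ends up in syncd can be substituted on the network path. Use `https://deb.debian.org/...` for all three URLs, and either pin a SHA-256 of the `.dsc` in the repository or unpack with `dpkg-source --require-valid-signature -x iproute2_$(IPROUTE2_VERSION_FULL).dsc` with the Debian keyring installed in the build container. A pool URL for a backports revision may also stop resolving once the revision is superseded (my assumption about the archive, please check), which is a further reason to mirror the pinned files.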
@@ -0,0 +1,213 @@ +From f1ea3235b5250dfd1193b5033620b030b9789fd9 Mon Sep 17 00:00:00 2001 +From: Ze Gan +Date: Mon, 30 Aug 2021 06:45:28 +0000 +Subject: [PATCH] MACsec XPN support + +Signed-off-by: Ze Gan +--- + ip/ipmacsec.c | 86 ++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 74 insertions(+), 12 deletions(-) + +diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c +index 18289ecd..1df19bf1 100644 +--- a/ip/ipmacsec.c ++++ b/ip/ipmacsec.c +@@ -10,6 +10,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -23,6 +24,8 @@ + #include "ll_map.h" + #include "libgenl.h" + ++#define MACSEC_SALT_LEN 12 ++ + static const char * const values_on_off[] = { "off", "on" }; + + static const char * const validate_str[] = { +@@ -45,11 +48,13 @@ struct sci { + + struct sa_desc { + __u8 an; +- __u32 pn; ++ __u64 pn; + __u8 key_id[MACSEC_KEYID_LEN]; + __u32 key_len; + __u8 key[MACSEC_MAX_KEY_LEN]; + __u8 active; ++ __u32 ssci; ++ __u8 salt[MACSEC_SALT_LEN]; + }; + + struct cipher_args { +@@ -88,7 +93,7 @@ static int genl_family = -1; + static void ipmacsec_usage(void) + { + fprintf(stderr, +- "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n" ++ "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] [ ssci SSCI salt SALT] key ID KEY\n" + " ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n" + " ip macsec del DEV tx sa { 0..3 }\n" + " ip macsec add DEV rx SCI [ on | off ]\n" +@@ -100,10 +105,12 @@ static void ipmacsec_usage(void) + " ip macsec show\n" + " ip macsec show DEV\n" + " ip macsec offload DEV [ off | phy | mac ]\n" +- "where OPTS := [ pn ] [ on | off ]\n" ++ "where OPTS := [ pn ] [ on | off ]\n" + " ID := 128-bit hex string\n" + " KEY := 128-bit or 256-bit hex string\n" +- " SCI := { sci | port { 1..2^16-1 } address }\n"); ++ " SCI := { sci | port { 1..2^16-1 } address }\n" ++ " SSCI := \n" ++ " SALT := 96-bit hex string\n"); + + exit(-1); + } +@@ -198,7 +205,7 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa) + if 
(sa->pn != 0) + duparg2("pn", "pn"); + NEXT_ARG(); +- ret = get_u32(&sa->pn, *argv, 0); ++ ret = get_u64(&sa->pn, *argv, 0); + if (ret) + invarg("expected pn", *argv); + if (sa->pn == 0) +@@ -224,6 +231,22 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa) + duparg2("on/off", "off"); + sa->active = false; + active_set = true; ++ } else if (strcmp(*argv, "ssci") == 0) { ++ if (sa->ssci != 0) ++ duparg2("ssci", "ssci"); ++ NEXT_ARG(); ++ ret = get_u32(&sa->ssci, *argv, 0); ++ if (ret) ++ invarg("expected ssci", *argv); ++ if (sa->ssci == 0) ++ invarg("expected ssci != 0", *argv); ++ } else if (strcmp(*argv, "salt") == 0) { ++ unsigned int len; ++ ++ NEXT_ARG(); ++ if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN, ++ &len)) ++ invarg("expected salt", *argv); + } else { + fprintf(stderr, "macsec: unknown command \"%s\"?\n", + *argv); +@@ -413,9 +436,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex, + addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an); + + if (c != CMD_DEL) { +- if (sa->pn) +- addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, +- sa->pn); ++ if (sa->pn) { ++ if (sa->ssci == 0) { ++ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, ++ sa->pn); ++ } else { ++ addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, ++ sa->pn); ++ } ++ } + + if (sa->key_len) { + addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID, +@@ -428,6 +457,13 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex, + addattr8(&req.n, MACSEC_BUFLEN, + MACSEC_SA_ATTR_ACTIVE, sa->active); + } ++ ++ if (sa->ssci != 0) { ++ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI, ++ sa->ssci); ++ addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT, ++ sa->salt, MACSEC_SALT_LEN); ++ } + } + + addattr_nest_end(&req.n, attr_sa); +@@ -456,6 +492,11 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa) + fprintf(stderr, "cannot change key on SA\n"); + return -1; + } ++ ++ if (sa->ssci) { ++ 
fprintf(stderr, "cannot change SSCI on SA\n"); ++ return -1; ++ } + } + + return 0; +@@ -637,6 +678,8 @@ static void print_key(struct rtattr *key) + + #define CIPHER_NAME_GCM_AES_128 "GCM-AES-128" + #define CIPHER_NAME_GCM_AES_256 "GCM-AES-256" ++#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128" ++#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256" + #define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128 + + static const char *cs_id_to_name(__u64 cid) +@@ -649,6 +692,10 @@ static const char *cs_id_to_name(__u64 cid) + return CIPHER_NAME_GCM_AES_128; + case MACSEC_CIPHER_ID_GCM_AES_256: + return CIPHER_NAME_GCM_AES_256; ++ case MACSEC_CIPHER_ID_GCM_AES_XPN_128: ++ return CIPHER_NAME_GCM_AES_XPN_128; ++ case MACSEC_CIPHER_ID_GCM_AES_XPN_256: ++ return CIPHER_NAME_GCM_AES_XPN_256; + default: + return "(unknown)"; + } +@@ -897,13 +944,22 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa, + print_string(PRINT_FP, NULL, "%s", prefix); + print_uint(PRINT_ANY, "an", "%d:", + rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN])); +- print_uint(PRINT_ANY, "pn", " PN %u,", +- rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN])); ++ if (!sa_attr[MACSEC_SA_ATTR_SSCI]) { ++ print_uint(PRINT_ANY, "pn", " PN %u,", ++ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN])); ++ } else { ++ print_uint(PRINT_ANY, "pn", " PN %" PRIu64 ",", ++ rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN])); ++ } + + print_bool(PRINT_JSON, "active", NULL, state); + print_string(PRINT_FP, NULL, + " state %s,", state ? 
"on" : "off"); + print_key(sa_attr[MACSEC_SA_ATTR_KEYID]); ++ if (sa_attr[MACSEC_SA_ATTR_SSCI]) { ++ print_uint(PRINT_ANY, "ssci", " SSCI %u,", ++ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI])); ++ } + + print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]); + close_json_object(); +@@ -1322,9 +1378,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv, + else if (strcmp(*argv, "gcm-aes-256") == 0 || + strcmp(*argv, "GCM-AES-256") == 0) + cipher.id = MACSEC_CIPHER_ID_GCM_AES_256; ++ else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 || ++ strcmp(*argv, "GCM-AES-XPN-128") == 0) ++ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128; ++ else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 || ++ strcmp(*argv, "GCM-AES-XPN-256") == 0) ++ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256; + else +- invarg("expected: default, gcm-aes-128 or" +- " gcm-aes-256", *argv); ++ invarg("expected: default, gcm-aes-128" ++ " gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256", *argv); + } else if (strcmp(*argv, "icvlen") == 0) { + NEXT_ARG(); + if (cipher.icv_len) +-- +2.17.1 +
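Review bot: In `do_modify_nl`, when `ssci` is 0 the now 64-bit `sa->pn` is passed to `addattr32`, so a `pn` above 2^32-1 is silently truncated (`pn 4294967296` passes the `sa->pn == 0` check in `parse_sa_args` and is then sent as 0); because `ssci` may follow `pn` on the command line, reject it after parsing, e.g. in `check_sa_args`: `if (!sa->ssci && sa->pn > UINT32_MAX) { fprintf(stderr, "pn exceeds 32 bits without ssci\n"); return -1; }`. The `salt` branch ignores the `len` that `hexstring_a2n` returns, so a salt shorter than 96 bits is accepted and the rest of `sa->salt` is sent as whatever the struct already held; compare the length, `if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN, &len) || len != MACSEC_SALT_LEN)`. Giving `ssci` without `salt` likewise sends a salt that was never set, and `salt` without `ssci` is dropped without a message, so the two should be required together. In `print_tx_sc` the XPN value goes through `print_uint` with a `PRIu64` format; if `print_uint` takes `unsigned int` as in upstream `json_print.h`, the argument is narrowed and no longer matches the format, and `print_u64` would be the matching helper. All of these functions begin and end outside the inner hunks, so the surrounding initialisation of `struct sa_desc` is not visible here.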