[iproute2]: Add macsec-xpn-support iproute2 in syncd (#8702)

* Add macsec-xpn-support iproute2 in syncd

Signed-off-by: Ze Gan <ganze718@gmail.com>

* Polish code

Signed-off-by: Ze Gan <ganze718@gmail.com>

* Remove useless files

Signed-off-by: Ze Gan <ganze718@gmail.com>

* Add self-compiled iproute2 to docker sonic vs

Signed-off-by: Ze Gan <ganze718@gmail.com>

* Enhance apt install for iproute2 dependencies

Signed-off-by: Ze Gan <ganze718@gmail.com>
Ze Gan 2021-11-25 21:38:17 +08:00 committed by GitHub
parent 879c18417a
commit ada0e50218
8 changed files with 238 additions and 12 deletions


@ -13,7 +13,8 @@ $(DOCKER_SONIC_VS)_DEPENDS += $(SWSS) \
$(LIBYANG_CPP) \
$(LIBYANG_PY3) \
$(SONIC_UTILITIES_DATA) \
$(SONIC_HOST_SERVICES_DATA)
$(SONIC_HOST_SERVICES_DATA) \
$(IPROUTE2)
# swsssdk is a dependency of sonic-py-common
# TODO: sonic-py-common should depend on swsscommon instead


@ -3,7 +3,8 @@
DOCKER_SYNCD_PLATFORM_CODE = vs
include $(PLATFORM_PATH)/../template/docker-syncd-base.mk
$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS)
$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS) \
$(IPROUTE2)
$(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_VS_DBG) \
$(LIBSWSSCOMMON_DBG) \


@ -9,7 +9,7 @@ ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update
RUN apt-get install -f -y iproute2 libcap2-bin
RUN apt-get install -f -y libcap2-bin
COPY \
{% for deb in docker_syncd_vs_debs.split(' ') -%}
@ -20,7 +20,7 @@ debs/
RUN dpkg -i \
{% for deb in docker_syncd_vs_debs.split(' ') -%}
debs/{{ deb }}{{' '}}
{%- endfor %}
{%- endfor %} || apt-get install -f -y
COPY ["start.sh", "/usr/bin/"]
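Review bot: The `|| apt-get install -f -y` appended to the `dpkg -i` line turns a failed package install into a passing build step: `apt-get -f -y` can resolve a broken state by removing the half-installed package instead of completing it, and because the distro `iproute2` was dropped from the `apt-get install` line in the first hunk, the image can end up without iproute2 (or with one lacking the XPN patch) and still build cleanly. Re-run `dpkg -i` over the same deb list after the fix-up so a real failure still stops the build, or resolve the dependencies first and keep `dpkg -i` unconditional. Ending the layer with an explicit assertion such as `&& dpkg -s iproute2 >/dev/null` would make the expectation visible in the Dockerfile.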


@ -1,7 +1,11 @@
# iproute2 package
IPROUTE2_VERSION = 4.9.0-1
IPROUTE2_VERSION = 5.10.0
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-4~bpo10+1
IPROUTE2 = iproute2_$(IPROUTE2_VERSION)_$(CONFIGURED_ARCH).deb
export IPROUTE2_VERSION
export IPROUTE2_VERSION_FULL
IPROUTE2 = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
$(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2
SONIC_MAKE_DEBS += $(IPROUTE2)


@ -356,6 +356,12 @@ RUN apt-get update && apt-get install -y \
libsystemd-dev \
pkg-config
# For iproute2
RUN apt-get install -y -t buster-backports \
libbpf-dev \
dwz \
debhelper
RUN apt-get -y build-dep openssh
# Build fix for ARMHF buster libsairedis


@ -1,3 +1,4 @@
*
!.gitignore
!Makefile
!patch/*


@ -2,21 +2,21 @@ SHELL = /bin/bash
.ONESHELL:
.SHELLFLAGS += -e
IPROUTE2_VERSION = 4.9.0
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-1
MAIN_TARGET = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb
$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
# Remove any stale files
rm -rf iproute2-$(IPROUTE2_VERSION)
wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0.orig.tar.xz?sv=2015-04-05&sr=b&sig=9nvybd1xkXyRQbaG6Fy6wBazPA8IbZV0AO41GWXPEP8%3D&se=2154-10-23T11%3A59%3A00Z&sp=r"
wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.dsc?sv=2015-04-05&sr=b&sig=m6FcMH9dOh8ggipBgOsONiXvDxoi6bfUO%2BxvidsMNMQ%3D&se=2154-10-23T11%3A59%3A53Z&sp=r"
wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz -N "https://sonicstorage.blob.core.windows.net/packages/iproute2_4.9.0-1.debian.tar.xz?sv=2015-04-05&sr=b&sig=U5NFuwG5C3vZXlUUNvoPMnKDtMKk66zbweA9rQYbEVY%3D&se=2154-10-23T12%3A00%3A15Z&sp=r"
wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION).orig.tar.xz
wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).dsc
wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz
dpkg-source -x iproute2_$(IPROUTE2_VERSION_FULL).dsc
pushd iproute2-$(IPROUTE2_VERSION)
patch -p1 < ../patch/0001-patch-macsec-xpn-support.patch
dpkg-buildpackage -us -uc -b -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
popd
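Review bot: The three new `wget` lines fetch the `.dsc` and both tarballs over plain `http://` from deb.debian.org with no integrity check on the `.dsc` itself; `dpkg-source -x` on the following line verifies the tarball hashes against the `.dsc`, but the `.dsc` is the root of trust and its signature is not checked unless the Debian keyring is available, so a substituted `.dsc` with matching tarballs would pass. Prefer `https://deb.debian.org/...` together with `dpkg-source --require-valid-signature -x iproute2_$(IPROUTE2_VERSION_FULL).dsc` (with the debian-keyring package in the slave image) or a pinned `sha256sum -c` check of the downloaded `.dsc`. The version used in every URL now appears to come from `IPROUTE2_VERSION_FULL` exported by rules/iproute2.mk rather than a definition in this Makefile, so an empty export silently produces nonsense URLs; a guard such as `$(if $(IPROUTE2_VERSION_FULL),,$(error IPROUTE2_VERSION_FULL is not set))` at the top of the recipe would fail fast.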


@ -0,0 +1,213 @@
From f1ea3235b5250dfd1193b5033620b030b9789fd9 Mon Sep 17 00:00:00 2001
From: Ze Gan <ganze718@gmail.com>
Date: Mon, 30 Aug 2021 06:45:28 +0000
Subject: [PATCH] MACsec XPN support
Signed-off-by: Ze Gan <ganze718@gmail.com>
---
ip/ipmacsec.c | 86 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 74 insertions(+), 12 deletions(-)
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 18289ecd..1df19bf1 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -10,6 +10,7 @@
*/
#include <stdio.h>
+#include <inttypes.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
@@ -23,6 +24,8 @@
#include "ll_map.h"
#include "libgenl.h"
+#define MACSEC_SALT_LEN 12
+
static const char * const values_on_off[] = { "off", "on" };
static const char * const validate_str[] = {
@@ -45,11 +48,13 @@ struct sci {
struct sa_desc {
__u8 an;
- __u32 pn;
+ __u64 pn;
__u8 key_id[MACSEC_KEYID_LEN];
__u32 key_len;
__u8 key[MACSEC_MAX_KEY_LEN];
__u8 active;
+ __u32 ssci;
+ __u8 salt[MACSEC_SALT_LEN];
};
struct cipher_args {
@@ -88,7 +93,7 @@ static int genl_family = -1;
static void ipmacsec_usage(void)
{
fprintf(stderr,
- "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n"
+ "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] [ ssci SSCI salt SALT] key ID KEY\n"
" ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n"
" ip macsec del DEV tx sa { 0..3 }\n"
" ip macsec add DEV rx SCI [ on | off ]\n"
@@ -100,10 +105,12 @@ static void ipmacsec_usage(void)
" ip macsec show\n"
" ip macsec show DEV\n"
" ip macsec offload DEV [ off | phy | mac ]\n"
- "where OPTS := [ pn <u32> ] [ on | off ]\n"
+ "where OPTS := [ pn <u64> ] [ on | off ]\n"
" ID := 128-bit hex string\n"
" KEY := 128-bit or 256-bit hex string\n"
- " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n");
+ " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n"
+ " SSCI := <u32>\n"
+ " SALT := 96-bit hex string\n");
exit(-1);
}
@@ -198,7 +205,7 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
if (sa->pn != 0)
duparg2("pn", "pn");
NEXT_ARG();
- ret = get_u32(&sa->pn, *argv, 0);
+ ret = get_u64(&sa->pn, *argv, 0);
if (ret)
invarg("expected pn", *argv);
if (sa->pn == 0)
@@ -224,6 +231,22 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
duparg2("on/off", "off");
sa->active = false;
active_set = true;
+ } else if (strcmp(*argv, "ssci") == 0) {
+ if (sa->ssci != 0)
+ duparg2("ssci", "ssci");
+ NEXT_ARG();
+ ret = get_u32(&sa->ssci, *argv, 0);
+ if (ret)
+ invarg("expected ssci", *argv);
+ if (sa->ssci == 0)
+ invarg("expected ssci != 0", *argv);
+ } else if (strcmp(*argv, "salt") == 0) {
+ unsigned int len;
+
+ NEXT_ARG();
+ if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN,
+ &len))
+ invarg("expected salt", *argv);
} else {
fprintf(stderr, "macsec: unknown command \"%s\"?\n",
*argv);
@@ -413,9 +436,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an);
if (c != CMD_DEL) {
- if (sa->pn)
- addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
- sa->pn);
+ if (sa->pn) {
+ if (sa->ssci == 0) {
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
+ sa->pn);
+ } else {
+ addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
+ sa->pn);
+ }
+ }
if (sa->key_len) {
addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID,
@@ -428,6 +457,13 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
addattr8(&req.n, MACSEC_BUFLEN,
MACSEC_SA_ATTR_ACTIVE, sa->active);
}
+
+ if (sa->ssci != 0) {
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
+ sa->ssci);
+ addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
+ sa->salt, MACSEC_SALT_LEN);
+ }
}
addattr_nest_end(&req.n, attr_sa);
@@ -456,6 +492,11 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa)
fprintf(stderr, "cannot change key on SA\n");
return -1;
}
+
+ if (sa->ssci) {
+ fprintf(stderr, "cannot change SSCI on SA\n");
+ return -1;
+ }
}
return 0;
@@ -637,6 +678,8 @@ static void print_key(struct rtattr *key)
#define CIPHER_NAME_GCM_AES_128 "GCM-AES-128"
#define CIPHER_NAME_GCM_AES_256 "GCM-AES-256"
+#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128"
+#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256"
#define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128
static const char *cs_id_to_name(__u64 cid)
@@ -649,6 +692,10 @@ static const char *cs_id_to_name(__u64 cid)
return CIPHER_NAME_GCM_AES_128;
case MACSEC_CIPHER_ID_GCM_AES_256:
return CIPHER_NAME_GCM_AES_256;
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
+ return CIPHER_NAME_GCM_AES_XPN_128;
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
+ return CIPHER_NAME_GCM_AES_XPN_256;
default:
return "(unknown)";
}
@@ -897,13 +944,22 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
print_string(PRINT_FP, NULL, "%s", prefix);
print_uint(PRINT_ANY, "an", "%d:",
rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
- print_uint(PRINT_ANY, "pn", " PN %u,",
- rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
+ if (!sa_attr[MACSEC_SA_ATTR_SSCI]) {
+ print_uint(PRINT_ANY, "pn", " PN %u,",
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
+ } else {
+ print_uint(PRINT_ANY, "pn", " PN %" PRIu64 ",",
+ rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
+ }
print_bool(PRINT_JSON, "active", NULL, state);
print_string(PRINT_FP, NULL,
" state %s,", state ? "on" : "off");
print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
+ if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
+ print_uint(PRINT_ANY, "ssci", " SSCI %u,",
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI]));
+ }
print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
close_json_object();
@@ -1322,9 +1378,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
else if (strcmp(*argv, "gcm-aes-256") == 0 ||
strcmp(*argv, "GCM-AES-256") == 0)
cipher.id = MACSEC_CIPHER_ID_GCM_AES_256;
+ else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 ||
+ strcmp(*argv, "GCM-AES-XPN-128") == 0)
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128;
+ else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 ||
+ strcmp(*argv, "GCM-AES-XPN-256") == 0)
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256;
else
- invarg("expected: default, gcm-aes-128 or"
- " gcm-aes-256", *argv);
+ invarg("expected: default, gcm-aes-128"
+ " gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256", *argv);
} else if (strcmp(*argv, "icvlen") == 0) {
NEXT_ARG();
if (cipher.icv_len)
--
2.17.1
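Review bot: In the new `salt` branch of parse_sa_args (hunk `@@ -224,6 +231,22 @@`), the length returned by `hexstring_a2n` is never compared with `MACSEC_SALT_LEN` and nothing records that a salt was supplied, so a short hex string is silently zero-padded from the zero-initialised struct and `ssci` given without `salt` makes do_modify_nl send an all-zero `MACSEC_SA_ATTR_SALT`; since the salt is nonce material for the XPN cipher this should be rejected, e.g. `if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN, &len) || len != MACSEC_SALT_LEN) invarg("expected 96-bit salt", *argv);` plus a `salt_set` flag that check_sa_args compares against `sa->ssci != 0` (a `duparg2("salt", "salt")` on repetition would also match the other options). Two smaller points in the same patch: with `pn` widened to `__u64`, the `sa->ssci == 0` branch of do_modify_nl passes it to `addattr32` without a range check, so a value above 32 bits is truncated rather than refused (`if (sa->pn > UINT32_MAX) invarg("pn too large without ssci", *argv);` in the parser, UINT32_MAX being available via the added `<inttypes.h>`), and in print_tx_sc the result of `rta_getattr_u64()` is passed to `print_uint`, whose value parameter is `unsigned int`, while the format is `PRIu64` — a mismatched argument type that mis-prints large PNs; `print_u64` is the matching helper. parse_sa_args, do_modify_nl, check_sa_args and print_tx_sc all begin and end outside their hunks.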