Hardware accelerated crypto engine for MACsec encryption/ decryption per device or per LAG member port at line rate.

device/macsec/dataplane/cryptoengine.yaml

@@ -7,16 +7,21 @@ components:
       properties:
         choice:
           description: >-
-            Engine type based on encryption and/ or decryption capability. Supported types: encrypt_only - engine can only encrypt transmitted packets but it cannot decrypt packets upon arrival. As the packets cannot be decrypted on arrival, such packets cannot be delivered to the receiving device. Hence only stateless traffic can be sent.
+            Engine type based on encryption and/ or decryption capability. Supported types: 1) encrypt_only - engine can only encrypt transmitted packets but it cannot decrypt packets upon arrival. As the packets cannot be decrypted on arrival, such packets cannot be delivered to the receiving device. Hence only stateless traffic can be sent. 2) encrypt_decrypt - engine can both encrypt transmitted packets and decrypt packets on arrival. Such engine can have hardware acceleration for faster encryption/ decryption. As both encryption and decryption are possible, stateful (e.g. TCP) traffic can be sent/ received.
           type: string
           default: encrypt_only
           x-field-uid: 1
           x-enum:
             encrypt_only:
               x-field-uid: 1
+            encrypt_decrypt:
+              x-field-uid: 2
         encrypt_only:
           $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptOnly'
           x-field-uid: 2
+        encrypt_decrypt:
+          $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptDecrypt'
+          x-field-uid: 3
     SecureEntity.CryptoEngine.EncryptOnly:
       description: >-
         The container for encrypt only engine configuration.
@@ -30,6 +35,17 @@ components:
         traffic_options:
           $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptOnly.TrafficOptions'
           x-field-uid: 2
+    SecureEntity.CryptoEngine.EncryptDecrypt:
+      description: >-
+        The container for encrypt and decrypt engine configuration.
+      type: object
+      properties:
+        tx_pn:
+          $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptDecrypt.TxPn'
+          x-field-uid: 1
+        hardware_acceleration:
+          $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptDecrypt.HardwareAcceleration'
+          x-field-uid: 2
     SecureEntity.CryptoEngine.EncryptOnly.TxSc:
       description: >-
         The container for Tx secure channel configuration.
@@ -82,7 +98,7 @@ components:
           minLength: 1
           maxLength: 16
           minimum: 1
-          default: "0x06"
+          default: "06"
           x-field-uid: 2
     SecureEntity.CryptoEngine.EncryptOnly.IncrementingPn:
       description: >-
@@ -114,7 +130,7 @@ components:
           minLength: 1
           maxLength: 16
           minimum: 1
-          default: "0x010000"
+          default: "01"
           x-field-uid: 3
     SecureEntity.CryptoEngine.EncryptOnly.TrafficOptions:
       description: >-
@@ -127,3 +143,42 @@ components:
           type: boolean
           default: true 
           x-field-uid: 1
+    SecureEntity.CryptoEngine.EncryptDecrypt.TxPn:
+      description: >-
+        Tx packet number(PN) configuration.
+      type: object
+      properties:
+        starting_pn:
+          description: >-
+            The starting packet number(PN).
+          type: integer
+          format: uint32
+          minimum: 1
+          default: 1
+          x-field-uid: 1
+        starting_xpn:
+          description: >-
+            The starting extended packet number(XPN).
+          type: string
+          format: hex
+          minLength: 1
+          maxLength: 16
+          minimum: 1
+          default: "01"
+          x-field-uid: 2
+    SecureEntity.CryptoEngine.EncryptDecrypt.HardwareAcceleration:
+      description: >-
+        Hardware acceleration configuration for offloading MACsec processing to hardware.
+      type: object
+      properties:
+        choice:
+          description: >-
+            Hardware acceleration types. Per port global parameters for chosen hardware acceleration mode applicable for all MACsec sessions from the test port are available at options.per_port_options.protocols.macsec.hardware_acceleration.
+          type: string
+          default: none
+          x-field-uid: 1
+          x-enum:
+            none:
+              x-field-uid: 1
+            inline_crypto:
+              x-field-uid: 2

device/macsec/dataplane/dataplane.yaml

@@ -19,7 +19,7 @@ components:
         encapsulation:
           description: >-
             A container of encapsulation properties for a secure entity(SecY).
-          $ref: './tx.yaml#/components/schemas/SecureEntity.DataPlane.Encapsulation'
+          $ref: '#/components/schemas/SecureEntity.DataPlane.Encapsulation'
           x-field-uid: 2
 
     SecureEntity.DataPlane.Encapsulation:
@@ -43,3 +43,8 @@ components:
             Crypto engine properties of SecY.
           $ref: './cryptoengine.yaml#/components/schemas/SecureEntity.CryptoEngine'
           x-field-uid: 3
+        vlan_options:
+          description: >-
+            VLAN options of SecY.
+          $ref: './vlanoptions.yaml#/components/schemas/SecureEntity.VlanOptions'
+          x-field-uid: 4

device/macsec/dataplane/rx.yaml

@@ -7,13 +7,13 @@ components:
       properties:
         replay_protection:
           description: |-
-            Enable replay protection on not. 
+            Enable replay protection or not.
           type: boolean
           default: false
           x-field-uid: 1
         replay_window:
           description: |-
-            Replay window size. 
+            Replay window size.
           type: integer
           format: uint32
           minimum: 1

device/macsec/dataplane/tx.yaml

@@ -7,13 +7,13 @@ components:
       properties:
         end_station:
           description: |-
-            End station on not.
+            End station or not.
           type: boolean
           default: false
           x-field-uid: 1
         include_sci:
           description: |-
-            Include SCI on not.
+            Include SCI or not.
           type: boolean
-          default: false
+          default: true
           x-field-uid: 2

device/macsec/dataplane/vlanoptions.yaml

@@ -0,0 +1,13 @@
+components:
+  schemas:
+    SecureEntity.VlanOptions:
+      description: >-
+        A container for VLAN options of SecY.
+      type: object
+      properties:
+        encrypt_interface_vlans:
+          description: >-
+            Send interface VLANS as encrypted or not. If it is false, VLANs go in cleartext. If hardware_accelerated.inline_crypto mode is chosen, option related to offset must be changed from default 12 (to 16 for example for single cleartext VLAN) at appropriate place to handle cleartext VLAN in receive direction.
+          type: boolean
+          default: true
+          x-field-uid: 1

device/macsec/mka/basic.yaml

@@ -71,6 +71,8 @@ components:
             MKA Version.
           type: integer
           format: uint32
+          minimum: 1
+          maximum: 255
           default: 3
           x-field-uid: 8
         mka_hello_time:
@@ -101,7 +103,7 @@ components:
           description: |-
             Delay Protect or not. When delay protect is enabled, it guards against delaying the delivery of MACsec encrypted frames by an attacker to the recipient.
           type: boolean
-          default: true
+          default: false
           x-field-uid: 12
         rekey_mode:
           description: >-
@@ -149,15 +151,13 @@ components:
       properties:
         choice:
           description: |-
-              Key source. Choose one from PSK or MSK.
+              Key source. Current choice is PSK only.
           type: string
           default: psk
           x-field-uid: 1
           x-enum:
             psk:
               x-field-uid: 1
-            msk:
-              x-field-uid: 2
         psks:
           description: |-
             PSK chain.
@@ -182,12 +182,12 @@ components:
           x-field-uid: 1
         cak_name:
           description: |-
-              Connectivity association key(CAK) name.
+              Connectivity association key(CAK) name. The value should be in sync with CAK name in DUT.
           type: string
           format: hex
           minLength: 1
           maxLength: 64
-          default: "F123456789ABCDEF0123456789ABCDEFF123456789ABCDEF0123456789ABCDEF"
+          default: "ABCD"
           x-field-uid: 2
         start_offset_time:
           description: |-
@@ -246,7 +246,7 @@ components:
 
     Mka.Basic.PskChainStartTime:
       description: >-
-        Pre-shared key(PSK) chain start time in UTC time format DD-MM-YYYY HH:MM:SS. If this time is set, the key start time will be relative to this value. Otherwise if this value is not set, key start time will be relative to test start time.
+        Pre-shared key(PSK) chain start time in UTC time format DD-MM-YYYY HH:MM:SS. For any key in chain, key start offset time and end offset time will be relative to this chain start time. There can be two cases depending on number of keys in key chain. 1) Single key in key chain - Test port and DUT need not be time synced for single key if key chain start time is set to some past time. As default key chain start time is Unix epoch time, default value suffices for single key in chain. 2) More than one key - Test program should set key chain start time to some future time e.g. few minutes ahead of current time in both test config and DUT config. This requires both test port and DUT to be time synced.
       type: object
       properties:
         choice:
@@ -276,6 +276,7 @@ components:
           format: uint32
           minimum: 1
           maximum: 31
+          default: 1
           x-field-uid: 1
         month:
           description: |-
@@ -284,6 +285,7 @@ components:
           format: uint32
           minimum: 1
           maximum: 12
+          default: 1
           x-field-uid: 2
         year:
           description: |-
@@ -292,6 +294,7 @@ components:
           format: uint32
           minimum: 0
           maximum: 9999
+          default: 1970
           x-field-uid: 3
         hour:
           description: |-
@@ -300,6 +303,7 @@ components:
           format: uint32
           minimum: 0
           maximum: 23
+          default: 0
           x-field-uid: 4
         minute:
           description: |-
@@ -308,6 +312,7 @@ components:
           format: uint32
           minimum: 0
           maximum: 59
+          default: 0
           x-field-uid: 5
         second:
           description: |-
@@ -316,6 +321,7 @@ components:
           format: uint32
           minimum: 0
           maximum: 59
+          default: 0
           x-field-uid: 6
 
     Mka.Basic.RekeyMode:

device/macsec/mka/keyserver.yaml

@@ -40,7 +40,6 @@ components:
           type: integer
           format: uint32
           minimum: 1
-          maximum: 65535
           default: 1
           x-field-uid: 3
         starting_distributed_an:

flow/packet-headers/macsec.yaml

@@ -5,7 +5,7 @@ components:
       type: object
       properties:
         choice:
-          description: Currently only auto choice is allowed. If choice is auto, MACsec header is autogenerated. If auto choice is selected, MACsec protocol must be configured in device; flow.tx_rx.choice must be of type 'device' and flow.tx_rx.device.tx_names[0] must be chosen to be an endpoint that is on or behind a MACSec enabled ethernet to be able to correctly auto-fill the fields of the MACsec header. If one of the conditions is not true, the implementation should return an error specifying the issue. A custom choice can be added in future to allow user to set specific MACsec header fields and/ or to generate flow.tx_rx.port type of traffic with MACSec header fields explicitly specified by the user.
+          description: Currently only auto choice is allowed. If choice is auto, MACsec header is autogenerated. If auto choice is selected, MACsec protocol must be configured in either device or LAG members (ports); flow.tx_rx.choice must be of type 'device' and flow.tx_rx.device.tx_names[0] must be chosen to be an endpoint that is on or behind a MACSec enabled ethernet to be able to correctly auto-fill the fields of the MACsec header. If one of the conditions is not true, the implementation should return an error specifying the issue. A custom choice can be added in future to allow user to set specific MACsec header fields and/ or to generate flow.tx_rx.port type of traffic with MACSec header fields explicitly specified by the user.
           type: string
           default: auto
           x-field-uid: 1

lag/lag.yaml

@@ -53,6 +53,9 @@ components:
         ethernet:
           $ref: '../device/ethernet.yaml#/components/schemas/Device.EthernetBase'
           x-field-uid: 3
+        macsec:
+          $ref: './macsec/macsec.yaml#/components/schemas/Lag.Port.Macsec'
+          x-field-uid: 4
     Lag.Protocol:
       type: object
       properties:

lag/macsec/dataplane/cryptoengine.yaml

@@ -0,0 +1,69 @@
+components:
+  schemas:
+    Lag.Port.Macsec.SecureEntity.CryptoEngine:
+      description: >-
+        A container of crypto engine properties of a SecY.
+      type: object
+      properties:
+        choice:
+          description: >-
+            Engine type based on encryption and/ or decryption capability. Supported type: encrypt_decrypt - engine can both encrypt transmitted packets and decrypt packets on arrival. Such engine can have hardware acceleration for faster encryption/ decryption. As both encryption and decryption are possible, stateful (e.g. TCP) traffic can be sent/ received.
+          type: string
+          default: encrypt_decrypt
+          x-field-uid: 1
+          x-enum:
+            encrypt_decrypt:
+              x-field-uid: 1
+        encrypt_decrypt:
+          $ref: '#/components/schemas/Lag.Port.Macsec.SecureEntity.CryptoEngine.EncryptDecrypt'
+          x-field-uid: 2
+    Lag.Port.Macsec.SecureEntity.CryptoEngine.EncryptDecrypt:
+      description: >-
+        The container for configuration of crypto engine of encrypt and decrypt type.
+      type: object
+      properties:
+        tx_pn:
+          $ref: '#/components/schemas/Lag.Port.Macsec.SecureEntity.CryptoEngine.EncryptDecrypt.TxPn'
+          x-field-uid: 1
+        hardware_acceleration:
+          $ref: '#/components/schemas/Lag.Port.Macsec.SecureEntity.CryptoEngine.EncryptDecrypt.HardwareAcceleration'
+          x-field-uid: 2
+    Lag.Port.Macsec.SecureEntity.CryptoEngine.EncryptDecrypt.TxPn:
+      description: >-
+        Tx packet number(PN) configuration.
+      type: object
+      properties:
+        starting_pn:
+          description: >-
+            The starting packet number(PN).
+          type: integer
+          format: uint32
+          minimum: 1
+          default: 1
+          x-field-uid: 1
+        starting_xpn:
+          description: >-
+            The starting extended packet number(XPN).
+          type: string
+          format: hex
+          minLength: 1
+          maxLength: 16
+          minimum: 1
+          default: "01"
+          x-field-uid: 2
+    Lag.Port.Macsec.SecureEntity.CryptoEngine.EncryptDecrypt.HardwareAcceleration:
+      description: >-
+        Hardware acceleration configuration for offloading MACsec processing to hardware.
+      type: object
+      properties:
+        choice:
+          description: >-
+            Hardware acceleration types.
+          type: string
+          default: none
+          x-field-uid: 1
+          x-enum:
+            none:
+              x-field-uid: 1
+            inline_crypto:
+              x-field-uid: 2