MACsec Overview
The IEEE 802.1AE MACsec standard and its amendments provide the infrastructure for secure L2 network communication -- offering authentication and, optionally, confidentiality of the data communicated between two peers on the network.
The NVIDIA MACsec (NvMACsec) implementation for Orin has two major entities: the KaY entity (IEEE 802.1X standard) and the SecY entity (IEEE 802.1AE standard). In NvMACsec, the KaY entity is implemented in the nv_macsec_wpa_supplicant application and the SecY entity is part of the NvMACsec hardware. The NvMACsec nv_macsec_wpa_supplicant tool is based on open source wpa_supplicant version 2.10 and supports the following:
- Authentication only, no confidentiality
- Either GCM-AES-128 or GCM-AES-256 at a time
- 32-bit packet number; Extended Packet Number (64-bit PN) is not supported
- The entire MACsec traffic path is hardware accelerated. Software programs the keys, and hardware handles the MACsec SecY entity roles.
- NvMACsec supports 802.1X with pre-shared keys only
- NvMACsec hardware supports a maximum of 8 secure channels (SCs) with 4 ANs in each secure channel, or a maximum of 16 secure channels with 2 ANs in each secure channel.
NvMACsec is enabled by default through the Ethernet DT variable nvidia,macsec-enable = <0x1>. When enabled, the Ethernet MTU size is reduced by 34 bytes to accommodate the MACsec-related headers.
When MACsec is used over VLAN, the position of the VLAN header with respect to the SECTAG is based on the DT parameter nvidia,macsec_vlan_in_clear=<0x1>. When this parameter is set to 1, the VLAN header is placed before the SECTAG; when it is set to 0, the VLAN header is placed after the SECTAG.
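The two layouts selected by nvidia,macsec_vlan_in_clear can be checked on the wire. The following is an added example, not NVIDIA code: a small 802.1AE SecTAG parser that locates the VLAN tag either before the SECTAG (in the clear) or after it (inside the integrity-protected data, which is still readable because Orin does not encrypt). The two sample frames, their addresses, VID, PN and SCI are constructed by hand, and the ICV bytes are placeholders that are not verified.

```c
/* Added example (not NVIDIA code): parse the 802.1AE SecTAG of a frame and
 * report where the 802.1Q VLAN tag sits relative to it, which is exactly what
 * nvidia,macsec_vlan_in_clear selects. The two sample frames are constructed
 * by hand; the ICV bytes are dummies and are not verified here. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHERTYPE_VLAN   0x8100u
#define ETHERTYPE_MACSEC 0x88E5u
#define MACSEC_ICV_LEN   16u        /* GCM-AES-128 and -256 both use a 16-byte ICV */

enum vlan_pos { VLAN_NONE = 0, VLAN_IN_CLEAR = 1, VLAN_PROTECTED = 2 };

struct parsed_frame {
    enum vlan_pos vlan_pos;   /* before the SecTAG (in clear) or after it (protected) */
    uint16_t vlan_tci;        /* PCP/DEI/VID when a VLAN tag was found */
    uint8_t  an;              /* association number, TCI bits 1:0 */
    int      sc_present;      /* SC bit: an explicit 8-byte SCI follows the PN */
    int      encrypted;       /* E bit; 0 on Orin, which is integrity-only */
    uint8_t  sl;              /* short length field */
    uint32_t pn;              /* 32-bit packet number (no XPN on Orin) */
    uint64_t sci;
    size_t   secure_data_off; /* offset of the integrity-protected payload */
    size_t   secure_data_len; /* payload length, excluding the trailing ICV */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 0 on success; -1 truncated, -2 not MACsec, -3 unsupported SecTAG version. */
int parse_macsec_frame(const uint8_t *f, size_t len, struct parsed_frame *out)
{
    struct parsed_frame r = {0};
    size_t off = 12;                              /* DA + SA */
    if (len < off + 2) return -1;
    uint16_t et = rd16(f + off);

    /* macsec_vlan_in_clear=1: VLAN tag precedes the SecTAG and is unprotected */
    if (et == ETHERTYPE_VLAN) {
        if (len < off + 6) return -1;
        r.vlan_pos = VLAN_IN_CLEAR;
        r.vlan_tci = rd16(f + off + 2);
        off += 4;
        et = rd16(f + off);
    }
    if (et != ETHERTYPE_MACSEC) return -2;
    off += 2;

    if (len < off + 6) return -1;                 /* TCI/AN, SL, PN */
    uint8_t tci = f[off];
    if (tci & 0x80) return -3;                    /* V bit must be 0 */
    r.sc_present = (tci & 0x20) != 0;
    r.encrypted  = (tci & 0x08) != 0;
    r.an         = tci & 0x03;
    r.sl         = f[off + 1] & 0x3F;
    r.pn         = rd32(f + off + 2);
    off += 6;
    if (r.sc_present) {
        if (len < off + 8) return -1;
        r.sci = ((uint64_t)rd32(f + off) << 32) | rd32(f + off + 4);
        off += 8;
    }
    if (len < off + MACSEC_ICV_LEN) return -1;    /* must leave room for the ICV */
    r.secure_data_off = off;
    r.secure_data_len = len - off - MACSEC_ICV_LEN;

    /* macsec_vlan_in_clear=0: VLAN tag follows the SecTAG. Because Orin runs
     * integrity-only MACsec the payload is readable, so the tag is still visible. */
    if (r.vlan_pos == VLAN_NONE && !r.encrypted && r.secure_data_len >= 4 &&
        rd16(f + off) == ETHERTYPE_VLAN) {
        r.vlan_pos = VLAN_PROTECTED;
        r.vlan_tci = rd16(f + off + 2);
    }
    *out = r;
    return 0;
}

/* Constructed sample frames: VID 100, AN 1, PN 42, explicit SCI, dummy ICV. */
static const uint8_t frame_vlan_in_clear[] = {
    0x00,0xAA,0xBB,0xCC,0xDD,0xEE, 0x00,0x11,0x22,0x33,0x44,0x55, /* DA, SA */
    0x81,0x00, 0x00,0x64,                                         /* 802.1Q, VID 100 */
    0x88,0xE5, 0x21, 0x00, 0x00,0x00,0x00,0x2A,                   /* SecTAG: TCI/AN=SC|AN1, SL, PN */
    0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x01,                      /* SCI = SA || port 1 */
    0x08,0x00, 0xDE,0xAD,0xBE,0xEF,                               /* protected payload */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0                              /* 16-byte ICV (dummy) */
};
static const uint8_t frame_vlan_protected[] = {
    0x00,0xAA,0xBB,0xCC,0xDD,0xEE, 0x00,0x11,0x22,0x33,0x44,0x55,
    0x88,0xE5, 0x21, 0x00, 0x00,0x00,0x00,0x2A,
    0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x01,
    0x81,0x00, 0x00,0x64, 0x08,0x00, 0xDE,0xAD,0xBE,0xEF,          /* VLAN tag inside protected data */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
};

int parse_sample(int vlan_in_clear, struct parsed_frame *out)
{
    return vlan_in_clear
        ? parse_macsec_frame(frame_vlan_in_clear, sizeof frame_vlan_in_clear, out)
        : parse_macsec_frame(frame_vlan_protected, sizeof frame_vlan_protected, out);
}

int main(void)
{
    static const char *pos[] = { "none", "in clear (before SecTAG)", "protected (after SecTAG)" };
    for (int v = 1; v >= 0; v--) {
        struct parsed_frame p;
        if (parse_sample(v, &p) != 0) return 1;
        printf("macsec_vlan_in_clear=%d: VLAN %s, VID %u, AN %u, PN %u, payload %zu bytes at %zu\n",
               v, pos[p.vlan_pos], (unsigned)(p.vlan_tci & 0x0FFF), (unsigned)p.an,
               (unsigned)p.pn, p.secure_data_len, p.secure_data_off);
    }
    return 0;
}
```

The practical point the parser makes visible: with macsec_vlan_in_clear=1 the VLAN tag lies outside the SECTAG and is therefore not covered by the ICV, so VLAN membership of a frame can be altered in transit without failing MACsec validation; with macsec_vlan_in_clear=0 the tag is inside the protected data and any change to it is caught as an ICV error.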
NvMACsec can be used on Orin by launching a supplicant process in the background using the following command with root privileges. The NvMACsec supplicant process should not be killed abruptly; it can be gracefully terminated with the SIGINT (Ctrl+C) signal. In QNX, the following command can be prefixed with SOCK=<sock_variable> to run the supplicant application on a specific interface. The same applies when running the supplicant on Guest OS0 or Guest OS1.
    nv_macsec_wpa_supplicant -i <interface_name> -D nv_macsec -c nv_wpa_supplicant_macsec.conf &
Example QNX launcher entry that starts the supplicant on the eqos_1 interface with SOCK set:
    eqos_1_09: eqos_1_09 {
        cmd = "iolauncher -U 3333:3333,3660,3500,3350,3775,3640,2280,3000,2281,2282,2283,3780,3790,6025,6026,40002,40006,40007,45011,45037,45057,45066,45071,45040,40037,45112 --secpol-type supplicant_launch_t --set-var SOCK=/eqos_1 nv_macsec_wpa_supplicant -i eqos_1 -D nv_macsec -c /etc/nv_wpa_supplicant_macsec_template.conf";
        sc7 = "restart";
        critical_process = "no";
        heartbeat = "no";
        oneshot = "no";
    };
Sample contents of nv_wpa_supplicant_macsec.conf:
    eapol_version=3
    ap_scan=0
    network={
        key_mgmt=NONE
        eapol_flags=0
        mka_priority=16
        macsec_policy=1
        macsec_integ_only=1
        macsec_cak_len=16
        mka_cak_pkcs_id=MACSEC_CAK_eqos_0
        mka_ckn=112233445566778899AABBCCDDEEFF112233445566778899AABBCCDDEEFF1122
    }
key_mgmt: Don't change the default value.
eapol_flags: Don't change the default value.
mka_priority: The MKA key server priority. The lower the value, the higher the key server priority.
macsec_policy: Flag to enable or disable MACsec. Set it to 1 for MACsec to be enabled.
macsec_integ_only: Flag to select integrity check only rather than encryption plus integrity. Orin doesn't support encryption, so set it to 1 for NvMACsec.
macsec_cak_len: Length in bytes of the CAK programmed in secure storage.
mka_cak_pkcs_id: PKCS ID used while programming the CAK into secure storage. NvMACsec retrieves the CAK handle for the securely stored CAK using PKCS#11 APIs. For details on programming the CAK into secure storage, refer to "Provisioning PKCS#11 Key Objects" in the NVIDIA DRIVE OS QNX PDK Developer Guide.
mka_ckn: Any 32-byte network name used while forming the secure channel.
macsec_cs_index: If the DUT is the key server, this parameter selects the cipher suite. Set it to 0 to select GCM_AES_128 and to 1 to select GCM_AES_256.
The following DEVCTLs are available, with msg.i.dcmd = SIOCGDRVSPEC:
1. ifd.ifd_cmd = NV_MACSEC_DBG_CMD_READ_IRQ_STATS (macro in nv_macsec.h) for error statistics of MACsec. The returned structure contains:
/** Tx debug buffer capture done */
nveu64_t tx_dbg_capture_done;
/** Tx MTU check failed */
nveu64_t tx_mtu_check_fail;
/** Tx MAC CRC err */
nveu64_t tx_mac_crc_error;
/** Tx SC AN not valid */
nveu64_t tx_sc_an_not_valid;
/** Tx AES GCM buffer overflow */
nveu64_t tx_aes_gcm_buf_ovf;
/** Tx LUT lookup miss */
nveu64_t tx_lkup_miss;
/** Tx uninitialized key slot */
nveu64_t tx_uninit_key_slot;
/** Tx PN threshold reached */
nveu64_t tx_pn_threshold;
/** Tx PN exhausted */
nveu64_t tx_pn_exhausted;
/** Rx debug buffer capture done */
nveu64_t rx_dbg_capture_done;
/** Rx ICV error threshold */
nveu64_t rx_icv_err_threshold;
/** Rx replay error */
nveu64_t rx_replay_error;
/** Rx MTU check failed */
nveu64_t rx_mtu_check_fail;
/** Rx MAC CRC err */
nveu64_t rx_mac_crc_error;
/** Rx AES GCM buffer overflow */
nveu64_t rx_aes_gcm_buf_ovf;
/** Rx LUT lookup miss */
nveu64_t rx_lkup_miss;
/** Rx uninitialized key slot */
nveu64_t rx_uninit_key_slot;
/** Rx PN exhausted */
nveu64_t rx_pn_exhausted;
/** Secure reg violation */
nveu64_t secure_reg_viol;
2. ifd.ifd_cmd = NV_MACSEC_DBG_CMD_READ_MMC_CNTRS (macro in nv_macsec.h) for functional statistics of MACsec. The NvMACsec MMC counters are:
/** This counter provides the number of controller port MACsec
 * untagged packets */
nveul64_t rx_pkts_no_tag;
/** This counter provides the number of controller port MACsec
 * untagged packets when validateFrame != strict */
nveul64_t rx_pkts_untagged;
/** This counter provides the number of packets with an invalid tag or ICV */
nveul64_t rx_pkts_bad_tag;
/** This counter provides the number of packets with no SC lookup hit or SC match */
nveul64_t rx_pkts_no_sa_err;
/** This counter provides the number of packets with no SC lookup hit or SC match
 * when validateFrame != strict */
nveul64_t rx_pkts_no_sa;
/** This counter provides the number of late packets
 * (received PN < lowest PN), per SA */
nveul64_t rx_pkts_late[16];
/** This counter provides the number of overrun packets */
nveul64_t rx_pkts_overrun;
/** This counter provides the number of octets that passed ICV validation */
nveul64_t rx_octets_validated;
/** This counter provides the number of not-valid packets, per SA */
nveul64_t rx_pkts_not_valid[16];
/** This counter provides the number of invalid packets, per SA */
nveul64_t in_pkts_invalid[16];
/** This counter provides the number of delayed in packets, per SA */
nveul64_t rx_pkts_delayed[16];
/** This counter provides the number of unchecked in packets, per SA */
nveul64_t rx_pkts_unchecked[16];
/** This counter provides the number of in packets OK, per SA */
nveul64_t rx_pkts_ok[16];
/** This counter provides the number of untagged out packets */
nveul64_t tx_pkts_untaged;
/** This counter provides the number of out packets that were too long */
nveul64_t tx_pkts_too_long;
/** This counter provides the number of protected out packets, per SA */
nveul64_t tx_pkts_protected[16];
/** This counter provides the number of protected out octets */
nveul64_t tx_octets_protected;
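Both DEVCTLs above are more useful as a rate of change than as absolute values: a rising replay count, ICV failure count or PN threshold between two polls is what an operator wants to be told about. The following is an added example, not NVIDIA code, that compares two counter snapshots and raises alerts. The two structs are hand-written subsets of the IRQ statistics and MMC counter fields listed on this page, and the field names are assumed to match nv_macsec.h; the QNX DEVCTL call that fills them (msg.i.dcmd = SIOCGDRVSPEC with ifd.ifd_cmd = NV_MACSEC_DBG_CMD_READ_IRQ_STATS or NV_MACSEC_DBG_CMD_READ_MMC_CNTRS) is not shown, and the snapshots are constructed by hand.

```c
/* Added example (not NVIDIA code): turn two snapshots of the NvMACsec counters
 * into alerts. The structs below are hand-written subsets of the fields listed
 * on this page; the real definitions live in nv_macsec.h and are read with
 * msg.i.dcmd = SIOCGDRVSPEC and ifd.ifd_cmd = NV_MACSEC_DBG_CMD_READ_IRQ_STATS
 * or NV_MACSEC_DBG_CMD_READ_MMC_CNTRS. That DEVCTL call is platform-specific and
 * is not shown; the snapshots here are constructed by hand. */
#include <stdint.h>
#include <stdio.h>

#define NV_MACSEC_MAX_SA 16   /* matches the [16] per-SA counter arrays above */

struct irq_stats {            /* subset of the IRQ statistics fields */
    uint64_t tx_pn_threshold, tx_pn_exhausted, tx_lkup_miss, tx_uninit_key_slot;
    uint64_t rx_icv_err_threshold, rx_replay_error, rx_pn_exhausted;
    uint64_t rx_lkup_miss, rx_uninit_key_slot, secure_reg_viol;
};
struct mmc_cntrs {            /* subset of the MMC counter fields */
    uint64_t rx_pkts_bad_tag, rx_pkts_no_sa_err;
    uint64_t rx_pkts_late[NV_MACSEC_MAX_SA];
    uint64_t rx_pkts_not_valid[NV_MACSEC_MAX_SA];
    uint64_t rx_pkts_ok[NV_MACSEC_MAX_SA];
};
struct snapshot { struct irq_stats irq; struct mmc_cntrs mmc; };

enum {
    ALERT_REKEY_DUE    = 1u << 0, /* Tx PN threshold: rotate the SAK before the 32-bit PN wraps */
    ALERT_PN_EXHAUSTED = 1u << 1, /* PN exhausted: the SA cannot be used until rekeyed */
    ALERT_REPLAY       = 1u << 2, /* replay-window violations or late packets */
    ALERT_INTEGRITY    = 1u << 3, /* ICV/tag failures: wrong key, corruption or tampering */
    ALERT_NO_SA        = 1u << 4, /* frames hitting no SC/AN or an unprogrammed key slot */
    ALERT_SECURE_REG   = 1u << 5  /* secure register access violation */
};

static const char *alert_names[] = {
    "rekey due", "PN exhausted", "replay", "integrity failure",
    "no matching SA", "secure reg violation"
};

static uint64_t grew(uint64_t prev, uint64_t cur) { return cur - prev; } /* 64-bit, monotonic */
static uint64_t sum_sa(const uint64_t *a)
{
    uint64_t s = 0;
    for (int i = 0; i < NV_MACSEC_MAX_SA; i++) s += a[i];
    return s;
}

/* Compare two snapshots and return a bitmask of ALERT_* conditions. */
unsigned macsec_alerts(const struct snapshot *p, const struct snapshot *c)
{
    unsigned m = 0;
    if (grew(p->irq.tx_pn_threshold, c->irq.tx_pn_threshold))
        m |= ALERT_REKEY_DUE;
    if (grew(p->irq.tx_pn_exhausted, c->irq.tx_pn_exhausted) ||
        grew(p->irq.rx_pn_exhausted, c->irq.rx_pn_exhausted))
        m |= ALERT_PN_EXHAUSTED;
    if (grew(p->irq.rx_replay_error, c->irq.rx_replay_error) ||
        grew(sum_sa(p->mmc.rx_pkts_late), sum_sa(c->mmc.rx_pkts_late)))
        m |= ALERT_REPLAY;
    if (grew(p->irq.rx_icv_err_threshold, c->irq.rx_icv_err_threshold) ||
        grew(p->mmc.rx_pkts_bad_tag, c->mmc.rx_pkts_bad_tag) ||
        grew(sum_sa(p->mmc.rx_pkts_not_valid), sum_sa(c->mmc.rx_pkts_not_valid)))
        m |= ALERT_INTEGRITY;
    if (grew(p->irq.tx_lkup_miss, c->irq.tx_lkup_miss) ||
        grew(p->irq.rx_lkup_miss, c->irq.rx_lkup_miss) ||
        grew(p->irq.tx_uninit_key_slot, c->irq.tx_uninit_key_slot) ||
        grew(p->irq.rx_uninit_key_slot, c->irq.rx_uninit_key_slot) ||
        grew(p->mmc.rx_pkts_no_sa_err, c->mmc.rx_pkts_no_sa_err))
        m |= ALERT_NO_SA;
    if (grew(p->irq.secure_reg_viol, c->irq.secure_reg_viol))
        m |= ALERT_SECURE_REG;
    return m;
}

/* Constructed scenario: healthy traffic on AN 1, then 3 replayed frames and a
 * PN-threshold interrupt between the two polls. */
unsigned demo_alerts(void)
{
    struct snapshot prev = {0}, cur = {0};
    prev.mmc.rx_pkts_ok[1] = 100000; cur.mmc.rx_pkts_ok[1] = 250000;
    cur.irq.rx_replay_error = 3;     cur.mmc.rx_pkts_late[1] = 3;
    cur.irq.tx_pn_threshold = 1;
    return macsec_alerts(&prev, &cur);
}

int main(void)
{
    unsigned m = demo_alerts();
    for (unsigned i = 0; i < 6; i++)
        if (m & (1u << i)) printf("ALERT: %s\n", alert_names[i]);
    return 0;
}
```

ALERT_REKEY_DUE is the one to treat as time-critical on this hardware: because NvMACsec uses a 32-bit PN with no Extended Packet Number, the key server must distribute a fresh SAK before the PN wraps, otherwise the tx_pn_exhausted counter follows and traffic on that SA stops.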
nvidia,macsec-enable, then expect the following errors in the boot logs. They are not harmful if MACsec is not being used:
    sessionSetup: C_FindObjects failed, 0x0
    nvpkcs_session_setup: sessionSetup failed, 0x6
    KaY-ieee802_1x_kay_create_mka: nvpkcs_session_setup() failed.