6.1.2. AXI-ST Interface Using MAC Security (MACsec) Profile Pattern
Signal Name | Direction | Description |
---|---|---|
algorithm_type | Input/Output | Indicates the cryptographic operation mode for the corresponding cycle.
|
encrypt_decrypt | Input/Output | Indicates the type of cryptographic operation for the corresponding cycle.
|
key_128b_256b | Input/Output | Indicates the key size. The signal is only valid when the key_en signal is set to 1.
Note: The SM4 algorithm only supports 128 bit key size.
|
pattern[2:0] | Input/Output |
Pattern ID: Indicates the pattern profile selected for the current clock cycle.
When the signal switches from the IDLE state to the MACSEC state, indicates that the data associated in the given clock cycle is related to the MAC Security.
|
TID[9:0] | Input/Output | Channel ID. Available when the pattern is set to MACsec profile. When pattern ID is set to MACsec, the channel ID indicates to the logic which cryptographic channel or slot is the packet starting at this clock is associated with. |
TID[15:10] | Input/Output | Port/Stream ID. Indicates the stream/port that a group or channels can be associated with. The expectation is that you associate multiple channels to a given port of up to 64 ports. On the output side, the Symmetric Cryptographic IP core does not merge or pack data belonging to channels that don’t belong to the same port together. |
TID[25:16] | Input/Output | Channel ID when the pattern[2:0] is set to MAC Security profile. When pattern ID is set to MACsec, the channel ID indicates to the logic which cryptographic channel or slot is the packet ending at this clock is associated with. |
TID[31:26] | Input/Output | Port/Stream ID when the pattern[2:0] is set to MAC Security profile. Indicates the stream/port of an ending packet when there are 2 packets in the same cycle. The expectation is that you associate multiple channels to a given port of up to 64 ports. On the output side, the Symmetric Cryptographic IP core does not merge or pack data belonging to channels that don’t belong to the same port together. |
key_en | Input | When set and pattern[2:0] is set to the MAC Security profile, indicates that the data field contains keys to program in the key slots identified by TID[9:0]. You must set the key_128b_256b signal to specify the key size, 128 or 256 bit key.
This key_en is a standalone operation per clock. You can select to send the keys at one time or individually. Asserting this signal while data is in process is not allowed. |
next_packet_en | Output | When the profile is MACsec and tlast is asserted with a tkeep indicating that there is at least 1 word (128 bits) of free data lines excluding the MAC, this signal indicates that a new packet starts within the same clock. The new packet is 128 bits aligned. |
data_en, MAC_IV_tweak_en | Input | When pattern[2:0] is set to the MAC Security profile, indicates that the corresponding clock cycle includes either data only, or data with IV for the corresponding channel, per TID[9:0] setting. |
data_en, MAC_IV_tweak_en | Output | When pattern[2:0] is set to the MAC Security profile, indicates that the corresponding clock cycle includes either data only, or data followed by the MAC for the corresponding channel, per TID[9:0] setting. |
tlast | Input/Output | When set, indicates that the data ends (EOP) in the current clock cycle.
Note: The tkeep signal specifies the number of valid bytes in this cycle.
|
data_en | MAC_IV_tweak_en | data[511:0] |
---|---|---|
data_en and MAC_IV_tweak_en as Input Signals | ||
0 | 0 | Reserved |
0 | 1 | The hardware expects you to start a new packet in this clock cycle, starting with an IV without any trailing data from the previous packet. |
1 | 0 | Bits [511:0] contain input data sent to the AES/SM4 Inline Cryptographic Accelerator. The hardware assumes that the IV was sent in a previous clock cycle. |
1 | 1 | The hardware expects the end one packet in the current clock cycle and a start of another packet. You must assert the tlast signal to indicate the end of one packet and set the tkeep signal accordingly. The tkeep signal with tlast signal indicate the number of trailing bits before you indicate the new IV.
In the current clock cycle, bits [127:0] contain:
|
data_en and MAC_IV_tweak_en as Output Signals | ||
0 | 0 | Reserved |
0 | 1 | Bits [127:0] contain the MAC of the requested GCM operation. |
1 | 0 | Bits [511:0] contain input data sent to the AES/SM4 Inline Cryptographic Accelerator. The data is any of the following: AAD sent back to your logic, cleartext or ciphertext based on the requested operation. |
1 | 1 | Bits [511:0] contain the input data sent to the AES/SM4 Inline Cryptographic Accelerator followed by 128 bits of the MAC. The data is any of the following: AAD sent back to your logic, cleartext or ciphertext based on the requested operation. You must assert the tlast signal to indicate the end of one packet. The tkeep signal indicates the length of the valid data. |