MACsec Intel® FPGA IP User Guide

Download PDF
ID 736108
Date 10/21/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP Core 5. MACsec Intel® FPGA IP Example Design 6. Functional Description 7. Configuration Registers for MACsec IP 8. Document Revision History for the MACsec Intel FPGA IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Core Overview 1.3. Release Information 1.4. Device Family Support 1.5. Device Speed Grade Support and Theoretical Throughput 1.6. Resource Utilization
1.2. IP Core Overview x
1.2.1. IP Description 1.2.2. IP Core Applications
1.2.2. IP Core Applications x
1.2.2.1. SmartNIC 1.2.2.2. Ethernet Bridge + Inline MACsec
2. Interface Overview x
2.1. Block Diagram 2.2. Interfaces 2.3. Clocking Domains
2.2. Interfaces x
2.2.1. IP Interface Signals 2.2.2. IP Interface Signal Timing Diagram/Waveforms 2.2.3. Clocks, Resets, and Interrupts
2.2.1. IP Interface Signals x
2.2.1.1. Common Port Mux Interface 2.2.1.2. Common Port Demux Interface 2.2.1.3. Controlled Port Mux Interface 2.2.1.4. Controlled Port Demux Interface 2.2.1.5. Uncontrolled Port RX Interface 2.2.1.6. Uncontrolled Port TX Interface 2.2.1.7. Crypto RX Interface 2.2.1.8. Crypto TX Interface 2.2.1.9. Management Interface 2.2.1.10. Decrypt Port Mux Management Interface 2.2.1.11. Decrypt Port Demux Management Interface 2.2.1.12. Encrypt Port Mux Management Interface 2.2.1.13. Encrypt Port Demux Management Interface 2.2.1.14. Crypto IP Management Bus
2.2.2. IP Interface Signal Timing Diagram/Waveforms x
2.2.2.1. Common Port Mux Interface Waveform 2.2.2.2. Common Port Demux Interface Waveform 2.2.2.3. Controlled Port Mux Interface Waveform 2.2.2.4. Controlled Port Demux Interface Waveform 2.2.2.5. Uncontrolled Port RX Interface Waveform 2.2.2.6. Uncontrolled Port TX Interface Waveform 2.2.2.7. Crypto RX Waveform 2.2.2.8. Crypto TX Waveform 2.2.2.9. MACsec Management Interface (Read) 2.2.2.10. MACsec Management Interface (Write)
3. Parameters x
3.1. MACsec Intel FPGA IP Parameter Settings
4. Designing with the IP Core x
4.1. Installing and Licensing Intel® FPGA IP Cores 4.2. Specifying the IP Core Parameters and Options 4.3. Generated File Structure 4.4. Reset Transactions 4.5. MACsec Software Initialization Sequence 4.6. MACsec Software Rekeying
4.1. Installing and Licensing Intel® FPGA IP Cores x
4.1.1. Intel® FPGA IP Evaluation Mode
5. MACsec Intel® FPGA IP Example Design x
5.1. Port Configurations 5.2. Multi Interface Buffering Muxing/Demuxing 5.3. 2x25 GbE (Encryption + Decryption) 5.4. Packet Generator/Checker 5.5. Clocking
6. Functional Description x
6.1. AXI-ST Common/Controlled/Uncontrolled Ports 6.2. Packet Parser and Classifier 6.3. SA Lookup and Update 6.4. Encryption Framer/DeFramer 6.5. Decryption Framer/Deframer 6.6. Packet Aggregator/Disaggregator 6.7. Cryptographic AES 6.8. Error Handling 6.9. Packet Statistics
6.1. AXI-ST Common/Controlled/Uncontrolled Ports x
6.1.1. AXI-ST Single Packet Mode 6.1.2. AXI-ST Multi Packet Mode 6.1.3. User Interface Data Streaming 6.1.4. AXI-ST Ready Latency 6.1.5. Port and Secure Channel Mapping 6.1.6. Port and Crypto Channel Mapping 6.1.7. Minimum Packet Size 6.1.8. Byte Ordering 6.1.9. Controlled/Uncontrolled Port Muxing
6.1.3. User Interface Data Streaming x
6.1.3.1. Single Packet Mode Data Stream 6.1.3.2. Multi Packet Mode Data Stream
6.2. Packet Parser and Classifier x
6.2.1. Packet Parser 6.2.2. Packet Classifier
6.3. SA Lookup and Update x
6.3.1. Packet Actions 6.3.2. Packet Buffer 6.3.3. New Channel Assignment 6.3.4. Anti-Replay Protection
6.3.1. Packet Actions x
6.3.1.1. Packet Encrypt 6.3.1.2. Packet Decrypt 6.3.1.3. Packet Discard
6.3.1.3. Packet Discard x
6.3.1.3.1. PDU Validation
6.4. Encryption Framer/DeFramer x
6.4.1. Channel Allocation 6.4.2. Packet Framer 6.4.3. VLAN Tagging
6.4.2. Packet Framer x
6.4.2.1. Bypass Packet 6.4.2.2. Stream Interleaving
6.4.3. VLAN Tagging x
6.4.3.1. No VLAN Tag 6.4.3.2. VLAN Tag (Not in Clear) 6.4.3.3. VLAN Tag (Clear)
6.5. Decryption Framer/Deframer x
6.5.1. XPN Recovery 6.5.2. Replay Check Update 6.5.3. Packet Deframer
6.6. Packet Aggregator/Disaggregator x
6.6.1. Packet Aggregator 6.6.2. Packet Disaggregator
6.7. Cryptographic AES x
6.7.1. Register Address Ordering 6.7.2. Byte Order Swapping 6.7.3. Byte Ordering
6.8. Error Handling x
6.8.1. Packet Error Handling 6.8.2. Memory Blocks ECC Errors 6.8.3. Crypto Errors 6.8.4. System-Level Errors
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. MACsec Intel® FPGA IP Example Design
6. Functional Description
7. Configuration Registers for MACsec IP
8. Document Revision History for the MACsec Intel FPGA IP User Guide

3.1. MACsec Intel FPGA IP Parameter Settings

Table 24.  MACsec IP Parameter Settings
Parameter Supported Values Default Settings Parameter Description
Topology Tab
Control Port
  • ENCRYPT_DECRYPT
  • ENCRYPT_ONLY
  • DECRYPT_ONLY
 ENCRYPT_DECRYPT

Controlled ports for encryption and decryption lanes.

User Mux Enable Enable, Disable ENABLE Enables the Arbiter on the user interface.
Uncontrolled Port Enable Enable, Disable DISABLE Indicates whether the uncontrolled ports for both transmit and receive lanes are enabled to receive user traffic. When disabled, the uncontrolled ports are hidden from the user.
Number of TX+RX Ports 2-64 4 Maximum number of controlled ports supported in MACsec for all ports and streams.
Number of TX Ports 0-64 2 Number of TX ports used in MACsec IP.
Maximum Crypto Channels 1024 1024 Maximum number of Crypto channels used in MACsec for all ports and streams.
Interface Property Tab
Select Port 0-64 0 Selects the port for which parameters are to be configured.
User Data Width 256 and 512 512 AXI-ST User User Interface data bus width.
Port Data Width
  • 64
  • 128
  • 256
  • 512
 64 Arbiter data bus width
Number of Segments 1-8 1

Cannot be changed.

Defines the number of segments supported for a particular data transfer clock. The data bus is segmented evenly based on the number of segments.

Arbiter Ready Latency 0-16 0 Defines the association between assertion of the READY signal and the corresponding VALID on the Arbiter interface.
Buffer Store Forward Enable 0,1 0 Buffer operates in store and forward mode when enabled. In store and forward mode, the buffer stores the entire packet from the SOP until TLAST/EOP before indicating transfer readiness at the buffer outlet.
User Metadata Width 16 16 User metadata signal bit width
Metadata Enable Enable, Disable Disable Indicates there is user metadata which is tag along with incoming/outgoing packet into MACsec IP. It is required to support PTP use case.
Port Mux/Demux Short Length Packet Handling 0,1 0 Enabling this parameter enables the Adapter module that takes care of the short length packet.
Port Mux Buffer Full Error Checking and Handling 0,1 0 Enabling this parameter enables the error check to detect the buffer full check of the port Mux buffer.
Port Demux Buffer Full Error Checking and Handling 0,1 0 Enabling this parameter enables the error check to detect the buffer full check of the port Demux buffer.
801_1AE-2018 Options Tab
Editing Port 0 0 Arbiter Port Parameters
Port Confidential Offset 0,30,50 0 Indicates the number of octets after SecTAG that is integrity protected only while remaining octets are confidential and integrity protected.
Port VLAN Clear Enable, Disable Enable Defines whether VLLAN Clear is supported for Port X.
Validate Frames Strict, Check, Disable Strict Indicates the transmitted/received frames check level.
Protect Frames True, False True Frames Protection Enable
Replay Protect True, False True Anti-Replay Protection Check Enable
XPN Mode 0,1 1 Indicates whether the 64b Extended Packet Number is supported.
Cipher Suite GCM-AES GCM-AES MACsec supports AES-GCM cipher suite.
Optional Settings Tab
SADB TX STATS DEBUG EN 0,1 1 Enables stats counter for SADB TX.
SADB RX STATS DEBUG EN 0,1 1 Enables stats counter for SADB RX.
PORT MUX CSR MUX EN 0,1 1 Enables MUX CSR. Valid when CSR_MUX_EN_BUF is set to "1".
PORT MUX CSR MUX BUF EN 0,1 1 Enables MUX Buffer CSR. Valid when CSR_MUX_BUF_EN is set to "1".
PORT MUX ACT CTRL REG EN 0,1 0 Enables Default Action Control register. Valid when CSR_MUX_BUF_EN is set to "1".
PORT MUX HI WM_REG EN 0,1 0 Enables High Watermark register. Valid when CSR_MUX_BUF_EN is set to "1".
PORT MUX LO WM_REG EN 0,1 0 Enables Low Watermark register. Valid when CSR_MUX_BUF_EN is set to "1".
PORT MUX BUF CTRL_REG EN 0,1 1 Enables Store and Forward register. Valid when CSR_MUX_BUF_EN is set to "1".
PORT MUX BUF STS_REG EN 0,1 0 Enables Buffer status register. Valid when CSR_MUX_BUF_EN is set to "1".
PORT MUX TRUNC STS_REG EN 0,1 0 Enables Truncated packet status register. Valid when CSR_MUX_BUF_EN is set to "1".
PORT MUX DISC STS_REG EN 0,1 0 Enables Discarded packet status register. Valid when CSR_MUX_BUF_EN is set to "1".
PORT DEMUX CSR DEMUX EN 0,1 0 Enables DEMUX CSR. Valid when CSR_DEMUX_EN is set to "1".
PORT DEMUX CSR DEMUX BUF EN 0,1 0 Enables DEMUX Buffer CSR. Valid when CSR_DEMUX_BUF_EN is set to "1".
PORT DEMUX ACT CTRL REG EN 0,1 0 Enables Default Action Control register. Valid when CSR_DEMUX_BUF_EN is set to "1".
PORT DEMUX HI WM REG EN 0,1 0 Enables High Watermark register. Valid when CSR_DEMUX_BUF_EN is set to "1".
PORT DEMUX LO WM REG EN 0,1 0 Enables Low Watermark register. Valid when CSR_DEMUX_BUF_EN is set to "1".
PORT DEMUX BUF CTRL REG EN 0,1 0 Enables Store and Forward register. Valid when CSR_DEMUX_BUF_EN is set to "1".
PORT DEMUX BUF STS REG EN 0,1 0 Enables Buffer status register. Valid when CSR_DEMUX_BUF_EN is set to "1".
PORT DEMUX TRUNC STS REG EN 0,1 0 Enables Truncated packet status register. Valid when CSR_DEMUX_BUF_EN is set to "1".
PORT DEMUX DISC STS REG EN 0,1 0 Enables Discarded packet status register. Valid when CSR_DEMUX_BUF_EN is set to "1".
USER PORT MULTI Enable, Disable Disable Indicates the AXI-ST Controlled/Common port is operating in Single Packet Mode or Multi Packet Mode.
Engineering Settings Tab
Hidden Parameters Enable Unchecked, Checked Unchecked Shows the hidden parameters.
CRYPTO_QHIP_EN 0,1 1 Enables AES Crypto-IP
REPLAY_PROTECT_MULTI_CYCLE 0,1 0 Enables Multi-Cycle Implementation of the Anti-Replay Protection Check Enable feature.
Ethernet Channel Width
  • 64
  • 128
  • 256
  • 512
 64 Defines supported Ethernet Channel Width.
FRAMER_STALL_WATERMARK 192 192 FIFO watermark on Framer
AGGR_FIFO_WATERMARK 10 10 FIFO watermark on Aggregator
DEAGGR_FIFO_WATERMARK 5 5 FIFO watermark on Disaggregator
AES_PORT_READYLATENCY_VLD 1-14 3 Defines the association between assertion of READY signal and the corresponding VALID on AES interface
AES_PORT_READYLATENCY_RDY 1-15 2 Defines the association between assertion of READY signal and the corresponding VALID on AES interface
MACsec Debug Testbus Enable Enable, Disable Disable sTAP Enhancement
TX Controlled Uncontrolled Priority CTRL CTRL Priority of Arbitration MUX: Controlled/Uncontrolled Ports
MACsec Debug CSR Enable Enable, Disable Disable Enabling the Debuggability feature on MACsec
Example Designs Tab
Example Design Files
Simulation Checked, Unchecked Checked When the Simulation box is checked, all necessary file sets required for simulation are generated. When this box is NOT checked, file sets required for simulation are NOT generated. Instead a gsys example design system is generated.
Synthesis Checked, Unchecked Checked When the Synthesis box is checked, all necessary file sets required for synthesis are generated. When this box is NOT checked, file sets required for synthesis are NOT generated. Instead a gsys example design system is generated.
Generated HDL Format
General file format Verilog Verilog HDL format
Target Development Kit
Current development kit None None This option provides support for various development kits listed. The details of Intel FPGA development kits can be found on Intel the Intel FPGA website: http://www.altera.com/product/boards_and kits/all-development-kits.html. If this menu is greyed out, it because no board is supported for the options selected (for example, synthesis deselected) If an Intel FPGA development board is selected, the Target Device used for generation is the one that matches the device on the development kit.
Level Two Title