MACsec Intel® FPGA IP User Guide

Download PDF
ID 736108
Date 10/02/2023
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP Core 5. Functional Description 6. Configuration Registers for MACsec IP 7. MACsec Intel® FPGA IP Example Design 8. MACsec Intel FPGA IP User Guide Archives 9. Document Revision History for the MACsec Intel FPGA IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Core Overview 1.3. Release Information 1.4. Device Family Support 1.5. Device Speed Grade Support and Theoretical Throughput 1.6. Resource Utilization
1.2. IP Core Overview x
1.2.1. IP Description 1.2.2. IP Core Applications
1.2.2. IP Core Applications x
1.2.2.1. SmartNIC 1.2.2.2. Ethernet Bridge + Inline MACsec
2. Interface Overview x
2.1. Block Diagram 2.2. Interfaces 2.3. Clocking Domains
2.2. Interfaces x
2.2.1. IP Interface Signals 2.2.2. IP Interface Signal Timing Diagram/Waveforms 2.2.3. Clocks, Resets, and Interrupts
2.2.1. IP Interface Signals x
2.2.1.1. Common Port Mux Interface 2.2.1.2. Common Port Demux Interface 2.2.1.3. Controlled Port Mux Interface 2.2.1.4. Controlled Port Demux Interface 2.2.1.5. Uncontrolled Port RX Interface 2.2.1.6. Uncontrolled Port TX Interface 2.2.1.7. Management Interface 2.2.1.8. Decrypt Port Mux Management Interface 2.2.1.9. Decrypt Port Demux Management Interface 2.2.1.10. Encrypt Port Mux Management Interface 2.2.1.11. Encrypt Port Demux Management Interface 2.2.1.12. Crypto IP Management Bus 2.2.1.13. Miscellaneous Control Signals
2.2.2. IP Interface Signal Timing Diagram/Waveforms x
2.2.2.1. Common Port Mux Interface Waveform 2.2.2.2. Common Port Demux Interface Waveform 2.2.2.3. Controlled Port Mux Interface Waveform 2.2.2.4. Controlled Port Demux Interface Waveform 2.2.2.5. Uncontrolled Port RX Interface Waveform 2.2.2.6. Uncontrolled Port TX Interface Waveform 2.2.2.7. Crypto RX Waveform 2.2.2.8. Crypto TX Waveform 2.2.2.9. MACsec Management Interface (Read) 2.2.2.10. MACsec Management Interface (Write)
3. Parameters x
3.1. MACsec Intel FPGA IP Parameter Settings
4. Designing with the IP Core x
4.1. Installing and Licensing Intel® FPGA IP Cores 4.2. Specifying the IP Core Parameters and Options 4.3. Generated File Structure 4.4. Reset Transactions 4.5. MACsec Software Initialization Sequence
4.1. Installing and Licensing Intel® FPGA IP Cores x
4.1.1. Intel® FPGA IP Evaluation Mode
5. Functional Description x
5.1. AXI-ST Common/Controlled/Uncontrolled Ports 5.2. Packet Parser and Classifier 5.3. SA Lookup and Update 5.4. Encryption Framer/DeFramer 5.5. Decryption Framer/Deframer 5.6. Packet Aggregator/Disaggregator 5.7. Cryptographic AES 5.8. Error Handling 5.9. Packet Statistics
5.1. AXI-ST Common/Controlled/Uncontrolled Ports x
5.1.1. AXI-ST Single Packet Mode 5.1.2. AXI-ST Multi Packet Mode 5.1.3. User Interface Data Streaming 5.1.4. AXI-ST Ready Latency 5.1.5. Port and Secure Channel Mapping 5.1.6. Port and Crypto Channel Mapping 5.1.7. Minimum Packet Size 5.1.8. Byte Ordering 5.1.9. Controlled/Uncontrolled Port Muxing
5.1.3. User Interface Data Streaming x
5.1.3.1. Single Packet Mode Data Stream 5.1.3.2. Multi Packet Mode Data Stream
5.2. Packet Parser and Classifier x
5.2.1. Packet Parser 5.2.2. Packet Classifier
5.3. SA Lookup and Update x
5.3.1. Packet Actions 5.3.2. Packet Buffer 5.3.3. New Channel Assignment 5.3.4. Anti-Replay Protection
5.3.1. Packet Actions x
5.3.1.1. Packet Encrypt 5.3.1.2. Packet Decrypt 5.3.1.3. Packet Discard 5.3.1.4. PDU Validation
5.4. Encryption Framer/DeFramer x
5.4.1. Channel Allocation 5.4.2. Packet Framer 5.4.3. VLAN Tagging
5.4.2. Packet Framer x
5.4.2.1. Bypass Packet 5.4.2.2. Stream Interleaving
5.4.3. VLAN Tagging x
5.4.3.1. No VLAN Tag 5.4.3.2. VLAN Tag (Not in Clear) 5.4.3.3. VLAN Tag (Clear)
5.5. Decryption Framer/Deframer x
5.5.1. XPN Recovery 5.5.2. Replay Check Update 5.5.3. Packet Deframer
5.6. Packet Aggregator/Disaggregator x
5.6.1. Packet Aggregator 5.6.2. Packet Disaggregator
5.7. Cryptographic AES x
5.7.1. Register Address Ordering 5.7.2. Byte Order Swapping 5.7.3. Byte Ordering
5.8. Error Handling x
5.8.1. Packet Error Handling 5.8.2. Memory Blocks ECC Errors 5.8.3. Crypto Errors 5.8.4. System-Level Errors
7. MACsec Intel® FPGA IP Example Design x
7.1. Simulation Requirements 7.2. Steps to Run Simulation 7.3. Port Configurations 7.4. Multi Interface Buffering Muxing/Demuxing 7.5. 2x25 GbE (Encryption + Decryption) 7.6. Packet Generator/Checker 7.7. Clocking
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. Functional Description
6. Configuration Registers for MACsec IP
7. MACsec Intel® FPGA IP Example Design
8. MACsec Intel FPGA IP User Guide Archives
9. Document Revision History for the MACsec Intel FPGA IP User Guide

5.8.3. Crypto Errors

Based on traffic sent to the Crypto HIP, there are several errors that can be flagged and the potential list of errors is shown below. These errors and flags are obtained through the TUSER.error_status and TUSER.error_code signals of the AXI-ST interface. These fatal errors are not expected since they are generated due to either invalid configuration or invalid packet format. Any errors observed from the Crypto IP need to be root-caused and fixed in hardware or configuration.
Table 54.  Crypto Errors
Category Error status code Error Description Recoverable Root Cause Mitigation Notes
Modes Invalid AES request [0x13] AES requested when it is disabled in HW No Invalid System Configuration generated by user User need to regenerate Crypto QHIP with AES enabled This error makes all MACsec traffics fail with errors.
EOB without SOB error [0x3] User indicated End of block without a start of block No MACsec IP HW error Fix MACsec IP HW logic bug  
Transfer without SOB error [0x2] Transfer started without SOB No MACsec IP HW error Fix MACsec IP HW logic bug  
Key RAM uncorrectable error [1]   No Log error in MACsec IP Error CSR and fire interrupt User needs to toggle the reset to the ICA subsystem and MACsec IP  
Stream RAM uncorrectable error [0]   No Log error in MACsec IP Error CSR and fire interrupt User needs to toggle the reset to the ICA subsystem and MACsec IP  
AES Counter overflow indication [0x7] AES counter rolled over AES GCM allowed limit No MACsec IP HW error Fix MACsec IP HW logic bug Potential back to back packets with single SOP but no EOP
Packet Processing No Key received for MACsec patterns [0x17] User tried to initiate data authentication, encryption or decryption but did not send in the key earlier No

1. Channel Inuse CSR not reset properly after new SA update

2. Channel Allocation cycle loss due to packet drop or MACsec IP error

Fix MACsec IP HW:

1. Ensure new SA update clear Channel Inuse CSR bits

2. Fix MACsec IP to ensure the Channel Allocation cycle not loss due to packet drop or MACsec IP bug

  
No IV or tweak received for MACsec patterns [0x19] User did not send any IV or tweak at the beginning of the packets No MACsec IP HW error Fix MACsec IP HW logic bug  
No end of packet for data for MACsec [0x1b] User started encryption or decryption but did not toggle end of packet and we reached max length limit No MACsec IP HW error Fix MACsec IP HW logic bug  
Crypto Internal Errors

Pack IPSec Internal Errs

Pack Gen XTS Internal Errs

Pack Gen GCM Internal Errs

Depack MACsec Internal Errs

Depack IPSec Internal Errs

Depack Gen XTS Internal Errs

Depack Gen GCM Internal Errs

Pack RAM Prefetch UNC ECC

DePack RAM Prefetch UNC ECC

256/512 Gasket

RMB Stream RAM UNC ECC

RMB Key RAM UNC ECC

Pack RAM UNC ECC

Depack RAM UNC ECC

MAC FIFO UNC ECC

MAC FIFO OVF

AXI ST Egress MST1 FIFO OVF

AXI ST Egress MST0 FIFO OVF

AXI ST Ingress SLV1 FIFO OVF

AXI ST Ingress SLV0 FIFO OVF

[0x1f]

   No Log error in MACsec IP Error CSR and fire interrupt User needs to toggle the reset to the ICA subsystem and MACsec IP  
Level Two Title