MACsec Intel FPGA System Design User Guide

ID 767516
Date 6/26/2023
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

6.4. Software Overview

For MACsec IP, the software stack is shown below. It depicts end-to-end flow of control and data packets from userspace applications to the hardware layer.
Figure 32. MACsec Complete Stack with Control and Data Path

Control Path: Software tools like the CLI, IP route tool and wpa_suppliant are used to trigger control commands to configure the CSRs and initiate static/dynamic key exchanges via the socket interface.

The IP tool uses Rtnllink and Netlink APIs to create the MACsec net interface and configure secure association details into the hardware. These calls are later handled by the Linux MACsec Driver and trigger the macsec_ops() of the McDMA driver to configure the CSR region.

The wpa_supplicant uses a raw packet to send or receive EAPol packets transferred between MACsec peers for authentication/session establishment and key exchange. These packets are directly handled by the base network driver (McDMA) to do xmit() or recv() to/from the hardware queues. The wpa_supplicant also uses Rtnllink and Netlink APIs to set or create the MACsec net interface and configure secure association details into the hardware via Linux MACsec Driver and McDMA Driver(The MACsec IP APIs are integrated with McDMA Driver).

The CLI debug tool uses Rtnllink and Netlink APIs to set or create the MACsec net interface and configure secure association details into the hardware. These calls are later handled by the MACsec IP Driver(with/without McDMA driver based on McDMA IP in hardware) to configure the CSR region.

Data Path: Utilities like ping, sftp, scp, etc. are used to initiate the data transfers from userspace to hardware. Depending upon the associated network protocol used by the data transfer utility, respective protocol handler gets triggered based on send() and recv() calls from application to physical layer or vice versa.

The data path is handled by the MACsec IP and SW modules are used as bypass the data flow to above or below layers.

In case offload is off, the data path is handled by Linux MACsec Driver as Tx and Rx path.

Tx Path: The Linux MACsec Driver adds the MACsec header with 0x88e5 protocol number and other details to the frame. It forwards the encrypted/protected frame to the base network driver. This network driver copies the packet to the HW Queue.

Rx Path: On the arrival of a packet, the base network driver (McDMA) allocates the socket buffer (skb) and forwards it to the Linux MACsec driver. The MACsec Driver takes care of decrypting the packet and delivers it to the upper layers.

The following sections discuss the major modules of software stack.