From 998534c99eceafe580746caa5df1e9545fb59cde Mon Sep 17 00:00:00 2001
From: Mark Starovoytov
Date: Fri, 24 Apr 2020 11:38:56 +0300
Subject: [PATCH 1/2] macsec: add support for MAC offload
This patch enables MAC HW offload usage in iproute, since MACSec implementation supports it now.
Signed-off-by: Mark Starovoytov
Signed-off-by: Igor Russkikh
Signed-off-by: David Ahern
---
 ip/ipmacsec.c | 3 ++-
 man/man8/ip-macsec.8 | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 4e500e4e..d214b101 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -34,6 +34,7 @@ static const char * const validate_str[] = {
 static const char * const offload_str[] = {
 [MACSEC_OFFLOAD_OFF] = "off",
 [MACSEC_OFFLOAD_PHY] = "phy",
+ [MACSEC_OFFLOAD_MAC] = "mac",
 };
 struct sci {
@@ -98,7 +99,7 @@ static void ipmacsec_usage(void)
 " ip macsec del DEV rx SCI sa { 0..3 }\n"
 " ip macsec show\n"
 " ip macsec show DEV\n"
- " ip macsec offload DEV [ off | phy ]\n"
+ " ip macsec offload DEV [ off | phy | mac ]\n"
 "where OPTS := [ pn ] [ on | off ]\n"
 " ID := 128-bit hex string\n"
 " KEY := 128-bit or 256-bit hex string\n"
diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index d5f9d240..b2ee7bee 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -54,7 +54,7 @@ ip-macsec \- MACsec device configuration
 .RI "{ " 0..3 " }"
 .BI "ip macsec offload " DEV
-.RB "{ " off " | " phy " }"
+.RB "{ " off " | " phy " | " mac " }"
 .B ip macsec show
 .RI [ " DEV " ]
From bcbeb35ca4351928b4b8e4cb28802880312be0f1 Mon Sep 17 00:00:00 2001
From: Mark Starovoytov
Date: Fri, 24 Apr 2020 11:38:57 +0300
Subject: [PATCH 2/2] macsec: add support for specifying offload at link add time
This patch adds support for configuring offload mode upon MACsec device creation. If offload mode is not specified, then netlink attribute is not added. Default behavior on the kernel side in this case is backward-compatible (offloading is disabled by default). Example: $ ip link add link eth0 macsec0 type macsec port 11 encrypt on offload mac
Signed-off-by: Mark Starovoytov
Signed-off-by: Igor Russkikh
Signed-off-by: David Ahern
---
 ip/ipmacsec.c | 20 ++++++++++++++++++++
 man/man8/ip-macsec.8 | 8 +++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index d214b101..18289ecd 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -1220,6 +1220,15 @@ static void macsec_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
 validate_to_str(val));
 }
+ if (tb[IFLA_MACSEC_OFFLOAD]) {
+ __u8 val = rta_getattr_u8(tb[IFLA_MACSEC_OFFLOAD]);
+
+ print_string(PRINT_ANY,
+ "offload",
+ "offload %s ",
+ offload_to_str(val));
+ }
+
 const char *inc_sci, *es, *replay;
 if (is_json_context()) {
@@ -1268,6 +1277,7 @@ static void usage(FILE *f)
 " [ replay { on | off} window { 0..2^32-1 } ]\n"
 " [ validate { strict | check | disabled } ]\n"
 " [ encodingsa { 0..3 } ]\n"
+ " [ offload { mac | phy | off } ]\n"
 );
 }
@@ -1277,6 +1287,7 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
 int ret;
 __u8 encoding_sa = 0xff;
 __u32 window = -1;
+ enum macsec_offload offload;
 struct cipher_args cipher = {0};
 enum macsec_validation_type validate;
 bool es = false, scb = false, send_sci = false;
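Review bot: In the macsec_print_opt hunk, `val` is whatever the kernel placed in IFLA_MACSEC_OFFLOAD, and it is handed straight to `offload_to_str()`, whose body is not visible in this patch. That helper has to range-check against `ARRAY_SIZE(offload_str)` before indexing, because a newer kernel can report an offload mode this table does not list; please confirm that it does. A short comment above the call would record the expectation, for example `/* val is kernel-supplied; offload_to_str() must tolerate modes missing from offload_str[] */`. macsec_print_opt starts and ends outside this hunk.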
@@ -1398,6 +1409,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
 ret = get_an(&encoding_sa, *argv);
 if (ret)
 invarg("expected an { 0..3 }", *argv);
+ } else if (strcmp(*argv, "offload") == 0) {
+ NEXT_ARG();
+ ret = one_of("offload", *argv,
+ offload_str, ARRAY_SIZE(offload_str),
+ (int *)&offload);
+ if (ret != 0)
+ return ret;
+ addattr8(n, MACSEC_BUFLEN,
+ IFLA_MACSEC_OFFLOAD, offload);
 } else {
 fprintf(stderr, "macsec: unknown command \"%s\"?\n",
 *argv);
diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index b2ee7bee..8e9175c5 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -23,6 +23,8 @@ ip-macsec \- MACsec device configuration
 ] [
 .BR validate " { " strict " | " check " | " disabled " } ] ["
 .BI encodingsa " SA"
+] [
+.BR offload " { " off " | " phy " | " mac " }"
 ]
 .BI "ip macsec add " DEV " tx sa"
@@ -86,7 +88,7 @@ type.
 .SH EXAMPLES
 .PP
-.SS Create a MACsec device on link eth0
+.SS Create a MACsec device on link eth0 (offload is disabled by default)
 .nf
 # ip link add link eth0 macsec0 type macsec port 11 encrypt on
 .PP
@@ -109,6 +111,10 @@ type.
 .SS Configure offloading on an interface
 .nf
 # ip macsec offload macsec0 phy
+.PP
+.SS Configure offloading upon MACsec device creation
+.nf
+# ip link add link eth0 macsec0 type macsec port 11 encrypt on offload mac
 .SH NOTES
 This tool can be used to configure the 802.1AE keys of the interface. Note that 802.1AE uses GCM-AES
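Review bot: The `(int *)&offload` cast in the new `offload` branch lets one_of() store an int through a pointer to `enum macsec_offload`, which is only sound while the compiler makes that enum the size of int; C does not guarantee this, and a build with short enums could write past the variable on the stack. Declaring the local as `int offload;` (the declaration sits in the earlier macsec_parse_opt hunk) and passing `&offload` removes the cast without changing what reaches `addattr8()`. The attribute is also appended as soon as the keyword is parsed, so a repeated `offload` argument appears to emit IFLA_MACSEC_OFFLOAD twice, and the return value of `addattr8()` is not checked here. macsec_parse_opt starts and ends outside this hunk.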