MACsec Full Offload
The MACsec full offload feature, also known as MACsec inline full offload, lets the user offload MACsec encryption and decryption, MACsec header encapsulation and decapsulation, and anti-replay checking to the adapter hardware.
The hardware implementation supports the GCM-AES and GCM-AES-XPN cipher suites and is available on ConnectX-7 and later adapters.
MACsec full offload was introduced in MOFED v5.9 and requires kernel version 6.1 or later.
To enable the feature, support in both the kernel and the adapter firmware is required.
For support in the kernel, make sure the following kernel configuration options are set:
- CONFIG_MACSEC=y 
- CONFIG_MLX5_EN_MACSEC=y 
For support in the firmware, use the following version or later:
- xx.34.0364 and up 
IProute2 Configuration
Configuring Physical Interface
Client side:
- ip address flush <physical_device> 
- ip address add <client_physical_device_ip> dev <physical_device> 
- ip link set dev <physical_device> up 
Server side:
- ip address flush <physical_device> 
- ip address add <server_physical_device_ip> dev <physical_device> 
- ip link set dev <physical_device> up 
Add MACsec Device
Client side:
- ip link add link <physical_device> <macsec_device> type macsec sci <client_sci> encrypt on 
Server side:
- ip link add link <physical_device> <macsec_device> type macsec sci <server_sci> encrypt on 
Offload MACsec Device
Client side:
- ip macsec offload <macsec_device> mac 
Server side:
- ip macsec offload <macsec_device> mac 
Add MACsec rules (each side's RX SCI and RX key must match the peer's TX SCI and TX key):
Client side:
- ip macsec add <macsec_device> tx sa <sa_num> pn <initial_packet_number> on key <client_key_id> <client_key> 
- ip macsec add <macsec_device> rx sci <server_sci> on 
- ip macsec add <macsec_device> rx sci <server_sci> sa <sa_num> pn <initial_packet_number> on key <server_key_id> <server_key> 
Server side:
- ip macsec add <macsec_device> tx sa <sa_num> pn <initial_packet_number> on key <server_key_id> <server_key> 
- ip macsec add <macsec_device> rx sci <client_sci> on 
- ip macsec add <macsec_device> rx sci <client_sci> sa <sa_num> pn <initial_packet_number> on key <client_key_id> <client_key> 
Configure MACsec Device IPs:
Client side:
- ip address flush <macsec_device> 
- ip address add <client_macsec_device_ip> dev <macsec_device> 
- ip link set dev <macsec_device> up 
Server side:
- ip address flush <macsec_device> 
- ip address add <server_macsec_device_ip> dev <macsec_device> 
- ip link set dev <macsec_device> up 
Configuration Example
Client side:
- ip address flush enp8s0f0 
- ip address add 1.1.1.1/24 dev enp8s0f0 
- ip link set dev enp8s0f0 up 
- ip link add link enp8s0f0 macsec0 type macsec sci 1 encrypt on 
- ip macsec offload macsec0 mac 
- ip macsec add macsec0 tx sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16 
- ip macsec add macsec0 rx sci 2 on 
- ip macsec add macsec0 rx sci 2 sa 0 pn 1 on key 00 ead3664f508eb06c40ac7104cdae4ce5 
- ip address flush macsec0 
- ip address add 2.2.2.1/24 dev macsec0 
- ip link set dev macsec0 up 
Server side:
- ip link del macsec0 
- ip address flush enp8s0f0 
- ip address add 1.1.1.2/24 dev enp8s0f0 
- ip link set dev enp8s0f0 up 
- ip link add link enp8s0f0 macsec0 type macsec sci 2 encrypt on 
- ip macsec offload macsec0 mac 
- ip macsec add macsec0 tx sa 0 pn 1 on key 00 ead3664f508eb06c40ac7104cdae4ce5 
- ip macsec add macsec0 rx sci 1 on 
- ip macsec add macsec0 rx sci 1 sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16 
- ip address flush macsec0 
- ip address add 2.2.2.2/24 dev macsec0 
- ip link set dev macsec0 up 
- Use the "ip macsec show" command to check the configuration on each side.
- To make sure traffic is offloaded, check the MACsec counters of the physical device: "ethtool -S <physical_device> | grep macsec". They increase as traffic crosses the MACsec interface; if they stay at zero while traffic flows, MACsec is being processed in software rather than by the adapter.
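The following bash script is an added example and is not part of the MLNX_OFED documentation or the mlx5 driver. It ties the prerequisites (kernel options, firmware version) to the client/server procedure above: it checks a firmware version string against the xx.34.0364 minimum, checks the two kernel options in a config file, validates the hex keys before they reach ip macsec, prints the per-side command sequence as a dry run so both sides can be compared for matching SCIs and keys, and counts non-zero MACsec counters in ethtool -S output. The firmware string layout ("28.34.0364", as printed on the firmware-version line of ethtool -i, optionally followed by a PSID), all function names, and the counter names in the constructed sample are assumptions; the driver's real counter names may differ.

```bash
#!/usr/bin/env bash
# Added example, not from the MLNX_OFED page: preflight checks and a dry-run
# command generator for MACsec full offload. Function names are our own.
set -eu

# Firmware check. $1 is the "firmware-version:" value from `ethtool -i <dev>`,
# assumed to look like "28.34.0364" (possibly followed by a PSID). The first
# field is the device family and is ignored; the page requires xx.34.0364 or
# later. Returns 0 if the version is new enough.
fw_supports_macsec_offload() {
    printf '%s\n' "$1" |
        awk -F'[. ]' '{ exit !($2+0 > 34 || ($2+0 == 34 && $3+0 >= 364)) }'
}

# Kernel check: $1 is a kernel config file (e.g. /boot/config-$(uname -r)).
# Both options must be built in (=y), as the page states.
kernel_config_ok() {
    grep -qx 'CONFIG_MACSEC=y' "$1" && grep -qx 'CONFIG_MLX5_EN_MACSEC=y' "$1"
}

# Key sanity check: GCM-AES-128 keys are 16 bytes (32 hex chars),
# GCM-AES-256 keys are 32 bytes (64 hex chars). Anything else is rejected
# before it reaches `ip macsec add`, which would otherwise fail late.
valid_macsec_key() {
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#1}" -eq 32 ] || [ "${#1}" -eq 64 ]
}

# Print (do not run) the command sequence for one side of the link.
# Args: physical dev, macsec dev, physical IP/prefix, macsec IP/prefix,
#       local SCI, peer SCI, local TX key, peer TX key (our RX key).
# Generate the peer with SCIs and keys swapped; pipe into `sh` on the
# target host once both outputs have been reviewed side by side.
macsec_commands() {
    local phy=$1 dev=$2 phy_ip=$3 sec_ip=$4 sci=$5 peer_sci=$6 key=$7 peer_key=$8
    if ! valid_macsec_key "$key" || ! valid_macsec_key "$peer_key"; then
        echo "error: keys must be 32 or 64 hex characters" >&2
        return 1
    fi
    if [ "$sci" = "$peer_sci" ]; then
        echo "error: local and peer SCI must differ" >&2
        return 1
    fi
    cat <<EOF
ip address flush $phy
ip address add $phy_ip dev $phy
ip link set dev $phy up
ip link add link $phy $dev type macsec sci $sci encrypt on
ip macsec offload $dev mac
ip macsec add $dev tx sa 0 pn 1 on key 00 $key
ip macsec add $dev rx sci $peer_sci on
ip macsec add $dev rx sci $peer_sci sa 0 pn 1 on key 00 $peer_key
ip address flush $dev
ip address add $sec_ip dev $dev
ip link set dev $dev up
EOF
}

# Offload verification: feed `ethtool -S <physical_device>` output on stdin.
# Prints how many MACsec counters are non-zero. Zero after traffic has
# crossed the macsec interface means the crypto is running in software.
macsec_active_counters() {
    awk '/macsec/ && $NF + 0 > 0 { n++ } END { print n + 0 }'
}

# Dry run with the page's example values (client side).
CLIENT_KEY=dffafc8d7b9a43d5b9a3dfbbf6a30c16
SERVER_KEY=ead3664f508eb06c40ac7104cdae4ce5
macsec_commands enp8s0f0 macsec0 1.1.1.1/24 2.2.2.1/24 1 2 "$CLIENT_KEY" "$SERVER_KEY"

# Constructed sample of `ethtool -S` output; counter names are illustrative,
# not the driver's exact names.
SAMPLE_STATS='     rx_packets: 4821
     macsec_tx_pkts: 1500
     macsec_tx_encrypted_pkts: 1500
     macsec_rx_pkts: 0'
printf '%s\n' "$SAMPLE_STATS" | macsec_active_counters
```

On a real host, run the generated commands only after confirming that the client's "rx sci" equals the server's "sci" and vice versa, and that the rx key on each side is the tx key of the other; a mismatch produces a link that comes up but silently drops every frame. Use the same script for the server by swapping the SCI and key arguments.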
Additional Resources
Linux manual page for ip-macsec(8): linux_manual