MACsec Full Offload
The MACsec Full Offload feature, also known as MACsec inline full offload, lets the user offload MACsec encryption and decryption, MACsec header encapsulation and decapsulation, and anti-replay protection to the hardware.
The hardware implementation supports the GCM-AES and GCM-AES-XPN cipher suites and is available on ConnectX-7 and later adapters.
MACsec full offload, introduced in MOFED v5.9, requires kernel version 6.1 or later.
To enable the feature, support in both kernel and adapter firmware is required.
For kernel support, make sure the following kernel configuration options are set:
CONFIG_MACSEC=y
CONFIG_MLX5_EN_MACSEC=y
For firmware support, use the following firmware version or later:
xx.34.0364 and up
iproute2 Configuration
Configuring Physical Interface
Client side:
ip address flush <physical_device>
ip address add <client_physical_device_ip> dev <physical_device>
ip link set dev <physical_device> up
Server side:
ip address flush <physical_device>
ip address add <server_physical_device_ip> dev <physical_device>
ip link set dev <physical_device> up
Add MACsec Device
Client side:
ip link add link <physical_device> <macsec_device> type macsec sci <client_sci> encrypt on
Server side:
ip link add link <physical_device> <macsec_device> type macsec sci <server_sci> encrypt on
Offload MACsec Device
Client side:
ip macsec offload <macsec_device> mac
Server side:
ip macsec offload <macsec_device> mac
Add MACsec Rules:
Client side:
ip macsec add <macsec_device> tx sa <sa_num> pn <initial_packet_number> on key <client_key_id> <client_key>
ip macsec add <macsec_device> rx sci <server_sci> on
ip macsec add <macsec_device> rx sci <server_sci> sa <sa_num> pn <initial_packet_number> on key <server_key_id> <server_key>
Server side:
ip macsec add <macsec_device> tx sa <sa_num> pn <initial_packet_number> on key <server_key_id> <server_key>
ip macsec add <macsec_device> rx sci <client_sci> on
ip macsec add <macsec_device> rx sci <client_sci> sa <sa_num> pn <initial_packet_number> on key <client_key_id> <client_key>
Configure MACsec Device IPs:
Client side:
ip address flush <macsec_device>
ip address add <client_macsec_device_ip> dev <macsec_device>
ip link set dev <macsec_device> up
Server side:
ip address flush <macsec_device>
ip address add <server_macsec_device_ip> dev <macsec_device>
ip link set dev <macsec_device> up
Configuration Example
Client side:
ip address flush enp8s0f0
ip address add 1.1.1.1/24 dev enp8s0f0
ip link set dev enp8s0f0 up
ip link add link enp8s0f0 macsec0 type macsec sci 1 encrypt on
ip macsec offload macsec0 mac
ip macsec add macsec0 tx sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16
ip macsec add macsec0 rx sci 2 on
ip macsec add macsec0 rx sci 2 sa 0 pn 1 on key 00 ead3664f508eb06c40ac7104cdae4ce5
ip address flush macsec0
ip address add 2.2.2.1/24 dev macsec0
ip link set dev macsec0 up
Server side:
ip link del macsec0
ip address flush enp8s0f0
ip address add 1.1.1.2/24 dev enp8s0f0
ip link set dev enp8s0f0 up
ip link add link enp8s0f0 macsec0 type macsec sci 2 encrypt on
ip macsec offload macsec0 mac
ip macsec add macsec0 tx sa 0 pn 1 on key 00 ead3664f508eb06c40ac7104cdae4ce5
ip macsec add macsec0 rx sci 1 on
ip macsec add macsec0 rx sci 1 sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16
ip address flush macsec0
ip address add 2.2.2.2/24 dev macsec0
ip link set dev macsec0 up
Use the "ip macsec show" command to check the configuration.
To make sure traffic is actually offloaded, check the adapter's MACsec counters: "ethtool -S <physical_device> | grep macsec"
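The counter check above, as an added example that is not part of the MOFED documentation: a small bash script that validates a GCM-AES key before it is handed to ip macsec, and compares two "ethtool -S" snapshots to confirm the adapter, not the kernel, is doing the MACsec work. The macsec_*_pkts counter names and the snapshot contents are assumptions constructed for this example; match them to what your ethtool output actually prints.

```bash
#!/bin/bash
# Added example (not from the MOFED docs). Counter names are assumed to match
# what "ethtool -S <physical_device> | grep macsec" prints for mlx5.
set -eu

# A GCM-AES key is 16 bytes (32 hex chars) for the default gcm-aes-128 cipher,
# 32 bytes (64 hex chars) for gcm-aes-256. Returns 0 if the key is well-formed.
validate_macsec_key() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ] || [ "${#1}" -eq 64 ]
}

# Extract one counter value from "ethtool -S" style output ("name: value" lines).
macsec_counter() {   # $1 = ethtool output, $2 = counter name
    printf '%s\n' "$1" | awk -v n="$2" '$1 == (n ":") { print $2; exit }'
}

# Offload is really in use only if the NIC's own MACsec counters move while
# traffic flows over the macsec device. Returns 0 when both tx and rx packet
# counters increased between two snapshots, 1 otherwise.
macsec_offload_active() {   # $1 = snapshot before traffic, $2 = snapshot after
    local dir c before after
    for dir in tx rx; do
        c="macsec_${dir}_pkts"
        before=$(macsec_counter "$1" "$c")
        after=$(macsec_counter "$2" "$c")
        [ -n "$before" ] && [ -n "$after" ] || return 1
        [ "$after" -gt "$before" ] || return 1
    done
    return 0
}

# Constructed snapshots standing in for two runs of
# "ethtool -S enp8s0f0 | grep macsec" around a ping across the macsec link.
BEFORE='     macsec_rx_pkts: 0
     macsec_rx_bytes: 0
     macsec_tx_pkts: 0
     macsec_tx_bytes: 0'
AFTER='     macsec_rx_pkts: 4
     macsec_rx_bytes: 424
     macsec_tx_pkts: 4
     macsec_tx_bytes: 424'

if macsec_offload_active "$BEFORE" "$AFTER"; then
    echo "MACsec traffic is being offloaded to the adapter"
else
    echo "no change in adapter MACsec counters: offload not in effect" >&2
fi
```

On a live system, capture the two snapshots with "ethtool -S enp8s0f0 | grep macsec" before and after sending traffic over macsec0, and pass them to macsec_offload_active.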
Additional Resources
Linux Manual page: linux_manual