/* SPDX-License-Identifier: GPL-2.0-only */
/* Atlantic Network Driver
 * Copyright (C) 2020 Marvell International Ltd.
 */
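/* Include guard. The visible text of this header has no #include of its
 * own, so the u32 type used by every record below has to be provided by
 * whatever includes it.
 */
#ifndef _MACSEC_STRUCT_H_
#define _MACSEC_STRUCT_H_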
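/*! Represents the bitfields of a single row in the Egress CTL Filter
 *  table. Every field is carried in its own u32 (or u32 array),
 *  regardless of how many bits the comments below say it uses.
 */
struct aq_mss_egress_ctlf_record {
	/*! The 48 bit value compared against SA, DA or the half DA + half SA
	 *  value, held in two u32 words (the word order is not shown in this
	 *  header).
	 */
	u32 sa_da[2];
	/*! The 16 bit ethertype value used for comparison. */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every value
	 *  will match successfully. The total data is 64 bit, i.e. 16 nibble
	 *  masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. this entry is not used
	 *  1: compare DA only
	 *  2: compare SA only
	 *  3: compare half DA + half SA
	 *  4: compare ether type only
	 *  5: compare DA + ethertype
	 *  6: compare SA + ethertype
	 *  7: compare DA + range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 *  1: Forward to next module for more classifications.
	 *  NOTE(review): on egress the bypassed modules presumably include
	 *  the MACsec protection stage, so a matched frame would leave
	 *  unprotected; keep entries with action 0 narrowly matched (confirm
	 *  against the hardware documentation).
	 */
	u32 action;
};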
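/*! Represents the bitfields of a single row in the Egress Packet
 *  Classifier table. Each value field has a matching *_mask field that
 *  enables or disables its comparison; every field is carried in its
 *  own u32 (or u32 array).
 */
struct aq_mss_egress_class_record {
	/*! VLAN ID field. */
	u32 vlan_id;
	/*! VLAN UP field. */
	u32 vlan_up;
	/*! VLAN Present in the Packet. */
	u32 vlan_valid;
	/*! The 8 bit value used to compare with extracted value for byte 3. */
	u32 byte3;
	/*! The 8 bit value used to compare with extracted value for byte 2. */
	u32 byte2;
	/*! The 8 bit value used to compare with extracted value for byte 1. */
	u32 byte1;
	/*! The 8 bit value used to compare with extracted value for byte 0. */
	u32 byte0;
	/*! The 8 bit TCI field used to compare with extracted value. */
	u32 tci;
	/*! The 64 bit SCI field in the SecTAG. */
	u32 sci[2];
	/*! The 16 bit Ethertype (in the clear) field used to compare with
	 *  extracted value.
	 */
	u32 eth_type;
	/*! The 40 bit SNAP header, used if the SNAP header's mask is
	 *  enabled.
	 */
	u32 snap[2];
	/*! The 24 bit LLC header, used if the LLC header's mask is enabled. */
	u32 llc;
	/*! The 48 bit MAC_SA field used to compare with extracted value. */
	u32 mac_sa[2];
	/*! The 48 bit MAC_DA field used to compare with extracted value. */
	u32 mac_da[2];
	/*! The 32 bit Packet number used to compare with extracted value. */
	u32 pn;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 *  which can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA address, i.e. 0 points
	 *  to byte 0 of the DA address.
	 */
	u32 byte3_location;
	/*! 0: don't care
	 *  1: enable comparison of extracted byte pointed by byte 3 location.
	 */
	u32 byte3_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 *  which can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA address, i.e. 0 points
	 *  to byte 0 of the DA address.
	 */
	u32 byte2_location;
	/*! 0: don't care
	 *  1: enable comparison of extracted byte pointed by byte 2 location.
	 */
	u32 byte2_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 *  which can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA address, i.e. 0 points
	 *  to byte 0 of the DA address.
	 */
	u32 byte1_location;
	/*! 0: don't care
	 *  1: enable comparison of extracted byte pointed by byte 1 location.
	 */
	u32 byte1_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 *  which can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA address, i.e. 0 points
	 *  to byte 0 of the DA address.
	 */
	u32 byte0_location;
	/*! 0: don't care
	 *  1: enable comparison of extracted byte pointed by byte 0 location.
	 */
	u32 byte0_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of extracted VLAN ID field.
	 */
	u32 vlan_id_mask;
	/*! 0: don't care
	 *  1: enable comparison of extracted VLAN UP field.
	 */
	u32 vlan_up_mask;
	/*! 0: don't care
	 *  1: enable comparison of extracted VLAN Valid field.
	 */
	u32 vlan_valid_mask;
	/*! Bit mask enabling comparison of the 8 bit TCI field, including
	 *  the AN field.
	 *  For explicit SECTAG, AN is hardware controlled. When sending a
	 *  packet with explicit SECTAG, the rest of the TCI fields are taken
	 *  directly from the SECTAG.
	 */
	u32 tci_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of SCI
	 *  Note: If this field is not 0, this means the input packet's
	 *  SECTAG is explicitly tagged and MACSEC module will only update
	 *  the MSDU.
	 *  PN number is hardware controlled.
	 */
	u32 sci_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of Ethertype.
	 */
	u32 eth_type_mask;
	/*! Mask is per-byte.
	 *  0: don't care and no SNAP header exists.
	 *  1: compare the SNAP header.
	 *  If this bit is set to 1, the extracted field will assume the
	 *  SNAP header exists as encapsulated in 802.3 (RFC 1042), i.e. the
	 *  next 5 bytes after the LLC header are the SNAP header.
	 */
	u32 snap_mask;
	/*! 0: don't care and no LLC header exists.
	 *  1: compare the LLC header.
	 *  If this bit is set to 1, the extracted field will assume the
	 *  LLC header exists as encapsulated in 802.3 (RFC 1042), i.e. the
	 *  next three bytes after the 802.3 MAC header are the LLC header.
	 */
	u32 llc_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of MAC_SA.
	 */
	u32 sa_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of MAC_DA.
	 */
	u32 da_mask;
	/*! Mask is per-byte. */
	u32 pn_mask;
	/*! Reserved. This bit should be always 0. */
	u32 eight02dot2;
	/*! 1: For explicit sectag case use TCI_SC from table
	 *  0: use TCI_SC from explicit sectag.
	 */
	u32 tci_sc;
	/*! 1: For explicit sectag case, use TCI_V,ES,SCB,E,C from table
	 *  0: use TCI_V,ES,SCB,E,C from explicit sectag.
	 */
	u32 tci_87543;
	/*! 1: indicates that incoming packet has explicit sectag. */
	u32 exp_sectag_en;
	/*! If packet matches and is tagged as controlled-packet, this SC/SA
	 *  index is used for later SC and SA table lookup.
	 */
	u32 sc_idx;
	/*! Specifies how many SA entries are associated with 1 SC entry.
	 *  2'b00: 1 SC has 4 SA.
	 *  SC index is equivalent to {SC_Index[4:2], 1'b0}.
	 *  SA index is equivalent to {SC_Index[4:2], SC entry's current
	 *  AN[1:0]}
	 *  2'b10: 1 SC has 2 SA.
	 *  SC index is equivalent to SC_Index[4:1]
	 *  SA index is equivalent to {SC_Index[4:1], SC entry's current AN[0]}
	 *  2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
	 *  SA index is equivalent to SC_Index[4:0]
	 *  Note: if specified as 2'b11, hardware AN roll over is not
	 *  supported.
	 *  (The value 2'b01 is not described here.)
	 */
	u32 sc_sa;
	/*! 0: the packets will be sent to MAC FIFO
	 *  1: The packets will be sent to Debug/Loopback FIFO.
	 *  If the action field of this row is drop, this bit has no meaning.
	 */
	u32 debug;
	/*! 0: forward to remaining modules
	 *  1: bypass the next encryption modules. This packet is considered
	 *     un-control packet.
	 *  2: drop
	 *  3: Reserved.
	 *  A row with action 1 lets every frame it matches skip the
	 *  encryption modules, so how broadly such a row matches decides how
	 *  much traffic leaves without MACsec protection.
	 */
	u32 action;
	/*! 0: Not valid entry. This entry is not used
	 *  1: valid entry.
	 */
	u32 valid;
};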
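/*! Represents the bitfields of a single row in the Egress SC Lookup table.
 *  Some fields are written by SW, others are maintained by HW, as noted
 *  per field.
 */
struct aq_mss_egress_sc_record {
	/*! This is to specify when the SC was first used. Set by HW. */
	u32 start_time;
	/*! This is to specify when the SC was last used. Set by HW. */
	u32 stop_time;
	/*! This is to specify which of the SA entries are used by current HW.
	 *  Note: This value needs to be set by SW after reset. It will be
	 *  automatically updated by HW, if AN roll over is enabled.
	 */
	u32 curr_an;
	/*! 0: Clear the SA Valid Bit after PN expiry.
	 *  1: Do not Clear the SA Valid bit after PN expiry of the current SA.
	 *  When the Enable AN roll over is set, S/W does not need to
	 *  program the new SA's and the H/W will automatically roll over
	 *  between the SA's without session expiry.
	 *  For normal operation, Enable AN Roll over will be set to '0'
	 *  and in which case, the SW needs to program the new SA values
	 *  after the current PN expires.
	 *  NOTE(review): with roll over enabled the SA entries are reused
	 *  without SW programming new ones, per the text above. Confirm that
	 *  PN values cannot repeat under an unchanged SAK, since AES-GCM
	 *  needs a unique PN for every packet protected with one key.
	 */
	u32 an_roll;
	/*! This is the TCI field used if packet is not explicitly tagged. */
	u32 tci;
	/*! This value indicates the offset where the decryption will start.
	 *  Values of 0, 4, 8-50.
	 *  NOTE(review): this is the egress table, so "decryption"
	 *  presumably means encryption - confirm.
	 */
	u32 enc_off;
	/*! 0: Do not protect frames, all the packets will be forwarded
	 *     unchanged. MIB counter (OutPktsUntagged) will be updated.
	 *  1: Protect.
	 */
	u32 protect;
	/*! 0: when none of the SA related to SC has inUse set.
	 *  1: when either of the SA related to the SC has inUse set.
	 *  This bit is set by HW.
	 */
	u32 recv;
	/*! 0: H/W Clears this bit on the first use.
	 *  1: SW updates this entry, when programming the SC Table.
	 */
	u32 fresh;
	/*! AES Key size
	 *  00 - 128bits
	 *  01 - 192bits
	 *  10 - 256bits
	 *  11 - Reserved.
	 */
	u32 sak_len;
	/*! 0: Invalid SC
	 *  1: Valid SC.
	 */
	u32 valid;
};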
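/*! Represents the bitfields of a single row in the Egress SA Lookup table. */
struct aq_mss_egress_sa_record {
	/*! This is to specify when the SC was first used. Set by HW.
	 *  NOTE(review): the text says SC although this is the SA table;
	 *  presumably it means this SA - confirm.
	 */
	u32 start_time;
	/*! This is to specify when the SC was last used. Set by HW.
	 *  NOTE(review): presumably this SA, as for start_time - confirm.
	 */
	u32 stop_time;
	/*! This is set by SW and updated by HW to store the Next PN number
	 *  used for encryption.
	 */
	u32 next_pn;
	/*! The Next_PN number is going to wrap around from 0xFFFF_FFFF
	 *  to 0. Set by HW.
	 *  NOTE(review): presumably the signal that the PN space of this SA
	 *  is used up and the SA has to be replaced - confirm.
	 */
	u32 sat_pn;
	/*! 0: This SA is in use.
	 *  1: This SA is Fresh and set by SW.
	 */
	u32 fresh;
	/*! 0: Invalid SA
	 *  1: Valid SA.
	 */
	u32 valid;
};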
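/*! Represents the bitfields of a single row in the Egress SA Key
 *  Lookup table.
 */
struct aq_mss_egress_sakey_record {
	/*! Key for AES-GCM processing: 8 x 32 bit words, i.e. room for a
	 *  256 bit key (word and byte order are not shown in this header).
	 *  This is secret key material. Code that fills in a record of this
	 *  type should clear it (e.g. with memzero_explicit()) once the row
	 *  has been written, and should never log its contents.
	 */
	u32 key[8];
};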
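/*! Represents the bitfields of a single row in the Ingress Pre-MACSec
 *  CTL Filter table. Every field is carried in its own u32 (or u32
 *  array), regardless of how many bits the comments below say it uses.
 */
struct aq_mss_ingress_prectlf_record {
	/*! The 48 bit value compared against SA, DA or the half DA + half SA
	 *  value, held in two u32 words (the word order is not shown in this
	 *  header).
	 */
	u32 sa_da[2];
	/*! The 16 bit ethertype value used for comparison. */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every
	 *  value will match successfully. The total data is 64 bit, i.e.
	 *  16 nibble masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. this entry is not used
	 *  1: compare DA only
	 *  2: compare SA only
	 *  3: compare half DA + half SA
	 *  4: compare ether type only
	 *  5: compare DA + ethertype
	 *  6: compare SA + ethertype
	 *  7: compare DA + range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 *  1: Forward to next module for more classifications.
	 *  NOTE(review): on ingress the bypassed modules presumably include
	 *  decryption and validation, so a matched frame would be accepted
	 *  without MACsec checks; keep entries with action 0 narrowly
	 *  matched (confirm against the hardware documentation).
	 */
	u32 action;
};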
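/*! Represents the bitfields of a single row in the Ingress Pre-MACSec
 *  Packet Classifier table. Value fields are paired with *_mask fields
 *  that enable their comparison; every field is carried in its own u32
 *  (or u32 array).
 */
struct aq_mss_ingress_preclass_record {
	/*! The 64 bit SCI field used to compare with extracted value.
	 *  Should have SCI value in case TCI[SCI_SEND] == 0. This will be
	 *  used for ICV calculation.
	 */
	u32 sci[2];
	/*! The 8 bit TCI field used to compare with extracted value. */
	u32 tci;
	/*! 8 bit encryption offset. */
	u32 encr_offset;
	/*! The 16 bit Ethertype (in the clear) field used to compare with
	 *  extracted value.
	 */
	u32 eth_type;
	/*! The 40 bit SNAP header, used if the SNAP header's mask is
	 *  enabled.
	 */
	u32 snap[2];
	/*! The 24 bit LLC header, used if the LLC header's mask is enabled. */
	u32 llc;
	/*! The 48 bit MAC_SA field used to compare with extracted value. */
	u32 mac_sa[2];
	/*! The 48 bit MAC_DA field used to compare with extracted value. */
	u32 mac_da[2];
	/*! 0: this is to compare with non-LPBK packet
	 *  1: this is to compare with LPBK packet.
	 *  This value is used to compare with a controlled-tag which goes
	 *  with the packet when looped back from Egress port.
	 */
	u32 lpbk_packet;
	/*! The value of this bit mask affects how the SC index and SA
	 *  index are created.
	 *  2'b00: 1 SC has 4 SA.
	 *    SC index is equivalent to {SC_Index[4:2], 1'b0}.
	 *    SA index is equivalent to {SC_Index[4:2], SECTAG's AN[1:0]}
	 *    Here AN bits are not compared.
	 *  2'b10: 1 SC has 2 SA.
	 *    SC index is equivalent to SC_Index[4:1]
	 *    SA index is equivalent to {SC_Index[4:1], SECTAG's AN[0]}
	 *    Compare AN[1] field only
	 *  2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
	 *    SA index is equivalent to SC_Index[4:0]
	 *    AN[1:0] bits are compared.
	 *    NOTE: This design supports different usages of AN. The user
	 *    can either ping-pong between 2 SA by using only the AN[0] bit,
	 *    or use 4 SA per SC by using the AN[1:0] bits, or even treat
	 *    each SA as independent, i.e. AN[1:0] is just another matching
	 *    pointer to select the SA.
	 */
	u32 an_mask;
	/*! Bit mask enabling comparison of the upper 6 bits of the TCI
	 *  field, which does not include the AN field.
	 *  0: don't compare
	 *  1: enable comparison of the bits.
	 */
	u32 tci_mask;
	/*! 0: don't care
	 *  1: enable comparison of SCI.
	 */
	u32 sci_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of Ethertype.
	 */
	u32 eth_type_mask;
	/*! Mask is per-byte.
	 *  0: don't care and no SNAP header exists.
	 *  1: compare the SNAP header.
	 *  If this bit is set to 1, the extracted field will assume the
	 *  SNAP header exists as encapsulated in 802.3 (RFC 1042), i.e. the
	 *  next 5 bytes after the LLC header are the SNAP header.
	 */
	u32 snap_mask;
	/*! Mask is per-byte.
	 *  0: don't care and no LLC header exists.
	 *  1: compare the LLC header.
	 *  If this bit is set to 1, the extracted field will assume the
	 *  LLC header exists as encapsulated in 802.3 (RFC 1042), i.e. the
	 *  next three bytes after the 802.3 MAC header are the LLC header.
	 */
	u32 llc_mask;
	/*! Reserved. This bit should be always 0. */
	u32 _802_2_encapsulate;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of MAC_SA.
	 */
	u32 sa_mask;
	/*! Mask is per-byte.
	 *  0: don't care
	 *  1: enable comparison of MAC_DA.
	 */
	u32 da_mask;
	/*! 0: don't care
	 *  1: enable checking if this is loopback packet or not.
	 */
	u32 lpbk_mask;
	/*! If packet matches and is tagged as controlled-packet, this SC/SA
	 *  index is used for later SC and SA table lookup.
	 */
	u32 sc_idx;
	/*! 0: the packets will be sent to MAC FIFO
	 *  1: The packets will be sent to Debug/Loopback FIFO.
	 *  If the action field of this row is drop, this bit has no meaning.
	 */
	u32 proc_dest;
	/*! 0: Process: Forward to next two modules for 802.1AE decryption.
	 *  1: Process but keep SECTAG: Forward to next two modules for
	 *     802.1AE decryption but keep the MACSEC header with added error
	 *     code information. ICV will be stripped for all control packets.
	 *  2: Bypass: Bypass the next two decryption modules but processed
	 *     by post-classification.
	 *  3: Drop: drop this packet and update counts accordingly.
	 *  A row with action 2 lets every frame it matches skip the two
	 *  decryption modules, so how broadly such a row matches decides
	 *  how much traffic is accepted without 802.1AE processing.
	 */
	u32 action;
	/*! 0: This is a controlled-port packet if matched.
	 *  1: This is an uncontrolled-port packet if matched.
	 */
	u32 ctrl_unctrl;
	/*! Use the SCI value from the Table if 'SC' bit of the input
	 *  packet is not present.
	 */
	u32 sci_from_table;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Not valid entry. This entry is not used
	 *  1: valid entry.
	 */
	u32 valid;
};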
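/*! Represents the bitfields of a single row in the Ingress SC Lookup table.
 *  validate_frames, replay_protect and anti_replay_window together set
 *  how strictly received frames are checked for this SC.
 */
struct aq_mss_ingress_sc_record {
	/*! When the SC was last used. Set by HW.
	 *  NOTE(review): the original text said "first used" for both time
	 *  fields; "last used" is inferred from the field name and from the
	 *  Egress SC Lookup record - confirm.
	 */
	u32 stop_time;
	/*! This is to specify when the SC was first used. Set by HW. */
	u32 start_time;
	/*! 0: Strict
	 *  1: Check
	 *  2: Disabled.
	 *  Going by the ingress SA counter descriptions in this file,
	 *  packets that are not valid are discarded under Strict
	 *  (not_valid_pkts) and counted under Check (invalid_pkts), where
	 *  the text does not say they are dropped. Any value other than
	 *  Strict is therefore a deliberate relaxation of enforcement.
	 */
	u32 validate_frames;
	/*! 1: Replay control enabled.
	 *  0: replay control disabled.
	 */
	u32 replay_protect;
	/*! This is to specify the window range for anti-replay. Default is 0.
	 *  0: is strict order enforcement.
	 *  NOTE(review): a non-zero window presumably widens the range of
	 *  PNs below the expected one that are still accepted; keep it as
	 *  small as the link's reordering requires - confirm the exact
	 *  semantics against the hardware documentation.
	 */
	u32 anti_replay_window;
	/*! 0: when none of the SA related to SC has inUse set.
	 *  1: when either of the SA related to the SC has inUse set.
	 *  This bit is set by HW.
	 */
	u32 receiving;
	/*! 0: when hardware processed the SC for the first time, it clears
	 *     this bit
	 *  1: This bit is set by SW, when it sets up the SC.
	 */
	u32 fresh;
	/*! 0: The AN number will not automatically roll over if Next_PN is
	 *     saturated.
	 *  1: The AN number will automatically roll over if Next_PN is
	 *     saturated.
	 *  Rollover is valid only after expiry. Normal roll over between
	 *  SA's should be normal process.
	 */
	u32 an_rol;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Invalid SC
	 *  1: Valid SC.
	 */
	u32 valid;
};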
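/*! Represents the bitfields of a single row in the Ingress SA Lookup table. */
struct aq_mss_ingress_sa_record {
	/*! When the SA was last used. Set by HW.
	 *  NOTE(review): the original text said "when the SC was first
	 *  used" for both time fields; "SA" and "last used" are inferred
	 *  from the table and field names - confirm.
	 */
	u32 stop_time;
	/*! When the SA was first used. Set by HW.
	 *  NOTE(review): the original text said SC; presumably this SA.
	 */
	u32 start_time;
	/*! This is updated by HW to store the expected NextPN number for
	 *  anti-replay.
	 */
	u32 next_pn;
	/*! The Next_PN number is going to wrap around from 0xFFFF_FFFF
	 *  to 0. Set by HW.
	 */
	u32 sat_nextpn;
	/*! 0: This SA is not yet used.
	 *  1: This SA is inUse.
	 */
	u32 in_use;
	/*! 0: when hardware processed the SC for the first time, it clears
	 *     this timer
	 *  1: This bit is set by SW, when it sets up the SC.
	 *  NOTE(review): "timer" presumably means this bit, and "SC"
	 *  presumably means this SA - confirm.
	 */
	u32 fresh;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Invalid SA.
	 *  1: Valid SA.
	 */
	u32 valid;
};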
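/*! Represents the bitfields of a single row in the Ingress SA Key
 *  Lookup table.
 */
struct aq_mss_ingress_sakey_record {
	/*! Key for AES-GCM processing: 8 x 32 bit words, i.e. room for a
	 *  256 bit key (word and byte order are not shown in this header).
	 *  This is secret key material. Code that fills in a record of this
	 *  type should clear it (e.g. with memzero_explicit()) once the row
	 *  has been written, and should never log its contents.
	 */
	u32 key[8];
	/*! AES key size
	 *  00 - 128bits
	 *  01 - 192bits
	 *  10 - 256bits
	 *  11 - reserved.
	 */
	u32 key_len;
};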
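/*! Represents the bitfields of a single row in the Ingress Post-
 *  MACSec Packet Classifier table. Value fields are paired with *_mask
 *  fields; every field is carried in its own u32.
 */
struct aq_mss_ingress_postclass_record {
	/*! The 8 bit value used to compare with extracted value for byte 0. */
	u32 byte0;
	/*! The 8 bit value used to compare with extracted value for byte 1. */
	u32 byte1;
	/*! The 8 bit value used to compare with extracted value for byte 2. */
	u32 byte2;
	/*! The 8 bit value used to compare with extracted value for byte 3. */
	u32 byte3;
	/*! Ethertype in the packet. */
	u32 eth_type;
	/*! Ether Type value > 1500 (0x5dc). */
	u32 eth_type_valid;
	/*! VLAN ID after parsing. */
	u32 vlan_id;
	/*! VLAN priority after parsing. */
	u32 vlan_up;
	/*! Valid VLAN coding. */
	u32 vlan_valid;
	/*! SA index. */
	u32 sai;
	/*! SAI hit, i.e. controlled packet. */
	u32 sai_hit;
	/*! Mask for payload ethertype field. */
	u32 eth_type_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 *  which can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA address, i.e. 0 points
	 *  to byte 0 of the DA address.
	 */
	u32 byte3_location;
	/*! Mask for Byte Offset 3. */
	u32 byte3_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 *  which can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA address, i.e. 0 points
	 *  to byte 0 of the DA address.
	 */
	u32 byte2_location;
	/*! Mask for Byte Offset 2. */
	u32 byte2_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 *  which can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA address, i.e. 0 points
	 *  to byte 0 of the DA address.
	 */
	u32 byte1_location;
	/*! Mask for Byte Offset 1. */
	u32 byte1_mask;
	/*! 0~63: location of the byte extracted by the packet comparator,
	 *  which can be any of the first 64 bytes of the MAC packet.
	 *  The location is counted from the MAC DA address, i.e. 0 points
	 *  to byte 0 of the DA address.
	 */
	u32 byte0_location;
	/*! Mask for Byte Offset 0. */
	u32 byte0_mask;
	/*! Mask for Ethertype valid field. Indicates 802.3 vs. Other. */
	u32 eth_type_valid_mask;
	/*! Mask for VLAN ID field. */
	u32 vlan_id_mask;
	/*! Mask for VLAN UP field. */
	u32 vlan_up_mask;
	/*! Mask for VLAN valid field. */
	u32 vlan_valid_mask;
	/*! Mask for SAI. */
	u32 sai_mask;
	/*! Mask for SAI_HIT. */
	u32 sai_hit_mask;
	/*! Action if only first level matches and second level does not.
	 *  0: pass
	 *  1: drop (fail).
	 */
	u32 firstlevel_actions;
	/*! Action if both first and second level matched.
	 *  0: pass
	 *  1: drop (fail).
	 */
	u32 secondlevel_actions;
	/*! Reserved. */
	u32 reserved;
	/*! 0: Not valid entry. This entry is not used
	 *  1: valid entry.
	 */
	u32 valid;
};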
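/*! Represents the bitfields of a single row in the Ingress Post-
 *  MACSec CTL Filter table. Every field is carried in its own u32 (or
 *  u32 array), regardless of how many bits the comments below say it
 *  uses.
 */
struct aq_mss_ingress_postctlf_record {
	/*! The 48 bit value compared against SA, DA or the half DA + half SA
	 *  value, held in two u32 words (the word order is not shown in this
	 *  header).
	 */
	u32 sa_da[2];
	/*! The 16 bit ethertype value used for comparison. */
	u32 eth_type;
	/*! The match mask is per-nibble. 0 means don't care, i.e. every
	 *  value will match successfully. The total data is 64 bit, i.e.
	 *  16 nibble masks.
	 */
	u32 match_mask;
	/*! 0: No compare, i.e. this entry is not used
	 *  1: compare DA only
	 *  2: compare SA only
	 *  3: compare half DA + half SA
	 *  4: compare ether type only
	 *  5: compare DA + ethertype
	 *  6: compare SA + ethertype
	 *  7: compare DA + range.
	 */
	u32 match_type;
	/*! 0: Bypass the remaining modules if matched.
	 *  1: Forward to next module for more classifications.
	 */
	u32 action;
};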
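/*! Represents the Egress MIB counters for a single SC. Counters are
 *  64 bits, lower 32 bits in field[0] (so field[1] holds the upper 32
 *  bits).
 */
struct aq_mss_egress_sc_counters {
	/*! The number of integrity protected but not encrypted packets
	 *  for this transmitting SC.
	 */
	u32 sc_protected_pkts[2];
	/*! The number of integrity protected and encrypted packets for
	 *  this transmitting SC.
	 */
	u32 sc_encrypted_pkts[2];
	/*! The number of plain text octets that are integrity protected
	 *  but not encrypted on the transmitting SC.
	 */
	u32 sc_protected_octets[2];
	/*! The number of plain text octets that are integrity protected
	 *  and encrypted on the transmitting SC.
	 */
	u32 sc_encrypted_octets[2];
};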
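/*! Represents the Egress MIB counters for a single SA. Counters are
 *  64 bits, lower 32 bits in field[0] (so field[1] holds the upper 32
 *  bits).
 */
struct aq_mss_egress_sa_counters {
	/*! The number of dropped packets for this transmitting SA. */
	u32 sa_hit_drop_redirect[2];
	/*! TODO: the meaning of this counter is not documented here. */
	u32 sa_protected2_pkts[2];
	/*! The number of integrity protected but not encrypted packets
	 *  for this transmitting SA.
	 */
	u32 sa_protected_pkts[2];
	/*! The number of integrity protected and encrypted packets for
	 *  this transmitting SA.
	 */
	u32 sa_encrypted_pkts[2];
};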
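/*! Represents the common Egress MIB counters, i.e. the counters not
 *  associated with a particular SC/SA. Counters are 64 bits, lower 32
 *  bits in field[0].
 *  unknown_sa_pkts and untagged_pkts count frames that left without
 *  MACsec protection according to their descriptions below, which makes
 *  them worth exporting for monitoring.
 */
struct aq_mss_egress_common_counters {
	/*! The number of transmitted packets classified as MAC_CTL packets. */
	u32 ctl_pkt[2];
	/*! The number of transmitted packets that did not match any rows
	 *  in the Egress Packet Classifier table.
	 */
	u32 unknown_sa_pkts[2];
	/*! The number of transmitted packets where the SC table entry has
	 *  protect=0 (so packets are forwarded unchanged).
	 */
	u32 untagged_pkts[2];
	/*! The number of transmitted packets discarded because the packet
	 *  length is greater than the ifMtu of the Common Port interface.
	 */
	u32 too_long[2];
	/*! The number of transmitted packets for which table memory was
	 *  affected by an ECC error during processing.
	 */
	u32 ecc_error_pkts[2];
	/*! The number of transmitted packets where the matched row in
	 *  the Egress Packet Classifier table has action=drop.
	 */
	u32 unctrl_hit_drop_redir[2];
};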
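/*! Represents the Ingress MIB counters for a single SA. Counters are
 *  64 bits, lower 32 bits in field[0].
 *  not_valid_pkts, invalid_pkts, late_pkts and delayed_pkts count
 *  frames that failed a validity or replay check according to their
 *  descriptions below, which makes them the fields to watch when
 *  monitoring a link.
 */
struct aq_mss_ingress_sa_counters {
	/*! For this SA, the number of received packets without a SecTAG. */
	u32 untagged_hit_pkts[2];
	/*! For this SA, the number of received packets that were dropped. */
	u32 ctrl_hit_drop_redir_pkts[2];
	/*! For this SA which is not currently in use, the number of
	 *  received packets that have been discarded, and where either the
	 *  packets are encrypted or the matched row in the Ingress SC
	 *  Lookup table has validate_frames=Strict.
	 */
	u32 not_using_sa[2];
	/*! For this SA which is not currently in use, the number of
	 *  received, unencrypted packets where the matched row in the
	 *  Ingress SC Lookup table has validate_frames!=Strict.
	 */
	u32 unused_sa[2];
	/*! For this SA, the number of discarded packets with the condition
	 *  that the packets are not valid and one of the following
	 *  conditions is true: either the matched row in the Ingress SC
	 *  Lookup table has validate_frames=Strict or the packets are
	 *  encrypted.
	 */
	u32 not_valid_pkts[2];
	/*! For this SA, the number of packets with the condition that the
	 *  packets are not valid and the matched row in the Ingress SC
	 *  Lookup table has validate_frames=Check.
	 */
	u32 invalid_pkts[2];
	/*! For this SA, the number of validated packets. */
	u32 ok_pkts[2];
	/*! For this SC, the number of received packets that have been
	 *  discarded with the condition: the matched row in the Ingress
	 *  SC Lookup table has replay_protect=1 and the PN of the packet
	 *  is lower than the lower bound replay check PN.
	 */
	u32 late_pkts[2];
	/*! For this SA, the number of packets with the condition that the
	 *  PN of the packets is lower than the lower bound replay
	 *  protection PN.
	 */
	u32 delayed_pkts[2];
	/*! For this SC, the number of packets with the following condition:
	 *  - the matched row in the Ingress SC Lookup table has
	 *    replay_protect=0 or
	 *  - the matched row in the Ingress SC Lookup table has
	 *    replay_protect=1 and the packet is not encrypted and the
	 *    integrity check has failed or
	 *  - the matched row in the Ingress SC Lookup table has
	 *    replay_protect=1 and the packet is encrypted and integrity
	 *    check has failed.
	 */
	u32 unchecked_pkts[2];
	/*! The number of octets of plaintext recovered from received
	 *  packets that were integrity protected but not encrypted.
	 */
	u32 validated_octets[2];
	/*! The number of octets of plaintext recovered from received
	 *  packets that were integrity protected and encrypted.
	 */
	u32 decrypted_octets[2];
};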
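/*! Represents the common Ingress MIB counters, i.e. the counters not
 *  associated with a particular SA. Counters are 64 bits, lower 32
 *  bits in field[0].
 *  bad_tag_pkts, no_sci_pkts and notag_pkts count frames that were
 *  discarded by a MACsec check according to their descriptions below,
 *  which makes them worth exporting for monitoring.
 */
struct aq_mss_ingress_common_counters {
	/*! The number of received packets classified as MAC_CTL packets. */
	u32 ctl_pkts[2];
	/*! The number of received packets with the MAC security tag
	 *  (SecTAG), not matching any rows in the Ingress Pre-MACSec
	 *  Packet Classifier table.
	 */
	u32 tagged_miss_pkts[2];
	/*! The number of received packets without the MAC security tag
	 *  (SecTAG), not matching any rows in the Ingress Pre-MACSec
	 *  Packet Classifier table.
	 */
	u32 untagged_miss_pkts[2];
	/*! The number of received packets discarded without the MAC
	 *  security tag (SecTAG) and with the matched row in the Ingress
	 *  SC Lookup table having validate_frames=Strict.
	 */
	u32 notag_pkts[2];
	/*! The number of received packets without the MAC security tag
	 *  (SecTAG) and with the matched row in the Ingress SC Lookup
	 *  table having validate_frames!=Strict.
	 */
	u32 untagged_pkts[2];
	/*! The number of received packets discarded with an invalid
	 *  SecTAG or a zero value PN or an invalid ICV.
	 */
	u32 bad_tag_pkts[2];
	/*! The number of received packets discarded with unknown SCI
	 *  information with the condition:
	 *  the matched row in the Ingress SC Lookup table has
	 *  validate_frames=Strict or the C bit in the SecTAG is set.
	 */
	u32 no_sci_pkts[2];
	/*! The number of received packets with unknown SCI with the condition:
	 *  the matched row in the Ingress SC Lookup table has
	 *  validate_frames!=Strict and the C bit in the SecTAG is not set.
	 */
	u32 unknown_sci_pkts[2];
	/*! The number of received packets by the controlled port service
	 *  that passed the Ingress Post-MACSec Packet Classifier table
	 *  check.
	 */
	u32 ctrl_prt_pass_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 *  service that passed the Ingress Post-MACSec Packet Classifier
	 *  table check.
	 */
	u32 unctrl_prt_pass_pkts[2];
	/*! The number of received packets by the controlled port service
	 *  that failed the Ingress Post-MACSec Packet Classifier table
	 *  check.
	 */
	u32 ctrl_prt_fail_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 *  service that failed the Ingress Post-MACSec Packet Classifier
	 *  table check.
	 */
	u32 unctrl_prt_fail_pkts[2];
	/*! The number of received packets discarded because the packet
	 *  length is greater than the ifMtu of the Common Port interface.
	 */
	u32 too_long_pkts[2];
	/*! The number of received packets classified as MAC_CTL by the
	 *  Ingress Post-MACSec CTL Filter table.
	 */
	u32 igpoc_ctl_pkts[2];
	/*! The number of received packets for which table memory was
	 *  affected by an ECC error during processing.
	 */
	u32 ecc_error_pkts[2];
	/*! The number of received packets by the uncontrolled port
	 *  service that were dropped.
	 */
	u32 unctrl_hit_drop_redir[2];
};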
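#endif /* _MACSEC_STRUCT_H_ */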