MACsec Intel® FPGA IP User Guide

ID 736108
Date 4/03/2023
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

4.5. MACsec Software Initialization Sequence

To bring up a port as a MACsec control port, there is an initialization sequence that needs to be followed.

Follow the steps below to start the initialization sequence:

  1. Set “Control port enable” to False (the default value is False).
  2. Program the per-MACsec instance configuration:
    1. Set all the global stats counters to 0x0 (default is 0x0).
    2. Set the key length (False – 128 bits; True – 256 bits) for the MACsec instance associated with the port.
    3. Set the extended packet numbering mode for the MACsec instance associated with the port (False – regular packet numbering; True – extended packet numbering).
    4. Zeroing port SAs (GLOBAL_ZERO CSR).
    5. Optional: Set the confidentiality offset for the MACsec instance (default is 0x0).
  3. Program the Tx Configuration:
    1. Set the Tx basic configuration for the MACsec instance.
    2. Set the packet numbering limit value for the MACsec instance.
    3. Set the maximum packet bytes supported value for the MACsec instance.
    4. Set the SCI value for the port.
  4. Choose a security association and program the following configuration:
    1. Set the Key value for the SA.
    2. Set the next packet number value for the SA.
    3. Set the confidentiality offset value for the SA.
    4. Initialize all the stats configuration.
  5. Set the SA value to the chosen security association.
  6. Program the Rx Configuration:
    1. Set the Rx basic configuration for the MACsec instance.
    2. Set the replay window length if the replay protect is enabled for the MACsec instance.
    3. Set the default SCI per port.
  7. Program the security channel that is used on the lane by configuring:
    1. Set the SCI value for the security channel.
    2. Initialize all the stats configuration.
  8. Choose a security association and program the following configuration:
    1. Set the Key value for the SA belonging to the SC.
    2. Set the next packet number value for the SA belonging to the SC.
    3. Set the lowest PN value for SA belonging to the SC.
    4. Initialize all the stats configuration.
  9. Set the SA value to the chosen security association. If there are multiple security associations programmed on Rx, enable them.
  10. Once all of the above is programmed, enable the port as a control port.