MACsec Intel FPGA System Design User Guide

ID 767516
Date 6/26/2023

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

2.3. Data Path Between MACsec and MCDMA

The datapath at MCDMA interface is AVST with an additional channel ID signal which differentiates between the PF/VF groups. Your logic should have a mapping table and routing logic to MUX and DeMUX the packets. This can be done in either AVST or AXI-ST (post bridge logic) interfaces. The solution’s ecosystem supports an AXI-St MUX/DeMUX block which you can leverage. Map the AVST Channel ID as AXI-St TID if ID is supported.
Figure 13. MACSec(s) to MCDMA Path
Figure 14. Timing Diagram for Packet Boundary Alignment (Pkt FIFO in AVST)
The bridge logic shown in Figure 13 above between the MACsec and the MCDMA supports a few functions as mentioned below:
  • The MACsec AXI-St interface supports multi-packet mode where a packet can start at a next segment when the current packet ends. But the MCDMA’s AVST interface treats the entire bus as single segment.Therefore, there is conversion logic which converts multi-packet to single packet in AXI-St first. This conversion also eases the packet filtering logic at a fixed bit fields during the start of a packet.
  • This path includes CDC FIFOs (DC FIFO) in both the directions to accommodate the clock domain crossing between MACsec 400MHz and MCDMA 250/500 MHz. This interface is 512-bits wide.
  • The MACsec expects AXI-St valid not be de-asserted in between a packet’s SOP and EOP unless Ready is deasserted. Therefore, a complete packet must be available in the FIFO before asserting Valid on the MACsec AXI-St RX interface of an uncontrolled port using a packet FIFO.
  • Handling the packets from the MACsec TX uncontrolled port to MCDMA path as handshake is not supported. Therefore, you need to either drop the packet or maintain a bigger buffer. Consider a scenario where the packet is in flight and the buffer gets filled. To avoid such issues, write a packet into a buffer only when the empty space in buffer is higher than the MTU (Ethernet packet size). Assume MCDMA is already prepopulated with a descriptor for D2H Transfer.
  • It is understood that MACsec forwards all its received packets on decryption line to uncontrolled RX interface, without any type of filtering. The encrypted packets are also routed in this manner. Your logic should implement packet filtering based on the required Ether type. An example would be dropping every packet when Ether type is not 0x888E(EAPOL).

Certain applications might require Gen4x8 instead of the Gen4x16 PCIe configuration. For these cases there can be an adaptor block that converts 256-bit user interface to 512-bit user interface to retain the logic which targets the Gen4x16 PCIe MCDMA.