@rajshekhar-nexthop rajshekhar-nexthop commented Oct 9, 2025

What I did
Introduce a platform capability flag in the gearbox config to determine, per PHY, whether MACsec is supported (applies to all ports mapped to that PHY). MACsec orchestration will:

  • Use PHY switch by default on gearbox ports
  • Use NPU/global switch only when the platform marks the PHY as not supporting MACsec

Have added three DVS testcases:

  • test_macsec_phy_switch_default: This tests the scenario when the macsec_supported field is absent in the gearbox_config.json
  • test_macsec_phy_switch_explicit: This tests the scenario when the macsec_supported field is set as true in the gearbox_config.json
  • test_macsec_npu_switch: This tests the scenario when the macsec_supported field is set as false in the gearbox_config.json

Why I did it
On gearbox ports, creating MACsec on the PHY switch fails (SAI_STATUS_NOT_IMPLEMENTED) if the gearbox PHY does not have the MACsec engine.

How I verified it
Manually verified on DUT by adding macsec_supported=false in gearbox_config.json and configuring the macsec on the PHY port. Also ran the dvs testcase and made sure it is passing: sudo pytest -v tests/test_macsec_gearbox.py

Details if related
HLD: sonic-net/SONiC#2072
gearbox_config.json changes are posted here: https://github.com/sonic-net/sonic-buildimage/pull/24169/files#diff-737ea59a7eba8ea0ed71a15a052868815f7faad351fd353736ad196932bed57a

Co-authored by @shreyansh-nexthop
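
The selection rule described in this PR, as an added sketch that is not code from the PR or from SONiC: it reads a gearbox_config.json and reports which switch would carry MACsec for each port. The "phys"/"interfaces" layout, the sample values, the function names and the strict rejection of non-boolean values are assumptions; only the macsec_supported field and its absent/true/false behaviour come from the description above.

```python
import json

# Constructed sample input; layout and values are assumptions for illustration.
SAMPLE_GEARBOX_CONFIG = """
{
  "phys": [
    {"phy_id": 1, "name": "phy-default"},
    {"phy_id": 2, "name": "phy-explicit", "macsec_supported": true},
    {"phy_id": 3, "name": "phy-no-engine", "macsec_supported": false}
  ],
  "interfaces": [
    {"name": "Ethernet0", "phy_id": 1},
    {"name": "Ethernet4", "phy_id": 2},
    {"name": "Ethernet8", "phy_id": 3}
  ]
}
"""

PHY_SWITCH = "PHY"
NPU_SWITCH = "NPU"


def phy_supports_macsec(phy):
    """Absent field means supported; anything but a JSON boolean is rejected."""
    value = phy.get("macsec_supported", True)
    if not isinstance(value, bool):
        # A string such as "false" is truthy in Python; refuse it rather than
        # silently treating the PHY as MACsec-capable.
        raise ValueError(f"phy {phy.get('phy_id')}: bad macsec_supported {value!r}")
    return value


def macsec_switch_by_port(config_text):
    """Map each gearbox port to the switch that would hold its MACsec objects."""
    config = json.loads(config_text)
    supported = {p["phy_id"]: phy_supports_macsec(p) for p in config["phys"]}
    result = {}
    for intf in config["interfaces"]:
        phy_id = intf["phy_id"]
        if phy_id not in supported:
            raise ValueError(f"{intf['name']}: unknown phy_id {phy_id}")
        # The flag is per PHY, so every port mapped to that PHY gets the same answer.
        result[intf["name"]] = PHY_SWITCH if supported[phy_id] else NPU_SWITCH
    return result


if __name__ == "__main__":
    for port, switch in macsec_switch_by_port(SAMPLE_GEARBOX_CONFIG).items():
        print(port, "->", switch)
```

The three sample PHYs correspond to the three DVS test scenarios: field absent, field true, field false.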

@mssonicbld
Collaborator

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@mssonicbld
Collaborator

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@mssonicbld
Collaborator

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

…csec_supported fix

Why I did it
On gearbox ports, creating MACsec on the PHY switch fails with SAI_STATUS_NOT_IMPLEMENTED if the gearbox PHY lacks a MACsec engine. A fix for this issue has already been committed. This PR aims to create the corresponding test case to validate that fix.

How I did it
Have added three testcases:

- test_macsec_phy_switch_default: This tests the scenario when the macsec_supported field is absent in the gearbox_config.json
- test_macsec_phy_switch_explicit: This tests the scenario when the macsec_supported field is set as true in the gearbox_config.json
- test_macsec_npu_switch: This tests the scenario when the macsec_supported field is set as false in the gearbox_config.json

Some helper functions:

- verify_macsec_in_asic_db: This verifies if the ASIC_DB has the required entries created or not.
- verify_macsec_in_gb_asic_db: This verifies if the GB_ASIC_DB has the required entries created or not.
- setup_gearbox_table: The job of this function is to change the value of the macsec_supported field. It modifies the value as per the requirement of the testcase. It writes the file gearbox_config.json
- enable_macsec_on_port: Helper function to enable macsec.
- cleanup_macsec: Helper function to delete macsec configuration.

@rajshekhar-nexthop rajshekhar-nexthop force-pushed the rajshekhar.macsec_gearbox branch from ca0690b to aeca8bc Compare November 3, 2025 17:27

@mssonicbld
Collaborator

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).
