[swss] Support FIPS MACSec POST #3836
Merged
prsunny merged 34 commits into sonic-net:master from Nov 11, 2025
Conversation
Collaborator
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
wumiaont
reviewed
Aug 28, 2025
wumiaont
reviewed
Sep 4, 2025
Contributor
|
/AzurePipelines run Azure.sonic-swss |
|
Azure Pipelines successfully started running 1 pipeline(s). |
judyjoseph
approved these changes
Nov 9, 2025
Contributor
judyjoseph
left a comment
LGTM - thanks @ysmanman
Contributor
|
@prsunny can you review again and merge if ok |
prsunny
approved these changes
Nov 11, 2025
Collaborator
prsunny
left a comment
lgtm, @judyjoseph please signoff
Collaborator
|
@ysmanman, thanks for addressing the comments |
balanokia
pushed a commit
to balanokia/sonic-swss
that referenced
this pull request
Nov 17, 2025
Add SAI MACSec POST support in SWSS

When FIPS is enabled in SONiC, enable MACSec POST in switch creation. If MACSec POST is only supported in MACSec init, create MACSec objects and enable POST when initializing MACSecOrch. Set SAI POST status in StateDB accordingly based on SAI POST status notification. MACSecMgr does not process any MACSec configuration if SAI POST fails.

With the PR, the only case that Orchagent declares SAI MACSec POST to fail is:
- FIPS is enabled in SONiC; AND
- SAI supports MACSec POST; AND
- SAI returns failure on MACSec POST.

We particularly verified the following on switch with current BRCM SAI (13.2.1.0) that does not support MACSec POST yet:
- MACSec ports came up fine when FIPS is not enabled in SONiC;
- MACSec ports came up fine when FIPS is enabled in SONiC and SAI does not support MACSec POST.
YairRaviv
pushed a commit
to YairRaviv/sonic-swss
that referenced
this pull request
Nov 22, 2025
mssonicbld
added a commit
to mssonicbld/sonic-buildimage
that referenced
this pull request
Dec 3, 2025
Passing -M option to orchagent to enable SAI MACSec POST when:
- FIPS is enabled in SONiC; AND
- MACSec is enabled on platform.
#### Why I did it
sonic-net/sonic-swss#3836 adds `-M` option to orchagent to enable SAI MACSec POST. This PR passes the option to orchagent when:
- FIPS is enabled in SONiC; AND
- MACSec is enabled on platform.
mssonicbld
added a commit
to sonic-net/sonic-buildimage
that referenced
this pull request
Dec 10, 2025
Pterosaur
pushed a commit
to Janetxxx/sonic-swss
that referenced
this pull request
Jan 6, 2026
yehjunying
pushed a commit
to yehjunying/sonic-swss
that referenced
this pull request
Jan 16, 2026
theasianpianist
pushed a commit
to theasianpianist/sonic-swss
that referenced
this pull request
Feb 4, 2026
baorliu
pushed a commit
to baorliu/sonic-swss
that referenced
this pull request
Feb 23, 2026