From e15a1aa8f823864adca2980c1bed5010b67c8819 Mon Sep 17 00:00:00 2001
From: Saikrishna Arcot <sarcot@microsoft.com>
Date: Mon, 22 Apr 2024 11:39:39 -0500
Subject: [PATCH] Upgrade VS syncd to Bookworm (#18347)

* Upgrade VS syncd to Bookworm

As part of this, iproute2 is no longer compiled here, since the
macsec patch is now in version 6.1. In addition, for docker-sonic-vs,
version 6.1 of iproute2 is pulled from the bullseye-backports repo.

* Update sonic-sairedis submodule

This submodule update needs to go as part of this change because it
would break compatibility with Bullseye for MACsec, but adds
compatibility for Bookworm, which is what is needed here.

This brings in the following commits:

```
73ada8d5 Fix SSCI parameter when creating MACsec tunnels on Bookworm (sonic-net/sonic-sairedis#1372)
c41a0cb9 SAI submodule update to bring saithrift changes for syncd bookworm (sonic-net/sonic-sairedis#1370)
be47489f Add Bookworm build to PR checks (sonic-net/sonic-sairedis#1371)
d9ba01b5 Update ip commands for MACsec for Bookworm (sonic-net/sonic-sairedis#1368)
```

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
---
 platform/template/docker-gbsyncd-bookworm.mk  |  30 +++
 platform/template/docker-syncd-bookworm.mk    |  33 +++
 platform/vs/docker-gbsyncd-vs.mk              |   2 +-
 platform/vs/docker-gbsyncd-vs/Dockerfile.j2   |   2 +-
 platform/vs/docker-sonic-vs.mk                |   3 +-
 platform/vs/docker-sonic-vs/Dockerfile.j2     |  33 ++-
 platform/vs/docker-syncd-vs.mk                |   5 +-
 platform/vs/docker-syncd-vs/Dockerfile.j2     |  20 +-
 rules/iproute2.dep                            |  10 -
 rules/iproute2.mk                             |  13 -
 src/iproute2/.gitignore                       |   4 -
 src/iproute2/Makefile                         |  28 --
 .../patch/0001-patch-macsec-xpn-support.patch | 242 ------------------
 .../patch/cross-compile-changes.patch         |  12 -
 src/sonic-sairedis                            |   2 +-
 15 files changed, 94 insertions(+), 345 deletions(-)
 create mode 100644 platform/template/docker-gbsyncd-bookworm.mk
 create mode 100644 platform/template/docker-syncd-bookworm.mk
 delete mode 100644 rules/iproute2.dep
 delete mode 100644 rules/iproute2.mk
 delete mode 100644 src/iproute2/.gitignore
 delete mode 100644 src/iproute2/Makefile
 delete mode 100644 src/iproute2/patch/0001-patch-macsec-xpn-support.patch
 delete mode 100644 src/iproute2/patch/cross-compile-changes.patch

diff --git a/platform/template/docker-gbsyncd-bookworm.mk b/platform/template/docker-gbsyncd-bookworm.mk
new file mode 100644
index 000000000000..4516f6739087
--- /dev/null
+++ b/platform/template/docker-gbsyncd-bookworm.mk
@@ -0,0 +1,30 @@
+# docker image for gbsyncd
+
+
+DOCKER_GBSYNCD_BASE_STEM = docker-gbsyncd-$(DOCKER_GBSYNCD_PLATFORM_CODE)
+DOCKER_GBSYNCD_BASE = $(DOCKER_GBSYNCD_BASE_STEM).gz
+DOCKER_GBSYNCD_BASE_DBG = $(DOCKER_GBSYNCD_BASE_STEM)-$(DBG_IMAGE_MARK).gz
+
+$(DOCKER_GBSYNCD_BASE)_PATH = $(PLATFORM_PATH)/docker-gbsyncd-$(DOCKER_GBSYNCD_PLATFORM_CODE)
+
+$(DOCKER_GBSYNCD_BASE)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
+
+$(DOCKER_GBSYNCD_BASE)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BOOKWORM)
+
+$(DOCKER_GBSYNCD_BASE)_DBG_DEPENDS += $($(DOCKER_CONFIG_ENGINE_BOOKWORM)_DBG_DEPENDS)
+
+$(DOCKER_GBSYNCD_BASE)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BOOKWORM)_DBG_IMAGE_PACKAGES)
+
+SONIC_DOCKER_IMAGES += $(DOCKER_GBSYNCD_BASE)
+SONIC_BOOKWORM_DOCKERS += $(DOCKER_GBSYNCD_BASE)
+SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_GBSYNCD_BASE)
+
+SONIC_DOCKER_DBG_IMAGES += $(DOCKER_GBSYNCD_BASE_DBG)
+SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_GBSYNCD_BASE_DBG)
+SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_GBSYNCD_BASE_DBG)
+
+$(DOCKER_GBSYNCD_BASE)_CONTAINER_NAME = gbsyncd
+$(DOCKER_GBSYNCD_BASE)_RUN_OPT += --privileged -t
+$(DOCKER_GBSYNCD_BASE)_RUN_OPT += -v /host/machine.conf:/etc/machine.conf
+$(DOCKER_GBSYNCD_BASE)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
+$(DOCKER_GBSYNCD_BASE)_RUN_OPT += -v /host/warmboot:/var/warmboot
diff --git a/platform/template/docker-syncd-bookworm.mk b/platform/template/docker-syncd-bookworm.mk
new file mode 100644
index 000000000000..2a9e8284557b
--- /dev/null
+++ b/platform/template/docker-syncd-bookworm.mk
@@ -0,0 +1,33 @@
+# docker image for syncd
+
+
+DOCKER_SYNCD_BASE_STEM = docker-syncd-$(DOCKER_SYNCD_PLATFORM_CODE)
+DOCKER_SYNCD_BASE = $(DOCKER_SYNCD_BASE_STEM).gz
+DOCKER_SYNCD_BASE_DBG = $(DOCKER_SYNCD_BASE_STEM)-$(DBG_IMAGE_MARK).gz
+
+$(DOCKER_SYNCD_BASE)_PATH = $(PLATFORM_PATH)/docker-syncd-$(DOCKER_SYNCD_PLATFORM_CODE)
+
+$(DOCKER_SYNCD_BASE)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
+
+$(DOCKER_SYNCD_BASE)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BOOKWORM)
+$(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $($(DOCKER_CONFIG_ENGINE_BOOKWORM)_DBG_DEPENDS)
+$(DOCKER_SYNCD_BASE)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BOOKWORM)_DBG_IMAGE_PACKAGES)
+
+SONIC_DOCKER_IMAGES += $(DOCKER_SYNCD_BASE)
+ifneq ($(ENABLE_SYNCD_RPC),y)
+SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_SYNCD_BASE)
+endif
+
+SONIC_DOCKER_DBG_IMAGES += $(DOCKER_SYNCD_BASE_DBG)
+ifneq ($(ENABLE_SYNCD_RPC),y)
+SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_SYNCD_BASE_DBG)
+endif
+
+$(DOCKER_SYNCD_BASE)_CONTAINER_NAME = syncd
+$(DOCKER_SYNCD_BASE)_RUN_OPT += --privileged -t
+$(DOCKER_SYNCD_BASE)_RUN_OPT += -v /host/machine.conf:/etc/machine.conf
+$(DOCKER_SYNCD_BASE)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
+
+SONIC_BOOKWORM_DOCKERS += $(DOCKER_SYNCD_BASE)
+SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_SYNCD_BASE_DBG)
+
diff --git a/platform/vs/docker-gbsyncd-vs.mk b/platform/vs/docker-gbsyncd-vs.mk
index 50bb8e86b41a..f3cd8a139e8f 100644
--- a/platform/vs/docker-gbsyncd-vs.mk
+++ b/platform/vs/docker-gbsyncd-vs.mk
@@ -1,7 +1,7 @@
 # docker image for vs gbsyncd
 
 DOCKER_GBSYNCD_PLATFORM_CODE = vs
-include $(PLATFORM_PATH)/../template/docker-gbsyncd-base.mk
+include $(PLATFORM_PATH)/../template/docker-gbsyncd-bookworm.mk
 
 $(DOCKER_GBSYNCD_BASE)_DEPENDS += $(SYNCD_VS)
 
diff --git a/platform/vs/docker-gbsyncd-vs/Dockerfile.j2 b/platform/vs/docker-gbsyncd-vs/Dockerfile.j2
index 7e5219f5512e..e5491fd1b5fb 100644
--- a/platform/vs/docker-gbsyncd-vs/Dockerfile.j2
+++ b/platform/vs/docker-gbsyncd-vs/Dockerfile.j2
@@ -1,4 +1,4 @@
-FROM docker-config-engine-bullseye-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
+FROM docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
 
 ARG docker_container_name
 
diff --git a/platform/vs/docker-sonic-vs.mk b/platform/vs/docker-sonic-vs.mk
index dfcff23a566e..53735eb980cf 100644
--- a/platform/vs/docker-sonic-vs.mk
+++ b/platform/vs/docker-sonic-vs.mk
@@ -11,8 +11,7 @@ $(DOCKER_SONIC_VS)_DEPENDS += $(SYNCD_VS) \
                               $(LIBYANG_CPP) \
                               $(LIBYANG_PY3) \
                               $(SONIC_UTILITIES_DATA) \
-                              $(SONIC_HOST_SERVICES_DATA) \
-                              $(IPROUTE2)
+                              $(SONIC_HOST_SERVICES_DATA)
 
 $(DOCKER_SONIC_VS)_PYTHON_WHEELS += $(SONIC_PY_COMMON_PY3) \
                                     $(SONIC_PLATFORM_COMMON_PY3) \
diff --git a/platform/vs/docker-sonic-vs/Dockerfile.j2 b/platform/vs/docker-sonic-vs/Dockerfile.j2
index 6ffef790f946..6caa69b301f9 100644
--- a/platform/vs/docker-sonic-vs/Dockerfile.j2
+++ b/platform/vs/docker-sonic-vs/Dockerfile.j2
@@ -1,3 +1,4 @@
+{% from "dockers/dockerfile-macros.j2" import install_debian_packages, install_python_wheels, copy_files %}
 FROM docker-swss-layer-bullseye-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
 
 ARG docker_container_name
@@ -25,7 +26,6 @@ RUN apt-get install -y net-tools \
                        openssh-client \
                        openssh-server \
                        libc-ares2 \
-                       iproute2 \
                        grub2-common \
                        bash-completion \
                        libelf1 \
@@ -69,6 +69,8 @@ RUN apt-get install -y net-tools \
                        libgssrpc4 \
                        libkdb5-10
 
+RUN apt-get install -y -t bullseye-backports iproute2
+
 # For sonic-config-engine Python 3 package
 # Install pyangbind here, outside sonic-config-engine dependencies, as pyangbind causes enum34 to be installed.
 # Then immediately uninstall enum34, as enum34 should not be installed for Python >= 3.4, as it causes a
@@ -84,32 +86,29 @@ RUN pip3 install \
          netifaces==0.10.9
 
 {% if docker_sonic_vs_debs.strip() -%}
-# Copy locally-built Debian package dependencies
-COPY {%- for deb in docker_sonic_vs_debs.split(' ') %} debs/{{ deb }}{%- endfor %} /debs/
+# Copy built Debian packages
+{{ copy_files("debs/", docker_sonic_vs_debs.split(' '), "/debs/") }}
 
-# Install locally-built Debian packages and implicitly install their dependencies
-RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return 1; }; {%- for deb in docker_sonic_vs_debs.split(' ') %} dpkg_apt /debs/{{ deb }};{%- endfor %}
+# Install built Debian packages and implicitly install their dependencies
+{{ install_debian_packages(docker_sonic_vs_debs.split(' ')) }}
 {%- endif %}
 
 RUN apt-get install -y libzmq3-dev
 
 {% if docker_sonic_vs_pydebs.strip() -%}
-# Copy locally-built Debian package dependencies
-COPY {%- for deb in docker_sonic_vs_pydebs.split(' ') %} python-debs/{{ deb }}{%- endfor %} /debs/
+# Copy built Debian packages
+{{ copy_files("python-debs/", docker_sonic_vs_pydebs.split(' '), "/debs/") }}
 
-# Install locally-built Debian packages and implicitly install their dependencies
-RUN dpkg_apt() { [ -f $1 ] && { dpkg -i $1 || apt-get -y install -f; } || return 1; }; {%- for deb in docker_sonic_vs_pydebs.split(' ') %} dpkg_apt /debs/{{ deb }};{%- endfor %}
+# Install built Debian packages and implicitly install their dependencies
+{{ install_debian_packages(docker_sonic_vs_pydebs.split(' ')) }}
 {%- endif %}
 
 {% if docker_sonic_vs_whls.strip() %}
-# copy all whl PKGs first,
-copy {%- for whl in docker_sonic_vs_whls.split(' ') %} python-wheels/{{ whl }}{%- endfor %} python-wheels/
-
-# install PKGs after copying all PKGs to avoid dependency failure
-# use py3 to find python3 package, which is forced by wheel as of now
-{%- for whl in docker_sonic_vs_whls.split(' ') %}
-RUN pip{% if 'py3' in whl %}3{% else %}2{% endif %} install python-wheels/{{ whl }}
-{%- endfor %}
+# Copy locally-built Python wheel dependencies
+{{ copy_files("python-wheels/", docker_sonic_vs_whls.split(' '), "/python-wheels/") }}
+
+# Install locally-built Python wheel dependencies
+{{ install_python_wheels(docker_sonic_vs_whls.split(' ')) }}
 {% endif %}
 
 # Clean up
diff --git a/platform/vs/docker-syncd-vs.mk b/platform/vs/docker-syncd-vs.mk
index 4a062e35036e..a9656f291f24 100644
--- a/platform/vs/docker-syncd-vs.mk
+++ b/platform/vs/docker-syncd-vs.mk
@@ -1,10 +1,9 @@
 # docker image for vs syncd
 
 DOCKER_SYNCD_PLATFORM_CODE = vs
-include $(PLATFORM_PATH)/../template/docker-syncd-bullseye.mk
+include $(PLATFORM_PATH)/../template/docker-syncd-bookworm.mk
 
-$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS) \
-                                $(IPROUTE2)
+$(DOCKER_SYNCD_BASE)_DEPENDS += $(SYNCD_VS)
 
 $(DOCKER_SYNCD_BASE)_DBG_DEPENDS += $(SYNCD_VS_DBG) \
                                 $(LIBSWSSCOMMON_DBG) \
diff --git a/platform/vs/docker-syncd-vs/Dockerfile.j2 b/platform/vs/docker-syncd-vs/Dockerfile.j2
index adc26682cf46..a29b5e6b6472 100644
--- a/platform/vs/docker-syncd-vs/Dockerfile.j2
+++ b/platform/vs/docker-syncd-vs/Dockerfile.j2
@@ -1,4 +1,5 @@
-FROM docker-config-engine-bullseye-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
+{% from "dockers/dockerfile-macros.j2" import install_debian_packages, install_python_wheels, copy_files %}
+FROM docker-config-engine-bookworm-{{DOCKER_USERNAME}}:{{DOCKER_USERTAG}}
 
 ARG docker_container_name
 
@@ -7,18 +8,15 @@ ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update
 
-RUN apt-get install -f -y libcap2-bin
+RUN apt-get install -y libcap2-bin
 
-COPY \
-{% for deb in docker_syncd_vs_debs.split(' ') -%}
-debs/{{ deb }}{{' '}}
-{%- endfor -%}
-debs/
+{% if docker_syncd_vs_debs.strip() -%}
+# Copy built Debian packages
+{{ copy_files("debs/", docker_syncd_vs_debs.split(' '), "/debs/") }}
 
-RUN dpkg -i \
-{% for deb in docker_syncd_vs_debs.split(' ') -%}
-debs/{{ deb }}{{' '}}
-{%- endfor %} || apt-get install -f -y
+# Install built Debian packages and implicitly install their dependencies
+{{ install_debian_packages(docker_syncd_vs_debs.split(' ')) }}
+{%- endif %}
 
 COPY ["start.sh", "/usr/bin/"]
 
diff --git a/rules/iproute2.dep b/rules/iproute2.dep
deleted file mode 100644
index 9e445d9c209a..000000000000
--- a/rules/iproute2.dep
+++ /dev/null
@@ -1,10 +0,0 @@
-
-SPATH       := $($(IPROUTE2)_SRC_PATH)
-DEP_FILES   := $(SONIC_COMMON_FILES_LIST) rules/iproute2.mk rules/iproute2.dep   
-DEP_FILES   += $(SONIC_COMMON_BASE_FILES_LIST)
-DEP_FILES   += $(shell git ls-files $(SPATH))
-
-$(IPROUTE2)_CACHE_MODE  := GIT_CONTENT_SHA 
-$(IPROUTE2)_DEP_FLAGS   := $(SONIC_COMMON_FLAGS_LIST)
-$(IPROUTE2)_DEP_FILES   := $(DEP_FILES)
-
diff --git a/rules/iproute2.mk b/rules/iproute2.mk
deleted file mode 100644
index ac0b2d576ef9..000000000000
--- a/rules/iproute2.mk
+++ /dev/null
@@ -1,13 +0,0 @@
-# iproute2 package
-
-IPROUTE2_VERSION = 5.10.0
-IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-4
-IPROUTE2_VERSION_SONIC = $(IPROUTE2_VERSION)-4sonic1
-
-export IPROUTE2_VERSION
-export IPROUTE2_VERSION_FULL
-export IPROUTE2_VERSION_SONIC
-
-IPROUTE2 = iproute2_$(IPROUTE2_VERSION_SONIC)_$(CONFIGURED_ARCH).deb
-$(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2
-SONIC_MAKE_DEBS += $(IPROUTE2)
diff --git a/src/iproute2/.gitignore b/src/iproute2/.gitignore
deleted file mode 100644
index dfa47d4833b3..000000000000
--- a/src/iproute2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*
-!.gitignore
-!Makefile
-!patch/*
diff --git a/src/iproute2/Makefile b/src/iproute2/Makefile
deleted file mode 100644
index ecf849182fcb..000000000000
--- a/src/iproute2/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-SHELL = /bin/bash
-.ONESHELL:
-.SHELLFLAGS += -e
-
-MAIN_TARGET = iproute2_$(IPROUTE2_VERSION_SONIC)_$(CONFIGURED_ARCH).deb
-
-$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
-	# Remove any stale files
-	rm -rf iproute2-$(IPROUTE2_VERSION)
-
-	wget -O iproute2_$(IPROUTE2_VERSION).orig.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION).orig.tar.xz
-	wget -O iproute2_$(IPROUTE2_VERSION_FULL).dsc http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).dsc
-	wget -O iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz http://deb.debian.org/debian/pool/main/i/iproute2/iproute2_$(IPROUTE2_VERSION_FULL).debian.tar.xz
-	dpkg-source -x iproute2_$(IPROUTE2_VERSION_FULL).dsc
-
-	pushd iproute2-$(IPROUTE2_VERSION)
-
-	patch -p1 < ../patch/0001-patch-macsec-xpn-support.patch
-
-ifeq ($(CROSS_BUILD_ENVIRON), y)
-	patch -p1 < ../patch/cross-compile-changes.patch
-	dpkg-buildpackage -us -uc -b -a$(CONFIGURED_ARCH) -Pcross,nocheck -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
-else
-	dpkg-buildpackage -us -uc -b -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
-endif
-	popd
-
-	mv $* $(DEST)/
diff --git a/src/iproute2/patch/0001-patch-macsec-xpn-support.patch b/src/iproute2/patch/0001-patch-macsec-xpn-support.patch
deleted file mode 100644
index db477fbd3613..000000000000
--- a/src/iproute2/patch/0001-patch-macsec-xpn-support.patch
+++ /dev/null
@@ -1,242 +0,0 @@
-From 129613207b2f1616507814fbe060a2ce317d0bbb Mon Sep 17 00:00:00 2001
-From: Ze Gan <ganze718@gmail.com>
-Date: Mon, 18 Jul 2022 15:07:15 +0000
-Subject: [PATCH] MACsec XPN support
-
-Signed-off-by: Ze Gan <ganze718@gmail.com>
----
- ip/ipmacsec.c | 97 +++++++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 83 insertions(+), 14 deletions(-)
-
-diff --git a/debian/changelog b/debian/changelog
-index 2b114c1..bf3c253 100644
---- a/debian/changelog
-+++ b/debian/changelog
-@@ -1,3 +1,9 @@
-+iproute2 (5.10.0-4sonic1) unstable; urgency=medium
-+
-+  * Enhance iproute2 to update PN for XPN
-+
-+ -- Ze Gan <ganze718@gmail.com>  Wed, 25 Jan 2023 11:25:50 -0800
-+
- iproute2 (5.10.0-4) unstable; urgency=medium
- 
-   * Backport 0012-iproute-force-rtm_dst_len-to-32-128.patch to fix ip
-diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
-index 18289ec..fffe94a 100644
---- a/ip/ipmacsec.c
-+++ b/ip/ipmacsec.c
-@@ -10,6 +10,7 @@
-  */
- 
- #include <stdio.h>
-+#include <inttypes.h>
- #include <stdlib.h>
- #include <string.h>
- #include <errno.h>
-@@ -23,6 +24,8 @@
- #include "ll_map.h"
- #include "libgenl.h"
- 
-+#define MACSEC_SALT_LEN 12
-+
- static const char * const values_on_off[] = { "off", "on" };
- 
- static const char * const validate_str[] = {
-@@ -45,11 +48,13 @@ struct sci {
- 
- struct sa_desc {
- 	__u8 an;
--	__u32 pn;
-+	__u64 pn;
- 	__u8 key_id[MACSEC_KEYID_LEN];
- 	__u32 key_len;
- 	__u8 key[MACSEC_MAX_KEY_LEN];
- 	__u8 active;
-+	__u32 ssci;
-+	__u8 salt[MACSEC_SALT_LEN];
- };
- 
- struct cipher_args {
-@@ -88,7 +93,7 @@ static int genl_family = -1;
- static void ipmacsec_usage(void)
- {
- 	fprintf(stderr,
--		"Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n"
-+		"Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] [ ssci SSCI salt SALT] key ID KEY\n"
- 		"       ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n"
- 		"       ip macsec del DEV tx sa { 0..3 }\n"
- 		"       ip macsec add DEV rx SCI [ on | off ]\n"
-@@ -100,10 +105,12 @@ static void ipmacsec_usage(void)
- 		"       ip macsec show\n"
- 		"       ip macsec show DEV\n"
- 		"       ip macsec offload DEV [ off | phy | mac ]\n"
--		"where  OPTS := [ pn <u32> ] [ on | off ]\n"
-+		"where  OPTS := [ pn <u64> ] [ on | off ]\n"
- 		"       ID   := 128-bit hex string\n"
- 		"       KEY  := 128-bit or 256-bit hex string\n"
--		"       SCI  := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n");
-+		"       SCI  := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n"
-+		"       SSCI := <u32>\n"
-+		"       SALT := 96-bit hex string\n");
- 
- 	exit(-1);
- }
-@@ -198,7 +205,7 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
- 			if (sa->pn != 0)
- 				duparg2("pn", "pn");
- 			NEXT_ARG();
--			ret = get_u32(&sa->pn, *argv, 0);
-+			ret = get_u64(&sa->pn, *argv, 0);
- 			if (ret)
- 				invarg("expected pn", *argv);
- 			if (sa->pn == 0)
-@@ -224,6 +231,22 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa)
- 				duparg2("on/off", "off");
- 			sa->active = false;
- 			active_set = true;
-+		} else if (strcmp(*argv, "ssci") == 0) {
-+			if (sa->ssci != 0)
-+				duparg2("ssci", "ssci");
-+			NEXT_ARG();
-+			ret = get_u32(&sa->ssci, *argv, 0);
-+			if (ret)
-+				invarg("expected ssci", *argv);
-+			if (sa->ssci == 0)
-+				invarg("expected ssci != 0", *argv);
-+		} else if (strcmp(*argv, "salt") == 0) {
-+			unsigned int len;
-+
-+			NEXT_ARG();
-+			if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN,
-+					   &len))
-+				invarg("expected salt", *argv);
- 		} else {
- 			fprintf(stderr, "macsec: unknown command \"%s\"?\n",
- 				*argv);
-@@ -413,9 +436,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
- 	addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an);
- 
- 	if (c != CMD_DEL) {
--		if (sa->pn)
--			addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
--				  sa->pn);
-+		if (sa->pn) {
-+			if (sa->ssci == 0) {
-+				addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
-+					sa->pn);
-+			} else {
-+				addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
-+					sa->pn);
-+			}
-+		}
- 
- 		if (sa->key_len) {
- 			addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID,
-@@ -428,6 +457,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
- 			addattr8(&req.n, MACSEC_BUFLEN,
- 				 MACSEC_SA_ATTR_ACTIVE, sa->active);
- 		}
-+
-+        if (c == CMD_ADD) {
-+            if (sa->ssci != 0) {
-+                addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
-+                      sa->ssci);
-+                addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
-+                      sa->salt, MACSEC_SALT_LEN);
-+            }
-+        }
- 	}
- 
- 	addattr_nest_end(&req.n, attr_sa);
-@@ -637,6 +675,8 @@ static void print_key(struct rtattr *key)
- 
- #define CIPHER_NAME_GCM_AES_128 "GCM-AES-128"
- #define CIPHER_NAME_GCM_AES_256 "GCM-AES-256"
-+#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128"
-+#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256"
- #define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128
- 
- static const char *cs_id_to_name(__u64 cid)
-@@ -649,6 +689,10 @@ static const char *cs_id_to_name(__u64 cid)
- 		return CIPHER_NAME_GCM_AES_128;
- 	case MACSEC_CIPHER_ID_GCM_AES_256:
- 		return CIPHER_NAME_GCM_AES_256;
-+	case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
-+		return CIPHER_NAME_GCM_AES_XPN_128;
-+	case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
-+		return CIPHER_NAME_GCM_AES_XPN_256;
- 	default:
- 		return "(unknown)";
- 	}
-@@ -897,12 +941,21 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa,
- 		print_string(PRINT_FP, NULL, "%s", prefix);
- 		print_uint(PRINT_ANY, "an", "%d:",
- 			   rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
--		print_uint(PRINT_ANY, "pn", " PN %u,",
--			   rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
-+		if (!sa_attr[MACSEC_SA_ATTR_SSCI]) {
-+			print_uint(PRINT_ANY, "pn", " PN %u,",
-+				rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
-+		} else {
-+			print_u64(PRINT_ANY, "pn", " PN %" PRIu64 ",",
-+				rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
-+		}
- 
- 		print_bool(PRINT_JSON, "active", NULL, state);
- 		print_string(PRINT_FP, NULL,
- 			     " state %s,", state ? "on" : "off");
-+		if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
-+			print_uint(PRINT_ANY, "ssci", " SSCI %u,",
-+				ntohl(rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI])));
-+		}
- 		print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
- 
- 		print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
-@@ -965,13 +1018,23 @@ static void print_rx_sc(const char *prefix, __be64 sci, __u8 active,
- 		print_string(PRINT_FP, NULL, "%s", prefix);
- 		print_uint(PRINT_ANY, "an", "%u:",
- 			   rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN]));
--		print_uint(PRINT_ANY, "pn", " PN %u,",
--			   rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
-+		if (!sa_attr[MACSEC_SA_ATTR_SSCI]) {
-+			print_uint(PRINT_ANY, "pn", " PN %u,",
-+				rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN]));
-+		} else {
-+			print_u64(PRINT_ANY, "pn", " PN %" PRIu64 ",",
-+				rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN]));
-+		}
- 
- 		print_bool(PRINT_JSON, "active", NULL, state);
- 		print_string(PRINT_FP, NULL, " state %s,",
- 			     state ? "on" : "off");
- 
-+		if (sa_attr[MACSEC_SA_ATTR_SSCI]) {
-+			print_uint(PRINT_ANY, "ssci", " SSCI %u,",
-+				ntohl(rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI])));
-+		}
-+
- 		print_key(sa_attr[MACSEC_SA_ATTR_KEYID]);
- 
- 		print_rxsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]);
-@@ -1322,9 +1385,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
- 			else if (strcmp(*argv, "gcm-aes-256") == 0 ||
- 			         strcmp(*argv, "GCM-AES-256") == 0)
- 				cipher.id = MACSEC_CIPHER_ID_GCM_AES_256;
-+			else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 ||
-+			         strcmp(*argv, "GCM-AES-XPN-128") == 0)
-+				cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128;
-+			else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 ||
-+			         strcmp(*argv, "GCM-AES-XPN-256") == 0)
-+				cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256;
- 			else
--				invarg("expected: default, gcm-aes-128 or"
--				       " gcm-aes-256", *argv);
-+				invarg("expected: default, gcm-aes-128"
-+				       " gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256", *argv);
- 		} else if (strcmp(*argv, "icvlen") == 0) {
- 			NEXT_ARG();
- 			if (cipher.icv_len)
--- 
-2.25.1
-
diff --git a/src/iproute2/patch/cross-compile-changes.patch b/src/iproute2/patch/cross-compile-changes.patch
deleted file mode 100644
index a38df0630686..000000000000
--- a/src/iproute2/patch/cross-compile-changes.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: iproute2-5.10.0/tc/tc_core.c
-===================================================================
---- iproute2-5.10.0.orig/tc/tc_core.c
-+++ iproute2-5.10.0/tc/tc_core.c
-@@ -20,6 +20,7 @@
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <string.h>
-+#include <stdint.h>
- 
- #include "utils.h"
- #include "tc_core.h"
diff --git a/src/sonic-sairedis b/src/sonic-sairedis
index a1b89c3c37b2..73ada8d57281 160000
--- a/src/sonic-sairedis
+++ b/src/sonic-sairedis
@@ -1 +1 @@
-Subproject commit a1b89c3c37b2fe1568974cd76fd62ce7f29d548f
+Subproject commit 73ada8d57281e700336ce70fb893cec005466fcd