Re: [RFC PATCH] rt2800lib: unconditionally enable MFP

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Julian Calaby <julian.calaby@gmail.com>
Cc: Rui Salvaterra <rsalvaterra@gmail.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	Larry Finger <Larry.Finger@lwfinger.net>,
	linux-wireless@vger.kernel.org
Subject: Re: [RFC PATCH] rt2800lib: unconditionally enable MFP
Date: Sun, 24 May 2020 14:39:31 +0200	[thread overview]
Message-ID: <20200524123931.GA915983@wp.pl> (raw)
In-Reply-To: <CAGRGNgWuQjQzDS9-cPAx7TnDfEiGnSccw4vqPAE_gWV=QS5JVw@mail.gmail.com>

Hi

On Sun, May 24, 2020 at 09:42:51PM +1000, Julian Calaby wrote:
> Hi Stanislaw,
> 
> On Sun, May 24, 2020 at 9:27 PM Stanislaw Gruszka <stf_xl@wp.pl> wrote:
> >
> > On Sun, May 24, 2020 at 10:47:31AM +0100, Rui Salvaterra wrote:
> > > According to Larry [1] (and successfully verified on b43) mac80211
> > > transparently falls back to software for unsupported hardware cyphers. Thus,
> > > there's no reason for not unconditionally enabling MFP. This gives us WPA3
> > > support out of the box, without having to manually disable hardware crypto.
> > >
> > > Tested on an RT2790-based Wi-Fi card.
> > >
> > > [1] https://lore.kernel.org/linux-wireless/8252e6a1-b83c-64eb-2503-2686374216ae@lwfinger.net/
> >
> > AFICT more work need to be done to support MFP by HW encryption properly
> > on rt2x00. See this message and whole thread:
> > https://lore.kernel.org/linux-wireless/977a3cf4-3ec5-4aaa-b3d4-eea2e8593652@nbd.name/
> 
> Am I reading this right: rt2x00 offloads some of the processing to the
> card which interferes with MFP when using software encryption, so
> therefore we need to disable that offload when using software
> encryption with MFP.

Yes.

We offload encryption to HW based on cipher. Modern ciphers like 
GCMP, BIP_GMAC, etc, are not supported by rt2x00 HW. In such case
rt2x00mac_set_key() will return -EOPNOTSUPP and all encryption will
be done by mac80211 - MFP will work just fine.

But MFP can still be used with CCMP cipher, which we offload to HW,
and that would create problems described by Felix.

> So if mac80211 knows that this offload is happening and that we can't
> use hardware crypto for MFP, could it be smart enough to disable the
> offload itself?
> 
> And once mac80211 is smart enough to make those decisions, couldn't we
> just enable MFP by default?

If we will have indicator from mac80211 that MFP is configured, we can
just return -EOPNOTSUPP from rt2x00mac_set_key() for CCMP and that will
make MFP work without specifying nohwcrypt module parameter - software
encryption will be used anyway.

Optimal solution though would be implement similar code like in mt76, so
we will have HW encryption for MFP+CCMP, but this is not trivial, and
I think handling encryption fully in software is ok.

Stanislaw

next prev parent reply	other threads:[~2020-05-24 12:39 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-24  9:47 [RFC PATCH] rt2800lib: unconditionally enable MFP Rui Salvaterra
2020-05-24 11:17 ` Stanislaw Gruszka
2020-05-24 11:42   ` Julian Calaby
2020-05-24 12:39     ` Stanislaw Gruszka [this message]
2020-05-25  9:15       ` Johannes Berg
2020-05-25  9:31         ` Stanislaw Gruszka
2020-05-25  9:49           ` Johannes Berg
2020-05-25 10:58             ` Stanislaw Gruszka
2020-05-25 11:14               ` Rui Salvaterra
2020-05-25 12:25                 ` Stanislaw Gruszka
2020-05-25 12:33                   ` Rui Salvaterra
2020-05-25 13:13                 ` Rui Salvaterra
2020-05-25 13:14                   ` Johannes Berg
2020-05-25 13:28                     ` Rui Salvaterra
2020-05-24 15:07   ` Rui Salvaterra
2020-05-25  0:02     ` Larry Finger
2020-05-25  9:17       ` Johannes Berg
2020-05-25  8:17     ` Stanislaw Gruszka

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200524123931.GA915983@wp.pl \
    --to=stf_xl@wp.pl \
    --cc=Larry.Finger@lwfinger.net \
    --cc=julian.calaby@gmail.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=rsalvaterra@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.