[PATCH 0/4] PMKSA support for fullmac drivers

[PATCH 0/4] PMKSA support for fullmac drivers

[James Prestwood]

This set removes the need for the prior patch on the list:
[RFC] netdev: avoid PMKSA for fullmac drivers

And instead implementes proper support for PMKSA as opposed to
disabling it.

James Prestwood (4):
  netdev: don't set CQM thresholds for fullmac cards
  netdev: remove/update some iwd_notice logs
  netdev: implement PMKSA for fullmac drivers
  station: use netdev_remove_pmksa

 src/netdev.c  | 88 ++++++++++++++++++++++++++++++++++++++++++++++-----
 src/netdev.h  |  2 ++
 src/station.c |  2 +-
 3 files changed, 83 insertions(+), 9 deletions(-)

-- 
2.34.1

[PATCH 1/4] netdev: don't set CQM thresholds for fullmac cards

[James Prestwood]

Since roaming is handled by the firmware setting CQM thresholds for
roaming is pointless.
---
 src/netdev.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/netdev.c b/src/netdev.c
index ecf61823..e0a39851 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -3827,6 +3827,15 @@ static void netdev_cmd_set_cqm_cb(struct l_genl_msg *msg, void *user_data)
 static int netdev_cqm_rssi_update(struct netdev *netdev)
 {
 	struct l_genl_msg *msg;
+	struct netdev_handshake_state *nhs = l_container_of(netdev->handshake,
+				struct netdev_handshake_state, super);
+
+	/*
+	 * Fullmac cards handle roaming in firmware, there is no need to set
+	 * CQM thresholds
+	 */
+	if (nhs->type == CONNECTION_TYPE_FULLMAC)
+		return 0;
 
 	l_debug("");
 
-- 
2.34.1

[PATCH 2/4] netdev: remove/update some iwd_notice logs

[James Prestwood]

The iwd_notice function was more meant for special purpose events
not general debug prints. For these error conditions we should be
using l_warn. For the informational "External Auth to SSID" log
we already print this information when connecting from station. In
addition there are logs when performing external auth so it should
be very obvious external auth is being used without this log.
---
 src/netdev.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/src/netdev.c b/src/netdev.c
index e0a39851..06282c2a 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -5524,23 +5524,18 @@ static void netdev_external_auth_event(struct l_genl_msg *msg,
 	}
 
 	if (action == NL80211_EXTERNAL_AUTH_ABORT) {
-		iwd_notice(IWD_NOTICE_CONNECT_INFO, "External Auth Aborted");
+		l_warn("External Auth Aborted");
 		goto error;
 	}
 
-	iwd_notice(IWD_NOTICE_CONNECT_INFO,
-			"External Auth to SSID: %s, bssid: "MAC,
-			util_ssid_to_utf8(ssid.iov_len, ssid.iov_base),
-			MAC_STR(bssid));
-
 	if (hs->ssid_len != ssid.iov_len ||
 			memcmp(hs->ssid, ssid.iov_base, hs->ssid_len)) {
-		iwd_notice(IWD_NOTICE_CONNECT_INFO, "Target SSID mismatch");
+		l_warn("Target SSID mismatch");
 		goto error;
 	}
 
 	if (memcmp(hs->aa, bssid, ETH_ALEN)) {
-		iwd_notice(IWD_NOTICE_CONNECT_INFO, "Target BSSID mismatch");
+		l_warn("Target BSSID mismatch");
 		goto error;
 	}
 
-- 
2.34.1

[PATCH 3/4] netdev: implement PMKSA for fullmac drivers

[James Prestwood]

Supporting PMKSA on fullmac drivers requires that we set the PMKSA
into the kernel as well as remove it. Since station has a removal
path netdev_remove_pmksa needed to be added which station will
call. This will handle both removing IWD's PMKSA cache as well as
in the kernels.

On addition its similar, we add to both IWDs cache and the kernels.
---
 src/netdev.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/netdev.h |  2 ++
 2 files changed, 70 insertions(+)

diff --git a/src/netdev.c b/src/netdev.c
index 06282c2a..42fb6a4b 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1498,6 +1498,52 @@ static void netdev_setting_keys_failed(struct netdev_handshake_state *nhs,
 	handshake_event(&nhs->super, HANDSHAKE_EVENT_SETTING_KEYS_FAILED, &err);
 }
 
+static void netdev_set_pmksa(struct handshake_state *hs)
+{
+	struct l_genl_msg *msg;
+	uint32_t expiration = (uint32_t)hs->expiration;
+
+	if (!hs->have_pmkid)
+		return;
+
+	msg = l_genl_msg_new(NL80211_CMD_SET_PMKSA);
+
+	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &hs->ifindex);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_PMKID, 16, hs->pmkid);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, hs->aa);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_SSID, hs->ssid_len, hs->ssid);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_PMK_LIFETIME, 4, &expiration);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_PMK, hs->pmk_len, hs->pmk);
+
+	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
+		l_error("error sending SET_PMKSA");
+}
+
+void netdev_remove_pmksa(struct netdev *netdev)
+{
+	struct l_genl_msg *msg;
+	struct handshake_state *hs = netdev->handshake;
+	struct netdev_handshake_state *nhs = l_container_of(hs,
+					struct netdev_handshake_state, super);
+
+	handshake_state_remove_pmksa(netdev->handshake);
+
+	if (nhs->type != CONNECTION_TYPE_FULLMAC)
+		return;
+
+	/* Fullmac cards need to set/remove the PMKSA within the kernel */
+
+	msg = l_genl_msg_new(NL80211_CMD_DEL_PMKSA);
+
+	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &netdev->index);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_PMKID, 16, hs->pmkid);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, hs->aa);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_SSID, hs->ssid_len, hs->ssid);
+
+	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
+		l_error("error sending DEL_PMKSA");
+}
+
 static void try_handshake_complete(struct netdev_handshake_state *nhs)
 {
 	l_debug("ptk_installed: %u, gtk_installed: %u, igtk_installed: %u",
@@ -1518,6 +1564,9 @@ static void try_handshake_complete(struct netdev_handshake_state *nhs)
 
 		l_debug("Invoking handshake_event()");
 
+		if (nhs->type == CONNECTION_TYPE_FULLMAC)
+			netdev_set_pmksa(&nhs->super);
+
 		handshake_state_cache_pmksa(&nhs->super);
 
 		if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
@@ -6469,6 +6518,23 @@ static void netdev_get_link(struct netdev *netdev)
 	L_WARN_ON(netdev->get_link_cmd_id == 0);
 }
 
+static void netdev_flush_pmksa(struct netdev *netdev)
+{
+	struct l_genl_msg *msg = l_genl_msg_new(NL80211_CMD_FLUSH_PMKSA);
+
+	/*
+	 * We only utilize the kernel's PMKSA cache for fullmac cards, so no
+	 * need to flush if this is a softmac
+	 */
+	if (wiphy_supports_cmds_auth_assoc(netdev->wiphy))
+		return;
+
+	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &netdev->index);
+
+	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
+		l_error("Failed to flush PMKSA");
+}
+
 struct netdev *netdev_create_from_genl(struct l_genl_msg *msg,
 					const uint8_t *set_mac)
 {
@@ -6544,6 +6610,8 @@ struct netdev *netdev_create_from_genl(struct l_genl_msg *msg,
 
 	netdev_get_link(netdev);
 
+	netdev_flush_pmksa(netdev);
+
 	return netdev;
 }
 
diff --git a/src/netdev.h b/src/netdev.h
index 6299934e..0c7d7550 100644
--- a/src/netdev.h
+++ b/src/netdev.h
@@ -218,6 +218,8 @@ int netdev_get_all_stations(struct netdev *netdev, netdev_get_station_cb_t cb,
 
 void netdev_handshake_failed(struct handshake_state *hs, uint16_t reason_code);
 
+void netdev_remove_pmksa(struct netdev *netdev);
+
 struct netdev *netdev_find(int ifindex);
 
 uint32_t netdev_watch_add(netdev_watch_func_t func,
-- 
2.34.1

[PATCH 4/4] station: use netdev_remove_pmksa

[James Prestwood]

---
 src/station.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/station.c b/src/station.c
index bb6debb9..37f98179 100644
--- a/src/station.c
+++ b/src/station.c
@@ -3432,7 +3432,7 @@ static bool station_pmksa_fallback(struct station *station, uint16_t status)
 	 * Remove the PMKSA from the handshake and return true to re-try the
 	 * same BSS without PMKSA.
 	 */
-	handshake_state_remove_pmksa(station->hs);
+	netdev_remove_pmksa(station->netdev);
 
 	station_debug_event(station, "pmksa-invalid-pmkid");
 
-- 
2.34.1

Re: [PATCH 3/4] netdev: implement PMKSA for fullmac drivers

[James Prestwood]

On 2/12/25 8:24 AM, James Prestwood wrote:
> Supporting PMKSA on fullmac drivers requires that we set the PMKSA
> into the kernel as well as remove it. Since station has a removal
> path netdev_remove_pmksa needed to be added which station will
> call. This will handle both removing IWD's PMKSA cache as well as
> in the kernels.
>
> On addition its similar, we add to both IWDs cache and the kernels.
> ---
>   src/netdev.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>   src/netdev.h |  2 ++
>   2 files changed, 70 insertions(+)
>
> diff --git a/src/netdev.c b/src/netdev.c
> index 06282c2a..42fb6a4b 100644
> --- a/src/netdev.c
> +++ b/src/netdev.c
> @@ -1498,6 +1498,52 @@ static void netdev_setting_keys_failed(struct netdev_handshake_state *nhs,
>   	handshake_event(&nhs->super, HANDSHAKE_EVENT_SETTING_KEYS_FAILED, &err);
>   }
>   
> +static void netdev_set_pmksa(struct handshake_state *hs)
> +{
> +	struct l_genl_msg *msg;
> +	uint32_t expiration = (uint32_t)hs->expiration;
> +
> +	if (!hs->have_pmkid)
> +		return;
> +
> +	msg = l_genl_msg_new(NL80211_CMD_SET_PMKSA);
> +
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &hs->ifindex);
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_PMKID, 16, hs->pmkid);
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, hs->aa);
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_SSID, hs->ssid_len, hs->ssid);
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_PMK_LIFETIME, 4, &expiration);
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_PMK, hs->pmk_len, hs->pmk);
> +
> +	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
> +		l_error("error sending SET_PMKSA");
> +}
> +
> +void netdev_remove_pmksa(struct netdev *netdev)
> +{
> +	struct l_genl_msg *msg;
> +	struct handshake_state *hs = netdev->handshake;
> +	struct netdev_handshake_state *nhs = l_container_of(hs,
> +					struct netdev_handshake_state, super);
> +
> +	handshake_state_remove_pmksa(netdev->handshake);
> +
> +	if (nhs->type != CONNECTION_TYPE_FULLMAC)
> +		return;
> +
> +	/* Fullmac cards need to set/remove the PMKSA within the kernel */
> +
> +	msg = l_genl_msg_new(NL80211_CMD_DEL_PMKSA);
> +
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &netdev->index);
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_PMKID, 16, hs->pmkid);
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, hs->aa);
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_SSID, hs->ssid_len, hs->ssid);
> +
> +	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
> +		l_error("error sending DEL_PMKSA");
> +}
> +
>   static void try_handshake_complete(struct netdev_handshake_state *nhs)
>   {
>   	l_debug("ptk_installed: %u, gtk_installed: %u, igtk_installed: %u",
> @@ -1518,6 +1564,9 @@ static void try_handshake_complete(struct netdev_handshake_state *nhs)
>   
>   		l_debug("Invoking handshake_event()");
>   
> +		if (nhs->type == CONNECTION_TYPE_FULLMAC)
> +			netdev_set_pmksa(&nhs->super);
> +
>   		handshake_state_cache_pmksa(&nhs->super);
>   
>   		if (handshake_event(&nhs->super, HANDSHAKE_EVENT_COMPLETE))
> @@ -6469,6 +6518,23 @@ static void netdev_get_link(struct netdev *netdev)
>   	L_WARN_ON(netdev->get_link_cmd_id == 0);
>   }
>   
> +static void netdev_flush_pmksa(struct netdev *netdev)
> +{
> +	struct l_genl_msg *msg = l_genl_msg_new(NL80211_CMD_FLUSH_PMKSA);
Just noticed this is leaking memory. I'll fix after reviews.
> +
> +	/*
> +	 * We only utilize the kernel's PMKSA cache for fullmac cards, so no
> +	 * need to flush if this is a softmac
> +	 */
> +	if (wiphy_supports_cmds_auth_assoc(netdev->wiphy))
> +		return;
> +
> +	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &netdev->index);
> +
> +	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
> +		l_error("Failed to flush PMKSA");
> +}
> +
>   struct netdev *netdev_create_from_genl(struct l_genl_msg *msg,
>   					const uint8_t *set_mac)
>   {
> @@ -6544,6 +6610,8 @@ struct netdev *netdev_create_from_genl(struct l_genl_msg *msg,
>   
>   	netdev_get_link(netdev);
>   
> +	netdev_flush_pmksa(netdev);
> +
>   	return netdev;
>   }
>   
> diff --git a/src/netdev.h b/src/netdev.h
> index 6299934e..0c7d7550 100644
> --- a/src/netdev.h
> +++ b/src/netdev.h
> @@ -218,6 +218,8 @@ int netdev_get_all_stations(struct netdev *netdev, netdev_get_station_cb_t cb,
>   
>   void netdev_handshake_failed(struct handshake_state *hs, uint16_t reason_code);
>   
> +void netdev_remove_pmksa(struct netdev *netdev);
> +
>   struct netdev *netdev_find(int ifindex);
>   
>   uint32_t netdev_watch_add(netdev_watch_func_t func,