[PATCH v2 0/5] PMKSA support for fullmac drivers

[PATCH v2 0/5] PMKSA support for fullmac drivers

[James Prestwood]

This set removes the need for the prior patch on the list:
[RFC] netdev: avoid PMKSA for fullmac drivers

And instead implementes proper support for PMKSA as opposed to
disabling it.

v2:
 * Reworked patches to utilize a new driver callback concept within
   the pmksa module. This avoids the need to expose any netdev APIs
   and makes the removal within the kernel transparent to modules
   using the PMKSA cache.

James Prestwood (5):
  netdev: don't set CQM thresholds for fullmac cards
  netdev: remove/update some iwd_notice logs
  pmksa: add driver callbacks and pmksa_cache_free
  handshake: use pmksa_cache_free
  netdev: implement PMKSA for fullmac drivers

 src/handshake.c |   6 +--
 src/netdev.c    | 133 +++++++++++++++++++++++++++++++++++++++++++++---
 src/pmksa.c     |  38 +++++++++++++-
 src/pmksa.h     |   9 ++++
 4 files changed, 173 insertions(+), 13 deletions(-)

-- 
2.34.1

[PATCH v2 1/5] netdev: don't set CQM thresholds for fullmac cards

[James Prestwood]

Since roaming is handled by the firmware setting CQM thresholds for
roaming is pointless.
---
 src/netdev.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/netdev.c b/src/netdev.c
index ecf61823..e0a39851 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -3827,6 +3827,15 @@ static void netdev_cmd_set_cqm_cb(struct l_genl_msg *msg, void *user_data)
 static int netdev_cqm_rssi_update(struct netdev *netdev)
 {
 	struct l_genl_msg *msg;
+	struct netdev_handshake_state *nhs = l_container_of(netdev->handshake,
+				struct netdev_handshake_state, super);
+
+	/*
+	 * Fullmac cards handle roaming in firmware, there is no need to set
+	 * CQM thresholds
+	 */
+	if (nhs->type == CONNECTION_TYPE_FULLMAC)
+		return 0;
 
 	l_debug("");
 
-- 
2.34.1

[PATCH v2 2/5] netdev: remove/update some iwd_notice logs

[James Prestwood]

The iwd_notice function was more meant for special purpose events
not general debug prints. For these error conditions we should be
using l_warn. For the informational "External Auth to SSID" log
we already print this information when connecting from station. In
addition there are logs when performing external auth so it should
be very obvious external auth is being used without this log.
---
 src/netdev.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/src/netdev.c b/src/netdev.c
index e0a39851..06282c2a 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -5524,23 +5524,18 @@ static void netdev_external_auth_event(struct l_genl_msg *msg,
 	}
 
 	if (action == NL80211_EXTERNAL_AUTH_ABORT) {
-		iwd_notice(IWD_NOTICE_CONNECT_INFO, "External Auth Aborted");
+		l_warn("External Auth Aborted");
 		goto error;
 	}
 
-	iwd_notice(IWD_NOTICE_CONNECT_INFO,
-			"External Auth to SSID: %s, bssid: "MAC,
-			util_ssid_to_utf8(ssid.iov_len, ssid.iov_base),
-			MAC_STR(bssid));
-
 	if (hs->ssid_len != ssid.iov_len ||
 			memcmp(hs->ssid, ssid.iov_base, hs->ssid_len)) {
-		iwd_notice(IWD_NOTICE_CONNECT_INFO, "Target SSID mismatch");
+		l_warn("Target SSID mismatch");
 		goto error;
 	}
 
 	if (memcmp(hs->aa, bssid, ETH_ALEN)) {
-		iwd_notice(IWD_NOTICE_CONNECT_INFO, "Target BSSID mismatch");
+		l_warn("Target BSSID mismatch");
 		goto error;
 	}
 
-- 
2.34.1

[PATCH v2 3/5] pmksa: add driver callbacks and pmksa_cache_free

[James Prestwood]

In order to support fullmac drivers the PMKSA entries must be added
and removed from the kernel. To accomplish this a set of driver
callbacks will be added to the PMKSA module. In addition a new
pmksa_cache_free API will be added whos only purpose is to handle
the removal from the kernel.
---
 src/pmksa.c | 38 ++++++++++++++++++++++++++++++++++++--
 src/pmksa.h |  9 +++++++++
 2 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/src/pmksa.c b/src/pmksa.c
index bb539b85..a50c8208 100644
--- a/src/pmksa.c
+++ b/src/pmksa.c
@@ -40,6 +40,9 @@
 
 static uint64_t dot11RSNAConfigPMKLifetime = 43200ULL * L_USEC_PER_SEC;
 static uint32_t pmksa_cache_capacity = 255;
+static pmksa_cache_add_func_t driver_add;
+static pmksa_cache_remove_func_t driver_remove;
+static pmksa_cache_flush_func_t driver_flush;
 
 struct min_heap {
 	struct pmksa **data;
@@ -142,7 +145,7 @@ int pmksa_cache_put(struct pmksa *pmksa)
 	l_debug("Adding entry with PMKID: "PMKID, PMKID_STR(pmksa->pmkid));
 
 	if (cache.used == cache.capacity) {
-		l_free(cache.data[0]);
+		pmksa_cache_free(cache.data[0]);
 		cache.data[0] = pmksa;
 		__minheap_sift_down(cache.data, cache.used, 0, &ops);
 		return 0;
@@ -152,6 +155,9 @@ int pmksa_cache_put(struct pmksa *pmksa)
 	__minheap_sift_up(cache.data, cache.used, &ops);
 	cache.used += 1;
 
+	if (driver_add)
+		driver_add(pmksa);
+
 	return 0;
 }
 
@@ -167,7 +173,7 @@ int pmksa_cache_expire(uint64_t cutoff)
 
 	for (i = 0; i < used; i++) {
 		if (cache.data[i]->expiration <= cutoff) {
-			l_free(cache.data[i]);
+			pmksa_cache_free(cache.data[i]);
 			continue;
 		}
 
@@ -190,11 +196,30 @@ int pmksa_cache_flush(void)
 {
 	uint32_t i;
 
+	/*
+	 * The driver flush operation is done via a single kernel API call which
+	 * is why below we use l_free instead of pmksa_cache_free as to not
+	 * induce a DEL_PMKSA kernel call for each entry.
+	 */
+	if (driver_flush)
+		driver_flush();
+
 	for (i = 0; i < cache.used; i++)
 		l_free(cache.data[i]);
 
 	memset(cache.data, 0, cache.capacity * sizeof(struct pmksa *));
 	cache.used = 0;
+
+	return 0;
+}
+
+int pmksa_cache_free(struct pmksa *pmksa)
+{
+	if (driver_remove)
+		driver_remove(pmksa);
+
+	l_free(pmksa);
+
 	return 0;
 }
 
@@ -217,6 +242,15 @@ void __pmksa_set_config(const struct l_settings *config)
 					&pmksa_cache_capacity);
 }
 
+void __pmksa_set_driver_callbacks(pmksa_cache_add_func_t add,
+					pmksa_cache_remove_func_t remove,
+					pmksa_cache_flush_func_t flush)
+{
+	driver_add = add;
+	driver_remove = remove;
+	driver_flush = flush;
+}
+
 static int pmksa_init(void)
 {
 	cache.capacity = pmksa_cache_capacity;
diff --git a/src/pmksa.h b/src/pmksa.h
index 67879309..6a624504 100644
--- a/src/pmksa.h
+++ b/src/pmksa.h
@@ -32,6 +32,10 @@ struct pmksa {
 	size_t pmk_len;
 };
 
+typedef void (*pmksa_cache_add_func_t)(const struct pmksa *pmksa);
+typedef void (*pmksa_cache_remove_func_t)(const struct pmksa *pmksa);
+typedef void (*pmksa_cache_flush_func_t)(void);
+
 struct pmksa **__pmksa_cache_get_all(uint32_t *out_n_entries);
 
 struct pmksa *pmksa_cache_get(const uint8_t spa[static 6],
@@ -41,6 +45,11 @@ struct pmksa *pmksa_cache_get(const uint8_t spa[static 6],
 int pmksa_cache_put(struct pmksa *pmksa);
 int pmksa_cache_expire(uint64_t cutoff);
 int pmksa_cache_flush(void);
+int pmksa_cache_free(struct pmksa *pmksa);
 
 uint64_t pmksa_lifetime(void);
 void __pmksa_set_config(const struct l_settings *config);
+
+void __pmksa_set_driver_callbacks(pmksa_cache_add_func_t add,
+					pmksa_cache_remove_func_t remove,
+					pmksa_cache_flush_func_t flush);
-- 
2.34.1

[PATCH v2 4/5] handshake: use pmksa_cache_free

[James Prestwood]

---
 src/handshake.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/handshake.c b/src/handshake.c
index bee31beb..c469e6fa 100644
--- a/src/handshake.c
+++ b/src/handshake.c
@@ -1239,7 +1239,7 @@ static struct pmksa *handshake_state_steal_pmksa(struct handshake_state *s)
 		s->have_pmksa = false;
 
 		if (l_time_after(now, pmksa->expiration)) {
-			l_free(pmksa);
+			pmksa_cache_free(pmksa);
 			pmksa = NULL;
 		}
 
@@ -1280,7 +1280,7 @@ void handshake_state_cache_pmksa(struct handshake_state *s)
 	l_debug("Caching PMKSA for "MAC, MAC_STR(s->aa));
 
 	if (L_WARN_ON(pmksa_cache_put(pmksa) < 0))
-		l_free(pmksa);
+		pmksa_cache_free(pmksa);
 }
 
 bool handshake_state_remove_pmksa(struct handshake_state *s)
@@ -1294,7 +1294,7 @@ bool handshake_state_remove_pmksa(struct handshake_state *s)
 	if (!pmksa)
 		return false;
 
-	l_free(pmksa);
+	pmksa_cache_free(pmksa);
 
 	return true;
 }
-- 
2.34.1

[PATCH v2 5/5] netdev: implement PMKSA for fullmac drivers

[James Prestwood]

Supporting PMKSA on fullmac drivers requires that we set the PMKSA
into the kernel as well as remove it. This can now be triggered
via the new PMKSA driver callbacks which are implemented and set
with this patch.
---
 src/netdev.c | 113 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)

diff --git a/src/netdev.c b/src/netdev.c
index 06282c2a..ddd05621 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1498,6 +1498,105 @@ static void netdev_setting_keys_failed(struct netdev_handshake_state *nhs,
 	handshake_event(&nhs->super, HANDSHAKE_EVENT_SETTING_KEYS_FAILED, &err);
 }
 
+static bool netdev_match_addr(const void *a, const void *b)
+{
+	const struct netdev *netdev = a;
+	const uint8_t *addr = b;
+
+	return memcmp(netdev->addr, addr, ETH_ALEN) == 0;
+}
+
+static struct netdev *netdev_find_by_address(const uint8_t *addr)
+{
+	return l_queue_find(netdev_list, netdev_match_addr, addr);
+}
+
+static void netdev_pmksa_driver_add(const struct pmksa *pmksa)
+{
+	struct l_genl_msg *msg;
+	struct netdev *netdev = netdev_find_by_address(pmksa->spa);
+	uint32_t expiration = (uint32_t)pmksa->expiration;
+
+	if (!netdev)
+		return;
+
+	/* Only need to set the PMKSA into the kernel for fullmac drivers */
+	if (wiphy_supports_cmds_auth_assoc(netdev->wiphy))
+		return;
+
+	l_debug("Adding PMKSA to kernel");
+
+	msg = l_genl_msg_new(NL80211_CMD_SET_PMKSA);
+
+	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &netdev->index);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_PMKID, 16, pmksa->pmkid);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, pmksa->aa);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_SSID,
+				pmksa->ssid_len, pmksa->ssid);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_PMK_LIFETIME, 4, &expiration);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_PMK,
+				pmksa->pmk_len, pmksa->pmk);
+
+	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
+		l_error("error sending SET_PMKSA");
+}
+
+static void netdev_pmksa_driver_remove(const struct pmksa *pmksa)
+{
+	struct l_genl_msg *msg;
+	struct netdev *netdev = netdev_find_by_address(pmksa->spa);
+
+	if (!netdev)
+		return;
+
+	/* Only need to set the PMKSA into the kernel for fullmac drivers */
+	if (wiphy_supports_cmds_auth_assoc(netdev->wiphy))
+		return;
+
+	l_debug("Removing PMKSA from kernel");
+
+	msg = l_genl_msg_new(NL80211_CMD_DEL_PMKSA);
+
+	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &netdev->index);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_PMKID, 16, pmksa->pmkid);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_MAC, ETH_ALEN, pmksa->aa);
+	l_genl_msg_append_attr(msg, NL80211_ATTR_SSID,
+				pmksa->ssid_len, pmksa->ssid);
+
+	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
+		l_error("error sending DEL_PMKSA");
+}
+
+static void netdev_flush_pmksa(struct netdev *netdev)
+{
+	struct l_genl_msg *msg;
+
+	/*
+	* We only utilize the kernel's PMKSA cache for fullmac cards,
+	* so no need to flush if this is a softmac.
+	*/
+	if (wiphy_supports_cmds_auth_assoc(netdev->wiphy))
+		return;
+
+	msg = l_genl_msg_new(NL80211_CMD_FLUSH_PMKSA);
+
+	l_genl_msg_append_attr(msg, NL80211_ATTR_IFINDEX, 4, &netdev->index);
+
+	if (!l_genl_family_send(nl80211, msg, NULL, NULL, NULL))
+		l_error("Failed to flush PMKSA for %u", netdev->index);
+}
+
+static void netdev_pmksa_driver_flush(void)
+{
+	const struct l_queue_entry *e;
+
+	for (e = l_queue_get_entries(netdev_list); e; e = e->next) {
+		struct netdev *netdev = e->data;
+
+		netdev_flush_pmksa(netdev);
+	}
+}
+
 static void try_handshake_complete(struct netdev_handshake_state *nhs)
 {
 	l_debug("ptk_installed: %u, gtk_installed: %u, igtk_installed: %u",
@@ -6544,6 +6643,16 @@ struct netdev *netdev_create_from_genl(struct l_genl_msg *msg,
 
 	netdev_get_link(netdev);
 
+	/*
+	 * Call the netdev-specific variant to flush only this devices PMKSA
+	 * cache in the kernel. This will make IWD's cache and the kernel's
+	 * cache consistent, i.e. no entries
+	 *
+	 * TODO: If we ever are storing PMKSA's on disk we would first need to
+	 *       flush, then add all the PMKSA entries at this time.
+	 */
+	netdev_flush_pmksa(netdev);
+
 	return netdev;
 }
 
@@ -6659,6 +6768,10 @@ static int netdev_init(void)
 
 	__ft_set_tx_frame_func(netdev_tx_ft_frame);
 
+	__pmksa_set_driver_callbacks(netdev_pmksa_driver_add,
+					netdev_pmksa_driver_remove,
+					netdev_pmksa_driver_flush);
+
 	unicast_watch = l_genl_add_unicast_watch(genl, NL80211_GENL_NAME,
 						netdev_unicast_notify,
 						NULL, NULL);
-- 
2.34.1

Re: [PATCH v2 0/5] PMKSA support for fullmac drivers

[Denis Kenzior]

Hi James,

On 2/13/25 2:18 PM, James Prestwood wrote:
> This set removes the need for the prior patch on the list:
> [RFC] netdev: avoid PMKSA for fullmac drivers
> 
> And instead implementes proper support for PMKSA as opposed to
> disabling it.
> 
> v2:
>   * Reworked patches to utilize a new driver callback concept within
>     the pmksa module. This avoids the need to expose any netdev APIs
>     and makes the removal within the kernel transparent to modules
>     using the PMKSA cache.
> 
> James Prestwood (5):
>    netdev: don't set CQM thresholds for fullmac cards
>    netdev: remove/update some iwd_notice logs
>    pmksa: add driver callbacks and pmksa_cache_free
>    handshake: use pmksa_cache_free
>    netdev: implement PMKSA for fullmac drivers
> 
>   src/handshake.c |   6 +--
>   src/netdev.c    | 133 +++++++++++++++++++++++++++++++++++++++++++++---
>   src/pmksa.c     |  38 +++++++++++++-
>   src/pmksa.h     |   9 ++++
>   4 files changed, 173 insertions(+), 13 deletions(-)
> 

I went ahead and applied this series as well.  Thanks!

Regards,
-Denis