From: Stanislaw Gruszka <sgruszka@redhat.com>
To: Felix Fietkau <nbd@nbd.name>
Cc: Tom Psyborg <pozega.tomislav@gmail.com>,
linux-wireless@vger.kernel.org, kvalo@codeaurora.org,
daniel@makrotopia.org
Subject: Re: [PATCH 2/2] rt2x00: enable experimental MFP with HW crypt
Date: Tue, 26 Mar 2019 12:35:03 +0100 [thread overview]
Message-ID: <20190326113502.GA9012@redhat.com> (raw)
In-Reply-To: <977a3cf4-3ec5-4aaa-b3d4-eea2e8593652@nbd.name>
On Tue, Mar 26, 2019 at 11:41:37AM +0100, Felix Fietkau wrote:
> On 2019-03-13 15:41, Tom Psyborg wrote:
> > On 13/03/2019, Stanislaw Gruszka <sgruszka@redhat.com> wrote:
> >> On Wed, Mar 13, 2019 at 02:48:01PM +0100, Tom Psyborg wrote:
> >>> On 13/03/2019, Stanislaw Gruszka <sgruszka@redhat.com> wrote:
> >>> > On Wed, Mar 13, 2019 at 02:02:32PM +0100, Tom Psyborg wrote:
> >>> >> On 13/03/2019, Stanislaw Gruszka <sgruszka@redhat.com> wrote:
> >>> >> > On Tue, Mar 12, 2019 at 08:11:42PM +0100, Tomislav Požega wrote:
> >>> >> >> MFP can work with enabled HW crypt engine, but in this case
> >>> >> >> available bandwidth is reduced at least when connecting to
> >>> >> >> Archer C7 (QCA9558). Enable the feature for known to work chipsets-
> >>> >> >> MT7620, RT3070 and RT5390. Userspace setting for ieee80211w should
> >>> >> >> default to 0 in order to prevent unintentional bandwidth drop.
> >>> >> >>
> >>> >> >> Signed-off-by: Tomislav Po?ega <pozega.tomislav@gmail.com>
> >>> >> >> ---
> >>> >> >> drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 11 +++++++----
> >>> >> >> 1 files changed, 7 insertions(+), 4 deletions(-)
> >>> >> >>
> >>> >> >> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
> >>> >> >> b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
> >>> >> >> index a03b528..bb8204d 100644
> >>> >> >> --- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
> >>> >> >> +++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
> >>> >> >> @@ -9326,6 +9326,13 @@ static int rt2800_probe_hw_mode(struct
> >>> >> >> rt2x00_dev
> >>> >> >> *rt2x00dev)
> >>> >> >> ieee80211_hw_set(rt2x00dev->hw, SIGNAL_DBM);
> >>> >> >> ieee80211_hw_set(rt2x00dev->hw, SUPPORTS_PS);
> >>> >> >>
> >>> >> >> + /* Experimental: Set MFP with HW crypto enabled. */
> >>> >> >> + if (rt2x00_rt(rt2x00dev, RT3070) || rt2x00_rt(rt2x00dev, RT5390)
> >>> >> >> ||
> >>> >> >> + rt2x00_rt(rt2x00dev, RT6352))
> >>> >> >> + ieee80211_hw_set(rt2x00dev->hw, MFP_CAPABLE);
> >>> >> >
> >>> >> > Is not that we support MFP in hardware. We just return -EOPNOTSUPP
> >>> >> > in rt2x00mac_set_key() when mac80211 will try to set MFP ciphers
> >>> >> > (since rt2x00crypto_key_to_cipher() will return CIPHER_NONE) and
> >>> >> > we fallback to software encryption.
> >>> >> >
> >>> >> > Please repost patch that enable MFP unconditionally with
> >>> >> > 'Cc: stable@vger.kernel.org' tag.
> >>> >> >
> >>> >> > Stanislaw
> >>> >> >
> >>> >>
> >>> >> No, I have not test any other chipsets besides the ones I enabled it
> >>> >> for. It is possible this would cause problems on other devices, so
> >>> >> just enable it for the known to work ones.
> >>> >
> >>> > It's just matter of sending already encrypted frames. All chipsets
> >>> > handle that.
> >>> >
> >>> > Stanislaw
> >>> >
> >>>
> >>> The question is how well all chipsets handle that. I've seen some lags
> >>> too with MFP enabled connection. While being about 40-50% lower,
> >>> throughput would still occasionally drop to very low values, like
> >>> 800Kbps.
> >>
> >> The only reason I can image that might have impact on throughput
> >> in this case is limited CPU power since encryption is done in
> >> software. Would be good to compare with PA2 with nohwcrypte, if
> >> there are similar lags. However MFP can require more CPU power.
> >>
> >> Stanislaw
> >>
> >
> > nohwcrypt=y mfp=require: there was no throughput drop, no lag,
> > measured about 80-85Mbps but the connection frozen after a minute or
> > two. might be related to rekeying.
> >
> > CPU power cannot be the problem since I run it on laptop (2x2.20GHz)
> The lag is probably caused by failed A-MPDU setup exchanges due to
> broken management frames.
>
> I think it's likely that rt28xx chipsets are behaving like mt7612e in
> that area (since the MAC design is very similar).
> I've spent quite a bit of time making MFP work properly in mt76 on that
> chipset, and here are my findings:
> Hardware crypto for management frames is broken.
> When using management frame protection, the same pairwise encryption key
> needs to be used for both data frames and management frames.
> There is a flag in mac80211 that allows software-encryption for
> management frames only.
> That leads us to the next issue: CCMP PN is usually generated in
> hardware and stored in on-chip memory, which means the mac80211 key
> tx_pn counter will be out of sync and software-encrypted management
> packets will trigger replay protection on the other side.
> To fix this, you need to enable software generated IV if management
> frames are to be sent with the same key.
> In that case you need to set TXINFO_W0_WIV and fill TXWI_W2_IV+TXWI_W3_EIV.
> Also, for software encrypted frames you need to mask out WCID, since
> otherwise the hardware will try to encrypt the frame again.
> You can use mt76 as reference for how to do all of this
I see, I got it completely wrong. I thought with MFP we will use non
supported rt2x00 cipher and we will fallback to software encryption
anyway.
So, until properly implemented we should stay with nohwcrypt for MFP.
Stanislaw
prev parent reply other threads:[~2019-03-26 11:35 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-12 19:11 [PATCH 1/2] rt2x00: code-style fix in rt2800usb.c Tomislav Požega
2019-03-12 19:11 ` [PATCH 2/2] rt2x00: enable experimental MFP with HW crypt Tomislav Požega
2019-03-13 9:12 ` Stanislaw Gruszka
2019-03-13 13:02 ` Tom Psyborg
2019-03-13 13:09 ` Stanislaw Gruszka
2019-03-13 13:48 ` Tom Psyborg
2019-03-13 14:06 ` Stanislaw Gruszka
2019-03-13 14:41 ` Tom Psyborg
2019-03-13 15:50 ` Stanislaw Gruszka
2019-03-14 14:02 ` Tom Psyborg
2019-03-14 14:13 ` Stanislaw Gruszka
2019-03-25 14:25 ` Stanislaw Gruszka
2019-03-26 1:54 ` Tom Psyborg
2019-03-26 6:16 ` Stanislaw Gruszka
2019-03-26 8:13 ` Tom Psyborg
2019-03-26 10:41 ` Felix Fietkau
2019-03-26 11:35 ` Stanislaw Gruszka [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190326113502.GA9012@redhat.com \
--to=sgruszka@redhat.com \
--cc=daniel@makrotopia.org \
--cc=kvalo@codeaurora.org \
--cc=linux-wireless@vger.kernel.org \
--cc=nbd@nbd.name \
--cc=pozega.tomislav@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).