* [PATCH wireless-next 0/3] wifi: cfg80211/mac80211: Add support for IEEE 802.1X Authentication Protocol
@ 2026-02-26 6:54 Kavita Kavita
2026-02-26 6:54 ` [PATCH wireless-next 1/3] wifi: cfg80211: add " Kavita Kavita
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Kavita Kavita @ 2026-02-26 6:54 UTC (permalink / raw)
To: johannes; +Cc: linux-wireless, kavita.kavita
Add support for the new IEEE 802.1X authentication protocol using
Authentication frames, both without (Re)Association frame encryption
as specified in "IEEE P802.11bi/D4.0, 12.16.5" and with
(Re)Association frame encryption as specified in
"IEEE P802.11bi/D4.0, 12.16.8.2".
This patch series introduces the required changes for non-AP STA mode.
For the AP mode, no additional changes are required for this
functionality. These patches have been tested end-to-end using the
Hwsim test tool.
Note: The patches apply cleanly and do not introduce any build issues
on their own. However, the IEEE 802.1X Authentication protocol depends
on (Re)Association frame encryption support introduced during EPPKE
feature development. Without this encryption support, the IEEE 802.1X
authentication functionality will not work properly, even though the
series itself builds independently.
Functional dependencies:
- [PATCH wireless-next v4 9/9] wifi: mac80211_hwsim: Declare support
for EPPKE authentication protocol
Link: https://lore.kernel.org/linux-wireless/20260114111900.2196941-10-kavita.kavita@oss.qualcomm.com/T/#m69c7b20e0e9242b40bfa888082f87a8c9211d46e
- [PATCH wireless-next v4] wifi: mac80211: Fix AAD/Nonce computation
for management frames with MLO
Link: https://lore.kernel.org/linux-wireless/20260226042959.3766157-1-sai.magam@oss.qualcomm.com/T/#u
Both functional dependencies are under review, and until they are
merged, this series cannot be fully functional.
Kavita Kavita (3):
wifi: cfg80211: add support for IEEE 802.1X Authentication Protocol
wifi: mac80211: Add support for IEEE 802.1X authentication protocol in
non-AP STA mode
wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication
protocol
drivers/net/wireless/virtual/mac80211_hwsim.c | 2 +
include/linux/ieee80211.h | 2 +
include/uapi/linux/nl80211.h | 9 +++
net/mac80211/mlme.c | 78 +++++++++++++++++--
net/wireless/nl80211.c | 14 +++-
5 files changed, 97 insertions(+), 8 deletions(-)
base-commit: 8bf22c33e7a172fbc72464f4cc484d23a6b412ba
--
2.34.1
^ permalink raw reply [flat|nested] 12+ messages in thread* [PATCH wireless-next 1/3] wifi: cfg80211: add support for IEEE 802.1X Authentication Protocol 2026-02-26 6:54 [PATCH wireless-next 0/3] wifi: cfg80211/mac80211: Add support for IEEE 802.1X Authentication Protocol Kavita Kavita @ 2026-02-26 6:54 ` Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 2/3] wifi: mac80211: Add support for IEEE 802.1X authentication protocol in non-AP STA mode Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol Kavita Kavita 2 siblings, 0 replies; 12+ messages in thread From: Kavita Kavita @ 2026-02-26 6:54 UTC (permalink / raw) To: johannes; +Cc: linux-wireless, kavita.kavita Add an extended feature flag NL80211_EXT_FEATURE_IEEE8021X_AUTH to allow a driver to indicate support for the IEEE 802.1X authentication protocol in non-AP STA mode, as defined in "IEEE P802.11bi/D4.0, 12.16.5". In case of SME in userspace, the Authentication frame body is prepared in userspace while the driver finalizes the Authentication frame once it receives the required fields and elements. The driver indicates support for IEEE 802.1X authentication using the extended feature flag so that userspace can initiate IEEE 802.1X authentication. When the feature flag is set, process IEEE 802.1X Authentication frames from userspace in non-AP STA mode. If the flag is not set, reject IEEE 802.1X Authentication frames. Define a new authentication type NL80211_AUTHTYPE_IEEE8021X for IEEE 802.1X authentication. Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com> --- include/linux/ieee80211.h | 1 + include/uapi/linux/nl80211.h | 9 +++++++++ net/wireless/nl80211.c | 14 ++++++++++++-- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h index 0aa2fb8f88de..1bf806f85372 100644 --- a/include/linux/ieee80211.h +++ b/include/linux/ieee80211.h @@ -1358,6 +1358,7 @@ struct ieee80211_tdls_data { #define WLAN_AUTH_FILS_SK 4 #define WLAN_AUTH_FILS_SK_PFS 5 #define WLAN_AUTH_FILS_PK 6 +#define WLAN_AUTH_IEEE8021X 8 #define WLAN_AUTH_EPPKE 9 #define WLAN_AUTH_LEAP 128 diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h index b63f71850906..6802e6884800 100644 --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h @@ -5466,6 +5466,8 @@ enum nl80211_bss_status { * @NL80211_AUTHTYPE_FILS_SK_PFS: Fast Initial Link Setup shared key with PFS * @NL80211_AUTHTYPE_FILS_PK: Fast Initial Link Setup public key * @NL80211_AUTHTYPE_EPPKE: Enhanced Privacy Protection Key Exchange + * @NL80211_AUTHTYPE_IEEE8021X: IEEE 802.1X authentication utilizing + * Authentication frames * @__NL80211_AUTHTYPE_NUM: internal * @NL80211_AUTHTYPE_MAX: maximum valid auth algorithm * @NL80211_AUTHTYPE_AUTOMATIC: determine automatically (if necessary by @@ -5482,6 +5484,7 @@ enum nl80211_auth_type { NL80211_AUTHTYPE_FILS_SK_PFS, NL80211_AUTHTYPE_FILS_PK, NL80211_AUTHTYPE_EPPKE, + NL80211_AUTHTYPE_IEEE8021X, /* keep last */ __NL80211_AUTHTYPE_NUM, @@ -6795,6 +6798,11 @@ enum nl80211_feature_flags { * frames in both non‑AP STA and AP mode as specified in * "IEEE P802.11bi/D3.0, 12.16.6". * + * @NL80211_EXT_FEATURE_IEEE8021X_AUTH: Driver supports IEEE 802.1X + * authentication utilizing Authentication frames with user space SME + * (NL80211_CMD_AUTHENTICATE) in non-AP STA mode, as specified in + * "IEEE P802.11bi/D4.0, 12.16.5". + * * @NUM_NL80211_EXT_FEATURES: number of extended features. * @MAX_NL80211_EXT_FEATURES: highest extended feature index. */ @@ -6873,6 +6881,7 @@ enum nl80211_ext_feature_index { NL80211_EXT_FEATURE_BEACON_RATE_EHT, NL80211_EXT_FEATURE_EPPKE, NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION, + NL80211_EXT_FEATURE_IEEE8021X_AUTH, /* add new features before the definition below */ NUM_NL80211_EXT_FEATURES, diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 6e58b238a1f8..3258ef2e3631 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -6542,6 +6542,10 @@ static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev, NL80211_EXT_FEATURE_EPPKE) && auth_type == NL80211_AUTHTYPE_EPPKE) return false; + if (!wiphy_ext_feature_isset(&rdev->wiphy, + NL80211_EXT_FEATURE_IEEE8021X_AUTH) && + auth_type == NL80211_AUTHTYPE_IEEE8021X) + return false; return true; case NL80211_CMD_CONNECT: if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) && @@ -6563,6 +6567,10 @@ static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev, NL80211_EXT_FEATURE_EPPKE) && auth_type == NL80211_AUTHTYPE_EPPKE) return false; + if (!wiphy_ext_feature_isset(&rdev->wiphy, + NL80211_EXT_FEATURE_IEEE8021X_AUTH) && + auth_type == NL80211_AUTHTYPE_IEEE8021X) + return false; return true; case NL80211_CMD_START_AP: if (!wiphy_ext_feature_isset(&rdev->wiphy, @@ -12077,7 +12085,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info) auth_type == NL80211_AUTHTYPE_FILS_SK || auth_type == NL80211_AUTHTYPE_FILS_SK_PFS || auth_type == NL80211_AUTHTYPE_FILS_PK || - auth_type == NL80211_AUTHTYPE_EPPKE) && + auth_type == NL80211_AUTHTYPE_EPPKE || + auth_type == NL80211_AUTHTYPE_IEEE8021X) && !info->attrs[NL80211_ATTR_AUTH_DATA]) return -EINVAL; @@ -12086,7 +12095,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info) auth_type != NL80211_AUTHTYPE_FILS_SK && auth_type != NL80211_AUTHTYPE_FILS_SK_PFS && auth_type != NL80211_AUTHTYPE_FILS_PK && - auth_type != NL80211_AUTHTYPE_EPPKE) + auth_type != NL80211_AUTHTYPE_EPPKE && + auth_type != NL80211_AUTHTYPE_IEEE8021X) return -EINVAL; req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]); req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]); -- 2.34.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH wireless-next 2/3] wifi: mac80211: Add support for IEEE 802.1X authentication protocol in non-AP STA mode 2026-02-26 6:54 [PATCH wireless-next 0/3] wifi: cfg80211/mac80211: Add support for IEEE 802.1X Authentication Protocol Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 1/3] wifi: cfg80211: add " Kavita Kavita @ 2026-02-26 6:54 ` Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol Kavita Kavita 2 siblings, 0 replies; 12+ messages in thread From: Kavita Kavita @ 2026-02-26 6:54 UTC (permalink / raw) To: johannes; +Cc: linux-wireless, kavita.kavita Add support for the IEEE 802.1X authentication protocol in non-AP STA mode, as specified in "IEEE P802.11bi/D4.0, 12.16.5". IEEE 802.1X authentication involves multiple Authentication frame exchanges, with the non-AP STA and AP alternating transaction sequence numbers. The number of Authentication frame exchanges depends on the EAP method in use. For IEEE 802.1X authentication, process only Authentication frames with the expected transaction sequence number. For IEEE 802.1X Authentication, Table 9-71 specifies that the Encapsulation Length field as specified in Clause 9.4.1.82 shall be present in all IEEE 802.1X Authentication frames. Drop the frame in the mac80211 if the Encapsulation Length field is missing. After receiving the final Authentication frame with status code WLAN_STATUS_8021X_AUTH_SUCCESS from the AP, mac80211 marks the state as authenticated, as it indicates the EAP handshake has completed successfully over the Authentication frames as specified in Clause 12.16.5. In the PMKSA caching case, only two Authentication frames are exchanged if the AP identifies a valid PMKSA, then as specified in Clause 12.16.8.3, the AP shall set the Status Code to WLAN_STATUS_SUCCESS in the final Authentication frame and must not include an encapsulated EAPOL PDU. This frame will be the final Authentication frame from the AP when PMKSA caching is enabled, and mac80211 marks the state as authenticated. In case of authentication success or failure, forward the Authentication frame to userspace(e.g. wpa_supplicant), and let userspace validate the Authentication frame from the AP as per the specification. Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com> --- include/linux/ieee80211.h | 1 + net/mac80211/mlme.c | 78 ++++++++++++++++++++++++++++++++++++--- 2 files changed, 73 insertions(+), 6 deletions(-) diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h index 1bf806f85372..3651b2e6c518 100644 --- a/include/linux/ieee80211.h +++ b/include/linux/ieee80211.h @@ -1508,6 +1508,7 @@ enum ieee80211_statuscode { WLAN_STATUS_SAE_PK = 127, WLAN_STATUS_DENIED_TID_TO_LINK_MAPPING = 133, WLAN_STATUS_PREF_TID_TO_LINK_MAPPING_SUGGESTED = 134, + WLAN_STATUS_8021X_AUTH_SUCCESS = 153, }; diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index e83582b2c377..a073451b0c94 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -4920,7 +4920,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, struct ieee80211_mgmt *mgmt, size_t len) { struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; - u16 auth_alg, auth_transaction, status_code; + u16 auth_alg, auth_transaction, status_code, encap_len; struct ieee80211_event event = { .type = MLME_EVENT, .u.mlme.data = AUTH_EVENT, @@ -4929,6 +4929,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, .subtype = IEEE80211_STYPE_AUTH, }; bool sae_need_confirm = false; + bool auth_fail = false; lockdep_assert_wiphy(sdata->local->hw.wiphy); @@ -4945,6 +4946,15 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction); status_code = le16_to_cpu(mgmt->u.auth.status_code); + /* + * IEEE 802.1X Authentication: + * Header + Authentication Algorithm Number(2 byte) + Authentication + * Transaction Sequence Number(2 byte) + Status Code(2 byte) + + * Encapsulation Length(2 byte). + */ + if (auth_alg == WLAN_AUTH_IEEE8021X && len < 24 + 8) + return; + info.link_id = ifmgd->auth_data->link_id; if (auth_alg != ifmgd->auth_data->algorithm || @@ -4960,7 +4970,24 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, goto notify_driver; } - if (status_code != WLAN_STATUS_SUCCESS) { + switch (auth_alg) { + case WLAN_AUTH_IEEE8021X: + if (status_code != WLAN_STATUS_SUCCESS && + status_code != WLAN_STATUS_8021X_AUTH_SUCCESS) + auth_fail = true; + + if (!auth_fail) { + /* Indicates length of encapsulated EAPOL PDU */ + encap_len = get_unaligned_le16(mgmt->u.auth.variable); + } + break; + default: + if (status_code != WLAN_STATUS_SUCCESS) + auth_fail = true; + break; + } + + if (auth_fail) { cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len); if (auth_alg == WLAN_AUTH_SAE && @@ -4997,6 +5024,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, case WLAN_AUTH_FILS_SK_PFS: case WLAN_AUTH_FILS_PK: case WLAN_AUTH_EPPKE: + case WLAN_AUTH_IEEE8021X: break; case WLAN_AUTH_SHARED_KEY: if (ifmgd->auth_data->expected_transaction != 4) { @@ -5017,8 +5045,37 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, if (ifmgd->auth_data->algorithm != WLAN_AUTH_SAE || (auth_transaction == 2 && ifmgd->auth_data->expected_transaction == 2)) { - if (!ieee80211_mark_sta_auth(sdata)) - return; /* ignore frame -- wait for timeout */ + switch (ifmgd->auth_data->algorithm) { + case WLAN_AUTH_IEEE8021X: + /* + * IEEE 802.1X authentication: + * - When the full EAP handshake completes over the + * Authentication process, the responder sets the + * Status Code to WLAN_STATUS_8021X_AUTH_SUCCESS as + * specified in "IEEE P802.11bi/D4.0, 12.16.5". + * + * - In the PMKSA caching case, only two Authentication + * frames are exchanged if the responder (e.g., AP) + * identifies a valid PMKSA, then as specified in + * "IEEE P802.11bi/D4.0, 12.16.8.3", the responder + * shall set the Status Code to SUCCESS in the final + * Authentication frame and must not include an + * encapsulated EAPOL PDU. + * + * Both conditions are treated as successful + * authentication, so mark the state to Authenticated. + */ + if (status_code != WLAN_STATUS_8021X_AUTH_SUCCESS && + !(status_code == WLAN_STATUS_SUCCESS && + encap_len == 0)) + break; + fallthrough; + default: + if (!ieee80211_mark_sta_auth(sdata)) + return; /* ignore frame -- wait for timeout */ + + break; + } } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE && auth_transaction == 1) { sae_need_confirm = true; @@ -8457,6 +8514,10 @@ static int ieee80211_auth(struct ieee80211_sub_if_data *sdata) } else if (auth_data->algorithm == WLAN_AUTH_EPPKE) { trans = auth_data->trans; status = auth_data->status; + } else if (auth_data->algorithm == WLAN_AUTH_IEEE8021X) { + trans = auth_data->trans; + status = auth_data->status; + auth_data->expected_transaction = trans + 1; } if (ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) @@ -9114,7 +9175,8 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata, } if (ifmgd->auth_data && - ifmgd->auth_data->algorithm == WLAN_AUTH_EPPKE) + (ifmgd->auth_data->algorithm == WLAN_AUTH_EPPKE || + ifmgd->auth_data->algorithm == WLAN_AUTH_IEEE8021X)) new_sta->sta.epp_peer = true; new_sta->sta.mlo = mlo; @@ -9374,6 +9436,9 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, case NL80211_AUTHTYPE_EPPKE: auth_alg = WLAN_AUTH_EPPKE; break; + case NL80211_AUTHTYPE_IEEE8021X: + auth_alg = WLAN_AUTH_IEEE8021X; + break; default: return -EOPNOTSUPP; } @@ -9399,7 +9464,8 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, if (req->auth_data_len >= 4) { if (req->auth_type == NL80211_AUTHTYPE_SAE || - req->auth_type == NL80211_AUTHTYPE_EPPKE) { + req->auth_type == NL80211_AUTHTYPE_EPPKE || + req->auth_type == NL80211_AUTHTYPE_IEEE8021X) { __le16 *pos = (__le16 *) req->auth_data; auth_data->trans = le16_to_cpu(pos[0]); -- 2.34.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 6:54 [PATCH wireless-next 0/3] wifi: cfg80211/mac80211: Add support for IEEE 802.1X Authentication Protocol Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 1/3] wifi: cfg80211: add " Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 2/3] wifi: mac80211: Add support for IEEE 802.1X authentication protocol in non-AP STA mode Kavita Kavita @ 2026-02-26 6:54 ` Kavita Kavita 2026-02-26 8:36 ` Johannes Berg 2 siblings, 1 reply; 12+ messages in thread From: Kavita Kavita @ 2026-02-26 6:54 UTC (permalink / raw) To: johannes; +Cc: linux-wireless, kavita.kavita Advertise support for the IEEE 802.1X authentication protocol in mac80211_hwsim to enable testing scenarios. Signed-off-by: Kavita Kavita <kavita.kavita@oss.qualcomm.com> --- drivers/net/wireless/virtual/mac80211_hwsim.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c index 4d9f5f87e814..c86ceb5f6703 100644 --- a/drivers/net/wireless/virtual/mac80211_hwsim.c +++ b/drivers/net/wireless/virtual/mac80211_hwsim.c @@ -5640,6 +5640,8 @@ static int mac80211_hwsim_new_radio(struct genl_info *info, wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_BSS_COLOR); + wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_IEEE8021X_AUTH); + hw->wiphy->interface_modes = param->iftypes; /* ask mac80211 to reserve space for magic */ -- 2.34.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 6:54 ` [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol Kavita Kavita @ 2026-02-26 8:36 ` Johannes Berg 2026-02-26 13:50 ` Kavita Kavita 0 siblings, 1 reply; 12+ messages in thread From: Johannes Berg @ 2026-02-26 8:36 UTC (permalink / raw) To: Kavita Kavita; +Cc: linux-wireless On Thu, 2026-02-26 at 12:24 +0530, Kavita Kavita wrote: > Advertise support for the IEEE 802.1X authentication protocol in > mac80211_hwsim to enable testing scenarios. Do we even need this in drivers vs. mac80211 just setting it? All the code for it is in mac80211, so it shouldn't matter? I'd actually argue NL80211_EXT_FEATURE_EPPKE is the same, mac80211 should set it instead of the driver (I didn't merge [1] yet anyway) and only NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION should be in the driver? [1] https://patchwork.kernel.org/project/linux-wireless/patch/20260114111900.2196941-10-kavita.kavita@oss.qualcomm.com/ johannes ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 8:36 ` Johannes Berg @ 2026-02-26 13:50 ` Kavita Kavita 2026-02-26 13:53 ` Johannes Berg 0 siblings, 1 reply; 12+ messages in thread From: Kavita Kavita @ 2026-02-26 13:50 UTC (permalink / raw) To: Johannes Berg; +Cc: linux-wireless On 2/26/2026 2:06 PM, Johannes Berg wrote: > On Thu, 2026-02-26 at 12:24 +0530, Kavita Kavita wrote: >> Advertise support for the IEEE 802.1X authentication protocol in >> mac80211_hwsim to enable testing scenarios. > > Do we even need this in drivers vs. mac80211 just setting it? > > All the code for it is in mac80211, so it shouldn't matter? > > I'd actually argue NL80211_EXT_FEATURE_EPPKE is the same, mac80211 > should set it instead of the driver (I didn't merge [1] yet anyway) and > only NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION should be in the driver? For (Re)Association frame encryption, additional changes are required in the driver and firmware. Because of this dependency, we initially thought it was best to let the driver set the EPPKE and IEEE 802.1X Authentication feature flags as well. However, since no lower-layer changes are actually needed for EPPKE and IEEE 802.1X Authentication, these can safely be advertised directly in mac80211. The driver should only set the (Re)Association frame encryption feature flag, and mac80211 can then conditionally enable the EPPKE and IEEE 802.1X Authentication feature flags based on that indication. I will send the updated patch set with these changes. Thank you. > > > [1] https://patchwork.kernel.org/project/linux-wireless/patch/20260114111900.2196941-10-kavita.kavita@oss.qualcomm.com/ > > johannes ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 13:50 ` Kavita Kavita @ 2026-02-26 13:53 ` Johannes Berg 2026-02-26 14:07 ` Kavita Kavita 2026-02-26 16:49 ` Kavita Kavita 0 siblings, 2 replies; 12+ messages in thread From: Johannes Berg @ 2026-02-26 13:53 UTC (permalink / raw) To: Kavita Kavita; +Cc: linux-wireless On Thu, 2026-02-26 at 19:20 +0530, Kavita Kavita wrote: > > On 2/26/2026 2:06 PM, Johannes Berg wrote: > > On Thu, 2026-02-26 at 12:24 +0530, Kavita Kavita wrote: > > > Advertise support for the IEEE 802.1X authentication protocol in > > > mac80211_hwsim to enable testing scenarios. > > > > Do we even need this in drivers vs. mac80211 just setting it? > > > > All the code for it is in mac80211, so it shouldn't matter? > > > > I'd actually argue NL80211_EXT_FEATURE_EPPKE is the same, mac80211 > > should set it instead of the driver (I didn't merge [1] yet anyway) and > > only NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION should be in the driver? > > > For (Re)Association frame encryption, additional changes are required in the > driver and firmware. Because of this dependency, we initially thought it was > best to let the driver set the EPPKE and IEEE 802.1X Authentication feature > flags as well. > However, since no lower-layer changes are actually needed for EPPKE and > IEEE 802.1X Authentication, these can safely be advertised directly in mac80211. > The driver should only set the (Re)Association frame encryption feature flag, > and mac80211 can then conditionally enable the EPPKE and IEEE 802.1X Authentication > feature flags based on that indication. > > I will send the updated patch set with these changes. Thank you. Right, works for me. Can you please also resend the hwsim patch for EPPKE/assoc frame encryption then, that I linked to earlier? Feel free to just put it into this patchset (instead of this one) of course. I'm planning to apply the AAD/nonce fix soon, and then this can go in. johannes ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 13:53 ` Johannes Berg @ 2026-02-26 14:07 ` Kavita Kavita 2026-02-26 16:49 ` Kavita Kavita 1 sibling, 0 replies; 12+ messages in thread From: Kavita Kavita @ 2026-02-26 14:07 UTC (permalink / raw) To: Johannes Berg; +Cc: linux-wireless On 2/26/2026 7:23 PM, Johannes Berg wrote: > On Thu, 2026-02-26 at 19:20 +0530, Kavita Kavita wrote: >> >> On 2/26/2026 2:06 PM, Johannes Berg wrote: >>> On Thu, 2026-02-26 at 12:24 +0530, Kavita Kavita wrote: >>>> Advertise support for the IEEE 802.1X authentication protocol in >>>> mac80211_hwsim to enable testing scenarios. >>> >>> Do we even need this in drivers vs. mac80211 just setting it? >>> >>> All the code for it is in mac80211, so it shouldn't matter? >>> >>> I'd actually argue NL80211_EXT_FEATURE_EPPKE is the same, mac80211 >>> should set it instead of the driver (I didn't merge [1] yet anyway) and >>> only NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION should be in the driver? >> >> >> For (Re)Association frame encryption, additional changes are required in the >> driver and firmware. Because of this dependency, we initially thought it was >> best to let the driver set the EPPKE and IEEE 802.1X Authentication feature >> flags as well. >> However, since no lower-layer changes are actually needed for EPPKE and >> IEEE 802.1X Authentication, these can safely be advertised directly in mac80211. >> The driver should only set the (Re)Association frame encryption feature flag, >> and mac80211 can then conditionally enable the EPPKE and IEEE 802.1X Authentication >> feature flags based on that indication. >> >> I will send the updated patch set with these changes. Thank you. > > Right, works for me. Can you please also resend the hwsim patch for > EPPKE/assoc frame encryption then, that I linked to earlier? Feel free > to just put it into this patchset (instead of this one) of course. > > I'm planning to apply the AAD/nonce fix soon, and then this can go in. Sure, I will resend the hwsim patch for EPPKE/Assoc and will include it in the next patchset version. Thank you. > > johannes ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 13:53 ` Johannes Berg 2026-02-26 14:07 ` Kavita Kavita @ 2026-02-26 16:49 ` Kavita Kavita 2026-02-26 16:50 ` Johannes Berg 1 sibling, 1 reply; 12+ messages in thread From: Kavita Kavita @ 2026-02-26 16:49 UTC (permalink / raw) To: Johannes Berg; +Cc: linux-wireless On 2/26/2026 7:23 PM, Johannes Berg wrote: > On Thu, 2026-02-26 at 19:20 +0530, Kavita Kavita wrote: >> >> On 2/26/2026 2:06 PM, Johannes Berg wrote: >>> On Thu, 2026-02-26 at 12:24 +0530, Kavita Kavita wrote: >>>> Advertise support for the IEEE 802.1X authentication protocol in >>>> mac80211_hwsim to enable testing scenarios. >>> >>> Do we even need this in drivers vs. mac80211 just setting it? >>> >>> All the code for it is in mac80211, so it shouldn't matter? >>> >>> I'd actually argue NL80211_EXT_FEATURE_EPPKE is the same, mac80211 >>> should set it instead of the driver (I didn't merge [1] yet anyway) and >>> only NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION should be in the driver? >> >> >> For (Re)Association frame encryption, additional changes are required in the >> driver and firmware. Because of this dependency, we initially thought it was >> best to let the driver set the EPPKE and IEEE 802.1X Authentication feature >> flags as well. >> However, since no lower-layer changes are actually needed for EPPKE and >> IEEE 802.1X Authentication, these can safely be advertised directly in mac80211. >> The driver should only set the (Re)Association frame encryption feature flag, >> and mac80211 can then conditionally enable the EPPKE and IEEE 802.1X Authentication >> feature flags based on that indication. >> >> I will send the updated patch set with these changes. Thank you. > > Right, works for me. Can you please also resend the hwsim patch for > EPPKE/assoc frame encryption then, that I linked to earlier? Feel free > to just put it into this patchset (instead of this one) of course. > > I'm planning to apply the AAD/nonce fix soon, and then this can go in. Sorry, I missed one case earlier. EPPKE mandates (Re)Association frame encryption support, so we should only advertise EPPKE when the driver indicates support for (Re)Association frame encryption in mac80211. On the other hand, IEEE 802.1X Authentication can operate with or without (Re)Association encryption support, as specified in IEEE P802.11bi/D4.0, clauses 12.16.5 and 12.16.8.2. I am thinking to advertise IEEE 802.1X Authentication support directly from mac80211, without any (Re)Association encryption support indication from the driver. > > johannes ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 16:49 ` Kavita Kavita @ 2026-02-26 16:50 ` Johannes Berg 2026-02-26 16:58 ` Kavita Kavita 0 siblings, 1 reply; 12+ messages in thread From: Johannes Berg @ 2026-02-26 16:50 UTC (permalink / raw) To: Kavita Kavita; +Cc: linux-wireless On Thu, 2026-02-26 at 22:19 +0530, Kavita Kavita wrote: > > Sorry, I missed one case earlier. EPPKE mandates (Re)Association frame > encryption support, so we should only advertise EPPKE when the driver indicates > support for (Re)Association frame encryption in mac80211. Oh, OK, but we could also check that in mac80211, in register_hw(), I think? johannes ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 16:50 ` Johannes Berg @ 2026-02-26 16:58 ` Kavita Kavita 2026-02-26 17:09 ` Johannes Berg 0 siblings, 1 reply; 12+ messages in thread From: Kavita Kavita @ 2026-02-26 16:58 UTC (permalink / raw) To: Johannes Berg; +Cc: linux-wireless On 2/26/2026 10:20 PM, Johannes Berg wrote: > On Thu, 2026-02-26 at 22:19 +0530, Kavita Kavita wrote: >> >> Sorry, I missed one case earlier. EPPKE mandates (Re)Association frame >> encryption support, so we should only advertise EPPKE when the driver indicates >> support for (Re)Association frame encryption in mac80211. > > Oh, OK, but we could also check that in mac80211, in register_hw(), I > think? For EPPKE, I will handle it like this: @@ -1598,6 +1598,15 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) local->sband_allocated |= BIT(band); } + /* + * mac80211 supports EPPKE, if the driver supports (Re)Association + * frame encryption + */ + if (wiphy_ext_feature_isset(local->hw.wiphy, + NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)) + wiphy_ext_feature_set(local->hw.wiphy, + NL80211_EXT_FEATURE_EPPKE); For IEEE 802.1X Authentication, I am thinking to advertise its support directly from mac80211, in ieee80211_alloc_hw_nm, without checking for (Re)Association encryption support from the driver. > > > johannes ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol 2026-02-26 16:58 ` Kavita Kavita @ 2026-02-26 17:09 ` Johannes Berg 0 siblings, 0 replies; 12+ messages in thread From: Johannes Berg @ 2026-02-26 17:09 UTC (permalink / raw) To: Kavita Kavita; +Cc: linux-wireless On Thu, 2026-02-26 at 22:28 +0530, Kavita Kavita wrote: > > On 2/26/2026 10:20 PM, Johannes Berg wrote: > > On Thu, 2026-02-26 at 22:19 +0530, Kavita Kavita wrote: > > > > > > Sorry, I missed one case earlier. EPPKE mandates (Re)Association frame > > > encryption support, so we should only advertise EPPKE when the driver indicates > > > support for (Re)Association frame encryption in mac80211. > > > > Oh, OK, but we could also check that in mac80211, in register_hw(), I > > think? > > For EPPKE, I will handle it like this: > > @@ -1598,6 +1598,15 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > local->sband_allocated |= BIT(band); > } > > + /* > + * mac80211 supports EPPKE, if the driver supports (Re)Association > + * frame encryption > + */ > + if (wiphy_ext_feature_isset(local->hw.wiphy, > + NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)) > + wiphy_ext_feature_set(local->hw.wiphy, > + NL80211_EXT_FEATURE_EPPKE); > > For IEEE 802.1X Authentication, I am thinking to advertise its support directly > from mac80211, in ieee80211_alloc_hw_nm, without checking for (Re)Association encryption > support from the driver. > Both Makes sense, thanks! johannes ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2026-02-26 17:09 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-02-26 6:54 [PATCH wireless-next 0/3] wifi: cfg80211/mac80211: Add support for IEEE 802.1X Authentication Protocol Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 1/3] wifi: cfg80211: add " Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 2/3] wifi: mac80211: Add support for IEEE 802.1X authentication protocol in non-AP STA mode Kavita Kavita 2026-02-26 6:54 ` [PATCH wireless-next 3/3] wifi: mac80211_hwsim: Advertise support for IEEE 802.1X authentication protocol Kavita Kavita 2026-02-26 8:36 ` Johannes Berg 2026-02-26 13:50 ` Kavita Kavita 2026-02-26 13:53 ` Johannes Berg 2026-02-26 14:07 ` Kavita Kavita 2026-02-26 16:49 ` Kavita Kavita 2026-02-26 16:50 ` Johannes Berg 2026-02-26 16:58 ` Kavita Kavita 2026-02-26 17:09 ` Johannes Berg
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox