wpa_supplicant triggers macsec_newlink without config data for hardware offload module

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello, all,

We have recently begun developing a proxy kernel module that hooks
into driver/net/macsec.c to propagate macsec_ops to our hardware,
which supports MACsec offload.
The module works as expected with the iproute2 tool: the relevant
hooks are invoked with the appropriate configuration data during
operations like "ip link add link ...".

However, when configuring MACsec via wpa_supplicant instead of
iproute2, we encounter an issue in the path (driver_macsec_linux.c in
wpa_supplicant → driver/net/macsec.c in the kernel):

1) The macsec_newlink function is called, but it does not receive
config data, which is necessary for MACsec offload setup.
2) The configuration data is only provided later, when
macsec_transmit_sc is triggered from driver_macsec_linux.c. At this
point, it is too late.
3) As a result, all "macsec_is_offloaded" calls will be "false".

Our module simply implements the various macsec_ops. For reference,
here’s a skeleton of the relevant code:
/* Device-wide operations */
static int proxy_mdo_dev_open(struct macsec_context *ctx)
{
    PROXY_LOG("mdo_dev_open called");
    return 0;
}
static int proxy_mdo_dev_stop(struct macsec_context *ctx)
{
    PROXY_LOG("mdo_dev_stop called");
    return 0;
}
// ... other ops are the same ...
/* The proxy macsec_ops structure */
static const struct macsec_ops proxy_macsec_ops = {
    .mdo_dev_open = proxy_mdo_dev_open,
    .mdo_dev_stop = proxy_mdo_dev_stop,
    // ... other ops ...
};

static int __init macsec_proxy_init(void)
{
    dev = dev_get_by_name(&init_net, "eth100");
    if (dev) {
        pr_info("Assigned macsec_ops to netdev %p\n", dev);
        dev->features |= NETIF_F_HW_MACSEC;
        dev->macsec_ops = &proxy_macsec_ops;
    }
}

Questions:

1) Is this behavior (delayed config data) expected from wpa_supplicant?
2) Is there a recommended way to handle MACsec offload setup in this
scenario, or a way to force config data to be provided earlier (e.g.,
at macsec_newlink)?
3) Are there known differences in how iproute2 and wpa_supplicant
interact with the kernel MACsec driver regarding initial config
propagation?

Any insights or best practices for handling MACsec offload in this
scenario would be appreciated.

Best regards,
Beilu

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux