From: Johannes Berg <johannes.berg@xxxxxxxxx> When fips_enabled is set, don't send any keys to the driver (including possibly WoWLAN KEK/KCK material), assuming that no device exists with the necessary certifications. If this turns out to be false in the future, we can add a HW flag. Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx> --- net/mac80211/driver-ops.c | 5 ++++- net/mac80211/driver-ops.h | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c index 35349a7f16cb..ba9fba165926 100644 --- a/net/mac80211/driver-ops.c +++ b/net/mac80211/driver-ops.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright 2015 Intel Deutschland GmbH - * Copyright (C) 2022-2024 Intel Corporation + * Copyright (C) 2022-2025 Intel Corporation */ #include <net/mac80211.h> #include "ieee80211_i.h" @@ -515,6 +515,9 @@ int drv_set_key(struct ieee80211_local *local, !(sdata->vif.active_links & BIT(key->link_id)))) return -ENOLINK; + if (fips_enabled) + return -EOPNOTSUPP; + trace_drv_set_key(local, cmd, sdata, sta, key); ret = local->ops->set_key(&local->hw, cmd, &sdata->vif, sta, key); trace_drv_return_int(local, ret); diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h index 8baebb5636ec..181bcb34b795 100644 --- a/net/mac80211/driver-ops.h +++ b/net/mac80211/driver-ops.h @@ -8,6 +8,7 @@ #ifndef __MAC80211_DRIVER_OPS #define __MAC80211_DRIVER_OPS +#include <linux/fips.h> #include <net/mac80211.h> #include "ieee80211_i.h" #include "trace.h" @@ -902,6 +903,9 @@ static inline void drv_set_rekey_data(struct ieee80211_local *local, if (!check_sdata_in_driver(sdata)) return; + if (fips_enabled) + return; + trace_drv_set_rekey_data(local, sdata, data); if (local->ops->set_rekey_data) local->ops->set_rekey_data(&local->hw, &sdata->vif, data); -- 2.34.1
