Date: Sun, 24 May 2020 14:39:31 +0200
From: Stanislaw Gruszka
To: Julian Calaby
Cc: Rui Salvaterra, Kalle Valo, Larry Finger, linux-wireless@vger.kernel.org
Subject: Re: [RFC PATCH] rt2800lib: unconditionally enable MFP
Message-ID: <20200524123931.GA915983@wp.pl>
References: <20200524094730.2684-1-rsalvaterra@gmail.com> <20200524111751.GA914918@wp.pl>

Hi

On Sun, May 24, 2020 at 09:42:51PM +1000, Julian Calaby wrote:
> Hi Stanislaw,
>
> On Sun, May 24, 2020 at 9:27 PM Stanislaw Gruszka wrote:
> >
> > On Sun, May 24, 2020 at 10:47:31AM +0100, Rui Salvaterra wrote:
> > > According to Larry [1] (and successfully verified on b43) mac80211
> > > transparently falls back to software for unsupported hardware cyphers. Thus,
> > > there's no reason for not unconditionally enabling MFP. This gives us WPA3
> > > support out of the box, without having to manually disable hardware crypto.
> > >
> > > Tested on an RT2790-based Wi-Fi card.
> > >
> > > [1] https://lore.kernel.org/linux-wireless/8252e6a1-b83c-64eb-2503-2686374216ae@lwfinger.net/
> >
> > AFAICT more work needs to be done to support MFP by HW encryption properly
> > on rt2x00. See this message and whole thread:
> > https://lore.kernel.org/linux-wireless/977a3cf4-3ec5-4aaa-b3d4-eea2e8593652@nbd.name/
>
> Am I reading this right: rt2x00 offloads some of the processing to the
> card which interferes with MFP when using software encryption, so
> therefore we need to disable that offload when using software
> encryption with MFP.

Yes. We offload encryption to HW based on cipher. Modern ciphers like
GCMP, BIP_GMAC, etc. are not supported by rt2x00 HW. In such a case
rt2x00mac_set_key() will return -EOPNOTSUPP and all encryption will be
done by mac80211 - MFP will work just fine.

But MFP can still be used with the CCMP cipher, which we offload to HW,
and that would create the problems described by Felix.

> So if mac80211 knows that this offload is happening and that we can't
> use hardware crypto for MFP, could it be smart enough to disable the
> offload itself?
>
> And once mac80211 is smart enough to make those decisions, couldn't we
> just enable MFP by default?

If we have an indicator from mac80211 that MFP is configured, we can
just return -EOPNOTSUPP from rt2x00mac_set_key() for CCMP and that will
make MFP work without specifying the nohwcrypt module parameter -
software encryption will be used anyway.

The optimal solution, though, would be to implement code similar to that
in mt76, so we would have HW encryption for MFP+CCMP, but this is not
trivial, and I think handling encryption fully in software is OK.

Stanislaw
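
The fallback contract described in this message, as a userspace C model added here (not rt2x00 or mac80211 code): a driver key callback that returns -EOPNOTSUPP leaves encryption to software. The enums, the `mfp` field and all function names are hypothetical; `set_key_proposed` follows the suggestion to refuse CCMP offload when MFP is configured.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Ciphers named in the message; the enum itself is illustrative. */
enum cipher { CIPHER_CCMP, CIPHER_GCMP, CIPHER_BIP_GMAC };
enum crypto_path { PATH_HW, PATH_SW };

/* Hypothetical key request: `mfp` stands in for the "indicator from
 * mac80211 that MFP is configured" that the message asks for. */
struct key_req { enum cipher cipher; bool mfp; };

/* Per the message: CCMP is offloaded, GCMP and BIP_GMAC are not. */
static bool hw_has_cipher(enum cipher c) { return c == CIPHER_CCMP; }

/* Behaviour as described: the decision looks at the cipher only. */
int set_key_current(const struct key_req *k)
{
    return hw_has_cipher(k->cipher) ? 0 : -EOPNOTSUPP;
}

/* Suggested behaviour: also refuse CCMP offload when MFP is configured. */
int set_key_proposed(const struct key_req *k)
{
    if (!hw_has_cipher(k->cipher) || (k->cipher == CIPHER_CCMP && k->mfp))
        return -EOPNOTSUPP;
    return 0;
}

/* Stack side of the contract: -EOPNOTSUPP from the driver callback means
 * the key is handled in software rather than rejected. */
enum crypto_path install_key(int (*drv_set_key)(const struct key_req *),
                             const struct key_req *k)
{
    return drv_set_key(k) == -EOPNOTSUPP ? PATH_SW : PATH_HW;
}

int main(void)
{
    const struct key_req reqs[] = {   /* constructed sample requests */
        { CIPHER_CCMP, false }, { CIPHER_CCMP, true },
        { CIPHER_GCMP, true }, { CIPHER_BIP_GMAC, true },
    };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("cipher=%d mfp=%d current=%s proposed=%s\n",
               reqs[i].cipher, reqs[i].mfp,
               install_key(set_key_current, &reqs[i]) == PATH_HW ? "hw" : "sw",
               install_key(set_key_proposed, &reqs[i]) == PATH_HW ? "hw" : "sw");
    return 0;
}
```

Only the CCMP-with-MFP row differs between the two callbacks: hardware under the cipher-only check, software under the suggested one.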