diff mbox series

cfg80211: AP mode driver offload for FILS association crypto

Message ID 1631083922-24136-1-git-send-email-subratm@codeaurora.org (mailing list archive)
State Changes Requested
Delegated to: Johannes Berg
Headers show
Series cfg80211: AP mode driver offload for FILS association crypto | expand

Commit Message

Subrat Mishra Sept. 8, 2021, 6:52 a.m. UTC
Add a driver FILS crypto offload extended capability flag to indicate
that the driver running in AP mode is capable of handling encryption
and decryption of (Re)Association request and response frames.
Add a command to set FILS AAD data to driver.

This feature is supported on drivers running in AP mode only.
This extended capability is exchanged with hostapd during cfg80211
init. If the driver indicates this capability, then before sending the
Authentication response frame, hostapd sets FILS AAD data to the
driver. This allows the driver to decrypt (Re)Association Request
frame and encrypt (Re)Association Response frame. FILS Key derivation
will still be done in hostapd.

Signed-off-by: Subrat Mishra <subratm@codeaurora.org>

Comments

Johannes Berg Sept. 8, 2021, 7:01 a.m. UTC | #1
On Wed, 2021-09-08 at 12:22 +0530, Subrat Mishra wrote:
> 
> +	{
> +		.cmd = NL80211_CMD_SET_FILS_AAD,
> +		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> +		.doit = nl80211_set_fils_aad,
> +		.flags = GENL_UNS_ADMIN_PERM,
> +		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
> +				  NL80211_FLAG_NEED_RTNL,

I don't know how long you've been sitting on this patch, but NEED_RTNL
is no longer acceptable.

johannes
Johannes Berg Sept. 8, 2021, 7:02 a.m. UTC | #2
> +	TP_STRUCT__entry(WIPHY_ENTRY
> +			 NETDEV_ENTRY
> +			 __array(u8, macaddr, ETH_ALEN)
> +			 __field(u8, kek_len)
> +	),
> +	TP_fast_assign(WIPHY_ASSIGN;
> +		       NETDEV_ASSIGN;
> +		       FILS_AAD_ASSIGN(fils_aad);
> +	),

I don't think we typically do the alignment like that?
johannes
kernel test robot Sept. 8, 2021, 10:18 a.m. UTC | #3
Hi Subrat,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on mac80211-next/master]
[also build test WARNING on next-20210908]
[cannot apply to mac80211/master v5.14]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Subrat-Mishra/cfg80211-AP-mode-driver-offload-for-FILS-association-crypto/20210908-145513
base:   https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git master
config: x86_64-randconfig-a006-20210908 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
        # https://github.com/0day-ci/linux/commit/5f1db10bda1cc92823809fe6d36a487c9bca883b
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Subrat-Mishra/cfg80211-AP-mode-driver-offload-for-FILS-association-crypto/20210908-145513
        git checkout 5f1db10bda1cc92823809fe6d36a487c9bca883b
        # save the attached .config to linux build tree
        make W=1 ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   In file included from net/wireless/sysfs.c:16:
>> include/net/cfg80211.h:765:1: warning: 'static' is not at beginning of declaration [-Wold-style-declaration]
     765 | static inline enum nl80211_channel_type
         | ^~~~~~
>> include/net/cfg80211.h:765:1: warning: 'inline' is not at beginning of declaration [-Wold-style-declaration]
   include/net/cfg80211.h:765:15: error: expected ';', identifier or '(' before 'enum'
     765 | static inline enum nl80211_channel_type
         |               ^~~~
   include/net/cfg80211.h:765:15: error: 'inline' in empty declaration
>> include/net/cfg80211.h:766:1: warning: no previous prototype for 'cfg80211_get_chandef_type' [-Wmissing-prototypes]
     766 | cfg80211_get_chandef_type(const struct cfg80211_chan_def *chandef)
         | ^~~~~~~~~~~~~~~~~~~~~~~~~
--
   In file included from net/wireless/trace.h:12,
                    from net/wireless/trace.c:5:
>> include/net/cfg80211.h:765:1: warning: 'static' is not at beginning of declaration [-Wold-style-declaration]
     765 | static inline enum nl80211_channel_type
         | ^~~~~~
>> include/net/cfg80211.h:765:1: warning: 'inline' is not at beginning of declaration [-Wold-style-declaration]
   include/net/cfg80211.h:765:15: error: expected ';', identifier or '(' before 'enum'
     765 | static inline enum nl80211_channel_type
         |               ^~~~
   include/net/cfg80211.h:765:15: error: 'inline' in empty declaration
>> include/net/cfg80211.h:766:1: warning: no previous prototype for 'cfg80211_get_chandef_type' [-Wmissing-prototypes]
     766 | cfg80211_get_chandef_type(const struct cfg80211_chan_def *chandef)
         | ^~~~~~~~~~~~~~~~~~~~~~~~~
   In file included from net/wireless/trace.h:3683,
                    from net/wireless/trace.c:5:
   include/trace/define_trace.h:95:42: fatal error: ./trace.h: No such file or directory
      95 | #include TRACE_INCLUDE(TRACE_INCLUDE_FILE)
         |                                          ^
   compilation terminated.


vim +/static +765 include/net/cfg80211.h

5f1db10bda1cc92 Subrat Mishra  2021-09-08  757  
3d9d1d6656a73ea Johannes Berg  2012-11-08  758  /**
3d9d1d6656a73ea Johannes Berg  2012-11-08  759   * cfg80211_get_chandef_type - return old channel type from chandef
3d9d1d6656a73ea Johannes Berg  2012-11-08  760   * @chandef: the channel definition
3d9d1d6656a73ea Johannes Berg  2012-11-08  761   *
0ae997dc75efb60 Yacine Belkadi 2013-01-12  762   * Return: The old channel type (NOHT, HT20, HT40+/-) from a given
3d9d1d6656a73ea Johannes Berg  2012-11-08  763   * chandef, which must have a bandwidth allowing this conversion.
3d9d1d6656a73ea Johannes Berg  2012-11-08  764   */
683b6d3b31a5195 Johannes Berg  2012-11-08 @765  static inline enum nl80211_channel_type
683b6d3b31a5195 Johannes Berg  2012-11-08 @766  cfg80211_get_chandef_type(const struct cfg80211_chan_def *chandef)
683b6d3b31a5195 Johannes Berg  2012-11-08  767  {
3d9d1d6656a73ea Johannes Berg  2012-11-08  768  	switch (chandef->width) {
3d9d1d6656a73ea Johannes Berg  2012-11-08  769  	case NL80211_CHAN_WIDTH_20_NOHT:
3d9d1d6656a73ea Johannes Berg  2012-11-08  770  		return NL80211_CHAN_NO_HT;
3d9d1d6656a73ea Johannes Berg  2012-11-08  771  	case NL80211_CHAN_WIDTH_20:
3d9d1d6656a73ea Johannes Berg  2012-11-08  772  		return NL80211_CHAN_HT20;
3d9d1d6656a73ea Johannes Berg  2012-11-08  773  	case NL80211_CHAN_WIDTH_40:
3d9d1d6656a73ea Johannes Berg  2012-11-08  774  		if (chandef->center_freq1 > chandef->chan->center_freq)
3d9d1d6656a73ea Johannes Berg  2012-11-08  775  			return NL80211_CHAN_HT40PLUS;
3d9d1d6656a73ea Johannes Berg  2012-11-08  776  		return NL80211_CHAN_HT40MINUS;
3d9d1d6656a73ea Johannes Berg  2012-11-08  777  	default:
3d9d1d6656a73ea Johannes Berg  2012-11-08  778  		WARN_ON(1);
3d9d1d6656a73ea Johannes Berg  2012-11-08  779  		return NL80211_CHAN_NO_HT;
3d9d1d6656a73ea Johannes Berg  2012-11-08  780  	}
3d9d1d6656a73ea Johannes Berg  2012-11-08  781  }
3d9d1d6656a73ea Johannes Berg  2012-11-08  782  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff mbox series

Patch

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 62dd842..48b9027 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -740,6 +740,22 @@  struct cfg80211_tid_config {
 };
 
 /**
+ * struct cfg80211_fils_aad - FILS AAD data
+ * @macaddr: STA MAC address
+ * @kek: FILS KEK
+ * @kek_len: FILS KEK length
+ * @snonce: STA Nonce
+ * @anonce: AP Nonce
+ */
+struct cfg80211_fils_aad {
+	const u8 *macaddr;
+	const u8 *kek;
+	u8 kek_len;
+	const u8 *snonce;
+	const u8 *anonce;
+}
+
+/**
  * cfg80211_get_chandef_type - return old channel type from chandef
  * @chandef: the channel definition
  *
@@ -4018,6 +4034,10 @@  struct mgmt_frame_regs {
  * @set_sar_specs: Update the SAR (TX power) settings.
  *
  * @color_change: Initiate a color change.
+ *
+ * @set_fils_aad: Set FILS AAD data to the AP driver so that the driver can use
+ * 	those to decrypt (Re)Association Request and encrypt (Re)Association
+ * 	Response frame.
  */
 struct cfg80211_ops {
 	int	(*suspend)(struct wiphy *wiphy, struct cfg80211_wowlan *wow);
@@ -4348,6 +4368,8 @@  struct cfg80211_ops {
 	int	(*color_change)(struct wiphy *wiphy,
 				struct net_device *dev,
 				struct cfg80211_color_change_settings *params);
+	int     (*set_fils_aad)(struct wiphy *wiphy, struct net_device *dev,
+				struct cfg80211_fils_aad *fils_aad);
 };
 
 /*
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index c2efea9..e89bbf8 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -301,6 +301,29 @@ 
  */
 
 /**
+ * DOC: FILS shared key crypto offload
+ *
+ * This feature is applicable to drivers running in AP mode.
+ *
+ * FILS shared key crypto offload can be advertised by drivers by setting
+ * @NL80211_EXT_FEATURE_FILS_CRYPTO_OFFLOAD flag. The drivers that support
+ * FILS shared key crypto offload should be able to encrypt and decrypt
+ * association frames for FILS shared key authentication as per IEEE 802.11ai.
+ * With this capability, for FILS key derivation, drivers depend on userspace.
+ *
+ * After FILS key derivation, userspace shares the FILS AAD details with the
+ * driver and the driver stores the same to use in decryption of association
+ * request and in encryption of association response. The below parameters
+ * should be given to the driver in %NL80211_CMD_SET_FILS_AAD.
+ *	%NL80211_ATTR_MAC - STA MAC address, used for storing FILS AAD per STA
+ *	%NL80211_ATTR_FILS_KEK - Used for encryption or decryption
+ *	%NL80211_ATTR_FILS_NONCES - Used for encryption or decryption
+ *			(STA Nonce 16 bytes followed by AP Nonce 16 bytes)
+ *
+ * Once the association is done, the driver cleans the FILS AAD data.
+ */
+
+/**
  * enum nl80211_commands - supported nl80211 commands
  *
  * @NL80211_CMD_UNSPEC: unspecified command to catch errors
@@ -1200,6 +1223,12 @@ 
  * @NL80211_CMD_COLOR_CHANGE_COMPLETED: Notify userland that the color change
  *	has completed
  *
+ * @NL80211_CMD_SET_FILS_AAD: Set FILS AAD data to the driver using -
+ *	&NL80211_ATTR_MAC - for STA MAC address
+ *	&NL80211_ATTR_FILS_KEK - for KEK
+ *	&NL80211_ATTR_FILS_NONCES - for FILS Nonces
+ *		(STA Nonce 16 bytes followed by AP Nonce 16 bytes)
+ *
  * @NL80211_CMD_MAX: highest used command number
  * @__NL80211_CMD_AFTER_LAST: internal use
  */
@@ -1440,6 +1469,8 @@  enum nl80211_commands {
 	NL80211_CMD_COLOR_CHANGE_ABORTED,
 	NL80211_CMD_COLOR_CHANGE_COMPLETED,
 
+	NL80211_CMD_SET_FILS_AAD,
+
 	/* add new commands above here */
 
 	/* used to define NL80211_CMD_MAX below */
@@ -5995,6 +6026,11 @@  enum nl80211_feature_flags {
  * @NL80211_EXT_FEATURE_BSS_COLOR: The driver supports BSS color collision
  *	detection and change announcemnts.
  *
+ * @NL80211_EXT_FEATURE_FILS_CRYPTO_OFFLOAD: Driver running in AP mode supports
+ *	FILS encryption and decryption for (Re)Association Request and Response
+ *	frames. Userspace has to share FILS AAD details to the driver by using
+ *	@NL80211_CMD_SET_FILS_AAD.
+ *
  * @NUM_NL80211_EXT_FEATURES: number of extended features.
  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
  */
@@ -6060,6 +6096,7 @@  enum nl80211_ext_feature_index {
 	NL80211_EXT_FEATURE_SECURE_RTT,
 	NL80211_EXT_FEATURE_PROT_RANGE_NEGO_AND_MEASURE,
 	NL80211_EXT_FEATURE_BSS_COLOR,
+	NL80211_EXT_FEATURE_FILS_CRYPTO_OFFLOAD,
 
 	/* add new features before the definition below */
 	NUM_NL80211_EXT_FEATURES,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index bf7cd47..e287ee5 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -14904,6 +14904,29 @@  static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
 	return err;
 }
 
+static int nl80211_set_fils_aad(struct sk_buff *skb,
+				struct genl_info *info)
+{
+	struct cfg80211_registered_device *rdev = info->user_ptr[0];
+	struct net_device *dev = info->user_ptr[1];
+	struct cfg80211_fils_aad fils_aad = {};
+	u8 *nonces;
+
+	if (!info->attrs[NL80211_ATTR_MAC] ||
+	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
+	    !info->attrs[NL80211_ATTR_FILS_NONCES])
+		return -EINVAL;
+
+	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
+	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
+	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
+	fils_aad.snonce = nonces;
+	fils_aad.anonce = nonces + FILS_NONCE_LEN;
+
+	return rdev_set_fils_aad(rdev, dev, &fils_aad);
+}
+
 #define NL80211_FLAG_NEED_WIPHY		0x01
 #define NL80211_FLAG_NEED_NETDEV	0x02
 #define NL80211_FLAG_NEED_RTNL		0x04
@@ -15907,6 +15930,14 @@  static const struct genl_small_ops nl80211_small_ops[] = {
 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
 				  NL80211_FLAG_NEED_RTNL,
 	},
+	{
+		.cmd = NL80211_CMD_SET_FILS_AAD,
+		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+		.doit = nl80211_set_fils_aad,
+		.flags = GENL_UNS_ADMIN_PERM,
+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+				  NL80211_FLAG_NEED_RTNL,
+	},
 };
 
 static struct genl_family nl80211_fam __ro_after_init = {
diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h
index ce6bf21..cc1efec 100644
--- a/net/wireless/rdev-ops.h
+++ b/net/wireless/rdev-ops.h
@@ -1381,4 +1381,18 @@  static inline int rdev_color_change(struct cfg80211_registered_device *rdev,
 	return ret;
 }
 
+static inline int
+rdev_set_fils_aad(struct cfg80211_registered_device *rdev,
+		  struct net_device *dev, struct cfg80211_fils_aad *fils_aad)
+{
+	int ret = -EOPNOTSUPP;
+
+	trace_rdev_set_fils_aad(&rdev->wiphy, dev, fils_aad);
+	if (rdev->ops->set_fils_aad)
+		ret = rdev->ops->set_fils_aad(&rdev->wiphy, dev, fils_aad);
+	trace_rdev_return_int(&rdev->wiphy, ret);
+
+	return ret;
+}
+
 #endif /* __CFG80211_RDEV_OPS */
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index 19b78d4..b6eb23b 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -167,6 +167,19 @@ 
 			__entry->center_freq1, __entry->freq1_offset,	\
 			__entry->center_freq2
 
+#define FILS_AAD_ASSIGN(fa)                                                  \
+	do {                                                                 \
+		if (fa) {                                                    \
+			ether_addr_copy(__entry->macaddr, fa->macaddr);      \
+			__entry->kek_len = fa->kek_len;                      \
+		} else {                                                     \
+			eth_zero_addr(__entry->macaddr);                     \
+			__entry->kek_len = 0;                                \
+		}                                                            \
+	} while (0)
+#define FILS_AAD_PR_FMT                                                      \
+	"macaddr: %pM, kek_len: %d"
+
 #define SINFO_ENTRY __field(int, generation)	    \
 		    __field(u32, connected_time)    \
 		    __field(u32, inactive_time)	    \
@@ -2614,6 +2627,24 @@  DEFINE_EVENT(wiphy_wdev_cookie_evt, rdev_abort_pmsr,
 	TP_ARGS(wiphy, wdev, cookie)
 );
 
+TRACE_EVENT(rdev_set_fils_aad,
+	TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+		 struct cfg80211_fils_aad *fils_aad),
+	TP_ARGS(wiphy, netdev, fils_aad),
+	TP_STRUCT__entry(WIPHY_ENTRY
+			 NETDEV_ENTRY
+			 __array(u8, macaddr, ETH_ALEN)
+			 __field(u8, kek_len)
+	),
+	TP_fast_assign(WIPHY_ASSIGN;
+		       NETDEV_ASSIGN;
+		       FILS_AAD_ASSIGN(fils_aad);
+	),
+	TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", " FILS_AAD_PR_FMT,
+		  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->macaddr,
+		  __entry->kek_len)
+);
+
 /*************************************************************
  *	     cfg80211 exported functions traces		     *
  *************************************************************/