CVSROOT:        /cvs
Module name:    src
Changes by:     s...@cvs.openbsd.org    2020/06/19 05:12:46

Modified files:
        sys/dev/pci    : if_iwx.c if_iwxreg.h

Log message:
Add WPA2 (CCMP) crypto offload support to iwx(4).

Much thanks to Sara Sharon who helped me by providing hints about new
firmware behaviour.

Contrary to older iwn(4) and iwm(4) devices, key material is no longer part
of the Tx command. Instead, firmware will encrypt outgoing traffic as soon
as the station associated with a Tx queue has an encryption key configured.

Each Tx queue is created with an associated station ID (which in our case
is a constant and represents the AP) and a traffic identifier (TID).
The driver was configuring data Tx queues with the "management TID".
This magic TID value bypasses hardware encryption and resulted in plaintext
frames being sent while received frames were decrypted as expected since the
station had a key. This behaviour looked rather strange and was difficult
for me to debug.

The clues which Sara provided led to the solution: iwx(4) must configure
data Tx queues with the "non-QOS TID" in order to allow for encryption in
the firmware's data Tx path.

The rest of the offload mechanism works as it did on iwn(4) and iwm(4).

Tested by sven falempin and myself.
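
A capture-side check for the failure mode the log message describes (data frames leaving in plaintext while the station holds a key), as an added example that is not part of the commit or of OpenBSD's code: it reads the 802.11 frame control field and flags payload-carrying data frames from a given transmitter whose Protected Frame bit is clear, treating cleartext EAPOL handshake frames separately. The function names, MAC addresses and sample frames are constructed for illustration, and the caller is assumed to have stripped any radiotap header and FCS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_IGNORE, V_PROTECTED, V_EAPOL_CLEAR, V_PLAINTEXT_DATA };
/* Classify one 802.11 frame; f points at the frame control field. */
enum verdict classify_frame(const uint8_t *f, size_t len)
{
	static const uint8_t snap[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };
	size_t hdr = 24;			/* 3-address header */
	if (len < hdr)
		return V_IGNORE;
	unsigned type = (f[0] >> 2) & 0x3, subtype = (f[0] >> 4) & 0xf;
	if (type != 2 || (subtype & 0x4))	/* not data, or Null (no body) */
		return V_IGNORE;
	if (f[1] & 0x40)			/* Protected Frame bit set */
		return V_PROTECTED;
	if ((f[1] & 0x03) == 0x03)		/* ToDS+FromDS: 4th address */
		hdr += 6;
	if (subtype & 0x8)			/* QoS control, optional HT control */
		hdr += (f[1] & 0x80) ? 6 : 2;
	/* EAPOL (0x888e) is legitimately sent in the clear during the handshake. */
	if (len >= hdr + 8 && memcmp(f + hdr, snap, 6) == 0 &&
	    f[hdr + 6] == 0x88 && f[hdr + 7] == 0x8e)
		return V_EAPOL_CLEAR;
	return V_PLAINTEXT_DATA;
}

/* True if the frame was transmitted by `mac` (address 2) and is cleartext data. */
int leaks_plaintext(const uint8_t *f, size_t len, const uint8_t mac[6])
{
	return classify_frame(f, len) == V_PLAINTEXT_DATA &&
	    memcmp(f + 10, mac, 6) == 0;
}

/* Constructed sample frames (not captured traffic); both MACs are made up. */
#define STA 0x02,0,0,0,0,0x01
#define AP  0x02,0,0,0,0,0x02
const uint8_t sample_sta[6] = { STA };
const uint8_t sample_clear[] = { 0x08,0x01, 0,0, AP, STA, AP, 0x10,0, 0xaa,0xaa,0x03,0,0,0, 0x08,0x00, 0x45,0 };	/* cleartext IPv4 */
const uint8_t sample_ccmp[]  = { 0x08,0x41, 0,0, AP, STA, AP, 0x20,0, 0x01,0,0,0x20,0,0,0,0 };	/* Protected bit set */
const uint8_t sample_eapol[] = { 0x88,0x01, 0,0, AP, STA, AP, 0x30,0, 0,0, 0xaa,0xaa,0x03,0,0,0, 0x88,0x8e, 0x01,0x03 };	/* QoS EAPOL */

int main(void)
{
	printf("clear=%d ccmp=%d eapol=%d\n", leaks_plaintext(sample_clear, sizeof(sample_clear), sample_sta), leaks_plaintext(sample_ccmp, sizeof(sample_ccmp), sample_sta), leaks_plaintext(sample_eapol, sizeof(sample_eapol), sample_sta));
	return 0;
}
```
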