Patch to support MACsec HW offload

Jouni Malinen j at
Thu Oct 27 01:49:21 PDT 2022

On Wed, Oct 26, 2022 at 06:40:41PM +0200, Benny Lønstrup Ammitzbøll wrote:
> Using wpa_supplicant to configure MACsec via the linux driver, but there is
> currently no support for creating MACsec interfaces that offload MACsec to
> the hardware, even though the linux MACsec implementation supports it.
> I have attached a patch I made for wpa_supplicant ver. 2.9 that adds a
> macsec_hw_offload parameter:
>      * macsec_hw_offload - Offload MACsec to hardware
>      *
>      * This setting applies only when MACsec is in use, i.e.,
>      *  - macsec_policy is enabled
>      *  - the key server has decided to enable MACsec
>      *
>      * 0: MACsec hardware offload is off (default)
>      * 1: MACsec hardware offload to PHY
>      * 2: MACsec hardware offload to MAC
>      */

How would a user know which value to use here and why would this even
need a configuration parameter? Is there some real reason for not using
the hardware offload if the device and driver supports it? With Wi-Fi,
the hardware encryption decryption is always used, if available, without
the user (or anything in user space for that matter) having to really
know about this. Why would this be any different for MACsec?

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list