Patch to support MACsec HW offload

Benny Lønstrup Ammitzbøll benny at
Thu Oct 27 02:37:15 PDT 2022

On 27.10.2022 10.49, Jouni Malinen wrote:
> On Wed, Oct 26, 2022 at 06:40:41PM +0200, Benny Lønstrup Ammitzbøll wrote:
>> Using wpa_supplicant to configure MACsec via the linux driver, but there is
>> currently no support for creating MACsec interfaces that offload MACsec to
>> the hardware, even though the linux MACsec implementation supports it.
>> I have attached a patch I made for wpa_supplicant ver. 2.9 that adds a
>> macsec_hw_offload parameter:
>>       * macsec_hw_offload - Offload MACsec to hardware
>>       *
>>       * This setting applies only when MACsec is in use, i.e.,
>>       *  - macsec_policy is enabled
>>       *  - the key server has decided to enable MACsec
>>       *
>>       * 0: MACsec hardware offload is off (default)
>>       * 1: MACsec hardware offload to PHY
>>       * 2: MACsec hardware offload to MAC
>>       */
> How would a user know which value to use here and why would this even
> need a configuration parameter? Is there some real reason for not using
> the hardware offload if the device and driver supports it? With Wi-Fi,
> the hardware encryption decryption is always used, if available, without
> the user (or anything in user space for that matter) having to really
> know about this. Why would this be any different for MACsec?
Valid point, so maybe the default should be to use HW offload if the 
interface supports it. However, a user may be interested in measuring 
the performance gain obtained with a HW offload solution (I at least 
need this in my testing) in which case the parameter is useful.


More information about the Hostap mailing list