Patch to support MACsec HW offload
Benny Lønstrup Ammitzbøll
benny at ammitzboell-consult.dk
Thu Oct 27 02:37:15 PDT 2022
On 27.10.2022 10.49, Jouni Malinen wrote:
> On Wed, Oct 26, 2022 at 06:40:41PM +0200, Benny Lønstrup Ammitzbøll wrote:
>> Using wpa_supplicant to configure MACsec via the linux driver, but there is
>> currently no support for creating MACsec interfaces that offload MACsec to
>> the hardware, even though the linux MACsec implementation supports it.
>>
>> I have attached a patch I made for wpa_supplicant ver. 2.9 that adds a
>> macsec_hw_offload parameter:
>>
>> * macsec_hw_offload - Offload MACsec to hardware
>> *
>> * This setting applies only when MACsec is in use, i.e.,
>> * - macsec_policy is enabled
>> * - the key server has decided to enable MACsec
>> *
>> * 0: MACsec hardware offload is off (default)
>> * 1: MACsec hardware offload to PHY
>> * 2: MACsec hardware offload to MAC
>> */
> How would a user know which value to use here and why would this even
> need a configuration parameter? Is there some real reason for not using
> the hardware offload if the device and driver supports it? With Wi-Fi,
> the hardware encryption decryption is always used, if available, without
> the user (or anything in user space for that matter) having to really
> know about this. Why would this be any different for MACsec?
>
Valid point, so maybe the default should be to use HW offload if the
interface supports it. However, a user may be interested in measuring
the performance gain obtained with a HW offload solution (I at least
need this in my testing) in which case the parameter is useful.
/Benny
More information about the Hostap
mailing list