wpa_supplicant triggers macsec_newlink without config data for hardware offload module

B beilushao at gmail.com
Wed Jul 16 03:41:22 PDT 2025 

Hello, all,

We have recently begun developing a proxy kernel module that hooks
into driver/net/macsec.c to propagate macsec_ops to our hardware,
which supports MACsec offload.
The module works as expected with the iproute2 tool: the relevant
hooks are invoked with the appropriate configuration data during
operations like "ip link add link ...".

However, when configuring MACsec via wpa_supplicant instead of
iproute2, we encounter an issue in the path (driver_macsec_linux.c in
wpa_supplicant → driver/net/macsec.c in the kernel):

1) The macsec_newlink function is called, but it does not receive
config data, which is necessary for MACsec offload setup.
2) The configuration data is only provided later, when
macsec_transmit_sc is triggered from driver_macsec_linux.c. At this
point, it is too late.
3) As a result, all "macsec_is_offloaded" calls will be "false".

Our module simply implements the various macsec_ops. For reference,
here’s a skeleton of the relevant code:
/* Device-wide operations */
static int proxy_mdo_dev_open(struct macsec_context *ctx)
{
    PROXY_LOG("mdo_dev_open called");
    return 0;
}
static int proxy_mdo_dev_stop(struct macsec_context *ctx)
{
    PROXY_LOG("mdo_dev_stop called");
    return 0;
}
// ... other ops are the same ...
/* The proxy macsec_ops structure */
static const struct macsec_ops proxy_macsec_ops = {
    .mdo_dev_open = proxy_mdo_dev_open,
    .mdo_dev_stop = proxy_mdo_dev_stop,
    // ... other ops ...
};

static int __init macsec_proxy_init(void)
{
    dev = dev_get_by_name(&init_net, "eth100");
    if (dev) {
        pr_info("Assigned macsec_ops to netdev %p\n", dev);
        dev->features |= NETIF_F_HW_MACSEC;
        dev->macsec_ops = &proxy_macsec_ops;
    }
}

Questions:

1) Is this behavior (delayed config data) expected from wpa_supplicant?
2) Is there a recommended way to handle MACsec offload setup in this
scenario, or a way to force config data to be provided earlier (e.g.,
at macsec_newlink)?
3) Are there known differences in how iproute2 and wpa_supplicant
interact with the kernel MACsec driver regarding initial config
propagation?

Any insights or best practices for handling MACsec offload in this
scenario would be appreciated.

Best regards,
Beilu

More information about the Hostap mailing list