wpa_supplicant triggers macsec_newlink without config data for hardware offload module

B beilushao at gmail.com
Thu Jul 17 08:29:30 PDT 2025 

Hello, all,

First minor correction: using strace, I observed that "macsec_newlink"
is triggered from "macsec_create_transmit_sc", rather than from
"macsec_drv_macsec_init" (the latter only prepares some initial
settings without actually sending a message). That said,
"macsec_newlink" is still invoked with offloading unset, so all calls
to "macsec_is_offloading" remain false.

Reviewing the relevant changes in git history:

In the initial commit 3cf3227a21d1fb020fe26128e60321bd2151e922 ("net:
macsec: hardware offloading infrastructure"), MACsec offloading was
hardcoded to be off by default in macsec_newlink:

/* MACsec offloading is off by default */
macsec->offload = MACSEC_OFFLOAD_OFF;

At that time, I guess it had to be manually set with OFFLOAD_PHY.

Later, commit dcb780fb279514f268826f2e9f4df3bc75610703 ("net: macsec:
add nla support for changing the offloading selection") introduced NLA
support (macsec_upd_offload), making the offload selection switchable
and calling mdo_add_secy or mdo_del_secy as needed.
Subsequently, commit 791bb3fcafcedd11f9066da9fee9342ecb6904d0 ("net:
macsec: add support for specifying offload upon link creation") made
offload configurable, but it is still set at macsec_newlink.

I believe all these flows have been well tested with iproute2. To
support wpa_supplicant, there are two possible ways to address the
issue:

1) Fix the missing offload at the first newlink message.
2) Keep the current flow in wpa_supplicant, but detect offload config
change in macsec.c (change_link_common) and handle it similarly to
macsec_upd_offload.

Between the two, I favor the first option as it is simpler and more
appropriate for where the change should occur. The patch is
straightforward:

--- wpa_supplicant-2.11/src/drivers/driver_macsec_linux.c
2024-07-20 20:04:37.000000000 +0200
+++ wpa_supplicant-2.11_new/src/drivers/driver_macsec_linux.c
2025-07-17 17:05:47.118890103 +0200
@@ -1176,10 +1176,18 @@
                return -1;
        }

        rtnl_link_set_link(link, drv->parent_ifi);

+       #ifdef LIBNL_HAS_OFFLOAD
+       if (drv->offload_set) {
+               wpa_printf(MSG_DEBUG, DRV_PREFIX
+                          "setting offload=%d", drv->offload);
+           rtnl_link_macsec_set_offload(link, drv->offload);
+       }
+    #endif /* LIBNL_HAS_OFFLOAD */
+
        sci = mka_sci_u64(&sc->sci);
        rtnl_link_macsec_set_sci(link, sci);

        drv->created_link = true;

Any feedback or comments are appreciated :-)

Best regards,
Beilu

More information about the Hostap mailing list