On 2019-03-13 15:41, Tom Psyborg wrote: > On 13/03/2019, Stanislaw Gruszka <sgruszka@xxxxxxxxxx> wrote: >> On Wed, Mar 13, 2019 at 02:48:01PM +0100, Tom Psyborg wrote: >>> On 13/03/2019, Stanislaw Gruszka <sgruszka@xxxxxxxxxx> wrote: >>> > On Wed, Mar 13, 2019 at 02:02:32PM +0100, Tom Psyborg wrote: >>> >> On 13/03/2019, Stanislaw Gruszka <sgruszka@xxxxxxxxxx> wrote: >>> >> > On Tue, Mar 12, 2019 at 08:11:42PM +0100, Tomislav Požega wrote: >>> >> >> MFP can work with enabled HW crypt engine, but in this case >>> >> >> available bandwidth is reduced at least when connecting to >>> >> >> Archer C7 (QCA9558). Enable the feature for known to work chipsets- >>> >> >> MT7620, RT3070 and RT5390. Userspace setting for ieee80211w should >>> >> >> default to 0 in order to prevent unintentional bandwidth drop. >>> >> >> >>> >> >> Signed-off-by: Tomislav Po?ega <pozega.tomislav@xxxxxxxxx> >>> >> >> --- >>> >> >> drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 11 +++++++---- >>> >> >> 1 files changed, 7 insertions(+), 4 deletions(-) >>> >> >> >>> >> >> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c >>> >> >> b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c >>> >> >> index a03b528..bb8204d 100644 >>> >> >> --- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c >>> >> >> +++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c >>> >> >> @@ -9326,6 +9326,13 @@ static int rt2800_probe_hw_mode(struct >>> >> >> rt2x00_dev >>> >> >> *rt2x00dev) >>> >> >> ieee80211_hw_set(rt2x00dev->hw, SIGNAL_DBM); >>> >> >> ieee80211_hw_set(rt2x00dev->hw, SUPPORTS_PS); >>> >> >> >>> >> >> + /* Experimental: Set MFP with HW crypto enabled. */ >>> >> >> + if (rt2x00_rt(rt2x00dev, RT3070) || rt2x00_rt(rt2x00dev, RT5390) >>> >> >> || >>> >> >> + rt2x00_rt(rt2x00dev, RT6352)) >>> >> >> + ieee80211_hw_set(rt2x00dev->hw, MFP_CAPABLE); >>> >> > >>> >> > Is not that we support MFP in hardware. We just return -EOPNOTSUPP >>> >> > in rt2x00mac_set_key() when mac80211 will try to set MFP ciphers >>> >> > (since rt2x00crypto_key_to_cipher() will return CIPHER_NONE) and >>> >> > we fallback to software encryption. >>> >> > >>> >> > Please repost patch that enable MFP unconditionally with >>> >> > 'Cc: stable@xxxxxxxxxxxxxxx' tag. >>> >> > >>> >> > Stanislaw >>> >> > >>> >> >>> >> No, I have not test any other chipsets besides the ones I enabled it >>> >> for. It is possible this would cause problems on other devices, so >>> >> just enable it for the known to work ones. >>> > >>> > It's just matter of sending already encrypted frames. All chipsets >>> > handle that. >>> > >>> > Stanislaw >>> > >>> >>> The question is how well all chipsets handle that. I've seen some lags >>> too with MFP enabled connection. While being about 40-50% lower, >>> throughput would still occasionally drop to very low values, like >>> 800Kbps. >> >> The only reason I can image that might have impact on throughput >> in this case is limited CPU power since encryption is done in >> software. Would be good to compare with PA2 with nohwcrypte, if >> there are similar lags. However MFP can require more CPU power. >> >> Stanislaw >> > > nohwcrypt=y mfp=require: there was no throughput drop, no lag, > measured about 80-85Mbps but the connection frozen after a minute or > two. might be related to rekeying. > > CPU power cannot be the problem since I run it on laptop (2x2.20GHz) The lag is probably caused by failed A-MPDU setup exchanges due to broken management frames. I think it's likely that rt28xx chipsets are behaving like mt7612e in that area (since the MAC design is very similar). I've spent quite a bit of time making MFP work properly in mt76 on that chipset, and here are my findings: Hardware crypto for management frames is broken. When using management frame protection, the same pairwise encryption key needs to be used for both data frames and management frames. There is a flag in mac80211 that allows software-encryption for management frames only. That leads us to the next issue: CCMP PN is usually generated in hardware and stored in on-chip memory, which means the mac80211 key tx_pn counter will be out of sync and software-encrypted management packets will trigger replay protection on the other side. To fix this, you need to enable software generated IV if management frames are to be sent with the same key. In that case you need to set TXINFO_W0_WIV and fill TXWI_W2_IV+TXWI_W3_EIV. Also, for software encrypted frames you need to mask out WCID, since otherwise the hardware will try to encrypt the frame again. You can use mt76 as reference for how to do all of this - Felix
