diff options
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c | 25 | ||||
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/mld/mac80211.c | 11 | ||||
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 |
3 files changed, 43 insertions, 9 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c b/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c index 4424443d2328..a67b9572aac3 100644 --- a/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c +++ b/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c @@ -5,6 +5,7 @@ * Copyright (C) 2016-2017 Intel Deutschland GmbH */ #include <linux/types.h> +#include <linux/fips.h> #include <linux/slab.h> #include <linux/export.h> #include <linux/etherdevice.h> @@ -543,16 +544,22 @@ static void iwl_init_vht_hw_capab(struct iwl_trans *trans, else vht_cap->cap |= IEEE80211_VHT_CAP_TX_ANTENNA_PATTERN; + /* + * With fips_enabled crypto is done by software, so the HW cannot + * split up A-MSDUs and the real limit that was set applies. + * Note that EHT doesn't honour this (HE copies the VHT value), + * but EHT is also entirely disabled for fips_enabled. + */ switch (iwlwifi_mod_params.amsdu_size) { case IWL_AMSDU_DEF: - if (trans->mac_cfg->mq_rx_supported) + if (trans->mac_cfg->mq_rx_supported && !fips_enabled) vht_cap->cap |= IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454; else vht_cap->cap |= IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_3895; break; case IWL_AMSDU_2K: - if (trans->mac_cfg->mq_rx_supported) + if (trans->mac_cfg->mq_rx_supported && !fips_enabled) vht_cap->cap |= IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454; else @@ -909,7 +916,9 @@ iwl_nvm_fixup_sband_iftd(struct iwl_trans *trans, bool slow_pcie = (!trans->mac_cfg->integrated && trans->info.pcie_link_speed < PCI_EXP_LNKSTA_CLS_8_0GB); - if (!data->sku_cap_11be_enable || iwlwifi_mod_params.disable_11be) + /* EHT needs WPA3/MFP so cannot do it for fips_enabled */ + if (!data->sku_cap_11be_enable || iwlwifi_mod_params.disable_11be || + fips_enabled) iftype_data->eht_cap.has_eht = false; /* Advertise an A-MPDU exponent extension based on @@ -1197,11 +1206,19 @@ static void iwl_init_sbands(struct iwl_trans *trans, n_used += iwl_init_sband_channels(data, sband, n_channels, NL80211_BAND_6GHZ); - if (data->sku_cap_11ax_enable && !iwlwifi_mod_params.disable_11ax) + /* + * 6 GHz requires WPA3 which requires MFP, which FW cannot do + * when fips_enabled, so don't advertise any 6 GHz channels to + * avoid spending time on scanning those channels and perhaps + * even finding APs there that cannot be used. + */ + if (!fips_enabled && data->sku_cap_11ax_enable && + !iwlwifi_mod_params.disable_11ax) iwl_init_he_hw_capab(trans, data, sband, tx_chains, rx_chains, fw); else sband->n_channels = 0; + if (n_channels != n_used) IWL_ERR_DEV(dev, "NVM: used only %d of %d channels\n", n_used, n_channels); diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c index c6e61c843f77..3ea6d4c1b779 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c @@ -4,6 +4,7 @@ */ #include <net/mac80211.h> +#include <linux/fips.h> #include <linux/ip.h> #include "mld.h" @@ -156,6 +157,9 @@ static void iwl_mld_hw_set_security(struct iwl_mld *mld) WLAN_CIPHER_SUITE_BIP_GMAC_256 }; + if (fips_enabled) + return; + hw->wiphy->n_cipher_suites = ARRAY_SIZE(mld_ciphers); hw->wiphy->cipher_suites = mld_ciphers; @@ -180,6 +184,9 @@ static void iwl_mld_hw_set_pm(struct iwl_mld *mld) if (!device_can_wakeup(mld->trans->dev)) return; + if (fips_enabled) + return; + mld->wowlan.flags |= WIPHY_WOWLAN_MAGIC_PKT | WIPHY_WOWLAN_DISCONNECT | WIPHY_WOWLAN_EAP_IDENTITY_REQ | @@ -284,9 +291,11 @@ static void iwl_mac_hw_set_wiphy(struct iwl_mld *mld) WIPHY_FLAG_SUPPORTS_TDLS | WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK; + /* For fips_enabled, don't support WiFi7 due to WPA3/MFP requirements */ if (mld->nvm_data->sku_cap_11be_enable && !iwlwifi_mod_params.disable_11ax && - !iwlwifi_mod_params.disable_11be) + !iwlwifi_mod_params.disable_11be && + !fips_enabled) wiphy->flags |= WIPHY_FLAG_SUPPORTS_MLO; /* the firmware uses u8 for num of iterations, but 0xff is saved for diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c index fa9d5e0b6609..55ae1caded53 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c @@ -5,6 +5,7 @@ * Copyright (C) 2016-2017 Intel Deutschland GmbH */ #include <linux/kernel.h> +#include <linux/fips.h> #include <linux/slab.h> #include <linux/skbuff.h> #include <linux/netdevice.h> @@ -461,7 +462,9 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm) IWL_ERR(mvm, "iwlmvm doesn't allow to disable BT Coex, check bt_coex_active module parameter\n"); - ieee80211_hw_set(hw, MFP_CAPABLE); + if (!fips_enabled) + ieee80211_hw_set(hw, MFP_CAPABLE); + mvm->ciphers[hw->wiphy->n_cipher_suites] = WLAN_CIPHER_SUITE_AES_CMAC; hw->wiphy->n_cipher_suites++; if (iwl_mvm_has_new_rx_api(mvm)) { @@ -485,12 +488,17 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm) hw->wiphy->pmsr_capa = &iwl_mvm_pmsr_capa; } - if (sec_key_ver && + /* + * beacon protection must be handled by firmware, + * so cannot be done with fips_enabled + */ + if (!fips_enabled && sec_key_ver && fw_has_capa(&mvm->fw->ucode_capa, IWL_UCODE_TLV_CAPA_BIGTK_TX_SUPPORT)) wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_BEACON_PROTECTION); - else if (fw_has_capa(&mvm->fw->ucode_capa, + else if (!fips_enabled && + fw_has_capa(&mvm->fw->ucode_capa, IWL_UCODE_TLV_CAPA_BIGTK_SUPPORT)) wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT); @@ -730,7 +738,7 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm) #ifdef CONFIG_PM_SLEEP if ((unified || mvm->fw->img[IWL_UCODE_WOWLAN].num_sec) && - device_can_wakeup(mvm->trans->dev)) { + device_can_wakeup(mvm->trans->dev) && !fips_enabled) { mvm->wowlan.flags |= WIPHY_WOWLAN_MAGIC_PKT | WIPHY_WOWLAN_DISCONNECT | WIPHY_WOWLAN_EAP_IDENTITY_REQ | |