| Message ID | 20231107-brcmfmac-wpa3-v1-1-4c7db8636680@marcan.st |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:aa0b:0:b0:403:3b70:6f57 with SMTP id k11csp40784vqo;
Mon, 6 Nov 2023 22:07:20 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IHiXgjJxd81aCHzaT+D2Icr/3VTH2mFx6lm/azeuQyamA1a0og/veFAHjh53GKdavsSK3+i
X-Received: by 2002:a17:902:e40a:b0:1cc:3c2d:1289 with SMTP id
m10-20020a170902e40a00b001cc3c2d1289mr17788775ple.3.1699337240248;
Mon, 06 Nov 2023 22:07:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1699337240; cv=none;
d=google.com; s=arc-20160816;
b=0TgLuUQCkjZ84f0oeh6qEgpGXVoMytjQwF/Fo7xB8k+FXv1G0QFCaJ3nw53u25d8VD
SLInopr79sRcGs/rghI8sGo4Opjs4+WgXzmiSI6qgHWiNCTTlEU8byKlUZpCZQLrceP9
y00Co9Ra7F8TpesUtIDTVlIowlpTyu58n6+K7Opc5CWOlTs3uUbpabJHaUTS4BDLHOem
RPOrf5ZKeFFIwQaRl+o0nDsEej9IXifYUdjv8Bnx36rZWho2MG1BwJPRoRqfA22bp/hj
8GEa4ZQwwVShFzP+85xCwBH2cvQPFfLnm05DyucvsNpZ2jRgugbl30WSN6RWHDRZpbGo
A8sQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:message-id:content-transfer-encoding
:mime-version:subject:date:from:dkim-signature;
bh=UGz7rdnqTT0XBWE7/HPUKw5lBqBEVt1klBj84RBQM9o=;
fh=DuFFqvym5z8Pa6gO5s75E1/4VpwzUzg8KfEZi6CnjGo=;
b=JgGWmQeT/pOXK0PRwAcTtHbfkh289t0foPQkRhYnNKxfPjtvDFePtI8dtvFMQfWpPA
joQi4TddHumdK3O7fHHigoIURGMUpPKERXG3Vf9agNKbNyJNlc0Zm1g7XBMP1dMXplpG
+8ri9FhihRS+aIRHnqelVhLiYEW7awaPazLSGijDG4fPUD8Si8qJ4DMLamtEBOYC2wZR
NIxjSpCFm+kx/RtCFnUZJ1HvCHGvDPQRZqn+AcszInoBM6QQbtx0MDXFD6AAzMp5GrkN
X6F9GIyxnUD8B5CDf9H7qqSBidetwn8wjGOtSMK44D+W67pSdk3j4nufxDrrp3AX4VpB
o86g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@marcan.st header.s=default header.b=CbqR6KMr;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.38 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=marcan.st
Received: from fry.vger.email (fry.vger.email. [23.128.96.38])
by mx.google.com with ESMTPS id
u18-20020a170902e5d200b001cc665df825si10172413plf.436.2023.11.06.22.07.19
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 06 Nov 2023 22:07:20 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38;
Authentication-Results: mx.google.com;
dkim=pass header.i=@marcan.st header.s=default header.b=CbqR6KMr;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.38 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=marcan.st
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by fry.vger.email (Postfix) with ESMTP id 63B74805F411;
Mon, 6 Nov 2023 22:06:25 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232973AbjKGGFz (ORCPT <rfc822;heyuhang3455@gmail.com>
+ 33 others); Tue, 7 Nov 2023 01:05:55 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36908 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229559AbjKGGFy (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 7 Nov 2023 01:05:54 -0500
Received: from mail.marcansoft.com (marcansoft.com [212.63.210.85])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3DAD410F;
Mon, 6 Nov 2023 22:05:50 -0800 (PST)
Received: from [127.0.0.1] (localhost [127.0.0.1])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits)
server-digest SHA256)
(No client certificate requested)
(Authenticated sender: sendonly@marcansoft.com)
by mail.marcansoft.com (Postfix) with ESMTPSA id 2F4D541A42;
Tue, 7 Nov 2023 06:05:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=marcan.st; s=default;
t=1699337148; bh=xxiIjvDbAksu9Y0ctF1XaFpoIJj+/zvV5fHsF1bZhWE=;
h=From:Date:Subject:To:Cc;
b=CbqR6KMrHZj9VLynVWP+/xA9O8EBvwGhCoiLtoxy2Gtv6X3uY2SuPrdKhzVs5KEXP
axj76Y5/95D36x2sUYdzp1uvsMDwx+dnuhjMYiz/yGdarzNoiykiw8Rp7Jl8o1vWYp
sRtxRuR/5i/DqGOrQ0l/uda7z6FjIgdGf9Xgp5JOerQQPcO28LAMgO2iWeccSCCy0i
myqPyGS1B5UNjkZ+o2HMeLXlo4igKykO2CQkKs6VFZJ2JWj3twQU3E4n9ox35AfqkH
zyONO/Ja59+x+SN5KKjLd9+hBO0bIn3LwQyRaNyvtvVVvqqFQu/yWgr6SCWY+b/kmv
SE4yY1UbiYb5Q==
From: Hector Martin <marcan@marcan.st>
Date: Tue, 07 Nov 2023 15:05:31 +0900
Subject: [PATCH] wifi: brcmfmac: cfg80211: Use WSEC to set SAE password
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20231107-brcmfmac-wpa3-v1-1-4c7db8636680@marcan.st>
X-B4-Tracking: v=1; b=H4sIAKrTSWUC/6tWKk4tykwtVrJSqFYqSi3LLM7MzwNyDHUUlJIzE
vPSU3UzU4B8JSMDI2NDQwNz3aSi5Ny03MRk3fKCRGNdy1TTNDOzVIukVGMTJaCegqLUtMwKsHn
RsbW1AGedk2VfAAAA
To: Arend van Spriel <aspriel@gmail.com>,
Franky Lin <franky.lin@broadcom.com>,
Hante Meuleman <hante.meuleman@broadcom.com>,
Kalle Valo <kvalo@kernel.org>
Cc: Daniel Berlin <dberlin@dberlin.org>,
linux-wireless@vger.kernel.org,
brcm80211-dev-list.pdl@broadcom.com,
SHA-cyfmac-dev-list@infineon.com, linux-kernel@vger.kernel.org,
asahi@lists.linux.dev, Hector Martin <marcan@marcan.st>
X-Mailer: b4 0.12.3
X-Developer-Signature: v=1; a=openpgp-sha256; l=3904; i=marcan@marcan.st;
h=from:subject:message-id; bh=xxiIjvDbAksu9Y0ctF1XaFpoIJj+/zvV5fHsF1bZhWE=;
b=owGbwMvMwCUm+yP4NEe/cRLjabUkhlTPyztmvH8ycYLr6kUKfp8LOWw7r6s2+TX9ODqZ557ei
a+HCtOlO0pZGMS4GGTFFFkaT/Se6vacfk5dNWU6zBxWJpAhDFycAjARpSCG/8GvbKvezs6a+urN
0W/fHZctLo3OMovf6ZdReXnZtQXKt0UY/jsY6c+TjG31uZ8b/+1CVMlnbrl14YE7hR4FPJq6583
jU8wA
X-Developer-Key: i=marcan@marcan.st; a=openpgp;
fpr=FC18F00317968B7BE86201CBE22A629A4C515DD5
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]);
Mon, 06 Nov 2023 22:06:25 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1781884246118151382
X-GMAIL-MSGID: 1781884246118151382
|
| Series |
wifi: brcmfmac: cfg80211: Use WSEC to set SAE password
|
|
Commit Message
Hector Martin
Nov. 7, 2023, 6:05 a.m. UTC
Using the WSEC command instead of sae_password seems to be the supported
mechanism on newer firmware, and also how the brcmdhd driver does it.
According to user reports [1], the sae_password codepath doesn't actually
work on machines with Cypress chips anyway, so no harm in removing it.
This makes WPA3 work with iwd, or with wpa_supplicant pending a support
patchset [2].
[1] https://rachelbythebay.com/w/2023/11/06/wpa3/
[2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html
Signed-off-by: Hector Martin <marcan@marcan.st>
---
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 46 +++++++++-------------
.../broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +-
2 files changed, 20 insertions(+), 28 deletions(-)
---
base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
change-id: 20231107-brcmfmac-wpa3-9e5f66e8be34
Best regards,
Comments
On Tue, Nov 7, 2023 at 1:06 AM Hector Martin <marcan@marcan.st> wrote: > > Using the WSEC command instead of sae_password seems to be the supported > mechanism on newer firmware, and also how the brcmdhd driver does it. > > According to user reports [1], the sae_password codepath doesn't actually > work on machines with Cypress chips anyway, so no harm in removing it. > > This makes WPA3 work with iwd, or with wpa_supplicant pending a support > patchset [2]. > > [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ > [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html > > Signed-off-by: Hector Martin <marcan@marcan.st> > --- > .../broadcom/brcm80211/brcmfmac/cfg80211.c | 46 +++++++++------------- > .../broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +- > 2 files changed, 20 insertions(+), 28 deletions(-) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > index 2a90bb24ba77..138af70a33b8 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > @@ -1687,52 +1687,44 @@ static u16 brcmf_map_fw_linkdown_reason(const struct brcmf_event_msg *e) > return reason; > } > > -static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len) > +static int brcmf_set_wsec(struct brcmf_if *ifp, const u8 *key, u16 key_len, u16 flags) > { > struct brcmf_pub *drvr = ifp->drvr; > struct brcmf_wsec_pmk_le pmk; > int err; > > + if (key_len > sizeof(pmk.key)) { > + bphy_err(drvr, "key must be less than %zu bytes\n", > + sizeof(pmk.key)); > + return -EINVAL; > + } > + > memset(&pmk, 0, sizeof(pmk)); > > - /* pass pmk directly */ > - pmk.key_len = cpu_to_le16(pmk_len); > - pmk.flags = cpu_to_le16(0); > - memcpy(pmk.key, pmk_data, pmk_len); > + /* pass key material directly */ > + pmk.key_len = cpu_to_le16(key_len); > + pmk.flags = cpu_to_le16(flags); > + memcpy(pmk.key, key, key_len); > > - /* store psk in firmware */ > + /* store key material in firmware */ > err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK, > &pmk, sizeof(pmk)); > if (err < 0) > bphy_err(drvr, "failed to change PSK in firmware (len=%u)\n", > - pmk_len); > + key_len); > > return err; > } > > +static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len) > +{ > + return brcmf_set_wsec(ifp, pmk_data, pmk_len, 0); > +} > + > static int brcmf_set_sae_password(struct brcmf_if *ifp, const u8 *pwd_data, > u16 pwd_len) > { > - struct brcmf_pub *drvr = ifp->drvr; > - struct brcmf_wsec_sae_pwd_le sae_pwd; > - int err; > - > - if (pwd_len > BRCMF_WSEC_MAX_SAE_PASSWORD_LEN) { > - bphy_err(drvr, "sae_password must be less than %d\n", > - BRCMF_WSEC_MAX_SAE_PASSWORD_LEN); > - return -EINVAL; > - } > - > - sae_pwd.key_len = cpu_to_le16(pwd_len); > - memcpy(sae_pwd.key, pwd_data, pwd_len); > - > - err = brcmf_fil_iovar_data_set(ifp, "sae_password", &sae_pwd, > - sizeof(sae_pwd)); > - if (err < 0) > - bphy_err(drvr, "failed to set SAE password in firmware (len=%u)\n", > - pwd_len); > - > - return err; > + return brcmf_set_wsec(ifp, pwd_data, pwd_len, BRCMF_WSEC_PASSPHRASE); > } > > static void brcmf_link_down(struct brcmf_cfg80211_vif *vif, u16 reason, > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h > index 611d1a6aabb9..b68c46caabe8 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h > @@ -584,7 +584,7 @@ struct brcmf_wsec_key_le { > struct brcmf_wsec_pmk_le { > __le16 key_len; > __le16 flags; > - u8 key[2 * BRCMF_WSEC_MAX_PSK_LEN + 1]; > + u8 key[BRCMF_WSEC_MAX_SAE_PASSWORD_LEN]; > }; > > /** > > --- > base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa > change-id: 20231107-brcmfmac-wpa3-9e5f66e8be34 > > Best regards, > -- > Hector Martin <marcan@marcan.st> > > Looks good to me. Reviewed-by: Neal Gompa <neal@gompa.dev> -- 真実はいつも一つ!/ Always, there's only one truth!
Hector Martin <marcan@marcan.st> wrote: > Using the WSEC command instead of sae_password seems to be the supported > mechanism on newer firmware, and also how the brcmdhd driver does it. > > According to user reports [1], the sae_password codepath doesn't actually > work on machines with Cypress chips anyway, so no harm in removing it. > > This makes WPA3 work with iwd, or with wpa_supplicant pending a support > patchset [2]. > > [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ > [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html > > Signed-off-by: Hector Martin <marcan@marcan.st> > Reviewed-by: Neal Gompa <neal@gompa.dev> Arend, what do you think? We recently talked about people testing brcmfmac patches, has anyone else tested this?
On December 17, 2023 12:25:23 PM Kalle Valo <kvalo@kernel.org> wrote: > Hector Martin <marcan@marcan.st> wrote: > >> Using the WSEC command instead of sae_password seems to be the supported >> mechanism on newer firmware, and also how the brcmdhd driver does it. >> >> According to user reports [1], the sae_password codepath doesn't actually >> work on machines with Cypress chips anyway, so no harm in removing it. >> >> This makes WPA3 work with iwd, or with wpa_supplicant pending a support >> patchset [2]. >> >> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >> >> Signed-off-by: Hector Martin <marcan@marcan.st> >> Reviewed-by: Neal Gompa <neal@gompa.dev> > > Arend, what do you think? > > We recently talked about people testing brcmfmac patches, has anyone else > tested this? Not sure I already replied so maybe I am repeating myself. I would prefer to keep the Cypress sae_password path as well although it reportedly does not work. The vendor support in the driver can be used to accommodate for that. The other option would be to have people with Cypress chipset test this patch. If that works for both we can consider dropping the sae_password path. Regards, Arend > -- > https://patchwork.kernel.org/project/linux-wireless/patch/20231107-brcmfmac-wpa3-v1-1-4c7db8636680@marcan.st/ > > https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
Arend Van Spriel <arend.vanspriel@broadcom.com> writes: > On December 17, 2023 12:25:23 PM Kalle Valo <kvalo@kernel.org> wrote: > >> Hector Martin <marcan@marcan.st> wrote: >> >>> Using the WSEC command instead of sae_password seems to be the supported >>> mechanism on newer firmware, and also how the brcmdhd driver does it. >>> >>> According to user reports [1], the sae_password codepath doesn't actually >>> work on machines with Cypress chips anyway, so no harm in removing it. >>> >>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support >>> patchset [2]. >>> >>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >>> >>> Signed-off-by: Hector Martin <marcan@marcan.st> >>> Reviewed-by: Neal Gompa <neal@gompa.dev> >> >> Arend, what do you think? >> >> We recently talked about people testing brcmfmac patches, has anyone else >> tested this? > > Not sure I already replied so maybe I am repeating myself. I would > prefer to keep the Cypress sae_password path as well although it > reportedly does not work. The vendor support in the driver can be used > to accommodate for that. The other option would be to have people with > Cypress chipset test this patch. If that works for both we can > consider dropping the sae_password path. Ok, thanks for checking.
On 2023/12/19 17:52, Arend Van Spriel wrote: > On December 17, 2023 12:25:23 PM Kalle Valo <kvalo@kernel.org> wrote: > >> Hector Martin <marcan@marcan.st> wrote: >> >>> Using the WSEC command instead of sae_password seems to be the supported >>> mechanism on newer firmware, and also how the brcmdhd driver does it. >>> >>> According to user reports [1], the sae_password codepath doesn't actually >>> work on machines with Cypress chips anyway, so no harm in removing it. >>> >>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support >>> patchset [2]. >>> >>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >>> >>> Signed-off-by: Hector Martin <marcan@marcan.st> >>> Reviewed-by: Neal Gompa <neal@gompa.dev> >> >> Arend, what do you think? >> >> We recently talked about people testing brcmfmac patches, has anyone else >> tested this? > > Not sure I already replied so maybe I am repeating myself. I would prefer > to keep the Cypress sae_password path as well although it reportedly does > not work. The vendor support in the driver can be used to accommodate for > that. The other option would be to have people with Cypress chipset test > this patch. If that works for both we can consider dropping the > sae_password path. > > Regards, > Arend So, if nobody from Cypress chimes in ever, and nobody cares nor tests Cypress chipsets, are we keeping any and all existing Cypress code-paths as bitrotting code forever and adding gratuitous conditionals every time any functionality needs to change "just in case it breaks Cypress" even though it has been tested compatible on Broadcom chipsets/firmware? Because that's not sustainable long term. - Hector
On 12/19/2023 12:01 PM, Hector Martin wrote: > > > On 2023/12/19 17:52, Arend Van Spriel wrote: >> On December 17, 2023 12:25:23 PM Kalle Valo <kvalo@kernel.org> wrote: >> >>> Hector Martin <marcan@marcan.st> wrote: >>> >>>> Using the WSEC command instead of sae_password seems to be the supported >>>> mechanism on newer firmware, and also how the brcmdhd driver does it. >>>> >>>> According to user reports [1], the sae_password codepath doesn't actually >>>> work on machines with Cypress chips anyway, so no harm in removing it. >>>> >>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support >>>> patchset [2]. >>>> >>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >>>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >>>> >>>> Signed-off-by: Hector Martin <marcan@marcan.st> >>>> Reviewed-by: Neal Gompa <neal@gompa.dev> >>> >>> Arend, what do you think? >>> >>> We recently talked about people testing brcmfmac patches, has anyone else >>> tested this? >> >> Not sure I already replied so maybe I am repeating myself. I would prefer >> to keep the Cypress sae_password path as well although it reportedly does >> not work. The vendor support in the driver can be used to accommodate for >> that. The other option would be to have people with Cypress chipset test >> this patch. If that works for both we can consider dropping the >> sae_password path. >> >> Regards, >> Arend > > So, if nobody from Cypress chimes in ever, and nobody cares nor tests > Cypress chipsets, are we keeping any and all existing Cypress code-paths > as bitrotting code forever and adding gratuitous conditionals every time > any functionality needs to change "just in case it breaks Cypress" even > though it has been tested compatible on Broadcom chipsets/firmware? > > Because that's not sustainable long term. You should look into WEXT just for the fun of it. If it were up to me and a bunch of other people that would have been gone decades ago. Maybe a bad example if the sae_password is indeed not working, but the Cypress chipset is used in RPi3 and RPi4 so there must be a couple of users. Regards, Arend Regards, Arend
Hi Arend and Kalle, On Wed, Dec 20, 2023 at 12:47 AM Arend van Spriel <arend.vanspriel@broadcom.com> wrote: > > On 12/19/2023 12:01 PM, Hector Martin wrote: > > > > > > On 2023/12/19 17:52, Arend Van Spriel wrote: > >> On December 17, 2023 12:25:23 PM Kalle Valo <kvalo@kernel.org> wrote: > >> > >>> Hector Martin <marcan@marcan.st> wrote: > >>> > >>>> Using the WSEC command instead of sae_password seems to be the supported > >>>> mechanism on newer firmware, and also how the brcmdhd driver does it. > >>>> > >>>> According to user reports [1], the sae_password codepath doesn't actually > >>>> work on machines with Cypress chips anyway, so no harm in removing it. > >>>> > >>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support > >>>> patchset [2]. > >>>> > >>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ > >>>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html > >>>> > >>>> Signed-off-by: Hector Martin <marcan@marcan.st> > >>>> Reviewed-by: Neal Gompa <neal@gompa.dev> > >>> > >>> Arend, what do you think? > >>> > >>> We recently talked about people testing brcmfmac patches, has anyone else > >>> tested this? > >> > >> Not sure I already replied so maybe I am repeating myself. I would prefer > >> to keep the Cypress sae_password path as well although it reportedly does > >> not work. The vendor support in the driver can be used to accommodate for > >> that. The other option would be to have people with Cypress chipset test > >> this patch. If that works for both we can consider dropping the > >> sae_password path. > >> > >> Regards, > >> Arend > > > > So, if nobody from Cypress chimes in ever, and nobody cares nor tests > > Cypress chipsets, are we keeping any and all existing Cypress code-paths > > as bitrotting code forever and adding gratuitous conditionals every time > > any functionality needs to change "just in case it breaks Cypress" even > > though it has been tested compatible on Broadcom chipsets/firmware? > > > > Because that's not sustainable long term. > > You should look into WEXT just for the fun of it. If it were up to me > and a bunch of other people that would have been gone decades ago. Maybe > a bad example if the sae_password is indeed not working, but the Cypress > chipset is used in RPi3 and RPi4 so there must be a couple of users. There are reports that WPA3 is broken on the Cypress chipsets the Raspberry Pis are using and this patch fixes it: https://rachelbythebay.com/w/2023/11/06/wpa3/ Based on that, it appears that all known users of WPA3 capable hardware with this driver require this fix. Thanks,
Daniel Berlin <dberlin@dberlin.org> writes: > On Tue, Dec 19, 2023 at 7:46 AM Arend van Spriel <arend.vanspriel@broadcom.com> wrote: > > On 12/19/2023 12:01 PM, Hector Martin wrote: > > > > > > On 2023/12/19 17:52, Arend Van Spriel wrote: > >> On December 17, 2023 12:25:23 PM Kalle Valo <kvalo@kernel.org> wrote: > >> > >>> Hector Martin <marcan@marcan.st> wrote: > >>> > >>>> Using the WSEC command instead of sae_password seems to be the supported > >>>> mechanism on newer firmware, and also how the brcmdhd driver does it. > >>>> > >>>> According to user reports [1], the sae_password codepath doesn't actually > >>>> work on machines with Cypress chips anyway, so no harm in removing it. > >>>> > >>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support > >>>> patchset [2]. > >>>> > >>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ > >>>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html > >>>> > >>>> Signed-off-by: Hector Martin <marcan@marcan.st> > >>>> Reviewed-by: Neal Gompa <neal@gompa.dev> > >>> > >>> Arend, what do you think? > >>> > >>> We recently talked about people testing brcmfmac patches, has anyone else > >>> tested this? > >> > >> Not sure I already replied so maybe I am repeating myself. I would prefer > >> to keep the Cypress sae_password path as well although it reportedly does > >> not work. The vendor support in the driver can be used to accommodate for > >> that. The other option would be to have people with Cypress chipset test > >> this patch. If that works for both we can consider dropping the > >> sae_password path. > >> > >> Regards, > >> Arend > > > > So, if nobody from Cypress chimes in ever, and nobody cares nor tests > > Cypress chipsets, are we keeping any and all existing Cypress code-paths > > as bitrotting code forever and adding gratuitous conditionals every time > > any functionality needs to change "just in case it breaks Cypress" even > > though it has been tested compatible on Broadcom chipsets/firmware? > > > > Because that's not sustainable long term. > > You should look into WEXT just for the fun of it. If it were up to me > and a bunch of other people that would have been gone decades ago. Maybe > a bad example if the sae_password is indeed not working, but the Cypress > chipset is used in RPi3 and RPi4 so there must be a couple of users. > > None of this refutes what he said > > We already know it doesn't work for the rpi3/4 users because they are > blogging about it. The fact that you (not personally but as a > maintainer) don't know what works for who or doesn't is part of the > issue. Who are the users who this is for, how are you getting feedback > on what is working or not, how are you testing that it stays working? > > I'm with Hector - this approach has mainly resulted in a driver that > kind of works for some people with no rhyme or reason - but nobody > knows who and what works for them. This isn't sustainable. You need > testing and feedback loops from some defined populations. > > Of course, This will all become moot as we argue about it - more and > more is breaking for more and more people (for example, management > frames are totally broken on newer chips because we silently assume > version 1). > > The driver is about one real upgrade cycle away from not working, in > current form, for the vast majority of its users. > > One would hope we don't sit and argue about how to support the future > while waiting for that to happen, instead we should be moving the > driver forward. If we need to worry about specific older chip users, > we should name who they are, how many there are, and what the limits > of support are. We should then talk about the best way to support them > while still moving the world forward. Why is it that every patch Hector submits seems to end up with flame wars? Look, we have a lot to do and please understand that our time is limited. PLEASE listen to the review feedback and try to fix the patches for the next review round, so that we can get this patch applied and move forward. And also these "we know better than you do" comments from people who clearly are not really familiar with Linux wireless project, or even kernel development, are not helping. Especially if it's in an HTML mail (which our lists automatically drop).
On 2023/12/19 23:42, Kalle Valo wrote: > Daniel Berlin <dberlin@dberlin.org> writes: > >> On Tue, Dec 19, 2023 at 7:46 AM Arend van Spriel <arend.vanspriel@broadcom.com> wrote: >> >> On 12/19/2023 12:01 PM, Hector Martin wrote: >> > >> > >> > On 2023/12/19 17:52, Arend Van Spriel wrote: >> >> On December 17, 2023 12:25:23 PM Kalle Valo <kvalo@kernel.org> wrote: >> >> >> >>> Hector Martin <marcan@marcan.st> wrote: >> >>> >> >>>> Using the WSEC command instead of sae_password seems to be the supported >> >>>> mechanism on newer firmware, and also how the brcmdhd driver does it. >> >>>> >> >>>> According to user reports [1], the sae_password codepath doesn't actually >> >>>> work on machines with Cypress chips anyway, so no harm in removing it. >> >>>> >> >>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support >> >>>> patchset [2]. >> >>>> >> >>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >> >>>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >> >>>> >> >>>> Signed-off-by: Hector Martin <marcan@marcan.st> >> >>>> Reviewed-by: Neal Gompa <neal@gompa.dev> >> >>> >> >>> Arend, what do you think? >> >>> >> >>> We recently talked about people testing brcmfmac patches, has anyone else >> >>> tested this? >> >> >> >> Not sure I already replied so maybe I am repeating myself. I would prefer >> >> to keep the Cypress sae_password path as well although it reportedly does >> >> not work. The vendor support in the driver can be used to accommodate for >> >> that. The other option would be to have people with Cypress chipset test >> >> this patch. If that works for both we can consider dropping the >> >> sae_password path. >> >> >> >> Regards, >> >> Arend >> > >> > So, if nobody from Cypress chimes in ever, and nobody cares nor tests >> > Cypress chipsets, are we keeping any and all existing Cypress code-paths >> > as bitrotting code forever and adding gratuitous conditionals every time >> > any functionality needs to change "just in case it breaks Cypress" even >> > though it has been tested compatible on Broadcom chipsets/firmware? >> > >> > Because that's not sustainable long term. >> >> You should look into WEXT just for the fun of it. If it were up to me >> and a bunch of other people that would have been gone decades ago. Maybe >> a bad example if the sae_password is indeed not working, but the Cypress >> chipset is used in RPi3 and RPi4 so there must be a couple of users. >> >> None of this refutes what he said >> >> We already know it doesn't work for the rpi3/4 users because they are >> blogging about it. The fact that you (not personally but as a >> maintainer) don't know what works for who or doesn't is part of the >> issue. Who are the users who this is for, how are you getting feedback >> on what is working or not, how are you testing that it stays working? >> >> I'm with Hector - this approach has mainly resulted in a driver that >> kind of works for some people with no rhyme or reason - but nobody >> knows who and what works for them. This isn't sustainable. You need >> testing and feedback loops from some defined populations. >> >> Of course, This will all become moot as we argue about it - more and >> more is breaking for more and more people (for example, management >> frames are totally broken on newer chips because we silently assume >> version 1). >> >> The driver is about one real upgrade cycle away from not working, in >> current form, for the vast majority of its users. >> >> One would hope we don't sit and argue about how to support the future >> while waiting for that to happen, instead we should be moving the >> driver forward. If we need to worry about specific older chip users, >> we should name who they are, how many there are, and what the limits >> of support are. We should then talk about the best way to support them >> while still moving the world forward. > > Why is it that every patch Hector submits seems to end up with flame > wars? Perhaps because this driver has approximately 0.1 direct maintainers right now whose contributions are largely hem and hawing about things without providing any real sustainable solutions, and your amazing additions as the Wireless upstream maintainer have been things like nitpicking whether or not I should use "v2:" in commit messages. Just recently a patch was posted to remove the Infineon list from MAINTAINERS because that company cares so little they have literally stopped accepting emails from us. Meanwhile they are telling their customers that they do not recommend upstream brcmfmac and they should use their downstream driver [1]. As a reminder, the last patch authored by the sole (barely) active maintainer of this driver was almost a year ago. The other two Broadcom folks in MAINTAINERS haven't done anything in years. Arend himself has admitted he only gets 20% time to work on this and it never actually reaches anywhere near 20%. Meanwhile Daniel here has been revamping large chunks of the driver downstream, and fixing major longstanding issues with an intent to upstream. But apparently his opinion doesn't matter. Hey Linus, you have an M2 MacBook Air, right? I assume you want WiFi to work on it properly upstream some day. With the dismal state of brcmfmac maintainership, and with the disdain the people involved have for the people *actually* doing the work on the driver and trying to get everything upstream, that is never going to happen at this rate. Care to chime in? As far as I'm concerned, Cypress support should be ifdeffed out behind a Kconfig flag marked BROKEN. If someone cares about it, they better step up to maintain it and actually test things. We can't have companies submitting device support patches and then checking out and abandoning them and expect the remaining people actually working on the driver to tiptoe around their code "just in case we break them" with no way to actually test anything or properly support those chips. Even the Raspberry Pi folks have been silent other than some empty words and no actual action, so far. You'd think they'd care a bit more about shipping hardware with zero actual upstream maintainer support, but apparently they don't. [1] https://community.infineon.com/t5/AIROC-Wi-Fi-and-Wi-Fi-Bluetooth/Queries-re-linux-in-tree-driver-for-Infineon-Wifi-BT-controllers/td-p/354857 - Hector
On Tue, 19 Dec 2023 at 16:06, Hector Martin <marcan@marcan.st> wrote: > > On 2023/12/19 23:42, Kalle Valo wrote: > > > > Why is it that every patch Hector submits seems to end up with flame > > wars? Well, I do think some of it is Hector's personality and forceful approaches, but I do think part of it is also the area in question. Because I do agree with Hector that.. > Just recently a patch was posted to remove the Infineon list from > MAINTAINERS because that company cares so little they have literally > stopped accepting emails from us. Meanwhile they are telling their > customers that they do not recommend upstream brcmfmac and they should > use their downstream driver [1]. Unquestionably broadcom is not helping maintain things, and I think it should matter. As Hector says, they point to their random driver dumps on their site that you can't even download unless you are a "Broadcom community member" or whatever, and hey - any company that works that way should be seen as pretty much hostile to any actual maintenance and proper development. If Daniel and Hector are responsive to actual problem reports for the changes they cause, I do think that should count a lot. I don't think Cypress support should necessarily be removed (or marked broken), but if the sae_password code already doesn't work, _that_ part certainly shouldn't hold things up? Put another way: if we effectively don't have a driver maintainer that can test things, and somebody is willing to step up, shouldn't we take that person up on it? Linus
On 2023/12/20 10:44, Linus Torvalds wrote: > On Tue, 19 Dec 2023 at 16:06, Hector Martin <marcan@marcan.st> wrote: >> >> On 2023/12/19 23:42, Kalle Valo wrote: >>> >>> Why is it that every patch Hector submits seems to end up with flame >>> wars? > > Well, I do think some of it is Hector's personality and forceful > approaches, but I do think part of it is also the area in question. > > Because I do agree with Hector that.. > >> Just recently a patch was posted to remove the Infineon list from >> MAINTAINERS because that company cares so little they have literally >> stopped accepting emails from us. Meanwhile they are telling their >> customers that they do not recommend upstream brcmfmac and they should >> use their downstream driver [1]. > > Unquestionably broadcom is not helping maintain things, and I think it > should matter. > > As Hector says, they point to their random driver dumps on their site > that you can't even download unless you are a "Broadcom community > member" or whatever, and hey - any company that works that way should > be seen as pretty much hostile to any actual maintenance and proper > development. > > If Daniel and Hector are responsive to actual problem reports for the > changes they cause, I do think that should count a lot. Of course we're happy to do that. If this change goes in and we get an actual report of breakage from someone, we'll have learned some very valuable information: That there is, in fact, an end-user use case (hardware/firmware/AP setting combination) where this code functions and matters, and perhaps we'll have found someone willing to test things in the future. Then we revert and rework the patch to keep the old code path alive in that case. The report will also give us valuable information about how to condition it, because e.g. right now we don't even know if the sae_password code works on any Cypress chips/firmwares at all, or conversely whether the new WSEC code rather makes things work on some subset of Cypress chips/firmwares instead. It is largely a mystery to everyone outside of Broadcom and Cypress how that whole corporate division fork worked and when and how the firmwares started diverging (never mind how Apple's Broadcom firmwares may themselves differ). It's the "don't touch it just in case" approach that is not sustainable, because then we'll just be accumulating technical debt without the slightest clue whether it even does anything useful or not, and needlessly setting back development on the other and newer chips. All this would, of course, be much easier if the vendor actually replied to our emails, since evidently they know what chips/firmware branches might have support for this, but even before Cypress names got removed from MAINTAINERS I was already getting radio silence from them when I asked questions like this, and even on the Broadcom side I had trouble getting Arend to answer simple questions. Ultimately, with minimal to no vendor cooperation, this driver becomes a reverse engineered, community supported driver, with the inevitable gaps in testing and support that entails when we don't have the information the manufacturers do, and people need to understand the consequences of that. If the manufacturers aren't stepping up to do their job, other members of the community (or customers of those vendors) need to do so if there are hardware configurations they rely on, because Daniel and I can't sign up to proactively maintain and test every single Broadcom and Cypress/Infineon chip out there. We don't have the hardware, nor do we have that kind of bandwidth/time. Support for hardware that no maintainer/developer is proactively testing will necessarily fall back to being reactive to regression reports. > I don't think Cypress support should necessarily be removed (or marked > broken), but if the sae_password code already doesn't work, _that_ > part certainly shouldn't hold things up? > > Put another way: if we effectively don't have a driver maintainer that > can test things, and somebody is willing to step up, shouldn't we take > that person up on it? Personally, I do think the rPi folks themselves should step up for *testing* at the very least. I did point them at our downstream WiFi branch at one point during a previous discussion and haven't heard back, so either they never tested it, or they did and it didn't break anything. If they're shipping popular Linux hardware where the WiFi chipset vendor has fully and completely checked out of any upstream support, they need to either accept that upstream support will likely break at some point (because that's just what happens when nobody cares about a given piece of hardware, especially with drivers shared across others like this one) or they need to proactively step up and take on, minimally, an early testing role themselves. - Hector
Hey Hector, On Tue, Nov 07, 2023 at 03:05:31PM +0900, Hector Martin wrote: > Using the WSEC command instead of sae_password seems to be the supported > mechanism on newer firmware, and also how the brcmdhd driver does it. > > According to user reports [1], the sae_password codepath doesn't actually > work on machines with Cypress chips anyway, so no harm in removing it. I'm sorry to disappoint you but I've just tested this patch on a "Pinebook Pro" which has AP6255 module and it broke WPA3 Personal. No error messages are emitted to the kernel log, just iwctl saying it can't establish connection. This is using "Cypress" firmware from the Linux firmware tree [0] renamed to "brcmfmac43455-sdio.bin" which has the following features (extracted from last two lines): 43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-sae-dpp-sr-okc-bpd Version: 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2 DVID 01-1fda2915 This module is used on many SBCs, including some RaspberryPi boards. The reason RaspberryPi owners complain about lack of WPA3 Personal support is that most of them are using obscure downstream distros which ship brcmfmac firmware from somewhere else rather than the Linux firmware tree, so they lack the "sae" feature. Another is that it only works with iwd while default is wpa_supplicant. So far all known reports of those who tried the right firmware on RaspberryPi boards confirm WPA3 Personal was working with iwd [1]. I'll be happy to do more testing if needed. Thank you very much for your hard and insightful work! [0] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/cypress/cyfmac43455-sdio.bin [1] https://github.com/raspberrypi/linux/issues/4718#issuecomment-1279951709
Linus Torvalds <torvalds@linux-foundation.org> writes: >> Just recently a patch was posted to remove the Infineon list from >> MAINTAINERS because that company cares so little they have literally >> stopped accepting emails from us. Meanwhile they are telling their >> customers that they do not recommend upstream brcmfmac and they should >> use their downstream driver [1]. > > Unquestionably broadcom is not helping maintain things, and I think it > should matter. > > As Hector says, they point to their random driver dumps on their site > that you can't even download unless you are a "Broadcom community > member" or whatever, and hey - any company that works that way should > be seen as pretty much hostile to any actual maintenance and proper > development. Sadly this is the normal in the wireless world. All vendors focus on the latest generation, currently it's Wi-Fi 7, and lose interest on older generations. And vendors lose focus on the upstream drivers even faster, usually after a customer project ends. So in practise what we try to do is keep the drivers working somehow on our own, even after the vendors are long gone. If we would deliberately allow breaking drivers because vendor/corporations don't support us, I suspect we would have sevaral broken drivers in upstream. > If Daniel and Hector are responsive to actual problem reports for the > changes they cause, I do think that should count a lot. Sure, but they could also respect to the review comments. I find Arend's proposal is reasonable and that's what I would implement in v2. We (linux-wireless) make abstractions to workaround firmware problems or interface conflicts all the time, just look at ath10k for example. I would not be surprised if we need to add even more abstractions to brcmfmac in the future. And Arend is the expert here, he has best knowledge of Broadcom devices and I trust him. Has anyone even investigated what it would need to implement Arend's proposal? At least I don't see any indication of that.
On Wed, Dec 20, 2023 at 01:16:20PM +0900, Hector Martin wrote: > > > On 2023/12/20 10:44, Linus Torvalds wrote: > > Put another way: if we effectively don't have a driver maintainer that > > can test things, and somebody is willing to step up, shouldn't we take > > that person up on it? > > Personally, I do think the rPi folks themselves should step up for > *testing* at the very least. I did point them at our downstream WiFi > branch at one point during a previous discussion and haven't heard back, > so either they never tested it, or they did and it didn't break > anything. If they're shipping popular Linux hardware where the WiFi > chipset vendor has fully and completely checked out of any upstream > support, they need to either accept that upstream support will likely > break at some point (because that's just what happens when nobody cares > about a given piece of hardware, especially with drivers shared across > others like this one) or they need to proactively step up and take on, > minimally, an early testing role themselves. I'm agree that downstream (e.g. rPi) developers should also participating in upstream kernel development. Also Cc: rPi folks to solicit their opinions. Thanks.
On Wed, 20 Dec 2023 at 01:54, Linus Torvalds <torvalds@linux-foundation.org> wrote: > > On Tue, 19 Dec 2023 at 16:06, Hector Martin <marcan@marcan.st> wrote: > > > > On 2023/12/19 23:42, Kalle Valo wrote: > > > > > > Why is it that every patch Hector submits seems to end up with flame > > > wars? > > Well, I do think some of it is Hector's personality and forceful > approaches, but I do think part of it is also the area in question. > > Because I do agree with Hector that.. > > > Just recently a patch was posted to remove the Infineon list from > > MAINTAINERS because that company cares so little they have literally > > stopped accepting emails from us. Meanwhile they are telling their > > customers that they do not recommend upstream brcmfmac and they should > > use their downstream driver [1]. > > Unquestionably broadcom is not helping maintain things, and I think it > should matter. > > As Hector says, they point to their random driver dumps on their site > that you can't even download unless you are a "Broadcom community > member" or whatever, and hey - any company that works that way should > be seen as pretty much hostile to any actual maintenance and proper > development. > > If Daniel and Hector are responsive to actual problem reports for the > changes they cause, I do think that should count a lot. > > I don't think Cypress support should necessarily be removed (or marked > broken), but if the sae_password code already doesn't work, _that_ > part certainly shouldn't hold things up? > > Put another way: if we effectively don't have a driver maintainer that > can test things, and somebody is willing to step up, shouldn't we take > that person up on it? I am trying to help try and find a maintainer in the community, but of course I can't guarantee anything. Theoretically of course it should be someone from Broadcom, Raspberry Pi, etc. and not the community (not that this helps unblock us promptly). I just would like to say this upstream Cypress driver has a large number of users via Fedora and CentOS Stream Automotive Distribution. And that's just the Fedora family of distros. But the Apple Silicon devices have a pretty large amount of users also. We need to find a way of accommodating both. If that's either fork the code into two separate files somehow or find another maintainer, I don't know (just my uninformed opinion). Is mise le meas/Regards, Eric Curtin > > Linus >
Kalle Valo <kvalo@kernel.org> writes: > And Arend is the expert here, he has best knowledge of Broadcom > devices and I trust him. But Arend decided to step down: https://patchwork.kernel.org/project/linux-wireless/patch/20231220095750.307829-1-arend.vanspriel@broadcom.com/ And no wonder.
On Wed, 20 Dec 2023 at 16:05, Kalle Valo <kvalo@kernel.org> wrote: > > Kalle Valo <kvalo@kernel.org> writes: > > > And Arend is the expert here, he has best knowledge of Broadcom > > devices and I trust him. > > But Arend decided to step down: > > https://patchwork.kernel.org/project/linux-wireless/patch/20231220095750.307829-1-arend.vanspriel@broadcom.com/ > > And no wonder. By the way, just in case my earlier email was misinterpreted, when I suggested we find another maintainer, I meant a co-maintainer to help spread the load, test, review, etc. I'm sad Arend stepped down and that we have less maintainers now. I meant it in good spirits. I have received messages from almost 100 people that seem interested in helping integrate Broadcom wifi in the upstream kernel. I have asked them kindly to not pollute the mailing list and to read this thread to get full context. Is mise le meas/Regards, Eric Curtin > > -- > https://patchwork.kernel.org/project/linux-wireless/list/ > > https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches >
On 2023/12/20 19:16, Paul Fertser wrote: > Hey Hector, > > On Tue, Nov 07, 2023 at 03:05:31PM +0900, Hector Martin wrote: >> Using the WSEC command instead of sae_password seems to be the supported >> mechanism on newer firmware, and also how the brcmdhd driver does it. >> >> According to user reports [1], the sae_password codepath doesn't actually >> work on machines with Cypress chips anyway, so no harm in removing it. > > I'm sorry to disappoint you but I've just tested this patch on a > "Pinebook Pro" which has AP6255 module and it broke WPA3 Personal. > > No error messages are emitted to the kernel log, just iwctl saying it > can't establish connection. > > This is using "Cypress" firmware from the Linux firmware tree [0] > renamed to "brcmfmac43455-sdio.bin" which has the following features > (extracted from last two lines): > > 43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-sae-dpp-sr-okc-bpd Version: 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2 > DVID 01-1fda2915 > > > This module is used on many SBCs, including some RaspberryPi > boards. The reason RaspberryPi owners complain about lack of WPA3 > Personal support is that most of them are using obscure downstream > distros which ship brcmfmac firmware from somewhere else rather than > the Linux firmware tree, so they lack the "sae" feature. Another is > that it only works with iwd while default is wpa_supplicant. > > So far all known reports of those who tried the right firmware on > RaspberryPi boards confirm WPA3 Personal was working with iwd [1]. > > > I'll be happy to do more testing if needed. Thank you very much for > your hard and insightful work! Thank you for being the first person to actually test any of this :) Now we actually have a reason to keep the code. The next thing I wonder is whether any of the *other* Cypress chips will respond to WSEC (in addition to or instead of sae_password)... Are you willing to test all the other wifi stuff we have queued up downstream? There's a whole pile of changes here: https://github.com/AsahiLinux/linux/commits/bits/080-wifi/ If things break it would be very helpful if you could bisect it down to the specific commit. This patch is also in there of course, feel free to revert/rebase it out. - Hector
On 2023/12/20 19:20, Kalle Valo wrote: > Linus Torvalds <torvalds@linux-foundation.org> writes: > >>> Just recently a patch was posted to remove the Infineon list from >>> MAINTAINERS because that company cares so little they have literally >>> stopped accepting emails from us. Meanwhile they are telling their >>> customers that they do not recommend upstream brcmfmac and they should >>> use their downstream driver [1]. >> >> Unquestionably broadcom is not helping maintain things, and I think it >> should matter. >> >> As Hector says, they point to their random driver dumps on their site >> that you can't even download unless you are a "Broadcom community >> member" or whatever, and hey - any company that works that way should >> be seen as pretty much hostile to any actual maintenance and proper >> development. > > Sadly this is the normal in the wireless world. All vendors focus on the > latest generation, currently it's Wi-Fi 7, and lose interest on older > generations. And vendors lose focus on the upstream drivers even faster, > usually after a customer project ends. > > So in practise what we try to do is keep the drivers working somehow on > our own, even after the vendors are long gone. If we would deliberately > allow breaking drivers because vendor/corporations don't support us, I > suspect we would have sevaral broken drivers in upstream. > >> If Daniel and Hector are responsive to actual problem reports for the >> changes they cause, I do think that should count a lot. > > Sure, but they could also respect to the review comments. I find Arend's > proposal is reasonable and that's what I would implement in v2. We > (linux-wireless) make abstractions to workaround firmware problems or > interface conflicts all the time, just look at ath10k for example. I > would not be surprised if we need to add even more abstractions to > brcmfmac in the future. And Arend is the expert here, he has best > knowledge of Broadcom devices and I trust him. > > Has anyone even investigated what it would need to implement Arend's > proposal? At least I don't see any indication of that. Of course we can implement it (and we will as we actually got a report of this patch breaking Cypress now, finally). The question was never whether it could be done, we're already doing a bunch of abstractions to deal with just the Broadcom-only side of things too. The point I was trying to make is that we need to *know* what firmware abstractions we need and *why* they are needed. We can't just say, for every change, "well, nobody knows if the existing code works or not, so let's just add an abstraction just in case the change breaks something". As far as anyone involved in the discussions until now could tell, this code was just something some Cypress person dumped upstream, and nobody involved was being responsive to any of our inquiries, so there was no way to be certain it worked at all, whether it was supported in public firmware, or anything else. *Now* that we know the existing code is actually functional and not just dead/broken, and that the WSEC approach is conversely not functional on the Cypress firmwares, it makes sense to introduce an abstraction. Here's an example of the case where an abstraction was *not* needed: I switched over WPA PSK configuration from hex-encoded to binary. That was needed to make more recent Apple firmwares work. My evidence at the time that that change *was* at least fairly backwards compatible was that the OpenBSD driver had been doing it that way all along. Had we introduced an abstraction/conditional for that case "just in case", it would have generated superfluous technical debt for no reason. - Hector
On 12/20/2023 7:14 PM, Hector Martin wrote: > > > On 2023/12/20 19:20, Kalle Valo wrote: >> Linus Torvalds <torvalds@linux-foundation.org> writes: >> >>>> Just recently a patch was posted to remove the Infineon list from >>>> MAINTAINERS because that company cares so little they have literally >>>> stopped accepting emails from us. Meanwhile they are telling their >>>> customers that they do not recommend upstream brcmfmac and they should >>>> use their downstream driver [1]. >>> >>> Unquestionably broadcom is not helping maintain things, and I think it >>> should matter. >>> >>> As Hector says, they point to their random driver dumps on their site >>> that you can't even download unless you are a "Broadcom community >>> member" or whatever, and hey - any company that works that way should >>> be seen as pretty much hostile to any actual maintenance and proper >>> development. >> >> Sadly this is the normal in the wireless world. All vendors focus on the >> latest generation, currently it's Wi-Fi 7, and lose interest on older >> generations. And vendors lose focus on the upstream drivers even faster, >> usually after a customer project ends. >> >> So in practise what we try to do is keep the drivers working somehow on >> our own, even after the vendors are long gone. If we would deliberately >> allow breaking drivers because vendor/corporations don't support us, I >> suspect we would have sevaral broken drivers in upstream. >> >>> If Daniel and Hector are responsive to actual problem reports for the >>> changes they cause, I do think that should count a lot. >> >> Sure, but they could also respect to the review comments. I find Arend's >> proposal is reasonable and that's what I would implement in v2. We >> (linux-wireless) make abstractions to workaround firmware problems or >> interface conflicts all the time, just look at ath10k for example. I >> would not be surprised if we need to add even more abstractions to >> brcmfmac in the future. And Arend is the expert here, he has best >> knowledge of Broadcom devices and I trust him. >> >> Has anyone even investigated what it would need to implement Arend's >> proposal? At least I don't see any indication of that. > > Of course we can implement it (and we will as we actually got a report > of this patch breaking Cypress now, finally). > > The question was never whether it could be done, we're already doing a > bunch of abstractions to deal with just the Broadcom-only side of things > too. The point I was trying to make is that we need to *know* what > firmware abstractions we need and *why* they are needed. We can't just > say, for every change, "well, nobody knows if the existing code works or > not, so let's just add an abstraction just in case the change breaks > something". As far as anyone involved in the discussions until now could > tell, this code was just something some Cypress person dumped upstream, > and nobody involved was being responsive to any of our inquiries, so > there was no way to be certain it worked at all, whether it was > supported in public firmware, or anything else. > > *Now* that we know the existing code is actually functional and not just > dead/broken, and that the WSEC approach is conversely not functional on > the Cypress firmwares, it makes sense to introduce an abstraction. Just a quick look in the git history could have told you that it was not just dumped upstream and at least one person was using it and extended it for 802.11r support (fast-roaming): author Paweł Drewniak <czajernia@gmail.com> 2021-08-24 23:13:30 +0100 committer Kalle Valo <kvalo@codeaurora.org> 2021-08-29 11:33:07 +0300 commit 4b51de063d5310f1fb297388b7955926e63e45c9 (patch) tree ba2ccb5cbd055d482a8daa263f5e53531c07667f /drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c parent 81f9ebd43659320a88cae8ed5124c50b4d47ab66 (diff) download wireless-4b51de063d5310f1fb297388b7955926e63e45c9.tar.gz brcmfmac: Add WPA3 Personal with FT to supported cipher suites This allows the driver to connect to BSSIDs supporting SAE with 802.11r. Tested on Raspberry Pi 4 Model B (STA) and UniFi 6LR/OpenWRT 21.02.0-rc2. AP was set to 'sae-mixed' (WPA2/3 Personal). Signed-off-by: Paweł Drewniak <czajernia@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210824221330.3847139-1-czajernia@gmail.com > Here's an example of the case where an abstraction was *not* needed: I > switched over WPA PSK configuration from hex-encoded to binary. That was > needed to make more recent Apple firmwares work. My evidence at the time > that that change *was* at least fairly backwards compatible was that the > OpenBSD driver had been doing it that way all along. Had we introduced > an abstraction/conditional for that case "just in case", it would have > generated superfluous technical debt for no reason. Fully agreeing here and you already given the argument for that in the commit message. Hence there was no discussion whatsoever about that. Regards, Arend
On 2023/12/21 4:36, Arend van Spriel wrote: > On 12/20/2023 7:14 PM, Hector Martin wrote: >> >> >> On 2023/12/20 19:20, Kalle Valo wrote: >>> Linus Torvalds <torvalds@linux-foundation.org> writes: >>> >>>>> Just recently a patch was posted to remove the Infineon list from >>>>> MAINTAINERS because that company cares so little they have literally >>>>> stopped accepting emails from us. Meanwhile they are telling their >>>>> customers that they do not recommend upstream brcmfmac and they should >>>>> use their downstream driver [1]. >>>> >>>> Unquestionably broadcom is not helping maintain things, and I think it >>>> should matter. >>>> >>>> As Hector says, they point to their random driver dumps on their site >>>> that you can't even download unless you are a "Broadcom community >>>> member" or whatever, and hey - any company that works that way should >>>> be seen as pretty much hostile to any actual maintenance and proper >>>> development. >>> >>> Sadly this is the normal in the wireless world. All vendors focus on the >>> latest generation, currently it's Wi-Fi 7, and lose interest on older >>> generations. And vendors lose focus on the upstream drivers even faster, >>> usually after a customer project ends. >>> >>> So in practise what we try to do is keep the drivers working somehow on >>> our own, even after the vendors are long gone. If we would deliberately >>> allow breaking drivers because vendor/corporations don't support us, I >>> suspect we would have sevaral broken drivers in upstream. >>> >>>> If Daniel and Hector are responsive to actual problem reports for the >>>> changes they cause, I do think that should count a lot. >>> >>> Sure, but they could also respect to the review comments. I find Arend's >>> proposal is reasonable and that's what I would implement in v2. We >>> (linux-wireless) make abstractions to workaround firmware problems or >>> interface conflicts all the time, just look at ath10k for example. I >>> would not be surprised if we need to add even more abstractions to >>> brcmfmac in the future. And Arend is the expert here, he has best >>> knowledge of Broadcom devices and I trust him. >>> >>> Has anyone even investigated what it would need to implement Arend's >>> proposal? At least I don't see any indication of that. >> >> Of course we can implement it (and we will as we actually got a report >> of this patch breaking Cypress now, finally). >> >> The question was never whether it could be done, we're already doing a >> bunch of abstractions to deal with just the Broadcom-only side of things >> too. The point I was trying to make is that we need to *know* what >> firmware abstractions we need and *why* they are needed. We can't just >> say, for every change, "well, nobody knows if the existing code works or >> not, so let's just add an abstraction just in case the change breaks >> something". As far as anyone involved in the discussions until now could >> tell, this code was just something some Cypress person dumped upstream, >> and nobody involved was being responsive to any of our inquiries, so >> there was no way to be certain it worked at all, whether it was >> supported in public firmware, or anything else. >> >> *Now* that we know the existing code is actually functional and not just >> dead/broken, and that the WSEC approach is conversely not functional on >> the Cypress firmwares, it makes sense to introduce an abstraction. > > Just a quick look in the git history could have told you that it was not > just dumped upstream and at least one person was using it and extended > it for 802.11r support (fast-roaming): > > > author Paweł Drewniak <czajernia@gmail.com> 2021-08-24 23:13:30 +0100 > committer Kalle Valo <kvalo@codeaurora.org> 2021-08-29 11:33:07 +0300 > commit 4b51de063d5310f1fb297388b7955926e63e45c9 (patch) > tree ba2ccb5cbd055d482a8daa263f5e53531c07667f > /drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > parent 81f9ebd43659320a88cae8ed5124c50b4d47ab66 (diff) > download wireless-4b51de063d5310f1fb297388b7955926e63e45c9.tar.gz > brcmfmac: Add WPA3 Personal with FT to supported cipher suites > This allows the driver to connect to BSSIDs supporting SAE with 802.11r. > Tested on Raspberry Pi 4 Model B (STA) and UniFi 6LR/OpenWRT 21.02.0-rc2. > AP was set to 'sae-mixed' (WPA2/3 Personal). > > Signed-off-by: Paweł Drewniak <czajernia@gmail.com> > Signed-off-by: Kalle Valo <kvalo@codeaurora.org> > Link: https://lore.kernel.org/r/20210824221330.3847139-1-czajernia@gmail.com Sure, but we also had user reports of it *not* actually working (maybe it regressed?). We didn't know whether it was functional with the linux-firmware blobs in any way, I wanted confirmation of that. And we also didn't know that the patch *would* break it at all; perhaps the Cypress firmware had also grown support for the WSEC mechanism. That's why I wanted someone to actually confirm the code worked (in some subset of cases) and the patch didn't, before starting to introduce conditionals. There is, of course, also the element that the Cypress side has been long unmaintained, and if nobody is testing/giving feedback/complaining, perhaps it's better to err on the side of maybe breaking something and see if that gets someone to come out of the woodwork if it really breaks, rather than tiptoeing around the code without knowing what's going on and without anyone actually testing things. It's not about this *specific* patch, it's about the general situation of not being able to touch firmware interfaces "just in case Cypress breaks" being unsustainable in the long term. I wasn't pushing back because I think this particular one will be hard, I was pushing back because I can read the tea leaves and see this is not going to end well if it's the approach we start taking for everything. We *need* someone to be testing patches on Cypress, we can't just "try not to touch it" and cross our fingers. That just ends in disaster, we are not going to succeed in not breaking it either way and it's going to make the driver worse. - Hector
- SHA-cyfmac-dev-list@infineon.com On 12/21/2023 1:49 AM, Hector Martin wrote: > > > On 2023/12/21 4:36, Arend van Spriel wrote: >> On 12/20/2023 7:14 PM, Hector Martin wrote: >>> >>> >>> On 2023/12/20 19:20, Kalle Valo wrote: >>>> Linus Torvalds <torvalds@linux-foundation.org> writes: >>>> >>>>>> Just recently a patch was posted to remove the Infineon list from >>>>>> MAINTAINERS because that company cares so little they have literally >>>>>> stopped accepting emails from us. Meanwhile they are telling their >>>>>> customers that they do not recommend upstream brcmfmac and they should >>>>>> use their downstream driver [1]. >>>>> >>>>> Unquestionably broadcom is not helping maintain things, and I think it >>>>> should matter. >>>>> >>>>> As Hector says, they point to their random driver dumps on their site >>>>> that you can't even download unless you are a "Broadcom community >>>>> member" or whatever, and hey - any company that works that way should >>>>> be seen as pretty much hostile to any actual maintenance and proper >>>>> development. >>>> >>>> Sadly this is the normal in the wireless world. All vendors focus on the >>>> latest generation, currently it's Wi-Fi 7, and lose interest on older >>>> generations. And vendors lose focus on the upstream drivers even faster, >>>> usually after a customer project ends. >>>> >>>> So in practise what we try to do is keep the drivers working somehow on >>>> our own, even after the vendors are long gone. If we would deliberately >>>> allow breaking drivers because vendor/corporations don't support us, I >>>> suspect we would have sevaral broken drivers in upstream. >>>> >>>>> If Daniel and Hector are responsive to actual problem reports for the >>>>> changes they cause, I do think that should count a lot. >>>> >>>> Sure, but they could also respect to the review comments. I find Arend's >>>> proposal is reasonable and that's what I would implement in v2. We >>>> (linux-wireless) make abstractions to workaround firmware problems or >>>> interface conflicts all the time, just look at ath10k for example. I >>>> would not be surprised if we need to add even more abstractions to >>>> brcmfmac in the future. And Arend is the expert here, he has best >>>> knowledge of Broadcom devices and I trust him. >>>> >>>> Has anyone even investigated what it would need to implement Arend's >>>> proposal? At least I don't see any indication of that. >>> >>> Of course we can implement it (and we will as we actually got a report >>> of this patch breaking Cypress now, finally). >>> >>> The question was never whether it could be done, we're already doing a >>> bunch of abstractions to deal with just the Broadcom-only side of things >>> too. The point I was trying to make is that we need to *know* what >>> firmware abstractions we need and *why* they are needed. We can't just >>> say, for every change, "well, nobody knows if the existing code works or >>> not, so let's just add an abstraction just in case the change breaks >>> something". As far as anyone involved in the discussions until now could >>> tell, this code was just something some Cypress person dumped upstream, >>> and nobody involved was being responsive to any of our inquiries, so >>> there was no way to be certain it worked at all, whether it was >>> supported in public firmware, or anything else. >>> >>> *Now* that we know the existing code is actually functional and not just >>> dead/broken, and that the WSEC approach is conversely not functional on >>> the Cypress firmwares, it makes sense to introduce an abstraction. >> >> Just a quick look in the git history could have told you that it was not >> just dumped upstream and at least one person was using it and extended >> it for 802.11r support (fast-roaming): >> >> >> author Paweł Drewniak <czajernia@gmail.com> 2021-08-24 23:13:30 +0100 >> committer Kalle Valo <kvalo@codeaurora.org> 2021-08-29 11:33:07 +0300 >> commit 4b51de063d5310f1fb297388b7955926e63e45c9 (patch) >> tree ba2ccb5cbd055d482a8daa263f5e53531c07667f >> /drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c >> parent 81f9ebd43659320a88cae8ed5124c50b4d47ab66 (diff) >> download wireless-4b51de063d5310f1fb297388b7955926e63e45c9.tar.gz >> brcmfmac: Add WPA3 Personal with FT to supported cipher suites >> This allows the driver to connect to BSSIDs supporting SAE with 802.11r. >> Tested on Raspberry Pi 4 Model B (STA) and UniFi 6LR/OpenWRT 21.02.0-rc2. >> AP was set to 'sae-mixed' (WPA2/3 Personal). >> >> Signed-off-by: Paweł Drewniak <czajernia@gmail.com> >> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> >> Link: https://lore.kernel.org/r/20210824221330.3847139-1-czajernia@gmail.com > > Sure, but we also had user reports of it *not* actually working (maybe > it regressed?). We didn't know whether it was functional with the > linux-firmware blobs in any way, I wanted confirmation of that. And we > also didn't know that the patch *would* break it at all; perhaps the > Cypress firmware had also grown support for the WSEC mechanism. > > That's why I wanted someone to actually confirm the code worked (in some > subset of cases) and the patch didn't, before starting to introduce > conditionals. There is, of course, also the element that the Cypress > side has been long unmaintained, and if nobody is testing/giving > feedback/complaining, perhaps it's better to err on the side of maybe > breaking something and see if that gets someone to come out of the > woodwork if it really breaks, rather than tiptoeing around the code > without knowing what's going on and without anyone actually testing things. That is because you distrust the intent that Cypress was really contributing. They were and I trusted them to not just throw in a feature like WPA3. When Infineon took over they went mute. Upon reviewing your patch (again) I also sent an email to them asking specifically about the status of the sae_password interface. I did not use the mailing list which indeed bounces these days (hence removed them) but the last living soul that I had contact with about a year ago whether they were still comitted to be involved. I guess out of politeness or embarrassment I got confirmation they were and never heard from him again. The query about the sae_password interface is still pending. > It's not about this *specific* patch, it's about the general situation > of not being able to touch firmware interfaces "just in case Cypress > breaks" being unsustainable in the long term. I wasn't pushing back > because I think this particular one will be hard, I was pushing back > because I can read the tea leaves and see this is not going to end well > if it's the approach we start taking for everything. We *need* someone > to be testing patches on Cypress, we can't just "try not to touch it" > and cross our fingers. That just ends in disaster, we are not going to > succeed in not breaking it either way and it's going to make the driver > worse. I admire you ability of reading tea leaves. You saw the Grim I reckon. Admittedly your responses on every comment from my side (or Kalle for that matter) was polarizing every discussion. That is common way people treat each other nowadays especially online where a conversation is just a pile of text going shit. It does not bring out the best in me either, but it was draining every ounce of energy from me so better end it by stepping out. I added the ground work for multi-vendor support, but have not decided on the approach to take. Abstract per firmware interface primitive or simply have a cfg80211.c and fwil_types.h per vendor OR implement a vendor-specific cfg80211 callback and override the default callback during the driver attach, ie. in brcmf_fwvid_wcc_attach(). The latter duplicates things, but lean towards that as it may be easier on the long-term. What do your tea leaves tell you ;-) Regards, Arend
Hi Julian, >>>>>> Using the WSEC command instead of sae_password seems to be the supported >>>>>> mechanism on newer firmware, and also how the brcmdhd driver does it. >>>>>> >>>>>> According to user reports [1], the sae_password codepath doesn't actually >>>>>> work on machines with Cypress chips anyway, so no harm in removing it. >>>>>> >>>>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support >>>>>> patchset [2]. >>>>>> >>>>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >>>>>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >>>>>> >>>>>> Signed-off-by: Hector Martin <marcan@marcan.st> >>>>>> Reviewed-by: Neal Gompa <neal@gompa.dev> >>>>> >>>>> Arend, what do you think? >>>>> >>>>> We recently talked about people testing brcmfmac patches, has anyone else >>>>> tested this? >>>> >>>> Not sure I already replied so maybe I am repeating myself. I would prefer >>>> to keep the Cypress sae_password path as well although it reportedly does >>>> not work. The vendor support in the driver can be used to accommodate for >>>> that. The other option would be to have people with Cypress chipset test >>>> this patch. If that works for both we can consider dropping the >>>> sae_password path. >>>> >>>> Regards, >>>> Arend >>> >>> So, if nobody from Cypress chimes in ever, and nobody cares nor tests >>> Cypress chipsets, are we keeping any and all existing Cypress code-paths >>> as bitrotting code forever and adding gratuitous conditionals every time >>> any functionality needs to change "just in case it breaks Cypress" even >>> though it has been tested compatible on Broadcom chipsets/firmware? >>> >>> Because that's not sustainable long term. >> >> You should look into WEXT just for the fun of it. If it were up to me >> and a bunch of other people that would have been gone decades ago. Maybe >> a bad example if the sae_password is indeed not working, but the Cypress >> chipset is used in RPi3 and RPi4 so there must be a couple of users. > > There are reports that WPA3 is broken on the Cypress chipsets the > Raspberry Pis are using and this patch fixes it: > https://rachelbythebay.com/w/2023/11/06/wpa3/ > > Based on that, it appears that all known users of WPA3 capable > hardware with this driver require this fix. the Pis are all using an outdated firmware. In their distro they put the firmware already under the alternates systems, but it just lacks the SAE offload support that is required to make WPA3 work. The linux-firmware version does the trick nicely. I documented what I did to make this work on Pi5 (note that I normally use Fedora on Pi4 and thus never encountered this issue) https://holtmann.dev/enabling-wpa3-on-raspberry-pi/ However you need to use iwd and not hope that you get a wpa_supplicant released version that will work. So whole game of wpa_supplicant is vendor specific to the company that provides the driver is also insane, but that is another story. Use iwd and you can most likely have WPA3 support if you have the right firmware. Regards Marcel
On Thu, Dec 21, 2023 at 3:40 PM Marcel Holtmann <marcel@holtmann.org> wrote: > > Hi Julian, > > >>>>>> Using the WSEC command instead of sae_password seems to be the supported > >>>>>> mechanism on newer firmware, and also how the brcmdhd driver does it. > >>>>>> > >>>>>> According to user reports [1], the sae_password codepath doesn't actually > >>>>>> work on machines with Cypress chips anyway, so no harm in removing it. > >>>>>> > >>>>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support > >>>>>> patchset [2]. > >>>>>> > >>>>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ > >>>>>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html > >>>>>> > >>>>>> Signed-off-by: Hector Martin <marcan@marcan.st> > >>>>>> Reviewed-by: Neal Gompa <neal@gompa.dev> > >>>>> > >>>>> Arend, what do you think? > >>>>> > >>>>> We recently talked about people testing brcmfmac patches, has anyone else > >>>>> tested this? > >>>> > >>>> Not sure I already replied so maybe I am repeating myself. I would prefer > >>>> to keep the Cypress sae_password path as well although it reportedly does > >>>> not work. The vendor support in the driver can be used to accommodate for > >>>> that. The other option would be to have people with Cypress chipset test > >>>> this patch. If that works for both we can consider dropping the > >>>> sae_password path. > >>>> > >>>> Regards, > >>>> Arend > >>> > >>> So, if nobody from Cypress chimes in ever, and nobody cares nor tests > >>> Cypress chipsets, are we keeping any and all existing Cypress code-paths > >>> as bitrotting code forever and adding gratuitous conditionals every time > >>> any functionality needs to change "just in case it breaks Cypress" even > >>> though it has been tested compatible on Broadcom chipsets/firmware? > >>> > >>> Because that's not sustainable long term. > >> > >> You should look into WEXT just for the fun of it. If it were up to me > >> and a bunch of other people that would have been gone decades ago. Maybe > >> a bad example if the sae_password is indeed not working, but the Cypress > >> chipset is used in RPi3 and RPi4 so there must be a couple of users. > > > > There are reports that WPA3 is broken on the Cypress chipsets the > > Raspberry Pis are using and this patch fixes it: > > https://rachelbythebay.com/w/2023/11/06/wpa3/ > > > > Based on that, it appears that all known users of WPA3 capable > > hardware with this driver require this fix. > > the Pis are all using an outdated firmware. In their distro they put the > firmware already under the alternates systems, but it just lacks the SAE > offload support that is required to make WPA3 work. The linux-firmware > version does the trick nicely. > > I documented what I did to make this work on Pi5 (note that I normally > use Fedora on Pi4 and thus never encountered this issue) > > https://holtmann.dev/enabling-wpa3-on-raspberry-pi/ > > However you need to use iwd and not hope that you get a wpa_supplicant > released version that will work. > > So whole game of wpa_supplicant is vendor specific to the company that > provides the driver is also insane, but that is another story. Use iwd > and you can most likely have WPA3 support if you have the right firmware. > wpa_supplicant is perfectly fine if the necessary patches are backported, as Fedora has done: https://src.fedoraproject.org/rpms/wpa_supplicant/c/99f4bf2096d3976cee01c499d7a30c1376f5f0f7 -- 真実はいつも一つ!/ Always, there's only one truth!
On 2023/12/21 18:57, Arend van Spriel wrote: > - SHA-cyfmac-dev-list@infineon.com > > On 12/21/2023 1:49 AM, Hector Martin wrote: >> >> >> On 2023/12/21 4:36, Arend van Spriel wrote: >>> On 12/20/2023 7:14 PM, Hector Martin wrote: >>>> >>>> >>>> On 2023/12/20 19:20, Kalle Valo wrote: >>>>> Linus Torvalds <torvalds@linux-foundation.org> writes: >>>>> >>>>>>> Just recently a patch was posted to remove the Infineon list from >>>>>>> MAINTAINERS because that company cares so little they have literally >>>>>>> stopped accepting emails from us. Meanwhile they are telling their >>>>>>> customers that they do not recommend upstream brcmfmac and they should >>>>>>> use their downstream driver [1]. >>>>>> >>>>>> Unquestionably broadcom is not helping maintain things, and I think it >>>>>> should matter. >>>>>> >>>>>> As Hector says, they point to their random driver dumps on their site >>>>>> that you can't even download unless you are a "Broadcom community >>>>>> member" or whatever, and hey - any company that works that way should >>>>>> be seen as pretty much hostile to any actual maintenance and proper >>>>>> development. >>>>> >>>>> Sadly this is the normal in the wireless world. All vendors focus on the >>>>> latest generation, currently it's Wi-Fi 7, and lose interest on older >>>>> generations. And vendors lose focus on the upstream drivers even faster, >>>>> usually after a customer project ends. >>>>> >>>>> So in practise what we try to do is keep the drivers working somehow on >>>>> our own, even after the vendors are long gone. If we would deliberately >>>>> allow breaking drivers because vendor/corporations don't support us, I >>>>> suspect we would have sevaral broken drivers in upstream. >>>>> >>>>>> If Daniel and Hector are responsive to actual problem reports for the >>>>>> changes they cause, I do think that should count a lot. >>>>> >>>>> Sure, but they could also respect to the review comments. I find Arend's >>>>> proposal is reasonable and that's what I would implement in v2. We >>>>> (linux-wireless) make abstractions to workaround firmware problems or >>>>> interface conflicts all the time, just look at ath10k for example. I >>>>> would not be surprised if we need to add even more abstractions to >>>>> brcmfmac in the future. And Arend is the expert here, he has best >>>>> knowledge of Broadcom devices and I trust him. >>>>> >>>>> Has anyone even investigated what it would need to implement Arend's >>>>> proposal? At least I don't see any indication of that. >>>> >>>> Of course we can implement it (and we will as we actually got a report >>>> of this patch breaking Cypress now, finally). >>>> >>>> The question was never whether it could be done, we're already doing a >>>> bunch of abstractions to deal with just the Broadcom-only side of things >>>> too. The point I was trying to make is that we need to *know* what >>>> firmware abstractions we need and *why* they are needed. We can't just >>>> say, for every change, "well, nobody knows if the existing code works or >>>> not, so let's just add an abstraction just in case the change breaks >>>> something". As far as anyone involved in the discussions until now could >>>> tell, this code was just something some Cypress person dumped upstream, >>>> and nobody involved was being responsive to any of our inquiries, so >>>> there was no way to be certain it worked at all, whether it was >>>> supported in public firmware, or anything else. >>>> >>>> *Now* that we know the existing code is actually functional and not just >>>> dead/broken, and that the WSEC approach is conversely not functional on >>>> the Cypress firmwares, it makes sense to introduce an abstraction. >>> >>> Just a quick look in the git history could have told you that it was not >>> just dumped upstream and at least one person was using it and extended >>> it for 802.11r support (fast-roaming): >>> >>> >>> author Paweł Drewniak <czajernia@gmail.com> 2021-08-24 23:13:30 +0100 >>> committer Kalle Valo <kvalo@codeaurora.org> 2021-08-29 11:33:07 +0300 >>> commit 4b51de063d5310f1fb297388b7955926e63e45c9 (patch) >>> tree ba2ccb5cbd055d482a8daa263f5e53531c07667f >>> /drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c >>> parent 81f9ebd43659320a88cae8ed5124c50b4d47ab66 (diff) >>> download wireless-4b51de063d5310f1fb297388b7955926e63e45c9.tar.gz >>> brcmfmac: Add WPA3 Personal with FT to supported cipher suites >>> This allows the driver to connect to BSSIDs supporting SAE with 802.11r. >>> Tested on Raspberry Pi 4 Model B (STA) and UniFi 6LR/OpenWRT 21.02.0-rc2. >>> AP was set to 'sae-mixed' (WPA2/3 Personal). >>> >>> Signed-off-by: Paweł Drewniak <czajernia@gmail.com> >>> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> >>> Link: https://lore.kernel.org/r/20210824221330.3847139-1-czajernia@gmail.com >> >> Sure, but we also had user reports of it *not* actually working (maybe >> it regressed?). We didn't know whether it was functional with the >> linux-firmware blobs in any way, I wanted confirmation of that. And we >> also didn't know that the patch *would* break it at all; perhaps the >> Cypress firmware had also grown support for the WSEC mechanism. >> >> That's why I wanted someone to actually confirm the code worked (in some >> subset of cases) and the patch didn't, before starting to introduce >> conditionals. There is, of course, also the element that the Cypress >> side has been long unmaintained, and if nobody is testing/giving >> feedback/complaining, perhaps it's better to err on the side of maybe >> breaking something and see if that gets someone to come out of the >> woodwork if it really breaks, rather than tiptoeing around the code >> without knowing what's going on and without anyone actually testing things. > > That is because you distrust the intent that Cypress was really > contributing. They were and I trusted them to not just throw in a > feature like WPA3. When Infineon took over they went mute. Upon > reviewing your patch (again) I also sent an email to them asking > specifically about the status of the sae_password interface. I did not > use the mailing list which indeed bounces these days (hence removed > them) but the last living soul that I had contact with about a year ago > whether they were still comitted to be involved. I guess out of > politeness or embarrassment I got confirmation they were and never heard > from him again. The query about the sae_password interface is still pending. If only corporate acquisition politics didn't repeatedly throw a wrench into this one... :/ This is where we are though, Infineon clearly doesn't care, so it's time to move on. >> It's not about this *specific* patch, it's about the general situation >> of not being able to touch firmware interfaces "just in case Cypress >> breaks" being unsustainable in the long term. I wasn't pushing back >> because I think this particular one will be hard, I was pushing back >> because I can read the tea leaves and see this is not going to end well >> if it's the approach we start taking for everything. We *need* someone >> to be testing patches on Cypress, we can't just "try not to touch it" >> and cross our fingers. That just ends in disaster, we are not going to >> succeed in not breaking it either way and it's going to make the driver >> worse. > > I admire you ability of reading tea leaves. You saw the Grim I reckon. > Admittedly your responses on every comment from my side (or Kalle for > that matter) was polarizing every discussion. That is common way people > treat each other nowadays especially online where a conversation is just > a pile of text going shit. It does not bring out the best in me either, > but it was draining every ounce of energy from me so better end it by > stepping out. The hilariously outdated kernel development model surely doesn't help either (I've stated my opinion on this quite a few times if you've followed around) ;) This stuff gets *really* frustrating when you're trying to improve what is, I hope we can all admit, an undermaintained driver (that is not to say it's anyone's fault personally), and end up getting held back due to everything from coding style nitpicks to people not having the time to be responsive. It's just not helpful. It's important to know when to step aside and let people actually get stuff done. When Daniel started sending me brcmfmac patches downstream, I took a look at a few of them, decided he knew what he was doing, and just started pulling in his branches wholesale. Was it perfect? No, I had to debug at least one regression at one point. But it took me less time to do that than it would've to go through the commits with a fine toothed comb, so it was clearly the right decision. That is not to say that should be the standard upstream (we make a point of moving fast and breaking things more downstream, since it's a proving ground for what eventually will be upstreamed), but I think it does demonstrate the kind of delegation ability that is sorely lacking in many drivers and subsystems in the kernel these days. Maintainers become entrenched in their position, long beyond the point where they have the time/motivation/ability to drive the code forward, and end up in the way of new people who are trying to make a difference. I think Linus knows full well the kernel maintainer community is stagnating. That doesn't mean people should step down entirely. But it does mean they need to recognize when this is happening and, at least, proactively try to bring new people in, instead of just continuing to play a gatekeeping role. The role of maintainers should not be that of a wall people have to climb over to get their changes in, it should be to guide new contributors and help onboard people who can contribute, as peers and eventually as future maintainers. Kalle, in the other thread you said "this is not fun anymore, this is more like a business with requirements and demands coming from everywhere.". That's what it feels like to us when our changes get rejected because the local vars aren't in reverse Christmas tree order, or because our commit messages have "v2:" in them. It feels like some manager is trying to justify their position by creating busywork for everyone else. Nobody should actually care about any of those things, and if they do, they need to step back and really ask themselves how they ended up believing that. If the goal is to enforce a reasonable shared coding style so things don't spiral into chaos, FFS, let's just do what every other project does these days and adopt clang-format. Then *all* of us can stop wasting time on these trivialities and go back to getting stuff done. And really, nobody cares about commit messages as long as the tags are right, the subject line is succinct, and the important information is in there. Extra stuff never hurt anyone. > I added the ground work for multi-vendor support, but have not decided > on the approach to take. Abstract per firmware interface primitive or > simply have a cfg80211.c and fwil_types.h per vendor OR implement a > vendor-specific cfg80211 callback and override the default callback > during the driver attach, ie. in brcmf_fwvid_wcc_attach(). The latter > duplicates things, but lean towards that as it may be easier on the > long-term. What do your tea leaves tell you ;-) FWIW, I was hoping you'd stay on at least as a reviewer. Your contributions are valuable. You obviously know the driver and hardware much better than most people. I encourage you to, at least, post a v2 of the MAINTAINERS patch with yourself as an R: line. As far as the actual driver abstraction architecture, I'm going to leave it to Daniel to decide what makes the most sense, since he's the one introducing new mechanisms for that already. There's always room for refactoring later though, depending on the direction things take with the vendor split. BTW, clang-format also makes refactoring a lot less painful ;) - Hector
Hi Neal, >>>>>>>> Using the WSEC command instead of sae_password seems to be the supported >>>>>>>> mechanism on newer firmware, and also how the brcmdhd driver does it. >>>>>>>> >>>>>>>> According to user reports [1], the sae_password codepath doesn't actually >>>>>>>> work on machines with Cypress chips anyway, so no harm in removing it. >>>>>>>> >>>>>>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support >>>>>>>> patchset [2]. >>>>>>>> >>>>>>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >>>>>>>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >>>>>>>> >>>>>>>> Signed-off-by: Hector Martin <marcan@marcan.st> >>>>>>>> Reviewed-by: Neal Gompa <neal@gompa.dev> >>>>>>> >>>>>>> Arend, what do you think? >>>>>>> >>>>>>> We recently talked about people testing brcmfmac patches, has anyone else >>>>>>> tested this? >>>>>> >>>>>> Not sure I already replied so maybe I am repeating myself. I would prefer >>>>>> to keep the Cypress sae_password path as well although it reportedly does >>>>>> not work. The vendor support in the driver can be used to accommodate for >>>>>> that. The other option would be to have people with Cypress chipset test >>>>>> this patch. If that works for both we can consider dropping the >>>>>> sae_password path. >>>>>> >>>>>> Regards, >>>>>> Arend >>>>> >>>>> So, if nobody from Cypress chimes in ever, and nobody cares nor tests >>>>> Cypress chipsets, are we keeping any and all existing Cypress code-paths >>>>> as bitrotting code forever and adding gratuitous conditionals every time >>>>> any functionality needs to change "just in case it breaks Cypress" even >>>>> though it has been tested compatible on Broadcom chipsets/firmware? >>>>> >>>>> Because that's not sustainable long term. >>>> >>>> You should look into WEXT just for the fun of it. If it were up to me >>>> and a bunch of other people that would have been gone decades ago. Maybe >>>> a bad example if the sae_password is indeed not working, but the Cypress >>>> chipset is used in RPi3 and RPi4 so there must be a couple of users. >>> >>> There are reports that WPA3 is broken on the Cypress chipsets the >>> Raspberry Pis are using and this patch fixes it: >>> https://rachelbythebay.com/w/2023/11/06/wpa3/ >>> >>> Based on that, it appears that all known users of WPA3 capable >>> hardware with this driver require this fix. >> >> the Pis are all using an outdated firmware. In their distro they put the >> firmware already under the alternates systems, but it just lacks the SAE >> offload support that is required to make WPA3 work. The linux-firmware >> version does the trick nicely. >> >> I documented what I did to make this work on Pi5 (note that I normally >> use Fedora on Pi4 and thus never encountered this issue) >> >> https://holtmann.dev/enabling-wpa3-on-raspberry-pi/ >> >> However you need to use iwd and not hope that you get a wpa_supplicant >> released version that will work. >> >> So whole game of wpa_supplicant is vendor specific to the company that >> provides the driver is also insane, but that is another story. Use iwd >> and you can most likely have WPA3 support if you have the right firmware. >> > > wpa_supplicant is perfectly fine if the necessary patches are > backported, as Fedora has done: > https://src.fedoraproject.org/rpms/wpa_supplicant/c/99f4bf2096d3976cee01c499d7a30c1376f5f0f7 my point exactly. Tell me when the last hostap release was and how much delta that has to HEAD. So the wpa_supplicant you have in Fedora is essentially yet another fork of an upstream project. One of many. Reality is there is limited interest to make WiFi great on Linux. And if you really look honestly, then you realize it is pretty bad. Regards Marcel
On Fri, 22 Dec 2023 at 05:19, Hector Martin <marcan@marcan.st> wrote: > > > > On 2023/12/21 18:57, Arend van Spriel wrote: > > - SHA-cyfmac-dev-list@infineon.com > > > > On 12/21/2023 1:49 AM, Hector Martin wrote: > >> > >> > >> On 2023/12/21 4:36, Arend van Spriel wrote: > >>> On 12/20/2023 7:14 PM, Hector Martin wrote: > >>>> > >>>> > >>>> On 2023/12/20 19:20, Kalle Valo wrote: > >>>>> Linus Torvalds <torvalds@linux-foundation.org> writes: > >>>>> > >>>>>>> Just recently a patch was posted to remove the Infineon list from > >>>>>>> MAINTAINERS because that company cares so little they have literally > >>>>>>> stopped accepting emails from us. Meanwhile they are telling their > >>>>>>> customers that they do not recommend upstream brcmfmac and they should > >>>>>>> use their downstream driver [1]. > >>>>>> > >>>>>> Unquestionably broadcom is not helping maintain things, and I think it > >>>>>> should matter. > >>>>>> > >>>>>> As Hector says, they point to their random driver dumps on their site > >>>>>> that you can't even download unless you are a "Broadcom community > >>>>>> member" or whatever, and hey - any company that works that way should > >>>>>> be seen as pretty much hostile to any actual maintenance and proper > >>>>>> development. > >>>>> > >>>>> Sadly this is the normal in the wireless world. All vendors focus on the > >>>>> latest generation, currently it's Wi-Fi 7, and lose interest on older > >>>>> generations. And vendors lose focus on the upstream drivers even faster, > >>>>> usually after a customer project ends. > >>>>> > >>>>> So in practise what we try to do is keep the drivers working somehow on > >>>>> our own, even after the vendors are long gone. If we would deliberately > >>>>> allow breaking drivers because vendor/corporations don't support us, I > >>>>> suspect we would have sevaral broken drivers in upstream. > >>>>> > >>>>>> If Daniel and Hector are responsive to actual problem reports for the > >>>>>> changes they cause, I do think that should count a lot. > >>>>> > >>>>> Sure, but they could also respect to the review comments. I find Arend's > >>>>> proposal is reasonable and that's what I would implement in v2. We > >>>>> (linux-wireless) make abstractions to workaround firmware problems or > >>>>> interface conflicts all the time, just look at ath10k for example. I > >>>>> would not be surprised if we need to add even more abstractions to > >>>>> brcmfmac in the future. And Arend is the expert here, he has best > >>>>> knowledge of Broadcom devices and I trust him. > >>>>> > >>>>> Has anyone even investigated what it would need to implement Arend's > >>>>> proposal? At least I don't see any indication of that. > >>>> > >>>> Of course we can implement it (and we will as we actually got a report > >>>> of this patch breaking Cypress now, finally). > >>>> > >>>> The question was never whether it could be done, we're already doing a > >>>> bunch of abstractions to deal with just the Broadcom-only side of things > >>>> too. The point I was trying to make is that we need to *know* what > >>>> firmware abstractions we need and *why* they are needed. We can't just > >>>> say, for every change, "well, nobody knows if the existing code works or > >>>> not, so let's just add an abstraction just in case the change breaks > >>>> something". As far as anyone involved in the discussions until now could > >>>> tell, this code was just something some Cypress person dumped upstream, > >>>> and nobody involved was being responsive to any of our inquiries, so > >>>> there was no way to be certain it worked at all, whether it was > >>>> supported in public firmware, or anything else. > >>>> > >>>> *Now* that we know the existing code is actually functional and not just > >>>> dead/broken, and that the WSEC approach is conversely not functional on > >>>> the Cypress firmwares, it makes sense to introduce an abstraction. > >>> > >>> Just a quick look in the git history could have told you that it was not > >>> just dumped upstream and at least one person was using it and extended > >>> it for 802.11r support (fast-roaming): > >>> > >>> > >>> author Paweł Drewniak <czajernia@gmail.com> 2021-08-24 23:13:30 +0100 > >>> committer Kalle Valo <kvalo@codeaurora.org> 2021-08-29 11:33:07 +0300 > >>> commit 4b51de063d5310f1fb297388b7955926e63e45c9 (patch) > >>> tree ba2ccb5cbd055d482a8daa263f5e53531c07667f > >>> /drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > >>> parent 81f9ebd43659320a88cae8ed5124c50b4d47ab66 (diff) > >>> download wireless-4b51de063d5310f1fb297388b7955926e63e45c9.tar.gz > >>> brcmfmac: Add WPA3 Personal with FT to supported cipher suites > >>> This allows the driver to connect to BSSIDs supporting SAE with 802.11r. > >>> Tested on Raspberry Pi 4 Model B (STA) and UniFi 6LR/OpenWRT 21.02.0-rc2. > >>> AP was set to 'sae-mixed' (WPA2/3 Personal). > >>> > >>> Signed-off-by: Paweł Drewniak <czajernia@gmail.com> > >>> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> > >>> Link: https://lore.kernel.org/r/20210824221330.3847139-1-czajernia@gmail.com > >> > >> Sure, but we also had user reports of it *not* actually working (maybe > >> it regressed?). We didn't know whether it was functional with the > >> linux-firmware blobs in any way, I wanted confirmation of that. And we > >> also didn't know that the patch *would* break it at all; perhaps the > >> Cypress firmware had also grown support for the WSEC mechanism. > >> > >> That's why I wanted someone to actually confirm the code worked (in some > >> subset of cases) and the patch didn't, before starting to introduce > >> conditionals. There is, of course, also the element that the Cypress > >> side has been long unmaintained, and if nobody is testing/giving > >> feedback/complaining, perhaps it's better to err on the side of maybe > >> breaking something and see if that gets someone to come out of the > >> woodwork if it really breaks, rather than tiptoeing around the code > >> without knowing what's going on and without anyone actually testing things. > > > > That is because you distrust the intent that Cypress was really > > contributing. They were and I trusted them to not just throw in a > > feature like WPA3. When Infineon took over they went mute. Upon > > reviewing your patch (again) I also sent an email to them asking > > specifically about the status of the sae_password interface. I did not > > use the mailing list which indeed bounces these days (hence removed > > them) but the last living soul that I had contact with about a year ago > > whether they were still comitted to be involved. I guess out of > > politeness or embarrassment I got confirmation they were and never heard > > from him again. The query about the sae_password interface is still pending. > > If only corporate acquisition politics didn't repeatedly throw a wrench > into this one... :/ > > This is where we are though, Infineon clearly doesn't care, so it's time > to move on. > > >> It's not about this *specific* patch, it's about the general situation > >> of not being able to touch firmware interfaces "just in case Cypress > >> breaks" being unsustainable in the long term. I wasn't pushing back > >> because I think this particular one will be hard, I was pushing back > >> because I can read the tea leaves and see this is not going to end well > >> if it's the approach we start taking for everything. We *need* someone > >> to be testing patches on Cypress, we can't just "try not to touch it" > >> and cross our fingers. That just ends in disaster, we are not going to > >> succeed in not breaking it either way and it's going to make the driver > >> worse. > > > > I admire you ability of reading tea leaves. You saw the Grim I reckon. > > Admittedly your responses on every comment from my side (or Kalle for > > that matter) was polarizing every discussion. That is common way people > > treat each other nowadays especially online where a conversation is just > > a pile of text going shit. It does not bring out the best in me either, > > but it was draining every ounce of energy from me so better end it by > > stepping out. > > The hilariously outdated kernel development model surely doesn't help > either (I've stated my opinion on this quite a few times if you've > followed around) ;) > > This stuff gets *really* frustrating when you're trying to improve what > is, I hope we can all admit, an undermaintained driver (that is not to > say it's anyone's fault personally), and end up getting held back due to > everything from coding style nitpicks to people not having the time to > be responsive. It's just not helpful. It's important to know when to > step aside and let people actually get stuff done. > > When Daniel started sending me brcmfmac patches downstream, I took a > look at a few of them, decided he knew what he was doing, and just > started pulling in his branches wholesale. Was it perfect? No, I had to > debug at least one regression at one point. But it took me less time to > do that than it would've to go through the commits with a fine toothed > comb, so it was clearly the right decision. > > That is not to say that should be the standard upstream (we make a point > of moving fast and breaking things more downstream, since it's a proving > ground for what eventually will be upstreamed), but I think it does > demonstrate the kind of delegation ability that is sorely lacking in > many drivers and subsystems in the kernel these days. Maintainers become > entrenched in their position, long beyond the point where they have the > time/motivation/ability to drive the code forward, and end up in the way > of new people who are trying to make a difference. I think Linus knows > full well the kernel maintainer community is stagnating. > > That doesn't mean people should step down entirely. But it does mean > they need to recognize when this is happening and, at least, proactively > try to bring new people in, instead of just continuing to play a > gatekeeping role. The role of maintainers should not be that of a wall > people have to climb over to get their changes in, it should be to guide > new contributors and help onboard people who can contribute, as peers > and eventually as future maintainers. > > Kalle, in the other thread you said "this is not fun anymore, this is > more like a business with requirements and demands coming from > everywhere.". That's what it feels like to us when our changes get > rejected because the local vars aren't in reverse Christmas tree order, > or because our commit messages have "v2:" in them. It feels like some > manager is trying to justify their position by creating busywork for > everyone else. Nobody should actually care about any of those things, > and if they do, they need to step back and really ask themselves how > they ended up believing that. If the goal is to enforce a reasonable > shared coding style so things don't spiral into chaos, FFS, let's just > do what every other project does these days and adopt clang-format. Then > *all* of us can stop wasting time on these trivialities and go back to > getting stuff done. And really, nobody cares about commit messages as > long as the tags are right, the subject line is succinct, and the > important information is in there. Extra stuff never hurt anyone. > > > I added the ground work for multi-vendor support, but have not decided > > on the approach to take. Abstract per firmware interface primitive or > > simply have a cfg80211.c and fwil_types.h per vendor OR implement a > > vendor-specific cfg80211 callback and override the default callback > > during the driver attach, ie. in brcmf_fwvid_wcc_attach(). The latter > > duplicates things, but lean towards that as it may be easier on the > > long-term. What do your tea leaves tell you ;-) > > FWIW, I was hoping you'd stay on at least as a reviewer. Your > contributions are valuable. You obviously know the driver and hardware > much better than most people. I encourage you to, at least, post a v2 of > the MAINTAINERS patch with yourself as an R: line. I generally agree with this email, especially that Arend should stay on as a reviewer/maintainer. We need more people as either maintainers/contributors/reviewers/code writers/testers, not less, to delegate, co-maintain, test, merge, make the code more portable to many wifi devices, etc. What really matters at the end of the day I guess is writing the code that works across all the devices and testing it. Which is why I spread awareness about this area, got 100s of responses, especially on Linkedin, there's at least a portion of these that want to help, in good spirits. Is mise le meas/Regards, Eric Curtin > > As far as the actual driver abstraction architecture, I'm going to leave > it to Daniel to decide what makes the most sense, since he's the one > introducing new mechanisms for that already. There's always room for > refactoring later though, depending on the direction things take with > the vendor split. BTW, clang-format also makes refactoring a lot less > painful ;) > > - Hector >
On 12/22/2023 1:03 AM, Neal Gompa wrote: > On Thu, Dec 21, 2023 at 3:40 PM Marcel Holtmann <marcel@holtmann.org> wrote: >> >> Hi Julian, >> >>>>>>>> Using the WSEC command instead of sae_password seems to be the supported >>>>>>>> mechanism on newer firmware, and also how the brcmdhd driver does it. >>>>>>>> >>>>>>>> According to user reports [1], the sae_password codepath doesn't actually >>>>>>>> work on machines with Cypress chips anyway, so no harm in removing it. >>>>>>>> >>>>>>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a support >>>>>>>> patchset [2]. >>>>>>>> >>>>>>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >>>>>>>> [2] http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >>>>>>>> >>>>>>>> Signed-off-by: Hector Martin <marcan@marcan.st> >>>>>>>> Reviewed-by: Neal Gompa <neal@gompa.dev> >>>>>>> >>>>>>> Arend, what do you think? >>>>>>> >>>>>>> We recently talked about people testing brcmfmac patches, has anyone else >>>>>>> tested this? >>>>>> >>>>>> Not sure I already replied so maybe I am repeating myself. I would prefer >>>>>> to keep the Cypress sae_password path as well although it reportedly does >>>>>> not work. The vendor support in the driver can be used to accommodate for >>>>>> that. The other option would be to have people with Cypress chipset test >>>>>> this patch. If that works for both we can consider dropping the >>>>>> sae_password path. >>>>>> >>>>>> Regards, >>>>>> Arend >>>>> >>>>> So, if nobody from Cypress chimes in ever, and nobody cares nor tests >>>>> Cypress chipsets, are we keeping any and all existing Cypress code-paths >>>>> as bitrotting code forever and adding gratuitous conditionals every time >>>>> any functionality needs to change "just in case it breaks Cypress" even >>>>> though it has been tested compatible on Broadcom chipsets/firmware? >>>>> >>>>> Because that's not sustainable long term. >>>> >>>> You should look into WEXT just for the fun of it. If it were up to me >>>> and a bunch of other people that would have been gone decades ago. Maybe >>>> a bad example if the sae_password is indeed not working, but the Cypress >>>> chipset is used in RPi3 and RPi4 so there must be a couple of users. >>> >>> There are reports that WPA3 is broken on the Cypress chipsets the >>> Raspberry Pis are using and this patch fixes it: >>> https://rachelbythebay.com/w/2023/11/06/wpa3/ >>> >>> Based on that, it appears that all known users of WPA3 capable >>> hardware with this driver require this fix. >> >> the Pis are all using an outdated firmware. In their distro they put the >> firmware already under the alternates systems, but it just lacks the SAE >> offload support that is required to make WPA3 work. The linux-firmware >> version does the trick nicely. >> >> I documented what I did to make this work on Pi5 (note that I normally >> use Fedora on Pi4 and thus never encountered this issue) >> >> https://holtmann.dev/enabling-wpa3-on-raspberry-pi/ >> >> However you need to use iwd and not hope that you get a wpa_supplicant >> released version that will work. >> >> So whole game of wpa_supplicant is vendor specific to the company that >> provides the driver is also insane, but that is another story. Use iwd >> and you can most likely have WPA3 support if you have the right firmware. >> > > wpa_supplicant is perfectly fine if the necessary patches are > backported, as Fedora has done: > https://src.fedoraproject.org/rpms/wpa_supplicant/c/99f4bf2096d3976cee01c499d7a30c1376f5f0f7 The brcmfmac firmware has its own 802.11 stack implementation and as such it has a SME running in firmware which means the driver only implements the NL80211_CMD_CONNECT primitive. Now if the firmware also has in-driver supplicant (*-idsup-*) supporting SAE (*-sae-*) it can be offloaded. That is what Cypress went with at least for upstream. For firmware without these in the firmware target string the driver needs to implement support for NL80211_CMD_EXTERNAL_AUTH, which is what we opted for in Broadcom BCA (or WCC-Access as we call it these days). So I don't think it is a fair assessment to call the wpa_supplicant implementation vendor specific. Regards, Arend
On 12/22/2023 6:10 AM, Hector Martin wrote: > > > On 2023/12/21 18:57, Arend van Spriel wrote: >> - SHA-cyfmac-dev-list@infineon.com >> >> On 12/21/2023 1:49 AM, Hector Martin wrote: >>> >>> >>> On 2023/12/21 4:36, Arend van Spriel wrote: >>>> On 12/20/2023 7:14 PM, Hector Martin wrote: >>>>> >>>>> >>>>> On 2023/12/20 19:20, Kalle Valo wrote: >>>>>> Linus Torvalds <torvalds@linux-foundation.org> writes: >>>>>> >>>>>>>> Just recently a patch was posted to remove the Infineon list from >>>>>>>> MAINTAINERS because that company cares so little they have literally >>>>>>>> stopped accepting emails from us. Meanwhile they are telling their >>>>>>>> customers that they do not recommend upstream brcmfmac and they should >>>>>>>> use their downstream driver [1]. >>>>>>> >>>>>>> Unquestionably broadcom is not helping maintain things, and I think it >>>>>>> should matter. >>>>>>> >>>>>>> As Hector says, they point to their random driver dumps on their site >>>>>>> that you can't even download unless you are a "Broadcom community >>>>>>> member" or whatever, and hey - any company that works that way should >>>>>>> be seen as pretty much hostile to any actual maintenance and proper >>>>>>> development. >>>>>> >>>>>> Sadly this is the normal in the wireless world. All vendors focus on the >>>>>> latest generation, currently it's Wi-Fi 7, and lose interest on older >>>>>> generations. And vendors lose focus on the upstream drivers even faster, >>>>>> usually after a customer project ends. >>>>>> >>>>>> So in practise what we try to do is keep the drivers working somehow on >>>>>> our own, even after the vendors are long gone. If we would deliberately >>>>>> allow breaking drivers because vendor/corporations don't support us, I >>>>>> suspect we would have sevaral broken drivers in upstream. >>>>>> >>>>>>> If Daniel and Hector are responsive to actual problem reports for the >>>>>>> changes they cause, I do think that should count a lot. >>>>>> >>>>>> Sure, but they could also respect to the review comments. I find Arend's >>>>>> proposal is reasonable and that's what I would implement in v2. We >>>>>> (linux-wireless) make abstractions to workaround firmware problems or >>>>>> interface conflicts all the time, just look at ath10k for example. I >>>>>> would not be surprised if we need to add even more abstractions to >>>>>> brcmfmac in the future. And Arend is the expert here, he has best >>>>>> knowledge of Broadcom devices and I trust him. >>>>>> >>>>>> Has anyone even investigated what it would need to implement Arend's >>>>>> proposal? At least I don't see any indication of that. >>>>> >>>>> Of course we can implement it (and we will as we actually got a report >>>>> of this patch breaking Cypress now, finally). >>>>> >>>>> The question was never whether it could be done, we're already doing a >>>>> bunch of abstractions to deal with just the Broadcom-only side of things >>>>> too. The point I was trying to make is that we need to *know* what >>>>> firmware abstractions we need and *why* they are needed. We can't just >>>>> say, for every change, "well, nobody knows if the existing code works or >>>>> not, so let's just add an abstraction just in case the change breaks >>>>> something". As far as anyone involved in the discussions until now could >>>>> tell, this code was just something some Cypress person dumped upstream, >>>>> and nobody involved was being responsive to any of our inquiries, so >>>>> there was no way to be certain it worked at all, whether it was >>>>> supported in public firmware, or anything else. >>>>> >>>>> *Now* that we know the existing code is actually functional and not just >>>>> dead/broken, and that the WSEC approach is conversely not functional on >>>>> the Cypress firmwares, it makes sense to introduce an abstraction. >>>> >>>> Just a quick look in the git history could have told you that it was not >>>> just dumped upstream and at least one person was using it and extended >>>> it for 802.11r support (fast-roaming): >>>> >>>> >>>> author Paweł Drewniak <czajernia@gmail.com> 2021-08-24 23:13:30 +0100 >>>> committer Kalle Valo <kvalo@codeaurora.org> 2021-08-29 11:33:07 +0300 >>>> commit 4b51de063d5310f1fb297388b7955926e63e45c9 (patch) >>>> tree ba2ccb5cbd055d482a8daa263f5e53531c07667f >>>> /drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c >>>> parent 81f9ebd43659320a88cae8ed5124c50b4d47ab66 (diff) >>>> download wireless-4b51de063d5310f1fb297388b7955926e63e45c9.tar.gz >>>> brcmfmac: Add WPA3 Personal with FT to supported cipher suites >>>> This allows the driver to connect to BSSIDs supporting SAE with 802.11r. >>>> Tested on Raspberry Pi 4 Model B (STA) and UniFi 6LR/OpenWRT 21.02.0-rc2. >>>> AP was set to 'sae-mixed' (WPA2/3 Personal). >>>> >>>> Signed-off-by: Paweł Drewniak <czajernia@gmail.com> >>>> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> >>>> Link: https://lore.kernel.org/r/20210824221330.3847139-1-czajernia@gmail.com >>> >>> Sure, but we also had user reports of it *not* actually working (maybe >>> it regressed?). We didn't know whether it was functional with the >>> linux-firmware blobs in any way, I wanted confirmation of that. And we >>> also didn't know that the patch *would* break it at all; perhaps the >>> Cypress firmware had also grown support for the WSEC mechanism. >>> >>> That's why I wanted someone to actually confirm the code worked (in some >>> subset of cases) and the patch didn't, before starting to introduce >>> conditionals. There is, of course, also the element that the Cypress >>> side has been long unmaintained, and if nobody is testing/giving >>> feedback/complaining, perhaps it's better to err on the side of maybe >>> breaking something and see if that gets someone to come out of the >>> woodwork if it really breaks, rather than tiptoeing around the code >>> without knowing what's going on and without anyone actually testing things. >> >> That is because you distrust the intent that Cypress was really >> contributing. They were and I trusted them to not just throw in a >> feature like WPA3. When Infineon took over they went mute. Upon >> reviewing your patch (again) I also sent an email to them asking >> specifically about the status of the sae_password interface. I did not >> use the mailing list which indeed bounces these days (hence removed >> them) but the last living soul that I had contact with about a year ago >> whether they were still comitted to be involved. I guess out of >> politeness or embarrassment I got confirmation they were and never heard >> from him again. The query about the sae_password interface is still pending. > > If only corporate acquisition politics didn't repeatedly throw a wrench > into this one... :/ > > This is where we are though, Infineon clearly doesn't care, so it's time > to move on. > >>> It's not about this *specific* patch, it's about the general situation >>> of not being able to touch firmware interfaces "just in case Cypress >>> breaks" being unsustainable in the long term. I wasn't pushing back >>> because I think this particular one will be hard, I was pushing back >>> because I can read the tea leaves and see this is not going to end well >>> if it's the approach we start taking for everything. We *need* someone >>> to be testing patches on Cypress, we can't just "try not to touch it" >>> and cross our fingers. That just ends in disaster, we are not going to >>> succeed in not breaking it either way and it's going to make the driver >>> worse. >> >> I admire you ability of reading tea leaves. You saw the Grim I reckon. >> Admittedly your responses on every comment from my side (or Kalle for >> that matter) was polarizing every discussion. That is common way people >> treat each other nowadays especially online where a conversation is just >> a pile of text going shit. It does not bring out the best in me either, >> but it was draining every ounce of energy from me so better end it by >> stepping out. > > The hilariously outdated kernel development model surely doesn't help > either (I've stated my opinion on this quite a few times if you've > followed around) ;) It is not a fair statement to call the kernel development process outdated. It is a vast code base that needs agreed upon steps to keep it rolling as it is. Attend a plumbers conference or collaboration summit or better become a speaker and vent all your opinions there and have a discussion with community members. They are held yearly and maybe over the past years things have been introduced that give more churn than value and that would be a great topic for discussion. However, it is better left outside of the development workflow. > This stuff gets *really* frustrating when you're trying to improve what > is, I hope we can all admit, an undermaintained driver (that is not to > say it's anyone's fault personally), and end up getting held back due to > everything from coding style nitpicks to people not having the time to > be responsive. It's just not helpful. It's important to know when to > step aside and let people actually get stuff done. > > When Daniel started sending me brcmfmac patches downstream, I took a > look at a few of them, decided he knew what he was doing, and just > started pulling in his branches wholesale. Was it perfect? No, I had to > debug at least one regression at one point. But it took me less time to > do that than it would've to go through the commits with a fine toothed > comb, so it was clearly the right decision. With the patch that started it all I simply had another view based on trusting my peers. Infineon has been pulling away from brcmfmac off the bat, but Cypress was serious enough about the driver not to drop a heap of dung on it. Based on that I felt regressions would be around the corner if we took it as is. > That is not to say that should be the standard upstream (we make a point > of moving fast and breaking things more downstream, since it's a proving > ground for what eventually will be upstreamed), but I think it does > demonstrate the kind of delegation ability that is sorely lacking in > many drivers and subsystems in the kernel these days. Maintainers become > entrenched in their position, long beyond the point where they have the > time/motivation/ability to drive the code forward, and end up in the way > of new people who are trying to make a difference. I think Linus knows > full well the kernel maintainer community is stagnating. > > That doesn't mean people should step down entirely. But it does mean > they need to recognize when this is happening and, at least, proactively > try to bring new people in, instead of just continuing to play a > gatekeeping role. The role of maintainers should not be that of a wall > people have to climb over to get their changes in, it should be to guide > new contributors and help onboard people who can contribute, as peers > and eventually as future maintainers. > > Kalle, in the other thread you said "this is not fun anymore, this is > more like a business with requirements and demands coming from > everywhere.". That's what it feels like to us when our changes get > rejected because the local vars aren't in reverse Christmas tree order, > or because our commit messages have "v2:" in them. It feels like some > manager is trying to justify their position by creating busywork for > everyone else. Nobody should actually care about any of those things, > and if they do, they need to step back and really ask themselves how > they ended up believing that. If the goal is to enforce a reasonable > shared coding style so things don't spiral into chaos, FFS, let's just > do what every other project does these days and adopt clang-format. Then > *all* of us can stop wasting time on these trivialities and go back to > getting stuff done. And really, nobody cares about commit messages as > long as the tags are right, the subject line is succinct, and the > important information is in there. Extra stuff never hurt anyone. https://docs.kernel.org/process/clang-format.html#clangformat Enjoy!! >> I added the ground work for multi-vendor support, but have not decided >> on the approach to take. Abstract per firmware interface primitive or >> simply have a cfg80211.c and fwil_types.h per vendor OR implement a >> vendor-specific cfg80211 callback and override the default callback >> during the driver attach, ie. in brcmf_fwvid_wcc_attach(). The latter >> duplicates things, but lean towards that as it may be easier on the >> long-term. What do your tea leaves tell you ;-) > > FWIW, I was hoping you'd stay on at least as a reviewer. Your > contributions are valuable. You obviously know the driver and hardware > much better than most people. I encourage you to, at least, post a v2 of > the MAINTAINERS patch with yourself as an R: line. > > As far as the actual driver abstraction architecture, I'm going to leave > it to Daniel to decide what makes the most sense, since he's the one > introducing new mechanisms for that already. There's always room for > refactoring later though, depending on the direction things take with > the vendor split. BTW, clang-format also makes refactoring a lot less > painful ;) Refactoring a single driver is not so painful, but rather a nice relaxing puzzle ;-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 2a90bb24ba77..138af70a33b8 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -1687,52 +1687,44 @@ static u16 brcmf_map_fw_linkdown_reason(const struct brcmf_event_msg *e) return reason; } -static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len) +static int brcmf_set_wsec(struct brcmf_if *ifp, const u8 *key, u16 key_len, u16 flags) { struct brcmf_pub *drvr = ifp->drvr; struct brcmf_wsec_pmk_le pmk; int err; + if (key_len > sizeof(pmk.key)) { + bphy_err(drvr, "key must be less than %zu bytes\n", + sizeof(pmk.key)); + return -EINVAL; + } + memset(&pmk, 0, sizeof(pmk)); - /* pass pmk directly */ - pmk.key_len = cpu_to_le16(pmk_len); - pmk.flags = cpu_to_le16(0); - memcpy(pmk.key, pmk_data, pmk_len); + /* pass key material directly */ + pmk.key_len = cpu_to_le16(key_len); + pmk.flags = cpu_to_le16(flags); + memcpy(pmk.key, key, key_len); - /* store psk in firmware */ + /* store key material in firmware */ err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK, &pmk, sizeof(pmk)); if (err < 0) bphy_err(drvr, "failed to change PSK in firmware (len=%u)\n", - pmk_len); + key_len); return err; } +static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len) +{ + return brcmf_set_wsec(ifp, pmk_data, pmk_len, 0); +} + static int brcmf_set_sae_password(struct brcmf_if *ifp, const u8 *pwd_data, u16 pwd_len) { - struct brcmf_pub *drvr = ifp->drvr; - struct brcmf_wsec_sae_pwd_le sae_pwd; - int err; - - if (pwd_len > BRCMF_WSEC_MAX_SAE_PASSWORD_LEN) { - bphy_err(drvr, "sae_password must be less than %d\n", - BRCMF_WSEC_MAX_SAE_PASSWORD_LEN); - return -EINVAL; - } - - sae_pwd.key_len = cpu_to_le16(pwd_len); - memcpy(sae_pwd.key, pwd_data, pwd_len); - - err = brcmf_fil_iovar_data_set(ifp, "sae_password", &sae_pwd, - sizeof(sae_pwd)); - if (err < 0) - bphy_err(drvr, "failed to set SAE password in firmware (len=%u)\n", - pwd_len); - - return err; + return brcmf_set_wsec(ifp, pwd_data, pwd_len, BRCMF_WSEC_PASSPHRASE); } static void brcmf_link_down(struct brcmf_cfg80211_vif *vif, u16 reason, diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h index 611d1a6aabb9..b68c46caabe8 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h @@ -584,7 +584,7 @@ struct brcmf_wsec_key_le { struct brcmf_wsec_pmk_le { __le16 key_len; __le16 flags; - u8 key[2 * BRCMF_WSEC_MAX_PSK_LEN + 1]; + u8 key[BRCMF_WSEC_MAX_SAE_PASSWORD_LEN]; }; /**