wpa_supplicant/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch

From 6d24673ab89d9002990ee51e7c87d308ca07cd01 Mon Sep 17 00:00:00 2001
Message-ID: <6d24673ab89d9002990ee51e7c87d308ca07cd01.1706279162.git.davide.caratti@gmail.com>
From: Emeel Hakim <ehakim@nvidia.com>
Date: Tue, 14 Feb 2023 10:26:56 +0200
Subject: [PATCH] mka: Allow configuration of MACsec hardware offload

Add new configuration parameter macsec_offload to allow user to set up
MACsec hardware offload feature.

Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
---
 hostapd/config_file.c              | 10 ++++++++++
 hostapd/hostapd.conf               |  8 ++++++++
 src/ap/ap_config.h                 | 13 +++++++++++++
 src/ap/wpa_auth_kay.c              |  1 +
 src/drivers/driver.h               | 10 ++++++++++
 src/pae/ieee802_1x_cp.c            |  7 +++++++
 src/pae/ieee802_1x_kay.c           |  7 +++++--
 src/pae/ieee802_1x_kay.h           |  6 ++++--
 src/pae/ieee802_1x_secy_ops.c      | 20 ++++++++++++++++++++
 src/pae/ieee802_1x_secy_ops.h      |  1 +
 wpa_supplicant/config.c            |  1 +
 wpa_supplicant/config_file.c       |  1 +
 wpa_supplicant/config_ssid.h       | 12 ++++++++++++
 wpa_supplicant/driver_i.h          |  8 ++++++++
 wpa_supplicant/wpa_cli.c           |  1 +
 wpa_supplicant/wpa_supplicant.conf |  9 +++++++++
 wpa_supplicant/wpas_kay.c          | 10 +++++++++-
 17 files changed, 120 insertions(+), 5 deletions(-)

--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -833,6 +833,19 @@ struct hostapd_bss_config {
 	u32 macsec_replay_window;
 
 	/**
+	 * macsec_offload - Enable MACsec offload
+	 *
+	 * This setting applies only when MACsec is in use, i.e.,
+	 *  - macsec_policy is enabled
+	 *  - the key server has decided to enable MACsec
+	 *
+	 * 0 = MACSEC_OFFLOAD_OFF (default)
+	 * 1 = MACSEC_OFFLOAD_PHY
+	 * 2 = MACSEC_OFFLOAD_MAC
+	 */
+	int macsec_offload;
+
+	/**
 	 * macsec_port - MACsec port (in SCI)
 	 *
 	 * Port component of the SCI.
--- a/src/ap/wpa_auth_kay.c
+++ b/src/ap/wpa_auth_kay.c
@@ -328,6 +328,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct
 	res = ieee802_1x_kay_init(kay_ctx, policy,
 				  hapd->conf->macsec_replay_protect,
 				  hapd->conf->macsec_replay_window,
+				  hapd->conf->macsec_offload,
 				  hapd->conf->macsec_port,
 				  hapd->conf->mka_priority,
 				  hapd->conf->macsec_csindex,
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
@@ -4168,6 +4168,16 @@ struct wpa_driver_ops {
 	int (*set_replay_protect)(void *priv, bool enabled, u32 window);
 
 	/**
+	 * set_offload - Set MACsec hardware offload
+	 * @priv: Private driver interface data
+	 * @offload: 0 = MACSEC_OFFLOAD_OFF
+	 *           1 = MACSEC_OFFLOAD_PHY
+	 *           2 = MACSEC_OFFLOAD_MAC
+	 * Returns: 0 on success, -1 on failure (or if not supported)
+	 */
+	int (*set_offload)(void *priv, u8 offload);
+
+	/**
 	 * set_current_cipher_suite - Set current cipher suite
 	 * @priv: Private driver interface data
 	 * @cs: EUI64 identifier
--- a/src/pae/ieee802_1x_cp.c
+++ b/src/pae/ieee802_1x_cp.c
@@ -84,6 +84,7 @@ struct ieee802_1x_cp_sm {
 
 	/* not defined IEEE Std 802.1X-2010 */
 	struct ieee802_1x_kay *kay;
+	u8 offload;
 };
 
 static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,
@@ -188,6 +189,7 @@ SM_STATE(CP, AUTHENTICATED)
 	sm->protect_frames = false;
 	sm->replay_protect = false;
 	sm->validate_frames = Checked;
+	sm->offload = sm->kay->macsec_offload;
 
 	sm->port_valid = false;
 	sm->controlled_port_enabled = true;
@@ -197,6 +199,7 @@ SM_STATE(CP, AUTHENTICATED)
 	secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
 	secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
 	secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
+	secy_cp_control_offload(sm->kay, sm->offload);
 }
 
 
@@ -208,6 +211,7 @@ SM_STATE(CP, SECURED)
 
 	sm->protect_frames = sm->kay->macsec_protect;
 	sm->replay_protect = sm->kay->macsec_replay_protect;
+	sm->offload = sm->kay->macsec_offload;
 	sm->validate_frames = sm->kay->macsec_validate;
 
 	sm->current_cipher_suite = sm->cipher_suite;
@@ -223,6 +227,7 @@ SM_STATE(CP, SECURED)
 	secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
 	secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
 	secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
+	secy_cp_control_offload(sm->kay, sm->offload);
 }
 
 
@@ -462,6 +467,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
 	sm->validate_frames = kay->macsec_validate;
 	sm->replay_protect = kay->macsec_replay_protect;
 	sm->replay_window = kay->macsec_replay_window;
+	sm->offload = kay->macsec_offload;
 
 	sm->controlled_port_enabled = false;
 
@@ -491,6 +497,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
 	secy_cp_control_confidentiality_offset(sm->kay,
 					       sm->confidentiality_offset);
 	secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
+	secy_cp_control_offload(sm->kay, sm->offload);
 
 	SM_STEP_RUN(CP);
 
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -3464,8 +3464,8 @@ static void kay_l2_receive(void *ctx, co
 struct ieee802_1x_kay *
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 		    bool macsec_replay_protect, u32 macsec_replay_window,
-		    u16 port, u8 priority, u32 macsec_csindex,
-		    const char *ifname, const u8 *addr)
+		    u8 macsec_offload, u16 port, u8 priority,
+		    u32 macsec_csindex, const char *ifname, const u8 *addr)
 {
 	struct ieee802_1x_kay *kay;
 
@@ -3524,6 +3524,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
 		kay->macsec_validate = Disabled;
 		kay->macsec_replay_protect = false;
 		kay->macsec_replay_window = 0;
+		kay->macsec_offload = 0;
 		kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
 		kay->mka_hello_time = MKA_HELLO_TIME;
 	} else {
@@ -3540,6 +3541,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
 		kay->macsec_validate = Strict;
 		kay->macsec_replay_protect = macsec_replay_protect;
 		kay->macsec_replay_window = macsec_replay_window;
+		kay->macsec_offload = macsec_offload;
 		kay->mka_hello_time = MKA_HELLO_TIME;
 	}
 
@@ -3740,6 +3742,7 @@ ieee802_1x_kay_create_mka(struct ieee802
 	secy_cp_control_protect_frames(kay, kay->macsec_protect);
 	secy_cp_control_replay(kay, kay->macsec_replay_protect,
 			       kay->macsec_replay_window);
+	secy_cp_control_offload(kay, kay->macsec_offload);
 	if (secy_create_transmit_sc(kay, participant->txsc))
 		goto fail;
 
--- a/src/pae/ieee802_1x_kay.h
+++ b/src/pae/ieee802_1x_kay.h
@@ -166,6 +166,7 @@ struct ieee802_1x_kay_ctx {
 	int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
 	int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
 	int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
+	int (*set_offload)(void *ctx, u8 offload);
 };
 
 struct ieee802_1x_kay {
@@ -206,6 +207,7 @@ struct ieee802_1x_kay {
 	bool is_key_server;
 	bool is_obliged_key_server;
 	char if_name[IFNAMSIZ];
+	u8 macsec_offload;
 
 	unsigned int macsec_csindex;  /* MACsec cipher suite table index */
 	int mka_algindex;  /* MKA alg table index */
@@ -240,8 +242,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc
 struct ieee802_1x_kay *
 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
 		    bool macsec_replay_protect, u32 macsec_replay_window,
-		    u16 port, u8 priority, u32 macsec_csindex,
-		    const char *ifname, const u8 *addr);
+		    u8 macsec_offload, u16 port, u8 priority,
+		    u32 macsec_csindex, const char *ifname, const u8 *addr);
 void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
 
 struct ieee802_1x_mka_participant *
--- a/src/pae/ieee802_1x_secy_ops.c
+++ b/src/pae/ieee802_1x_secy_ops.c
@@ -85,6 +85,26 @@ int secy_cp_control_replay(struct ieee80
 }
 
 
+int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload)
+{
+	struct ieee802_1x_kay_ctx *ops;
+
+	if (!kay) {
+		wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
+		return -1;
+	}
+
+	ops = kay->ctx;
+	if (!ops || !ops->set_offload) {
+		wpa_printf(MSG_ERROR,
+			   "KaY: secy set_offload operation not supported");
+		return -1;
+	}
+
+	return ops->set_offload(ops->ctx, offload);
+}
+
+
 int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
 {
 	struct ieee802_1x_kay_ctx *ops;
--- a/src/pae/ieee802_1x_secy_ops.h
+++ b/src/pae/ieee802_1x_secy_ops.h
@@ -23,6 +23,7 @@ int secy_cp_control_validate_frames(stru
 int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, bool flag);
 int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, bool enabled);
 int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool flag, u32 win);
+int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload);
 int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
 int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
 					   enum confidentiality_offset co);
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2610,6 +2610,7 @@ static const struct parse_data ssid_fiel
 	{ INT_RANGE(macsec_integ_only, 0, 1) },
 	{ INT_RANGE(macsec_replay_protect, 0, 1) },
 	{ INT(macsec_replay_window) },
+	{ INT_RANGE(macsec_offload, 0, 2) },
 	{ INT_RANGE(macsec_port, 1, 65534) },
 	{ INT_RANGE(mka_priority, 0, 255) },
 	{ INT_RANGE(macsec_csindex, 0, 1) },
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -808,6 +808,7 @@ static void wpa_config_write_network(FIL
 	INT(macsec_integ_only);
 	INT(macsec_replay_protect);
 	INT(macsec_replay_window);
+	INT(macsec_offload);
 	INT(macsec_port);
 	INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
 	INT(macsec_csindex);
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -896,6 +896,18 @@ struct wpa_ssid {
 	u32 macsec_replay_window;
 
 	/**
+	 * macsec_offload - Enable MACsec hardware offload
+	 *
+	 * This setting applies only when MACsec is in use, i.e.,
+	 *  - the key server has decided to enable MACsec
+	 *
+	 * 0 = MACSEC_OFFLOAD_OFF (default)
+	 * 1 = MACSEC_OFFLOAD_PHY
+	 * 2 = MACSEC_OFFLOAD_MAC
+	 */
+	int macsec_offload;
+
+	/**
 	 * macsec_port - MACsec port (in SCI)
 	 *
 	 * Port component of the SCI.
--- a/wpa_supplicant/driver_i.h
+++ b/wpa_supplicant/driver_i.h
@@ -804,6 +804,14 @@ static inline int wpa_drv_set_replay_pro
 						 window);
 }
 
+static inline int wpa_drv_set_offload(struct wpa_supplicant *wpa_s, u8 offload)
+{
+	if (!wpa_s->driver->set_offload)
+		return -1;
+	return wpa_s->driver->set_offload(wpa_s->drv_priv, offload);
+
+}
+
 static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
 						   u64 cs)
 {
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1473,6 +1473,7 @@ static const char *network_fields[] = {
 	"macsec_integ_only",
 	"macsec_replay_protect",
 	"macsec_replay_window",
+	"macsec_offload",
 	"macsec_port",
 	"mka_priority",
 #endif /* CONFIG_MACSEC */
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1094,6 +1094,15 @@ fast_reauth=1
 # 0: No replay window, strict check (default)
 # 1..2^32-1: number of packets that could be misordered
 #
+# macsec_offload - Enable MACsec hardware offload
+#
+# This setting applies only when MACsec is in use, i.e.,
+#  - the key server has decided to enable MACsec
+#
+# 0 = MACSEC_OFFLOAD_OFF (default)
+# 1 = MACSEC_OFFLOAD_PHY
+# 2 = MACSEC_OFFLOAD_MAC
+#
 # macsec_port: IEEE 802.1X/MACsec port
 # Port component of the SCI
 # Range: 1-65534 (default: 1)
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -98,6 +98,12 @@ static int wpas_set_receive_lowest_pn(vo
 }
 
 
+static int wpas_set_offload(void *wpa_s, u8 offload)
+{
+	return wpa_drv_set_offload(wpa_s, offload);
+}
+
+
 static unsigned int conf_offset_val(enum confidentiality_offset co)
 {
 	switch (co) {
@@ -220,6 +226,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
 	kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
 	kay_ctx->enable_encrypt = wpas_enable_encrypt;
 	kay_ctx->set_replay_protect = wpas_set_replay_protect;
+	kay_ctx->set_offload = wpas_set_offload;
 	kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
 	kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
 	kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;
@@ -240,7 +247,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
 	kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
 
 	res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
-				  ssid->macsec_replay_window, ssid->macsec_port,
+				  ssid->macsec_replay_window,
+				  ssid->macsec_offload, ssid->macsec_port,
 				  ssid->mka_priority, ssid->macsec_csindex,
 				  wpa_s->ifname, wpa_s->own_addr);
 	/* ieee802_1x_kay_init() frees kay_ctx on failure */
align package configuration to RHEL - fix build configuration (keeping CONFIG_IPV6 enabled) - add RHEL patches for legacy renegotiation - add RHEL patches for handling disabled WEP - backport support for macsec HW offload - backport hardening fix for PEAP client - remove fedora patches we don't want - add gating configuration (same as c9s) Resolves: RHEL-43250 Signed-off-by: Davide Caratti <dcaratti@redhat.com> 2024-06-18 16:42:13 +00:00			`From 6d24673ab89d9002990ee51e7c87d308ca07cd01 Mon Sep 17 00:00:00 2001`
			`Message-ID: <6d24673ab89d9002990ee51e7c87d308ca07cd01.1706279162.git.davide.caratti@gmail.com>`
			`From: Emeel Hakim <ehakim@nvidia.com>`
			`Date: Tue, 14 Feb 2023 10:26:56 +0200`
			`Subject: [PATCH] mka: Allow configuration of MACsec hardware offload`

			`Add new configuration parameter macsec_offload to allow user to set up`
			`MACsec hardware offload feature.`

			`Signed-off-by: Emeel Hakim <ehakim@nvidia.com>`
			`---`
			`hostapd/config_file.c \| 10 ++++++++++`
			`hostapd/hostapd.conf \| 8 ++++++++`
			`src/ap/ap_config.h \| 13 +++++++++++++`
			`src/ap/wpa_auth_kay.c \| 1 +`
			`src/drivers/driver.h \| 10 ++++++++++`
			`src/pae/ieee802_1x_cp.c \| 7 +++++++`
			`src/pae/ieee802_1x_kay.c \| 7 +++++--`
			`src/pae/ieee802_1x_kay.h \| 6 ++++--`
			`src/pae/ieee802_1x_secy_ops.c \| 20 ++++++++++++++++++++`
			`src/pae/ieee802_1x_secy_ops.h \| 1 +`
			`wpa_supplicant/config.c \| 1 +`
			`wpa_supplicant/config_file.c \| 1 +`
			`wpa_supplicant/config_ssid.h \| 12 ++++++++++++`
			`wpa_supplicant/driver_i.h \| 8 ++++++++`
			`wpa_supplicant/wpa_cli.c \| 1 +`
			`wpa_supplicant/wpa_supplicant.conf \| 9 +++++++++`
			`wpa_supplicant/wpas_kay.c \| 10 +++++++++-`
			`17 files changed, 120 insertions(+), 5 deletions(-)`

			`--- a/src/ap/ap_config.h`
			`+++ b/src/ap/ap_config.h`
			`@@ -833,6 +833,19 @@ struct hostapd_bss_config {`
			`u32 macsec_replay_window;`

			`/**`
			`+ * macsec_offload - Enable MACsec offload`
			`+ *`
			`+ * This setting applies only when MACsec is in use, i.e.,`
			`+ * - macsec_policy is enabled`
			`+ * - the key server has decided to enable MACsec`
			`+ *`
			`+ * 0 = MACSEC_OFFLOAD_OFF (default)`
			`+ * 1 = MACSEC_OFFLOAD_PHY`
			`+ * 2 = MACSEC_OFFLOAD_MAC`
			`+ */`
			`+ int macsec_offload;`
			`+`
			`+ /**`
			`* macsec_port - MACsec port (in SCI)`
			`*`
			`* Port component of the SCI.`
			`--- a/src/ap/wpa_auth_kay.c`
			`+++ b/src/ap/wpa_auth_kay.c`
			`@@ -328,6 +328,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct`
			`res = ieee802_1x_kay_init(kay_ctx, policy,`
			`hapd->conf->macsec_replay_protect,`
			`hapd->conf->macsec_replay_window,`
			`+ hapd->conf->macsec_offload,`
			`hapd->conf->macsec_port,`
			`hapd->conf->mka_priority,`
			`hapd->conf->macsec_csindex,`
			`--- a/src/drivers/driver.h`
			`+++ b/src/drivers/driver.h`
			`@@ -4168,6 +4168,16 @@ struct wpa_driver_ops {`
			`int (set_replay_protect)(void priv, bool enabled, u32 window);`

			`/**`
			`+ * set_offload - Set MACsec hardware offload`
			`+ * @priv: Private driver interface data`
			`+ * @offload: 0 = MACSEC_OFFLOAD_OFF`
			`+ * 1 = MACSEC_OFFLOAD_PHY`
			`+ * 2 = MACSEC_OFFLOAD_MAC`
			`+ * Returns: 0 on success, -1 on failure (or if not supported)`
			`+ */`
			`+ int (set_offload)(void priv, u8 offload);`
			`+`
			`+ /**`
			`* set_current_cipher_suite - Set current cipher suite`
			`* @priv: Private driver interface data`
			`* @cs: EUI64 identifier`
			`--- a/src/pae/ieee802_1x_cp.c`
			`+++ b/src/pae/ieee802_1x_cp.c`
			`@@ -84,6 +84,7 @@ struct ieee802_1x_cp_sm {`

			`/* not defined IEEE Std 802.1X-2010 */`
			`struct ieee802_1x_kay *kay;`
			`+ u8 offload;`
			`};`

			`static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,`
			`@@ -188,6 +189,7 @@ SM_STATE(CP, AUTHENTICATED)`
			`sm->protect_frames = false;`
			`sm->replay_protect = false;`
			`sm->validate_frames = Checked;`
			`+ sm->offload = sm->kay->macsec_offload;`

			`sm->port_valid = false;`
			`sm->controlled_port_enabled = true;`
			`@@ -197,6 +199,7 @@ SM_STATE(CP, AUTHENTICATED)`
			`secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);`
			`secy_cp_control_validate_frames(sm->kay, sm->validate_frames);`
			`secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);`
			`+ secy_cp_control_offload(sm->kay, sm->offload);`
			`}`


			`@@ -208,6 +211,7 @@ SM_STATE(CP, SECURED)`

			`sm->protect_frames = sm->kay->macsec_protect;`
			`sm->replay_protect = sm->kay->macsec_replay_protect;`
			`+ sm->offload = sm->kay->macsec_offload;`
			`sm->validate_frames = sm->kay->macsec_validate;`

			`sm->current_cipher_suite = sm->cipher_suite;`
			`@@ -223,6 +227,7 @@ SM_STATE(CP, SECURED)`
			`secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);`
			`secy_cp_control_validate_frames(sm->kay, sm->validate_frames);`
			`secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);`
			`+ secy_cp_control_offload(sm->kay, sm->offload);`
			`}`


			`@@ -462,6 +467,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_`
			`sm->validate_frames = kay->macsec_validate;`
			`sm->replay_protect = kay->macsec_replay_protect;`
			`sm->replay_window = kay->macsec_replay_window;`
			`+ sm->offload = kay->macsec_offload;`

			`sm->controlled_port_enabled = false;`

			`@@ -491,6 +497,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_`
			`secy_cp_control_confidentiality_offset(sm->kay,`
			`sm->confidentiality_offset);`
			`secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);`
			`+ secy_cp_control_offload(sm->kay, sm->offload);`

			`SM_STEP_RUN(CP);`

			`--- a/src/pae/ieee802_1x_kay.c`
			`+++ b/src/pae/ieee802_1x_kay.c`
			`@@ -3464,8 +3464,8 @@ static void kay_l2_receive(void *ctx, co`
			`struct ieee802_1x_kay *`
			`ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,`
			`bool macsec_replay_protect, u32 macsec_replay_window,`
			`- u16 port, u8 priority, u32 macsec_csindex,`
			`- const char ifname, const u8 addr)`
			`+ u8 macsec_offload, u16 port, u8 priority,`
			`+ u32 macsec_csindex, const char ifname, const u8 addr)`
			`{`
			`struct ieee802_1x_kay *kay;`

			`@@ -3524,6 +3524,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka`
			`kay->macsec_validate = Disabled;`
			`kay->macsec_replay_protect = false;`
			`kay->macsec_replay_window = 0;`
			`+ kay->macsec_offload = 0;`
			`kay->macsec_confidentiality = CONFIDENTIALITY_NONE;`
			`kay->mka_hello_time = MKA_HELLO_TIME;`
			`} else {`
			`@@ -3540,6 +3541,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka`
			`kay->macsec_validate = Strict;`
			`kay->macsec_replay_protect = macsec_replay_protect;`
			`kay->macsec_replay_window = macsec_replay_window;`
			`+ kay->macsec_offload = macsec_offload;`
			`kay->mka_hello_time = MKA_HELLO_TIME;`
			`}`

			`@@ -3740,6 +3742,7 @@ ieee802_1x_kay_create_mka(struct ieee802`
			`secy_cp_control_protect_frames(kay, kay->macsec_protect);`
			`secy_cp_control_replay(kay, kay->macsec_replay_protect,`
			`kay->macsec_replay_window);`
			`+ secy_cp_control_offload(kay, kay->macsec_offload);`
			`if (secy_create_transmit_sc(kay, participant->txsc))`
			`goto fail;`

			`--- a/src/pae/ieee802_1x_kay.h`
			`+++ b/src/pae/ieee802_1x_kay.h`
			`@@ -166,6 +166,7 @@ struct ieee802_1x_kay_ctx {`
			`int (delete_transmit_sa)(void ctx, struct transmit_sa *sa);`
			`int (enable_transmit_sa)(void ctx, struct transmit_sa *sa);`
			`int (disable_transmit_sa)(void ctx, struct transmit_sa *sa);`
			`+ int (set_offload)(void ctx, u8 offload);`
			`};`

			`struct ieee802_1x_kay {`
			`@@ -206,6 +207,7 @@ struct ieee802_1x_kay {`
			`bool is_key_server;`
			`bool is_obliged_key_server;`
			`char if_name[IFNAMSIZ];`
			`+ u8 macsec_offload;`

			`unsigned int macsec_csindex; /* MACsec cipher suite table index */`
			`int mka_algindex; /* MKA alg table index */`
			`@@ -240,8 +242,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc`
			`struct ieee802_1x_kay *`
			`ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,`
			`bool macsec_replay_protect, u32 macsec_replay_window,`
			`- u16 port, u8 priority, u32 macsec_csindex,`
			`- const char ifname, const u8 addr);`
			`+ u8 macsec_offload, u16 port, u8 priority,`
			`+ u32 macsec_csindex, const char ifname, const u8 addr);`
			`void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);`

			`struct ieee802_1x_mka_participant *`
			`--- a/src/pae/ieee802_1x_secy_ops.c`
			`+++ b/src/pae/ieee802_1x_secy_ops.c`
			`@@ -85,6 +85,26 @@ int secy_cp_control_replay(struct ieee80`
			`}`


			`+int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload)`
			`+{`
			`+ struct ieee802_1x_kay_ctx *ops;`
			`+`
			`+ if (!kay) {`
			`+ wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);`
			`+ return -1;`
			`+ }`
			`+`
			`+ ops = kay->ctx;`
			`+ if (!ops \|\| !ops->set_offload) {`
			`+ wpa_printf(MSG_ERROR,`
			`+ "KaY: secy set_offload operation not supported");`
			`+ return -1;`
			`+ }`
			`+`
			`+ return ops->set_offload(ops->ctx, offload);`
			`+}`
			`+`
			`+`
			`int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)`
			`{`
			`struct ieee802_1x_kay_ctx *ops;`
			`--- a/src/pae/ieee802_1x_secy_ops.h`
			`+++ b/src/pae/ieee802_1x_secy_ops.h`
			`@@ -23,6 +23,7 @@ int secy_cp_control_validate_frames(stru`
			`int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, bool flag);`
			`int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, bool enabled);`
			`int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool flag, u32 win);`
			`+int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload);`
			`int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);`
			`int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,`
			`enum confidentiality_offset co);`
			`--- a/wpa_supplicant/config.c`
			`+++ b/wpa_supplicant/config.c`
			`@@ -2610,6 +2610,7 @@ static const struct parse_data ssid_fiel`
			`{ INT_RANGE(macsec_integ_only, 0, 1) },`
			`{ INT_RANGE(macsec_replay_protect, 0, 1) },`
			`{ INT(macsec_replay_window) },`
			`+ { INT_RANGE(macsec_offload, 0, 2) },`
			`{ INT_RANGE(macsec_port, 1, 65534) },`
			`{ INT_RANGE(mka_priority, 0, 255) },`
			`{ INT_RANGE(macsec_csindex, 0, 1) },`
			`--- a/wpa_supplicant/config_file.c`
			`+++ b/wpa_supplicant/config_file.c`
			`@@ -808,6 +808,7 @@ static void wpa_config_write_network(FIL`
			`INT(macsec_integ_only);`
			`INT(macsec_replay_protect);`
			`INT(macsec_replay_window);`
			`+ INT(macsec_offload);`
			`INT(macsec_port);`
			`INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);`
			`INT(macsec_csindex);`
			`--- a/wpa_supplicant/config_ssid.h`
			`+++ b/wpa_supplicant/config_ssid.h`
			`@@ -896,6 +896,18 @@ struct wpa_ssid {`
			`u32 macsec_replay_window;`

			`/**`
			`+ * macsec_offload - Enable MACsec hardware offload`
			`+ *`
			`+ * This setting applies only when MACsec is in use, i.e.,`
			`+ * - the key server has decided to enable MACsec`
			`+ *`
			`+ * 0 = MACSEC_OFFLOAD_OFF (default)`
			`+ * 1 = MACSEC_OFFLOAD_PHY`
			`+ * 2 = MACSEC_OFFLOAD_MAC`
			`+ */`
			`+ int macsec_offload;`
			`+`
			`+ /**`
			`* macsec_port - MACsec port (in SCI)`
			`*`
			`* Port component of the SCI.`
			`--- a/wpa_supplicant/driver_i.h`
			`+++ b/wpa_supplicant/driver_i.h`
			`@@ -804,6 +804,14 @@ static inline int wpa_drv_set_replay_pro`
			`window);`
			`}`

			`+static inline int wpa_drv_set_offload(struct wpa_supplicant *wpa_s, u8 offload)`
			`+{`
			`+ if (!wpa_s->driver->set_offload)`
			`+ return -1;`
			`+ return wpa_s->driver->set_offload(wpa_s->drv_priv, offload);`
			`+`
			`+}`
			`+`
			`static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,`
			`u64 cs)`
			`{`
			`--- a/wpa_supplicant/wpa_cli.c`
			`+++ b/wpa_supplicant/wpa_cli.c`
			`@@ -1473,6 +1473,7 @@ static const char *network_fields[] = {`
			`"macsec_integ_only",`
			`"macsec_replay_protect",`
			`"macsec_replay_window",`
			`+ "macsec_offload",`
			`"macsec_port",`
			`"mka_priority",`
			`#endif /* CONFIG_MACSEC */`
			`--- a/wpa_supplicant/wpa_supplicant.conf`
			`+++ b/wpa_supplicant/wpa_supplicant.conf`
			`@@ -1094,6 +1094,15 @@ fast_reauth=1`
			`# 0: No replay window, strict check (default)`
			`# 1..2^32-1: number of packets that could be misordered`
			`#`
			`+# macsec_offload - Enable MACsec hardware offload`
			`+#`
			`+# This setting applies only when MACsec is in use, i.e.,`
			`+# - the key server has decided to enable MACsec`
			`+#`
			`+# 0 = MACSEC_OFFLOAD_OFF (default)`
			`+# 1 = MACSEC_OFFLOAD_PHY`
			`+# 2 = MACSEC_OFFLOAD_MAC`
			`+#`
			`# macsec_port: IEEE 802.1X/MACsec port`
			`# Port component of the SCI`
			`# Range: 1-65534 (default: 1)`
			`--- a/wpa_supplicant/wpas_kay.c`
			`+++ b/wpa_supplicant/wpas_kay.c`
			`@@ -98,6 +98,12 @@ static int wpas_set_receive_lowest_pn(vo`
			`}`


			`+static int wpas_set_offload(void *wpa_s, u8 offload)`
			`+{`
			`+ return wpa_drv_set_offload(wpa_s, offload);`
			`+}`
			`+`
			`+`
			`static unsigned int conf_offset_val(enum confidentiality_offset co)`
			`{`
			`switch (co) {`
			`@@ -220,6 +226,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s`
			`kay_ctx->enable_protect_frames = wpas_enable_protect_frames;`
			`kay_ctx->enable_encrypt = wpas_enable_encrypt;`
			`kay_ctx->set_replay_protect = wpas_set_replay_protect;`
			`+ kay_ctx->set_offload = wpas_set_offload;`
			`kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;`
			`kay_ctx->enable_controlled_port = wpas_enable_controlled_port;`
			`kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;`
			`@@ -240,7 +247,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s`
			`kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;`

			`res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,`
			`- ssid->macsec_replay_window, ssid->macsec_port,`
			`+ ssid->macsec_replay_window,`
			`+ ssid->macsec_offload, ssid->macsec_port,`
			`ssid->mka_priority, ssid->macsec_csindex,`
			`wpa_s->ifname, wpa_s->own_addr);`
			`/* ieee802_1x_kay_init() frees kay_ctx on failure */`