Enable support for IWD in NM and kernel #1258

Closed
jprestwo opened this issue Sep 20, 2019 · 10 comments

@jprestwo

The IWD package was added to clear recently, but in order for it to work with NetworkManager, NM must be built using the --with-iwd flag. This will not enable IWD as the default wifi daemon; the user will still need to set the wifi backend in NetworkManager.conf.

For 'full' IWD support the kernel also requires some additional features:

CONFIG_CRYPTO_USER_API_SKCIPHER
CONFIG_CRYPTO_USER_API_AEAD
CONFIG_CRYPTO_USER_API_HASH
CONFIG_CRYPTO_RSA
CONFIG_CRYPTO_AES_X86_64
CONFIG_CRYPTO_AES_NI_INTEL
CONFIG_CRYPTO_MD4
CONFIG_CRYPTO_SHA1_SSSE3
CONFIG_CRYPTO_SHA256_SSSE3
CONFIG_CRYPTO_SHA512_SSSE3
CONFIG_CRYPTO_ECB
CONFIG_CRYPTO_CMAC
CONFIG_CRYPTO_DES
CONFIG_CRYPTO_DES3_EDE_X86_64
CONFIG_CRYPTO_ARC4
CONFIG_KEY_DH_OPERATIONS
CONFIG_ASYMMETRIC_KEY_TYPE
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
CONFIG_X509_CERTIFICATE_PARSER
CONFIG_PKCS7_MESSAGE_PARSER
CONFIG_PKCS8_PRIVATE_KEY_PARSER

Some of these may already be enabled in clear; this is just IWD's complete list of required kernel features. This will enable IWD features such as WPS and Enterprise networks, among others.
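Added example, not part of the original post or of the IWD project: a POSIX shell check that reads a kernel config on stdin and reports which of the options listed above are neither built in (`=y`) nor available as a module (`=m`). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: option names are copied from the list in the post above;
# function names and the sample config are constructed for illustration.

IWD_KCONFIG="
CONFIG_CRYPTO_USER_API_SKCIPHER CONFIG_CRYPTO_USER_API_AEAD
CONFIG_CRYPTO_USER_API_HASH CONFIG_CRYPTO_RSA CONFIG_CRYPTO_AES_X86_64
CONFIG_CRYPTO_AES_NI_INTEL CONFIG_CRYPTO_MD4 CONFIG_CRYPTO_SHA1_SSSE3
CONFIG_CRYPTO_SHA256_SSSE3 CONFIG_CRYPTO_SHA512_SSSE3 CONFIG_CRYPTO_ECB
CONFIG_CRYPTO_CMAC CONFIG_CRYPTO_DES CONFIG_CRYPTO_DES3_EDE_X86_64
CONFIG_CRYPTO_ARC4 CONFIG_KEY_DH_OPERATIONS CONFIG_ASYMMETRIC_KEY_TYPE
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE CONFIG_X509_CERTIFICATE_PARSER
CONFIG_PKCS7_MESSAGE_PARSER CONFIG_PKCS8_PRIVATE_KEY_PARSER
"

# Read a kernel config on stdin; print each required option that is neither
# built in (=y) nor a module (=m). "# CONFIG_X is not set" and absent lines
# both count as missing. The anchored match keeps CONFIG_CRYPTO_DES from
# being satisfied by CONFIG_CRYPTO_DES3_EDE_X86_64=y.
missing_iwd_options() {
    cfg=$(cat)
    for opt in $IWD_KCONFIG; do
        printf '%s\n' "$cfg" | grep -Eq "^${opt}=[ym]\$" ||
            printf '%s\n' "$opt"
    done
}

# Constructed sample, not a real Clear Linux config: one option disabled,
# one built as a module, everything else built in.
sample_config() {
    for opt in $IWD_KCONFIG; do
        case $opt in
            CONFIG_CRYPTO_USER_API_AEAD) printf '# %s is not set\n' "$opt" ;;
            CONFIG_PKCS8_PRIVATE_KEY_PARSER) printf '%s=m\n' "$opt" ;;
            *) printf '%s=y\n' "$opt" ;;
        esac
    done
}

# On a real system, feed the running kernel's config instead, e.g.
#   zcat /proc/config.gz | missing_iwd_options   (needs CONFIG_IKCONFIG_PROC)
sample_config | missing_iwd_options   # prints CONFIG_CRYPTO_USER_API_AEAD
```

An option built as a module still has to be loadable at run time, so a clean result here means the feature is available, not that it is already loaded.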

@ahkok
Contributor

ahkok commented Sep 20, 2019

I've done the NetworkManager change. NetworkManager-1.16.2-60

The kernel has most of the options enabled. Once the NetworkManager change is available, we can test whether additional kernel changes are needed.

From my checks, only CONFIG_CRYPTO_USER_API_AEAD is currently disabled, and I don't think it's needed for WPA2 etc., since we know that already works, but that'll be easier to check in 2-3 days.

@jprestwo
Author

Great, thank you.

I built NM myself and can confirm that WPA2 PSK networks work. Enterprise networks (EAP-TLS at least) do not work though. I didn't get past loading my private key. This makes me think the PKCS7/8 options were not enabled, nor was there a module available on the default clear installation. I do think API_AEAD is needed for TLS though, so that might have to be turned on.

Anyways, I'll wait till NM goes live and try it out again.

@jprestwo
Author

@ahkok, looks like we are good to go. Just verified IWD works as expected. Thanks for getting this in.

@ahkok
Contributor

ahkok commented Sep 23, 2019

Can you advise on what CONFIG_CRYPTO_USER_API_AEAD is needed for? I think we can just enable it, but it would help if we had a good reason.

@jprestwo
Author

ELL appears to use it as a bulk encryption algorithm option for TLS:

https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/tls-suites.c#n1097

@ahkok
Contributor

ahkok commented Sep 26, 2019

@miguelinux can you enable CONFIG_CRYPTO_USER_API_AEAD in the -native and -lts kernels?

@ahkok
Contributor

ahkok commented Sep 26, 2019

Close when done.

@miguelinux
Member

The change is already in the -native and -lts kernels; you will find it in the next public release.

clrpackages pushed a commit to clearlinux-pkgs/linux that referenced this issue Oct 14, 2019
* Random Number Generation
 - Pseudo Random Number Generation for Cryptographic modules
 - NIST SP800-90A DRBG
 - User-space interface for random number generator algorithms
 - User-space interface for AEAD cipher algorithms
* Hardware crypto devices
 - Support for VIA PadLock ACE

resolve clearlinux/distribution#1258
clrpackages pushed a commit to clearlinux-pkgs/linux-lts2018 that referenced this issue Oct 14, 2019
* Random Number Generation
 - Pseudo Random Number Generation for Cryptographic modules
 - NIST SP800-90A DRBG
 - User-space interface for random number generator algorithms
 - User-space interface for AEAD cipher algorithms
* Hardware crypto devices
 - Support for VIA PadLock ACE

resolve clearlinux/distribution#1258
clrpackages pushed a commit to clearlinux-pkgs/linux-lts2017 that referenced this issue Oct 15, 2019
* Random Number Generation
 - Pseudo Random Number Generation for Cryptographic modules
 - NIST SP800-90A DRBG
 - User-space interface for random number generator algorithms
 - User-space interface for AEAD cipher algorithms
* Hardware crypto devices
 - Support for VIA PadLock ACE

resolve clearlinux/distribution#1258
@miguelinux
Member

The CONFIG_CRYPTO_USER_API_AEAD is enabled in the -native and -lts kernels.

@thiagomacieira

Please enable for all kernels. It's user API.
