Re: [PATCH 1/2] wifi: iwlwifi: enable MFP_CAPABLE in FIPS mode

From: Johannes Berg

Date: Mon Jun 29 2026 - 09:08:23 EST


Hi,

> Since we have some customers requesting this, I'd appreciate some
> clarification on what specifically cannot be done so I can better
> understand the firmware requirements.

The firmware handles various action frames that are robust action
frames, so their protection must be checked on RX and they must be
protected on TX. For example, CSA (spectrum management) action frames,
or Block-Ack action frames.

> Our testing shows MFP working with software crypto in FIPS mode
> (connection succeeds, "MFP: yes" confirmed, firmware reports SEC_ENC_ERR
> 0x707 indicating it's not handling the frames). Indeed it was working like
> this before your commit.

Sure, it *works*, but it's not secure nor fast.

> Could you help me to understand:
> - What breaks when MFP_CAPABLE is enabled in FIPS mode?
> - Is there a specific scenario (beyond WoWLAN/beacon protection) where
> firmware must handle MFP frames?

See above, I think.

> - Is the issue that it appears to work but fails in certain conditions?
>
> If possible, I would like to get information at least to justify the
> reasons why FIPS cannot be used with WiFi Intel cards (or if there is
> some way/approach to make it work).

I don't think there's any good/secure way of doing this.

johannes