* @RX_MPDU_RES_STATUS_SEC_TKIP_ENC: this frame is encrypted using TKIP
  * @RX_MPDU_RES_STATUS_SEC_EXT_ENC: this frame is encrypted using extension
  *     algorithm
- * @RX_MPDU_RES_STATUS_SEC_CCM_CMAC_ENC: this frame is encrypted using CCM_CMAC
+ * @RX_MPDU_RES_STATUS_SEC_CMAC_GMAC_ENC: this frame is protected using
+ *     CMAC or GMAC
  * @RX_MPDU_RES_STATUS_SEC_ENC_ERR: this frame couldn't be decrypted
  * @RX_MPDU_RES_STATUS_SEC_ENC_MSK: bitmask of the encryption algorithm
  * @RX_MPDU_RES_STATUS_DEC_DONE: this frame has been successfully decrypted
        RX_MPDU_RES_STATUS_SEC_CCM_ENC                  = (2 << 8),
        RX_MPDU_RES_STATUS_SEC_TKIP_ENC                 = (3 << 8),
        RX_MPDU_RES_STATUS_SEC_EXT_ENC                  = (4 << 8),
-       RX_MPDU_RES_STATUS_SEC_CCM_CMAC_ENC             = (6 << 8),
+       RX_MPDU_RES_STATUS_SEC_CMAC_GMAC_ENC            = (6 << 8),
        RX_MPDU_RES_STATUS_SEC_ENC_ERR                  = (7 << 8),
        RX_MPDU_RES_STATUS_SEC_ENC_MSK                  = (7 << 8),
        RX_MPDU_RES_STATUS_DEC_DONE                     = BIT(11),
        IWL_RX_MPDU_STATUS_ICV_OK               = BIT(5),
        IWL_RX_MPDU_STATUS_MIC_OK               = BIT(6),
        IWL_RX_MPDU_RES_STATUS_TTAK_OK          = BIT(7),
+       /* overlayed since IWL_UCODE_TLV_API_DEPRECATE_TTAK */
+       IWL_RX_MPDU_STATUS_REPLAY_ERROR         = BIT(7),
        IWL_RX_MPDU_STATUS_SEC_MASK             = 0x7 << 8,
        IWL_RX_MPDU_STATUS_SEC_UNKNOWN          = IWL_RX_MPDU_STATUS_SEC_MASK,
        IWL_RX_MPDU_STATUS_SEC_NONE             = 0x0 << 8,
 
                hw->wiphy->pmsr_capa = &iwl_mvm_pmsr_capa;
        }
 
+       if (fw_has_capa(&mvm->fw->ucode_capa,
+                       IWL_UCODE_TLV_CAPA_BIGTK_SUPPORT))
+               wiphy_ext_feature_set(hw->wiphy,
+                                     NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT);
+
        ieee80211_hw_set(hw, SINGLE_SCAN_ON_ALL_BANDS);
        hw->wiphy->features |=
                NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR |
 
        switch (cmd) {
        case SET_KEY:
+               if (keyidx == 6 || keyidx == 7)
+                       rcu_assign_pointer(mvmvif->bcn_prot.keys[keyidx - 6],
+                                          key);
+
                if ((vif->type == NL80211_IFTYPE_ADHOC ||
                     vif->type == NL80211_IFTYPE_AP) && !sta) {
                        /*
 
                break;
        case DISABLE_KEY:
+               if (keyidx == 6 || keyidx == 7)
+                       RCU_INIT_POINTER(mvmvif->bcn_prot.keys[keyidx - 6],
+                                        NULL);
+
                ret = -ENOENT;
                for (i = 0; i < ARRAY_SIZE(mvmvif->ap_early_keys); i++) {
                        if (mvmvif->ap_early_keys[i] == key) {
 
        rx_status->chain_signal[2] = S8_MIN;
 }
 
-static int iwl_mvm_rx_crypto(struct iwl_mvm *mvm, struct ieee80211_hdr *hdr,
+static int iwl_mvm_rx_mgmt_crypto(struct ieee80211_sta *sta,
+                                 struct ieee80211_hdr *hdr,
+                                 struct iwl_rx_mpdu_desc *desc,
+                                 u32 status)
+{
+       struct iwl_mvm_sta *mvmsta;
+       struct iwl_mvm_vif *mvmvif;
+       u8 fwkeyid = u32_get_bits(status, IWL_RX_MPDU_STATUS_KEY);
+       u8 keyid;
+       struct ieee80211_key_conf *key;
+       u32 len = le16_to_cpu(desc->mpdu_len);
+       const u8 *frame = (void *)hdr;
+
+       /*
+        * For non-beacon, we don't really care. But beacons may
+        * be filtered out, and we thus need the firmware's replay
+        * detection, otherwise beacons the firmware previously
+        * filtered could be replayed, or something like that, and
+        * it can filter a lot - though usually only if nothing has
+        * changed.
+        */
+       if (!ieee80211_is_beacon(hdr->frame_control))
+               return 0;
+
+       /* good cases */
+       if (likely(status & IWL_RX_MPDU_STATUS_MIC_OK &&
+                  !(status & IWL_RX_MPDU_STATUS_REPLAY_ERROR)))
+               return 0;
+
+       if (!sta)
+               return -1;
+
+       mvmsta = iwl_mvm_sta_from_mac80211(sta);
+
+       /* what? */
+       if (fwkeyid != 6 && fwkeyid != 7)
+               return -1;
+
+       mvmvif = iwl_mvm_vif_from_mac80211(mvmsta->vif);
+
+       key = rcu_dereference(mvmvif->bcn_prot.keys[fwkeyid - 6]);
+       if (!key)
+               return -1;
+
+       if (len < key->icv_len + IEEE80211_GMAC_PN_LEN + 2)
+               return -1;
+
+       /*
+        * See if the key ID matches - if not this may be due to a
+        * switch and the firmware may erroneously report !MIC_OK.
+        */
+       keyid = frame[len - key->icv_len - IEEE80211_GMAC_PN_LEN - 2];
+       if (keyid != fwkeyid)
+               return -1;
+
+       /* Report status to mac80211 */
+       if (!(status & IWL_RX_MPDU_STATUS_MIC_OK))
+               ieee80211_key_mic_failure(key);
+       else if (status & IWL_RX_MPDU_STATUS_REPLAY_ERROR)
+               ieee80211_key_replay(key);
+
+       return -1;
+}
+
+static int iwl_mvm_rx_crypto(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+                            struct ieee80211_hdr *hdr,
                             struct ieee80211_rx_status *stats, u16 phy_info,
                             struct iwl_rx_mpdu_desc *desc,
                             u32 pkt_flags, int queue, u8 *crypt_len)
                        return -1;
                stats->flag |= RX_FLAG_DECRYPTED;
                return 0;
+       case RX_MPDU_RES_STATUS_SEC_CMAC_GMAC_ENC:
+               return iwl_mvm_rx_mgmt_crypto(sta, hdr, desc, status);
        default:
                /*
                 * Sometimes we can get frames that were not decrypted
 
        iwl_mvm_decode_lsig(skb, &phy_data);
 
-       rx_status = IEEE80211_SKB_RXCB(skb);
-
-       if (iwl_mvm_rx_crypto(mvm, hdr, rx_status, phy_info, desc,
-                             le32_to_cpu(pkt->len_n_flags), queue,
-                             &crypt_len)) {
-               kfree_skb(skb);
-               return;
-       }
-
        /*
         * Keep packets with CRC errors (and with overrun) for monitor mode
         * (otherwise the firmware discards them) but mark them as bad.
                sta = ieee80211_find_sta_by_ifaddr(mvm->hw, hdr->addr2, NULL);
        }
 
+       if (iwl_mvm_rx_crypto(mvm, sta, hdr, rx_status, phy_info, desc,
+                             le32_to_cpu(pkt->len_n_flags), queue,
+                             &crypt_len)) {
+               kfree_skb(skb);
+               goto out;
+       }
+
        if (sta) {
                struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
                struct ieee80211_vif *tx_blocked_vif =
 
 
        /* verify the key details match the required command's expectations */
        if (WARN_ON((keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE) ||
-                   (keyconf->keyidx != 4 && keyconf->keyidx != 5) ||
+                   (keyconf->keyidx != 4 && keyconf->keyidx != 5 &&
+                    keyconf->keyidx != 6 && keyconf->keyidx != 7) ||
                    (keyconf->cipher != WLAN_CIPHER_SUITE_AES_CMAC &&
                     keyconf->cipher != WLAN_CIPHER_SUITE_BIP_GMAC_128 &&
                     keyconf->cipher != WLAN_CIPHER_SUITE_BIP_GMAC_256)))
                                                       ((u64) pn[0] << 40));
        }
 
-       IWL_DEBUG_INFO(mvm, "%s igtk for sta %u\n",
+       IWL_DEBUG_INFO(mvm, "%s %sIGTK (%d) for sta %u\n",
                       remove_key ? "removing" : "installing",
-                      igtk_cmd.sta_id);
+                      keyconf->keyidx >= 6 ? "B" : "",
+                      keyconf->keyidx, igtk_cmd.sta_id);
 
        if (!iwl_mvm_has_new_rx_api(mvm)) {
                struct iwl_mvm_mgmt_mcast_key_cmd_v1 igtk_cmd_v1 = {