An exchange with a NFC target must complete within NCI_DATA_TIMEOUT.
A delay of 700 ms is not sufficient for cryptographic operations on smart
cards. CardOS 6.0 may need up to 1.3 seconds to perform 256-bit ECDH
or 3072-bit RSA. To prevent brute-force attacks, passports and similar
documents introduce even longer delays into access control protocols
(BAC/PACE).

The timeout should be higher, but not too much. The expiration allows
us to detect that a NFC target has disappeared.

Signed-off-by: Juraj Šarinay <juraj@sarinay.com>
---
v3:
  - introduce no parameter and raise the timeout unconditionally
v2: https://lore.kernel.org/netdev/20250825234354.855755-1-juraj@sarinay.com/
  - export nci_data_timeout to survive make allmodconfig
v1: https://lore.kernel.org/netdev/20250825134644.135448-1-juraj@sarinay.com/

 include/net/nfc/nci_core.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/nfc/nci_core.h b/include/net/nfc/nci_core.h
index e180bdf2f82b..664d5058e66e 100644
--- a/include/net/nfc/nci_core.h
+++ b/include/net/nfc/nci_core.h
@@ -52,7 +52,7 @@ enum nci_state {
 #define NCI_RF_DISC_SELECT_TIMEOUT		5000
 #define NCI_RF_DEACTIVATE_TIMEOUT		30000
 #define NCI_CMD_TIMEOUT				5000
-#define NCI_DATA_TIMEOUT			700
+#define NCI_DATA_TIMEOUT			3000
 
 struct nci_dev;
 
-- 
2.47.2

On 02/09/2025 13:36, Juraj Šarinay wrote:
> An exchange with a NFC target must complete within NCI_DATA_TIMEOUT.
> A delay of 700 ms is not sufficient for cryptographic operations on smart
> cards. CardOS 6.0 may need up to 1.3 seconds to perform 256-bit ECDH
> or 3072-bit RSA. To prevent brute-force attacks, passports and similar
> documents introduce even longer delays into access control protocols
> (BAC/PACE).
> 
> The timeout should be higher, but not too much. The expiration allows
> us to detect that a NFC target has disappeared.
> 
> Signed-off-by: Juraj Šarinay <juraj@sarinay.com>
> ---
> v3:

Thanks!

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

Best regards,
Krzysztof