WPA3 broken on Pi 3 with 6.6 (and works with 6.1)

[spockfish]

Describe the bug

When I run a 6.1 kernel on a Pi 3, using IWD, WPA3 works as expected. However, simply switching to the 6.6 kernel breaks this: the interface does not come up.

Steps to reproduce the behaviour

Run a 6.6 kernel, on a Pi 3, accessing a WPA 3 network.

Device (s)

Raspberry Pi 3 Mod. B

System

custom built OS (buildroot), with latest 6.1 or 6.6 kernel, IWD for wireless interface mgt.

Logs

No response

Additional context

There's another strange thing going on: I'm using the 'rpi-firmware-nonfree' release (https://github.com/RPi-Distro/firmware-nonfree), but the latest release does not support SAE offload, which is required for WPA3 to function.

So, the latest firmware reports (iw phy) the following:

Supported extended features:
        * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
        * [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
        * [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode

And thus WPA3 not functioning, where switching back to the upstream firmware (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/) reports this:

Supported extended features:
        * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
        * [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
        * [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
        * [ SAE_OFFLOAD ]: SAE offload support

And thus results in a working WPA3 connection, if using 6.1.

[peterharperuk]

My understanding is you have to use the upstream firmware if you want WPA3 support. Is it just that buildroot is using the wrong version?

[spockfish]

you have to use the upstream firmware if you want WPA3 support

That's what I said above ;-) Still does not fix the issue that this only works for 6.1, and not for 6.6.

[pelwell]

The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

[spockfish]

so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

Well, it's not about 'need'. I just happen to 'like' IWD, in favour of wpa_supplicant. I've been using it on various Pi's for more than a year now.

Could you elaborate a bit on the "it doesn't work" part?

[spockfish]

Hmmm.... I think I know why. IWD does not support CMD_EXTERNAL_AUTH

[pelwell]

Yes - that's it.

[spockfish]

The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

It's still not clear to me why this should be a difference between 6.1 and 6.6. Again, with 6.1 I got this working, with 6.6 not.

[spockfish]

To add to this: the same goes for the Pi 4.

With 6.1 WPA3 is working (upstream firmware), but replacing that with the latest 6.6 (and nothing else) breaks it.

[MashiroYae]

Linux 6.9.4-1-rpi-16k #1 SMP PREEMPT Wed Jun 12 15:15:09 EDT 2024 aarch64 GNU/Linux 6.9 still not work

[EdiDD]

@spockfish how did you switch to upstream firmware?. Recompile from scratch or copy pre-compiled binaries to /boot partition ?

[spockfish]

I meant the firmware as packaged in 'linux-firmware' (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/)

[EdiDD]

I meant the firmware as packaged in 'linux-firmware' (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/)

Did you manually extract this archive to /lib/firmware ?

[spockfish]

Did you manually extract this archive to /lib/firmware ?

I build a custom Linux, and there's a little bit more to it then just copying it over. Most distro's provide this fairly up-to-date.