search

raspberrypi / linux

Kernel source tree for Raspberry Pi-provided kernel builds. Issues unrelated to the linux kernel should be posted on the community forum at https://forums.raspberrypi.com/
Other
10.99k stars 4.94k forks source link

WPA3 broken on Pi 3 with 6.6 (and works with 6.1) #6130

Open spockfish opened 4 months ago

spockfish commented 4 months ago

Describe the bug

When I run a 6.1 kernel on a Pi 3, using IWD, WPA3 works as expected. However, simply switching to the 6.6 kernel breaks this: the interface does not come up.

Steps to reproduce the behaviour

Run a 6.6 kernel, on a Pi 3, accessing a WPA 3 network.

Device (s)

Raspberry Pi 3 Mod. B

System

custom built OS (buildroot), with latest 6.1 or 6.6 kernel, IWD for wireless interface mgt.

Logs

No response

Additional context

There's another strange thing going on: I'm using the 'rpi-firmware-nonfree' release (https://github.com/RPi-Distro/firmware-nonfree), but the latest release does not support SAE offload, which is required for WPA3 to function.

So, the latest firmware reports (iw phy) the following:

Supported extended features:
        * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
        * [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
        * [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode

And thus WPA3 not functioning, where switching back to the upstream firmware (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/) reports this:

Supported extended features:
        * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
        * [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
        * [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
        * [ SAE_OFFLOAD ]: SAE offload support

And thus results in a working WPA3 connection, if using 6.1.

peterharperuk commented 4 months ago

My understanding is you have to use the upstream firmware if you want WPA3 support. Is it just that buildroot is using the wrong version?

spockfish commented 4 months ago

you have to use the upstream firmware if you want WPA3 support

That's what I said above ;-) Still does not fix the issue that this only works for 6.1, and not for 6.6.

pelwell commented 4 months ago

The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

spockfish commented 4 months ago

so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

Well, it's not about 'need'. I just happen to 'like' IWD, in favour of wpa_supplicant. I've been using it on various Pi's for more than a year now.

Could you elaborate a bit on the "it doesn't work" part?

spockfish commented 4 months ago

Hmmm.... I think I know why. IWD does not support CMD_EXTERNAL_AUTH

pelwell commented 4 months ago

Yes - that's it.

spockfish commented 4 months ago

The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

It's still not clear to me why this should be a difference between 6.1 and 6.6. Again, with 6.1 I got this working, with 6.6 not.

spockfish commented 4 months ago

To add to this: the same goes for the Pi 4.

With 6.1 WPA3 is working (upstream firmware), but replacing that with the latest 6.6 (and nothing else) breaks it.

MashiroYae commented 2 months ago

Linux 6.9.4-1-rpi-16k #1 SMP PREEMPT Wed Jun 12 15:15:09 EDT 2024 aarch64 GNU/Linux 6.9 still not work