WPA3 broken on Pi 3 with 6.6 (and works with 6.1)
spockfish opened this issue · comments
Describe the bug
When I run a 6.1 kernel on a Pi 3, using IWD, WPA3 works as expected. However, simply switching to the 6.6 kernel breaks this: the interface does not come up.
Steps to reproduce the behaviour
Run a 6.6 kernel, on a Pi 3, accessing a WPA 3 network.
Device (s)
Raspberry Pi 3 Mod. B
System
custom built OS (buildroot), with latest 6.1 or 6.6 kernel, IWD for wireless interface mgt.
Logs
No response
Additional context
There's another strange thing going on: I'm using the 'rpi-firmware-nonfree' release (https://github.com/RPi-Distro/firmware-nonfree), but the latest release does not support SAE offload, which is required for WPA3 to function.
So, the latest firmware reports (iw phy) the following:
Supported extended features:
* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
And thus WPA3 not functioning, where switching back to the upstream firmware (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/) reports this:
Supported extended features:
* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
* [ SAE_OFFLOAD ]: SAE offload support
And thus results in a working WPA3 connection, if using 6.1.
My understanding is you have to use the upstream firmware if you want WPA3 support. Is it just that buildroot is using the wrong version?
you have to use the upstream firmware if you want WPA3 support
That's what I said above ;-) Still does not fix the issue that this only works for 6.1, and not for 6.6.
The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.
so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.
Well, it's not about 'need'. I just happen to 'like' IWD, in favour of wpa_supplicant. I've been using it on various Pi's for more than a year now.
Could you elaborate a bit on the "it doesn't work" part?
Hmmm.... I think I know why. IWD does not support CMD_EXTERNAL_AUTH
Yes - that's it.
The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.
It's still not clear to me why this should be a difference between 6.1 and 6.6.
Again, with 6.1 I got this working, with 6.6 not.
To add to this: the same goes for the Pi 4.
With 6.1 WPA3 is working (upstream firmware), but replacing that with the latest 6.6 (and nothing else) breaks it.