WPA3 broken on Pi 3 with 6.6 (and works with 6.1)

Question

WPA3 broken on Pi 3 with 6.6 (and works with 6.1)

spockfish opened this issue 25 days ago · comments

Describe the bug

When I run a 6.1 kernel on a Pi 3, using IWD, WPA3 works as expected. However, simply switching to the 6.6 kernel breaks this: the interface does not come up.

Steps to reproduce the behaviour

Run a 6.6 kernel, on a Pi 3, accessing a WPA 3 network.

Device (s)

Raspberry Pi 3 Mod. B

System

custom built OS (buildroot), with latest 6.1 or 6.6 kernel, IWD for wireless interface mgt.

Logs

No response

Additional context

There's another strange thing going on: I'm using the 'rpi-firmware-nonfree' release (https://github.com/RPi-Distro/firmware-nonfree), but the latest release does not support SAE offload, which is required for WPA3 to function.

So, the latest firmware reports (iw phy) the following:

Supported extended features:
		* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
		* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
		* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode

And thus WPA3 not functioning, where switching back to the upstream firmware (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/) reports this:

Supported extended features:
		* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
		* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
		* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
		* [ SAE_OFFLOAD ]: SAE offload support

And thus results in a working WPA3 connection, if using 6.1.

Peter Harper · Answer 1 · Mon Apr 29 2024 21:42:13 GMT+0800 (China Standard Time)

My understanding is you have to use the upstream firmware if you want WPA3 support. Is it just that buildroot is using the wrong version?

Harry ten Berge · Answer 2 · Mon Apr 29 2024 21:49:23 GMT+0800 (China Standard Time)

you have to use the upstream firmware if you want WPA3 support

That's what I said above ;-) Still does not fix the issue that this only works for 6.1, and not for 6.6.

Phil Elwell · Answer 3 · Mon Apr 29 2024 21:58:31 GMT+0800 (China Standard Time)

The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

Harry ten Berge · Answer 4 · Mon Apr 29 2024 22:07:04 GMT+0800 (China Standard Time)

so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

Well, it's not about 'need'. I just happen to 'like' IWD, in favour of wpa_supplicant. I've been using it on various Pi's for more than a year now.

Could you elaborate a bit on the "it doesn't work" part?

Harry ten Berge · Answer 5 · Mon Apr 29 2024 22:13:54 GMT+0800 (China Standard Time)

Hmmm.... I think I know why. IWD does not support CMD_EXTERNAL_AUTH

Phil Elwell · Answer 6 · Mon Apr 29 2024 22:15:06 GMT+0800 (China Standard Time)

Yes - that's it.

Harry ten Berge · Answer 7 · Mon Apr 29 2024 22:15:29 GMT+0800 (China Standard Time)

The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

It's still not clear to me why this should be a difference between 6.1 and 6.6.
Again, with 6.1 I got this working, with 6.6 not.

Harry ten Berge · Answer 8 · Tue Apr 30 2024 16:53:48 GMT+0800 (China Standard Time)

To add to this: the same goes for the Pi 4.

With 6.1 WPA3 is working (upstream firmware), but replacing that with the latest 6.6 (and nothing else) breaks it.