Message ID | 20250211195855.85360-1-prestwoj@gmail.com (mailing list archive) |
---|---|
State | New |
Series | [1/2] wiphy: add driver quirk to disable SAE |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
On Tue, Feb 11, 2025 at 1:59 PM James Prestwood <prestwoj@gmail.com> wrote: > > SAE/WPA3 is completely broken on brcmfmac, at least without a custom > kernel patch which isn't included in many OS distributions. In order > to help with this add a driver quirk so devices with brcmfmac can > utilize WPA2 instead of WPA3 and at least connect to networks at > this capacity until the fix is more widely distributed. > --- > src/wiphy.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/src/wiphy.c b/src/wiphy.c > index c7df648a..46f7a6d9 100644 > --- a/src/wiphy.c > +++ b/src/wiphy.c > @@ -74,6 +74,7 @@ enum driver_flag { > POWER_SAVE_DISABLE = 0x4, > OWE_DISABLE = 0x8, > MULTICAST_RX_DISABLE = 0x10, > + SAE_DISABLE = 0x20, > }; > > struct driver_flag_name { > @@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = { > { "ForcePae", FORCE_PAE }, > { "PowerSaveDisable", POWER_SAVE_DISABLE }, > { "OweDisable", OWE_DISABLE }, > - { "MulticastRxDisable", MULTICAST_RX_DISABLE } > + { "MulticastRxDisable", MULTICAST_RX_DISABLE }, > + { "SaeDisable", SAE_DISABLE }, > }; > > struct wiphy { > @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask) > > static bool wiphy_can_connect_sae(struct wiphy *wiphy) > { > + if (wiphy->driver_flags & SAE_DISABLE) > + return false; > + > /* > * WPA3 Specification version 3, Section 2.2: > * A STA shall not enable WEP and TKIP 
> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy) > if (wiphy->driver_flags & MULTICAST_RX_DISABLE) > flags = l_strv_append(flags, "MulticastRxDisable"); > > + if (wiphy->driver_flags & SAE_DISABLE) > + flags = l_strv_append(flags, "SaeDisable"); > + > joined = l_strjoinv(flags, ' '); > > l_info("\tDriver Flags: %s", joined); > -- > 2.34.1 > >

James,

What should I do with this patch? Should I apply it? (I do not think I should). I am trying to get the kernel patch in the 6.6 kernel. They, RPiOS, just pushed a new kernel 6.6.74 and the one line patch is not yet in there.

I guess I do not really understand what you are proposing. The default RPI kernel, with the patched version of IWD 3.3 (with the '[RFC] netdev: avoid PMKSA for fullmac drivers') patch will connect properly with wpa2 SSIDs when used with the un-patched kernel. The patched kernel will also connect to WPA2 SSIDs with the bonus of connecting to WPA3 as well.

Curious,

Keith
Hi Keith, On 2/11/25 12:32 PM, KeithG wrote: > On Tue, Feb 11, 2025 at 1:59 PM James Prestwood <prestwoj@gmail.com> wrote: >> SAE/WPA3 is completely broken on brcmfmac, at least without a custom >> kernel patch which isn't included in many OS distributions. In order >> to help with this add a driver quirk so devices with brcmfmac can >> utilize WPA2 instead of WPA3 and at least connect to networks at >> this capacity until the fix is more widely distributed. >> --- >> src/wiphy.c | 10 +++++++++- >> 1 file changed, 9 insertions(+), 1 deletion(-) >> >> diff --git a/src/wiphy.c b/src/wiphy.c >> index c7df648a..46f7a6d9 100644 >> --- a/src/wiphy.c >> +++ b/src/wiphy.c >> @@ -74,6 +74,7 @@ enum driver_flag { >> POWER_SAVE_DISABLE = 0x4, >> OWE_DISABLE = 0x8, >> MULTICAST_RX_DISABLE = 0x10, >> + SAE_DISABLE = 0x20, >> }; >> >> struct driver_flag_name { >> @@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = { >> { "ForcePae", FORCE_PAE }, >> { "PowerSaveDisable", POWER_SAVE_DISABLE }, >> { "OweDisable", OWE_DISABLE }, >> - { "MulticastRxDisable", MULTICAST_RX_DISABLE } >> + { "MulticastRxDisable", MULTICAST_RX_DISABLE }, >> + { "SaeDisable", SAE_DISABLE }, >> }; >> >> struct wiphy { >> @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask) >> >> static bool wiphy_can_connect_sae(struct wiphy *wiphy) >> { >> + if (wiphy->driver_flags & SAE_DISABLE) >> + return false; >> + >> /* >> * WPA3 Specification version 3, Section 2.2: >> * A STA shall not enable WEP and TKIP 
>> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy) >> if (wiphy->driver_flags & MULTICAST_RX_DISABLE) >> flags = l_strv_append(flags, "MulticastRxDisable"); >> >> + if (wiphy->driver_flags & SAE_DISABLE) >> + flags = l_strv_append(flags, "SaeDisable"); >> + >> joined = l_strjoinv(flags, ' '); >> >> l_info("\tDriver Flags: %s", joined); >> -- >> 2.34.1 >> >>
> James,
>
> What should I do with this patch? Should I apply it? (I do not think I
> should). I am trying to get the kernel patch in the 6.6 kernel. They,
> RPiOS, just pushed a new kernel 6.6.74 and the one line patch is not
> yet in there.
>
> I guess I do not really understand what you are proposing. The default
> RPI kernel, with the patched version of IWD 3.3 (with the '[RFC]
> netdev: avoid PMKSA for fullmac drivers') patch will connect properly
> with wpa2 SSIDs when used with the un-patched kernel. The patched
> kernel will also connect to WPA2 SSIDs with the bonus of connecting to
> WPA3 as well.

The issue I'm solving here is if you have a hybrid WPA2/WPA3 network. IWD will always prefer WPA3, but any brcmfmac devices _without_ a patched kernel will fail to connect and WPA2 is never tried. This patch allows the user to set this new option, which will avoid WPA3 entirely. Basically, it gets brcmfmac "working" to some extent using WPA2 vs completely non-functional for WPA3/WPA2 hybrid networks.

Applying this patch won't have any effect unless you set the option in main.conf.

>
> Curious,
>
> Keith
Hi Keith, On 2/11/25 12:36 PM, James Prestwood wrote: > Hi Keith, > > On 2/11/25 12:32 PM, KeithG wrote: >> On Tue, Feb 11, 2025 at 1:59 PM James Prestwood <prestwoj@gmail.com> >> wrote: >>> SAE/WPA3 is completely broken on brcmfmac, at least without a custom >>> kernel patch which isn't included in many OS distributions. In order >>> to help with this add a driver quirk so devices with brcmfmac can >>> utilize WPA2 instead of WPA3 and at least connect to networks at >>> this capacity until the fix is more widely distributed. >>> --- >>> src/wiphy.c | 10 +++++++++- >>> 1 file changed, 9 insertions(+), 1 deletion(-) >>> >>> diff --git a/src/wiphy.c b/src/wiphy.c >>> index c7df648a..46f7a6d9 100644 >>> --- a/src/wiphy.c >>> +++ b/src/wiphy.c >>> @@ -74,6 +74,7 @@ enum driver_flag { >>> POWER_SAVE_DISABLE = 0x4, >>> OWE_DISABLE = 0x8, >>> MULTICAST_RX_DISABLE = 0x10, >>> + SAE_DISABLE = 0x20, >>> }; >>> >>> struct driver_flag_name { >>> @@ -106,7 +107,8 @@ static const struct driver_flag_name >>> driver_flag_names[] = { >>> { "ForcePae", FORCE_PAE }, >>> { "PowerSaveDisable", POWER_SAVE_DISABLE }, >>> { "OweDisable", OWE_DISABLE }, >>> - { "MulticastRxDisable", MULTICAST_RX_DISABLE } >>> + { "MulticastRxDisable", MULTICAST_RX_DISABLE }, >>> + { "SaeDisable", SAE_DISABLE }, >>> }; >>> >>> struct wiphy { >>> @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct >>> wiphy *wiphy, uint16_t mask) >>> >>> static bool wiphy_can_connect_sae(struct wiphy *wiphy) >>> { >>> + if (wiphy->driver_flags & SAE_DISABLE) >>> + return false; >>> + >>> /* >>> * WPA3 Specification version 3, Section 2.2: >>> * A STA shall not enable WEP and TKIP 
>>> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct >>> wiphy *wiphy) >>> if (wiphy->driver_flags & MULTICAST_RX_DISABLE) >>> flags = l_strv_append(flags, >>> "MulticastRxDisable"); >>> >>> + if (wiphy->driver_flags & SAE_DISABLE) >>> + flags = l_strv_append(flags, "SaeDisable"); >>> + >>> joined = l_strjoinv(flags, ' '); >>> >>> l_info("\tDriver Flags: %s", joined); >>> -- >>> 2.34.1 >>> >>>
>> James,
>>
>> What should I do with this patch? Should I apply it? (I do not think I
>> should). I am trying to get the kernel patch in the 6.6 kernel. They,
>> RPiOS, just pushed a new kernel 6.6.74 and the one line patch is not
>> yet in there.
>>
>> I guess I do not really understand what you are proposing. The default
>> RPI kernel, with the patched version of IWD 3.3 (with the '[RFC]
>> netdev: avoid PMKSA for fullmac drivers') patch will connect properly
>> with wpa2 SSIDs when used with the un-patched kernel. The patched
>> kernel will also connect to WPA2 SSIDs with the bonus of connecting to
>> WPA3 as well.
>
> The issue I'm solving here is if you have a hybrid WPA2/WPA3 network.
> IWD will always prefer WPA3, but any brcmfmac devices _without_ a
> patched kernel will fail to connect and WPA2 is never tried. This
> patch allows the user to set this new option, which will avoid WPA3
> entirely. Basically, it gets brcmfmac "working" to some extent using
> WPA2 vs completely non-functional for WPA3/WPA2 hybrid networks.
>
> Applying this patch won't have any effect unless you set the option in
> main.conf.

Also by the way, that patch referenced in the earlier thread(s) with Arend doesn't seem to apply to the 6.6 Raspbian kernel. Looks like that file has changed locations between 6.6 and upstream so it's an easy modification, but that might be a reason the Raspi kernel folks wouldn't take it.

>
>>
>> Curious,
>>
>> Keith
All, On 2/11/25 11:58 AM, James Prestwood wrote: > SAE/WPA3 is completely broken on brcmfmac, at least without a custom > kernel patch which isn't included in many OS distributions. In order > to help with this add a driver quirk so devices with brcmfmac can > utilize WPA2 instead of WPA3 and at least connect to networks at > this capacity until the fix is more widely distributed. Both for my own reference and so others don't have to go digging through threads. The kernel patch that fixes SAE/WPA3 on brcmfmac can be found here: https://lore.kernel.org/linux-wireless/20241215120401.238320-1-arend.vanspriel@broadcom.com/ > --- > src/wiphy.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/src/wiphy.c b/src/wiphy.c > index c7df648a..46f7a6d9 100644 > --- a/src/wiphy.c > +++ b/src/wiphy.c > @@ -74,6 +74,7 @@ enum driver_flag { > POWER_SAVE_DISABLE = 0x4, > OWE_DISABLE = 0x8, > MULTICAST_RX_DISABLE = 0x10, > + SAE_DISABLE = 0x20, > }; > > struct driver_flag_name { > @@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = { > { "ForcePae", FORCE_PAE }, > { "PowerSaveDisable", POWER_SAVE_DISABLE }, > { "OweDisable", OWE_DISABLE }, > - { "MulticastRxDisable", MULTICAST_RX_DISABLE } > + { "MulticastRxDisable", MULTICAST_RX_DISABLE }, > + { "SaeDisable", SAE_DISABLE }, > }; > > struct wiphy { > @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask) > > static bool wiphy_can_connect_sae(struct wiphy *wiphy) > { > + if (wiphy->driver_flags & SAE_DISABLE) > + return false; > + > /* > * WPA3 Specification version 3, Section 2.2: > * A STA shall not enable WEP and TKIP 
> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy) > if (wiphy->driver_flags & MULTICAST_RX_DISABLE) > flags = l_strv_append(flags, "MulticastRxDisable"); > > + if (wiphy->driver_flags & SAE_DISABLE) > + flags = l_strv_append(flags, "SaeDisable"); > + > joined = l_strjoinv(flags, ' '); > > l_info("\tDriver Flags: %s", joined);
diff --git a/src/wiphy.c b/src/wiphy.c index c7df648a..46f7a6d9 100644 --- a/src/wiphy.c +++ b/src/wiphy.c @@ -74,6 +74,7 @@ enum driver_flag { POWER_SAVE_DISABLE = 0x4, OWE_DISABLE = 0x8, MULTICAST_RX_DISABLE = 0x10, + SAE_DISABLE = 0x20, }; struct driver_flag_name { @@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = { { "ForcePae", FORCE_PAE }, { "PowerSaveDisable", POWER_SAVE_DISABLE }, { "OweDisable", OWE_DISABLE }, - { "MulticastRxDisable", MULTICAST_RX_DISABLE } + { "MulticastRxDisable", MULTICAST_RX_DISABLE }, + { "SaeDisable", SAE_DISABLE }, }; struct wiphy { @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask) static bool wiphy_can_connect_sae(struct wiphy *wiphy) { + if (wiphy->driver_flags & SAE_DISABLE) + return false; + /* * WPA3 Specification version 3, Section 2.2: * A STA shall not enable WEP and TKIP @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy) if (wiphy->driver_flags & MULTICAST_RX_DISABLE) flags = l_strv_append(flags, "MulticastRxDisable"); + if (wiphy->driver_flags & SAE_DISABLE) + flags = l_strv_append(flags, "SaeDisable"); + joined = l_strjoinv(flags, ' '); l_info("\tDriver Flags: %s", joined);
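Review bot: missing documentation for the new "SaeDisable" name added to driver_flag_names[] in the @@ -106,7 +107,8 @@ hunk. The diffstat shows only src/wiphy.c changed, and this is a string users are expected to type into main.conf. Unless 2/2 covers it, please describe the flag wherever the existing names such as "OweDisable" and "MulticastRxDisable" are documented, and state there that it trades WPA3 for WPA2 on the affected driver. Adding the trailing comma to the last initializer is a good change, since it keeps the next addition to a one-line diff.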
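Review bot: the early return added at the top of wiphy_can_connect_sae() (the @@ -202,6 +204,9 @@ hunk) is silent and uncommented, while the check right below it cites the WPA3 specification. With the flag set, a WPA2/WPA3 hybrid network is joined with WPA2, which is the stated purpose, so a one-line comment naming the brcmfmac SAE breakage as the reason would help, and an l_debug() before the return would let a WPA2 association on a WPA3-capable network be traced back to this quirk. The visible lines also do not show what happens for a network that offers SAE only. If such a network can no longer be connected to while the flag is set, the commit message should say so.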
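Review bot: style point in wiphy_print_basic_info() (the @@ -1368,6 +1373,9 @@ hunk): the "SaeDisable" literal is now spelled twice, here and in driver_flag_names[], as the existing flags already are. A loop over driver_flag_names[] that appends each name whose flag bit is set would remove the per-flag if blocks and keep the printed names from drifting away from the ones the parser accepts. That can be a follow-up. Listing the flag in the "Driver Flags:" line is worth keeping either way, since it is the only place in this patch where an active SAE downgrade shows up in the log.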