linux icon indicating copy to clipboard operation
linux copied to clipboard
verified publisher icon raspberrypi

WPA3 broken on Pi 3 with 6.6 (and works with 6.1)

Open spockfish opened this issue 1 year ago • 52 comments

Describe the bug

When I run a 6.1 kernel on a Pi 3, using IWD, WPA3 works as expected. However, simply switching to the 6.6 kernel breaks this: the interface does not come up.

Steps to reproduce the behaviour

Run a 6.6 kernel, on a Pi 3, accessing a WPA 3 network.

Device (s)

Raspberry Pi 3 Mod. B

System

custom built OS (buildroot), with latest 6.1 or 6.6 kernel, IWD for wireless interface mgt.

Logs

No response

Additional context

There's another strange thing going on: I'm using the 'rpi-firmware-nonfree' release (https://github.com/RPi-Distro/firmware-nonfree), but the latest release does not support SAE offload, which is required for WPA3 to function.

So, the latest firmware reports (iw phy) the following:

Supported extended features:
		* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
		* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
		* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode

And thus WPA3 not functioning, where switching back to the upstream firmware (https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/) reports this:

Supported extended features:
		* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
		* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
		* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
		* [ SAE_OFFLOAD ]: SAE offload support

And thus results in a working WPA3 connection, if using 6.1.

spockfish avatar Apr 29 '24 13:04 spockfish

My understanding is you have to use the upstream firmware if you want WPA3 support. Is it just that buildroot is using the wrong version?

peterharperuk avatar Apr 29 '24 13:04 peterharperuk

you have to use the upstream firmware if you want WPA3 support

That's what I said above ;-) Still does not fix the issue that this only works for 6.1, and not for 6.6.

spockfish avatar Apr 29 '24 13:04 spockfish

The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

pelwell avatar Apr 29 '24 13:04 pelwell

so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

Well, it's not about 'need'. I just happen to 'like' IWD, in favour of wpa_supplicant. I've been using it on various Pi's for more than a year now.

Could you elaborate a bit on the "it doesn't work" part?

spockfish avatar Apr 29 '24 14:04 spockfish

Hmmm.... I think I know why. IWD does not support CMD_EXTERNAL_AUTH

spockfish avatar Apr 29 '24 14:04 spockfish

Yes - that's it.

pelwell avatar Apr 29 '24 14:04 pelwell

The upstream firmware uses the SAE feature, so there is no need to use iwd (in fact it doesn't work) - continue to use wpa_supplicant as before.

It's still not clear to me why this should be a difference between 6.1 and 6.6. Again, with 6.1 I got this working, with 6.6 not.

spockfish avatar Apr 29 '24 14:04 spockfish

To add to this: the same goes for the Pi 4.

With 6.1 WPA3 is working (upstream firmware), but replacing that with the latest 6.6 (and nothing else) breaks it.

spockfish avatar Apr 30 '24 08:04 spockfish

Linux 6.9.4-1-rpi-16k #1 SMP PREEMPT Wed Jun 12 15:15:09 EDT 2024 aarch64 GNU/Linux 6.9 still not work

MashiroYae avatar Jun 18 '24 02:06 MashiroYae