Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp609546rdb; Thu, 21 Dec 2023 22:16:55 -0800 (PST) X-Google-Smtp-Source: AGHT+IEDm7gzsQ27271WB/t4fwwsR9kKDfs3eyKydbHOorzXI8CRhrXwJjqv0GDZvQXTK480qyPr X-Received: by 2002:a50:d702:0:b0:554:4ad0:f4a6 with SMTP id t2-20020a50d702000000b005544ad0f4a6mr308987edi.13.1703225815150; Thu, 21 Dec 2023 22:16:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703225815; cv=none; d=google.com; s=arc-20160816; b=DnieompNpk+hZG+czw+wopHEkgDxbiGjtAZ08MjexMBPii9GpypsQTG8C/dJOLv+5c rzkfzWQJO93ZB0pt+B5KoHLOk+cFXu/HQVd/EpIsU+MyaSHiuIJ76+WEGKDVhlMzMNXT OT4Rk+eDOROpZqk5MgSMMS6pKnURJ6oI+J8tQQxuIMsJgpexpHPuofGLoYqxIaT2WE0u IWk5UF1alj1Pt7AA9oHKgc7gqN8+Bm06RiBSz99mzbu+VFxvdFeY9+gCU/xuOmkn1fBU MOXVwMBXyG7foUl8J7TA/C3mAaosbj4VFzGVlZ/Klxm7pB6mgTUulhiAfNiH+kdnV35C bjdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:list-unsubscribe :list-subscribe:list-id:precedence; bh=MOUmgEJevxp4+U20I6/hlIcyqXSOqQbg3BOnpbqc93w=; fh=VxXECp5mDAXEsKQFKe/rgS/lcAl5a4xEQkmGokbdOHs=; b=A82W0EgrdpMfmzCN8fnq56T583oUPemcM+EUTUHMqMl1eYXkbNj14lnYP/2jiIxvQM sMZvFQchyuHBKOHZBJ+S/dRUXCCdZeUCE/F9MKmE/lTQ3nsSs66J0JzpdUBWHmotj2n9 PENzQpdwweSOPRsBbM0LPxyZjg9xeKQBb8Hx8QO2lD0xANVI+UtEaH02oZ6IHe1GFx0p EkgYGXtqYMJFeTTWlrV8tDMN4bu+EM5yuVibEcvUOsQ0SwD9diu12f6B7f0gCI/mTftM C0WTOQcg94zj1hzUP4CXkp482PcPf6TRJqAP9sij6fEWw5+y82PPKjvWGgK1dnuF14/R T71w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless+bounces-1202-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-wireless+bounces-1202-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id x20-20020a50d614000000b005533935f0d9si1545409edi.407.2023.12.21.22.16.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Dec 2023 22:16:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless+bounces-1202-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless+bounces-1202-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-wireless+bounces-1202-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id DB38D1F25AD6 for ; Fri, 22 Dec 2023 06:16:54 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8913D6FC2; Fri, 22 Dec 2023 06:16:50 +0000 (UTC) X-Original-To: linux-wireless@vger.kernel.org Received: from mail.holtmann.org (coyote.holtmann.net [212.227.132.17]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 218898C0C; Fri, 22 Dec 2023 06:16:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=holtmann.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=holtmann.org Received: from smtpclient.apple (p5b3d29b7.dip0.t-ipconnect.de [91.61.41.183]) by mail.holtmann.org (Postfix) with ESMTPSA id 480CBCECCA; Fri, 22 Dec 2023 07:16:46 +0100 (CET) Content-Type: text/plain; charset=us-ascii Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\)) Subject: Re: [PATCH] wifi: brcmfmac: cfg80211: Use WSEC to set SAE password From: Marcel Holtmann In-Reply-To: Date: Fri, 22 Dec 2023 07:16:35 +0100 Cc: Julian Calaby , Arend van Spriel , Kalle Valo , Hector Martin , Arend van Spriel , Franky Lin , Hante Meuleman , Daniel Berlin , linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com, linux-kernel@vger.kernel.org, asahi@lists.linux.dev Content-Transfer-Encoding: quoted-printable Message-Id: <59D14D24-91DA-4DC8-B8EE-460BE02F4DDE@holtmann.org> References: <20231107-brcmfmac-wpa3-v1-1-4c7db8636680@marcan.st> <170281231651.2255653.7498073085103487666.kvalo@kernel.org> <18c80d15e30.279b.9b12b7fc0a3841636cfb5e919b41b954@broadcom.com> <1b51997f-2994-46e8-ac58-90106d1c486d@marcan.st> To: Neal Gompa X-Mailer: Apple Mail (2.3774.300.61.1.2) Hi Neal, >>>>>>>> Using the WSEC command instead of sae_password seems to be the = supported >>>>>>>> mechanism on newer firmware, and also how the brcmdhd driver = does it. >>>>>>>>=20 >>>>>>>> According to user reports [1], the sae_password codepath = doesn't actually >>>>>>>> work on machines with Cypress chips anyway, so no harm in = removing it. >>>>>>>>=20 >>>>>>>> This makes WPA3 work with iwd, or with wpa_supplicant pending a = support >>>>>>>> patchset [2]. >>>>>>>>=20 >>>>>>>> [1] https://rachelbythebay.com/w/2023/11/06/wpa3/ >>>>>>>> [2] = http://lists.infradead.org/pipermail/hostap/2023-July/041653.html >>>>>>>>=20 >>>>>>>> Signed-off-by: Hector Martin >>>>>>>> Reviewed-by: Neal Gompa >>>>>>>=20 >>>>>>> Arend, what do you think? >>>>>>>=20 >>>>>>> We recently talked about people testing brcmfmac patches, has = anyone else >>>>>>> tested this? >>>>>>=20 >>>>>> Not sure I already replied so maybe I am repeating myself. I = would prefer >>>>>> to keep the Cypress sae_password path as well although it = reportedly does >>>>>> not work. The vendor support in the driver can be used to = accommodate for >>>>>> that. The other option would be to have people with Cypress = chipset test >>>>>> this patch. If that works for both we can consider dropping the >>>>>> sae_password path. >>>>>>=20 >>>>>> Regards, >>>>>> Arend >>>>>=20 >>>>> So, if nobody from Cypress chimes in ever, and nobody cares nor = tests >>>>> Cypress chipsets, are we keeping any and all existing Cypress = code-paths >>>>> as bitrotting code forever and adding gratuitous conditionals = every time >>>>> any functionality needs to change "just in case it breaks Cypress" = even >>>>> though it has been tested compatible on Broadcom = chipsets/firmware? >>>>>=20 >>>>> Because that's not sustainable long term. >>>>=20 >>>> You should look into WEXT just for the fun of it. If it were up to = me >>>> and a bunch of other people that would have been gone decades ago. = Maybe >>>> a bad example if the sae_password is indeed not working, but the = Cypress >>>> chipset is used in RPi3 and RPi4 so there must be a couple of = users. >>>=20 >>> There are reports that WPA3 is broken on the Cypress chipsets the >>> Raspberry Pis are using and this patch fixes it: >>> https://rachelbythebay.com/w/2023/11/06/wpa3/ >>>=20 >>> Based on that, it appears that all known users of WPA3 capable >>> hardware with this driver require this fix. >>=20 >> the Pis are all using an outdated firmware. In their distro they put = the >> firmware already under the alternates systems, but it just lacks the = SAE >> offload support that is required to make WPA3 work. The = linux-firmware >> version does the trick nicely. >>=20 >> I documented what I did to make this work on Pi5 (note that I = normally >> use Fedora on Pi4 and thus never encountered this issue) >>=20 >> https://holtmann.dev/enabling-wpa3-on-raspberry-pi/ >>=20 >> However you need to use iwd and not hope that you get a = wpa_supplicant >> released version that will work. >>=20 >> So whole game of wpa_supplicant is vendor specific to the company = that >> provides the driver is also insane, but that is another story. Use = iwd >> and you can most likely have WPA3 support if you have the right = firmware. >>=20 >=20 > wpa_supplicant is perfectly fine if the necessary patches are > backported, as Fedora has done: > = https://src.fedoraproject.org/rpms/wpa_supplicant/c/99f4bf2096d3976cee01c4= 99d7a30c1376f5f0f7 my point exactly. Tell me when the last hostap release was and how much delta that has to HEAD. So the wpa_supplicant you have in Fedora is essentially yet another fork of an upstream project. One of many. Reality is there is limited interest to make WiFi great on Linux. And if you really look honestly, then you realize it is pretty bad. Regards Marcel