Colibri iMX6ULL which kernel / driver version for WPA3?

Hi everyone,

in addition to that question:

I would like to know, what kernel and/or driver version of the mwifiex is needed to run a hostapd with WPA3.

Thanks.
Pete

5.1.0 BSP comes with hostapd compiled with WPA3 disabled. You need to rebuild hostapd yourself or provide some recipe to Yocto to enable WPA3.

You may check if your driver supports WPA3 using the iw phy command. The Supported Ciphers section should list the mandatory WPA3 entries. Try googling for them. I found them once, can’t tell which ones at the moment.

CONFIG_MXMWIFIEX driver from NXP supports WPA3_SAE, CONFIG_MWIFIEX from Marvell doesn’t.

I would try WPA3 already, but working at home I see no device or card that would support WPA3_SAE…
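The `iw phy` check suggested in the reply above, as an added example that is not part of the original post. It assumes the entries to look for are CCMP (selector 00-0f-ac:4) and BIP-CMAC-128 (00-0f-ac:6, used for protected management frames), which comes from the WPA3 requirements and not from this thread; the function name and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: read `iw phy` output on stdin and report the cipher
# suites a WPA3-SAE link relies on. Suites are matched by selector
# (OUI:type), so the label iw prints (CCMP or CCMP-128) does not matter.
wpa3_cipher_check() {
    awk '
        /Supported Ciphers:/ { in_list = 1; next }
        in_list && /\* /     { if ($0 ~ /00-0f-ac:4\)/) ccmp = 1
                               if ($0 ~ /00-0f-ac:6\)/) cmac = 1
                               next }
        in_list              { in_list = 0 }   # first non-bullet line ends the list
        /supports SAE/       { sae = 1 }
        END {
            print "CCMP-128, pairwise cipher (00-0f-ac:4): " (ccmp ? "yes" : "MISSING")
            print "BIP-CMAC-128, PMF/802.11w (00-0f-ac:6): " (cmac ? "yes" : "MISSING")
            print "SAE feature flag (informational):       " (sae ? "yes" : "not advertised")
            exit !(ccmp && cmac)
        }'
}

# Constructed samples, shaped like `iw phy` output (not captured from a board).
IW_WPA2_ONLY='Wiphy phy0
    Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
    Available Antennas: TX 0 RX 0'
IW_WPA3_READY='Wiphy phy1
    Supported Ciphers:
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
        * CMAC (00-0f-ac:6)
    Device supports SAE with AUTHENTICATE command'

printf '%s\n' "$IW_WPA3_READY" | wpa3_cipher_check || true
```

On the target, run it as `iw phy | wpa3_cipher_check`; the exit status is non-zero when either cipher suite is missing.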

Hi Edward,
thanks for the info. I had already recompiled hostapd with SAE.
It seems like my problem is the kernel configuration you mentioned…

What kernel and/or BSP version is required to have CONFIG_MXMWIFIEX enabled?
Would CONFIG_MXMWIFIEX be enabled by default or will that always have to be enabled manually?

Thanks

Please CHECK THIS and perhaps the patch below, to enable menu config of particular SDIO / SD8997 / etc. card variants. Once the kernel and driver are compiled, you will need to create a driver config file as suggested in the PDF pointed to there. A newer kernel should work as well: GIT

Edward

Thanks for the support, @Edward.

@PeteH , One question before going into details about WPA3: Do you plan to use it with the AW-CM276NF WiFi/Bluetooth module embedded in the Colibri iMX6ULL WB?

Because, if that is the case, it does not support WPA3 “out-of-the-box”.
But by using the NXP drivers, you may be able to enable it.
See this application note.

Best regards,
André Curvello

Hi @andrecurvello.tx and @Edward

Thanks for getting back to me.
Yes, I would like to have WPA3 on the Colibri iMX6ULL.

So far I have done the following:

  • Upgrade to Toradex BSP 5.2.0
  • Configure and build the Kernel with the NXP mx_mwifiex driver enabled
  • Build hostapd with sae enabled

Any hints or suggestions on using the new driver?
Just loading the module does not provide a device.

BG
Pete

Hi @PeteH,

Unfortunately, we don’t have plans to officially add the WPA3 support on our BSP 5, but we are discussing its addition on BSP 6.

Until then, you may have to rely on the NXP Application Note for WPA3.

Best regards,
André Curvello

@Edward can you maybe provide some more insight on your setup for WPA3?

We have the new NXP driver up and running. It loads and we can create APs with hostapd and connect to those networks. But we can’t connect to WPA3 networks we are trying to connect to.

Can you maybe provide your hostapd.conf for WPA3?

BG
Pete

Hi @PeteH,

Unfortunately I see almost no devices around with WPA3 support. So I don’t care much about it.

What I know is that Toradex Yocto by default compiles hostapd with WPA3 SAE support turned off. I have hostapd compiled with it enabled. In a week or two I’ll try establishing a WPA3 connection between a Colibri and some Intel 9xxx card, and perhaps between two Colibries as well.

Here’s hostapd.conf for SD8997. Replace SSID and PASSPHRASE with your settings. Switch wpa_key_mgmt from SAE to WPA-PSK to switch between WPA3 SAE and WPA2-PSK.

driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
# a=5GHz, g=2.4GHz
hw_mode=g
# channel=0 turns on ACS survey
channel=1
# Please take the following into consideration:
# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
# Set as needed to indicate country in which device is operating.
# This can limit available channels and transmit power.
#country_code=US
# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
# channels and transmit power levels based on the regulatory limits. The
# country_code setting must be configured with the correct country for
# IEEE 802.11d functions.
# (default: 0 = disabled)
#ieee80211d=1
# Enable IEEE 802.11h. This enables radar detection and DFS support if
# available. DFS support is required on outdoor 5 GHz channels in most countries
# of the world. This can be used only with ieee80211d=1.
# (default: 0 = disabled)
#ieee80211h=1
interface=uap0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
disassoc_low_ack=1
preamble=1
wmm_enabled=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
# Put a 3 here if you want both WPA/WPA2
wpa=2
wpa_passphrase=***PASSPHRASE***
#wpa_key_mgmt=WPA-PSK
wpa_key_mgmt=SAE
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=***SSID***
ieee80211n=1
ht_capab=[HT40+][LDPC][GF][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC123][DSSS_CCK-40]

Hi @PeteH,

I finally tried to run WPA3 hostapd on iMX6ULL-wifi.

  1. Above hostapd.conf misses wpa_pairwise=CCMP instead of =TKIP.
  2. Another thing I had to change is to add host_mlme=1 option to driver *.conf file.
  3. I just want to remind you that to run WPA3.SAE AP on Colibries hostapd has to be compiled with WPA3/SAE enabled. I don’t know what and how to add to Yocto layers to make hostapd compiled with WPA3 enabled. I just loaded hostapd sources, edited configuration and recompiled it on target.

UM11490 document is enough to configure hostapd and NXP driver for WPA3. Their example hostapd.conf for WPA3 worked as well.

After that my Colibri WPA3 AP was recognized by Windows with Intel AC 9660 card. After connection Windows gave medal in notification area:

2749-screenshot-2021-05-24-112914.png

Some notes regarding compatibility. For better compatibility with old devices you may switch from WPA3 SAE (wpa_key_mgmt=SAE) to WPA3 SAE transition mode (wpa_key_mgmt=SAE WPA-PSK). Devices that don’t recognise WPA3 SAE will mistakenly think it is an enterprise network and ask on connection not only for a password but for a user name as well. Not all devices will be able to connect even in transition mode. iPhone 6 Plus works in transient mode. Older Android devices seem to try to connect in transient mode but fail after many attempts. Windows machines with old WiFi cards are also unable to connect even in transient mode.

Regarding wpa_supplicant. It is as well compiled with WPA3 support disabled. Here’s wpa_cli command prompt

> set_network 0 key_mgmt SAE
FAIL
> set_network 0 key_mgmt WPA-PSK
OK
> set_network 0 key_mgmt SAE
FAIL
> 

As you see key_mgmt=SAE is not supported. You need to persuade Yocto to compile wpa_supplicant with WPA3 enabled. Compiling hostapd and wpa_supplicant both should see CONFIG_SAE defined.

Dear @andrecurvello.tx or any other Yocto guru, is there a chance to properly bbappend or something in my own layer, which would modify wpa_supplicant and hostapd make .config files?

In the wpa-supplicant recipe there’s a defconfig file which misses the CONFIG_SAE=y line. This recipe belongs to a layer with high priority (5). How should I properly add something in my own layer which would feed the do_compile stage of the wpa-supplicant recipe with a .config file with CONFIG_SAE enabled?

Replacing defconfig in wpa-supplicant recipe works, but I’d love to not touch it in that folder.

Thanks
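The hostapd.conf points from the post above (CCMP instead of TKIP, SAE versus the SAE WPA-PSK transition mode) turned into a lint, as an added example that is not part of the original post. The ieee80211w check is an assumption taken from the WPA3 requirement for protected management frames, which this thread only mentions for the client side; function names and both sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): lint a hostapd.conf read on stdin
# for the WPA3-SAE points discussed above. One finding per output line.

# Print the last value assigned to key $1 in $conf; "#key=..." lines never match.
conf_get() {
    printf '%s\n' "$conf" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

lint_wpa3_conf() {
    conf=$(cat)
    km=$(conf_get wpa_key_mgmt)
    pmf=$(conf_get ieee80211w)
    rc=0
    case " $km " in
        *" SAE "*) ;;
        *) echo "wpa_key_mgmt='$km': SAE is not enabled"; rc=1 ;;
    esac
    for k in wpa_pairwise rsn_pairwise; do
        case " $(conf_get "$k") " in
            *" TKIP "*) echo "$k lists TKIP: use CCMP"; rc=1 ;;
        esac
    done
    # Assumption: hostapd's ieee80211w scale (0 off, 1 optional, 2 required).
    case " $km " in
        *" WPA-PSK "*) ok="1 2" ;;   # transition mode: PMF optional or required
        *)             ok="2"   ;;   # SAE only: PMF required
    esac
    case " $ok " in
        *" ${pmf:-0} "*) ;;
        *) echo "ieee80211w=${pmf:-unset}: expected one of: $ok"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: the security settings as first posted, and a corrected set.
SAMPLE_POSTED='wpa=2
#wpa_key_mgmt=WPA-PSK
wpa_key_mgmt=SAE
wpa_pairwise=TKIP
rsn_pairwise=CCMP'
SAMPLE_FIXED='wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee80211w=2'

printf '%s\n' "$SAMPLE_POSTED" | lint_wpa3_conf || true
```

On the target, run it as `lint_wpa3_conf < /path/to/hostapd.conf`; the exit status is non-zero when there is at least one finding.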

@PeteH,

regarding wpa_supplicant. Once you compile it with CONFIG_SAE=y, (perhaps add host_mlme=1 to driver .conf file), you need to specify in wpa_supplicant.conf network{} settings these keys:

  1. Looks like sae_password="xxx" should be used instead of psk="xxx" to provide password.
  2. ieee80211w=2 seems to be mandatory. Without it connection to a WPA3 AP seems to be impossible.
  3. key_mgmt=SAE is required if you want WPA3 connection instead of transient connection. Once you establish connection, start wpa_cli and enter status command. You should see SAE, not PSK.

Works so far.

@Edward Thanks for all the feedback you gave me so far :slight_smile:
I will give it a try, today or tomorrow.

For the CONFIG_SAE I “cheated” a bit.

  • I copied the hostapd defconfig file to meta-mylayer/recipes-connectivity/hostapd/hostapd/defconfig-sae
  • I added the line CONFIG_SAE=y to my defconfig-sae file
  • I add the file meta-mylayer/recipes-connectivity/hostapd/hostapd_2.9.bbappend with the following content:
    FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

    SRC_URI += "file://defconfig-sae"

    # Overwrite the generated .config with the SAE-enabled defconfig
    do_configure_append() {
        install -m 0644 ${WORKDIR}/defconfig-sae ${B}/.config
    }

But I think there are better ways :slight_smile:

Hi @PeteH

Did you have success setting up WPA3 and wpa_supplicant on Colibri iMX6ULL?

Best regards,
Jaski

Hi everyone, we managed to get WPA3 (AP) working in Torizon 6.1.0. We tried this with Verdin iMX8M Plus but there is no reason to believe this doesn’t work on other modules. Steps to add this:

  1. Add CONFIG_SAE=y manually to the wpa_supplicant defconfig in Yocto (layers/openembedded-core/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/). There is no mention at all about this, so one should add it by hand.
  2. Follow this tutorial.
  3. Run the following:
nmcli con modify <WIFI_AP_NAME> 802-11-wireless-security.key-mgmt sae
nmcli con modify <WIFI_AP_NAME> 802-11-wireless-security.pmf 3