New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BRCM/Cypress 43455 firmware doesn't support WPA3-SAE #41
Comments
To resolve this problem, would it be as easy as submitting a Pull Request with the older WiFi driver that supports WPA3-SAE? |
There was a pull request from two years ago for Update CYW43455 to 7.45.234, but they went with 7.45.231. FYI: Here is the location of the CYW43455 firmware in this repository. |
I don't think a PR would help. What we ship is decided between infineon and @pelwell. |
We are likely to switch to the standard Infineon releases in the relatively near future, but @XECDesign is correct in that a PR won't make a difference either way. |
@pelwell There are many people who would like Raspberry Pi OS to support WPA3-SAE, including https://holtmann.dev/enabling-wpa3-on-raspberry-pi/ https://www.youtube.com/watch?v=yUxpm8ucQB8 Do you know if the new release will support WPA3-SAE? |
That's the intention, but weirdly the latest Cypress release of the 43455 firmware (which I found here -https://community.infineon.com/t5/Wi-Fi-Bluetooth-for-Linux/Cypress-Linux-WiFi-Driver-Release-FMAC-2023-09-01/td-p/492862) doesn't seem to enable it. The firmware string for the 2023-09-01 7.45.265 release is:
whereas for the 7.4.234 release it is:
The former gives nothing:
And this is even though the firmware string includes
So it looks like the upstream firmware is more suitable. But it seems like changing the firmware is only half the problem, if getting WPA3 support also requires switching to iwd. |
@pelwell If switching to IWD is not acceptable, then why not upgrade wpa_supplicant to a newer version (2.10) which supports WPA3-SAE? |
I didn't say it was unacceptable, but it's definitely a barrier to entry.
My Pi 5 seems to already be running 2.10:
But I don't think it's being used, since I'm connected to an AP but wpa_supplicant.conf has no mention of it. |
If you're using NetworkManager, it talks to wpa_supplicant through a socket rather than trying to populate the conf file. |
Then it seems the only barrier to WPA3 is upgrading the firmware. Is my understanding correct? |
I have upgraded the firmware locally, but apart from the iw list output I'm seeing no signs of WPA3 ability. |
@holtmann Since you have been down this path with WPA3-SAE on Raspberry Pi OS. Could you help @pelwell understand why he is not able to get this function to work as you described on your website? |
possibly related to https://github.com/Infineon/wpa3-external-supplicant |
Well, having tested the proposed firmware with an AP configured to only support WPA3, it does indeed appear to connect. Further work may be required to support AP mode, but in the usual Pi-as-client mode it's looking good. See #42. |
@pelwell Thank you for your help in working toward WPA3 function in Raspberry Pi OS! |
FYI, testing the new firmware on a clean RPiOS image has shown that you only gain the WPA3 support when NetManager is configured to use iwd instead of wpa_supplicant. That's not to say that wpa_supplicant cannot ever support WPA3, but the version we are shipping certainly doesn't. The steps to enable WPA3 are:
Obviously the aim is to have this work automatically in a new image, but we're not there yet. |
At raspberrypi/linux#4718, there's a discussion why internal WiFi doesn't support WPA3-SAE encryption (which is the most secure).
Turns out RPi OS ships with firmware
7.45.241 (1a2f2fa CY) CRC: 959ad1c7 Date: Mon 2021-11-01 00:40:29 PDT Ucode Ver: 1043.2164 FWID 01-703fd60
that doesn't support SAE:But on "official" linux-firmware repo AND in Debian repos there's a slightly older
7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2
that announces "sae" support:Then iw also shows SAE support on RPi OS 12:
Why does RPi's version not support SAE?
The text was updated successfully, but these errors were encountered: