BRCM/Cypress 43455 firmware doesn't support WPA3-SAE
Closed this issue · 18 comments
At raspberrypi/linux#4718, there's a discussion why internal WiFi doesn't support WPA3-SAE encryption (which is the most secure).
Turns out RPi OS ships with firmware 7.45.241 (1a2f2fa CY) CRC: 959ad1c7 Date: Mon 2021-11-01 00:40:29 PDT Ucode Ver: 1043.2164 FWID 01-703fd60
that doesn't support SAE:
$ curl -sL https://github.com/RPi-Distro/firmware-nonfree/raw/bookworm/debian/config/brcm80211/cypress/cyfmac43455-sdio-standard.bin | grep -i sae -c
0
But on "official" linux-firmware repo AND in Debian repos there's a slightly older 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2
that announces "sae" support:
$ curl -sL https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/cypress/cyfmac43455-sdio.bin | strings | tail -n 2 | grep -i sae
43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-sae-dpp-sr-okc-bpd Version: 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2
Then iw also shows SAE support on RPi OS 12:
$ iw phy | grep -i sae
* [ SAE_OFFLOAD ]: SAE offload support
* [ SAE_OFFLOAD_AP ]: AP mode SAE authentication offload support
Why does RPi's version not support SAE?
To resolve this problem, would it be as easy as submitting a Pull Request with the older WiFi driver that supports WPA3-SAE?
There was a pull request from two years ago for Update CYW43455 to 7.45.234, but they went with 7.45.231.
FYI: Here is the location of the CYW43455 firmware in this repository.
debian/config/brcm80211/cypress
I don't think a PR would help. What we ship is decided between Infineon and @pelwell.
We are likely to switch to the standard Infineon releases in the relatively near future, but @XECDesign is correct in that a PR won't make a difference either way.
@pelwell There are many people who would like Raspberry Pi OS to support WPA3-SAE, including
https://holtmann.dev/enabling-wpa3-on-raspberry-pi/
https://www.youtube.com/watch?v=yUxpm8ucQB8
Do you know if the new release will support WPA3-SAE?
> Do you know if the new release will support WPA3-SAE?
That's the intention, but weirdly the latest Cypress release of the 43455 firmware (which I found here - https://community.infineon.com/t5/Wi-Fi-Bluetooth-for-Linux/Cypress-Linux-WiFi-Driver-Release-FMAC-2023-09-01/td-p/492862) doesn't seem to enable it.
The firmware string for the 2023-09-01 7.45.265 release is:
43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-extsae-dpp-sr-okc-bpd Version: 7.45.265 (28bca26 CY) CRC: 68bafb8c Date: Tue 2023-08-29 01:51:02 PDT Ucode Ver: 1043.2170 FWID 01-b677b91b
whereas for the 7.4.234 release it is:
43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-sae-dpp-sr-okc-bpd Version: 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2
The former gives nothing:
$ iw list | grep SAE
And this is even though the firmware string includes extsae, whereas with the upstream, older firmware you get:
$ iw list | grep SAE
* [ SAE_OFFLOAD ]: SAE offload support
* [ SAE_OFFLOAD_AP ]: AP mode SAE authentication offload support
So it looks like the upstream firmware is more suitable.
But it seems like changing the firmware is only half the problem, if getting WPA3 support also requires switching to iwd.
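The comparison above turns on the difference between the sae and extsae tokens in the firmware build string, which a plain grep -i sae cannot tell apart. The following is an added example, not code from the thread or from the project: it classifies a firmware image by its dash-separated feature list. The function names are hypothetical, and the two sample strings are the ones quoted above.

```shell
#!/bin/sh
# Added example: classify a brcmfmac firmware image by the SAE token in its
# build string. Function names are hypothetical, not part of any project.

# Build strings quoted in the thread (7.45.234 upstream, 7.45.265 Infineon).
FW_234='43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-sae-dpp-sr-okc-bpd Version: 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2'
FW_265='43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-extsae-dpp-sr-okc-bpd Version: 7.45.265 (28bca26 CY) CRC: 68bafb8c Date: Tue 2023-08-29 01:51:02 PDT Ucode Ver: 1043.2170 FWID 01-b677b91b'

# Print the build string embedded in a firmware blob. Equivalent to the
# "strings | grep" pipeline in the thread, but needs only POSIX tr and grep.
fw_build_string() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep 'Version: ' | tail -n 1
}

# Classify a build string by whole feature tokens:
#   sae    - token present in 7.45.234, where iw listed SAE_OFFLOAD
#   extsae - token present in 7.45.265, where iw listed nothing
#   none   - neither token present
fw_sae_mode() {
    features=${1%% Version:*}   # keep only the feature list
    features=${features##*/}    # drop the "43455c0-roml/" prefix
    case "-$features-" in
        *-sae-*)    echo sae ;;
        *-extsae-*) echo extsae ;;
        *)          echo none ;;
    esac
}

# Demo on a constructed blob: binary padding around the 7.45.265 build string.
blob=$(mktemp)
printf '\001\002\377pad\000%s\000\003' "$FW_265" > "$blob"
echo "7.45.234:             $(fw_sae_mode "$FW_234")"
echo "7.45.265 (from blob): $(fw_sae_mode "$(fw_build_string "$blob")")"
rm -f "$blob"
```

On a real image, pass the path of the .bin file to fw_build_string instead of the constructed blob.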
@pelwell
If you do much research about using WPA3-SAE with Raspberry Pi OS, there are plenty of people who are willing to use IWD.
If switching to IWD is not acceptable, then why not upgrade wpa_supplicant to a newer version (2.10) which supports WPA3-SAE?
> If you do much research about using WPA3-SAE with Raspberry Pi OS, there are plenty of people who are willing to use IWD.
I didn't say it was unacceptable, but it's definitely a barrier to entry.
> If switching to IWD is not acceptable, then why not upgrade wpa_supplicant to a newer version (2.10) which supports WPA3-SAE?
My Pi 5 seems to already be running 2.10:
pi@raspberrypi:~$ wpa_supplicant -v
wpa_supplicant v2.10
Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
But I don't think it's being used, since I'm connected to an AP but wpa_supplicant.conf has no mention of it.
> But I don't think it's being used, since I'm connected to an AP but wpa_supplicant.conf has no mention of it.
If you're using NetworkManager, it talks to wpa_supplicant through a socket rather than trying to populate the conf file.
Then it seems the only barrier to WPA3 is upgrading the firmware. Is my understanding correct?
I have upgraded the firmware locally, but apart from the iw list output I'm seeing no signs of WPA3 ability.
@holtmann
The RPi-Distro team is looking to add WPA3-SAE function to Raspberry Pi OS.
Since you have been down this path with WPA3-SAE on Raspberry Pi OS, could you help @pelwell understand why he is not able to get this function to work as you described on your website?
https://holtmann.dev/enabling-wpa3-on-raspberry-pi/
possibly related to https://github.com/Infineon/wpa3-external-supplicant
Well, having tested the proposed firmware with an AP configured to only support WPA3, it does indeed appear to connect. Further work may be required to support AP mode, but in the usual Pi-as-client mode it's looking good.
See #42.
@pelwell Thank you for your help in working toward WPA3 function in Raspberry Pi OS!
FYI, testing the new firmware on a clean RPiOS image has shown that you only gain the WPA3 support when NetManager is configured to use iwd instead of wpa_supplicant. That's not to say that wpa_supplicant cannot ever support WPA3, but the version we are shipping certainly doesn't.
The steps to enable WPA3 are:
- Install the new firmware (sudo apt install firmware-brcm80211 when we push the update).
- Install iwd (sudo apt install iwd).
- Put the following in /etc/NetworkManager/conf.d/wifi_backend.conf:
  [device]
  wifi.backend=iwd
- Reboot.
Obviously the aim is to have this work automatically in a new image, but we're not there yet.
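A way to confirm that the configuration step above took effect, as an added example that is not part of the thread or the project: it reports which backend a set of NetworkManager conf files selects. The function names are hypothetical. It assumes the files are passed in the order NetworkManager reads them, with a later wifi.backend overriding an earlier one, and it requires the [device] header on a line of its own.

```shell
#!/bin/sh
# Added example: report the Wi-Fi backend selected by NetworkManager conf
# files. Function names are hypothetical. Pass files in read order; a later
# wifi.backend overrides an earlier one.
nm_wifi_backend() {
    awk '
        FNR == 1    { in_device = 0 }     # each file starts outside any section
        /^[ \t]*#/  { next }              # comment line
        /^[ \t]*\[/ { in_device = ($0 ~ /^[ \t]*\[device\][ \t]*$/); next }
        in_device && /^[ \t]*wifi\.backend[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # strip "wifi.backend ="
            sub(/[ \t]*$/, "")            # strip trailing blanks
            backend = $0
        }
        # wpa_supplicant is the default when no file sets a backend.
        END { print (backend == "" ? "wpa_supplicant" : backend) }
    ' "$@"
}

# Exit status 0 only when the files select iwd, as the steps above require.
nm_uses_iwd() {
    [ "$(nm_wifi_backend "$@")" = iwd ]
}

# Constructed demo files: a base config, the drop-in from the steps, and the
# same drop-in pasted as a single line (header and key run together).
demo=$(mktemp -d)
printf '[main]\nplugins=keyfile\n'    > "$demo/NetworkManager.conf"
printf '[device]\nwifi.backend=iwd\n' > "$demo/wifi_backend.conf"
printf '[device] wifi.backend=iwd\n'  > "$demo/one_line.conf"
echo "base only:        $(nm_wifi_backend "$demo/NetworkManager.conf")"
echo "base + drop-in:   $(nm_wifi_backend "$demo/NetworkManager.conf" "$demo/wifi_backend.conf")"
echo "one-line drop-in: $(nm_wifi_backend "$demo/one_line.conf")"
rm -rf "$demo"
```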
RPI OS seems to be using an older version of the brcmfmac firmware for the wifi chip CYW43455 which is used on Raspberry pi 3B+ and newer.
12.5 Bookworm 64-bit | Linux: 6.6.28 64-bit
dmesg returns:
brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Apr 15 2021 03:03:20 version 7.45.234 (4ca95bb CY) FWID 01-996384e2
Looking at what OP wrote, it has been downgraded to be in line with Debian?
Interestingly, on Infineon's product page for CYW43455 the old fmac software is listed from 2021-12-08.
At the time of writing, the newest version is Cypress Linux WiFi Driver Release (FMAC), which was released 2024-01-18! Seems like it is targeted at a 6.19 kernel - we can now bring it over to Bookworm?
A moderator on the release page says:
CYW43455 is Not Recommended for New Design(NRND) and is on yearly release which is scheduled for the end of Aug 2024.
Which I found odd when you look at their attached link CYW43455 says "active and preferred".
Many have commented on that release that the necessary files/support for CYW43455 are still missing from the package; it is past my technical expertise to find it.
Side note: While scouring forums I came across this from an Infineon rep, which said that they did not support IWD - Sep 04, 2023.
Apparently, in #42 it was decided and committed to use the older version 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2
which is also used in upstream Linux firmware repo.
So closing this, as it's also already in RPi OS 12 repos. Thank you, @pelwell