Re: [PATCH 1/2] wiphy: add driver quirk to disable SAE

[James Prestwood <prestwoj@gmail.com>]

Hi Keith,

On 2/11/25 12:32 PM, KeithG wrote:
> On Tue, Feb 11, 2025 at 1:59 PM James Prestwood <prestwoj@gmail.com> wrote:
>> SAE/WPA3 is completely broken on brcmfmac, at least without a custom
>> kernel patch which isn't included in many OS distributions. In order
>> to help with this add a driver quirk so devices with brcmfmac can
>> utilize WPA2 instead of WPA3 and at least connect to networks at
>> this capacity until the fix is more widely distributed.
>> ---
>>   src/wiphy.c | 10 +++++++++-
>>   1 file changed, 9 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/wiphy.c b/src/wiphy.c
>> index c7df648a..46f7a6d9 100644
>> --- a/src/wiphy.c
>> +++ b/src/wiphy.c
>> @@ -74,6 +74,7 @@ enum driver_flag {
>>          POWER_SAVE_DISABLE = 0x4,
>>          OWE_DISABLE = 0x8,
>>          MULTICAST_RX_DISABLE = 0x10,
>> +       SAE_DISABLE = 0x20,
>>   };
>>
>>   struct driver_flag_name {
>> @@ -106,7 +107,8 @@ static const struct driver_flag_name driver_flag_names[] = {
>>          { "ForcePae",           FORCE_PAE },
>>          { "PowerSaveDisable",   POWER_SAVE_DISABLE },
>>          { "OweDisable",         OWE_DISABLE },
>> -       { "MulticastRxDisable", MULTICAST_RX_DISABLE }
>> +       { "MulticastRxDisable", MULTICAST_RX_DISABLE },
>> +       { "SaeDisable",         SAE_DISABLE },
>>   };
>>
>>   struct wiphy {
>> @@ -202,6 +204,9 @@ uint16_t wiphy_get_supported_ciphers(struct wiphy *wiphy, uint16_t mask)
>>
>>   static bool wiphy_can_connect_sae(struct wiphy *wiphy)
>>   {
>> +       if (wiphy->driver_flags & SAE_DISABLE)
>> +               return false;
>> +
>>          /*
>>           * WPA3 Specification version 3, Section 2.2:
>>           * A STA shall not enable WEP and TKIP
>> @@ -1368,6 +1373,9 @@ static void wiphy_print_basic_info(struct wiphy *wiphy)
>>                  if (wiphy->driver_flags & MULTICAST_RX_DISABLE)
>>                          flags = l_strv_append(flags, "MulticastRxDisable");
>>
>> +               if (wiphy->driver_flags & SAE_DISABLE)
>> +                       flags = l_strv_append(flags, "SaeDisable");
>> +
>>                  joined = l_strjoinv(flags, ' ');
>>
>>                  l_info("\tDriver Flags: %s", joined);
>> --
>> 2.34.1
>>
>>
> James,
>
> What should I do with this patch? Should I apply it? (I do not think I
> should). I am trying to get the kernel patch in the 6.6 kernel. They,
> RPiOS, just pushed a new kernel 6.6.74 and the one line patch is not
> yet in there.
>
> I guess I do not really understand what you are proposing. The default
> RPI kernel, with the patched version of IWD 3.3 (with the'[RFC]
> netdev: avoid PMKSA for fullmac drivers') patch will connect properly
> with wpa2 SSIDs when used with the un-patched kernel. The patched
> kernel will also connect to WPA2 SSIDs with the bonus of connecting to
> WPA3 as well.

The issue I'm solving here is if you have a hybrid WPA2/WPA3 network. 
IWD will always prefer WPA3, but any brcmfmac devices _without_ a 
patched kernel will fail to connect and WPA2 is never tried. This patch 
allows the user to set this new option, which will avoid WPA3 entirely. 
Basically, its gets brcmfmac "working" to some extent using WPA2 vs 
completely non-functional for WPA3/WPA2 hybrid networks.

Applying this patch won't have any effect unless you set the option in 
main.conf.

>
> Curious,
>
> Keith