You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
598 lines
14 KiB
598 lines
14 KiB
# WPA Supplicant configuration options |
|
# |
|
# Copyright (c) 2023 Nordic Semiconductor |
|
# |
|
# SPDX-License-Identifier: Apache-2.0 |
|
# |
|
|
|
config WIFI_NM_WPA_SUPPLICANT |
|
bool "WPA Suplicant from hostap project [EXPERIMENTAL]" |
|
select POSIX_TIMERS |
|
select POSIX_SIGNALS |
|
select POSIX_API |
|
select NET_SOCKETS |
|
select NET_SOCKETS_PACKET |
|
select NET_SOCKETPAIR |
|
select NET_L2_WIFI_MGMT |
|
select WIFI_NM |
|
select EXPERIMENTAL |
|
select COMMON_LIBC_MALLOC |
|
help |
|
WPA supplicant as a network management backend for WIFI_NM. |
|
|
|
if WIFI_NM_WPA_SUPPLICANT |
|
|
|
config HEAP_MEM_POOL_ADD_SIZE_HOSTAP |
|
def_int 66560 if WIFI_NM_HOSTAPD_AP |
|
def_int 48000 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE |
|
def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP |
|
# 30K is mandatory, but might need more for long duration use cases |
|
def_int 30000 |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_THREAD_STACK_SIZE |
|
int "Stack size for wpa_supplicant thread" |
|
# TODO: Providing higher stack size for Enterprise mode to fix stack |
|
# overflow issues. Need to identify the cause for higher stack usage. |
|
default 8192 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE |
|
default 5800 |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WQ_STACK_SIZE |
|
int "Stack size for wpa_supplicant iface workqueue" |
|
default 4400 |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WQ_PRIO |
|
int "Thread priority of wpa_supplicant iface workqueue" |
|
default 7 |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_PRIO |
|
int "Thread priority of wpa_supplicant" |
|
default 0 |
|
|
|
# Currently we default ZVFS_OPEN_MAX to 16 in lib/posix/Kconfig |
|
# l2_packet - 1 |
|
# ctrl_iface - 2 * socketpairs = 4(local and global) |
|
# z_wpa_event_sock - 1 socketpair = 2 |
|
# Remaining left for the applications running in default configuration |
|
|
|
# Supplicant API is stack heavy (buffers + snprintfs) and control interface |
|
# uses socketpair which pushes the stack usage causing overflow for 2048 bytes. |
|
# So we set SYSTEM_WORKQUEUE_STACK_SIZE default to 2560 in kernel/Kconfig |
|
|
|
module = WIFI_NM_WPA_SUPPLICANT |
|
module-str = WPA supplicant |
|
source "subsys/logging/Kconfig.template.log_config" |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_DEBUG_LEVEL |
|
int "Min compiled-in debug message level for WPA supplicant" |
|
default 0 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG # MSG_EXCESSIVE |
|
default 3 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_INF # MSG_INFO |
|
default 4 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_WRN # MSG_WARNING |
|
default 5 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_ERR # MSG_ERROR |
|
default 5 |
|
help |
|
Minimum priority level of a debug message emitted by WPA supplicant that |
|
is compiled-in the firmware. See wpa_debug.h file of the supplicant for |
|
available levels and functions for emitting the messages. Note that |
|
runtime filtering can also be configured in addition to the compile-time |
|
filtering. |
|
|
|
if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG |
|
# hostap debug is very verbose and despite large log buffer sizes |
|
# log messages can be lost. So, we set the log mode to immediate |
|
# to avoid losing any debug messages. |
|
choice LOG_MODE |
|
default LOG_MODE_IMMEDIATE |
|
endchoice |
|
endif # WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG |
|
|
|
# Memory optimizations |
|
config WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES |
|
bool "Advanced features" |
|
default y if !SOC_FAMILY_NORDIC_NRF |
|
|
|
if WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_ROBUST_AV |
|
bool "Robust Audio Video streaming support" |
|
default y |
|
|
|
# Hidden as these are mandatory for WFA certification |
|
config WIFI_NM_WPA_SUPPLICANT_WMM_AC |
|
bool |
|
default y |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_MBO |
|
bool |
|
default y |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WNM |
|
bool "Wireless Network Management support" |
|
default y |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_RRM |
|
bool "Radio Resource Management support" |
|
default y |
|
endif |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WEP |
|
bool "WEP (Legacy crypto) support" |
|
|
|
choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND |
|
prompt "WPA supplicant crypto implementation" |
|
default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT |
|
help |
|
Select the crypto implementation to use for WPA supplicant. |
|
WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT supports enterprise mode |
|
and DPP. |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT |
|
bool "Crypto Mbedtls alt support for WiFi" |
|
select MBEDTLS |
|
select MBEDTLS_CIPHER_MODE_CTR_ENABLED |
|
select MBEDTLS_CIPHER_MODE_CBC_ENABLED |
|
select MBEDTLS_CIPHER_AES_ENABLED |
|
select MBEDTLS_CIPHER_DES_ENABLED |
|
select MBEDTLS_MD5 |
|
select MBEDTLS_SHA1 |
|
select MBEDTLS_SHA384 |
|
select MBEDTLS_ENTROPY_C |
|
select MBEDTLS_CIPHER |
|
select MBEDTLS_ECP_C |
|
select MBEDTLS_ECP_ALL_ENABLED |
|
select MBEDTLS_CMAC |
|
select MBEDTLS_PKCS5_C |
|
select MBEDTLS_PK_WRITE_C |
|
select MBEDTLS_ECDH_C |
|
select MBEDTLS_ECDSA_C |
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED |
|
select MBEDTLS_RSA_C |
|
select MBEDTLS_PKCS1_V15 |
|
select MBEDTLS_PKCS1_V21 |
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED |
|
select MBEDTLS_NIST_KW_C |
|
select MBEDTLS_DHM_C |
|
select MBEDTLS_HKDF_C |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE |
|
bool "No Crypto support for WiFi" |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT |
|
bool "External Crypto support for hostap" |
|
help |
|
Use external crypto implementation for hostp, this is useful for |
|
platforms where the crypto implementation is provided by the platform |
|
and not by Zephyr. The external crypto implementation should provide |
|
the required APIs and any other dependencies required by hostap. |
|
|
|
endchoice |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA |
|
bool "Crypto Platform Secure Architecture support for WiFi" |
|
imply MBEDTLS_PSA_CRYPTO_C |
|
select MBEDTLS_USE_PSA_CRYPTO |
|
select PSA_WANT_ALG_ECDH |
|
select PSA_WANT_ALG_HMAC |
|
select PSA_WANT_ALG_CCM |
|
select PSA_WANT_ALG_CTR |
|
select PSA_WANT_ALG_MD5 |
|
select PSA_WANT_ALG_SHA_1 |
|
select PSA_WANT_ALG_SHA_256 |
|
select PSA_WANT_ALG_SHA_224 |
|
select PSA_WANT_ALG_SHA_384 |
|
select PSA_WANT_ALG_SHA_512 |
|
select PSA_WANT_ALG_PBKDF2_HMAC |
|
select PSA_WANT_ALG_CMAC |
|
select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 |
|
select PSA_WANT_KEY_TYPE_AES |
|
select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY |
|
select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY |
|
help |
|
Support Mbedtls 3.x to use PSA apis instead of legacy apis. |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE |
|
bool "Enterprise Crypto support for WiFi" |
|
select MBEDTLS_PEM_CERTIFICATE_FORMAT if MBEDTLS_BUILTIN |
|
select MBEDTLS_SERVER_NAME_INDICATION if MBEDTLS_BUILTIN |
|
select MBEDTLS_X509_CRL_PARSE_C |
|
select MBEDTLS_TLS_VERSION_1_2 |
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE |
|
|
|
config EAP_TLS |
|
bool "EAP-TLS support" |
|
|
|
config EAP_TTLS |
|
bool "EAP-TTLS support" |
|
|
|
config EAP_PEAP |
|
bool "EAP-PEAP support" |
|
|
|
config EAP_MD5 |
|
bool "EAP-MD5 support" |
|
|
|
config EAP_GTC |
|
bool "EAP-GTC support" |
|
|
|
config EAP_MSCHAPV2 |
|
bool "EAP-MSCHAPv2 support" |
|
|
|
config EAP_LEAP |
|
bool "EAP-LEAP support" |
|
|
|
config EAP_PSK |
|
bool "EAP-PSK support" |
|
|
|
config EAP_PAX |
|
bool "EAP-PAX support" |
|
|
|
config EAP_SAKE |
|
bool "EAP-SAKE support" |
|
|
|
config EAP_GPSK |
|
bool "EAP-GPSK support" |
|
|
|
config EAP_PWD |
|
bool "EAP-PWD support" |
|
|
|
config EAP_EKE |
|
bool "EAP-EKE support" |
|
|
|
config EAP_IKEV2 |
|
bool "EAP-IKEv2 support" |
|
|
|
config EAP_SIM |
|
bool "EAP-SIM support" |
|
|
|
config EAP_AKA |
|
bool "EAP-AKA support" |
|
|
|
config EAP_FAST |
|
bool "EAP-FAST support" |
|
|
|
config EAP_ALL |
|
bool "All EAP methods support" |
|
select EAP_TLS |
|
select EAP_PEAP |
|
select EAP_GTC |
|
select EAP_TTLS |
|
select EAP_MSCHAPV2 |
|
default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WPA3 |
|
bool "WPA3 support" |
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE |
|
default y |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_AP |
|
bool "SoftAP mode support based on WPA supplicant" |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WPS |
|
bool "WPS support" |
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE |
|
|
|
config WIFI_NM_HOSTAPD_WPS |
|
bool "WPS hostapd support" |
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE |
|
depends on WIFI_NM_HOSTAPD_AP |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_P2P |
|
bool "P2P mode support" |
|
select WIFI_NM_WPA_SUPPLICANT_AP |
|
select WIFI_NM_WPA_SUPPLICANT_WPS |
|
select WIFI_NM_WPA_SUPPLICANT_EAPOL |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_EAPOL |
|
bool "EAPoL supplicant" |
|
default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CLI |
|
bool "CLI support for wpa_supplicant" |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_INF_MON |
|
bool "Monitor the net mgmt event to add/del interface" |
|
default y |
|
|
|
config WIFI_NM_HOSTAPD_AP |
|
bool "FullAP mode support based on Hostapd" |
|
depends on !WIFI_NM_WPA_SUPPLICANT_INF_MON |
|
|
|
config WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE |
|
bool "Hostapd crypto enterprise support" |
|
depends on WIFI_NM_HOSTAPD_AP |
|
|
|
config EAP_SERVER_TLS |
|
bool "EAP-TLS server support" |
|
|
|
config EAP_SERVER_IDENTITY |
|
bool "EAP-IDENTITY server support" |
|
|
|
config EAP_SERVER_MD5 |
|
bool "EAP-MD5 server support" |
|
|
|
config EAP_SERVER_MSCHAPV2 |
|
bool "EAP-MSCHAPV2 server support" |
|
|
|
config EAP_SERVER_PEAP |
|
bool "EAP-PEAP server support" |
|
|
|
config EAP_SERVER_GTC |
|
bool "EAP-GTC server support" |
|
|
|
config EAP_SERVER_TTLS |
|
bool "EAP-TTLS server support" |
|
|
|
config EAP_SERVER_ALL |
|
bool "All EAP methods support" |
|
select EAP_SERVER_TLS |
|
select EAP_SERVER_MSCHAPV2 |
|
select EAP_SERVER_PEAP |
|
select EAP_SERVER_GTC |
|
select EAP_SERVER_TTLS |
|
default y if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME |
|
int "BSS max idle timeout in seconds" |
|
range 0 64000 |
|
default 300 |
|
help |
|
BSS max idle timeout is the period for which AP may keep a client |
|
in associated state while there is no traffic from that particular |
|
client. Set 0 to disable inclusion of BSS max idle time tag in |
|
association request. If a non-zero value is set, STA can suggest a |
|
timeout by including BSS max idle period in the association request. |
|
AP may choose to consider or ignore the STA's preferred value. |
|
Ref: Sec 11.21.13 of IEEE Std 802.11™-2020 |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_NO_DEBUG |
|
bool "Disable printing of debug messages, saves code size significantly" |
|
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_DPP |
|
bool "WFA Easy Connect DPP" |
|
select DPP |
|
select DPP2 |
|
select DPP3 |
|
select GAS |
|
select GAS_SERVER |
|
select OFFCHANNEL |
|
select MBEDTLS_X509_CSR_WRITE_C |
|
select MBEDTLS_X509_CSR_PARSE_C |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_11AX |
|
bool "IEEE 802.11ax HE support" |
|
depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP |
|
default y |
|
|
|
config WPA_CLI |
|
bool "WPA CLI support" |
|
default y if WIFI_NM_WPA_SUPPLICANT_CLI |
|
help |
|
Enable WPA CLI support for wpa_supplicant. |
|
|
|
if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE |
|
config MBEDTLS_SSL_MAX_CONTENT_LEN |
|
default 16384 |
|
endif |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_ROAMING |
|
bool "Roaming support" |
|
imply IEEE80211R |
|
help |
|
Enable roaming support with wpa_supplicant. When current BSS RSSI drops, |
|
STA will try to find an AP with better RSSI. If found, STA will reassociate |
|
to the new AP automatically without losing connection. |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING |
|
bool "Skip DHCP after roaming to new AP" |
|
help |
|
For L2 roaming, the original AP and new AP are in the same subnet, client |
|
can use same IP address and skip DHCP. Enable this to skip DHCP. |
|
For L3 roaming, the original AP and new AP are in different subnet, client |
|
needs to get new IP address after roaming to new AP. Disable this to keep |
|
DHCP after roaming. |
|
|
|
# Create hidden config options that are used in hostap. This way we do not need |
|
# to mark them as allowed for CI checks, and also someone else cannot use the |
|
# same name options. |
|
|
|
config SME |
|
bool |
|
default y |
|
|
|
config NO_CONFIG_WRITE |
|
bool |
|
default y |
|
|
|
config NO_CONFIG_BLOBS |
|
bool |
|
default y if !WIFI_NM_WPA_SUPPLICANT_DPP && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE |
|
|
|
config CTRL_IFACE |
|
bool |
|
default y |
|
|
|
config CTRL_IFACE_ZEPHYR |
|
bool |
|
default y |
|
|
|
config NO_RANDOM_POOL |
|
bool |
|
default y |
|
|
|
config WNM |
|
bool |
|
|
|
config NO_WPA |
|
bool |
|
default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE |
|
|
|
config NO_PBKDF2 |
|
bool |
|
default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE |
|
|
|
config SAE_PK |
|
bool |
|
|
|
config FST |
|
bool |
|
|
|
config TESTING_OPTIONS |
|
bool |
|
|
|
config AP |
|
bool |
|
depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP |
|
default y if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP |
|
|
|
config NO_RADIUS |
|
bool |
|
|
|
config NO_VLAN |
|
bool |
|
|
|
config NO_ACCOUNTING |
|
bool |
|
|
|
config NEED_AP_MLME |
|
bool |
|
|
|
config IEEE80211AX |
|
bool |
|
|
|
config EAP_SERVER |
|
bool |
|
|
|
config EAP_SERVER_IDENTITY |
|
bool |
|
|
|
config P2P |
|
bool |
|
|
|
config GAS |
|
bool |
|
|
|
config GAS_SERVER |
|
bool |
|
|
|
config OFFCHANNEL |
|
bool |
|
|
|
config WPS |
|
bool |
|
|
|
config WSC |
|
bool |
|
|
|
config IEEE8021X_EAPOL |
|
bool |
|
|
|
config CRYPTO_INTERNAL |
|
bool |
|
|
|
config ECC |
|
bool |
|
|
|
config MBO |
|
bool |
|
|
|
config NO_STDOUT_DEBUG |
|
bool |
|
|
|
config SAE |
|
bool |
|
|
|
config SHA256 |
|
bool |
|
|
|
config SHA384 |
|
bool |
|
|
|
config SHA512 |
|
bool |
|
|
|
config SUITEB192 |
|
bool |
|
|
|
config SUITEB |
|
bool |
|
|
|
config WEP |
|
bool |
|
default y if WIFI_NM_WPA_SUPPLICANT_WEP |
|
|
|
config WPA_CRYPTO |
|
bool |
|
|
|
config WPA_SUPP_CRYPTO |
|
bool |
|
|
|
config NO_ROBUST_AV |
|
bool |
|
|
|
config NO_RRM |
|
bool |
|
|
|
config NO_WMM_AC |
|
bool |
|
|
|
config DPP |
|
bool |
|
|
|
config DPP2 |
|
bool |
|
|
|
config DPP3 |
|
bool |
|
|
|
config ACS |
|
bool |
|
|
|
config IEEE80211AC |
|
bool |
|
|
|
config IEEE80211R |
|
bool |
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE |
|
|
|
config NW_SEL_RELIABILITY |
|
bool |
|
default y |
|
depends on WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY |
|
|
|
choice WIFI_NM_WPA_SUPPLICANT_NW_SEL |
|
prompt "WPA supplicant Network selection criterion" |
|
default WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT |
|
help |
|
Select the network selection method for the supplicant. |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT |
|
bool "Throughput based network selection" |
|
help |
|
Select the network based on throughput. |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY |
|
bool "Reliability based network selection" |
|
help |
|
Select the network based on reliability. |
|
|
|
endchoice |
|
|
|
config SAE_PWE_EARLY_EXIT |
|
bool "Exit early if PWE if found" |
|
help |
|
In order to mitigate side channel attacks, even if the PWE is found the WPA |
|
supplicant goes through full iterations, but in some low-resource systems |
|
this can be intensive, so, add an option to exit early. |
|
Note that this is highly insecure and shouldn't be used in production |
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST |
|
bool |
|
depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA |
|
|
|
config WIFI_NM_WPA_CTRL_RESP_TIMEOUT_S |
|
int "WPA supplicant control interface response timeout in seconds" |
|
default 15 |
|
help |
|
Timeout for the control interface commands to get a response from the |
|
supplicant. |
|
|
|
endif # WIFI_NM_WPA_SUPPLICANT
|
|
|