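# WPA Supplicant configuration options
#
# Copyright (c) 2023 Nordic Semiconductor
#
# SPDX-License-Identifier: Apache-2.0
#

config WIFI_NM_WPA_SUPPLICANT
	bool "WPA Supplicant from hostap project [EXPERIMENTAL]"
	select POSIX_TIMERS
	select POSIX_SIGNALS
	select POSIX_API
	select FILE_SYSTEM
	select NET_SOCKETS
	select NET_SOCKETS_PACKET
	select NET_SOCKETPAIR
	select NET_L2_WIFI_MGMT
	select WIFI_NM
	select EXPERIMENTAL
	select COMMON_LIBC_MALLOC
	help
	  WPA supplicant as a network management backend for WIFI_NM.

if WIFI_NM_WPA_SUPPLICANT

# ---------------------------------------------------------------------------
# Memory, stack and scheduling
# ---------------------------------------------------------------------------

# Extra heap requested for hostap. The first def_int whose condition holds
# wins, so the unconditional 30000 is the fallback.
config HEAP_MEM_POOL_ADD_SIZE_HOSTAP
	def_int 66560 if WIFI_NM_HOSTAPD_AP
	def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
	# 30K is mandatory, but might need more for long duration use cases
	def_int 30000

config WIFI_NM_WPA_SUPPLICANT_THREAD_STACK_SIZE
	int "Stack size for wpa_supplicant thread"
	default 8192

config WIFI_NM_WPA_SUPPLICANT_WQ_STACK_SIZE
	int "Stack size for wpa_supplicant iface workqueue"
	default 6144

config WIFI_NM_WPA_SUPPLICANT_WQ_PRIO
	int "Thread priority of wpa_supplicant iface workqueue"
	default 7

config WIFI_NM_WPA_SUPPLICANT_PRIO
	int "Thread priority of wpa_supplicant"
	default 0

# Currently we default ZVFS_OPEN_MAX to 16 in lib/posix/Kconfig
# l2_packet - 1
# ctrl_iface - 2 * socketpairs = 4(local and global)
# z_wpa_event_sock - 1 socketpair = 2
# Remaining left for the applications running in default configuration

# Supplicant API is stack heavy (buffers + snprintfs) and control interface
# uses socketpair which pushes the stack usage causing overflow for 2048 bytes.
# So we set SYSTEM_WORKQUEUE_STACK_SIZE default to 2560 in kernel/Kconfig

# ---------------------------------------------------------------------------
# Logging
# ---------------------------------------------------------------------------

module = WIFI_NM_WPA_SUPPLICANT
module-str = WPA supplicant
source "subsys/logging/Kconfig.template.log_config"

# NOTE(review): hostap debug output is very detailed. Confirm that no key
# material or credentials reach the log backend before shipping firmware
# built with the DBG log level.
config WIFI_NM_WPA_SUPPLICANT_DEBUG_LEVEL
	int "Min compiled-in debug message level for WPA supplicant"
	default 0 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG # MSG_EXCESSIVE
	default 3 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_INF # MSG_INFO
	default 4 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_WRN # MSG_WARNING
	default 5 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_ERR # MSG_ERROR
	default 5
	help
	  Minimum priority level of a debug message emitted by WPA supplicant that
	  is compiled-in the firmware. See wpa_debug.h file of the supplicant for
	  available levels and functions for emitting the messages. Note that
	  runtime filtering can also be configured in addition to the compile-time
	  filtering.

if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG
# hostap debug is very verbose and despite large log buffer sizes
# log messages can be lost. So, we set the log mode to immediate
# to avoid losing any debug messages.
choice LOG_MODE
	default LOG_MODE_IMMEDIATE
endchoice
endif # WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG

# ---------------------------------------------------------------------------
# Optional features
# ---------------------------------------------------------------------------

# Memory optimizations
config WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES
	bool "Advanced features"
	default y

if WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES

config WIFI_NM_WPA_SUPPLICANT_ROBUST_AV
	bool "Robust Audio Video streaming support"
	default y

# Hidden as these are mandatory for WFA certification
config WIFI_NM_WPA_SUPPLICANT_WMM_AC
	bool
	default y

config WIFI_NM_WPA_SUPPLICANT_MBO
	bool
	default y

config WIFI_NM_WPA_SUPPLICANT_WNM
	bool "Wireless Network Management support"
	default y

config WIFI_NM_WPA_SUPPLICANT_RRM
	bool "Radio Resource Management support"
	default y
endif

# Off by default; drives the hidden WEP symbol further down.
config WIFI_NM_WPA_SUPPLICANT_WEP
	bool "WEP (Legacy crypto) support"
	help
	  WEP is cryptographically broken and gives no meaningful
	  confidentiality or integrity protection. Leave this disabled unless
	  interoperability with legacy equipment is unavoidable.

# ---------------------------------------------------------------------------
# Crypto backend
# ---------------------------------------------------------------------------

choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
	prompt "WPA supplicant crypto implementation"
	default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
	help
	  Select the crypto implementation to use for WPA supplicant.
	  WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT supports enterprise mode
	  and DPP.

# NOTE(review): DES, MD5 and SHA-1 are selected unconditionally below.
# Presumably they are needed by legacy protocol elements (e.g. MSCHAPv2,
# WPA2 key derivation) rather than used as general-purpose primitives;
# confirm before relying on them anywhere else in the application.
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
	bool "Crypto Mbedtls alt support for WiFi"
	select MBEDTLS
	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
	select MBEDTLS_CIPHER_AES_ENABLED
	select MBEDTLS_CIPHER_DES_ENABLED
	select MBEDTLS_MD5
	select MBEDTLS_SHA1
	select MBEDTLS_ENTROPY_C
	select MBEDTLS_CIPHER
	select MBEDTLS_ECP_C
	select MBEDTLS_ECP_ALL_ENABLED
	select MBEDTLS_CMAC
	select MBEDTLS_PKCS5_C
	select MBEDTLS_PK_WRITE_C
	select MBEDTLS_ECDH_C
	select MBEDTLS_ECDSA_C
	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	select MBEDTLS_NIST_KW_C
	select MBEDTLS_DHM_C
	select MBEDTLS_HKDF_C

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
	bool "No Crypto support for WiFi"
	help
	  Build the supplicant without a crypto backend. With this choice
	  NO_WPA and NO_PBKDF2 default to y, and WPA3, WPS, enterprise crypto
	  and IEEE80211R cannot be enabled. Not suitable where link-layer
	  protection is required.

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT
	bool "External Crypto support for hostap"
	help
	  Use external crypto implementation for hostap, this is useful for
	  platforms where the crypto implementation is provided by the platform
	  and not by Zephyr. The external crypto implementation should provide
	  the required APIs and any other dependencies required by hostap.

endchoice

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
	bool "Crypto Platform Secure Architecture support for WiFi"
	imply MBEDTLS_PSA_CRYPTO_C
	select MBEDTLS_USE_PSA_CRYPTO
	select PSA_WANT_ALG_ECDH
	select PSA_WANT_ALG_HMAC
	select PSA_WANT_ALG_CCM
	select PSA_WANT_ALG_CTR
	select PSA_WANT_ALG_MD5
	select PSA_WANT_ALG_SHA_1
	select PSA_WANT_ALG_SHA_256
	select PSA_WANT_ALG_SHA_224
	select PSA_WANT_ALG_SHA_384
	select PSA_WANT_ALG_SHA_512
	select PSA_WANT_ALG_PBKDF2_HMAC
	select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
	select PSA_WANT_KEY_TYPE_AES
	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
	help
	  Support Mbedtls 3.x to use PSA apis instead of legacy apis.

# ---------------------------------------------------------------------------
# Enterprise (802.1X / EAP) - station side
# ---------------------------------------------------------------------------

# Selects PEM certificate parsing, SNI, CRL parsing and TLS 1.2 in mbedTLS.
# These selects only make the features available in the build.
# NOTE(review): whether the authentication server's certificate is actually
# validated presumably depends on the credentials supplied at run time;
# confirm in the application.
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
	bool "Enterprise Crypto support for WiFi"
	select MBEDTLS_PEM_CERTIFICATE_FORMAT
	select MBEDTLS_SERVER_NAME_INDICATION
	select MBEDTLS_X509_CRL_PARSE_C
	select MBEDTLS_TLS_VERSION_1_2
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

config EAP_TLS
	bool "EAP-TLS support"

config EAP_TTLS
	bool "EAP-TTLS support"

config EAP_PEAP
	bool "EAP-PEAP support"

config EAP_MD5
	bool "EAP-MD5 support"
	help
	  EAP-MD5 provides no mutual authentication and derives no keying
	  material, and its challenge/response exchange is exposed to offline
	  password guessing. Enable it only where a deployment specifically
	  requires it, and never as the sole protection for credentials.

config EAP_GTC
	bool "EAP-GTC support"

config EAP_MSCHAPV2
	bool "EAP-MSCHAPv2 support"

config EAP_LEAP
	bool "EAP-LEAP support"
	help
	  LEAP is a legacy method with known weaknesses against offline
	  password guessing. Prefer EAP-TLS, or a tunnelled method with
	  server certificate validation, and leave this disabled unless
	  legacy infrastructure requires it.

config EAP_PSK
	bool "EAP-PSK support"

config EAP_PAX
	bool "EAP-PAX support"

config EAP_SAKE
	bool "EAP-SAKE support"

config EAP_GPSK
	bool "EAP-GPSK support"

config EAP_PWD
	bool "EAP-PWD support"

config EAP_EKE
	bool "EAP-EKE support"

config EAP_IKEV2
	bool "EAP-IKEv2 support"

config EAP_SIM
	bool "EAP-SIM support"

config EAP_AKA
	bool "EAP-AKA support"

config EAP_FAST
	bool "EAP-FAST support"

# Despite the prompt, this selects only TLS, PEAP, GTC, TTLS and MSCHAPV2;
# every other EAP_* method above stays opt-in. It defaults to y as soon as
# enterprise crypto is enabled, so disable it explicitly to build with a
# narrower set of methods.
config EAP_ALL
	bool "All EAP methods support"
	select EAP_TLS
	select EAP_PEAP
	select EAP_GTC
	select EAP_TTLS
	select EAP_MSCHAPV2
	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE

# ---------------------------------------------------------------------------
# Operating modes and provisioning
# ---------------------------------------------------------------------------

config WIFI_NM_WPA_SUPPLICANT_WPA3
	bool "WPA3 support"
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
	default y

config WIFI_NM_WPA_SUPPLICANT_AP
	bool "SoftAP mode support based on WPA supplicant"

config WIFI_NM_WPA_SUPPLICANT_WPS
	bool "WPS support"
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
	help
	  WPS adds a second way to obtain network credentials and therefore
	  widens the attack surface of onboarding. Enable it only when the
	  product requires WPS provisioning.

config WIFI_NM_HOSTAPD_WPS
	bool "WPS hostapd support"
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
	depends on WIFI_NM_HOSTAPD_AP

# Note: enabling P2P force-selects AP, WPS and EAPOL support.
config WIFI_NM_WPA_SUPPLICANT_P2P
	bool "P2P mode support"
	select WIFI_NM_WPA_SUPPLICANT_AP
	select WIFI_NM_WPA_SUPPLICANT_WPS
	select WIFI_NM_WPA_SUPPLICANT_EAPOL

config WIFI_NM_WPA_SUPPLICANT_EAPOL
	bool "EAPoL supplicant"
	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE

# NOTE(review): the CLI presumably exposes the supplicant control interface
# through the shell; keep it off (the default) in builds where the shell is
# reachable by untrusted parties.
config WIFI_NM_WPA_SUPPLICANT_CLI
	bool "CLI support for wpa_supplicant"
	default n

config WIFI_NM_WPA_SUPPLICANT_INF_MON
	bool "Monitor the net mgmt event to add/del interface"
	default y

config WIFI_NM_HOSTAPD_AP
	bool "FullAP mode support based on Hostapd"
	depends on !WIFI_NM_WPA_SUPPLICANT_INF_MON

# ---------------------------------------------------------------------------
# Enterprise (EAP server) - hostapd side
# ---------------------------------------------------------------------------

config WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
	bool "Hostapd crypto enterprise support"

config EAP_SERVER_TLS
	bool "EAP-TLS server support"

config EAP_SERVER_IDENTITY
	bool "EAP-IDENTITY server support"

config EAP_SERVER_MD5
	bool "EAP-MD5 server support"
	help
	  EAP-MD5 provides no mutual authentication and derives no keying
	  material. Enable it only where a deployment specifically requires it.

config EAP_SERVER_MSCHAPV2
	bool "EAP-MSCHAPV2 server support"

config EAP_SERVER_PEAP
	bool "EAP-PEAP server support"

config EAP_SERVER_GTC
	bool "EAP-GTC server support"

config EAP_SERVER_TTLS
	bool "EAP-TTLS server support"

# Selects TLS, MSCHAPV2, PEAP, GTC and TTLS only; EAP_SERVER_MD5 and
# EAP_SERVER_IDENTITY are not selected here and stay opt-in.
config EAP_SERVER_ALL
	bool "All EAP methods support"
	select EAP_SERVER_TLS
	select EAP_SERVER_MSCHAPV2
	select EAP_SERVER_PEAP
	select EAP_SERVER_GTC
	select EAP_SERVER_TTLS
	default y if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE

# ---------------------------------------------------------------------------
# Miscellaneous tunables
# ---------------------------------------------------------------------------

config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME
	int "BSS max idle timeout in seconds"
	range 0 64000
	default 300
	help
	  BSS max idle timeout is the period for which AP may keep a client
	  in associated state while there is no traffic from that particular
	  client. Set 0 to disable inclusion of BSS max idle time tag in
	  association request. If a non-zero value is set, STA can suggest a
	  timeout by including BSS max idle period in the association request.
	  AP may choose to consider or ignore the STA's preferred value.
	  Ref: Sec 11.21.13 of IEEE Std 802.11™-2020

config WIFI_NM_WPA_SUPPLICANT_NO_DEBUG
	bool "Disable printing of debug messages, saves code size significantly"

config WIFI_NM_WPA_SUPPLICANT_DPP
	bool "WFA Easy Connect DPP"
	select DPP
	select DPP2
	select GAS
	select GAS_SERVER
	select OFFCHANNEL
	select MBEDTLS_X509_CSR_WRITE_C
	select MBEDTLS_X509_CSR_PARSE_C

config WIFI_NM_WPA_SUPPLICANT_11AX
	bool "IEEE 802.11ax HE support"
	depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
	default y

config WPA_CLI
	bool "WPA CLI support"
	default y if WIFI_NM_WPA_SUPPLICANT_CLI
	help
	  Enable WPA CLI support for wpa_supplicant.

if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
config MBEDTLS_SSL_MAX_CONTENT_LEN
	default 16384
endif

config WIFI_NM_WPA_SUPPLICANT_ROAMING
	bool "Roaming support"
	imply IEEE80211R
	help
	  Enable roaming support with wpa_supplicant. When current BSS RSSI drops,
	  STA will try to find an AP with better RSSI. If found, STA will reassociate
	  to the new AP automatically without losing connection.

config WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING
	bool "Skip DHCP after roaming to new AP"
	help
	  For L2 roaming, the original AP and new AP are in the same subnet, client
	  can use same IP address and skip DHCP. Enable this to skip DHCP.
	  For L3 roaming, the original AP and new AP are in different subnet, client
	  needs to get new IP address after roaming to new AP. Disable this to keep
	  DHCP after roaming.

# ---------------------------------------------------------------------------
# Hidden hostap symbols
# ---------------------------------------------------------------------------

# Create hidden config options that are used in hostap. This way we do not need
# to mark them as allowed for CI checks, and also someone else cannot use the
# same name options.
#
# A promptless bool without a default stays n unless another symbol selects it.

config SME
	bool
	default y

config NO_CONFIG_WRITE
	bool
	default y

config NO_CONFIG_BLOBS
	bool
	default y if !WIFI_NM_WPA_SUPPLICANT_DPP && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE

config CTRL_IFACE
	bool
	default y

config CTRL_IFACE_ZEPHYR
	bool
	default y

# NOTE(review): presumably makes hostap take randomness straight from the
# platform RNG instead of maintaining its own pool. Confirm the target has
# a proper entropy source, since key generation depends on it.
config NO_RANDOM_POOL
	bool
	default y

config WNM
	bool

config NO_WPA
	bool
	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

config NO_PBKDF2
	bool
	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

config SAE_PK
	bool

config FST
	bool

# NOTE(review): hidden and without a default, so it stays off unless another
# symbol selects it. Presumably gates hostap test hooks; check that nothing
# selects it in production configurations.
config TESTING_OPTIONS
	bool

config AP
	bool
	depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
	default y if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP

config NO_RADIUS
	bool

config NO_VLAN
	bool

config NO_ACCOUNTING
	bool

config NEED_AP_MLME
	bool

config IEEE80211AX
	bool

config EAP_SERVER
	bool

# Also defined earlier in this file with a prompt; this promptless
# definition of the same symbol adds no new properties.
config EAP_SERVER_IDENTITY
	bool

config P2P
	bool

config GAS
	bool

config GAS_SERVER
	bool

config OFFCHANNEL
	bool

config WPS
	bool

config WSC
	bool

config IEEE8021X_EAPOL
	bool

config CRYPTO_INTERNAL
	bool

config ECC
	bool

config MBO
	bool

config NO_STDOUT_DEBUG
	bool

config SAE
	bool

config SHA256
	bool

config SHA384
	bool

config SHA512
	bool

config SUITEB192
	bool

config SUITEB
	bool

# Follows the user-visible WIFI_NM_WPA_SUPPLICANT_WEP switch (off by default).
config WEP
	bool
	default y if WIFI_NM_WPA_SUPPLICANT_WEP

config WPA_CRYPTO
	bool

config WPA_SUPP_CRYPTO
	bool

config ROBUST_AV
	bool
	default y
	depends on WIFI_NM_WPA_SUPPLICANT_ROBUST_AV

config RRM
	bool
	default y
	depends on WIFI_NM_WPA_SUPPLICANT_RRM

config WMM_AC
	bool

config DPP
	bool

config DPP2
	bool

config DPP3
	bool

config ACS
	bool

config IEEE80211AC
	bool

config IEEE80211R
	bool
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

config NW_SEL_RELIABILITY
	bool
	default y
	depends on WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY

choice WIFI_NM_WPA_SUPPLICANT_NW_SEL
	prompt "WPA supplicant Network selection criterion"
	default WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
	help
	  Select the network selection method for the supplicant.

config WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
	bool "Throughput based network selection"
	help
	  Select the network based on throughput.

config WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
	bool "Reliability based network selection"
	help
	  Select the network based on reliability.

endchoice

# Security-sensitive: no default is given, so this is n unless set
# explicitly. Review any configuration fragment that enables it.
config SAE_PWE_EARLY_EXIT
	bool "Exit early if PWE is found"
	help
	  In order to mitigate side channel attacks, even if the PWE is found the WPA
	  supplicant goes through full iterations, but in some low-resource systems
	  this can be intensive, so, add an option to exit early.
	  Exiting early makes the time taken by the PWE derivation depend on
	  secret data, which is the side channel the full iteration count is
	  there to hide.
	  Note that this is highly insecure and shouldn't be used in production.

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
	bool
	depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA

config WIFI_NM_WPA_CTRL_RESP_TIMEOUT_S
	int "WPA supplicant control interface response timeout in seconds"
	default 15
	help
	  Timeout for the control interface commands to get a response from the
	  supplicant.

endif # WIFI_NM_WPA_SUPPLICANT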