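# WPA Supplicant configuration options
#
# Copyright (c) 2023 Nordic Semiconductor
#
# SPDX-License-Identifier: Apache-2.0
#

# Top-level switch for the hostap-based WPA supplicant. Everything between the
# "if WIFI_NM_WPA_SUPPLICANT" below and the closing endif is only visible when
# this symbol is enabled.
config WIFI_NM_WPA_SUPPLICANT
	bool "WPA Supplicant from hostap project [EXPERIMENTAL]"
	select POSIX_TIMERS
	select POSIX_SIGNALS
	select POSIX_API
	select NET_SOCKETS
	select NET_SOCKETS_PACKET
	select NET_SOCKETPAIR
	select NET_L2_WIFI_MGMT
	select WIFI_NM
	select EXPERIMENTAL
	select COMMON_LIBC_MALLOC
	help
	  WPA supplicant as a network management backend for WIFI_NM.

if WIFI_NM_WPA_SUPPLICANT

# Extra heap reserved for hostap. The first matching def_int wins, so the
# larger AP / enterprise values take precedence over the 30000 fallback.
config HEAP_MEM_POOL_ADD_SIZE_HOSTAP
	def_int 66560 if WIFI_NM_HOSTAPD_AP
	def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
	# 30K is mandatory, but might need more for long duration use cases
	def_int 30000

config WIFI_NM_WPA_SUPPLICANT_THREAD_STACK_SIZE
	int "Stack size for wpa_supplicant thread"
	default 5600

config WIFI_NM_WPA_SUPPLICANT_WQ_STACK_SIZE
	int "Stack size for wpa_supplicant iface workqueue"
	default 4400

config WIFI_NM_WPA_SUPPLICANT_WQ_PRIO
	int "Thread priority of wpa_supplicant iface workqueue"
	default 7

config WIFI_NM_WPA_SUPPLICANT_PRIO
	int "Thread priority of wpa_supplicant"
	default 0

# Currently we default ZVFS_OPEN_MAX to 16 in lib/posix/Kconfig
# l2_packet - 1
# ctrl_iface - 2 * socketpairs = 4(local and global)
# z_wpa_event_sock - 1 socketpair = 2
# Remaining left for the applications running in default configuration

# Supplicant API is stack heavy (buffers + snprintfs) and control interface
# uses socketpair which pushes the stack usage causing overflow for 2048 bytes.
# So we set SYSTEM_WORKQUEUE_STACK_SIZE default to 2560 in kernel/Kconfig

module = WIFI_NM_WPA_SUPPLICANT
module-str = WPA supplicant
source "subsys/logging/Kconfig.template.log_config"

# Maps the Zephyr log level chosen for this module onto the hostap MSG_* level
# named in the trailing comment of each default line.
# NOTE(review): the DBG mapping compiles in the most verbose hostap level;
# check what ends up in the logs before shipping firmware built this way.
config WIFI_NM_WPA_SUPPLICANT_DEBUG_LEVEL
	int "Min compiled-in debug message level for WPA supplicant"
	default 0 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG # MSG_EXCESSIVE
	default 3 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_INF # MSG_INFO
	default 4 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_WRN # MSG_WARNING
	default 5 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_ERR # MSG_ERROR
	default 5
	help
	  Minimum priority level of a debug message emitted by WPA supplicant that
	  is compiled-in the firmware. See wpa_debug.h file of the supplicant for
	  available levels and functions for emitting the messages. Note that
	  runtime filtering can also be configured in addition to the compile-time
	  filtering.

if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG
# hostap debug is very verbose and despite large log buffer sizes
# log messages can be lost. So, we set the log mode to immediate
# to avoid losing any debug messages.
choice LOG_MODE
	default LOG_MODE_IMMEDIATE
endchoice
endif # WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG

# Memory optimizations
config WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES
	bool "Advanced features"
	default y if !SOC_FAMILY_NORDIC_NRF

if WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES

config WIFI_NM_WPA_SUPPLICANT_ROBUST_AV
	bool "Robust Audio Video streaming support"
	default y

# Hidden as these are mandatory for WFA certification
config WIFI_NM_WPA_SUPPLICANT_WMM_AC
	bool
	default y

config WIFI_NM_WPA_SUPPLICANT_MBO
	bool
	default y

config WIFI_NM_WPA_SUPPLICANT_WNM
	bool "Wireless Network Management support"
	default y

config WIFI_NM_WPA_SUPPLICANT_RRM
	bool "Radio Resource Management support"
	default y
endif

# Off by default (no "default" line); drives the hidden WEP symbol further down.
config WIFI_NM_WPA_SUPPLICANT_WEP
	bool "WEP (Legacy crypto) support"
	help
	  WEP is cryptographically broken and gives no meaningful
	  confidentiality or integrity protection. Enable it only when
	  interoperability with a legacy network cannot be avoided.

choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
	prompt "WPA supplicant crypto implementation"
	default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
	help
	  Select the crypto implementation to use for WPA supplicant.
	  WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT supports enterprise mode
	  and DPP.

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
	bool "Crypto Mbedtls alt support for WiFi"
	select MBEDTLS
	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
	select MBEDTLS_CIPHER_AES_ENABLED
	# NOTE(review): DES, MD5 and SHA-1 are enabled unconditionally by this
	# backend; presumably legacy WPA/EAP code paths need them. Confirm
	# before trimming, and do not reuse them for new application code.
	select MBEDTLS_CIPHER_DES_ENABLED
	select MBEDTLS_MD5
	select MBEDTLS_SHA1
	select MBEDTLS_SHA384
	select MBEDTLS_ENTROPY_C
	select MBEDTLS_CIPHER
	select MBEDTLS_ECP_C
	select MBEDTLS_ECP_ALL_ENABLED
	select MBEDTLS_CMAC
	select MBEDTLS_PKCS5_C
	select MBEDTLS_PK_WRITE_C
	select MBEDTLS_ECDH_C
	select MBEDTLS_ECDSA_C
	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	select MBEDTLS_NIST_KW_C
	select MBEDTLS_DHM_C
	select MBEDTLS_HKDF_C

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
	bool "No Crypto support for WiFi"
	help
	  Build the supplicant without a crypto backend. With this choice
	  NO_WPA and NO_PBKDF2 default to y, and WPA3, WPS, enterprise crypto
	  and IEEE80211R cannot be enabled because they depend on this option
	  being off.

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT
	bool "External Crypto support for hostap"
	help
	  Use external crypto implementation for hostap, this is useful for
	  platforms where the crypto implementation is provided by the platform
	  and not by Zephyr. The external crypto implementation should provide
	  the required APIs and any other dependencies required by hostap.

endchoice

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
	bool "Crypto Platform Secure Architecture support for WiFi"
	imply MBEDTLS_PSA_CRYPTO_C
	select MBEDTLS_USE_PSA_CRYPTO
	select PSA_WANT_ALG_ECDH
	select PSA_WANT_ALG_HMAC
	select PSA_WANT_ALG_CCM
	select PSA_WANT_ALG_CTR
	select PSA_WANT_ALG_MD5
	select PSA_WANT_ALG_SHA_1
	select PSA_WANT_ALG_SHA_256
	select PSA_WANT_ALG_SHA_224
	select PSA_WANT_ALG_SHA_384
	select PSA_WANT_ALG_SHA_512
	select PSA_WANT_ALG_PBKDF2_HMAC
	select PSA_WANT_ALG_CMAC
	select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
	select PSA_WANT_KEY_TYPE_AES
	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
	help
	  Support Mbedtls 3.x to use PSA apis instead of legacy apis.

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
	bool "Enterprise Crypto support for WiFi"
	select MBEDTLS_PEM_CERTIFICATE_FORMAT if MBEDTLS_BUILTIN
	select MBEDTLS_SERVER_NAME_INDICATION if MBEDTLS_BUILTIN
	select MBEDTLS_X509_CRL_PARSE_C
	select MBEDTLS_TLS_VERSION_1_2
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

# Individual EAP peer methods. None of them has a default, so each stays off
# unless enabled explicitly or selected by EAP_ALL.
config EAP_TLS
	bool "EAP-TLS support"

config EAP_TTLS
	bool "EAP-TTLS support"

config EAP_PEAP
	bool "EAP-PEAP support"

config EAP_MD5
	bool "EAP-MD5 support"
	help
	  EAP-MD5 is a one-way challenge/response method: it does not
	  authenticate the server and derives no session keys. Avoid using
	  it on its own for wireless access.

config EAP_GTC
	bool "EAP-GTC support"

config EAP_MSCHAPV2
	bool "EAP-MSCHAPv2 support"

config EAP_LEAP
	bool "EAP-LEAP support"
	help
	  LEAP is a legacy method whose password exchange is exposed to
	  offline dictionary attacks. Prefer a TLS-based method.

config EAP_PSK
	bool "EAP-PSK support"

config EAP_PAX
	bool "EAP-PAX support"

config EAP_SAKE
	bool "EAP-SAKE support"

config EAP_GPSK
	bool "EAP-GPSK support"

config EAP_PWD
	bool "EAP-PWD support"

config EAP_EKE
	bool "EAP-EKE support"

config EAP_IKEV2
	bool "EAP-IKEv2 support"

config EAP_SIM
	bool "EAP-SIM support"

config EAP_AKA
	bool "EAP-AKA support"

config EAP_FAST
	bool "EAP-FAST support"

# Despite the prompt, this selects only TLS, PEAP, GTC, TTLS and MSCHAPv2;
# the remaining EAP methods above must still be enabled one by one.
config EAP_ALL
	bool "All EAP methods support"
	select EAP_TLS
	select EAP_PEAP
	select EAP_GTC
	select EAP_TTLS
	select EAP_MSCHAPV2
	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE

config WIFI_NM_WPA_SUPPLICANT_WPA3
	bool "WPA3 support"
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
	default y

config WIFI_NM_WPA_SUPPLICANT_AP
	bool "SoftAP mode support based on WPA supplicant"

config WIFI_NM_WPA_SUPPLICANT_WPS
	bool "WPS support"
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

config WIFI_NM_HOSTAPD_WPS
	bool "WPS hostapd support"
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
	depends on WIFI_NM_HOSTAPD_AP

# Enabling P2P also forces AP, WPS and EAPoL support on via select.
config WIFI_NM_WPA_SUPPLICANT_P2P
	bool "P2P mode support"
	select WIFI_NM_WPA_SUPPLICANT_AP
	select WIFI_NM_WPA_SUPPLICANT_WPS
	select WIFI_NM_WPA_SUPPLICANT_EAPOL

config WIFI_NM_WPA_SUPPLICANT_EAPOL
	bool "EAPoL supplicant"
	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE

config WIFI_NM_WPA_SUPPLICANT_CLI
	bool "CLI support for wpa_supplicant"

config WIFI_NM_WPA_SUPPLICANT_INF_MON
	bool "Monitor the net mgmt event to add/del interface"
	default y

# Mutually exclusive with interface monitoring, which defaults to y above.
config WIFI_NM_HOSTAPD_AP
	bool "FullAP mode support based on Hostapd"
	depends on !WIFI_NM_WPA_SUPPLICANT_INF_MON

config WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
	bool "Hostapd crypto enterprise support"

config EAP_SERVER_TLS
	bool "EAP-TLS server support"

config EAP_SERVER_IDENTITY
	bool "EAP-IDENTITY server support"

config EAP_SERVER_MD5
	bool "EAP-MD5 server support"

config EAP_SERVER_MSCHAPV2
	bool "EAP-MSCHAPV2 server support"

config EAP_SERVER_PEAP
	bool "EAP-PEAP server support"

config EAP_SERVER_GTC
	bool "EAP-GTC server support"

config EAP_SERVER_TTLS
	bool "EAP-TTLS server support"

# Despite the prompt, EAP_SERVER_IDENTITY and EAP_SERVER_MD5 are not selected
# here; only the five methods listed below are.
config EAP_SERVER_ALL
	bool "All EAP methods support"
	select EAP_SERVER_TLS
	select EAP_SERVER_MSCHAPV2
	select EAP_SERVER_PEAP
	select EAP_SERVER_GTC
	select EAP_SERVER_TTLS
	default y if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE

config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME
	int "BSS max idle timeout in seconds"
	range 0 64000
	default 300
	help
	  BSS max idle timeout is the period for which AP may keep a client
	  in associated state while there is no traffic from that particular
	  client. Set 0 to disable inclusion of BSS max idle time tag in
	  association request. If a non-zero value is set, STA can suggest a
	  timeout by including BSS max idle period in the association request.
	  AP may choose to consider or ignore the STA's preferred value.
	  Ref: Sec 11.21.13 of IEEE Std 802.11™-2020

config WIFI_NM_WPA_SUPPLICANT_NO_DEBUG
	bool "Disable printing of debug messages, saves code size significantly"

config WIFI_NM_WPA_SUPPLICANT_DPP
	bool "WFA Easy Connect DPP"
	select DPP
	select DPP2
	select GAS
	select GAS_SERVER
	select OFFCHANNEL
	select MBEDTLS_X509_CSR_WRITE_C
	select MBEDTLS_X509_CSR_PARSE_C

config WIFI_NM_WPA_SUPPLICANT_11AX
	bool "IEEE 802.11ax HE support"
	depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
	default y

config WPA_CLI
	bool "WPA CLI support"
	default y if WIFI_NM_WPA_SUPPLICANT_CLI
	help
	  Enable WPA CLI support for wpa_supplicant.

# Overrides only the default of a symbol defined elsewhere (no type or prompt
# is given here).
if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
	config MBEDTLS_SSL_MAX_CONTENT_LEN
		default 16384
endif

config WIFI_NM_WPA_SUPPLICANT_ROAMING
	bool "Roaming support"
	imply IEEE80211R
	help
	  Enable roaming support with wpa_supplicant. When current BSS RSSI drops,
	  STA will try to find an AP with better RSSI. If found, STA will reassociate
	  to the new AP automatically without losing connection.

config WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING
	bool "Skip DHCP after roaming to new AP"
	help
	  For L2 roaming, the original AP and new AP are in the same subnet, client
	  can use same IP address and skip DHCP. Enable this to skip DHCP.
	  For L3 roaming, the original AP and new AP are in different subnet, client
	  needs to get new IP address after roaming to new AP. Disable this to keep
	  DHCP after roaming.

# Create hidden config options that are used in hostap. This way we do not need
# to mark them as allowed for CI checks, and also someone else cannot use the
# same name options.

config SME
	bool
	default y

config NO_CONFIG_WRITE
	bool
	default y

config NO_CONFIG_BLOBS
	bool
	default y if !WIFI_NM_WPA_SUPPLICANT_DPP && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE

config CTRL_IFACE
	bool
	default y

config CTRL_IFACE_ZEPHYR
	bool
	default y

# NOTE(review): with hostap's own random pool disabled, key material
# presumably relies entirely on the platform RNG; confirm the target
# provides a suitable entropy source.
config NO_RANDOM_POOL
	bool
	default y

config WNM
	bool

config NO_WPA
	bool
	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

config NO_PBKDF2
	bool
	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

config SAE_PK
	bool

config FST
	bool

# Hidden and without a default, so it stays off unless something selects it.
# hostap test hooks are not meant for production builds.
config TESTING_OPTIONS
	bool

config AP
	bool
	depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
	default y if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP

config NO_RADIUS
	bool

config NO_VLAN
	bool

config NO_ACCOUNTING
	bool

config NEED_AP_MLME
	bool

config IEEE80211AX
	bool

config EAP_SERVER
	bool

# Also defined earlier in this file with a prompt; Kconfig merges the two
# definitions into one symbol.
config EAP_SERVER_IDENTITY
	bool

config P2P
	bool

config GAS
	bool

config GAS_SERVER
	bool

config OFFCHANNEL
	bool

config WPS
	bool

config WSC
	bool

config IEEE8021X_EAPOL
	bool

config CRYPTO_INTERNAL
	bool

config ECC
	bool

config MBO
	bool

config NO_STDOUT_DEBUG
	bool

config SAE
	bool

config SHA256
	bool

config SHA384
	bool

config SHA512
	bool

config SUITEB192
	bool

config SUITEB
	bool

# Follows the user-visible WIFI_NM_WPA_SUPPLICANT_WEP option, which has no
# default and therefore stays off unless enabled explicitly.
config WEP
	bool
	default y if WIFI_NM_WPA_SUPPLICANT_WEP

config WPA_CRYPTO
	bool

config WPA_SUPP_CRYPTO
	bool

config NO_ROBUST_AV
	bool

config NO_RRM
	bool

config NO_WMM_AC
	bool

config DPP
	bool

config DPP2
	bool

config DPP3
	bool

config ACS
	bool

config IEEE80211AC
	bool

config IEEE80211R
	bool
	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE

config NW_SEL_RELIABILITY
	bool
	default y
	depends on WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY

choice WIFI_NM_WPA_SUPPLICANT_NW_SEL
	prompt "WPA supplicant Network selection criterion"
	default WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
	help
	  Select the network selection method for the supplicant.

config WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
	bool "Throughput based network selection"
	help
	  Select the network based on throughput.

config WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
	bool "Reliability based network selection"
	help
	  Select the network based on reliability.

endchoice

# Security trade-off: trades the side-channel mitigation described in the help
# text for speed. It has no default, so it stays off unless enabled explicitly.
config SAE_PWE_EARLY_EXIT
	bool "Exit early if PWE is found"
	help
	  In order to mitigate side channel attacks, even if the PWE is found the WPA
	  supplicant goes through full iterations, but in some low-resource systems
	  this can be intensive, so, add an option to exit early.
	  Note that this is highly insecure and shouldn't be used in production.

config WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
	bool
	depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA

config WIFI_NM_WPA_CTRL_RESP_TIMEOUT_S
	int "WPA supplicant control interface response timeout in seconds"
	default 15
	help
	  Timeout for the control interface commands to get a response from the
	  supplicant.

endif # WIFI_NM_WPA_SUPPLICANT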