1# WPA Supplicant configuration options
2#
3# Copyright (c) 2023 Nordic Semiconductor
4#
5# SPDX-License-Identifier: Apache-2.0
6#
7
8config WIFI_NM_WPA_SUPPLICANT
9	bool "WPA Supplicant from hostap project [EXPERIMENTAL]"
10	select POSIX_TIMERS
11	select POSIX_SIGNALS
12	select POSIX_API
13	select NET_SOCKETS
14	select NET_SOCKETS_PACKET
15	select NET_SOCKETPAIR
16	select NET_L2_WIFI_MGMT
17	select WIFI_NM
18	select EXPERIMENTAL
19	select COMMON_LIBC_MALLOC
20	help
21	  WPA supplicant as a network management backend for WIFI_NM.
22
23if WIFI_NM_WPA_SUPPLICANT
24
25config HEAP_MEM_POOL_ADD_SIZE_HOSTAP
26	def_int 66560 if WIFI_NM_HOSTAPD_AP
27	def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
28	# 30K is mandatory, but might need more for long duration use cases
29	def_int 30000
30
31config WIFI_NM_WPA_SUPPLICANT_THREAD_STACK_SIZE
32	int "Stack size for wpa_supplicant thread"
33	default 5600
34
35config WIFI_NM_WPA_SUPPLICANT_WQ_STACK_SIZE
36	int "Stack size for wpa_supplicant iface workqueue"
37	default 4400
38
39config WIFI_NM_WPA_SUPPLICANT_WQ_PRIO
40	int "Thread priority of wpa_supplicant iface workqueue"
41	default 7
42
43config WIFI_NM_WPA_SUPPLICANT_PRIO
44	int "Thread priority of wpa_supplicant"
45	default 0
46
47# Currently we default ZVFS_OPEN_MAX to 16 in lib/posix/Kconfig
48# l2_packet - 1
49# ctrl_iface - 2 * socketpairs = 4(local and global)
50# z_wpa_event_sock - 1 socketpair = 2
51# Remaining left for the applications running in default configuration
52
53# The supplicant API is stack heavy (buffers + snprintfs) and the control
54# interface uses socketpair, which pushes stack usage past 2048 bytes and
55# overflows the stack. So we set SYSTEM_WORKQUEUE_STACK_SIZE default to 2560 in kernel/Kconfig
56
57module = WIFI_NM_WPA_SUPPLICANT
58module-str = WPA supplicant
59source "subsys/logging/Kconfig.template.log_config"
60
61config WIFI_NM_WPA_SUPPLICANT_DEBUG_LEVEL
62	int "Min compiled-in debug message level for WPA supplicant"
63	default 0 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG # MSG_EXCESSIVE
64	default 3 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_INF # MSG_INFO
65	default 4 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_WRN # MSG_WARNING
66	default 5 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_ERR # MSG_ERROR
67	default 5
68	help
69	  Minimum priority level of a debug message emitted by WPA supplicant that
70	  is compiled into the firmware. See wpa_debug.h file of the supplicant for
71	  available levels and functions for emitting the messages. Note that
72	  runtime filtering can also be configured in addition to the compile-time
73	  filtering.
74
75if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG
76# hostap debug is very verbose and despite large log buffer sizes
77# log messages can be lost. So, we set the log mode to immediate
78# to avoid losing any debug messages.
79choice LOG_MODE
80	default LOG_MODE_IMMEDIATE
81endchoice
82endif # WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG
83
84# Memory optimizations
85config WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES
86	bool "Advanced features"
87	default y if !SOC_FAMILY_NORDIC_NRF
88
89if WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES
90
91config WIFI_NM_WPA_SUPPLICANT_ROBUST_AV
92	bool "Robust Audio Video streaming support"
93	default y
94
95# Hidden as these are mandatory for WFA certification
96config WIFI_NM_WPA_SUPPLICANT_WMM_AC
97	bool
98	default y
99
100config WIFI_NM_WPA_SUPPLICANT_MBO
101	bool
102	default y
103
104config WIFI_NM_WPA_SUPPLICANT_WNM
105	bool "Wireless Network Management support"
106	default y
107
108config WIFI_NM_WPA_SUPPLICANT_RRM
109	bool "Radio Resource Management support"
110	default y
111endif
112
# WEP is cryptographically broken and gives no meaningful confidentiality or
# access control. The option has no `default`, so it stays off unless enabled
# explicitly; enable it only for interoperability with a legacy network.
113config WIFI_NM_WPA_SUPPLICANT_WEP
114	bool "WEP (Legacy crypto) support"
115
116choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
117	prompt "WPA supplicant crypto implementation"
118	default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
119	help
120	  Select the crypto implementation to use for WPA supplicant.
121	  WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT supports enterprise mode
122	  and DPP.
123
# Mbed TLS based crypto backend (the default member of the choice).
# Besides AES, ECC, CMAC and HKDF, this also selects DES, MD5 and SHA-1.
# These are legacy primitives; presumably they are pulled in for protocol
# compatibility (e.g. MSCHAPv2 or WPS code paths) rather than for new designs.
# NOTE(review): confirm which features need them before trimming the list.
124config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
125	bool "Crypto Mbedtls alt support for WiFi"
126	select MBEDTLS
127	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
128	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
129	select MBEDTLS_CIPHER_AES_ENABLED
130	select MBEDTLS_CIPHER_DES_ENABLED
131	select MBEDTLS_MD5
132	select MBEDTLS_SHA1
133	select MBEDTLS_SHA384
134	select MBEDTLS_ENTROPY_C
135	select MBEDTLS_CIPHER
136	select MBEDTLS_ECP_C
137	select MBEDTLS_ECP_ALL_ENABLED
138	select MBEDTLS_CMAC
139	select MBEDTLS_PKCS5_C
140	select MBEDTLS_PK_WRITE_C
141	select MBEDTLS_ECDH_C
142	select MBEDTLS_ECDSA_C
143	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
144	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
145	select MBEDTLS_NIST_KW_C
146	select MBEDTLS_DHM_C
147	select MBEDTLS_HKDF_C
148
# Selecting this backend makes NO_WPA and NO_PBKDF2 default to y, and the
# WPA3, WPS, enterprise and IEEE80211R options in this file (all of which
# depend on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE) can no longer be enabled.
# NOTE(review): presumably only unprotected (open) networks remain usable;
# confirm before using this outside of bring-up or test builds.
149config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
150	bool "No Crypto support for WiFi"
151
152config WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT
153	bool "External Crypto support for hostap"
154	help
155	  Use an external crypto implementation for hostap. This is useful for
156	  platforms where the crypto implementation is provided by the platform
157	  and not by Zephyr. The external crypto implementation should provide
158	  the required APIs and any other dependencies required by hostap.
159
160endchoice
161
162config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
163	bool "Crypto Platform Secure Architecture support for WiFi"
164	imply MBEDTLS_PSA_CRYPTO_C
165	select MBEDTLS_USE_PSA_CRYPTO
166	select PSA_WANT_ALG_ECDH
167	select PSA_WANT_ALG_HMAC
168	select PSA_WANT_ALG_CCM
169	select PSA_WANT_ALG_CTR
170	select PSA_WANT_ALG_MD5
171	select PSA_WANT_ALG_SHA_1
172	select PSA_WANT_ALG_SHA_256
173	select PSA_WANT_ALG_SHA_224
174	select PSA_WANT_ALG_SHA_384
175	select PSA_WANT_ALG_SHA_512
176	select PSA_WANT_ALG_PBKDF2_HMAC
177	select PSA_WANT_ALG_CMAC
178	select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
179	select PSA_WANT_KEY_TYPE_AES
180	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
181	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
182	help
183	  Use the PSA APIs of Mbed TLS 3.x instead of the legacy APIs.
184
185config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
186	bool "Enterprise Crypto support for WiFi"
187	select MBEDTLS_PEM_CERTIFICATE_FORMAT if MBEDTLS_BUILTIN
188	select MBEDTLS_SERVER_NAME_INDICATION if MBEDTLS_BUILTIN
189	select MBEDTLS_X509_CRL_PARSE_C
190	select MBEDTLS_TLS_VERSION_1_2
191	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
192
193config EAP_TLS
194	bool "EAP-TLS support"
195
196config EAP_TTLS
197	bool "EAP-TTLS support"
198
199config EAP_PEAP
200	bool "EAP-PEAP support"
201
# EAP-MD5 does not authenticate the server and derives no keying material,
# so it cannot protect a Wi-Fi link on its own. Off by default (no `default`
# line) and not selected by EAP_ALL.
202config EAP_MD5
203	bool "EAP-MD5 support"
204
205config EAP_GTC
206	bool "EAP-GTC support"
207
208config EAP_MSCHAPV2
209	bool "EAP-MSCHAPv2 support"
210
# LEAP is a legacy method that is vulnerable to offline dictionary attacks;
# prefer a TLS-based method. Off by default (no `default` line) and not
# selected by EAP_ALL.
211config EAP_LEAP
212	bool "EAP-LEAP support"
213
214config EAP_PSK
215	bool "EAP-PSK support"
216
217config EAP_PAX
218	bool "EAP-PAX support"
219
220config EAP_SAKE
221	bool "EAP-SAKE support"
222
223config EAP_GPSK
224	bool "EAP-GPSK support"
225
226config EAP_PWD
227	bool "EAP-PWD support"
228
229config EAP_EKE
230	bool "EAP-EKE support"
231
232config EAP_IKEV2
233	bool "EAP-IKEv2 support"
234
235config EAP_SIM
236	bool "EAP-SIM support"
237
238config EAP_AKA
239	bool "EAP-AKA support"
240
241config EAP_FAST
242	bool "EAP-FAST support"
243
# Despite the prompt, this selects only TLS, PEAP, GTC, TTLS and MSCHAPv2.
# Every other EAP_* option above stays off unless it is enabled explicitly.
# Defaults to y when enterprise crypto support is enabled.
244config EAP_ALL
245	bool "All EAP methods support"
246	select EAP_TLS
247	select EAP_PEAP
248	select EAP_GTC
249	select EAP_TTLS
250	select EAP_MSCHAPV2
251	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
252
253config WIFI_NM_WPA_SUPPLICANT_WPA3
254	bool "WPA3 support"
255	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
256	default y
257
258config WIFI_NM_WPA_SUPPLICANT_AP
259	bool "SoftAP mode support based on WPA supplicant"
260
261config WIFI_NM_WPA_SUPPLICANT_WPS
262	bool "WPS support"
263	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
264
265config WIFI_NM_HOSTAPD_WPS
266	bool "WPS hostapd support"
267	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
268	depends on WIFI_NM_HOSTAPD_AP
269
270config WIFI_NM_WPA_SUPPLICANT_P2P
271	bool "P2P mode support"
272	select WIFI_NM_WPA_SUPPLICANT_AP
273	select WIFI_NM_WPA_SUPPLICANT_WPS
274	select WIFI_NM_WPA_SUPPLICANT_EAPOL
275
276config WIFI_NM_WPA_SUPPLICANT_EAPOL
277	bool "EAPoL supplicant"
278	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
279
280config WIFI_NM_WPA_SUPPLICANT_CLI
281	bool "CLI support for wpa_supplicant"
282
283config WIFI_NM_WPA_SUPPLICANT_INF_MON
284	bool "Monitor the net mgmt event to add/del interface"
285	default y
286
287config WIFI_NM_HOSTAPD_AP
288	bool "FullAP mode support based on Hostapd"
289	depends on !WIFI_NM_WPA_SUPPLICANT_INF_MON
290
291config WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
292	bool "Hostapd crypto enterprise support"
293
294config EAP_SERVER_TLS
295	bool "EAP-TLS server support"
296
297config EAP_SERVER_IDENTITY
298	bool "EAP-IDENTITY server support"
299
300config EAP_SERVER_MD5
301	bool "EAP-MD5 server support"
302
303config EAP_SERVER_MSCHAPV2
304	bool "EAP-MSCHAPV2 server support"
305
306config EAP_SERVER_PEAP
307	bool "EAP-PEAP server support"
308
309config EAP_SERVER_GTC
310	bool "EAP-GTC server support"
311
312config EAP_SERVER_TTLS
313	bool "EAP-TTLS server support"
314
315config EAP_SERVER_ALL
316	bool "All EAP methods support"
317	select EAP_SERVER_TLS
318	select EAP_SERVER_MSCHAPV2
319	select EAP_SERVER_PEAP
320	select EAP_SERVER_GTC
321	select EAP_SERVER_TTLS
322	default y if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
323
324config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME
325	int "BSS max idle timeout in seconds"
326	range 0 64000
327	default 300
328	help
329	  BSS max idle timeout is the period for which AP may keep a client
330	  in associated state while there is no traffic from that particular
331	  client. Set 0 to disable inclusion of BSS max idle time tag in
332	  association request. If a non-zero value is set, STA can suggest a
333	  timeout by including BSS max idle period in the association request.
334	  AP may choose to consider or ignore the STA's preferred value.
335	  Ref: Sec 11.21.13 of IEEE Std 802.11™-2020
336
337config WIFI_NM_WPA_SUPPLICANT_NO_DEBUG
338	bool "Disable printing of debug messages, saves code size significantly"
339
340
341config WIFI_NM_WPA_SUPPLICANT_DPP
342	bool "WFA Easy Connect DPP"
343	select DPP
344	select DPP2
345	select GAS
346	select GAS_SERVER
347	select OFFCHANNEL
348	select MBEDTLS_X509_CSR_WRITE_C
349	select MBEDTLS_X509_CSR_PARSE_C
350
351config WIFI_NM_WPA_SUPPLICANT_11AX
352	bool "IEEE 802.11ax HE support"
353	depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
354	default y
355
356config WPA_CLI
357	bool "WPA CLI support"
358	default y if WIFI_NM_WPA_SUPPLICANT_CLI
359	help
360	  Enable WPA CLI support for wpa_supplicant.
361
362if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
363	config MBEDTLS_SSL_MAX_CONTENT_LEN
364		default 16384
365endif
366
367config WIFI_NM_WPA_SUPPLICANT_ROAMING
368	bool "Roaming support"
369	imply IEEE80211R
370	help
371	  Enable roaming support with wpa_supplicant. When current BSS RSSI drops,
372	  STA will try to find an AP with better RSSI. If found, STA will reassociate
373	  to the new AP automatically without losing connection.
374
375config WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING
376	bool "Skip DHCP after roaming to new AP"
377	help
378	  For L2 roaming, the original AP and the new AP are in the same subnet, so the
379	  client can keep its IP address and skip DHCP. Enable this to skip DHCP.
380	  For L3 roaming, the original AP and the new AP are in different subnets, so the
381	  client needs a new IP address after roaming to the new AP. Disable this to keep
382	  DHCP after roaming.
383
384# Create hidden config options that are used in hostap. This way we do not need
385# to mark them as allowed for CI checks, and also someone else cannot use the
386# same name options.
387
388config SME
389	bool
390	default y
391
392config NO_CONFIG_WRITE
393	bool
394	default y
395
396config NO_CONFIG_BLOBS
397	bool
398	default y if !WIFI_NM_WPA_SUPPLICANT_DPP && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
399
400config CTRL_IFACE
401	bool
402	default y
403
404config CTRL_IFACE_ZEPHYR
405	bool
406	default y
407
# Hidden hostap option, always y here. In hostap this compiles out the
# internal entropy pool, so key and nonce generation relies on the platform
# random source instead.
# NOTE(review): confirm the Zephyr port's os_get_random() is backed by a
# cryptographically secure generator on the target board.
408config NO_RANDOM_POOL
409	bool
410	default y
411
412config WNM
413	bool
414
415config NO_WPA
416	bool
417	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
418
419config NO_PBKDF2
420	bool
421	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
422
423config SAE_PK
424	bool
425
426config FST
427	bool
428
# Hidden symbol with no default, so it stays n unless another option selects it.
# In hostap this symbol gates test-only behaviour.
# NOTE(review): make sure nothing selects it in production configurations.
429config TESTING_OPTIONS
430	bool
431
432config AP
433	bool
434	depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
435	default y if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
436
437config NO_RADIUS
438	bool
439
440config NO_VLAN
441	bool
442
443config NO_ACCOUNTING
444	bool
445
446config NEED_AP_MLME
447	bool
448
449config IEEE80211AX
450	bool
451
452config EAP_SERVER
453	bool
454
455config EAP_SERVER_IDENTITY
456	bool
457
458config P2P
459	bool
460
461config GAS
462	bool
463
464config GAS_SERVER
465	bool
466
467config OFFCHANNEL
468	bool
469
470config WPS
471	bool
472
473config WSC
474	bool
475
476config IEEE8021X_EAPOL
477	bool
478
479config CRYPTO_INTERNAL
480	bool
481
482config ECC
483	bool
484
485config MBO
486	bool
487
488config NO_STDOUT_DEBUG
489	bool
490
491config SAE
492	bool
493
494config SHA256
495	bool
496
497config SHA384
498	bool
499
500config SHA512
501	bool
502
503config SUITEB192
504	bool
505
506config SUITEB
507	bool
508
509config WEP
510	bool
511	default y if WIFI_NM_WPA_SUPPLICANT_WEP
512
513config WPA_CRYPTO
514	bool
515
516config WPA_SUPP_CRYPTO
517	bool
518
519config NO_ROBUST_AV
520	bool
521
522config NO_RRM
523	bool
524
525config NO_WMM_AC
526	bool
527
528config DPP
529	bool
530
531config DPP2
532	bool
533
534config DPP3
535	bool
536
537config ACS
538	bool
539
540config IEEE80211AC
541	bool
542
543config IEEE80211R
544	bool
545	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
546
547config NW_SEL_RELIABILITY
548	bool
549	default y
550	depends on WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
551
552choice WIFI_NM_WPA_SUPPLICANT_NW_SEL
553	prompt "WPA supplicant Network selection criterion"
554	default WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
555	help
556	  Select the network selection method for the supplicant.
557
558config WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
559	bool "Throughput based network selection"
560	help
561	  Select the network based on throughput.
562
563config WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
564	bool "Reliability based network selection"
565	help
566	  Select the network based on reliability.
567
568endchoice
569
570config SAE_PWE_EARLY_EXIT
571	bool "Exit early if PWE is found"
572	help
573	  To mitigate timing side-channel attacks, the WPA supplicant runs all PWE
574	  derivation iterations even after the PWE is found. On low-resource systems
575	  this can be costly, so this option allows exiting early. That makes the run
576	  time depend on the password: highly insecure, do not use in production.
577
578config WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
579	bool
580	depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
581
582config WIFI_NM_WPA_CTRL_RESP_TIMEOUT_S
583	int "WPA supplicant control interface response timeout in seconds"
584	default 15
585	help
586	  Timeout for the control interface commands to get a response from the
587	  supplicant.
588
589endif # WIFI_NM_WPA_SUPPLICANT
590