1# WPA Supplicant configuration options
2#
3# Copyright (c) 2023 Nordic Semiconductor
4#
5# SPDX-License-Identifier: Apache-2.0
6#
7
8config WIFI_NM_WPA_SUPPLICANT
9	bool "WPA Supplicant from hostap project [EXPERIMENTAL]"
10	select POSIX_TIMERS
11	select POSIX_SIGNALS
12	select POSIX_API
13	select FILE_SYSTEM
14	select NET_SOCKETS
15	select NET_SOCKETS_PACKET
16	select NET_SOCKETPAIR
17	select NET_L2_WIFI_MGMT
18	select WIFI_NM
19	select EXPERIMENTAL
20	select COMMON_LIBC_MALLOC
21	help
22	  WPA supplicant as a network management backend for WIFI_NM.
23
24if WIFI_NM_WPA_SUPPLICANT
25
26config HEAP_MEM_POOL_ADD_SIZE_HOSTAP
27	def_int 66560 if WIFI_NM_HOSTAPD_AP
28	def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
29	# 30K is mandatory, but might need more for long duration use cases
30	def_int 30000
31
32config WIFI_NM_WPA_SUPPLICANT_THREAD_STACK_SIZE
33	int "Stack size for wpa_supplicant thread"
34	default 8192
35
36config WIFI_NM_WPA_SUPPLICANT_WQ_STACK_SIZE
37	int "Stack size for wpa_supplicant iface workqueue"
38	default 6144
39
40config WIFI_NM_WPA_SUPPLICANT_WQ_PRIO
41	int "Thread priority of wpa_supplicant iface workqueue"
42	default 7
43
44config WIFI_NM_WPA_SUPPLICANT_PRIO
45	int "Thread priority of wpa_supplicant"
46	default 0
47
48# Currently we default ZVFS_OPEN_MAX to 16 in lib/posix/Kconfig
49# l2_packet - 1
50# ctrl_iface - 2 * socketpairs = 4(local and global)
51# z_wpa_event_sock - 1 socketpair = 2
52# Remaining left for the applications running in default configuration
53
54# Supplicant API is stack heavy (buffers + snprintfs) and control interface
55# uses socketpair, which pushes stack usage past 2048 bytes and causes an overflow.
56# So we set SYSTEM_WORKQUEUE_STACK_SIZE default to 2560 in kernel/Kconfig
57
58module = WIFI_NM_WPA_SUPPLICANT
59module-str = WPA supplicant
60source "subsys/logging/Kconfig.template.log_config"
61
62config WIFI_NM_WPA_SUPPLICANT_DEBUG_LEVEL
63	int "Min compiled-in debug message level for WPA supplicant"
64	default 0 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG # MSG_EXCESSIVE
65	default 3 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_INF # MSG_INFO
66	default 4 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_WRN # MSG_WARNING
67	default 5 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_ERR # MSG_ERROR
68	default 5
69	help
70	  Minimum priority level of a debug message emitted by WPA supplicant that
71	  is compiled into the firmware. See wpa_debug.h file of the supplicant for
72	  available levels and functions for emitting the messages. Note that
73	  runtime filtering can also be configured in addition to the compile-time
74	  filtering.
75
76if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG
77# hostap debug is very verbose and despite large log buffer sizes
78# log messages can be lost. So, we set the log mode to immediate
79# to avoid losing any debug messages.
80choice LOG_MODE
81	default LOG_MODE_IMMEDIATE
82endchoice
83endif # WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG
84
85# Memory optimizations
86config WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES
87	bool "Advanced features"
88	default y
89
90if WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES
91
92config WIFI_NM_WPA_SUPPLICANT_ROBUST_AV
93	bool "Robust Audio Video streaming support"
94	default y
95
96# Hidden as these are mandatory for WFA certification
97config WIFI_NM_WPA_SUPPLICANT_WMM_AC
98	bool
99	default y
100
101config WIFI_NM_WPA_SUPPLICANT_MBO
102	bool
103	default y
104
105config WIFI_NM_WPA_SUPPLICANT_WNM
106	bool "Wireless Network Management support"
107	default y
108
109config WIFI_NM_WPA_SUPPLICANT_RRM
110	bool "Radio Resource Management support"
111	default y
112endif
113
114config WIFI_NM_WPA_SUPPLICANT_WEP
115	bool "WEP (Legacy crypto) support" # WEP is cryptographically broken; legacy interop only
116
117choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
118	prompt "WPA supplicant crypto implementation"
119	default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
120	help
121	  Select the crypto implementation to use for WPA supplicant.
122	  WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT supports enterprise mode
123	  and DPP.
124
125config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
126	bool "Crypto Mbedtls alt support for WiFi"
127	select MBEDTLS
128	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
129	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
130	select MBEDTLS_CIPHER_AES_ENABLED
131	select MBEDTLS_CIPHER_DES_ENABLED
132	select MBEDTLS_MD5
133	select MBEDTLS_SHA1
134	select MBEDTLS_ENTROPY_C
135	select MBEDTLS_CIPHER
136	select MBEDTLS_ECP_C
137	select MBEDTLS_ECP_ALL_ENABLED
138	select MBEDTLS_CMAC
139	select MBEDTLS_PKCS5_C
140	select MBEDTLS_PK_WRITE_C
141	select MBEDTLS_ECDH_C
142	select MBEDTLS_ECDSA_C
143	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
144	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
145	select MBEDTLS_NIST_KW_C
146	select MBEDTLS_DHM_C
147	select MBEDTLS_HKDF_C
148
149config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
150	bool "No Crypto support for WiFi" # NO_WPA and NO_PBKDF2 default to y; WPA3/WPS/enterprise unavailable
151
152config WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT
153	bool "External Crypto support for hostap"
154	help
155	  Use an external crypto implementation for hostap. This is useful for
156	  platforms where the crypto implementation is provided by the platform
157	  and not by Zephyr. The external crypto implementation should provide
158	  the required APIs and any other dependencies required by hostap.
159
160endchoice
161
162config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
163	bool "Crypto Platform Secure Architecture support for WiFi"
164	imply MBEDTLS_PSA_CRYPTO_C
165	select MBEDTLS_USE_PSA_CRYPTO
166	select PSA_WANT_ALG_ECDH
167	select PSA_WANT_ALG_HMAC
168	select PSA_WANT_ALG_CCM
169	select PSA_WANT_ALG_CTR
170	select PSA_WANT_ALG_MD5
171	select PSA_WANT_ALG_SHA_1
172	select PSA_WANT_ALG_SHA_256
173	select PSA_WANT_ALG_SHA_224
174	select PSA_WANT_ALG_SHA_384
175	select PSA_WANT_ALG_SHA_512
176	select PSA_WANT_ALG_PBKDF2_HMAC
177	select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
178	select PSA_WANT_KEY_TYPE_AES
179	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
180	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
181	help
182	  Use the PSA Crypto APIs of Mbed TLS 3.x instead of the legacy Mbed TLS APIs.
183
184config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
185	bool "Enterprise Crypto support for WiFi"
186	select MBEDTLS_PEM_CERTIFICATE_FORMAT
187	select MBEDTLS_SERVER_NAME_INDICATION
188	select MBEDTLS_X509_CRL_PARSE_C
189	select MBEDTLS_TLS_VERSION_1_2
190	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
191
192config EAP_TLS
193	bool "EAP-TLS support"
194
195config EAP_TTLS
196	bool "EAP-TTLS support"
197
198config EAP_PEAP
199	bool "EAP-PEAP support"
200
201config EAP_MD5
202	bool "EAP-MD5 support"
203
204config EAP_GTC
205	bool "EAP-GTC support"
206
207config EAP_MSCHAPV2
208	bool "EAP-MSCHAPv2 support"
209
210config EAP_LEAP
211	bool "EAP-LEAP support"
212
213config EAP_PSK
214	bool "EAP-PSK support"
215
216config EAP_PAX
217	bool "EAP-PAX support"
218
219config EAP_SAKE
220	bool "EAP-SAKE support"
221
222config EAP_GPSK
223	bool "EAP-GPSK support"
224
225config EAP_PWD
226	bool "EAP-PWD support"
227
228config EAP_EKE
229	bool "EAP-EKE support"
230
231config EAP_IKEV2
232	bool "EAP-IKEv2 support"
233
234config EAP_SIM
235	bool "EAP-SIM support"
236
237config EAP_AKA
238	bool "EAP-AKA support"
239
240config EAP_FAST
241	bool "EAP-FAST support"
242
243config EAP_ALL
244	bool "All EAP methods support"
245	select EAP_TLS
246	select EAP_PEAP
247	select EAP_GTC
248	select EAP_TTLS
249	select EAP_MSCHAPV2
250	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
251
252config WIFI_NM_WPA_SUPPLICANT_WPA3
253	bool "WPA3 support"
254	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
255	default y
256
257config WIFI_NM_WPA_SUPPLICANT_AP
258	bool "SoftAP mode support based on WPA supplicant"
259
260config WIFI_NM_WPA_SUPPLICANT_WPS
261	bool "WPS support"
262	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
263
264config WIFI_NM_HOSTAPD_WPS
265	bool "WPS hostapd support"
266	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
267	depends on WIFI_NM_HOSTAPD_AP
268
269config WIFI_NM_WPA_SUPPLICANT_P2P
270	bool "P2P mode support"
271	select WIFI_NM_WPA_SUPPLICANT_AP
272	select WIFI_NM_WPA_SUPPLICANT_WPS
273	select WIFI_NM_WPA_SUPPLICANT_EAPOL
274
275config WIFI_NM_WPA_SUPPLICANT_EAPOL
276	bool "EAPoL supplicant"
277	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
278
279config WIFI_NM_WPA_SUPPLICANT_CLI
280	bool "CLI support for wpa_supplicant"
281	default n
282
283config WIFI_NM_WPA_SUPPLICANT_INF_MON
284	bool "Monitor the net mgmt event to add/del interface"
285	default y
286
287config WIFI_NM_HOSTAPD_AP
288	bool "FullAP mode support based on Hostapd"
289	depends on !WIFI_NM_WPA_SUPPLICANT_INF_MON
290
291config WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
292	bool "Hostapd crypto enterprise support"
293
294config EAP_SERVER_TLS
295	bool "EAP-TLS server support"
296
297config EAP_SERVER_IDENTITY
298	bool "EAP-IDENTITY server support"
299
300config EAP_SERVER_MD5
301	bool "EAP-MD5 server support"
302
303config EAP_SERVER_MSCHAPV2
304	bool "EAP-MSCHAPV2 server support"
305
306config EAP_SERVER_PEAP
307	bool "EAP-PEAP server support"
308
309config EAP_SERVER_GTC
310	bool "EAP-GTC server support"
311
312config EAP_SERVER_TTLS
313	bool "EAP-TTLS server support"
314
315config EAP_SERVER_ALL
316	bool "All EAP server methods support"
317	select EAP_SERVER_TLS
318	select EAP_SERVER_MSCHAPV2
319	select EAP_SERVER_PEAP
320	select EAP_SERVER_GTC
321	select EAP_SERVER_TTLS
322	default y if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
323
324config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME
325	int "BSS max idle timeout in seconds"
326	range 0 64000
327	default 300
328	help
329	  BSS max idle timeout is the period for which AP may keep a client
330	  in associated state while there is no traffic from that particular
331	  client. Set 0 to disable inclusion of BSS max idle time tag in
332	  association request. If a non-zero value is set, STA can suggest a
333	  timeout by including BSS max idle period in the association request.
334	  AP may choose to consider or ignore the STA's preferred value.
335	  Ref: Sec 11.21.13 of IEEE Std 802.11™-2020
336
337config WIFI_NM_WPA_SUPPLICANT_NO_DEBUG
338	bool "Disable printing of debug messages, saves code size significantly"
339
340
341config WIFI_NM_WPA_SUPPLICANT_DPP
342	bool "WFA Easy Connect DPP"
343	select DPP
344	select DPP2
345	select GAS
346	select GAS_SERVER
347	select OFFCHANNEL
348	select MBEDTLS_X509_CSR_WRITE_C
349	select MBEDTLS_X509_CSR_PARSE_C
350
351config WIFI_NM_WPA_SUPPLICANT_11AX
352	bool "IEEE 802.11ax HE support"
353	depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
354	default y
355
356config WPA_CLI
357	bool "WPA CLI support"
358	default y if WIFI_NM_WPA_SUPPLICANT_CLI
359	help
360	  Enable WPA CLI support for wpa_supplicant.
361
362if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
363	config MBEDTLS_SSL_MAX_CONTENT_LEN
364		default 16384
365endif
366
367config WIFI_NM_WPA_SUPPLICANT_ROAMING
368	bool "Roaming support"
369	imply IEEE80211R
370	help
371	  Enable roaming support with wpa_supplicant. When current BSS RSSI drops,
372	  STA will try to find an AP with better RSSI. If found, STA will reassociate
373	  to the new AP automatically without losing connection.
374
375config WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING
376	bool "Skip DHCP after roaming to new AP"
377	help
378	  For L2 roaming, the original AP and the new AP are in the same subnet, so the
379	  client can keep its IP address and skip DHCP. Enable this to skip DHCP.
380	  For L3 roaming, the original AP and the new AP are in different subnets, so the
381	  client needs a new IP address after roaming. Disable this to keep
382	  DHCP after roaming.
383
384# Create hidden config options that are used in hostap. This way we do not need
385# to mark them as allowed for CI checks, and also someone else cannot use the
386# same name options.
387
388config SME
389	bool
390	default y
391
392config NO_CONFIG_WRITE
393	bool
394	default y
395
396config NO_CONFIG_BLOBS
397	bool
398	default y if !WIFI_NM_WPA_SUPPLICANT_DPP && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
399
400config CTRL_IFACE
401	bool
402	default y
403
404config CTRL_IFACE_ZEPHYR
405	bool
406	default y
407
408config NO_RANDOM_POOL
409	bool
410	default y
411
412config WNM
413	bool
414
415config NO_WPA
416	bool
417	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
418
419config NO_PBKDF2
420	bool
421	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
422
423config SAE_PK
424	bool
425
426config FST
427	bool
428
429config TESTING_OPTIONS
430	bool
431
432config AP
433	bool
434	depends on WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
435	default y if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_HOSTAPD_AP
436
437config NO_RADIUS
438	bool
439
440config NO_VLAN
441	bool
442
443config NO_ACCOUNTING
444	bool
445
446config NEED_AP_MLME
447	bool
448
449config IEEE80211AX
450	bool
451
452config EAP_SERVER
453	bool
454
455config EAP_SERVER_IDENTITY
456	bool
457
458config P2P
459	bool
460
461config GAS
462	bool
463
464config GAS_SERVER
465	bool
466
467config OFFCHANNEL
468	bool
469
470config WPS
471	bool
472
473config WSC
474	bool
475
476config IEEE8021X_EAPOL
477	bool
478
479config CRYPTO_INTERNAL
480	bool
481
482config ECC
483	bool
484
485config MBO
486	bool
487
488config NO_STDOUT_DEBUG
489	bool
490
491config SAE
492	bool
493
494config SHA256
495	bool
496
497config SHA384
498	bool
499
500config SHA512
501	bool
502
503config SUITEB192
504	bool
505
506config SUITEB
507	bool
508
509config WEP
510	bool
511	default y if WIFI_NM_WPA_SUPPLICANT_WEP
512
513config WPA_CRYPTO
514	bool
515
516config WPA_SUPP_CRYPTO
517	bool
518
519config ROBUST_AV
520	bool
521	default y
522	depends on WIFI_NM_WPA_SUPPLICANT_ROBUST_AV
523
524config RRM
525	bool
526	default y
527	depends on WIFI_NM_WPA_SUPPLICANT_RRM
528
529config WMM_AC
530	bool
531
532config DPP
533	bool
534
535config DPP2
536	bool
537
538config DPP3
539	bool
540
541config ACS
542	bool
543
544config IEEE80211AC
545	bool
546
547config IEEE80211R
548	bool
549	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
550
551config NW_SEL_RELIABILITY
552	bool
553	default y
554	depends on WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
555
556choice WIFI_NM_WPA_SUPPLICANT_NW_SEL
557	prompt "WPA supplicant Network selection criterion"
558	default WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
559	help
560	  Select the network selection method for the supplicant.
561
562config WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
563	bool "Throughput based network selection"
564	help
565	  Select the network based on throughput.
566
567config WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
568	bool "Reliability based network selection"
569	help
570	  Select the network based on reliability.
571
572endchoice
573
574config SAE_PWE_EARLY_EXIT
575	bool "Exit early if PWE is found"
576	help
577	  To mitigate side-channel attacks, the WPA supplicant runs all PWE derivation
578	  iterations even after the PWE is found. This can be intensive on low-resource
579	  systems, so this option exits early instead. Exiting early exposes the timing
580	  side channel the full iterations hide: highly insecure, not for production use.
581
582config WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
583	bool
584	depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
585
586config WIFI_NM_WPA_CTRL_RESP_TIMEOUT_S
587	int "WPA supplicant control interface response timeout in seconds"
588	default 15
589	help
590	  Timeout for the control interface commands to get a response from the
591	  supplicant.
592
593endif # WIFI_NM_WPA_SUPPLICANT
594