From: Kirill A. Korinsky <kirill@korins.ky>
Subject: Re: wifi protected management frame (PMF) support
To: tech@openbsd.org
Date: Wed, 03 Dec 2025 22:57:26 +0100

On Sun, 23 Nov 2025 16:44:39 +0100,
Kirill A. Korinsky <kirill@korins.ky> wrote:
> 
> On Sat, 22 Nov 2025 22:45:08 +0100,
> Stefan Sperling <stsp@stsp.name> wrote:
> > 
> > This patch adds protected management frame support to iwm, iwx, and qwx.
> > Support for PMF is a prerequisite for WPA3.
> > 
> > I am sending this as one giant patch for testing. I do have incremental
> > changes with individual commit messages which make review a bit easier.
> > If you would like to review these diffs individually, please ask me to
> > send them to you.
> > 
> > Tested by me on:
> > iwm 7265, 9265	(offloads unicast PMF, multicast is done in software)
> > iwx AX200	(offloads both unicast and multicast PMF)
> > qwx QCNFA765	(offloads unicast PMF, multicast is done in software)
> > 
> > Use of PMF is controlled by the access point, so there is nothing to
> > configure with ifconfig. Please check if your access point offers settings
> > related to management frame protection related when testing this.
> > Tests in any combination of PMF disabled/optional/required across a range
> > of access points would be welcome.
> > 
> > In particular, I don't have any iwx "MA" devices to test with. There
> > could still be unexpected problems such as firmware crashes on these.
> > If you enable 'ifconfig iwx0 debug' then the driver should display the
> > name of its firmware file in dmesg. If this name begins with "iwx-ma-"
> > then you are using an MA device.
> >
> 
> Tested on:
> 
> iwx0 at pci0 dev 20 function 3 "Intel Wi-Fi 6 AX201" rev 0x00, msix
> iwx0: hw rev 0x350, fw 77.a20fb07d.0, address 98:8d:46:21:2b:6d
> 
> against both optional and required PMF on network based on Unifi Nano HD
> version 6.7.31
> 

Interesting, after installing today snapshot:

Build date: 1764790226 - Wed Dec  3 19:30:26 UTC 2025

I have:

iwx0: flags=a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4> mtu 1500
        lladdr 98:8d:46:21:2b:6d
        index 1 priority 4 llprio 3
        groups: wlan
        media: IEEE802.11 autoselect
        status: no network
        ieee80211: nwid "catap's Network" wpakey wpaprotos wpa2 wpaakms sha256-psk wpaciphers ccmp wpagroupcipher ccmp
        inet6 fe80::9a8d:46ff:fe21:2b6d%iwx0 prefixlen 64 scopeid 0x1

but as soon as I've switched network to PMF required from optional, it
works as expected:

iwx0: flags=a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4> mtu 1500
        lladdr 98:8d:46:21:2b:6d
        index 1 priority 4 llprio 3
        groups: wlan egress
        media: IEEE802.11 autoselect (VHT-MCS3 mode 11ac)
        status: active
        ieee80211: join "catap's Network" chan 40 bssid b4:fb:e4:8b:0d:78 62% wpakey wpaprotos wpa2 wpaakms sha256-psk wpaciphers ccmp wpagroupcipher ccmp
        inet6 fe80::9a8d:46ff:fe21:2b6d%iwx0 prefixlen 64 scopeid 0x1
        inet 172.31.2.77 netmask 0xffffff00 broadcast 172.31.2.255

switching network back to optional brokes it.

-- 
wbr, Kirill