From: Peter Hessler Subject: Re: wifi protected management frame (PMF) support To: tech@openbsd.org Date: Wed, 3 Dec 2025 23:12:18 +0100 On 2025 Dec 03 (Wed) at 22:57:26 +0100 (+0100), Kirill A. Korinsky wrote: :On Sun, 23 Nov 2025 16:44:39 +0100, :Kirill A. Korinsky wrote: :> :> On Sat, 22 Nov 2025 22:45:08 +0100, :> Stefan Sperling wrote: :> > :> > This patch adds protected management frame support to iwm, iwx, and qwx. :> > Support for PMF is a prerequisite for WPA3. :> > :> > I am sending this as one giant patch for testing. I do have incremental :> > changes with individual commit messages which make review a bit easier. :> > If you would like to review these diffs individually, please ask me to :> > send them to you. :> > :> > Tested by me on: :> > iwm 7265, 9265 (offloads unicast PMF, multicast is done in software) :> > iwx AX200 (offloads both unicast and multicast PMF) :> > qwx QCNFA765 (offloads unicast PMF, multicast is done in software) :> > :> > Use of PMF is controlled by the access point, so there is nothing to :> > configure with ifconfig. Please check if your access point offers settings :> > related to management frame protection related when testing this. :> > Tests in any combination of PMF disabled/optional/required across a range :> > of access points would be welcome. :> > :> > In particular, I don't have any iwx "MA" devices to test with. There :> > could still be unexpected problems such as firmware crashes on these. :> > If you enable 'ifconfig iwx0 debug' then the driver should display the :> > name of its firmware file in dmesg. If this name begins with "iwx-ma-" :> > then you are using an MA device. :> > :> :> Tested on: :> :> iwx0 at pci0 dev 20 function 3 "Intel Wi-Fi 6 AX201" rev 0x00, msix :> iwx0: hw rev 0x350, fw 77.a20fb07d.0, address 98:8d:46:21:2b:6d :> :> against both optional and required PMF on network based on Unifi Nano HD :> version 6.7.31 :> : :Interesting, after installing today snapshot: : :Build date: 1764790226 - Wed Dec 3 19:30:26 UTC 2025 : :I have: : :iwx0: flags=a48843 mtu 1500 : lladdr 98:8d:46:21:2b:6d : index 1 priority 4 llprio 3 : groups: wlan : media: IEEE802.11 autoselect : status: no network : ieee80211: nwid "catap's Network" wpakey wpaprotos wpa2 wpaakms sha256-psk wpaciphers ccmp wpagroupcipher ccmp : inet6 fe80::9a8d:46ff:fe21:2b6d%iwx0 prefixlen 64 scopeid 0x1 : :but as soon as I've switched network to PMF required from optional, it :works as expected: : :iwx0: flags=a48843 mtu 1500 : lladdr 98:8d:46:21:2b:6d : index 1 priority 4 llprio 3 : groups: wlan egress : media: IEEE802.11 autoselect (VHT-MCS3 mode 11ac) : status: active : ieee80211: join "catap's Network" chan 40 bssid b4:fb:e4:8b:0d:78 62% wpakey wpaprotos wpa2 wpaakms sha256-psk wpaciphers ccmp wpagroupcipher ccmp : inet6 fe80::9a8d:46ff:fe21:2b6d%iwx0 prefixlen 64 scopeid 0x1 : inet 172.31.2.77 netmask 0xffffff00 broadcast 172.31.2.255 : :switching network back to optional brokes it. : :-- :wbr, Kirill : That's the same behaviour I saw, I sent a patch in this thread to fix it. -- The older I grow the more I distrust the familiar doctrine that age brings wisdom. -- H. L. Mencken