From: Kirill A. Korinsky Subject: Re: wifi protected management frame (PMF) support To: Peter Hessler Cc: tech@openbsd.org Date: Wed, 03 Dec 2025 23:33:23 +0100 On Wed, 03 Dec 2025 23:12:18 +0100, Peter Hessler wrote: > > On 2025 Dec 03 (Wed) at 22:57:26 +0100 (+0100), Kirill A. Korinsky wrote: > :On Sun, 23 Nov 2025 16:44:39 +0100, > :Kirill A. Korinsky wrote: > :> > :> On Sat, 22 Nov 2025 22:45:08 +0100, > :> Stefan Sperling wrote: > :> > > :> > This patch adds protected management frame support to iwm, iwx, and qwx. > :> > Support for PMF is a prerequisite for WPA3. > :> > > :> > I am sending this as one giant patch for testing. I do have incremental > :> > changes with individual commit messages which make review a bit easier. > :> > If you would like to review these diffs individually, please ask me to > :> > send them to you. > :> > > :> > Tested by me on: > :> > iwm 7265, 9265 (offloads unicast PMF, multicast is done in software) > :> > iwx AX200 (offloads both unicast and multicast PMF) > :> > qwx QCNFA765 (offloads unicast PMF, multicast is done in software) > :> > > :> > Use of PMF is controlled by the access point, so there is nothing to > :> > configure with ifconfig. Please check if your access point offers settings > :> > related to management frame protection related when testing this. > :> > Tests in any combination of PMF disabled/optional/required across a range > :> > of access points would be welcome. > :> > > :> > In particular, I don't have any iwx "MA" devices to test with. There > :> > could still be unexpected problems such as firmware crashes on these. > :> > If you enable 'ifconfig iwx0 debug' then the driver should display the > :> > name of its firmware file in dmesg. If this name begins with "iwx-ma-" > :> > then you are using an MA device. > :> > > :> > :> Tested on: > :> > :> iwx0 at pci0 dev 20 function 3 "Intel Wi-Fi 6 AX201" rev 0x00, msix > :> iwx0: hw rev 0x350, fw 77.a20fb07d.0, address 98:8d:46:21:2b:6d > :> > :> against both optional and required PMF on network based on Unifi Nano HD > :> version 6.7.31 > :> > : > :Interesting, after installing today snapshot: > : > :Build date: 1764790226 - Wed Dec 3 19:30:26 UTC 2025 > : > :I have: > : > :iwx0: flags=a48843 mtu 1500 > : lladdr 98:8d:46:21:2b:6d > : index 1 priority 4 llprio 3 > : groups: wlan > : media: IEEE802.11 autoselect > : status: no network > : ieee80211: nwid "catap's Network" wpakey wpaprotos wpa2 wpaakms sha256-psk wpaciphers ccmp wpagroupcipher ccmp > : inet6 fe80::9a8d:46ff:fe21:2b6d%iwx0 prefixlen 64 scopeid 0x1 > : > :but as soon as I've switched network to PMF required from optional, it > :works as expected: > : > :iwx0: flags=a48843 mtu 1500 > : lladdr 98:8d:46:21:2b:6d > : index 1 priority 4 llprio 3 > : groups: wlan egress > : media: IEEE802.11 autoselect (VHT-MCS3 mode 11ac) > : status: active > : ieee80211: join "catap's Network" chan 40 bssid b4:fb:e4:8b:0d:78 62% wpakey wpaprotos wpa2 wpaakms sha256-psk wpaciphers ccmp wpagroupcipher ccmp > : inet6 fe80::9a8d:46ff:fe21:2b6d%iwx0 prefixlen 64 scopeid 0x1 > : inet 172.31.2.77 netmask 0xffffff00 broadcast 172.31.2.255 > : > :switching network back to optional brokes it. > : > :-- > :wbr, Kirill > : > > That's the same behaviour I saw, I sent a patch in this thread to fix it. > > I've tried https://marc.info/?l=openbsd-tech&m=176479083517754&w=2 and it, indeed, fixes my issue -- wbr, Kirill