From: Stefan Sperling
Subject: Re: qwz: enable WPA2 association on WCN7850
To: Marcus Glocker
Cc: tech@openbsd.org, Mark Kettenis, "Kirill A. Korinsky", Patrick Wildt
Date: Sun, 26 Apr 2026 07:56:10 +0200

On Sat, Apr 25, 2026 at 11:56:07PM +0200, Marcus Glocker wrote:
> Bring the qwz driver up to a working WPA2 client connection on the
> Qualcomm WCN7850 chip. Tested on the Samsung Galaxy Book4 Edge.

Thanks for making progress on this.

It looks like there are potential fixes in here for qwx as well,
in particular:

> 4. Make the WPA2 4-way handshake complete.
> Move WMI_PEER_AUTHORIZE to fire after key install, not before; the
> old order told the FW crypto was up while plain-text EAPOL was still
> in flight, crashing the FW. Mask the AID to its 14-bit value before
> handing it to the FW. Add the missing REO queue setup for non-QoS
> frames, which is where EAPOL lives.

The AID masking and REO queue fixes may also be needed in qwx.

The REO queue fixes are the changes which fix an off-by-one in loops
such as this one, correct?

- for (i = 0; i < IEEE80211_NUM_TID; i++) {
+ for (i = 0; i <= HAL_DESC_REO_NON_QOS_TID; i++) {

Regarding the PEER_AUTHORIZE command, did you gather evidence showing
that this command relates to the WPA handshake?
In qwx I have moved the PEER_AUTHORIZE command even earlier, see
dev/ic/qwx.c CVS revision 1.94. My assumption was that PEER_AUTHORIZE
hints at a successful AUTH frame exchange with the peer (might be
important in hostap mode, which we do not use), rather than a
successfully secured connection. But I have no evidence for my
assumption, and the change I made to qwx might be subtly wrong.
I will try out your change to see how qwx behaves with it.

>
> 5. Add non-coherent DMA cache sync on RX and TX.
> Without explicit flushes the CPU and FW see different bytes for
> the same buffer. This was the root cause of "garbage RX frames":
> they were always real EAPOL Msg 1 frames torn by stale CPU cache
> lines.

Again, this sounds like something which would apply to qwx as well.
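
Review bot: in the quoted loop change, the new bound `i <= HAL_DESC_REO_NON_QOS_TID` is inclusive where the old `i < IEEE80211_NUM_TID` was exclusive, so anything indexed by `i` inside these loops must have at least HAL_DESC_REO_NON_QOS_TID + 1 entries. The loop bodies are not visible in this excerpt; please confirm the per-TID arrays they touch are sized to match, and consider a short comment at each such loop stating that the last iteration is the non-QoS TID, since a bare `<=` otherwise reads like an off-by-one.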