575 lines
12 KiB
Plaintext
575 lines
12 KiB
Plaintext
# WPA Supplicant configuration options
|
|
#
|
|
# Copyright (c) 2023 Nordic Semiconductor
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT
|
|
bool "WPA Suplicant from hostap project [EXPERIMENTAL]"
|
|
select POSIX_TIMERS
|
|
select POSIX_SIGNALS
|
|
select POSIX_API
|
|
select FILE_SYSTEM
|
|
select NET_SOCKETS
|
|
select NET_SOCKETS_PACKET
|
|
select NET_SOCKETPAIR
|
|
select NET_L2_WIFI_MGMT
|
|
select WIFI_NM
|
|
select EXPERIMENTAL
|
|
select COMMON_LIBC_MALLOC
|
|
help
|
|
WPA supplicant as a network management backend for WIFI_NM.
|
|
|
|
if WIFI_NM_WPA_SUPPLICANT
|
|
|
|
config HEAP_MEM_POOL_ADD_SIZE_HOSTAP
|
|
def_int 85000 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE && !MBEDTLS_ENABLE_HEAP
|
|
def_int 40000 if WIFI_NM_WPA_SUPPLICANT_AP
|
|
# 8192 for MbedTLS heap
|
|
def_int 21808 if MBEDTLS_ENABLE_HEAP
|
|
# 30K is mandatory, but might need more for long duration use cases
|
|
def_int 30000
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_THREAD_STACK_SIZE
|
|
int "Stack size for wpa_supplicant thread"
|
|
default 8192
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WQ_STACK_SIZE
|
|
int "Stack size for wpa_supplicant iface workqueue"
|
|
default 6144
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WQ_PRIO
|
|
int "Thread priority of wpa_supplicant iface workqueue"
|
|
default 7
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_PRIO
|
|
int "Thread priority of wpa_supplicant"
|
|
default 0
|
|
|
|
# Currently we default ZVFS_OPEN_MAX to 16 in lib/posix/Kconfig
|
|
# l2_packet - 1
|
|
# ctrl_iface - 2 * socketpairs = 4(local and global)
|
|
# z_wpa_event_sock - 1 socketpair = 2
|
|
# Remaining left for the applications running in default configuration
|
|
|
|
# Supplicant API is stack heavy (buffers + snprintfs) and control interface
|
|
# uses socketpair which pushes the stack usage causing overflow for 2048 bytes.
|
|
# So we set SYSTEM_WORKQUEUE_STACK_SIZE default to 2560 in kernel/Kconfig
|
|
|
|
module = WIFI_NM_WPA_SUPPLICANT
|
|
module-str = WPA supplicant
|
|
source "subsys/logging/Kconfig.template.log_config"
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_DEBUG_LEVEL
|
|
int "Min compiled-in debug message level for WPA supplicant"
|
|
default 0 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG # MSG_EXCESSIVE
|
|
default 3 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_INF # MSG_INFO
|
|
default 4 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_WRN # MSG_WARNING
|
|
default 5 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_ERR # MSG_ERROR
|
|
default 6
|
|
help
|
|
Minimum priority level of a debug message emitted by WPA supplicant that
|
|
is compiled-in the firmware. See wpa_debug.h file of the supplicant for
|
|
available levels and functions for emitting the messages. Note that
|
|
runtime filtering can also be configured in addition to the compile-time
|
|
filtering.
|
|
|
|
# Memory optimizations
|
|
config WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES
|
|
bool "Advanced features"
|
|
default y
|
|
|
|
if WIFI_NM_WPA_SUPPLICANT_ADVANCED_FEATURES
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_ROBUST_AV
|
|
bool "Robust Audio Video streaming support"
|
|
default y
|
|
|
|
# Hidden as these are mandatory for WFA certification
|
|
config WIFI_NM_WPA_SUPPLICANT_WMM_AC
|
|
bool
|
|
default y
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_MBO
|
|
bool
|
|
default y
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WNM
|
|
bool "Wireless Network Management support"
|
|
default y
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_RRM
|
|
bool "Radio Resource Management support"
|
|
default y
|
|
endif
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WEP
|
|
bool "WEP (Legacy crypto) support"
|
|
|
|
choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
|
|
prompt "WPA supplicant crypto implementation"
|
|
default WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
|
|
help
|
|
Select the crypto implementation to use for WPA supplicant.
|
|
WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT supports enterprise mode
|
|
and DPP.
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO
|
|
bool "Crypto support for WiFi"
|
|
select MBEDTLS
|
|
select MBEDTLS_SHA1
|
|
select MBEDTLS_CIPHER
|
|
select MBEDTLS_CIPHER_MODE_CTR_ENABLED
|
|
select MBEDTLS_CIPHER_MODE_CBC_ENABLED
|
|
select MBEDTLS_CIPHER_AES_ENABLED
|
|
select MBEDTLS_ECP_C
|
|
select MBEDTLS_ECP_ALL_ENABLED
|
|
select MBEDTLS_CMAC
|
|
select MBEDTLS_PKCS5_C
|
|
select MBEDTLS_PK_WRITE_C
|
|
select MBEDTLS_ECDH_C
|
|
select MBEDTLS_ECDSA_C
|
|
select MBEDTLS_ECJPAKE_C
|
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
|
|
bool "Crypto Mbedtls alt support for WiFi"
|
|
select MBEDTLS
|
|
select MBEDTLS_CIPHER_MODE_CTR_ENABLED
|
|
select MBEDTLS_CIPHER_MODE_CBC_ENABLED
|
|
select MBEDTLS_CIPHER_AES_ENABLED
|
|
select MBEDTLS_CIPHER_DES_ENABLED
|
|
select MBEDTLS_MD5
|
|
select MBEDTLS_SHA1
|
|
select MBEDTLS_ENTROPY_C
|
|
select MBEDTLS_CIPHER
|
|
select MBEDTLS_ECP_C
|
|
select MBEDTLS_ECP_ALL_ENABLED
|
|
select MBEDTLS_CMAC
|
|
select MBEDTLS_PKCS5_C
|
|
select MBEDTLS_PK_WRITE_C
|
|
select MBEDTLS_ECDH_C
|
|
select MBEDTLS_ECDSA_C
|
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
|
select MBEDTLS_NIST_KW_C
|
|
select MBEDTLS_DHM_C
|
|
select MBEDTLS_HKDF_C
|
|
select MBEDTLS_SERVER_NAME_INDICATION
|
|
select MBEDTLS_X509_CRL_PARSE_C
|
|
select MBEDTLS_TLS_VERSION_1_2
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
|
|
bool "No Crypto support for WiFi"
|
|
|
|
endchoice
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
|
|
bool "Crypto Platform Secure Architecture support for WiFi"
|
|
help
|
|
Support Mbedtls 3.x to use PSA apis instead of legacy apis.
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
|
|
bool "Enterprise Crypto support for WiFi"
|
|
select MBEDTLS_PEM_CERTIFICATE_FORMAT
|
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
|
|
|
|
config EAP_TLS
|
|
bool "EAP-TLS support"
|
|
|
|
config EAP_TTLS
|
|
bool "EAP-TTLS support"
|
|
|
|
config EAP_PEAP
|
|
bool "EAP-PEAP support"
|
|
|
|
config EAP_MD5
|
|
bool "EAP-MD5 support"
|
|
|
|
config EAP_GTC
|
|
bool "EAP-GTC support"
|
|
|
|
config EAP_MSCHAPV2
|
|
bool "EAP-MSCHAPv2 support"
|
|
|
|
config EAP_LEAP
|
|
bool "EAP-LEAP support"
|
|
|
|
config EAP_PSK
|
|
bool "EAP-PSK support"
|
|
|
|
config EAP_PAX
|
|
bool "EAP-PAX support"
|
|
|
|
config EAP_SAKE
|
|
bool "EAP-SAKE support"
|
|
|
|
config EAP_GPSK
|
|
bool "EAP-GPSK support"
|
|
|
|
config EAP_PWD
|
|
bool "EAP-PWD support"
|
|
|
|
config EAP_EKE
|
|
bool "EAP-EKE support"
|
|
|
|
config EAP_IKEV2
|
|
bool "EAP-IKEv2 support"
|
|
|
|
config EAP_SIM
|
|
bool "EAP-SIM support"
|
|
|
|
config EAP_AKA
|
|
bool "EAP-AKA support"
|
|
|
|
config EAP_ALL
|
|
bool "All EAP methods support"
|
|
select EAP_TLS
|
|
default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WPA3
|
|
bool "WPA3 support"
|
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
|
|
default y
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_AP
|
|
bool "SoftAP mode support based on WPA supplicant"
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_WPS
|
|
bool "WPS support"
|
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_P2P
|
|
bool "P2P mode support"
|
|
select WIFI_NM_WPA_SUPPLICANT_AP
|
|
select WIFI_NM_WPA_SUPPLICANT_WPS
|
|
select WIFI_NM_WPA_SUPPLICANT_EAPOL
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_EAPOL
|
|
bool "EAPoL supplicant"
|
|
default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CLI
|
|
bool "CLI support for wpa_supplicant"
|
|
default n
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_INF_MON
|
|
bool "Monitor the net mgmt event to add/del interface"
|
|
default y
|
|
|
|
config WIFI_NM_HOSTAPD_AP
|
|
bool "FullAP mode support based on Hostapd"
|
|
depends on !WIFI_NM_WPA_SUPPLICANT_INF_MON
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME
|
|
int "BSS max idle timeout in seconds"
|
|
range 0 64000
|
|
default 300
|
|
help
|
|
BSS max idle timeout is the period for which AP may keep a client
|
|
in associated state while there is no traffic from that particular
|
|
client. Set 0 to disable inclusion of BSS max idle time tag in
|
|
association request. If a non-zero value is set, STA can suggest a
|
|
timeout by including BSS max idle period in the association request.
|
|
AP may choose to consider or ignore the STA's preferred value.
|
|
Ref: Sec 11.21.13 of IEEE Std 802.11™-2020
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_NO_DEBUG
|
|
bool "Disable printing of debug messages, saves code size significantly"
|
|
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_DPP
|
|
bool "WFA Easy Connect DPP"
|
|
select DPP
|
|
select DPP2
|
|
select DPP3
|
|
select GAS
|
|
select GAS_SERVER
|
|
select OFFCHANNEL
|
|
select MBEDTLS_X509_CSR_WRITE_C
|
|
select MBEDTLS_X509_CSR_PARSE_C
|
|
|
|
config WPA_CLI
|
|
bool "WPA CLI support"
|
|
help
|
|
Enable WPA CLI support for wpa_supplicant.
|
|
|
|
if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
|
|
config MBEDTLS_SSL_MAX_CONTENT_LEN
|
|
default 16384
|
|
endif
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_ROAMING
|
|
bool "Roaming support"
|
|
imply IEEE80211R
|
|
help
|
|
Enable roaming support with wpa_supplicant. When current BSS RSSI drops,
|
|
STA will try to find an AP with better RSSI. If found, STA will reassociate
|
|
to the new AP automatically without losing connection.
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING
|
|
bool "Skip DHCP after roaming to new AP"
|
|
help
|
|
For L2 roaming, the original AP and new AP are in the same subnet, client
|
|
can use same IP address and skip DHCP. Enable this to skip DHCP.
|
|
For L3 roaming, the original AP and new AP are in different subnet, client
|
|
needs to get new IP address after roaming to new AP. Disable this to keep
|
|
DHCP after roaming.
|
|
|
|
# Create hidden config options that are used in hostap. This way we do not need
|
|
# to mark them as allowed for CI checks, and also someone else cannot use the
|
|
# same name options.
|
|
|
|
config SME
|
|
bool
|
|
default y
|
|
|
|
config NO_CONFIG_WRITE
|
|
bool
|
|
default y
|
|
|
|
config NO_CONFIG_BLOBS
|
|
bool
|
|
default y if !WIFI_NM_WPA_SUPPLICANT_DPP && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
|
|
|
|
config CTRL_IFACE
|
|
bool
|
|
default y
|
|
|
|
config CTRL_IFACE_ZEPHYR
|
|
bool
|
|
default y
|
|
|
|
config NO_RANDOM_POOL
|
|
bool
|
|
default y
|
|
|
|
config WNM
|
|
bool
|
|
|
|
config NO_WPA
|
|
bool
|
|
default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
|
|
|
|
config NO_PBKDF2
|
|
bool
|
|
default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
|
|
|
|
config SAE_PK
|
|
bool
|
|
|
|
config FST
|
|
bool
|
|
|
|
config TESTING_OPTIONS
|
|
bool
|
|
|
|
config AP
|
|
bool
|
|
depends on WIFI_NM_WPA_SUPPLICANT_AP
|
|
default y if WIFI_NM_WPA_SUPPLICANT_AP
|
|
|
|
config NO_RADIUS
|
|
bool
|
|
|
|
config NO_VLAN
|
|
bool
|
|
|
|
config NO_ACCOUNTING
|
|
bool
|
|
|
|
config NEED_AP_MLME
|
|
bool
|
|
|
|
config IEEE80211AX
|
|
bool
|
|
|
|
config EAP_SERVER
|
|
bool
|
|
|
|
config EAP_SERVER_IDENTITY
|
|
bool
|
|
|
|
config P2P
|
|
bool
|
|
|
|
config GAS
|
|
bool
|
|
|
|
config GAS_SERVER
|
|
bool
|
|
|
|
config OFFCHANNEL
|
|
bool
|
|
|
|
config WPS
|
|
bool
|
|
|
|
config WSC
|
|
bool
|
|
|
|
config EAP_TLS
|
|
bool
|
|
|
|
config IEEE8021X_EAPOL
|
|
bool
|
|
|
|
config EAP_PEAP
|
|
bool
|
|
|
|
config EAP_TTLS
|
|
bool
|
|
|
|
config EAP_MD5
|
|
bool
|
|
|
|
config EAP_MSCHAPv2
|
|
bool
|
|
|
|
config EAP_LEAP
|
|
bool
|
|
|
|
config EAP_PSK
|
|
bool
|
|
|
|
config EAP_FAST
|
|
bool
|
|
|
|
config EAP_PAX
|
|
bool
|
|
|
|
config EAP_SAKE
|
|
bool
|
|
|
|
config EAP_GPSK
|
|
bool
|
|
|
|
config EAP_PWD
|
|
bool
|
|
|
|
config EAP_EKE
|
|
bool
|
|
|
|
config EAP_IKEv2
|
|
bool
|
|
|
|
config CRYPTO_INTERNAL
|
|
bool
|
|
|
|
config ECC
|
|
bool
|
|
|
|
config MBO
|
|
bool
|
|
|
|
config NO_STDOUT_DEBUG
|
|
bool
|
|
|
|
config SAE
|
|
bool
|
|
|
|
config SHA256
|
|
bool
|
|
|
|
config SHA384
|
|
bool
|
|
|
|
config SHA512
|
|
bool
|
|
|
|
config SUITEB192
|
|
bool
|
|
|
|
config SUITEB
|
|
bool
|
|
|
|
config WEP
|
|
bool
|
|
default y if WIFI_NM_WPA_SUPPLICANT_WEP
|
|
|
|
config WPA_CRYPTO
|
|
bool
|
|
|
|
config WPA_SUPP_CRYPTO
|
|
bool
|
|
|
|
config ROBUST_AV
|
|
bool
|
|
default y
|
|
depends on WIFI_NM_WPA_SUPPLICANT_ROBUST_AV
|
|
|
|
config RRM
|
|
bool
|
|
default y
|
|
depends on WIFI_NM_WPA_SUPPLICANT_RRM
|
|
|
|
config WMM_AC
|
|
bool
|
|
|
|
config DPP
|
|
bool
|
|
|
|
config DPP2
|
|
bool
|
|
|
|
config DPP3
|
|
bool
|
|
|
|
config ACS
|
|
bool
|
|
|
|
config IEEE80211AC
|
|
bool
|
|
|
|
config IEEE80211R
|
|
bool
|
|
depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
|
|
|
|
config NW_SEL_RELIABILITY
|
|
bool
|
|
default y
|
|
depends on WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
|
|
|
|
choice WIFI_NM_WPA_SUPPLICANT_NW_SEL
|
|
prompt "WPA supplicant Network selection criterion"
|
|
default WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
|
|
help
|
|
Select the network selection method for the supplicant.
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_NW_SEL_THROUGHPUT
|
|
bool "Throughput based network selection"
|
|
help
|
|
Select the network based on throughput.
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
|
|
bool "Reliability based network selection"
|
|
help
|
|
Select the network based on reliability.
|
|
|
|
endchoice
|
|
|
|
config SAE_PWE_EARLY_EXIT
|
|
bool "Exit early if PWE if found"
|
|
help
|
|
In order to mitigate side channel attacks, even if the PWE is found the WPA
|
|
supplicant goes through full iterations, but in some low-resource systems
|
|
this can be intensive, so, add an option to exit early.
|
|
Note that this is highly insecure and shouldn't be used in production
|
|
|
|
config WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
|
|
bool
|
|
depends on WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
|
|
|
|
config WIFI_NM_WPA_CTRL_RESP_TIMEOUT_S
|
|
int "WPA supplicant control interface response timeout in seconds"
|
|
default 15
|
|
help
|
|
Timeout for the control interface commands to get a response from the
|
|
supplicant.
|
|
|
|
endif # WIFI_NM_WPA_SUPPLICANT
|