Enabling WPA3 on Raspberry Pi
Introduction
After getting the Raspberry Pi 5 it was very disappointing to see that it does not support WPA3 for WiFi connections.
$ iw list
Wiphy phy0
wiphy index: 0
...
Supported extended features:
* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
* [ DFS_OFFLOAD ]: DFS offload
There is even a ticket open on GitHub, and despite a lot of comments, it seems nobody really cares.
Luckily, another ticket suggests the actual cause: the Raspberry OS just ships a WiFi firmware with SAE support disabled. SAE support is required to enable WPA3.
Installing new firmware
The Raspberry OS (Bookworm) has chosen to put the firmware of the WiFi hardware behind the Debian alternatives system.
$ update-alternatives --get-selections
...
cyfmac43455-sdio.bin auto /lib/firmware/cypress/cyfmac43455-sdio-standard.bin
...
$ update-alternatives --list cyfmac43455-sdio.bin
/lib/firmware/cypress/cyfmac43455-sdio-minimal.bin
/lib/firmware/cypress/cyfmac43455-sdio-standard.bin
The problem is that neither of the two firmware files provided supports any kind of SAE operation, so neither can enable WPA3.
$ strings /lib/firmware/cypress/cyfmac43455-sdio-standard.bin | grep FWID
3455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-lpc-pwropt-43455_ftrs-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv Version: 7.45.241 (1a2f2fa CY) CRC: 959ad1c7 Date: Mon 2021-11-01 00:40:29 PDT Ucode Ver: 1043.2164 FWID 01-703fd60
$ strings /lib/firmware/cypress/cyfmac43455-sdio-minimal.bin | grep FWID
43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-lpc-pwropt-txbf-wl11u-wfds-mfp-wowlpf-idsup-idauth-maxclients-noclminc-clm_min Version: 7.45.241 (1a2f2fa CY) CRC: 349757d5 Date: Mon 2021-11-01 00:40:07 PDT Ucode Ver: 1043.2164 FWID 01-5209c09
Maybe you need to ask Broadcom/Cypress for a WPA3-enabled firmware or pay more money or something, but for hardware from 2023 it is really odd not to support WPA3.
However, if you compare the upstream firmware from the linux-firmware repository, you see that an older firmware actually supports SAE.
$ curl -L https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/cypress/cyfmac43455-sdio.bin -o /lib/firmware/cypress/cyfmac43455-sdio-upstream.bin
$ strings /lib/firmware/cypress/cyfmac43455-sdio-upstream.bin | grep FWID
43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-sae-dpp-sr-okc-bpd Version: 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2
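The comparison above can be scripted so that an image is checked before it is registered as an alternative. This is an added example, not part of the original post: it treats the hyphen-separated tags in the build string as the feature list (the reading the comparison above relies on), the function names are hypothetical, and the two sample strings are copied from the output shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): look for an exact feature tag
# in a firmware build string before installing the image.

# Sample build strings copied from the `strings ... | grep FWID` output on this page.
MINIMAL_LINE='43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-lpc-pwropt-txbf-wl11u-wfds-mfp-wowlpf-idsup-idauth-maxclients-noclminc-clm_min Version: 7.45.241 (1a2f2fa CY) CRC: 349757d5 Date: Mon 2021-11-01 00:40:07 PDT Ucode Ver: 1043.2164 FWID 01-5209c09'
UPSTREAM_LINE='43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv-gtkoe-roamprof-txbf-ve-sae-dpp-sr-okc-bpd Version: 7.45.234 (4ca95bb CY) CRC: 212e223d Date: Thu 2021-04-15 03:06:00 PDT Ucode Ver: 1043.2161 FWID 01-996384e2'

# fw_features BUILD_LINE: print one feature tag per line.
fw_features() (
    tags=${1%% Version:*}   # drop " Version: ..." and everything after it
    tags=${tags#*/}         # drop the "<chip>-roml/" prefix
    printf '%s\n' "$tags" | tr '-' '\n'
)

# fw_has_feature BUILD_LINE TAG: succeed only on an exact tag match, so that
# a query for "obss" is not satisfied by "obssdump".
fw_has_feature() {
    fw_features "$1" | grep -qx -- "$2"
}

# fw_build_line FILE: extract the build string from a firmware image.
fw_build_line() {
    strings "$1" | grep -m1 FWID
}

# When called with firmware files as arguments, report on each one and
# print its SHA-256 so the installed image can be re-checked later.
if [ "$#" -gt 0 ]; then
    for fw in "$@"; do
        line=$(fw_build_line "$fw") || { echo "$fw: no FWID build string" >&2; continue; }
        if fw_has_feature "$line" sae; then
            echo "$fw: sae tag present"
        else
            echo "$fw: no sae tag"
        fi
        sha256sum "$fw"
    done
fi
```

Run it with the candidate images as arguments, for example the three files under /lib/firmware/cypress/ named on this page.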
Now it is enough to install the firmware via the Debian alternatives system.
$ update-alternatives --install /lib/firmware/cypress/cyfmac43455-sdio.bin cyfmac43455-sdio.bin /lib/firmware/cypress/cyfmac43455-sdio-upstream.bin 100
$ update-alternatives --get-selections
...
cyfmac43455-sdio.bin auto /lib/firmware/cypress/cyfmac43455-sdio-upstream.bin
After a reboot, the device comes up with SAE support. If you use iwd instead of wpa_supplicant, it will start using WPA3 when the network supports it as well.
$ iw list
Wiphy phy0
wiphy index: 0
...
Supported extended features:
* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
* [ 4WAY_HANDSHAKE_STA_PSK ]: 4-way handshake with PSK in station mode
* [ 4WAY_HANDSHAKE_STA_1X ]: 4-way handshake with 802.1X in station mode
* [ DFS_OFFLOAD ]: DFS offload
* [ SAE_OFFLOAD ]: SAE offload support
* [ 4WAY_HANDSHAKE_AP_PSK ]: AP mode PSK offload support
* [ SAE_OFFLOAD_AP ]: AP mode SAE authentication offload support