doc: nrf: Create documentation for advanced Wi-Fi security modes.

Create documentation for enterprise mode and PSA. Add entry in migration
guide for the syntax change in `wifi_cred add` command.

Signed-off-by: Ravi Dondaputi <[email protected]>
Signed-off-by: Vivekananda Uppunda <[email protected]>
Signed-off-by: Chaitanya Tata <[email protected]>

doc/nrf/app_dev/device_guides/nrf70/features.rst

@@ -49,6 +49,7 @@ The nRF70 Series devices also support the following functionalities:
 
 * :ref:`ug_nrf70_developing_raw_ieee_80211_packet_transmission`: Allows the injection of raw IEEE 802.11 frames in Station and Monitor modes.
 * :ref:`Promiscuous reception <ug_nrf70_developing_promiscuous_packet_reception>`: Allows the reception of IEEE 802.11 packets from a connected BSSID when operating in Station mode.
+* :ref:`Wi-Fi Advanced security modes <ug_nrf70_wifi_advanced_security_modes>`: Allows usage of certificate based Wi-Fi security and Platform Security Architecture(PSA) security framework.
 
 Peer-to-peer support in the form of Wi-Fi Direct® will be available in the future.
 

doc/nrf/protocols/wifi/advanced_modes/index.rst

@@ -14,3 +14,4 @@ The following subpages cover topics related to the transmission and reception of
    sniffer_rx_operation
    promiscuous_operation
    offloaded_raw_tx
+   wifi_advanced_security_modes.rst

doc/nrf/protocols/wifi/advanced_modes/wifi_advanced_security_modes.rst

@@ -0,0 +1,79 @@
+.. _ug_nrf70_wifi_advanced_security_modes:
+
+Wi-Fi advanced security modes
+#############################
+
+.. contents::
+   :local:
+   :depth: 2
+
+The nRF70 Series device Wi-Fi solution supports various advanced security modes to provide secure communication over Wi-Fi.
+The advanced security modes supported by the nRF70 Series device Wi-Fi solution are:
+
+* Wi-Fi Enterprise security
+* Wi-Fi PSA support
+
+Wi-Fi Enterprise security
+*************************
+
+Te nRF70 Series device Wi-Fi solution supports Wi-Fi Enterprise security, the below methods are supported:
+
+* WPA2-EAP-TLS
+
+Below sections provide details on how to enable and use Wi-Fi Enterprise security in your applications.
+
+
+Wi-Fi Enterprise test: X.509 Certificate header generation
+==========================================================
+
+Wi-Fi enterprise security requires use of X.509 certificates, test certificates
+in PEM format are committed to the repo at :zephyr_file:`subsys/net/lib/wifi_credentials/test_certs` and the during the
+build process the certificates are converted to a C header file that is included by the Wi-Fi shell
+module.
+
+.. note::
+
+    Only samples that use :ref:`Wi-Fi Credentials <lib_wifi_credentials>` library support Wi-Fi Enterprise security.
+
+
+.. code-block:: bash
+
+    $ cp client.pem subsys/net/lib/wifi_credentials/test_certs/
+    $ cp client-key.pem subsys/net/lib/wifi_credentials/test_certs/
+    $ cp ca.pem subsys/net/lib/wifi_credentials/test_certs/
+    $ west build -p -b <board> samples/wifi/sta -- -DEXTRA_CONF_FILE=overlay-enterprise.conf
+
+To initiate Wi-Fi connection, the following command can be used:
+
+.. code-block:: console
+
+    uart:~$ wifi connect -s <SSID> -k 7 -a anon -K <key passphrase>
+
+Server certificate is also provided in the same directory for testing purposes.
+Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``.
+
+.. note::
+
+    The certificates are for testing purposes only and should not be used in production.
+    They are generated using `FreeRADIUS raddb <https://github.com/FreeRADIUS/freeradius-server/tree/master/raddb/certs>`_ scripts.
+
+
+Wi-Fi PSA support
+*****************
+
+The nRF70 Series device Wi-Fi solution supports `Platform Security Architecture (PSA)`_ (PSA) APIs for cryptographic operations.
+
+The nRF70 Series device Wi-Fi solution currently supports only WPA2-personal security profile in PSA mode.
+WPA3-personal and Enterprise security profiles will be supported in future releases using PSA APIs.
+
+
+Enabling Wi-Fi PSA support
+==========================
+
+To enable the Wi-Fi PSA support in your applications, you must enable the :kconfig:option:`CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA` Kconfig option in your application.
+
+.. code-block:: console
+
+    $ west build -p -b <board> samples/wifi/shell -- -DCONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA=y
+
+Wi-Fi connection process is similar to the non-PSA mode, the only difference is that the cryptographic operations are performed using PSA APIs.

doc/nrf/releases_and_maturity/migration/migration_guide_2.8.rst

@@ -121,7 +121,11 @@ nRF70 Series
 Libraries
 =========
 
-This section describes the changes related to libraries.
+Wi-Fi®
+------
+
+  * For :ref:`lib_wifi_credentials` library:
+    Syntax for `add` command has been modified to support getopt model.
 
 LTE link control library
 ------------------------

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

@@ -257,6 +257,7 @@ Wi-Fi
 
 * The WPA supplicant is now switched to Zephyr upstream's fork instead of |NCS|.
 * Added the :ref:`ug_nrf70_developing_offloaded_raw_tx` page.
+* Added support advanced security modes in the Wi-Fi stack, please see the :ref:`ug_nrf70_wifi_advanced_security_modes` page for more information.
 
 Applications
 ============
@@ -711,6 +712,11 @@ Wi-Fi samples
 
   * Added support for running the full stack on the Thingy:91 X.
      This is a special configuration that uses the nRF5340 as the host chip instead of the nRF9151.
+  * Added overlay to support enterprise mode.
+
+* :ref:`wifi_sta_sample` sample:
+
+  * Added overlay to support enterprise mode.
 
 Other samples
 -------------