diff --git a/doc/nrf/app_dev/device_guides/nrf70/features.rst b/doc/nrf/app_dev/device_guides/nrf70/features.rst index 7a3083818b0a..2abe5d24f74d 100644 --- a/doc/nrf/app_dev/device_guides/nrf70/features.rst +++ b/doc/nrf/app_dev/device_guides/nrf70/features.rst @@ -49,6 +49,7 @@ The nRF70 Series devices also support the following functionalities: * :ref:`ug_nrf70_developing_raw_ieee_80211_packet_transmission`: Allows the injection of raw IEEE 802.11 frames in Station and Monitor modes. * :ref:`Promiscuous reception `: Allows the reception of IEEE 802.11 packets from a connected BSSID when operating in Station mode. +* :ref:`Wi-Fi Advanced security modes `: Allows usage of certificate based Wi-Fi security and Platform Security Architecture(PSA) security framework. Peer-to-peer support in the form of Wi-Fi Direct® will be available in the future. diff --git a/doc/nrf/protocols/wifi/advanced_modes/index.rst b/doc/nrf/protocols/wifi/advanced_modes/index.rst index fe1d9c4d44c0..de7b33c0a412 100644 --- a/doc/nrf/protocols/wifi/advanced_modes/index.rst +++ b/doc/nrf/protocols/wifi/advanced_modes/index.rst @@ -14,3 +14,4 @@ The following subpages cover topics related to the transmission and reception of sniffer_rx_operation promiscuous_operation offloaded_raw_tx + wifi_advanced_security_modes.rst diff --git a/doc/nrf/protocols/wifi/advanced_modes/wifi_advanced_security_modes.rst b/doc/nrf/protocols/wifi/advanced_modes/wifi_advanced_security_modes.rst new file mode 100644 index 000000000000..9778ba3349a4 --- /dev/null +++ b/doc/nrf/protocols/wifi/advanced_modes/wifi_advanced_security_modes.rst 
@@ -0,0 +1,79 @@ +.. _ug_nrf70_wifi_advanced_security_modes: + +Wi-Fi advanced security modes +############################# + +.. contents:: + :local: + :depth: 2 + +The nRF70 Series device Wi-Fi solution supports various advanced security modes to provide secure communication over Wi-Fi. +The advanced security modes supported by the nRF70 Series device Wi-Fi solution are: + +* Wi-Fi Enterprise security +* Wi-Fi PSA support + +Wi-Fi Enterprise security +************************* + +Te nRF70 Series device Wi-Fi solution supports Wi-Fi Enterprise security, the below methods are supported: + +* WPA2-EAP-TLS + +Below sections provide details on how to enable and use Wi-Fi Enterprise security in your applications. + + +Wi-Fi Enterprise test: X.509 Certificate header generation +========================================================== + +Wi-Fi enterprise security requires use of X.509 certificates, test certificates +in PEM format are committed to the repo at :zephyr_file:`subsys/net/lib/wifi_credentials/test_certs` and the during the +build process the certificates are converted to a C header file that is included by the Wi-Fi shell +module. + +.. note:: + + Only samples that use :ref:`Wi-Fi Credentials ` library support Wi-Fi Enterprise security. + + +.. code-block:: bash + + $ cp client.pem subsys/net/lib/wifi_credentials/test_certs/ + $ cp client-key.pem subsys/net/lib/wifi_credentials/test_certs/ + $ cp ca.pem subsys/net/lib/wifi_credentials/test_certs/ + $ west build -p -b samples/wifi/sta -- -DEXTRA_CONF_FILE=overlay-enterprise.conf + +To initiate Wi-Fi connection, the following command can be used: + +.. code-block:: console + + uart:~$ wifi connect -s -k 7 -a anon -K + +Server certificate is also provided in the same directory for testing purposes. +Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``. + +.. note:: + + The certificates are for testing purposes only and should not be used in production. 
+ They are generated using `FreeRADIUS raddb `_ scripts. + + +Wi-Fi PSA support +***************** + +The nRF70 Series device Wi-Fi solution supports `Platform Security Architecture (PSA)`_ (PSA) APIs for cryptographic operations. + +The nRF70 Series device Wi-Fi solution currently supports only WPA2-personal security profile in PSA mode. +WPA3-personal and Enterprise security profiles will be supported in future releases using PSA APIs. + + +Enabling Wi-Fi PSA support +========================== + +To enable the Wi-Fi PSA support in your applications, you must enable the :kconfig:option:`CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA` Kconfig option in your application. + +.. code-block:: console + + $ west build -p -b samples/wifi/shell -- -DCONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA=y + +Wi-Fi connection process is similar to the non-PSA mode, the only difference is that the cryptographic operations are performed using PSA APIs. diff --git a/doc/nrf/releases_and_maturity/migration/migration_guide_2.8.rst b/doc/nrf/releases_and_maturity/migration/migration_guide_2.8.rst index bdac23da5824..f26b9521accc 100644 --- a/doc/nrf/releases_and_maturity/migration/migration_guide_2.8.rst +++ b/doc/nrf/releases_and_maturity/migration/migration_guide_2.8.rst @@ -121,7 +121,11 @@ nRF70 Series Libraries ========= -This section describes the changes related to libraries. +Wi-Fi® +------ + + * For :ref:`lib_wifi_credentials` library: + Syntax for `add` command has been modified to support getopt model. LTE link control library ------------------------ diff --git a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst index b53f64e559a1..597cdb7e47ed 100644 --- a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst +++ b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst 
@@ -257,6 +257,7 @@ Wi-Fi * The WPA supplicant is now switched to Zephyr upstream's fork instead of |NCS|. * Added the :ref:`ug_nrf70_developing_offloaded_raw_tx` page. +* Added support advanced security modes in the Wi-Fi stack, please see the :ref:`ug_nrf70_wifi_advanced_security_modes` page for more information. Applications ============ @@ -711,6 +712,11 @@ Wi-Fi samples * Added support for running the full stack on the Thingy:91 X. This is a special configuration that uses the nRF5340 as the host chip instead of the nRF9151. + * Added overlay to support enterprise mode. + +* :ref:`wifi_sta_sample` sample: + + * Added overlay to support enterprise mode. Other samples -------------
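Review bot: In the features.rst hunk, the new bullet overstates what the linked page documents and has two small style slips. The page added by this patch lists only WPA2-EAP-TLS for Enterprise and says PSA mode covers only the WPA2-personal profile, so "certificate based Wi-Fi security and Platform Security Architecture(PSA) security framework" should be narrowed to match, for example "certificate-based Wi-Fi Enterprise security (WPA2-EAP-TLS) and PSA crypto APIs for WPA2-personal". Also add the space before "(PSA)" and use sentence case in the link text ("Wi-Fi advanced security modes") to match the page title.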
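Review bot: In the advanced_modes/index.rst hunk, the new toctree entry is written as "wifi_advanced_security_modes.rst" while the existing entries in the same list (sniffer_rx_operation, promiscuous_operation, offloaded_raw_tx) omit the extension. Drop the ".rst" suffix so the entry follows the same convention as its siblings.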
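Review bot: In the new wifi_advanced_security_modes.rst, the certificate section should say outright that client-key.pem is converted into a C header and compiled into the firmware image. As written, the reader is told to copy their own client.pem, client-key.pem and ca.pem over the committed files in subsys/net/lib/wifi_credentials/test_certs, and the only caution is the closing note that the certificates "should not be used in production". Please add a sentence before the cp block saying that this step replaces the test credentials, that the private key ends up embedded in the build output, and that keys copied into the tree must not be committed; then point to the provisioning path intended for production, or state that none is supported yet. The connect command also needs its options explained (what "-k 7", "-a anon" and "-K" select), since nothing on the page ties them to WPA2-EAP-TLS. Smaller points in the same hunk: "Te nRF70" should be "The nRF70", "and the during the build process" has a stray "the", the PSA link is followed by a second "(PSA)", and the two west build examples use different code-block languages (bash and console).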
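Review bot: In the migration_guide_2.8.rst hunk, the new Wi-Fi entry says the syntax of the add command "has been modified to support getopt model" but does not show either form, so a reader migrating scripts cannot act on it. Add the old and new invocations side by side, or link to the library page section that documents the new options. The command name is also in single backticks, which reST treats as the default role rather than literal text, so use double backticks around add. Finally, the bullet is indented one space under the heading, which renders as a block quote, and the removed intro sentence "This section describes the changes related to libraries." leaves the Libraries heading without any lead-in; consider keeping it.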
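Review bot: In the first release-notes-changelog.rst hunk (Wi-Fi, line 257), the added entry is missing a preposition and runs two sentences together: "Added support advanced security modes in the Wi-Fi stack, please see the ... page". Suggest "Added support for advanced security modes in the Wi-Fi stack. See the :ref:`ug_nrf70_wifi_advanced_security_modes` page for more information." It would also help to name the modes (WPA2-EAP-TLS and PSA-based WPA2-personal), since that is the full scope the new page describes.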
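Review bot: In the second release-notes-changelog.rst hunk (Wi-Fi samples, line 711), both new entries say only "Added overlay to support enterprise mode." without naming the file. The new documentation page builds with -DEXTRA_CONF_FILE=overlay-enterprise.conf, so name that overlay here and say "Wi-Fi Enterprise security" rather than "enterprise mode" to match the page's terminology. Check as well that the first added line is attached to the intended sample: it lands after the Thingy:91 X entry of the preceding sample, whose name is not visible in the context lines.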