wifi: Upmerge for 2.8.0

CODEOWNERS

@@ -514,6 +514,7 @@
 /samples/wifi/softap/                     @D-Triveni @krish2718
 /samples/wifi/monitor/                    @D-Triveni
 /samples/wifi/promiscuous/                @D-Triveni
+/samples/wifi/offloaded_raw_tx/           @kapbh @sachinthegreen
 /samples/zigbee/                          @nrfconnect/ncs-zigbee
 
 /samples/app_event_manager/*.rst          @nrfconnect/ncs-si-muffin-doc @nrfconnect/ncs-si-bluebagel-doc

cmake/sysbuild/nrf700x.cmake

@@ -16,6 +16,8 @@ function(setup_nrf700x_xip_data)
     set(NRF70_PATCH ${NRF70_FW_BINS}/radio_test/nrf70.bin)
   elseif(SB_CONFIG_WIFI_NRF70_SCAN_ONLY)
     set(NRF70_PATCH ${NRF70_FW_BINS}/scan_only/nrf70.bin)
+  elseif(SB_CONFIG_WIFI_NRF70_OFFLOADED_RAW_TX)
+    set(NRF70_PATCH ${NRF70_FW_BINS}/offloaded_raw_tx/nrf70.bin)
   elseif(SB_CONFIG_WIFI_NRF70_SYSTEM_WITH_RAW_MODES)
     set(NRF70_PATCH ${NRF70_FW_BINS}/system_with_raw/nrf70.bin)
   else()

doc/nrf/app_dev/device_guides/nrf70/features.rst

@@ -49,6 +49,8 @@ The nRF70 Series devices also support the following functionalities:
 
 * :ref:`ug_nrf70_developing_raw_ieee_80211_packet_transmission`: Allows the injection of raw IEEE 802.11 frames in Station and Monitor modes.
 * :ref:`Promiscuous reception <ug_nrf70_developing_promiscuous_packet_reception>`: Allows the reception of IEEE 802.11 packets from a connected BSSID when operating in Station mode.
+* :ref:`Offloaded raw transmission <ug_nrf70_developing_offloaded_raw_tx>`: Allows the offloading of raw IEEE 802.11 frame transmission to the nRF Wi-Fi driver.
+* :ref:`Wi-Fi advanced security modes <ug_nrf70_wifi_advanced_security_modes>`: Allows the use of advanced security modes, certificate-based Wi-Fi security, and the Platform Security Architecture (PSA) security framework.
 
 Peer-to-peer support in the form of Wi-Fi Direct® will be available in the future.
 

doc/nrf/app_dev/device_guides/nrf70/index.rst

@@ -130,3 +130,4 @@ The following subpages cover topics related to developing applications with the
    power_profiling
    nrf7002ek_dev_guide
    nrf7002eb_dev_guide
+   wifi_advanced_security_modes

doc/nrf/app_dev/device_guides/nrf70/wifi_advanced_security_modes.rst

@@ -0,0 +1,86 @@
+.. _ug_nrf70_wifi_advanced_security_modes:
+
+nRF70 Series advanced security modes
+####################################
+
+.. contents::
+   :local:
+   :depth: 2
+
+Enterprise security
+*******************
+
+The nRF70 Series devices support Wi-Fi® enterprise security, which is a more secure form of Wi-Fi security compared to Wi-Fi personal security.
+Wi-Fi enterprise security is used in corporate environments where the security requirements are more stringent.
+It is based on the IEEE 802.1X standard, which defines the port-based network access control.
+
+The nRF70 Series devices support the following Wi-Fi enterprise security mode, ``WPA2-EAP-TLS``.
+This mode uses the Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS) for authentication.
+The client and the authentication server exchange certificates to authenticate each other.
+
+
+Enterprise testing: X.509 certificate headers generation
+========================================================
+
+Wi-Fi enterprise security requires use of X.509 certificates.
+Test certificates in PEM format are available at :zephyr_file:`samples/net/wifi/test_certs/` repository.
+During the build process, the certificates are converted to a C header file that is included in the Wi-Fi shell module or the :ref:`Wi-Fi credentials <lib_wifi_credentials>` library.
+
+To use custom certificates, use the following commands:
+
+.. code-block:: bash
+
+    $ cp client.pem samples/net/wifi/test_certs/
+    $ cp client-key.pem samples/net/wifi/test_certs/
+    $ cp ca.pem samples/net/wifi/test_certs/
+    $ cp client.pem samples/net/wifi/test_certs/client2.pem
+    $ cp client-key.pem samples/net/wifi/test_certs/client-key2.pem
+    $ cp ca.pem samples/net/wifi/test_certs/ca2.pem
+
+    $ west build -p -b <board> samples/net/wifi -- -DEXTRA_CONF_FILE=overlay-enterprise.conf
+
+.. note::
+     The EAP phase2 certificates (suffixed with 2) are unused in ``WPA2-EAP-TLS`` but are mandatory for building the sample application.
+     The phase1 certificates are copied as phase2 certificates to avoid build errors as a temporary workaround.
+
+To establish a Wi-Fi connection, use the following command:
+
+.. code-block:: console
+
+    uart:~$ wifi connect -s <SSID> -k 7 -a anon -K <key passphrase>
+
+.. code-block:: console
+
+   uart:~$ wifi_cred add -s <SSID> -k 7 -a anon -K <key passphrase>
+
+
+.. note::
+
+      The Wi-Fi credentials only support 16characters for the anonymous identity and the key passphrase.
+
+The server certificate is also provided in the same directory for testing purposes.
+You can use any AAA server for testing purposes, such as FreeRADIUS or hostapd.
+
+.. note::
+
+    The certificates are for testing purposes only and should not be used for production.
+
+.. _ug_nrf70_developing_wifi_psa_support:
+
+Platform Security Architecture (PSA) crypto support
+***************************************************
+
+The nRF70 Series devices support the `Platform Security Architecture (PSA)`_ security framework.
+This framework provides a set of APIs for cryptographic operations, which are used by the nRF70 Series.
+This improves the security of the nRF70 device compared to the non-PSA mode.
+
+.. note::
+
+      Currently, the PSA crypto support is only applicable to the WPA2™-personal security profile.
+
+Enable PSA support
+==================
+
+To enable the nRF70 PSA crypto support in your applications, use the :kconfig:option:`CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA` Kconfig option.
+
+The Wi-Fi connection process is similar to the non-PSA mode, however, the only difference is that the cryptographic operations are performed using PSA crypto APIs.

doc/nrf/links.txt

@@ -912,6 +912,8 @@
 
 .. _`Testing the nRF Connect platform with Apple, Google and Samsung ecosystems`: https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/matter-testing-nrf-connect-sdk-platform-with-apple-google-and-samsung-ecosystems-218911247#mcetoc_1gkq24ojdf
 
+.. _`Online Power Profiler for Wi-Fi`: https://devzone.nordicsemi.com/power/w/opp/14/online-power-profiler-for-wi-fi
+
 .. ### Source: App stores (play.google.com & apps.apple.com)
 
 .. _`Fast Pair Validator app`: https://play.google.com/store/apps/details?id=com.google.location.nearby.apps.fastpair.validator

doc/nrf/protocols/wifi/advanced_modes/index.rst

@@ -13,3 +13,4 @@ The following subpages cover topics related to the transmission and reception of
    raw_tx_operation
    sniffer_rx_operation
    promiscuous_operation
+   offloaded_raw_tx

doc/nrf/protocols/wifi/advanced_modes/offloaded_raw_tx.rst

@@ -0,0 +1,62 @@
+.. _ug_nrf70_developing_offloaded_raw_tx:
+
+Offloaded raw transmit operation
+################################
+
+.. contents::
+   :local:
+   :depth: 2
+
+The nRF70 Series ICs can be used as offloaded raw transmit devices, where the nRF70 Series device can transmit frames at regular intervals utilizing very low power.
+The contents of the frame as well as parameters such as frequency and channel of transmission are programmable.
+
+The major functionality of transmitting the frames is offloaded to the nRF70 device, thereby placing minimal requirements on the host (mainly programming capability).
+This results in minimal host memory requirements (RAM and flash memory).
+
+This can be used for applications such as indoor navigation and tracking, where it is essential for anchor nodes to perform low-power beaconing.
+Anchor devices can transmit beacon-compliant packets containing tracking or location information inside the BSSID or SSID fields.
+Devices scanning for these beacon-compliant packets can use this information.
+
+Offloaded raw TX mode in Wi-Fi driver
+*************************************
+
+The offloaded raw transmit operation is supported as a separate stand-alone compile-time mode of operation in the nRF Wi-Fi driver and is exclusive to the following existing modes of operation:
+
+* Wi-Fi mode
+* Radio Test mode
+
+In addition to providing start or stop control over the offloaded raw transmit operation, the driver supports the update of the following configuration parameters:
+
+* Frame contents
+* Channel of operation
+* Data rate
+* Rate flags
+* Periodicity of transmission
+* Transmit power
+
+.. _ug_nrf70_developing_enabling_offloaded_raw_tx:
+
+Offloaded raw transmit API
+**************************
+
+The offloaded raw transmit functionality of nRF70 Series ICs can be utilized by using the APIs provided by the driver.
+The API reference can be found at:
+
+| Header file: :file:`zephyr/drivers/wifi/nrfwifi/off_raw_tx/off_raw_tx_api.h`
+
+
+See the :ref:`Offloaded raw transmit sample <wifi_offloaded_raw_tx_packet_sample>` to know more about the offloaded raw transmit API.
+
+.. _ug_nrf70_developing_offloaded_raw_tx_power_consumption:
+
+Power consumption
+*****************
+
+The power consumed by the nRF70 Series device during the offloaded raw TX operation depends on the following parameters:
+
+* Operating data rate (for example, 6 Mbps, MCS0) : Power consumption decreases as the data rate increases.
+* Payload length : Power consumption increases with the payload length.
+* Periodicity of transmission : Power consumption increases as the period between successive transmissions decreases.
+* Transmit power : Power consumption increases as the transmit power increases.
+
+For optimizing the power consumption of your application, you can use the `Online Power Profiler for Wi-Fi`_ tool.

doc/nrf/releases_and_maturity/migration/migration_guide_2.8.rst

@@ -123,6 +123,19 @@ Libraries
 
 This section describes the changes related to libraries.
 
+Wi-Fi®
+------
+
+.. toggle::
+
+   * For :ref:`lib_wifi_credentials` library:
+
+     * Syntax for ``add`` command has been modified to support ``getopt`` model.
+         For example, the following command with old syntax:
+         ``wifi_cred add SSID WPA2-PSK password`` should be replaced with the following command with new syntax:
+         ``wifi_cred add -s SSID -k 1 -p password``.
+         ``wifi_cred add --help`` command will provide more information on the new syntax.
+
 LTE link control library
 ------------------------
 

include/net/wifi_credentials.h

@@ -29,10 +29,16 @@ extern "C" {
 #define WIFI_CREDENTIALS_FLAG_2_4GHz		BIT(2)
 /* this entry can use the 5 GHz band */
 #define WIFI_CREDENTIALS_FLAG_5GHz		BIT(3)
+/* this entry can use the 6 GHz band */
+#define WIFI_CREDENTIALS_FLAG_6GHz		BIT(4)
 /* this entry requires management frame protection */
-#define WIFI_CREDENTIALS_FLAG_MFP_REQUIRED	BIT(4)
+#define WIFI_CREDENTIALS_FLAG_MFP_REQUIRED	BIT(5)
 /* this entry disables management frame protection */
-#define WIFI_CREDENTIALS_FLAG_MFP_DISABLED	BIT(5)
+#define WIFI_CREDENTIALS_FLAG_MFP_DISABLED	BIT(6)
+/* this entry has anonymous identity configured */
+#define WIFI_CREDENTIALS_FLAG_ANONYMOUS_IDENTITY  BIT(7)
+/* this entry has key password configured */
+#define WIFI_CREDENTIALS_FLAG_KEY_PASSWORD  BIT(8)
 
 #define WIFI_CREDENTIALS_MAX_PASSWORD_LEN\
 	MAX(WIFI_PSK_MAX_LEN, CONFIG_WIFI_CREDENTIALS_SAE_PASSWORD_LENGTH)
@@ -53,6 +59,10 @@ struct wifi_credentials_header {
 	uint32_t flags;
 	uint8_t channel;
 	uint32_t timeout;
+	char anon_id[16];
+	uint8_t aid_length;
+	char key_passwd[16];
+	uint8_t key_passwd_length;
 };
 
 /**