nrfconnect · carlescufi · Apr 23, 2025 · Mar 27, 2025 · Apr 1, 2025 · Jan 29, 2025
diff --git a/drivers/wifi/nrf_wifi/CMakeLists.txt b/drivers/wifi/nrf_wifi/CMakeLists.txt
@@ -70,17 +70,6 @@ zephyr_library_sources_ifdef(CONFIG_NRF70_DEBUG_SHELL
   src/debug_shell.c
 )
 
-zephyr_compile_definitions_ifdef(CONFIG_NRF70_ON_QSPI
-# These are XIP related anomalies and aren't applicable for nRF7002 and cause
-# throughput issues.
-  -DNRF53_ERRATA_43_ENABLE_WORKAROUND=0
-  -DNRF52_ERRATA_215_ENABLE_WORKAROUND=0
-# nRF70 QSPI doesn't use 192MHz clock and most samples use 128MHz, this can cause anomaly 159
-# but as its rare and not seen in most cases, we can disable it.
-# Alternative is 128MHz CPU should be disabled that impacts Wi-Fi performance.
-  -DNRF53_ERRATA_159_ENABLE_WORKAROUND=0
-)
-
 zephyr_library_link_libraries(nrf70-buslib nrf-wifi-shim)
 
 if (CONFIG_NRF_WIFI_PATCHES_BUILTIN)

diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
@@ -25,17 +25,21 @@ if WIFI_NM_WPA_SUPPLICANT
 
 config HEAP_MEM_POOL_ADD_SIZE_HOSTAP
 	def_int 66560 if WIFI_NM_HOSTAPD_AP
-	def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP || WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	def_int 55000 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP
 	# 30K is mandatory, but might need more for long duration use cases
 	def_int 30000
 
 config WIFI_NM_WPA_SUPPLICANT_THREAD_STACK_SIZE
 	int "Stack size for wpa_supplicant thread"
-	default 8192
+	# TODO: Providing higher stack size for Enterprise mode to fix stack
+	# overflow issues. Need to identify the cause for higher stack usage.
+	default 8192 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	default 5600
 
 config WIFI_NM_WPA_SUPPLICANT_WQ_STACK_SIZE
 	int "Stack size for wpa_supplicant iface workqueue"
-	default 6144
+	default 4400
 
 config WIFI_NM_WPA_SUPPLICANT_WQ_PRIO
 	int "Thread priority of wpa_supplicant iface workqueue"

diff --git a/modules/nrf_wifi/bus/CMakeLists.txt b/modules/nrf_wifi/bus/CMakeLists.txt
@@ -12,6 +12,20 @@ endif()
 set(NRF_WIFI_DIR ${ZEPHYR_CURRENT_MODULE_DIR})
 
 if (CONFIG_NRF70_BUSLIB)
+
+  if(CONFIG_NRF70_ON_QSPI OR CONFIG_NORDIC_QSPI_NOR)
+    zephyr_compile_definitions(
+    # These are XIP related anomalies and aren't applicable for nRF7002 and cause
+    # throughput issues.
+      -DNRF53_ERRATA_43_ENABLE_WORKAROUND=0
+      -DNRF52_ERRATA_215_ENABLE_WORKAROUND=0
+    # nRF70 QSPI doesn't use 192MHz clock and most samples use 128MHz, this can cause anomaly 159
+    # but as its rare and not seen in most cases, we can disable it.
+    # Alternative is 128MHz CPU should be disabled that impacts Wi-Fi performance.
+      -DNRF53_ERRATA_159_ENABLE_WORKAROUND=0
+    )
+  endif()
+
   zephyr_library_named(nrf70-buslib)
   zephyr_library_include_directories(
     inc

diff --git a/snippets/wifi-enterprise/wifi-enterprise.conf b/snippets/wifi-enterprise/wifi-enterprise.conf
@@ -7,10 +7,20 @@ CONFIG_NET_BUF_VARIABLE_DATA_SIZE=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=70000
 
+#For use with Wi-Fi Credentials
+CONFIG_WIFI_CREDENTIALS=y
+CONFIG_FLASH=y
+CONFIG_FLASH_PAGE_LAYOUT=y
+CONFIG_FLASH_MAP=y
+CONFIG_NVS=y
+CONFIG_SETTINGS=y
+CONFIG_SETTINGS_NVS=y
+
 # For use with TLS credentials
 CONFIG_TLS_CREDENTIALS_SHELL=y
 CONFIG_BASE64=y
 CONFIG_TLS_CREDENTIALS=y
 CONFIG_TLS_CREDENTIALS_SHELL_CRED_BUF_SIZE=8192
 CONFIG_TLS_MAX_CREDENTIALS_NUMBER=6
 CONFIG_HEAP_MEM_POOL_ADD_SIZE_TLS_CRED_SHELL=9000
+CONFIG_NRF_WIFI_DATA_HEAP_SIZE=100000
diff --git a/subsys/net/l2/wifi/wifi_mgmt.c b/subsys/net/l2/wifi/wifi_mgmt.c
@@ -1310,6 +1310,9 @@ static int __stored_creds_to_params(struct wifi_credentials_personal *creds,
 {
 	char *ssid = NULL;
 	char *psk = NULL;
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	char *key_passwd = NULL;
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
 	int ret;
 
 	/* SSID */
@@ -1355,6 +1358,29 @@ static int __stored_creds_to_params(struct wifi_credentials_personal *creds,
 	/* Defaults */
 	params->security = creds->header.type;
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	if (params->security == WIFI_SECURITY_TYPE_EAP_TLS) {
+		if (creds->header.key_passwd_length > 0) {
+			key_passwd = (char *)k_malloc(creds->header.key_passwd_length + 1);
+			if (!key_passwd) {
+				LOG_ERR("Failed to allocate memory for key_passwd\n");
+				ret = -ENOMEM;
+				goto err_out;
+			}
+			memset(key_passwd, 0, creds->header.key_passwd_length + 1);
+			ret = snprintf(key_passwd, creds->header.key_passwd_length + 1, "%s",
+				       creds->header.key_passwd);
+			if (ret > creds->header.key_passwd_length) {
+				LOG_ERR("key_passwd string truncated\n");
+				ret = -EINVAL;
+				goto err_out;
+			}
+			params->key_passwd = key_passwd;
+			params->key_passwd_length = creds->header.key_passwd_length;
+		}
+	}
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
+
 	/* If channel is set to 0 we default to ANY. 0 is not a valid Wi-Fi channel. */
 	params->channel = (creds->header.channel != 0) ? creds->header.channel : WIFI_CHANNEL_ANY;
 	params->timeout = (creds->header.timeout != 0)
@@ -1395,6 +1421,13 @@ static int __stored_creds_to_params(struct wifi_credentials_personal *creds,
 		psk = NULL;
 	}
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	if (key_passwd) {
+		k_free(key_passwd);
+		key_passwd = NULL;
+	}
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
+
 	return ret;
 }
 

diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c
@@ -2136,7 +2136,7 @@ static int cmd_wifi_ap_enable(const struct shell *sh, size_t argc,
 		return -ENOEXEC;
 	}
 
-#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+#ifdef CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
 	/* Load the enterprise credentials if needed */
 	if (cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS ||
 	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||

diff --git a/subsys/net/lib/wifi_credentials/CMakeLists.txt b/subsys/net/lib/wifi_credentials/CMakeLists.txt
@@ -34,3 +34,43 @@ if(WIFI_CREDENTIALS_STATIC_SSID)
 		"Static Wi-Fi configuration is used, please remove before deployment!"
 	)
 endif()
+
+if(DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE AND NOT DEFINED CONFIG_NET_L2_WIFI_SHELL)
+  # Wi-Fi Enterprise test certificates handling
+  set(gen_inc_dir ${ZEPHYR_BINARY_DIR}/misc/generated)
+  set(gen_dir ${gen_inc_dir}/wifi_enterprise_test_certs)
+  if(NOT DEFINED WIFI_TEST_CERTS_DIR)
+    set(WIFI_TEST_CERTS_DIR ${ZEPHYR_BASE}/samples/net/wifi/test_certs/rsa3k)
+  endif()
+  # Create output directory for test certs
+  file(MAKE_DIRECTORY ${gen_dir})
+
+  # convert .pem files to array data at build time
+  zephyr_include_directories(${gen_inc_dir})
+
+  foreach(cert_file IN ITEMS
+      ${WIFI_TEST_CERTS_DIR}/client.pem
+      ${WIFI_TEST_CERTS_DIR}/client-key.pem
+      ${WIFI_TEST_CERTS_DIR}/ca.pem
+      ${WIFI_TEST_CERTS_DIR}/client2.pem
+      ${WIFI_TEST_CERTS_DIR}/client-key2.pem
+      ${WIFI_TEST_CERTS_DIR}/ca2.pem
+      )
+
+  if(EXISTS ${cert_file})
+      get_filename_component(cert_name ${cert_file} NAME)
+      generate_inc_file_for_target(
+          app
+          ${cert_file}
+          ${gen_dir}/${cert_name}.inc
+          )
+    else()
+      get_filename_component(cert_name ${cert_file} NAME)
+      file(WRITE ${gen_dir}/${cert_name}.inc "// Empty file generated because ${cert_file} does not exist\n")
+    endif()
+  endforeach()
+
+  # Add explicit dependency on app target for ZEPHYR_CURRENT_LIBRARY, so these
+  # headers are generated at the correct point in the build
+  add_dependencies(${ZEPHYR_CURRENT_LIBRARY} app)
+endif()
diff --git a/subsys/net/lib/wifi_credentials/Kconfig b/subsys/net/lib/wifi_credentials/Kconfig
@@ -73,6 +73,32 @@ config WIFI_CREDENTIALS_CONNECT_STORED_CONNECTION_TIMEOUT
 	help
 	   Wait period before falling back to the next entry in the list of stored SSIDs.
 
+
+if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+
+config WIFI_CREDENTIALS_RUNTIME_CERTIFICATES
+	bool "Provide Wi-Fi enterprise security certificates at run-time"
+	select TLS_CREDENTIALS
+	select TLS_CREDENTIALS_SHELL
+	select BASE64
+	default y if WIFI_SHELL_RUNTIME_CERTIFICATES
+	help
+	  This option enables providing Wi-Fi enterprise security certificates at run-time.
+	  Uses the TLS credentials subsystem to store and manage the certificates.
+
+if WIFI_CREDENTIALS_RUNTIME_CERTIFICATES
+
+config HEAP_MEM_POOL_ADD_SIZE_WIFI_CERT
+	int "Wi-Fi enterprise security certificates memory pool size"
+	# STA - 6 certs and each assume 1500 bytes
+	default 12000
+	help
+	   The size of the memory pool used by the Wi-Fi enterprise security certificates.
+
+endif # WIFI_CREDENTIALS_RUNTIME_CERTIFICATES
+
+endif # WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+
 endif # WIFI_CREDENTIALS_CONNECT_STORED
 
 endif # WIFI_CREDENTIALS

diff --git a/subsys/net/lib/wifi_credentials/wifi_credentials.c b/subsys/net/lib/wifi_credentials/wifi_credentials.c
@@ -136,6 +136,7 @@ int wifi_credentials_get_by_ssid_personal_struct(const char *ssid, size_t ssid_l
 	    buf->header.type != WIFI_SECURITY_TYPE_PSK &&
 	    buf->header.type != WIFI_SECURITY_TYPE_PSK_SHA256 &&
 	    buf->header.type != WIFI_SECURITY_TYPE_SAE &&
+	    buf->header.type != WIFI_SECURITY_TYPE_EAP_TLS &&
 	    buf->header.type != WIFI_SECURITY_TYPE_WPA_PSK) {
 		LOG_ERR("Requested WiFi credentials entry is corrupted");
 		ret = -EPROTO;