** Description changed:

+ [ Impact ]
+ 
+ Users cannot connect to WPA3 APs (with the obvious ramifications for
+ usability and security).
+ 
+ [ Test Plan ]
+ 
+ For each affected model (3A+, 3B+, 4, 5), for each affected $series, and
+ for each $image (server / desktop):
+ 
+ 1. Configure a test AP to accept WPA3 connections only (details will vary by 
AP, so out of scope for these instructions)
+ 2. Configure netplan (server) or NetworkManager (desktop) to connect to the 
WPA3 AP
+ 3. Observe failure on current linux-firmware-raspi firmware
+ 4. Enable proposed (append $series-proposed to first Suites: line in 
/etc/apt/sources.list.d/ubuntu.sources)
+ 5. sudo apt install linux-firmware-raspi
+ 6. sudo reboot
+ 7. Observe connection succeeds after reboot
+ 8. Reconfigure AP to accept WPA/WPA2 connections only
+ 9. Re-test connection to ensure it still works correctly
+ 10. Additionally, to ensure no Bluetooth regressions:
+ 
+ On server:
+ 1. sudo apt install bluez
+ 2. sudo bluetoothctl
+ 3. scan on
+ 4. Enable pairing on another device (e.g. mobile phone)
+ 5. pair MAC
+ 
+ On desktop:
+ 1. Launch gnome-control-center
+ 2. Switch to bluetooth tab
+ 3. Enable pairing on another device (e.g. mobile phone)
+ 4. Pair device
+ 
+ [ Where things could go wrong ]
+ 
+ The linux-firmware-raspi package is a horrible hybrid of the wifi,
+ bluetooth, and boot firmwares and thus tinkering with this package has
+ the potential to break any or all three systems.
+ 
+ The boot mechanism should only have the potential to be affected on the
+ 3 and 4 series of Pis (on the 5 the boot firmware is entirely in
+ EEPROM), but the reboot in the test plan (necessary to reload the wifi
+ firmware anyway) also doubles as a check that we haven't broken this.
+ 
+ Regressions in the wifi firmware are guarded against by the test plan
+ checking WPA, WPA2, and WPA3, and checks that WPA3 actually fails with
+ the original firmware (so we can ensure we're not getting a false-
+ positive from an AP that's still accepting, say, WPA2 connections).
+ 
+ Regressions in the bluetooth firmware are guarded against by the test
+ plan checking we can still scan for, and pair with, another device.
+ 
+ [ Original Description ]
+ 
  Current linux-firmware-raspi package version in Noble, Oracular and
  Plucky is "2-0ubuntu1" dated 2024-04-13.
  
  It's quite old compared with Raspberry OS current version. This causes
  (IMO) an important security flaw in Ubuntu because the Raspberry Pi 4
  and latter models Wifi can't use WPA3, is limited to WPA2.
  
  Thanks and best regards.
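
Review bot: In the added [ Test Plan ], step 8 reconfigures the AP to "WPA/WPA2 connections only" and step 9 re-tests once, yet the [ Where things could go wrong ] text says regressions are guarded by checking WPA, WPA2, and WPA3. On a mixed WPA/WPA2 AP, a client that supports WPA2 will normally negotiate WPA2, so WPA on its own goes unexercised. Either split step 8 into a WPA-only pass and a WPA2-only pass, or reword the regression paragraph to say "WPA/WPA2 mixed mode and WPA3". It would also help for steps 3 and 7 to state what is observed (for example, the key management the client reports), so that "failure" and "succeeds" are recorded the same way across models, series and images.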

** Description changed:

  [ Impact ]
  
  Users cannot connect to WPA3 APs (with the obvious ramifications for
  usability and security).
  
  [ Test Plan ]
  
  For each affected model (3A+, 3B+, 4, 5), for each affected $series, and
  for each $image (server / desktop):
  
  1. Configure a test AP to accept WPA3 connections only (details will vary by 
AP, so out of scope for these instructions)
  2. Configure netplan (server) or NetworkManager (desktop) to connect to the 
WPA3 AP
  3. Observe failure on current linux-firmware-raspi firmware
  4. Enable proposed (append $series-proposed to first Suites: line in 
/etc/apt/sources.list.d/ubuntu.sources)
  5. sudo apt install linux-firmware-raspi
  6. sudo reboot
  7. Observe connection succeeds after reboot
  8. Reconfigure AP to accept WPA/WPA2 connections only
  9. Re-test connection to ensure it still works correctly
  10. Additionally, to ensure no Bluetooth regressions:
  
  On server:
  1. sudo apt install bluez
  2. sudo bluetoothctl
  3. scan on
  4. Enable pairing on another device (e.g. mobile phone)
  5. pair MAC
  
  On desktop:
  1. Launch gnome-control-center
  2. Switch to bluetooth tab
  3. Enable pairing on another device (e.g. mobile phone)
  4. Pair device
  
  [ Where things could go wrong ]
  
  The linux-firmware-raspi package is a horrible hybrid of the wifi,
  bluetooth, and boot firmwares and thus tinkering with this package has
  the potential to break any or all three systems.
  
  The boot mechanism should only have the potential to be affected on the
  3 and 4 series of Pis (on the 5 the boot firmware is entirely in
  EEPROM), but the reboot in the test plan (necessary to reload the wifi
  firmware anyway) also doubles as a check that we haven't broken this.
  
  Regressions in the wifi firmware are guarded against by the test plan
  checking WPA, WPA2, and WPA3, and checks that WPA3 actually fails with
  the original firmware (so we can ensure we're not getting a false-
  positive from an AP that's still accepting, say, WPA2 connections).
  
  Regressions in the bluetooth firmware are guarded against by the test
  plan checking we can still scan for, and pair with, another device.
  
+ [ Additional notes ]
+ 
+ NOTE TO SELF: check whether noble / plucky linux-firmware packages are
+ planning to move to unaliased (/usr/lib) locations. If *not*, you need
+ to adjust d/diversions in the backport (and remove the extra migration
+ logic), and remove the block remaking the alternatives config in
+ d/rules.
+ 
  [ Original Description ]
  
  Current linux-firmware-raspi package version in Noble, Oracular and
  Plucky is "2-0ubuntu1" dated 2024-04-13.
  
  It's quite old compared with Raspberry OS current version. This causes
  (IMO) an important security flaw in Ubuntu because the Raspberry Pi 4
  and latter models Wifi can't use WPA3, is limited to WPA2.
  
  Thanks and best regards.
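
Review bot: The added [ Additional notes ] block leaves open whether d/diversions, the extra migration logic and the alternatives block in d/rules stay in the backport, and neither [ Test Plan ] nor [ Where things could go wrong ] covers that path. Once the question about unaliased (/usr/lib) locations in noble / plucky is answered, replace the note with the decision taken. Also consider a test step that upgrades from the current package and confirms the firmware files end up where expected, since the risk section currently names only wifi, bluetooth and boot regressions.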

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2095105

Title:
  [SRU] Please, update linux-firmware-raspi package to a version that
  allow Wifi with WPA3
