The New Wi-Fi Experience for Linux - Marcel Holtmann, Intel [Open Source Summit EU 2018]

Connecting to a Wi-Fi network is getting more and more complicated. The system should figure this out by itself.

For example, for WPA2-Enterprise you have to select all the correct options, instead of just installing a (properly signed) file.

The reason behind this is that wpa_supplicant is too low level, except that sometimes it swallows the details. The hostap project (that manages wpa_supplicant) doesn’t really want to do the high-level things.

This is why Intel started working on iwd. It is a complete Wi-Fi management tool that does as much as possible automatically; for example, it remembers passwords. It is the only entity that has to scan on the radio: with wpa_supplicant, you have to do a parallel scan in NetworkManager because wpa_supplicant doesn't give you the information. Because it keeps track of the available networks itself, it can roam quickly.

iwd also has clean, readable source code (it uses a daemon library, ELL) and it only runs on Linux. It only supports nl80211/cfg80211, no wext. The security bits are separated out and use kernel crypto (AF_ALG and keycontrol to manage keyrings, no OpenSSL). Its API is user-focused: it only asks for things when it needs to. It has non-interactive interfaces for installing credentials and for enterprise provisioning. Provisioning can only be done with a file, but if you leave something out (e.g. the password) it will be asked for interactively. Its WPS support actually works. It also supports Wi-Fi hotspots.
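As an added illustration (not from the talk or the iwd project), here is a small audit of an enterprise provisioning file of the kind described above. It flags a file that does not pin a CA certificate and a file that stores a secret that could instead be left out and prompted for. The key names are assumed from iwd's documented `[Security]` settings and should be checked against your release; both sample files are constructed.

```python
import configparser

# Key names below are assumptions taken from iwd's documented [Security]
# settings; verify them against iwd.network(5) for the release you run.
TUNNELLED = {"PEAP", "TTLS"}
CERT_METHODS = TUNNELLED | {"TLS"}

def audit_provisioning(text):
    """Return a sorted list of finding codes for one provisioning file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case; configparser lowercases by default
    cp.read_string(text)
    if not cp.has_section("Security"):
        return ["no-security-section"]
    sec = cp["Security"]
    method = sec.get("EAP-Method", "").strip().upper()
    if not method:
        return ["no-eap-method"]
    prefix = f"EAP-{method}-"
    findings = []
    # Without a pinned CA the client cannot tell the real RADIUS server
    # from an impostor before it sends credentials.
    if method in CERT_METHODS and not sec.get(prefix + "CACert", "").strip():
        findings.append("server-cert-not-validated")
    # Secrets may be left out of the file so that they are asked for instead.
    secrets = ("EAP-Password", prefix + "Phase2-Password",
               prefix + "ClientKeyPassphrase")
    if any(sec.get(key, "").strip() for key in secrets):
        findings.append("secret-stored-in-file")
    if method in TUNNELLED and not sec.get(prefix + "Phase2-Method", "").strip():
        findings.append("no-phase2-method")
    return sorted(findings)

# Constructed sample: no CA pinned, password written into the file.
WEAK = """
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@example.org
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=alice
EAP-PEAP-Phase2-Password=constructed-sample-password
"""
# Constructed sample: CA pinned, password omitted so it is prompted for.
HARDENED = WEAK.replace(
    "EAP-PEAP-Phase2-Password=constructed-sample-password\n", ""
) + "EAP-PEAP-CACert=/etc/ssl/certs/example-ca.pem\n"

if __name__ == "__main__":
    print("weak:", audit_provisioning(WEAK))
    print("hardened:", audit_provisioning(HARDENED))
```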

There are regular releases, roughly monthly since February 2018. Latest release 0.10 on 2018-10-20.

It already supports WPA3.

The API has station, ad-hoc and AP mode.

Interacting with it goes over D-Bus, and there is an iwctl command-line client that exposes that interface to the shell. There is integration available for ConnMan, but it has aged a little and should be updated. Integration with NetworkManager is there for personal networks, with enterprise support underway. systemd-networkd integration is not there yet.

There is a conflict with renaming network interfaces in udev: iwd is faster than udev, so by the time udev tries to rename the interface it is already up and can no longer be renamed.

During development, there were a lot of fixes to the kernel as well. E.g. hotplug didn't work properly because wpa_supplicant didn't support it. They also built a tracing utility, iwmon, that decodes the nl80211 messages.

Last TODO items for 1.0: review the ELL (Embedded Linux Library) API, and review the D-Bus API.

Up to now it has been focused on Wi-Fi, but the authentication also applies to wired networks (802.1x). wpa_supplicant does this by converting the Ethernet port into a virtual AP. iwd has an ead that does it properly, but eventually it will be spun out.

Source is on, documentation on

In the future it is also going to be a replacement for hostapd (i.e. for full-fledged access points), but at the moment it is not up to it.