The New Wi-Fi Experience for Linux - Marcel Holtmann, Intel [Open Source Summit EU 2018]

Connecting to a Wi-Fi network is getting more and more complicated. The system should figure this out by itself.

For example, for WPA2-Enterprise you have to select all the correct options, instead of just installing a (properly signed) file.

The reason behind this is that wpa_supplicant is too low level, except that sometimes it swallows the details. The hostap project (that manages wpa_supplicant) doesn’t really want to do the high-level things.

This is why Intel started working on iwd. It is a complete Wi-Fi management tool that does as much as possible automatically; for example, it remembers passwords. It is the only entity that has to scan on the radio: with wpa_supplicant, you have to do a parallel scan in NetworkManager because wpa_supplicant doesn’t give you the information. Because iwd keeps track of the available networks itself, it can offer fast roaming.

iwd also has clean, readable source code (it uses a daemon library, ELL) and it only runs on Linux. It only supports nl80211/cfg80211, not wext. The security bits are separated out and use kernel crypto (AF_ALG, and keycontrol to manage keyrings; no openssl). Its API is user-focused: it only asks for things when it needs them. It has non-interactive interfaces for installing credentials and for enterprise provisioning. Enterprise provisioning can only be done with a file, but if you leave something out (e.g. the password) it will be asked for interactively. Its WPS support actually works. It also supports Wi-Fi hotspots.
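As an added example (not from the talk and not iwd's own code), the sketch below reviews a file-based enterprise profile before rollout and reports which credentials were left out, and so would be asked for interactively, and whether a CA certificate is set. The key names (`EAP-Method`, `EAP-PEAP-CACert`, `EAP-PEAP-Phase2-Password` and so on) are assumed from iwd's key-file style and should be checked against the documentation for your iwd version; the sample profile, identities and paths are constructed, and only tunneled methods are covered.

```python
import configparser

# Constructed sample profile (not from the talk): PEAP with the password left out.
SAMPLE = """\
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@example.org
EAP-PEAP-CACert=/etc/ssl/certs/example-ca.pem
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=alice
"""

TUNNELED = {"PEAP", "TTLS"}  # this sketch only covers tunneled EAP methods


def audit_profile(text):
    """Return (prompted, findings) for one 802.1X provisioning file.

    prompted: credential keys absent from the file, i.e. asked for interactively.
    findings: review notes for whoever signs off the file before rollout.
    """
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in passwords
    cp.optionxform = str                                 # key names are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Security"):
        raise ValueError("no [Security] group")
    sec = cp["Security"]
    method = sec.get("EAP-Method", "").upper()
    if method not in TUNNELED:
        raise ValueError(f"unsupported or missing EAP-Method: {method!r}")

    prefix = f"EAP-{method}-"  # assumed key naming: EAP-<method>-<setting>
    prompted, findings = [], []
    for key in (prefix + "Phase2-Identity", prefix + "Phase2-Password"):
        if not sec.get(key):
            prompted.append(key)
    if prefix + "Phase2-Password" not in prompted:
        findings.append("password stored in file: restrict it to root (mode 0600)")
    if not sec.get(prefix + "CACert"):
        findings.append("no CA certificate set for validating the server")
    return prompted, findings


if __name__ == "__main__":
    prompted, findings = audit_profile(SAMPLE)
    print("asked interactively:", prompted)
    print("findings:", findings)
```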

There are regular releases, roughly monthly since February 2018. The latest release is 0.10, on 2018-10-20.

It already supports WPA3.

The API has station, ad-hoc and AP mode.

Interaction with it goes over D-Bus, and there is an iwctl command-line client that exposes that interface to the shell. There is integration available for ConnMan, but it has aged a little and should be updated. Integration with NetworkManager is there for personal networks, and enterprise support is underway. systemd-networkd integration is not there yet.

There is a conflict with renaming network interfaces in udev: iwd is faster than udev, so udev can no longer rename the interface because it is already up.

During development, there were a lot of fixes to the kernel as well. E.g. hotplug didn’t work properly because wpa_supplicant didn’t support it. They also built a tracing utility, iwmon, that decodes the nl80211 messages.

Last TODO items for 1.0: review the ELL (Embedded Linux Library) API, and review the D-Bus API.

Up to now it has been focused on Wi-Fi, but the authentication also applies to wired networks (802.1x). wpa_supplicant does this by converting the Ethernet port into a virtual AP. iwd has an ead that does it properly, but eventually it will be spun out.

Source is on git.kernel.org, documentation on https://iwd.wiki.kernel.org/

In the future it is also going to be a replacement for hostapd (i.e. for a full-fledged access point), but at the moment it is not up to it.