Wiki -> https://fedoraproject.org/wiki/Changes/WifiMACRandomization This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Adopt stable-ssid as the default MAC address randomization mode for Wi-Fi networks in NetworkManager for Fedora 40, enhancing user privacy without compromising network stability. == Owner == * Name: [[User:sfaye| Stanislas FAYE]], [[User:Till| Till Maas]] * Email: <sfaye@xxxxxxxxxx>, <till@xxxxxxxxxxxxxxxxx> == Detailed Description == The change involves adding a new file, /usr/lib/NetworkManager/conf.d/22-wifi-mac-addr.conf. This file sets `wifi.cloned-mac-address=”stable-ssid”` as the default mode for MAC address randomization in Wi-Fi connections within NetworkManager for [https://docs.fedoraproject.org/en-US/releases/f40/ Fedora Linux 40]. The `stable-ssid` mode, which generates a MAC address based on the network's SSID, is aimed at enhancing user privacy. This new default value will apply to Wi-Fi profiles in [https://docs.fedoraproject.org/en-US/releases/f40/ Fedora Linux 40], but profiles have the option to explicitly set different values to override the default. The content of the added file is: [connection.22-wifi-mac-addr] match-device=type:wifi wifi.cloned-mac-address=stable-ssid [.config] enable=nm-version-min:1.45 For further details, please refer to `man NetworkManager.conf`. Note that this change will impact networks that rely on static MAC addresses. Users may need to adjust their Wi-Fi settings, particularly if their network operations depend on consistent MAC addresses. For example, networks with access control based on MAC addresses will need to explicitly set `wifi.cloned-mac-address` to “preserve” in network profiles to avoid any disruptions in connectivity. == Benefit to Fedora == This change enhances user privacy by addressing the issue of MAC address tracking method used by network operators and advertisers to gather data about users’ movements and device usage patterns. By randomizing MAC addresses, Fedora reduces the potential for this type of passive surveillance, thereby enhancing individual privacy. It aligns Fedora with privacy-focused features present in other modern operating systems. The generated MAC address under the `stable-ssid` mode is derived from the network’s SSID, a per-host key (from `/etc/machine-id` and `/var/lib/NetworkManager/secret_key`), and a per-interface identifier. == Scope == * Proposal owners: The [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1789 merge request] is already merged upstream. * Other developers: N/A * Release engineering: [https://pagure.io/releng/issues #Releng issue number] * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) == Upgrade/compatibility impact == With the adoption of `stable-ssid` as the default in Fedora 40, existing users may experience changes in their Wi-Fi connection behavior, particularly those whose network setups depend on fixed MAC addresses. It’s crucial for users to be aware that upgrading to Fedora 40 will apply this new MAC address randomization by default. Users needing to maintain consistent MAC addresses for specific networks can address this by following one of these steps: 1. Manually set `wifi.cloned-mac-address` to `permanent` for specific profiles using `nmcli connection modify [$PROFILE] wifi.cloned-mac-address permanent` 2. Create a custom configuration file in `/etc/NetworkManager/conf.d/22-wifi-mac-addr.conf`, which can be empty or contain specific configurations. This will prevent the default file in `/usr/lib` from being loaded. 3. Create a higher priority .conf file like /etc/NetworkManager/conf.d/90-wifi-mac-addr.conf with: [connection-90-wifi-mac-addr-conf] wifi.cloned-mac-address=permanent For details on the order in which configuration files are loaded and their priority, refer to `man NetworkManager.conf` == How To Test == * Upgrade NetworkManager to version 1.45 or newer implementing the stable-ssid mode * Connect to Wi-Fi network using nmcli or the GNOME network settings * Use `ip link show` (replacing [device] with your Wi-Fi device’s name) to check the MAC address assigned to the device. * Note the MAC address and reconnect to the same network to confirm that the MAC address remains consistent across sessions. * Connect to different Wi-Fi networks and observe the MAC address for each connection. * Ensure that the MAC address is derived from the network’s SSID. * Manually override the MAC address for a specific Wi-Fi profile using `nmcli connection modify [profile] wifi.cloned-mac-address [your-mac-address]` to set a specific MAC address * Reconnect to the network and use `nmcli device show [device]` to verify that the specified MAC address is being used. == User Experience == Users will experience an additional layer of privacy without any required action on their part. The change is transparent, with minimal impact on the day-to-day user experience. However, for those with specific network configurations reliant on static MAC addresses, this update may require manual adjustments to network profile settings. Users in such scenarios will need to be aware of the change and how to revert to a fixed MAC address if necessary, ensuring their network connectivity aligns with their requirements. == Dependencies == N/A == Contingency Plan == * Contingency mechanism: Revert to previous MAC address handling if significant issues arise. * Contingency deadline: Beta freeze of Fedora 40. * Blocks release? No == Documentation == No documentation change is required. == Release Notes == The change will be mentioned in the Release Notes. -- Aoife Moloney Fedora Operations Architect Fedora Project Matrix: @amoloney:fedora.im IRC: amoloney -- _______________________________________________ devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue