From 9d43b9d7a4a0080ce59da87b41321719947ffbaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mattias=20Walstr=C3=B6m?=
Date: Fri, 9 Jan 2026 23:43:20 +0100
Subject: [PATCH 1/2] hostapd: Do not recreate bss-interfaces

By default, hostapd always recreate all bss interfaces, we create them in confd so we do not want this behaviour.
---
.../hostapd/0002-do-not-recreate-interfaces.patch | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 patches/hostapd/0002-do-not-recreate-interfaces.patch

diff --git a/patches/hostapd/0002-do-not-recreate-interfaces.patch b/patches/hostapd/0002-do-not-recreate-interfaces.patch
new file mode 100644
index 000000000..0dfe9aa40
--- /dev/null
+++ b/patches/hostapd/0002-do-not-recreate-interfaces.patch
@@ -0,0 +1,13 @@
+diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
+index 2406658da..4226a98ca 100644
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -1508,7 +1496,7 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first,
+ conf->iface, addr, hapd,
+ &hapd->drv_priv, force_ifname, if_addr,
+ conf->bridge[0] ? conf->bridge : NULL,
+- first == -1)) {
++ 1)) {
+ wpa_printf(MSG_ERROR, "Failed to add BSS (BSSID="
+ MACSTR ")", MAC2STR(hapd->own_addr));
+ hapd->interface_added = 0;

From 2ff02d0c48629d6f0e252a9a419ea3181c8748f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mattias=20Walstr=C3=B6m?=
Date: Sat, 10 Jan 2026 10:52:04 +0100
Subject: [PATCH 2/2] yang: keystore: Revert changes done when merging WireGuard

Accept the changes done when including Wi-Fi accesspoint, which renames cleartext-symmetric-key to symmetric-key.
---
src/confd/yang/confd/infix-if-wireguard.yang | 2 +-
src/confd/yang/confd/infix-keystore.yang | 13 +++++++++++--
test/case/interfaces/wireguard_multipoint/test.py | 8 ++++----
3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/confd/yang/confd/infix-if-wireguard.yang b/src/confd/yang/confd/infix-if-wireguard.yang
index 6afb3c17c..20ca77d93 100644
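Review bot: In the embedded src/ap/hostapd.c hunk of patches/hostapd/0002-do-not-recreate-interfaces.patch, the bare `1` that replaces `first == -1` says nothing about what it enables, and the new .patch file carries no description of its own. The callee and the start of its argument list lie outside the hunk, so the flag's meaning is inferred from the commit message; a comment on that line such as `/* confd pre-creates BSS interfaces: always reuse, never recreate */` plus a short header in the patch file would record the intent for whoever rebases it onto a newer hostapd. Because hostapd will then presumably adopt whatever netdev already holds the configured name, it is worth confirming that only confd can create interfaces under those names and that teardown does not delete an interface hostapd did not create.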
--- a/src/confd/yang/confd/infix-if-wireguard.yang +++ b/src/confd/yang/confd/infix-if-wireguard.yang @@ -75,7 +75,7 @@ submodule infix-if-wireguard { This provides post-quantum resistance as an attacker would need to break both the Curve25519 key exchange and this symmetric key."; - must "derived-from-or-self(deref(.)/../ks:key-format, 'ixct:wireguard-symmetric-key-format')" { + must "derived-from-or-self(deref(.)/../infix-ks:key-format, 'ixct:wireguard-symmetric-key-format')" { error-message "Preshared key must be in wireguard-symmetric-key-format"; } } diff --git a/src/confd/yang/confd/infix-keystore.yang b/src/confd/yang/confd/infix-keystore.yang index ec7536d6f..9f1f61bd6 100644 --- a/src/confd/yang/confd/infix-keystore.yang +++ b/src/confd/yang/confd/infix-keystore.yang @@ -39,10 +39,19 @@ module infix-keystore { } } deviation "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/ks:key-format" { - deviate replace { + deviate not-supported; + } + augment "/ks:keystore/ks:symmetric-keys/ks:symmetric-key" { + leaf key-format { type identityref { base infix-ct:symmetric-key-format; } + description + "Identifies the symmetric key's format + + Valid symmetric key formats are: + wifi-preshared-key-format - WiFi preshared key + wireguard-symmetric-key-format - WireGuard preshared key"; } } deviation "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/ks:key-type/ks:cleartext-symmetric-key" { @@ -52,7 +61,7 @@ module infix-keystore { case cleartext-symmetric-key { leaf symmetric-key { type string; - must "../../key-format != 'infix-ct:wifi-preshared-key-format' or " + + must "../infix-ks:key-format != 'infix-ct:wifi-preshared-key-format' or " + "(string-length(.) >= 8 and string-length(.) <= 63)" { error-message "WiFi pre-shared key must be 8-63 characters long"; } diff --git a/test/case/interfaces/wireguard_multipoint/test.py b/test/case/interfaces/wireguard_multipoint/test.py index bb9e86645..531192103 100755 --- a/test/case/interfaces/wireguard_multipoint/test.py 
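Review bot: The augmented `key-format` leaf in infix-keystore.yang that replaces the standard one (now `deviate not-supported`) is declared with only a type and a description, so whatever `mandatory` or NACM statements the original ks:key-format carried are not re-applied. The original definition is not visible in this diff; if it is marked `nacm:default-deny-write` as in ietf-crypto-types, add `nacm:default-deny-write;` to the new leaf (this needs the ietf-netconf-acm import, which is outside the hunk). The description should also say what a key stored without a key-format means: by XPath rules it fails the WireGuard `must` and is held to the 8-63 character check, since both constraints read this leaf.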
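Review bot: The rewritten `must` on `symmetric-key` in infix-keystore.yang still tests the identityref with a string comparison, `../infix-ks:key-format != 'infix-ct:wifi-preshared-key-format'`, which depends on how the validator renders the identity's prefix; if the rendered form differs from the literal, the inequality is true and the 8-63 length check is skipped for WiFi keys. The WireGuard constraint in infix-if-wireguard.yang already uses `derived-from-or-self`, and the same form here would be `must "not(derived-from-or-self(../infix-ks:key-format, 'infix-ct:wifi-preshared-key-format')) or " +`. The leaf's body continues past the end of the hunk, so any further statements on it are not reviewed here.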
+++ b/test/case/interfaces/wireguard_multipoint/test.py @@ -76,11 +76,11 @@ def configure_server(dut): "symmetric-key": [{ "name": "psk-client1", "infix-keystore:symmetric-key": psk_client1, - "key-format": "infix-crypto-types:wireguard-symmetric-key-format" + "infix-keystore:key-format": "infix-crypto-types:wireguard-symmetric-key-format" }, { "name": "psk-client2", "infix-keystore:symmetric-key": psk_client2, - "key-format": "infix-crypto-types:wireguard-symmetric-key-format" + "infix-keystore:key-format": "infix-crypto-types:wireguard-symmetric-key-format" }] } } @@ -227,7 +227,7 @@ def configure_client1(dut): "symmetric-key": [{ "name": "psk-server", "infix-keystore:symmetric-key": psk_client1, - "key-format": "infix-crypto-types:wireguard-symmetric-key-format" + "infix-keystore:key-format": "infix-crypto-types:wireguard-symmetric-key-format" }] } } @@ -361,7 +361,7 @@ def configure_client2(dut): "symmetric-key": [{ "name": "psk-server", "infix-keystore:symmetric-key": psk_client2, - "key-format": "infix-crypto-types:wireguard-symmetric-key-format" + "infix-keystore:key-format": "infix-crypto-types:wireguard-symmetric-key-format" }] } }