diff --git a/tests/hwsim/test_sigma_dut.py b/tests/hwsim/test_sigma_dut.py
index f3a4cc60e..c9e7c34c8 100644
--- a/tests/hwsim/test_sigma_dut.py
+++ b/tests/hwsim/test_sigma_dut.py
@@ -4737,3 +4737,114 @@ def test_sigma_dut_ap_gtk_rekey(dev, apdev, params):
             sigma_dut_cmd_check("ap_reset_default")
         finally:
             stop_sigma_dut(sigma)
+
+def test_sigma_dut_sae_pk(dev, apdev):
+    """sigma_dut controlled STA using SAE-PK"""
+    if "SAE" not in dev[0].get_capability("auth_alg"):
+        raise HwsimSkip("SAE not supported")
+
+    ifname = dev[0].ifname
+    sigma = start_sigma_dut(ifname)
+
+    ssid = "SAE-PK test"
+    pw = "dwxm-zv66-p5ue"
+    m = "431ff8322f93b9dc50ded9f3d14ace22"
+    pk = "MHcCAQEEIAJIGlfnteonDb7rQyP/SGQjwzrZAnfrXIm4280VWajYoAoGCCqGSM49AwEHoUQDQgAEeRkstKQV+FSAMqBayqFknn2nAQsdsh/MhdX6tiHOTAFin/sUMFRMyspPtIu7YvlKdsexhI0jPVhaYZn1jKWhZg=="
+
+    try:
+        params = hostapd.wpa2_params(ssid=ssid, passphrase="12345678")
+        params['wpa_key_mgmt'] = 'SAE'
+        params["ieee80211w"] = "2"
+        params['sae_groups'] = '19'
+        params['sae_password'] = ['%s|pk=%s:%s' % (pw, m, pk)]
+        hapd = hostapd.add_ap(apdev[0], params)
+
+        sigma_dut_cmd_check("sta_reset_default,interface,%s,prog,WPA3" % ifname)
+        sigma_dut_cmd_check("sta_set_ip_config,interface,%s,dhcp,0,ip,127.0.0.11,mask,255.255.255.0" % ifname)
+        sigma_dut_cmd_check("sta_set_wireless,interface,%s,program,WPA3" % ifname)
+        sigma_dut_cmd_check("sta_set_security,interface,%s,ssid,%s,passphrase,%s,type,SAE,encpType,aes-ccmp,keymgmttype,wpa2,sae_pk,1" % (ifname, ssid, pw))
+        sigma_dut_cmd_check("sta_associate,interface,%s,ssid,%s,channel,1" % (ifname, ssid),
+                            timeout=10)
+        sigma_dut_wait_connected(ifname)
+        dev[0].dump_monitor()
+
+        sigma_dut_cmd_check("sta_reset_default,interface," + ifname)
+    finally:
+        stop_sigma_dut(sigma)
+
+def run_sigma_dut_ap_sae_pk(conffile, dev, ssid, pw, keypair, m, failure):
+    sigma_dut_cmd_check("ap_reset_default")
+    sigma_dut_cmd_check("ap_set_wireless,NAME,AP,CHANNEL,1,SSID,%s,MODE,11ng" % ssid)
+    sigma_dut_cmd_check("ap_set_security,NAME,AP,AKMSuiteType,8,PairwiseCipher,AES-CCMP-128,GroupCipher,AES-CCMP-128,GroupMgntCipher,BIP-CMAC-128,PMF,Required,PSK,%s,sae_pk,1,Transition_Disable,1,Transition_Disable_Index,0,SAE_PK_KeyPair,%s,SAE_PK_Modifier,%s" % (pw, keypair, m))
+    sigma_dut_cmd_check("ap_config_commit,NAME,AP")
+    bssid = sigma_dut_cmd_check("ap_get_mac_address,NAME,AP")
+    bssid = bssid.split(',')[3]
+
+    with open("/tmp/sigma_dut-ap.conf", "rb") as f:
+        with open(conffile, "ab") as f2:
+            f2.write(f.read())
+            f2.write('\n'.encode())
+
+    dev.set("sae_groups", "")
+    dev.connect(ssid, key_mgmt="SAE", sae_password=pw, ieee80211w="2",
+                scan_freq="2412", wait_connect=False)
+
+    ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
+                         "CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=15)
+    if ev is None:
+        raise Exception("No connection result reported")
+
+    bss = dev.get_bss(bssid)
+    if 'flags' not in bss:
+        raise Exception("Could not get BSS flags from BSS table")
+    if "[SAE-H2E]" not in bss['flags'] or "[SAE-PK]" not in bss['flags']:
+        raise Exception("Unexpected BSS flags: " + bss['flags'])
+
+    if failure:
+        if "CTRL-EVENT-CONNECTED" in ev:
+            raise Exception("Unexpected connection")
+        dev.request("REMOVE_NETWORK all")
+    else:
+        if "CTRL-EVENT-CONNECTED" not in ev:
+            raise Exception("Connection failed")
+        dev.request("REMOVE_NETWORK all")
+        dev.wait_disconnected()
+    dev.dump_monitor()
+
+    sigma_dut_cmd_check("ap_reset_default")
+
+def test_sigma_dut_ap_sae_pk(dev, apdev, params):
+    """sigma_dut controlled AP using SAE-PK"""
+    logdir = params['prefix'] + ".sigma-hostapd"
+    conffile = params['prefix'] + ".sigma-conf"
+    if "SAE" not in dev[0].get_capability("auth_alg"):
+        raise HwsimSkip("SAE not supported")
+    tests = [("SAEPK-4.7.1", "fb4c-zpqh-bhdc", "saepk.pem",
+              "2ec1f37b47b402252e9dc5001e81fd1c", False),
+             ("SAEPK-5.7.1.1", "amro-yjrs-zzda", "saepk1.pem",
+              "f42baa90420032486b3229ab0890878a", False),
+             ("SAEPK-5.7.1.2", "eh56-tjce-cnzg-ymhq", "saepk2.pem",
+              "efb8b7a87e0638a93b056cb4aadf4a71", False),
+             ("SAEPK-5.7.1.3", "knny-r45l-ww3w", "saepk3.pem",
+              "6502721b2c2dfea3c9aefc5324eee9c9", False),
+             ("SAEPK-5.7.2.1", "fvys-4brw-d67c", "saepk4.pem",
+              "b63662c6f0bdd12bf5a2075ccfd7e132", False),
+             ("SAEPK-5.7.2.2", "cnj6-khsf-dgzh", "saepk5.pem",
+              "126d37fae167a53d4ebb08a235cef1da", False),
+             ("SAEPK-5.7.2.3", "hr7j-3cdr-wtq6", "saepk6.pem",
+              "61a84a86ffb1b9e23f576a0275ddcc78", True),
+             ("SAEPK-5.7.2.4", "geoh-2rvn-ivwu", "saepk7.pem",
+              "61a84a86ffb1b9e23f576a0275ddcc78", False),
+             ("SAEPK-5.7.2.4", "geoh-2rvn-ivwu", "saepk8_sig.pem",
+              "61a84a86ffb1b9e23f576a0275ddcc78", True),
+             ("SAEPK-5.7.3", "hbhh-r4um-jzjs", "saepk9.pem",
+              "af9b55bce52040892634bb3e41d557ee", False)]
+
+    with HWSimRadio() as (radio, iface):
+        sigma = start_sigma_dut(iface, hostapd_logdir=logdir)
+        try:
+            for ssid, pw, keypair, m, failure in tests:
+                run_sigma_dut_ap_sae_pk(conffile, dev[0], ssid, pw, keypair, m,
+                                        failure)
+        finally:
+            stop_sigma_dut(sigma)