Store bonding keys in specific location ?

RE: Store bonding keys in specific location ?

Miguel Ferreira — Wed, 31 May 2023 10:59:39 GMT

Thank you very much!

Going to close this now 🙂

Have a nice day Hieu!

RE: Store bonding keys in specific location ?

Hieu — Wed, 31 May 2023 10:55:02 GMT

Hi Miguel.

[quote user="Miguel Ferreira"]Yup only the bonding information, but probably the API as its stores all the settings. My question was based on this ticket : RE: Setting and using NVS and BT Settings with Static Partition Manager .[/quote]

Ah yes, here they are dealing with storing all of Zephyr Settings, not just the key part. They are also dealing with regular Flash partitions and NVS, not a secure storage that hides the information away. As discussed, I don't think doing so provides any security benefits.

[quote user="Miguel Ferreira"]Thanks again![/quote]

Just doing my job 🙂

If everything is clear, please feel free to close this question at your convenience.

RE: Store bonding keys in specific location ?

Miguel Ferreira — Wed, 31 May 2023 10:39:58 GMT

Hi Hieu,

Thanks for the clarification!

Yup only the bonding information, but probably the API as its stores all the settings. My question was based on this ticket : RE: Setting and using NVS and BT Settings with Static Partition Manager .

Thanks again!

RE: Store bonding keys in specific location ?

Hieu — Tue, 30 May 2023 11:35:15 GMT

Hi Miguel,

The nRF5340 supports Trusted Firmware-M (TF-M), which supports some form of secure storage. I checked with my team and there is no fully integrated solution for storing Zephyr Setting using the TF-M's secure storage options. It is theoretically possible, but one will need to implement one's own solution for that.

Additionally, from the security viewpoint, the data will be exposed when it is used, so that diminishes the benefit of secure storage.

Therefore, this option is not recommended.

[quote user="Miguel Ferreira"]Basically during yesterday I found that its maybe possible to create an nvs partition while using the Partition Manager and you can store the keys in this partition. However, so far I wasnt able to do it...[/quote]

Do you mean only the bonding information, and not the entirety of Zephyr Settings? If so, could you share your references?

If it's about the entire Zephyr Settings, then even without any customization work, it is already setup like that by default, being stored in a partition via NVS.

RE: Store bonding keys in specific location ?

Miguel Ferreira — Tue, 30 May 2023 08:20:42 GMT

Hi Hieu,

No problem! hope you had a great holiday!

At the moment we are using nrf52840... But can you point me to the nrf5340 solution please ?

Basically during yesterday I found that its maybe possible to create an nvs partition while using the Partition Manager and you can store the keys in this partition. However, so far I wasnt able to do it...

Im using the setting CONFIG_NVS=y and calling nvs_mount() pointing to my nvs_storage partition:

settings_partition:
  address: 0xfc000
  end_address: 0xfe000
  placement:
    align:
      start: 0x1000
  region: flash_primary
  size: 0x2000
nvs_storage:
  address: 0xfe000
  end_address: 0x10000
  placement:
    align:
      start: 0x1000
  region: flash_primary
  size: 0x2000

I would guess that BT APIs would use this partition but probably Im doing something wrong.

Thanks again!

RE: Store bonding keys in specific location ?

Hieu — Tue, 30 May 2023 07:51:06 GMT

Hi Miguel,

Sorry for the wait. There was a holiday.

It is not possible to store just the bonding information in a protected section and the rest of Zephyr Settings elsewhere.

Are you implementing your own protected section from the ground up, or are you using something the nRF5340's TF-M Protected Storage? I am checking internally if the entire Zephyr Settings can be stored with Protected Storage and if there is an existing solution for that, just in case you are using the nRF5340.

On other note, I have relayed your interest to our development engineers. Storing bonding information in a protected section is something that we too already had on our backlog. Hopefully, we will see it realized soon.

Hieu

RE: Store bonding keys in specific location ?

Miguel Ferreira — Fri, 26 May 2023 14:55:01 GMT

Hi,

Oh sorry. Just want to save it in "protected" section along with other credentials.
Just to summarize, right now its not possible to do it correct ?

Thanks again Hieu.

RE: Store bonding keys in specific location ?

Hieu — Fri, 26 May 2023 14:42:11 GMT

Hi Miguel,

Ah right, I understood your setup and your goal.

When I asked about your motivation, I meant what is the reason you want to control the storage location of the bonding key?

It's fine if you cannot share it. I am happy to have helped, regardless.

RE: Store bonding keys in specific location ?

Miguel Ferreira — Fri, 26 May 2023 14:00:09 GMT

Hi Hieu,

Thanks for you reply!
So basically the goal would be to store the keys in a specific memory section or even in an external memory. To detail even more what Im doing:
1 -) Use bt_conn_set_security to force pairing
2- ) Use settings_load to grab the keys and to use them after rebooting the system

This works fine, but I would like to know how or if its possible to choose the "location" where the bonding info or keys are stored.

Thank you for your help!

RE: Store bonding keys in specific location ?

Hieu — Fri, 26 May 2023 11:35:02 GMT

Hi Miguel,

Unfortunately, that is not possible, at least as of now (nRF Connect SDK v2.3.0). The bond information storage is done in keys.c, part of the Zephyr Host, using the Zephyr Settings subsystem.

You can control where all Zephyr Settings are stored, but beyond that, you don't have any control over where the bonding information is stored.

By "specific memory location," do you mean in Flash or somewhere else? Could you please elaborate your motivation for this interest? Depends on the use case, we could consider the feature for some future nRF Connect SDK version.

Hieu

*Update 2023 May 31: Added some links.