• State Not Answered
  • Replies 2 replies
  • Subscribers 74 subscribers
  • Views 983 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 313692
Options

Certificates & key management unit on nRF9160 for provisioning

chris_h

Hi,

I have a few questions on key/certificate storage on the nRF9160, specifically relating to getting ready to provision them for production

In the image below, its looks like the application core and LTE modem core have separate embedded flash storage. 

  1. I am a bit confused by this as the modem firmware, which I assumed is stored on its own embedded flash, can be programmed through nrfjprog / nRF Connect programmer via Jlink.  Are the memories linked?  How is this happening?
  2. The extract from the 9160PS below says that the KMU is stored in the UICR, however ensuring the CPU has no access to stored cryptographic keys. When I erase the UICR on nrfjprog, the keys still remain.  Is this a different memory sector or modem specific memory UICR? I know the keys are meant to be erased via the AT commands on the modem COM, I'm just trying to understand more about the memory layout

  3. I have been updating certificates using both the nRFConnect LTE link monitor, which operates on the modem COM port, and a custom program sending out AT commands on the modem COM port.  Are there any other methods i.e. via Jlink?
  4. What keys/certificates are preprogrammed in the nRF9160 SiP (not DK) from the factory? 

Thanks!

Kind regards,

Chris

  • 0

    Hi Chris,

    Thanks for checking us for your questions.

    I am a bit confused by this as the modem firmware, which I assumed is stored on its own embedded flash, can be programmed through nrfjprog / nRF Connect programmer via Jlink.  Are the memories linked?  How is this happening?

    You can find the explanation about LTE modem from nRF9160 specs. "Application and modem domains interact through the interprocessor communication (IPC) mechanism. The LTE modem is accessible to users through the modem API." The developer should be able to use it with modem library running on the application core.

    The extract from the 9160PS below says that the KMU is stored in the UICR, however ensuring the CPU has no access to stored cryptographic keys. When I erase the UICR on nrfjprog, the keys still remain.  Is this a different memory sector or modem specific memory UICR? I know the keys are meant to be erased via the AT commands on the modem COM, I'm just trying to understand more about the memory layout

    There is some discussion on this topic here (+) nrf9160 Private Key Storage - Nordic Q&A - Nordic DevZone - Nordic DevZone (nordicsemi.com)

    I have been updating certificates using both the nRFConnect LTE link monitor, which operates on the modem COM port, and a custom program sending out AT commands on the modem COM port.  Are there any other methods i.e. via Jlink?

    No, AT commands are only supported via the application core uart peripheral.

    JLink programmer/debugger is used for program or debugging fw but not for communication.

    What keys/certificates are preprogrammed in the nRF9160 SiP (not DK) from the factory? 

    Values above 2147483647 are reserved for the modem. <sec_tag>s with values above 2147483647 might be visible in the %CMNG list command, and the developer can ignore them for application development.

    You may see 429496729x in the latest nRF9160 SiP. The use case for these keys/ CA is the Identity and provisioning service of nRF Cloud, the modem library should have them and the developer does not need to set the sec_tag manually anywhere.

    Best regards,

    Charlie

  • 0 in reply to Charlie

    Hi Charlie, thank you for this information.  It is much more clear now and the links provided helped

Related
Terms of service