Getting into Cellular and security with nRF9160

RE: Getting into Cellular and security with nRF9160

Håkon Alseth — Mon, 13 Nov 2023 14:19:40 GMT

Hi,

[quote user="zazas321"]1. By using the secure image, I can place the certificate there and just make the special API calls to get the credentials when needed. Is that how it works?[/quote]

Certificates are stored in the modem, and you access them by referencing the specific security tag where you initially stored the credentials.

I think your questions are valid, like for instance this one:

[quote user=""]How do I decide if I need this in my application or not? [/quote]

The answer to this question is based on the nRF9160 hardware model.

The modem can only communicate with the application in a "non-secure mode", and the default boot-up mode for a Cortex M33 CPU core is "secure mode".

This means that if you want to use the modem, you have to do this in the non-secure mode, ie. with board "nrf9160dk_nrf9160_ns" (or other equivilant board _ns prefix'ed).

I hope this clarifies the reason why everything for nRF9160 will include TF-M.

That being said; you have several image sizes (feature sets) for TF-M. If you need crypto-acceleration in your application space, this will effectively be a non-secure callable function to the secure part.

Now, to answer your question directly: Where does the credentials go?

Normally you provision your device from a 3rd party, like a computer in production (or a webservice for that matter) - this way, credentials are never stored in the .hex, but rather fetched and stored into the modem from an external source.

[quote user="zazas321"]2. How does the merged hex file look like in that case? Does it hash the whole part of secure image to ensure is not availae to extract any information from it?[/quote]

You reference the sec_tag where you initially provisioned the certificates - they're now stored in the modem itself.

You can program the specific tag using our tools, for instance in nRF connect for desktop - Cellular monitor (PC application):

This takes in a certificate, and wraps it around the AT%CMNG call to write it into the modem itself.

[quote user="zazas321"]3. Can you recommend which sample project would be best suited for example that I have explained above? In the NCS sample directory there is quite a few different security and TF-M samples available. I can fully decide which one would suit my particular application best[/quote]

at_client can take in AT commands via uart.

If you want to use a CLI based tool, you can look at this blog post:

Automating nRF91 TLS credential management via serial port AT commands

And also this project:

https://github.com/NordicSemiconductor/nrfcredstore

Kind regards,

Håkon

RE: Getting into Cellular and security with nRF9160

zazas321 — Wed, 08 Nov 2023 15:56:50 GMT

Thank you for your quick reply. Before we close this ticket, i would like to explain a scenario and I would like you to confirm this to ensure I understand this correct.

I could use TF-M and multi image in the following scenario:

Lets say I want to use MQTT TLS with the nRF91DK. TLS requires a certificate that I want to protect.

Normally, I would just include the certificate in the header file and just use it. That is a security vulnerability since everyone who have access to firmware hex file could extract the certificate if they put some effort ( it would not be easy because the certificate normally is a bunch of random characters) but this data would be somewhere within plain sight in the hex file I think.

1. By using the secure image, I can place the certificate there and just make the special API calls to get the credentials when needed. Is that how it works?

2. How does the merged hex file look like in that case? Does it hash the whole part of secure image to ensure is not availae to extract any information from it?

3. Can you recommend which sample project would be best suited for example that I have explained above? In the NCS sample directory there is quite a few different security and TF-M samples available. I can fully decide which one would suit my particular application best

I would appreciate if you could respond to each of my questions one by one. That way it would be very clear for me. Thanks!

RE: Getting into Cellular and security with nRF9160

Øyvind — Wed, 08 Nov 2023 13:31:29 GMT

Hello,

As mentioned in lesson one of the Cellular IoT fundementals course, the nRF9160 has two domains, the secure and non-secure domain.

At boot-up, the application always starts execution from the secure domain. From there, the Trusted Firmware-M (TF-M) is started (image one), which will configure part of the memory and peripherals as non-secure and then jump to the main application (image two) in the non-secure area.

This is all automated by the nRF Connect SDK when building your application for the non-secure domain. As you can see from the figure, the modem library, which interfaces with the LTE modem, is defined in the non-secure domain. Therefore, when building for the nRF9160, you should always build for the non-secure domain.

All nRF9160 applications (the parent image) require Trusted Firmware-M (the child image) to be programmed together with the actual application. When building an application for the non-secure domain, TF-M is automatically included as the child image, making it a multi-image build.

In your case, as you are new to this, I would recommend not thinking about the TF-M child image at this stage as it is automatically included. More information on secure build can be found under Build targets in our documentation. If you feel something is not covered or missing in course, please leave feedback in Feedback button on DevAcademy.

Have a look at our documentation for Working with the nRF91 series, and please test the Cellular samples in our nRF Connect SDK. We also have Precompiled application and modem firmware packages which includes our most used samples and applications to test with your development kit. These are found in the Downloads tab of the nRF9160DK product page.

Kind regards,
Øyvind