How to enable TLS for MQTT on nRF5340

Hi Support team,

I'm currently using an nRF5340 DK and an ublox-SARA-R4 modem for MQTT communication, the Zephyr native MQTT lib was used. It can work well.
Now I want to enable TLS for the MQTT connection, and the root CA, client certificate and private key are generated.

Could you help give some guidance(sample or documentation) for the kconfig and steps of enabling TLS on MQTT? I'm using the net stack socket, not the offloaded socket.
There is a sample 'Secure MQTT Sensor/Actuator', but it can not be found in nRF SDK 2.5.2 and 2.6.1, where can I find the source code of this sample?
Thank you very much.

Best regards,
Yanpeng Wu

Parents

0 AHaug 1 hour ago
Hi,

Here's a first suggestion to resources that might help (albeit it's from the WiFi academy course so it might not be relevant, but please have a look and see if the links are helpful for 5340 with TLS on MQTT):

Process of enabling TLS on MQTT using the net stack socket:

1. Enable TLS support for the MQTT Library by enabling the following Kconfig `CONFIG_MQTT_LIB_TLS` https://academy.nordicsemi.com/courses/wi-fi-fundamentals/lessons/lesson-4-wifi-fundamentals/topic/mqtt-library/
CONFIG_MQTT_LIB_TLS

2. Set the transport type of the client to be secure. This is done in the `mqtt_transport` transport field in `struct mqtt_client`, by setting `transport.type` to `MQTT_TRANSPORT_SECURE` https://academy.nordicsemi.com/courses/wi-fi-fundamentals/lessons/lesson-4-wifi-fundamentals/topic/mqtt-library/

client_ctx.transport.type = MQTT_TRANSPORT_SECURE;

3. Define `struct mqtt_sec_config` and set the TLS configuration for the application. This includes the hostname for the MQTT broker, the security tags, and the preference for peer verification [source](academy.nordicsemi.com/.../).

struct mqtt_sec_config *tls_config = &client_ctx.transport.tls.config; tls_config->peer_verify = TLS_PEER_VERIFY_REQUIRED; tls_config->cipher_list = NULL; tls_config->sec_tag_list = m_sec_tags; tls_config->sec_tag_count = ARRAY_SIZE(m_sec_tags); tls_config->hostname = MQTT_BROKER_HOSTNAME;

4. Before establishing the connection to the MQTT broker, write the certificate for the TLS connection to the device using the `tls_credential_add()` API call from the TLS credentials subsystem of the Zephyr socket API [source](academy.nordicsemi.com/.../).

5. You can also check and configure the following library Kconfig options specific to the MQTT helper library: `CONFIG_MQTT_HELPER_PORT` and `CONFIG_MQTT_HELPER_SEC_TAG` [source](docs.nordicsemi.com/.../description.html

For more detailed information, you can refer to the https://docs.nordicsemi.com/bundle/ncs-latest/page/zephyr/connectivity/networking/api/mqtt.html#using_mqtt_with_tls

Kind regards,
Andreas
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 AHaug 1 hour ago
Hi,

Here's a first suggestion to resources that might help (albeit it's from the WiFi academy course so it might not be relevant, but please have a look and see if the links are helpful for 5340 with TLS on MQTT):

Process of enabling TLS on MQTT using the net stack socket:

1. Enable TLS support for the MQTT Library by enabling the following Kconfig `CONFIG_MQTT_LIB_TLS` https://academy.nordicsemi.com/courses/wi-fi-fundamentals/lessons/lesson-4-wifi-fundamentals/topic/mqtt-library/
CONFIG_MQTT_LIB_TLS

2. Set the transport type of the client to be secure. This is done in the `mqtt_transport` transport field in `struct mqtt_client`, by setting `transport.type` to `MQTT_TRANSPORT_SECURE` https://academy.nordicsemi.com/courses/wi-fi-fundamentals/lessons/lesson-4-wifi-fundamentals/topic/mqtt-library/

client_ctx.transport.type = MQTT_TRANSPORT_SECURE;

3. Define `struct mqtt_sec_config` and set the TLS configuration for the application. This includes the hostname for the MQTT broker, the security tags, and the preference for peer verification [source](academy.nordicsemi.com/.../).

struct mqtt_sec_config *tls_config = &client_ctx.transport.tls.config; tls_config->peer_verify = TLS_PEER_VERIFY_REQUIRED; tls_config->cipher_list = NULL; tls_config->sec_tag_list = m_sec_tags; tls_config->sec_tag_count = ARRAY_SIZE(m_sec_tags); tls_config->hostname = MQTT_BROKER_HOSTNAME;

4. Before establishing the connection to the MQTT broker, write the certificate for the TLS connection to the device using the `tls_credential_add()` API call from the TLS credentials subsystem of the Zephyr socket API [source](academy.nordicsemi.com/.../).

5. You can also check and configure the following library Kconfig options specific to the MQTT helper library: `CONFIG_MQTT_HELPER_PORT` and `CONFIG_MQTT_HELPER_SEC_TAG` [source](docs.nordicsemi.com/.../description.html

For more detailed information, you can refer to the https://docs.nordicsemi.com/bundle/ncs-latest/page/zephyr/connectivity/networking/api/mqtt.html#using_mqtt_with_tls

Kind regards,
Andreas
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Yanpengwu 50 minutes ago in reply to AHaug

Hi Andreas,

Thank you very much for the detailed guidance. The WiFi academy course is great for the first step.
When I downloaded the course code and tried to compile the wififund_less4_exer2_solution, it failed due to a failure to open the dependency file as below:

-- Generating done
-- Build files have been written to: C:/02_dataLogger/03course_WIFI_code/wifi-fund-main/lesson4/wififund_less4_exer2_solution/build/tfm
[31/163] Building C object secure_fw/partitions/crypto/mbedcrypto/nrf_security_src/CMakeFiles/crypto_service_mbedcrypto.dir/C_/ncs/v2.5.2/modules/crypto/mbedtls/library/memory_buffer_alloc.o
FAILED: secure_fw/partitions/crypto/mbedcrypto/nrf_security_src/CMakeFiles/crypto_service_mbedcrypto.dir/C_/ncs/v2.5.2/modules/crypto/mbedtls/library/memory_buffer_alloc.o 
C:\ncs\toolchains\c57af46cb7\opt\zephyr-sdk\arm-zephyr-eabi\bin\arm-zephyr-eabi-gcc.exe -DBL1_HEADER_SIZE=0x000 -DBL1_TRAILER_SIZE=0x000 -DBL2_HEADER_SIZE=0x000 -DBL2_TRAILER_SIZE=0x000 -DCONFIG_TFM_FLOAT_ABI=0 -DCONFIG_TFM_PARTITION_META -DCONFIG_TFM_USE_TRUSTZONE -DCRYPTO_HW_ACCELERATOR -DDAUTH_CHIP_DEFAULT -DMBEDTLS_CONFIG_FILE=\"nrf-config.h\" -DMBEDTLS_PSA_CRYPTO_BUILTIN_KEYS -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=\"C:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h\" -DMBEDTLS_PSA_CRYPTO_DRIVERS -DMBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER -DMBEDTLS_USER_CONFIG_FILE=\"nrf-config-user.h\" -DMCUBOOT_IMAGE_NUMBER=1 -DNRF5340_XXAA_APPLICATION -DNRF53_SERIES -DNRF_ALLOW_NON_SECURE_RESET -DNRF_NS_STORAGE -DNRF_SKIP_FICR_NS_COPY_TO_RAM -DPLATFORM_DEFAULT_BL1 -DPLATFORM_NS_NV_COUNTERS=0 -DPROJECT_CONFIG_HEADER_FILE=\"C:/02_dataLogger/03course_WIFI_code/wifi-fund-main/lesson4/wififund_less4_exer2_solution/build/modules/nrf/modules/tfm/zephyr/tfm_config.h\" -DPSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER -DPSA_CRYPTO_SECURE -DPS_CRYPTO_AEAD_ALG_GCM -DPS_ENCRYPTION -DTFM_FIH_PROFILE_OFF -DTFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID=0x00000070 -DTFM_LVL=1 -DTFM_PARTITION_CRYPTO -DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_SILENCE -DTFM_PARTITION_NS_AGENT_TZ -DTFM_PARTITION_PLATFORM -DTFM_SPM_LOG_LEVEL=TFM_SPM_LOG_LEVEL_SILENCE -D__NRF_TFM__ -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/partitions/crypto -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/partitions/crypto/psa_driver_api -Isecure_fw/partitions/crypto/mbedcrypto/nrf_security_src/include/generated -IC:/ncs/v2.5.2/nrf/subsys/nrf_security/tfm/../include -IC:/ncs/v2.5.2/nrf/ext/oberon/psa/core/include -IC:/ncs/v2.5.2/nrf/ext/oberon/psa/core/library -IC:/ncs/v2.5.2/modules/crypto/mbedtls/include -IC:/ncs/v2.5.2/modules/crypto/mbedtls/library -IC:/ncs/v2.5.2/nrf/subsys/nrf_security/tfm/../../../../nrfxlib/crypto/nrf_oberon/include -IC:/ncs/v2.5.2/nrf/subsys/nrf_security/tfm/../../../../nrfxlib/crypto/nrf_oberon/include/mbedtls -IC:/ncs/v2.5.2/nrf/ext/oberon/psa/drivers -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/interface/include -Igenerated/interface/include -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/config -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/include -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/partitions/firmware_update -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/partitions/initial_attestation -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/partitions/internal_trusted_storage -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/partitions/platform -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/partitions/protected_storage -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/secure_fw/spm/include -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/. -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/native_drivers -IC:/ncs/v2.5.2/modules/hal/nordic/nrfx -IC:/ncs/v2.5.2/modules/hal/nordic/nrfx/mdk -IC:/ncs/v2.5.2/modules/hal/nordic/nrfx/drivers/include -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/common -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/.. -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/services/include -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/ext/target/nordic_nrf/common/nrf5340/. -IC:/ncs/v2.5.2/nrf/modules/tfm/tfm/boards/include -IC:/ncs/v2.5.2/nrf/modules/tfm/tfm/boards/partition -I../zephyr/include/generated -IC:/ncs/v2.5.2/nrf/modules/tfm/tfm/boards/board -I../zephyr/misc/generated/syscalls_links/include -IC:/ncs/v2.5.2/zephyr/include -IC:/ncs/v2.5.2/nrf/modules/tfm/tfm/boards/services/include -IC:/ncs/v2.5.2/nrf/include -IC:/ncs/v2.5.2/nrf/include/tfm -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/ext/accelerator/interface -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/./ext -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/./ext/cmsis -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/./ext/common -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/./ext/driver -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/./include -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/ext/common -IC:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/lib/fih/inc -isystem C:/ncs/v2.5.2/nrfxlib/crypto/nrf_cc312_platform/include -isystem C:/ncs/v2.5.2/nrfxlib/crypto/nrf_oberon/include/mbedtls -isystem C:/ncs/v2.5.2/nrfxlib/crypto/nrf_oberon/include -mcpu=cortex-m33+nodsp+nofp -Os -DNDEBUG -fmacro-prefix-map=C:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/../tf-m-tests=TFM_TEST_REPO_PATH -specs=nano.specs -Wall -Wno-format -Wno-return-type -Wno-unused-but-set-variable -c -fdata-sections -ffunction-sections -fno-builtin -fshort-enums -funsigned-char -mthumb -nostdlib -std=c99 -gdwarf-4 -g -imacros C:/02_dataLogger/03course_WIFI_code/wifi-fund-main/lesson4/wififund_less4_exer2_solution/build/zephyr/include/generated/autoconf.h -Wno-unused-function -Wno-unused-variable -Wno-stringop-overflow -Wno-stringop-overread -Wno-strict-aliasing -Wno-unused-const-variable -Wno-unused-parameter -mfloat-abi=soft -mcmse -Wno-unused-value -include C:/ncs/v2.5.2/modules/tee/tf-m/trusted-firmware-m/platform/include/cmsis_override.h -MD -MT secure_fw/partitions/crypto/mbedcrypto/nrf_security_src/CMakeFiles/crypto_service_mbedcrypto.dir/C_/ncs/v2.5.2/modules/crypto/mbedtls/library/memory_buffer_alloc.o -MF secure_fw\partitions\crypto\mbedcrypto\nrf_security_src\CMakeFiles\crypto_service_mbedcrypto.dir\C_\ncs\v2.5.2\modules\crypto\mbedtls\library\memory_buffer_alloc.o.d -o secure_fw/partitions/crypto/mbedcrypto/nrf_security_src/CMakeFiles/crypto_service_mbedcrypto.dir/C_/ncs/v2.5.2/modules/crypto/mbedtls/library/memory_buffer_alloc.o -c C:/ncs/v2.5.2/modules/crypto/mbedtls/library/memory_buffer_alloc.c
C:/ncs/v2.5.2/modules/crypto/mbedtls/library/memory_buffer_alloc.c:614:1: fatal error: opening dependency file secure_fw\partitions\crypto\mbedcrypto\nrf_security_src\CMakeFiles\crypto_service_mbedcrypto.dir\C_\ncs\v2.5.2\modules\crypto\mbedtls\library\memory_buffer_alloc.o.d: No such file or directory
  614 | }
      | ^
compilation terminated.
ninja: build stopped: subcommand failed.

I built it for nrf5340dk_nrf5340_cpuapp_ns, could you help tell me how to build it?

In addition, there is a script cert_to_header.py. In a typical application, should I use this script to transform certificate files to .h file, or use tls_credential_add() to add certificate files directly?

Thank you very much.

Best regards,
Yanpeng Wu

0 AHaug 39 minutes ago in reply to Yanpengwu
This is where the issue comes. The academy course for wifi is built and only supported for

nRF7002 DK (stand-alone) or nRF7002 EK with the nRF5340 DK

Unless you have the EK to put on top its not meant to be used for the 5340DK alone.

The configurations were more meant as an inspiration for you to have a closer look at.

I recommend you also consider if the path length is too long ( C:/02_dataLogger/03course_WIFI_code/wifi-fund-main/lesson4/wififund_less4_exer2_solution/build/tfm) On windows there is a limit to 250 chars, and the path here might cause issues for files further into the building procedure.

Kind regards,
Andreas
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel