https://devzone.nordicsemi.com/f/nordic-q-a/56295/nrf9160-lwm2m-sample-app-cannot-update-dtls-keys-dynamicallyHi, I have extended the nRF9160 sample app to use Leshan bootstrap server. Using a boostrap server means getting DTLS PSK crypto keys from the bootstrap server. Hence the device must be able to update the keys while connecting. However, it seems thisen-USTelligent Community 13Wed, 29 Jan 2020 15:29:19 GMThttps://devzone.nordicsemi.com/thread/231722?ContentTypeID=1Wed, 29 Jan 2020 15:29:19 GMT137ad170-7792-4731-bb38-c0d22fbe4515:5fe09987-d278-435e-9144-c3d3097251f9Didrik Rokhaug<p>Let me know what you find out. It is valuable feedback to our developers.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/231704?ContentTypeID=1Wed, 29 Jan 2020 14:52:21 GMT137ad170-7792-4731-bb38-c0d22fbe4515:29395f7a-ef1d-405a-9085-963ac1c4ce50Bjorn191023<p>Thanks a lot Didrik,</p> <p>I will review the proposed solution again, I might have misunderstood the dynamics of the LwM2M client. I get back to you.</p> <p>BR / Bj&ouml;rn</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/231650?ContentTypeID=1Wed, 29 Jan 2020 12:50:10 GMT137ad170-7792-4731-bb38-c0d22fbe4515:fb9417a0-aded-4799-9a6e-ed4cf70bc4f8Didrik Rokhaug<p>Hi, and sorry for the wait.</p> <p>Here is the reply I got from the NCS team:</p> <p><em>I don&#39;t agree with the customer argumentation regarding `load_credentials`. When this function is called by the LWM2M engine, the socket that the bootstrap procedure was run on is already closed, so there is no active DTLS session.</em></p> <p><em>From what I&#39;ve seen in the LWM2M implementation, the LWM2M engine will store the DTLS credentials received in the object instance stored in RAM (during the bootstrap procedure). As already pointed out, we should not try to store the credentials in the modem at this point (we can register `post_write_cb` callback), as it will break the bootstrapping procedure. I see two ways how we could tackle this problem:</em></p> <ol> <li><em>When the bootstrap server finishes the bootstrap procedure, we get `LWM2M_RD_CLIENT_EVENT_BOOTSTRAP_TRANSFER_COMPLETE` event in the application. At this point, the connection with the bootstrap server is done, and we have not started the connection with the actual LWM2M server. It should be safe to put the link down at this point, read the credentials from the security object and store them in the modem,</em></li> <li><em>Implement and register a custom `load_credentials` function as suggested, which is called just before a new socket is created. It will be called after the bootstrap procedure, and before the actual LWM2M server registration. It could be used to store the credentials in the modem as well.</em></li> </ol> <p><em>Of course, I cannot guarantee that there is no not-yet-discovered bug in the LWM2M implementation as unfortunately, even the upstream sample does not show how to combine DTLS + bootstrapping.</em></p> <p>Best regards,</p> <p>Didrik</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/230797?ContentTypeID=1Fri, 24 Jan 2020 09:01:15 GMT137ad170-7792-4731-bb38-c0d22fbe4515:9910ef9c-7f4e-4a23-8376-97930068d76cDidrik Rokhaug<p>Hi.</p> <p>I have asked the NCS team if they know of any way around the LwM2M client&#39;s limitations.</p> <p>I&#39;ll come back to you when I get a reply.</p> <p>Best regards,</p> <p>Didrik</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/230516?ContentTypeID=1Thu, 23 Jan 2020 09:20:39 GMT137ad170-7792-4731-bb38-c0d22fbe4515:0b323058-8883-4e75-9c5d-06c297dcb3d5Bjorn191023<p>Hi Didrik,</p> [quote userid="81181" url="~/f/nordic-q-a/56295/nrf9160-lwm2m-sample-app-cannot-update-dtls-keys-dynamically/230422"]&nbsp;I have not used the LwM2M client a lot, but can you not write a function that disconnects, write the PSK and connect, then provide a pointer to that function in the load_credentials field in the lwm2m_ctx struct?[/quote] <p>To my understanding it is not possible. If I disconnect on low level then the DTLS session will be invalidated, meaning that we need to reconnect to &quot;coaps://&lt;url&gt;:&lt;port&gt;&quot;. The only way to that with the LwM2M client is to &quot;restart&quot;. Doing what you propose would require a change of the LwM2M client API&nbsp;.</p> [quote userid="81181" url="~/f/nordic-q-a/56295/nrf9160-lwm2m-sample-app-cannot-update-dtls-keys-dynamically/230422"]This is because of timing restrictions in the modem. As a certificate can be quite large, it is not guaranteed that the modem is able to write it to flash (which takes time) while simultaneously upholding the timing demands of the cellular network.[/quote] <p>Ok, I know that problem :-) so the reason is understood. However, I have a proposal. The bootstrap server use cases gives a session key by design. A session key is volatile while the modem only stores non-volatile keys. I propose to add the possibility to store volatile keys in the modem. This would support the LwM2M boostrap server use case out of the box.&nbsp;</p> <p>BR / Bj&ouml;rn</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/230422?ContentTypeID=1Wed, 22 Jan 2020 16:33:39 GMT137ad170-7792-4731-bb38-c0d22fbe4515:3ede84f1-edaf-4be4-9d52-230b4391941cDidrik Rokhaug[quote user="Bjorn191023"]Regarding your implementation advice: it is not possible to disconnect, store key and connect again due to the way the LwM2M client is working in your platform. When I reconnect the&nbsp;<span>LwM2M client&nbsp;will always go to the bootstrap server meaning I can get a new key...so I am stuck in an infinite loop.</span>[/quote] <p>&nbsp;I have not used the LwM2M client a lot, but can you not write a function that disconnects, write the PSK and connect, then provide a pointer to that function in the load_credentials field in the lwm2m_ctx struct?</p> <p>&nbsp;</p> <p>[quote user="Bjorn191023"][/quote]</p> <p><span>1) Why is it not possible to change keys when connected? Security?</span></p> <p><span>2) Do you have any plans to open for key change when connected?</span></p> <p></p> <p>&nbsp;This is because of timing restrictions in the modem. As a certificate can be quite large, it is not guaranteed that the modem is able to write it to flash (which takes time) while simultaneously upholding the timing demands of the cellular network.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/230282?ContentTypeID=1Wed, 22 Jan 2020 09:50:05 GMT137ad170-7792-4731-bb38-c0d22fbe4515:be92ff6b-2b29-4283-bb1d-7511e72d561aBjorn191023<p>Hi Didrik,</p> <p>Thanks for your response. I have been at a biz trip so I have not been able to respond.</p> <p>Regarding your implementation advice: it is not possible to disconnect, store key and connect again due to the way the LwM2M client is working in your platform. When I reconnect the&nbsp;<span>LwM2M client&nbsp;will always go to the bootstrap server meaning I can get a new key...so I am stuck in an infinite loop. To fix this I need to patch your&nbsp;LwM2M client&nbsp;which I want to avoid.</span></p> <p><span>Questions:</span></p> <p><span>1) Why is it not possible to change keys when connected? Security?</span></p> <p><span>2) Do you have any plans to open for key change when connected?</span></p> <p><span>BR / Bj&ouml;rn</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/228302?ContentTypeID=1Thu, 09 Jan 2020 09:31:58 GMT137ad170-7792-4731-bb38-c0d22fbe4515:d2bd8b9a-fa78-492e-ad18-3630a5e3ded5Didrik Rokhaug<p>Hi.</p> <p>&nbsp;</p> [quote user=""]The IP stack is offloaded in the sample app (CONFIG_NET_SOCKETS_OFFLOAD=y), meaning it is deployed on the modem to my understanding!?[/quote] <p>&nbsp;That is correct.</p> <p>&nbsp;</p> [quote user=""]How do you envision that the bootstrap server scenario shall be implemented?[/quote] <p>&nbsp;You would have to disconnect from the network after receiving the keys, store them, and then reconnect to the network.</p> <p>That is the only way I can think&nbsp; of at the moment.</p> <p>Best regards,</p> <p>Didrik</p><div style="clear:both;"></div>