• State Not Answered
  • Replies 8 replies
  • Subscribers 73 subscribers
  • Views 1909 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 242179
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

nRF9160 LwM2M sample app: cannot update DTLS keys dynamically

Bjorn191023

Hi,

I have extended the nRF9160 sample app to use Leshan bootstrap server. Using a boostrap server means getting DTLS PSK crypto keys from the bootstrap server. Hence the device must be able to update the keys while connecting. However, it seems this is not supported by the system:

1) The IP stack is offloaded in the sample app (CONFIG_NET_SOCKETS_OFFLOAD=y), meaning it is deployed on the modem to my understanding!?

2) The sample app writes keys at startup (before connecting to the network) thru function nrf_inbuilt_key_write(). The documentation of this function states: "Run this function only when LTE link is inactive. If used during active link, NRF_EACCES will be returned and the key material will not be written."

3) Since it is not possible to write/update keys when connected it is not possible to implement the bootstrap server scenario efficiently!

Please advice regarding the above limitations! How do you envision that the bootstrap server scenario shall be implemented?

I am using the nRF Connect SDK version 1.1.0.

BR / Björn

  • 0 in reply to Didrik Rokhaug

    Hi, and sorry for the wait.

    Here is the reply I got from the NCS team:

    I don't agree with the customer argumentation regarding `load_credentials`. When this function is called by the LWM2M engine, the socket that the bootstrap procedure was run on is already closed, so there is no active DTLS session.

    From what I've seen in the LWM2M implementation, the LWM2M engine will store the DTLS credentials received in the object instance stored in RAM (during the bootstrap procedure). As already pointed out, we should not try to store the credentials in the modem at this point (we can register `post_write_cb` callback), as it will break the bootstrapping procedure. I see two ways how we could tackle this problem:

    1. When the bootstrap server finishes the bootstrap procedure, we get `LWM2M_RD_CLIENT_EVENT_BOOTSTRAP_TRANSFER_COMPLETE` event in the application. At this point, the connection with the bootstrap server is done, and we have not started the connection with the actual LWM2M server. It should be safe to put the link down at this point, read the credentials from the security object and store them in the modem,
    2. Implement and register a custom `load_credentials` function as suggested, which is called just before a new socket is created. It will be called after the bootstrap procedure, and before the actual LWM2M server registration. It could be used to store the credentials in the modem as well.

    Of course, I cannot guarantee that there is no not-yet-discovered bug in the LWM2M implementation as unfortunately, even the upstream sample does not show how to combine DTLS + bootstrapping.

    Best regards,

    Didrik

  • 0 in reply to Didrik Rokhaug

    Thanks a lot Didrik,

    I will review the proposed solution again, I might have misunderstood the dynamics of the LwM2M client. I get back to you.

    BR / Björn

  • 0 in reply to Bjorn191023

    Let me know what you find out. It is valuable feedback to our developers.

Related
Terms of service