https://devzone.nordicsemi.com/f/nordic-q-a/58817/nrf9160-lwm2m-with-mbedtlsHello, basically I want my nRF9160 DK to establish a secure connection with DTLS by using mbedtls . What I&#39;m trying to do I&#39;m currently working with the LwM2M sample project for the nRF9160. With the CONFIG_LWM2M_DTLS_SUPPORT enabled, I&#39;ve establisheden-USTelligent Community 13Fri, 13 Mar 2020 12:13:58 GMThttps://devzone.nordicsemi.com/thread/239715?ContentTypeID=1Fri, 13 Mar 2020 12:13:58 GMT137ad170-7792-4731-bb38-c0d22fbe4515:8842185b-b630-47e7-a46d-2b481f5435a5Didrik Rokhaug<p>I got an answer from one of our developers to my questions. Note that this is mostly speculation as we have not done much (if any) testing of this:</p> <p style="padding-left:30px;"><em>None of our current chips has tamper-proof physical memory AFIK meaning our chips can be decapped and read with the right amount of motivation. TLS keys stored in the modem can theoretically be read out this way.</em></p> <p>While we (again, as far as me and the SDK developer that answered knows) do not have tamper-proof physical memory, the keys are stored in the modem, and the application is not allowed to read them back. So unless you are afraid of people physically accessing the flash, it is not possible to access the keys. The relevant AT commands for this are %XPMNG, %CMNG, and %XPRODDONE. In the future, %XSUDO will also be relevant.</p> <p style="padding-left:30px;"><em>To me, it sounds like what they want is just to use is the&nbsp;RAW&nbsp;socket type which you can build your own TLS instance ontop of with libraries like mbedTLS or your own implementation. Be warned that I have no experience in actually doing this but it&#39;s at least what I got from reading the documentation and heard from sprint reviews is that you should be able to put your own TLS ontop of RAW sockets. <br /></em></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/239110?ContentTypeID=1Tue, 10 Mar 2020 13:02:53 GMT137ad170-7792-4731-bb38-c0d22fbe4515:0c07e3a3-76e7-47a5-b565-a2e88a5e2e01Fabian Frei<p>Hello Didrik</p> <p>Thank you for your response. I&#39;m currently having a look at&nbsp;the bsdlib implementation according to your input.&nbsp;</p> <p>In the end, we want to outsource security features such as key storage to a secure element (which offers physically tamper-proof memory).</p> <p>We have already done that in other projects by using mbedtls and setting up a bunch of corresponding software hooks. So, make the nRF9160 use the zephyr sockets with mbedtls instead of offloading the sockets seems like the most &quot;straight forward&quot; approach. Of course I&#39;m open for any other reasonable approach.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/239020?ContentTypeID=1Tue, 10 Mar 2020 09:28:50 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b18d6dba-c1e1-4997-92ec-3cafec1f2f7fDidrik Rokhaug<p>I am still working on getting you a proper answer.</p> <p>However, I am wondering why you do not want to use socket offloading?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/238830?ContentTypeID=1Mon, 09 Mar 2020 13:27:57 GMT137ad170-7792-4731-bb38-c0d22fbe4515:549f5605-2e75-4b5a-8621-e32b3a07d071Didrik Rokhaug<p>Hi.</p> <p>While I have to do some more investigation before I can answer your questions, I can comment on the error you are seeing.</p> <p>In bsdlib (the socket interface to the modem), we define a couple of extra socket types for GPS and AT commands. When you disable socket offloading, these new socket types no longer &quot;exist&quot;.</p> <p>You can change this by modifying the at_cmd library to use nrf_sockets instead of &quot;normal&quot; socket. It should not be more than changing all the socket related calls the corresponding nrf_socket call (which should be as simple as adding &quot;nrf_&quot; in front of the call), and including nrf_socket.h instead of net/socket.h.</p> <p>I&#39;ll come back to you when I know more about how to not offload the sockets.</p> <p>Best regards,</p> <p>Didrik</p><div style="clear:both;"></div>