https://devzone.nordicsemi.com/f/nordic-q-a/75215/mesh-security-materials-generation-is-it-possible-to-generate-mesh-security-materials-by-usersHello Nordic Experts, I almost finished the development for my mesh project with nRF52840. But I faced some t ricky issues when in mass production. that is the time for provisioning is too long. my purpose is below: the devices can be communicateden-USTelligent Community 13Sun, 23 May 2021 15:49:06 GMThttps://devzone.nordicsemi.com/thread/311186?ContentTypeID=1Sun, 23 May 2021 15:49:06 GMT137ad170-7792-4731-bb38-c0d22fbe4515:8583e5fb-2642-484f-b876-eaae021d527fxiaolongba<p>Hi <a href="https://devzone.nordicsemi.com/members/mttrinh">Mttrinh</a></p> <p>My comments as below:</p> [quote userid="15475" url="~/f/nordic-q-a/75215/mesh-security-materials-generation-is-it-possible-to-generate-mesh-security-materials-by-users/311126#311126"]e don&#39;t have any PC tools for that. Our developer don&#39;t think it is possible&nbsp;to pre-flash security materials as there are flash headers that need to be stored as well. They also need to be dumped, otherwise stack won&#39;t be able to restore configuration.[/quote] <p>OK, Got it.</p> [quote userid="15475" url="~/f/nordic-q-a/75215/mesh-security-materials-generation-is-it-possible-to-generate-mesh-security-materials-by-users/311126#311126"]The mesh specification doesn&#39;t allow pre-flashing configuration. This may lead to security vulnerabilities. E.g. DevKey generated during provisioning and can&#39;t be changed until device is reset and re-provisioned.[/quote] <p>Yes, I got it. But I don&#39;t think this a security vulnerability as this approach is only used in mass production and it just speeded up the process of provisioning, In other words, these material security materials are stored into the flash in advance and bypass the process of provisioning. Such as these security materials can be obtained from a customer&#39;s server, and others is impossible to get unless the information in the server is&nbsp;disclosed</p> [quote userid="15475" url="~/f/nordic-q-a/75215/mesh-security-materials-generation-is-it-possible-to-generate-mesh-security-materials-by-users/311126#311126"]Thus, with pre-flashed configuration, the devices will anyway need to be reprovisioned for the security reasons.[/quote] <p>why? I cannot get your point, as I said above, these mesh security materials are stored into the internal flash in mass production. they can communicate with each other after power on if the customer purchased these products from the store.&nbsp;</p> [quote userid="15475" url="~/f/nordic-q-a/75215/mesh-security-materials-generation-is-it-possible-to-generate-mesh-security-materials-by-users/311126#311126"]If you still wants to do this, there is mesh_stack_provisioning_data_store() function that is called when device is provisioned. The customer may use it to pre-configure device. It can use provisioner example to see how provisioner preconfigures itself.[/quote] <p>OK, let me check and feedback to you soon.</p> <p></p> <p>Anyway, many thanks for your detailed replies.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/311126?ContentTypeID=1Fri, 21 May 2021 16:41:44 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f09fa0a0-08e7-48d8-a2ee-026ef982893aMttrinh<p>Hi,</p> <p>We don&#39;t have any PC tools for that. Our developer don&#39;t think it is possible&nbsp;to pre-flash security materials as there are flash headers that need to be stored as well. They also need to be dumped, otherwise stack won&#39;t be able to restore configuration.</p> <p>The mesh specification doesn&#39;t allow pre-flashing configuration. This may lead to security vulnerabilities. E.g. DevKey generated during provisioning and can&#39;t be changed until device is reset and re-provisioned. Thus, with pre-flashed configuration, the devices will anyway need to be reprovisioned for the security reasons.</p> <p>If you still wants to do this, there is mesh_stack_provisioning_data_store() function that is called when device is provisioned. The customer may use it to pre-configure device. It can use provisioner example to see how provisioner preconfigures itself.<br /> <br />Regarding flash entries allocations. Here is the order of files stored in flash: <a href="https://github.com/NordicSemiconductor/nRF5-SDK-for-Mesh/blob/master/mesh/core/include/mesh_opt.h#L61-L68">https://github.com/NordicSemiconductor/nRF5-SDK-for-Mesh/blob/master/mesh/core/include/mesh_opt.h#L61-L68</a>&nbsp;and for example these are entries stored in DSM: <a href="https://github.com/NordicSemiconductor/nRF5-SDK-for-Mesh/blob/master/mesh/access/include/mesh_opt_dsm.h#L57-L66">https://github.com/NordicSemiconductor/nRF5-SDK-for-Mesh/blob/master/mesh/access/include/mesh_opt_dsm.h#L57-L66</a>.</p> <p>So, in front of NetKey, customer might see addresses&#39; allocation. MESH_OPT_NET_STATE_FILE_ID holds IV Index and SeqNum and they should be first entries stored in flash. Their order is shown here: <a href="https://github.com/NordicSemiconductor/nRF5-SDK-for-Mesh/blob/master/mesh/core/include/mesh_opt_net_state.h#L56-L59">https://github.com/NordicSemiconductor/nRF5-SDK-for-Mesh/blob/master/mesh/core/include/mesh_opt_net_state.h#L56-L59</a></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/310541?ContentTypeID=1Wed, 19 May 2021 16:09:16 GMT137ad170-7792-4731-bb38-c0d22fbe4515:940da210-a171-4943-b91b-5378f48e1495xiaolongba<p>also, I found the corresponding mesh security materials after calling the function <a href="https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.meshsdk.v5.0.0/group__MESH__STACK.html#gadcc65e154a945f96efabceefd6e4ba70" rel="noopener noreferrer" target="_blank">mesh_stack_persistence_flash_usage()</a><span>&nbsp;</span>, the details as below:</p> <p><img src="https://devzone.nordicsemi.com/resized-image/__size/320x240/__key/communityserver-discussions-components-files/4/pastedimage1621440418529v1.png" alt=" " /></p> <p>the first red highlighted is Netkey, the second one is devkey, the third one is appkey, But I dont know what do the others mean? could you explain to me what are they? and where is the iv index &amp; unicast address etc?</p> <p></p> <p>thanks in advance.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/310539?ContentTypeID=1Wed, 19 May 2021 15:35:04 GMT137ad170-7792-4731-bb38-c0d22fbe4515:16436b1f-b116-4079-86ed-dd8986087674xiaolongba<p>Hi Bro,</p> <p>what do the mesh security materials mean is&nbsp; netkey,appkey,unicast address, iv index, etc. and I would like to generate these parameters with the PC tool and store them into the internal flash through UART, so I don&#39;t need to provision unprovisioned&nbsp;devices one by one at this moment. so they can communicate with each other after power on.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/310534?ContentTypeID=1Wed, 19 May 2021 15:31:06 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ae04a75f-860b-4a71-a171-2dcc00628ae3Mttrinh<p>Hi,&nbsp;</p> <p>I might have mistunderstood your question, by &quot;generating the mesh security materials&quot; do you mean provisioning the device?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/310438?ContentTypeID=1Wed, 19 May 2021 12:32:27 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f22c98d5-53a8-4c1a-9c1d-63d291234aebxiaolongba<p>Hi <a href="https://devzone.nordicsemi.com/members/mttrinh">Mttrinh</a></p> <p>Big thanks for your detailed replies, regarding the ways to generate mesh security materials you mentioned above is not what I expected. Actually, I would like to generate this info with one specified pc tool or lib that can be used for my own pc tool for mass production. Is it possible?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/310411?ContentTypeID=1Wed, 19 May 2021 11:36:00 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f4db1ed1-8864-4323-82a5-2814b6418e40Mttrinh<p>Hi,</p> <p>1. We do have our <a href="https://www.nordicsemi.com/Software-and-tools/Development-Tools/nRF-Mesh/GetStarted" rel="noopener noreferrer" target="_blank">nRF Mesh app for iOS and Android</a>, assuming that you have support for PB-GATT and Proxy feature. The sample app is for development/protoyping purposes targeting developers to make debugging easier, so it is recommeded that you create your own app. The nRF Mesh app is open-source and can be used as a reference. It can be found on our Github, see <a href="https://github.com/NordicSemiconductor/Android-nRF-Mesh-Library" rel="noopener noreferrer" target="_blank">here</a>&nbsp;and <a href="https://github.com/NordicSemiconductor/IOS-nRF-Mesh-Library" rel="noopener noreferrer" target="_blank">here</a>.</p> <p>2. You can use this function <a href="https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.meshsdk.v5.0.0/group__MESH__STACK.html#gadcc65e154a945f96efabceefd6e4ba70" rel="noopener noreferrer" target="_blank">mesh_stack_persistence_flash_usage()</a>&nbsp;to get which&nbsp;<span>flash areas used by the mesh stack to store the provisioning data.</span></p><div style="clear:both;"></div>