
Accessing PSK key using modem_key_mgmt library

In our application we want to connect to our server using LWM2M to exchange some data. To make the connection secure, a PSK key and identity need to be set in the LwM2M objects:

#define OBJ_SERVER_IDENTITY_ID "0/0/3"
#define OBJ_SECRET_KEY_ID "0/0/5"

I want to use modem_key_mgmt to store:
- PSK in `MODEM_KEY_MGMT_CRED_TYPE_PSK`
- Identity in `MODEM_KEY_MGMT_CRED_TYPE_IDENTITY`

Writing and reading of `MODEM_KEY_MGMT_CRED_TYPE_IDENTITY` works fine.
I'm able to write to `MODEM_KEY_MGMT_CRED_TYPE_PSK`, but whenever I try to get the key I get a -1 error (`-EACCESS`).


How should I access the PSK key using the modem_key_mgmt library?

I'm using:

- sdk-nrf 1.6.0
- nrfxlib 1.6.0
- zephyr v2.6.0-rc1-ncs1

  • Hi,

    As is mentioned in the AT command guide, the application is not allowed to read PSKs out of the modem: https://infocenter.nordicsemi.com/topic/ref_at_commands/REF/at_commands/security/cmng_set.html

    But why do you need to set the PSK in the LwM2M object?

    The server shouldn't get the PSK from the device (especially not over an unsecured link), and the application doesn't need to know it as long as you are using the DTLS stack in the modem.

    Best regards,

    Didrik

  • Hi, thanks for the reply.

    Now I'm a little confused.

    So if I enable `CONFIG_LWM2M_DTLS_SUPPORT`, all I need to do is write the PSK key using `modem_key_mgmt_write`
    and the DTLS stack will take care of the rest?

    In the sample code from sdk-nrf `/samples/nrf9160/lwm2m_client`, in the function `lwm2m_setup`, `lwm2m_init_security()` is called.
    In this function the PSK and endpoint name are written respectively to the "0,0,3" and "0,0,5" objects, so I thought I need to do the same.

    Let me explain our production concept a little more:

    1. During production the device will be provisioned with our LWM2M server address and PSK over the Zephyr shell. The endpoint name is generated based on the modem IMEI.

    2. The PSK is written to `MODEM_KEY_MGMT_CRED_TYPE_PSK` PSK_ID,
       the endpoint name is written to `MODEM_KEY_MGMT_CRED_TYPE_IDENTITY`,
       and the LWM2M server URL will be stored using Zephyr settings.

    3. From now on the device should try to connect using the provided credentials.

    How do I pass these values to lwm2m_client? Because from what I understand, I need to:
    - Write the LWM2M server URL to "0,0,0"
    - Write the PSK to "0,0,3" (can't do that, because of permission errors)
    - Write the endpoint name to "0,0,5"
    - Call `lwm2m_rd_client_start`

    I don't want to use `lwm2m_init_security()` from lwm2m_client_utils since it relies on configs set at compilation time.

    How should I do it?


  • By default, you need to set the PSK so the LwM2M client is able to provision it to the DTLS stack. However, as you have already done that during production, you don't need to write the PSK to "0,0,5".

    Here is the full explanation I got from one of our developers:

    No, this is not mandatory, under certain conditions. The LwM2M library is capable of provisioning the PSK/PSK_ID with the Zephyr native credential management subsystem, but for that you need to set the PSK in the security object; that's what the upstream documentation refers to, as it's the default behavior.
    As an alternative (which we actually use with nRF91), the LwM2M library can skip that part if we provide our own function to provision credentials: https://github.com/nrfconnect/sdk-nrf/blob/main/subsys/net/lib/lwm2m_client_utils/lwm2m/lwm2m_security.c#L53. For our sample the function is empty and we provision PSK/PSK_ID directly from main based on the aforementioned Kconfig value. But it should also be fine to skip the provisioning altogether if the PSK is already available in the modem; just remember to use the correct secure tag.
    If LwM2M bootstrap is used, however, there's no way around the Security object: the bootstrap server will write the credentials in there, and it's the application's responsibility to read them from that object and provision them to the modem. We do that in the sample here.
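As an added example (not Nordic's code and not the nrf SDK API), here is the production flow from this thread modelled in plain C: the PSK and identity are written under the LwM2M security tag and verified with a compare, never a read, because the modem refuses to hand the PSK back (the -1 error the question ran into). The `cred_store` functions are an in-memory stand-in for `modem_key_mgmt_write`/`modem_key_mgmt_cmp` so the block builds without the SDK; the sec tag and the IMEI-style identity are constructed values.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Credential slots, mirroring MODEM_KEY_MGMT_CRED_TYPE_PSK / _IDENTITY. */
enum cred_type { CRED_PSK, CRED_IDENTITY, CRED_COUNT };
/* Constructed sec tag; in the real client it is whatever lwm2m_ctx.tls_tag holds. */
#define LWM2M_SEC_TAG 35724242u

/* Write-only credential store: writes and compares are allowed, reads are not.
 * In-memory stand-in for the modem so the example builds without the nRF SDK. */
struct cred_store { uint32_t tag; char val[CRED_COUNT][64]; size_t len[CRED_COUNT]; };
static int store_write(struct cred_store *s, uint32_t tag, enum cred_type t, const void *buf, size_t len)
{
    if (len == 0 || len > sizeof s->val[t]) return -1;
    s->tag = tag; s->len[t] = len; memcpy(s->val[t], buf, len);
    return 0;
}

/* Same contract as modem_key_mgmt_cmp(): 0 match, 1 mismatch, <0 nothing stored. */
static int store_cmp(const struct cred_store *s, uint32_t tag, enum cred_type t, const void *buf, size_t len)
{
    if (s->tag != tag || s->len[t] == 0) return -2;
    return (s->len[t] == len && memcmp(s->val[t], buf, len) == 0) ? 0 : 1;
}

/* The modem takes the PSK as an ASCII hex string: even length, hex digits only. */
static bool psk_hex_valid(const char *psk)
{
    size_t n = strlen(psk);
    if (n == 0 || n % 2 != 0) return false;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)psk[i])) return false;
    return true;
}

/* Production step: store PSK + identity under the LwM2M sec tag, then verify by
 * compare. Reading the PSK back is refused by the modem, so compare is the check. */
static int provision_lwm2m_psk(struct cred_store *modem, const char *identity, const char *psk_hex)
{
    size_t plen = strlen(psk_hex), ilen = strlen(identity);
    if (ilen == 0 || !psk_hex_valid(psk_hex)) return -1;
    if (store_write(modem, LWM2M_SEC_TAG, CRED_PSK, psk_hex, plen) != 0 ||
        store_write(modem, LWM2M_SEC_TAG, CRED_IDENTITY, identity, ilen) != 0) return -2;
    if (store_cmp(modem, LWM2M_SEC_TAG, CRED_PSK, psk_hex, plen) != 0 ||
        store_cmp(modem, LWM2M_SEC_TAG, CRED_IDENTITY, identity, ilen) != 0) return -3;
    return 0;
}
```

With the real SDK, the same compare-after-write check is the only way to confirm the PSK slot holds what production wrote, and the LwM2M client then only needs the server URL in 0/0/0 and the matching sec tag, not the PSK itself.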