• State Verified Answer
  • Replies 37 replies
  • Subscribers 76 subscribers
  • Views 7237 views
  • Users 0 members are here
Attachments (7) Download All
Nordic Case Info
  • Case ID: 299891
Options

nRF9160, SLM Firmware behaves incorrectly after activating Native TLS (critical problems)

Stas Jis

Hi, 
We managed to build and flash SLM (SDK 2.1.2) with Native TLS.
To be able to download about 5Kb of data at one time (from AWS broker).


But not everything works fine, we have several critical problems with this build:
1) First, We can't check certificates, the same we did it before.

Previously, I used commands like this (321, is our internal secure tag):
- AT%CMNG=1,321,0 (For check exists the CA certificate);
- AT%CMNG=1,321,1 (For check exists the Client certificate);
- AT%CMNG=1,321,2  (For check exists the Private Key);

But after moving to Native TLC, and generating the new certificates (via commands like the AT#XCMNG=0,321,0...), We see other certificates by AT%CMNG=1 command:
%CMNG: 3210,0,"AD6FB002E6B34C0559FA8F93A3794FF12C4E3F119BD77290C52525123FB9EA74"
%CMNG: 3211,0,"EA89F71E2A945D88A7A71C3C35D2F3BA5466B0ACEC750270134F511FB0CB4143"
%CMNG: 3212,0,"EB569D288E10B1D9D5B1BD45642AD4B8D063E0C48584A6C3A7A700987D671B68"

Can I use them to verify the CA, Client and private key?
- AT%CMNG=1,3210,0 (For CA);
- AT%CMNG=1,3211,0 (For Client);
- AT%CMNG=1,3212,0 (For check exist the Private Key).

2) Second: We lost access to nRF Cloud.

All commands for working with CMNG had to be changed (was AT%CMNG became AT#XCMNG), and it helped for access to AWS broker, but not to nRF Cloud.
Our previous certificates don't work more (with Native TLS).
I tried to reinstall them using the #XCMNG AT command, but that didn't work.
AT commands and answers look fine.
Maybe this is due to the generation and installation of a private key, we use:
AT%KEYGEN=16842753,2,0\r\n


But after using the
AT%KEYGEN=16842753,2,0\r\n, followed by saving the CA/Client certificates, we have the next results (every install certificate command returned OK):
[7/12 17:55:04:025] %CMNG: 16842753,2,"7494C435C484599577AB9B04E85DD594C5B5C9676750CA6DA17284E99A93B9C7"
[7/12 17:55:04:025] %CMNG: 168427530,0,"AD6FB002E6B34C0559FA8F93A3794FF12C4E3F119BD77290C52525123FB9EA74"
[7/12 17:55:04:025] %CMNG: 168427531,0,"D12494EF17B635B10A7511A513CB37B3101D58008ADE0D4BAA381D85A63DA675"

But if we tried to connect to nRF Cloud nothing happened.
We didn't have some ERROR or Event about the nRF Cloud connection.
We received the OK after about 900ms and CSCON: 0 after 6 seconds.
What are we doing wrong with nRF Cloud access now? Is it still because of the  AT%KEYGEN=16842753,2,0  AT command?

3) Third: Something happening with MQTT Disconnect:
After AT#XMQTTCON=0 we received a weird answer (\r\n) and nRF Reset.


AT#XMQTTCON=0
 Ready



Parents
  • 0

    Hello, 

    Sorry for the delayed answer here. I am looking into the issue on my side. Will get back to you within tomorrow. 

    Kind regards,
    Øyvind

  • 0 in reply to Øyvind

    Hello, I've had some issues with my application not allowing to connect to AWS. Trying to find the solution to this first. 

    1) First, We can't check certificates, the same we did it before.

    No, the XCMNG command does not support the list or read functionality. 

    2) Second: We lost access to nRF Cloud.

    What do you get when trying to connect to nRF Cloud? Make sure to disable CONFIG_NRF_CLOUD_CLIENT_ID_SRC_INTERNAL_UUID in prj.conf, i.e. setting 

    CONFIG_NRF_CLOUD_CLIENT_ID_SRC_INTERNAL_UUID=n. 
    3) Third: Something happening with MQTT Disconnect:
    You did not receive #XMQTTEVT: 1,0 ?
    Kind regards,
    Øyvind
  • 0 in reply to Øyvind

    Hi ,
    I apologize for wait. We have tested your solution.
    We modified everything as specified in the file native_tls_mqtt_aws_unload.diff.
    And we see that the connection/disconnection process with the broker works correctly, without any problems.

    But we still cannot get the TF-M logs (from UART1) when we using nRF9160DK.

    We included all definitions in prj.conf, except for one (CONFIG_TFM_LOG_LEVEL_SILENCE=n) the project did not build with it (we work with SDK 2.1.2):

    CONFIG_NRF_MODEM_LIB_TRACE=n
    CONFIG_TFM_SECURE_UART1=y
    #CONFIG_TFM_LOG_LEVEL_SILENCE=n
    CONFIG_TFM_SPM_LOG_LEVEL_DEBUG=y
    CONFIG_TFM_EXCEPTION_INFO_DUMP=y
    CONFIG_THREAD_NAME=y
    CONFIG_THREAD_ANALYZER=y
    CONFIG_TFM_HALT_ON_CORE_PANIC=y

    And if we test the connection / disconnection process with a broker via LTE Link Monitor (COM31).
    And in parallel polling another terminal (COM27), we didn't see anything.
    Not a bit of logs.

    I have attached our prj.conf, maybe something is wrong?

    CONFIG_LOG=y
CONFIG_LOG_DEFAULT_LEVEL=3
CONFIG_STACK_SENTINEL=y
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_FLOAT_PRINTF=y
CONFIG_RING_BUFFER=y

# Segger RTT
CONFIG_USE_SEGGER_RTT=y
CONFIG_RTT_CONSOLE=y
CONFIG_UART_CONSOLE=n
CONFIG_LOG_BACKEND_RTT=y
CONFIG_LOG_BACKEND_UART=n

# Network
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_NATIVE=n

# Modem library
CONFIG_NRF_MODEM_LIB=y
# Align the max FD entry to NRF_MODEM_MAX_SOCKET_COUNT(8)
CONFIG_POSIX_MAX_FDS=8
# Enable below for modem trace
CONFIG_NRF_MODEM_LIB_TRACE=n
CONFIG_TFM_SECURE_UART1=y
#CONFIG_TFM_LOG_LEVEL_SILENCE=n
# Handle modem fault
CONFIG_NRF_MODEM_LIB_ON_FAULT_APPLICATION_SPECIFIC=y

# Use GPIO
CONFIG_GPIO=y
CONFIG_GPIO_NRFX=y

# UART interface
CONFIG_SERIAL=y
CONFIG_UART_ASYNC_API=y
CONFIG_NRFX_TIMER2=y

# Stacks and heaps
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_HEAP_MEM_POOL_SIZE=16384
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096

# Device power management
CONFIG_PM_DEVICE=y

# FOTA
CONFIG_HTTP_PARSER_URL=y
CONFIG_FOTA_DOWNLOAD=y
CONFIG_FOTA_DOWNLOAD_PROGRESS_EVT=y
CONFIG_DFU_TARGET=y
CONFIG_DOWNLOAD_CLIENT=y
CONFIG_DOWNLOAD_CLIENT_STACK_SIZE=4096
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_IMG_MANAGER=y

# FLASH
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_MPU_ALLOW_FLASH_WRITE=y
CONFIG_IMG_ERASE_PROGRESSIVELY=y

# Settings
CONFIG_SETTINGS=y
CONFIG_SETTINGS_FCB=y
CONFIG_FCB=y

# nRF Cloud
#CONFIG_NRF_CLOUD_IPV6=y
CONFIG_NRF_CLOUD_MQTT=y
CONFIG_NRF_CLOUD_FOTA=n
CONFIG_NRF_CLOUD_AGPS=y
CONFIG_NRF_CLOUD_AGPS_FILTERED=n
CONFIG_NRF_CLOUD_PGPS=y
CONFIG_NRF_CLOUD_CELL_POS=y
CONFIG_NRF_CLOUD_LOG_LEVEL_INF=y
CONFIG_NRF_CLOUD_GPS_LOG_LEVEL_INF=y
CONFIG_DATE_TIME=y
CONFIG_MODEM_INFO=y
CONFIG_MODEM_INFO_ADD_DATE_TIME=n
CONFIG_AT_MONITOR=y
CONFIG_MODEM_JWT=y
CONFIG_NRF_CLOUD_CLIENT_ID_SRC_INTERNAL_UUID=y

#
# SLM-specific configurations
#
CONFIG_SLM_CUSTOMIZED=n
CONFIG_SLM_LOG_LEVEL_INF=y
CONFIG_SLM_EXTERNAL_XTAL=n
CONFIG_SLM_START_SLEEP=n
#CONFIG_SLM_DATAMODE_URC=y

# nRF Cloud based location services
CONFIG_SLM_AGPS=y
CONFIG_SLM_PGPS=y
CONFIG_SLM_CELL_POS=y
CONFIG_SLM_LOG_LEVEL_DBG=y
CONFIG_NRF_CLOUD_LOG_LEVEL_DBG=y
CONFIG_MQTT_CLEAN_SESSION=y

CONFIG_TFM_SPM_LOG_LEVEL_DEBUG=y
CONFIG_TFM_EXCEPTION_INFO_DUMP=y
CONFIG_THREAD_NAME=y
CONFIG_THREAD_ANALYZER=y
CONFIG_TFM_HALT_ON_CORE_PANIC=y

CONFIG_TFM_CRYPTO_PARTITION_STACK_SIZE=0x2500


  • 0 in reply to Stas Jis

    Hi Stas, 

    Just to confirm after our meeting yesterday. The work-around works for you, and the reset issue we saw earlier is gone. This means that there is no use for the TF-M logs.

    As mentioned, please test the solution thoroughly and let us know if there are any further issues with the native TLS solution.

    Kind regards,
    Øyvind

  • 0 in reply to Stas Jis

    Hi Stas,

    Can you share with me what you did to get the certs working for AWS... i've got the link receiving 4k of data from mosquito test server (encrypted) but i cannot get it to work with aws, or when authenticating with mosquito. 

    I've also set CONFIG_TFM_CRYPTO_PARTITION_STACK_SIZE=0x2500

    any advise would me much appreciated

    thanks

    Trent

Reply Children
No Data
Related
Terms of service