ZDS 2023
PROVISIONING NRF9160 FEATHER
I TOOK THE RED PILL
ZEPHYR LIVE SESSIONS
YOUTUBE.COM/C/CIRCUITDOJO

PROVISIONING DEVICES
- Make it easy to set up and deploy
- Make them secure
- Make them easy to maintain
- Save time!

PROVISIONING DEVICES
- Focus on generating and provisioning device certificates
- Touch on device specific configuration as well
- Open source tools that make the job easier
- Caveats and important security implications
- Will not be hitting on JITP (just-in-time provisioning)

GENERATING CERTIFICATES
- There are a few ways to do this:
  - If you're using AWS IoT you can generate certs on the AWS console
  - You can also do it the old fashioned way using the openssl or easy-rsa CLI
  - Pyrinas CLI will also sign and load certs directly

GENERATING CERTIFICATES
```sh
# Init and CA
easyrsa init-pki
easyrsa build-ca

# Server
easyrsa gen-req mosquitto nopass
easyrsa sign-req server mosquitto

# Client
easyrsa gen-req nrf9160 nopass batch
easyrsa sign-req client test batch
```

GENERATING CERTIFICATES
- The Pyrinas CLI uses:
  - rcgen crate for cert gen
  - serialport crate for writing to UART/USB
- It will:
  - Keep all certs organized per device
  - Generate server and CA certificates
  - Facilitate loading certs over console shell

GENERATING CERTIFICATES
```
~/.pyrinas $ tree -L 3
.
├── certs
│   ├── 352656102712240
│   ├── 5d7d961e4c114c8d
│   ├── ca
│   └── server
└── config.toml
```

STORING CERTIFICATES
- Unique identifier
  - For the nRF9160 the IMEI is the unique identifier
  - For anything else: MAC address (Ethernet, WiFi or BLE) or the nRF Device ID in OTP FICR
  - Immutable and random enough to be unique for all devices in the fleet

GENERATING CERTIFICATES
- nRF Cloud
  - Easy API that generates certificates for easy provisioning on nRF91 devices
  - Every nRF9160 Feather has a set of nRF Cloud certs written to it
  - Written via the CMNG AT command (%CMNG)

GENERATING CERTIFICATES
- Important caveats!
  - Make sure that your device and server are capable of using the type of cert generated (RSA vs EC)
  - Keep the device with the private keys secure and air gapped (if possible)
  - Ideally use something that is open source and audited

STORING CERTIFICATES
Requirements for Pyrinas CLI (Kconfig):
```
CONFIG_CONSOLE=y
CONFIG_HWINFO=y
CONFIG_SETTINGS=y
CONFIG_SHELL=y
CONFIG_SHELL_WILDCARD=n
CONFIG_PYRINAS=y
CONFIG_PYRINAS_AT_SHELL=y
CONFIG_PYRINAS_CREDENTIALS_SHELL=y
```

STORING CERTIFICATES
- There are 3 ways to store certificates:
  - In a secure certificate store like the one on the nRF91 or nRF53
  - In the filesystem (on or off chip)
  - Secure element (limited support in Zephyr)

STORING CERTIFICATES
- For nRF9160
  - Uses the CMNG AT commands to modify the secure key store
  - Using a custom AT shell implementation (see pyrinas/lib/shell/at_shell.c)

STORING CERTIFICATES
- For other devices you need to use the settings subsystem
  - The der flag for the Pyrinas CLI writes to the settings subsystem
- Downsides:
  - Stored in clear text with easy access

LOADING CERTIFICATES
```c
/* Get CA, cert and pk */
for (int i = TLS_CREDENTIAL_CA_CERTIFICATE; i <= TLS_CREDENTIAL_PRIVATE_KEY; i++) {
	/* cloud_credentials[] is zero-based while the credential types start at 1 */
	err = load_credential(CONFIG_PYRINAS_CLOUD_SEC_TAG, i,
			      cloud_credentials[i - 1], sizeof(cloud_credentials[i - 1]));
	if (err) {
		LOG_WRN("Unable to load.");
	}
}
```

LOADING CERTIFICATES
Using the settings subsystem:
```c
#include <zephyr/logging/log.h>
#include <zephyr/net/tls_credentials.h>
#include <zephyr/settings/settings.h>

static int load_credential(int tag, enum tls_credential_type type,
			   uint8_t *buf, size_t buf_len)
{
	int err;
	struct pyrinas_cloud_settings_params params = {0};
	char name[64] = {0};

	/* Settings key is pyrinas/cred/<sec tag>/<credential type> */
	snprintf(name, sizeof(name), "pyrinas/cred/%i/%i", tag, type);
	LOG_INF("Getting %s", log_strdup(name));

	/* First get data from disk. */
	err = settings_load_subtree_direct(name, settings_read_callback, &params);
	if (err < 0 || !params.found) {
		LOG_INF("%s not found", log_strdup(name));
		return -EINVAL;
	} else {
		LOG_DBG("%s found", log_strdup(name));
	}

	/* Then add the credential(s) */
	err = tls_credential_add(tag, type, buf, params.len);
	if (err) {
		return err;
	}

	return 0;
}
```

USING THEM!
```c
struct mqtt_sec_config *tls_config = &client->transport.tls.config;

client->transport.type = MQTT_TRANSPORT_SECURE;

tls_config->peer_verify = CONFIG_PYRINAS_CLOUD_PEER_VERIFY;
tls_config->cipher_count = 0;
tls_config->cipher_list = NULL;
tls_config->sec_tag_count = ARRAY_SIZE(sec_tag_list);
tls_config->sec_tag_list = sec_tag_list;
tls_config->hostname = init->hostname;
#if defined(CONFIG_NRF_MODEM)
tls_config->session_cache = TLS_SESSION_CACHE_DISABLED;
#endif
```

USING THEM!
```c
int golioth_set_proto_coap_dtls(struct golioth_client *client,
				sec_tag_t *sec_tag_list, size_t sec_tag_count)
{
	if (!sec_tag_list || !sec_tag_count) {
		return -EINVAL;
	}

	client->proto = IPPROTO_DTLS_1_2;
	client->tls.sec_tag_list = sec_tag_list;
	client->tls.sec_tag_count = sec_tag_count;

	return 0;
}
```
- Security tag(s) are provided as a list
- Provided to the (D)TLS configuration
- Then the connection and handshake are handled by the underlying transport / (D)TLS implementation

DEVICE CONFIGURATION
- Many ways to approach this!
- Our process:
  - Encode (JSON/CBOR)
  - Use the settings subsystem to store
  - Recall
  - Decode and apply

DEVICE CONFIGURATION
```c
/* Config */
static struct app_config config = APP_CONFIG_DEFAULT();
```

DEVICE CONFIGURATION
```c
#define APP_CONFIG_DEFAULT()                         \
	{                                            \
		.gps = APP_CONFIG_GPS_DEFAULT(),         \
		.general = APP_CONFIG_GENERAL_DEFAULT(), \
	}
```

DEVICE CONFIGURATION
```c
/* Get configuration */
uint8_t temp_buf[256] = {0};
struct app_config temp_config = APP_CONFIG_DEFAULT();
/* ret is the number of encoded bytes read back (negative on error) */
int ret = app_storage_get_settings("config", temp_buf, sizeof(temp_buf));

/* Decode config and place into memory */
ret = decode_app_config(&temp_config, temp_buf, ret);

/* Compare and apply */
compare_and_apply_config(&config, &temp_config, true);
```
- When read out of the settings subsystem:
  - We set sane defaults
  - Config is decoded
  - If the config is missing values, they're covered by the defaults
  - Robust even though the structure changes

DEVICE CONFIGURATION
- Configurations can be written/updated:
  - Cloud (MQTT subscription / CoAP observe)
  - BLE (custom characteristic for handling config)
  - Over CLI shell using the settings shell module
- Non-configured devices are gated

DEMO

SUMMARY
- Tons of resources out there on cert generation
- Open source tools out there to inspire you
- Once loaded, lots of the hard stuff is abstracted away
- Device configuration can be handled similarly

Links:
- Easy RSA: https:/
- by Smallstep: https:/
- generation of PSK. Upload of SSL certificates: https:/
- Golioth: https://golioth.io/
- nRF Cloud: https:/
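Worked example of the decode-with-defaults and compare-and-apply flow from the DEVICE CONFIGURATION slides, added here and not code from the talk or from Pyrinas: the config fields, their default values and the byte-level record format (a constructed tag-length-value layout standing in for the JSON/CBOR the slides use) are all assumptions. It shows why a stored record that lacks a field, or carries a field this firmware does not know, still yields a complete configuration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical config layout: field names and default values are assumptions. */
struct app_config {
    struct { uint32_t interval_s; bool enabled; } gps;
    struct { uint32_t report_interval_s; } general;
};
#define APP_CONFIG_GPS_DEFAULT()     { .interval_s = 300, .enabled = true }
#define APP_CONFIG_GENERAL_DEFAULT() { .report_interval_s = 900 }
#define APP_CONFIG_DEFAULT() { .gps = APP_CONFIG_GPS_DEFAULT(), .general = APP_CONFIG_GENERAL_DEFAULT() }

/* Constructed record format standing in for JSON/CBOR: [key:1][len:1][value:len] items, little-endian ints. */
enum { KEY_GPS_INTERVAL = 1, KEY_GPS_ENABLED = 2, KEY_REPORT_INTERVAL = 3 };

static uint32_t le_u32(const uint8_t *p, size_t len)
{
    uint32_t v = 0;
    for (size_t i = 0; i < len && i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Overwrite only the fields present in buf; unknown keys are skipped, so a record from older or
 * newer firmware still decodes and untouched fields keep the caller's defaults. -1 = truncated. */
int decode_app_config(struct app_config *cfg, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 2 <= len;) {
        uint8_t key = buf[i], vlen = buf[i + 1];
        const uint8_t *val = buf + i + 2;
        if (i + 2 + vlen > len) return -1;           /* never read past the buffer */
        switch (key) {
        case KEY_GPS_INTERVAL:    cfg->gps.interval_s = le_u32(val, vlen); break;
        case KEY_GPS_ENABLED:     cfg->gps.enabled = vlen > 0 && val[0] != 0; break;
        case KEY_REPORT_INTERVAL: cfg->general.report_interval_s = le_u32(val, vlen); break;
        default: break;                               /* key this firmware does not know: ignore it */
        }
        i += 2 + vlen;
    }
    return 0;
}

/* Copy over only the fields that differ; the count tells the caller whether a subsystem must restart. */
int compare_and_apply_config(struct app_config *cur, const struct app_config *next)
{
    int changed = 0;
    if (cur->gps.interval_s != next->gps.interval_s) { cur->gps.interval_s = next->gps.interval_s; changed++; }
    if (cur->gps.enabled != next->gps.enabled) { cur->gps.enabled = next->gps.enabled; changed++; }
    if (cur->general.report_interval_s != next->general.report_interval_s) { cur->general.report_interval_s = next->general.report_interval_s; changed++; }
    return changed;
}
```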