forked from nrfconnect/sdk-nrf
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
samples: nrf9160: Add AWS IoT provisioning sample
Signed-off-by: Simen S. Røstad <simen.rostad@nordicsemi.no>
- Loading branch information
1 parent
59c887b
commit 1f698ad
Showing
13 changed files
with
541 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| # | ||
| # Copyright (c) 2020 Nordic Semiconductor | ||
| # | ||
| # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause | ||
| # | ||
|
|
||
| cmake_minimum_required(VERSION 3.20.0) | ||
|
|
||
| find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) | ||
| project(aws_iot_provisioning) | ||
|
|
||
| # NORDIC SDK APP START | ||
| target_sources(app PRIVATE src/main.c) | ||
| # NORDIC SDK APP END | ||
|
|
||
| zephyr_include_directories(src) | ||
|
|
||
| # Make folder containing certificates global so that it can be located by | ||
| # the AWS IoT library. | ||
| zephyr_include_directories_ifdef(CONFIG_AWS_IOT_PROVISION_CERTIFICATES certs) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # | ||
| # Copyright (c) 2020 Nordic Semiconductor ASA | ||
| # | ||
| # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause | ||
| # | ||
|
|
||
| menu "Zephyr Kernel" | ||
| source "Kconfig.zephyr" | ||
| endmenu | ||
|
|
||
| module = AWS_IOT_PROVISION | ||
| module-str = AWS IoT provision | ||
| source "${ZEPHYR_BASE}/subsys/logging/Kconfig.template.log_config" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| # AWS IoT provisioning | ||
|
|
||
| PoC sample that connects to AWS IoT, requests credentials, and performs run-time provisioning of the nRF9160 modem. | ||
| After provisioning, the sample connects to AWS IoT using the new credentials. | ||
|
|
||
| This sample depends on https://github.com/coderbyheart/aws-iot-device-credentials-workaround | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| 1. Load credentials into the security tag set by `CONFIG_AWS_IOT_SEC_TAG`. | ||
| 2. Configure the client ID by setting `CONFIG_AWS_IOT_CLIENT_ID_STATIC`. | ||
| 3. Configure the broker hostname by setting `CONFIG_AWS_IOT_BROKER_HOST_NAME`. | ||
|
|
||
| These configurations can be set in `samples/nrf9160/aws_iot_provisioning/prj.conf`. | ||
|
|
||
| ## Operation | ||
|
|
||
| The sample performs the following operational chain: | ||
|
|
||
| 1. Connects to LTE | ||
| 2. Connects to AWS IoT using the provisioning credentials loaded in the sec tag set by `CONFIG_AWS_IOT_SEC_TAG` | ||
| 3. Subscribes to `certificate/${deviceId}/create/accepted/+` (+ = Wild card token) | ||
| 4. Requests new credentials by sending an empty message to `certificate/${deviceId}/create` | ||
| 5. Receives new private key on topic `certificate/${deviceId}/create/accepted/key` | ||
| 6. Receives new client certificate on topic `certificate/${deviceId}/create/accepted/cert` | ||
| 7. Disconnects from AWS IoT | ||
| 8. Puts modem into offline mode. | ||
| 9. Writes private key, client certificate, and CA to security tag 50. (CA is needed and is hardcoded in the sample) | ||
| 10. Clears subscriptions | ||
| 11. Puts modem into normal mode (connects to LTE) | ||
| 12. Connect to AWS IoT with the new credentials referenced to by security tag 50. | ||
|
|
||
| ## Native TLS (MbedTLS) on the application core | ||
|
|
||
| Native TLS can be enabled by including `overlay-native_tls.conf` in the west build command. | ||
| Example: `west build -b thingy91_nrf9160_ns -- -DOVERLAY_CONFIG=overlay-native_tls.conf` | ||
|
|
||
| Note that in order to use Native TLS, the provisioning credentials needs to be loaded into the MbedTLS stack at run time. | ||
| This happens automatically when including the overlay file. The credentials are loaded into the security tag set by `CONFIG_AWS_IOT_SEC_TAG`. | ||
| The AWS IoT library will take the credentials located under `samples/nrf9160/aws_iot_provisioning/certs` (`ca-cert.pem`, `client-cert.pem`, and `private-key.pem`), and | ||
| provision them to the security tag set by `CONFIG_AWS_IOT_SEC_TAG`. | ||
|
|
||
| During testing the device was able to receive a 4.5Kb test payload. | ||
|
|
||
| > **Warning** | ||
| > Handling of credentials received in one big message on topic `$aws/certificates/create/payload-format/accepted` has not been implemented. | ||
| > Meaning that the device will be able to receive large payloads but will not perform provisioning and reconnection to AWS IoT. | ||
| > Only handling for the workaround that does not depend on MbedTLS has. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| "-----BEGIN CERTIFICATE-----\n" | ||
| "-----END CERTIFICATE-----\n" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| "-----BEGIN CERTIFICATE-----\n" | ||
| "-----END CERTIFICATE-----\n" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| "-----BEGIN RSA PRIVATE KEY-----\n" | ||
| "-----END RSA PRIVATE KEY-----\n" |
52 changes: 52 additions & 0 deletions
52
samples/nrf9160/aws_iot_provisioning/overlay-native_tls.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| # TLS configuration | ||
| CONFIG_MODEM_KEY_MGMT=y | ||
| CONFIG_NORDIC_SECURITY_BACKEND=y | ||
| CONFIG_NET_SOCKETS_SOCKOPT_TLS=y | ||
| CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2 | ||
| CONFIG_NET_SOCKETS_TLS_SET_MAX_FRAGMENT_LENGTH=y | ||
| CONFIG_POSIX_MAX_FDS=10 | ||
| # Enable Socket Logging for debug | ||
| CONFIG_NET_LOG=y | ||
| CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y | ||
| CONFIG_MBEDTLS=y | ||
| CONFIG_MBEDTLS_TLS_LIBRARY=y | ||
| CONFIG_MBEDTLS_ENABLE_HEAP=y | ||
| CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y | ||
| CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y | ||
| CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=5120 | ||
| CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=4096 | ||
| CONFIG_MBEDTLS_HEAP_SIZE=120000 | ||
| CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y | ||
| #Cipher Suite disable | ||
| CONFIG_MBEDTLS_CTR_DRBG_C=n | ||
| CONFIG_MBEDTLS_CHACHA20_C=n | ||
| CONFIG_MBEDTLS_POLY1305_C=n | ||
| CONFIG_MBEDTLS_SHA1_C=n | ||
| CONFIG_MBEDTLS_DHM_C=n | ||
| CONFIG_MBEDTLS_CMAC_C=n | ||
| CONFIG_MBEDTLS_CIPHER_MODE_CTR=n | ||
| CONFIG_MBEDTLS_CIPHER_MODE_CFB=n | ||
| CONFIG_MBEDTLS_CIPHER_MODE_OFB=n | ||
| CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=n | ||
| CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=n | ||
| #Cipher Suite enable | ||
| CONFIG_MBEDTLS_CIPHER=y | ||
| CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y | ||
| CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y | ||
| CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y | ||
| CONFIG_PSA_WANT_ECC_SECP_R1_256=y | ||
| CONFIG_PSA_WANT_ALG_ECDH=y | ||
| CONFIG_PSA_WANT_ALG_ECDSA=y | ||
| CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y | ||
| CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y | ||
| CONFIG_MBEDTLS_ECP_C=y | ||
| CONFIG_MBEDTLS_SHA512_C=y | ||
| CONFIG_MBEDTLS_ECDH_C=y | ||
| CONFIG_MBEDTLS_SSL_SRV_C=y | ||
| CONFIG_MBEDTLS_AES_C=y | ||
| CONFIG_MBEDTLS_CCM_C=y | ||
| CONFIG_MBEDTLS_PKCS1_V15=y | ||
| CONFIG_MBEDTLS_ECDSA_C=y | ||
| CONFIG_MBEDTLS_GCM_C=y | ||
| CONFIG_MBEDTLS_SHA256_C=y | ||
| CONFIG_MBEDTLS_X509_LIBRARY=y |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # | ||
| # Copyright (c) 2020 Nordic Semiconductor ASA | ||
| # | ||
| # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause | ||
| # | ||
| # General config | ||
| CONFIG_NCS_SAMPLES_DEFAULTS=y | ||
|
|
||
| # NEWLIB C | ||
| CONFIG_NEWLIB_LIBC=y | ||
| CONFIG_NEWLIB_LIBC_FLOAT_PRINTF=y | ||
|
|
||
| # Network | ||
| CONFIG_NETWORKING=y | ||
| CONFIG_NET_NATIVE=n | ||
|
|
||
| # LTE link control | ||
| CONFIG_LTE_LINK_CONTROL=y | ||
| CONFIG_LTE_NETWORK_MODE_LTE_M=y | ||
| CONFIG_LTE_AUTO_INIT_AND_CONNECT=y | ||
|
|
||
| # Heaps and stacks | ||
| CONFIG_MAIN_STACK_SIZE=8096 | ||
|
|
||
| # Modem library | ||
| CONFIG_NRF_MODEM_LIB=y | ||
|
|
||
| # AWS IoT library | ||
| CONFIG_AWS_IOT=y | ||
| CONFIG_AWS_IOT_LOG_LEVEL_DBG=y | ||
| CONFIG_AWS_IOT_CLIENT_ID_STATIC="client-id" | ||
| CONFIG_AWS_IOT_BROKER_HOST_NAME="hostname" | ||
| # Security tag used for connection to fleet provisioning service | ||
| CONFIG_AWS_IOT_SEC_TAG=43 | ||
| CONFIG_AWS_IOT_APP_SUBSCRIPTION_LIST_COUNT=1 | ||
| CONFIG_AWS_FOTA=n | ||
| CONFIG_AWS_IOT_AUTO_DEVICE_SHADOW_REQUEST=n | ||
| # Increased AWS IoT payload buffer to be able to receive large payloads when using native TLS. | ||
| CONFIG_AWS_IOT_MQTT_PAYLOAD_BUFFER_LEN=8096 | ||
|
|
||
| # MQTT - Maximum MQTT keepalive timeout specified by AWS IoT Core | ||
| CONFIG_MQTT_KEEPALIVE=1200 | ||
| CONFIG_MQTT_CLEAN_SESSION=y | ||
|
|
||
| # Modem key management - Used to run-time provision the modem. | ||
| CONFIG_MODEM_KEY_MGMT=y | ||
|
|
||
| CONFIG_NRF_MODEM_LIB_TRACE=y | ||
|
|
||
|
|
||
| # AT Host | ||
| CONFIG_UART_INTERRUPT_DRIVEN=y | ||
| CONFIG_AT_HOST_LIBRARY=y |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| sample: | ||
| name: AWS IoT sample | ||
| tests: | ||
| sample.nrf9160.aws_iot: | ||
| build_only: true | ||
| integration_platforms: | ||
| - nrf9160dk_nrf9160_ns | ||
| - thingy91_nrf9160_ns | ||
| platform_allow: nrf9160dk_nrf9160_ns thingy91_nrf9160_ns | ||
| tags: ci_build |
Oops, something went wrong.