wifi: enterprise: Add support for runtime certificates #87656
@MaochenWang1 I have not done any AP mode testing on this as nRF70 doesn't support AP + Enterprise mode; it would be good if NXP can do some tests.
Sure, will review, test and give feedback.
FYI, I am seeing issues even with build-time certs; debugging now, will push fixes soon.
I have resolved the compliance issues except for the below: I tried to get checkpatch to ignore it using
Tested end-to-end, it is working fine.
Using the TLS credentials library, add support for run-time certificates, where the installed certs are retrieved from the credential store (as of now only the volatile backend is tested). This helps in production environments. Implements zephyrproject-rtos#79564. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
The volatile backend stores the credentials on the heap, so explicitly add a config option that can be overridden in case there are more certs than the default. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Instead of having an overlay, move the Enterprise configurations to a dedicated snippet so that they can be enabled with any sample. Can be used along with the Wi-Fi snippet, e.g., `-S "wifi-ipv4;wifi-enterprise"`. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Enable the TLS credentials shell to manage Wi-Fi enterprise certs. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Deletion of a credential should use the pointer from the reference slot, not the temporary buffer; using the temporary buffer causes a crash (unknown error). Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Certificate usage depends on STA/AP mode, but we don't have that information at build time, so make all certs optional, and if a file isn't found then generate an empty header so that the corresponding C code will still build. Any missing mandatory certificates will be detected by validation before connection, and the connection is failed. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
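The build-time/run-time split described in that commit message, as an added illustration that is not the PR's own CMake or script. It generates one `.inc` byte-array file per expected certificate (empty when the PEM is absent, so the C array still compiles) and then performs the mode-dependent mandatory check that the commit defers to connection time. The certificate file names, the `.inc` format, and which certificates are mandatory for STA versus AP mode are assumptions made for this example; the sample directory contents are constructed placeholders, not real certificates.

```python
"""
Illustration of the build-time / run-time certificate split.

Added example, not the PR's own code. File names, the .inc format and the
STA/AP mandatory sets below are assumptions for the sake of the example.
"""
import os
import tempfile

# Assumed certificate file names (the test_certs layout is not shown on the page).
CERT_FILES = ("ca.pem", "client.pem", "client-key.pem", "server.pem", "server-key.pem")

# Assumed mandatory sets: an EAP-TLS supplicant (STA) must present a client
# certificate and key and verify the server against a CA; an EAP authenticator
# (AP) must present a server certificate and key signed by a CA the clients trust.
MANDATORY = {
    "sta": frozenset({"ca.pem", "client.pem", "client-key.pem"}),
    "ap": frozenset({"ca.pem", "server.pem", "server-key.pem"}),
}


def pem_to_inc(pem_bytes: bytes) -> str:
    """Render file bytes as a comma-separated hex list for a C array initializer.

    An absent file yields an empty string, so the array is declared with no
    contents and the C code still builds (the point made in the commit message).
    """
    return ", ".join(f"0x{b:02x}" for b in pem_bytes)


def generate_inc_files(cert_dir: str, out_dir: str) -> dict:
    """Write <name>.inc for every expected cert; empty when the PEM is absent.

    Returns {name: bytes_read} so the caller can see which certs were present.
    """
    os.makedirs(out_dir, exist_ok=True)
    sizes = {}
    for name in CERT_FILES:
        src = os.path.join(cert_dir, name)
        data = b""
        if os.path.isfile(src):
            with open(src, "rb") as f:
                data = f.read()
        with open(os.path.join(out_dir, name + ".inc"), "w") as f:
            f.write(pem_to_inc(data))
        sizes[name] = len(data)
    return sizes


def missing_mandatory(mode: str, sizes: dict) -> set:
    """Return the mandatory certs that are absent (size 0) for the given mode.

    This mirrors the run-time check: the mode is only known when the connect
    or AP-enable command is issued, so the build cannot fail early and the
    connection has to be refused here instead.
    """
    if mode not in MANDATORY:
        raise ValueError(f"unknown mode {mode!r}")
    return {name for name in MANDATORY[mode] if sizes.get(name, 0) == 0}


def demo() -> dict:
    """Constructed scenario: only the STA-side certs exist; evaluate both modes."""
    with tempfile.TemporaryDirectory() as certs, tempfile.TemporaryDirectory() as out:
        # Constructed placeholder contents; real PEM files would go here.
        for name in ("ca.pem", "client.pem", "client-key.pem"):
            with open(os.path.join(certs, name), "wb") as f:
                f.write(b"-----BEGIN PLACEHOLDER-----\n" + name.encode() + b"\n")
        sizes = generate_inc_files(certs, out)
        inc_sizes = {n: os.path.getsize(os.path.join(out, n + ".inc")) for n in CERT_FILES}
    return {
        "present": {n for n, s in sizes.items() if s},
        "empty_inc": {n for n, s in inc_sizes.items() if s == 0},
        "sta_missing": missing_mandatory("sta", sizes),
        "ap_missing": missing_mandatory("ap", sizes),
    }


if __name__ == "__main__":
    print(demo())
```

With only the STA-side files present, `demo()` reports empty `.inc` files for the server certificate and key, no missing certificates for STA mode, and both server files missing for AP mode, which is exactly the case where the build succeeds but the AP-enable path must refuse to start.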
Need to fix a build error, and also add a test case to catch build errors and convert the script from shell to Python for cross-platform support.
RSA3K-based certs are not supported on all platforms, so keep both variants, rsa2k (the older certs, but with a longer expiry of 9999 days) and rsa3k (the latest ones), and we can have more variants in these folders. Also, add a CMake variable to override the path, with the default being rsa3k. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
The command should work with existing certs rather than a generic example; also fix the key management. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
For enterprise mode we need to install multiple certs to the TLS credentials store, so add a helper script in Python to make it work cross-platform. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
This is needed to ensure the run-time certs feature builds. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Build system changes OK
Quoted from the helper script under review:

    def check_requirements():
        try:
            installed_version = version('nrfcloud-utils')
Why is a generic wifi sample pulling in nrf cloud stuff? This sounds wrong.
Though it's named nrfcloud, it does work with non-nRF boards too; I have tested with an STM32 Nucleo board. The reason for using the nrfcloud util is that it already supports TLS credential shell based device access. In the future we can write up a standalone tool as part of the Zephyr repo itself.
Quoted from the sample documentation under review:

To facilitate installation of the certificates, a helper script is provided in the ``samples/net/wifi/test_certs`` directory. The script can be used to install the certificates at runtime.

.. code-block:: bash

   $ west build -p -b <board> samples/net/wifi -- -DEXTRA_CONF_FILE=overlay-enterprise-variable-bufs.conf
   $ samples/net/wifi/test_certs/install_certs.py -p samples/net/wifi/test_certs/rsa2k

The script will install the certificates in the ``rsa2k`` directory into the TLS credentials store on the device over UART, using the TLS credentials shell commands.
So are all devices supporting the AT commands this tool seems to be using?
This doesn't use AT commands, but the TLS credentials shell (part of Zephyr).
Quoted from the sample documentation under review:

Compile time certificates
-------------------------

Test certificates in PEM format are committed to the repo at :zephyr_file:`samples/net/wifi/test_certs` and during the
Really not a fan of the proliferation of binary certificates in-tree. Can't we just have instructions on what steps people should take to generate them? It seems to me that this would be much more useful, too.
Sure, but for quick testing it's useful to have golden certs that just work. Else any mistakes in cert generation are tough to debug.
Implements #79564
The certificate installation is handled by a helper script which simplifies the installation process, but even without that PR the cred shell can be used manually, though it's cumbersome.