From 2fd3874ba5291180a5ca61d510cbeebc51431d34 Mon Sep 17 00:00:00 2001 From: Sam Friedman Date: Thu, 29 Jun 2023 21:29:08 -0400 Subject: [PATCH] auth: move PSK handling to samples - move system settings into samples - add PSK support to hardcoded_credentials module - remove PSK handling in system_client - update samples to use the same auth for consistency Signed-off-by: Sam Friedman --- .github/workflows/twister_dfu_nrf52840dk.yml | 4 +- .gitlab-ci.yml | 6 +- include/net/golioth/system_client.h | 5 + net/golioth/Kconfig | 25 -- net/golioth/system_client.c | 238 ++++--------------- samples/common/CMakeLists.txt | 1 + samples/common/Kconfig | 27 ++- samples/common/Kconfig.defconfig | 12 +- samples/common/hardcoded_credentials.c | 40 +++- samples/common/runtime_psk.conf | 11 + samples/common/settings_golioth.c | 138 +++++++++++ samples/dfu/README.rst | 95 ++++++-- samples/dfu/sample.yaml | 3 - samples/hello/README.rst | 68 +++++- samples/hello/sample.yaml | 3 + samples/hello/src/main.c | 7 - samples/hello_sporadic/README.rst | 77 +++++- samples/lightdb/delete/README.rst | 77 +++++- samples/lightdb/get/README.rst | 77 +++++- samples/lightdb/observe/README.rst | 77 +++++- samples/lightdb/set/README.rst | 77 +++++- samples/lightdb_led/README.rst | 77 +++++- samples/lightdb_stream/README.rst | 77 +++++- samples/logging/README.rst | 77 +++++- samples/settings/README.rst | 104 ++++++-- samples/settings/boards/qemu_x86.conf | 3 - samples/settings/prj.conf | 11 - samples/test/prj.conf | 5 + tests/lightdb/Kconfig | 8 +- tests/lightdb/README.rst | 4 +- 30 files changed, 1090 insertions(+), 344 deletions(-) create mode 100644 samples/common/runtime_psk.conf create mode 100644 samples/common/settings_golioth.c diff --git a/.github/workflows/twister_dfu_nrf52840dk.yml b/.github/workflows/twister_dfu_nrf52840dk.yml index 440c181c..4993cbde 100644 --- a/.github/workflows/twister_dfu_nrf52840dk.yml +++ b/.github/workflows/twister_dfu_nrf52840dk.yml 
@@ -44,8 +44,8 @@ jobs: # For item 5, the file needs to have contents like (use base64 encoding): # # export GOLIOTH_SYSTEM_SERVER_HOST=coap.golioth.dev - # export GOLIOTH_SYSTEM_CLIENT_PSK_ID=device_psk_id@ci - # export GOLIOTH_SYSTEM_CLIENT_PSK=device_psk + # export GOLIOTH_SAMPLE_HARDCODED_PSK_ID=device_psk_id@ci + # export GOLIOTH_SAMPLE_HARDCODED_PSK=device_psk # export GOLIOTH_SAMPLE_WIFI_SSID=golioth-runner-xxx # export GOLIOTH_SAMPLE_WIFI_PSK=password_for_wifi # export GOLIOTH_DEVICE_NAME=nrf52840dk diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 38c172e0..80447d64 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -118,14 +118,14 @@ pre-commit: # - GOLIOTH_SYSTEM_SERVER_HOST: used to setup 'golioth' Python script (in this job script) and by device firmware # - GOLIOTH_SYSTEM_SERVER_API_PORT: used to setup 'golioth' Python script (in this job script) # -# - GOLIOTH_SYSTEM_CLIENT_PSK_ID: used by device firmware -# - GOLIOTH_SYSTEM_CLIENT_PSK: used by device firmware +# - GOLIOTH_SAMPLE_HARDCODED_PSK_ID: used by device firmware +# - GOLIOTH_SAMPLE_HARDCODED_PSK: used by device firmware # # It is also assumed that a self-hosted goliothd is used and there is no authentication required by # 'golioth' Python script at api URL http://${GOLIOTH_SYSTEM_SERVER_HOST}:${GOLIOTH_SYSTEM_SERVER_API_PORT}. # # Project with id ${GOLIOTH_PROJECT_ID} needs to exist and device with ${GOLIOTH_DEVICE_NAME} name -# needs to be provisioned with ${GOLIOTH_SYSTEM_CLIENT_PSK_ID} and ${GOLIOTH_SYSTEM_CLIENT_PSK} as +# needs to be provisioned with ${GOLIOTH_SAMPLE_HARDCODED_PSK_ID} and ${GOLIOTH_SAMPLE_HARDCODED_PSK} as # DTLS credentials. # twister-qemu-goliothd: diff --git a/include/net/golioth/system_client.h b/include/net/golioth/system_client.h index 6808f043..c397fac5 100644 --- a/include/net/golioth/system_client.h +++ b/include/net/golioth/system_client.h 
@@ -27,6 +27,11 @@ void golioth_system_client_start(void); */ void golioth_system_client_stop(void); +/** + * @brief Restart Golioth system client + */ +void golioth_system_client_request_reconnect(void); + /** * @brief Get pointer to Golioth system client instance */ diff --git a/net/golioth/Kconfig b/net/golioth/Kconfig index c0ddef10..dbf15752 100644 --- a/net/golioth/Kconfig +++ b/net/golioth/Kconfig @@ -242,22 +242,6 @@ config GOLIOTH_SYSTEM_SERVER_PORT help Defines port number of Golioth server. -if GOLIOTH_AUTH_METHOD_PSK - -config GOLIOTH_SYSTEM_CLIENT_PSK_ID - string "PSK ID" - depends on !GOLIOTH_SYSTEM_SETTINGS - help - Defines PSK ID used during DTLS handshake with Golioth server. - -config GOLIOTH_SYSTEM_CLIENT_PSK - string "PSK" - depends on !GOLIOTH_SYSTEM_SETTINGS - help - Defines PSK used during DTLS handshake with Golioth server. - -endif # GOLIOTH_AUTH_METHOD_PSK - if GOLIOTH_AUTH_METHOD_CERT config GOLIOTH_SYSTEM_CLIENT_CA_PATH @@ -303,15 +287,6 @@ config GOLIOTH_SYSTEM_CLIENT_RX_BUF_SIZE Size of receive buffer, which is used for reading data from network socket. -config GOLIOTH_SYSTEM_SETTINGS - bool "Load credentials from persistent settings" - default y - depends on GOLIOTH_AUTH_METHOD_PSK - depends on SETTINGS - help - When selected, Golioth credentials will be loaded from settings - subsystem. - endif # GOLIOTH_SYSTEM_CLIENT endif # GOLIOTH diff --git a/net/golioth/system_client.c b/net/golioth/system_client.c index cdf61729..ec9a8532 100644 --- a/net/golioth/system_client.c +++ b/net/golioth/system_client.c 
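Review bot: The Doxygen comment on the new `golioth_system_client_request_reconnect()` says "Restart Golioth system client", but the implementation added later in this patch only sets the `FLAG_RECONNECT` bit and signals the eventfd, so the call is a non-blocking request that the client thread acts on later, and repeated calls while a reconnect is pending are coalesced by `atomic_test_and_set_bit()`. Since this is now public API the header should say that, e.g. `@brief Request a reconnect of the Golioth system client` followed by `Non-blocking; the reconnect is performed asynchronously by the client thread and repeated requests are coalesced until it runs.` It is also worth stating that this is the call to make after replacing TLS credentials at runtime so that the new credentials take effect, which is how the new settings handler in this patch uses it.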
@@ -14,27 +14,13 @@ LOG_MODULE_REGISTER(golioth_system, CONFIG_GOLIOTH_SYSTEM_CLIENT_LOG_LEVEL); #include #include #include -#include #include +#include #define RX_BUFFER_SIZE CONFIG_GOLIOTH_SYSTEM_CLIENT_RX_BUF_SIZE -#ifdef CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID -#define TLS_PSK_ID CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID -#else -#define TLS_PSK_ID "" -#endif - -#ifdef CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK -#define TLS_PSK CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK -#else -#define TLS_PSK "" -#endif - #ifdef CONFIG_MBEDTLS_PSK_MAX_LEN #define PSK_MAX_LEN CONFIG_MBEDTLS_PSK_MAX_LEN -BUILD_ASSERT(sizeof(TLS_PSK) - 1 <= CONFIG_MBEDTLS_PSK_MAX_LEN, - "PSK exceeds mbedTLS configured maximum PSK length"); #else /* * Support NCS mirror of Zephyr, which does not have CONFIG_MBEDTLS_PSK_MAX_LEN @@ -43,18 +29,14 @@ BUILD_ASSERT(sizeof(TLS_PSK) - 1 <= CONFIG_MBEDTLS_PSK_MAX_LEN, #define PSK_MAX_LEN 64 #endif +#define PSK_ID_MAX_LEN 64 + static const uint8_t tls_ca_crt[] = { #if defined(CONFIG_GOLIOTH_SYSTEM_CLIENT_CA_PATH) #include "golioth-systemclient-ca.inc" #endif }; -#if defined(CONFIG_GOLIOTH_SYSTEM_SETTINGS) -static void golioth_settings_check_credentials(void); -#else -static inline void golioth_settings_check_credentials(void) {} -#endif - #define PING_INTERVAL (CONFIG_GOLIOTH_SYSTEM_CLIENT_PING_INTERVAL_SEC * 1000) #define RECV_TIMEOUT (CONFIG_GOLIOTH_SYSTEM_CLIENT_RX_TIMEOUT_SEC * 1000) @@ -82,13 +64,6 @@ enum { static atomic_t flags; -static inline void client_request_reconnect(void) -{ - if (!atomic_test_and_set_bit(&flags, FLAG_RECONNECT)) { - eventfd_write(fds[POLLFD_EVENT].fd, 1); - } -} - static inline void client_notify_timeout(void) { eventfd_write(fds[POLLFD_EVENT].fd, 1); 
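Review bot: `#define PSK_ID_MAX_LEN 64` is introduced here, and the same constant together with the whole `PSK_MAX_LEN` fallback block is duplicated verbatim in the new `samples/common/settings_golioth.c`. The two copies must stay in agreement: `golioth_check_psk_credentials()` reads the PSK-ID into a buffer sized by this value, so a PSK-ID that fits the settings-side buffer but not this one would make the read fail and the client would refuse to start, with only "Could not read PSK-ID" in the log. Consider exporting both limits from `include/net/golioth/system_client.h` (under a name such as `GOLIOTH_PSK_ID_MAX_LEN`) so the sample uses the library's definition instead of its own copy. The removed `BUILD_ASSERT` on the hardcoded PSK length moves to `hardcoded_credentials.c`, so no check is lost there.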
@@ -127,19 +102,45 @@ static bool golioth_psk_is_valid(const uint8_t *psk, size_t psk_len) return (psk_len > 0); } -static int golioth_check_psk_credentials(const uint8_t *psk_id, size_t psk_id_len, - const char *psk, size_t psk_len) +static int golioth_check_psk_credentials(void) { int err = 0; + uint8_t credential[MAX(PSK_MAX_LEN, PSK_ID_MAX_LEN)]; + size_t cred_len = PSK_ID_MAX_LEN; - if (!golioth_psk_id_is_valid(psk_id, psk_id_len)) { + err = tls_credential_get(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, + TLS_CREDENTIAL_PSK_ID, + credential, &cred_len); + if (err < 0) { + LOG_WRN("Could not read PSK-ID: %d", err); + goto finish; + } + + if (!golioth_psk_id_is_valid(credential, cred_len)) { LOG_WRN("Configured PSK-ID is invalid"); err = -EINVAL; + goto finish; } - if (!golioth_psk_is_valid(psk, psk_len)) { + cred_len = PSK_MAX_LEN; + err = tls_credential_get(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, + TLS_CREDENTIAL_PSK, + credential, &cred_len); + if (err < 0) { + LOG_WRN("Could not read PSK: %d", err); + goto finish; + } + + if (!golioth_psk_is_valid(credential, cred_len)) { LOG_WRN("Configured PSK is invalid"); err = -EINVAL; + goto finish; + } + +finish: + /* Assume credentials are valid if we can't access them */ + if (err == -EACCES) { + err = 0; } return err; 
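Review bot: `credential` is a stack buffer that holds the PSK in clear after the second `tls_credential_get()`, and the function returns without clearing it, so the key material lingers on the calling thread's stack. Wiping it at the `finish:` label, e.g. `memset(credential, 0, sizeof(credential));` (or `mbedtls_platform_zeroize()` if it is available in this build, since a plain memset on a dead buffer may be optimized away), limits that exposure. Separately, mapping `-EACCES` to success at `finish:` means that on a credential backend that refuses reads neither the PSK-ID nor the PSK is validated here and the client starts regardless; the comment should spell that trade-off out, e.g. `/* Backend does not allow reading credentials back: skip validation and let the DTLS handshake report bad credentials */`.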
@@ -171,37 +172,6 @@ static int golioth_check_cert_credentials(void) return err; } -static int init_tls_auth_psk(void) -{ - int err; - - err = golioth_check_psk_credentials(TLS_PSK_ID, sizeof(TLS_PSK_ID) - 1, - TLS_PSK, sizeof(TLS_PSK) - 1); - if (err) { - return err; - } - - err = tls_credential_add(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, - TLS_CREDENTIAL_PSK, - TLS_PSK, - sizeof(TLS_PSK) - 1); - if (err < 0) { - LOG_ERR("Failed to register PSK: %d", err); - return err; - } - - err = tls_credential_add(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, - TLS_CREDENTIAL_PSK_ID, - TLS_PSK_ID, - sizeof(TLS_PSK_ID) - 1); - if (err < 0) { - LOG_ERR("Failed to register PSK ID: %d", err); - return err; - } - - return 0; -} - static int init_tls_auth_cert(void) { int err; @@ -219,9 +189,7 @@ static int init_tls_auth_cert(void) static int init_tls(void) { - if (IS_ENABLED(CONFIG_GOLIOTH_AUTH_METHOD_PSK)) { - return init_tls_auth_psk(); - } else if (IS_ENABLED(CONFIG_GOLIOTH_AUTH_METHOD_CERT)) { + if (IS_ENABLED(CONFIG_GOLIOTH_AUTH_METHOD_CERT)) { return init_tls_auth_cert(); } @@ -277,15 +245,7 @@ static int golioth_system_init(void) return err; } - if (IS_ENABLED(CONFIG_GOLIOTH_SYSTEM_SETTINGS)) { - err = settings_subsys_init(); - if (err) { - LOG_ERR("Failed to initialize settings subsystem: %d", err); - return err; - } - } else { - init_tls(); - } + init_tls(); return 0; } @@ -452,7 +412,7 @@ void golioth_system_client_start(void) { int err = 0; if (IS_ENABLED(CONFIG_GOLIOTH_AUTH_METHOD_PSK)) { - golioth_settings_check_credentials(); + err = golioth_check_psk_credentials(); } else if (IS_ENABLED(CONFIG_GOLIOTH_AUTH_METHOD_CERT)) { err = golioth_check_cert_credentials(); } @@ -460,7 +420,8 @@ void golioth_system_client_start(void) if (err == 0) { k_sem_give(&sys_client_started); } else { - LOG_WRN("Error loading TLS credentials, golioth system client was not started"); + LOG_WRN("Error loading TLS credentials, golioth system client was not started: %d", + err); } } 
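Review bot: In the `golioth_system_init()` hunk the return value of `init_tls()` is still discarded, and now that the call is unconditional the function reports success to the init system even when `init_tls_auth_cert()` returns an error (presumably a failed CA registration, its body is outside the hunk). `err` is already in scope and returned on the other failure paths, so `err = init_tls(); if (err) { LOG_ERR("Failed to initialize TLS: %d", err); return err; }` keeps the failure visible. `golioth_system_init()` starts outside this hunk.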
@@ -474,126 +435,9 @@ void golioth_system_client_stop(void) } } -#if defined(CONFIG_GOLIOTH_SYSTEM_SETTINGS) - -/* - * TLS credentials subsystem just remembers pointers to memory areas where - * credentials are stored. This means that we need to allocate memory for - * credentials ourselves. - */ -static uint8_t golioth_dtls_psk[PSK_MAX_LEN]; -static size_t golioth_dtls_psk_len; -static uint8_t golioth_dtls_psk_id[64]; -static size_t golioth_dtls_psk_id_len; - -static void golioth_settings_check_credentials(void) -{ - golioth_check_psk_credentials(golioth_dtls_psk_id, golioth_dtls_psk_id_len, - golioth_dtls_psk, golioth_dtls_psk_len); -} - -static int golioth_settings_get(const char *name, char *dst, int val_len_max) -{ - uint8_t *val; - size_t val_len; - - if (!strcmp(name, "psk")) { - val = golioth_dtls_psk; - val_len = strlen(golioth_dtls_psk); - } else if (!strcmp(name, "psk-id")) { - val = golioth_dtls_psk_id; - val_len = strlen(golioth_dtls_psk_id); - } else { - LOG_WRN("Unsupported key '%s'", name); - return -ENOENT; - } - - if (val_len > val_len_max) { - LOG_ERR("Not enough space (%zu %d)", val_len, val_len_max); - return -ENOMEM; - } - - memcpy(dst, val, val_len); - - return val_len; -} - -static int golioth_settings_set(const char *name, size_t len_rd, - settings_read_cb read_cb, void *cb_arg) +void golioth_system_client_request_reconnect(void) { - enum tls_credential_type type; - uint8_t *value; - size_t *value_len; - size_t buffer_len; - ssize_t ret; - int err; - - if (!strcmp(name, "psk")) { - type = TLS_CREDENTIAL_PSK; - value = golioth_dtls_psk; - value_len = &golioth_dtls_psk_len; - buffer_len = sizeof(golioth_dtls_psk); - } else if (!strcmp(name, "psk-id")) { - type = TLS_CREDENTIAL_PSK_ID; - value = golioth_dtls_psk_id; - value_len = &golioth_dtls_psk_id_len; - buffer_len = sizeof(golioth_dtls_psk_id); - } else { - LOG_ERR("Unsupported key '%s'", name); - return -ENOTSUP; - } - - if (IS_ENABLED(CONFIG_SETTINGS_RUNTIME)) { - err = 
tls_credential_delete(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, type); - if (err && err != -ENOENT) { - LOG_ERR("Failed to delete cred %s: %d", - name, err); - return err; - } - } - - ret = read_cb(cb_arg, value, buffer_len); - if (ret < 0) { - LOG_ERR("Failed to read value: %d", (int) ret); - return ret; - } - - *value_len = ret; - - LOG_DBG("Name: %s", name); - LOG_HEXDUMP_DBG(value, *value_len, "value"); - - switch (type) { - case TLS_CREDENTIAL_PSK_ID: - if (!golioth_psk_id_is_valid(value, *value_len)) { - LOG_WRN("Configured PSK-ID is invalid"); - return -EINVAL; - } - break; - case TLS_CREDENTIAL_PSK: - if (!golioth_psk_is_valid(value, *value_len)) { - LOG_WRN("Configured PSK is invalid"); - return -EINVAL; - } - break; - default: - break; - } - - err = tls_credential_add(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, type, - value, *value_len); - if (err) { - LOG_ERR("Failed to add cred %s: %d", name, err); - return err; + if (!atomic_test_and_set_bit(&flags, FLAG_RECONNECT)) { + eventfd_write(fds[POLLFD_EVENT].fd, 1); } - - client_request_reconnect(); - - return 0; } - -SETTINGS_STATIC_HANDLER_DEFINE(golioth, "golioth", - IS_ENABLED(CONFIG_SETTINGS_RUNTIME) ? golioth_settings_get : NULL, - golioth_settings_set, NULL, NULL); - -#endif /* defined(CONFIG_GOLIOTH_SYSTEM_SETTINGS) */ diff --git a/samples/common/CMakeLists.txt b/samples/common/CMakeLists.txt index 44767c60..5405530d 100644 --- a/samples/common/CMakeLists.txt +++ b/samples/common/CMakeLists.txt 
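Review bot: `golioth_system_client_request_reconnect()` writes to `fds[POLLFD_EVENT].fd` unconditionally, and making it public means the settings handler in `samples/common/settings_golioth.c` calls it from every `golioth/psk` or `golioth/psk-id` set, including during boot-time settings autoload, which can run before `golioth_system_client_start()`. If the eventfd is only created when the client thread starts (not visible in this hunk, please confirm), that is an `eventfd_write()` on an uninitialized or closed descriptor; checking the started state (the `sys_client_started` semaphore exists for this) or `fds[POLLFD_EVENT].fd >= 0` before writing would avoid it. Either way the function needs a comment stating when it is safe to call, since the `static inline` it replaces could only be reached from inside this file. The removed handler also validated the PSK and PSK-ID before `tls_credential_add()`; that check now happens only at start time, which the commit message should mention.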
@@ -1,6 +1,7 @@ zephyr_library_sources_ifdef(CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS hardcoded_credentials.c) zephyr_library_sources_ifdef(CONFIG_GOLIOTH_SAMPLES_COMMON net_connect.c) zephyr_library_sources_ifdef(CONFIG_GOLIOTH_SAMPLE_NRF91_LTE_MONITOR nrf91_lte_monitor.c) +zephyr_library_sources_ifdef(CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS settings_golioth.c) zephyr_library_sources_ifdef(CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD settings_autoload.c) zephyr_library_sources_ifdef(CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL settings_shell.c) zephyr_library_sources_ifdef(CONFIG_GOLIOTH_SAMPLE_WIFI wifi.c) diff --git a/samples/common/Kconfig b/samples/common/Kconfig index a2cafa5e..5ca3d172 100644 --- a/samples/common/Kconfig +++ b/samples/common/Kconfig @@ -19,6 +19,20 @@ config GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS if GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS +if GOLIOTH_AUTH_METHOD_PSK + +config GOLIOTH_SAMPLE_HARDCODED_PSK_ID + string "PSK ID" + help + Defines PSK ID used during DTLS handshake with Golioth server. + +config GOLIOTH_SAMPLE_HARDCODED_PSK + string "PSK" + help + Defines PSK used during DTLS handshake with Golioth server. + +endif # GOLIOTH_AUTH_METHOD_PSK + if GOLIOTH_AUTH_METHOD_CERT config GOLIOTH_SAMPLE_HARDCODED_CRT_PATH @@ -54,8 +68,18 @@ config GOLIOTH_SAMPLE_NRF91_LTE_MONITOR help LTE Link Control events monitor for nRF91. +config GOLIOTH_SAMPLE_PSK_SETTINGS + bool "Load credentials from persistent settings" + default y if !GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS + depends on GOLIOTH_AUTH_METHOD_PSK + depends on SETTINGS + help + When selected, Golioth credentials will be loaded from settings + subsystem. + config GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD bool "Automatically load settings before main()" + default y if GOLIOTH_SAMPLE_PSK_SETTINGS depends on SETTINGS help Load settings automatically before running main() function. Enable it, 
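Review bot: `GOLIOTH_SAMPLE_PSK_SETTINGS` only defaults off when `GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS` is set; nothing prevents both being enabled, in which case `hardcoded_credentials.c` and `settings_golioth.c` both register `TLS_CREDENTIAL_PSK`/`TLS_CREDENTIAL_PSK_ID` under `CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG` at the same `SYS_INIT` priority, and which credential the device ends up using depends on init order (the settings handler deletes first, the hardcoded one does not and only logs a failed add). Making the two mutually exclusive with `depends on !GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS`, or putting them in a Kconfig `choice`, turns that into a build-time error instead of a silent misconfiguration. The help text could also name the keys the option consumes: `Credentials are written with 'settings set golioth/psk-id' and 'settings set golioth/psk' and persisted by the settings backend.`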
@@ -63,6 +87,7 @@ config GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD config GOLIOTH_SAMPLE_SETTINGS_SHELL bool "Settings shell" + default y if GOLIOTH_SAMPLE_PSK_SETTINGS depends on SHELL depends on SETTINGS depends on !SETTINGS_SHELL @@ -80,7 +105,7 @@ config GOLIOTH_SAMPLE_WIFI config GOLIOTH_SAMPLE_WIFI_SETTINGS bool "Load SSID and PSK from settigs subsystem" - default y if GOLIOTH_SYSTEM_SETTINGS + default n depends on GOLIOTH_SAMPLE_WIFI depends on SETTINGS help diff --git a/samples/common/Kconfig.defconfig b/samples/common/Kconfig.defconfig index 34c5d7c1..7295c738 100644 --- a/samples/common/Kconfig.defconfig +++ b/samples/common/Kconfig.defconfig @@ -89,11 +89,15 @@ config GOLIOTH_SYSTEM_SERVER_HOST if GOLIOTH_AUTH_METHOD_PSK -config GOLIOTH_SYSTEM_CLIENT_PSK_ID - default "$(GOLIOTH_SYSTEM_CLIENT_PSK_ID)" if "$(GOLIOTH_SYSTEM_CLIENT_PSK_ID)" != "" +if GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS + +config GOLIOTH_SAMPLE_HARDCODED_PSK_ID + default "$(GOLIOTH_SAMPLE_HARDCODED_PSK_ID)" if "$(GOLIOTH_SAMPLE_HARDCODED_PSK_ID)" != "" -config GOLIOTH_SYSTEM_CLIENT_PSK - default "$(GOLIOTH_SYSTEM_CLIENT_PSK)" if "$(GOLIOTH_SYSTEM_CLIENT_PSK)" != "" +config GOLIOTH_SAMPLE_HARDCODED_PSK + default "$(GOLIOTH_SAMPLE_HARDCODED_PSK)" if "$(GOLIOTH_SAMPLE_HARDCODED_PSK)" != "" + +endif # GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS endif # GOLIOTH_AUTH_METHOD_PSK diff --git a/samples/common/hardcoded_credentials.c b/samples/common/hardcoded_credentials.c index 144df9b9..2d302253 100644 --- a/samples/common/hardcoded_credentials.c +++ b/samples/common/hardcoded_credentials.c @@ -7,6 +7,7 @@ #include LOG_MODULE_REGISTER(golioth_hardcoded_credentials, LOG_LEVEL_DBG); +#include #include static const uint8_t tls_client_crt[] = { 
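Review bot: `GOLIOTH_SAMPLE_WIFI_SETTINGS` goes from `default y if GOLIOTH_SYSTEM_SETTINGS` to `default n` rather than to the renamed `default y if GOLIOTH_SAMPLE_PSK_SETTINGS`, so boards that previously picked up the Wi-Fi SSID/PSK from settings together with the Golioth PSK now have to enable it explicitly, and the `runtime_psk.conf` overlay added in this patch does not set it either. If that is intended, the commit message or the option's help should say so; otherwise `default y if GOLIOTH_SAMPLE_PSK_SETTINGS` preserves the previous behaviour.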
@@ -21,7 +22,25 @@ static const uint8_t tls_client_key[] = { #endif }; -void hardcoded_credentials_set(void) +#if defined(CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID) +#define HARDCODED_PSK_ID CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID +#else +#define HARDCODED_PSK_ID "" +#endif + +#if defined(CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK) +#define HARDCODED_PSK CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK +#else +#define HARDCODED_PSK "" +#endif + + +#if defined(CONFIG_MBEDTLS_PSK_MAX_LEN) && defined(CONFIG_GOLIOTH_AUTH_METHOD_PSK) +BUILD_ASSERT(sizeof(CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK) - 1 <= CONFIG_MBEDTLS_PSK_MAX_LEN, + "PSK exceeds mbedTLS configured maximum PSK length"); +#endif + +static int hardcoded_credentials_set(void) { if (IS_ENABLED(CONFIG_GOLIOTH_AUTH_METHOD_CERT)) { int err = tls_credential_add(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, @@ -37,5 +56,24 @@ void hardcoded_credentials_set(void) if (err < 0) { LOG_ERR("Failed to register private key: %d", err); } + } else if (IS_ENABLED(CONFIG_GOLIOTH_AUTH_METHOD_PSK)) { + int err = tls_credential_add(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, + TLS_CREDENTIAL_PSK, + HARDCODED_PSK, sizeof(HARDCODED_PSK) - 1); + if (err < 0) { + LOG_ERR("Failed to register PSK: %d", err); + } + + err = tls_credential_add(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, + TLS_CREDENTIAL_PSK_ID, + HARDCODED_PSK_ID, sizeof(HARDCODED_PSK_ID) - 1); + if (err < 0) { + LOG_ERR("Failed to register PSK ID: %d", err); + } + } + + return 0; } + +SYS_INIT(hardcoded_credentials_set, APPLICATION, CONFIG_GOLIOTH_SYSTEM_CLIENT_INIT_PRIORITY); diff --git a/samples/common/runtime_psk.conf b/samples/common/runtime_psk.conf new file mode 100644 index 00000000..a31da63e --- /dev/null +++ b/samples/common/runtime_psk.conf 
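Review bot: `hardcoded_credentials_set()` now returns `int` for `SYS_INIT`, but both PSK `tls_credential_add()` failures (like the certificate ones in the branch above) are only logged and the function always returns 0, so a failed registration is never reported; either return the last non-zero `err` or document the choice with `/* Registration errors are logged only; golioth_system_client_start() validates the credentials before use. */`. The `BUILD_ASSERT` checks `CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK` directly instead of the `HARDCODED_PSK` macro defined just above for that purpose; using the macro keeps the fallback path consistent with the calls below. Since the symbol is no longer the public `void hardcoded_credentials_set(void)`, any sample header that still declares the old prototype should be removed in this change as well (none appears in the diffstat, so this may already be the case).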
@@ -0,0 +1,11 @@ +CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + +CONFIG_FLASH=y +CONFIG_FLASH_MAP=y +CONFIG_NVS=y + +CONFIG_SETTINGS=y +CONFIG_SETTINGS_RUNTIME=y +CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y +CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y +CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y diff --git a/samples/common/settings_golioth.c b/samples/common/settings_golioth.c new file mode 100644 index 00000000..12487f80 --- /dev/null +++ b/samples/common/settings_golioth.c 
@@ -0,0 +1,138 @@ +/* + * Copyright (c) 2023 Golioth, Inc. + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +LOG_MODULE_REGISTER(golioth_sample_settings, CONFIG_GOLIOTH_SYSTEM_CLIENT_LOG_LEVEL); + +#include +#include +#include +#include +#include + +#ifdef CONFIG_MBEDTLS_PSK_MAX_LEN +#define PSK_MAX_LEN CONFIG_MBEDTLS_PSK_MAX_LEN +#else +/* + * Support NCS mirror of Zephyr, which does not have CONFIG_MBEDTLS_PSK_MAX_LEN + * defined yet. + */ +#define PSK_MAX_LEN 64 +#endif + +#define PSK_ID_MAX_LEN 64 + +/* + * TLS credentials subsystem just remembers pointers to memory areas where + * credentials are stored. This means that we need to allocate memory for + * credentials ourselves. + */ +static uint8_t golioth_dtls_psk[PSK_MAX_LEN]; +static size_t golioth_dtls_psk_len; +static uint8_t golioth_dtls_psk_id[PSK_ID_MAX_LEN]; +static size_t golioth_dtls_psk_id_len; + +static int golioth_settings_get(const char *name, char *dst, int val_len_max) +{ + uint8_t *val; + size_t val_len; + + if (!strcmp(name, "psk")) { + val = golioth_dtls_psk; + val_len = strlen(golioth_dtls_psk); + } else if (!strcmp(name, "psk-id")) { + val = golioth_dtls_psk_id; + val_len = strlen(golioth_dtls_psk_id); + } else { + LOG_WRN("Unsupported key '%s'", name); + return -ENOENT; + } + + if (val_len > val_len_max) { + LOG_ERR("Not enough space (%zu %d)", val_len, val_len_max); + return -ENOMEM; + } + + memcpy(dst, val, val_len); + + return val_len; +} + +static int golioth_settings_set(const char *name, size_t len_rd, + settings_read_cb read_cb, void *cb_arg) +{ + enum tls_credential_type type; + uint8_t *value; + size_t *value_len; + size_t buffer_len; + ssize_t ret; + int err; + + if (!strcmp(name, "psk")) { + type = TLS_CREDENTIAL_PSK; + value = golioth_dtls_psk; + value_len = &golioth_dtls_psk_len; + buffer_len = sizeof(golioth_dtls_psk); + } else if (!strcmp(name, "psk-id")) { + type = TLS_CREDENTIAL_PSK_ID; + value = golioth_dtls_psk_id; + value_len = &golioth_dtls_psk_id_len; + 
buffer_len = sizeof(golioth_dtls_psk_id); + } else { + LOG_ERR("Unsupported key '%s'", name); + return -ENOTSUP; + } + + if (IS_ENABLED(CONFIG_SETTINGS_RUNTIME)) { + err = tls_credential_delete(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, type); + if (err && err != -ENOENT) { + LOG_ERR("Failed to delete cred %s: %d", + name, err); + return err; + } + } + + ret = read_cb(cb_arg, value, buffer_len); + if (ret < 0) { + LOG_ERR("Failed to read value: %d", (int) ret); + return ret; + } + + *value_len = ret; + + LOG_DBG("Name: %s", name); + LOG_HEXDUMP_DBG(value, *value_len, "value"); + + err = tls_credential_add(CONFIG_GOLIOTH_SYSTEM_CLIENT_CREDENTIALS_TAG, type, + value, *value_len); + if (err) { + LOG_ERR("Failed to add cred %s: %d", name, err); + return err; + } + + golioth_system_client_request_reconnect(); + + return 0; +} + +static int golioth_settings_init(void) +{ + int err = settings_subsys_init(); + + if (err) { + LOG_ERR("Failed to initialize settings subsystem: %d", err); + return err; + } + + return 0; +} + +SYS_INIT(golioth_settings_init, APPLICATION, + CONFIG_GOLIOTH_SYSTEM_CLIENT_INIT_PRIORITY); + +SETTINGS_STATIC_HANDLER_DEFINE(golioth, "golioth", + IS_ENABLED(CONFIG_SETTINGS_RUNTIME) ? golioth_settings_get : NULL, + golioth_settings_set, NULL, NULL); diff --git a/samples/dfu/README.rst b/samples/dfu/README.rst index f10463ee..0f985ddd 100644 --- a/samples/dfu/README.rst +++ b/samples/dfu/README.rst 
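Review bot: `golioth_settings_get()` measures the value with `strlen()` on `golioth_dtls_psk` / `golioth_dtls_psk_id`, but those arrays are filled by `read_cb()` with up to `sizeof(buffer)` raw bytes and are never NUL-terminated, so a PSK of exactly `PSK_MAX_LEN` bytes makes `strlen()` read past the array. The set handler already records the real lengths, so the get handler should use them: `val_len = golioth_dtls_psk_len;` and `val_len = golioth_dtls_psk_id_len;`. Two further points for a file that handles a long-lived secret: `LOG_HEXDUMP_DBG(value, *value_len, "value")` writes the PSK to the log whenever the module log level is DEBUG, and with `CONFIG_SETTINGS_RUNTIME` the get handler lets `settings get golioth/psk` read the key back over the shell; both are defensible for a sample but should be stated in the file header so the code is not copied into production firmware unchanged. The PSK/PSK-ID validity checks that the old `system_client.c` handler ran before `tls_credential_add()` are not carried over here, so an invalid value is now accepted into settings and only rejected later by `golioth_check_psk_credentials()`.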
@@ -19,23 +19,94 @@ Requirements - Golioth credentials - Network connectivity -nRF9160 DK with nRF Connect SDK -******************************* +Authentication specific configuration +************************************* -Build Zephyr sample application for nRF9160 DK: +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +========================== + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +======================== + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: .. code-block:: console - $ west build -b nrf9160dk_nrf9160_ns samples/dfu - $ west flash + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: -Configure PSK-ID and PSK using the device shell based on your Golioth credentials and reboot: +.. 
code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: .. code-block:: console uart:~$ settings set golioth/psk-id uart:~$ settings set golioth/psk - uart:~$ kernel reboot cold + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +================================== + +Configure the following Kconfig options based on your Golioth credentials: + +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" + +nRF9160 DK with nRF Connect SDK +******************************* + +Build Zephyr sample application for nRF9160 DK: + +.. code-block:: console + + $ west build -b nrf9160dk_nrf9160_ns samples/dfu + $ west flash Now rebuild the application with the new version number 1.2.3 to distinguish it from the old firmware: @@ -149,14 +220,6 @@ shell: uart:~$ settings set wifi/ssid uart:~$ settings set wifi/psk -Configure PSK-ID and PSK using the device shell based on your Golioth credentials and reboot: - -.. code-block:: console - - uart:~$ settings set golioth/psk-id - uart:~$ settings set golioth/psk - uart:~$ kernel reboot cold - Prepare new firmware ==================== 
@@ -272,6 +335,8 @@ Related documentation: - `Signing Binaries`_ - `Flash map`_ +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _MCUboot: https://docs.zephyrproject.org/3.3.0/services/device_mgmt/dfu.html#mcuboot .. _Signing Binaries: https://docs.zephyrproject.org/3.3.0/develop/west/sign.html#west-sign .. _Flash map: https://docs.zephyrproject.org/3.3.0/services/storage/flash_map/flash_map.html diff --git a/samples/dfu/sample.yaml b/samples/dfu/sample.yaml index 8cdf84c9..e5f9c806 100644 --- a/samples/dfu/sample.yaml +++ b/samples/dfu/sample.yaml @@ -16,9 +16,6 @@ tests: mimxrt1060_evkb nrf52840dk_nrf52840 extra_args: - dfu_CONFIG_GOLIOTH_SYSTEM_SETTINGS=n dfu_CONFIG_BOOT_DELAY=10000 sample.golioth.dfu.ncs: platform_allow: nrf9160dk_nrf9160_ns - extra_configs: - - CONFIG_GOLIOTH_SYSTEM_SETTINGS=n diff --git a/samples/hello/README.rst b/samples/hello/README.rst index b868d45d..37ce5a3c 100644 --- a/samples/hello/README.rst +++ b/samples/hello/README.rst 
@@ -19,29 +19,73 @@ Building and Running Authentication specific configuration ===================================== -PSK based auth --------------- +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. 
code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold -Certificate based auth ----------------------- +Certificate based auth - Hardcoded +---------------------------------- Configure the following Kconfig options based on your Golioth credentials: -- CONFIG_GOLIOTH_AUTH_METHOD_CERT - use certificate-based authentication -- CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH - device certificate -- CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH - device private key +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): @@ -184,6 +228,8 @@ This is the output from the serial console: Responses to Hello messages are printed above as a hexdump of "Hello mark". This means that communication with Golioth is working. +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/hello/sample.yaml b/samples/hello/sample.yaml index fb74fde6..81150d8f 100644 
--- a/samples/hello/sample.yaml +++ b/samples/hello/sample.yaml @@ -72,3 +72,6 @@ tests: CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH extra_configs: - CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + sample.golioth.hello.psk.runtime.buildonly: + build_only: true + extra_args: OVERLAY_CONFIG="../common/runtime_psk.conf" diff --git a/samples/hello/src/main.c b/samples/hello/src/main.c index dffe792c..25c901c0 100644 --- a/samples/hello/src/main.c +++ b/samples/hello/src/main.c @@ -8,7 +8,6 @@ LOG_MODULE_REGISTER(golioth_hello, LOG_LEVEL_DBG); #include -#include #include #include @@ -32,12 +31,6 @@ int main(void) net_connect(); } - /* Note: In production, you would provision unique credentials onto each - * device. For simplicity, we provide a utility to hardcode credentials as - * kconfig options in the samples. - */ - hardcoded_credentials_set(); - client->on_connect = golioth_on_connect; golioth_system_client_start(); diff --git a/samples/hello_sporadic/README.rst b/samples/hello_sporadic/README.rst index 90d39c5f..39912ede 100644 --- a/samples/hello_sporadic/README.rst +++ b/samples/hello_sporadic/README.rst 
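Review bot: The block deleted from `main()` in `samples/hello/src/main.c` carried the only in-code statement that hardcoded credentials are a sample convenience and that production devices should be provisioned with unique credentials; with the call moved into a `SYS_INIT` hook that note disappears from the code, and the new README text only says loading credentials is "normally" the user's responsibility. Carry it over as a header comment on `hardcoded_credentials_set()` in `samples/common/hardcoded_credentials.c`, e.g. `/* Sample convenience only: production devices should be provisioned with unique per-device credentials at runtime, not compiled-in values. */`. `main()` starts outside this hunk.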
@@ -16,17 +16,84 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" Platform specific configuration =============================== @@ -168,6 +235,8 @@ This is the output from the serial console: [00:04:14.181,000] golioth_system: Client connected! [00:04:14.898,000] golioth_system: Disconnect request +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/lightdb/delete/README.rst b/samples/lightdb/delete/README.rst index 331b0c2d..db768695 100644 --- a/samples/lightdb/delete/README.rst +++ b/samples/lightdb/delete/README.rst 
@@ -15,17 +15,84 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" Platform specific configuration =============================== @@ -174,6 +241,8 @@ The value can be set with: goliothctl lightdb set /counter -b "{\"counter\":34}" +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/lightdb/get/README.rst b/samples/lightdb/get/README.rst index 0b5179a9..c2ead819 100644 --- a/samples/lightdb/get/README.rst +++ b/samples/lightdb/get/README.rst 
@@ -15,17 +15,84 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" Platform specific configuration =============================== @@ -180,6 +247,8 @@ The value can be set with: goliothctl lightdb set /counter -b 12 +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/lightdb/observe/README.rst b/samples/lightdb/observe/README.rst index bb2c10e2..0bdabf80 100644 --- a/samples/lightdb/observe/README.rst +++ b/samples/lightdb/observe/README.rst 
@@ -16,17 +16,84 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" Platform specific configuration =============================== @@ -174,6 +241,8 @@ retrieves it every time that it's updated. The value can be updates as such: goliothctl lightdb set /counter -b 12 +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/lightdb/set/README.rst b/samples/lightdb/set/README.rst index 98c6e3c8..1cb89d95 100644 --- a/samples/lightdb/set/README.rst +++ b/samples/lightdb/set/README.rst 
@@ -16,17 +16,84 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" Platform specific configuration =============================== @@ -179,6 +246,8 @@ with its value. Current value can be fetched using following command: goliothctl lightdb get /counter +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/lightdb_led/README.rst b/samples/lightdb_led/README.rst index 2e7f6684..2875423a 100644 --- a/samples/lightdb_led/README.rst +++ b/samples/lightdb_led/README.rst 
@@ -16,17 +16,84 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" Platform specific configuration =============================== @@ -195,6 +262,8 @@ as: - ``/aliases/led3`` +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/lightdb_stream/README.rst b/samples/lightdb_stream/README.rst index ca43fc73..07f3c057 100644 --- a/samples/lightdb_stream/README.rst +++ b/samples/lightdb_stream/README.rst 
@@ -18,17 +18,84 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" Platform specific configuration =============================== @@ -257,6 +324,8 @@ Historical data can be queried using following command: ] +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/logging/README.rst b/samples/logging/README.rst index 6a55f941..1c96aab9 100644 --- a/samples/logging/README.rst +++ b/samples/logging/README.rst 
@@ -16,17 +16,84 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + Configure the following Kconfig options based on your Golioth credentials: -- GOLIOTH_SYSTEM_CLIENT_PSK_ID - PSK ID of registered device -- GOLIOTH_SYSTEM_CLIENT_PSK - PSK of registered device +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key by adding these lines to configuration file (e.g. ``prj.conf``): .. code-block:: cfg - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id" - CONFIG_GOLIOTH_SYSTEM_CLIENT_PSK="my-psk" + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" Platform specific configuration =============================== 
@@ -198,6 +265,8 @@ This is how logs are visible [2021-04-08 14:20:32 +0000 UTC] level:DEBUG module:"golioth_logging" message:"Log 2: 0" metadata:{fields:{key:"func" value:{string_value:"func_2"}} fields:{key:"index" value:{number_value:8}} fields:{key:"uptime" value:{number_value:100000}}} device_id:"xxxxxxxxxxxxxxxxxxxxxxxx" [2021-04-08 14:20:32 +0000 UTC] level:DEBUG module:"golioth_logging" message:"Log 1: 0" metadata:{fields:{key:"func" value:{string_value:"func_1"}} fields:{key:"index" value:{number_value:7}} fields:{key:"uptime" value:{number_value:100000}}} device_id:"xxxxxxxxxxxxxxxxxxxxxxxx" +.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/ +.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html .. _Networking with QEMU: https://docs.zephyrproject.org/3.3.0/connectivity/networking/qemu_setup.html .. _ESP32: https://docs.zephyrproject.org/3.3.0/boards/xtensa/esp32/doc/index.html .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html diff --git a/samples/settings/README.rst b/samples/settings/README.rst index 9a918d7a..dc87137c 100644 --- a/samples/settings/README.rst +++ b/samples/settings/README.rst 
@@ -18,6 +18,85 @@ Requirements Building and Running ******************** +Authentication specific configuration +===================================== + +Golioth offers two `authentication methods`_: Pre-Shared Keys (PSK) or Public +Key Cryptography using Certificates (certs). Normally, it is the responsibility +of the Golioth SDK user to load these credentials at runtime. For simplicity, +we provide facilities to hardcode these credentials or set them at +runtime for our samples. + +PSK based auth - Hardcoded +-------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``GOLIOTH_SAMPLE_HARDCODED_PSK_ID`` - PSK ID of registered device +- ``GOLIOTH_SAMPLE_HARDCODED_PSK`` - PSK of registered device + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk" + +PSK based auth - Runtime +------------------------ + +We provide an option for setting Golioth credentials through the Zephyr +shell. This is based on the `Zephyr Settings subsystem`_. + +Enable the settings shell by including the following configuration overlay +file: + +.. code-block:: console + + $ west build -- -DOVERLAY_CONFIG=${ZEPHYR_GOLIOTH_MODULE_DIR}/samples/common/runtime_psk.conf + +Alternatively, you can add the following options to ``prj.conf``: + +.. code-block:: cfg + + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n + + CONFIG_FLASH=y + CONFIG_FLASH_MAP=y + CONFIG_NVS=y + + CONFIG_SETTINGS=y + CONFIG_SETTINGS_RUNTIME=y + CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y + CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y + +At runtime, configure PSK-ID and PSK using the device shell based on your +Golioth credentials: + +.. 
code-block:: console + + uart:~$ settings set golioth/psk-id + uart:~$ settings set golioth/psk + uart:-$ kernel reboot cold + +Certificate based auth - Hardcoded +---------------------------------- + +Configure the following Kconfig options based on your Golioth credentials: + +- ``CONFIG_GOLIOTH_AUTH_METHOD_CERT`` - use certificate-based authentication +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH`` - device certificate +- ``CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH`` - device private key + +by adding these lines to configuration file (e.g. ``prj.conf``): + +.. code-block:: cfg + + CONFIG_GOLIOTH_AUTH_METHOD_CERT=y + CONFIG_GOLIOTH_SAMPLE_HARDCODED_CRT_PATH="keys/device.crt.der" + CONFIG_GOLIOTH_SAMPLE_HARDCODED_KEY_PATH="keys/device.key.der" + Platform specific configuration =============================== @@ -62,13 +141,6 @@ sample application (i.e., ``samples/settings``) and type: $ west build -b nrf52840dk_nrf52840 samples/settings $ west flash -Configure PSK-ID and PSK using the device shell based on your Golioth credentials: - -.. code-block:: console - - uart:~$ settings set golioth/psk-id - uart:~$ settings set golioth/psk - Configure WiFi SSID and PSK using the device shell and reboot: .. code-block:: console @@ -90,14 +162,6 @@ for MCUboot. Build and flash examples are below: $ west build -b nrf9160dk_nrf9160_ns samples/settings $ west flash -Configure PSK-ID and PSK using the device shell based on your Golioth credentials and reboot: - -.. code-block:: console - - uart:~$ settings set golioth/psk-id - uart:~$ settings set golioth/psk - uart:~$ kernel reboot cold - ESP32 ----- 
@@ -118,12 +182,6 @@ sample application (i.e., ``samples/settings``) and type:
 $ west build -b esp32 samples/settings
 $ west flash
 
-Configure PSK-ID and PSK using the device shell based on your Golioth credentials and reboot:
-
-.. code-block:: console
-
- uart:~$ settings set golioth/psk-id
- uart:~$ settings set golioth/psk
- uart:~$ kernel reboot cold
-
+.. _authentication methods: https://docs.golioth.io/firmware/zephyr-device-sdk/authentication/
+.. _Zephyr Settings subsystem: https://docs.zephyrproject.org/latest/services/settings/index.html
 .. _AT Binary Lists: https://docs.espressif.com/projects/esp-at/en/latest/AT_Binary_Lists/index.html
diff --git a/samples/settings/boards/qemu_x86.conf b/samples/settings/boards/qemu_x86.conf
index ca5683ba..15f11ae2 100644
--- a/samples/settings/boards/qemu_x86.conf
+++ b/samples/settings/boards/qemu_x86.conf
@@ -9,6 +9,3 @@ CONFIG_NET_CONFIG_NEED_IPV4=y
 CONFIG_NET_CONFIG_MY_IPV4_ADDR="192.0.2.1"
 CONFIG_NET_CONFIG_MY_IPV4_GW="192.0.2.2"
 CONFIG_NET_CONFIG_PEER_IPV4_ADDR="192.0.2.2"
-
-# Disable credentials from system settings
-CONFIG_GOLIOTH_SYSTEM_SETTINGS=n
diff --git a/samples/settings/prj.conf b/samples/settings/prj.conf
index 38fe40a1..0dd9e252 100644
--- a/samples/settings/prj.conf
+++ b/samples/settings/prj.conf
@@ -3,17 +3,6 @@ CONFIG_GOLIOTH_SAMPLES_COMMON=y
 
 # Application
 CONFIG_LOG_BACKEND_GOLIOTH=y
-CONFIG_REBOOT=y
-
-CONFIG_FLASH=y
-CONFIG_FLASH_MAP=y
-CONFIG_NVS=y
-
-CONFIG_SETTINGS=y
-CONFIG_SETTINGS_RUNTIME=y
-CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y
-CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y
-
 CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
 
 CONFIG_GOLIOTH_SETTINGS=y
diff --git a/samples/test/prj.conf b/samples/test/prj.conf
index 42dfab55..6bb274d4 100644
--- a/samples/test/prj.conf
+++ b/samples/test/prj.conf
@@ -11,11 +11,16 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 
+CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n
+
 CONFIG_SETTINGS=y
 CONFIG_SETTINGS_RUNTIME=y
+CONFIG_GOLIOTH_SAMPLE_PSK_SETTINGS=y
 CONFIG_GOLIOTH_SAMPLE_SETTINGS_AUTOLOAD=y
 CONFIG_GOLIOTH_SAMPLE_SETTINGS_SHELL=y
 
+CONFIG_GOLIOTH_SAMPLE_WIFI_SETTINGS=y
+
 CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
 
 CONFIG_ZTEST=y
diff --git a/tests/lightdb/Kconfig b/tests/lightdb/Kconfig
index 4174c3a6..3b6b377b 100644
--- a/tests/lightdb/Kconfig
+++ b/tests/lightdb/Kconfig
@@ -3,10 +3,10 @@ mainmenu "Test options"
 config GOLIOTH_SYSTEM_SERVER_HOST
 default "$(GOLIOTH_SYSTEM_SERVER_HOST)" if "$(GOLIOTH_SYSTEM_SERVER_HOST)" != ""
 
-config GOLIOTH_SYSTEM_CLIENT_PSK_ID
- default "$(GOLIOTH_SYSTEM_CLIENT_PSK_ID)" if "$(GOLIOTH_SYSTEM_CLIENT_PSK_ID)" != ""
-config GOLIOTH_SYSTEM_CLIENT_PSK
- default "$(GOLIOTH_SYSTEM_CLIENT_PSK)" if "$(GOLIOTH_SYSTEM_CLIENT_PSK)" != ""
+config GOLIOTH_SAMPLE_HARDCODED_PSK_ID
+ default "$(GOLIOTH_SAMPLE_HARDCODED_PSK_ID)" if "$(GOLIOTH_SAMPLE_HARDCODED_PSK_ID)" != ""
+config GOLIOTH_SAMPLE_HARDCODED_PSK
+ default "$(GOLIOTH_SAMPLE_HARDCODED_PSK)" if "$(GOLIOTH_SAMPLE_HARDCODED_PSK)" != ""
 
 source "Kconfig.zephyr"
 
diff --git a/tests/lightdb/README.rst b/tests/lightdb/README.rst
index 34cbaf24..ac67071c 100644
--- a/tests/lightdb/README.rst
+++ b/tests/lightdb/README.rst
@@ -25,8 +25,8 @@ environment variables:
 .. code-block:: shell
 
 export GOLIOTH_SYSTEM_SERVER_HOST="192.0.2.2"
-export GOLIOTH_SYSTEM_CLIENT_PSK_ID="my-psk-id"
-export GOLIOTH_SYSTEM_CLIENT_PSK="my-psk"
+export GOLIOTH_SAMPLE_HARDCODED_PSK_ID="my-psk-id"
+export GOLIOTH_SAMPLE_HARDCODED_PSK="my-psk"
 
 Run ``twister``:
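Review bot: The new `CONFIG_GOLIOTH_SAMPLE_HARDCODED_CREDENTIALS=n` line in samples/test/prj.conf carries no comment saying where the test's PSK is expected to come from instead, and the settings options around it restate, line by line, the list that the README hunk in this same commit attributes to `samples/common/runtime_psk.conf`. A reader of the test config cannot tell whether the hand-copied list is meant to track that overlay, so the two can silently drift. A one-line comment above the new line, `# Credentials are provided through the settings subsystem at runtime, not the hardcoded Kconfig defaults (keep in sync with samples/common/runtime_psk.conf)`, would record the intent. If the test harness can consume the overlay directly, referencing it would remove the duplication, but I cannot tell from the diff whether it does.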
