doc: provisioning: Add documentation #11704
Conversation
github-actions
bot
added
changelog-entry-required
juhaylinen
removed
the
changelog-entry-required
Test specificationCI/Jenkins/NRF
CI/Jenkins/integration
Note: This message is automatically posted and updated by the CI |
juhaylinen
force-pushed
the
provisioning_docs
branch
from
8c03635
to
33e0c5a
Compare
github-actions
bot
added
the
changelog-entry-required
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publishing GitHub Action. |
| :local: | ||
| :depth: 2 | ||
|
|
||
| The nRF Device provisioning library enables a device to connect to Nordic Semiconductor's provisioning Service. |
There was a problem hiding this comment.
Unsure about the capitalization: Device Provisioning? Neither capitalized?
If we are talking about the cloud-side provisioning service, I believe the name will be nRF Cloud Provisioning Service, part of nRF Cloud Security Services. I can check with PMT.
There was a problem hiding this comment.
Please check the correct name.
There was a problem hiding this comment.
Just to check, the service we're talking about here is the Cloud service?
There was a problem hiding this comment.
Yes, the Cloud service
| * A pointer to a callback function which is to be called on modem state changes. | ||
| * A pointer that must be called once provisioning is done. | ||
|
|
||
| If you provide ``null`` as a callback function address argument, a corresponding default callback used. |
There was a problem hiding this comment.
| If you provide ``null`` as a callback function address argument, a corresponding default callback used. | |
| If you provide ``null`` as a callback function address argument, a corresponding default callback is used. |
| The sample shows how the device performs the following actions: | ||
|
|
||
| * Connects to nRF Device provisioning Service. | ||
| * Fetches available device specific provisioning commands. |
There was a problem hiding this comment.
We refer to the group of these commands as the provisioning configuration.
| * Acts on any AT commands, if available. | ||
| * Reports the results back to the server. | ||
| In case of errors, stops processing the commands at the first error and reports it back to server. | ||
| * Sends ``FINISHED`` response if all the previous commands are executed without errors provided and ``FINISHED`` is one of the set provisioning commands. |
There was a problem hiding this comment.
I'm not sure what 'without errors provided and FINISHED is one of the set provisioning commands' means. Possible values for the command status in the Provisioning Service are PENDING, FAILED, IN_PROGRESS, SUCCEEDED, and SKIPPED. Does this refer to the command status or the status of something in the sample, which has different values?
There was a problem hiding this comment.
FINISHED refers to the provisioning command which tells to the device that provisioning process has been finished.
There was a problem hiding this comment.
OK. So this refers specifically to something in the sample, and not the Provisioning Service.
| ************** | ||
|
|
||
| Device side interaction is not required. | ||
| You must fill the command queue at the server side. |
There was a problem hiding this comment.
Is this referring to the nRF Cloud portal interface? If so, replace 'fill the command queue' with 'define the provisioning configuration'.
You can also define the configuration using the REST API.
| .. _CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG: | ||
|
|
||
| CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG | ||
| Root CA security tag for the Nordic Semiconductor's provisioning service. |
There was a problem hiding this comment.
Again, does this refer specifically to the nRF Cloud (secure) Provisioning Service?
|
|
||
| .. include:: /includes/tfm.txt | ||
|
|
||
| The sample requires that private device key is installed on the device and the associated Device UUID is obtained from the Identity Service. |
There was a problem hiding this comment.
| The sample requires that private device key is installed on the device and the associated Device UUID is obtained from the Identity Service. | |
| The sample requires that private device key is installed on the device and the associated device UUID is obtained from the Identity Service. |
| * After the execution of the commands to report the results. | ||
|
|
||
| The library shuts down the modem for writing data to the modem's non-volatile memory, if `AT commands <AT Commands Reference Guide_>`_ are involved. | ||
| Once the memory writes are complete, connection is re-established to report the results back to the server. |
There was a problem hiding this comment.
| Once the memory writes are complete, connection is re-established to report the results back to the server. | |
| Once the memory writes are complete, the connection is re-established to report the results back to the server. |
| Once the memory writes are complete, connection is re-established to report the results back to the server. | ||
| The results are reported back to the server when either all the commands succeed or when an error occurs. | ||
| If an error occurs, the results of all the commands that are successfully executed before the error and the erroneous result are reported back to the server. | ||
| All successfully executed commands will be removed from the server-side queue, but if any errors occur, the erroneous command and all the remaining unexecuted commands will be flushed from the queue. |
There was a problem hiding this comment.
We need to be careful to distinguish this from the provisioning configuration for a claimed device in nRF Cloud: these are, as I understand, the commands we're talking about here.
On the Cloud side, the commands form the provisioining configuration, and the configuration remains in the interface and the service's data about the device until the commands are deleted by the user.
If this is some queue in the network, I'd like that to be a little clearer.
There was a problem hiding this comment.
Yes, we are talking about the provisioning configuration here.
There was a problem hiding this comment.
All successfully executed commands will be removed from the server-side queue, but if any errors occur, the erroneous command and all the remaining unexecuted commands will be flushed from the queue.
Just to be clear whether you are describing server functionality or device functionality, the removal from the queue and flushing of the queue are done on the server side, not on the device side in this library, correct?
|
|
||
| During provisioning, the library first tries to establish the transport for communicating with the service. | ||
| This procedure involves a TLS handshake where the client establishes the correct server. | ||
| The server uses the attestation token or the JWT token generated by the device for authenticating the client. |
There was a problem hiding this comment.
Cloud-side docs on attestation tokens and the Identity Service will be available next week.
juhaylinen
force-pushed
the
provisioning_docs
branch
from
33e0c5a
to
de4a977
Compare
| Once the memory writes are complete, connection is re-established to report the results back to the server. | ||
| The results are reported back to the server when either all the commands succeed or when an error occurs. | ||
| If an error occurs, the results of all the commands that are successfully executed before the error and the erroneous result are reported back to the server. | ||
| All successfully executed commands will be removed from the server-side queue, but if any errors occur, the erroneous command and all the remaining unexecuted commands will be flushed from the queue. |
There was a problem hiding this comment.
All successfully executed commands will be removed from the server-side queue, but if any errors occur, the erroneous command and all the remaining unexecuted commands will be flushed from the queue.
Just to be clear whether you are describing server functionality or device functionality, the removal from the queue and flushing of the queue are done on the server side, not on the device side in this library, correct?
|
|
||
| .. include:: /includes/tfm.txt | ||
|
|
||
| The sample requires that private device key is installed on the device and the associated device UUID is obtained from the Identity Service. |
There was a problem hiding this comment.
Perhaps "requires that the device's private key" would be clearer.
|
|
||
| <inf> nrf_provisioning_sample: Establishing LTE link ... | ||
| <inf> nrf_provisioning_http: Connected | ||
| <inf> nrf_provisioning: Disconnected from network - provisioning paused |
There was a problem hiding this comment.
I assume between "Disconnected" and "Connected" on the next line, some actual provisioning is happening?
It might be nice to say so (obviously that requires a change to the code itself, not just this documentation).
There was a problem hiding this comment.
Good point. I'll create a new PR for this.
juhaylinen
force-pushed
the
provisioning_docs
branch
from
de4a977
to
e0a24c5
Compare
juhaylinen
removed
the
changelog-entry-required
|
|
||
| The sample supports the following development kits: | ||
|
|
||
| .. table-from-sample-yaml:: |
There was a problem hiding this comment.
Perhaps use this instead?
.. table-from-rows:: /includes/sample_board_rows.txt
:header: heading
:rows: nrf9161dk_nrf9161_ns
|
|
||
| The TLS handshake needs to be done twice: | ||
|
|
||
| * Before requesting commands |
There was a problem hiding this comment.
| * Before requesting commands | |
| * Before requesting commands. |
| * AT-command based provisioning commands | ||
| * Writing key-value pair based settings to the :ref:`settings_api` storage | ||
| * TLS secured HTTP as the communication protocol | ||
| * Client authentication with Attestation Token |
There was a problem hiding this comment.
| * Client authentication with Attestation Token | |
| * Client authentication with attestation token |
| For now, HTTP is the only supported transport protocol. | ||
|
|
||
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_SYS_INIT` - Initializes the client in the system initialization phase | ||
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG` - Root CA security tag for the provisioning Service |
There was a problem hiding this comment.
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG` - Root CA security tag for the provisioning Service | |
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG` - Root CA security tag for the Provisioning Service |
|
|
||
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_SYS_INIT` - Initializes the client in the system initialization phase | ||
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG` - Root CA security tag for the provisioning Service | ||
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_HTTP_HOSTNAME` - HTTP API hostname for the provisioning Service |
There was a problem hiding this comment.
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_HTTP_HOSTNAME` - HTTP API hostname for the provisioning Service | |
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_HTTP_HOSTNAME` - HTTP API hostname for the Provisioning Service |
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_SYS_INIT` - Initializes the client in the system initialization phase | ||
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG` - Root CA security tag for the provisioning Service | ||
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_HTTP_HOSTNAME` - HTTP API hostname for the provisioning Service | ||
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_HTTP_PORT` - Port number for the provisioning Service |
There was a problem hiding this comment.
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_HTTP_PORT` - Port number for the provisioning Service | |
| * :kconfig:option:`CONFIG_NRF_PROVISIONING_HTTP_PORT` - Port number for the Provisioning Service |
| Server<<Device [label="Get commands"]; | ||
| Server>>Device [label="Return commands"]; | ||
| Device box Device [label="Decode commands"]; | ||
| Device box Device [label="Put modem offline"]; |
There was a problem hiding this comment.
| Device box Device [label="Put modem offline"]; | |
| Device box Device [label="Set modem offline"]; |
| Server<<Device [label="Get commands"]; | ||
| Server>>Device [label="Return commands"]; | ||
| Device box Device [label="Decode commands"]; | ||
| Device box Device [label="Put modem offline"]; |
There was a problem hiding this comment.
| Device box Device [label="Put modem offline"]; | |
| Device box Device [label="Set modem offline"]; |
| ********************** | ||
|
|
||
| For testing the client, it is possible to enable Zephyr's shell and provisioning command, which makes it possible to control the client over UART. | ||
| Currently, only the supported subcommand makes it possible to trigger provisioning immediately. |
There was a problem hiding this comment.
I don't understand this.
Is only immediate provisioning available? Or immediate provisioning is available only using this particular subcommand?
There was a problem hiding this comment.
I removed the sentence. There is now more commands available for testing.
| For testing the client, it is possible to enable Zephyr's shell and provisioning command, which makes it possible to control the client over UART. | ||
| Currently, only the supported subcommand makes it possible to trigger provisioning immediately. | ||
| The feature is enabled by selecting :kconfig:option:`CONFIG_NRF_PROVISIONING_SHELL`. | ||
| The shell is meant for testing so production systems must not enable it. |
There was a problem hiding this comment.
| The shell is meant for testing so production systems must not enable it. | |
| The shell is meant for testing. Do not enable it in production. |
There was a problem hiding this comment.
Every sentence on a separate line.
| * Acts on any AT commands, if available. | ||
| * Reports the results back to the server. | ||
| In case of errors, stops processing the commands at the first error and reports it back to server. | ||
| * Sends ``FINISHED`` response if all the previous commands are executed without errors provided and ``FINISHED`` is one of the set provisioning commands. |
There was a problem hiding this comment.
OK. So this refers specifically to something in the sample, and not the Provisioning Service.
juhaylinen
force-pushed
the
provisioning_docs
branch
from
e0a24c5
to
d24f82e
Compare
| :depth: 2 | ||
|
|
||
| The nRF Device provisioning library enables a device to connect to nRF Cloud Provisioning Service, part of nRF Cloud Security Services. | ||
| It abstracts and hides the details of the transport and the encoding scheme that is used for the payload. |
There was a problem hiding this comment.
| It abstracts and hides the details of the transport and the encoding scheme that is used for the payload. | |
| It abstracts and hides the details of the transport and encoding scheme that are used for the payload. |
|
|
||
| * AT-command based provisioning commands | ||
| * Writing key-value pair based settings to the :ref:`settings_api` storage | ||
| * TLS secured HTTP as the communication protocol |
There was a problem hiding this comment.
| * TLS secured HTTP as the communication protocol | |
| * TLS-secured HTTP as the communication protocol |
| Configuration options for transport protocol | ||
| ============================================ | ||
|
|
||
| For now, HTTP is the only supported transport protocol. |
There was a problem hiding this comment.
| For now, HTTP is the only supported transport protocol. | |
| Currently, HTTP is the only supported transport protocol. |
| Initialization | ||
| ============== | ||
|
|
||
| Once initialized, the provisioning client will run on its own in the background. |
There was a problem hiding this comment.
| Once initialized, the provisioning client will run on its own in the background. | |
| Once initialized, the provisioning client runs on its own in the background. |
| ============== | ||
|
|
||
| Once initialized, the provisioning client will run on its own in the background. | ||
| The provisioning client can be initialized in following two ways: |
There was a problem hiding this comment.
| The provisioning client can be initialized in following two ways: | |
| The provisioning client can be initialized in one of the following ways: |
|
|
||
| The sample shows how the device performs the following actions: | ||
|
|
||
| * Connects to nRF Device provisioning Service. |
There was a problem hiding this comment.
If the nRF Cloud service, should be 'nRF Cloud Provisioning Service'.
| The sample shows how the device performs the following actions: | ||
|
|
||
| * Connects to nRF Device provisioning Service. | ||
| * Fetches available device specific provisioning configuration. |
There was a problem hiding this comment.
| * Fetches available device specific provisioning configuration. | |
| * Fetches available device-specific provisioning configuration. |
| ************** | ||
|
|
||
| Device side interaction is not required. | ||
| You must define the provisioning configuration at the server side. |
There was a problem hiding this comment.
| .. _CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG: | ||
|
|
||
| CONFIG_NRF_PROVISIONING_ROOT_CA_SEC_TAG | ||
| Root CA security tag for the nRF Cloud (secure) Provisioning Service. |
There was a problem hiding this comment.
| Root CA security tag for the nRF Cloud (secure) Provisioning Service. | |
| Root CA security tag for the nRF Cloud Provisioning Service. |
|
|
||
| #. |connect_kit| | ||
| #. |connect_terminal| | ||
| #. Add provisioning command(s) to nRF Provisioning Service. |
There was a problem hiding this comment.
| #. Add provisioning command(s) to nRF Provisioning Service. | |
| #. Add a provisioning configuration using the nRF Cloud Provisioning Service. |
https://docs.nrfcloud.com/SecurityServices/ProvisioningService/ProvisioningConfiguration/ProvisioningConfigurationPortal.html Link could also go here instead/in addition.
juhaylinen
force-pushed
the
provisioning_docs
branch
from
d24f82e
to
77a423c
Compare
|
@melwee01 I have updated the documentation as requested |
| The behavior can be overwritten by providing a unique callback function for the initialization function. | ||
|
|
||
| If anything is written to the modem's non-volatile memory, the modem needs to be set in offline mode. | ||
| This is because the modem cannot be connected while any data is to being written to its storage area. |
There was a problem hiding this comment.
| This is because the modem cannot be connected while any data is to being written to its storage area. | |
| This is because the modem cannot be connected while any data is being written to its storage area. |
| To use the default implementation, ``NULL`` can be passed as an argument to the :c:func:`nrf_provisioning_init` function. | ||
| Copy and modify the default callback function as necessary. | ||
|
|
||
| The library starts provisioning when it initializes and, then according to the configured interval. |
There was a problem hiding this comment.
| The library starts provisioning when it initializes and, then according to the configured interval. | |
| The library starts provisioning when it initializes, then according to the configured interval. |
| Once the memory writes are complete, the connection is re-established to report the results back to the server. | ||
| The results are reported back to the server when either all the commands succeed or when an error occurs. | ||
| If an error occurs, the results of all the commands that are successfully executed before the error and the erroneous result are reported back to the server. | ||
| All successfully executed commands will be removed from the server-side queue, but if any errors occur, the erroneous command and all the remaining unexecuted commands will be flushed from the server-side queue. |
There was a problem hiding this comment.
| All successfully executed commands will be removed from the server-side queue, but if any errors occur, the erroneous command and all the remaining unexecuted commands will be flushed from the server-side queue. | |
| All successfully executed commands will be removed from the server-side queue, but if any errors occur, the erroneous command and all the remaining unexecuted commands are removed from the server-side queue. |
| ************** | ||
|
|
||
| Device side interaction is not required. | ||
| You must define the provisioning configuration at the server side, see `nRF Cloud provisioning configuration`_. |
There was a problem hiding this comment.
| You must define the provisioning configuration at the server side, see `nRF Cloud provisioning configuration`_. | |
| You must define the provisioning configuration at the server side. See `nRF Cloud provisioning configuration`_. |
There was a problem hiding this comment.
All sentences in separate lines in rst.
|
|
||
| #. |connect_kit| | ||
| #. |connect_terminal| | ||
| #. Add a provisioning configuration using the nRF Cloud Provisioning Service, see `nRF Cloud provisioning configuration`. |
There was a problem hiding this comment.
| #. Add a provisioning configuration using the nRF Cloud Provisioning Service, see `nRF Cloud provisioning configuration`. | |
| #. Add a provisioning configuration using the nRF Cloud Provisioning Service. See `nRF Cloud provisioning configuration`. |
juhaylinen
force-pushed
the
provisioning_docs
branch
from
77a423c
to
4c4554d
Compare
| #. |connect_kit| | ||
| #. |connect_terminal| | ||
| #. Add a provisioning configuration using the nRF Cloud Provisioning Service. | ||
| #. See `nRF Cloud provisioning configuration`. |
There was a problem hiding this comment.
Sorry for a further nitpick, but I think this will now render as a numbered step when it was probably intended to be a follow-up to the previous line.
@peknis, I don't know the proper formatting to suggest. What do you think?
| #. Add a provisioning configuration using the nRF Cloud Provisioning Service. | ||
| #. See `nRF Cloud provisioning configuration`. |
There was a problem hiding this comment.
| #. Add a provisioning configuration using the nRF Cloud Provisioning Service. | |
| #. See `nRF Cloud provisioning configuration`. | |
| #. Add a provisioning configuration using the nRF Cloud Provisioning Service. | |
| See `nRF Cloud provisioning configuration`. |
Add documentation for nrf_provisioning library and sample. Update changelog. Signed-off-by: Juha Ylinen <juha.ylinen@nordicsemi.no>
juhaylinen
force-pushed
the
provisioning_docs
branch
from
4c4554d
to
9bde210
Compare
juhaylinen
removed
the
doc-required
Add documentation for nrf_provisioning library and sample.
Update changelog.