diff --git a/doc/nrf/links.txt b/doc/nrf/links.txt index b633da73da5e..b5ed3e94eff7 100644 --- a/doc/nrf/links.txt +++ b/doc/nrf/links.txt @@ -138,6 +138,8 @@ .. _`nRF Cloud JSON protocol schemas`: https://github.com/nRFCloud/application-protocols .. _`device_credentials_installer.py`: https://github.com/nRFCloud/utils/blob/master/python/modem-firmware-1.3%2B/device_credentials_installer.py .. _`nrf_cloud_provision.py`: https://github.com/nRFCloud/utils/blob/master/python/modem-firmware-1.3%2B/README.md#nrf-cloud-device-provisioning +.. _`nRF Cloud Utilities Create CA Cert`: https://github.com/nRFCloud/utils/blob/master/python/modem-firmware-1.3%2B/README.md#create-ca-cert +.. _`nRF Cloud Utilities Create Device Credentials`: https://github.com/nRFCloud/utils/blob/master/python/modem-firmware-1.3%2B/README.md#create-device-credentials .. _`nRF Cloud Utilities documentation`: https://github.com/nRFCloud/utils/blob/master/python/modem-firmware-1.3%2B/README.md .. _`TF-M sample incompatibility issue`: https://github.com/zephyrproject-rtos/zephyr/issues/34658 @@ -812,6 +814,8 @@ .. _`Set up your AWS account`: https://docs.aws.amazon.com/iot/latest/developerguide/setting-up.html .. _`AWS IoT Core policy examples`: https://docs.aws.amazon.com/iot/latest/developerguide/example-iot-policies.html .. _`Security best practices in AWS IoT Core`: https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html +.. _`AWS IoT Core Server Authentication`: https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html +.. _`CA certificates for server authentication in AWS IoT Core`: https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs .. _`AWS IoT console`: https://console.aws.amazon.com/iot/home .. _`AWS S3 console`: https://console.aws.amazon.com/s3/home @@ -838,6 +842,10 @@ .. _`Matter Simple Setup for Thread Overview`: https://developer.amazon.com/docs/frustration-free-setup/matter-simple-setup-for-thread-overview.html .. _`Amazon Alexa integration with Matter`: https://developer.amazon.com/en-US/docs/alexa/smarthome/matter-support.html +.. ### Source: *.amazontrust.com + +.. _`Amazon Root CA 1`: https://www.amazontrust.com/repository/AmazonRootCA1.pem + .. ### Source: openthread.io .. _`OpenThread.io`: https://openthread.io/ @@ -961,6 +969,7 @@ .. _`nRF Cloud documentation`: .. _`nRF Connect for Cloud documentation`: https://docs.nrfcloud.com/ .. _`nRF Cloud Device Messages`: https://docs.nrfcloud.com/Devices/MessagesAndAlerts/DeviceMessages.html +.. _`nRF Cloud Device ID`: https://docs.nrfcloud.com/Devices/Properties/DeviceId.html .. _`nRF Cloud Device Shadows`: https://docs.nrfcloud.com/Devices/Properties/Shadows.html .. _`nRF Cloud Security`: https://docs.nrfcloud.com/Devices/Security/Security.html .. _`nRF Cloud Just-In-Time-Provisioning`: https://docs.nrfcloud.com/Devices/Associations/Provisioning.html#just-in-time-provisioning @@ -981,8 +990,11 @@ .. _`nRF Connect for Cloud Patch Device State`: https://api.nrfcloud.com/v1#operation/UpdateDeviceState .. _`nRF Cloud REST API ListMessages`: https://api.nrfcloud.com/v1#tag/Messages/operation/ListMessages .. _`nRF Cloud Location Services`: https://api.nrfcloud.com/v1#tag/Location-Services +.. _`nRF Cloud REST API ProvisionDevices`: https://api.nrfcloud.com/v1#tag/IP-Devices/operation/ProvisionDevices .. _`nRF Cloud RegisterPublicKeys Endpoint`: https://api.nrfcloud.com/v1/#operation/RegisterPublicKeys +.. _`nRF Cloud Portal Provision Devices`: https://nrfcloud.com/#/provision-devices +.. _`nRF Cloud Portal Devices`: https://nrfcloud.com/#/devices .. ### Source: zigbeealliance.org & csa-iot.org diff --git a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst index ccc1fd7a5e91..e39aec088b29 100644 --- a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst +++ b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst @@ -323,13 +323,20 @@ Cellular samples (renamed from nRF9160 samples) * :ref:`nrf_cloud_multi_service` sample: * Renamed Cellular: nRF Cloud MQTT multi-service to Cellular: nRF Cloud multi-service. - * Added documentation for using the :ref:`lib_nrf_cloud_alert` and :ref:`lib_nrf_cloud_log` libraries. - * Changed the :file:`overlay_nrfcloud_logging.conf` file to enable JSON logs by default. - * The :c:struct:`nrf_cloud_obj` structure and associated functions are now used to encode and decode nRF Cloud data. - * Cleaned up and simplified connection logic. - * Switched from using the :ref:`lte_lc_readme` library directly to using Zephyr's ``conn_mgr`` and the :kconfig:option:`CONFIG_LTE_CONNECTIVITY` Kconfig option. + * Added: + + * Documentation for using the :ref:`lib_nrf_cloud_alert` and :ref:`lib_nrf_cloud_log` libraries. + * An overlay that allows the sample to be used with Wi-Fi instead of LTE. + * The :file:`overlay_coap.conf` file and made changes to the sample to enable the use of CoAP instead of MQTT to connect with nRF Cloud. + + * Updated: + + * The :file:`overlay_nrfcloud_logging.conf` file to enable JSON logs by default. + * The encoding and decoding of nRF Cloud data to use the :c:struct:`nrf_cloud_obj` structure and associated functions. + * The connection logic by cleaning and simplifying it. + * From using the :ref:`lte_lc_readme` library directly to using Zephyr's ``conn_mgr`` and the :kconfig:option:`CONFIG_LTE_CONNECTIVITY` Kconfig option. + * Removed the Kconfig options :kconfig:option:`CONFIG_LTE_INIT_RETRY_TIMEOUT_SECONDS` and :kconfig:option:`CLOUD_CONNECTION_REESTABLISH_DELAY_SECONDS` as they are no longer needed. - * Added the :file:`overlay_coap.conf` file and made changes to the sample to enable the use of CoAP instead of MQTT to connect with nRF Cloud. * :ref:`http_application_update_sample` sample: @@ -581,6 +588,7 @@ Libraries for networking * :c:func:`nrf_cloud_obj_pgps_request_create` function that creates a P-GPS request for nRF Cloud. * A new internal codec function :c:func:`nrf_cloud_obj_location_request_payload_add`, which excludes local Wi-Fi access point MAC addresses from the location request. * Support for CoAP CBOR type handling to nrf_cloud_obj. + * Warning message discouraging use of :kconfig:option:`CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES` for purposes other than testing. * Updated: diff --git a/samples/cellular/nrf_cloud_multi_service/.gitignore b/samples/cellular/nrf_cloud_multi_service/.gitignore new file mode 100644 index 000000000000..b2290143a47b --- /dev/null +++ b/samples/cellular/nrf_cloud_multi_service/.gitignore @@ -0,0 +1 @@ +certs diff --git a/samples/cellular/nrf_cloud_multi_service/CMakeLists.txt b/samples/cellular/nrf_cloud_multi_service/CMakeLists.txt index bae5f55643a2..c77c1da34376 100644 --- a/samples/cellular/nrf_cloud_multi_service/CMakeLists.txt +++ b/samples/cellular/nrf_cloud_multi_service/CMakeLists.txt @@ -10,6 +10,9 @@ find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) project(nrf_cloud_multi_service) zephyr_compile_definitions(PROJECT_NAME=${PROJECT_NAME}) +# Include certs files if enabled. +zephyr_include_directories_ifdef(CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES certs) + # NORDIC SDK APP START target_sources(app PRIVATE src/main.c) target_sources(app PRIVATE src/application.c) diff --git a/samples/cellular/nrf_cloud_multi_service/README.rst b/samples/cellular/nrf_cloud_multi_service/README.rst index 78b1ef03f1a3..4914c01ce371 100644 --- a/samples/cellular/nrf_cloud_multi_service/README.rst +++ b/samples/cellular/nrf_cloud_multi_service/README.rst @@ -47,6 +47,7 @@ This sample implements or demonstrates the following features: * Transmission of an alert on sample startup using the :ref:`lib_nrf_cloud_alert` library. * Transmission of additional alerts, whenever a specified temperature limit is exceeded. * Optional transmission of log messages to the cloud using the :ref:`lib_nrf_cloud_log` library. +* Experimental support for Wi-Fi connectivity. .. _nrf_cloud_multi_service_structure_and_theory_of_operation: @@ -225,7 +226,7 @@ The Wi-Fi location tracking method is not enabled by default and requires the nR When enabled, this location method scans the MAC addresses of nearby access points and submits them to nRF Cloud to obtain a location estimate. -See :ref:`nrf_cloud_multi_service_building_wifi` for details on how to enable Wi-Fi location tracking. +See :ref:`nrf_cloud_multi_service_building_wifi_scan` for details on how to enable Wi-Fi location tracking. This sample supports placing P-GPS data in external flash for the nRF9160 development kit version 0.14.0 and later. To enable this, add the following parameter to your build command: @@ -411,6 +412,196 @@ To monitor the GNSS module (for instance, to see whether A-GPS or P-GPS assistan See also the :ref:`nrf_cloud_multi_service_test_counter`. + +.. _nrf_cloud_multi_service_hardcoded_certs: + +Provisioning with hard-coded CA and device certificates +======================================================= + +The :kconfig:option:`CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES` Kconfig option allows you to use hard-coded CA and device certificates stored in unprotected program memory for connecting to nRF Cloud. + +.. important:: + The :kconfig:option:`CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES` Kconfig option is not secure, and should be used only for demonstration purposes! + Because this setting stores your device's private key in unprotected program memory, using it makes your device vulnerable to impersonation. + +If you are certain you understand the inherent security risks, you can provision your device with :kconfig:option:`CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES` as follows: + +First, generate a self-managed CA certificate: + +1. Download and install the `nRF Cloud Utilities `_ repo. +#. Use the nRF Cloud Utilities :file:`create_ca_cert.py` Python script to generate the certificate: + + .. code-block:: console + + python3 create_ca_cert.py -c US -f self_ca_ + + Remember to set ``-c`` to your two-letter country code. + See the `Create CA Cert `_ section in the nRF Cloud Utilities documentation for more details. + + You should now have three files: + + * :file:`self_ca__ca.pem` + * :file:`self_ca__prv.pem` + * :file:`self_ca__pub.pem` + + Where ```` is your certificate's serial number in hex. + You will use these files to sign device certificates. + + You only need to generate these three files once. + They can be used to sign as many device certificates as you need. + +Next, complete the following steps for each device you wish to provision: + +1. Create a globally unique `device ID `_ for the device. + + The ID can be anything you want, as long as it is not prefixed with ``nrf-`` and is globally unique. + + Each device should have its own device ID, and you must use this device ID exactly in all of the remaining steps for that device, otherwise provisioning will fail. + +#. Use the :file:`create_device_credentials.py` Python script to generate a self-signed certificate for the device: + + .. code-block:: console + + python3 create_device_credentials.py -ca "self_ca__ca.pem" -ca_key "self_ca__prv.pem" -c US -cn "" -f cred_ + + Where ```` is the device ID you created, and :file:`self_ca__ca.pem`, and :file:`self_ca__prv.pem` are the corresponding file names from the previous step. + + Remember to set ``-c`` to your two-letter country code. + See the `Create Device Credentials `_ section in the nRF Cloud Utilities documentation for more details. + + You should now have an additional three files: + + * :file:`cred__crt.pem` + * :file:`cred__pub.pem` + * :file:`cred__prv.pem` + + These three files can only be used by a single device. + + .. important:: + + If an attacker obtains the private key contained in :file:`cred__prv.pem`, they will be able to impersonate your device. + Since using hard-coded certificates does not protect this private key from extraction, this option should not be used in production! + +#. Create a CSV file named :file:`_cred.csv` and give it the following contents: + + .. code-block:: none + + ,,,,"" + + Where ```` is replaced by the device ID you created, and ```` is replaced by the exact contents of :file:`_crt.pem`. + + For example, if the device ID you created is ``698d4c11-0ccc-4f04-89cd-6882724e3f6f``: + + .. code-block:: none + + 698d4c11-0ccc-4f04-89cd-6882724e3f6f,,,,"-----BEGIN CERTIFICATE----- + sCC8AtbNQhzbp4y01FEzXaf5Fko3Qdq0o5LbuNpVA7S6AKAkjt17QzKJAiGWHakh + RnwzoA2dF4wR0rMP5vR6dqBblaGAA5hN7GE2vPBHTDNZGJ6tZ9dnO6446dg9gGds + eeadE1HdVnUj8nb+7CGm39vJ4fuNk9vogH0nMdxjCnXAinoOMRx8EklQsR747+Gz + sxcdVYuNEb/E2vWBHTDNZGJ6tZC1JC9d6/RC3Vb1JC4tWnK9mk/Jw984ZuYugpMc + 1t9umoGFYCz0nMdxjCnXAbnoOMC5A0RxcWPzxfC5A0RH+j+mwoMxwhgfFY4EhVxp + oCC8labNQhzRC3Vc1JC4tWnK9mpVA7k/o5LbuNpVA7S6AKAkjt17QzKJAiGWHakh + RXwcoAndF4wPzxfC5A0RHponmwBHTDoM7GE2vPBHTDNZGJ6tZ9dnO6446dg9gGds + eefdE1HcVnULbuNpVA7S6AKAkjxjCnt1gH0nMdxjCnXAinoOMRx8EklQsR747+Fz + srm/VYaNEb/E2vPBHTDNZGJ6tZc1JC9d6/RC3Vc1JC4tWnK9mk/Jr984ZuYugpMc + nt9uZTGFYCzZD0FFAA5NAC4i1PARStFycWPzxfC5A0RqodhswoMxwhgfFY4EhVx= + -----END CERTIFICATE----- + " + + Do not attempt to use this example directly, it has been filled with dummy data. + See `nRF Cloud REST API ProvisionDevices`_ for more details. + +#. Navigate to the `Provision Devices `_ page of the nRF Cloud portal and upload the :file:`_cred.csv` file you created. + + You should see a message stating that the file was uploaded successfully, and a device with the device ID you created should appear in the `Devices `_ page. + +#. Download `Amazon Root CA 1`_ and save it as :file:`AmazonRootCA1.pem`. + + See `CA certificates for server authentication in AWS IoT Core`_ for more details. + Do not confuse this CA cert with your self-managed CA cert. + +#. Prepare the :file:`cred__crt.pem`, :file:`cred__prv.pem`, and :file:`AmazonRootCA1.pem` files for use by the device. + + Your device needs these files in order to connect to nRF Cloud. + To be usable by your device, they need to be reformatted as C strings and given specific names (:file:`client-cert.pem`, :file:`private-key.pem` and :file:`ca-cert.pem` respectively). + + You can perform the reformatting and renaming as follows: + + .. tabs:: + + .. group-tab:: Bash + + .. code-block:: console + + awk 'NF { print "\""$0"\\n\""}' "cred__crt.pem" > client-cert.pem + awk 'NF { print "\""$0"\\n\""}' "cred__prv.pem" > private-key.pem + awk 'NF { print "\""$0"\\n\""}' AmazonrootCA1.pem > ca-cert.pem + + Where ```` is replaced with the device ID you created. + + .. group-tab:: PowerShell + + .. code-block:: console + + gc ".\cred__crt.pem" | %{"""$_\n"""} | out-file -encoding utf8 client-cert.pem + gc ".\cred__prv.pem" | %{"""$_\n"""} | out-file -encoding utf8 private-key.pem + gc .\AmazonrootCA1.pem | %{"""$_\n"""} | out-file -encoding utf8 ca-cert.pem + + Where ```` is replaced with the device ID you created. + + You should now have the following three files: + + * :file:`client-cert.pem` + * :file:`private-key.pem` + * :file:`ca-cert.pem` + + And the contents of each file should be similar to the following: + + .. code-block:: C + + "-----BEGIN CERTIFICATE-----\n" + "sCC8AtbNQhzbp4y01FEzXaf5Fko3Qdq0o5LbuNpVA7S6AKAkjt17QzKJAiGWHakh\n" + "RnwzoA2dF4wR0rMP5vR6dqBblaGAA5hN7GE2vPBHTDNZGJ6tZ9dnO6446dg9gGds\n" + "eeadE1HdVnUj8nb+7CGm39vJ4fuNk9vogH0nMdxjCnXAinoOMRx8EklQsR747+Gz\n" + "sxcdVYuNEb/E2vWBHTDNZGJ6tZC1JC9d6/RC3Vb1JC4tWnK9mk/Jw984ZuYugpMc\n" + "1t9umoGFYCz0nMdxjCnXAbnoOMC5A0RxcWPzxfC5A0RH+j+mwoMxwhgfFY4EhVxp\n" + "oCC8labNQhzRC3Vc1JC4tWnK9mpVA7k/o5LbuNpVA7S6AKAkjt17QzKJAiGWHakh\n" + "RXwcoAndF4wPzxfC5A0RHponmwBHTDoM7GE2vPBHTDNZGJ6tZ9dnO6446dg9gGds\n" + "eefdE1HcVnULbuNpVA7S6AKAkjxjCnt1gH0nMdxjCnXAinoOMRx8EklQsR747+Fz\n" + "srm/VYaNEb/E2vPBHTDNZGJ6tZc1JC9d6/RC3Vc1JC4tWnK9mk/Jr984ZuYugpMc\n" + "nt9uZTGFYCzZD0FFAA5NAC4i1PARStFycWPzxfC5A0RqodhswoMxwhgfFY4EhVx=\n" + "-----END CERTIFICATE-----\n" + + Do not attempt to use this example directly, it has been filled with dummy data. + +#. Create a :file:`certs` folder directly in the :file:`nrf_cloud_multi_service` folder, and copy :file:`client-cert.pem`, :file:`private-key.pem` and :file:`ca-cert.pem` into it. + + Be sure not to place the new folder in the :file:`nrf_cloud_multi_service/src` folder by accident. + + Now these certs are automatically used if the :kconfig:option:`CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES` Kconfig option is enabled. + +#. Build the sample with the :kconfig:option:`CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES` Kconfig option enabled and the device ID you created configured. + + This is required for provisioning to succeed. + + Do this by enabling the :kconfig:option:`CONFIG_NRF_CLOUD_CLIENT_ID_SRC_COMPILE_TIME` Kconfig option and setting the :kconfig:option:`CONFIG_NRF_CLOUD_CLIENT_ID` Kconfig option to the device ID. + + For example, if the device ID is ``698d4c11-0ccc-4f04-89cd-6882724e3f6f``: + + .. tabs:: + + .. group-tab:: Bash + + .. code-block:: console + + west build --board your_board -p always -- -DCONFIG_NRF_CLOUD_PROVISION_CERTIFICATES=y -DCONFIG_NRF_CLOUD_CLIENT_ID_SRC_COMPILE_TIME=y -DCONFIG_NRF_CLOUD_CLIENT_ID="698d4c11-0ccc-4f04-89cd-6882724e3f6f" + + .. group-tab:: PowerShell + + .. code-block:: console + + west build --board your_board -p always -- -DCONFIG_NRF_CLOUD_PROVISION_CERTIFICATES=y -DCONFIG_NRF_CLOUD_CLIENT_ID_SRC_COMPILE_TIME=y "-DCONFIG_NRF_CLOUD_CLIENT_ID=\`"698d4c11-0ccc-4f04-89cd-6882724e3f6f\`"" + Configuration options ===================== @@ -728,7 +919,7 @@ For example: west build -p -b nrf9160dk_nrf9160_ns -- -DOVERLAY_CONFIG="overlay_coap.conf" -.. _nrf_cloud_multi_service_building_wifi: +.. _nrf_cloud_multi_service_building_wifi_scan: Building with nRF7002 EK Wi-Fi scanning support (for nRF9160 DK) ================================================================ @@ -747,6 +938,58 @@ This is only supported on the `Nordic nRF9160 DK`_ with an attached nRF7002 EK. See also :ref:`the paragraphs on the Wi-Fi location tracking method `. +.. _nrf_cloud_multi_service_building_wifi_conn: + +Building with experimental support for Wi-Fi connectivity for nRF5340 DK with nRF7002 EK (MQTT only) +==================================================================================================== + +This sample :ref:`experimentally ` supports connecting to nRF Cloud using Wi-Fi instead of using LTE. + +An overlay for this is only provided for the nRF5340 DK with the nRF7002 EK shield attached. +It is possible to use Wi-Fi with other hardware combinations (such as the nRF7002 DK), but you must adjust heap and stack usage accordingly. +See the :file:`src/prj.conf` configuration file and the :file:`overlay_nrf7002ek_wifi_no_lte.conf` overlay for additional details. + +Connecting to nRF Cloud using Wi-Fi is currently only possible with MQTT, and only by using the experimental and insecure Kconfig option :kconfig:option:`CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES`. +See :ref:`nrf_cloud_multi_service_hardcoded_certs` for details on setting it up. + +Once it is set up, you can configure your build to use Wi-Fi connectivity on the nRF5340 DK with the nRF7002 EK shield by using the ``--board nrf5340dk_nrf5340_cpuapp`` target and the ``-DSHIELD=nrf7002ek`` and ``-DOVERLAY_CONFIG=overlay_nrf7002ek_wifi_no_lte.conf`` options. +These options must be used in addition to the options required by the :kconfig:option:`CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES` Kconfig option. + +For example, for a device provisioned with the device ID ``698d4c11-0ccc-4f04-89cd-6882724e3f6f``: + +.. tabs:: + + .. group-tab:: Bash + + .. code-block:: console + + west build --board nrf5340dk_nrf5340_cpuapp -p always -- -DSHIELD=nrf7002ek -DOVERLAY_CONFIG=overlay_nrf7002ek_wifi_no_lte.conf -DCONFIG_NRF_CLOUD_PROVISION_CERTIFICATES=y -DCONFIG_NRF_CLOUD_CLIENT_ID_SRC_COMPILE_TIME=y -DCONFIG_NRF_CLOUD_CLIENT_ID="698d4c11-0ccc-4f04-89cd-6882724e3f6f" + + .. group-tab:: PowerShell + + .. code-block:: console + + west build --board nrf5340dk_nrf5340_cpuapp -p always -- -DSHIELD=nrf7002ek "-DOVERLAY_CONFIG=overlay_nrf7002ek_wifi_no_lte.conf" -DCONFIG_NRF_CLOUD_PROVISION_CERTIFICATES=y -DCONFIG_NRF_CLOUD_CLIENT_ID_SRC_COMPILE_TIME=y "-DCONFIG_NRF_CLOUD_CLIENT_ID=\`"698d4c11-0ccc-4f04-89cd-6882724e3f6f\`"" + +Configuring Wi-Fi access point credentials +========================================== + +This sample uses the :ref:`lib_wifi_credentials` library to manage Wi-Fi credentials. +Before the sample can connect to a Wi-Fi network, you must configure at least one credential set. + +Once your device has been flashed with this sample, you can add a credential by connecting to your device's UART interface and then entering the following command: + +.. code-block:: console + + wifi_cred add WPA2-PSK + +Where ```` is replaced with the SSID of the Wi-Fi access point you want your device to connect to, and ```` is its password. +Then either reboot the device or use the ``wifi_cred auto_connect`` command to manually trigger a connection attempt. + +From now on, these credentials will automatically be used when the configured network is reachable. + +See the :ref:`Wi-Fi shell sample documentation ` for more details on the ``wifi_cred`` command. + Building with nRF Cloud logging support ======================================= diff --git a/samples/cellular/nrf_cloud_multi_service/overlay_nrf7002ek_wifi_no_lte.conf b/samples/cellular/nrf_cloud_multi_service/overlay_nrf7002ek_wifi_no_lte.conf new file mode 100644 index 000000000000..95efac30a114 --- /dev/null +++ b/samples/cellular/nrf_cloud_multi_service/overlay_nrf7002ek_wifi_no_lte.conf @@ -0,0 +1,126 @@ +# +# Copyright (c) 2023 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +# Note that this overlay is not compatible with nrf9160! Use something such as the nrf5340 as the +# host microcontroller. + +## Disable Modem/LTE/nrf91-specific features +CONFIG_NRF_MODEM_LIB=n +CONFIG_MODEM_INFO=n +CONFIG_MODEM_INFO_ADD_NETWORK=n +CONFIG_AT_HOST_LIBRARY=n +CONFIG_LTE_LINK_CONTROL=n + +## Disable offloaded sockets (we are going to switch to the native networking stack) +CONFIG_NET_SOCKETS_OFFLOAD=n + +## Disable cloud features reliant on or specific to nrf91 modem features +CONFIG_NRF_CLOUD_AGPS=n +CONFIG_NRF_CLOUD_PGPS=n +CONFIG_NRF_CLOUD_PGPS_REQUEST_UPON_INIT=n +CONFIG_LOCATION_METHOD_GNSS=n +CONFIG_LOCATION_METHOD_CELLULAR=n + +## Disable FOTA to conserve memory +CONFIG_NRF_CLOUD_FOTA=n +CONFIG_BOOTLOADER_MCUBOOT=n +CONFIG_IMG_MANAGER=n +CONFIG_MCUBOOT_IMG_MANAGER=n + +## Disable LTE-event-driven date_time updates (the date_time library will still periodically +## refresh its timestamp, this setting only controls whether LTE-event-driven date_time updates +## are enabled) +CONFIG_DATE_TIME_AUTO_UPDATE=n + +## Disable LED patterns since enabling WiFi shield takes control of two LEDs +CONFIG_LED_INDICATION_DISABLED=y + +## Disable LTE conn_mgr bindings +CONFIG_LTE_CONNECTIVITY=n + +## These had to be disabled for LTE with conn_mgr, but there is no reason to disable them for +## wifi with conn_mgr, so re-enable them. +CONFIG_NET_IPV6_NBR_CACHE=y +CONFIG_NET_IPV6_MLD=y +CONFIG_DNS_RESOLVER=y + +## Enable Wi-Fi drivers, (and the native NET stack so that the location library can access them) +CONFIG_WIFI=y +CONFIG_WIFI_NRF700X=y + +## Enable Wi-Fi conn_mgr bindings +CONFIG_L2_WIFI_CONNECTIVITY=y +CONFIG_NET_CONNECTION_MANAGER_STACK_SIZE=4096 + +## Enable WIFI_MGMT_EXT and WIFI_CREDENTIALS for simplified Wi-Fi connection setup +CONFIG_WIFI_CREDENTIALS=y +CONFIG_WIFI_MGMT_EXT=y +CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS=y + +## Use compile-time client ID for nRF Cloud +CONFIG_NRF_CLOUD_CLIENT_ID_SRC_COMPILE_TIME=y + +## Enable flash and NVS settings, required by WIFI_CREDENTIALS +CONFIG_SETTINGS=y +CONFIG_SETTINGS_NVS=y +CONFIG_NVS=y +CONFIG_FLASH=y +CONFIG_FLASH_PAGE_LAYOUT=y +CONFIG_FLASH_MAP=y + +## Enable Wi-Fi networking and native networking stack +CONFIG_WPA_SUPP=y +CONFIG_NET_L2_ETHERNET=y +CONFIG_NET_NATIVE=y +CONFIG_NRF_SECURITY=y +CONFIG_NET_SOCKETS_SOCKOPT_TLS=y +CONFIG_NET_CONTEXT_SNDTIMEO=y +CONFIG_NET_TCP=y +CONFIG_NET_TCP_WORKQ_STACK_SIZE=2048 +CONFIG_NET_DHCPV4=y + +## Configure native MBEDTLS to support nRF Cloud MQTT +CONFIG_MQTT_LIB_TLS=y +CONFIG_MBEDTLS=y +CONFIG_MBEDTLS_ENABLE_HEAP=y +CONFIG_MBEDTLS_RSA_C=y +CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y +CONFIG_MBEDTLS_HEAP_SIZE=120000 + +## Enable Wi-Fi location tracking +CONFIG_LOCATION_TRACKING_WIFI=y +CONFIG_LOCATION_METHOD_WIFI=y +# Align this with CONFIG_LOCATION_METHOD_WIFI_SCANNING_RESULTS_MAX_CNT. +# Also see comments for CONFIG_HEAP_MEM_POOL_SIZE. +# We set this to 30 in this overlay (as opposed to 60 in the wifi-scan-only overlay) so that +# CONFIG_HEAP_MEM_POOL_SIZE can be small enough to leave at least 24kB of unused RAM in the final +# build, which is required by WPA_supp +CONFIG_NRF700X_SCAN_LIMIT=30 +CONFIG_LOCATION_METHOD_WIFI_SCANNING_RESULTS_MAX_CNT=30 + +## Enable shell and WIFI_CREDENTIALS shell +CONFIG_SHELL=y +CONFIG_WIFI_CREDENTIALS_SHELL=y +# Increased stack size needed for wifi_cred auto_connect command +CONFIG_SHELL_STACK_SIZE=4096 + +## Resource allocation tweaks needed to support Wi-Fi. +CONFIG_MAIN_STACK_SIZE=2048 +CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096 +CONFIG_NET_MGMT_EVENT_STACK_SIZE=4096 +CONFIG_NRF_CLOUD_CONNECTION_POLL_THREAD_STACK_SIZE=8192 +CONFIG_APPLICATION_THREAD_STACK_SIZE=3072 +CONFIG_MESSAGE_THREAD_STACK_SIZE=3072 +CONFIG_DATE_TIME_THREAD_STACK_SIZE=2048 +CONFIG_NET_TX_STACK_SIZE=2048 +CONFIG_NET_RX_STACK_SIZE=2048 +CONFIG_POSIX_MAX_FDS=16 +CONFIG_NET_SOCKETS_POLL_MAX=8 +# Heap allocation should be changed when CONFIG_LOCATION_METHOD_WIFI_SCANNING_RESULTS_MAX_CNT +# and CONFIG_NRF700X_SCAN_LIMIT (which should be the same value) are changed. With the limit at 30, +# this could be set as low as 130000. Add 256 bytes for each additional scanning result, assuming +# sane SSID lengths. We set the heap much higher in case of long SSIDs. +CONFIG_HEAP_MEM_POOL_SIZE=130000 diff --git a/samples/cellular/nrf_cloud_multi_service/src/cloud_connection.c b/samples/cellular/nrf_cloud_multi_service/src/cloud_connection.c index 9734c6259f2e..17a9d90c666a 100644 --- a/samples/cellular/nrf_cloud_multi_service/src/cloud_connection.c +++ b/samples/cellular/nrf_cloud_multi_service/src/cloud_connection.c @@ -6,7 +6,6 @@ #include #include #include -#include #include #include #include @@ -274,9 +273,24 @@ static void l4_event_handler(struct net_mgmt_event_callback *cb, if (event == NET_EVENT_L4_CONNECTED) { LOG_INF("Network connectivity gained!"); + k_sleep(K_MSEC(1000)); + /* Set the network ready flag */ k_event_post(&cloud_events, NETWORK_READY); + /* If LTE-event-driven date_time updates are disabled, manually trigger a date_time + * timestamp refresh. + * + * Note: The CONFIG_DATE_TIME_AUTO_UPDATE setting controls specifically whether + * LTE-event-driven date_time updates are enabled. The date_time library will still + * periodically refresh its timestamp if CONFIG_DATE_TIME_AUTO_UPDATE is disabled, + * but this refresh is infrequent, so we are manually requesting a refresh + * whenever internet access becomes available so that we get a timestamp + * immediately. + */ + if (!IS_ENABLED(CONFIG_DATE_TIME_AUTO_UPDATE)) { + date_time_update_async(NULL); + } } else if (event == NET_EVENT_L4_DISCONNECTED) { LOG_INF("Network connectivity lost!"); @@ -313,6 +327,10 @@ static void cloud_event_handler(const struct nrf_cloud_evt *nrf_cloud_evt) break; case NRF_CLOUD_EVT_TRANSPORT_CONNECT_ERROR: LOG_DBG("NRF_CLOUD_EVT_TRANSPORT_CONNECT_ERROR: %d", nrf_cloud_evt->status); + + /* Disconnect from cloud immediately rather than wait for retry timeout. */ + disconnect_cloud(); + break; case NRF_CLOUD_EVT_USER_ASSOCIATION_REQUEST: LOG_DBG("NRF_CLOUD_EVT_USER_ASSOCIATION_REQUEST"); diff --git a/samples/cellular/nrf_cloud_multi_service/src/fota_support.c b/samples/cellular/nrf_cloud_multi_service/src/fota_support.c index f2af9100b071..539c94953c2b 100644 --- a/samples/cellular/nrf_cloud_multi_service/src/fota_support.c +++ b/samples/cellular/nrf_cloud_multi_service/src/fota_support.c @@ -19,9 +19,11 @@ void fota_reboot(const unsigned int delay_s, const bool error) { LOG_INF("Rebooting in %us%s", delay_s, error ? " due to error" : "..."); +#if defined(CONFIG_LTE_LINK_CONTROL) if (error) { (void)lte_lc_deinit(); } +#endif LOG_PANIC(); k_sleep(K_SECONDS(delay_s)); diff --git a/samples/cellular/nrf_cloud_multi_service/src/location_tracking.c b/samples/cellular/nrf_cloud_multi_service/src/location_tracking.c index d2b368dcb8fc..035c9befca36 100644 --- a/samples/cellular/nrf_cloud_multi_service/src/location_tracking.c +++ b/samples/cellular/nrf_cloud_multi_service/src/location_tracking.c @@ -47,6 +47,19 @@ static void location_event_handler(const struct location_event_data *event_data) } } +static void enable_modem_gnss(void) +{ + if (IS_ENABLED(CONFIG_LTE_LINK_CONTROL)) { + int err = lte_lc_func_mode_set(LTE_LC_FUNC_MODE_ACTIVATE_GNSS); + + if (err) { + LOG_ERR("Activating GNSS failed, error: %d. Continuing without GNSS", err); + } + } else { + LOG_WRN("CONFIG_LTE_LINK_CONTROL must be enabled in order to use GNSS"); + } +} + int start_location_tracking(location_update_cb_t handler_cb, int interval) { int err; @@ -57,10 +70,9 @@ int start_location_tracking(location_update_cb_t handler_cb, int interval) LOG_WRN("Date and time unknown. Location Services results may suffer"); } - /* Enable GNSS on the modem */ - err = lte_lc_func_mode_set(LTE_LC_FUNC_MODE_ACTIVATE_GNSS); - if (err) { - LOG_ERR("Activating GNSS failed, error: %d. Continuing without GNSS", err); + /* Enable GNSS on the modem if appropriate */ + if (IS_ENABLED(CONFIG_LOCATION_TRACKING_GNSS)) { + enable_modem_gnss(); } /* Update the location update handler. */ diff --git a/subsys/net/lib/nrf_cloud/Kconfig.nrf_cloud_mqtt b/subsys/net/lib/nrf_cloud/Kconfig.nrf_cloud_mqtt index 41b2292baaf1..d1e15bf52839 100644 --- a/subsys/net/lib/nrf_cloud/Kconfig.nrf_cloud_mqtt +++ b/subsys/net/lib/nrf_cloud/Kconfig.nrf_cloud_mqtt @@ -29,11 +29,14 @@ config NRF_CLOUD_STATIC_IPV4_ADDR config NRF_CLOUD_PROVISION_CERTIFICATES bool "nRF Cloud library provision of certificate" select MODEM_KEY_MGMT if NRF_MODEM_LIB + select EXPERIMENTAL default y if BOARD_QEMU_X86 imply MBEDTLS_PEM_CERTIFICATE_FORMAT if MBEDTLS help Enable run-time provisioning of certificates from the certificates header file selected by using NRF_CLOUD_CERTIFICATES_FILE + Please note that this option stores your device's private key in unprotected memory. + It is not secure, and for testing purposes only. config NRF_CLOUD_CERTIFICATES_FILE string "nRF Cloud certificates" diff --git a/subsys/net/lib/nrf_cloud/src/nrf_cloud_transport.c b/subsys/net/lib/nrf_cloud/src/nrf_cloud_transport.c index 5e782da19767..c0197b66db7d 100644 --- a/subsys/net/lib/nrf_cloud/src/nrf_cloud_transport.c +++ b/subsys/net/lib/nrf_cloud/src/nrf_cloud_transport.c @@ -507,6 +507,9 @@ static int nct_provision(void) nct.tls_config.hostname = NRF_CLOUD_HOSTNAME; #if defined(CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES) + LOG_WRN("CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES is not secure and should be used only for " + "testing purposes"); + #if defined(CONFIG_NRF_MODEM_LIB) { int err;