Offloaded TLSSocket and BG96 support for it #11357
Conversation
|
@kivaisan, thank you for your changes. |
| @@ -118,6 +119,7 @@ class AT_CellularStack : public NetworkStack, public AT_CellularBase { | |||
| bool started; // socket has been opened on modem stack | |||
| bool tx_ready; // socket is ready for sending on modem stack | |||
| bool rx_avail; // socket has data for reading on modem stack | |||
| bool tls_socket; | |||
There was a problem hiding this comment.
I'll add similar description as other fields. This is internally used by AT_CellularStack to define if socket is offloaded TLSSocket.
| if ((_at.get_last_error() == NSAPI_ERROR_OK) && err) { | ||
| if (err == BG96_SOCKET_BIND_FAIL) { | ||
| socket->id = -1; | ||
| if (socket->tls_socket) { |
There was a problem hiding this comment.
What is the value of this when using MbedTLS for TLSSocket?
There was a problem hiding this comment.
It is set to false for mbedtls based TLSSocket because in that case socket looks like a normal TCP socket from CellularStack point of view.
|
Will this work with MbedTLS anymore or should you encapsulate the BG96 SSL code inside MBED_CONF_NSAPI_OFFLOAD_TLSSOCKET macro? |
| @@ -48,6 +48,10 @@ static nsapi_error_t _tlssocket_connect_to_daytime_srv(TLSSocket &sock) | |||
| return err; | |||
| } | |||
|
|
|||
| TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.set_root_ca_cert(tls_global::cert)); | |||
|
|
|||
| sock.set_timeout(10000); // Set timeout for case TLSSocket does not support peer closed indication | |||
There was a problem hiding this comment.
Don't we also need this in other functions connecting to various servers, for example here?
There was a problem hiding this comment.
I think there is some room for little refactoring in here to use common method for opening the server connection in different test cases, but I think that should be done as a separate task.
features/netsocket/TLSSocket.cpp
Outdated
| @@ -46,5 +48,71 @@ TLSSocket::~TLSSocket() | |||
| */ | |||
| close(); | |||
| } | |||
| #endif | |||
There was a problem hiding this comment.
Please, add the // MBEDTLS_SSL_CLI_C for readability.
features/netsocket/TLSSocket.h
Outdated
| * | ||
| * @param root_ca Root CA Certificate in any Mbed TLS-supported format. | ||
| * @param len Length of certificate (including terminating 0 for PEM). | ||
| * @return 0 on success, negative error code on failure. |
There was a problem hiding this comment.
Should we stick to the NSAPI_ERROR_OK convention, rather than disclose its value 0?
There was a problem hiding this comment.
Good finding. I'll provide a fix.
| @@ -65,6 +65,10 @@ | |||
| "socket-stats-max-count": { | |||
| "help": "Maximum number of socket statistics cached", | |||
| "value": 10 | |||
| }, | |||
| "offload-tlssocket" : { | |||
There was a problem hiding this comment.
Just a thought here, please reject if "offload" is in fact a widely used name for what you are trying to achieve :)
To me it sounds like "offload" is a potential gain for the user, as they offload the memory and processor (and probably increase the load on the external modem?) but doesn't exactly indicate the main choice that user makes with this flag.
I wonder if something like "external" (from mbed-os perspective) or "embedded" would better suit the purpose?
Are there any reasons, different than offloading the main core, that would make users switch this on?
There was a problem hiding this comment.
@AnttiKauppila , @kjbracey-arm, @lauri-piikivi what do you think about the term "offloaded"? The same term was already used for DNS:
mbed-os/features/cellular/mbed_lib.json
Line 24 in 4e10e98
If offloaded TLSSocket is enabled, mbedtls socket cannot be used. This was discussed and at the moment there is no requirement to support both at the same time. Supporting both at the same time would require API break, or a different class name for offloaded TLSSocket. |
|
@kivaisan Is this targeting 5.14 ? It has not been labeled. Please let us know asap. If it is, we should have reviews done today to get into CI |
The question was if this still work with MbedTLS like previously (not simultaneously with offload) |
Yes. Offloading is an optional feature and is disabled by default. In case of mbedtls based TLSSocket cellularstack handles the socket as a normal TCP socket. |
@AnttiKauppila , what do you think? |
|
This is not in hurry for 5.14 |
| SKIP_IF_TCP_UNSUPPORTED(); | ||
| TLSSocket sock; | ||
| TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.open(NetworkInterface::get_default_instance())); | ||
| TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.set_root_ca_cert(tls_global::cert)); | ||
| TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, | ||
| sock.connect("google.com", 443)); // 443 is https port. | ||
| TEST_ASSERT_EQUAL(NSAPI_ERROR_AUTH_FAILURE, sock.connect("www.mtvuutiset.fi", https_port)); |
There was a problem hiding this comment.
Sorry, I didn't understand your comment. Could you please describe more?
There was a problem hiding this comment.
@AriParkkila , was there something you requested for this?
There was a problem hiding this comment.
How about using e.g. example.com here instead of www.mtvuutiset.fi.
There was a problem hiding this comment.
Example.com does not work either. Probably uses some CA root already included in the BG96 modem. But I removed mtvuutiset.fi as well. I think those other handshake tests verifies the needed functionality.
|
@kivaisan Please add Release notes section above for |
|
I would also suggest adding more details to the commits. There are one liners for functionality changes, provide more information there. |
|
I updated commit messages (and also squashed some) and also added some release note description. |
|
@AnttiKauppila Please approve this functionality change |
I updated release notes and also description a bit about usage. |
|
Please switch the content of your Also, add some notes about security implications, because offloading is a potential security risk, if modem is connected by unprotected wires to main CPU. It allows man-in-the-middle attacks using just soldering iron and TTL-serial adapter. |
|
Please update the design document as well: https://github.com/ARMmbed/mbed-os/blob/master/docs/design-documents/features/connectivity/TLSSocket%20-%20Design%20document.md |
I disagree. I think description should be more detailed info than release note entry.
I think note about security concern can be part of this documentation, not commit description. |
|
@kivaisan We are improving the PR template, there will be more subsections. We should provide more details in the release notes as we have provided so far. I'll schedule CI now |
|
CI started |
Test run: SUCCESSSummary: 11 of 11 test jobs passed |
adbridge
added
release-version: 6.0.0-alpha-1
|
@adbridge Why is this marked now for 6.0? What is the reasoning and who demanded this? |
adbridge
added
release-version: 5.15.0-rc1
and removed
release-version: 6.0.0-alpha-1
Description
Some external modems have an internal TLSSocket implementation which can be used instead of mbedtls based TLSSocket. Using offloaded TLSSocket can result in significantly reduce ROM usage.
Offloaded TLSSocket can be enabled by enabling
"nsapi.offload-tlssocket"and the used network stack (e.g. cellular modem's CellularStack class) must support the setsockopt's defined in nsapi_types.h.Compared to original mbedtls based TLSSocket, offloaded TLSSocket brings in one significant API limitation. Offloaded TLSSocket requires setting of certificates and keys after
open()and beforeconnect()calls, where mbedtls based TLSSocket allows setting these beforeopen()call.This PR also includes a reference implementation for BG96 cellular modem.
Pull request type
Reviewers
@AnttiKauppila @kjbracey-arm
Release Notes
Some external modems have an internal TLSSocket implementation which can be used instead of mbedtls based TLSSocket. Using offloaded TLSSocket can result in significantly reduce ROM usage.
Offloaded TLSSocket can be enabled by enabling
"nsapi.offload-tlssocket"and the used network stack (e.g. cellular modem's CellularStack class) must support the setsockopt's defined in nsapi_types.h.Compared to original mbedtls based TLSSocket, offloaded TLSSocket brings in one significant API limitation. Offloaded TLSSocket requires setting of certificates and keys after
open()and beforeconnect()calls, where mbedtls based TLSSocket allows setting these beforeopen()call.This PR also includes a reference implementation for BG96 cellular modem.