Commit
Merge pull request #50 from ARMmbed/release-3.3.0
mbed-cloud-client 3.3.0
teetak01 authored Jul 2, 2019
2 parents 4f4a846 + 4365417 commit 1a16ef2
Showing 21 changed files with 1,083 additions and 718 deletions.
25 changes: 25 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,17 @@
## Changelog for Pelion Device Management Client

### Release 3.3.0 (02.07.2019)

#### Device Management Connect client

* Updated Mbed CoAP to 4.8.0.
* A fix to accommodate a null terminator space for managing a common name parameter (max 64 characters) in an `X.509` certificate.
* A fix to clear a stored SSL session when the device rebootstraps. Without clearing, a bootstrap loop may render the device unusable.

#### Factory configurator client

New `kcm_item_get_size_and_data` API - combines `kcm_item_get_data_size` and `kcm_item_get_data` into one synchronous API.

### Release 3.2.0 (12.06.2019)

#### Device Management Connect client
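Review bot: the `kcm_item_get_size_and_data` line under "Factory configurator client" is the only 3.3.0 entry not written as a `*` bullet; make it `* New `kcm_item_get_size_and_data` API ...` so it renders as a list item like the Connect client entries. The SSL-session entry would also be clearer if it named the `PAL_USE_SSL_SESSION_RESUME` flag that the 3.2.0 notes further down introduce, so readers can tell that the bootstrap-loop fix concerns the session-resume feature that is on by default.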
@@ -52,6 +64,19 @@ Other changes:
* [Linux] When creating threads, use the system provided `PTHREAD_STACK_MIN` as a minimum value. Previously, the application was allowed to define values smaller than the system-defined minimum.
* Implemented **SSL session resume** feature. This feature is enabled by default. Use the `PAL_USE_SSL_SESSION_RESUME` flag to control it.

### Yocto changes

* Removed the dependency of requiring Mbed CLI to be globally installed. This allows also virtualenv installations of Mbed CLI to work with the provided meta-layers.
* Changed the meta-layer to use SSH authentication for Mbed CLI when needed. This is mostly needed when pulling in meta-layers from private repositories.
* Changed the `meta-mbed-cloud-client.lib` file to use `https` format instead of `ssh`.

**Delta update related:**

* Modified application makefiles to call the new script for building a `tar` package of `rootfs`.
* Added the `build-raspberry-update-rootfs-tar.sh` script for building a `tar` package of `rootfs` contents to be used for delta purposes.
* Edited the local configuration sample and `fstab` to set `rootfs` into "read-only" mode so that delta firmware update can be applied into the device.
* Edited the Update client `metalayer recipe` to include the `Prepare` script in the image for delta processing.

### Release 3.1.1 (13.05.2019)

No changes.
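Review bot: the two Yocto entries "Changed the meta-layer to use SSH authentication for Mbed CLI when needed" and "Changed the `meta-mbed-cloud-client.lib` file to use `https` format instead of `ssh`" read as contradictory when placed back to back; state explicitly that the first concerns how Mbed CLI authenticates when pulling private meta-layers and the second the URL scheme recorded in the `.lib` file, so readers do not take them as a flip-flop. Under "Delta update related", it would also help to say which changes land on the device and which only on the build host: the "read-only" `rootfs` via `fstab` and the `Prepare` script in the image are device-side, while the `build-raspberry-update-rootfs-tar.sh` script and the makefile changes are host-side.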
Original file line number Diff line number Diff line change
@@ -24,9 +24,7 @@
#include "common_utils.h"
#include "pal.h"
#include "fcc_utils.h"
#if defined(MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT) && defined(TARGET_LIKE_MBED)
#include "psa/lifecycle.h"
#endif

/**
* Device general info
*/
@@ -134,46 +132,21 @@ fcc_status_e fcc_finalize(void)

fcc_status_e fcc_storage_delete()
{
kcm_status_e status = KCM_STATUS_SUCCESS;
kcm_status_e kcm_status = KCM_STATUS_SUCCESS;

SA_PV_LOG_INFO_FUNC_ENTER_NO_ARGS();

#ifndef MBED_CONF_MBED_CLOUD_CLIENT_EXTERNAL_SST_SUPPORT
SA_PV_ERR_RECOVERABLE_RETURN_IF((!g_is_fcc_initialized), FCC_STATUS_NOT_INITIALIZED, "FCC not initialized");
#endif


// Finalize KCM before deleting all the storage. This way KCM module will do a lazy init again (also re-initializing the PSA if used)
status = kcm_finalize();
SA_PV_ERR_RECOVERABLE_RETURN_IF((status != KCM_STATUS_SUCCESS), FCC_STATUS_KCM_STORAGE_ERROR, "Failed kcm_finalize");

// This will delete the external storage such as certificates, etc
// However, RBP data may remain in storage (in case of V7 or V8)
// We remove the external storage first because some of its metadata may be contained inside the internal storage,
// and we may need access to it when deleting the external storage
status = storage_reset();
SA_PV_ERR_RECOVERABLE_RETURN_IF((status == KCM_STATUS_ESFS_ERROR), FCC_STATUS_KCM_STORAGE_ERROR, "Failed in storage_reset. got ESFS error");
SA_PV_ERR_RECOVERABLE_RETURN_IF((status != KCM_STATUS_SUCCESS), FCC_STATUS_ERROR, "Failed storage reset");

// If using PSA - change to clean state
#if defined(MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT) && defined(TARGET_LIKE_MBED)
psa_status_t psa_status;

/* Go back to an empty storage state
* * In case of non-PSA boards (such as K64F and K66F) with KVSTORE config, this is not really needed, as kv_reset()
* called by storage_reset()) as PSA and RBP items are stored in the same TDBStore. In this case, the call will
* get us from an empty storage state to an empty storage state.
* * In case of a user provided SST, we do not know whether pal_SSTReset() will also remove the PSA storage (probably
* not), so we probably need this call.
* * In case of actual PSA boards, with KVSTORE config, we must call this function so the PSA storage is removed.
* * Irrelevant for PSA over Linux
*/
psa_status = mbed_psa_reboot_and_request_new_security_state(PSA_LIFECYCLE_ASSEMBLY_AND_TEST);
SA_PV_ERR_RECOVERABLE_RETURN_IF((psa_status != PSA_SUCCESS), FCC_STATUS_ERROR, "Failed storage reset");

#endif
kcm_status = kcm_finalize();
SA_PV_ERR_RECOVERABLE_RETURN_IF((kcm_status != KCM_STATUS_SUCCESS), FCC_STATUS_KCM_STORAGE_ERROR, "Failed kcm_finalize");

kcm_status = storage_reset();
SA_PV_ERR_RECOVERABLE_RETURN_IF((kcm_status != KCM_STATUS_SUCCESS), FCC_STATUS_KCM_STORAGE_ERROR, "Failed for storage reset");

SA_PV_LOG_INFO_FUNC_EXIT_NO_ARGS();

return FCC_STATUS_SUCCESS;
}
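Review bot: the PSA lifecycle reset is dropped without a replacement. The removed block called `mbed_psa_reboot_and_request_new_security_state(PSA_LIFECYCLE_ASSEMBLY_AND_TEST)` on `MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT` && `TARGET_LIKE_MBED` builds, and its own comment said that on actual PSA boards with the KVSTORE config "we must call this function so the PSA storage is removed". After this change `fcc_storage_delete()` relies on `kcm_finalize()` plus `storage_reset()` alone; if `storage_reset()` does not now wipe PSA-held keys on those targets, a factory reset leaves device credentials behind in PSA storage. Please either point at where PSA storage is cleared now or keep the call, and record the behaviour change in the 3.3.0 changelog, which does not mention it. Smaller points: the old `storage_reset()` error mapping distinguished `KCM_STATUS_ESFS_ERROR` (`FCC_STATUS_KCM_STORAGE_ERROR`) from other failures (`FCC_STATUS_ERROR`), whereas the new single check returns `FCC_STATUS_KCM_STORAGE_ERROR` for every failure, so check callers that branch on `FCC_STATUS_ERROR`; and the new message "Failed for storage reset" should read "Failed storage_reset" to match "Failed kcm_finalize" above it.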

Original file line number Diff line number Diff line change
@@ -626,7 +626,7 @@ static fcc_status_e verify_device_certificate_and_private_key(bool use_bootstrap
size_t size_of_parameter_name = 0;
uint8_t *second_mode_parameter_name = NULL;
size_t size_of_second_mode_parameter_name = 0;
storage_cert_chain_context_s *cert_chain;
storage_cert_chain_context_s *cert_chain = NULL;
kcm_cert_chain_handle chain_handle;
size_t chain_len = 0;
palX509Handle_t x509_cert_handle = NULLPTR;
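Review bot: initialising `cert_chain` to NULL is right, but the neighbouring `kcm_cert_chain_handle chain_handle;` on the next line stays uninitialised; if the error path that motivated this fix can reach a close or free of `chain_handle` before it is assigned, it has the same defect. Initialise it too (to NULL or to the handle type's invalid value) or confirm that every exit path assigns it first.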
Original file line number Diff line number Diff line change
@@ -119,7 +119,7 @@ static const fcc_bundle_group_lookup_record_s fcc_groups_lookup_table[FCC_MAX_CO
* @return
* true for success, false otherwise.
*/
static bool prepare_reponse_message(uint8_t **bundle_response_out, size_t *bundle_response_size_out, fcc_status_e fcc_status, cn_cbor *encoder, const uint8_t *session_id, size_t session_id_len)
static bool prepare_response_message(uint8_t **bundle_response_out, size_t *bundle_response_size_out, fcc_status_e fcc_status, cn_cbor *encoder, const uint8_t *session_id, size_t session_id_len)
{
bool status = false;
cn_cbor_errback err;
@@ -301,7 +301,7 @@ static bool fcc_bundle_process_session_id(cn_cbor *parser, cn_cbor *encoder, con
// Get the session ID from the message and make sure that it is either a text or bytes string
SA_PV_ERR_RECOVERABLE_RETURN_IF((parser->type != CN_CBOR_TEXT), false, "Session ID of wrong type");

// Output the values for use of the prepare_reponse_message() function in case of an error during the bundle handling process
// Output the values for use of the prepare_response_message() function in case of an error during the bundle handling process
*session_id = (uint8_t *)parser->v.bytes;
*session_id_len = (size_t)parser->length;
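Review bot: the comment above the check says the session ID must be "either a text or bytes string", but the condition `parser->type != CN_CBOR_TEXT` rejects byte strings, so either the comment or the check is wrong. If byte strings are meant to be accepted, the condition should be `(parser->type != CN_CBOR_TEXT && parser->type != CN_CBOR_BYTES)`; otherwise drop "or bytes" from the comment so the rejected input class is documented accurately. The `prepare_response_message` spelling fix in the second comment is fine.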

@@ -477,7 +477,7 @@ fcc_status_e fcc_bundle_handler(const uint8_t *encoded_blob, size_t encoded_blob
SA_PV_ERR_RECOVERABLE_GOTO_IF((kcm_status != KCM_STATUS_SUCCESS), fcc_status = fcc_convert_kcm_to_fcc_status(kcm_status), free_cbor_list_and_out, "Failed for kcm_init");

// Check if factory flow is disabled (if flag in storage), if it is, do not proceed
// Turn on is_fcc_factory_disabled even if we get an error, so that we know not tp prepare a response
// Turn on is_fcc_factory_disabled even if we get an error, so that we know not to prepare a response
fcc_status = fcc_is_factory_disabled(&is_fcc_factory_disabled);
SA_PV_ERR_RECOVERABLE_GOTO_IF((fcc_status != FCC_STATUS_SUCCESS), is_fcc_factory_disabled = true, free_cbor_list_and_out, "Failed for fcc_is_factory_disabled");
SA_PV_ERR_RECOVERABLE_GOTO_IF((is_fcc_factory_disabled), fcc_status = FCC_STATUS_FACTORY_DISABLED_ERROR, free_cbor_list_and_out, "FCC is disabled, service not available");
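Review bot: the fail-closed handling is correct (an error from `fcc_is_factory_disabled()` sets `is_fcc_factory_disabled = true`, so no response is prepared), but the comment only says so in passing, and `fcc_status` is deliberately left at the error value returned by `fcc_is_factory_disabled()` rather than `FCC_STATUS_FACTORY_DISABLED_ERROR`; add a line stating that both outcomes are intentional, since a later reader could "fix" either. Also "(if flag in storage)" in the first comment should read "(if the flag is set in storage)".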
@@ -589,7 +589,7 @@ fcc_status_e fcc_bundle_handler(const uint8_t *encoded_blob, size_t encoded_blob
// If we discovered that factory is disabled (or fcc_is_factory_disabled failed) - do not prepare a response
if (is_fcc_factory_disabled == false) {
//Prepare bundle response message
status = prepare_reponse_message(bundle_response_out, bundle_response_size_out, fcc_status, response_cbor, session_id, session_id_len);
status = prepare_response_message(bundle_response_out, bundle_response_size_out, fcc_status, response_cbor, session_id, session_id_len);
SA_PV_ERR_RECOVERABLE_RETURN_IF((status != true), FCC_STATUS_BUNDLE_RESPONSE_ERROR, "Failed to prepare out response");
SA_PV_LOG_INFO_FUNC_EXIT_NO_ARGS();
FCC_END_TIMER("Total fcc_bundle_handler device", 0, fcc_bundle_timer);
Original file line number Diff line number Diff line change
@@ -39,7 +39,7 @@ extern "C" {
* Allocates and initializes file storage resources.
*
* @returns
* KCM_STATUS_SUCCESS in case of success or one of the `::kcm_status_e` errors otherwise.
* KCM_STATUS_SUCCESS in case of success, or one of the `::kcm_status_e` errors otherwise.
*/
kcm_status_e kcm_init(void);

@@ -48,7 +48,7 @@ extern "C" {
* Finalizes and frees file storage resources.
*
* @returns
* ::KCM_STATUS_SUCCESS in case of success or one of the `::kcm_status_e` errors otherwise.
* ::KCM_STATUS_SUCCESS in case of success, or one of the `::kcm_status_e` errors otherwise.
*/
kcm_status_e kcm_finalize(void);

@@ -66,7 +66,7 @@ extern "C" {
* @param[in] kcm_item_name KCM item name. See comment above.
* @param[in] kcm_item_name_len KCM item name length. kcm_item_name_len must be at most ::KCM_MAX_FILENAME_SIZE bytes.
* @param[in] kcm_item_type KCM item type as defined in `::kcm_item_type_e`.
* @param[in] kcm_item_is_factory True if the KCM item is a factory item, otherwise false.
* @param[in] kcm_item_is_factory True if the KCM item is a factory item; otherwise, false.
* @param[in] kcm_item_data KCM item data buffer. Can be NULL if `kcm_item_data_size` is 0.
* @param[in] kcm_item_data_size KCM item data buffer size in bytes. Can be 0 if you want to store an empty file.
* @param[in] kcm_item_info Optional item info. Currently, this parameter is used only for PSA configuration. The parameter points to
@@ -86,7 +86,7 @@ extern "C" {
size_t kcm_item_data_size,
const kcm_security_desc_s kcm_item_info);

/* === Keys, Certificates and Configuration data retrieval === */
/* === Key, certificate, and configuration data retrieval === */

/**
* Retrieves the KCM item data size from secure storage.
@@ -128,6 +128,29 @@ extern "C" {
size_t kcm_item_data_max_size,
size_t *kcm_item_data_act_size_out);

/**
* Retrieves KCM item data and its size from secure storage.
* The buffer for the data is allocated internally and the caller is responsible to free it.
* If kcm_status_e` error returned, no need to free the buffer
*
* @param[in] kcm_item_name KCM item name.
* @param[in] kcm_item_name_len KCM item name length.
* @param[in] kcm_item_type KCM item type as defined in `::kcm_item_type_e`.
* @param[out] kcm_item_data_out KCM item data output buffer. The buffer allocated internally.
* @param[out] kcm_item_data_size_out KCM item data output buffer size in bytes.
*
* @returns
* ::KCM_STATUS_SUCCESS in case of success.
* ::KCM_STATUS_ITEM_NOT_FOUND if kcm_item_name isn't found in the secure storage.
* One of the `::kcm_status_e` errors otherwise.
*/
kcm_status_e kcm_item_get_size_and_data(const uint8_t * kcm_item_name,
size_t kcm_item_name_len,
kcm_item_type_e kcm_item_type,
uint8_t ** kcm_item_data_out,
size_t * kcm_item_data_size_out);


#ifdef MBED_CONF_MBED_CLOUD_CLIENT_PSA_SUPPORT

/* === Key and Configuration Manager with Platform Secure Architecture (PSA) support uses PSA key IDs from 0x1 up to 0x2800 === */
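Review bot: the new `kcm_item_get_size_and_data()` documentation does not say how the caller must release the buffer ("the caller is responsible to free it"): name the function to use, because a buffer allocated inside KCM and released with a different allocator is a common source of heap corruption on embedded targets. It should also state what `*kcm_item_data_out` holds on failure (the text "If kcm_status_e` error returned, no need to free the buffer" has a stray backtick and should read "If a `::kcm_status_e` error is returned, no buffer is allocated and nothing must be freed", if that is the contract) and what happens for a zero-length item, which `kcm_item_store()` explicitly permits. "The buffer allocated internally." should read "The buffer is allocated internally."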
@@ -142,7 +165,7 @@ extern "C" {
* @param[in] kcm_item_name_len KCM item name length.
* @param[in] kcm_item_type KCM item type as defined in `::kcm_item_type_e`.
* Only ::KCM_PRIVATE_KEY_ITEM and ::KCM_PUBLIC_KEY_ITEM are valid.
* Other types will result in a ::KCM_STATUS_INVALID_PARAMETER error.
* Other types result in a ::KCM_STATUS_INVALID_PARAMETER error.
* @param[out] key_handle_out Pointer to handle for the PSA key.
*
* @returns
@@ -156,18 +179,18 @@ extern "C" {
kcm_key_handle_t *key_handle_out);

/**
* Frees all resources associated with the PSA private/public key and sets zero to the handle value.
* Frees all resources associated with the PSA private/public key and sets the handle value to zero.
* This API must be called after ::kcm_item_get_handle().
*
* @param[in] key_handle Pointer to handle of the PSA key.
* @param[in] key_handle Pointer to the handle of the PSA key.
*
* @returns
* ::KCM_STATUS_SUCCESS in case of success or one of the `::kcm_status_e` errors otherwise.
* ::KCM_STATUS_SUCCESS in case of success, or one of the `::kcm_status_e` errors otherwise.
*/
kcm_status_e kcm_item_close_handle(kcm_key_handle_t *key_handle);
#endif

/* === Keys, Certificates, and Configuration delete === */
/* === Key, certificate, and configuration delete === */

/**
* Deletes a KCM item from a secure storage.
@@ -177,7 +200,7 @@ extern "C" {
* @param[in] kcm_item_type KCM item type as defined in `::kcm_item_type_e`.
*
* @returns
* ::KCM_STATUS_SUCCESS status in case of success or one of ::kcm_status_e errors otherwise.
* ::KCM_STATUS_SUCCESS status in case of success, or one of the ::kcm_status_e errors otherwise.
*/
kcm_status_e kcm_item_delete(const uint8_t *kcm_item_name,
size_t kcm_item_name_len,
@@ -193,10 +216,10 @@ extern "C" {
* @param[in] kcm_chain_name Certificate chain name.
* @param[in] kcm_chain_name_len Certificate chain name length.
* @param[in] kcm_chain_len The number of certificates in the chain.
* @param[in] kcm_chain_is_factory True if the KCM chain is a factory item, otherwise false.
* @param[in] kcm_chain_is_factory True if the KCM chain is a factory item; otherwise, false.
*
* @returns
* ::KCM_STATUS_SUCCESS in case of success or one of the `::kcm_status_e` errors otherwise.
* ::KCM_STATUS_SUCCESS in case of success, or one of the `::kcm_status_e` errors otherwise.
*/
kcm_status_e kcm_cert_chain_create(kcm_cert_chain_handle *kcm_chain_handle,
const uint8_t *kcm_chain_name,
@@ -214,8 +237,17 @@ extern "C" {
* @param[out] kcm_chain_len The length of the certificate chain.
*
* @returns
* ::KCM_STATUS_SUCCESS in case of success or one of the `::kcm_status_e` errors otherwise.
* ::KCM_STATUS_SUCCESS in case of success
* If the first certificate of the chain is missing, the function returns a
* ::KCM_STATUS_ITEM_NOT_FOUND error.
* If one of the next certificates is missing, the function returns:
* ::KCM_STATUS_ITEM_NOT_FOUND for SST storage configuration.
* ::KCM_STATUS_SUCCESS for Device Management Client secure storage configuration.
* If there is an attempt to read the missing certificate using the opened chain handle, through the `::kcm_cert_chain_get_next_size`
* or `::kcm_cert_chain_get_next_data` APIs, the called API then returns a ::KCM_STATUS_ITEM_NOT_FOUND error.
* One of the `::kcm_status_e` errors otherwise.
*/

kcm_status_e kcm_cert_chain_open(kcm_cert_chain_handle *kcm_chain_handle,
const uint8_t *kcm_chain_name,
size_t kcm_chain_name_len,
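Review bot: the new text documents that, for the Device Management Client secure-storage configuration, `kcm_cert_chain_open()` returns `::KCM_STATUS_SUCCESS` even when a certificate after the first is missing and the error only surfaces from `::kcm_cert_chain_get_next_size` / `::kcm_cert_chain_get_next_data`. That is a behaviour difference between the two storage back ends that every caller must handle, so it belongs in a "Note" paragraph rather than in the return list, together with a statement of what `kcm_chain_len` reports in that case. Minor: "::KCM_STATUS_SUCCESS in case of success" lost its trailing period, and the blank line between the closing `*/` and `kcm_status_e kcm_cert_chain_open(` should go so the comment visibly belongs to the declaration.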
Original file line number Diff line number Diff line change
@@ -28,13 +28,19 @@
#include "psa/crypto_types.h"


/** The maximum individual keys allow to store in KSA
/** ksa table version current version number
*/
#define KSA_MAX_TABLE_ENTRIES 15
#define KSA_TABLE_VERSION_NUM 0x1

/** The initial individual keys allow to store in KSA
*/
#define KSA_INITIAL_TABLE_ENTRIES 10


/** 0 is not a valid slot number under any circumstance
* as defined in psa_crypto.h
/* 0 is not a valid handle under any circumstance. This
* implementation provides slots number 1 to N where N is the
* number of available slots.
* Defined in psa_crypto.h
*/
#define KSA_INVALID_SLOT_NUMBER 0
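Review bot: the new comment "ksa table version current version number" is garbled; "Current version number of the KSA table format" says what `KSA_TABLE_VERSION_NUM` is. Replacing the fixed `KSA_MAX_TABLE_ENTRIES 15` with `KSA_INITIAL_TABLE_ENTRIES 10` plus a format version implies the table now grows and is versioned in storage, so the loader should reject (or migrate) a stored table whose version differs from `KSA_TABLE_VERSION_NUM`, and the growth path needs an upper bound of its own now that the hard limit of 15 is gone; neither is visible in this hunk. In the slot comment, "provides slots number 1 to N" should read "provides slot numbers 1 to N".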


0 comments on commit 1a16ef2
