Merge pull request #100 from PelionIoT/release-4.13.1

mbed-cloud-client 4.13.1

Author: Jenia Kogan

CHANGELOG.md

@@ -1,5 +1,19 @@
 ## Changelog for Izuma Device Management Client
 
+### Release 4.13.1 (16.02.2023)
+
+- Improved error logging for certificate enrollment misconfiguration.
+- Fixed a failure in FOTA for developer flow in PSA mode. The mechanism of going through a storage reset if the compiled credential file differs from the stored credentials did not work well with PSA.
+  Read a certificate instead of a private key that we can't read in PSA mode.
+- Only synchronous DNS is currently supported. 
+  - [Linux] Change the default DNS to synchronous, by setting `PAL_DNS_API_VERSION` flag to 0.    
+  - [Zephyr] Change the default DNS to synchronous, by setting `DNS API` selection to `POSIX`.
+    **Note: For Linux devices with version >= 4.11.0, or Zephyr device with version >= 4.9.0 you should override the default DNS setting to synchronous in the application level.**
+
+#### Known issues
+
+- [Linux/Zephyr] Asynchronous DNS does not work well, and the device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+
 ### Release 4.13.0 (21.11.2022)
 
 - Izuma branding changes.
@@ -15,7 +29,13 @@
    * If a socket error is encountered, the next try will be done with the original CoaP port `5684`.
    * After 2nd failure, we alternate back to the custom port.
    * NOTE! Only port 443 can be used as an alternative customer port with Izuma Networks.
+   
+#### Known issues
 
+- [Linux/Zephyr] Asynchronous DNS does not work well, and the device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+  To address this issue, the default DNS settings should be overridden to synchronous DNS in the application level:
+  - For Linux devices, set the `PAL_DNS_API_VERSION` flag to 0.
+  - For Zephyr devices, set the `DNS API` selection to POSIX.
 
 ### Release 4.12.0 (01.03.2022)
 
@@ -24,9 +44,23 @@
    - Introduce a new `LWM2M_COMPLIANT` flag that enables connection to any LwM2M compliant bootstrap and device management services. Disabled by default.
    - Introduce a new `DISABLE_SERVER_CERT_VERIFY` flag that disables the server certificate verification during the TLS handshake. Disabled by default.
 
+#### Known issues
+
+- [Linux/Zephyr] Asynchronous DNS does not work well, and the device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+  To address this issue, the default DNS settings should be overridden to synchronous DNS in the application level:
+  - For Linux devices, set the `PAL_DNS_API_VERSION` flag to 0.
+  - For Zephyr devices, set the `DNS API` selection to POSIX.
+
 ### Release 4.11.2 (01.12.2021)
 
-Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is enabled but trace-level is set below INFO. This fixes a regression introduced in 4.11.0 release.
+- Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is enabled but trace-level is set below INFO. This fixes a regression introduced in 4.11.0 release.
+
+#### Known issues
+
+- [Linux/Zephyr] Asynchronous DNS does not work well, and the device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+  To address this issue, the default DNS settings should be overridden to synchronous DNS in the application level:
+  - For Linux devices, set the `PAL_DNS_API_VERSION` flag to 0.
+  - For Zephyr devices, set the `DNS API` selection to POSIX.
 
 ### Release 4.11.1 (11.10.2021)
 
@@ -35,6 +69,13 @@ Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is
 - [Remote logging] Fixed internal flash configuration to perform a full storage erase before using it.
 - Fixed compiler warnings.
 
+#### Known issues
+
+- [Linux/Zephyr] Asynchronous DNS does not work well, and the device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+  To address this issue, the default DNS settings should be overridden to synchronous DNS in the application level:
+  - For Linux devices, set the `PAL_DNS_API_VERSION` flag to 0.
+  - For Zephyr devices, set the `DNS API` selection to POSIX.
+
 ### Release 4.11.0 (17.09.2021)
 
 ### Device Management Client
@@ -78,6 +119,13 @@ Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is
 
 [Linux] Enabled `PAL_DNS_API_VERSION` 3 by default for Linux configurations.
 
+#### Known issues
+
+- [Linux/Zephyr] Asynchronous DNS does not work well, and the device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+  To address this issue, the default DNS settings should be overridden to synchronous DNS in the application level:
+  - For Linux devices, set the `PAL_DNS_API_VERSION` flag to 0.
+  - For Zephyr devices, set the `DNS API` selection to POSIX.
+
 ### Release 4.10.0 (07.07.2021)
 
 ### Device Management Client
@@ -124,6 +172,11 @@ Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is
    - Of a component image on an Mbed OS devices.
 - Fix: Removed the candidate image file from its original path in Linux after FOTA completion.
 
+#### Known issues
+
+- [Zephyr] Asynchronous DNS does not work well. The device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+  To address this issue, the default DNS settings should be overridden to synchronous DNS in the application level by setting the DNS API selection to POSIX in the application's configuration settings. 
+
 ### Release 4.9.1 (17.06.2021)
 
 ### Device Management Client
@@ -132,6 +185,11 @@ Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is
 ### Platform Adaptation Layer (PAL)
 - [Zephyr] Fixed a memory leak on DNS handling.
 
+#### Known issues
+
+- [Zephyr] Asynchronous DNS does not work well. The device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+  To address this issue, the default DNS settings should be overridden to synchronous DNS in the application level by setting the DNS API selection to POSIX in the application's configuration settings. 
+
 ### Release 4.9.0 (21.05.2021)
 
 ### Device Management Client
@@ -168,6 +226,11 @@ Fixed a potential dead-lock situation in sn_nsdl.c CoAP tracing when tracing is
 - Added new PAL_DNS_API_VERSION 3. It's an asynchronous DNS API that can return multiple DNS results.
   - This feature is currently implemented only for Linux platform and is disabled by default. You can enable it by defining PAL_DNS_API_VERSION=3. In future releases, this feature will be enabled by default for Linux.
 
+#### Known issues
+
+- [Zephyr] Asynchronous DNS does not work well. The device fails to reconnect to the cloud if some of the pods are restarted. In such a scenario, the device needs to be restarted.
+  To address this issue, the default DNS settings should be overridden to synchronous DNS in the application level by setting the DNS API selection to POSIX in the application's configuration settings. 
+
 ### Release 4.8.0 (19.04.2021)
 
 #### Device Management Client

factory-configurator-client/factory-configurator-client/source/fcc_dev_flow.c

@@ -21,12 +21,12 @@
 #include "fcc_utils.h"
 #include "cs_der_keys_and_csrs.h"
 
-typedef struct fcc_deloveper_mode_item_params {
+typedef struct fcc_developer_mode_item_params {
     const char *item_name;
     kcm_item_type_e item_kcm_type;
     const uint8_t *item_data;
     const uint32_t item_data_size;
-} fcc_deloveper_mode_item_params_s;
+} fcc_developer_mode_item_params_s;
 
 //bootstrap endpoint name
 extern const char MBED_CLOUD_DEV_BOOTSTRAP_ENDPOINT_NAME[];
@@ -69,7 +69,7 @@ fcc_status_e fcc_developer_flow(void)
 #else
     static const uint32_t is_bootstrap_mode = 1;
 #endif
-    const fcc_deloveper_mode_item_params_s fcc_deloveper_mode_item_params_table[] = {
+    const fcc_developer_mode_item_params_s fcc_developer_mode_item_params_table[] = {
 
         //param name                                //param kcm type        //param data                                              //param data_size
         //Device general info
@@ -110,8 +110,8 @@ fcc_status_e fcc_developer_flow(void)
         { NULL,                                       KCM_LAST_ITEM,         NULL,                                                    0},
     };
 
-    const fcc_deloveper_mode_item_params_s* mandatory_items_iter = &fcc_deloveper_mode_item_params_table[0];
-    uint8_t kcm_item_buffer[KCM_EC_SECP256R1_MAX_PRIV_KEY_DER_SIZE];
+    const fcc_developer_mode_item_params_s* mandatory_items_iter = &fcc_developer_mode_item_params_table[0];
+    uint8_t kcm_item_buffer[1024];
     size_t act_kcm_item_buffer_size;
 
 
@@ -129,18 +129,22 @@ fcc_status_e fcc_developer_flow(void)
         // item already exists - this means that storage already contains developer mode prov items.
         SA_PV_LOG_INFO("Developer mode prov items already exist on the storage.");
 
-        // Read the BS device private key and check if it's equal to the pre-compiled key.
-        kcm_item_get_data((const uint8_t*)g_fcc_bootstrap_device_private_key_name,
-                          strlen(g_fcc_bootstrap_device_private_key_name),
-                          KCM_PRIVATE_KEY_ITEM,
-                          kcm_item_buffer,
-                          sizeof(kcm_item_buffer), 
-                          &act_kcm_item_buffer_size);
-
-        if (act_kcm_item_buffer_size == MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY_SIZE) {
-            // The size of the stored key is equal to the compiled key
-            if (memcmp(kcm_item_buffer, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_PRIVATE_KEY_SIZE) == 0) {
-                // The content of the keys are equal
+        // Read the BS device certificate and check if it's equal to the pre-compiled cert.
+        // We can't check private key since it won't work for PSA
+        kcm_status = kcm_item_get_data((const uint8_t*)g_fcc_bootstrap_device_certificate_name,
+                                       strlen(g_fcc_bootstrap_device_certificate_name),
+                                       KCM_CERTIFICATE_ITEM,
+                                       kcm_item_buffer,
+                                       sizeof(kcm_item_buffer), 
+                                       &act_kcm_item_buffer_size);
+
+        SA_PV_ERR_RECOVERABLE_RETURN_IF((kcm_status != KCM_STATUS_SUCCESS), fcc_convert_kcm_to_fcc_status(kcm_status), "Get of the BS cert failed %d", kcm_status);
+                                       
+
+        if (act_kcm_item_buffer_size == MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE_SIZE ) {
+            // The size of the stored cert is equal to the compiled cert
+            if (memcmp(kcm_item_buffer, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE, MBED_CLOUD_DEV_BOOTSTRAP_DEVICE_CERTIFICATE_SIZE) == 0) {
+                // The content of the certs are equal
                 // No need to override the items, just exit the function with "an item exists" status.
                 SA_PV_LOG_INFO("The stored items are equal to the compiled items.");
                 return FCC_STATUS_KCM_FILE_EXIST_ERROR;

mbed-client-pal/Configs/pal_config/Linux/Linux_default.h

@@ -184,10 +184,6 @@
     #define PAL_NET_DNS_SUPPORT 1
 #endif
 
-#if (PAL_NET_DNS_SUPPORT == 1) && !(defined(PAL_DNS_API_VERSION))
-#define PAL_DNS_API_VERSION 3 //!< asyncronous DNS API that can return multiple DNS results.
-#endif
-
 // Define this to use static memory buffer for mbedtls, instead of standard mbedtls memory system (default is using heap).
 //#undef PAL_USE_STATIC_MEMBUF_FOR_MBEDTLS
 

mbed-client/mbed-client/m2mversion.h

@@ -30,6 +30,6 @@
 /** PDMC_PATCH_VERSION
   * Pelion Device Management Client patch version
   */
-#define PDMC_PATCH_VERSION 0
+#define PDMC_PATCH_VERSION 1
 
 #endif // M2MVERSION_H

mbed-client/source/m2mnsdlinterface.cpp

@@ -2719,13 +2719,16 @@ bool M2MNsdlInterface::validate_security_object()
                     return false;
                 }
                 break;
-#ifndef MBED_CLIENT_DISABLE_EST_FEATURE
             case M2MSecurity::EST:
+#ifndef MBED_CLIENT_DISABLE_EST_FEATURE
                 // Only server public key should be populated for lwm2m, client keys will be generated
                 if (!is_bs_server && (!server_key_size || chain_size || pkey_size)) {
                     return false;
                 }
                 break;
+#else
+                tr_error("M2MNsdlInterface - EST mode activated - EST feature is NOT configured in!");
+                return false;
 #endif
             case M2MSecurity::NoSecurity:
                 if (!is_bs_server) {
@@ -2734,6 +2737,7 @@ bool M2MNsdlInterface::validate_security_object()
                 break;
             default:
                 // Security mode not supported
+                tr_error("M2MNsdlInterface - Unknown security mode - not supported.!");
                 return false;
         }
     }

zephyr/Kconfig.pal

@@ -52,7 +52,7 @@ config IZUMA_PAL_USE_APPLICATION_NETWORK_CALLBACK
 
 choice
     prompt "DNS API"
-    default IZUMA_PAL_USE_DNS_API_RESOLVE
+    default IZUMA_PAL_USE_DNS_API_POSIX
     help
       Select DNS API used by network abstraction implementation.
 
@@ -66,6 +66,7 @@ choice
         bool "DNS Resolve"
         depends on DNS_RESOLVER
         help
+          NOTE! Do not use this feature right now. Issues with reconnecting.
           Use DNS Resolve's dns_get_addr_info. This call is asynchronous and maps
           to Izuma's DNS version 3.