Wi-Fi Provisioning
Wi-Fi provisioning is the process of connecting a new Wi-Fi device to a Wi-Fi network. The provisioning process involves providing the device with the network name (SSID) and its security credentials.
Having a simple provisioning process is imperative to the user experience of a Wi-Fi device. There are many ways to provision a Wi-Fi device based on what kind of security you need, and we will go through a few of them here.
The nRF Connect SDK provides the Wi-Fi credentials library to load and store Wi-Fi network credentials.
Static Wi-Fi configuration
The most straightforward way to provision a Wi-Fi device is to provide the necessary information statically in the application, before flashing it to the device. We will take a look at how to do this in Exercise 2 of this lesson.
To do this, we enable the following Kconfigs
CONFIG_WIFI_CREDENTIALS_STATIC=y
CONFIG_WIFI_CREDENTIALS_STATIC_SSID="<your_network_SSID>"
CONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD="<your_network_password>"CONFIG_WIFI_CREDENTIALS_STATIC– Static Wi-Fi network configurationCONFIG_WIFI_CREDENTIALS_STATIC_SSID– SSID of statically configured Wi-Fi networkCONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD– Password of statically configured Wi-Fi network
You can also choose the Wi-Fi network security type:
CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_OPEN– no securityCONFIG_WIFI_CREDENTIALS_STATIC_TYPE_PSK– WPA2CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_PSK_SHA256– WPA2 with SHA256CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_SAE– WPA3
Static provisioning is not recommended in deployed products since the end-consumer will likely want to input the network information for their specific Wi-Fi network.
Provisioning over shell
Another way to provision the Wi-Fi device is to provide the credentials via a shell interface and then store the credentials in flash. To enable shell commands in the application, enable the following Kconfigs
CONFIG_SHELL=y
CONFIG_NET_L2_WIFI_SHELL=y
CONFIG_WIFI_CREDENTIALS_SHELL=y
CONFIG_SHELL_STACK_SIZE=5200CONFIG_SHELL– Enables support for shellCONFIG_NET_L2_WIFI_SHELL– Shell commands for Wi-Fi,wifiCONFIG_WIFI_CREDENTIALS_SHELL– Enables the shell commands used to manage Wi-Fi credentialsCONFIG_SHELL_STACK_SIZE– Sets the stack size allocated to the shell thread
Using shell commands, issue the following command to add the Wi-Fi credentials and then initiate a connection to Wi-Fi
wifi_cred add -s "<your_network_SSID>" -p "<your_network_password>" -k <key_mgmt>
wifi_cred auto_connectYou can replace <key-mgmt>{0: None, 1: WPA2-PSK, 2: WPA2-PSK-256, 3: SAE-HNP, 4: SAE-H2E, 5: SAE-AUTO, 6: WAPI, 7: EAP-TLS, 8: WEP, 9 : WPA-PSK, 10 : WPA-Auto-Personal, 11: DPP}.
Provisioning over Bluetooth LE
Another secure method is to provide the network information over another protocol, such as Bluetooth LE. When provisioning a Wi-Fi device over Bluetooth LE, one uses a third Bluetooth LE enabled device, typically a smart phone, to connect to the Wi-Fi device over Bluetooth LE and provide the network credentials. The end-device can then connect to the AP and join the Wi-Fi network with the provided network credentials. We will take a closer look at how to do this in Exercise 3.
To do this, the nRF Connect SDK provides the Wi-Fi Provisioning Service, which implements a GATT service for Wi-Fi provisioning. This service also uses the Wi-Fi credentials library to handle and store the configuration during provisioning.
Provisioning with SoftAP mode
Software-enabled Access Point (SoftAP or SAP) mode allows the Wi-Fi device to operate as a virtual router or temporary access point (AP) and accept connections from other Wi-Fi station devices.
SoftAP mode is typically used in scenarios where a Wi-Fi device wishes to share its internet connection with nearby station devices. For instance, smartphone Wi-Fi hotspots utilize SoftAP mode. The smartphone acts as a virtual router, allowing other station devices to connect to the internet through it. Alternatively, SoftAP mode can be used to securely provision Wi-Fi devices into an access point network.
nRF70 Series devices support Wi-Fi provisioning using the SoftAP mode as one of the provisioning methods. The nRF70 Series device can temporarily enable SoftAP mode and accept a connection from a nearby smart phone, so the smart phone can share the Wi-Fi credentials over Wi-Fi.
To enable SAP mode, enable the folowing Kconfigs
CONFIG_NRF70_AP_MODE=y
CONFIG_WIFI_NM_WPA_SUPPLICANT_AP=yStoring the credentials
The Wi-Fi credentials library provides two different backend options for credential storage, either using the Zephyr Settings subsystem (CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS) or PSA Protected Storage (CONFIG_WIFI_CREDENTIALS_BACKEND_PSA).
The PSA backend is part of the Trusted Firmware-M, which is included as a child image in your application when building for the non-secure build-target. This is explained in detail in Multi-Image Builds in nRF Connect SDK Fundamentals course.
We will cover how to enable both of these backends in Exercise 2 of this lesson. The following exercises will only support building with TF-M and PSA backend, as this is the most secure option.
When using this backend, you must build the application with TF-M, using the build targets below:
| Board | Build with TF-M |
| nRF7002 DK | nrf7002dk_nrf5340_cpuapp_ns |
| nRF5340 DK with nRF7002 EK | nrf5340dk_nrf5340_cpuapp_ns |
Wi-Fi provisioning is the process of connecting a new Wi-Fi device to a Wi-Fi network. The provisioning process involves providing the device with the network name (SSID) and its security credentials.
Having a simple provisioning process is imperative to the user experience of a Wi-Fi device. There are many ways to provision a Wi-Fi device based on what kind of security you need, and we will go through a few of them here.
The nRF Connect SDK provides the Wi-Fi credentials library to load and store Wi-Fi network credentials.
Static Wi-Fi configuration
The most straightforward way to provision a Wi-Fi device is to provide the necessary information statically in the application, before flashing it to the device. We will take a look at how to do this in Exercise 2 of this lesson.
To do this, we enable the following Kconfigs
CONFIG_WIFI_CREDENTIALS_STATIC=y
CONFIG_WIFI_CREDENTIALS_STATIC_SSID="<your_network_SSID>"
CONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD="<your_network_password>"CONFIG_WIFI_CREDENTIALS_STATIC– Static Wi-Fi network configurationCONFIG_WIFI_CREDENTIALS_STATIC_SSID– SSID of statically configured Wi-Fi networkCONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD– Password of statically configured Wi-Fi network
You can also choose the Wi-Fi network security type:
CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_OPEN– no securityCONFIG_WIFI_CREDENTIALS_STATIC_TYPE_PSK– WPA2CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_PSK_SHA256– WPA2 with SHA256CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_SAE– WPA3
Static provisioning is not recommended in deployed products since the end-consumer will likely want to input the network information for their specific Wi-Fi network.
Provisioning over shell
Another way to provision the Wi-Fi device is to provide the credentials via a shell interface and then store the credentials in flash. To enable shell commands in the application, enable the following Kconfigs
CONFIG_SHELL=y
CONFIG_WIFI_CREDENTIALS_SHELL=y
CONFIG_SHELL_STACK_SIZE=4400CONFIG_SHELL– Enables support for shellCONFIG_WIFI_CREDENTIALS_SHELL– Enables the shell commands used to manage Wi-Fi credentialsCONFIG_SHELL_STACK_SIZE– Sets the stack size allocated to the shell thread
Using shell commands, issue the following command to add the Wi-Fi credentials and then initiate a connection to Wi-Fi
wifi_cred add "<SSID>" WPA2-PSK "<PSK>"
wifi_cred add helpYou can replace WPA2-PSK with the security protocol used by your AP, supported arguments are {OPEN, WPA2-PSK, WPA2-PSK-SHA256, WPA3-SAE}.
Provisioning over Bluetooth LE
Another secure method is to provide the network information over another protocol, such as Bluetooth LE. When provisioning a Wi-Fi device over Bluetooth LE, one uses a third Bluetooth LE enabled device, typically a smart phone, to connect to the Wi-Fi device over Bluetooth LE and provide the network credentials. The end-device can then connect to the AP and join the Wi-Fi network with the provided network credentials. We will take a closer look at how to do this in Exercise 3.
To do this, the nRF Connect SDK provides the Wi-Fi Provisioning Service, which implements a GATT service for Wi-Fi provisioning. This service also uses the Wi-Fi credentials library to handle and store the configuration during provisioning.
Provisioning with SoftAP mode
Software-enabled Access Point (SoftAP or SAP) mode allows the Wi-Fi device to operate as a virtual router or temporary access point (AP) and accept connections from other Wi-Fi station devices.
SoftAP mode is typically used in scenarios where a Wi-Fi device wishes to share its internet connection with nearby station devices. For instance, smartphone Wi-Fi hotspots utilize SoftAP mode. The smartphone acts as a virtual router, allowing other station devices to connect to the internet through it. Alternatively, SoftAP mode can be used to securely provision Wi-Fi devices into an access point network.
nRF70 Series devices support Wi-Fi provisioning using the SoftAP mode as one of the provisioning methods. The nRF70 Series device can temporarily enable SoftAP mode and accept a connection from a nearby smart phone, so the smart phone can share the Wi-Fi credentials over Wi-Fi.
To enable SAP mode, enable the folowing Kconfigs
CONFIG_NRF70_AP_MODE=y
CONFIG_WIFI_NM_WPA_SUPPLICANT_AP=yStoring the credentials
The Wi-Fi credentials library provides two different backend options for credential storage, either using the Zephyr Settings subsystem (CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS) or PSA Protected Storage (CONFIG_WIFI_CREDENTIALS_BACKEND_PSA).
The PSA backend is part of the Trusted Firmware-M, which is included as a child image in your application when building for the non-secure build-target. This is explained in detail in Multi-Image Builds in nRF Connect SDK Fundamentals course.
We will cover how to enable both of these backends in Exercise 2 of this lesson. The following exercises will only support building with TF-M and PSA backend, as this is the most secure option.
When using this backend, you must build the application with TF-M, using the build targets below:
| Board | Build with TF-M |
| nRF7002 DK | nrf7002dk_nrf5340_cpuapp_ns |
| nRF5340 DK with nRF7002 EK | nrf5340dk_nrf5340_cpuapp_ns |
Wi-Fi provisioning is the process of connecting a new Wi-Fi device to a Wi-Fi network. The provisioning process involves providing the device with the network name (SSID) and its security credentials.
Having a simple provisioning process is imperative to the user experience of a Wi-Fi device. There are many ways to provision a Wi-Fi device based on what kind of security you need, and we will go through a few of them here.
The nRF Connect SDK provides the Wi-Fi credentials library to load and store Wi-Fi network credentials.
Static Wi-Fi configuration
The most straightforward way to provision a Wi-Fi device is to provide the necessary information statically in the application, before flashing it to the device. We will take a look at how to do this in Exercise 2 of this lesson.
To do this, we enable the following Kconfigs
CONFIG_WIFI_CREDENTIALS_STATIC=y
CONFIG_WIFI_CREDENTIALS_STATIC_SSID="<your_network_SSID>"
CONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD="<your_network_password>"CONFIG_WIFI_CREDENTIALS_STATIC– Static Wi-Fi network configurationCONFIG_WIFI_CREDENTIALS_STATIC_SSID– SSID of statically configured Wi-Fi networkCONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD– Password of statically configured Wi-Fi network
You can also choose the Wi-Fi network security type:
CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_OPEN– no securityCONFIG_WIFI_CREDENTIALS_STATIC_TYPE_PSK– WPA2CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_PSK_SHA256– WPA2 with SHA256CONFIG_WIFI_CREDENTIALS_STATIC_TYPE_SAE– WPA3
Static provisioning is not recommended in deployed products since the end-consumer will likely want to input the network information for their specific Wi-Fi network.
Provisioning over shell
Another way to provision the Wi-Fi device is to provide the credentials via a shell interface and then store the credentials in flash. To enable shell commands in the application, enable the following Kconfigs
CONFIG_SHELL=y
CONFIG_WIFI_CREDENTIALS_SHELL=y
CONFIG_SHELL_STACK_SIZE=4400CONFIG_SHELL– Enables support for shellCONFIG_WIFI_CREDENTIALS_SHELL– Enables the shell commands used to manage Wi-Fi credentialsCONFIG_SHELL_STACK_SIZE– Sets the stack size allocated to the shell thread
Using shell commands, issue the following command to add the Wi-Fi credentials and then initiate a connection to Wi-Fi
wifi_cred add "<SSID>" WPA2-PSK "<PSK>"
wifi_cred add helpYou can replace WPA2-PSK with the security protocol used by your AP, supported arguments are {OPEN, WPA2-PSK, WPA2-PSK-SHA256, WPA3-SAE}.
Provisioning over Bluetooth LE
Another secure method is to provide the network information over another protocol, such as Bluetooth LE. When provisioning a Wi-Fi device over Bluetooth LE, one uses a third Bluetooth LE enabled device, typically a smart phone, to connect to the Wi-Fi device over Bluetooth LE and provide the network credentials. The end-device can then connect to the AP and join the Wi-Fi network with the provided network credentials. We will take a closer look at how to do this in Exercise 3.
To do this, the nRF Connect SDK provides the Wi-Fi Provisioning Service, which implements a GATT service for Wi-Fi provisioning. This service also uses the Wi-Fi credentials library to handle and store the configuration during provisioning
Storing the credentials
The Wi-Fi credentials library provides two different backend options for credential storage, either using the Zephyr Settings subsystem (CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS) or PSA Protected Storage (CONFIG_WIFI_CREDENTIALS_BACKEND_PSA).
The PSA backend is part of the Trusted Firmware-M, which is included as a child image in your application when building for the non-secure build-target. This is explained in detail in Multi-Image Builds in nRF Connect SDK Fundamentals course.
We will cover how to enable both of these backends in Exercise 2 of this lesson. The following exercises will only support building with TF-M and PSA backend, as this is the most secure option.
When using this backend, you must build the application with TF-M, using the build targets below:
| Board | Build with TF-M |
| nRF7002 DK | nrf7002dk_nrf5340_cpuapp_ns |
| nRF5340 DK with nRF7002 EK | nrf5340dk_nrf5340_cpuapp_ns |
