1. Article purpose
The purpose of this article is to explain how to integrate Amazon Web Services (AWS) IoT Greengrass[1] on top of OpenSTLinux, including the security part: the connection to a Hardware Security Module (a TPM 2.0).
This article explains step by step how to add the Yocto layer "meta-demo-aws" on top of the OpenSTLinux distribution, and how to configure the image to include or exclude the extra elements needed to run the AWS Greengrass certification tests.
2. Prerequisites
2.1. Hardware prerequisites
- STM32MP157C-DK2
- STM32MP157V-EV1
2.2. Software prerequisites
The STM32MP1 Distribution Package must be installed on your host. To do this, follow the procedure described in the Install the STM32MP1 OpenSTLinux distribution article.
2.3. Software update with meta-st-demo-aws
1. Clone the following git repository into [your STM32MP1 Distribution path]/layers/meta-st/
git clone ssh://${USER}@gerrit.st.com:29418/stm32mpuapp/meta/meta-st-stm32mpu-app-aws.git meta-st-demo-aws
2. Update the meta-security layer to support PKCS#11 with TPM2
cd [your STM32MP1 Distribution path]/layers/meta-security
git checkout warrior (commit: 4f7be0d252f68d8e8d442a7ed8c6e8a852872d28)
3. Enable the TPM build
This step is optional and requires a TPM expansion board: the STPM4RasPI expansion board[2]
Add the following line to the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-openstlinux/conf/distro/include/openstlinux.inc
DISTRO_FEATURES_append = " tpm2 "
4. Set up the build environment
Execute the command on the host:
source [your STM32MP1 Distribution path]/layers/meta-st/scripts/envsetup.sh
Select your DISTRO (e.g. openstlinux-weston) and the demo-aws MACHINE (e.g. stm32mp1-demo-aws).
5. Build the image
The image is configured by default to include the elements needed to run the AWS Greengrass test. If you do not want them, remove them from the image: in the file recipes-st/images/st-image-demo-aws.bb, delete ${IMAGE_AWSGREENGRASSTEST_PART} from the CORE_IMAGE_EXTRA_INSTALL definition.
In the folder [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-demo-aws, execute the command:
bitbake st-image-demo-aws
6. Flash the SD card
Use the STM32CubeProgrammer tool.
The TSV file FlashLayout_sdcard_stm32mp157c-demo-aws-mx-trusted.tsv is located in [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-demo-aws/tmp-glibc/deploy/images/stm32mp1-demo-aws/flashlayout_st-image-demo-aws
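Steps 3 and 5 above are both "edit a build file by hand" steps, which is easy to get wrong when the setup is re-run (the DISTRO_FEATURES line gets appended twice, or the wrong token is deleted from the recipe). The following helper script is an added example, not code from this page or from the meta-st-demo-aws layer: it performs both edits idempotently and includes a dry run on constructed stand-ins for openstlinux.inc and st-image-demo-aws.bb. The exact layout of the real recipe is assumed (one entry per line in a multi-line CORE_IMAGE_EXTRA_INSTALL assignment); the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the ST wiki page or the meta-st-demo-aws layer):
# idempotent helpers for the two file edits of the build procedure above.
# File paths are passed in; the sample files in demo_dry_run are constructed.

# Step 3: enable the TPM2 distro feature in openstlinux.inc, but only once,
# so that re-running the setup does not append the line a second time.
enable_tpm2_feature() {
    inc="$1"
    if grep -qF 'DISTRO_FEATURES_append = " tpm2 "' "$inc"; then
        echo "tpm2 already enabled in $inc"
    else
        printf '%s\n' 'DISTRO_FEATURES_append = " tpm2 "' >> "$inc"
    fi
}

# Step 5: drop the Greengrass certification-test payload from the image recipe
# by removing the ${IMAGE_AWSGREENGRASSTEST_PART} token. Only the reference is
# removed; the variable definition itself (which does not contain "${...}") is
# untouched. A line left holding only a continuation backslash is deleted too,
# so the multi-line assignment stays syntactically valid.
drop_greengrass_test_part() {
    bb="$1"
    tmp="$bb.tmp"
    sed -e 's/[[:space:]]*\${IMAGE_AWSGREENGRASSTEST_PART}//' \
        -e '/^[[:space:]]*\\[[:space:]]*$/d' "$bb" > "$tmp" && mv "$tmp" "$bb"
}

# Dry run on constructed stand-ins (layout of the real files is an assumption).
# Prints one status line with counts the caller can check.
demo_dry_run() {
    d=$(mktemp -d)
    printf '%s\n' 'DISTRO_FEATURES_append = " wayland "' > "$d/openstlinux.inc"
    printf '%s\n' 'CORE_IMAGE_EXTRA_INSTALL += " \' \
                  '    ${IMAGE_AWSGREENGRASS_PART} \' \
                  '    ${IMAGE_AWSGREENGRASSTEST_PART} \' \
                  '    "' > "$d/st-image-demo-aws.bb"
    enable_tpm2_feature "$d/openstlinux.inc" >/dev/null
    enable_tpm2_feature "$d/openstlinux.inc" >/dev/null   # second call must be a no-op
    drop_greengrass_test_part "$d/st-image-demo-aws.bb"
    printf 'tpm2_lines=%s test_part_lines=%s bb_lines=%s\n' \
        "$(grep -c 'tpm2' "$d/openstlinux.inc")" \
        "$(grep -c 'IMAGE_AWSGREENGRASSTEST_PART' "$d/st-image-demo-aws.bb")" \
        "$(grep -c '' "$d/st-image-demo-aws.bb")"
    rm -rf "$d"
}

demo_dry_run
```

On a real tree, call `enable_tpm2_feature [path]/layers/meta-st/meta-st-openstlinux/conf/distro/include/openstlinux.inc` and `drop_greengrass_test_part [path]/layers/meta-st/meta-st-demo-aws/recipes-st/images/st-image-demo-aws.bb` before `bitbake st-image-demo-aws`; the dry run shows that a second `enable_tpm2_feature` call leaves a single tpm2 line and that the test-part token disappears without leaving a dangling continuation.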
2.4. AWS Greengrass target initialization
1. Configuration of the target
Run the scripts for some extra configuration on the target (to be executed only once, after the first boot).
source /greengrass/tpm_update.sh
If you have configured the execution of the AWS Greengrass test:
source /greengrass/awsgreengrass_certif.sh
2. TPM token initialization
Note: keep the PINs (123456) and the PKCS#11 store folder (/usr/local/pkcs11_tpm); the scripts and the Greengrass configuration file examples use these values.
Execute the commands on the target:
cd /tools
./tpm2_ptool.py init --pobj-pin=123456 --path=/usr/local/pkcs11_tpm
./tpm2_ptool.py addtoken --pid=1 --pobj-pin=123456 --sopin=123456 --userpin=123456 --label=greengrass --path=/usr/local/pkcs11_tpm
./tpm2_ptool.py addkey --algorithm=rsa2048 --label=greengrass --userpin=123456 --key-label=greenkey --path=/usr/local/pkcs11_tpm
OPTIONAL: verification with pkcs11-tool
Execute this command on the target to verify the token created.
pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so.0 -L
Example of the expected output:
Available slots:
Slot 0 (0x1): greengrass                      STMicro
  token label        : greengrass
  token manufacturer : STMicro
  token model        :
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.38
  firmware version   : 74.8
  serial num         : 0000000000000000
  pin min/max        : 5/128
AT THIS STEP, THE CONFIGURATION OF THE BOARD IS COMPLETE AND IT CAN BE USED WITH THE AWS IoT Device Tester.
2.5. Process to execute the AWS Greengrass certification testing
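The token initialization in step 2 is a first-boot, run-once procedure, and the pkcs11-tool listing is the only check that it worked. The script below is an added example (not code from this page, from tpm2-pkcs11 or from the meta-st-demo-aws layer): it wraps the three tpm2_ptool.py calls so they are skipped when the store is already populated, takes the PINs and labels from environment variables that default to the page's demo values, and parses the `pkcs11-tool -L` output to confirm that a token with the expected label is present, initialized and PIN-protected instead of leaving that to a visual check. The paths /tools/tpm2_ptool.py and /usr/lib/libtpm2_pkcs11.so.0 are taken from the page; the "non-empty store directory means already initialized" test and the embedded sample listing are assumptions and constructed data respectively.

```shell
#!/bin/sh
# Added example (not code from the ST wiki page or from tpm2-pkcs11): run-once
# token setup plus a machine-checkable verification of the pkcs11-tool listing.
# Paths are the ones given on the page; everything can be overridden via env.
PTOOL="${PTOOL:-/tools/tpm2_ptool.py}"
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/libtpm2_pkcs11.so.0}"

# Step 2 of the target initialization: store, token and RSA-2048 key.
# The store is only initialized when its directory is empty (assumption: a
# populated directory means tpm2_ptool init already ran), so re-running the
# first-boot scripts does not try to create a second primary object.
init_greengrass_token() {
    store="${PKCS11_TPM_STORE:-/usr/local/pkcs11_tpm}"
    pin="${PKCS11_TPM_PIN:-123456}"       # demo value from the page; set PKCS11_TPM_PIN to use your own
    label="${PKCS11_TOKEN_LABEL:-greengrass}"
    key_label="${PKCS11_KEY_LABEL:-greenkey}"
    if [ -d "$store" ] && [ -n "$(ls -A "$store" 2>/dev/null)" ]; then
        echo "store $store already initialized, skipping" >&2
        return 0
    fi
    mkdir -p "$store"
    "$PTOOL" init --pobj-pin="$pin" --path="$store" &&
    "$PTOOL" addtoken --pid=1 --pobj-pin="$pin" --sopin="$pin" --userpin="$pin" \
        --label="$label" --path="$store" &&
    "$PTOOL" addkey --algorithm=rsa2048 --label="$label" --userpin="$pin" \
        --key-label="$key_label" --path="$store"
}

# Read a `pkcs11-tool -L` listing on stdin and succeed only if the token whose
# label is $1 exists and its flags show it is initialized and PIN-protected.
check_token_listing() {
    awk -v want="$1" '
        /^Slot [0-9]+/ { in_token = 0 }              # new slot header resets the match
        /^[ \t]*token label[ \t]*:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            in_token = (v == want)
        }
        in_token && /^[ \t]*token flags[ \t]*:/ {
            if ($0 ~ /login required/ && $0 ~ /token initialized/ && $0 ~ /PIN initialized/) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# The optional verification step, with a pass/fail result instead of eyeballing.
verify_token() {
    label="${PKCS11_TOKEN_LABEL:-greengrass}"
    if pkcs11-tool --module "$PKCS11_MODULE" -L | check_token_listing "$label"; then
        echo "token '$label' present, initialized and PIN-protected"
    else
        echo "token '$label' missing or not fully initialized" >&2
        return 1
    fi
}

# Constructed sample listing (the output the page shows), used for a dry run.
SAMPLE_LISTING=$(cat <<'EOF'
Available slots:
Slot 0 (0x1): greengrass                      STMicro
  token label        : greengrass
  token manufacturer : STMicro
  token model        :
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.38
  firmware version   : 74.8
  serial num         : 0000000000000000
  pin min/max        : 5/128
EOF
)

demo_check() {
    printf '%s\n' "$SAMPLE_LISTING" | check_token_listing greengrass \
        && echo "sample listing: token greengrass is initialized and PIN-protected"
}

demo_check
```

On the board, run `init_greengrass_token && verify_token` from the first-boot script; `verify_token` fails (non-zero exit) if the label differs from the one the Greengrass configuration expects or if "PIN initialized" is missing from the flags, which is the state the Device Tester run would otherwise hit later.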
1. Go to the Amazon site AWS IoT Device Tester for AWS IoT Greengrass Versions
Install the AWS IoT Device Tester.
2. Configure your SSH connection (SSH keys)
Go to the Amazon site: Configure Your Host Computer to Access Your Device Under Test.
3. References
- [1] Amazon Web Services (AWS) IoT Greengrass
- [2] STPM4RasPI expansion board