How to integrate AWS IoT Greengrass on top of openSTLinux distribution

Revision as of 10:22, 3 December 2019 by Registered User

1. Article purpose

The purpose of this article is to explain how to integrate Amazon Web Services (AWS) IoT Greengrass[1] on top of OpenSTLinux, including the security part: the connection to a hardware security module (a TPM 2.0).

It describes step by step how to add the Yocto layer "meta-st-demo-aws" on top of the OpenSTLinux distribution, and how to configure the image with or without the extra elements needed to run the AWS Greengrass certification tests.

2. Prerequisites

2.1. Hardware prerequisites

  • STM32MP157C-DK2
  • STM32MP157V-EV1

2.2. Software prerequisites

The STM32MP1 Distribution Package must be installed on your host. To do this, follow the procedure described in the article Install the STM32MP1 OpenSTLinux distribution.

2.3. Software update with meta-st-demo-aws

1. Clone the following git repository into [your STM32MP1 Distribution path]/layers/meta-st/:

git clone ssh://${USER}@gerrit.st.com:29418/stm32mpuapp/meta/meta-st-stm32mpu-app-aws.git meta-st-demo-aws

2. Update the meta-security layer to support PKCS#11 with TPM 2.0

cd [your STM32MP1 Distribution path]/layers/meta-security
git checkout warrior
(commit: 4f7be0d252f68d8e8d442a7ed8c6e8a852872d28)

To pin the layer to the revision this article was tested with rather than the moving branch head, check out the commit hash above instead of the branch name.

3. Enable the TPM build

This step is optional and requires a TPM expansion board: the STPM4RasPI expansion board[2]. It is needed for the TPM token initialization in the target initialization section below.

Add the following line to the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-openstlinux/conf/distro/include/openstlinux.inc:

DISTRO_FEATURES_append = " tpm2 "

4. Set up the build environment

Execute the following command on the host:

source [your STM32MP1 Distribution path]/layers/meta-st/scripts/envsetup.sh

Select your DISTRO (for example openstlinux-weston) and the demo-aws MACHINE (for example stm32mp1-demo-aws).

5. Build the image

By default the image includes the elements needed to run the AWS Greengrass tests. If you do not want them, remove them from the image: in the file recipes-st/images/st-image-demo-aws.bb, delete ${IMAGE_AWSGREENGRASSTEST_PART} from the CORE_IMAGE_EXTRA_INSTALL definition.

In the build folder created by envsetup.sh for the DISTRO and MACHINE selected above, [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-demo-aws, execute:

bitbake st-image-demo-aws

6. Flash the SD card

Use the STM32CubeProgrammer tool.

The flash layout file FlashLayout_sdcard_stm32mp157c-demo-aws-mx-trusted.tsv is located in [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-demo-aws/tmp-glibc/deploy/images/stm32mp1-demo-aws/flashlayout_st-image-demo-aws

2.4. AWS Greengrass target initialization

1. Configuration of the target

Run the following script for some extra configuration on the target (to be executed only once, after the first boot):

source /greengrass/tpm_update.sh

If you have configured the image to run the AWS Greengrass tests, also run:

source /greengrass/awsgreengrass_certif.sh

2. TPM token initialization

Note: keep the PINs (123456) and the PKCS#11 store folder (/usr/local/pkcs11_tpm): the scripts and the Greengrass configuration file examples use these values. They are demo values; if you change them for a real deployment, update those files to match (the Greengrass PKCS#11 configuration logs in to the token with the user PIN).

Execute the following commands on the target:

cd /tools
./tpm2_ptool.py init --pobj-pin=123456 --path=/usr/local/pkcs11_tpm
./tpm2_ptool.py addtoken --pid=1 --pobj-pin=123456 --sopin=123456 --userpin=123456 --label=greengrass --path=/usr/local/pkcs11_tpm
./tpm2_ptool.py addkey --algorithm=rsa2048 --label=greengrass --userpin=123456 --key-label=greenkey --path=/usr/local/pkcs11_tpm

OPTIONAL: verification with pkcs11-tool

Execute this command on the target to verify that the token was created:

pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so.0 -L

Example of the expected output:

Available slots:
   Slot 0 (0x1): greengrass STMicro
     token label        : greengrass
     token manufacturer : STMicro
     token model        :
     token flags        : login required, rng, token initialized, PIN initialized
     hardware version   : 1.38
     firmware version   : 74.8
     serial num         : 0000000000000000
     pin min/max        : 5/128
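
As an added example (not one of the page's scripts, and not part of tpm2-pkcs11 or Greengrass), the three tpm2_ptool commands above and the pkcs11-tool verification can be combined into one checked script, so that a partially initialized token is reported instead of being discovered later when Greengrass fails to log in. The file name tpm_token_setup.sh, the environment-variable overrides (PTOOL, PKCS11_MODULE, PKCS11_STORE, TOKEN_LABEL, KEY_LABEL, POBJ_PIN, SO_PIN, USER_PIN) and the listing check are assumptions made here; the defaults are the values used on this page.

```sh
#!/bin/sh
# Added example: checked version of the token initialization and the
# pkcs11-tool verification described on this page. Not part of the page's
# scripts, of tpm2-pkcs11 or of Greengrass; the overrides below and the
# listing check are assumptions. Defaults match the page so that the demo
# scripts and Greengrass config examples keep working unchanged.
set -u

PTOOL="${PTOOL:-/tools/tpm2_ptool.py}"
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/libtpm2_pkcs11.so.0}"
PKCS11_STORE="${PKCS11_STORE:-/usr/local/pkcs11_tpm}"
TOKEN_LABEL="${TOKEN_LABEL:-greengrass}"
KEY_LABEL="${KEY_LABEL:-greenkey}"
POBJ_PIN="${POBJ_PIN:-123456}"   # demo value from the page
SO_PIN="${SO_PIN:-123456}"       # demo value from the page
USER_PIN="${USER_PIN:-123456}"   # demo value; Greengrass logs in with this one

# pkcs11-tool reports "pin min/max : 5/128" for this token, so reject PINs
# outside that range before the TPM store is touched.
pin_ok() {
    [ "${#1}" -ge 5 ] && [ "${#1}" -le 128 ]
}

# The same three tpm2_ptool calls as on the page (init, addtoken, addkey),
# with the values above, stopping at the first failure.
init_token() {
    pin_ok "$SO_PIN" && pin_ok "$USER_PIN" || {
        echo "SO/user PIN must be 5..128 characters" >&2; return 1; }
    mkdir -p "$PKCS11_STORE" || return 1   # store dir holds the sqlite db
    "$PTOOL" init --pobj-pin="$POBJ_PIN" --path="$PKCS11_STORE" || return 1
    "$PTOOL" addtoken --pid=1 --pobj-pin="$POBJ_PIN" --sopin="$SO_PIN" \
        --userpin="$USER_PIN" --label="$TOKEN_LABEL" --path="$PKCS11_STORE" || return 1
    "$PTOOL" addkey --algorithm=rsa2048 --label="$TOKEN_LABEL" --userpin="$USER_PIN" \
        --key-label="$KEY_LABEL" --path="$PKCS11_STORE"
}

# Parse a `pkcs11-tool -L` listing read from stdin. Succeeds only if a token
# with the given label exists and its flags include both "token initialized"
# and "PIN initialized"; no token, a different label, or a missing PIN flag
# all fail. Reading stdin lets the check also run on saved listings.
listing_has_ready_token() {
    awk -v want="$1" '
        /token label/ { cur = $0; sub(/.*: */, "", cur); sub(/[ \t]+$/, "", cur) }
        /token flags/ && cur == want && /token initialized/ && /PIN initialized/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Live check on the target: list the slots through the TPM2 PKCS#11 module.
verify_token() {
    pkcs11-tool --module "$PKCS11_MODULE" -L | listing_has_ready_token "$TOKEN_LABEL"
}

# Only touch the TPM when asked explicitly (`sh tpm_token_setup.sh init`),
# so sourcing this file for its functions has no side effects.
if [ "${1:-}" = "init" ]; then
    if init_token && verify_token; then
        echo "token '$TOKEN_LABEL' ready in $PKCS11_STORE"
    else
        echo "token setup failed" >&2
        exit 1
    fi
fi
```

Run it on the target after tpm_update.sh as `sh tpm_token_setup.sh init`. To use other PINs, export SO_PIN and USER_PIN before running it and change the same values in the Greengrass configuration and demo scripts that assume 123456; the listing check then confirms the token the Greengrass configuration will look for by label actually exists and has its PINs set.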

AT THIS STEP, THE CONFIGURATION OF THE BOARD IS COMPLETED TO BE USED WITH THE AWS IoT Device Tester.

2.5. Process to execute the AWS Greengrass certification testing

1. Go to the Amazon site AWS IoT Device Tester for AWS IoT Greengrass Versions

Install AWS IoT Device Tester.

2. Configure your SSH connection (SSH keys)

Go to the Amazon site Configure Your Host Computer to Access Your Device Under Test.

3. References

  1. Amazon Web Services (AWS) IoT Greengrass
  2. STPM4RasPI expansion board