X-LINUX-AZURE expansion package

Revision as of 15:41, 20 December 2023 by Registered User (section: X-LINUX-AZURE package software setup)
Under construction: coming soon

1. X-LINUX-AZURE package software installation

There are two ways to install the additional X-LINUX-AZURE expansion package software on top of OpenSTLinux:

  • X-LINUX-AZURE Starter package: TODO.
  • X-LINUX-AZURE Distribution package: an OpenEmbedded meta-layer to be added on top of the STM32MPx Distribution Package to generate the X-LINUX-AZURE expansion package.

2. X-LINUX-AZURE package software setup

As a prerequisite, you must have set up an Azure IoT Hub or an Azure IoT Central application for your device to connect to.

Please refer to Azure IoT Hub documentation or Azure IoT Central documentation to start.

2.1. Configuration with DPS provisioning and authentication with symmetric key stored in file system

This configuration is intended for fast prototyping, for example with IoT Central.

Warning
Symmetric-key authentication is not recommended for production.

Storing the key in the file system is not recommended for production either: the key is a bearer secret, so anyone who can read the file can impersonate the device. Use a private key held in OP-TEE or in a TPM (next sections) instead.

  • Customize the following variables
 export REGISTRATION_ID="STM32MP257F-EV1-******"
 export ID_SCOPE="0ne******"
 export SYMMETRIC_KEY="**********"
  • Create a configuration file
 cat >/etc/aziot/config.toml <<EOL
# ==============================================================================
# Hostname
# ==============================================================================
hostname = "$(hostname)"

# ==============================================================================
# Provisioning
# ==============================================================================
# DPS provisioning with symmetric key
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net/"
id_scope = "${ID_SCOPE}"

[provisioning.attestation]
method = "symmetric_key"
registration_id = "${REGISTRATION_ID}"

symmetric_key = { value = "${SYMMETRIC_KEY}" }
EOL
  • Apply the configuration
 iotedge config apply
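The three steps above as one added script (an example written for this page, not code from the X-LINUX-AZURE package): it refuses values that still hold the placeholder, derives the per-device key when you start from an enrollment-group key (the Azure DPS rule: base64 of HMAC-SHA256, keyed with the decoded group key, over the registration ID; IoT Central enrollment groups work this way, whereas an individual-enrollment key is used as is), and writes /etc/aziot/config.toml readable by root only. The function names and the GROUP_KEY / DEVICE_KEY variables are the example's own; the TOML content is the page's.

```shell
#!/bin/sh
# Added example, not part of the X-LINUX-AZURE package: builds the DPS /
# symmetric-key config.toml shown above, with input checks and a 0600 file mode.
set -eu

# A value still containing the "******" placeholder (or empty) was not customized.
is_filled() {
    case "$1" in
        ''|*'*'*) return 1 ;;
        *)        return 0 ;;
    esac
}

# DPS keys are base64; GNU base64 exits non-zero on malformed input.
is_base64() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Azure DPS per-device key from an enrollment-group key (IoT Central uses groups):
#   device_key = base64( HMAC-SHA256( key = base64decode(group_key), msg = registration_id ) )
derive_device_key() {
    group_key=$1; registration_id=$2
    hexkey=$(printf '%s' "$group_key" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    printf '%s' "$registration_id" \
        | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$hexkey" -binary \
        | base64 | tr -d '\n'
}

# Print the same TOML as the page. Arguments: hostname id_scope registration_id device_key
render_dps_config() {
    host=$1; id_scope=$2; registration_id=$3; device_key=$4
    cat <<EOL
# ==============================================================================
# Hostname
# ==============================================================================
hostname = "$host"

# ==============================================================================
# Provisioning
# ==============================================================================
# DPS provisioning with symmetric key
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net/"
id_scope = "$id_scope"

[provisioning.attestation]
method = "symmetric_key"
registration_id = "$registration_id"
symmetric_key = { value = "$device_key" }
EOL
}

# Validate, then write the file readable by root only: the symmetric key is a
# bearer secret and must not be world-readable. Arguments: path + render arguments.
write_dps_config() {
    out=$1; host=$2; id_scope=$3; registration_id=$4; device_key=$5
    if ! is_filled "$id_scope" || ! is_filled "$registration_id"; then
        echo "ID_SCOPE or REGISTRATION_ID still holds the placeholder value" >&2
        return 1
    fi
    if ! is_base64 "$device_key"; then
        echo "symmetric key is not valid base64" >&2
        return 1
    fi
    ( umask 077; render_dps_config "$host" "$id_scope" "$registration_id" "$device_key" >"$out" )
    chmod 600 "$out"
}

# On the board, export ID_SCOPE, REGISTRATION_ID and either GROUP_KEY (enrollment
# group) or DEVICE_KEY (individual enrollment), then run this script. Nothing
# below executes while those variables are unset.
if [ -n "${ID_SCOPE:-}" ] && [ -n "${REGISTRATION_ID:-}" ]; then
    if [ -n "${GROUP_KEY:-}" ]; then
        DEVICE_KEY=$(derive_device_key "$GROUP_KEY" "$REGISTRATION_ID")
    fi
    write_dps_config /etc/aziot/config.toml "$(hostname)" "$ID_SCOPE" "$REGISTRATION_ID" \
        "${DEVICE_KEY:?set GROUP_KEY or DEVICE_KEY}"
    iotedge config apply
fi
```

The derivation can be checked against RFC 4231 test case 2 (key "Jefe", message "what do ya want for nothing?"), which must give W9zBRr9gdU5qBCQmCJV1x1oAPwidJzmDnexYuWTsOEM= after base64 encoding; with a wrong key the device is simply rejected at DPS registration.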

2.2. Configuration without DPS and authentication via X.509 certificate and private key stored in OP-TEE

Warning
Not available yet on MP2.
  • Set the PKCS11 paths
 export PKCS11_LIB="/usr/lib/libckteec.so.0"
 export OPENSSL_CONF_FILE="/etc/pki/openssl-pkcs11-optee.cnf"
  • Customize the following variables (the PIN values shown are examples; choose your own)
 export PKCS11_SLOT="1"
 export PKCS11_TOKEN_LABEL="AZ_TOKEN"
 export PKCS11_KEY_LABEL="AZ_key"
 export PKCS11_KEY_ID="0"
 export PKCS11_SO_PIN="1234567890"
 export PKCS11_USER_PIN="12345"
 export DEVICE_NAME="STM32MP257F-EV1-******"
 export IOT_HUB_HOST_NAME="******.azure-devices.net"
 export CERTIFICATE_CN="$DEVICE_NAME"
  • Set the certificate paths
 export CERTIFICATE_DIR="/var/aziot/certs"
 export CERTIFICATE_NAME="${CERTIFICATE_CN}.pem"
  • Create configuration file
 cat >/etc/aziot/config.toml <<EOL
# ==============================================================================
# Hostname
# ==============================================================================
hostname = "$(hostname)"

# ==============================================================================
# Provisioning
# ==============================================================================

# Manual provisioning with X.509 certificate
[provisioning]
source = "manual"
iothub_hostname = "${IOT_HUB_HOST_NAME}"
device_id = "${DEVICE_NAME}"

[provisioning.authentication]
method = "x509"
identity_pk = "pkcs11:slot-id=${PKCS11_SLOT};object=${PKCS11_KEY_LABEL}?pin-value=${PKCS11_USER_PIN}"

identity_cert = "file://${CERTIFICATE_DIR}/${CERTIFICATE_NAME}"

[aziot_keys]
pkcs11_lib_path = "${PKCS11_LIB}"
pkcs11_base_slot = "pkcs11:slot-id=${PKCS11_SLOT}?pin-value=${PKCS11_USER_PIN}"
EOL
  • Create the directory if it does not exist, give ownership to aziotcs and set permissions
 mkdir -p ${CERTIFICATE_DIR}
 chown aziotcs:aziotcs ${CERTIFICATE_DIR}
 chmod 755 ${CERTIFICATE_DIR}
  • Configure PKCS11
 pkcs11-tool --module ${PKCS11_LIB} --init-token --slot ${PKCS11_SLOT} --label ${PKCS11_TOKEN_LABEL} --so-pin ${PKCS11_SO_PIN}
 pkcs11-tool --module ${PKCS11_LIB} --label ${PKCS11_TOKEN_LABEL} --slot ${PKCS11_SLOT} --login --so-pin ${PKCS11_SO_PIN} --init-pin --pin ${PKCS11_USER_PIN}
  • Generate key pair
 pkcs11-tool --module ${PKCS11_LIB} -l --slot ${PKCS11_SLOT} --pin ${PKCS11_USER_PIN} --keypairgen --key-type rsa:2048 --label ${PKCS11_KEY_LABEL} --id ${PKCS11_KEY_ID} --usage-decrypt --usage-sign
  • Insert the user PIN into the OpenSSL pkcs11 engine configuration file (the file then contains the PIN: keep it readable by root only)
 sed -i "s/##pkcs11_pin##/${PKCS11_USER_PIN}/g" ${OPENSSL_CONF_FILE}
  • Generate certificate
 OPENSSL_CONF=${OPENSSL_CONF_FILE} openssl req -new -x509 -days 3652 -sha256 -engine pkcs11 -keyform engine -key "pkcs11:type=private;object=${PKCS11_KEY_LABEL};token=${PKCS11_TOKEN_LABEL}" -subj "/CN=${CERTIFICATE_CN}" -out ${CERTIFICATE_DIR}/${CERTIFICATE_NAME}
  • Give aziotcs ownership of the certificate, with read and write permission for aziotcs and read-only for others (the certificate is public; the private key never leaves OP-TEE)
 chown aziotcs:aziotcs ${CERTIFICATE_DIR}/${CERTIFICATE_NAME}
 chmod 644 ${CERTIFICATE_DIR}/${CERTIFICATE_NAME}
  • Compute certificate fingerprint
 openssl x509 -noout -fingerprint -sha1 -inform pem -in ${CERTIFICATE_DIR}/${CERTIFICATE_NAME} | sed 's/://g' | sed 's/.*=//'

Register the fingerprint printed by the last command in Azure IoT Hub as the thumbprint of your device identity (X.509 self-signed authentication).

Apply the configuration:

 iotedge config apply

2.3. Configuration without DPS and authentication via X.509 certificate and private key stored in TPM

Follow the instructions of the previous section (OP-TEE configuration), but change the following two variables:

 export PKCS11_LIB="/usr/lib/pkcs11/libtpm2_pkcs11.so"
 export OPENSSL_CONF_FILE="/etc/pki/openssl-pkcs11-tpm.cnf"
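The OP-TEE and TPM variants differ only in the PKCS#11 module and OpenSSL configuration paths, so one added script covers both sections (an example written for this page, not code from the X-LINUX-AZURE package). It selects the backend paths given above, renders the manual-provisioning config.toml readable by root only (the user PIN is embedded in the pkcs11: URIs; 0600 is this example's choice, not a requirement stated on the page), computes the SHA-1 thumbprint to register in IoT Hub in the page's format, and checks the certificate before `iotedge config apply`: subject CN equal to the device ID, not expired, and a plausible system clock (the clock problem of the troubleshooting section below makes every certificate look not yet valid). The function names, the optee/tpm selector and the clock threshold are the example's own assumptions; the pkcs11-tool and openssl provisioning commands are those of the page and are not repeated here.

```shell
#!/bin/sh
# Added example, not part of the X-LINUX-AZURE package: config generation and
# pre-flight checks for an X.509 device identity whose private key lives in
# OP-TEE (libckteec) or in a TPM (tpm2-pkcs11).
set -eu

# Same module and OpenSSL configuration paths as the two sections above
# (OPENSSL_CONF_FILE is what the page's certificate-generation step uses).
backend_paths() {
    case "$1" in
        optee) PKCS11_LIB=/usr/lib/libckteec.so.0
               OPENSSL_CONF_FILE=/etc/pki/openssl-pkcs11-optee.cnf ;;
        tpm)   PKCS11_LIB=/usr/lib/pkcs11/libtpm2_pkcs11.so
               OPENSSL_CONF_FILE=/etc/pki/openssl-pkcs11-tpm.cnf ;;
        *)     echo "unknown backend '$1' (use optee or tpm)" >&2; return 1 ;;
    esac
}

# Print the manual-provisioning TOML of the page.
# Arguments: backend hostname hub_host device_id cert_path slot key_label user_pin
render_x509_config() {
    backend_paths "$1"
    host=$2; hub=$3; device=$4; cert=$5; slot=$6; key_label=$7; pin=$8
    cat <<EOL
hostname = "$host"

# Manual provisioning with X.509 certificate
[provisioning]
source = "manual"
iothub_hostname = "$hub"
device_id = "$device"

[provisioning.authentication]
method = "x509"
identity_pk = "pkcs11:slot-id=$slot;object=$key_label?pin-value=$pin"
identity_cert = "file://$cert"

[aziot_keys]
pkcs11_lib_path = "$PKCS11_LIB"
pkcs11_base_slot = "pkcs11:slot-id=$slot?pin-value=$pin"
EOL
}

# The user PIN is embedded in the pkcs11: URIs, so the file is written 0600
# (this example's choice). Arguments: path + render_x509_config arguments.
write_x509_config() {
    out=$1; shift
    ( umask 077; render_x509_config "$@" >"$out" )
    chmod 600 "$out"
}

# Thumbprint to register in IoT Hub, in the page's format: SHA-1, upper-case hex, no colons.
cert_thumbprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/.*=//; s/://g'
}

# Subject in RFC 2253 form, e.g. "CN=STM32MP257F-EV1-001".
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# A clock earlier than this is unset (threshold is an assumption of this example;
# see the troubleshooting section on NTP): certificates then look not yet valid
# and every TLS handshake fails.
CLOCK_MIN_EPOCH=1701388800   # 2023-12-01T00:00:00Z
clock_is_sane() {
    [ "$(date +%s)" -gt "$CLOCK_MIN_EPOCH" ]
}

# 0 when the certificate can identify device "$2" to IoT Hub; otherwise says why.
check_identity_cert() {
    cert=$1; device=$2
    clock_is_sane || { echo "system clock not set: set the date before connecting" >&2; return 1; }
    [ -r "$cert" ] || { echo "certificate $cert is not readable" >&2; return 1; }
    [ "$(cert_subject "$cert")" = "CN=$device" ] \
        || { echo "subject $(cert_subject "$cert") does not match device id $device" >&2; return 1; }
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null \
        || { echo "certificate has expired: regenerate it" >&2; return 1; }
}

# On the board: export DEVICE_NAME, IOT_HUB_HOST_NAME, PKCS11_USER_PIN and
# BACKEND=optee|tpm (the other variables default to the page's values).
# Nothing below executes while DEVICE_NAME and IOT_HUB_HOST_NAME are unset.
if [ -n "${DEVICE_NAME:-}" ] && [ -n "${IOT_HUB_HOST_NAME:-}" ]; then
    CERT=${CERTIFICATE_DIR:-/var/aziot/certs}/${CERTIFICATE_CN:-$DEVICE_NAME}.pem
    check_identity_cert "$CERT" "$DEVICE_NAME"
    write_x509_config /etc/aziot/config.toml "${BACKEND:-optee}" "$(hostname)" \
        "$IOT_HUB_HOST_NAME" "$DEVICE_NAME" "$CERT" "${PKCS11_SLOT:-1}" \
        "${PKCS11_KEY_LABEL:-AZ_key}" "${PKCS11_USER_PIN:?export the token user PIN}"
    echo "register this thumbprint for $DEVICE_NAME in IoT Hub: $(cert_thumbprint "$CERT")"
    iotedge config apply
fi
```

Run it after the pkcs11-tool and openssl steps of the OP-TEE section, with BACKEND=tpm for the TPM variant; a CN mismatch or an expired certificate is reported before the daemon is reconfigured, which is easier to read than the TLS errors `iotedge system logs` would otherwise show.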

2.4. Troubleshooting

You can check your configuration by running the following command:

 iotedge check

If your board has never been connected, it is normal to see two errors about edgeAgent and edgeHub: these modules have not been deployed yet.

You can see the IoTEdge logs by running the following command:

 iotedge system logs -- -f

2.4.1. TLS connection issue

Make sure your device has the correct date and time: TLS certificate validation fails when the clock is wrong, because the certificates appear not yet valid or expired. On MP2, the distribution does not yet support NTP correctly, so run the following at each boot (with the current date and time) to make the connection work:

 timedatectl set-ntp false
 timedatectl set-time '2023-12-13 16:14:00'

2.4.2. TPM Azure Service issue

If you are not using a TPM for authentication, you may see TPM-related errors in the logs that prevent the connection. Disable the service if you do not need it:

 systemctl stop aziot-tpmd
 systemctl disable aziot-tpmd