yocto_layer_test/meta-st/meta-st-stm32mpu-hce/README.md

meta-st-stm32mpu-hce

OpenEmbedded meta layer to install an AWS Greengrass application.

ref : https://aws.amazon.com/fr/greengrass/

This document describes how to add the "AWS Greengrass" application to the OpenSTLinux distribution, and how to configure the target to run the AWS Greengrass certification, including the Hardware Security Integration test group.
The Hardware Security Module used is the STM4RasPI expansion board (TPM2 component ST33TPHF20SPI).

Notes :

  1. This process has been tested with the STM32MP1 OpenSTLinux distribution MMDV-v2.0.0 (openstlinux-5.4-dunfell-mp1-20-06-24).
  2. This process has been tested with the following software releases (commit ids) :
  • meta-java: "3b65eea96eddde97169ca5e00be01a9dbd257786"
  • meta-virtualization: "ff997b6b3ba800978546098ab3cdaa113b6695e1"
  • meta-security: "c74cc97641fd93e0e7a4383255e9a0ab3deaf9d7"
  3. The Greengrass application is delivered by Amazon as binaries for a RASPBIAN distribution.
  4. The AWS IoT Greengrass version installed is v1.11.0; the AWS IoT Device Tester version used for AWS certification is IDT v3.2.0.
  5. The target is configured to support Greengrass Over-the-Air Updates (OTA).

Process for installation :

Install the OpenSTLinux distribution Yocto environment on your host.

ref : STM32MP1 Distribution Package - OpenSTLinux distribution

Clone the following git repository into [your STM32MP1 Distribution path]/layers/meta-st/

PC $> cd [your STM32MP1 Distribution path]/layers/meta-st
PC $> git clone https://github.com/SigmaDeltaTechnologiesInc/meta-st-stm32mpu-hce
PC $> cd meta-st-stm32mpu-hce
PC $> git checkout remotes/origin/dunfell

Add TPM2 recipes

PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone git://git.yoctoproject.org/meta-security
PC $> cd meta-security
PC $> git checkout remotes/origin/dunfell

Setup the build environment

Execute the following command on the host :

PC $> cd [your STM32MP1 Distribution path]
PC $> DISTRO=openstlinux-weston MACHINE=stm32mp1-hce source layers/meta-st/scripts/envsetup.sh

Add Virtualization (docker) to the OpenSTLinux distribution

PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone git://git.yoctoproject.org/meta-virtualization
PC $> cd meta-virtualization
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-virtualization

Apply the following update in the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-openstlinux/conf/distro/openstlinux-weston.conf

 DISTRO_FEATURES_append = " virtualization "

Add the JAVA JDK to the OpenSTLinux distribution

PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone git://git.yoctoproject.org/meta-java
PC $> cd meta-java
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-java

Apply the following update in the file [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce/conf/local.conf

# Possible provider: cacao-initial-native and jamvm-initial-native
PREFERRED_PROVIDER_virtual/java-initial-native = "cacao-initial-native"

# Possible provider: cacao-native and jamvm-native
PREFERRED_PROVIDER_virtual/java-native = "jamvm-native"

# Optional since there is only one provider for now
PREFERRED_PROVIDER_virtual/javac-native = "ecj-bootstrap-native"

Increase the ROOTFS partition size

Update the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-stm32mp/conf/machine/include/st-machine-common-stm32mp.inc

IMAGE_ROOTFS_MAXSIZE = "2097152"

Increase the BOOTFS partition size

Update the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-stm32mp/conf/machine/include/st-machine-common-stm32mp.inc

BOOTFS_PARTITION_SIZE = "512000"

Enable TPM build

Apply the following update in the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-openstlinux/conf/distro/include/openstlinux.inc

DISTRO_FEATURES_append = " tpm2 "

Add AWS

PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone https://github.com/aws/meta-aws
PC $> cd meta-aws
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-aws

Add meta-scipy Layer

PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone https://github.com/gpanders/meta-scipy
PC $> cd meta-scipy
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-scipy

Add meta-scikit-learn Layer

PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone https://github.com/tuxable-ltd/meta-scikit-learn
PC $> cd meta-scikit-learn
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-scikit-learn
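
Before building, it is worth confirming that the layers cloned above are at the commits listed in the notes at the top of this README: checking out remotes/origin/dunfell gives whatever that branch points to today, not the tree the procedure was tested on. The following script is an added example for this README (not a tool shipped with the layer); it compares each layer's HEAD with the pinned commit and prints the checkout command that fixes a mismatch. The three commits come from the notes above; the layers directory argument, and the other layers (meta-aws, meta-scipy, meta-scikit-learn, for which the README records no commit), are left to you.

```python
"""Check that the cloned layers are at the commits this README was tested with.

Added example for this README, not part of the meta-st-stm32mpu-hce layer.
Usage on the host: python3 check_layer_pins.py [your STM32MP1 Distribution path]/layers
Exit status 1 means at least one layer is not at its tested commit.
"""
import os
import subprocess
import sys

# Commit ids from the notes of this README. Add the other layers here once you
# have recorded the commit you validated them at.
TESTED_COMMITS = {
    "meta-java": "3b65eea96eddde97169ca5e00be01a9dbd257786",
    "meta-virtualization": "ff997b6b3ba800978546098ab3cdaa113b6695e1",
    "meta-security": "c74cc97641fd93e0e7a4383255e9a0ab3deaf9d7",
}


def git_head(path):
    """Full SHA-1 of HEAD in the checkout at `path`; None if git is missing or
    the directory is not a git checkout."""
    try:
        out = subprocess.run(["git", "-C", path, "rev-parse", "HEAD"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


def find_mismatches(layers_dir, expected, head_of=git_head):
    """Return {layer: (tested_commit, actual_head)} for every layer whose HEAD
    differs from the pinned commit. `head_of` is injectable so the comparison
    can be exercised without real checkouts (see the usage below)."""
    bad = {}
    for layer, want in expected.items():
        actual = head_of(os.path.join(layers_dir, layer))
        if actual != want:
            bad[layer] = (want, actual)
    return bad


def pin_command(layer_dir, commit):
    """The git command that puts a layer back on the exact tested commit."""
    return ["git", "-C", layer_dir, "checkout", "--detach", commit]


def main(argv):
    layers_dir = argv[1] if len(argv) > 1 else "layers"
    bad = find_mismatches(layers_dir, TESTED_COMMITS)
    for layer, (want, got) in sorted(bad.items()):
        print("%s: HEAD is %s, tested commit is %s"
              % (layer, got or "not a git checkout", want))
        print("   fix: " + " ".join(pin_command(os.path.join(layers_dir, layer), want)))
    if not bad:
        print("all pinned layers are at their tested commits")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it again after any `git pull` in the layers directory; a detached checkout at the tested commit is what the notes above describe, and the script tells you exactly which layer drifted.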

Build the image

In the folder [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce, execute the command :

PC $> bitbake st-image-hce

Flash the eMMC

The tsv file flashlayout_st-image-hce/trusted/FlashLayout_emmc_stm32mp157c-hce-mx-trusted.tsv is located in
[your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce/tmp-glibc/deploy/images/stm32mp1-hce/flashlayout_st-image-hce

ref : STM32CubeProgrammer

Run the scripts for the extra configuration of the target (to execute only once, after the first boot)

Execute the following commands on the target :

Board $> source /greengrass/tpm_update.sh

Board $> source /greengrass/aws_certif_update.sh

TPM2 token initialisation

Note : keep the PINs (123456) and the PKCS11 store folder (/usr/local/pkcs11_tpm) used below; the scripts and the greengrass configuration file examples rely on these values, and $TPM2_PKCS11_STORE must point to that folder (export TPM2_PKCS11_STORE=/usr/local/pkcs11_tpm). 123456 is a demonstration PIN for the certification run; on a deployed device choose your own SO PIN and user PIN. Execute the following commands on the target :

Board $> cd /tools

Board $> ./tpm2_ptool.py init --primary-auth=123456 --path=$TPM2_PKCS11_STORE

Board $> ./tpm2_ptool.py addtoken --pid=1 --sopin=123456 --userpin=123456 --label=greengrass --path $TPM2_PKCS11_STORE

Board $> ./tpm2_ptool.py addkey --algorithm=rsa2048 --label="greengrass" --userpin=123456 --key-label=greenkey --path=$TPM2_PKCS11_STORE

OPTIONAL : verification with pkcs11-tool

Execute this command on the target to verify the token created :

Board $> pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so.0 -L

Output :

Available slots:
   Slot 0 (0x1): greengrass STMicro
     token label        : greengrass
     token manufacturer : STMicro
     token model        :
     token flags        : login required, rng, token initialized, PIN initialized
     hardware version   : 1.38
     firmware version   : 74.8
     serial num         : 0000000000000000
     pin min/max        : 5/128
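
Reading that listing by eye is fine once; the script below, an added example for this README (not a tool from the layer), does the same check every time the board is reprovisioned. It parses the `pkcs11-tool -L` output and fails unless exactly one token labelled greengrass exists and carries the "token initialized", "PIN initialized" and "login required" flags. SAMPLE_OK is the listing shown above; SAMPLE_EMPTY is a constructed listing of a slot whose token was never initialised (for example after tpm2_clear and a wiped store), so its format is an assumption about pkcs11-tool's output rather than something copied from the board.

```python
"""Check that the TPM2 PKCS#11 token expected by the Greengrass scripts exists.

Added example for this README. On the board:

    pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so.0 -L | python3 check_token.py
"""
import re
import sys

SLOT_RE = re.compile(r"^\s*Slot\s+(\d+)\s+\((0x[0-9A-Fa-f]+)\):\s*(.*)$")
FIELD_RE = re.compile(r"^\s*([a-z][a-z /]*?)\s*:\s*(.*)$")

# pkcs11-tool prints the CKF_* token flags as comma-separated words; these
# three mean the token exists, has a user PIN, and requires a login to use keys.
REQUIRED_FLAGS = ("token initialized", "PIN initialized", "login required")

# Listing from this README (token created by tpm2_ptool as described above).
SAMPLE_OK = """\
Available slots:
   Slot 0 (0x1): greengrass STMicro
     token label        : greengrass
     token manufacturer : STMicro
     token model        :
     token flags        : login required, rng, token initialized, PIN initialized
     hardware version   : 1.38
     firmware version   : 74.8
     serial num         : 0000000000000000
     pin min/max        : 5/128
"""

# Constructed listing of a slot with no initialised token (assumed format).
SAMPLE_EMPTY = """\
Available slots:
   Slot 0 (0x1):
     token state:   uninitialized
"""


def parse_slots(text):
    """Return one dict per slot: slot number, hex id, description, and every
    'name : value' line that follows it (spaces in names replaced by '_')."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slots.append({"slot": int(m.group(1)), "id": m.group(2),
                          "desc": m.group(3).strip()})
            continue
        if not slots:
            continue  # "Available slots:" header, nothing to attach to yet
        m = FIELD_RE.match(line)
        if m:
            slots[-1][m.group(1).strip().replace(" ", "_")] = m.group(2).strip()
    return slots


def check_token(slots, label="greengrass"):
    """Return a list of problems with the token called `label`; [] means usable."""
    found = [s for s in slots if s.get("token_label") == label]
    if not found:
        return ["no initialised token labelled %r (run tpm2_ptool addtoken)" % label]
    if len(found) > 1:
        return ["%d tokens labelled %r: the pkcs11: URI would be ambiguous"
                % (len(found), label)]
    flags = {f.strip() for f in found[0].get("token_flags", "").split(",")}
    return ["token flag %r missing" % f for f in REQUIRED_FLAGS if f not in flags]


def main():
    problems = check_token(parse_slots(sys.stdin.read()))
    for p in problems:
        print("FAIL:", p)
    if not problems:
        print("OK: token ready for the Greengrass PKCS#11 configuration")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

The duplicate-label check matters because the PKCS#11 URI used later (token=greengrass;object=greenkey) selects the token by label only; two tokens with the same label would make the key lookup ambiguous.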

AT THIS STEP, THE CONFIGURATION OF THE BOARD IS COMPLETE AND THE BOARD CAN BE USED WITH THE AWS IoT Device Tester.

Process to execute the AWS Greengrass certification testing

A) Go to the Amazon site page "AWS IoT Device Tester for AWS IoT Greengrass Versions" and install the AWS IoT Device Tester.

B) Configure your ssh connection (ssh keys)

See the Amazon site page "Configure Your Host Computer to Access Your Device Under Test".

C) Configure the IDT

Example of the location of the config folder for a Windows install :

c:\devicetester_greengrass_win\devicetester_greengrass_win\configs\

See the Amazon site page "Setting Configuration to Run the AWS IoT Greengrass Qualification Suite".

A configuration file example is installed on your host :

/[your STM32MP1 Distribution path]/layers/meta-st/meta-st-demo-aws/recipes-aws/greengrasstests/greengrasstests/device-hsm.json

Note : with this example the certification tests run as root on the target.

D) Execute the tests; see the Amazon site page "Running Tests".

Process to create a Certificate Signing Request (CSR) using the hardware-protected private key

  1. Update the openssl configuration to use the tpm2_pkcs11 module

Add the following lines in /etc/ssl/openssl.cnf at the beginning of the file (just after the "HOME = ." line; openssl_conf must stay in the default section, before any [section] header):


# Load the pkcs11 engine (libp11) from the openssl configuration, so that
# "-engine pkcs11 -keyform engine" finds the TPM2 PKCS#11 module.
openssl_conf = openssl_init
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
# engine shared object (OpenSSL 1.1 engines directory)
dynamic_path = /usr/lib/engines-1.1/pkcs11.so
# PKCS#11 module the engine loads: tpm2-pkcs11, backed by the ST33 TPM
MODULE_PATH = /usr/lib/libtpm2_pkcs11.so.0
# do not initialise the engine when the configuration is loaded; it is initialised on first use
init = 0
  2. Create the CSR with openssl. Execute the following command on the target :

Board $> openssl req -engine pkcs11 -new -key "pkcs11:token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /usr/local/req.csr

Note : the pin-value attribute puts the user PIN on the command line, where it is visible in the shell history and in the process list while openssl runs. This is acceptable for the certification set-up with the demonstration PIN; on a deployed device leave pin-value out so that the engine prompts for the PIN, or supply it another way.

This CSR "/usr/local/req.csr" is used to create the client certificates on the AWS cloud, which are then stored on the board.
There is a greengrass configuration file example on the target, /greengrass/config/config_secu_example.json, to update with your AWS account parameters and the certificates created.
You also need to download the root CA from the Amazon site and store it on the target as /greengrass/certs/root.ca.pem.

  3. Connection to the Amazon cloud

Before starting the Greengrass core on the target, set the TPM2_PKCS11_STORE environment variable so that the PKCS#11 module finds the token created above.

Execute the command on the target :

 Board $> export TPM2_PKCS11_STORE=/usr/local/pkcs11_tpm
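
The CSR step above puts the PIN into the pkcs11: URI on the command line. The script below is an added example for this README (not part of the layer or of Amazon's tooling) that produces the same CSR with the PIN kept out of the command line: the URI is built per RFC 7512 (attribute values percent-encoded, no pin-value) and the PIN reaches openssl through `-passin env:TPM2_PKCS11_PIN`, so it appears neither in `ps` output nor in the shell history. This relies on the pkcs11 engine (libp11) taking the PIN from OpenSSL's password callback, which is what -passin feeds; that behaviour, the variable name TPM2_PKCS11_PIN and the example subject are assumptions of this snippet, not statements of the README.

```python
"""Generate the Greengrass CSR with the TPM-resident key, PIN kept off argv.

Added example for this README. Run on the target after the openssl.cnf change:
    python3 make_csr.py
It prompts for the user PIN and writes /usr/local/req.csr.
"""
import os
import subprocess
from urllib.parse import quote

# RFC 7512 leaves letters, digits and "-._~" unencoded inside a pkcs11: URI;
# everything else (';', '/', spaces, ...) must be percent-encoded.
_UNRESERVED = "-._~"


def pkcs11_uri(token, obj, obj_type="private"):
    """pkcs11: URI selecting object `obj` on the token labelled `token`.
    Deliberately never emits pin-value: the PIN must reach openssl another way."""
    attrs = [("token", token), ("object", obj), ("type", obj_type)]
    return "pkcs11:" + ";".join("%s=%s" % (k, quote(v, safe=_UNRESERVED))
                                for k, v in attrs)


def csr_command(key_uri, out_path, subject, pin_env="TPM2_PKCS11_PIN"):
    """argv for `openssl req` through the pkcs11 engine; the PIN is read from
    the environment variable named `pin_env` (assumption: libp11 answers its
    PIN prompt from OpenSSL's -passin callback)."""
    return ["openssl", "req", "-engine", "pkcs11", "-new",
            "-keyform", "engine", "-key", key_uri,
            "-passin", "env:" + pin_env,
            "-subj", subject, "-out", out_path]


def make_csr(pin, token="greengrass", key="greenkey",
             out_path="/usr/local/req.csr", subject="/CN=stm32mp1-hce",
             store="/usr/local/pkcs11_tpm"):
    """Run openssl with TPM2_PKCS11_STORE and the PIN set only in the child's
    environment; returns the CSR path to upload to the AWS console."""
    env = dict(os.environ, TPM2_PKCS11_STORE=store, TPM2_PKCS11_PIN=pin)
    subprocess.run(csr_command(pkcs11_uri(token, key), out_path, subject),
                   env=env, check=True)
    return out_path


if __name__ == "__main__":
    import getpass
    # Prompt instead of hardcoding 123456; the subject is an example value.
    print(make_csr(getpass.getpass("user PIN for token greengrass: ")))
```

The token and key names (greengrass, greenkey) and the store path are the ones created by the tpm2_ptool commands above; change the subject to what your AWS IoT thing expects.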

In case of trouble, reinitialise all the TPM/PKCS11 layers

How to reset the TPM and the PKCS11 store. Note that tpm2_clear resets the TPM owner hierarchy, so every key created with tpm2_ptool becomes unusable; after the reset, redo the token initialisation above and re-create the AWS certificates for the new key.

Execute the commands on the target :

Board $> cd /usr/bin
Board $> ./tpm2_clear -Q
Board $> rm /usr/local/pkcs11_tpm/*

Error debug

WARNING: You have included the meta-virtualization layer, but 'virtualization' has not been enabled in your DISTRO_FEATURES. Some bbappend files may not take effect. See the meta-virtualization README for details on enabling virtualization support.

Fix : add " virtualization " to DISTRO_FEATURES in openstlinux-weston.conf, as described above.

ERROR: ParseError at /home/mirika-rnd/Work/STM32MP15-Ecosystem-v2.0.0-Mando/Distribution-Package//openstlinux-5.4-dunfell-mp1-20-06-24/layers/meta-virtualization/recipes-extended/libvirt/libvirt-python.inc:1: Could not inherit file classes/python3targetconfig.bbclass

Fix : remove python3targetconfig from the inherit statement on line 1 of libvirt-python.inc (this class is not present in the oe-core of this release).

ERROR: ParseError at /home/mirika-rnd/Work/STM32MP15-Ecosystem-v2.0.0-Mando/Distribution-Package/openstlinux-5.4-dunfell-mp1-20-06-24/layers/meta-security/recipes-mac/AppArmor/apparmor_2.13.6.bb:37: Could not inherit file classes/python3targetconfig.bbclass

Fix : remove python3targetconfig from the inherit statement on line 37 of apparmor_2.13.6.bb.

ERROR: Nothing RPROVIDES 'openjdk-8' (but /home/mirika-rnd/Work/STM32MP15-Ecosystem-v2.0.0-Mando/Distribution-Package/openstlinux-5.4-dunfell-mp1-20-06-24/layers/meta-st/meta-st-stm32mpu-hce/recipes-st/images/st-image-aws-ec21.bb RDEPENDS on or otherwise requires it)
NOTE: Runtime target 'openjdk-8' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['openjdk-8']

Fix (on the host) :

sudo apt-get install openjdk-8-jdk

ERROR: Nothing PROVIDES 'libgfortran' (but /home/builder/Workspace/Distribution-Package/openstlinux-5.4-dunfell-mp1-20-06-24/layers/meta-openembedded/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb DEPENDS on or otherwise requires it)
libgfortran was skipped: libgfortran needs fortran support to be enabled in the compiler
ERROR: Required build target 'python3-scipy' has no buildable providers.
Missing or unbuildable dependency chain was: ['python3-scipy', 'lapack', 'libgfortran']

Fix (on the host), together with the FORTRAN and gfortran lines of the local.conf snippet below :

sudo apt-get install -y libgfortran-8-dev

Added by SDT in local.conf for HCE

# Possible provider: cacao-initial-native and jamvm-initial-native
PREFERRED_PROVIDER_virtual/java-initial-native = "cacao-initial-native"
# Possible provider: cacao-native and jamvm-native
PREFERRED_PROVIDER_virtual/java-native = "jamvm-native"
# Optional since there is only one provider for now
PREFERRED_PROVIDER_virtual/javac-native = "ecj-bootstrap-native"
# =========================================================================
# SDT customize
# Extra Python packages for the HCE image
IMAGE_INSTALL_append = " python3-pandas python3-numpy python3-can"
IMAGE_INSTALL_append = " python3-scikit-learn python3-scipy "
# Enable Fortran in the target gcc: lapack (a python3-scipy dependency) needs libgfortran
FORTRAN_forcevariable = ",fortran"
# libquadmath is required by libgfortran; build it as part of the gcc runtime
RUNTIMETARGET_append_pn-gcc-runtime = " libquadmath"
# Allow the host gfortran into the bitbake build environment
HOSTTOOLS += "gfortran"
# =========================================================================

SDT.inc