meta-st-stm32mpu-hce
OpenEmbedded meta layer to install an AWS Greengrass application.
ref : https://aws.amazon.com/fr/greengrass/
This document describes how to add the "AWS Greengrass" application to the OpenSTLinux distribution, and how to configure the target to run the AWS Greengrass qualification tests, including the Hardware Security Integration test group.
The Hardware Security Module used is the STM4RasPI expansion board (TPM 2.0 component ST33TPHF20SPI).
Notes :
- This process has been tested with the STM32MP1 OpenSTLinux distribution MMDV-v2.0.0 (openstlinux-5.4-dunfell-mp1-20-06-24).
- This process has been tested with the following software releases (git commits) :
- meta-java: "3b65eea96eddde97169ca5e00be01a9dbd257786"
- meta-virtualization: "ff997b6b3ba800978546098ab3cdaa113b6695e1"
- meta-security: "c74cc97641fd93e0e7a4383255e9a0ab3deaf9d7"
- The clone steps below check out the tip of each layer's dunfell branch, which moves over time; to reproduce the tested build exactly, check out the commits listed above instead (git checkout <commit>).
- The Greengrass application is delivered by Amazon as binaries for the Raspbian distribution.
- The AWS IoT Greengrass version installed is v1.11.0; the AWS IoT Device Tester version used for AWS certification is IDT v3.2.0.
- The target is configured to support Greengrass Over-the-Air Updates (OTA).
Process for installation :
Install the OpenSTLinux distribution Yocto environment on your host.
ref : STM32MP1 Distribution Package - OpenSTLinux distribution
Clone the following git repository into [your STM32MP1 Distribution path]/layers/meta-st/
PC $> cd [your STM32MP1 Distribution path]/layers/meta-st
PC $> git clone https://github.com/SigmaDeltaTechnologiesInc/meta-st-stm32mpu-hce
PC $> cd meta-st-stm32mpu-hce
PC $> git checkout remotes/origin/dunfell
Add TPM2 recipes
PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone git://git.yoctoproject.org/meta-security
PC $> cd meta-security
PC $> git checkout remotes/origin/dunfell
Set up the build environment
Execute the command on the host :
PC $> cd [your STM32MP1 Distribution path]
PC $> DISTRO=openstlinux-weston MACHINE=stm32mp1-hce source layers/meta-st/scripts/envsetup.sh
Add Virtualization (docker) in OpenSTLinux distribution
PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone git://git.yoctoproject.org/meta-virtualization
PC $> cd meta-virtualization
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-virtualization
Apply the following update in the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-openstlinux/conf/distro/openstlinux-weston.conf
DISTRO_FEATURES_append = " virtualization "
Add JAVA JDK in OpenSTLinux distribution
PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone git://git.yoctoproject.org/meta-java
PC $> cd meta-java
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-java
Apply the following update in the file [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce/conf/local.conf
# Possible provider: cacao-initial-native and jamvm-initial-native
PREFERRED_PROVIDER_virtual/java-initial-native = "cacao-initial-native"
# Possible provider: cacao-native and jamvm-native
PREFERRED_PROVIDER_virtual/java-native = "jamvm-native"
# Optional since there is only one provider for now
PREFERRED_PROVIDER_virtual/javac-native = "ecj-bootstrap-native"
Increase the ROOTFS partition size
Update the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-stm32mp/conf/machine/include/st-machine-common-stm32mp.inc
IMAGE_ROOTFS_MAXSIZE = "2097152"
Increase the BOOTFS partition size
Update the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-stm32mp/conf/machine/include/st-machine-common-stm32mp.inc
BOOTFS_PARTITION_SIZE = "512000"
Enable TPM build
Apply the following update in the file [your STM32MP1 Distribution path]/layers/meta-st/meta-st-openstlinux/conf/distro/include/openstlinux.inc
DISTRO_FEATURES_append = " tpm2 "
Add AWS
PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone https://github.com/aws/meta-aws
PC $> cd meta-aws
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-aws
Add meta-scipy Layer
PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone https://github.com/gpanders/meta-scipy
PC $> cd meta-scipy
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-scipy
Add meta-scikit-learn Layer
PC $> cd [your STM32MP1 Distribution path]/layers
PC $> git clone https://github.com/tuxable-ltd/meta-scikit-learn
PC $> cd meta-scikit-learn
PC $> git checkout remotes/origin/dunfell
PC $> cd [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
PC $> bitbake-layers add-layer [your STM32MP1 Distribution path]/layers/meta-scikit-learn
Build the image
In the folder [your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce
Execute the command :
PC $> bitbake st-image-hce
Flash the eMMC
The flash layout file flashlayout_st-image-hce/trusted/FlashLayout_emmc_stm32mp157c-hce-mx-trusted.tsv is located in
[your STM32MP1 Distribution path]/build-openstlinuxweston-stm32mp1-hce/tmp-glibc/deploy/images/stm32mp1-hce/flashlayout_st-image-hce
ref : STM32CubeProgrammer
Run the scripts for the extra configuration of the target (to be executed only once, after the first boot)
Execute the commands on the target :
Board $> source /greengrass/tpm_update.sh
Board $> source /greengrass/aws_certif_update.sh
TPM2 token initialisation
Note : keep the PINs (123456) and the PKCS11 store folder (/usr/local/pkcs11_tpm); the scripts and the Greengrass config file examples use these values. These PINs are demonstration values: both the SO PIN and the user PIN protect access to the TPM-resident key, so change them before any deployment outside the test bench. The commands below rely on the TPM2_PKCS11_STORE environment variable pointing to the store folder (export TPM2_PKCS11_STORE=/usr/local/pkcs11_tpm). Execute the commands on the target :
Board $> cd /tools
Board $> ./tpm2_ptool.py init --primary-auth=123456 --path=$TPM2_PKCS11_STORE
Board $> ./tpm2_ptool.py addtoken --pid=1 --sopin=123456 --userpin=123456 --label=greengrass --path $TPM2_PKCS11_STORE
Board $> ./tpm2_ptool.py addkey --algorithm=rsa2048 --label="greengrass" --userpin=123456 --key-label=greenkey --path=$TPM2_PKCS11_STORE
OPTIONAL : Verification with pkcs11-tool
Execute this command on the target to verify the token created.
Board $> pkcs11-tool --module /usr/lib/libtpm2_pkcs11.so.0 -L
Output :
Available slots:
Slot 0 (0x1): greengrass STMicro
token label : greengrass
token manufacturer : STMicro
token model :
token flags : login required, rng, token initialized, PIN initialized
hardware version : 1.38
firmware version : 74.8
serial num : 0000000000000000
pin min/max : 5/128
AT THIS STEP, THE CONFIGURATION OF THE BOARD IS COMPLETED TO BE USED WITH THE AWS IoT Device Tester.
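The token initialisation and the pkcs11-tool verification above can be turned into a repeatable check. The script below is an added example, not part of the meta-st-stm32mpu-hce layer or of its tpm_update.sh / aws_certif_update.sh scripts: it parses the pkcs11-tool -L listing (the embedded sample is the output shown above) to confirm that a token with the expected label exists and that both the token and the user PIN are initialised, and it checks that the PKCS#11 store folder is not readable by other users, since that folder holds the wrapped key blobs and PIN-protected metadata. The module path, the token label and the store path are the page's; the store file name tpm2_pkcs11.sqlite3 is an assumption about the tpm2-pkcs11 store layout.

```shell
#!/bin/sh
# Added example, not part of the meta-st-stm32mpu-hce layer or its scripts.
# Post-initialisation checks for the tpm2-pkcs11 token created with tpm2_ptool.
# Module path, token label and store path are the ones used on this page;
# the store file name tpm2_pkcs11.sqlite3 is an assumption about tpm2-pkcs11.

MODULE=/usr/lib/libtpm2_pkcs11.so.0

# Listing copied from the page's "pkcs11-tool -L" output, so the parser can be
# exercised without a TPM attached.
SAMPLE_LISTING='Available slots:
Slot 0 (0x1): greengrass STMicro
  token label        : greengrass
  token manufacturer : STMicro
  token model        :
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.38
  firmware version   : 74.8
  serial num         : 0000000000000000
  pin min/max        : 5/128'

# check_token_listing LABEL   (pkcs11-tool -L output on stdin)
# Returns 0 when a token with LABEL exists and its flags show both the token
# and the user PIN initialised; 1 if the token is missing, 2 if the token is
# not initialised, 3 if the user PIN is not set (addkey and login would fail).
# The flags line is taken from the slot whose "token label" matches, so a
# second token in the listing cannot satisfy the check by accident.
check_token_listing() {
    label="$1"
    flags=$(awk -v l="$label" '
        /^Slot/ { cur = "" }
        /token label/ { s = $0; sub(/.*: */, "", s); sub(/[ \t]+$/, "", s); cur = s }
        /token flags/ && cur == l { s = $0; sub(/.*: */, "", s); print s }')
    [ -n "$flags" ] || { echo "no token labelled '$label'"; return 1; }
    case "$flags" in
        *"token initialized"*) ;;
        *) echo "token '$label' is not initialized"; return 2 ;;
    esac
    case "$flags" in
        *"PIN initialized"*) ;;
        *) echo "user PIN of token '$label' is not initialized"; return 3 ;;
    esac
    return 0
}

# check_store_dir DIR
# The store holds the TPM-wrapped key blobs: it must exist and must not be
# readable by group/other (mode 700 or stricter). Returns 1 if missing,
# 2 if the permissions are too open.
check_store_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "store dir '$dir' missing (run tpm2_ptool init first)"; return 1; }
    mode=$(stat -c '%a' "$dir") || return 1
    case "$mode" in
        *00) ;;
        *) echo "store dir '$dir' has mode $mode; expected no group/other access (chmod 700)"; return 2 ;;
    esac
    # Assumed file name of the tpm2-pkcs11 database; only a warning if absent.
    [ -f "$dir/tpm2_pkcs11.sqlite3" ] || echo "warning: no tpm2_pkcs11.sqlite3 in '$dir' yet"
    return 0
}

case "${1-}" in
    live)    # on the board, after the addkey step
        pkcs11-tool --module "$MODULE" -L | check_token_listing "${2:-greengrass}"
        check_store_dir "${TPM2_PKCS11_STORE:-/usr/local/pkcs11_tpm}" ;;
    sample)  # offline, against the listing copied from the page
        printf '%s\n' "$SAMPLE_LISTING" | check_token_listing greengrass ;;
esac
```

Run it on the board as sh check_token.sh live after the addkey step; with no argument only the functions are defined, which is how it can be sourced from tpm_update.sh-style scripts.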
Process to run the AWS Greengrass certification tests
A) Go to the Amazon page "AWS IoT Device Tester for AWS IoT Greengrass Versions"
and install the AWS IoT Device Tester.
B) Configure your ssh connection (ssh keys)
Go to the Amazon page "Configure Your Host Computer to Access Your Device Under Test"
C) Configure the IDT
Example of the config folder location for a Windows install :
c:\devicetester_greengrass_win\devicetester_greengrass_win\configs\
See the Amazon page "Setting Configuration to Run the AWS IoT Greengrass Qualification Suite"
There is a configuration file example installed on your host :
/[your STM32MP1 Distribution path]/layers/meta-st/meta-st-demo-aws/recipes-aws/greengrasstests/greengrasstests/device-hsm.json
Note : with this example the certification tests are run as root on the target.
D) Execute the tests : go to the Amazon page "Running Tests"
Process to create a Certificate Signing Request (CSR) using the hardware-protected private key
- Update the OpenSSL tool configuration to use the tpm2_pkcs11 module
Add the following lines to /etc/ssl/openssl.cnf at the beginning of the file (in the default section, right after "HOME = ."), so that the pkcs11 engine is loaded with the tpm2-pkcs11 module :
openssl_conf = openssl_init
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/libtpm2_pkcs11.so.0
init = 0
- How to create a CSR (Certificate Signing Request) with openssl. Execute the command on the target :
Board $> openssl req -engine pkcs11 -new -key "pkcs11:token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /usr/local/req.csr
The signature on the request is computed by the TPM through the pkcs11 engine; the private key is never exported to the filesystem. Note that pin-value on the command line leaves the PIN in the shell history and visible in the process list; omit it and the engine prompts for the PIN instead.
This CSR (/usr/local/req.csr) is used to create the client certificate in the AWS cloud; the issued certificate is then stored on the board.
There is a Greengrass configuration file example on the target, /greengrass/config/config_secu_example.json, to update with your AWS account parameters and the certificate created.
You also need to download the root CA from the Amazon site and store it on the target as /greengrass/certs/root.ca.pem.
- Connection to Amazon cloud
Before starting the greengrass core on the target you need to set the TPM2_PKCS11_STORE environment variable.
Execute the command on the target :
Board $> export TPM2_PKCS11_STORE=/usr/local/pkcs11_tpm
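The engine configuration, CSR creation and CSR check above can be done with one script. The following is an added example, not code from the layer or from ST/AWS: it writes the pkcs11 engine configuration to its own file selected through OPENSSL_CONF (instead of editing /etc/ssl/openssl.cnf, so the stock configuration is untouched), creates the CSR from the TPM-resident key with a PKCS#11 URI that omits pin-value so the engine prompts for the PIN, and verifies the resulting CSR (self-signature and RSA-2048 key) before it is uploaded to AWS IoT. The engine and module paths, the token and key labels and the output path are the page's; the default subject /CN=greengrass-core is an assumption to replace with your own thing name. TPM2_PKCS11_STORE must be exported as shown above before the tpm function is used.

```shell
#!/bin/sh
# Added example, not part of the meta-st-stm32mpu-hce layer.
# Engine config + CSR from the TPM-resident key + CSR verification.
# Engine/module paths, token and key labels are the page's; the default
# subject is an assumption. Needs TPM2_PKCS11_STORE exported (see above).

ENGINE_SO=/usr/lib/engines-1.1/pkcs11.so
MODULE=/usr/lib/libtpm2_pkcs11.so.0

# write_pkcs11_engine_conf FILE
# Same stanza as the page's openssl.cnf update, written to a separate file that
# is selected with OPENSSL_CONF, so /etc/ssl/openssl.cnf stays unchanged.
write_pkcs11_engine_conf() {
    cat > "$1" <<EOF
HOME = .
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE
init = 0
EOF
}

# make_csr_tpm OUT_CSR [SUBJECT]
# openssl req through the pkcs11 engine. The URI carries no pin-value: the
# engine prompts for the user PIN, which keeps it out of the shell history
# and of the process list. Requires the TPM and the token initialised above.
make_csr_tpm() {
    out="$1"; subj="${2:-/CN=greengrass-core}"   # subject is an assumption
    conf=$(mktemp)
    write_pkcs11_engine_conf "$conf"
    OPENSSL_CONF="$conf" openssl req -engine pkcs11 -new \
        -key "pkcs11:token=greengrass;object=greenkey;type=private" \
        -keyform engine -subj "$subj" -out "$out"
    rc=$?
    rm -f "$conf"
    return $rc
}

# verify_csr CSR
# Returns 0 only if the CSR parses, its self-signature verifies (so the
# private key really was used) and the public key is RSA 2048, matching the
# "--algorithm=rsa2048" addkey step. 1 = bad/unsigned CSR, 2 = wrong key type.
verify_csr() {
    csr="$1"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature check failed for '$csr'"; return 1; }
    if ! openssl req -in "$csr" -noout -pubkey 2>/dev/null \
        | openssl rsa -pubin -noout -text 2>/dev/null | grep -q '(2048 bit)'; then
        echo "CSR key in '$csr' is not RSA 2048"; return 2
    fi
    return 0
}

# csr_subject CSR: prints the subject, to compare with the AWS IoT thing name.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

case "${1-}" in
    tpm)   # on the board: create and check the CSR used for the AWS certificate
        out="${2:-/usr/local/req.csr}"
        make_csr_tpm "$out" "${3-}" && verify_csr "$out" && csr_subject "$out" ;;
esac
```

On the board, sh make_csr.sh tpm /usr/local/req.csr "/CN=<thing name>" produces and checks the request; verify_csr can also be run on the host against a CSR copied off the board before it is uploaded.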
In case of trouble, to reinitialise all the TPM/PKCS11 layers
How to reset the TPM and the PKCS11 store :
Warning : tpm2_clear wipes the TPM storage hierarchy, so the primary object and every key created with tpm2_ptool (including greenkey) are destroyed. The client certificate issued in AWS IoT for that key can no longer be used and must be replaced, and the token initialisation steps above must be run again. Execute the commands on the target :
Board $> cd /usr/bin
Board $> ./tpm2_clear -Q
Board $> rm /usr/local/pkcs11_tpm/*
Error debug
WARNING: You have included the meta-virtualization layer, but 'virtualization' has not been enabled in your DISTRO_FEATURES. Some bbappend files may not take effect. See the meta-virtualization README for details on enabling virtualization support.
Fix : add DISTRO_FEATURES_append = " virtualization " to openstlinux-weston.conf as described above.
ERROR: ParseError at /home/mirika-rnd/Work/STM32MP15-Ecosystem-v2.0.0-Mando/Distribution-Package//openstlinux-5.4-dunfell-mp1-20-06-24/layers/meta-virtualization/recipes-extended/libvirt/libvirt-python.inc:1: Could not inherit file classes/python3targetconfig.bbclass
Fix : this OpenSTLinux dunfell snapshot does not ship classes/python3targetconfig.bbclass; remove python3targetconfig from the inherit statement at line 1 of libvirt-python.inc.
ERROR: ParseError at /home/mirika-rnd/Work/STM32MP15-Ecosystem-v2.0.0-Mando/Distribution-Package/openstlinux-5.4-dunfell-mp1-20-06-24/layers/meta-security/recipes-mac/AppArmor/apparmor_2.13.6.bb:37: Could not inherit file classes/python3targetconfig.bbclass
Fix : same cause; remove python3targetconfig from the inherit statement at line 37 of apparmor_2.13.6.bb.
ERROR: Nothing RPROVIDES 'openjdk-8' (but /home/mirika-rnd/Work/STM32MP15-Ecosystem-v2.0.0-Mando/Distribution-Package/openstlinux-5.4-dunfell-mp1-20-06-24/layers/meta-st/meta-st-stm32mpu-hce/recipes-st/images/st-image-aws-ec21.bb RDEPENDS on or otherwise requires it)
NOTE: Runtime target 'openjdk-8' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['openjdk-8']
Fix applied on the host : sudo apt-get install openjdk-8-jdk
Also check that meta-java is listed in conf/bblayers.conf and that the recipe is visible to bitbake : bitbake-layers show-recipes openjdk-8
ERROR: Nothing PROVIDES 'libgfortran' (but /home/builder/Workspace/Distribution-Package/openstlinux-5.4-dunfell-mp1-20-06-24/layers/meta-openembedded/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb DEPENDS on or otherwise requires it)
libgfortran was skipped: libgfortran needs fortran support to be enabled in the compiler
ERROR: Required build target 'python3-scipy' has no buildable providers.
Missing or unbuildable dependency chain was: ['python3-scipy', 'lapack', 'libgfortran']
Fix : on the host, sudo apt-get install -y libgfortran-8-dev, and enable Fortran in the target toolchain with the FORTRAN_forcevariable, RUNTIMETARGET and HOSTTOOLS lines added to local.conf (see below).
Lines added by SDT to local.conf for HCE :
# Possible provider: cacao-initial-native and jamvm-initial-native
PREFERRED_PROVIDER_virtual/java-initial-native = "cacao-initial-native"
# Possible provider: cacao-native and jamvm-native
PREFERRED_PROVIDER_virtual/java-native = "jamvm-native"
# Optional since there is only one provider for now
PREFERRED_PROVIDER_virtual/javac-native = "ecj-bootstrap-native"
# =========================================================================
# SDT cumtomize
IMAGE_INSTALL_append = " python3-pandas python3-numpy python3-can"
IMAGE_INSTALL_append = " python3-scikit-learn python3-scipy "
FORTRAN_forcevariable = ",fortran"
RUNTIMETARGET_append_pn-gcc-runtime = " libquadmath"
HOSTTOOLS += "gfortran"
# =========================================================================
SDT.inc