1. Prerequisites
This and the following instructions are the standard "Getting Started with Amazon FreeRTOS" steps with some minor modifications, mainly related to certificate provisioning.
To follow along with this tutorial, you need an AWS account, an IAM user with permission to access AWS IoT and Amazon FreeRTOS, and one of the supported hardware platforms.
To create an AWS account, see Create and Activate an AWS Account.
To add an IAM user to your AWS account, see IAM User Guide. To grant your IAM user account access to AWS IoT and Amazon FreeRTOS, attach the following IAM policies to your IAM user account:
- AmazonFreeRTOSFullAccess
- AWSIoTFullAccess
- Browse to the IAM console, and from the navigation pane, choose Users.
- Enter your user name in the search text box, and then choose it from the list.
- Choose Add permissions.
- Choose Attach existing policies directly.
- In the search box, enter AmazonFreeRTOSFullAccess, choose it from the list, and then choose Next: Review.
- Choose Add permissions.
- Browse to the IAM console, and from the navigation pane, choose Users.
- Enter your user name in the search text box, and then choose it from the list.
- Choose Add permissions.
- Choose Attach existing policies directly.
- In the search box, enter AWSIoTFullAccess, choose it from the list, and then choose Next: Review.
- Choose Add permissions.
For more information about IAM and user accounts, see IAM User Guide. For more information about policies, see IAM Permissions and Policies.
- You can register your OPTIGA™ Trust Shield 2Go either via direct communication with the I2C interface on any embedded Linux board, e.g. Raspberry Pi 3, or via an OPTIGA™ Trust Perso Shield (link pending).
  - Via the direct I2C interface: An example connection with OPTIGA™ Trust X Security Shield 2Go and RPi3 is below. Note: this setup is valid if you want to provision the device using a direct I2C connection. Alternatively you can use an FTDI USB/I2C converter for this.
  - Via the OPTIGA™ Trust Perso Shield (link pending): In this case no special actions are required except for installation of the FTDI/libusb drivers:
    - Windows: install the FTDI D2XX Direct Drivers, then unplug and plug in your device.
    - Linux (e.g. Debian based): `apt-get install libusb-1.0-0-dev libusb-1.0-0`
- AWS related settings:
  - Make sure the AWS CLI is installed on your system. For more information, see Installing the AWS Command Line Interface. Please choose the "Installing the AWS CLI Using pip" option.
  - Run `aws configure` to configure the AWS CLI. For more information, see Configuring the AWS CLI.
  - Use the following command to install the boto3 Python module:
    ```
    $ pip install boto3
    ```
- [Optional for Windows] Install MSYS2
  - Install the Git client by executing the `pacman -S git git-gui` command in the MSYS2 environment.
  - Note: We recommend using the 32-bit version of the MSYS2 launcher, i.e. MSYS2 MinGW 32-bit.
- [Optional for Linux] Install a basic development package, e.g.
  ```
  $ sudo apt install build-essential
  ```
Download the latest version of the Personalization AppNote either by cloning its repository recursively with the following command
```
$ git clone --recursive https://github.com/Infineon/personalize-optiga-trust-x
```
or by directly downloading the latest release.
In the Linux terminal or
```
$ cd personalize-optiga-trust-x/source
$ make rpi3|libusb
```
**Note: The selection between the two options rpi3 or libusb should be made based on the setup you would like to use. In case of a direct I2C interface please select the rpi3 option, otherwise libusb.**
During the build process you should see console output similar to the one below.
Build process of mbedTLS and OPTIGA Trust X library
```
mkdir -p ./build
mkdir -p ./../bin
make -C ./mbedtls-2.6.0/ no_test
make[1]: Entering directory '/home/pi/personalize-optiga-trust-x/source/mbedtls-2.6.0'
make[2]: Entering directory '/home/pi/personalize-optiga-trust-x/source/mbedtls-2.6.0/library'
CC aes.c
CC aesni.c
CC arc4.c
CC asn1parse.c
CC asn1write.c
CC base64.c
CC bignum.c
CC blowfish.c
CC camellia.c
CC ccm.c
CC cipher.c
CC cipher_wrap.c
CC cmac.c
CC ctr_drbg.c
CC des.c
CC dhm.c
CC ecdh.c
CC ecdsa.c
CC ecjpake.c
CC ecp.c
CC ecp_curves.c
CC entropy.c
CC entropy_poll.c
CC error.c
CC gcm.c
CC havege.c
CC hmac_drbg.c
CC md.c
CC md2.c
CC md4.c
CC md5.c
CC md_wrap.c
CC memory_buffer_alloc.c
CC oid.c
CC padlock.c
CC pem.c
CC pk.c
CC pk_wrap.c
CC pkcs12.c
CC pkcs5.c
CC pkparse.c
CC pkwrite.c
CC platform.c
CC ripemd160.c
CC rsa.c
CC sha1.c
CC sha256.c
CC sha512.c
CC threading.c
CC timing.c
CC version.c
CC version_features.c
CC xtea.c
AR libmbedcrypto.a
RL libmbedcrypto.a
CC certs.c
CC pkcs11.c
CC x509.c
CC x509_create.c
CC x509_crl.c
CC x509_crt.c
CC x509_csr.c
CC x509write_crt.c
CC x509write_csr.c
AR libmbedx509.a
RL libmbedx509.a
CC debug.c
CC net_sockets.c
CC ssl_cache.c
CC ssl_ciphersuites.c
CC ssl_cli.c
CC ssl_cookie.c
CC ssl_srv.c
CC ssl_ticket.c
CC ssl_tls.c
AR libmbedtls.a
RL libmbedtls.a
make[2]: Leaving directory '/home/pi/personalize-optiga-trust-x/source/mbedtls-2.6.0/library'
make[2]: Entering directory '/home/pi/personalize-optiga-trust-x/source/mbedtls-2.6.0/programs'
CC aes/aescrypt2.c
CC aes/crypt_and_hash.c
CC hash/hello.c
CC hash/generic_sum.c
CC pkey/dh_client.c
CC pkey/dh_genprime.c
CC pkey/dh_server.c
CC pkey/ecdh_curve25519.c
CC pkey/ecdsa.c
CC pkey/gen_key.c
CC pkey/key_app.c
CC pkey/key_app_writer.c
CC pkey/mpi_demo.c
CC pkey/pk_decrypt.c
CC pkey/pk_encrypt.c
CC pkey/pk_sign.c
CC pkey/pk_verify.c
CC pkey/rsa_genkey.c
CC pkey/rsa_decrypt.c
CC pkey/rsa_encrypt.c
CC pkey/rsa_sign.c
CC pkey/rsa_verify.c
CC pkey/rsa_sign_pss.c
CC pkey/rsa_verify_pss.c
CC ssl/dtls_client.c
CC ssl/dtls_server.c
CC ssl/ssl_client1.c
CC ssl/ssl_client2.c
CC ssl/ssl_server.c
CC ssl/ssl_server2.c
CC ssl/ssl_fork_server.c
CC ssl/mini_client.c
CC ssl/ssl_mail_client.c
CC random/gen_entropy.c
CC random/gen_random_havege.c
CC random/gen_random_ctr_drbg.c
CC test/ssl_cert_test.c
CC test/benchmark.c
CC test/selftest.c
CC test/udp_proxy.c
CC util/pem2der.c
CC util/strerror.c
CC x509/cert_app.c
CC x509/crl_app.c
CC x509/cert_req.c
CC x509/cert_write.c
CC x509/req_app.c
make[2]: Leaving directory '/home/pi/personalize-optiga-trust-x/source/mbedtls-2.6.0/programs'
make[1]: Leaving directory '/home/pi/personalize-optiga-trust-x/source/mbedtls-2.6.0'
Compiling optiga_trust_x/optiga/crypt/optiga_crypt.c
Compiling optiga_trust_x/optiga/util/optiga_util.c
Compiling optiga_trust_x/optiga/cmd/CommandLib.c
Compiling optiga_trust_x/optiga/common/Logger.c
Compiling optiga_trust_x/optiga/common/Util.c
Compiling optiga_trust_x/optiga/comms/optiga_comms.c
Compiling optiga_trust_x/optiga/comms/ifx_i2c/ifx_i2c.c
Compiling optiga_trust_x/optiga/comms/ifx_i2c/ifx_i2c_config.c
Compiling optiga_trust_x/optiga/comms/ifx_i2c/ifx_i2c_data_link_layer.c
Compiling optiga_trust_x/optiga/comms/ifx_i2c/ifx_i2c_physical_layer.c
Compiling optiga_trust_x/optiga/comms/ifx_i2c/ifx_i2c_transport_layer.c
Compiling optiga_trust_x/pal/linux/pal.c
Compiling optiga_trust_x/pal/linux/pal_gpio.c
Compiling optiga_trust_x/pal/linux/pal_i2c.c
Compiling optiga_trust_x/pal/linux/pal_ifx_i2c_config.c
Compiling optiga_trust_x/pal/linux/pal_os_event.c
Compiling optiga_trust_x/pal/linux/pal_os_lock.c
Compiling optiga_trust_x/pal/linux/pal_os_timer.c
Compiling json_parser/cJSON.c
Compiling json_parser/JSON_parser.c
Compiling optiga_generate_csr.c
optiga_generate_csr.c: In function ‘__optiga_sign_wrap’:
optiga_generate_csr.c:88:35: warning: passing argument 1 of ‘optiga_crypt_ecdsa_sign’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
status = optiga_crypt_ecdsa_sign(hash, hash_len, optiga_key_id, der_signature, &ds_len);
                                 ^~~~
In file included from optiga_generate_csr.c:54:0:
./optiga_trust_x/optiga/include/optiga/optiga_crypt.h:403:21: note: expected ‘uint8_t * {aka unsigned char *}’ but argument is of type ‘const unsigned char *’
optiga_lib_status_t optiga_crypt_ecdsa_sign(uint8_t * digest,
                    ^~~~~~~~~~~~~~~~~~~~~~~
optiga_generate_csr.c:102:30: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘size_t {aka unsigned int}’ [-Wformat=]
mbedtls_printf( " Size %lu\n", *sig_len);
                             ^
Linking ../bin/optiga_generate_csr
Compiling optiga_upload_crt.c
Linking ../bin/optiga_upload_crt
```
Your binaries are ready to be used and can be found in the folder bin in the root directory of your project
The precompiled binaries can be found in the bin directory of the repository. For instance, instead of the command listed below, on Windows (in this case you need to have the OPTIGA™ Trust Perso Shield connected) you can use
```
$ ../bin/libusb_win_x86/optiga_generate_csr -o ../IO_files/optiga.csr -i ../IO_files/config.jsn
```
```
$ sudo ../bin/rpi3_linux_arm/optiga_generate_csr -f /dev/i2c-1 -o ../IO_files/optiga.csr -i ../IO_files/config.jsn
```
- `-f /dev/i2c-1`: Path to the I2C device to which Infineon's OPTIGA™ Trust X is connected
- `-o optiga.csr`: Path to a file where the generated Certificate Signing Request will be stored
- `-i ../IO_file/config.jsn`: JSON config file to define your own Distinguished Name for the End-Device Certificate

Example config.jsn:
```
{
"CN": "AWS IoT Certificate",
"O": "Infineon Technologies AG",
"C": "DE",
"ST": "Germany"
}
```
Upload the resulting certificate onto the security chip
```
$ sudo ../bin/rpi3_linux_arm/optiga_upload_crt -f /dev/i2c-1 -c ../IO_files/certificate_in_der.der -o 0xE0E1
```
- `-f /dev/i2c-1`: Path to the I2C device to which Infineon's OPTIGA™ Trust X is connected
- `-c certificate_in_der.der`: DER encoded certificate which you want to upload to the device
- `-o 0xE0E1`: Optional parameter which defines into which Object ID the given certificate is written
Make sure you have completed the Prerequisites step before continuing with the script.
Open the file configure.json and fill in the following details:
- thing_name: Name of the thing you want to create or have already created
- policy_name: Name of the policy you want to create or have already created
- certificate_objectid: Certificate Object ID on the OPTIGA™ Trust device. Possible values are 0xE0E1, 0xE0E2, 0xE0E3; 0xE0E1 is the default
- privatekey_objectid: Private Key Object ID on the OPTIGA™ Trust device. Possible values are 0xE0F1, 0xE0F2, 0xE0F3; 0xE0F1 is the default
- executable_path: in the bin folder you can find many different targets; depending on your setup, select either "libusb_win_x86", "libusb_linux_x86_64" or "rpi3_linux_arm"
- i2c_device: In case you have raw communication via GPIO, put your I2C device here, for instance /dev/i2c-1
- Open a terminal prompt
- Go to the <BASE_FOLDER>/scripts/aws_config_quick_start directory and run the following command:
```
$ sudo python SetupAWS.py setup
```
*Note: sudo is required only for Linux, as you need access to the hardware, which is possible either by creating corresponding exceptions in the Linux policy or by prepending your command with sudo.*

This script creates an IoT thing, certificate, and policy. It attaches the IoT policy to the certificate and the certificate to the IoT thing. It also generates a keypair on the OPTIGA™ Trust X device, generates a CSR based on the configuration provided in the aws_optiga_cert.jsn file and signs it with one of the AWS IoT Core Certificate Authorities.
Using this repository you can generate a new CSR which can be used to issue a new X.509 certificate signed by an AWS IoT Core server. In addition to the requirements mentioned above, you need to install the AWS Command Line Interface, which is available as a package for many platforms; e.g. it can be installed on a Raspberry Pi by using the following guidance. [Note: you need to have a valid AWS account for this.]
```
$ cd <root_folder_of_the_app_note>/bin
$ sudo ./rpi_linux_arm/optiga_generate_csr -f /dev/i2c-1 -o ../../IO_files/optiga.csr -i ../../IO_files/config.jsn
Data read:
{
"CN": "AWS IoT Certificate",
"O": "Infineon Technologies AG",
"C": "DE",
"ST": "Germany"
}
CN=AWS IoT Certificate,O=Infineon Technologies AG,C=DE,ST=Germany
OPTIGA(TM) Trust X initialized.
Keypair generated.
Public key is
04A9A8AADE3AED513FBCFFDC276E89F245B70B380B3D9DB81F19BD3A56C8C11889B963582D2CFCC383229DF708C5060C3DE8B1F9F13E1FDAEE901330B117EF
. Checking subject name...
. Loading the private key ...
. Writing the certificate request ...
OPTIGA(TM) Trust X Signature generation
304502205C4F90D147D511E3A36445E35BC251EA9EDD02E712B36D8EA7E8677F85EDDBB2022100F7630F847048CAFBC3D04285F3A229E4579478E23DC9855649997E0BD310 Size 71
ok
```
For Windows and the OPTIGA™ Trust Perso Shield
```
$ cd <root_folder_of_the_app_note>/bin
$ libusb_win_x86\optiga_generate_csr -o ../../IO_files/optiga.csr -i ../../IO_files/config.jsn
Data read:
{
"CN": "AWS IoT Certificate",
"O": "Infineon Technologies AG",
"C": "DE",
"ST": "Germany"
}
CN=AWS IoT Certificate,O=Infineon Technologies AG,C=DE,ST=Germany
OPTIGA(TM) Trust X initialized.
Keypair generated.
Public key is
046DB52B0D78BF52B8122610CEA37DE90DAA40D61C841B112F81CB5A69D9026BA33F4E9431CAEB1725CCC538FA07ED66FBF11AB3E85D7B7207DDE876614875B128
. Seeding the random number generator...
. Checking subject name...
. Loading the private key ...
. Writing the certificate request ...
OPTIGA(TM) Trust X Signature generation
3045022100E526263EDB74C630F4CC4D910018DD1DA4350983ADFBFBC8B0AF1639C3615FDC0220023C6979ED2EC5CE4E855C5C0D827376D4FE3FBCAEA7170FE06A10290C59FC4D Size 71
ok
```
```
$ cd ../IO_files
$ aws iot create-certificate-from-csr --region <your-region-eg-us-east-2> --certificate-signing-request file://optiga.csr --set-as-active --certificate-pem-outfile optiga.pem --query certificateArn > optiga.aws_arn
$ sudo ../bin/<platfrom_build_name>/optiga_upload_crt -f /dev/i2c-1 -c optiga.pem
OPTIGA(TM) Trust X initialized.
******************** Certificate read ********************
Length: 605
30 82 02 59 30 82 01 FE A0 03 02 01 02 02 02 10 01 30 0A 06 08 2A 86 48 CE 3D 04 03 02 30 42 31 0B 30 09 06 03 55 04 06 13 02 44 45 31 10 30 0E 06 03 55 04 08 0C 07 47 65 72 6D 61 6E 79 31 21 30 1F 06 03 55 04 0A 0C 18 49 6E 66 69 6E 65 6F 6E 20 54 65 63 68 6E 6F 6C 6F 67 69 65 73 20 41 47 30 1E 17 0D 31 38 31 32 30 33 31 36 32 31 31 34 5A 17 0D 31 39 31 32 31 33 31 36 32 31 31 34 5A 30 60 31 0B 30 09 06 03 55 04 06 13 02 44 45 31 10 30 0E 06 03 55 04 08 13 07 47 65 72 6D 61 6E 79 31 21 30 1F 06 03 55 04 0A 13 18 49 6E 66 69 6E 65 6F 6E 20 54 65 63 68 6E 6F 6C 6F 67 69 65 73 20 41 47 31 1C 30 1A 06 03 55 04 03 13 13 41 57 53 20 49 6F 54 20 43 65 72 74 69 66 69 63 61 74 65 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE 3D 03 01 07 03 42
******************** END ********************
cert. version : 3
serial number : 10:01
issuer name : C=DE, ST=Germany, O=Infineon Technologies AG
subject name : C=DE, ST=Germany, O=Infineon Technologies AG, CN=AWS IoT Certificate
issued on : 2018-12-03 16:21:14
expires on : 2019-12-13 16:21:14
signed using : ECDSA with SHA256
EC key size : 256 bits
cert. type : SSL Client, Email
key usage : Digital Signature, Non Repudiation, Key Encipherment
ext key usage : TLS Web Client Authentication, E-mail Protection
******************** END ********************
******************** Writing certificate ********************
Certificate successfully written
******************** END ********************
```
On Windows (cmd):
```
$ set /p AWS_ARN= < optiga.aws_arn
$ aws iot attach-thing-principal --thing-name "my_thing" --principal %AWS_ARN%
$ aws iot attach-principal-policy --policy-name "my_policy" --principal %AWS_ARN%
```
On Linux:
```
$ export AWS_ARN=$(echo `cat optiga.aws_arn`)
$ aws iot attach-thing-principal --thing-name "my_thing" --principal $AWS_ARN
$ aws iot attach-principal-policy --policy-name "my_policy" --principal $AWS_ARN
```
Note: A policy and a thing should already be created and available in your AWS IoT instance in the used region.
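Two sanity checks worth running on the artefacts above before anything is written into the chip's object store, as an added example that is not part of the app note's own tools (standard library only): converting the PEM the AWS CLI returns into the DER that optiga_upload_crt stores, confirming the DER is one complete SEQUENCE whose size matches the tool's "Length:" line, and decoding the DER ECDSA signature the CSR tool prints, which is why it reports "Size 71" rather than a fixed 64 bytes.

```python
import base64
import re


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (-----BEGIN CERTIFICATE-----) that the AWS CLI
    returns and decode to DER, the encoding optiga_upload_crt expects."""
    block = re.search(r"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", pem, re.S)
    if block is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(block.group(1).split()))


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos -> (tag, value, end).
    Handles short and long-form (0x81/0x82) lengths and refuses to read
    past the buffer, which is how a truncated certificate shows up."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER object runs past end of buffer (truncated?)")
    return tag, buf[pos:pos + length], pos + length


def check_certificate_der(der: bytes) -> int:
    """A certificate is exactly one outer SEQUENCE (0x30). Returns its total
    size, the number the upload tool prints as 'Length:' (605 in the README
    run, whose dump starts 30 82 02 59 = 4 header bytes + 0x259 payload bytes)."""
    tag, _value, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE (trailing or missing bytes)")
    return end


def parse_ecdsa_signature(sig: bytes):
    """ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } -> (r, s).
    Each INTEGER carries a leading 0x00 when its top bit is set, which is why
    the CSR tool reports 'Size 71' rather than a fixed 64 bytes."""
    tag, body, end = der_tlv(sig)
    if tag != 0x30 or end != len(sig):
        raise ValueError("signature is not a DER SEQUENCE")
    tag_r, r, pos = der_tlv(body)
    tag_s, s, pos = der_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(r, "big"), int.from_bytes(s, "big")
```

Feeding the 71-byte signature from the Windows run above into parse_ecdsa_signature yields a 33-byte r (leading 0x00) and a 32-byte s; feeding a partial certificate dump into check_certificate_der raises instead of silently passing a short blob on to the upload tool.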