
SECURITY STARTER KIT WITH STM32MP1 AND OPTIGA™ TPM 2.0

Developer Guide
Security Starter Kit with STM32MP1 and OPTIGA™ TPM 2.0
Date: December 3, 2020 | Version 1.8
FINAL

Confidentiality Notice
Copyright (c) 2020 eInfochips. - All rights reserved
This document is authored by eInfochips and is eInfochips intellectual property, including the copyrights in all countries in
the world. This document is provided under a license to use only with all other rights, including ownership rights, being
retained by eInfochips. This file may not be distributed, copied, or reproduced in any manner, electronic or otherwise,
without the express written consent of eInfochips.

Developer Guide eInfochips Private Limited Confidential Page 1 of 65



Contents
1 INTRODUCTION................................................................................................................. 5
1.1 Purpose of the Document ............................................................................................ 5
1.2 Intended Audience ...................................................................................................... 5
1.3 Prerequisites .............................................................................................................. 5
1.4 Scope of Detailed Design.............................................................................................. 5
2 ENVIRONMENT SETUP ....................................................................................................... 6
3 HARDWARE SETUP ............................................................................................................ 7
3.1 Hardware setup - Security Starter Kit with STM32MP1 and OPTIGA™ TPM 2.0 .................... 7
3.1.1 STM32MP1 board S3 Dip Switch settings for booting from SD Card ........................................... 7
3.1.2 Hardware connection between Avenger96 and OPTIGA™ TPM2.0 ............................................ 7
3.1.3 Powering up the Board ......................................................................................................... 8
3.1.4 Open board's terminal - console (Minicom) on Linux PC ........................................................... 8
4 SOFTWARE SETUP ........................................................................................................... 10
4.1 SSK- STM32MP1 and OPTIGA™ TPM 2.0 Yocto Environment Setup .................................. 10
4.1.1 Pre-requisite ...................................................................................................................... 10
4.1.2 Steps to build the BSP for the SSK- STM32MP1 and OPTIGA™ TPM 2.0 through Yocto .............. 10
4.2 Keys and certificates information. ............................................................................... 12
4.3 OPTIGA™ TPM2.0 Setup Script .................................................................................... 12
4.4 TLS Mutual Authentication & Session Establishment Using H/w Security .......................... 15
4.4.1 Linux Environment: Generate the required keys and certificate .............................................. 16
4.4.1.1 AWS Custom Gateway CA Creation ................................................................................................ 17
4.4.1.2 Registering Your CA Certificate ...................................................................................................... 17
4.4.2 Linux Environment: Secure Device Certificate and Private Key Gen ......................................... 20
4.5 AWS Greengrass Group Creation................................................................................. 24
4.6 AWS Console and Board: Setup AWS IoT for the Demo .................................................. 27
4.6.1 Register the Device Certificate to the AWS IoT for the “thing” ................................................ 28
4.6.2 AWS Console: Create Publish/Subscribe Policy ...................................................................... 32
4.6.3 Linux Environment: Configure the AWS Example Application that Connects to AWS ................. 33
4.6.4 Lambda Functions on AWS IoT Greengrass ........................................................................... 34
4.6.5 On Board: Execute the AWS Example Application .................................................................. 43
5 STM32MP15 SECURE BOOT .............................................................................................. 46
5.1 Secure boot implementation ...................................................................................... 46
5.1.1 Overview ........................................................................................................................... 46
5.1.2 Key Generation .................................................................................................................. 47
5.1.2.1 Install STM32MP Key Generator .................................................................................................... 47
5.1.2.2 STM32MP Key Generator command line interface ........................................................................... 47
5.1.2.3 Extending Public key Hash to bootfs in SD-card ................................................................................ 48
5.1.2.4 Verify Public Key Hash .................................................................................................................. 48
5.1.3 Key Registration ................................................................................................................. 48
5.1.3.1 Register hash public key ................................................................................................................ 48
5.1.4 Signing the FSBL and SSBL ................................................................................................... 49
5.1.4.1 SSBL signing ................................................................................................................................. 50
5.1.4.2 FSBL signing ................................................................................................................................. 50


5.1.5 Flash the signed image ........................................................................................................ 50


5.1.6 Verify Authentication .......................................................................................................... 51
5.1.6.1 Bootrom Authentication ............................................................................................................... 51
5.1.6.2 TF-A authentication ...................................................................................................................... 51
5.1.7 Close the device ................................................................................................................. 51
5.2 Measured Boot with OPTIGA™ TPM2.0 ........................................................................ 52
5.2.1 Measured boot Step to verify the platform Integrity .............................................................. 52
6 APPENDIX ....................................................................................................................... 54
6.1 Avenger – 96 Boards ................................................................................................. 54
6.2 AWS Greengrass ....................................................................................................... 55
6.3 Tresor Mezzanine OPTIGA™ TPM 2.0 ........................................................................... 57
6.4 Trusted Platform Module – TPM ................................................................................. 58
6.5 Boot chains Environment overview ............................................................................. 60
6.5.1 Generic boot sequence ....................................................................................................... 60
6.5.2 STM32MP15 boot chain ...................................................................................................... 60
6.5.2.1 Overview ..................................................................................................................................... 60
6.5.2.2 ROM Code ................................................................................................................................... 61
6.5.2.3 First Stage Boot Loader (FSBL) ....................................................................................................... 61
6.5.2.4 Second Stage Boot Loader (SSBL) ................................................................................................... 62
6.5.2.5 Linux ........................................................................................................................................... 62
6.5.2.6 Secure OS / Secure Monitor .......................................................................................................... 62
6.6 Building a Secure Signed Image ................................................................................... 62
6.7 Measured boot Principles .......................................................................................... 64
7 REFERENCES ................................................................................................................... 65


FIGURES

Figure 1: Security Starter Kit Architecture. .................................................................................................... 5


Figure 2: Hardware Connection Setup on Avenger96 board ........................................................................... 8
Figure 3: Secure boot process flow ............................................................................................................ 47
Figure 4: Measured Boot flow between TPM and Avenger Board. ................................................................. 52
Figure 5: AWS Greengrass Group ............................................................................................................... 56
Figure 6: Tresor Mezzanine OPTIGA™ TPM 2.0 ............................................................................................ 57
Figure 7: Root of Trust .............................................................................................................................. 58
Figure 8: Measured/Trusted Boot Process .................................................................................................. 59
Figure 9: Generic Boot Sequence ............................................................................................................... 60
Figure 10: STM32MP15 boot chain ............................................................................................................ 61
Figure 11: STM32 Image Header Description .............................................................................................. 62
Figure 12: STM32 Image Header Detailed Description ................................................................................. 63

TABLES

Table 1: Preloaded Keys and Certificates .................................................................................................... 16

DEFINITION, ACRONYMS AND ABBREVIATIONS

Definition/Acronym/Abbreviation Description
AV96 Avenger96 Board (with STM32MP157CAC MPU installed)
CSR Certificate Signing Request
DDR Double Data Rate Synchronous Dynamic
FSBL First Stage Boot Loader
PCR Platform Configuration Register
SSBL Second Stage Boot Loader
SSK Security Starter Kit
TF-A Trusted Firmware-A
TFTP Trivial File Transfer Protocol
TPM Trusted Platform module


1 INTRODUCTION
1.1 Purpose of the Document
This guide describes how to set up the OPTIGA™ TPM 2.0 on the Arrow Avenger96 based Yocto platform
with an integrated TPM driver and Amazon Greengrass support. The TPM provides hardware-layer security
for the Avenger96's communication with the cloud.
1.2 Intended Audience
This document is for end users who want to use the OPTIGA™ TPM 2.0 and the Avenger96 with
STM32MP157CAC together with AWS services, with hardware-layer security enabled.
1.3 Prerequisites
The following hardware and software are needed to demonstrate AWS Greengrass (GG) with
OPTIGA™ TPM 2.0 security:
• Security Starter Kit setup:
o Avenger96 board (with the STM32MP157CAC MPU installed)
o Tresor Mezzanine board (with the OPTIGA™ TPM 2.0 installed)
o SD card
o Micro-USB debug cable
o Power supply
• Linux PC (Minicom for the serial console)
• Internet connectivity (Wi-Fi/Ethernet); the board and the Linux PC must be on the same network
1.4 Scope of Detailed Design
Integration of AWS IoT Greengrass with the OPTIGA™ TPM 2.0 provides a secure, hardware-based
gateway/edge compute device. The private key used to establish the device identity is stored in
tamper-proof hardware, which protects the device from being compromised or impersonated and from
other malicious activity.

Figure 1: Security Starter Kit Architecture.


2 ENVIRONMENT SETUP

1. Cloud services: Amazon Web Services (the user must have AWS account credentials before
using this guide)
2. Gateway device: Avenger96, based on the STM32MP157A (96Boards); the processor is swapped to the
STM32MP157CAC to enable secure boot
3. Hardware security device: Tresor Mezzanine with Infineon OPTIGA™ TPM 2.0 (the TPM device is
swapped with the Infineon OPTIGA™ SLB9670 or SLM9670 TPM 2.0)
4. Power supply: 12V-2A 24W AC/DC power supply
5. Debug cable: Micro-USB debug cable
6. Host PC: Linux as operating system (Ubuntu 16.04)


3 HARDWARE SETUP
3.1 Hardware setup - Security Starter Kit with STM32MP1 and OPTIGA™ TPM 2.0
3.1.1 STM32MP1 board S3 Dip Switch settings for booting from SD Card

3.1.2 Hardware connection between Avenger96 and OPTIGA™ TPM2.0


The mezzanine will be mounted on top of the Avenger96 board as shown in Figure 2. When the
Avenger96 board is powered-up, the Power LED on the OPTIGA™ TPM2.0 board turns on, indicating that
the board is correctly connected.


Figure 2: Hardware Connection Setup on Avenger96 board

3.1.3 Powering up the Board


1. Take the Avenger96 board and insert the provided SD card (ensure the SD card is flashed with the
binaries the first time).
2. Connect the Micro-USB debug cable to the OPTIGA™ Tresor board as shown in Figure 2 above.
3. Connect the power adapter to the Avenger96; the board is ready to use.
4. Open a serial terminal utility such as Minicom on the host PC to connect serially to the board.

3.1.4 Open board's terminal - console (Minicom) on Linux PC


1. Before starting this step, the SD card must be flashed with the binary image and the serial cable
plugged into the board as described in hardware setup 3.1.1.
2. Connect the USB end of the serial cable to a USB port on the Linux PC.
3. On the Linux PC, launch the Minicom utility in setup mode as shown below (for debugging purposes):

Linux-PC $ sudo minicom -s


4. Set the baud rate and the other settings as below:
a. Baud rate: 115200
b. Parity: none
c. Hardware flow control / software flow control: none
d. Serial device: /dev/ttyUSB0
e. Save setup as dfl


5. After the Avenger96 board boots, it displays the login console on the Minicom terminal on the
Linux PC, as shown below.
6. The username for the board is “root”, with no password.


4 SOFTWARE SETUP
4.1 SSK- STM32MP1 and OPTIGA™ TPM 2.0 Yocto Environment Setup
4.1.1 Pre-requisite
• Linux PC (x86) with Ubuntu 16.04 LTS installed (to build the Yocto image)
• Basic understanding of Linux commands
• The steps required for building a BSP for ST's development boards can be found here

4.1.2 Steps to build the BSP for the SSK- STM32MP1 and OPTIGA™ TPM 2.0 through Yocto
[Note: By default, the image is already available on the SD card. The steps below are needed only if
the user wants to install a new image on the SD card again or the image gets corrupted.]

1. Download the SSK Avenger96 release package on Linux PC


STM32MP1_SSK_Pkg _[Release].tar.gz

2. Extract the STM32MP1_SSK_Pkg _[Release].tar.gz

Linux-PC $ tar -xvf STM32MP1_SSK_Pkg _[Release].tar.gz

Extracting the tar file gives the following contents:
• Developer_Guide_STM32MP1_SSK.pdf, which has a detailed description of all the
components, examples and how to enable all features of the kit
• Quick_Start_Guide_STM32MP1_SSK.pdf
• Firmware_Image
• SSK_AWS_Demo
• SSK_Cert_And_Config
• SSK_Suit_Configuration
• Stm32mp1_Yocto_Build
• Copyright.txt, the copyright notice
• RELEASE_NOTES.txt, information about the release

3. The above command produces the directories listed below:


STM32MP1_SSK_Pkg _[Release]
├── Firmware_Image
├── SSK_AWS_Demo
├── SSK_Cert_And_Config
└── SSK_Suit_Configuration

4. Run the build script build_script_avg.sh to complete the Yocto environment setup.


[Note: Please refer to PC_prerequisites before running the script below.]

Linux-PC $ cd Stm32mp1_Yocto_Build/
Linux-PC $ ./build_script_avg.sh

[Note: Please refer to the Bitbake User Manual for a better understanding of bitbake files, recipes and
layers as well as the options to build an image.]


5. Once the Yocto build is complete, the user will see the screenshot below. Create the SD-card image.

• Navigate to the directory “Firmware_Image” to find the built SD-card image.

Linux-PC $ cd STM32MP1_SSK_Pkg_Rel_v01/Firmware_Image/

6. Flash the SD card using the command below. /dev/sdb is the SD-card device on the example PC;
confirm the device name with lsblk before running dd, because the command overwrites the whole
device.

Linux-PC $ sudo dd if=flashlayout_av96-weston_FlashLayout_sdcard_stm32mp157a-av96-trusted.raw of=/dev/sdb bs=1M conv=fsync; sync

7. Unmount and eject the SD-card from the Linux PC.


8. Re-insert the SD card into the Linux PC; it will mount the partitions below. Verify using the
following command:

Linux-PC $ sudo lsblk

├─mmcblk0p4 179:4 0 64M 0 part /media/<username>/bootfs
├─mmcblk0p5 179:5 0 16M 0 part /media/<username>/vendorfs
├─mmcblk0p6 179:6 0 2G 0 part /media/<username>/rootfs
└─mmcblk0p7 179:7 0 1.9G 0 part /media/<username>/userfs

9. Copy the files listed below to the SD-card file system (the SSK suite package). cd is a shell
built-in, so it is run without sudo; the cp commands need sudo because the mounted root file system
is owned by root.

Linux-PC $ cd STM32MP1_SSK_Pkg_Rel_v01
Linux-PC $ sudo cp -r SSK_AWS_Demo SSK_Suit_Configuration /media/<username>/rootfs/home/root/
Linux-PC $ sudo cp -r SSK_Cert_And_Config/AWS_Config/openssl.cnf /media/<username>/rootfs/etc/ssl/
Linux-PC $ sudo cp -r SSK_Cert_And_Config/AWS_Config/config.json /media/<username>/rootfs/greengrass/config/
Linux-PC $ sudo cp -r SSK_Cert_And_Config/AWS_ROOTCA/rootCA.key /media/<username>/rootfs/greengrass/certs/
Linux-PC $ sudo cp -r SSK_Cert_And_Config/AWS_ROOTCA/rootCA.pem /media/<username>/rootfs/greengrass/certs/
Linux-PC $ sudo cp -r SSK_Cert_And_Config/AWS_ROOTCA/root.ca.pem /media/<username>/rootfs/greengrass/certs/
Linux-PC $ sudo cp -r SSK_Suit_Configuration/Tpm_Measured_Boot/Measured_boot.sh /media/<username>/rootfs/etc/init.d/
Linux-PC $ sudo cp -r SSK_Suit_Configuration/Tpm_Measured_Boot/rc-local.service /media/<username>/rootfs/etc/systemd/system/
Linux-PC $ sudo cp -r SSK_Suit_Configuration/Tpm_Measured_Boot/rc.local /media/<username>/rootfs/etc/
Linux-PC $ sync

Note that rootCA.key is the private key of the predefined Evaluation Kit root CA; it is placed on the
root file system only so that the kit's example application can run, and it should be treated as
evaluation-only material.

10. The SD card is now ready for use on the Avenger96 board.
11. Plug the SD card into the Avenger96 board.
12. Power up the board. The board will be up and running; launch Minicom to see the boot-up logs,
which end with the login prompt.

4.2 Keys and certificates information


• One preloaded root certificate (the associated private key is provided as a file): rootCA.pem
• One root private key: rootCA.key
• One AWS IoT root certificate: root.ca.pem
• The key pair associated with the device certificate, pre-flashed into the Trusted Platform Module
chip (inside the HSM)
• One device certificate signed with the root private key, plus the associated private key, needed
for TLS mutual authentication with AWS IoT [generated using SSK_Suit_Configuration.sh]
4.3 OPTIGA™ TPM2.0 Setup Script
After the Avenger96 board has booted successfully, the user needs to set up the OPTIGA™ TPM2.0
hardware security chip. The setup script installs the prerequisite packages and performs the TPM
configuration (i.e. creates the key pair and device certificate and stores them in the OPTIGA™ TPM2.0).

1. Enable the Wi-Fi internet connectivity using mobile hotspot or router.


2. Use Minicom console to run the script, as mentioned below

root@stm32mp1-av96:~# cd SSK_Suit_Configuration
root@stm32mp1-av96:~# ./SSK_Suit_Configuration.sh


3. The script now starts installing the packages. The first run takes about 20 minutes.

4. After the script completes, it has created the key pair and device certificate using the TPM.

5. Verify the steps using the command below [enter PIN: 1234]

root@stm32mp1-av96:~# ./SSK_Suit_Configuration.sh setup_result


Additional steps:
[Note: If the user wants to clear the TPM, the steps below help with debugging]

6. TPM clear command


If a mistake was made while following the steps, or an error occurred while configuring the
setup, the user can reset the TPM2.0 with the command below.

root@stm32mp1-av96:~# ./SSK_Suit_Configuration.sh tpm_clear

7. If the TPM has been cleared, the user will see the logs below. Then execute steps 1 to 5 above
again to repeat the setup as described in 4.3.


4.4 TLS Mutual Authentication & Session Establishment Using H/w Security
Amazon cloud allows customers to use device certificates signed and issued by their own certificate
authority (CA) to connect and authenticate with AWS IoT. This is an alternative to using certificates
generated by AWS IoT and better fits customers' needs. This method is used by “things” that use the
MQTT protocol; MQTT uses TLS as its secure transport mechanism. In IoT, each “thing” needs to be
uniquely identified by the cloud application, and that is realized by using device certificates as
identifiers.

During TLS connectivity establishment, AWS IoT authenticates the connecting device by extracting the
device certificate and verifying its signature against a customer preloaded root certificate. Similarly, the
device needs to verify the server certificate against the stored AWS IoT root certificate to confirm the
authenticity of the server to which it connects. TLS mutual authentication requires the device to prove
the ownership of its private key used to form the device certificate and this is being done by signing
some data packets with the private key.

The Avenger96 Gateway with TPM2.0 facilitates the creation and signing of a device certificate. The
device certificate is intended for establishing TLS connections with mutual authentication. The Kit
provides an example of how to use the device certificate and TPM based crypto for establishing a TLS
connection with Amazon AWS IoT (usually used for running MQTT protocol that runs on top of TLS).

The example requires the user to create an AWS account, create an OEM Root CA and upload it to AWS.
The device certificate must be signed with the private key of that OEM Root CA so that the two
certificates are chained. Because Amazon AWS does not allow the same OEM Root CA to be activated for
multiple AWS accounts, one shared predefined CA cannot serve every user of the kit.

Instead, the example guides the user through the following steps: create an AWS Custom CA, register
the Custom CA in AWS, provide verification to AWS and create an AWS Device Certificate. Then save
the created AWS Custom CA and AWS Device key and certificate in the TPM2.0. This way the AWS CAs and
the AWS Device Certificate are unique and can be used with AWS for the Evaluation Kit by multiple users.

To set up and test TLS mutual authentication and connectivity to AWS IoT in this example, users
generate their own AWS Custom CA private key and certificate and AWS device key and certificate,
which must be ECDSA 256 (the kit is actively using the RSA-256 technique).
Cert/key | Name of cert/key exposed by TPM and AV96 | Description
Cloud IoT Root CA | root.ca.pem | Root CA of the Cloud IoT. It is used for TLS mutual authentication.
Gateway Root Certificate/Key | rootCA.pem, rootCA.key | Gateway Root Certificate. For the Evaluation Kit this cert is predefined. The associated private key is provided as a file for execution of the payload verification example application.
Gateway Verification Certificate/Key | verificationCert.crt, verificationCert.key | Gateway Verification Certificate. For the Evaluation Kit this cert is predefined. The associated private key is provided as a file for execution of the payload verification of the Root Certificate with AWS.
Gateway/Device Private Key | Stored securely under TPM | Created and stored under a PKCS11 handle; accessible only with the TPM.
Gateway/Device Certificate | aws_device_cert.pem | Device credentials are accessible, with the private key being verified through the TPM.
Table 1: Preloaded Keys and Certificates

The AWS cloud certificate is preloaded in the AWS. The example uses the following keys and certificates:
1. AWS IoT Root Certificate : Comes preloaded with AWS
2. AWS Custom Gateway CA Key: the user generates this private key. It is used to sign the AWS
Device Certificate and to complete the AWS Custom CA Certificate registration process with
AWS IoT
3. AWS Custom Gateway CA Certificate: the user creates this certificate using the openssl tool.
This certificate needs to be uploaded to the AWS IoT cloud
4. AWS Device Private Key: Private key is generated by user and stored inside TPM securely, not
exposed to outside world
5. AWS Device Certificate: the user creates this certificate. It must be created and signed with the
AWS Custom Gateway CA Key. It is used during the AWS device registration step.

[Note: If you followed the steps in Section 4.3 (OPTIGA™ TPM2.0 Setup Script), move on to step
4.4.1.2]

4.4.1 Linux Environment: Generate the required keys and certificate


To use your own X.509 device certificates, you must register a CA certificate with AWS IoT. The CA
certificate can then be used to sign device certificates. You can register up to 10 CA certificates with
the same subject field per AWS account per AWS Region. This allows you to have more than one CA
sign your device certificates.

[Note: The registered CA certificate must sign Device certificates. It is common for a CA certificate to
be used to create an intermediate CA certificate. If you are using an intermediate certificate to
sign your device certificates, you must register the intermediate CA certificate. Use the AWS IoT
root CA certificate when you connect to AWS IoT even if you register your own root CA certificate.
The AWS IoT root CA certificate is used by a device to verify the identity of the AWS IoT servers ]

Earlier, AWS IoT released support for customers who need to use their own device certificates signed
by their preferred Certificate Authority (CA). This is in addition to the support for AWS IoT generated
certificates. The CA certificate is used to sign and issue device certificates, while the device certificates
are used to connect a client to AWS IoT. Certificates provide strong client side authentication for
constrained IoT devices. During TLS handshake, the server authenticates the client using the X.509
certificate presented by the client.


With this feature, customers with existing devices in the field or new devices with certificates signed by
a CA other than AWS IoT can seamlessly authenticate with AWS IoT. It also gives manufacturers the
ability to provision device certificates using their current processes and then register those device
certificates with AWS IoT. For example, if a customer's manufacturing lines lack internet connectivity,
they can provision their devices offline with certificates issued by their own CA and later register them
with AWS IoT.

This exercise walks you through the end-to-end process of setting up a client that uses a device
certificate signed by your own CA. First, you generate a CA certificate that will be used to sign your
device certificate. Next, you register the CA certificate and then register the device certificates.
After these steps, your device certificate is ready to connect to the AWS IoT service.

4.4.1.1 AWS Custom Gateway CA Creation


Let us begin by creating a sample CA certificate using OpenSSL in a terminal. In a real deployment the
signing certificate is issued by your CA vendor, or by a CA you operate off the device, and this sample CA
takes its place only for the walkthrough. The sample CA certificate is used later to sign a device
certificate that will be registered with AWS IoT:

[Note: If you do not have a CA certificate, you can create one with the OpenSSL tool as shown here]

To create a CA certificate
1. Generate a key pair. The walkthrough does this on the board in /greengrass/certs for convenience; a
production CA private key must never be stored on the device it issues certificates for, because anyone
who can read it can mint device identities.

root@stm32mp1-av96:~# openssl genrsa -out rootCA.key 2048

2. Use the private key from the key pair to generate a self-signed CA certificate (-nodes leaves the key
unencrypted on disk, which is acceptable only for this sample CA).

root@stm32mp1-av96:~# openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

4.4.1.2 Registering Your CA Certificate


[Note: A CA certificate cannot be registered with more than one account in the same AWS Region.
However, a CA certificate can be registered with more than one account if the accounts are in different
AWS Regions. The registered CA certificate is used to register device certificates that it has signed.]

To register a CA certificate

Get a registration code from AWS IoT. This code is used as the Common Name of the private key
verification certificate. You can retrieve the registration code using the AWS CLI or from the AWS IoT
Console >> SECURE >> CA >> Register Certificate section.


1. Generate a key pair for the private key verification certificate:

root@stm32mp1-av96:~# openssl genrsa -out verificationCert.key 2048

2. Create a CSR for the private key verification certificate. Set the Common Name field of the
certificate to the registration code copied from the AWS IoT Console >> SECURE >> CA >> Register
Certificate section; AWS IoT rejects the registration if the Common Name differs from the code.

root@stm32mp1-av96:~# openssl req -new -key verificationCert.key -out verificationCert.csr

You are prompted for the subject fields; only the Common Name matters for the registration:
Country Name (2-letter code) [AU]:
State or Province Name (full name) []:
Locality Name (for example, city) []:
Organization Name (for example, company) []:
Organizational Unit Name (for example, section) []:
Common Name (e.g. server FQDN or YOUR name) []: XXXXXXXXXXXXMYREGISTRATIONCODEXXXXXX
Email Address []:


3. Use the CSR to create the private key verification certificate, signed by the sample CA:

root@stm32mp1-av96:~# openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256

4. In the navigation pane of the AWS IoT console, choose Secure >> CA >> "Register your CA
certificate", and upload the sample CA certificate (rootCA.pem) together with the verification
certificate (verificationCert.crt). AWS IoT checks that the verification certificate was issued by the
CA and that its Common Name is the registration code; this proves that you hold the CA private key.


4.4.2 Linux Environment: Secure Device Certificate and Private Key Gen
You can use a CA certificate registered with AWS IoT to create a device certificate. The device certificate
must be registered with AWS IoT before it can be used. The private key behind it is generated inside the
OPTIGA™ TPM 2.0 and never leaves it: OpenSSL reaches it through the tpm2-pkcs11 module, and the CSR is
the only artefact that is exported.

1. The steps below assume the Avenger96 meta-security build image, which carries the changes needed
for the TPM tooling used here.


2. Check if any persistent handle is already present with OPTIGA™ TPM2.0.

root@stm32mp1-av96:~# tpm2_listpersistent
- handle: 0x81000000
name-alg:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
raw: 0x30072
.
.
.

3. If you want to clear a previous token and persistent handle from the TPM 2.0 chip, use the command
below. Only do this when starting from scratch: a tpm2-pkcs11 store that references the evicted handle
stops working, and keys that existed only under it are gone.

root@stm32mp1-av96:~# tpm2_evictcontrol -a o -c 0x81000000 -p 0x81000000

4. Install the Python packages used by the script below:

root@stm32mp1-av96:~# pip install pyyaml cryptography paramiko

5. Clone the tpm2-pkcs11 repository onto the board and check out the revision this guide was tested
with:

root@stm32mp1-av96:~# git clone https://github.com/tpm2-software/tpm2-pkcs11
root@stm32mp1-av96:~# cd tpm2-pkcs11/
root@stm32mp1-av96:~/tpm2-pkcs11# git checkout a82d0709c97c88cc2e457ba111b6f51f21c22260

6. Run the script to create a PKCS#11 store under /opt/tpm2-pkcs11, a token inside it, and an RSA-2048
key that never leaves the TPM. The PINs used here (1234) are demo values; choose real SO and user PINs
for a deployment, since the user PIN is what later unlocks the key for TLS.

root@stm32mp1-av96:~# cd ~/tpm2-pkcs11/tools

root@stm32mp1-av96:~/tpm2-pkcs11/tools# ./tpm2_ptool.py init --pobj-pin=1234 --path=/opt/tpm2-pkcs11/
Created a primary object of id: 1

root@stm32mp1-av96:~/tpm2-pkcs11/tools# ./tpm2_ptool.py addtoken --pid=1 --pobj-pin=1234 --sopin=1234 --userpin=1234 --label=greengrass --path=/opt/tpm2-pkcs11/
Created token label: greengrass

root@stm32mp1-av96:~/tpm2-pkcs11/tools# ./tpm2_ptool.py addkey --algorithm=rsa2048 --label=greengrass --userpin=1234 --key-label=greenkey --path=/opt/tpm2-pkcs11/
Added key as label: "greenkey"

7. Create a symbolic link so that the tools find the tabrmd TCTI (the TPM resource manager library)
under its unversioned name:

root@stm32mp1-av96:~# cd /usr/lib/
root@stm32mp1-av96:/usr/lib# ln -s libtss2-tcti-tabrmd.so.0 libtss2-tcti-tabrmd.so

8. To check the URL of the token just created, the p11tool, p11-kit and opensc packages are needed.
Use p11-kit list-modules to list the PKCS#11 modules available, with their tokens:

root@stm32mp1-av96:~# p11-kit list-modules

p11-kit-trust: p11-kit-trust.so
library-description: PKCS#11 Kit Trust Module
library-manufacturer: PKCS#11 Kit
library-version: 0.23
tpm2_pkcs11: libtpm2_pkcs11.so
library-description: TPM2.0 Cryptoki
library-manufacturer: tpm2-software.github.io
library-version: 42.42
token: greengrass
manufacturer: Infineon
model: SLB 9670
serial-number: 0000000000000000
hardware-version: 1.16
firmware-version: 7.40
flags:
rng
login-required
user-pin-initialized
token-initialized

9. Use the command "p11tool --list-tokens" to see the token with its URL.

root@stm32mp1-av96:~# p11tool --list-tokens


Token 0:
URL:
pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=greengrass
Label: greengrass
Type: Hardware token
Flags: RNG, Requires login
Manufacturer: Infineon
Model: SLB9670
Serial: 0000000000000000
Module: libtpm2_pkcs11.so


10. Use the command "p11tool --list-privkeys pkcs11:manufacturer=Infineon" to list the private key
objects held by the OPTIGA™ TPM 2.0 token.

Note: Provide PIN 1234 if asked.

root@stm32mp1-av96:~# p11tool --list-privkeys pkcs11:manufacturer=Infineon


Object 0:
URL:
pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=greengrass;id=%36
%36%37%36%30%39%61%62%36%65%65%36%39%34%33%30;object=greenkey
Token 'greengrass' with URL
'pkcs11:model=SLB9670;manufacturer=Infineon;serial=0000000000000000;token=greengrass'
requires user PIN
Enter PIN:
Type: Private key (RSA)
Label: greenkey
Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 36:36:37:36:30:39:61:62:36:65:65:36:39:34:33:30

11. Create a soft link to "libpkcs11.so" (the OpenSSL PKCS#11 engine from libp11) and point the engine
at the TPM module. Check where your image installed the module (find /usr/lib -name
'libtpm2_pkcs11.so'); the same path must be used here, in MODULE_PATH below and in the Greengrass
config.json of section 4.6.3.

root@stm32mp1-av96:~# cd /usr/lib/engines-1.1/
root@stm32mp1-av96:/usr/lib/engines-1.1# ln -s pkcs11.so libpkcs11.so
root@stm32mp1-av96:/usr/lib/engines-1.1# export PKCS11_MODULE_PATH=/usr/lib/libtpm2_pkcs11.so

12. Edit the OpenSSL configuration to enable the PKCS#11 engine for the TPM (edit only the highlighted
points). Open /etc/ssl/openssl.conf (on most builds the file is named openssl.cnf; "openssl version -d"
prints the directory OpenSSL actually reads):

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't


# defined.
HOME =.

openssl_conf = openssl_init


13. Add the following sections at the end of the same file:

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/pkcs11/libtpm2_pkcs11.so
init = 0

14. Generate the certificate signing request with OpenSSL. The key is addressed by its PKCS#11 URI, so
the CSR is signed inside the TPM. Note that pin-value puts the PIN on the command line, where it is
visible in shell history and in the process list while the command runs.

root@stm32mp1-av96:~# openssl req -engine pkcs11 -new -key "pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=1234" -keyform engine -out /greengrass/certs/deviceCert.csr

Country Name (2 letter code) [AU]:IN


State or Province Name (full name) [Some-State]:GUJARAT
Locality Name (eg, city) []:AHM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EIC
Organizational Unit Name (eg, section) []:KB
Common Name (e.g. server FQDN or YOUR name) []:SSK
Email Address []:

Please enter the following 'extra' attributes


to be sent with your certificate request
A challenge password []:1234
An optional company name []:ARROW

15. Sign the device certificate with your CA (it is registered with AWS IoT in section 4.6.1):

root@stm32mp1-av96:~# cd /greengrass/certs/
root@stm32mp1-av96:/greengrass/certs# openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out aws_device_cert.pem -days 500 -sha256


4.5 AWS Greengrass Group Creation

1. Create a Greengrass group by logging in to your AWS account.
2. Sign in to the AWS Management Console on your computer and open the AWS IoT console. If this is
your first time opening this console, choose Get started.
 In the navigation pane, choose Greengrass.

[Note: If you don't see the Greengrass node, change to an AWS Region that supports AWS IoT
Greengrass. For the list of supported regions, see [AWS IoT Greengrass] in the Amazon Web
Services General Reference. Use the same region for every step that follows: the core's certificate,
thing and the endpoints in config.json must all belong to it.]

3. On the Welcome to AWS IoT Greengrass page, choose <Create a Group>.

 If prompted by the "Greengrass needs your permission to access other services" dialog box,
choose Grant permission to allow the console to create or configure the Greengrass service role
for you.

Developer Guide eInfochips Private Limited Confidential Page 24 of 65


SECURITY STARTER KIT WITH STM32MP1 AND OPTIGA™ TPM 2.0

4. On the Set up your Greengrass group page, choose "Customize" to create a group and an
AWS IoT Greengrass core.

5. Enter a name for your group (for example, MyFirstGroup_TPM), and then choose Next.

(Screenshot: Add IAM Role to the Greengrass Group)

6. Select the Stream Manager option as Customize, and disable it.

7. Select the Greengrass Core according to the gateway device running it, for example
MyFirstGroup_TPM_Core.

8. Select Security type as Customize to upload the gateway device certificate whose key was generated
by the OPTIGA™ TPM 2.0 and which was signed with the root CA registered with AWS IoT, as described in
sections 4.4.1 and 4.4.2.

4.6 AWS Console and Board: Setup AWS IoT for the Demo
The user must go through the following steps to set up and test the TLS connectivity with AWS IoT:
1. Create an Amazon AWS account
2. Sign in to the AWS IoT Console
3. Create (Register) a "thing" in the Thing Registry
4. Register the CA with AWS IoT.


4.6.1 Register the Device Certificate to the AWS IoT for the "thing"
On the AWS console, after the custom CA certificate has been registered and activated, open the "thing"
that has been created and click on Security again, as shown in the screenshot below.

1. Then click on "View other options" and then "Use my certificate" (click on "Get started").

2. As shown in the screenshot below, click and select the CA that was just registered, and then click
on the blue "Register certificates" button at the bottom.


3. As per the screen below, you now have the option to upload and register the device certificate.

4. Select the AWS device certificate, aws_device_cert.pem, generated in section 4.4.2, upload it
to the AWS IoT "thing", and press the blue Register certificate button (check the "Activate all"
radio button). Only the certificate leaves the board; the private key stays in the TPM, which is the
point of the PKCS#11 setup.


5. At this stage, the AWS IoT cloud has a “thing” ready to allow a device to connect to it: the device
is registered with an active certificate.


4.6.2 AWS Console: Create Publish/Subscribe Policy

For this example, the device certificate needs to be attached to a policy that allows the device to
connect, subscribe and publish. To accomplish this:

1. Create a policy that allows subscription and publishing to a topic, as in the example policy
shown in the image. Keep the resources as narrow as the demo allows (the core's client ID and the
topics it actually uses) rather than "*": the policy, not the certificate, bounds what a compromised
device can do in your account.

2. Attach the policy to the device certificate.

4.6.3 Linux Environment: Configure the AWS Example Application that Connects to AWS
To enable and use the TPM as the hardware security integration for the gateway (device demo) with AWS:

1. Please ensure all certificates and keys generated in sections 4.4.1 and 4.4.2 are placed inside
/greengrass/certs/ (the Greengrass installation directory; the path is case-sensitive).
2. Enable it in the AWS IoT Greengrass config. Edit /greengrass/config/config.json and replace the
configuration with the content based on your OpenSSL configuration and the location of the keys.
A complete example of the AWS IoT Greengrass configuration with the setup completed in the
preceding sections resembles the following. Three things to check before saving it:
 iotHost and ggHost must both be in the region of thingArn (the sample below mixes us-east-1 and
ap-south-1, which cannot work); use the endpoints the console shows for your account.
 caPath is the Amazon root CA that the AWS IoT endpoint chains to (root.ca.pem here), not the
rootCA.pem created in section 4.4.1; that CA only vouches for the device and is validated on the
AWS side.
 The token PIN appears in clear text twice (SlotUserPin and pin-value), so restrict the file to root
(chmod 600), as the PIN is what authorises use of the TPM-held key.

root@stm32mp1-av96:~# vi /greengrass/config/config.json
{
"coreThing" : {
"thingArn"
:"arn:aws:iot:<AWS_REGION>:<AWS_ACCOUNT_NUMBER>:thing/<GG_Thing_Name>",
"iotHost" : "XXXXXXXXXXXXXXX-ats.iot.us-east-1.amazonaws.com",
"ggHost" : "greengrass-ats.iot.ap-south-1.amazonaws.com",
"keepAlive" : 600
},
"runtime" : {
"cgroup" : {
"useSystemd" : "yes"
}
},
"managedRespawn" : false,
"crypto" : {
"PKCS11": {
"OpenSSLEngine": "/usr/lib/engines-1.1/pkcs11.so",
"P11Provider": "/usr/lib/pkcs11/libtpm2_pkcs11.so",


"SlotLabel": "greengrass",
"SlotUserPin": "1234"
},
"principals" : {
"IoTCertificate" : {
"privateKeyPath" :
"pkcs11:model=SLB9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;
pin-value=1234",
"certificatePath" : "file:///greengrass/certs/aws_device_cert.pem"
}
},
"caPath" : "file:///greengrass/certs/root.ca.pem"
}
}
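The PKCS#11 URIs in this configuration are the same ones p11tool printed in section 4.4.2 (steps 9 and 10) and that the openssl req command of step 14 used, and most first-deployment failures come from one of them, or from the endpoints above, not matching. The Python script below is an added example written for this guide, not part of the eInfochips kit or of AWS IoT Greengrass: it parses pkcs11: URIs (RFC 7512, with the separator tolerance the tools on this page rely on), decodes the percent-encoded id= attribute from the p11tool listing, and checks a config.json for token/label mismatches, a region mismatch between thingArn, iotHost and ggHost, missing files and a PIN embedded in the key URI. The TOKEN_FROM_P11TOOL values are copied from the p11tool output above; the account number, thing name and endpoint prefix used when exercising it are constructed placeholders, and the checks say nothing about whether the TPM will actually sign, which step 14 already exercised.

```python
"""Pre-flight checks for a TPM-backed Greengrass core (added example, see lead-in)."""
import json
import os
import re
from urllib.parse import unquote_to_bytes

# Token attributes exactly as "p11tool --list-tokens" printed them in section 4.4.2.
TOKEN_FROM_P11TOOL = {
    "model": "SLB9670",
    "manufacturer": "Infineon",
    "serial": "0000000000000000",
    "token": "greengrass",
}

# Region is the label after ".iot." in an AWS IoT endpoint: <prefix>.iot.<region>.amazonaws.com
_ENDPOINT_REGION = re.compile(r"\.iot\.([a-z0-9-]+)\.amazonaws\.com$")


def parse_pkcs11_uri(uri):
    """Return the attributes of an RFC 7512 pkcs11: URI as a dict.

    ';', '?' and '&' are all accepted as separators: the RFC puts pin-value after
    '?', but the openssl command and config.json on this page put it in the ';'
    list. 'id' is percent-decoded to bytes because it is CKA_ID, not text.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    attrs = {}
    for part in re.split(r"[;?&]", uri[len("pkcs11:"):]):
        if not part:
            continue
        key, _, value = part.partition("=")
        raw = unquote_to_bytes(value)
        attrs[key] = raw if key == "id" else raw.decode("utf-8")
    return attrs


def uri_mismatches(uri, token=TOKEN_FROM_P11TOOL):
    """Names of attributes present in `uri` that disagree with the listed token."""
    attrs = parse_pkcs11_uri(uri)
    return sorted(k for k, v in token.items() if k in attrs and attrs[k] != v)


def endpoint_region(host):
    """Region encoded in an endpoint such as xxxx-ats.iot.us-east-1.amazonaws.com, else None."""
    match = _ENDPOINT_REGION.search(host)
    return match.group(1) if match else None


def check_greengrass_config(cfg, token=TOKEN_FROM_P11TOOL, exists=os.path.exists):
    """Return the problems found in a Greengrass v1 config dict; an empty list means OK.

    `exists` is injectable so the checks can run on a PC, away from the core's file system.
    """
    problems = []
    core = cfg["coreThing"]
    arn_region = core["thingArn"].split(":")[3]  # arn:aws:iot:<region>:<account>:thing/<name>
    for key in ("iotHost", "ggHost"):
        region = endpoint_region(core[key])
        if region != arn_region:
            problems.append("%s is in %s but thingArn is in %s" % (key, region, arn_region))

    crypto = cfg["crypto"]
    key_uri = crypto["principals"]["IoTCertificate"]["privateKeyPath"]
    attrs = parse_pkcs11_uri(key_uri)
    slot_label = crypto["PKCS11"]["SlotLabel"]
    if attrs.get("token") != slot_label:
        problems.append("privateKeyPath token=%r but SlotLabel=%r" % (attrs.get("token"), slot_label))
    for name in uri_mismatches(key_uri, token):
        problems.append("privateKeyPath %s= does not match the token p11tool listed" % name)
    if attrs.get("type") != "private":
        problems.append("privateKeyPath should select type=private")
    if "pin-value" in attrs:
        problems.append("warning: privateKeyPath embeds the PIN; keep config.json readable by root only")

    for label, path in (("OpenSSLEngine", crypto["PKCS11"]["OpenSSLEngine"]),
                        ("P11Provider", crypto["PKCS11"]["P11Provider"])):
        if not exists(path):
            problems.append("%s %s does not exist" % (label, path))
    for label, url in (("certificatePath", crypto["principals"]["IoTCertificate"]["certificatePath"]),
                       ("caPath", crypto["caPath"])):
        if not url.startswith("file://"):
            problems.append("%s must be a file:// URL" % label)
        elif not exists(url[len("file://"):]):
            problems.append("%s %s does not exist" % (label, url))
    return problems


def check_config_file(path):
    """Load a config.json from disk and check it against the real file system."""
    with open(path) as fh:
        return check_greengrass_config(json.load(fh))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/greengrass/config/config.json"
    for problem in check_config_file(target):
        print(problem)
```

Run it on the core as "python3 ggcheck.py" (it defaults to /greengrass/config/config.json) or pass the path of a copy on the PC; every line printed is a reason the TLS handshake with AWS IoT will fail or a hardening point, and no output means the checks passed. Run against the sample above it reports the us-east-1/ap-south-1 mismatch and the embedded PIN.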

4.6.4 Lambda Functions on AWS IoT Greengrass


This section will describe, how to create and deploy a Lambda function that sends MQTT messages
from your AWS IoT Greengrass core device. The module describes Lambda function configurations,
subscriptions used to allow MQTT messaging, and deployments to a core device


Create and Package a Lambda Function

In this step, you will:


 Download the AWS IoT Greengrass Core SDK for Python to your computer (not to the AWS IoT
Greengrass core device) from https://github.com/aws/aws-greengrass-core-sdk-python/
 Create a Lambda function deployment package that contains the function code and
dependencies.
 Use the Lambda console to create a Lambda function and upload the deployment package.
 Publish a version of the Lambda function and create an alias that points to the version.

1. Download the AWS IoT Greengrass Core SDK for Python to your computer:

Linux-PC $ git clone https://github.com/aws/aws-greengrass-core-sdk-python/
Linux-PC $ cd aws-greengrass-core-sdk-python/

2. The Lambda function in this module uses:

 The greengrassHelloWorld.py file in examples/HelloWorld. This is your Lambda function
code. Every five seconds, the function publishes one of two possible messages to the
hello/world topic.

 The greengrasssdk folder. This is the SDK.

3. Copy the Greengrass SDK folder into the HelloWorld folder that contains
greengrassHelloWorld.py.

Linux-PC $ cp -r greengrasssdk/ examples/HelloWorld/

4. To create the Lambda function deployment package, save greengrassHelloWorld.py and the
Greengrass SDK folder to a compressed zip file named hello_world_python_lambda.zip. The
python file and Greengrass SDK folder must be in the root of the directory.

Linux-PC $cd examples/HelloWorld/


Linux-PC $ zip -r hello_world_python_lambda.zip greengrasssdk greengrassHelloWorld.py

 Open the Lambda console and choose Create function


 Choose Author from scratch
 Name your function Greengrass_HelloWorld, and set the remaining fields as follows:
 For Runtime, choose Python 2.7
 Click on Create function at bottom.


5. Upload your Lambda function deployment package:

On the Configuration tab, under Function code, set the following fields:
 For Code entry type, choose Upload a .zip file.
 For Runtime, choose Python 2.7.
 For Handler, enter greengrassHelloWorld.function_handler
 Choose Upload, and then choose hello_world_python_lambda.zip. (The size of your
hello_world_python_lambda.zip file might be different from what is shown here.)


2. Choose Save

3. Publish the Lambda function:


 From Actions, choose Publish new version.

4. For Version description, enter First version, and then choose Publish.

5. Create an alias for the Lambda function version:


 From Actions, choose Create alias.

 Name the alias GG_HelloWorld, set the version to 1 (which corresponds to the
version that you just published), and then choose Create.

 Note: AWS IoT Greengrass does not support Lambda aliases for $LATEST versions.


6. In the AWS IoT console, under Greengrass, choose Groups, and then choose the group that
you created in above Steps.

 On the group configuration page, choose Lambdas, and then choose Add Lambda.

 Choose Use existing Lambda.

 Search for the name of the Lambda you created in the previous step
(Greengrass_HelloWorld, not the alias name), select it, and then choose Next:


 For the version, choose Alias: GG_HelloWorld, and then choose Finish. You should see
the Greengrass_HelloWorld Lambda function in your group, using the GG_HelloWorld
alias.

 Choose the ellipsis (...), and then choose Edit Configuration:

7. On the Group-specific Lambda configuration page, make the following changes:


 Set Timeout to 25 seconds. This Lambda function sleeps for 20 seconds before each
invocation.
 For Lambda lifecycle, choose Make this function long-lived and keep it running
indefinitely.


 Keep the default values for all other fields, such as Run as, Containerization, Input
payload data type, and choose Update to save your changes.

8. On the group configuration page, choose Subscriptions, and then choose Add your first
Subscription.

 In Select a source, choose Select. Then, on the Lambdas tab, choose


Greengrass_HelloWorld as the source.

9. To Select a target, choose Select. Then, on the Service tab, choose IoT Cloud, and then choose
next.


 For Topic filter, enter hello/world, and then choose Next.

 Choose Finish

10. Configure the group's logging settings. User can configure AWS IoT Greengrass system
components and user-defined Lambda functions to write logs to the file system of the core
device.
 On the group configuration page, choose Settings.
 For Local logs configuration, choose Edit.
 On the Configure Group logging page, choose Add another log type.
 For event source, choose User Lambdas and Greengrass system, and then choose Update.
 Keep the default values for logging level and disk space limit, and then choose Save.
 Disable the Stream Manager Status.

4.6.5 On Board: Execute the AWS Example Application


To check whether the daemon is running:

root@stm32mp1-av96:~# ps aux | grep -E 'greengrass.*daemon'

If the output contains a root entry for /greengrass/ggc/packages/1.10.0/bin/daemon, then the daemon
is running.

1. To start the daemon:

root@stm32mp1-av96:~# cd /greengrass/ggc/core/
root@stm32mp1-av96:/greengrass/ggc/core# ./greengrassd start

2. In the AWS IoT console, on the group configuration page, from Actions, choose Deploy.


3. On the Configure how devices discover your core page, choose Automatic detection. This
enables devices to automatically acquire connectivity information for the core, such as IP
address, DNS, and port number. Automatic detection is recommended, but AWS IoT
Greengrass also supports manually specified endpoints. You are prompted for the discovery
method for first time when group is deployed.

4. The first deployment might take a few minutes. When it completes, the Status column on the
Deployments page shows Successfully completed.

5. Verify that the Lambda function is running on the core device, which is now authenticating to
AWS IoT with the key held in the OPTIGA™ TPM 2.0.

6. From the navigation pane of the AWS IoT console, choose Test.

7. Choose Subscribe to topic, and configure the following fields:

 For Subscription topic, enter hello/world. (Do not choose Subscribe to topic yet.) For
Quality of Service, choose 0. For MQTT payload display, choose Display payloads as
strings.
 Then choose Subscribe to topic.

[Note: Assuming the Lambda function is running on your device, it publishes messages similar to the
following to the hello/world topic]
 The MQTT client displays the messages on screen, for example "Message from Avenger96".


5 STM32MP15 SECURE BOOT

This section is a practical example that illustrates how to build a secure boot image and how to
configure the target device to run only authenticated code, using Trusted Firmware-A (TF-A) and the
STM32 KeyGen and Signing tools. It targets the Secure Boot feature of the STM32MP157CAC application
processor.

This application note demonstrates the secure boot solution only on the Avenger96 board with the
STM32MP157CAC processor, together with some of the trusted features that secure boot relies on. It
focuses on:

 STM32MP boot sequence.


 Secure boot implementation
 Authentication processing
 Key generation
 Key registration
 Image signing
 Image programming
 Authentication
 Closing the device

Target audience:
Someone who knows the normal boot process, is familiar with image signing tools and fuse-related
concepts, and understands the basics of digital signatures and public key certificates.

[Note: For a step-by-step technical guide, please refer Avenger96_Secure_Boot_Reference ]

[Note: See Appendix Section 6.5 for more information on secure boot environment]
5.1 Secure boot implementation
5.1.1 Overview
The STM32 MPU authenticates boot images with the ECDSA [1] signature verification algorithm, based on
elliptic curve cryptography (ECC) [2]. ECDSA offers security comparable to RSA with a much smaller
key; the STM32 MPU relies on a 256-bit ECDSA key.

Two curves are supported for the ECDSA computation:

 P-256 NIST
 Brainpool 256

The curve is selected via a field of the signed binary header, as shown in the STM32 header
description.

The ECDSA verification follows the process below:

Figure 3: Secure boot process flow

5.1.2 Key Generation


First step is to generate the ECC pair of keys with STM32 KeyGen tool. This is the key pair that will be
used to sign the images.
The tool also generates a third file containing the public key hash (PKH) that will be used to authenticate
the public key on the target.

5.1.2.1 Install STM32MP Key Generator


The STM32MP Key Generator software is tested on Ubuntu 14.04 and 16.04, 32-bit and 64-bit, and
should work on any distribution.
The tool is installed with STM32CubeProgrammer. To execute it, launch the "STM32MP_KeyGen_CLI"
script from that installation's bin directory.

5.1.2.2 STM32MP Key Generator command line interface


On the Linux PC with the STM32 KeyGen tool installed, generate the ECC key pair as follows.
Go to the path mentioned below and use the STM32MP_KeyGen_CLI command line tool.

Linux-PC $ cd /home/<username>/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin

Make a new directory named "secure_keys" and run the command below.

Linux-PC $ mkdir /home/<username>/secure_keys

Generate the key pair using the command below. "-ecc 2" selects the curve (the tool's output shows
which one); "-pwd seed" is the passphrase that encrypts private.pem, so use a real passphrase outside
this walkthrough. The private key signs every boot image from now on: keep it off the board, back it up,
and treat its loss or disclosure as loss of the product's secure boot, because the matching public key
hash is about to be fused permanently into OTP.

Linux-PC $ ./STM32MP_KeyGen_CLI -ecc 2 -pubk /home/<username>/secure_keys/public.pem -prvk /home/<username>/secure_keys/private.pem -hash /home/<username>/secure_keys/pubKeyHash.bin -pwd seed

If the key pair was generated successfully, the tool prints the following. Note down the curve (key
type) it reports, because the signing step must use the same one.


-------------------------------------------------------------------
STM32MP Key Generator v1.0.0
-------------------------------------------------------------------

brainpoolP256t1 curve is selected.


AES_256_cbc algorithm is selected for private key encryption
Generating brainpoolP256t1 keys...
Private key PEM file created
Public key PEM file created
public key hash file created
Keys generated successfully.

+ public key: /home/<username>/secure_keys/public.pem
+ private key: /home/<username>/secure_keys/private.pem
+ public hash key: /home/<username>/secure_keys/pubKeyHash.bin

5.1.2.3 Copying the Public Key Hash to bootfs on the SD-card

Insert the SD-card flashed with the Avenger96 image into your Linux PC.
Verify the device node the SD-card received in /dev:

Linux-PC # ls -l /dev/sd*

Copy pubKeyHash.bin into the bootfs partition of the SD-card, then boot the board from it:

Linux-PC $ cp /home/<username>/secure_keys/pubKeyHash.bin /media/<username>/bootfs/

5.1.2.4 Verify Public Key Hash

Read pubKeyHash.bin once on the PC before fusing, so that you can compare it with what U-Boot reads
back from the SD-card before the key registration is locked (grouping by 4 bytes gives one OTP word per
group):

Linux-PC $ xxd -g4 /home/<username>/secure_keys/pubKeyHash.bin

This output is what you will compare against the OTP values U-Boot prints after loading the file from
bootfs:

00000000: eecb48dc c42541ee 3de223ff dd7a9976 ..H..%A.=.#..z.v


00000010: 3eaea651 1b52001b 3a0bc3c6 0c190365 >..Q.R..:......e

5.1.3 Key Registration

5.1.3.1 Register hash public key
The first step in enabling authentication is to burn OTP words 24 to 31 in BSEC with the public key hash
(PKH, the output file from STM32 KeyGen). OpenSTLinux embeds a stm32key tool that can be called from
the U-Boot command line to program the PKH into the OTP.

The PKH file (pubKeyHash.bin) must be available in a file system partition (such as bootfs) on a storage
device (such as the SD-card) before proceeding. File names are case-sensitive on ext4: use exactly the
name KeyGen wrote.

Plug the SD-card into the Avenger96 board, power on the board and stop the U-Boot autoboot by pressing
any key while the U-Boot log is shown on the serial debug console.


Load the hash file from mmc 0, partition 4 (ext4, bootfs) into DDR:

STM32MP> ext4load mmc 0:4 0xc0000000 pubKeyHash.bin
32 bytes read in 0 ms

Read the loaded key back from DDR to confirm it is valid (this does not write anything to OTP). Every
word must match the xxd output from section 5.1.2.4; a wrong or truncated file fused here cannot be
corrected afterwards.

STM32MP> stm32key read 0xc0000000

OTP value 24: eecb48dc
OTP value 25: c42541ee
OTP value 26: 3de223ff
OTP value 27: dd7a9976
OTP value 28: 3eaea651
OTP value 29: 1b52001b
OTP value 30: 3a0bc3c6
OTP value 31: c190365

Only when the values match, fuse them. OTP is one-time programmable: this step is irreversible and,
once the device is closed (section 5.1.7), only images signed with the matching private key will boot.

STM32MP> stm32key fuse -y 0xc0000000

5.1.4 Signing the FSBL and SSBL


FSBL: tf-a-stm32mp157a-av96-trusted.stm32
Yocto path: Avenger96/build-openstlinuxweston-stm32mp1-av96/tmp-glibc/deploy/images/stm32mp1-av96/tf-a-stm32mp157a-av96-trusted.stm32

SSBL: u-boot-stm32mp157a-av96-trusted.stm32
Yocto path: Avenger96/build-openstlinuxweston-stm32mp1-av96/tmp-glibc/deploy/images/stm32mp1-av96/u-boot-stm32mp157a-av96-trusted.stm32

For more information about the Avenger96 image partitions, please review the Yocto file named
"README.HOW_TO.txt" found in this directory:
Avenger96/layers/meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp/

Follow these steps to sign the images.

 Copy the "tf-a-stm32mp157a-av96-trusted.stm32" binary from the Avenger96 Yocto build directory
to /home/<username>/secure_keys/:

Linux-PC $ cp Avenger96/build-openstlinuxweston-stm32mp1-av96/tmp-glibc/deploy/images/stm32mp1-av96/tf-a-stm32mp157a-av96-trusted.stm32 /home/<username>/secure_keys/


 Copy the "u-boot-stm32mp157a-av96-trusted.stm32" binary from the Avenger96 Yocto build directory
to /home/<username>/secure_keys/:

Linux-PC $ cp Avenger96/build-openstlinuxweston-stm32mp1-av96/tmp-glibc/deploy/images/stm32mp1-av96/u-boot-stm32mp157a-av96-trusted.stm32 /home/<username>/secure_keys/

 Go to the STM32CubeProgrammer bin directory:

Linux-PC $ cd /home/<username>/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin

 Now sign the images with the STM32MP_SigningTool_CLI tool. The value given to -a must select the
same curve that -ecc selected when the key pair was generated in section 5.1.2.2: the tool echoes the
curve it is using, and the ROM code takes the curve from the image header, so a mismatch only shows up
as an authentication failure at boot. (The outputs reproduced below report Prime256v1 while the key
generation output above reports brainpoolP256t1; compare the two lines in your own run rather than
relying on this transcript.) Root privileges are not needed, since the tool only reads and writes files
in your home directory.

5.1.4.1 SSBL signing

Linux-PC $ ./STM32MP_SigningTool_CLI -bin /home/<username>/secure_keys/u-boot-stm32mp157a-av96-trusted.stm32 -pubk /home/<username>/secure_keys/public.pem -prvk /home/<username>/secure_keys/private.pem -pwd seed -a 2 -o /home/<username>/secure_keys/u-boot-stm32mp157a-av96-trusted-signed.stm32

Prime256v1 curve is selected.
Reading Private Key File...
ECDSA signature generated.
signature verification: SUCCESS
The Signed image file generated successfully:
/home/<username>/secure_keys/u-boot-stm32mp157a-av96-trusted-signed.stm32

5.1.4.2 FSBL signing

Linux-PC $ ./STM32MP_SigningTool_CLI -bin /home/<username>/secure_keys/tf-a-stm32mp157a-av96-trusted.stm32 -pubk /home/<username>/secure_keys/public.pem -prvk /home/<username>/secure_keys/private.pem -pwd seed -a 2 -o /home/<username>/secure_keys/tf-a-stm32mp157a-av96-trusted-signed.stm32

Prime256v1 curve is selected.
Reading Private Key File...
ECDSA signature generated.
signature verification: SUCCESS
The Signed image file generated successfully:
/home/<username>/secure_keys/tf-a-stm32mp157a-av96-trusted-signed.stm32
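Before flashing, and again before closing the device in section 5.1.7, it is worth looking inside the signed files rather than trusting the tool's transcript. The Python script below is an added example, not part of the eInfochips guide or of ST's tools: it parses the 256-byte STM32 header that the signing tool fills in (layout as in ST's STM32 header v1 description: magic, 64-byte ECDSA signature, payload checksum, header version, image length, entry and load addresses, version number, option flags, ECDSA algorithm code, 64-byte raw public key), verifies the checksum, reports whether the header claims authentication and which curve it records, and prints the hash of the embedded public key in the same eight-word form that "stm32key read" printed in section 5.1.3.1, so that it can be compared with the OTP values before fusing and with the xxd output of section 5.1.2.4. Two points are assumptions of this script, to be confirmed against ST's header specification for your ROM version: the PKH is SHA-256 over the raw 64-byte public key, and option-flag bit 0 set means the image is not to be signature-checked (an unsigned build). The build_stm32_header helper exists only so that the script can be exercised without a board; it cannot produce a valid signature.

```python
"""Inspect the 256-byte STM32 header of an FSBL/SSBL image (added example, see lead-in)."""
import hashlib
import struct

# STM32 header v1 layout: magic, 64-byte ECDSA signature, checksum, header version,
# image length, entry point, reserved, load address, reserved, version number,
# option flags, ECDSA algorithm, 64-byte raw public key, 83 bytes padding, binary type.
HEADER_FMT = "<4s64sIIIIIIIIII64s83xB"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 256
MAGIC = b"STM2"                                   # 0x324D5453 stored little-endian
ALGORITHMS = {1: "P-256 NIST", 2: "Brainpool 256"}
NO_SIGNATURE_CHECK = 0x1                          # option-flag bit 0 (assumption, see lead-in)


def parse_stm32_header(blob):
    """Return (header dict, payload bytes); raises ValueError if this is not an STM32 image."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than one STM32 header")
    (magic, signature, checksum, header_version, image_length, entry_point, _reserved1,
     load_address, _reserved2, version_number, option_flags, algorithm, public_key,
     binary_type) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic %r, not an STM32 image" % magic)
    header = {
        "signature": signature, "checksum": checksum, "header_version": header_version,
        "image_length": image_length, "entry_point": entry_point, "load_address": load_address,
        "version_number": version_number, "option_flags": option_flags,
        "algorithm": ALGORITHMS.get(algorithm, "unknown(%d)" % algorithm),
        "public_key": public_key, "binary_type": binary_type,
    }
    return header, blob[HEADER_LEN:HEADER_LEN + image_length]


def payload_checksum(payload):
    """The header's checksum field: 32-bit sum of every payload byte."""
    return sum(payload) & 0xFFFFFFFF


def is_signed(header):
    """True when the header asks for authentication and carries a non-empty signature."""
    return not (header["option_flags"] & NO_SIGNATURE_CHECK) and any(header["signature"])


def public_key_hash(header):
    """SHA-256 of the raw 64-byte public key: the PKH KeyGen writes to pubKeyHash.bin (assumption)."""
    return hashlib.sha256(header["public_key"]).digest()


def otp_words(digest):
    """Format a 32-byte PKH as the eight words 'stm32key read' prints for OTP 24..31."""
    return ["%x" % int.from_bytes(digest[i:i + 4], "big") for i in range(0, 32, 4)]


def describe_image(blob):
    """Everything worth checking before flashing, and before closing the device."""
    header, payload = parse_stm32_header(blob)
    return {
        "signed": is_signed(header),
        "algorithm": header["algorithm"],
        "checksum_ok": payload_checksum(payload) == header["checksum"],
        "length_ok": len(payload) == header["image_length"],
        "otp_words": otp_words(public_key_hash(header)),
    }


def build_stm32_header(payload, public_key, signature=bytes(64), algorithm=1,
                       option_flags=0, entry_point=0, load_address=0, binary_type=0):
    """Wrap a payload in a v1 header. Test scaffolding only: the signature field is
    copied as given, so this cannot produce an authenticated image; real signing is
    done by STM32MP_SigningTool_CLI."""
    return struct.pack(HEADER_FMT, MAGIC, signature, payload_checksum(payload), 0x00010000,
                       len(payload), entry_point, 0, load_address, 0, 0, option_flags,
                       algorithm, public_key, binary_type) + payload


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, describe_image(fh.read()))
```

Run "python3 stm32hdr.py tf-a-stm32mp157a-av96-trusted-signed.stm32 u-boot-stm32mp157a-av96-trusted-signed.stm32" on the PC. For the images of this section expect signed True, checksum_ok True and an algorithm matching the curve KeyGen reported, and the otp_words list must equal the eight values that stm32key read back. A different list means the image was signed with a key other than the one whose hash is (or is about to be) in OTP, and it will not boot once the device is closed.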

5.1.5 Flash the signed image

Once the images are signed, they can be flashed to the target board.
1. From the mounted SD-card, identify the FSBL and SSBL partitions.
2. The generic partition layout (as seen from the board) is:

bootfs -> ../../mmcblk0p4
fsbl1 -> ../../mmcblk0p1 ➔ FSBL (TF-A)
fsbl2 -> ../../mmcblk0p2 ➔ FSBL backup (TF-A backup, same content as FSBL)
rootfs -> ../../mmcblk0p5
ssbl -> ../../mmcblk0p3 ➔ SSBL (U-Boot)
userfs -> ../../mmcblk0p6

3. The signed FSBL is flashed to partitions 1 and 2 (/dev/sdX1 and /dev/sdX2 on the PC).
4. The signed SSBL is flashed to partition 3 (/dev/sdX3).
5. Flash the newly signed images. /dev/sdb below is the device name the SD-card received on the PC used
for this guide; confirm yours with lsblk before running dd, because dd writes to whatever block device it
is given without asking.

FSBL:
sudo dd if=tf-a-stm32mp157a-av96-trusted-signed.stm32 of=/dev/sdb1 bs=1M conv=fdatasync status=progress && sync

sudo dd if=tf-a-stm32mp157a-av96-trusted-signed.stm32 of=/dev/sdb2 bs=1M conv=fdatasync status=progress && sync

SSBL:
sudo dd if=u-boot-stm32mp157a-av96-trusted-signed.stm32 of=/dev/sdb3 bs=1M conv=fdatasync status=progress && sync

5.1.6 Verify Authentication

5.1.6.1 Boot ROM authentication
With a signed binary, the ROM code authenticates the FSBL and then starts it.
If the authentication fails, the ROM code enters a serial boot loop, indicated by the blinking error LED (see the ST wiki page on Boot ROM common debug and error cases).
The ROM code exposes authentication services to the FSBL that use the same ECC key pair, so the FSBL does not need its own ECDSA implementation.

5.1.6.2 TF-A authentication

TF-A is the FSBL used by the trusted boot chain. It is in charge of loading and verifying the U-Boot and (if used) OP-TEE image binaries.
Each time a signed binary is loaded, TF-A prints an authentication status message on the console.
If the image authentication fails, the boot stage traps the CPU and no further trace is displayed.

5.1.7 Close the device

Notice that this last step is not shown in the diagram above.

Without any other modification, the device is able to perform image authentication, but non-authenticated images can still be used and executed: the device is still open. Treat this as a test mode to check that the PKH is properly set and that the signed images authenticate correctly.

As soon as the authentication process is confirmed, the device can be closed, which forces the use of signed images.

OTP WORD0 bit 6 is the OTP bit that closes the device. Burning this bit locks the authentication processing and forces authentication in the Boot ROM. Non-signed binaries are no longer accepted by the target.

To program this bit, the STM32CubeProgrammer or the U-Boot command line interface can be used. Here is how to proceed with U-Boot:

Board $> fuse prog 0 0x0 0x40

This is a one-time programmable fuse and cannot be reverted. Before burning it, make sure the PKH in OTP matches the key pair used to sign the images and that the signed FSBL and SSBL have already booted successfully on the open device: a closed device with a wrong PKH or an unsigned FSBL can no longer boot from the flashed images.

5.2 Measured Boot with OPTIGA™ TPM2.0

5.2.1 Measured boot steps to verify the platform integrity

[Figure 4: Measured Boot flow between the TPM and the Avenger96 board]

At power-up, the STM32MP1 ROM code loads the FSBL. The FSBL loads U-Boot, and U-Boot loads the Linux kernel, device tree and root file system, from which the Linux application software starts. In the approach used by this kit, the following steps occur:
1. Once Linux is up, the kernel image is hashed (SHA-256).
2. The hash is extended into a TPM PCR (PCR 16 in this guide).
3. On the first, trusted boot, the resulting PCR value is read back and stored as the reference value in a TPM NV area protected by a PCR policy.
4. On every subsequent boot, the kernel image is measured and extended again, the resulting PCR value is compared with the reference value read from the NV area, and a mismatch indicates that the kernel image has been modified.

Two limitations of this demonstration flow should be kept in mind. The measurement is taken by software running in Linux after boot, so it measures the file /boot/uImage on the mounted root file system rather than the code that was actually executed; a full measured boot extends the PCRs from each boot stage, as described in 6.7. And PCR 16 is the TPM's debug PCR, which can be reset from software (tpm2_pcrreset), so anything running as root on the board can reset it and replay the reference hash; a production design uses a PCR that cannot be reset from the OS (PCR 0 to 15), extended before the untrusted OS runs.

The commands below use the tpm2-tools 3.x option syntax used throughout this guide; tpm2-tools 4.x and later renamed tpm2_pcrlist to tpm2_pcrread and changed most short options.

Measuring Kernel Image Hash

Once the board is booted and the rootfs is mounted, take a measurement (SHA-256 digest) of the kernel image and keep it in a shell variable:

root@stm32mp1-av96 $ kernel_hash=$(sha256sum /boot/uImage | cut -d' ' -f1)

Extending Measured Hash to PCR

The calculated kernel image hash is extended into PCR 16 of the SHA-256 bank:

root@stm32mp1-av96 $ tpm2_pcrextend 16:sha256=$kernel_hash

Reading Content from Specified PCR

Read the resulting PCR value, which is the value to be stored in the NV area:

root@stm32mp1-av96 $ tpm2_pcrlist -L sha256:16 -o pcr_kernel_original.bin

Generating TPM Measured Boot Policy

Generate a PCR policy bound to this PCR value; the NV area defined next is tied to it:

root@stm32mp1-av96 $ tpm2_createpolicy --policy-pcr -L sha256:16 -F pcr_kernel_original.bin -o policy_pcr_kernel_original.out

Define NV Area in TPM for PCR Storage

Create a 32-byte NV index to hold the reference PCR value, owned by the TPM owner hierarchy (0x40000001) and carrying the policy:

root@stm32mp1-av96 $ tpm2_nvdefine -x 0x1500016 -a 0x40000001 -s 32 -L policy_pcr_kernel_original.out -b "policyread|policywrite|authread|authwrite|ownerwrite|ownerread"

Note that with authread, authwrite, ownerread and ownerwrite also set, the index can be read and written with the (empty) index or owner authorization, so the PCR policy is not actually enforced by the TPM. If the reference value must only be readable or writable while PCR 16 holds the expected value, define the index with policyread|policywrite only.

Writing the PCR value to the NV area

Store the PCR value in the NV index just defined, authorizing the write with a PCR policy session:

root@stm32mp1-av96 $ tpm2_nvwrite -x 0x1500016 -a 0x1500016 -P pcr:sha256:16 pcr_kernel_original.bin

Verifying Platform Integrity

Reboot the board (PCR 16 returns to its reset value), measure the kernel again and compare the new PCR value with the stored reference:

root@stm32mp1-av96 $ kernel_hash=$(sha256sum /boot/uImage | cut -d' ' -f1)
root@stm32mp1-av96 $ tpm2_pcrextend 16:sha256=$kernel_hash
root@stm32mp1-av96 $ tpm2_pcrlist -L sha256:16 -o pcr_kernel_measured.bin
root@stm32mp1-av96 $ tpm2_nvread -x 0x1500016 -a 0x1500016 -s 32 > pcr_kernel_original.bin
root@stm32mp1-av96 $ cmp pcr_kernel_measured.bin pcr_kernel_original.bin

If the two files are identical (cmp prints nothing and exits 0), the kernel image is unchanged since the reference was taken. Any difference means the image, or the measurement sequence, has changed.


6 APPENDIX
6.1 Avenger96 Board

The STM32MP157 is a highly integrated multi-market system-on-chip designed for secure, space-constrained Internet of Things applications. The Avenger96 board features its dual Arm Cortex-A7 cores and Arm Cortex-M4 core together with an extensive set of interfaces and connectivity peripherals for cameras, touchscreen displays and MMC/SD cards. It also fully supports wireless communication, including WLAN and BLE.

Arrow's Avenger96 integrates the high-end STM32MP157 SoC, which offers dual 650 MHz Cortex-A7 cores and a 209 MHz Cortex-M4 with FPU, MPU and DSP instructions. The STM32MP157 includes the optional 533 MHz Vivante 3D GPU with support for OpenGL ES 2.0 and 24-bit parallel RGB displays up to WXGA (1280x800) at 60 fps, and is the only model of the family with MIPI-DSI support.

96Boards (http://www.96boards.org) is a 32-bit and 64-bit Arm open platform specification hosted by Linaro™, intended to serve the software/maker and embedded OEM communities.

Processor
 STM32MP157AAC, replaced on this kit by the STM32MP157CAC in order to enable the secure boot feature (the A variant has no secure boot)
 2x Arm Cortex-A7 up to 650 MHz
 1x Arm Cortex-M4 up to 200 MHz
 1x 3D GPU Vivante @ 533 MHz, OpenGL ES 2.0
Memory/Storage
 eMMC v4.51: 8 Gbyte
 SD 3.0 (UHS-I)
 QSPI: 2 Mbyte
 EEPROM: 128 byte
 microSD socket: UHS-1 v3.01
 RAM: 1024 Mbyte @ 533 MHz

I/O Interfaces
 USB: 2x Type-A 2.0 high-speed host and OTG, 1x micro-B 2.0 high-speed
 One 40-pin Low Speed (LS) expansion connector (UART, SPI, I2S, I2C x2, GPIO x12, DC power)
 One 60-pin High Speed (HS) expansion connector (4L-MIPI DSI, USB, I2C x2, 4L-MIPI CSI, 1x SPI)
 The board can be made compatible as an add-on mezzanine board

Connectivity
 Bluetooth 4.2 (Bluetooth Low Energy)
 High performance 2.4 GHz and 5 GHz WLAN
 Ethernet 10/100/1000 Mbps

Video
 HDMI: WXGA (1366x768) @ 60 fps, HDMI 1.4

Power, Mechanical and Environmental
 Power: +8.0 V to +18 V
 Dimensions: 85 mm x 100 mm
 96Boards™ Consumer Edition standard dimensions specifications
 Operating temperature: 0 - 40 °C

Software
 U-Boot version: U-Boot 2018.09-stm32mp-r2
 Linux version: Linux stm32mp1-av96 4.14.48

Linux Distribution: ST OpenSTLinux Weston (a Yocto Project based distro)

6.2 AWS Greengrass

AWS IoT Greengrass software extends cloud capabilities to local devices. This allows cloud-based management of application logic, which can be used for the following and more:
 collect and analyze data
 react autonomously to local events
 communicate securely on local networks
 run AWS Lambda functions and pre-built connectors to create serverless applications that are deployed to devices for local execution
 buffer messages in a local pub/sub message manager so that inbound and outbound messages to the cloud are preserved when there is no cloud connectivity

The following diagram shows the basic architecture of AWS IoT Greengrass.

Figure 5: AWS Greengrass Group

AWS IoT Greengrass core software provides the following functionality:
 Deployment and local execution of connectors and Lambda functions.
 Local processing of data streams with automatic export to the AWS Cloud.
 MQTT messaging over the local network between devices, connectors, and Lambda functions using managed subscriptions.
 MQTT messaging between AWS IoT and devices, connectors, and Lambda functions using managed subscriptions.
 Secure connections between devices and the AWS Cloud using device authentication and authorization.
 Local shadow synchronization of devices. Shadows can be configured to sync with the AWS Cloud.
 Secure encrypted storage of local secrets and controlled access by connectors and Lambda functions.
 Automatic IP address detection that enables devices to discover the Greengrass core device.


6.3 Tresor Mezzanine OPTIGA™ TPM 2.0

The Tresor Mezzanine board adds state-of-the-art secure elements to a 96Boards board. The board is shown in Figure 6.

Figure 6: Tresor Mezzanine OPTIGA™ TPM 2.0

The board is equipped with three separate chips that provide security features:
 The SLB9670x provides Trusted Platform Module (TPM) 2.0 functionality over SPI on the standard 96Boards LS expansion connector. This is the TPM used by the measured boot steps in section 5.2.
 The SLB9645x TPM 1.2 chip communicates over I2C on the same low-speed expansion connector.
 The SLS32AIA020A Trust E authentication chip shares the I2C bus with the TPM 1.2 module.

Figure 10: Tresor Mezzanine connector OPTIGA™ TPM 2.0


6.4 Trusted Platform Module – TPM

A cryptographic processor is present on most commercial PCs and servers. A typical crypto processor provides three key capabilities:
 Establishing a root of trust
 Secure boot
 Device identification

Establishing a root of trust

A TPM can help prevent, or at least detect, a bootkit attack by anchoring a trusted sequence of boot operations.

The following questions often arise about a running system:
 Is the operating system that is running appropriately secure?
 Is the firmware that booted the OS appropriately secure?
 Is the underlying hardware appropriately secure?

Each layer must trust the layer below, as illustrated in the following diagram.

Figure 7: Root of Trust

At the root of this chain is the hardware, which has to be inherently trusted and forms the base on which the chain of trust is established.

A root of trust can be defined as any or all of the following:
 A set of functions in a trusted computing module that is always trusted by the firmware/OS
 A prerequisite for the secure boot process
 A component that helps in the detection of bootkits

Secure boot
Secure boot builds on the underlying notion of a root of trust to protect the boot process from being compromised on the device.
If the chain of trust is broken, the boot process is aborted and the device attempts to go back to its last known good state. Measured boot is an extension of this idea in which the device does not halt the boot process. Instead, it records the identity of each component that participates in the boot process, so that these component identities can be verified later against a list of approved component identities for that device.

These two processes are illustrated in the following diagram.

Figure 8: Measured/Trusted Boot Process

A typical sequence of a measured boot is as follows:
 The boot ROM acts as the root of trust.
 Upon a device reset, each image that forms part of the boot sequence is measured (hashed) before execution.
 The measurements are stored in the TPM's PCRs.
 Each measurement serves as the proxy for the root of trust for the subsequent step in the boot sequence.
 Normally, only critical and security-sensitive processes and configuration files are considered for measurement.
 After the security-sensitive processes are completed, the device enters the unmeasured boot stage before entering the normal system operation state.

Device identification
Device identification comprises the following steps:
 Check the identity of the device that is communicating with the messaging gateway.
 Generate key pairs for the device, which are then used to authenticate and encrypt the traffic.
 The TPM stores the keys in tamper-resistant hardware.
 The keys are generated by the TPM itself and are thereby protected from being retrieved by external programs.

The Greengrass integration described in this guide uses the PKCS#11 interface to the TPM for these device keys.
6.5 Boot chain environment overview

6.5.1 Generic boot sequence

Starting Linux® on a processor is done in several steps that progressively initialize the platform peripherals and memories. These steps are explained in the following paragraphs and illustrated by the diagram below, which also gives typical memory sizes for each stage.

Figure 9: Generic Boot Sequence

6.5.2 STM32MP15 boot chain
6.5.2.1 Overview
The STM32MP15 boot chain uses Trusted Firmware-A (TF-A) as the FSBL in order to fulfill the requirements of security-sensitive customers, and U-Boot as the SSBL. Authentication is optional with this boot chain, so it can run on any STM32MP15 device security variant (that is, with or without secure boot); only the signed-image and closed-device steps of section 5.1 require the C variant.

Refer to the security overview for an introduction of the secure features available on STM32MP15,
from the secure boot up to trusted applications execution.

[Note: We have swapped the MPU IC on the AVENGER96 board from the STM32MP157A to
STM32MP157CAC, which supports secure boot.]

Figure 10: STM32MP15 boot chain


Note:
The STM32MP15 coprocessor can be started at the SSBL level by the U-Boot early boot feature, or later
by the Linux remoteproc framework, depending on the application startup time-targets.

6.5.2.2 ROM Code


The ROM code starts the processor in secure mode. It supports the FSBL authentication and offers
authentication services to the FSBL.

6.5.2.3 First Stage Boot Loader (FSBL)


The FSBL is executed from the SYSRAM.
Among other things, this boot loader initializes (part of) the clock tree and the DDR controller. Finally,
the FSBL loads the second-stage boot loader (SSBL) into the DDR external RAM and jumps to it.
Trusted Firmware-A (TF-A) is the FSBL used on the STM32MP15.


6.5.2.4 Second Stage Boot Loader (SSBL)


U-Boot is commonly used as a bootloader in embedded software and it is the one used on
STM32MP15.
6.5.2.5 Linux
Linux® OS is loaded in DDR by U-Boot and executed in the non-secure context.
6.5.2.6 Secure OS / Secure Monitor
The Cortex-A7 secure world can implement a minimal secure monitor (from TF-A or U-Boot) or a real
secure OS, such as OP-TEE.

6.6 Building a Secure Signed Image

Once the key pair has been generated, the FSBL and SSBL binaries must be signed. The STM32 signing tool fills in the STM32 binary header that is parsed by the ROM code and TF-A to authenticate each binary.

 STM32 Header
Each binary image (signed or not) loaded by the ROM code and by TF-A needs a specific STM32 header placed in front of the binary data. The header includes the authentication information.

Figure 11: STM32 Image Header Description

Figure 12: STM32 Image Header Detailed Description

 Image signature: calculated from the first byte of the header version field to the last byte of the image, as given by the image length field.
 Image checksum: 32-bit sum of all payload bytes accessed as 8-bit unsigned numbers, discarding any overflow bits. Used to check the downloaded image integrity when the signature is not used (if b0=1 in the option flags).
 Image length: the length of the built image; it does not include the length of the STM32 header (256 bytes).
 This field is not used by the ROM code.
 Image version number: an anti-rollback monotonic counter. The ROM code checks that it is higher than or equal to the monotonic counter stored in OTP.
 Option flags: enabling signature verification (b0=0) is mandatory on secure closed chips.
 ECDSA public key: an extract of the PEM public key file that keeps only the ECC point coordinates x and y in raw binary format (RFC 5480). This field is hashed with SHA-256 and compared to the hash of the public key (PKH) stored in OTP.
 Padding: forces the STM32 header size to 256 bytes (0x100).
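The following parser is an added example, not code from this guide or from STMicroelectronics: it lays out the 256-byte STM32 header v1.0 described above and performs the offline checks the ROM code does on a signed FSBL/SSBL from 5.1.4 (magic, checksum, option flags, anti-rollback version, hash of the embedded public key against the OTP PKH). The payload, raw public key, addresses and signature bytes are constructed test data, and the ECDSA signature itself is not verified here; only its presence and the region it covers are reported.

```python
"""Offline parser and sanity checker for the 256-byte STM32 image header (v1.0)
that STM32MP_SigningTool_CLI fills in.  Added example: the image, key, addresses
and signature below are constructed test data, not real boot images."""
import hashlib
import struct
from typing import List, Optional

HEADER_SIZE = 0x100
MAGIC = 0x324D5453           # 'S','T','M',0x32 read as a little-endian word
HEADER_V1 = 0x00010000       # header version 1.0
OPT_NO_SIGNATURE = 1 << 0    # option flags bit 0: checksum only, no signature check

# Ten little-endian words at offset 0x44: checksum, header version, image length,
# entry point, reserved1, load address, reserved2, version number, option flags,
# ECDSA algorithm.  They end at 0x6C, where the 64-byte raw public key starts.
_FIELDS = struct.Struct("<10I")


def stm32_checksum(payload: bytes) -> int:
    """32-bit sum of all payload bytes as unsigned 8-bit values, overflow discarded."""
    return sum(payload) & 0xFFFFFFFF


def public_key_hash(pubkey_xy: bytes) -> bytes:
    """SHA-256 of the raw x||y point (64 bytes); this is the PKH burned into OTP."""
    if len(pubkey_xy) != 64:
        raise ValueError("raw P-256 public key must be 64 bytes (x||y)")
    return hashlib.sha256(pubkey_xy).digest()


def build_image(payload: bytes, pubkey_xy: bytes, signature: bytes = bytes(64),
                entry: int = 0, load: int = 0, version: int = 0,
                option_flags: int = 0, algo: int = 1) -> bytes:
    """Assemble header + payload.  The signature is taken as given: real images carry
    an ECDSA signature over bytes 0x48..end of image, which this helper does not compute."""
    if len(signature) != 64 or len(pubkey_xy) != 64:
        raise ValueError("signature (r||s) and public key (x||y) must be 64 bytes each")
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<I", hdr, 0x00, MAGIC)
    hdr[0x04:0x44] = signature
    _FIELDS.pack_into(hdr, 0x44, stm32_checksum(payload), HEADER_V1, len(payload),
                      entry, 0, load, 0, version, option_flags, algo)
    hdr[0x6C:0xAC] = pubkey_xy   # padding 0xAC..0xFE and binary type at 0xFF stay zero
    return bytes(hdr) + payload


def parse_image(blob: bytes) -> dict:
    """Split an STM32 image into its header fields and payload."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("shorter than an STM32 header")
    (magic,) = struct.unpack_from("<I", blob, 0x00)
    (checksum, hdr_ver, length, entry, _r1, load, _r2,
     version, options, algo) = _FIELDS.unpack_from(blob, 0x44)
    return {
        "magic": magic, "signature": blob[0x04:0x44], "checksum": checksum,
        "header_version": hdr_ver, "length": length, "entry_point": entry,
        "load_address": load, "version": version, "option_flags": options,
        "ecdsa_algorithm": algo, "public_key": blob[0x6C:0xAC],
        "payload": blob[HEADER_SIZE:HEADER_SIZE + length],
        # region covered by the ECDSA signature: header version field to end of image
        "signed_region": blob[0x48:HEADER_SIZE + length],
    }


def check_image(blob: bytes, otp_pkh: Optional[bytes] = None,
                otp_counter: int = 0) -> List[str]:
    """Mimic the ROM code's offline checks; returns the list of failures (empty = ok).
    otp_pkh / otp_counter stand in for the OTP words of the target device."""
    img = parse_image(blob)
    problems = []
    if img["magic"] != MAGIC:
        problems.append("bad magic")
    if img["header_version"] != HEADER_V1:
        problems.append("unsupported header version")
    if len(blob) < HEADER_SIZE + img["length"]:
        problems.append("payload truncated")
    elif stm32_checksum(img["payload"]) != img["checksum"]:
        problems.append("checksum mismatch")
    if img["option_flags"] & OPT_NO_SIGNATURE:
        problems.append("signature check disabled (option bit 0); closed devices reject this")
    elif img["signature"] == bytes(64):
        problems.append("signature field empty")
    if img["version"] < otp_counter:
        problems.append("version below OTP anti-rollback counter")
    if otp_pkh is not None and public_key_hash(img["public_key"]) != otp_pkh:
        problems.append("public key hash does not match OTP PKH")
    return problems


if __name__ == "__main__":
    # Constructed data: a dummy payload, a dummy raw public key and a dummy signature.
    payload = bytes(range(256)) * 4
    pubkey = hashlib.sha256(b"x").digest() + hashlib.sha256(b"y").digest()
    good = build_image(payload, pubkey, signature=b"\xAA" * 64, version=3)
    print("signed image:", check_image(good, otp_pkh=public_key_hash(pubkey), otp_counter=2) or "ok")
    unsigned = build_image(payload, pubkey, option_flags=OPT_NO_SIGNATURE)
    print("unsigned image:", check_image(unsigned, otp_pkh=public_key_hash(pubkey)))
    tampered = bytearray(good)
    tampered[-1] ^= 0x01
    print("tampered payload:", check_image(bytes(tampered)))
```

Run it against a real signed image by reading the .stm32 file into check_image together with the PKH value programmed in OTP; the public_key_hash output for the key extracted from the header is also the value to compare with the OTP words before closing the device in 5.1.7.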


6.7 Measured boot Principles

Measured boot is a way to inform the last software stage that someone has tampered with the platform. It is impossible to know exactly what has been corrupted, but knowing that something has is already enough to refuse to reveal secrets. Indeed, TPMs offer a small secure locker where users can store keys, passwords, authentication tokens, etc. These secrets are not exposed anywhere (unlike with any standard storage media), and TPMs have the capability to release them only under specific conditions. Here is how it works.

Starting from a root of trust (typically the SoC Boot ROM), each software stage during the boot process (BL1, BL2, BL31, BL33/U-Boot, Linux) is supposed to take some measurements and store them in a safe place. A measurement is just a digest (say, a SHA-256) of a memory region. Usually each stage digests the next one. Each digest is then sent to the TPM, which merges this measurement with the previous ones.

The hardware feature used to store and merge these measurements is called Platform Configuration Registers (PCR). At power-up, a PCR is set to a known value (usually either all 0x00 or all 0xFF). Sending a digest to the TPM is called extending a PCR, because the chosen register extends its value with the one received, using the following logic (|| is concatenation):

PCR[x] := sha256(PCR[x] || digest)

This way, a PCR can only evolve in one direction and never go back unless the platform is reset; the stored value is therefore a record of the whole sequence of measurements, not just the last one.
In a typical measured boot flow, a TPM can be configured to disclose a secret only under a certain PCR state. Each software stage is in charge of extending a set of PCRs with digests of the next software stage. Once in Linux, user software may ask the TPM to deliver its secrets, but the only way to get them is to have all the PCRs matching a known pattern. This can only be obtained by extending the PCRs in the right order, with the right digests.
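The block below is an added example (not code from this guide, from tpm2-tools or from Infineon) that models the two TPM computations behind the PCR formula above and the runbook in 5.2: the PCR extend operation, and the TPM2_PolicyPCR digest that tpm2_createpolicy --policy-pcr produces for a given PCR 16 value. With it the reference PCR value and the NV policy digest can be precomputed on the build host from the kernel image alone, instead of being read off the board after a first boot. The kernel bytes are constructed; the code talks to no TPM and assumes the SHA-256 bank with PCR 16 starting from all zeros.

```python
"""Offline model of the TPM 2.0 operations behind sections 5.2 and 6.7:
PCR extend, the marshalled PCR selection and the TPM2_PolicyPCR digest.
Added example with a constructed kernel image; it talks to no TPM."""
import hashlib
import struct
from typing import Iterable, Sequence

TPM_ALG_SHA256 = 0x000B
TPM_CC_POLICY_PCR = 0x0000017F
PCR_RESET_VALUE = bytes(32)   # PCR 16 in the SHA-256 bank reads all-zero after reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR[x] := SHA256(PCR[x] || digest), the operation behind tpm2_pcrextend."""
    if len(pcr) != 32 or len(digest) != 32:
        raise ValueError("SHA-256 bank: PCR value and digest are 32 bytes each")
    return hashlib.sha256(pcr + digest).digest()


def pcr_after_extends(digests: Iterable[bytes], initial: bytes = PCR_RESET_VALUE) -> bytes:
    """Value a PCR holds after the given digests were extended, in order, since reset."""
    value = initial
    for d in digests:
        value = pcr_extend(value, d)
    return value


def pcr_selection(pcrs: Sequence[int], alg: int = TPM_ALG_SHA256) -> bytes:
    """Marshalled TPML_PCR_SELECTION with one bank: count, hash alg, sizeofSelect=3, bitmap."""
    bitmap = bytearray(3)
    for p in pcrs:
        if not 0 <= p < 24:
            raise ValueError("PCR index out of range")
        bitmap[p // 8] |= 1 << (p % 8)
    return struct.pack(">IHB", 1, alg, 3) + bytes(bitmap)


def policy_pcr_digest(pcr_values: Sequence[bytes], pcrs: Sequence[int],
                      previous: bytes = bytes(32)) -> bytes:
    """TPM2_PolicyPCR update: H(previous || TPM_CC_PolicyPCR || pcrs || H(PCR values)).
    Starting from an all-zero policy digest this is the policy that
    tpm2_createpolicy --policy-pcr -L sha256:16 -F <pcr file> writes out."""
    pcr_digest = hashlib.sha256(b"".join(pcr_values)).digest()
    return hashlib.sha256(previous + struct.pack(">I", TPM_CC_POLICY_PCR)
                          + pcr_selection(pcrs) + pcr_digest).digest()


def expected_pcr16_policy(kernel_image: bytes) -> tuple:
    """Reference PCR 16 value and NV policy for a kernel image, computed on the build host."""
    kernel_hash = hashlib.sha256(kernel_image).digest()   # same as sha256sum /boot/uImage
    pcr16 = pcr_after_extends([kernel_hash])              # one extend into a reset PCR 16
    return pcr16, policy_pcr_digest([pcr16], [16])


if __name__ == "__main__":
    kernel = b"constructed kernel image, not a real uImage"
    pcr16, policy = expected_pcr16_policy(kernel)
    print("expected PCR16 :", pcr16.hex())
    print("policy digest  :", policy.hex())
    # Edge case: extending the same hash twice without a reset yields another value,
    # so a second measurement in the same boot (or a PCR that was not reset) never matches.
    twice = pcr_after_extends([hashlib.sha256(kernel).digest()] * 2)
    print("extended twice :", twice.hex(), "(matches reference:", twice == pcr16, ")")
```

The expected PCR value is what the tpm2_pcrlist step in 5.2 reads back after the first extend, and the policy digest is what the NV index is defined with; if either differs from what the board produces, the PCR was not at its reset value when the kernel hash was extended.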
