
Add generated device certificate, device private key and code signing key usage to aws-iot-example #7

Merged
merged 14 commits into from
Sep 25, 2023

Conversation

bence-balogh
Contributor


Description

The device certificate and private key can be generated with a Python script. The generated keys are embedded into a separate binary blob that can be loaded to a predefined memory address. The provisioning procedure uses the data from this binary.

The code signing key is included in the provisioning bundle which is generated during the TF-M. This provisioning bundle also has to be loaded to a predefined address and during the MCUBoot initialization, the key is provisioned into the OTP.
The new TF-M version enables code-signing key generation but at the moment it's disabled for the aws-iot-example.

Test Steps

Built the aws-iot-example and ran an OTA test.

Checklist:

  • I have tested my changes. No regression in existing tests.
  • I have modified and/or added unit-tests to cover the code changes in this Pull Request.

Related Issue

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@bence-balogh bence-balogh requested a review from a team as a code owner September 19, 2023 12:43
@sirnish sirnish self-requested a review September 19, 2023 12:47
@urutva urutva force-pushed the dev/benbal01/provisioning branch 3 times, most recently from 4caef40 to 603c751 September 21, 2023 09:43
bence-balogh and others added 13 commits September 22, 2023 07:48
The keyCLIENT_CERTIFICATE_PEM, keyCLIENT_PRIVATE_KEY_PEM
and keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM macros are used
in the new provisioning binary. They are loaded into a predefined
address and the dev_mode_key_provisioning.c can use it directly.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Check the provisioning magic before and after the provisioning
data to see whether the bundle is loaded and valid.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
The credentials header that's used in the provisioning
binary blob is generated by the generate_credentials_header.py
python script. The script uses pem files to generate the header.
The pem files' paths can be passed with cmake definitions during
the cmake configuration.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
The .ld and .sct linker scripts for the provisioning_data
can include the provisioning_config.h this way, so the
addresses will always be in sync.

Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
The latest changes in TF-M include the possibility to disable TF-M dummy
provisioning and to enable the provisioning bundle to provision the OTA update
verification key.

In addition, create a patch to fix the following cmake build error.

Direct dependency on generated_private_key_s.pem causes build failure as
the generated file is in a different location than what CMake is
expecting.

Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
The corstone-300 target supports provisioning bundle in TF-M, therefore,
disable dummy provisioning and enable provisioning bundle.

Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
The `pyelftools` is needed by TF-M to generate provisioning bundle.

Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
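As an added illustration of the flow the PR description and the commit messages above lay out (this is not the project's generate_credentials_header.py or its provisioning code), the script below renders PEM credentials into the three header macros the provisioning binary uses, frames the data with a magic word before and after it, and performs the device-side check that the bundle is loaded and valid. The magic value, the little-endian u32 layout with a length field, and the PEM bodies are all constructed assumptions, not values from the project.

```python
import struct

# Assumed blob layout (the real magic value and layout are not on the page):
# u32 start magic, u32 data length, data, u32 end magic, all little-endian.
PROVISIONING_MAGIC = 0x50524F56
HEAD_FMT, TAIL_FMT = "<II", "<I"

# Macro names the provisioning binary expects (the three named in the PR).
CREDENTIAL_MACROS = ("keyCLIENT_CERTIFICATE_PEM", "keyCLIENT_PRIVATE_KEY_PEM",
                     "keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM")

# Constructed stand-in PEM bodies; not real keys or certificates.
SAMPLE_PEMS = {
    "keyCLIENT_CERTIFICATE_PEM": "-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----",
    "keyCLIENT_PRIVATE_KEY_PEM": "-----BEGIN PRIVATE KEY-----\nQkJC\n-----END PRIVATE KEY-----",
    "keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM": "-----BEGIN CERTIFICATE-----\nQ0ND\n-----END CERTIFICATE-----",
}

def pem_to_c_literal(pem: str) -> str:
    """Render a PEM body as adjacent C string literals, one per PEM line."""
    return " \\\n    ".join('"%s\\n"' % line for line in pem.strip().splitlines())

def generate_credentials_header(pems: dict) -> str:
    """Emit the credentials header that the provisioning blob is compiled from."""
    out = ["#ifndef PROVISIONING_CREDENTIALS_H", "#define PROVISIONING_CREDENTIALS_H", ""]
    for macro in CREDENTIAL_MACROS:
        if macro not in pems:
            raise ValueError("missing PEM for %s" % macro)
        out.append("#define %s \\\n    %s\n" % (macro, pem_to_c_literal(pems[macro])))
    out.append("#endif /* PROVISIONING_CREDENTIALS_H */")
    return "\n".join(out)

def build_provisioning_blob(credentials: bytes) -> bytes:
    """Frame the credential data with the magic before and after it."""
    return (struct.pack(HEAD_FMT, PROVISIONING_MAGIC, len(credentials))
            + credentials + struct.pack(TAIL_FMT, PROVISIONING_MAGIC))

def provisioning_blob_is_valid(blob: bytes) -> bool:
    """Device-side check: both magics present at their expected offsets.
    Catches a missing or truncated bundle, not a tampered one."""
    head_len, tail_len = struct.calcsize(HEAD_FMT), struct.calcsize(TAIL_FMT)
    if len(blob) < head_len + tail_len:
        return False
    start_magic, data_len = struct.unpack(HEAD_FMT, blob[:head_len])
    end = head_len + data_len
    if start_magic != PROVISIONING_MAGIC or end + tail_len > len(blob):
        return False
    (end_magic,) = struct.unpack(TAIL_FMT, blob[end:end + tail_len])
    return end_magic == PROVISIONING_MAGIC
```

The length field is what lets the check find the trailing magic when the blob is read from a memory region larger than the bundle itself; a magic-only framing says nothing about the integrity of the bytes in between, which is why the OTA verification key still arrives through the signed TF-M provisioning bundle.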
@urutva urutva merged commit 5b44cdf into FreeRTOS:main Sep 25, 2023
4 checks passed