Add generated device certificate, device private key and code signing key usage to aws-iot-example #7
Merged: urutva merged 14 commits into FreeRTOS:main from bence-balogh:dev/benbal01/provisioning on Sep 25, 2023
Conversation
urutva force-pushed the dev/benbal01/provisioning branch 3 times, most recently from 4caef40 to 603c751 on September 21, 2023 09:43
The keyCLIENT_CERTIFICATE_PEM, keyCLIENT_PRIVATE_KEY_PEM and keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM macros are used in the new provisioning binary. They are loaded into a predefined address and the dev_mode_key_provisioning.c can use it directly. Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Check the provisioning magic before and after the provisioning data to see whether the bundle is loaded and valid. Signed-off-by: Bence Balogh <bence.balogh@arm.com>
The credentials header that's used in the provisioning binary blob is generated by the generate_credentials_header.py python script. The script uses pem files to generate the header. The pem files' paths can be passed with cmake definitions during the cmake configuration. Signed-off-by: Bence Balogh <bence.balogh@arm.com>
The .ld and .sct linker scripts for the provisioning_data can include the provisioning_config.h this way, so the addresses will always be in sync. Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
The latest changes in TF-M include the possibility to disable TF-M dummy provisioning and enabling provisioning bundle to provision OTA update verification key. In addition, create a patch to fix the following cmake build error. Direct dependency on generated_private_key_s.pem causes build failure as the generated file is in a different location than what CMake is expecting. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
The corstone-300 target supports provisioning bundle in TF-M, therefore, disable dummy provisioning and enable provisioning bundle. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
The `pyelftools` is needed by TF-M to generate provisioning bundle. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
urutva force-pushed the dev/benbal01/provisioning branch from 603c751 to e9325b1 on September 22, 2023 07:49
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
urutva force-pushed the dev/benbal01/provisioning branch from b1741b5 to 4028476 on September 22, 2023 10:03
urutva approved these changes on Sep 22, 2023
aggarg approved these changes on Sep 24, 2023
Description
The device certificate and private key can be generated with a Python script. The generated keys are embedded into a separate binary blob that can be loaded to a predefined memory address. The provisioning procedure uses the data from this binary.
The code signing key is included in the provisioning bundle which is generated during the TF-M. This provisioning bundle also has to be loaded to a predefined address and during the MCUBoot initialization, the key is provisioned into the OTP.
The new TF-M version enables code-signing key generation but at the moment it's disabled for the aws-iot-example.
Test Steps
Built the aws-iot-example and ran an OTA test.
Checklist:
Related Issue
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
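The validity check the commits above describe (a provisioning magic before and after the credential data at a predefined address, checked before the data is trusted), as an added C example that is not the project's code; the struct layout, PROV_MAGIC, the field sizes and the make_* helpers are hypothetical stand-ins for what the project's provisioning_config.h actually defines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout: the project's provisioning_config.h defines the real magic, sizes and address. */
#define PROV_MAGIC   0xC0DEF00DU
#define PROV_PEM_MAX 128   /* toy field size; real PEM blocks are larger */

typedef struct {
    uint32_t magic_start;                        /* written first by the loader */
    char client_certificate_pem[PROV_PEM_MAX];   /* keyCLIENT_CERTIFICATE_PEM */
    char client_private_key_pem[PROV_PEM_MAX];   /* keyCLIENT_PRIVATE_KEY_PEM */
    char jitr_device_ca_pem[PROV_PEM_MAX];       /* keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM */
    uint32_t magic_end;                          /* written last: proves the tail arrived */
} provisioning_data_t;

/* Bounded scan: a PEM field is usable only if a NUL terminator sits inside the array. */
static bool pem_field_ok(const char *field, size_t max) {
    return memchr(field, '\0', max) != NULL;
}

/* Accept the bundle only when both magics match and every field is terminated in bounds. */
bool provisioning_data_is_valid(const provisioning_data_t *p) {
    if (p == NULL || p->magic_start != PROV_MAGIC || p->magic_end != PROV_MAGIC) return false;
    return pem_field_ok(p->client_certificate_pem, PROV_PEM_MAX)
        && pem_field_ok(p->client_private_key_pem, PROV_PEM_MAX)
        && pem_field_ok(p->jitr_device_ca_pem, PROV_PEM_MAX);
}

/* Constructed sample standing in for a fully loaded blob at the predefined address. */
const provisioning_data_t g_loaded_bundle = {
    .magic_start            = PROV_MAGIC,
    .client_certificate_pem = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
    .client_private_key_pem = "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
    .jitr_device_ca_pem     = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
    .magic_end              = PROV_MAGIC,
};

/* Nothing loaded: erased flash reads back as 0xFF, so neither magic matches. */
provisioning_data_t make_erased_bundle(void) {
    provisioning_data_t b;
    memset(&b, 0xFF, sizeof b);
    return b;
}

/* Partial load: the head is intact but the trailing magic never arrived. */
provisioning_data_t make_truncated_bundle(void) {
    provisioning_data_t b = g_loaded_bundle;
    b.magic_end = 0xFFFFFFFFU;
    return b;
}
```

The end magic is the check that catches a bundle whose head was flashed but whose credential tail was not, which a start-only check would accept.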