AWS IoT is a public cloud service to connected IoT devices and other AWS services. It provides a managed MQTT server, plus authentication, authorization and device management services.
AWS IoT provides secured, bi-directional communication between an Internet-connected Thing (the terminology of Thing can be used interchangeably with client, device, or endpoint) and the AWS cloud. This enables the collection of telemetry data from multiple Things, and the storage and analysis of the data. Users can also create applications that enable the control of these devices from mobile phones or tablets.
Things report their state by publishing JSON messages on MQTT topics. Each MQTT topic has a hierarchical name that identifies the Thing whose state is being updated. When a message is published on an MQTT topic, the message is sent to the AWS IoT MQTT message broker, which is responsible for sending all messages published on an MQTT topic to all clients subscribed to that topic.
Communication between a Thing and AWS IoT is protected through the use of Transport Layer Security and mutual authentication using X.509 certificates. AWS IoT can generate a certificate for you or you can use your own. In either case, the certificate must be registered and activated with AWS IoT, and then copied onto your Thing. When your Thing communicates with AWS IoT, it presents the certificate to AWS IoT as a credential to get authenticated and authorized~~.~~
The software and configuration in this Application Note has been tested with the following software installed on a Raspberry Pi 3 or 4. The latest version of these software packages can be downloaded and installed from the internet.
- AWS Account (Free tier is sufficient)
- Raspberry Pi 3/4
- Raspbian Buster (Linux 5.4.72-v7+)
- OpenSSL (tested with version 1.1.1d) 10 Sept 2019
- AWS Command Line Interface (CLI) aws-cli/1.16.113
- WiringPi version 2.5
- Libssl-dev version 1.1.1d-0_deb10u2
- gcc version 8.3.0-6+rpi1
- git version 1:2.20.1-2
Figure 1 Connection of Raspberry Pi 3 to Trust M
Note: Raspberry Pi 3/4 had I2C pull-up resistors populated on the GPIO pins.
Table 1
| Trust M Pin | Raspberry Pi Pin | Comments |
|---|---|---|
| 01 | 06 | Supply Voltage (GND) |
| 02 | Not Connected | |
| 03 | 03 | Serial Data Line (SDA) |
| 04 | Not Connected | |
| 05 | Not Connected | |
| 06 | Not Connected | |
| 07 | Not Connected | |
| 08 | 05 | Serial Clock Line (SCL) |
| 09 | 11* | Active Low Reset (RST) |
| 10 | 01 | Supply Voltage (VCC) |
*Note: pin 11 is GPIO17 in Raspberry Pi
If the Trust M Pin 09 is not connected to the Raspberry Pi Pin 11, a soft reset can be implemented by following these steps:
Change the reset type to use software reset as follow in the header file at "linux-optiga-trust-m/trustm_lib/optiga/include/optiga/"
- optiga_lib_config_m_v3.h for OPTIGA™ Trust M3 or
- optiga_lib_config_m_v1.h for OPTIGA™ Trust M1
#define OPTIGA_COMMS_DEFAULT_RESET_TYPE (1U)
Enables the I2C interface using the raspi-config tool command. Go to option 5 - Interfacing Options.
#Enable the Raspberry Pi I2C port
pi@raspberrypi:~ sudo raspi-config
Figure 2 Configure the I2C interface
Figure 3 Select the I2C interface
Figure 4 Enable the I2C interface
Figure 5 I2C interface is enabled
Install the require tool chain for Trust M software compilation.
#toolchain installation
pi@raspberrypi:~ sudo apt-get install libssl-dev
These steps explains how to setup the AWS CLI which can be used to communicate with AWS IoT core.
1. Install the AWS CLI by using the following apt-get command.
#installation of AWS CLI
pi@raspberrypi:~ sudo apt-get install awscli
2. Test and check if you already has the AWS CLI install successfully.
#check the AWS version
pi@raspberrypi:~ aws --version
Expected Output:
pi@raspberrypi:~ $ aws --version
aws-cli/1.16.113 Python/3.7.3 Linux/5.4.72-v7l+ botocore/1.12.103
In order to perform any interaction with AWS cloud, the credential must be input using the aws configure command. Details of how to obtain those information can be found in the Quickly Configuring the AWS CLI link.
External link: Quickly Configuring the AWS CLI
#fill in the AWS CLI login credentials
pi@raspberrypi:~ aws configure
AWS Access Key ID [None]: XXXXXXXXXXXXXXXXXXXX
AWS Secret Access Key [None]: XXXXXXXXXXXXX/XXXXXXX/XXXXXXXXXXXXXXXXX
Default region name [None]: XXXXXXXX
Default output format [None]: json
Once the AWS configuration is complete, the aws registration code can be shown using the below command to display the registration code that will be used to generate own CA certificate.
pi@raspberrypi:~ $ aws iot get-registration-code
{
"registrationCode":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
In addition, you can check the current active region endpoint. This information will be used in the MQTT client.
$ aws iot describe-endpoint --endpoint-type iot:Data-ATS
{
"endpointAddress": "XXXXXXXXXXXXX-ats.iot.aws-region.amazonaws.com"
}
pi@raspberrypi:~/trustm_v3 $ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git
Cloning into 'linux-optiga-trust-m.git'...
remote: Enumerating objects: 1362, done.
remote: Counting objects: 100% (590/590), done.
remote: Compressing objects: 100% (400/400), done.
remote: Total 1362 (delta 329), reused 411 (delta 174), pack-reused 772
Receiving objects: 100% (1362/1362), 1.67 MiB | 2.90 MiB/s, done.
Resolving deltas: 100% (850/850), done.
Submodule 'trustm_lib' (https://github.com/Infineon/optiga-trust-m.git) registered for path 'trustm_lib'
Cloning into '/home/pi/trustm_v3/linux-optiga-trust-m/trustm_lib'...
remote: Enumerating objects: 3506, done.
remote: Counting objects: 100% (21/21), done.
remote: Compressing objects: 100% (18/18), done.
remote: Total 3506 (delta 5), reused 8 (delta 2), pack-reused 3485
Receiving objects: 100% (3506/3506), 74.50 MiB | 2.44 MiB/s, done.
Resolving deltas: 100% (1831/1831), done.
Submodule path 'trustm_lib': checked out '955249c8da9edb953a14178b144788fe935586a5'
Compile the Trust M library
pi@raspberrypi:~/trustm_v3/linux-optiga-trust-m $ make
.......
………..
******* Linking bin/trustm_engine.so
Install the Trust M library
pi@raspberrypi:~/trustm_v3/linux-optiga-trust-m $ sudo make install
Create symbolic link to the openssl engine /usr/lib/arm-linux-gnueabihf/engines-1.1/trustm_engine.so
Create symbolic link to trustx_lib /usr/lib/arm-linux-gnueabihf/libtrustm.so
Check that the engine has been installed
pi@raspberrypi:~/trustm_v3/linux-optiga-trust-m $ openssl engine trustm_engine
(trustm_engine) Infineon OPTIGA TrustM Engine
Before the auto_provisioning script can be executed to create a thing with certificate from TrustM, the corresponding policy is needed to be created on the AWS IOT console.
-
Browse to the AWS IoT console.
-
In the navigation pane, go to Secure\ Policies section, click on create button, give a name and click on advanced mode
-
Then paste the following policy and click on create:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iot:*" ], "Resource": [ "*" ], "Effect": "Allow" } ] } -
Take note of the name of the policy which is created as it will be required in the later steps
AWS IoT uses X.509 certificates for asymmetric-key based authentication. In this Application Note, the certificate is created using a CSR generated by Trust M private key and the certificate is issued by AWS. The key pair is generated by the user and the device certificate is generated by uploading the CSR to AWS IoT.
The structure of the downloaded example:
pi@raspberrypi:~/temp/linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2 $ ls -l
total 84
drwxr-xr-x 5 pi pi 4096 Jun 9 14:28 aws_iot_src
drwxr-xr-x 4 pi pi 4096 Jun 9 14:28 aws_mqtt_embedded_client_lib
drwxr-xr-x 2 pi pi 4096 Jun 9 14:28 certs
-rw-r--r-- 1 pi pi 2725 Jun 9 14:28 CHANGELOG.md
-rw-r--r-- 1 pi pi 13179 Jun 9 14:28 LICENSE.txt
-rw-r--r-- 1 pi pi 600 Jun 9 14:28 NOTICE.txt
drwxr-xr-x 2 pi pi 4096 Jun 9 14:28 perso
drwxr-xr-x 2 pi pi 4096 Jun 9 14:28 pictures
-rw-r--r-- 1 pi pi 9838 Jun 9 14:28 PortingGuide.md
-rw-r--r-- 1 pi pi 7251 Jun 9 14:28 README1.md
-rw-r--r-- 1 pi pi 13006 Jun 9 14:28 README.md
drwxr-xr-x 5 pi pi 4096 Jun 9 14:28 sample_apps
Change the policy name in the auto_provision_to_aws.sh script located in linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/perso folder to match to the policy name you created in AWS IoT console
Note: Make sure the policy is already created in AWS IOT console and the policy name matches the name inside auto_provision_to_aws.sh script before running the script
pi@raspberrypi:~/temp/linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/perso $ sh auto_provision_to_aws.sh
Client1:-----> Creates new ECC 256 key length and Auth/Enc/Sign usage and generate a certificate request
engine "trustm_engine" set.
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = TrustM_Client1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a9:1d:e5:57:e2:fb:63:29:3b:1c:cd:ba:ad:b8:
d5:2a:57:61:e3:3b:bc:50:2f:5a:d6:2b:89:36:bc:
33:e0:d8:39:9b:4b:8a:80:ff:9c:09:8d:4e:fc:ca:
49:c8:d6:6d:ef:bb:07:16:6d:3b:13:ee:20:7a:85:
63:2a:dd:bc:9b
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:5a:3e:ce:ad:36:6b:86:d5:6e:36:08:56:47:bc:
b9:17:e0:c2:a7:ff:cd:e8:2d:0e:e4:a9:fb:27:38:78:56:7f:
02:21:00:e7:6f:6e:ba:85:87:33:5d:16:77:61:bc:ba:4a:78:
86:7c:b9:8f:53:90:f3:f0:b5:4c:f3:89:78:ff:30:8e:a0
-----BEGIN CERTIFICATE REQUEST-----
MIHTMHsCAQAwGTEXMBUGA1UEAwwOVHJ1c3RNX0NsaWVudDEwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAASpHeVX4vtjKTsczbqtuNUqV2HjO7xQL1rWK4k2vDPg2Dmb
S4qA/5wJjU78yknI1m3vuwcWbTsT7iB6hWMq3byboAAwCgYIKoZIzj0EAwIDSAAw
RQIgWj7OrTZrhtVuNghWR7y5F+DCp//N6C0O5Kn7Jzh4Vn8CIQDnb266hYczXRZ3
Yby6SniGfLmPU5Dz8LVM84l4/zCOoA==
-----END CERTIFICATE REQUEST-----
Create AWS CA signed device cert
Creating Thing in AWS Core
{
"thingName": "TrustM_IOT_DEVICE",
"thingArn": "arn:aws:iot:aws-region:aws-account-id:thing/TrustM_IOT_DEVICE",
"thingId": "c0fdb50e-6a58-4971-a669-75341cf7b89b"
}
Attach device Certificate to thing
Attach Policy
Personalization completed
copy temp/client1_e0f1.pem to aws-iot-device-sdk-embedded-C/certs
Check that the certificate client1_e0f1.pem has been copied from the temp directory to certs folder
pi@raspberrypi:~/temp/linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/certs $ ls
AmazonRootCA1.pem client1_e0f1.pem
Update the aws_iot_config.h located in linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/sample_apps/subscribe_publish_sample with your AWS IOT endpoint
#define AWS_IOT_MQTT_HOST “ XXXXXXXXXXXXX-ats.iot.aws-region.amazonaws.com“
Note: aws-region should be replaced with the region you are using.
Execute the source code compilation
pi@raspberrypi:~/temp/linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/sample_apps/subscribe_publish_sample $ make
Note: There are some compilation warnings due to the SDK version, please ignore them. From AWS IoT Core dashboard, use the Test option followed by subscribing to all the topics using the “#“ on the topic.
Figure 6 Subscribe to all the published topic
Launch the software
pi@raspberrypi:~/temp/linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/sample_apps/subscribe_publish_sample $ ./subscribe_publish_sample
AWS IoT SDK Version 1.1.2-
--
DEBUG: main L#149 rootCA /home/pi/temp/linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/sample_apps/subscribe_publish_sample/../../certs/AmazonRootCA1.pem
DEBUG: main L#150 clientCRT /home/pi/temp/linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/sample_apps/subscribe_publish_sample/../../certs/client1_e0f1.pem
DEBUG: main L#151 clientKey /home/pi/temp/linux-optiga-trust-m/ex_aws-iot-device-sdk-embedded-C-1.1.2/sample_apps/subscribe_publish_sample/../../certs/0xe0f1:^
Connecting...
DEBUG: iot_tls_connect L#135 Engine ID : trustm_engine
Subscribing...
-->sleep
-->sleep
Subscribe callback
sdkTest/sub hello from SDK : 0
-->sleep
Subscribe callback
sdkTest/sub hello from SDK : 1
->sleep
Figure 7 Published message shown in the display