AN3170 Getting Started with AWS Greengrass® on SAMA5D2
Introduction

This application note shows how to implement a Cloud Edge Node utilizing a Microchip SAMA5D2 MPU, a Microchip Secure Hardware Element, and Amazon Web Services (AWS®) IoT Greengrass.
What are Cloud Services?

Cloud services provide resources that are accessible over the Internet. These available resources are not strictly limited, and are increasing in number and functionality almost daily. One of the main benefits of Cloud services is removing the burden of maintaining compute and storage servers by individuals and organizations. The servers that implement Cloud services are maintained by service providers such as Amazon Web Services (AWS). Internet of Things (IoT) is a subset of Cloud services that are tailored to devices such as actuators and sensors. An optimization of IoT services is a concept called Cloud Edge Computing. Edge computing brings web services to servers and devices located near the clients that are using those services. Although not owned by the Cloud service providers, the Edge Devices are under the control of the Cloud service providers.
Amazon Cloud Services

AWS IoT Greengrass is a combination of software and Cloud services that allow special AWS IoT devices to provide IoT services to other devices on the same local network. Not all AWS IoT devices can work with AWS IoT Greengrass. The SAMA5D2, however, can run AWS IoT Greengrass software and does provide the necessary compute resources listed in the AWS IoT system requirements.
Microchip and Edge Computing

In addition to the SAMA5D2, the system described in this application note includes an ATECC608A secure element. This secure element is utilized by Greengrass to implement Hardware Security Integration (HSI).
© 2019 Microchip Technology Inc. DS00003170A-page 1
Table of Contents

Introduction ............................................................ 1
  1. What are Cloud Services? ........................................... 1
  2. Amazon Cloud Services .............................................. 1
  3. Microchip and Edge Computing ....................................... 1
1. Prerequisites ........................................................ 4
2. Procedure Overview ................................................... 5
  2.1. Setting Up the Hardware .......................................... 5
  2.2. Setting Up AWS Services .......................................... 5
3. Greengrass Group Creation Successful ................................ 14
4. Languages Used By Greengrass ........................................ 15
  4.1. Building the Target Image ....................................... 15
  4.2. Copy the Target Image to an SDCard .............................. 15
  4.3. Copy Greengrass Core and Certificates ........................... 15
  4.4. Boot the SDCard ................................................. 16
  4.5. Edit Greengrass Configuration to Use Port 443 (optional) ........ 16
  4.6. Add ggc_user and ggc_group ...................................... 16
  4.7. Start the Greengrass Core ....................................... 17
  4.8. Deploy the Group from AWS Console ............................... 17
5. Next Steps .......................................................... 19
6. Greengrass System Requirements ...................................... 20
7. Secure Element ...................................................... 21
  7.1. Configuring cryptoauthlib PKCS11 Library ........................ 21
  7.2. Using p11-kit-proxy ............................................. 22
  7.3. Device Initialization Using P11tool ............................. 22
  7.4. Verifying the Initialization .................................... 22
  7.5. Probing the device .............................................. 23
  7.6. Setting Up the Greengrass Certificate ........................... 24
  7.7. Summary ......................................................... 25
  7.8. Additional Resources ............................................ 25
8. Revision History .................................................... 26
  8.1. Rev. A - 07/2019 ................................................ 26
The Microchip Website .................................................. 27
Product Change Notification Service .................................... 27
Customer Support ....................................................... 27
Microchip Devices Code Protection Feature .............................. 27
Legal Notice ........................................................... 27
Trademarks ............................................................. 28
Quality Management System .............................................. 28
Worldwide Sales and Service ............................................ 29

1. Prerequisites

• SAMA5D2C-XULT development board – Part number ATSAMA5D2C-XULT
• USB to UART cable – Part number FTDI TTL-232R-3V3
• ATECC608A Secure4 click board™ from MikroElektronika – Part number MIKROE-2829
• 4.7 kOhm resistor
• Microchip mikroBUS™ Xplained Pro board – Part number ATMBUSADAPTER-XPRO
• Linux® host PC
• Wired router connected to the Internet

2. Procedure Overview

The process of building an AWS IoT Greengrass system is straightforward, but requires several different activities. This application note divides the activities into easy-to-follow processes.

1. Set up the hardware.
2. Set up AWS IoT services.
3. Build the target image.
4. Configure the target.
5. Run Greengrass on the target.
6. Deploy a Greengrass group from the Cloud.
2.1 Setting Up the Hardware

The hardware should be set up as follows:

1. Plug the XPRO adapter into the XPRO EXT2 socket.
2. Plug the Secure4 Click into the XPRO adapter.
3. Place a 4.7 kOhm resistor between 3.3V and the SCL line to avoid a communication problem that exists with some of the SAMA5D2 Flexcom ports.
4. Connect the Ethernet cable from the board to a router with a live Internet connection.
5. Connect the USB to UART cable to the host PC and to the debug connector on the SAMA5D2C Xplained Ultra (XULT) board.
2.2 Setting Up AWS Services

Amazon Web Services (AWS) are a collection of Cloud services available for many different purposes. This application note uses a small subset of these services to get started using AWS IoT Greengrass. To get a Greengrass system working properly, several different AWS services must be configured correctly to work together. These services include AWS IAM, AWS IoT Core, and AWS IoT Greengrass. One of the trickier pieces of the system is getting the Roles and Permissions correct.
2.2.1 Overview

The process for setting up AWS services consists of the steps listed below. Details of each step are given in the sections that follow.

1. Create an AWS Account if you do not already have one.
2. Open the AWS Console.
3. Go to the correct Region.
4. Create Greengrass objects – Group, Core, Certificates, Roles, and Permissions.
5. Create a Greengrass Aware Device (GGAD) to test the Greengrass Core.
6. Download the Greengrass Core software.
7. Download all certificates and keys.
2.2.2 Create an AWS Account

Open the AWS home page at http://aws.amazon.com/, and choose Create an AWS Account. Follow the instructions after pressing the “Sign Up” button in the upper right.

2.2.3 Open the AWS Console

Go to the AWS console at https://console.aws.amazon.com/.

Search for Greengrass in the “Find Services” area, then click on “IoT Greengrass”. Amazon Web Services are divided into regions. Not all regions support all AWS services. See the table below for the regions that support AWS IoT Greengrass.

When implementing a Greengrass system, be sure to use one of the regions listed below.

Table 2-1. Greengrass Regions

Region Name              Region
US East (N. Virginia)    us-east-1
US West (Oregon)         us-west-2
Asia Pacific (Sydney)    ap-southeast-2
Asia Pacific (Tokyo)     ap-northeast-1
EU (Frankfurt)           eu-central-1
EU (Ireland)             eu-west-1
If the currently selected region does not support Greengrass, the following message will appear. Select a proper region by using the drop-down menu near the upper right.
2.2.4 Create a Greengrass Group

The main AWS Console window for AWS IoT is shown below.

From the left navigation bar, select the “Greengrass” option if it is not already selected. Press the “Create a Group” button. A Greengrass group is a collection of items that are required to deploy a running Greengrass system.

2.2.5 Provision the Newly Created Group

Now that the Greengrass Group is created, it must be provisioned. The “Easy Creation” option allows AWS IoT to create certificates, a Core, and a Role. The user selects the name of the Group and the name of the Core for the Greengrass group. Press the “Use easy creation” button in the lower right-hand corner of the screen.

2.2.6 Name the Greengrass Group

The first step of the easy creation process is to name the group.

A Greengrass group is a representation of the Greengrass Core (the SAMA5D2 board running the Greengrass Core software), the local devices that communicate with the Core, and the Lambda functions that run on the Core.

See the example below.

2.2.7 Name the Greengrass Core

The Greengrass Core is the SAMA5D2 system that runs the Greengrass Core software. See the example name below.

2.2.8 Create the Group

Since we are using the “Easy Creation” wizard, AWS IoT is going to perform most of the work for provisioning. Press the “Create Group and Core” button to perform the following:

1. Create the Greengrass Group.
2. Create a Greengrass Core representing the SAMA5D2 system.
3. Create Keys and Certificates that will later be downloaded to the SAMA5D2.
4. Attach a security policy to the Greengrass Core certificate.

2.2.9 Download Certificates and Core Software

It is extremely important to download the keys and certificates for client authentication now. Although certificates can be downloaded at any time, this is the only opportunity to download the private key. When using Hardware Security Integration (HSI), these keys will be overwritten. Unless you are very comfortable with HSI, it is a good idea to try out Greengrass without HSI at first. After the Greengrass Core is fully functional, you can use the hardware Secure Element to implement HSI and add another layer of security to the Greengrass Core.

These downloaded credentials are used by the AWS endpoint to authenticate the Greengrass Core. TLS client authentication is the mechanism used for this validation. Make sure the downloaded archive file is protected against unauthorized copying by storing it in a secure location.

After downloading the keys and certificate, you must also download a Root CA certificate that corresponds to the AWS endpoint to which the Greengrass Core talks. Press the “Choose a root CA” button and then download the correct certificate for your endpoint. In this example, the certificate is “Amazon Root CA 1”. This root CA certificate is the certificate that validates the AWS endpoint, and is not necessarily the same certificate used to sign the client certificate.

Next, press the “Choose your platform” button and download the ARMv7l version of the Greengrass Core software. This system was tested with version 1.8.0.

3. Greengrass Group Creation Successful
4. Languages Used By Greengrass

Although many languages can be used to implement AWS Greengrass Lambda functions, this application note uses the Python® 2.7 programming language.

Other languages that can be used for Lambda functions are:

• Node.JS 6.10
• Java 8
• C
• C++
• Any language that supports importing C libraries
4.1 Building the Target Image

The software for the target system can be built using the Buildroot tool. This process is performed on a Linux host PC.

1. Change directory to a base location. In this example, cd to your home directory:
   $ cd
2. Create the gg directory:
   $ mkdir gg
3. Change to the new directory:
   $ cd gg
4. Clone the following buildroot-external repository:
   $ git clone git://github.com/linux4sam/buildroot-external-microchip-cloud greengrass
5. Clone the buildroot repository and check out the linux4sam_6.0 branch:
   $ git clone git://github.com/linux4sam/buildroot-at91.git -b linux4sam_6.0
6. Change to the buildroot directory:
   $ cd buildroot-at91/
7. At this time, a manual step is required to enable SSL for the host-python package. In the Buildroot “package/python” directory, modify the file python.mk. There is a variable named HOST_PYTHON_CONF_OPTS that contains the line “--disable-ssl \”. This line must be deleted in order to build the python-cryptoauthlib package. The line below uses the “gedit” program to edit the file, but any editor will work. After deleting the line containing “--disable-ssl”, be sure to save the file:
   $ gedit package/python/python.mk
8. Set up the configuration for buildroot:
   $ make BR2_EXTERNAL=../greengrass sama5d2_xplained_greenkey_defconfig
9. Make the buildroot project:
   $ make
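The following Python 3 script is an added example, not part of the application note, that automates steps 1 to 9 above on the Linux host PC; the one non-obvious step, deleting the “--disable-ssl \” line from python.mk, is a pure function so it can be checked before any clone or make runs. It assumes the repositories, branch and defconfig named above; the sample python.mk fragment is constructed for the self-check.

```python
"""Added example (not from the application note): automate section 4.1 on a
Linux host with Python 3.  Deleting the "--disable-ssl \\" line from
package/python/python.mk is done by a pure function that is checked first.
Repositories, branch and defconfig are the ones named in section 4.1; the
sample python.mk text below is constructed for the self-check."""
import os
import re
import subprocess

EXTERNAL_REPO = "git://github.com/linux4sam/buildroot-external-microchip-cloud"
BUILDROOT_REPO = "git://github.com/linux4sam/buildroot-at91.git"
BUILDROOT_BRANCH = "linux4sam_6.0"
DEFCONFIG = "sama5d2_xplained_greenkey_defconfig"

# A whole line consisting of "--disable-ssl" plus the make continuation "\"
# (Buildroot indents these option lines with tabs).
DISABLE_SSL_LINE = re.compile(r"^[ \t]*--disable-ssl[ \t]*\\[ \t]*\n", re.MULTILINE)

# Constructed fragment in the layout of Buildroot's python.mk (not the real file).
SAMPLE_PYTHON_MK = (
    "HOST_PYTHON_CONF_OPTS += \\\n"
    "\t--without-ensurepip\t\\\n"
    "\t--disable-ssl\t\t\\\n"
    "\t--disable-bz2\n"
)


def remove_disable_ssl(python_mk_text):
    """Return (new_text, lines_removed) with the --disable-ssl line deleted.

    Raises ValueError if HOST_PYTHON_CONF_OPTS is absent, so an unexpected
    Buildroot layout is reported rather than silently left unchanged.
    A count of 0 is normal on a second run.
    """
    if "HOST_PYTHON_CONF_OPTS" not in python_mk_text:
        raise ValueError("HOST_PYTHON_CONF_OPTS not found in python.mk")
    return DISABLE_SSL_LINE.subn("", python_mk_text)


def patch_python_mk(path):
    """Apply remove_disable_ssl() to the file at path; return lines removed."""
    with open(path) as fh:
        new_text, removed = remove_disable_ssl(fh.read())
    if removed:
        with open(path, "w") as fh:
            fh.write(new_text)
    return removed


def run(cmd, cwd):
    """Run one build command, echoing it; raise on a non-zero exit status."""
    print("+ " + " ".join(cmd))
    subprocess.check_call(cmd, cwd=cwd)


def build_target_image(base_dir):
    """Steps 1-9 of section 4.1; returns the path of the SD card image."""
    gg = os.path.join(base_dir, "gg")
    os.makedirs(gg, exist_ok=True)
    run(["git", "clone", EXTERNAL_REPO, "greengrass"], gg)
    run(["git", "clone", BUILDROOT_REPO, "-b", BUILDROOT_BRANCH], gg)
    buildroot = os.path.join(gg, "buildroot-at91")
    removed = patch_python_mk(
        os.path.join(buildroot, "package", "python", "python.mk"))
    print("removed %d --disable-ssl line(s) from python.mk" % removed)
    run(["make", "BR2_EXTERNAL=../greengrass", DEFCONFIG], buildroot)
    run(["make"], buildroot)
    return os.path.join(buildroot, "output", "images", "sdcard.img")


if __name__ == "__main__":
    print("SD card image: " + build_target_image(os.path.expanduser("~")))
```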
4.2 Copy the Target Image to an SDCard

At this point, Buildroot has created an entire SDCard image, “./output/images/sdcard.img”. This image should now be copied to an SDCard. You can use any number of different tools, such as Etcher, or you can carefully use the “dd” command that is built into Linux. Be careful that your destination drive is the SDCard, because if you type the wrong device name, a hard drive on your host PC could be erased.
4.3 Copy Greengrass Core and Certificates

With the SDCard mounted on the host filesystem, untar the Greengrass Core software and certificates to the SDCard.

Assuming the SDCard partition 2 is mounted on /mnt and that the Greengrass Core and certificates were downloaded to the user's “Downloads” directory, perform the following:

$ cd /mnt
$ sudo tar -xzvf
~/Downloads/greengrass-linux-armv7l-1.8.0.tar.gz
$ cd greengrass
$ sudo tar -xzvf ~/Downloads/-setup.tar.gz
$ sudo cp ~/Downloads/AmazonRootCA1.pem certs/root.ca.pem
4.4 Boot the SDCard

Now place the SDCard into the SAMA5D2C XULT board and power it up.
4.5 Edit Greengrass Configuration to Use Port 443 (optional)

The default configuration for Greengrass uses ports 8883 and 8443. In some environments, these ports may be blocked by firewalls. Greengrass can be configured to use port 443 instead. This is the same port used by the “https” protocol.

This step is performed on the console of the SAMA5D2C XULT board.

Edit the file /greengrass/config/config.json to have the iotMqttPort, iotHttpPort, and ggHttpPort parameters as shown below:

# vim /greengrass/config/config.json
{
  "coreThing" : {
    "caPath" : "root.ca.pem",
    "certPath" : "2222222222.cert.pem",
    "keyPath" : "2222222222.private.key",
    "thingArn" : "arn:aws:iot:::thing/sama5_group_Core",
    "iotHost" : "",
    "iotMqttPort" : 443,
    "iotHttpPort" : 443,
    "ggHost" : "greengrass-ats.iot..amazonaws.com",
    "ggHttpPort" : 443,
    "keepAlive" : 600
  },
  "runtime" : {
    "cgroup" : {
      "useSystemd" : "yes"
    }
  },
  "managedRespawn" : false,
  "crypto" : {
    "principals" : {
      "SecretsManager" : {
        "privateKeyPath" : "file:///greengrass/certs/2222222222.private.key"
      },
      "IoTCertificate" : {
        "privateKeyPath" : "file:///greengrass/certs/2222222222.private.key",
        "certificatePath" : "file:///greengrass/certs/2222222222.cert.pem"
      }
    },
    "caPath" : "file:///greengrass/certs/root.ca.pem"
  }
}
4.6 Add ggc_user and ggc_group

Greengrass Core software assumes that ggc_user and ggc_group are present on the Linux system. Add them as follows:

# adduser -S ggc_user
# addgroup -S ggc_group

4.7 Start the Greengrass Core

On the SDCard, a file named start.sh is found in the /root directory. This shell script starts the Greengrass software after performing housekeeping tasks. Start Greengrass with:

# ./start.sh

The Greengrass system is now running.
4.8 Deploy the Group from AWS Console

From the AWS Console, select AWS IoT Greengrass, and select Groups. Then press the group that you created. In the upper right, under the “Actions” menu, select “Deploy”. This will copy files from the AWS servers to your SAMA5D2 Core system. Since this is the first deployment of this Core, you will need to answer several questions.

On the “Configure how Devices discover your Core” screen, select “Automatic detection”.

On the “Grant permission to access other services” screen, press “Grant permission”.

5. Next Steps

You now have a running Greengrass system. Modules 1 and 2 in the AWS tutorial do not apply to the SAMA5D2C XULT system; this application note has walked you through those steps.

You can now follow the tutorials starting with module 3 at the link below:

https://docs.aws.amazon.com/greengrass/latest/developerguide/module3-I.html

6. Greengrass System Requirements

The AWS Greengrass documentation describes several requirements of the Linux system. The Buildroot system makes sure the following items are enabled.

The following items are required:

• Minimum 128 MB RAM allocated to the AWS IoT Greengrass core device.
• Linux kernel version 4.4 or greater.
• Glibc library version 2.14 or greater.
• The /var/run directory must be present on the device.
• Hardlink and symlink protection.
• The following Linux kernel configurations must be enabled on the device:
  – Namespace: CONFIG_IPC_NS, CONFIG_UTS_NS, CONFIG_USER_NS, CONFIG_PID_NS
  – CGroups: CONFIG_CGROUP_DEVICE, CONFIG_CGROUPS, CONFIG_MEMCG
  – Others: CONFIG_POSIX_MQUEUE, CONFIG_OVERLAY_FS, CONFIG_HAVE_ARCH_SECCOMP_FILTER, CONFIG_SECCOMP_FILTER, CONFIG_KEYS, CONFIG_SECCOMP
• /dev/stdin, /dev/stdout, and /dev/stderr must be enabled.
• The Linux kernel must support cgroups in order to run AWS IoT Greengrass with containers.
• The memory cgroup must be enabled and mounted to allow AWS IoT Greengrass to set the memory limit for Lambda functions.
• The root certificate for Amazon S3 and AWS IoT must be present in the system trust store.

The following items are optional:

• The devices cgroup must be enabled and mounted if Lambda functions with Local Resource Access (LRA) are used to open files on the AWS IoT Greengrass core device.
• Python version 2.7 is required if Python Lambda functions are used. If so, ensure that it is added to your PATH environment variable.
• The following commands are required for the Greengrass OTA Agent: wget, realpath, tar, readlink, basename, dirname, pidof, df, grep, and umount.

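The following Python 3 preflight check is an added example, not part of the application note, that tests a kernel config, kernel release and mount table against the requirements listed above, and the running system for the OTA Agent commands and device paths. The option, command and path lists are the ones above; the sample kernel config and mount table are constructed for the self-check, and the live run assumes /proc/config.gz and /proc/mounts are readable.

```python
"""Added example (not part of the application note): a preflight check for
the section 6 requirements, Python 3, runnable on the SAMA5D2 target or on
the host against a saved kernel config.  The option, command and path lists
are copied from section 6; the sample kernel config and mount table below are
constructed for the self-check."""
import gzip
import os
import platform
import shutil

REQUIRED_KERNEL_OPTIONS = [
    "CONFIG_IPC_NS", "CONFIG_UTS_NS", "CONFIG_USER_NS", "CONFIG_PID_NS",
    "CONFIG_CGROUP_DEVICE", "CONFIG_CGROUPS", "CONFIG_MEMCG",
    "CONFIG_POSIX_MQUEUE", "CONFIG_OVERLAY_FS",
    "CONFIG_HAVE_ARCH_SECCOMP_FILTER", "CONFIG_SECCOMP_FILTER",
    "CONFIG_KEYS", "CONFIG_SECCOMP",
]
OTA_AGENT_COMMANDS = ["wget", "realpath", "tar", "readlink", "basename",
                      "dirname", "pidof", "df", "grep", "umount"]
REQUIRED_PATHS = ["/var/run", "/dev/stdin", "/dev/stdout", "/dev/stderr"]
MIN_KERNEL = (4, 4)

# Constructed sample: every required option except CONFIG_MEMCG is enabled,
# and only the devices cgroup is mounted.
SAMPLE_CONFIG = "\n".join(
    [opt + "=y" for opt in REQUIRED_KERNEL_OPTIONS if opt != "CONFIG_MEMCG"]
    + ["# CONFIG_MEMCG is not set", "CONFIG_ARM=y"]) + "\n"
SAMPLE_MOUNTS = (
    "cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,devices 0 0\n"
    "proc /proc proc rw,nosuid 0 0\n"
)


def missing_kernel_options(config_text):
    """Required CONFIG_* options that are not '=y' in the kernel config text."""
    enabled = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_") and line.endswith("=y"):
            enabled.add(line[:-2])
    return [opt for opt in REQUIRED_KERNEL_OPTIONS if opt not in enabled]


def kernel_version_ok(release):
    """True if a release string such as '4.19.56-linux4sam' is >= 4.4."""
    major, minor = release.split("-")[0].split(".")[:2]
    return (int(major), int(minor)) >= MIN_KERNEL


def memory_cgroup_mounted(mounts_text):
    """True if a v1 cgroup mount carrying the 'memory' controller is present."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "cgroup":
            if "memory" in fields[3].split(","):
                return True
    return False


def missing_commands():
    """OTA agent commands not on PATH (live check of the running system)."""
    return [c for c in OTA_AGENT_COMMANDS if shutil.which(c) is None]


def missing_paths():
    """Required device and runtime paths absent on the running system."""
    return [p for p in REQUIRED_PATHS if not os.path.exists(p)]


def report(config_text, release, mounts_text):
    """Findings from the text-based checks; an empty dict means they all pass."""
    findings = {}
    missing = missing_kernel_options(config_text)
    if missing:
        findings["kernel_options"] = missing
    if not kernel_version_ok(release):
        findings["kernel_version"] = release
    if not memory_cgroup_mounted(mounts_text):
        findings["memory_cgroup"] = "not mounted"
    return findings


if __name__ == "__main__":
    # Live run on this machine (assumes the kernel exposes /proc/config.gz).
    with gzip.open("/proc/config.gz", "rt") as fh:
        config_text = fh.read()
    with open("/proc/mounts") as fh:
        mounts_text = fh.read()
    findings = report(config_text, platform.release(), mounts_text)
    if missing_commands():
        findings["commands"] = missing_commands()
    if missing_paths():
        findings["paths"] = missing_paths()
    print(findings or "all section 6 checks passed")
```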
7. Secure Element

After successfully getting Greengrass running using downloaded credentials from AWS, you can now implement Greengrass HSI using the ATECC608A Secure Element.

These steps are performed on the SAMA5D2C XULT board.
7.1 Configuring cryptoauthlib PKCS11 Library

By default, the following files are created:

• /etc/cryptoauthlib/cryptoauthlib.conf

# Cryptoauthlib Configuration File
filestore = /var/lib/cryptoauthlib

• /var/lib/cryptoauthlib/slot.conf.tmpl

# Reserved Configuration for a device
# The objects in this file will be created and marked as undeletable
# These are processed in order. Configuration parameters must be comma
# delimited and may not contain spaces
interface = i2c,0xB0
freeslots = 1,2,3

# Slot 0 is the primary private key
object = private,device,0

# Slot 10 is the certificate data for the device's public key
#object = certificate,device,10

# Slot 12 is the intermediate/signer certificate data
#object = certificate,signer,12

# Slot 15 is a public key
object = public,root,15
7.1.1 cryptoauthlib.conf

This file provides the basic configuration information for the library. The only variable is “filestore”, which is where cryptoauthlib will find device-specific configuration and where it will store object files from pkcs11 operations.
7.1.2 slot.conf.tmpl

This is a template for the device configuration files that cryptoauthlib will use to map devices and their resources into pkcs11 tokens and objects.

A device file must be named .conf

For a single device:

# cd /var/lib/cryptoauthlib
# cp slot.conf.tmpl 0.conf

Then edit 0.conf to match the device configuration being used. In this case, change the interface line from

interface = i2c,0xB0

to

interface = i2c,0xC0
7.1.3 interface

Allowed values: 'hid', 'i2c'. If using i2c, specify the address of the device in hex. This is in the device format (the upper 7 bits define the address), so it will not appear the same as the i2cdetect address (lower 7 bits).

7.1.4 freeslots

This is a list of slots that may be used by the library when a pkcs11 operation that creates new objects is used. When the library is initialized, it scans for files of the form ..conf, which define the object using that device resource.
7.2 Using p11-kit-proxy

1. Create or edit the global configuration file /etc/pkcs11/pkcs11.conf:

# This setting controls whether to load user configuration from the
# ~/.config/pkcs11 directory. Possible values:
# none: No user configuration
# merge: Merge the user config over the system configuration (default)
# only: Only user configuration, ignore system configuration
user-config: merge

2. Create a module configuration file /usr/share/p11-kit/modules/cryptoauthlib.module:

module: /usr/lib/libcryptoauth.so
critical: yes
trust-policy: yes
managed: yes
log-calls: no

For more details on the configuration files, see the p11-kit configuration documentation at https://p11-glue.github.io/p11-glue/p11-kit/manual/pkcs11-conf.html.
7.3 Device Initialization Using P11tool

To initialize the device with a basic configuration (known as the standard TLS configuration) using p11tool:

# p11tool --initialize "pkcs11:serial=9F9CB19FF7BF" --label greengrass
Enter Security Officer's PIN:
Initializing token... done
Token was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs

The device must be identified in some way to p11tool using the pkcs11 string. In this example, the serial number previously obtained from the p11tool --list-all command is used. The label is a required field but is currently treated as a dummy value, as the library provides the value; it will be a field in the configuration file in the future.
7.4 Verifying the Initialization

Once the initialization/configuration is complete, rerunning the p11tool --list-all command displays the required objects:

# p11tool --list-all pkcs11:token=0123EE
Object 0:
        URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=device;type=private
        Type: Private key
        Label: device
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID:

Object 1:
        URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=device;type=public
        Type: Public key
        Label: device
        ID:

Object 2:
        URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=root;type=public
        Type: Public key
        Label: root
        ID:

At this point, all the tests listed at the end of the pkcs11 readme can be conducted. However, these tests are unnecessary as we move through the next steps for configuring Greengrass.
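The following Python 3 check is an added example, not part of the application note, that parses p11tool --list-all output and reports which of the three objects listed above (the slot 0 private and public key pair and the slot 15 root public key) a token does not yet expose. It assumes the token label 0123EE and serial shown above; the sample outputs are constructed from the listings in this section and in 7.5.

```python
"""Added example (not from the application note): check the output of
'p11tool --list-all pkcs11:token=0123EE' for the objects an initialized token
exposes in section 7.4 and report what an uninitialized one (section 7.5)
still lacks.  Python 3.  The expected object set follows the 0.conf objects in
section 7.1; the sample outputs are constructed from the listings in 7.4 and
7.5 with the token label and serial shown there."""
import re
import subprocess

# (object label, type) pairs created by 0.conf: slot 0 private key, its
# public key, and the slot 15 root public key.
EXPECTED_OBJECTS = {("device", "private"), ("device", "public"), ("root", "public")}

URL_LINE = re.compile(r"^\s*Object \d+:\s+URL:\s+(pkcs11:\S+)", re.MULTILINE)

BASE_URL = ("pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;"
            "serial=9F9CB19FF7BF;token=0123EE")

# Constructed sample outputs (same layout as p11tool prints them).
INITIALIZED_OUTPUT = (
    "Object 0:\n\tURL: " + BASE_URL + ";object=device;type=private\n"
    "\tType: Private key\n\tLabel: device\n\tFlags: CKA_PRIVATE; CKA_SENSITIVE;\n\tID:\n\n"
    "Object 1:\n\tUR" "L: " + BASE_URL + ";object=device;type=public\n"
    "\tType: Public key\n\tLabel: device\n\tID:\n\n"
    "Object 2:\n\tURL: " + BASE_URL + ";object=root;type=public\n"
    "\tType: Public key\n\tLabel: root\n\tID:\n"
)
UNINITIALIZED_OUTPUT = (
    "Object 0:\n\tURL: " + BASE_URL + ";object=device;type=private\n"
    "\tType: Private key\n\tLabel: device\n\tFlags: CKA_PRIVATE; CKA_SENSITIVE;\n\tID:\n"
)


def parse_pkcs11_url(url):
    """Split 'pkcs11:a=b;c=d' into a dict of its path attributes."""
    attrs = {}
    for part in url[len("pkcs11:"):].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key] = value
    return attrs


def listed_objects(list_all_output):
    """Set of (object, type) pairs named in the URL lines of --list-all output."""
    found = set()
    for url in URL_LINE.findall(list_all_output):
        attrs = parse_pkcs11_url(url)
        if "object" in attrs and "type" in attrs:
            found.add((attrs["object"], attrs["type"]))
    return found


def missing_objects(list_all_output):
    """Expected objects the token does not expose yet, sorted for display."""
    return sorted(EXPECTED_OBJECTS - listed_objects(list_all_output))


def token_initialized(list_all_output):
    """True once every object from section 7.4 is present."""
    return not missing_objects(list_all_output)


def check_token(token_label):
    """Run p11tool on the target and return the missing objects for a token."""
    output = subprocess.check_output(
        ["p11tool", "--list-all", "pkcs11:token=" + token_label],
        universal_newlines=True)
    return missing_objects(output)


if __name__ == "__main__":
    missing = check_token("0123EE")
    print("token initialized" if not missing else "missing: %s" % missing)
```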
7.5 Probing the device

An uninitialized device with the defaults provided in the readme displays the following:

# p11tool --list-all pkcs11:token=0123EE
Object 0:
        URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=device;type=private
        Type: Private key
        Label: device
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID:
7.5.1 Troubleshooting

If the device does not appear at all:

# p11tool --list-all pkcs11:token=0123EE
p11-kit: ateccx08: module failed to initialize: An error occurred on the device
pkcs11_init: PKCS #11 initialization error.
warning: no token URL was provided for this operation; the available tokens are:

Probe the bus and obtain the actual device address:

# i2cdetect -y 0
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: 60 -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

Remember that the expected format for the device address is shifted left 1 bit from the value returned by i2cdetect. Thus, edit /var/lib/cryptoauthlib/0.conf with the probed value (0x60 becomes 0xC0 when shifted):

# Reserved Configuration for a device
# The objects in this file will be created and marked as undeletable
# These are processed in order. Configuration parameters must be comma
# delimited and may not contain spaces
interface = i2c,0xC0
freeslots = 1,2,3

# Slot 0 is the primary private key
object = private,device,0

# Slot 10 is the certificate data for the device's public key
#object = certificate,device,10

# Slot 12 is the intermediate/signer certificate data
#object = certificate,signer,12

# Slot 15 is a public key
object = public,root,15

To initialize the device with a basic configuration (known as the standard TLS configuration) using p11tool:

# p11tool --initialize "pkcs11:serial=9F9CB19FF7BF" --label greengrass
Enter Security Officer's PIN:
Initializing token... done
Token was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs
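The following Python 3 helper is an added example, not part of the application note, that parses the i2cdetect grid above, converts the 7-bit bus address to the 8-bit device format described in section 7.1.3, and rewrites the interface line of 0.conf; it refuses to guess when the bus shows zero or several devices. The sample grid is constructed from the listing above (one device at 0x60) and the sample conf from slot.conf.tmpl in section 7.1.

```python
"""Added example (not from the application note): convert the 'i2cdetect -y 0'
grid from section 7.5.1 into the 8-bit address format cryptoauthlib expects in
/var/lib/cryptoauthlib/0.conf (section 7.1.3) and rewrite the interface line.
Python 3.  The sample grid is constructed from the listing in 7.5.1 (one
device at 0x60) and the sample conf from slot.conf.tmpl in section 7.1."""
import re

# One grid row such as "60: 60 -- -- ...": a cell is --, a hex address, or UU
# when a kernel driver already owns that address (still a present device).
ROW = re.compile(r"^([0-9a-f]0):((?:[ \t]+(?:--|[0-9a-f]{2}|UU))+)[ \t]*$", re.MULTILINE)

SAMPLE_I2CDETECT = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: 60 -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
"""

SAMPLE_CONF = """\
# Reserved Configuration for a device
interface = i2c,0xB0
freeslots = 1,2,3
# Slot 0 is the primary private key
object = private,device,0
# Slot 15 is a public key
object = public,root,15
"""


def detected_addresses(i2cdetect_output):
    """7-bit addresses (ints) that i2cdetect reported as responding."""
    found = []
    for base, cells in ROW.findall(i2cdetect_output):
        row = int(base, 16)
        tokens = cells.split()
        # Row 0x00 starts at column 3 because 0x00-0x02 are reserved and
        # printed blank; every other row starts at column 0.
        first_col = 16 - len(tokens) if row == 0 else 0
        for col, tok in enumerate(tokens):
            if tok != "--":
                found.append(row + first_col + col)
    return found


def to_cryptoauthlib_address(addr7):
    """i2cdetect 7-bit address -> device format with the address in the upper 7 bits."""
    if not 0 <= addr7 <= 0x7F:
        raise ValueError("not a 7-bit I2C address: %r" % addr7)
    return addr7 << 1


def set_interface_line(conf_text, addr8):
    """Replace the 'interface = i2c,0x..' line in a cryptoauthlib conf file."""
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if line.split("=")[0].strip() == "interface":
            lines[i] = "interface = i2c,0x%02X" % addr8
            break
    else:
        raise ValueError("conf has no interface line")
    return "\n".join(lines) + "\n"


def conf_for_probe(i2cdetect_output, conf_text):
    """Return the conf rewritten for the single device found on the bus."""
    addrs = detected_addresses(i2cdetect_output)
    if len(addrs) != 1:
        raise ValueError("expected exactly one device, found %r"
                         % [hex(a) for a in addrs])
    return set_interface_line(conf_text, to_cryptoauthlib_address(addrs[0]))


if __name__ == "__main__":
    import subprocess
    grid = subprocess.check_output(["i2cdetect", "-y", "0"], universal_newlines=True)
    with open("/var/lib/cryptoauthlib/0.conf") as fh:
        conf = fh.read()
    # Print the rewritten conf for review rather than overwriting the file.
    print(conf_for_probe(grid, conf))
```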
7.6 Setting Up the Greengrass Certificate

The Greengrass instance should already be set up. In order to use the hardware keys rather than the AWS-provided keys, a CSR has to be created using openssl:

# openssl req -engine pkcs11 -key "pkcs11:token=0123EE;object=device;type=private" -keyform engine -new -out new_device.csr -subj "/CN=NEW CSR EXAMPLE"
engine "pkcs11" set.

To verify the CSR was created correctly:

# openssl req -in new_device.csr -verify -text -noout
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = NEW CSR EXAMPLE
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:7b:4b:e6:3e:95:22:a2:2b:59:0a:18:0b:fa:c0:
                    38:d2:cb:50:5d:3d:3a:50:c1:09:97:13:df:cd:79:
                    79:e5:ec:9a:82:68:fc:9d:b5:4a:35:dc:93:cb:b6:
                    97:6a:ab:9f:61:a9:9f:2c:19:79:85:8e:78:ba:85:
                    74:4d:d7:75:c4
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:dc:6c:75:8e:5d:1f:ef:b9:36:a1:a7:13:5d:
         88:bb:a6:84:4f:b4:53:92:fe:32:ce:45:23:b7:52:bc:01:b5:
         f5:02:21:00:8c:ea:ab:4f:54:63:fe:52:0b:11:a1:e5:39:07:
         ee:d4:a9:e0:28:9e:29:c2:e1:52:a0:bf:d9:42:b5:06:07:0f
7.6.1 Submit the CSR to AWS to Obtain the Connection Certificate

To obtain the connection certificate, use the AWS console:

1. Browse to Things -> Your_Greengrass_Core -> Security.
2. Click the “View other options” button. This provides a menu of options.
3. To use the CSR generated above, click the “Create with CSR” button and provide the new_device.csr file.
4. Click the “Upload CSR” button. This should give a “Certificate Created!” success screen.
5. Download the certificate provided and save it to /greengrass/certs/ on the SAMA5D2 platform.
6. Before closing the screen, be sure to click “Activate” to activate the certificate and allow connections to AWS.
7. Click the “Attach a policy” button and attach the Greengrass core policy created during the Greengrass tutorial.
7.6.2 Edit the config.json file to Use the pkcs11 Provider

This section duplicates the information provided in the AWS documentation.

The final step is to modify the /greengrass/config/config.json file to inform Greengrass of the pkcs11 provider.

First, remove the caPath, certPath, and keyPath properties from the coreThing object:

{
  "coreThing" : {
    "caPath": "root-ca-pem",
    "certPath": "cloud-pem-crt",
    "keyPath": "cloud-pem-key",
    ...
  },
  ...
}

If using p11-kit:

{
  "crypto": {
    "caPath": "file:///greengrass/certs/root.ca.pem",
    "PKCS11": {
      "OpenSSLEngine": "/usr/lib/arm-linux-gnueabihf/engines-1.1/pkcs11.so",
      "P11Provider": "/usr/lib/arm-linux-gnueabihf/p11-kit-proxy.so",
      "slotLabel": "0123EE",
      "slotUserPin": "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
    },
    "principals": {
      "IoTCertificate": {
        "privateKeyPath": "pkcs11:token=0123EE;object=device;type=private",
        "certificatePath": "file:///path-to-core-device-certificate"
      }
    }
  },
  "coreThing" : {
    "thingArn" : "arn:aws:iot:aws-region:aws-account-id:thing/thing-name",
    "iotHost" : "HOST_PREFIX_HERE.iot.aws-region.amazonaws.com",
    "ggHost" : "greengrass.iot.aws-region.amazonaws.com",
    "keepAlive" : 600
  },
  "runtime" : {
    "cgroup" : {
      "useSystemd" : "yes"
    }
  },
  "managedRespawn" : false
}
7.7 Summary
By following the procedures detailed in this application note, you should now be able to implement Cloud Edge Services using Microchip MPUs and AWS IoT Greengrass.
7.8 Additional Resources
Microchip MPUs – http://www.microchip.com/mpu
Amazon Web Services – http://aws.amazon.com
AWS Management Console – https://console.aws.amazon.com
AWS IoT Greengrass Developer guide – https://docs.aws.amazon.com/greengrass/latest/developerguide
8. Revision History
8.1 Rev. A - 07/2019
First issue.
The Microchip Website
Microchip provides online support via our website at http://www.microchip.com/. This website is used to make files and information easily available to customers. Some of the content available includes:
• Product Support – Data sheets and errata, application notes and sample programs, design resources, user’s guides and hardware support documents, latest software releases and archived software
• General Technical Support – Frequently Asked Questions (FAQs), technical support requests, online discussion groups, Microchip design partner program member listing
• Business of Microchip – Product selector and ordering guides, latest Microchip press releases, listing of seminars and events, listings of Microchip sales offices, distributors and factory representatives
Product Change Notification Service
Microchip’s product change notification service helps keep customers current on Microchip products. Subscribers will receive email notification whenever there are changes, updates, revisions or errata related to a specified product family or development tool of interest.
To register, go to http://www.microchip.com/pcn and follow the registration instructions.
Customer Support
Users of Microchip products can receive assistance through several channels:
• Distributor or Representative
• Local Sales Office
• Embedded Solutions Engineer (ESE)
• Technical Support
Customers should contact their distributor, representative or ESE for support. Local sales offices are also available to help customers. A listing of sales offices and locations is included in this document.
Technical support is available through the web site at: http://www.microchip.com/support
Microchip Devices Code Protection Feature
Note the following details of the code protection feature on Microchip devices:
• Microchip products meet the specification contained in their particular Microchip Data Sheet.
• Microchip believes that its family of products is one of the most secure families of its kind on the market today, when used in the intended manner and under normal conditions.
• There are dishonest and possibly illegal methods used to breach the code protection feature. All of these methods, to our knowledge, require using the Microchip products in a manner outside the operating specifications contained in Microchip’s Data Sheets. Most likely, the person doing so is engaged in theft of intellectual property.
• Microchip is willing to work with the customer who is concerned about the integrity of their code.
• Neither Microchip nor any other semiconductor manufacturer can guarantee the security of their code. Code protection does not mean that we are guaranteeing the product as “unbreakable.”
Code protection is constantly evolving. We at Microchip are committed to continuously improving the code protection features of our products. Attempts to break Microchip’s code protection feature may be a violation of the Digital Millennium Copyright Act. If such acts allow unauthorized access to your software or other copyrighted work, you may have a right to sue for relief under that Act.
Legal Notice
Information contained in this publication regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Microchip disclaims all liability arising from this information and its use. Use of Microchip devices in life support and/or safety applications is entirely at the buyer’s risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights unless otherwise stated.
Trademarks
The Microchip name and logo, the Microchip logo, Adaptec, AnyRate, AVR, AVR logo, AVR Freaks, BesTime, BitCloud, chipKIT, chipKIT logo, CryptoMemory, CryptoRF, dsPIC, FlashFlex, flexPWR, HELDO, IGLOO, JukeBlox, KeeLoq, Kleer, LANCheck, LinkMD, maXStylus, maXTouch, MediaLB, megaAVR, Microsemi, Microsemi logo, MOST, MOST logo, MPLAB, OptoLyzer, PackeTime, PIC, picoPower, PICSTART, PIC32 logo, PolarFire, Prochip Designer, QTouch, SAM-BA, SenGenuity, SpyNIC, SST, SST Logo, SuperFlash, Symmetricom, SyncServer, Tachyon, TempTrackr, TimeSource, tinyAVR, UNI/O, Vectron, and XMEGA are registered trademarks of Microchip Technology Incorporated in the U.S.A. and other countries.
APT, ClockWorks, The Embedded Control Solutions Company, EtherSynch, FlashTec, Hyper Speed Control, HyperLight Load, IntelliMOS, Libero, motorBench, mTouch, Powermite 3, Precision Edge, ProASIC, ProASIC Plus, ProASIC Plus logo, Quiet-Wire, SmartFusion, SyncWorld, Temux, TimeCesium, TimeHub, TimePictra, TimeProvider, Vite, WinPath, and ZL are registered trademarks of Microchip Technology Incorporated in the U.S.A.
Adjacent Key Suppression, AKS, Analog-for-the-Digital Age, Any Capacitor, AnyIn, AnyOut, BlueSky, BodyCom, CodeGuard, CryptoAuthentication, CryptoAutomotive, CryptoCompanion, CryptoController, dsPICDEM, dsPICDEM.net, Dynamic Average Matching, DAM, ECAN, EtherGREEN, In-Circuit Serial Programming, ICSP, INICnet, Inter-Chip Connectivity, JitterBlocker, KleerNet, KleerNet logo, memBrain, Mindi, MiWi, MPASM, MPF, MPLAB Certified logo, MPLIB, MPLINK, MultiTRAK, NetDetach, Omniscient Code Generation, PICDEM, PICDEM.net, PICkit, PICtail, PowerSmart, PureSilicon, QMatrix, REAL ICE, Ripple Blocker, SAM-ICE, Serial Quad I/O, SMART-I.S., SQI, SuperSwitcher, SuperSwitcher II, Total Endurance, TSHARC, USBCheck, VariSense, ViewSpan, WiperLock, Wireless DNA, and ZENA are trademarks of Microchip Technology Incorporated in the U.S.A. and other countries.
SQTP is a service mark of Microchip Technology Incorporated in the U.S.A.
The Adaptec logo, Frequency on Demand, Silicon Storage Technology, and Symmcom are registered trademarks of Microchip Technology Inc. in other countries.
GestIC is a registered trademark of Microchip Technology Germany II GmbH & Co. KG, a subsidiary of Microchip Technology Inc., in other countries.
All other trademarks mentioned herein are property of their respective companies.
© 2019, Microchip Technology Incorporated, Printed in the U.S.A., All Rights Reserved.
ISBN: 978-1-5224-4798-6
AMBA, Arm, Arm7, Arm7TDMI, Arm9, Arm11, Artisan, big.LITTLE, Cordio, CoreLink, CoreSight, Cortex, DesignStart, DynamIQ, Jazelle, Keil, Mali, Mbed, Mbed Enabled, NEON, POP, RealView, SecurCore, Socrates, Thumb, TrustZone, ULINK, ULINK2, ULINK-ME, ULINK-PLUS, ULINKpro, µVision, Versatile are trademarks or registered trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
Quality Management System
For information regarding Microchip’s Quality Management
Systems, please visit http://www.microchip.com/quality.
Worldwide Sales and Service
AMERICAS
Corporate Office: 2355 West Chandler Blvd., Chandler, AZ 85224-6199; Tel: 480-792-7200; Fax: 480-792-7277; Technical Support: http://www.microchip.com/support; Web Address: http://www.microchip.com
Atlanta (Duluth, GA): Tel: 678-957-9614; Fax: 678-957-1455
Austin, TX: Tel: 512-257-3370
Boston (Westborough, MA): Tel: 774-760-0087; Fax: 774-760-0088
Chicago (Itasca, IL): Tel: 630-285-0071; Fax: 630-285-0075
Dallas (Addison, TX): Tel: 972-818-7423; Fax: 972-818-2924
Detroit (Novi, MI): Tel: 248-848-4000
Houston, TX: Tel: 281-894-5983
Indianapolis (Noblesville, IN): Tel: 317-773-8323; Fax: 317-773-5453; Tel: 317-536-2380
Los Angeles (Mission Viejo, CA): Tel: 949-462-9523; Fax: 949-462-9608; Tel: 951-273-7800
Raleigh, NC: Tel: 919-844-7510
New York, NY: Tel: 631-435-6000
San Jose, CA: Tel: 408-735-9110; Tel: 408-436-4270
Canada - Toronto: Tel: 905-695-1980; Fax: 905-695-2078
ASIA/PACIFIC
Australia - Sydney: Tel: 61-2-9868-6733
China - Beijing: Tel: 86-10-8569-7000
China - Chengdu: Tel: 86-28-8665-5511
China - Chongqing: Tel: 86-23-8980-9588
China - Dongguan: Tel: 86-769-8702-9880
China - Guangzhou: Tel: 86-20-8755-8029
China - Hangzhou: Tel: 86-571-8792-8115
China - Hong Kong SAR: Tel: 852-2943-5100
China - Nanjing: Tel: 86-25-8473-2460
China - Qingdao: Tel: 86-532-8502-7355
China - Shanghai: Tel: 86-21-3326-8000
China - Shenyang: Tel: 86-24-2334-2829
China - Shenzhen: Tel: 86-755-8864-2200
China - Suzhou: Tel: 86-186-6233-1526
China - Wuhan: Tel: 86-27-5980-5300
China - Xian: Tel: 86-29-8833-7252
China - Xiamen: Tel: 86-592-2388138
China - Zhuhai: Tel: 86-756-3210040
India - Bangalore: Tel: 91-80-3090-4444
India - New Delhi: Tel: 91-11-4160-8631
India - Pune: Tel: 91-20-4121-0141
Japan - Osaka: Tel: 81-6-6152-7160
Japan - Tokyo: Tel: 81-3-6880-3770
Korea - Daegu: Tel: 82-53-744-4301
Korea - Seoul: Tel: 82-2-554-7200
Malaysia - Kuala Lumpur: Tel: 60-3-7651-7906
Malaysia - Penang: Tel: 60-4-227-8870
Philippines - Manila: Tel: 63-2-634-9065
Singapore: Tel: 65-6334-8870
Taiwan - Hsin Chu: Tel: 886-3-577-8366
Taiwan - Kaohsiung: Tel: 886-7-213-7830
Taiwan - Taipei: Tel: 886-2-2508-8600
Thailand - Bangkok: Tel: 66-2-694-1351
Vietnam - Ho Chi Minh: Tel: 84-28-5448-2100
EUROPE
Austria - Wels: Tel: 43-7242-2244-39; Fax: 43-7242-2244-393
Denmark - Copenhagen: Tel: 45-4450-2828; Fax: 45-4485-2829
Finland - Espoo: Tel: 358-9-4520-820
France - Paris: Tel: 33-1-69-53-63-20; Fax: 33-1-69-30-90-79
Germany - Garching: Tel: 49-8931-9700
Germany - Haan: Tel: 49-2129-3766400
Germany - Heilbronn: Tel: 49-7131-72400
Germany - Karlsruhe: Tel: 49-721-625370
Germany - Munich: Tel: 49-89-627-144-0; Fax: 49-89-627-144-44
Germany - Rosenheim: Tel: 49-8031-354-560
Israel - Ra’anana: Tel: 972-9-744-7705
Italy - Milan: Tel: 39-0331-742611; Fax: 39-0331-466781
Italy - Padova: Tel: 39-049-7625286
Netherlands - Drunen: Tel: 31-416-690399; Fax: 31-416-690340
Norway - Trondheim: Tel: 47-72884388
Poland - Warsaw: Tel: 48-22-3325737
Romania - Bucharest: Tel: 40-21-407-87-50
Spain - Madrid: Tel: 34-91-708-08-90; Fax: 34-91-708-08-91
Sweden - Gothenberg: Tel: 46-31-704-60-40
Sweden - Stockholm: Tel: 46-8-5090-4654
UK - Wokingham: Tel: 44-118-921-5800; Fax: 44-118-921-5820