Infineon / amazon-freertos

IoT operating system for microcontrollers. https://aws.amazon.com/freertos/
MIT License

Key-Provisioning using Optiga Trust #2

Closed Darsh-Dev closed 4 years ago

Darsh-Dev commented 4 years ago

@ayushev ,

I am exploring the amazon-freertos-optiga-trust source code. I see that the "eDEVICE_PUBKEY_CERT_PRJSPC_1" certificate is read from the TrustX chip, and using this certificate and the private key (CLIENT_PRIVATE_KEY_PEM), vAlternateKeyProvisioning is done.

Before getting the certificate from 0xE0E1, we should write the certificate into the TrustX slot, right? Because I'm not able to find the code for updating/writing the certificate to 0xE0E1.

Please help me to understand the process using the Optiga-Trust.

Thanks

ayushev commented 4 years ago

Hi @Darsh-Dev, here is the Getting Started Guide for Trust M. It includes the standard way to provision the device. Alternatively you can use this Application Note.

ayushev commented 4 years ago

Sorry, accidentally closed it. Feel free to ask further questions if my answer wasn't clear.

ayushev commented 4 years ago

FYI. Here is also an overview of different officially qualified boards and their getting started guides https://github.com/Infineon/amazon-freertos-optiga-trust#supported-hardware

Darsh-Dev commented 4 years ago

@ayushev ,

I went through https://github.com/Infineon/personalize-optiga-trust/tree/master/using-amazon-root-ca. Now it's clear to me.

I have another question: certificates are read from 0xE0E1; however, the private key is const in the code. Why isn't it read from 0xE0F1, the Optiga-Trust slot?

ayushev commented 4 years ago

Sorry, I didn't get it, where did you see the private key is const in the code?

Darsh-Dev commented 4 years ago

@ayushev ,

File: /aws_demos/application_code/common_demos/source/optiga_trust_x.c line 27:

const char CLIENT_PRIVATE_KEY_PEM[] = "-----BEGIN EC PRIVATE KEY-----\n"

xParams.ulClientPrivateKeyType = CKK_EC;
xParams.pcClientPrivateKey = ( uint8_t * ) CLIENT_PRIVATE_KEY_PEM;
xParams.ulClientPrivateKeyLength = CLIENT_PRIVATE_KEY_LENGTH;
xParams.pcClientCertificate = ( uint8_t * ) CLIENT_CERTIFICATE_PEM;
xParams.ulClientCertificateLength = CLIENT_CERTIFICATE_LENGTH;

ayushev commented 4 years ago

I couldn't find it here, in this repository. Can you please provide the link?

You might refer to the code which you have; however, the code stored here is officially qualified for Trust X. For Trust M the qualification is pending, but the code can be used, though without the qualification mark from AWS. The Trust X code can be found as well on the official amazon-freertos GitHub, starting from the release in October 2019.

Darsh-Dev commented 4 years ago

@ayushev

Please find the https://github.com/Infineon/amazon-freertos-optiga-trust-x/blob/master/demos/st/stm32l475_discovery_trustx/common/application_code/st_code/optiga_trust_x.c.

I am trying with latest git : https://github.com/Infineon/amazon-freertos-optiga-trust

I want to use the STM32L4 + TrustX code. The code is available in "amazon-freertos-optiga-trust-x". This sample code is not available in the latest https://github.com/Infineon/amazon-freertos-optiga-trust.

So I copied main.c and optiga_trust_x.c/h from the previous amazon-freertos-optiga-trust-x git.

ayushev commented 4 years ago

Please find the https://github.com/Infineon/amazon-freertos-optiga-trust-x/blob/master/demos/st/stm32l475_discovery_trustx/common/application_code/st_code/optiga_trust_x.c.

@Darsh-Dev this repository has limited support, as this integration was done before the official qualification and the amazon-freertos code restructure happened; feel free to use it standalone, though. The private key here, as the comment declares, isn't used, but mbedTLS (the crypto library which runs the TLS protocol establishment) requires the private key to be provided in order to pass all the internal checks; however, it's not actually used by Trust X.

So I copied the main.c , optiga_trust_x.c/h from previous amazon-freertos-optiga-trust-x git.

In the latest version, Trust X/M are initialised and used completely in the background; you don't need to control it. Thus files from the previous version are not required. I recommend instead enabling the existing repository for the STM32 board you use. I just described generic steps here.
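
A host-side check that follows from the point above, added here as an example; it is not code from this repository or from either participant. Given the device certificate as read back from 0xE0E1 and the PEM string compiled into the firmware, it tests whether the embedded key actually corresponds to the certificate's public key. When the real key is held in 0xE0F1 and only delegated signing is used, the answer should be no; a match means the key that mbedTLS merely needs as a placeholder is in fact the device key inside the image. The certificate and both keys are generated in `MakeSample` as constructed sample material, and the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ParseCertPEM decodes the first CERTIFICATE block, e.g. the device
// certificate an application reads back from OID 0xE0E1.
func ParseCertPEM(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ParseECKeyPEM decodes an "EC PRIVATE KEY" (SEC1) or "PRIVATE KEY" (PKCS#8)
// block, the two encodings a CLIENT_PRIVATE_KEY_PEM constant could carry.
func ParseECKeyPEM(keyPEM []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		ec, ok := k.(*ecdsa.PrivateKey)
		if !ok {
			return nil, errors.New("PKCS#8 key is not an EC key")
		}
		return ec, nil
	default:
		return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
}

// EmbeddedKeyMatchesCert reports whether the private key compiled into the
// firmware corresponds to the public key in the device certificate. With the
// real key kept in the secure element (0xE0F1) this must be false; true means
// the device key has been built into the image.
func EmbeddedKeyMatchesCert(certPEM, keyPEM []byte) (bool, error) {
	cert, err := ParseCertPEM(certPEM)
	if err != nil {
		return false, err
	}
	key, err := ParseECKeyPEM(keyPEM)
	if err != nil {
		return false, err
	}
	certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("certificate does not carry an EC public key")
	}
	return key.PublicKey.Equal(certPub), nil
}

// MakeSample builds constructed test material (hypothetical, not real device
// data): a self-signed device certificate whose key stands in for the key held
// in 0xE0F1, that key's PEM (what must NOT be in firmware), and an unrelated
// dummy key PEM (what a placeholder CLIENT_PRIVATE_KEY_PEM should be).
func MakeSample() (certPEM, realKeyPEM, dummyKeyPEM []byte, err error) {
	realKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	dummyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sample-device"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &realKey.PublicKey, realKey)
	if err != nil {
		return nil, nil, nil, err
	}
	realDER, err := x509.MarshalECPrivateKey(realKey)
	if err != nil {
		return nil, nil, nil, err
	}
	dummyDER, err := x509.MarshalECPrivateKey(dummyKey)
	if err != nil {
		return nil, nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	realKeyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: realDER})
	dummyKeyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: dummyDER})
	return certPEM, realKeyPEM, dummyKeyPEM, nil
}

func main() {
	certPEM, realKeyPEM, dummyKeyPEM, err := MakeSample()
	if err != nil {
		panic(err)
	}
	for name, k := range map[string][]byte{"placeholder": dummyKeyPEM, "real": realKeyPEM} {
		match, err := EmbeddedKeyMatchesCert(certPEM, k)
		fmt.Printf("%s key matches device certificate: %v (err=%v)\n", name, match, err)
	}
}
```

In practice you would feed `EmbeddedKeyMatchesCert` the certificate dumped from the chip and the PEM literal extracted from the firmware image; the expected result for a secure-element design is a clean "false" for the key found in the image.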

Darsh-Dev commented 4 years ago

Hi @ayushev , Thanks for the update.

In the latest version, Trust X/M are initialised and used completely in the background, you don't need to control it. Thus files from the previous version are not required.

I want to understand how the provisioning works in the latest version.

ayushev commented 4 years ago

The provisioning of the certificate as of now should be done in advance, before you run the MQTT Demo from FreeRTOS. For the provisioning you have two options:
1) Use the FreeRTOS qualified board you have to make the provisioning. This will work out only if you have a fully functional Secure Element integrated in the board. To make this type of provisioning please refer to the official AWS documentation here (Option #2: Onboard Private Key Generation).
2) Use the Personalisation AppNote. For this you need an RPi3 and the Trust M Shield2Go you use.

ayushev commented 4 years ago

Hello @Darsh-Dev, can we close the issue?

Darsh-Dev commented 4 years ago

No further queries now. Please close it. If we have any further query, we will post it in a new case.

Thanks @ayushev for support.