- Introduction
- OPTIGA™ Trust M2 ID2
- System Setup
- AliOS-Things environment setup Using OPTIGA™ Trust M2 ID2
- FAQs
This document describes how to set up the environment to demonstrate the mqttapp example using the AliOS-Things software package with the OPTIGA™ Trust M2 ID2 ESP32-DevKitC V4.
Reference | Source |
---|---|
[1] ESP32-DevKitC V4 user manual | Espressif |
[2] Infineon I2C Protocol | Infineon |
Abbreviation | Definition |
---|---|
API | Application Programming Interface |
ESP32 | ESP32-DevKitC V4 |
I2C | Inter Integrated Circuit |
IoT | Internet of Things |
OS | Operating System |
PAL | Platform Abstraction Layer |
RSA | Rivest-Shamir-Adleman |
PC | Personal Computer |
RST | Reset |
SCL | Serial Clock |
SDA | Serial Data |
SW | Software |
TTL | Transistor Transistor Logic |
USB | Universal Serial Bus |
OPTIGA™ Trust M2 ID2 is a security solution built on a pre-programmed security controller with a wide range of security features. It supports secure updates of data, key and metadata objects, hibernate and cryptographic toolbox functionality, secure communication, platform integrity, data store protection and lifecycle management for connected-device security. This document also describes how to port the OPTIGA™ host library to the other platforms supported by AliOS-Things.
OPTIGA™ Trust M2 ID2 ESP32-DevKitC V4 is designed to provide all the components required to setup the environment to demonstrate the features of the OPTIGA™ Trust M2 ID2.
No. | Item | Description |
---|---|---|
1 | ESP32-DevKitC V4 | Hardware Evaluation board for ESP32 microcontroller. |
2 | ESP32 DevKitC Adapter for Shield2Go | ESP32-DevKitC V4 compatible connector to add Shield2Go board on ESP32-DevKitC V4. |
3 | OPTIGA™ Trust M2 ID2 Security Shield2Go | Shield2Go board contains OPTIGA™ Trust M2 ID2 chip. It is compatible with Infineon’s ESP32 DevKitC Adapter for Shield2Go. |
4 | Micro USB to USB cable | The cable provides DC supply to ESP32-DevKitC V4 and to flash software. |
This section explains the basic components required for system setup.
This system consists of the following components:
- ESP32-DevKitC V4
- The ESP32-DevKitC V4 is an evaluation board with the ESP32 microcontroller from Espressif. For more information refer to document [1].
- It is used as the reference platform acting as the host.
- It communicates with the OPTIGA™ Trust M2 ID2 over I2C.
- ESP32 DevKitC Adapter for Shield2Go
- It acts as a gateway to add Shield2Go boards onto ESP32-DevKitC V4.
- OPTIGA™ Trust M2 ID2 Security Shield2Go
- Shield2Go board contains OPTIGA™ Trust M2 ID2 chip.
The components are connected as follows:
- A Micro USB data cable (with data lines) from the PC is connected to the ESP32-DevKitC V4 to supply power and to flash and monitor the board.
- The OPTIGA™ Trust M2 ID2 Security Shield2Go, which carries the OPTIGA™ Trust M2 ID2 chip, is plugged onto the ESP32 DevKitC Adapter for Shield2Go, which in turn is stacked on the ESP32-DevKitC V4.
The hardware required to run OPTIGA™ Trust M2 ID2 setup is described in this section.
The connector supports the I2C, reset and power supply interfaces, among others. The pins used by the OPTIGA™ Trust M2 ID2 Shield2Go are listed below.
No. | Description | Pin |
---|---|---|
1 | I2C SCL | GPIO 22 |
2 | I2C SDA | GPIO 21 |
3 | RST | GPIO 25 |
4 | VCC | GPIO 26 |
5 | GND | GND |
For more information about the ESP32 specification, architecture and design/schematic, refer to document [1].
The ESP32 DevKitC adapter is an evaluation board that allows users to easily combine different Shield2Go boards with the ESP ecosystem for fast evaluation of IoT systems. With its solderless connectors, users can simply stack Shield2Go boards instead of soldering them. The adapter design is derived from the ESP32-DevKitC V4 evaluation board.
ESP32 DevKitC adapter features are as follows:
- Provide power supply and connectivity for Shield2Go boards.
- Level shifting handling capabilities between CMOS 3.3V and TTL 5V.
- Solder bridges to selectively deactivate level shifting.
- Additional pins enable setting the reference voltages for level shifting.
- Separate power control switches for Socket.
More information is available on the Infineon website.
Shield2Go boards are equipped with featured Infineon ICs and provide a standardized form factor and pin layout, allowing a ‘plug and play’ approach for easy prototyping.
The OPTIGA™ Trust M2 ID2 Shield2Go is equipped with OPTIGA™ Trust M2 ID2 security chip. It allows users to develop system solutions by combining Shield2Go with ESP32 DevKitC Adapter for Shield2Go and ESP32.
Note: Ensure no voltage supplied to any of the pins exceeds the absolute maximum rating of Vcc + 0.3 V.
This section describes the software used in ESP32 to run the AliOS-Things OPTIGA™ Trust M2 ID2 setup.
All the software components required on AliOS-Things for ESP32 are explained in the following sections.
- OPTIGA™ Trust M2 ID2 Host Library, which consists of the following layers:
  - Service Layer: the Util and Crypt layers provide the APIs used to interact with the OPTIGA™ for the various use-case functionalities.
  - Access Layer: manages access to the command interface of the OPTIGA™ security chip and provides the communication interface to the OPTIGA™.
  - Platform Abstraction Layer: provides platform-agnostic interfaces for the underlying HW and SW platform functionality used by the OPTIGA™ libraries.
  - Platform Layer: provides the platform-specific components and libraries for the supported platforms.
- IFX I2C Protocol: an implementation of the protocol specified in document [2].
- ESP32 I2C Driver: the low-level I2C device driver used for I2C communication from the ESP32 to the OPTIGA™ Trust M2 ID2 security chip.
A 32-bit or 64-bit PC running Windows 7/10 with the following is needed to set up the ESP32 to run AliOS-Things with the OPTIGA™ Trust M2 ID2:
- One USB port.
- Python 2.7.14 to install the AliOS-Things dependency packages. Note that Python 2.7 is end of life and no longer receives security fixes; use it only in the isolated build environment for this release of AliOS-Things.
- Visual Studio Code as the development environment.
- Git for downloading the source code.
- FTD driver to access the ESP32 via a COM port.
- An ASN.1 editor to extract the OPTIGA™ supported RSA fields from the key provided by the Ali key distribution center; any editor that understands the ASN.1 format can be used.
Note: Add C:\Python27 and C:\Python27\Scripts at the beginning of the PATH environment variable.
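The ASN.1 editor step above extracts the RSA fields by hand. As an added example (not part of this guide or the AliOS-Things sources), the script below does the same programmatically with the Python standard library only: it parses a PKCS#1 RSAPrivateKey in DER or PEM form, returns the nine fields, and checks that the CRT components are consistent with n, e and d so that a corrupted or mismatched key is rejected before anything is imported into the OPTIGA™. Which subset of the fields the OPTIGA™ import expects is not stated in this guide, so all of them are returned. The key produced by build_rsa_private_key_der is a constructed toy key (p = 61, q = 53) for demonstration only; a key from the Ali key distribution center is fed to parse_rsa_private_key in the same way. The script needs Python 3.8 or later, not the Python 2.7 interpreter used by aos-cube.

```python
"""Parse a PKCS#1 RSAPrivateKey (DER or PEM) and validate its fields.

Added example, not part of the original guide or the AliOS-Things sources.
Standard library only; requires Python 3.8+ (pow(x, -1, m)).
"""
import base64
from math import gcd

# RSAPrivateKey ::= SEQUENCE { version, modulus, publicExponent,
#   privateExponent, prime1, prime2, exponent1, exponent2, coefficient }
FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")
PEM_HEAD = "-----BEGIN RSA PRIVATE KEY-----"
PEM_TAIL = "-----END RSA PRIVATE KEY-----"


def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """Encode a non-negative INTEGER, padding with 0x00 when the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos], bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(text):
    """Strip the PKCS#1 PEM armour and base64-decode the body."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not a PKCS#1 'RSA PRIVATE KEY' PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def parse_rsa_private_key(der):
    """Parse the DER into a dict of the nine RSAPrivateKey fields."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one top-level SEQUENCE")
    key, pos = {}, 0
    for name in FIELDS:
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02 or not value or value[0] & 0x80:
            raise ValueError("expected a non-negative INTEGER for %s" % name)
        key[name] = int.from_bytes(value, "big")
    if pos != len(body):
        raise ValueError("trailing data (multi-prime keys are not supported)")
    if key["version"] != 0:
        raise ValueError("only two-prime (version 0) keys are supported")
    return key


def rsa_key_is_consistent(key):
    """Check the CRT fields against n, e and d; a corrupted key fails here."""
    p, q, n, e, d = key["p"], key["q"], key["n"], key["e"], key["d"]
    if p * q != n:
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        return False
    return (key["dp"] == d % (p - 1) and key["dq"] == d % (q - 1)
            and key["qinv"] == pow(q, -1, p))


def build_rsa_private_key_der(p, q, e):
    """Construct a toy RSAPrivateKey DER from p, q, e (test input, not a real key)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    values = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    body = b"".join(_der_int(v) for v in values)
    return b"\x30" + _der_len(len(body)) + body


def der_to_pem(der):
    """Wrap DER bytes in PKCS#1 PEM armour (64-character lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEAD] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_TAIL])


if __name__ == "__main__":
    toy = build_rsa_private_key_der(61, 53, 17)  # constructed toy key, p=61 q=53 e=17
    fields = parse_rsa_private_key(pem_to_der(der_to_pem(toy)))
    print(fields, "consistent:", rsa_key_is_consistent(fields))
```

The consistency check is the part worth keeping even if an ASN.1 editor is used for extraction: a key whose CRT fields do not match n, e and d would fail or, worse, produce faulty signatures once loaded into the secure element.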
- Set up Visual Studio Code as described in the linked guide.
- Create a folder < workspace > (here "workspace" is the folder into which the AliOS-Things repository will be cloned, for example %USERPROFILE%\Documents).
- Open a command prompt and change to the directory < workspace >.
- Download the aos-2.1-esp32-with-optiga-se.patch file from the link (its contents are summarised in the last section of this document).
- Execute the commands below to download the AliOS-Things source package and apply the patch. The patch path is relative to the AliOS-Things directory; if the file was saved in < workspace >, use ..\aos-2.1-esp32-with-optiga-se.patch.
git clone https://github.com/alibaba/AliOS-Things.git
cd AliOS-Things
git checkout rel_2.1.0
git pull origin rel_2.1.0
git apply aos-2.1-esp32-with-optiga-se.patch
Note: The warnings printed while applying the patch can be ignored.
- Add the project to Visual Studio Code (File -> Add Folder to Workspace -> select the top-level directory of the AliOS-Things repository).
- Open a new terminal in Visual Studio Code (Terminal -> New Terminal).
- To upgrade aos-cube, execute the following in the Visual Studio Code terminal:
pip install --upgrade setuptools
pip install --upgrade wheel
pip install --upgrade aos-cube
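The environment steps above, as an added example script (not from this guide or the AliOS-Things project) that performs the checks the guide asks the reader to do by hand: it verifies that the Python on PATH is 2.7 before aos-cube is used, refuses to apply the patch unless git apply --check passes, and lists the files the patch touched so the change can be reviewed before building. It assumes a POSIX shell such as Git Bash on Windows, git and python on PATH, and that the patch file was saved in < workspace > next to the clone.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes Git Bash or another
# POSIX shell, git and python on PATH, and the patch saved in <workspace>.
set -eu

# Accepts the output of "python -V" (Python 2 prints it to stderr) and
# succeeds only for a 2.7.x interpreter, which aos-cube for rel_2.1.0 needs.
python_is_27() {
    case "$1" in
        "Python 2.7."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply a patch only after git confirms it applies cleanly, so a wrong branch
# or an already-applied patch is caught before the tree is modified.
apply_patch_checked() {
    patch_file="$1"
    [ -f "$patch_file" ] || { echo "patch not found: $patch_file" >&2; return 1; }
    git apply --check "$patch_file" || { echo "patch does not apply cleanly" >&2; return 1; }
    git apply "$patch_file"
}

# Clone (or reuse) AliOS-Things rel_2.1.0 under $1 and apply the patch named $2,
# which is expected to sit in $1.
setup_alios() {
    workspace="$1"
    patch_file="$2"
    python_is_27 "$(python -V 2>&1)" || { echo "Python 2.7 is required on PATH" >&2; return 1; }
    cd "$workspace"
    [ -d AliOS-Things ] || git clone https://github.com/alibaba/AliOS-Things.git
    cd AliOS-Things
    git checkout rel_2.1.0
    git pull origin rel_2.1.0
    apply_patch_checked "../$patch_file"
    # List what the patch touched so the change set can be reviewed before building.
    git status --short
}

# Usage: setup_alios "$HOME/Documents" aos-2.1-esp32-with-optiga-se.patch
```

After the script finishes, continue with the Visual Studio Code and pip steps above; the pip upgrade of aos-cube is deliberately left to the reader because it installs packages into the Python 2.7 environment.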
This section describes how to configure and build the mqttapp example from the AliOS-Things source code for the ESP32.
Note: To use a customised device name and secret, refer to the section on the ID2 device node below.
- Execute the command below to configure the mqttapp example (run the terminal in the root of the AliOS-Things repository):
aos make mqttapp@esp32devkitc -c config
Note: If the above step fails, execute the command below in the terminal to fetch the Windows kconfig frontend, then repeat from step 1:
git clone https://gitee.com/alios-things/kconfig-frontends-win32.git ./build/kconfig/Win32/
- Open the file < workspace >\AliOS-Things\build\build_rules\toolchain\aos_toolchain_xtensa.mk and check that the variable below is assigned the specified value (compiler optimisation disabled):
COMPILER_SPECIFIC_OPTIMIZED_CFLAGS := -O0
- Execute the command below to enable the OPTIGA™ host library and iTLS:
aos make menuconfig
- The following options need to be selected for ID2:
Security -> Link Security ID2
Security -> Root of trust, SE-KM
Security -> Root of trust, OPTIGA
Security -> Lightweight TLS Support by ID2
- Change the options below to switch from TLS to iTLS:
Deselect Middleware -> Linkkit Configuration -> Linkkit HAL Config -> support TLS
Select Middleware -> Linkkit Configuration -> Linkkit HAL Config -> support ITLS
- Save and exit menuconfig.
- To build the source code, execute the command below (make sure the terminal is using Python 2.7; check with "python -V"):
aos make
- Execute the command below to flash the generated image (check in Device Manager which COM port the ESP32-DevKitC V4 is connected to):
aos upload mqttapp@esp32devkitc
- Execute the command below to open the serial console and run mqttapp, where n is the COM port number assigned to the ESP32-DevKitC V4:
aos monitor COMn 115200
- Press the reset button.
- To configure Wi-Fi, execute the command below in the serial console (after the restart, press Enter in the console first):
netmgr connect wifi_name wifi_password
- A successful cloud connection can be confirmed from the serial log.
- Access https://www.alibabacloud.com/ and click "Free Account".
- Fill in your registration information and click "Confirm".
- Finish the verification process by e-mail or by phone.
- You now have an individual account. Complete the "Basic Information" and "Payment Information" registration.
- Use this account to log in to the "IoT Platform" in order to create a new Ali IoT device.
- Select the "Documentation" tab.
- Click Quick Start -> Use IoT Platform -> Create products and devices; this is a detailed manual that guides you through creating an Ali IoT device.
- Note: Select "ID2" in the "Authentication Mode" list. So far this mode is not available to overseas customers.
- When the product has been created successfully, it can be viewed in the Device Management panel. Click "View" to get the "ProductKey" and "ProductSecret".
- Replace "ProductKey" and "ProductSecret" in .\app\example\mqttapp\mqtt_example.c, set a new value for "#define DEVICE_NAME" and leave "DEVICE_SECRET" unchanged. Treat ProductSecret as a credential: do not commit the modified file to a shared or public repository.
- Compile your project.
- After downloading the new image and powering on the device, the device status is shown in IoT Platform Console -> Maintenance -> Real-time Monitoring.
This section describes the modifications required to select the key type used with the secure element.
To use RSA keys:
- Modify AliOS-Things\security\irot\se\chipset\chip_template\chip_config.h as follows:
#define CHIP_CRYPTO_TYPE_CONFIG CHIP_CRYPTO_TYPE_RSA
- Modify AliOS-Things\security\id2\aos.mk as follows:
ifeq ($(CONFIG_LS_KM_SE), y)
$(NAME)_DEFINES += ID2_CRYPTO_TYPE_CONFIG=ID2_CRYPTO_TYPE_RSA
endif
To use AES keys:
- Modify AliOS-Things\security\irot\se\chipset\chip_template\chip_config.h as follows:
#define CHIP_CRYPTO_TYPE_CONFIG CHIP_CRYPTO_TYPE_AES
- Modify AliOS-Things\security\id2\aos.mk as follows:
ifeq ($(CONFIG_LS_KM_SE), y)
$(NAME)_DEFINES += ID2_CRYPTO_TYPE_CONFIG=ID2_CRYPTO_TYPE_AES
endif
- Create an ID2 device node at https://cn.aliyun.com/
- Replace the device name and device secret in the section below of the AliOS-Things\app\example\mqttapp\mqtt_example.c file (these values are device credentials; keep the modified file out of version control):
#define DEVICE_NAME "your device name"
#define DEVICE_SECRET "your device secret"
#define PRODUCT_KEY "your product key"
#define PRODUCT_SECRET "your product secret"
- Before powering off the OPTIGA™ chip it is recommended to wait until the security event counter (SEC) on the OPTIGA™ has reached zero; the chip counts a power-off with a non-zero SEC as a security event, and a high counter slows down subsequent operations. The wait itself can introduce a delay that leads to a connection timeout on the server side.
- This flow is implemented in irot_hal_cleanup but is disabled by default through the OPTIGA_SE_ENABLE_POWER_DOWN macro.
- To enable it, uncomment the macro definition in the AliOS-Things\security\irot\se\src\core\optiga_se_adapter.c file:
#define OPTIGA_SE_ENABLE_POWER_DOWN
The host library located at AliOS-Things\3rdparty\experimental\optiga can be ported to other platforms supported by the AliOS-Things framework.
- The platform abstraction layer for the platform low-level drivers (such as I2C and timer) located at AliOS-Things\3rdparty\experimental\optiga\pal can be modified as described in the linked porting guide.
- The platform-specific libitls.a library must be present in AliOS-Things\security\itls\lib\<platform specific folder>.
The patch contains the following modifications:
- OPTIGA™ host library, including the platform-dependent files specific to the ESP32.
- Modified I2C driver supporting read and write operations of at most 20 bytes of data per transfer.
- The shielded connection option is disabled because of this I2C driver limitation. The shielded connection is the encrypted and integrity-protected channel between the host and the OPTIGA™; with it disabled, all traffic on the I2C bus between the ESP32 and the OPTIGA™ is in the clear and can be observed or manipulated by anyone with physical access to the bus, so this configuration is suitable for evaluation only.
- ESP32 platform supported libitls.a library.