AWS Partner Network (APN) Blog

Securing AWS IoT Greengrass Deployments with NXP’s EdgeLock SE050

By Anton Shmagin, Sr. Partner Solutions Architect at AWS
By Chinmaya Acharya, Principal Security Engineer at NXP

NXP-AWS-Partners

Within AWS IoT fleet deployments, each connected device needs to have unique, trusted, verifiable identity, such as a client certificate signed by known certificate authority (CA) and the correspondent private key.

Device identity provides context to the data generated by the device. IoT Things are virtual representations of individual devices on AWS IoT that encapsulate its unique identity, certificate, authorization policy, and unique attributes.

IoT Things can be added to IoT Groups that logically group devices based on attributes such as location, firmware version, access level, or type. Each data point generated by a device is thus contextualized by its identity and logical grouping.

Device identity allows us to manage devices at scale. It’s important that an operational manager is able to find individual devices or a group of devices with commonalities. With AWS IoT’s Device Management Fleet Indexing, devices with a unique identity can be searched for based on connectivity status, grouping, or attributes. The results of these queries can be used to target devices for configuration changes, device commands, or over-the-air-updates.

Device identity is the foundation of AWS IoT security. Devices are authenticated with AWS IoT Core by mutual authentication with the device’s client certificate and AWS IoT’s server certificate. Mutual authentication is facilitated by TLS 1.2, and data in transit between the device and the cloud is encrypted.

AWS IoT Device Defender detects misconfiguration, expired certificates, or anomalous behavior from individual devices, and automatically takes mitigation actions such as certificate revocation, over-the-air updates, or raising alerts to technicians. The device’s unique identity allows Device Defender, a fleet manager, or a technician know exactly which device is misbehaving and take targeted action towards that device.

A compromised identity could allow an attacker to spoof an IoT device, publish erroneous data to the Amazon Web Services (AWS), or gain access to device commands and over-the-air updates. AWS recommends that a hardware security module, such as a secure element or trusted platform module (TPM) be used on IoT devices when possible. Together with a strong IoT policy that uses the principal of least privilege, attacks can be minimized or mitigated altogether.

While Linux OS provides strong protection from unauthorized user access, it’s still possible to compromise the system if the attacker has full physical access to the device (file system, serial console, JTAG). NXP EdgeLock SE050 prevents attackers from extracting the private key even if the physical integrity of the device is compromised and the attacker managed to get access to the device filesystem.

In addition to providing enhanced security, EdgeLock SE050 supports virtually all provisioning methods for AWS IoT. This includes certificates signed with AWS IoT CA, certificates signed by customer CAs, Just in Time Registration (JITR)/Just in Time Provisioning (JITP), and multi-account registration. Both ECC and RSA key pairs are supported as well.

While we will not be able to go through all of the possible scenarios in this post, you can refer to the documentation included with the EdgeLock SE05x Plug and Trust middleware support package. NXP is an AWS Partner that enables secure connections and infrastructure for a smarter world.

AWS IoT Greengrass

AWS IoT Greengrass is an Internet of Things (IoT) edge runtime and cloud service that helps you build, deploy, and manage device software. Customers use AWS IoT Greengrass for their applications on millions of devices in homes, factories, vehicles, and businesses.

With AWS IoT Greengrass, you can program your devices to act locally on the data they generate, execute predictions based on machine learning (ML) models, filter and aggregate device data, and only transmit necessary information to the cloud.

IoT devices built using AWS IoT Greengrass have a number of advantages compared to those developed with the AWS IoT Device SDK for Embedded C (C-SDK). In general, AWS IoT Greengrass is more suitable for feature-rich IoT deployments that require edge processing, while constrained IoT devices are better off with C-SDK.

The main AWS IoT Greengrass benefits include:

  • Fail-safe IoT application deployment based on AWS Lambda or containers.
  • Optimized ML model deployments to the edge.
  • Identity broker allows secure access to all AWS services, based on strong Root-of-Trust identity.
  • Hardware Security Integration (HSI) interface to secure modules and TPMs, based on the PKCS#11 standard.

Data protection is essential for IoT applications, especially when it comes to user privacy. AWS IoT Greengrass authenticates and encrypts device data for both local and cloud communications so that data is never exchanged between devices and the cloud without proven identity.

You can also leverage hardware-secured end-to-end encryption for messages sent between an AWS IoT Greengrass Core and the AWS Cloud, and messages between an AWS IoT Greengrass Core and other local devices.

Secure elements such as NXP’s EdgeLock SE050 provide hardware-based protection to the secure assets (identity and encryption keys, for example) used by AWS IoT Greengrass.

In this post, we’ll go through the steps of setting up AWS IoT Greengrass with HSI interface, and safeguarding the AWS IoT Greengrass Core identity used for authentication MQTT over TLS communication between the device and AWS IoT backend. This post features AWS IoT Greengrass V1.11 and will be extended to V2 as soon as the HSI module is available.

If you choose to follow along with this post with hardware, at the end you’ll have a working device running AWS IoT Greengrass 1.11 connected to the AWS IoT Core services. The private key generated by AWS IoT Core CA will be injected into the SE050 secure element.

Required Hardware

While any Linux-based device can work with SE050, we’ll be using Raspberry Pi SBC due to its popularity as a development platform and availability.

Assembly

Please refer to Figure 1 below to assemble the “sandwich” from Raspberry Pi, OM-SE050ARD: SE050 Arduino Compatible Development Kit, and OM-SE050RPI: Arduino to Raspberry Pi Adapter Board.

It’s also possible to connect the development kit to Raspberry Pi with jumper cables if you are comfortable with electronics.

NXP-IoT-Greengrass-EdgeLock-1

Figure 1 – Raspberry Pi header pin positions for the triple-board assembly.

The following picture provides the reference positions of the jumpers on the SE050 development kit. Please make sure that J14 jumper is in 1-2 position(!) as our kit came with J14 in 3-4 position.

NXP-IoT-Greengrass-EdgeLock-2

Figure 2 – Jumper (J14) in 1-2 position.

Download Raspberry Pi OS and flash it to the microSD card using your preferred method (balenaEtcher, Raspberry Pi Imager, dd, etc.)

Next, insert the microSD card into your Raspberry Pi and power it on.

Set Up Raspberry Pi

Log in to Raspberry Pi and:

  • Enable SSH (sudo raspi-config > Interfacing Options > SSH > Enable) Documentation
  • Enable i2c (sudo raspi-config > Interfacing Options > I2C > Enable)
  • Configure WiFi (sudo raspi-config > Networking Options > Wireless LAN > SSID/Password)

Follow the steps to prepare Raspberry Pi for the AWS IoT Greengrass Core installation.

Download SE05x Middleware Package

Navigate to EdgeLock SE05x Plug and Trust middleware and download it.

Log in with your NXP.com account or register if you don’t have one.

Save the ZIP archive to your workstation and transfer to Raspberry Pi (scp/sftp on Linux/Mac, WinSCP on Windows).

Set Up Prerequisites and Compile SE050 Middleware

SSH to your Raspberry Pi:

ssh pi@<your_RPi_IP_address>

Create directory SE050 and move SE-PLUG-TRUST-MW.zip archive there:

mkdir SE050; mv SE-PLUG-TRUST-MW.zip ~/SE050; cd SE050

Extract SE-PLUG-TRUST-MW.zip archive:

unzip SE-PLUG-TRUST-MW.zip

Install necessary packages to build middleware utilities to interface i2c bus:

sudo apt-get install cmake cmake-curses-gui cmake-gui libssl-dev python-smbus i2c-tools

Check that our Raspberry Pi device can enumerate SE050 seYOUR-ENDPOINTcure element through i2c bus:

i2cdetect 1

You should receive output similar to:

WARNING! This program can confuse your I2C bus, cause data loss and worse! I will probe file /dev/i2c-1. I will probe address range 0x03-0x77. Continue? [Y/n]
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- 48 -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- —

In case you cannot identify the device at 0x48 address, verify your connections and jumpers.

Build and install necessary libraries and components:

cd ~/SE050/simw-top
python scripts/create_cmake_projects.py
cd ../simw-top_build/raspbian_native_se050_t1oi2c/
cmake --build .
sudo make install
sudo ldconfig /usr/local/lib

If the build is successful, you need to configure additional components to install (PKCS#11 library for SE050, as PKCS#11 is an abstraction layer Greengrass HSI interacts with).

cd ~SE050/simw-top_build/raspbian_native_se050_t1oi2c/

ccmake .

Adjust configuration to:

∙ RTOS_Default: ON
∙ WithHostCrypto_MBEDTLS: ON ∙ WithmbedTLS_ALT_SSS: ON
∙ WithSharedLIB: OFF
∙ Project: sss_pkcs11

Re-compile and install libraries:

cmake --build .

sudo make install

sudo ldconfig /usr/local/lib

Install AWS IoT Greengrass

Follow the steps to provision Greengrass Group in the AWS Console.

Make sure you save the hash-setup.tar.gz archive with config.json, private/public keypair and certificate.

From Greengrass Software, download Greengrass the Core package.

Transfer both archives to Raspberry Pi.

Next, extract the Greengrass Core software:

sudo tar -xzvf greengrass-OS-architecture-1.11.0.tar.gz -C /

Extract configuration and cryptomaterials to /greengrass:

sudo tar -xzvf hash-setup.tar.gz -C /greengrass

Extract same archive to ~/SE050 directory:

sudo tar -xzvf hash-setup.tar.gz -C ~/SE050

Download Amazon Trust Services CA certificate:

cd /greengrass/certs/

sudo wget -O root.ca.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem

!NB Do not start AWS IoT Greengrass yet!!!

Inject private key to SE050:

cd ~/SE050/certs
cp hash.private.key hash.private.pem
ssscli connect se050 t1oi2c none
ssscli se05x reset
ssscli set rsa pair 0x20181001 ~/SE050/certs/hash.private.pem

In case you are using your own CA and ECC keypair, the last command will be:

ssscli set ecc pair 0x20181001 ~/SE050/certs/ecc-key.private.pem

Delete everything except device certificate from /greengrass/certs directory:

sudo rm /greengrass/certs/*private.key; sudo rm /greengrass/certs/*public.key

Update your /greengrass/config/config.json file:

{
  "coreThing" : {
    "thingArn" : "arn:aws:iot:us-east-1:AWS_ACCOUNT_NUMBER:thing/SE050_Core",
    "iotHost" : "YOUR_ENDPOINT-ats.iot.us-east-1.amazonaws.com",
    "ggHost" : "greengrass-ats.iot.us-east-1.amazonaws.com",
    "keepAlive" : 600
  },
  "runtime" : {
    "cgroup" : {
      "useSystemd" : "yes"
    }
  },
  "managedRespawn" : false,
  "crypto" : {
    "principals" : {
      "SecretsManager" : {
        "privateKeyPath" : "pkcs11:object=sss:20181001;type=private"
      },
      "IoTCertificate" : {
        "privateKeyPath" : "pkcs11:object=sss:20181001;type=private",
        "certificatePath" : "file:///greengrass/certs/HASH.cert.pem"
      },
      "MQTTServerCertificate": {
        "privateKeyPath": "pkcs11:object=sss:20181001;type=private"
      }
    },
    "PKCS11": {
      "P11Provider": "/usr/local/lib/libsss_pkcs11.so",
      "slotLabel": "SSS_PKCS11",
      "slotUserPin": "1234"
    },
    "caPath" : "file:///greengrass/certs/root.ca.pem"
  }

Start AWS IoT Greengrass

Start the greengrassd daemon:

cd /greengrass/ggc/core/

sudo ./greengrassd start

Monitor the log file located in greengrass-root/ggc/var/log/system/runtime.log. You should see output like:

[2021-01-28T17:43:47.22Z][INFO]-Connecting with MQTT.	{"endpoint": "YOUR-ENDPOINT-ats.iot.us-east-1.amazonaws.com:8883", "clientId": "SE050_Core"}
[2021-01-28T17:43:47.868Z][INFO]-MQTT connection successful.	{"attemptId": "bUIg", "clientId": "SE050_Core"}
[2021-01-28T17:43:47.868Z][INFO]-MQTT connection connected. Start subscribing.	{"clientId": "SE050_Core", "count": 1}
[2021-01-28T17:43:47.868Z][INFO]-Daemon connected to cloud.
[2021-01-28T17:43:47.868Z][INFO]-Start subscribing. {"numOfTopics": 5, "clientId": "SE050_Core"}
[2021-01-28T17:43:47.868Z][INFO]-Trying to subscribe to topic $aws/things/SE050_Core-gda/shadow/get/accepted
[2021-01-28T17:43:47.869Z][INFO]-MQTT connection established.	{"endpoint": "YOUR-ENDPOINT-ats.iot.us-east-1.amazonaws.com:8883", "clientId": "SE050_Core"}

In case you are experiencing connectivity issues, refer to the Greengrass Troubleshooting Guide.

Deploy the AWS IoT Greengrass Group

Navigate to AWS Console > Services > IoT Greengrass > Classic (V1) > Groups.

Select the Greengrass Group you created earlier. It should display Not deployed.

From the Actions menu, select Deploy.

NXP-IoT-Greengrass-EdgeLock-3

Figure 3 – AWS IoT Greengrass deployment through AWS Console.

Provided Greengrass Core communicates successfully, you should see following message in the console:

NXP-IoT-Greengrass-EdgeLock-4

Figure 4 – Successful AWS IoT Greengrass deployment.

Conclusion

In this post, we walked through the setup and configuration of AWS IoT Greengrass Core, building a PKCS#11 library for SE050, and deploying Greengrass Group. We also set up and configured the Greengrass HSI interface to NXP EdgeLock SE050.

While the configuration steps we provided allow for maximum flexibility to experiment, for production use the slots with private keys should be locked to prevent those from re-injecting the cryptomaterials. Even in the developer configuration, however, there’s no option adversary can obtain the keys from the secure element.

If you would like to learn more about SE050 functionality, please refer to the SE050 documentation. To learn about AWS IoT Greengrass Hardware Security Integration, see the HSI documentation.

.
NXP-APN-Blog-CTA-1
.


NXP – AWS Partner Spotlight

NXP is an AWS Partner whose semiconductors enable secure connections and infrastructure for a smarter world, advancing solutions markets.

Contact NXP | Partner Overview

*Already worked with NXP? Rate the Partner

*To review an AWS Partner, you must be a customer that has worked with them directly on a project.