A secure IoT environment is one of the first prerequisites of a successful product.
Following this tutorial, you will be able to run Microchip’s “Zero Touch Secure Provisioning” demo for secure authentication to AWS IoT in simple Python using Zerynth tools.
What does “Zero Touch Secure Provisioning” mean?
As Microchip's original tutorial explains, one of the hardest parts of securing a cloud-connected device is handling its keys: they must be installed during manufacturing and must never be exposed afterwards.
The Microchip Technology ATECC508A CryptoAuthentication device, already supported by Zerynth, keeps those keys and certificates (signer and user) inside the chip, which makes it straightforward to connect IoT devices securely to the cloud for home automation, industrial networking, accessory and consumable authentication, medical, mobile and other applications.
Why “Zero Touch Secure Provisioning” in Python?
Thanks to Zerynth tools, a complete integration path lets us faithfully replicate the Microchip Zero Touch Provisioning demo in Python.
But what is the point of faithfully replicating something that already exists?
Zerynth's implementation of Python for microcontrollers makes embedded programming much easier: Python scripts are easier to read and considerably shorter than their C/C++ counterparts.
In addition, the Zerynth version of this demo makes the whole process more flexible and easier to customize and reuse, while retaining its secure foundation.
Last but not least, using a single programming language from the host PC scripts to the MCU firmware is a great advantage for anyone who needs to understand how the whole process of secure provisioning and connectivity works.
The central hub of the kit is the SAMG55 Xplained Pro board, already supported by Zerynth. Then you’ll need to:
- plug WINC1500 Xplained Pro into EXT1 on the SAMG55 Xplained Pro.
- plug OLED1 Xplained Pro into EXT3 on the SAMG55 Xplained Pro.
- plug CryptoAuth Xplained Pro into EXT4 on the SAMG55 Xplained Pro.
- plug USB cable from PC into EDBG USB port on the SAMG55 Xplained Pro. This port is how the firmware is loaded/updated and also exposes a serial port (COM port, 115200 baud).
Ensure that the latest firmware is installed on the ATWINC1500. Instructions on how to upgrade the firmware are on the ATWINC1500-XPRO product web page: scroll to the bottom of the page and select 'Flash Memory Download Procedure'.
Update the WINC1500 firmware to 19.5.4: in Atmel Studio, create a new ASF Example Project "WINC1500 Firmware Update Project (v19.5.4) – SAMG55 Xplained Pro" and run the samg55_xplained_pro_firmware_update.bat batch script from its src folder.
- Install Zerynth Studio. Here you can find more info on how to get started with Zerynth
- Install AWS CLI. It is used to configure the AWS credentials for the Python scripts. Note: run aws configure only after the AWS Setup steps below. More info here.
- Download the folder of the demo that you can find on Zerynth’s GitHub https://github.com/zerynth/aws-iot-zero-touch-secure-provisioning-kit
- Log into the AWS Console for your account and select the region you want to run the kit from.
- Create an IAM user to demo/run the kit from:
- Username: ZTUser
- Enable Programmatic access and AWS Management Console access
- Add the AWS managed policies AWSIoTFullAccess and AWSLambdaFullAccess (broad permissions, acceptable for a demo account; scope them down for anything beyond this kit)
- Run aws configure from the command line on your PC to configure the AWS credentials for the ZTUser account. Make sure you enter the same region as selected in the previous step.
- Create JITR Lambda Function Policy
- Name: ZTLambdaJITRPolicy
- Policy Document:
- Create JITR Lambda Function Role:
- Role type: AWS Service Role > AWS Lambda
- Name: ZTLambdaJITRRole
- Add policies AWSLambdaBasicExecutionRole, AWSXrayWriteOnlyAccess, and ZTLambdaJITRPolicy.
See AWS CloudFormation templates and documentation in the “cloud-formation-templates” folder previously downloaded from GitHub.
Configure AWS for Just In Time Registration (JITR)
These steps will be performed from the IAM user, ZTUser, created for demonstrating this kit.
- Create the Just In Time Registration (JITR) Lambda Function
- Name: ZTLambdaJITR
- Runtime: Python 3.6
- Copy and paste the code found in ZTLambdaJITR/lambda_function.py into the code entry area.
- Existing Role: ZTLambdaJITRRole
- Create IoT Rules Engine Rule for triggering the JITR lambda function.
- Name: ZeroTouchJustInTimeRegistration
- SQL version: 2016-03-23
- Attribute: *
- Topic filter: $aws/events/certificates/registered/#
- Add action to invoke the ZTLambdaJITR lambda function.
Note: Screenshots for the AWS Setup and Configure AWS for Just In Time Registration (JITR) steps available here.
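The JITR Lambda is what turns a device's first, refused connection into a registered thing. Below is an added Python example of that logic; it is not the kit's ZTLambdaJITR/lambda_function.py. It parses the certificate-registered event that AWS IoT publishes on the rule's topic filter, checks the issuing CA against an allow-list (the TRUSTED_CA_IDS environment variable, the ZTDevicePolicy name and deriving the thing name from the certificate id are assumptions of this example), creates a thing and a policy scoped with the iot:Connection.Thing.ThingName policy variable instead of a wildcard, attaches both to the certificate, and only then activates it. The boto3 client is injected so the function runs offline against the constructed FakeIot.

```python
"""Just-in-time registration (JITR) handler.

Added example, not the kit's ZTLambdaJITR/lambda_function.py. It handles a
$aws/events/certificates/registered/<caCertificateId> event: activate the new
device certificate and bind it to a thing and a least-privilege policy.
"""
import json
import os

# Hypothetical: signer CA ids this deployment accepts, from the Lambda environment.
TRUSTED_CA_IDS = set(filter(None, os.environ.get("TRUSTED_CA_IDS", "").split(",")))
POLICY_NAME = "ZTDevicePolicy"  # hypothetical policy name, not from the kit


def policy_document(region, account_id):
    """Scope the device to a client id equal to its thing name and to topics
    under that name (iot:Connection.Thing.ThingName is an IoT policy variable)."""
    thing = "${iot:Connection.Thing.ThingName}"
    base = "arn:aws:iot:%s:%s" % (region, account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": "%s:client/%s" % (base, thing)},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": ["%s:topic/%s/*" % (base, thing),
                          "%s:topic/$aws/things/%s/shadow/*" % (base, thing)]},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": ["%s:topicfilter/%s/*" % (base, thing),
                          "%s:topicfilter/$aws/things/%s/shadow/*" % (base, thing)]},
        ],
    }


def _ignore_exists(iot, call, **kwargs):
    """Create-if-missing: the event may be delivered again for the same certificate."""
    try:
        call(**kwargs)
    except iot.exceptions.ResourceAlreadyExistsException:
        pass


def handle_registration_event(event, iot, region, trusted_cas=None):
    """Return the thing name bound to the certificate, or None if the event is
    rejected (wrong status, or a CA that is not one of our registered signers)."""
    trusted = TRUSTED_CA_IDS if trusted_cas is None else trusted_cas
    if event.get("certificateStatus") != "PENDING_ACTIVATION":
        return None
    if event.get("caCertificateId") not in trusted:
        return None  # leave the certificate inactive: it cannot connect
    cert_id = event["certificateId"]
    desc = iot.describe_certificate(certificateId=cert_id)
    cert_arn = desc["certificateDescription"]["certificateArn"]
    thing_name = cert_id[:32]  # example choice: thing name derived from the cert id
    _ignore_exists(iot, iot.create_policy, policyName=POLICY_NAME,
                   policyDocument=json.dumps(policy_document(region, event["awsAccountId"])))
    _ignore_exists(iot, iot.create_thing, thingName=thing_name)
    iot.attach_policy(policyName=POLICY_NAME, target=cert_arn)
    iot.attach_thing_principal(thingName=thing_name, principal=cert_arn)
    # Activate last, so a half-bound certificate never becomes usable.
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    return thing_name


def lambda_handler(event, context):
    """Entry point in AWS Lambda; boto3 is provided by the runtime."""
    import boto3
    region = os.environ["AWS_REGION"]
    return handle_registration_event(event, boto3.client("iot", region_name=region), region)


class FakeIot:
    """Constructed stand-in for boto3's IoT client; records every call it receives."""
    class exceptions:
        class ResourceAlreadyExistsException(Exception):
            pass

    def __init__(self):
        self.calls = []
        self.policies = set()

    def describe_certificate(self, certificateId):
        return {"certificateDescription": {
            "certificateArn": "arn:aws:iot:eu-west-1:123456789012:cert/" + certificateId}}

    def create_policy(self, policyName, policyDocument):
        if policyName in self.policies:
            raise self.exceptions.ResourceAlreadyExistsException(policyName)
        self.policies.add(policyName)
        self.calls.append(("create_policy", policyName))

    def __getattr__(self, name):  # create_thing, attach_*, update_certificate
        def record(**kwargs):
            self.calls.append((name,) + tuple(sorted(kwargs.items())))
        return record


SAMPLE_EVENT = {  # constructed, in the documented shape of a registered event
    "certificateId": "ab12" * 16, "caCertificateId": "cd34" * 16,
    "timestamp": 1500000000000, "certificateStatus": "PENDING_ACTIVATION",
    "awsAccountId": "123456789012", "certificateRegistrationTimestamp": 1500000000000,
}


def run_demo():
    """Register the sample certificate twice; the second run simulates a redelivery."""
    iot = FakeIot()
    trusted = {SAMPLE_EVENT["caCertificateId"]}
    name = handle_registration_event(SAMPLE_EVENT, iot, "eu-west-1", trusted)
    handle_registration_event(SAMPLE_EVENT, iot, "eu-west-1", trusted)
    return name, iot.calls


if __name__ == "__main__":
    print(run_demo())
```

Note the ordering: the policy and thing are attached before the certificate status is changed to ACTIVE, so a retry that dies halfway leaves the certificate unable to connect rather than connected with no policy. The device sees this whole sequence only as "first connection refused, second accepted".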
Create and Register the Certificate Authorities (CAs)
- The Zerynth Python binary can run the kit's custom Python scripts without installing further dependencies. Run ztc info --tools to retrieve the Python path (e.g. C:\Users\myusername\zerynth2\sys\python\python.exe) and use that interpreter to run the following scripts, in order:
- ca_create_root.py to create a root CA.
- ca_create_signer_csr.py to create a CSR for a signer.
- ca_create_signer.py to sign the signer CSR with the root CA.
- aws_register_signer.py to register the signer CA with AWS IoT. AWS only registers a CA whose private key you can prove you hold: the script requests a registration code from AWS IoT and presents a verification certificate, signed by the signer CA, whose Common Name is that code.
Note: Screenshots and details for Create and Register the Certificate Authorities (CAs) here.
Provision the ATECC508A on the kit
- Register and virtualize the device:
- ztc device discover --matchdb to retrieve the device id (the uid column).
- ztc device alias put RETRIEVEDID my_g55 xplained_samg55 to assign the alias my_g55 to the device.
- ztc provisioning uplink-config-firmware my_g55 --i2caddr 0x0 to prepare the device for provisioning (reset the device when asked to).
- ztc provisioning crypto-scan my_g55 to obtain the I2C address of the crypto element.
- ztc provisioning write-config my_g55 configuration.bin --lock True to write the desired configuration to the crypto element. This command LOCKS the crypto element and sets its address to 0x58; the procedure is IRREVERSIBLE, so check configuration.bin before running it.
- Manually reset the device and run ztc provisioning crypto-scan my_g55 again to check that the new address has been assigned.
- ztc provisioning gen-private my_g55 2 to generate a private key inside slot 2 of the crypto element. The key is generated by the ATECC508A itself and never leaves it; every later step uses only the corresponding public key.
- ztc provisioning get-csr my_g55 2 'C=IT,L=Pisa,O=Zerynth' -o device.csr to generate the device CSR, signed inside the crypto element with the slot 2 key.
- kit_provision.py --ssid wifi-name --password wifi-password to start provisioning the crypto element.
- ztc provisioning store-public my_g55 13 root-ca.crt.public to store the root CA public key in slot 13 of the crypto element.
- ztc provisioning store-certificate my_g55 device device.crt to store the device certificate.
- ztc provisioning store-certificate my_g55 signer signer-ca.crt to store the signer certificate.
[Figure: kit_provision.py command output]
[Figure: ztc provisioning store-* commands output]
Uplink Zerynth Project
- Open Zerynth Studio.
- From the Device Management Widget switch to Advanced Mode and then back to Auto mode to force alias refresh.
- Open the "firmware/ZeroTouchDemo" project (you can find it in the folder downloaded from GitHub).
- Open the serial monitor and uplink the project. On the serial monitor you can see whether the device connects to the WiFi and then to the cloud.
The first connection attempt fails: the device certificate is still inactive, and it is this attempt that triggers the certificate-registered event and the JITR Lambda. The second attempt, made once the Lambda has activated the certificate, succeeds. The firmware handles this with a simple while loop and try/except around the connect call.
Interact with the board via AWS
- Run aws_interact_gui.py to interact with the board and toggle its LEDs. Pressing the buttons on the board also updates their state in the GUI.
- The device connects and reports the default shadow, with all buttons in state "up".
- BUTTON2 is pressed and its reported state goes to "down".
- LED3 is selected from the GUI and its desired and reported states go to "on".
Uplink the second Firmware
The flexibility of this solution is shown by the second project: changing only a few lines completely changes the application's goal while reusing the same provisioning.
The goal of this application is a device that sends data to the cloud, with the publishing period controllable through the device's shadow.
Open the HWControlled_Publish_Period project from the firmware folder of the downloaded demo folder and uplink it. The device connects immediately, since JITR has already been performed. Get the thing name from thing.conf.json.
Go to AWS IoT -> Test and subscribe to the thingname/# topic filter.
You can see the incoming data in the AWS console.
Then go to Manage -> Things and select the thing.
Open its shadow and edit the document: a message from the callback defined in the firmware appears on the serial monitor and the publish period changes accordingly.
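The shadow interaction in these two sections (buttons and LEDs in the first firmware, the publish period in the second) follows one device-side pattern, shown here as an added Python example. It is not the kit's firmware, which runs on Zerynth's MicroPython-style runtime on the SAMG55. The device reports local changes on the shadow update topic, applies valid desired values arriving on the delta topic, clears invalid ones by nulling them in desired, and drops stale deltas by version. The MQTT client is replaced by a publish() callable; the thing name my_g55, the LED/button names and the period bounds are assumptions.

```python
"""Device-side shadow synchronisation for LEDs, buttons and publish period.

Added example, not the kit's firmware. Topics are the real AWS IoT classic
shadow topics; the thing name, state keys and bounds are assumed.
"""
import json

LEDS = ("LED1", "LED2", "LED3")
BUTTONS = ("BUTTON1", "BUTTON2", "BUTTON3")
PERIOD_RANGE = (1, 3600)  # assumed bounds for the publish period, in seconds


class DeviceShadow:
    def __init__(self, thing_name, publish):
        self.thing_name = thing_name
        self.publish = publish  # callable(topic: str, payload: str), e.g. mqtt.publish
        self.state = {**{led: "off" for led in LEDS}, **{b: "up" for b in BUTTONS},
                      "publish_period": 5}
        self.last_version = 0  # highest shadow version applied so far

    def topic(self, suffix):
        return "$aws/things/%s/shadow/%s" % (self.thing_name, suffix)

    def report(self, changes):
        """Publish a reported-state update; this is what the AWS console shows."""
        self.state.update(changes)
        self.publish(self.topic("update"), json.dumps({"state": {"reported": changes}}))

    def press(self, button, down=True):
        """Local input: buttons are reported only, never driven from the cloud."""
        self.report({button: "down" if down else "up"})

    def validate(self, key, value):
        if key in LEDS:
            return value in ("on", "off")
        if key == "publish_period":
            return (isinstance(value, int) and not isinstance(value, bool)
                    and PERIOD_RANGE[0] <= value <= PERIOD_RANGE[1])
        return False  # buttons and unknown keys cannot be set by a desired state

    def on_delta(self, payload):
        """Handle a message on $aws/things/<name>/shadow/update/delta.
        Returns the accepted changes, or None when the delta is stale."""
        msg = json.loads(payload)
        version = msg.get("version", 0)
        if version <= self.last_version:
            return None  # out-of-order or replayed delta
        self.last_version = version
        accepted, rejected = {}, {}
        for key, value in msg.get("state", {}).items():
            (accepted if self.validate(key, value) else rejected)[key] = value
        if rejected:
            # Null the invalid desired keys so the delta does not persist forever.
            self.publish(self.topic("update"),
                         json.dumps({"state": {"desired": {k: None for k in rejected}}}))
        if accepted:
            self.report(accepted)
        return accepted

    def on_get_accepted(self, payload):
        """Boot-time sync from shadow/get/accepted: apply desired state that
        accumulated while the device was offline, or report the full state."""
        doc = json.loads(payload)
        delta = doc.get("state", {}).get("delta")
        if delta is None:
            self.report(dict(self.state))
            return {}
        return self.on_delta(json.dumps({"state": delta, "version": doc.get("version", 0)}))


def run_demo():
    """Walk through the sequence seen in the tutorial with a constructed publisher."""
    published = []  # stand-in for the MQTT client: (topic, decoded payload)
    shadow = DeviceShadow("my_g55", lambda t, p: published.append((t, json.loads(p))))
    shadow.report(dict(shadow.state))                                  # default shadow
    shadow.press("BUTTON2")                                            # BUTTON2 -> "down"
    shadow.on_delta('{"state": {"LED3": "on"}, "version": 3}')         # LED3 from the GUI
    shadow.on_delta('{"state": {"publish_period": 2}, "version": 4}')  # shadow edited
    shadow.on_delta('{"state": {"LED1": "on"}, "version": 2}')         # stale: ignored
    shadow.on_delta('{"state": {"publish_period": 0, "BUTTON1": "down"}, "version": 5}')
    return shadow, published


if __name__ == "__main__":
    shadow, published = run_demo()
    for topic, payload in published:
        print(topic, json.dumps(payload))
```

The version check matters on a real network: shadow delta messages can be redelivered or arrive out of order after a reconnect, and without it a device would happily apply an old desired period over a newer one. Nulling rejected desired keys is the shadow's documented way to drop a key from the desired document, which is what stops the cloud from re-sending the same bad delta.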
Summary and Next Steps
Congratulations! You have created a device that communicates with the cloud (Amazon AWS) in simple Python with a high level of security, thanks to the Microchip CryptoAuthentication chip and Zerynth.
We’ll share more tutorials about this topic in the next months, stay tuned!