"IoT Made Easy!" - This application demonstrates the in-field provisioning and registration to a cloud-computing provider by means of the ECC608-TMNGTLS CryptoAuthentication™ element and Kudelski keySTREAM Trusted Agent (KTA).
Devices: WFI32E03, ECC608-TMNGTLS
Features: Wi-Fi
THE SOFTWARE IS PROVIDED "AS IS" AND GIVES A PATH FOR SELF-SUPPORT AND SELF-MAINTENANCE. This repository contains example code intended to help accelerate client product development.
For additional Microchip repos, see: https://github.com/Microchip-MPLAB-Harmony
Check out the Technical support portal to access our knowledge base, community forums or submit support ticket requests.
- Contents
- Introduction
- Bill of Material
- Prerequisites
- Hardware Setup
- Software Setup
- Firmware
- Run the Demo
- Links
This application demonstrates the usage of the WFI32E03 in a Public Key Infrastructure (PKI) based environment to ensure secure communication and data protection to Amazon Web Services (AWS). This is achieved by means of Microchip's TrustMANAGER and Kudelski's keySTREAM Trusted Agent (KTA).
The FreeRTOS™ based application hosts a TCP client in Wi-Fi STA mode that connects to the Home-AP. To ensure proper Wi-Fi connectivity, provide the necessary details, see here.
By default, every time the IoT device is powered up, a TCP client socket connection to the Kudelski keySTREAM server is established, either to initially set up, to confirm or to renew its credentials. Only after this so-called in-field provisioning process has finished successfully is the device able to establish a secure connection to a cloud-computing provider deploying PKI, e.g. Amazon Web Services.
Following the provisioning step, the device generates the signer and device certificates and opens a TLS-based TCP client socket to AWS. The public and private keys required during the TLS handshake are derived from information stored in the TrustMANAGER CryptoAuthentication™ secure element; the private key never leaves the secure element.
Before the MQTT based demo can start, the device has to be registered once with AWS. This step takes place automatically during the very first cloud access.
Once a connection to the MQTT broker has been established, the application subscribes to a specific MQTT topic and then either creates a new default device shadow or overwrites the existing one.
After that, the application waits for incoming MQTT messages that change the state of the onboard LEDs. Whenever an LED state changes, a reporting message is published to the broker. To control the onboard LEDs, use a suitable MQTT client running on the PC, e.g. MQTT-Explorer.
Note: It is recommended to review the following points in the respective account:
a) Kudelski
- My Devices: double-check that the device state is set to "Onboarded"
b) AWS
- IoT Core → Security → Policies: double-check that a device related policy has been created
- IoT Core → Security → Certificates: double-check that a device related certificate ID has been created and activated
- IoT Core → All devices → Things: double-check that the device has been registered
| TOOLS | QUANTITY |
|---|---|
| PIC32 WFI32 2.0 Curiosity Board | 1 |
| ATECC608 TRUST Board Revision: 04-11017-R4 and above | 1 |
| CryptoAuth TrustMANAGER Board | 1 |
| MPLAB® PICkit™ 4 In-Circuit Debugger | 1 |
- Download and install the latest version of Microchip Trust Platform Design Suite (TPDS)
- Create and sign in to AWS account
- Create and sign in to Kudelski IoT keySTREAM account
- Before using the target hardware platform, the ECC608-TMNGTLS CryptoAuthentication™ secure element (TrustMANAGER) needs to be registered with Kudelski IoT keySTREAM once. Follow the instructions as described in setting up the ATECC608 TRUST and CryptoAuth TrustMANAGER board.
Open the Microchip Trust Platform Design Suite and select Usecases.
Now select "CryptoAuth Trust Platform - TMNG" in the Kit drop-down box and "keySTREAM™ In-field Provisioning" as the Usecase.
In the next dialog execute the Pre-Config instruction steps one by one. First, generate the Manifest file for the ATECC608 secure element. The second step requires device related information from Kudelski IoT keySTREAM and AWS. Finish the remaining steps 3 to 6. On success, close TPDS and open the MPLAB X project separately.
Now follow the instructions as described in setting up the PIC32 WFI32 2.0 Curiosity board.
Note: It is recommended to watch the tutorial video and/or to use the Usecase Help button and follow the guidance, e.g. to create AWS things and to gather necessary data.
- Connect the ATECC608 TRUST and PIC32 WFI32 2.0 Curiosity board via mikroBUS™ header (J200)
- For normal operation, set the Power Source Selection Jumper (J202) to VBUS-VIN (5-6) once the demo software has already been programmed to the device
- Connect the Target VBUS Micro-B Connector (J204) on the board to the computer using a micro USB cable
- On the GPIO Header (J207), connect U1RX (PIN 13) and U1TX (PIN 23) to TX and RX pin of any USB to UART converter. When using FTDI chips, connect GND (PIN 17) additionally.
- Home AP (Wi-Fi Access Point with internet connection)
- For device programming, follow the instructions as described in setting up the MPLAB® PICkit™ 4 In-Circuit Debugger
- To activate the TrustMANAGER secure element of board revision #4 set DIP switch 8 to ON (SW2)
- To activate the TrustMANAGER secure element of board revision #5 or later set DIP switch 5 to ON (SW2)
- Set DIP switch SW2_1 to ON to enable mikroBUS™ header and SW2_2 to OFF to disable the on-board devices
- Connect the ATECC608 and CryptoAuth TrustMANAGER board via mikroBUS™ header
- Connect the board to the computer using a micro USB cable
- Set the Power Source Selection Jumper (J202) to PKOB-VIN (3-4)
- Connect the PKOB3 Micro-B USB connector (J302) on the board to the computer using a micro USB cable
- Connect the debugger to the ICSP™ header (J206)
- Connect the debugger to the computer using a micro USB cable
- MPLAB® X IDE v6.20
- MPLAB® X IDE plug-ins: MPLAB® Code Configurator (MCC) v5.7.1 and above
- MPLAB® XC32 C/C++ Compiler v4.10
- MPLAB® Harmony v3
- Device Pack: PIC32MZ-W_DFP (1.8.326)
| Harmony v3 Component | version |
|---|---|
| bsp | v3.22.0 |
| csp | v3.19.6 |
| core | v3.13.5 |
| paho.mqtt.embedded-c | v1.2.3 |
| keySTREAM_provisioning | v1.0.1 |
| cryptoauthlib | v3.7.5 |
| wolfssl | v5.4.0 |
| wolfMQTT | v1.19.2 |
| net | v3.12.2 |
| crypto | v3.8.2 |
| wireless_wifi | v3.11.1 |
| wireless_system_pic32mzw1_wfi32e01 | v3.9.1 |
| CMSIS_5 | v5.9.0 |
| CMSIS-FreeRTOS | v11.0.1 |
- Create AWS IoT Security Policy:
- AWS → IoT Core → Security → Policies → Create policy
- Enter a policy name, for example WFI32E03_control_LEDs_Policy
- Set the minimal policy statements via the Builder or use JSON format such as:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-2:381492211849:client/${iot:Connection.Thing.ThingName}"
    },
    { "Effect": "Allow", "Action": "iot:Publish", "Resource": "*" },
    { "Effect": "Allow", "Action": "iot:Subscribe", "Resource": "*" },
    { "Effect": "Allow", "Action": "iot:Receive", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "iot:GetThingShadow", "iot:UpdateThingShadow" ],
      "Resource": "*"
    }
  ]
}
```
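The policy above pins only `iot:Connect` to the connecting thing's client ID; publish, subscribe, receive and shadow access are granted on `"*"`, so any device holding a certificate attached to this policy can read and write every topic and shadow in the account. The following script is an added example, not part of the Microchip project: it flags the wildcard resources in the README policy and builds a variant scoped to the connecting thing's own classic shadow topics. `<REGION>` and `<ACCOUNT_ID>` are placeholders to fill in, and the exact set of shadow topics the device needs is an assumption not stated on this page.

```python
"""Added example (not Microchip project code): audit an AWS IoT policy for
wildcard resources and derive a least-privilege variant for one thing."""
import json

REGION = "<REGION>"          # placeholder: region of the AWS IoT endpoint, e.g. us-east-2
ACCOUNT_ID = "<ACCOUNT_ID>"  # placeholder: 12-digit AWS account ID
# Policy variable that AWS IoT resolves to the name of the thing attached
# to the client certificate used for the connection.
THING = "${iot:Connection.Thing.ThingName}"

# The README's policy, embedded here as the input to audit
# (account ID and region replaced by the placeholders above).
README_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:client/{THING}"},
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": "*"},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": "*"},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return every (action, resource) pair in an Allow statement whose
    resource is the bare '*' or ends in '*', i.e. is not pinned to an ARN."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt["Resource"]):
            if resource == "*" or resource.endswith("*"):
                for action in _as_list(stmt["Action"]):
                    findings.append((action, resource))
    return findings


def arn(kind, path):
    """Build an AWS IoT ARN; kind is client, topic, topicfilter or thing."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:{kind}/{path}"


def least_privilege_policy():
    """Same five permissions, each pinned to the connecting thing: its own
    client ID, its classic shadow update topic and the shadow responses,
    and its thing ARN. Assumes (not stated on the page) that the device
    needs only the update, accepted, rejected and delta shadow topics."""
    shadow = f"$aws/things/{THING}/shadow/update"
    responses = [shadow + suffix for suffix in ("/accepted", "/rejected", "/delta")]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": arn("client", THING)},
            # Publish reported state to the thing's own shadow only
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": arn("topic", shadow)},
            # Subscriptions use topicfilter ARNs, deliveries use topic ARNs
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": [arn("topicfilter", t) for t in responses]},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": [arn("topic", t) for t in responses]},
            {"Effect": "Allow",
             "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
             "Resource": arn("thing", THING)},
        ],
    }


if __name__ == "__main__":
    for action, resource in wildcard_findings(README_POLICY):
        print(f"wildcard resource: {action} on {resource}")
    print(json.dumps(least_privilege_policy(), indent=2))
```

Keep in mind that MQTT-Explorer, as set up later on this page, reuses the thing's certificate and subscribes to `#`; under the scoped policy that subscription is rejected, so the PC tool would need its own certificate and a separate, broader policy, leaving the device identity with only the shadow permissions it uses.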
- Create AWS IoT Thing:
- AWS → IoT Core → All devices → Things → Create things → Create single thing
- Enter a thing name, for example WFI32E03_control_LEDs and select No shadow as the device shadow
- Choose Auto-generate a new certificate (recommended)
- Select the desired policy and create the thing
- Important: the certificates and keys can be downloaded only once, at this point!
- Set-up MQTT-Explorer:
- Enter a connection name and make sure the settings are the same as shown below
- Choose ADVANCED and add # to subscribe to all MQTT topics
- The MQTT Client ID must be the same as the AWS thing name, e.g. WFI32E03_control_LEDs
- Choose CERTIFICATES and select the previously downloaded certificates and key
- Establish a test connection to Amazon Web Services
- Microchip Trust Platform Design Suite (TPDS)
- Serial Terminal application like TERA TERM
The firmware repository should be cloned/downloaded to perform the following steps:
- Check that the file tmg_conf.c in the local TPDS user folder, e.g. C:\Users\xxx\.trustplatform\keystream_connect\, has already been updated and contains the correct personal Wi-Fi settings, keySTREAM UID and cloud endpoint. If not, update it manually or use TPDS and execute the Pre-Config instruction steps, as described in chapter Prerequisites.
- If the file tmg_conf.c is up to date, copy it from the local TPDS user folder to the cloned/downloaded project folder, replacing the existing file
- Open the local project file pic32mz_w1_curiosity_freertos.X in MPLAB® X IDE and Set as Main Project
- Clean and build the project
- Connect the Debugger as described here
- Program the device either for debugging or production
The Harmony MCC Project Graph below depicts the components used in this project:
Note: Whenever settings are changed by means of the MCC Project Graph, press the Generate button, located within the Project Resources window, to apply those changes to the code. Take special care when merging with existing code.
At first, establish a connection to AWS via MQTT-Explorer. Now power-up the PIC32 WFI32 2.0 Curiosity Board and wait for a successful connection to AWS as well as a successful MQTT message publication. The application should print the following information to the connected terminal.
If the device has been renewed or refurbished, additional intermediate steps are printed.
On successful device connection to AWS, MQTT-Explorer shows the received messages, but only for the topics it subscribed to previously, related to the specific issuer.
To control a certain LED, set its desired state to either on or off. It is possible to modify and publish only one state or both states at the same time. The following examples can be copied and entered into the editor part of the Publish section of MQTT-Explorer.
```json
{"state":{"desired":{"greenLED": "on"}}}
{"state":{"desired":{"redLED": "on","greenLED": "on"}}}
{"state":{"desired":{"redLED": "off"}}}
{"state":{"desired":{"redLED": "on","greenLED": "off"}}}
```
Make sure to publish the messages to $aws/things/deviceID/shadow/update, where deviceID is the AWS thing name.
Device terminal output during the MQTT message exchange.
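To make the desired/reported exchange concrete, the following added example (not firmware from the Microchip project) models the device side in Python: it validates an incoming shadow update payload, accepts only the two known LED names and the values on/off, applies the change and produces the reporting message that would be published back to the same `$aws/things/<thing>/shadow/update` topic. The decision to report only the LEDs that actually changed, and to silently drop unknown keys, is an assumption about the firmware's behaviour, not something the page states.

```python
"""Added example (not Microchip firmware): device-side handling of the
shadow 'desired' messages shown on this page, with input validation."""
import json

VALID_LEDS = ("redLED", "greenLED")
VALID_STATES = ("on", "off")

# The four example messages from the README, as constructed input
README_MESSAGES = [
    '{"state":{"desired":{"greenLED": "on"}}}',
    '{"state":{"desired":{"redLED": "on","greenLED": "on"}}}',
    '{"state":{"desired":{"redLED": "off"}}}',
    '{"state":{"desired":{"redLED": "on","greenLED": "off"}}}',
]


def shadow_update_topic(thing_name):
    """Classic shadow update topic for a thing (the 'deviceID' on this page)."""
    return f"$aws/things/{thing_name}/shadow/update"


def parse_desired(payload):
    """Extract LED requests from a shadow payload. Anything that is not a
    JSON object of the form {"state": {"desired": {...}}} is rejected;
    unknown LED names or values other than on/off are ignored rather than
    passed to the LED driver."""
    try:
        doc = json.loads(payload)
    except ValueError as exc:
        raise ValueError("shadow payload is not valid JSON") from exc
    desired = doc.get("state", {}).get("desired") if isinstance(doc, dict) else None
    if not isinstance(desired, dict):
        raise ValueError("payload has no state.desired object")
    return {led: val for led, val in desired.items()
            if led in VALID_LEDS and val in VALID_STATES}


def apply_and_report(leds, payload):
    """Apply the desired changes to the LED state dict and return
    (new_state, reported_payload). reported_payload is None when nothing
    changed, so a duplicate desired message does not trigger a publish."""
    desired = parse_desired(payload)
    changed = {led: val for led, val in desired.items() if leds.get(led) != val}
    if not changed:
        return dict(leds), None
    new_state = {**leds, **changed}
    # Assumption: only the LEDs that changed are reported back.
    reported = json.dumps({"state": {"reported": changed}})
    return new_state, reported


def run_readme_sequence(initial=None):
    """Feed the four README messages in order, starting with both LEDs off,
    and return the list of (state_after, reported_payload) per message."""
    leds = dict(initial) if initial else {"redLED": "off", "greenLED": "off"}
    trace = []
    for msg in README_MESSAGES:
        leds, reported = apply_and_report(leds, msg)
        trace.append((leds, reported))
    return trace


if __name__ == "__main__":
    topic = shadow_update_topic("WFI32E03_control_LEDs")
    for state, reported in run_readme_sequence():
        print(f"LEDs={state}  publish to {topic}: {reported}")
```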
- Microchip TrustManager
- download Microchip Trust Platform Design Suite (TPDS)
- Amazon Web Services (AWS) login
- Kudelski IoT keySTREAM open account
- Video Tutorial "How to Set up the ECC608 TrustMANAGER with keySTREAM from Kudelski IoT"