Developing secure IoT devices with AWS IoT and the STM32L4 Discovery kit IoT node
Slim Jallouli - STMicroelectronics - EOC 2021 - Duration: 43:45
Development of modern IoT devices is impossible without 2 features that fundamentally differentiate them from their non-connected siblings:
- Strong Root of Trust
- Ability to reliably update their firmware Over-the-Air (or Over-the-Wire)
STMicroelectronics collaborated with AWS to create reference designs for connected devices. Those designs leverage the power of the secure, hyperscale AWS IoT message broker, STM32 MCUs, and STSAFE secure elements.
In this session, which includes a hands-on lab demo, we will show how you can easily start developing your first IoT connected device using the flagship STM32L4+ Discovery kit IoT node (B-L4S5I-IOT01A), STM32CubeIDE and the AWS CLI. The presentation will be accompanied by a code repository so you can replicate all the steps of the demonstration.
Hi Sam,
The scripts use .bat files, so they are Windows only. We have plans to make these scripts cross-platform in the future.
Hi, Slim,
Very nice and informative talk. The hands-on material surely helps to ramp up into secure IoT devices with AWS.
I have a pair of questions about which kind of MCU / setup supports this setup better:
- In the slides we can see an active image "block" and a download area "block", it also mentions a swap area, and at some point the downloaded image becomes the active image. How is the application image built so it can run from different addresses? Is it made by building position-independent code (PIC) or does it use some kind of HW "trickery" like memory aliasing or something like this? If it is a software thing, do you have any application note regarding it, and if it is a HW thing, which MCU families support it?
- I have understood that part of the secure design relies on the SBSFU running behind the STM32 firewall. Which MCU families support it? What will be the implications (vulnerabilities) of deploying a similar solution in an MCU without this feature?
Thanks,
Hi Carles,
1) SBSFU will copy the new image into the old image location and the old image to the download area. That way, SBSFU can fall back to the old image if the new one fails (for any reason, for example power loss during the swap). So the application will always run from a well-known address and you do not need PIC code.
Here is the link to the SBSFU user manual:
https://www.st.com/resource/en/application_note/dm00414677-integration-guide-for-the-xcubesbsfu-stm32cube-expansion-package-stmicroelectronics.pdf
https://www.st.com/X-CUBE-SBSFU
2) On the L4, SBSFU makes use of the Firewall, PCROP, MPU, readout protection, write protection and watchdog. The Firewall is available only on the L4. SBSFU can run on other STM32s but will not make use of the Firewall. This for sure will reduce the application security level (for example, STSAFE pairing keys exposure, TLS session key exposure or any other key that you want to protect).
The project plus scripts are available here: https://www.st.com/content/dam/AME/2021/mdg/X-CUBE_AWS_Hands-On_21_03_15.zip
You can use STM32CubeIDE 1.5.1. You will get a compile error with STM32CubeIDE 1.6.x. You can send a ticket on https://my.st.com/ols and we'll tell you how to fix it.
Thanks,
Slim
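A simulation of the swap described in the answer above, as an added example that is not code from SBSFU or from the talk's project: the active and download slots are exchanged sector by sector through a swap sector, with a step journal so that a power loss mid-swap can be resumed and a later fallback restores the old image. The slot sizes, the journal and all names are assumptions made for illustration; the SBSFU user manual describes the real flash layout and recovery logic.

```c
#include <string.h>
#define SECTORS 4      /* sectors per slot (constructed) */
#define SECTOR_SIZE 8  /* bytes per sector (constructed) */
#define SLOT_SIZE (SECTORS * SECTOR_SIZE)

struct flash {  /* simulated flash: contents survive a power loss */
    unsigned char active[SLOT_SIZE];    /* application always runs from here */
    unsigned char download[SLOT_SIZE];  /* new image is received here */
    unsigned char swap[SECTOR_SIZE];    /* scratch sector */
    int step;                           /* journal: completed sector copies */
};

/* Exchange the slots one sector at a time, three copies per sector.
 * budget = copies allowed before power is cut (-1 = none); returns 1 when done. */
int swap_images(struct flash *f, int budget) {
    while (f->step < 3 * SECTORS) {
        int off = (f->step / 3) * SECTOR_SIZE, phase = f->step % 3;
        /* rotation per sector: swap <- active <- download <- swap */
        unsigned char *reg[3] = { f->swap, f->active + off, f->download + off };
        unsigned char *dst = reg[phase], *src = reg[(phase + 1) % 3];
        if (budget == 0) {                      /* power cut mid-copy: */
            memcpy(dst, src, SECTOR_SIZE / 2);  /* torn write, journal not advanced */
            return 0;
        }
        memcpy(dst, src, SECTOR_SIZE);
        f->step++;                              /* commit only after a full copy */
        if (budget > 0) budget--;
    }
    return 1;
}

static int slot_is(const unsigned char *slot, unsigned char v) {
    for (int i = 0; i < SLOT_SIZE; i++)
        if (slot[i] != v) return 0;
    return 1;
}

/* Install with power cut after `cut` copies, resume on reboot, then fall back. */
int install_then_fallback(int cut) {
    struct flash f = {0};
    memset(f.active, 'O', SLOT_SIZE);    /* constructed old image */
    memset(f.download, 'N', SLOT_SIZE);  /* constructed new image */
    swap_images(&f, cut);                /* install, interrupted by power loss */
    if (!swap_images(&f, -1)) return 0;  /* reboot: resume from the journal */
    if (!slot_is(f.active, 'N') || !slot_is(f.download, 'O')) return 0;
    f.step = 0;                          /* new image failed: exchange again */
    return swap_images(&f, -1) && slot_is(f.active, 'O') && slot_is(f.download, 'N');
}
```

Because each copy's source is left untouched until the journal advances, repeating an interrupted copy after reboot is safe, and the application address never changes.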
Hi Slim,
During the Q&A session there was mention of some resource limitations when using the OTA demo in this talk. I was wondering if you could provide some figures on RAM & Flash memory requirements for that scenario and how much is used by SBSFU. It would be good to understand what percentage of the memory is left of the user application.
Thanks
Thanks
I enjoyed this talk. It was very concise but with just enough details and links for me. I've ordered a pair of the boards and can't wait to experiment with an end-to-end secure IoT platform.
Here is the link to the project and the scripts https://www.st.com/content/dam/AME/2021/mdg/X-CUBE_AWS_Hands-On_21_03_15.zip
I recommend that you use STM32CubeIDE v 1.5.1
You can use STM32CubeIDE 1.6.x but we need to send you instructions on how to solve compile issues. Please use https://my.st.com/ols to post your issues with STM32CubeIDE or the scripts
A question for Q&A: Does the Amazon FreeRTOS implementation work well with C++ projects? The demo showed C code only.
The code demoed is C code only. You can use C++ on top of it
I've continued to review the online materials at STM and AWS this weekend. When it comes time for me to design my own boards based on the 2 chip lines (H755Z or L4S5VIT): Am I able to just add the STM32 chip plus STSAFE-A110 to my design and continue to re-use/port the AWS FreeRTOS and STM software stack and continue to use the end-to-end secure IoT as demonstrated in the Discovery board?
Yes, you will be able to add STM32L4S5 + STSAFE to your hardware and use the end-to-end security and all the features demonstrated in the video.
Slim Jallouli, thanks for the insightful presentation. A few questions:
1) In the slide number 30. What would happen if during the OTA Agent OTA PAL the received image didn't match the signing certificate? Would the image be rejected at that point or would it need to be installed first and execute the SelfTest?
2) Does AWS support OTA jobs using lower bandwidth communication links, e.g. LoRa?
3) The qualified port of FreeRTOS appears to be instrumental to the demonstrated capability. Any idea of what the chances would be to extend the AWS integration to other RTOS in the future, e.g. Zephyr?
Thanks
1) If during the OTA Agent OTA PAL the received image didn't match the signing certificate, then nothing will happen. The OTA PAL will invalidate the new image and will not start the update process.
2) Update over LoRa will have its own update mechanism and it is currently being developed (not ready yet).
3) Unfortunately we do not have any plans to extend AWS integration with other RTOSes except FreeRTOS. Things might change in the future.
Does WB55 microcontroller family support these features?
The FreeRTOS port to STM32WB55 includes SBSFU support. However, STSAFE is not supported yet on STM32WB55. I recommend you get in contact with one of ST's representatives to put you in contact with an SBSFU specialist to enable that feature. Please note that FreeRTOS WB does not use certificates to authenticate with AWS.
Is it possible to use MQTT protocol to transmit sensor data over BLE? Can this be implemented on a WB55 target?
Yes, it is possible. We have a FreeRTOS BLE port of STM32WB55.
Please use https://my.st.com/ols and post a request to be granted access, using the subject line "Amazon Free RTOS TeamSpace: Whitelist Request".
Do you have any recommendations to manage unique keys for each ST-SAFE instance when producing at scale?
Hi,
SBSFU has the capability to generate keys the first time the device boots up. This feature is not enabled by default. Please use https://my.st.com/ols or contact your ST representative and they will help you enable that feature.
Thank you,
Slim
Hi,
Here is the link to the project and scripts https://www.st.com/content/dam/AME/2021/mdg/X-CUBE_AWS_Hands-On_21_03_15.zip
For STM32CubeIDE I recommend using v 1.5.1
Please do not hesitate to post your questions to https://my.st.com/ols and mention X-CUBE-AWS in the title.
Thank you,
Slim
Hi Slim,
Thanks for the informative presentation. Can this demo (X-CUBE_AWS_Hands-On_21_03_15.zip) work on Ubuntu? Thanks.