Skip to main content

Install and run TrustEdge with Zephyr RTOS

You can install and run TrustEdge with Zephyr using either the native simulator (native_sim 64-bit board) or the STM32H745 Discovery Kit.

Before you begin

Ensure you have the following:

System requirements:

  • Ubuntu 64-bit (the minimum version we have tested is on 22.04).

  • A minimum of 40 GB of disk space (for all the tools and resources).

Environment variable: ${MOCN_MSS} should point to the DigiCert TrustCore SDK repo on your machine.

TrustEdge Zephyr patch: Keep the trustedge.zephyr.patch ready. Contact your DigiCert sales representative.

Install Zephyr

This script installs Zephyr OS, all required dependencies, and the Zephyr SDK. It also sets the necessary environment variables in .bashrc for TrustEdge development and builds.

Note

This script is tested on Ubuntu 64-bit (the minimum version we have tested is on 22.04). This script automates all the steps mentioned in:

If it is your first-time setup

Run the following command:

cd
${MOCN_MSS}
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --zephyr-install

If the branch already exists locally

Run the following command:

cd
${MOCN_MSS}
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --zephyr-install

Perform the following steps:

  1. Download the trustedge.zephyr.patch and copy it to your host machine.

    Note

    You can get this patch from DigiCert Support.

  2. Run the following command to apply the patch:

    cd ${ZEPHYR_BASE}
    git apply <path-to>/trustedge_zephyr.patch
    cd ${MOCN_MSS}
    ./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board native_sim

    This command Add the following hosbuilds TrustEdge with Zephyr runtime and places the binary in ./bin/trustedge. It also builds device_provision, a tool used to prepare the flash file system.

  3. Run the following command to add a host entry to /etc/hosts for provisioning:

    127.0.0.1       provision.digicert.com
  4. Run the following command to prepare the flash.bin:

    cd ${MOCN_MSS}
    ./src/examples/zephyr_examples/device_provision/provision_flash.sh --bootstrap <path/to/boostrap/zip>

    If flash provisioning is skipped, use the following Python script for TrustEdge binary to bootstrap the file system:

    cd ${MOCN_MSS}
    cd ./src/examples/zephyr_examples/trustedge_sample/helper
    python tcp_server.py --bootstrap <path-to-bootstrap-zip> --filesys <path-to-filesystem-zip>
  5. Run the following command to execute TrustEdge in another terminal:

    cd ${MOCN_MSS}
    ./bin/trustedge

The above command runs the TrustEdge agent flow. You can now test device provisioning and certificate policy handling scenarios.

TrustEdge examples

TrustEdge includes a built-in REST API over HTTPS. You can use curl to test functions like:

  • Key generation

  • EST enrollment

  1. Run the following command to install the required tools:

    sudo apt install zip unzip
  2. Run the following command to load certificates into flash:

    ./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board native_sim
    
    ./src/examples/zephyr_examples/device_provision/provision_flash.sh --load-certs --bootstrap <path/to/boostrap/zip>
    ./bin/trustedge

    The above command loads both the Root CA certificate and the server’s private key and certificate into the device’s flash storage. The Root CA certificate is necessary for the EST protocol when connecting to the DigiCert® Device Trust Manager, while the server key and certificate pair are needed to authenticate and secure the TLS communications with the TrustEdge REST API server.

  3. Run the following command to build and run TrustEdge:

    ./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board native_sim
    
    ./src/examples/zephyr_examples/device_provision/provision_flash.sh --load-certs --bootstrap <path/to/boostrap/zip>
    ./bin/trustedge
  4. Run a curl request to verify the TrustEdge build:

    curl --cacert ${MOCN_MSS}/pki_certs/rootCA.pem https://localhost:8443/v1/key/asymmetric -H 'Content-Type: application/json' -d '{
        "keyCertAttributes": {
            "outputMode": "buffered",
            "algorithm": "rsa+2048",
            "keySource": "SW"
        }
    }'
  5. Run the curl request once again to trigger an enrollment flow:

     curl --cacert ${MOCN_MSS/co}/pki_certs/rootCA.pem https://localhost:8443/v1/certificate/enroll -H 'Content-Type: application/json' -d@${MOCN_MSS}/src/trustedge/test/data/est_request.json
  6. Inspect Flash (LittleFS) on host machine using a provisioning tool called FUSE:

    $ ./src/examples/zephyr_examples/device_provision/build/zephyr/zephyr.exe
    Mounting flash at flash/
    uart connected to pseudotty: /dev/pts/2
    [00:00:00.000,000] <inf> littlefs: littlefs partition at /lfs1
    *** Booting Zephyr OS build v4.0.0-3113-g5aeda6fe7dfa ***
    [00:00:00.000,000] <inf> littlefs: LittleFS version 2.9, disk version 2.1
    [00:00:00.000,000] <inf> littlefs: FS at flash-controller@0:0x100000 is 768 0x1000-byte blocks with 512 cycle
    [00:00:00.000,000] <inf> littlefs: partition sizes: rd 16 ; pr 16 ; ca 64 ; la 32
    [00:00:00.000,000] <inf> app: Total partition size: 12288 bytes
    [00:00:00.000,000] <inf> app: Available size: 11376 bytes
  7. Run the following command in another terminal to view the lfs1 directory structure, including config, certs, and logs.

    $ cd ${MOCN_MSS}
    $ tree flash/
    flash
    └── lfs1
        ├── bootstrap.zip
        ├── etc
        │   └── digicert
        │       ├── conf
        │       │   ├── applied_policy.json
        │       │   ├── bootstrap_config.json
        │       │   ├── failed_policy.json
        │       │   ├── metrics.pb
        │       │   ├── pending_policy.json
        │       │   ├── processing_policy.json
        │       │   └── version.txt
        │       ├── keystore
        │       │   ├── ca
        │       │   │   ├── devtm-integration-account-intermediate-ca.crt
        │       │   │   ├── devtm-integration-account-root-ca.crt
        │       │   │   ├── DigiCertGlobalRootCA.crt
        │       │   │   ├── DigiCertGlobalRootG2.crt
        │       │   │   ├── Rendezvous-zone-1-0.crt
        │       │   │   └── Rendezvous-zone-2-0.crt
        │       │   ├── certs
        │       │   │   ├── be_zephy00.crt
        │       │   │   └── te-api-server.pem
        │       │   ├── conf
        │       │   ├── crls
        │       │   ├── keys
        │       │   │   ├── be_zephy00-key.crt
        │       │   │   ├── server_key_gen.pem
        │       │   │   └── te-api-server.pem
        │       │   ├── psks
        │       │   └── req
        │       │       └── issued
        │       ├── scripts
        │       ├── service
        │       │   ├── completed
        │       │   ├── failed
        │       │   ├── processing
        │       │   └── request
        │       └── trustedge.json
        └── tmp
    
    20 directories, 20 files

Perform the following steps:

  1. Download the trustedge.zephyr.patch and copy it to your host machine.

    Note

    You can get this patch from DigiCert Support.

  2. Run the following command to apply the patch:

    cd ${ZEPHYR_BASE}
    git apply <path-to>/trustedge_zephyr.patch
    cd ${MOCN_MSS}
    ./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board stm32h745i_disco

    This command builds TrustEdge with Zephyr runtime and places the binary in ./bin/trustedge. It also builds device_provision, a tool used to prepare the flash file system.

  3. Run the following command to prepare the flash:

    cd ${MOCN_MSS}/src/examples/zephyr_examples/trustedge_sample
    west flash
  4. Run the following command to start the TCP server to allow the device to fetch the file system and bootstrap files:

    cd ${MOCN_MSS}
    cd ./src/examples/zephyr_examples/trustedge_sample/helper
    python tcp_server.py --bootstrap <path-to-bootstrap-zip> --filesys <path-to-filesystem-zip>
  5. Run the following command to connect to UART:

    minicom --device /dev/pts/<num>
  6. Run the following command to start TrustEdge from the UART shell:

    uart:~$ trustedge start
  7. Run the following command to check logs:

    uart:~$ fs cat /lfs1/log/log.0000
  8. (Optional), run the following command to check the TrustEdge status:

    trustedge status
    
  9. (Optional) run the following command to check the TrustEdge connection:

    trustedge state