Install and run TrustEdge with Zephyr RTOS
You can install and run TrustEdge with Zephyr RTOS using either the native simulator (native_sim 64-bit board) or the STM32H745 Discovery Kit.
For a list of supported hardware, consult your vendor documentation at (STM32 discovery kits).
Before you begin
Ensure you have the following:
System requirements:
Ubuntu 64-bit (the minimum version we have tested is on
22.04).A minimum of 40 GB of disk space (for all the tools and resources).
Environment variable: The ${MOCN_MSS} should point to the DigiCert® TrustEdge GitHub repository.
Note
The DigiCert® TrustEdge GitHub repository is publicly accessible and contains the source code. All users can view, clone, and fork this repository.
TrustEdge Zephyr patch: Keep the trustedge.zephyr.patch ready. To get this patch file, contact your DigiCert account representative.
Install Zephyr
This script installs Zephyr OS, all required dependencies, and the Zephyr SDK. It also sets the necessary environment variables in .bashrc for TrustEdge development and builds.
Note
This script is tested on Ubuntu 64-bit (the minimum version we have tested is on 22.04). This script automates all the steps mentioned in:
If it is your first-time setup
Run the following command:
cd
${MOCN_MSS}
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --zephyr-installIf the branch already exists locally
Run the following command:
cd
${MOCN_MSS}
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --zephyr-installPerform the following steps:
Download the
trustedge.zephyr.patchand copy it to your host machine.Note
You can get this patch from DigiCert Support.
Run the following command to apply the patch:
cd ${ZEPHYR_BASE} git apply <path-to>/trustedge_zephyr.patch cd ${MOCN_MSS} ./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board native_simThis command Add the following hosbuilds TrustEdge with Zephyr runtime and places the binary in
./bin/trustedge. It also builds device_provision, a tool used to prepare the flash file system.Run the following command to add a host entry to
/etc/hostsfor provisioning:127.0.0.1 provision.digicert.com
Run the following command to prepare the flash.bin:
cd ${MOCN_MSS} ./src/examples/zephyr_examples/device_provision/provision_flash.sh --bootstrap <path/to/boostrap/zip>If flash provisioning is skipped, use the following Python script for TrustEdge binary to bootstrap the file system:
cd ${MOCN_MSS} cd ./src/examples/zephyr_examples/trustedge_sample/helper python tcp_server.py --bootstrap <path-to-bootstrap-zip> --filesys <path-to-filesystem-zip>Run the following command to execute TrustEdge in another terminal:
cd ${MOCN_MSS} ./bin/trustedge
The above command runs the TrustEdge agent flow. You can now test device provisioning and certificate policy handling scenarios.
TrustEdge examples
TrustEdge includes a built-in REST API over HTTPS. You can use curl to test functions like:
Key generation
EST enrollment
Run the following command to install the required tools:
sudo apt install zip unzip
Run the following command to load certificates into flash:
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board native_sim ./src/examples/zephyr_examples/device_provision/provision_flash.sh --load-certs --bootstrap <path/to/boostrap/zip> ./bin/trustedge
The above command loads both the Root CA certificate and the server’s private key and certificate into the device’s flash storage. The Root CA certificate is necessary for the EST protocol when connecting to the DigiCert® Device Trust Manager, while the server key and certificate pair are needed to authenticate and secure the TLS communications with the TrustEdge REST API server.
Run the following command to build and run TrustEdge:
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board native_sim ./src/examples/zephyr_examples/device_provision/provision_flash.sh --load-certs --bootstrap <path/to/boostrap/zip> ./bin/trustedge
Run a
curlrequest to verify the TrustEdge build:curl --cacert ${MOCN_MSS}/pki_certs/rootCA.pem https://localhost:8443/v1/key/asymmetric -H 'Content-Type: application/json' -d '{ "keyCertAttributes": { "outputMode": "buffered", "algorithm": "rsa+2048", "keySource": "SW" } }'Run the
curlrequest once again to trigger an enrollment flow:curl --cacert ${MOCN_MSS/co}/pki_certs/rootCA.pem https://localhost:8443/v1/certificate/enroll -H 'Content-Type: application/json' -d@${MOCN_MSS}/src/trustedge/test/data/est_request.jsonInspect Flash (LittleFS) on host machine using a provisioning tool called FUSE:
$ ./src/examples/zephyr_examples/device_provision/build/zephyr/zephyr.exe Mounting flash at flash/ uart connected to pseudotty: /dev/pts/2 [00:00:00.000,000] <inf> littlefs: littlefs partition at /lfs1 *** Booting Zephyr OS build v4.0.0-3113-g5aeda6fe7dfa *** [00:00:00.000,000] <inf> littlefs: LittleFS version 2.9, disk version 2.1 [00:00:00.000,000] <inf> littlefs: FS at flash-controller@0:0x100000 is 768 0x1000-byte blocks with 512 cycle [00:00:00.000,000] <inf> littlefs: partition sizes: rd 16 ; pr 16 ; ca 64 ; la 32 [00:00:00.000,000] <inf> app: Total partition size: 12288 bytes [00:00:00.000,000] <inf> app: Available size: 11376 bytes
Run the following command in another terminal to view the
lfs1directory structure, including config, certs, and logs.$ cd ${MOCN_MSS} $ tree flash/ flash └── lfs1 ├── bootstrap.zip ├── etc │ └── digicert │ ├── conf │ │ ├── applied_policy.json │ │ ├── bootstrap_config.json │ │ ├── failed_policy.json │ │ ├── metrics.pb │ │ ├── pending_policy.json │ │ ├── processing_policy.json │ │ └── version.txt │ ├── keystore │ │ ├── ca │ │ │ ├── devtm-integration-account-intermediate-ca.crt │ │ │ ├── devtm-integration-account-root-ca.crt │ │ │ ├── DigiCertGlobalRootCA.crt │ │ │ ├── DigiCertGlobalRootG2.crt │ │ │ ├── Rendezvous-zone-1-0.crt │ │ │ └── Rendezvous-zone-2-0.crt │ │ ├── certs │ │ │ ├── be_zephy00.crt │ │ │ └── te-api-server.pem │ │ ├── conf │ │ ├── crls │ │ ├── keys │ │ │ ├── be_zephy00-key.crt │ │ │ ├── server_key_gen.pem │ │ │ └── te-api-server.pem │ │ ├── psks │ │ └── req │ │ └── issued │ ├── scripts │ ├── service │ │ ├── completed │ │ ├── failed │ │ ├── processing │ │ └── request │ └── trustedge.json └── tmp 20 directories, 20 files
Perform the following steps:
Download the
trustedge.zephyr.patchand copy it to your host machine.Note
You can get this patch from DigiCert Support.
Run the following command to apply the patch:
cd ${ZEPHYR_BASE} git apply <path-to>/trustedge_zephyr.patch cd ${MOCN_MSS} ./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board stm32h745i_discoThis command builds TrustEdge with Zephyr runtime and places the binary in
./bin/trustedge. It also builds device_provision, a tool used to prepare the flash file system.Run the following command to prepare the flash:
cd ${MOCN_MSS}/src/examples/zephyr_examples/trustedge_sample west flashRun the following command to start the TCP server to allow the device to fetch the file system and bootstrap files:
cd ${MOCN_MSS} cd ./src/examples/zephyr_examples/trustedge_sample/helper python tcp_server.py --bootstrap <path-to-bootstrap-zip> --filesys <path-to-filesystem-zip>Run the following command to connect to UART:
minicom --device /dev/pts/<num>
Run the following command to start TrustEdge from the UART shell:
uart:~$ trustedge start
Run the following command to check logs:
uart:~$ fs cat /lfs1/log/log.0000
(Optional), run the following command to check the TrustEdge status:
trustedge status
(Optional) run the following command to check the TrustEdge connection:
trustedge state