Install and run TrustEdge with Zephyr RTOS
You can install and run TrustEdge with Zephyr RTOS using either the native simulator (native_sim 64-bit board) or the STM32H745 Discovery Kit.
For a list of supported hardware, consult your vendor documentation (STM32 discovery kits).
Before you begin
Ensure you have the following:
System requirements:
- Ubuntu 64-bit (the minimum version we have tested is on 22.04).
- A minimum of 40 GB of disk space (for all the tools and resources).
Environment variable: ${MOCN_MSS} should point to your local clone of the DigiCert® TrustCore SDK GitHub repository.
Note
The DigiCert® TrustEdge GitHub repository is publicly accessible and contains the source code. All users can view, clone, and fork this repository.
TrustEdge Zephyr patch: Keep the trustedge.zephyr.patch file ready. To get this patch file, contact your DigiCert account representative.
Install Zephyr
This script installs Zephyr OS, all required dependencies, and the Zephyr SDK. It also sets the necessary environment variables in .bashrc for TrustEdge development and builds.
Note
This script is tested on Ubuntu 64-bit (the minimum version we have tested is 22.04). This script automates all the steps mentioned in:
If it is your first-time setup
Run the following command:
cd ${MOCN_MSS}
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --zephyr-install
If the branch already exists locally
Run the following command:
cd ${MOCN_MSS}
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --zephyr-install
Build TrustEdge on native sim (64-bit)
Perform the following steps:
- Download the trustedge.zephyr.patch and copy it to your host machine.
Note
You can get this patch from DigiCert Support.
- Run the following commands to apply the patch and build TrustEdge:
cd ${ZEPHYR_BASE}
git apply <path-to>/trustedge_zephyr.patch
cd ${MOCN_MSS}
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board native_sim
This command builds TrustEdge with the Zephyr runtime and places the binary in ./bin/trustedge. It also builds device_provision, a tool used to prepare the flash file system.
- Add the following host entry to /etc/hosts for provisioning:
127.0.0.1 provision.digicert.com
- Run the following commands to prepare the flash.bin:
cd ${MOCN_MSS}
./src/examples/zephyr_examples/device_provision/provision_flash.sh --bootstrap <path/to/bootstrap/zip>
If flash provisioning is skipped, use the following Python script instead, so that the TrustEdge binary can bootstrap the file system over TCP:
cd ${MOCN_MSS}
cd ./src/examples/zephyr_examples/trustedge_sample/helper
python tcp_server.py --bootstrap <path-to-bootstrap-zip> --filesys <path-to-filesystem-zip>
- Run the following commands in another terminal to execute TrustEdge:
cd ${MOCN_MSS}
./bin/trustedge
The above command runs the TrustEdge agent flow. You can now test device provisioning and certificate policy handling scenarios.
TrustEdge examples
TrustEdge includes a built-in REST API over HTTPS. You can use curl to test functions such as:
- Key generation
- EST enrollment
Perform the following steps:
- Run the following command to install the required tools:
sudo apt install zip unzip
- Run the following commands to load certificates into flash, then build and run TrustEdge:
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board native_sim
./src/examples/zephyr_examples/device_provision/provision_flash.sh --load-certs --bootstrap <path/to/bootstrap/zip>
./bin/trustedge
The provision_flash.sh --load-certs command loads both the Root CA certificate and the server's private key and certificate into the device's flash storage. The Root CA certificate is necessary for the EST protocol when connecting to the DigiCert® Device Trust Manager, while the server key and certificate pair are needed to authenticate and secure the TLS communications with the TrustEdge REST API server.
- Run a curl request to verify the TrustEdge build:
curl --cacert ${MOCN_MSS}/pki_certs/rootCA.pem https://localhost:8443/v1/key/asymmetric -H 'Content-Type: application/json' -d '{ "keyCertAttributes": { "outputMode": "buffered", "algorithm": "rsa+2048", "keySource": "SW" } }'
- Run a curl request once again to trigger an enrollment flow:
curl --cacert ${MOCN_MSS}/pki_certs/rootCA.pem https://localhost:8443/v1/certificate/enroll -H 'Content-Type: application/json' -d@${MOCN_MSS}/src/trustedge/test/data/est_request.json
- Inspect the flash (LittleFS) on the host machine using the device_provision tool, which mounts the flash image through FUSE:
$ ./src/examples/zephyr_examples/device_provision/build/zephyr/zephyr.exe
Mounting flash at flash/
uart connected to pseudotty: /dev/pts/2
[00:00:00.000,000] <inf> littlefs: littlefs partition at /lfs1
*** Booting Zephyr OS build v4.0.0-3113-g5aeda6fe7dfa ***
[00:00:00.000,000] <inf> littlefs: LittleFS version 2.9, disk version 2.1
[00:00:00.000,000] <inf> littlefs: FS at flash-controller@0:0x100000 is 768 0x1000-byte blocks with 512 cycle
[00:00:00.000,000] <inf> littlefs: partition sizes: rd 16 ; pr 16 ; ca 64 ; la 32
[00:00:00.000,000] <inf> app: Total partition size: 12288 bytes
[00:00:00.000,000] <inf> app: Available size: 11376 bytes
- Run the following commands in another terminal to view the lfs1 directory structure, including config, certs, and logs:
$ cd ${MOCN_MSS}
$ tree flash/
flash
└── lfs1
    ├── bootstrap.zip
    ├── etc
    │   └── digicert
    │       ├── conf
    │       │   ├── applied_policy.json
    │       │   ├── bootstrap_config.json
    │       │   ├── failed_policy.json
    │       │   ├── metrics.pb
    │       │   ├── pending_policy.json
    │       │   ├── processing_policy.json
    │       │   └── version.txt
    │       ├── keystore
    │       │   ├── ca
    │       │   │   ├── devtm-integration-account-intermediate-ca.crt
    │       │   │   ├── devtm-integration-account-root-ca.crt
    │       │   │   ├── DigiCertGlobalRootCA.crt
    │       │   │   ├── DigiCertGlobalRootG2.crt
    │       │   │   ├── Rendezvous-zone-1-0.crt
    │       │   │   └── Rendezvous-zone-2-0.crt
    │       │   ├── certs
    │       │   │   ├── be_zephy00.crt
    │       │   │   └── te-api-server.pem
    │       │   ├── conf
    │       │   ├── crls
    │       │   ├── keys
    │       │   │   ├── be_zephy00-key.crt
    │       │   │   ├── server_key_gen.pem
    │       │   │   └── te-api-server.pem
    │       │   ├── psks
    │       │   └── req
    │       │       └── issued
    │       ├── scripts
    │       ├── service
    │       │   ├── completed
    │       │   ├── failed
    │       │   ├── processing
    │       │   └── request
    │       └── trustedge.json
    └── tmp

20 directories, 20 files
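As an added example (not part of the DigiCert docs or the TrustEdge tree), the script below wraps the native_sim checks from this section: it adds the provision.digicert.com hosts entry only once, and drives the two REST calls with curl pinned to the project root CA so that a TLS misconfiguration or a crashed agent fails the run instead of passing silently. It assumes MOCN_MSS is set as described above and that the API listens on localhost:8443; TE_API, TE_CACERT and the function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example, not from the DigiCert TrustEdge docs: smoke-test a native_sim build.
# Assumes MOCN_MSS is set as described above and that the REST API listens on
# localhost:8443 with a server certificate chaining to ${MOCN_MSS}/pki_certs/rootCA.pem.
set -eu

TE_API="${TE_API:-https://localhost:8443}"
TE_CACERT="${TE_CACERT:-${MOCN_MSS:-.}/pki_certs/rootCA.pem}"
HOSTS_PATTERN='^127\.0\.0\.1[[:space:]]+provision\.digicert\.com([[:space:]]|$)'

# Add the provisioning host entry only if it is missing, so repeated runs do not
# pile up duplicates. The hosts file is a parameter so it can be tried on a scratch file.
ensure_hosts_entry() {
    hosts_file="$1"
    if grep -qE "$HOSTS_PATTERN" "$hosts_file" 2>/dev/null; then
        echo "hosts entry already present in $hosts_file"
        return 0
    fi
    printf '127.0.0.1 provision.digicert.com\n' >> "$hosts_file"
    echo "added provisioning entry to $hosts_file"
}

# Number of provisioning entries in a hosts file (used to prove the call above is idempotent).
count_hosts_entries() {
    grep -cE "$HOSTS_PATTERN" "$1" || true
}

# JSON body for POST /v1/key/asymmetric, with the fields used in the docs' curl example.
keygen_body() {
    printf '{"keyCertAttributes":{"outputMode":"buffered","algorithm":"%s","keySource":"SW"}}' "${1:-rsa+2048}"
}

# POST to the REST API with trust pinned to the project root CA; --fail turns any
# non-2xx reply (bad TLS setup, agent not running) into a non-zero exit under set -e.
te_post() {
    curl --silent --show-error --fail --cacert "$TE_CACERT" \
         -H 'Content-Type: application/json' -d "$2" "${TE_API}$1"
}

trustedge_smoke_test() {
    [ -r "$TE_CACERT" ] || { echo "missing CA bundle: $TE_CACERT" >&2; return 1; }
    te_post /v1/key/asymmetric "$(keygen_body rsa+2048)"; echo
    te_post /v1/certificate/enroll "@${MOCN_MSS}/src/trustedge/test/data/est_request.json"; echo
}

# Only reaches the network when invoked as: sh trustedge_smoke.sh --run
if [ "$#" -gt 0 ] && [ "$1" = "--run" ]; then
    trustedge_smoke_test
fi
```

Run ensure_hosts_entry against /etc/hosts with sudo once, then `sh trustedge_smoke.sh --run` with ./bin/trustedge running in another terminal.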
Build TrustEdge on STM32H745 Discovery Kit
Perform the following steps:
- Download the trustedge.zephyr.patch and copy it to your host machine.
Note
You can get this patch from DigiCert Support.
- Run the following commands to apply the patch and build TrustEdge:
cd ${ZEPHYR_BASE}
git apply <path-to>/trustedge_zephyr.patch
cd ${MOCN_MSS}
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board stm32h745i_disco
This command builds TrustEdge with the Zephyr runtime and places the binary in ./bin/trustedge. It also builds device_provision, a tool used to prepare the flash file system.
- Run the following commands to prepare the flash:
cd ${MOCN_MSS}/src/examples/zephyr_examples/trustedge_sample
west flash
- Run the following commands to start the TCP server that allows the device to fetch the file system and bootstrap files:
cd ${MOCN_MSS}
cd ./src/examples/zephyr_examples/trustedge_sample/helper
python tcp_server.py --bootstrap <path-to-bootstrap-zip> --filesys <path-to-filesystem-zip>
- Run the following command to connect to the UART:
minicom --device /dev/pts/<num>
- Run the following command to start TrustEdge from the UART shell:
uart:~$ trustedge start
- Run the following command to check the logs:
uart:~$ fs cat /lfs1/log/log.0000
- (Optional) Run the following command to check the TrustEdge status:
uart:~$ trustedge status
- (Optional) Run the following command to check the TrustEdge connection state:
uart:~$ trustedge state
Build TrustEdge on ESP32-S3-DevKitC
Supported features:
The following features have been tested on ESP32-S3-DevKitC:
- Device provisioning workflow with bootstrap certificates
- EST enrollment workflow
Before you begin
Ensure you have the following:
System requirements:
- Zephyr version 4.2.0.
- Zephyr SDK version 0.17.2.
Memory requirements:
- TrustEdge binary size: 1,487,308 bytes (~1.5 MB) for a full build.
- Available flash: ~8 MB on ESP32-S3-DevKitC.
- Internal RAM: 642 KB total (329 KB + 313 KB), with ~512 KB effectively usable.
For the memory used by TrustEdge, including Zephyr components, see src/examples/zephyr_examples/trustedge_sample/esp32s3_prj.conf.
ESP32-S3 memory usage breakdown
| Memory region | Used size | Region size | Percentage used |
|---|---|---|---|
| mcuboot_hdr | 32 bytes | 32 bytes | 100 percent |
| metadata | 80 bytes | 96 bytes | 83.33 percent |
| FLASH | 1,487,140 bytes | 8,388,480 bytes | 17.73 percent |
| iram0_0_seg | 60,760 bytes | 329 KB | 18.04 percent |
| dram0_0_seg | 319,656 bytes | 313 KB | 99.73 percent |
| irom0_0_seg | 1,035,678 bytes | 32 MB | 3.09 percent |
| drom0_0_seg | 1,356,196 bytes | 32 MB | 4.04 percent |
| ext_dram_seg | 5,902,720 bytes | 8 MB | 70.37 percent |
| ext_iram_seg | 0 bytes | 8 MB | Zero percent |
| rtc_iram_seg | 0 bytes | 8 KB | Zero percent |
| rtc_slow_seg | 0 bytes | 8 KB | Zero percent |
| IDT_LIST | 0 bytes | 8 KB | Zero percent |
Step 1: Build
Perform the following steps to build all required libraries against Zephyr, compile the TrustEdge binary with the Zephyr runtime, and build the device_provision tool for preparing the flash filesystem:
- Navigate to the TrustEdge workspace:
cd ${MOCN_MSS}
- Run the Zephyr build script:
./scripts/ci/trustedge/ci_trustedge_build_zephyr.sh --board esp32s3_devkitc --clean
After a successful build, two directories are created:
- MCUboot bootloader: ./src/examples/zephyr_examples/trustedge_sample/build_mcuboot/
- TrustEdge: ./src/examples/zephyr_examples/trustedge_sample/build/
Step 2: Flash
Flashing is done in two stages; perform the following steps:
- Navigate to the sample directory:
cd ./src/examples/zephyr_examples/trustedge_sample
- Run the following command to flash the MCUboot bootloader:
west flash --esp-flash-bootloader build_mcuboot/zephyr/zephyr.bin --esp-boot-address 0x0
- Run the following command to flash the TrustEdge binary:
west flash
Step 3: Run
Perform the following steps:
- Navigate to the helper scripts directory:
cd ${MOCN_MSS}
cd ./src/examples/zephyr_examples/trustedge_sample/helper
- Run the following command to prepare the files for an EST enrollment. This command creates a new filesystem zip with the EST-related files:
./prepare_trustedge_est.sh <path-to-filesystem-zip>
- Run a TCP server to serve the filesystem and the bootstrap files to the device:
python tcp_server.py --bootstrap <path-to-bootstrap-zip> --filesys <path-to-filesystem-zip>
- Run the following command to connect to the ESP32-S3 serial port using minicom:
sudo minicom -b 115200 -D /dev/ttyUSB0
Tip
You can find the correct serial port in the output of the west flash command.
- Run the following commands from the UART shell to reboot and connect to a wireless network:
uart:~$ kernel reboot
uart:~$ wifi connect -k <num> -s <SSID> -p <password>
Where:
-s <SSID>: Your wireless network name (SSID)
-k <num>: Key management type. Valid values for -k are:
0: None
1: WPA2-PSK
2: WPA2-PSK-256
3: SAE-HNP
4: SAE-H2E
5: SAE-AUTO
6: WAPI
7: EAP-TLS
8: WEP
9: WPA-PSK
10: WPA-Auto-Personal
11: DPP
- Run the following command to start TrustEdge:
uart:~$ trustedge start
- Run the following command to check the TrustEdge logs:
uart:~$ fs cat /lfs1/log/log.0000
- Run the following command to verify that TrustEdge is connected:
uart:~$ trustedge state
- Run the following command to verify that TrustEdge is provisioned:
uart:~$ trustedge status
Important
Known Issue
During device provisioning, a known issue in the ESP32 Wi-Fi driver might cause the console to hang and drop the connection. If this happens, reconnect to the wireless network and restart TrustEdge to complete provisioning.