This reference integration demonstrates how to develop cloud connected applications and update them securely by integrating modular FreeRTOS kernel and libraries and utilizing hardware enforced security based on Arm TrustZone (Armv8-M).
To utilize the hardware enforced security, this integration uses PSA Certified reference implementation Trusted Firmware-M. Trusted Firmware-M provides various Secure services such as Secure boot, Crypto, Secure Storage, Attestation and Update services meeting PSA Certified requirements. This project is based on the Corstone-300 platform.
Developers and partners can use this integration as a starting point to build FreeRTOS kernel and libraires based software stack on top of Arm Cortex-M based platforms. All the components are put together in a modular manner to make porting of this integration across platforms easy.
This reference integration contains following two examples:
- Blinky example
- Demonstrates FreeRTOS kernel and TF-M integration
- AWS IoT example
- Demonstrates secure connectivity to AWS IoT core using Mbed TLS, PKCS#11 PSA Shim and coreMQTT-agent library. In addition, secure OTA using OTA agent and AWS OTA PAL PSA implementation.
Corstone platform communicates with the AWS IoT Core over a secure TLS connection. Mbed TLS running on the NSPE is used to establish the TLS connection. Mbed TLS makes use of the PSA Crypto APIs provided by TF-M for Crypto operations.
PKCS#11 APIs to perform TLS client authentication and import TLS client certificate and private key into the device. PKCS#11 has been integrated with TF-M using a thin shim. In the integration, the PKCS#11 APIs invoke the appropriate PSA Secure Storage API or Cryptographic API via the shim. This ensures the keys and certificates are protected and the cryptographic operations are performed securely within the SPE of TF-M and is isolated from the kernel, libraries and applications in the Non-secure Processing Environment. Keys and certificates are securely stored. This is enabled by TF-M’s Internal Trusted Storage (ITS) and Protected Storage (PS) services. Signing during TLS client authentication is performed by TF-M’s Crypto service.
FreeRTOS OTA Agent provides an OTA PAL layer for platforms to integrate and enable OTA updates. The demo integrates and OTA PAL implementation that makes use of the PSA Certified Firmware Update API implemented in TF-M. This allows Corstone-300 to receive new images from AWS IoT Core, authenticate using TF-M before deploying the image as the active image. The secure (TF-M) and the non-secure (FreeRTOS kernel and the application) images can be updated separately.
Every time the device boots, MCUBoot (bootloader) verifies that the image signature is valid before booting the image. Since the secure (TF-M) and the non-secure (FreeRTOS kernel and the application) images are singed separately, MCUBoot verifies that both image signatures are valid before booting. If either of the verification fails, then MCUBoot stops the booting process.
Trusted Firmware-M (TF-M) implements the Secure Processing Environment (SPE) for Armv8-M, Armv8.1-M architectures (e.g. the Cortex-M33, Cortex-M23, Cortex-M55, Cortex-M85 processors) and dual-core platforms. It is the platform security architecture reference implementation aligning with PSA Certified guidelines, enabling chips, Real Time Operating Systems and devices to become PSA Certified. Follow the link for more information on Trusted Firmware M.
Project implements cryptographic primitives, X.509 certificate manipulation and the SSL/TLS and DTLS protocols. The project provides reference implementation of PSA Cryptography API Specification by supporting the cryptographic operations via. PSA Crypto APIs. Follow the link for more information on Mbed TLS.
PKCS#11 PSA shim layer provides a reference implementation of PKCS#11 API based on Platform Security Architecture API.
This shim layer maps the PKCS#11 APIs to PSA Cryptography and Storage APIs V1.0. It follows the same PSA Cryptography API version supported in Mbed TLS 3.4.0. Certificate objects and key objects are protected by PSA secure service. By default, the device private/public keys are persistent while the code verify key is volatile.
Implementation of AWS OTA PAL based on Platform Security Architecture API.
This implementation maps the AWS OTA PAL APIs to the PSA Firmware Update and PSA Cryptography APIs. The writing, verification and activation of the update image are protected by the PSA secure services.
See CONTRIBUTING for more information.
Source code located in the Projects, Middleware/FreeRTOS directory is available under the terms of the MIT License. See the LICENSE file for more details.
Other files in the repository are available under the terms specified in each source file.