
Live Q&A - Developing secure IoT devices with AWS IoT and the STM32L4 Discovery kit IoT node

Slim Jallouli - STMicroelectronics - Watch Now - Duration: 26:06

Live Q&A with Slim Jallouli for the theatre talk titled Developing secure IoT devices with AWS IoT and the STM32L4 Discovery kit IoT node

Sam
Score: 0 | 3 years ago | 1 reply

Hi Slim,
Thanks for the informative presentation. Can this demo (X-CUBE_AWS_Hands-On_21_03_15.zip) work on Ubuntu? Thanks.

Slim
Score: 0 | 3 years ago | no reply

Hi Sam,
The scripts use .bat files so they are Windows only. We have plans to make these scripts cross-platform in the future.

CarlesMarsal
Score: 0 | 3 years ago | 1 reply

Hi, Slim,
Very nice and informative talk. The hands-on material surely helps to ramp up into secure IoT devices with AWS.
I have a pair of questions about which kind of MCU / setup supports this setup better:

  1. In the slides we can see an active image "block" and a download area "block", it also mentions a swap area, and at some point the downloaded image became the active image. How is the application image built so it can run from different addresses? Is it made by building position-independent code (PIC), or does it use some kind of HW "trickery" like memory aliasing or something like this? If it is a software thing, do you have any application note regarding it, and if it is a HW thing, which MCU families support it?
  2. I have understood that part of the secure design relies on the SBSFU running behind the STM32 firewall. Which MCU families support it? What will be the implications (vulnerabilities) of deploying a similar solution in an MCU without this feature?

Thanks,

Slim
Score: 0 | 3 years ago | no reply

Hi Carles,
1) SBSFU will copy the new image to the old image location and the old image to the download area. That way, SBSFU can fall back to the old image if the new one fails (for any reason, for example power loss during the swap). So the application will always run from a well-known address and you do not need PIC code.
Here is the link to the SBSFU user manual:
https://www.st.com/resource/en/application_note/dm00414677-integration-guide-for-the-xcubesbsfu-stm32cube-expansion-package-stmicroelectronics.pdf
https://www.st.com/X-CUBE-SBSFU

2) On the L4, SBSFU makes use of the Firewall, PCROP, MPU, Readout protection, write protection and watchdog. The Firewall is available only on the L4. SBSFU can run on other STM32s but will not make use of the Firewall. This for sure will reduce the application security level (for example STSAFE pairing keys exposure, TLS session key exposure or any other key that you want to protect).

The project plus scripts are available here https://www.st.com/content/dam/AME/2021/mdg/X-CUBE_AWS_Hands-On_21_03_15.zip

You can use STM32CubeIDE 1.5.1. You will get compile errors with STM32CubeIDE 1.6.x. You can send a ticket on https://my.st.com/ols and we'll tell you how to fix it.

Thanks,
Slim
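
A simplified model of the swap described in the answer above, added here as an example; it is not SBSFU code and not part of the original thread. The chunk sizes, the journal fields and all function names are assumptions for illustration. It shows why a swap interrupted by power loss can be resumed, and that the old image ends up in the download slot for fallback.

```c
#include <stdint.h>
#include <string.h>

#define CHUNKS 4   /* chunks per slot (constructed size) */
#define CHUNK  8   /* bytes per chunk (constructed size) */

struct flash {
    uint8_t active[CHUNKS][CHUNK];    /* slot the application always runs from */
    uint8_t download[CHUNKS][CHUNK];  /* slot the new image is received into */
    uint8_t swap[CHUNK];              /* scratch area holding one chunk */
    int chunk, step;                  /* journal: next chunk and next sub-step */
};

/* One flash copy. With no budget left, power fails halfway through the write. */
static int copy(uint8_t *dst, const uint8_t *src, int *budget)
{
    if (*budget == 0) { memcpy(dst, src, CHUNK / 2); return -1; }
    memcpy(dst, src, CHUNK);
    (*budget)--;
    return 0;
}

/* Run or resume the swap; 0 = done, -1 = simulated power loss. The journal
 * advances only after a full copy, and each source stays intact until then. */
int swap_images(struct flash *f, int budget)
{
    for (; f->chunk < CHUNKS; f->chunk++, f->step = 0) {
        int i = f->chunk;
        if (f->step == 0) { if (copy(f->swap, f->active[i], &budget)) return -1; f->step = 1; }
        if (f->step == 1) { if (copy(f->active[i], f->download[i], &budget)) return -1; f->step = 2; }
        if (copy(f->download[i], f->swap, &budget)) return -1;
    }
    return 0;
}

/* Constructed scenario: power is cut after `writes` copies, then we resume. */
int swap_survives_power_loss(int writes)
{
    struct flash f;
    memset(&f, 0, sizeof f);
    memset(f.active, 'O', sizeof f.active);      /* old firmware */
    memset(f.download, 'N', sizeof f.download);  /* new firmware */
    if (swap_images(&f, writes) != 0 && swap_images(&f, 1000) != 0) return 0;
    for (int i = 0; i < CHUNKS; i++)
        for (int j = 0; j < CHUNK; j++)
            if (f.active[i][j] != 'N' || f.download[i][j] != 'O') return 0;
    return 1;  /* new image is active, old image is kept for fallback */
}

int main(void) { return !swap_survives_power_loss(5); }
```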

RaulPando
Score: 0 | 3 years ago | no reply

Hi Slim,
During the Q&A session there was mention of some resource limitations when using the OTA demo in this talk. I was wondering if you could provide some figures on RAM & Flash memory requirements for that scenario and how much is used by SBSFU. It would be good to understand what percentage of the memory is left of the user application.
Thanks

MatthewZaleski
Score: 0 | 3 years ago | 1 reply

I enjoyed this talk. It was very concise but with just enough details and links for me. I've ordered a pair of the boards and can't wait to experiment with an end-to-end secure IoT platform.

Slim
Score: 0 | 3 years ago | no reply

Here is the link to the project and the scripts: https://www.st.com/content/dam/AME/2021/mdg/X-CUBE_AWS_Hands-On_21_03_15.zip
I recommend that you use STM32CubeIDE v 1.5.1.
You can use STM32CubeIDE 1.6.x but we need to send you instructions on how to solve compile issues. Please use https://my.st.com/ols to post your issues with STM32CubeIDE or the scripts.

MatthewZaleski
Score: 0 | 3 years ago | 1 reply

A question for Q&A: Does the Amazon FreeRTOS implementation work well with C++ projects? The demo showed C code only.

Slim
Score: 0 | 3 years ago | no reply

The code demoed is C code only. You can use C++ on top of it.

MatthewZaleski
Score: 0 | 3 years ago | 1 reply

I've continued to review the online materials at STM and AWS this weekend. When it comes time for me to design my own boards based on the 2 chip lines (H755Z or L4S5VIT): Am I able to just add the STM32 chip plus STSAFE-A110 to my design and continue to re-use/port the AWS FreeRTOS and STM software stack and continue to use the end-to-end secure IoT as demonstrated in the Discovery board?

Slim
Score: 0 | 3 years ago | no reply

Yes, you will be able to add STM32L4S5 + STSAFE to your hardware and use the end-to-end security and all the features demonstrated in the video.

RaulPando
Score: 0 | 3 years ago | 1 reply

Slim Jallouli, thanks for the insightful presentation. A few questions:
1) In slide number 30, what would happen if during the OTA Agent OTA PAL the received image didn't match the signing certificate? Would the image be rejected at that point or would it need to be installed first and execute the SelfTest?
2) Does AWS support OTA jobs using lower bandwidth communication links, e.g. LoRa?
3) The qualified port of FreeRTOS appears to be instrumental to the demonstrated capability. Any idea of what the chances would be to extend the AWS integration to other RTOS in the future, e.g. Zephyr?
Thanks

Slim
Score: 0 | 3 years ago | no reply

1) If during the OTA Agent OTA PAL the received image didn't match the signing certificate then nothing will happen. The OTA PAL will invalidate the new image and will not start the update process.

2) Update over LoRa will have its own update mechanism and it is currently being developed (not ready yet).

3) Unfortunately we do not have any plans to extend AWS integration with other RTOSes except FreeRTOS. Things might change in the future.

Naveen_Shankar
Score: 0 | 3 years ago | 1 reply

Does WB55 microcontroller family support these features?

Slim
Score: 0 | 3 years ago | no reply

The FreeRTOS port to STM32WB55 includes SBSFU support. However, STSAFE is not supported yet on STM32WB55. I recommend you get in contact with one of ST's representatives to put you in contact with an SBSFU specialist to enable that feature. Please note that FreeRTOS WB does not use certificates to authenticate with AWS.

Naveen_Shankar
Score: -1 | 3 years ago | 1 reply

Is it possible to use MQTT protocol to transmit sensor data over BLE? Can this be implemented on a WB55 target?

Slim
Score: 0 | 3 years ago | no reply

Yes, it is possible. We have a FreeRTOS BLE port of STM32WB55.
Please use https://my.st.com/ols and post a request to be granted access, using the subject line "Amazon Free RTOS TeamSpace: Whitelist Request".

RaulPando
Score: 0 | 3 years ago | 1 reply

Do you have any recommendations to manage unique keys for each ST-SAFE instance when producing at scale?

Slim
Score: 0 | 3 years ago | no reply

Hi,

SBSFU has the capability to generate keys the first time the device boots up. This feature is not enabled by default. Please use https://my.st.com/ols or contact your ST representative and we will help you enable that feature.

Thank you,
Slim

Slim
Score: 0 | 3 years ago | no reply

Hi,
Here is the link to the project and scripts: https://www.st.com/content/dam/AME/2021/mdg/X-CUBE_AWS_Hands-On_21_03_15.zip

For STM32CubeIDE I recommend using v 1.5.1.
Please do not hesitate to post your questions to https://my.st.com/ols and mention X-CUBE-AWS in the title.

Thank you,
Slim

14:15:03	 From  David Kanceruk : Can the code you demonstrated in your session run on the STM32L475VG version of the STM32 Discovery Kit IoT node board?
14:15:51	 From  David Kanceruk : Is the image verified each time the MCU boots up?
14:16:19	 From  David Kanceruk : What is the impact on boot time when STSAFE is used?
14:17:10	 From  Hitesh Rai : I have similar questions, can this all be ported to STM32F412RG? And if yes, is there a porting guide for it?
