Can't get greengrass to work with TPM privkey and cert

0

I'm trying to get greengrass working with a SLB9670 tpm, and can't seem to get it working no matter what I try. All documentation online seems incorrect or deprecated in relation to this process. This is the script I'm using to generate the key/cert pair and set up greengrass:

# Create the tpm2-pkcs11 store and a token in it; the nucleus later reaches the
# same store through the Pkcs11Provider plugin configured in config.yaml.
/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py init --path=/opt/tpm2-pkcs11/
# 777 is wider than needed: the store only has to be readable and writable by the
# user the nucleus runs as (root:root below).
chmod 777 /opt/tpm2-pkcs11
/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py addtoken --pid=1 --sopin=123456 --userpin=123456 --label=greengrass --path=/opt/tpm2-pkcs11/
# Generate the RSA key inside the TPM under the label iotkey; the private half never leaves the chip.
/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py addkey --algorithm=rsa2048 --label=greengrass --key-label=iotkey --userpin=123456 --path=/opt/tpm2-pkcs11/
# export writes the TSS2-wrapped key as iotkey.pem in the working directory and prints
# its object-auth, which the OpenSSL tpm2 provider needs as the key password to sign the CSR.
rsa_auth=$(/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py export --label=greengrass --path=/opt/tpm2-pkcs11/ --userpin=123456 --key-label=iotkey | grep "object-auth" | cut -d ' ' -f2-)
# Sign the CSR with the TPM-resident key (OpenSSL 3 with the tpm2-openssl provider).
openssl req -new -provider tpm2 -provider base -key iotkey.pem -subj "/C=US/O=Company" -passin "pass:$rsa_auth" -out csr.req
# Have AWS IoT issue the certificate; --query/--output text returns the bare ARN.
certArn=$(aws iot create-certificate-from-csr --certificate-pem-outfile /home/usr/cert.pem --certificate-signing-request file://csr.req --query certificateArn --output text)
certId=${certArn##*/}
aws iot update-certificate --certificate-id "$certId" --new-status ACTIVE
# Store the issued certificate next to the key so "pkcs11:object=iotkey;type=cert" resolves.
# Same absolute path as the outfile above, so this step does not depend on the working directory.
/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py addcert --label=greengrass --key-label=iotkey --path=/opt/tpm2-pkcs11/ /home/usr/cert.pem
aws iot create-thing --thing-name myThing
aws iot add-thing-to-thing-group --thing-name myThing --thing-group-name thingGroup
aws iot attach-thing-principal --thing-name myThing --principal "$certArn"
aws iot attach-policy --policy-name GreengrassV2IoTThingPolicy --target "$certArn"
aws iot attach-policy --policy-name Assume-Role-Policy --target "$certArn"
aws iot attach-policy --policy-name GreengrassTESCertificatePolicyGreengrassV2TokenExchangeRoleAlias --target "$certArn"
sudo mkdir -p /greengrass/v2
# root created the directory, so the chmod needs sudo as well (and, again, 777 is wider than needed).
sudo chmod 777 /greengrass/v2
sudo curl -o /greengrass/v2/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
# Install with the PKCS#11 provider loaded as a trusted plugin so the nucleus can use the key and cert from the TPM.
sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar --trusted-plugin ./GreengrassInstaller/aws.greengrass.crypto.Pkcs11Provider.jar --init-config ./GreengrassInstaller/config.yaml --component-default-user root:root --setup-system-service true

And this is my config.yaml file:

---
system:
  certificateFilePath: "pkcs11:object=iotkey;type=cert"
  privateKeyPath: "pkcs11:object=iotkey;type=private"
  rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  thingName: "myThing"
services:
  aws.greengrass.Nucleus:
    componentType: "NUCLEUS"
    version: "2.11.2"
    configuration:
      awsRegion: "us-east-2"
      iotRoleAlias: "GreengrassV2TokenExchangeRoleAlias"
      # Note: these two endpoints are in us-west-2 while awsRegion above is us-east-2.
      iotDataEndpoint: "myPrefix.iot.us-west-2.amazonaws.com"
      iotCredEndpoint: "myPrefix.credentials.iot.us-west-2.amazonaws.com"
  aws.greengrass.crypto.Pkcs11Provider:
    configuration:
      name: "tpm2_pkcs11"
      library: "/home/usr/tpm2-tss/tpm2-pkcs11/src/.libs/tpm2_pkcs11.so"
      slot: 1
      userPin: "123456"

This all works correctly and generates the key/cert, as verified by

p11tool --list-all --login "{{URL}}"

but when the greengrass nucleus runs, I'm getting the error:

Failed to connect to AWS IoT Core. {clientId=myThing, error=The connection was closed unexpectedly}. 

I've tried the above, as well as generating a key/cert completely outside the tpm then importing them, still get the same error.

  • Please check the AWSIoTV2 logs in CloudWatch for the reason for the disconnection. If you have not enabled logging yet for AWS IoT you can do it from the Settings section in the console. https://docs.aws.amazon.com/iot/latest/developerguide/configure-logging.html

  • @MassimilianoAWS Sorry, just noticed this comment - it doesn't seem to be generating any logs at all in this case. The last log in that log group I have is from before I started trying to do this. Edit: the fact that no logs are being generated at all in that log group, despite debug (highest verbosity) level being on, makes me think the greengrass service isn't actually reaching out to IoT properly at all. If that's the case idk why it would be happening; installing greengrass normally with provisioning works fine on the device.

asked 9 months ago, 202 views
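Two checks worth running after the provisioning script above and before starting the nucleus, as an added example that is not code from the question: that the PKCS#11 URIs in config.yaml name the objects tpm2_ptool actually created, and that the certificate AWS IoT issued belongs to the TPM-resident key. It assumes the key label iotkey, the flat config.yaml layout shown in the question, and, for the key comparison only, OpenSSL 3 with the tpm2-openssl provider plus the object-auth value printed by `tpm2_ptool export`. The sample config it parses is constructed inline.

```shell
#!/usr/bin/env bash
# Added example, not code from the question. Post-provisioning checks to run
# before starting the nucleus: (a) the PKCS#11 URIs in config.yaml name the
# objects tpm2_ptool created, and (b) the certificate AWS IoT issued belongs to
# the TPM-resident key. Assumes key label "iotkey", the flat config.yaml layout
# shown in the question, and for (b) OpenSSL 3 with the tpm2-openssl provider.
set -eu

# Read one attribute from a PKCS#11 URI such as "pkcs11:object=iotkey;type=cert".
# Assumes the unescaped form used in the config (no %XX encoding).
pkcs11_uri_attr() {
  local uri=${1#pkcs11:} want=$2 attr
  local IFS=';'
  for attr in $uri; do
    if [ "${attr%%=*}" = "$want" ]; then
      printf '%s\n' "${attr#*=}"
      return 0
    fi
  done
  return 1
}

# Read one scalar from the 'key: "value"' lines of config.yaml (first match wins).
cfg_get() {
  awk -v k="$1:" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }' "$2"
}

# check_uri FILE YAML-KEY EXPECTED-OBJECT EXPECTED-TYPE
check_uri() {
  local uri obj typ
  uri=$(cfg_get "$2" "$1")
  obj=$(pkcs11_uri_attr "$uri" object) || obj=
  typ=$(pkcs11_uri_attr "$uri" type)   || typ=
  if [ "$obj" = "$3" ] && [ "$typ" = "$4" ]; then
    return 0
  fi
  echo "$2 is '$uri'; expected object=$3;type=$4" >&2
  return 1
}

# Both URIs must point at the key label given to 'tpm2_ptool addkey --key-label'.
check_pkcs11_uris() {
  local rc=0
  check_uri "$1" certificateFilePath "$2" cert    || rc=1
  check_uri "$1" privateKeyPath      "$2" private || rc=1
  return "$rc"
}

# Compare the certificate's SubjectPublicKeyInfo with the public half of the
# TSS2 PEM that 'tpm2_ptool export' wrote; $3 is the object-auth it printed.
# Needs the TPM and the tpm2 provider, so the demo below does not call it.
cert_matches_tpm_key() {
  local cert=$1 key=$2 auth=$3 a b
  a=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
  b=$(openssl pkey -provider tpm2 -provider base -in "$key" -passin "pass:$auth" \
        -pubout -outform DER | sha256sum)
  [ "$a" = "$b" ]
}

# Constructed sample mirroring the system: section of the posted config.yaml.
write_sample_config() {
  cat >"$1" <<'EOF'
system:
  certificateFilePath: "pkcs11:object=iotkey;type=cert"
  privateKeyPath: "pkcs11:object=iotkey;type=private"
  rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
  thingName: "myThing"
EOF
}

# Demo on the constructed sample. Against a real install run, for example:
#   check_pkcs11_uris ./GreengrassInstaller/config.yaml iotkey
#   cert_matches_tpm_key /home/usr/cert.pem iotkey.pem "$rsa_auth"
demo=$(mktemp)
write_sample_config "$demo"
check_pkcs11_uris "$demo" iotkey && echo "config.yaml URIs reference key label iotkey"
rm -f "$demo"
```

If cert_matches_tpm_key fails, the CSR was signed by a different key than the one the URIs point at (for example a second addkey under the same token), and the TLS handshake will fail regardless of what the endpoints say.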
1 Answer
1
Accepted Answer

Figured out the issue, my endpoints in the config.yaml were incorrect, because I have 2 awscli profiles on the device I was working on. It must have been on the wrong profile when I fetched the endpoints, which is strange as the other profile is not used often. Thanks @MassimilianoAWS for the log group suggestion, it led to me realizing gg nucleus was not contacting AWS at all, which made me check the endpoints.

answered 9 months ago
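The mismatch the answer describes is visible in the posted config: awsRegion is us-east-2 while both endpoints are in us-west-2, which is what a second, rarely used CLI profile will produce. As an added example, not part of the original answer, here is an offline check that catches that disagreement, plus a fetch of the endpoints with --profile and --region pinned so the default profile cannot leak in. It assumes the flat config.yaml layout shown in the question and the aws CLI for the fetch step; the sample config is constructed inline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer. Checks that the endpoints in
# config.yaml are in the same region as awsRegion (the mismatch that broke the
# nucleus connection above), and fetches the endpoints with --profile and
# --region pinned so a stale default profile cannot supply another account's
# endpoints. Assumes the flat config.yaml layout shown in the question.
set -eu

# Read one scalar from the 'key: "value"' lines of config.yaml (first match wins).
cfg_get() {
  awk -v k="$1:" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }' "$2"
}

# Pull <region> out of <prefix>.iot.<region>.amazonaws.com or
# <prefix>.credentials.iot.<region>.amazonaws.com; fail on anything else.
endpoint_region() {
  local host=$1 rest
  case "$host" in
    *.credentials.iot.*.amazonaws.com) rest=${host#*.credentials.iot.} ;;
    *.iot.*.amazonaws.com)             rest=${host#*.iot.} ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${rest%.amazonaws.com}"
}

# Return 0 when awsRegion, iotDataEndpoint and iotCredEndpoint agree,
# 1 otherwise, naming each offending endpoint on stderr.
check_config_regions() {
  local file=$1 region ep r rc=0
  region=$(cfg_get awsRegion "$file")
  for ep in "$(cfg_get iotDataEndpoint "$file")" "$(cfg_get iotCredEndpoint "$file")"; do
    if ! r=$(endpoint_region "$ep"); then
      echo "unrecognised IoT endpoint: '$ep'" >&2
      rc=1
    elif [ "$r" != "$region" ]; then
      echo "endpoint $ep is in $r but awsRegion is $region" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Fetch both endpoints under an explicit profile and region (network call, not
# run here). Pinning both is what keeps the wrong profile's endpoints out of
# config.yaml; paste the two lines into iotDataEndpoint / iotCredEndpoint.
fetch_endpoints() {
  local profile=$1 region=$2 t
  for t in iot:Data-ATS iot:CredentialProvider; do
    aws --profile "$profile" --region "$region" iot describe-endpoint \
        --endpoint-type "$t" --query endpointAddress --output text
  done
}

# Constructed sample reproducing the posted mismatch (us-east-2 vs us-west-2).
write_mismatched_config() {
  cat >"$1" <<'EOF'
services:
  aws.greengrass.Nucleus:
    configuration:
      awsRegion: "us-east-2"
      iotRoleAlias: "GreengrassV2TokenExchangeRoleAlias"
      iotDataEndpoint: "myPrefix.iot.us-west-2.amazonaws.com"
      iotCredEndpoint: "myPrefix.credentials.iot.us-west-2.amazonaws.com"
EOF
}

# Demo: reports both endpoints as being in the wrong region.
demo=$(mktemp)
write_mismatched_config "$demo"
if check_config_regions "$demo"; then
  echo "config.yaml endpoints match awsRegion"
else
  echo "re-fetch the endpoints for the configured region, e.g. fetch_endpoints <profile> us-east-2" >&2
fi
rm -f "$demo"
```

Running check_config_regions against the installer's config.yaml before invoking Greengrass.jar turns the silent "connection was closed unexpectedly" into a one-line message naming the wrong endpoint, and it needs no network or AWS credentials.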
