Skip to main content
Thistle Control Center

Grinn Setup

The board embeds an Infineon Trust M that is directly usable from the operating system. First we need to flash the latest version of the Operating system to the board. Refer to the documentation on the grinn documentation. We used the image rity-demo-image-grinn-genio-700-sbc-20250826144125. To flash the board, it needs to be powered on, and connected to the host computer through the debug USB port. The android tooling are also required for your platform. Finally, we had to rename the dialout group to uucp in all files, as our host system used uucp for serial access - but this step is optional and depends on your system

Flashing the board

# setup workdir and python venv
mkdir workdir
cd workdir
python -m venv ./venv
source venv/bin/activate
pip3 install -U genio-tools
source venv/bin/activate

# OPTIONAL: rename dialout group to uucp if your distribution uses uucp 
cd venv; sed -i 's/dialout/uucp/g' $(find . -type f); cd ..

# unpack image
tar -xf rity-demo-image-grinn-genio-700-sbc.aiotflash.tar.xz
cd rity-demo-image-grinn-genio-700-sbc-20250826144125

# flash
genio-flash -d 2
Genio Tools: v1.6.2
Yocto Image:
        name:     Rity Demo Image (rity-demo-image)
        distro:   Rity Demo Layer 24.1-release (rity-demo)
        codename: kirkstone
        machine:  grinn-genio-700-sbc
        overlays: []
[...]
Rebooting

First boot and Trust M setup

You shouls now be able to to connect on the board through the serial port emulated by the debug USB port. Note that the baudrate is 921600. 
sudo picocom -b 921600 /dev/ttyUSB0
# user is root, there is no password
We can now proceed to install the Infineon Trust M tooling. Note that this now requires an internet connection on the board, feel free to connect it through ethernet or using an external usb wifi dongle. 
wget https://downloads.thistle.tech/trustm_lite.tar.bz2
tar -xf trustm_lite.tar.bz2
cp tools/trustm_* /usr/bin
We now need to create a symlink for the Trust M device. It’s connected by default to i2c-6, but the Infineon Tooling expects it to be at i2c-1. 
ln -s /dev/i2c-6 /dev/i2c-1
trustm_chipinfo
To persist this symlink after reboot, create a udev rule that automatically creates it when the i2c-6 device is detected: 
echo 'KERNEL=="i2c-6", SYMLINK+="i2c-1"' > /etc/udev/rules.d/99-i2c-trustm.rules
udevadm control --reload-rules
udevadm trigger
This udev rule will automatically create the /dev/i2c-1 symlink pointing to /dev/i2c-6 whenever the device is detected, ensuring it persists across reboots. 
root@grinn-genio-700-sbc:~# trustm_chipinfo
Read Chip Info [0xE0C2]: Success.
========================================================
CIM Identifier             [bCimIdentifer]: 0xcd
Platform Identifer   [bPlatformIdentifier]: 0x16
Model Identifer         [bModelIdentifier]: 0x33
ID of ROM mask                  [wROMCode]: 0x9401
Chip Type                    [rgbChipType]: 0x00 0x1c 0x00 0x01 0x00 0x00
Batch Number              [rgbBatchNumber]: 0x0a 0x04 0x4e 0x28 0x00 0x18
X-coordinate              [wChipPositionX]: 0x00a0
Y-coordinate              [wChipPositionY]: 0x009a
Firmware Identifier [dwFirmwareIdentifier]: 0x80101071
Build Number                 [rgbESWBuild]: 24 40
Chip software build:
OPTIGA(TM) Trust M rev.3; Firmware Version: 3.00.2440
========================================================

Public key writing

Now that the tooling is installed, we can write the public key that will be used to verify the update. this public key is taken directly from the Thistle Control Center. 
printf "ecdsa:BCZNF4QicZXh5dJ6XQs/RqGPhGM5mg9/iCTBzGdY9tlP8h8BcyGlbHu7BSZOrOp61mrNm2N/P36GbJjLnmlEe6Y=" > pub
sudo trustm_data -e -w 0xe0e8 -i pub

Update bundle creation and deployment

You can now create a release on the Thistle Control Center. Feel free to create a test release with any file, so that we can test it using the Thistle Embedded client. In order to do so, you will need to create a config file. This config file uses the device enrollment token that is also taken from the Thistle Control Center. 
cat config.json
{
  "name": "tutorial",
  "device_enrollment_token": "5260a5ee034858025a20d10a306741f9d3368691f5d02b87d91aff0143d5ebe0",
  "public_keys": [
    "trustm:/dev/i2c-1"
  ],
  "persistent_directory": "/tmp/thistle/persist"
}
We can now run the update using the Thistle Update Client. 
wget https://downloads.thistle.tech/embedded-client/1.6.1/tuc-1.6.1-aarch64-unknown-linux-musl.gz
chmod +x tuc
./tuc
!! enrolling new device with server...
!! Thistle client starting up - version 1.6.0
!! installing update 0 => 2
!! setting update status to Started
!! setting update status to Pass