> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thistle.tech/llms.txt
> Use this file to discover all available pages before exploring further.

# OPTIGA Trust M & Raspberry Pi 4 With Yocto

> Integration example using OPTIGA Trust M with Raspberry Pi 4 and Yocto

In this example we will build a Raspberry Pi image containing the [linux-optiga-trust-m tooling](https://github.com/Infineon/linux-optiga-trust-m). The toolkit will be directly installed and usable on your Raspberry Pi 4, so that you can explore the features offered by the platform. This [versatile platform](https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-trust/optiga-trust-m-sls32aia/) is directly usable, and will allow you to implement many security solutions such as device authentication, secure communications.

Using Thistle Yocto Build, it is very easy to build fully usable images directly with Yocto. For this example we will use a Raspberry Pi 4 as a target platform, and connect it to a [Adafruit Infineon Trust M Breakout Board](https://www.adafruit.com/product/4351) with a [Qwiic adapter from Sparkfun](https://www.sparkfun.com/products/15794).

<img src="https://mintcdn.com/thistletechnologies/MrBm0BC7xpW_ySdM/images/rpi-trustm.jpeg?fit=max&auto=format&n=MrBm0BC7xpW_ySdM&q=85&s=d72e06146d04cdb17e7945337651163b" alt="&#x22;RPi-4 with Trust M&#x22;" width="1600" height="947" data-path="images/rpi-trustm.jpeg" />

## Tools needed

To get started you need to obtain a few dependencies and the Thistle Yocto Build binary. Note that the build system only supports x86\_64 hosts.

```bash theme={"dark"}
# Ubuntu (22.10 onwards)
$ apt install gawk wget git-core diffstat unzip texinfo gcc-multilib build-essential chrpath socat cpio python3 python3-pip python3-pexpect xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev pylint xterm python3-subunit mesa-common-dev zstd lz4 file curl locales dpkg
# Yocto build requires that en_US.UTF-8 be in locale
$ locale-gen en_US
$ locale-gen en_US.UTF-8
$ update-locale

# Arch - also requires `sdl` from the AUR
$ pacman -S base-devel git diffstat unzip texinfo python chrpath wget xterm rpcsvc-proto socat cpio inetutils

$ curl -L -o thistle-yocto-build https://github.com/thistletech/thistle-yocto-build/releases/download/v2.2.0/thistle-yocto-build
$ chmod +x thistle-yocto-build
```

## Build the project

To quickly get started, we can use the `gen-config` option of thistle-yocto-build. This will generate the default configuration for the Raspberry Pi 4.

```bash theme={"dark"}
$ ./thistle-yocto-build gen-config rpi4
Generated default thistle-yocto-build config file at conf.yml
```

We now need to amend the configuration, so that the [trust-m package provided by meta-thistle](https://github.com/thistletech/meta-thistle/tree/main/meta-trust-m) will be built and installed on the target. We also enabled i2c on the Raspberry Pi, and enabled automatic loading of the i2c kernel module.

```yaml theme={"dark"}
---
local_conf_header:
  standard: |
    PACKAGE_CLASSES = "package_rpm"
    CONF_VERSION = "2"
    IMAGE_INSTALL:append = " trust-m trust-m-dev"
    KERNEL_MODULE_AUTOLOAD:rpi += "i2c-dev i2c-bcm2708"
    ENABLE_I2C = "1"
```

We can now build the image! Building this image takes approximately 60 minutes on a Ryzen5 3600, and requires \~50GB of free storage. This build will be performed in debug mode, with SSH enabled.

```bash theme={"dark"}
$ ./thistle-yocto-build build --debug conf.yml
~~ Thistle Yocto Build Starting  ~~
```

```text theme={"dark"}
[...]

Build done in 3430s
WARNING: Build successful
Build artifact folder: "/home/user/rpi/build/deploy"
Analyzing build for security issues...
No issues detected
```

## Connect breakout board and copy image

Once the build is finished, boot the built image by copying it onto your Raspberry Pi 4 SD card:

```bash theme={"dark"}
$ cp ./build/deploy/images/raspberrypi4-64-thistle/base-raspberrypi4*.rootfs.wic  fullimg.wic
$ sudo dd if=fullimg.wic of=/dev/mmcblk0 status=progress
```

## Execute Trust M tooling

We can now connect the Raspberry Pi 4, and test the Trust M tooling!

```bash theme={"dark"}
# connect using SSH and the credentials set at build-time
$ ssh thistle@192.168.4.41

# get chipinfo of connected Trust M
$ raspberrypi4-64-thistle:~$ sudo trustm_chipinfo
Password:
```

```text theme={"dark"}
Read Chip Info [0xE0C2]: Success.
========================================================
CIM Identifier             [bCimIdentifer]: 0xcd
Platform Identifer   [bPlatformIdentifier]: 0x16
Model Identifer         [bModelIdentifier]: 0x33
ID of ROM mask                  [wROMCode]: 0x8401
Chip Type                    [rgbChipType]: 0x00 0x1c 0x00 0x01 0x00 0x00
Batch Number              [rgbBatchNumber]: 0x0a 0x09 0x1b 0x5c 0x00 0x0b
X-coordinate              [wChipPositionX]: 0x002c
Y-coordinate              [wChipPositionY]: 0x0055
Firmware Identifier [dwFirmwareIdentifier]: 0x80101071
Build Number                 [rgbESWBuild]: 08 09

Chip software build:
OPTIGA Trust M rev.1; Firmware Version: 1.30.809
========================================================
```

## Next Steps

* [Enable Thistle Verified Boot (TVB) on Raspberry Pi 4](/hardware/raspberry_pi/rpi4_tvb)
* Use the [Thistle Update Client (tuc)](/binaries#thistle-update-client-tuc) to update the images directly on your device