Yocto Raspberry Pi Trust M Integration
In this example we will build a Raspberry Pi image containing the linux-optiga-trust-m tooling. The toolkit will be directly installed and usable on your Raspberry Pi 4, so that you can explore the features offered by the platform. This versatile platform is directly usable, and will allow you to implement many security solutions such as device authentication, secure communications.
Using Thistle Yocto Build, it is very easy to build fully usable images directly with Yocto. For this example we will use a Raspberry Pi 4 as a target platform, and connect it to a Adafruit Infineon Trust M Breakout Board with a Qwiic adapter from Sparkfun.
Tools needed
To get started you need to obtain a few dependencies and the Thistle Yocto Build binary. Note that the build system only supports x86_64 hosts.
# Ubuntu (22.10 onwards)
$ apt install gawk wget git-core diffstat unzip texinfo gcc-multilib build-essential chrpath socat cpio python3 python3-pip python3-pexpect xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev pylint xterm python3-subunit mesa-common-dev zstd lz4 file curl locales dpkg
# Yocto build requires that en_US.UTF-8 be in locale
$ locale-gen en_US
$ locale-gen en_US.UTF-8
$ update-locale
# Arch - also requires `sdl` from the AUR
$ pacman -S base-devel git diffstat unzip texinfo python chrpath wget xterm rpcsvc-proto socat cpio inetutils
$ curl -L -o thistle-yocto-build https://github.com/thistletech/thistle-yocto-build/releases/download/v2.2.0/thistle-yocto-build
$ chmod +x thistle-yocto-build
Build the project
To quickly get started, we can use the gen-config option of thistle-yocto-build. This will generate the default configuration for the Raspberry Pi 4.
$ ./thistle-yocto-build gen-config rpi4
Generated default thistle-yocto-build config file at conf.yml
We now need to amend the configuration, so that the trust-m package provided by meta-thistle will be built and installed on the target. We also enabled i2c on the Raspberry Pi, and enabled automatic loading of the i2c kernel module.
...
local_conf_header:
standard: |
PACKAGE_CLASSES = "package_rpm"
CONF_VERSION = "2"
IMAGE_INSTALL:append = " trust-m trust-m-dev"
KERNEL_MODULE_AUTOLOAD:rpi += "i2c-dev i2c-bcm2708"
ENABLE_I2C = "1"
We can now build the image ! Building this image takes approximately 60 minutes on a Ryzen5 3600, and requires ~50GB of free storage. This build will be performed in debug mode, with SSH enabled.
$ ./thistle-yocto-build build --debug conf.yml
~~ Thistle Yocto Build Starting ~~
[...]
Build done in 3430s
WARNING: Build successful
Build artifact folder: "/home/user/rpi/build/deploy"
Analyzing build for security issues...
No issues detected
Connect breakout board and copy image
Once the build is finished, boot the built image by copying it onto your Raspberry Pi 4 SD card:
$ cp ./build/deploy/images/raspberrypi4-64-thistle/base-raspberrypi4*.rootfs.wic fullimg.wic
$ sudo dd if=fullimg.wic of=/dev/mmcblk0 status=progress
Execute Trust M tooling
We can now connect the Raspberry Pi 4, and test the Trust M tooling !
# connect using SSH and the credentials set at build-time
$ ssh thistle@192.168.4.41
# get chipinfo of connected Trust M
$ raspberrypi4-64-thistle:~$ sudo trustm_chipinfo
Password:
Read Chip Info [0xE0C2]: Success.
========================================================
CIM Identifier [bCimIdentifer]: 0xcd
Platform Identifer [bPlatformIdentifier]: 0x16
Model Identifer [bModelIdentifier]: 0x33
ID of ROM mask [wROMCode]: 0x8401
Chip Type [rgbChipType]: 0x00 0x1c 0x00 0x01 0x00 0x00
Batch Number [rgbBatchNumber]: 0x0a 0x09 0x1b 0x5c 0x00 0x0b
X-coordinate [wChipPositionX]: 0x002c
Y-coordinate [wChipPositionY]: 0x0055
Firmware Identifier [dwFirmwareIdentifier]: 0x80101071
Build Number [rgbESWBuild]: 08 09
Chip software build:
OPTIGA(TM) Trust M rev.1; Firmware Version: 1.30.809
========================================================
Next Steps
- Have a look at the configuration page to explore all the possible options
- Use the Thistle Update Client to update the images directly on your device