The state of Internet of Things (IoT) Security is a disaster. Hardly a day goes by without news that some new product is discovered to also have some ridiculously glaring security problem. There's a potential solution: a "security in a chip" device for less than a buck, that could seriously change the landscape of IoT security.

In my previous post, I took the MicroChip AT88CK590 for a brief initial test drive. Although cool in concept, I was initially frustrated and underwhelmed. I didn't even get around to posting my experience for a couple of months (in part, as I never actually got it doing what I wanted). Note that was with completely different eval hardware.

This time around I am looking at the much more elaborate Zero Touch Secure Provisioning Kit for AWS IoT. Be sure to pay attention to the "-B" suffix. A similar part number at Mouser is marked as "End of Life: Scheduled for obsolescence and will be discontinued by the manufacturer." You can try this link to see if they eventually carry the update.

AT88CKECC-AWS-XSTK-B, image from MicroChip




However, when I did finally post that blog page and tweeted it - I got the attention of the folks at MicroChip. In particular their response regarding a new and interesting crypto chip AWS walk-through that I had not seen:

http://microchipdeveloper.com/iot:ztpk

It starts out really quite interesting! The steps are very clearly documented regarding all the (less-than-intuitive) AWS setup details. At the end of the story though, right before the culmination of anticipated technical details, it abruptly ends. I was really hoping for a code walk-through as well. Alas there was just a single "Explore" bullet item:
  • "Firmware that comes in the ZIP to see how the ARM SAM G55 communicates with the secure element (ATECC508A) and the Wi-Fi module WINC1500"
So, ok. I'm good with doing my own code analysis. Sometimes the comments are better than an external document walk-through anyhow.

There are a ton of links throughout the rather long instruction set. By the time you get to the end when reading, perhaps the Zero Touch Secure Provisioning Kit Software Files was missed way up at step 2. I had seen that, even clicked on it. But it initially looks like an ad, complete with the "Buy It Now" button in the upper right corner. But the software is there! Scroll to the bottom and click the "Getting Started" tab:


Then click on the "Get the necessary code HERE" link:


I would have included the link, but it goes to a wonky "Software Copyright" page where you need to provide a name, email, company info. You can however, then immediately download the software. (unlike some sites where you need to wait for confirmation email, bla, bla).

I had a very difficult time with this: several times when I downloaded the file, it was less than 50KB and Windows reported that it was corrupt when trying to open it. Fortunately my Twitter thread ended up with an offer to talk with someone at MicroChip! Later that day I had a great phone conversation with a rep from MicroChip that completely re-invigorated my interest in their crypto chip! He also helped with the download. What worked for me is copying the (apparently time-sensitive) link to clipboard... closing Google Chrome... and then pasting into a new Chrome instance. I think there may have simply been a problem with the timing/loading of the JavaScript for the page. In any case the file starts downloading immediately. It is about 13MB in size.

The two main components of the zip are the (1) python scripts for setting up AWS and (2) a SAMG55 Atmel Studio Project called AWS_IoT_Zero_Touch_SAMG55.atsln

It is unfortunate that the code is "protected" behind a copyright notice. It really belongs as open source on github. Hopefully MicroChip will change that soon.

I suspect the folks at AWS are really quite happy to see they are the only IoT service listed! lol


The microchipdeveloper site is of course still a work in progress. I hope to see a lot more providers in the future. I've always been wanting to use AWS for my MQTT data anyhow: In part, well, it is MY data. I had tried the very easy to use Adafruit.io - but some time back it was offline for a long stretch. (granted it was still beta) But also - it has limitations on number of devices (5) or pay $120/year for up to 60 devices (not yet available), and show stopper: the data was out of my control. The cool thing about adafruit.io was that I could use insecure MQTT or plain HTTP with my ESP8266 (well, duh, back to the proliferation of insecure IoT, eh?) AWS is definitely more challenging in not even allowing anything but a secure connection.

One thing to point out about installing AWS CLI for Windows is that at the end of install, nothing happens. No new icons, no message of completion. Nothing. For me, the "AWS Tools for Windows" listed under Amazon Web Services in Windows 10 start menu - was something I installed last year.

To confirm AWS CLI installed correctly, simply pop into a DOS window and type "AWS":



Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\gojimmypi>aws
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: too few arguments
C:\Users\gojimmypi>


The Python install is a little tricky for me. I already had V2.7 installed (for something that explicitly wanted that version)... and to add V3.6.3 to my path... well, I'm sure I'll bump into that at some unexpected point in the future. This is a good reason to perhaps have a VM for each development environment.

The comment "May take a while to install." should not be underestimated for the pip install step! They should change the text to: "Takes a ridiculously long time, and may seem to stop at times!" lol!

Another place to note a possible problem is on creating roles in Section III. I think the AWS console changed a little since the MicroChip instructions were created. Here's my AWS Console:


Note the "AWS Service" is selected (no radio button) and the service is called simply "Lambda" (not AWS Lambda). Next Step is actually labeled "Next: Permissions"

The final resultant JITR policy also looks a bit different from the walk-through.



My function "Author from Scratch" was also a bit different than instructions:

Instructions:



What I saw:


And here's what my actual code looks like in the function:



The instructions refer to "Rules"... it is now called "Act". Note there's an identical icon, just a different name (instructions on left; my AWS console on right):


The instructions also show running a python script as easily as if it were a batch file. I needed to use the word "python" before the script name:


I received an annoying error:


I wasted a ton of time before I realized somehow Windows 10 "set time automatically" was turned off! Argh! So a click of an option setting and VOILA! Success.

<happy dance>!!</happy dance>

Next, I will finally take a look at the code!

Check out my next post on my first bizarre AWS costs.





Copyright (c) gojimmypi all rights reserved.