IoT/IIoT

---

The G3 module embedded software image includes components enabling its use in Internet of Things and/or Industrial Internet of Things applications. these components are controlled by the standard chkconfig command and are disabled by default.

Note

In general, IoT/IIoT applications will require Trusted Platform Module (TPM) hardware to be installed in the G3 module. This is standard on the G3MTBR which is intended for IoT gateway applications. All other modules support the addition of a TPM on an application specific daughter card via the I²C bus.

The following sections discuss enabling and configuring the IoT/IIoT related sofware components.

TPM

Getting Started with the Trusted Platform Module (TPM)

Note

The following instructions require the use of your favorite terminal based text editor. If you do not have a preferred text editor, vim and Gnu nano come pre-installed. If you are not already familiar with vim, we recommend that you stick with Gnu nano. You can find a cheat sheet at the Gnu nano website.

1. To start, run the following commands in your bash shell while logged into the target as root…

# Set the DTB to one that supports TPM2 and reboot.
fw_setenv mender_dtb_name stm32mp1-g3mtbr-none.dtb
reboot

# Add TPM2 PKCS11 Store environment variable to .bashrc.
# This enables using the TPM2 in your current shell environment.
echo "export TPM2_PKCS11_STORE=/data/opt/tpm2-pkcs11/" >> ~/.bashrc
source ~/.bashrc

2. Configure OpenSSL to use the Trusted Platform Module (TPM) by adding the settings below to /etc/ssl/openssl.cnf beneath HOME = . on line 13 and before # Extra OBJECT IDENTIFIER info.

# Add support for the TPM2
openssl_conf = openssl_init
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/libtpm2_pkcs11.so.0
init = 0

Connecting to AWS Greengrass V1

Add TPM2_PKCS11_STORE to the Greengrass init.d service so the file looks like below. The TPM2 will not work correctly with Greengrass on boot unless the environment variable TPM2_PKCS_STORE is defined and configured beforehand:

Error

Nick - What is the path to the GG init script?

#!/bin/sh
#           levels  start   kill
#===================================
# chkconfig:        45      80      20
# description:  AWS IoT Greengrass

export TPM2_PKCS11_STORE=/data/opt/tpm2-pkcs11/
GG_LAUNCHER="$(find /data/greengrass -type f -name greengrassd)"

case "${1}" in
    start | stop | restart)
            ${GG_LAUNCHER} ${1}
    ;;
    *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac

1. Run:

/usr/bin/tpm2-gg-setup.sh

2. Copy the generated device certificate to your host computer:

scp root@<ip-address>:/data/greengrass/certs/deviceCert.csr .

Important

You will need to substitute the IP address of your target in the command above.

3. Upload your device certificate and associate it with your Greengrass Core policy:

   • On the left, under AWS IOT, select Secure->Certificates then on the right select Add certificate->Create certificate.

   • Select “Create certificate with certificate signing request (CSR)” then upload your deviceCert.csr file from the previous step and select Create.

   • If successful, a pop-up will appear prompting you to download the results. Download both the Device certificate and the RSA Amazon trust services endpoint, and copy both of them to /data/greengrass/certs on your target.

   • Activate the new certificate by checking its box on the left and selecting Actions->Activate.

   • Select your newly created certificate and select Attach policies then select your Greengrass core’s associated policy and select Attach policies

4. Edit the Greengrass configuration file, /data/greengrass/config/config.json, so the following fields match:

"runtime" : {
    "cgroup" : {
       "useSystemd" : "no"
    },
},
"crypto": {
    "caPath" :  "file:///data/greengrass/certs/root.ca.pem",
    "PKCS11": {
       "OpenSSLEngine": "/usr/lib/engines-1.1/pkcs11.so",
       "P11Provider": "/usr/lib/libtpm2_pkcs11.so.0",
       "slotLabel": "greengrass",
       "slotUserPin": "123456"
    },
    "principals": {
        "SecretsManager" : {
            "privateKeyPath" : "file:///data/greengrass/certs/hash-setup.private.key"
        },
        "IoTCertificate" : {
            "privateKeyPath" : "file:///data/greengrass/certs/hash-setup.private.key",
            "certificatePath" : "file:///data/greengrass/certs/hash-setup.cert.pem"
        },
        "MQTTServerCertificate" : {
            "privateKeyPath" : "file:///data/greengrass/certs/hash-setup.private.key",
            "certificatePath" : "file:///data/greengrass/certs/hash-setup.cert.pem"
        }
    }
}

5. Restart Greengrass and test local MQTT broker to AWS Cloud connection

AWS Greengrass

Warning

A credit card is necessary to sign up for AWS, even though it’s free to use if you stay under the AWS Free Tier limits.

The following documentation is meant as a suppliment to the official AWS Greengrass V1 documentation. We recommend first reviewing Amazon’s documentation to get the most value out of our documentation.

Interacting with the AWS Greengrass Daemon

You can perform the following actions in your bash shell on the target:

• Start/Stop/Restart:

/etc/init.d/greengrass start|stop|restart

• Greengrass Logs:

tail -f /data/greengrass/ggc/var/log/system/runtime.log

• Greengrass Lambda Logs:

tail -f /data/greengrass/ggc/var/log/*/*/*.log

Getting Started with the AWS Greengrass Daemon

1. Create the Greengrass Group and Core. Follow this procedure from AWS EXACTLY! Adjust the Group and Core names for your use. Stop when it instructs you to install Greengrass software (step 11) because the Greengrass software is already installed and ready to be configured.

Error

Nick - step 11? there is no step 11 here… is this in the referenced doc? If yes, there should be a hyperlink to it.

2. Configure Greengrass Group:

   When running AWS IoT Greengrass initially without Docker, all Lambda functions must run without containerization. In this step, set the default containerization for the group to No container. Do this before you deploy the group for the first time.

   • In the AWS IoT console, choose Greengrass, and then choose Groups.

   • Choose the group whose settings you want to change.

   • Choose Settings.

   • Under Lambda runtime environment, choose No container.

   • Choose Update default Lambda execution configuration. Review the message in the confirmation window, and then choose Continue.

3. Download your AWS core security resources and copy them to your gateway. Replace hash-setup with the file you downloaded in step 1:

scp hash-setup.tar.gz root@<ip-address>:/data/greengrass

Important

You will need to substitute the IP address of your target in the command above.

4. Untar your AWS core security resources (from step 3) to /data/greengrass:

tar zxvf /data/greengrass/hash-setup.tar.gz -C /data/greengrass/

5. Edit the Greengrass config file, /data/greengrass/config/config.json, so the following fields match:

"runtime" : {
  "cgroup" : {
    "useSystemd" : "no"
  }
},
"crypto" : {
  "principals" : {
    "SecretsManager" : {
      "privateKeyPath" : "file:///data/greengrass/certs/hash-setup.private.key"
    },
    "IoTCertificate" : {
      "privateKeyPath" : "file:///data/greengrass/certs/hash-setup.private.key",
      "certificatePath" : "file:///data/greengrass/certs/hash-setup.cert.pem"
    }
  },
  "caPath" : "file:///data/greengrass/certs/root.ca.pem"
}

6. Create a lambda function in Greengrass by following these instructions. Step 10 is optional since aliases are not required.

   Error

   Nick - step 10? there is no step 10 here… is this in the referenced doc? If yes, there should be a hyperlink to it.

   • When creating your Python lambda, make sure to choose the python3.8 runtime

   • Under Basic settings, your Handler name must match the convention: filname.name_of_function_handle

7. Configure your newly added lambda function using these instructions, stopping at step 15.

   Error

   Nick - step 15? there is no step 15 here… is this in the referenced doc? If yes, there should be a hyperlink to it.

   • In step 7, you don’t have to set the timeout to 25, but make sure you remember to change the Lambda Lifecycle to Make this function long-lived and keep it running indefinitely

     Error

     Nick - step 7? we’re in step 7 here… is this in the referenced doc? If yes, there should be a hyperlink to it.

8. Deploy your lambda using these instructions.

9. Verify that the lambda is running on the core device using these instructions.

Connecting Greengrass to a MQTT Broker

By default, the G3 module platform runs mosquitto for its local MQTT broker, but other MQTT brokers exist as well. Below are basic instructions to connect the local mosquitto broker to AWS Greengrass in order to forward MQTT messages to and from the AWS Cloud:

1. Ensure that mosquitto and Greengrass are running by checking the output of the following commands:

/etc/init.d/mosquitto status
ps -elf | grep greengrass

2. Using the skills you learned in Getting Started, copy the code below and create a new lambda in a file named MqttClient.py. Under “Basic settings”, your Handler name will be MqttClient.function_handler:

import logging
import os
import json
from threading import Timer

import greengrasssdk
import paho.mqtt.client as mqtt

# Creating a greengrass core sdk client
iot_data = greengrasssdk.client('iot-data')

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)
streamHandler = logging.StreamHandler()
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
streamHandler.setFormatter(formatter)
logger.addHandler(streamHandler)

GROUP_ID = None
THING_NAME = None
THING_ARN = None
HOST = 'localhost'
PORT = 1883
USERNAME = None
PASSWORD = None
MQTT_SUB = "#"
TIMER_INTERVAL = 1

if 'USERNAME' in os.environ:
    USERNAME = os.environ['USERNAME']

if 'PASSWORD' in os.environ:
    PASSWORD = os.environ['PASSWORD']

# The callback for when the client receives a CONNACK response from the server.
def on_connect(client, userdata, flags, rc):
    logger.info("Connected with result code " + str(rc))

    # Subscribing in on_connect() means that if we lose the connection and
    # reconnect then subscriptions will be renewed.
    client.subscribe(MQTT_SUB)

# The callback for when a PUBLISH message is received from the server.
def on_message(client, userdata, msg):
    logger.info('on_message received')
    topic = msg.topic

    # Publish the message to the MQTT server
    logger.info('Publishing message to |GG| from broker on topic [' + topic + ']')

    payload = msg.payload
    try:
        json_payload = json.dumps(str(payload.decode("utf-8")))
    except UnicodeDecodeError:
        payload = payload.hex()

    try:
        iot_data.publish(topic=topic, payload=payload)
    except Exception as error:
        logger.error('An exception occurred: {}'.format(error))


mqtt_client = mqtt.Client()
mqtt_client.on_connect = on_connect
mqtt_client.on_message = on_message

mqtt_client.username_pw_set(USERNAME, PASSWORD)

def greengrass_mqtt_client_loop():
    error = None

    try:
        mqtt_client.connect(HOST, PORT, 60)
        # Blocking call that processes network traffic, dispatches callbacks
        # and handles reconnecting.
        mqtt_client.loop_forever()
        logger.info('Should never get Here')
    except ConnectionRefusedError as e:
        # Connection refused, try connecting again in 5 seconds
        error = ('Connection to the MQTT server failed [' + str(e) + '], '
                 'make sure it is running and the settings are correct')
    except Exception as e:
        # Something else went wrong
        error = 'Something went wrong [' + str(e) + ']'

    # If we get here we'll start log the error, if any, and loop again
    if error is not None: logger.error(error)
    logger.error('Reconnecting')
    Timer(TIMER_INTERVAL, greengrass_mqtt_client_loop).start()

# Asynchronously schedule this function to run in TIMER_INTERVAL seconds.
# We don't call the function immediately in case the MQTT configuration
# is incorrect.
Timer(TIMER_INTERVAL, greengrass_mqtt_client_loop).start()

# This is invoked when a message is received from |GG|
def function_handler(event, context):
    try:
        inbound_topic = context.client_context.custom['subject']

        # Publish the message to the MQTT server
        logger.info('Publishing message to broker from |GG| on topic [' +
                    inbound_topic + ']')

        mqtt_client.publish(inbound_topic, json.dumps(event))
    except Exception as error:
        logger.error('An exception occurred: {}'.format(error))

    return

3. Add MQTT topic subscriptions to lambda function(s) to transport MQTT data to and from the local MQTT broker and the AWS Cloud and vice versa. This step and the following steps use the MQTT topics of foo and bar as an example, as seen below:

   Source	Target	Topic
   MqttLambda	IoT Cloud	foo
   IoT Cloud	MqttLambda	bar

4. Deploy the lambda to the Greengrass Core.

5. Verify MQTT traffic from local broker to AWS Cloud:

mosquitto_pub -h <ip_address> -t foo -m "from local broker"

Important

You will need to substitute the IP address of your target in the command above.

6. Now check the AWS IoT Test Console to check if the message on topic foo was received.

7. Verify MQTT traffic from AWS Cloud to local broker:

mosquitto_sub -h <ip_address> -v -t bar

Important

You will need to substitute the IP address of your target in the command above.

8. Send an MQTT message on topic bar from the AWS IoT Test Console and check the output of mosquitto_sub to see if the local broker recieved the MQTT message.