Manufacture (Experimental)

The manufacturing service is an EdgeScale cloud service that helps users maintain keys and device identities and fuse devices.

The general workflow is shown below.

_images/mft_flow.png

MFT-GW: the manufacturing service gateway, which distributes the fuse binary images and collects fusing records.

Target-Device: the device that will be fused.

Key Management

Introduction

Key management is designed for customers to manage their own keys. The customer can upload a key to the cloud or use the managed service to generate keys in the cloud. If the key is generated by the cloud, it is maintained and stored in the cloud HSM.

The major components are:
  • Create
  • Delete
  • View
  • Update

Get Key List

  • Click Manufacture > Key Management in the left navigation bar.
_images/mft_key1.png
  • Click the solution title to open the solution detail page.
_images/mft_key2.png

Key Operation

  • Click the Create button to create a key.

Type: select Upload Key.

_images/mft_key3.png

Type: select Auto generate key.

_images/mft_key4.png

After filling in all the fields, click Submit to create the key. A new item appears in the key list; click the edit icon in the last column to edit the key.

_images/mft_key5.png
  • Click the delete icon in the action column to delete the current key.
_images/mft_key6.png
  • Click the download icon in the action column to download the HSM key when you want to sign the image yourself.
_images/mft_key7.png
  • Download the HSM engine for openssl-1.1.1.

    The HSM engine is used by openssl 1.1.1+ to sign images with the HSM key:
    1. Copy edgescale_hsm.so to /usr/lib/x86_64-linux-gnu/engines-1.1/edgescale_hsm.so
    2. Apply the patch 0001-sign-images-with-openssl-engine.patch to cst.
    3. Download the super root fake key from console.edgescale.org and save it with the name “srk.pri”.
    4. Create srk.pub with the openssl command:
       # openssl rsa -in srk.pri -pubout -RSAPublicKey_out > srk.pub
    5. Use srk.pri/srk.pub to sign images with the cst tool.
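
The check below is an added example, not part of the EdgeScale documentation or the cst tool: it derives srk.pub with the step 4 command and confirms that the result is a PKCS#1 public key matching srk.pri before the pair is given to cst. The function names are hypothetical, and a locally generated RSA key stands in for the key downloaded from the console.

```sh
#!/bin/sh
# Added example; derive_srk_pub and check_srk_pair are hypothetical helper names.

# Step 4 from the page: write the PKCS#1 public key for <dir>/srk.pri.
derive_srk_pub() {
    chmod 600 "$1/srk.pri"    # keep the key file owner-only
    openssl rsa -in "$1/srk.pri" -pubout -RSAPublicKey_out \
        > "$1/srk.pub" 2>/dev/null
}

# Return 0 only if <dir>/srk.pub is PKCS#1 PEM and belongs to <dir>/srk.pri.
check_srk_pair() {
    pri="$1/srk.pri"
    pub="$1/srk.pub"
    [ -s "$pri" ] && [ -s "$pub" ] || { echo "missing key file" >&2; return 2; }

    # -RSAPublicKey_out yields "RSA PUBLIC KEY", not SubjectPublicKeyInfo.
    head -n 1 "$pub" | grep -q '^-----BEGIN RSA PUBLIC KEY-----' \
        || { echo "srk.pub is not PKCS#1 PEM" >&2; return 4; }

    # A stale srk.pub from an earlier key would carry a different modulus.
    m_pri=$(openssl rsa -in "$pri" -noout -modulus 2>/dev/null) || return 3
    m_pub=$(openssl rsa -RSAPublicKey_in -in "$pub" -noout -modulus 2>/dev/null) \
        || return 3
    [ "$m_pri" = "$m_pub" ] || { echo "srk.pub does not match srk.pri" >&2; return 5; }
    return 0
}

# Constructed stand-in for the key downloaded in step 3, so this runs offline.
make_constructed_key() {
    openssl genrsa -out "$1/srk.pri" 2048 2>/dev/null
}

work=$(mktemp -d)
make_constructed_key "$work" && derive_srk_pub "$work" \
    && check_srk_pair "$work" && echo "srk.pri and srk.pub are consistent"
rm -rf "$work"
```

Run check_srk_pair on the directory holding the real srk.pri and srk.pub whenever the key is downloaded again, so that a leftover srk.pub is caught before signing.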

Fuse Management

Introduction

Fuse management is designed for customers to manage their fuse config settings. After the fuse arguments are configured, a fuse config file is generated. This config file contains no device-specific information, so it can be used as the fuse project config for a batch of devices.

The major components are:
  • Create
  • Delete
  • View
  • Update

Get Fuse List

  • Click Manufacture > Fuse Management in the left navigation bar.
_images/mft_fuse1.png
  • Click the solution title to open the solution detail page.
_images/mft_fuse2.png

Fuse Operation

  • Click the Create button to create a fuse config.

Type: Setting Generate.

_images/mft_fuse3.png _images/mft_fuse4.png

Type: Upload Config.

_images/mft_fuse5.png

After filling in all the fields, click Preview to check the config file.

_images/mft_fuse6.png
  • Click the delete icon in the last column to delete the current fuse config.
_images/mft_fuse7.png

Device Provision

Introduction

Device Provision is designed for generating fuse binaries for the customer. The customer registers a manufacturing project with a fixed number of devices, a key pair and other fusing arguments. The cloud generates a fuse binary for each device according to the project config. Each fuse binary contains the fuse arguments and the device-specific ID, which can be fused as the hardware root of trust for the device.

The major components are:
  • Create
  • Delete
  • View
  • Update

Get Provision List

  • Click Manufacture > Device Provision in the left navigation bar.
_images/mft_pro1.png
  • Click the solution title to open the solution detail page.
_images/mft_pro2.png

Provision Operation

  • Click the Create button to create a config file.
_images/mft_pro3.png

After filling in all the fields, click Submit to create the config file. A new item appears in the config list; click the download icon in the last column to download the file.

  • Click the delete icon in the last column to delete the current config file.
_images/mft_pro4.png

Manufacturing Demo

  1. Log in to https://console.edgescale.org/ with your account.
  2. Open Manufacture -> Key Management. Then click the Create button in the right column to create a key.
_images/mft_create.png

The “Root Key” can be generated by the CST tool, which is included in the LSDK release.

_images/mft_newkey.png
  3. Open Fuse Management and create a “fuse config” file. Set POVDD GPIO to 0x59 for ls1046afrwy.
_images/mft_newfuse.png
  4. Open Device Provision and create a device config.
_images/mft_config1.png

Download the config file and save it as the tarball fuse_config.tar.gz.

_images/mft_config2.png
  5. On a Linux PC, install the mft gateway service software.

    • Install the udev rule.
    # cat > /etc/udev/rules.d/10-mft.rules << EOF
    ACTION=="add", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", SYMLINK="ttyMFT"
    EOF
    # udevadm control --reload
    
    • Download the mft-gateway demo package from here

    • Install Docker CE

    • Install the gateway service

      # set dhcp bind interface and cwtap mac in etc/cwtap.conf, for example:

      _images/mft_cmd1.png

      # ./startup.sh <eth_interface>, eth_interface is the network interface set above, for example:

      _images/mft_cmd2.png
  6. Open the fuse_demo page (http://192.168.1.101) in the browser on the PC, then click the upload button to upload the fuse_config.tar.gz obtained in step 4.

_images/mft_fuse_config.png
  7. Refresh the page to see the OEM UID list:
_images/mft_oemuid.png
  8. Check cwtap and the board serial port on the server:
_images/mft_cmd3.png
  9. Click the start button to start fuse provisioning of the target device. The system randomly selects an unused OEM UID for the fusing.
_images/mft_fuse_provision.png
  10. The QR code is shown in the browser automatically after the record has been posted to the gateway. This may take several minutes. The QR code can be scanned by the mobile app to claim and manage the corresponding device.
_images/mft_qr.png
  11. Click the export button to export all successful items to the fuse_result.csv file. Click the reset button to drop all data from the database. Currently this demo supports only one project.
_images/mft_export.png
  12. Upload the result to the EdgeScale cloud via edgescale-cli.

    If you get the error “secure public key not upload”, click the mft project edit button to upload sk_pub first. Currently, getting sk_pub from the EdgeScale cloud lab service is supported only for ls1046afrwy.

_images/mft_upload_sk_pub.png
$ escli device upload-db --keyid <project-id> -f <db.csv>

Here keyid can be taken from the file fuse_config.yaml in fuse.config.tgz from step 4.
db.csv is the file exported in step 11.

For example:
$ escli device upload-db --keyid c0f6f99d-8467-4162-befb-828a72048d8e -f fuse_result.csv
  13. Claim the board with the mobile app.
  • Download the QR scan app from this link

  • Install the QR_code_online app on your mobile device

  • Open the app, log in and scan the device QR code generated in step 10

    _images/mft_qr_before.png
  • After the scan, the app shows that the device has been claimed successfully.

    _images/mft_qr_after.png