This demo shows how to use the AVH 3rd party hardware service to automatically test and deploy an application using GitHub Actions. On each commit and pull request a test job is started on a virtual STM32U5 IoT Discovery Kit, which confirms that the firmware is functional. A second GHA job is available to deploy the firmware to real hardware using the Amazon IoT firmware update (OTA) service.
Arm TrustZone for Cortex-M enables System-Wide Security for IoT Devices. The technology reduces the potential for attack by isolating the critical security firmware, assets and private information from the rest of the application.
This repository contains example applications that leverage this technology. The architecture of the application is shown in the diagram below.
Application parts:
- AWS Demos - for the CI/CD flow only the OTA demo is used
- Secure second stage bootloader (BL2): Prebuilt BL2
- Trusted Firmware (TF-M): Prebuilt TF-M
- Access to the AVH 3rd party hardware service
- AWS account with IAM user access
- GitHub repository with Actions enabled
- Keil Studio Cloud account and a corresponding access token
- STM32U5 IoT Discovery Kit hardware
Enable the following GitHub Actions workflows in the repository: .github/workflows.
You'll need to set the following repository action secrets:
Prerequisites:
- KSC_ACCESS_TOKEN - Access token for Keil Studio Cloud
- GIT_ACCESS_TOKEN - Access token for GitHub with repository access rights (your GitHub account needs to have access to Arm-Debug/solar-build-and-run, which is currently private)
- AVH_ACCESS_TOKEN - Access token for the AVH 3rd party hardware service
- AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY - AWS IAM user credentials
Created during the setup:
- AVH_MQTT_ENDPOINT - An MQTT endpoint address; you can find it in your AWS IoT Core settings
- AVH_OTA_KEY - AWS OTA Signer public key
- OTA_SIGNING_PROFILE - Signing profile name
- OTA_S3_BUCKET - AWS S3 bucket name used for firmware storage during OTA
- OTA_TARGET - AWS IoT Thing ARN of your device
- OTA_ROLE_ARN - ARN of the AWS OTA service role
- OTA_POLICY - Name of the OTA policy attached to the certificate
- AVH_CERT - Virtual device self-signed certificate
You'll need to follow the demo application documentation to set up and provision the hardware board. Follow the docs available here for the Over-the-air updates via MQTT Demo on the B-U585I-IOT02A board.
At the end of the setup you need to have:
- Board booting into the AWS OTA application, connecting to the cloud and polling for updates
- AWS IoT Core Thing set up according to the guide above
- The following GitHub secrets set:
  - AVH_MQTT_ENDPOINT - An MQTT endpoint address
  - AVH_OTA_KEY - AWS OTA Signer public key
  - OTA_SIGNING_PROFILE - Signing profile name
  - OTA_S3_BUCKET - AWS S3 bucket name used for firmware storage during OTA
  - OTA_TARGET - AWS IoT Thing ARN of your device
  - OTA_POLICY - Name of the OTA policy attached to the certificate
  - OTA_ROLE_ARN - ARN of the AWS OTA service role
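A preflight check for the secrets listed above, added here as an example and not part of this repository's workflows: it runs as an early job step so that a missing or malformed secret fails the job before the AVH test or the AWS OTA deployment starts. The value shapes are assumptions based on the documented AWS formats (IoT Thing ARN, IAM role ARN, S3 bucket name, Signer profile name, access key id); the opaque tokens are only checked for presence.

```python
"""Preflight check for the GitHub Actions secrets this demo expects.

Added example, not part of the original repository: run it as the first
step of the workflow so a missing or malformed secret fails the job before
the AVH test or the AWS OTA deployment starts.
"""
import os
import re

# Secret name -> regular expression its value must match. The shapes are
# assumptions based on the documented AWS formats; opaque tokens are only
# checked for presence. Adjust for other partitions (e.g. aws-cn).
EXPECTED = {
    "KSC_ACCESS_TOKEN": r"^\S+$",
    "GIT_ACCESS_TOKEN": r"^\S+$",
    "AVH_ACCESS_TOKEN": r"^\S+$",
    "AWS_ACCESS_KEY_ID": r"^(AKIA|ASIA)[A-Z0-9]{16}$",
    "AWS_SECRET_ACCESS_KEY": r"^\S{40}$",
    "AVH_MQTT_ENDPOINT": r"^[a-z0-9-]+\.iot\.[a-z0-9-]+\.amazonaws\.com$",
    "AVH_OTA_KEY": r"^-----BEGIN PUBLIC KEY-----",
    "OTA_SIGNING_PROFILE": r"^[A-Za-z0-9_]{2,64}$",
    "OTA_S3_BUCKET": r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$",
    "OTA_TARGET": r"^arn:aws:iot:[a-z0-9-]+:\d{12}:thing/[A-Za-z0-9:_-]+$",
    "OTA_ROLE_ARN": r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$",
    "OTA_POLICY": r"^[\w+=,.@-]{1,128}$",
    "AVH_CERT": r"^-----BEGIN CERTIFICATE-----",
}


def check_secrets(env):
    """Return a list of problems; an empty list means every secret looks sane."""
    problems = []
    for name, pattern in EXPECTED.items():
        value = env.get(name, "").strip()
        if not value:
            problems.append(f"{name}: missing or empty")
        elif not re.match(pattern, value):
            # Report the name only: secret values must never reach the job log.
            problems.append(f"{name}: value does not match the expected format")
    return problems


if __name__ == "__main__":
    issues = check_secrets(os.environ)
    for issue in issues:
        print(f"::error::{issue}")  # GitHub Actions error annotation
    raise SystemExit(1 if issues else 0)
```

In the workflow, pass the secrets to this step as environment variables (`env: { OTA_TARGET: ${{ secrets.OTA_TARGET }}, ... }`); the script reports only secret names, so its output is safe to show in the job log.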
