RTOS/CC3220SF-LAUNCHXL: CC3220SF LaunchPad Connect to AWS IoT

Part Number: CC3220SF-LAUNCHXL
Other Parts Discussed in Thread: CC3220SF, UNIFLASH

Tool/software: TI-RTOS

Hi All,

Recently, I programmed the AWS SDK (aws_cc3220_1_10_00_07) onto the CC3220SF LaunchPad to connect to AWS IoT.

I followed this thread (e2e.ti.com/.../593513) to set it up.

My settings:

Step 1. Select MCU Image, add subscribe_publish_sample_CC3220SF_LAUNCHXL_tirtos_ccs.bin (mcuflashimg.bin)

Step 2. Add files for the TLS protocol (root-ca, certificate, private key) and subscribe_publish_sample_CC3220SF_LAUNCHXL_tirtos_ccs.bin

Step 3. Add Service Pack

Step 4. Add Trusted Root-Certificate Catalog.

Step 5. Successfully connect to AWS IoT

I am confused by some questions below:

1. In step 1, why did I need to select Private Key File Name: dummy-root-ca-cert-key and Certification File Name: dummy-root-ca-cert when I select the MCU image (subscribe_publish_sample_CC3220SF_LAUNCHXL_tirtos_ccs.bin (mcuflashimg.bin))?

2. In step 2, the same as Q1: I know that root-ca.crt, xxx.certificate.pem.crt and xxx.private.pem.key are for the SSL/TLS protocol, but why do I need to add dummy-root-ca-cert? What does that do?

3. In step 4, why do I need to add the Trusted Root-Certificate Catalog? What does that do?

4. Why do I need to change the code in network_sl.c?

Thank you for being patient with me.

  • Hi user4754651,

    Thank you for using the prior posts in the E2E forum as a first method of troubleshooting! To answer your questions:

    1. Short answer: File system security.

    Longer answer: During programming, the image is first downloaded onto the serial flash where it is signed and encrypted. Upon first boot, the bootloader reads the encrypted image from serial flash, then decrypts the image and writes it onto the on-chip flash. To ensure complete image integrity, a hash of the application binary is generated and stored in the filesystem as a secure system file. This hash is used during boot time to verify that the image stored on the on-chip flash corresponds with the image that was programmed. This also allows for tampering detection. To find out more, please refer to sections 3 and 7.2 of http://www.ti.com/lit/swra509

    2. For TLS/SSL dummy-root-ca-cert is only needed for File System Security, not SSL/TLS. Please refer to the link above as well as the UniFlash guide http://www.ti.com/lit/swru469

    3. The Trusted Root-Certificate is a file provided by TI containing a list of known and trusted root CAs and a list of revoked certificates. The list of CAs supported by TI can be found in SWRA509 linked above.

    4. The modified code also checks to make sure that the returned value of getErrno(retConnect) does not equal the value for SL_ERROR_BSD_ESECUNKNOWNROOTCA... in other words, if the root CA is known and the connection failed, the failure will be reported as NETWORK_ERR_NET_CONNECT_FAILED. If the connection failed and the root CA is unknown, the error will not be reported as NETWORK_ERR_NET_CONNECT_FAILED.

    Sincerely,
    Bryan Kahler
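
The check described in answer 4, as an added example that is not part of the original posts and not the SDK's own code. All numeric values, `NET_OK`, `SL_ERROR_OTHER_TLS_FAILURE` and `NETWORK_WARN_UNKNOWN_ROOT_CA` are constructed stand-ins, and treating the excepted case as a successful connect is an assumption; the second function is a hypothetical variant that keeps "root CA not in the catalog" visible to the caller.

```c
#include <stdio.h>

/* Stand-in values constructed for this example. A real build takes the
 * SL_ERROR_* and NETWORK_ERR_* values from the SimpleLink and AWS IoT
 * SDK headers. */
#define SL_ERROR_BSD_ESECUNKNOWNROOTCA  (-1001)
#define SL_ERROR_OTHER_TLS_FAILURE      (-1002)  /* hypothetical: any other failure */
#define NET_OK                          0        /* stand-in for the success code */
#define NETWORK_ERR_NET_CONNECT_FAILED  (-2001)
#define NETWORK_WARN_UNKNOWN_ROOT_CA    (-2002)  /* hypothetical, not in the SDK */

/* Behaviour described in answer 4: every connect failure except
 * "unknown root CA" is reported as NETWORK_ERR_NET_CONNECT_FAILED.
 * Assumption: the excepted case is then handled as a successful connect. */
int classify_modified(int err)
{
    if (err < 0 && err != SL_ERROR_BSD_ESECUNKNOWNROOTCA)
        return NETWORK_ERR_NET_CONNECT_FAILED;
    return NET_OK;
}

/* Variant that keeps the two cases apart, so the application can log or
 * refuse a session whose root CA is missing from the trusted catalog
 * instead of silently continuing. */
int classify_distinct(int err)
{
    if (err == SL_ERROR_BSD_ESECUNKNOWNROOTCA)
        return NETWORK_WARN_UNKNOWN_ROOT_CA;
    return (err < 0) ? NETWORK_ERR_NET_CONNECT_FAILED : NET_OK;
}

int main(void)
{
    /* Constructed connect results: success, generic failure, unknown root CA. */
    const int samples[] = { 0, SL_ERROR_OTHER_TLS_FAILURE,
                            SL_ERROR_BSD_ESECUNKNOWNROOTCA };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("err=%d modified=%d distinct=%d\n", samples[i],
               classify_modified(samples[i]), classify_distinct(samples[i]));
    return 0;
}
```

With the modified check alone, a connect result of "unknown root CA" is indistinguishable from success at the call site, which is why the catalog from step 4 and the root CA file from step 2 need to match the server being contacted.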