Tutorial: Secure Amazon IoT Greengrass Nucleus Lite with Trusted Platform Module (TPM)
This tutorial explains how to enable and configure Trusted Platform Module (TPM) support for Amazon IoT Greengrass nucleus lite. TPM provides hardware-based root of trust for secure key storage. This security feature protects cryptographic operations and sensitive credentials, enhancing device security and integrity.
When you complete this integration, your Amazon IoT Greengrass core device will use TPM-protected private keys for its identity and communication with Amazon IoT services.
For more information about security on Amazon IoT Greengrass devices, see Security in Amazon IoT Greengrass.
Important
This mechanism is supported only when you install Amazon IoT Greengrass nucleus lite with manual resource provisioning.
Prerequisites
To complete this tutorial, you need the following:
- A Linux-compatible device with TPM 2.0 hardware or NitroTPM.
- A device with Greengrass Nucleus Lite installed. For more information, see Install the Amazon IoT Greengrass Core software (console).
- Instructions in this tutorial are written for Ubuntu 24.04 LTS. Any Linux distribution that supports the Linux TPM2 Software Stack (tpm2-tss) can support this mechanism.
- A developer machine with the Amazon CLI installed and configured with permissions to:
  - Create and manage Amazon IoT resources
  - Create and manage IAM roles and policies
- Root or sudo privileges on the device.
This tutorial contains instructions on how to use the TPM2 chip as a Hardware Security Module (HSM) to create a private key and a CSR, which are then used to create the Amazon IoT thing certificate. The private key is generated inside the TPM and never leaves it; only the CSR and the resulting certificate are handled as files.
Step 1: Set up a NitroTPM instance
- Set up a NitroTPM instance. For more information, see NitroTPM.
- Launch the final instance using the custom AMI created in the previous step.
Important
When connecting with SSH, use the ubuntu user instead of root.
- Check that the TPM device is present and working by running the following command:
ls -la /dev/tpm*
You should see the /dev/tpm0 and /dev/tpmrm0 devices. /dev/tpmrm0 is the kernel's resource-manager interface to the same TPM and is the one that lets several processes share the chip safely.
Step 2: Install and configure TPM tools
- Install the required packages by running the following commands:
sudo apt update
sudo apt install tpm2-openssl tpm2-tools tpm2-abrmd libtss2-tcti-tabrmd0
- Verify the TPM device's permissions by running the following commands:
ls -l /dev/tpm0    # Should be owned by tss:root with permissions 0660
ls -l /dev/tpmrm0  # Should be owned by tss:tss with permissions 0660
Step 3: Configure the OpenSSL TPM2 provider
- Edit the OpenSSL configuration file:
sudo vi /etc/ssl/openssl.cnf
- Add the following configuration. Ubuntu ships an openssl.cnf that already contains [openssl_init] and [provider_sect] sections; if so, merge the tpm2 entries into the existing sections instead of adding duplicates, and keep the default provider activated, because OpenSSL needs it for everything the TPM provider does not implement.
[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
tpm2 = tpm2_sect

[default_sect]
activate = 1

[tpm2_sect]
identity = tpm2
module = /usr/local/lib64/tpm2.so
activate = 1
- Adjust the module path as necessary. The distribution package normally installs the provider into OpenSSL's module directory, which openssl version -m prints as MODULESDIR. You can find the correct path using:
find /usr -name "tpm2.so"
Step 4: Generate persistent TPM keys
- Create a primary key under the owner hierarchy by running the following command:
sudo tpm2_createprimary -C o -c primary.ctx
- Create an ECC key object by running the following command:
sudo tpm2_create -C primary.ctx -g sha256 -G ecc256 -r device.priv -u device.pub
- Load the key by running the following command:
sudo tpm2_load -C primary.ctx -r device.priv -u device.pub -c device.ctx
- Make the key persistent by running the following command:
sudo tpm2_evictcontrol -C o -c device.ctx 0x81000002
This stores the key in the TPM's persistent storage at the handle you specify (0x81000002 in this example), so it survives reboots and can be referenced by handle alone. The device.priv file is the private part encrypted by the TPM under the primary key; it is not a usable private key outside this TPM.
Step 5: Generate a Certificate Signing Request (CSR)
In this step, you use the TPM2-protected private key to generate a Certificate Signing Request (CSR). The CSR is signed inside the TPM; the private key is never exported.
- Generate a CSR using the TPM key:
openssl req -new -provider tpm2 -key "handle:0x81000002" \
    -out device.csr \
    -subj "/CN=TPMThing"
- Replace 0x81000002 with your chosen handle value and TPMThing with your desired thing name.
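Steps 4 and 5 as a single script, added here as an example and not taken from the tutorial or from the Greengrass project. It adds the checks a practitioner wants before handing the CSR to Amazon IoT: that the handle is a valid owner-hierarchy persistent handle, that it is not already occupied, that the CSR's self-signature verifies, and that the public key in the CSR is the one the TPM holds at that handle. The script name, the provision subcommand, the file names tpm-device.pub.pem and the explicit -provider default are this example's assumptions; everything else mirrors the commands above.

```shell
#!/bin/sh
# Added example (not from the tutorial or the Greengrass project): Steps 4 and 5 as one
# script, with checks before the CSR is sent to Amazon IoT.
# Assumes tpm2-tools and tpm2-openssl are installed and /etc/ssl/openssl.cnf activates
# the tpm2 provider (Steps 2 and 3). Run on the device as root:
#   sudo sh tpm-provision.sh provision [HANDLE] [THING_NAME]
set -eu

# Persistent handles occupy 0x81000000-0x81FFFFFF; the lower half (0x81000000-0x817FFFFF)
# belongs to the owner hierarchy, which is where "-C o" creates and persists the key.
valid_persistent_handle() {
    printf '%s\n' "$1" | grep -Eiq '^0x81[0-7][0-9a-f]{5}$'
}

# $1: output of `tpm2_getcap handles-persistent` (one "- 0x81......" line per object)
# $2: handle to look for. Succeeds if that handle is already occupied.
handle_in_list() {
    printf '%s\n' "$1" | grep -qiw "$2"
}

# $1: CSR file, $2: PEM public key read back from the TPM.
# Compares DER encodings so PEM line wrapping cannot cause a false mismatch.
csr_pubkey_matches() {
    csr_der=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | od -An -tx1 | tr -d ' \n')
    tpm_der=$(openssl pkey -pubin -in "$2" -outform DER | od -An -tx1 | tr -d ' \n')
    [ -n "$csr_der" ] && [ "$csr_der" = "$tpm_der" ]
}

provision() {
    handle=${1:-0x81000002}
    thing=${2:-TPMThing}

    valid_persistent_handle "$handle" || { echo "refusing $handle: not an owner-hierarchy persistent handle" >&2; return 1; }
    if handle_in_list "$(tpm2_getcap handles-persistent)" "$handle"; then
        echo "refusing $handle: already occupied (tpm2_evictcontrol -C o -c $handle removes it)" >&2
        return 1
    fi

    # Step 4: the ECC key is generated inside the TPM. device.priv is the private part
    # encrypted under the primary key and is useless outside this TPM.
    tpm2_createprimary -C o -c primary.ctx
    tpm2_create -C primary.ctx -g sha256 -G ecc256 -r device.priv -u device.pub
    tpm2_load -C primary.ctx -r device.priv -u device.pub -c device.ctx
    tpm2_evictcontrol -C o -c device.ctx "$handle"
    rm -f primary.ctx device.ctx   # transient contexts; the key is now reachable by handle

    # Reference copy of the public key, read straight from the persistent object.
    tpm2_readpublic -c "$handle" -f pem -o tpm-device.pub.pem

    # Step 5: the CSR is signed inside the TPM. "-provider default" is passed explicitly so
    # the command also works if openssl.cnf was not edited; it is harmless otherwise.
    openssl req -new -provider tpm2 -provider default -key "handle:$handle" \
        -subj "/CN=$thing" -out device.csr

    # Checks: the CSR self-signature verifies (needs no TPM), and the CSR's public key is
    # the one the TPM holds at $handle, so the certificate will bind to the right key.
    openssl req -in device.csr -noout -verify
    csr_pubkey_matches device.csr tpm-device.pub.pem || { echo "CSR public key does not match TPM handle $handle" >&2; return 1; }
    echo "device.csr ready for aws iot create-certificate-from-csr (key stays at $handle)"
}

case "${1:-}" in
    provision) shift; provision "$@" ;;
esac
```

Nothing runs unless the script is invoked with the provision subcommand, so the helper functions can be sourced and checked on a machine without a TPM. The occupancy check matters because tpm2_evictcontrol will happily overwrite a handle already in use, which silently replaces whatever key was there.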
Step 6: Create the certificate from the CSR
- On your development computer, create a folder in which to download the certificate for the Amazon IoT thing.
mkdir greengrass-v2-certs
- Copy device.csr from the device to your development computer, then use it to create and download the certificate for the Amazon IoT thing.
aws iot create-certificate-from-csr \
    --set-as-active \
    --certificate-signing-request file://path_to_device.csr \
    --certificate-pem-outfile greengrass-v2-certs/device.pem.crt
If the request succeeds, the response looks similar to the following example:
{
    "certificateArn": "arn:aws:iot:us-west-2:123456789012:cert/aa0b7958770878eabe251d8a7ddd547f4889c524c9b574ab9fbf65f32248b1d4",
    "certificateId": "aa0b7958770878eabe251d8a7ddd547f4889c524c9b574ab9fbf65f32248b1d4",
    "certificatePem": "-----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w 0BAQUFADCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZ WF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIw EAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5 jb20wHhcNMTEwNDI1MjA0NTIxWhcNMTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBh MCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBb WF6b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMx HzAdBgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wgZ8wDQYJKoZIhvcNAQE BBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ21uUSfwfEvySWtC2XADZ4nB+BLYgVI k60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9TrDHudUZg3qX4waLG5M43q7Wgc/MbQ ITxOUSQv7c7ugFFDzQGBzZswY6786m86gpEIbb3OhjZnzcvQAaRHhdlQWIMm2nr AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4nUhVVxYUntneD9+h8Mg9q6q+auN KyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0FkbFFBjvSfpJIlJ00zbhNYS5f6Guo EDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTbNYiytVbZPQUQ5Yaxu2jXnimvw 3rrszlaEXAMPLE= -----END CERTIFICATE-----"
}
Step 7: Set up Greengrass Nucleus Lite with TPM support
To enable TPM support in Greengrass Nucleus Lite, make the following changes:
- Configure user permissions by adding the ggcore user to the tss group for TPM access:
sudo usermod -a -G tss ggcore
- Update the credentials directory by completing the following steps:
  - Remove the private key file from the credentials directory. Because the key is now a persistent TPM object, no private key file needs to be copied.
  - Copy the new device.pem.crt into that credentials directory.
- Edit config.yaml with the following TPM-specific configuration:
system:
  privateKeyPath: "handle:0x81000002"   # Use your chosen handle
  certificateFilePath: ""               # Replace with the path of device.pem.crt
  ...
- Restart Greengrass Nucleus Lite by running the following command. The restart is also what makes the service pick up the new tss group membership.
sudo systemctl restart greengrass-lite.target
Troubleshooting
If you encounter issues during the setup or operation of your TPM2-enabled Amazon IoT Greengrass device, try the following troubleshooting steps:
TPM device is not found (when using NitroTPM)
If /dev/tpm0 is not present, do the following:
- Verify that you're using a NitroTPM-supported instance type.
- Ensure the AMI was created with --tpm-support v2.0.
- Verify that the instance was launched from the custom AMI.
Permission denied errors
If you encounter TPM access errors, do the following:
- Verify that the user is in the tss group:
groups $USER
- Check the TPM device's permissions using the following command:
ls -l /dev/tpm*
- Verify that you logged out and logged back in after adding the user to the tss group. Group membership is applied when a session starts, so an existing shell does not see it; for the ggcore service user, restarting the service has the same effect.
OpenSSL provider issues
If the TPM provider is not found, do the following:
- Verify the tpm2.so path in /etc/ssl/openssl.cnf.
- Check provider installation by running the following command. The tpm2 provider should be listed with status: active.
openssl list -providers
- Verify that the tpm2-openssl package is properly installed.
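The troubleshooting items above as one preflight script, added here as an example and not part of the tutorial or of the Greengrass project. It runs every check and reports all failures in one pass instead of stopping at the first, which is what you want when a device comes back from the field. The script name, the check subcommand, the default user ggcore and handle 0x81000002 from Step 7, and the constructed SAMPLE_PROVIDERS text (shaped like real openssl list -providers output) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial or the Greengrass project): preflight checks for a
# TPM-backed Greengrass Nucleus Lite device. Run on the device:
#   sudo sh tpm-preflight.sh check [USER] [HANDLE]
set -u

# Constructed sample of `openssl list -providers` output, used to exercise provider_active()
# on a machine without the TPM provider installed.
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.13
    status: active
  tpm2
    name: TPM 2.0 Provider
    version: 1.2.0
    status: active'

# $1: one line of `stat -c '%U %G %a' DEVICE` (e.g. "tss tss 660"), $2: expected group.
# The group is what matters for the service user: it reaches the device through tss membership.
device_perm_ok() {
    grp=$(printf '%s\n' "$1" | awk '{print $2}')
    mode=$(printf '%s\n' "$1" | awk '{print $3}')
    [ "$grp" = "$2" ] && [ "$mode" = "660" ]
}

# $1: output of `id -nG USER`, $2: group name. Whole-token match, so "tss" does not match "tss2".
user_in_group() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# $1: output of `openssl list -providers`, $2: provider identity (tpm2).
# Succeeds only if that provider's block exists and reports "status: active".
provider_active() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF == 1 && $1 == p       { found = 1; next }
        found && $1 == "status:" { exit ($2 == "active") ? 0 : 1 }
        found && NF == 1         { exit 1 }
        END                      { if (!found) exit 1 }'
}

run_checks() {
    user=${1:-ggcore}
    handle=${2:-0x81000002}
    failures=0
    fail() { echo "FAIL: $1"; failures=$((failures + 1)); }

    for dev in /dev/tpm0 /dev/tpmrm0; do
        [ -c "$dev" ] || fail "$dev missing (NitroTPM: check instance type, AMI --tpm-support v2.0, and that the AMI was used)"
    done
    if [ -c /dev/tpmrm0 ]; then
        perms=$(stat -c '%U %G %a' /dev/tpmrm0)
        device_perm_ok "$perms" tss || fail "/dev/tpmrm0 should be group tss, mode 660, got: $perms"
    fi
    user_in_group "$(id -nG "$user" 2>/dev/null || true)" tss \
        || fail "$user is not in group tss (usermod -a -G tss $user, then restart the service)"
    provider_active "$(openssl list -providers 2>/dev/null || true)" tpm2 \
        || fail "tpm2 provider not active (check the module path in /etc/ssl/openssl.cnf against openssl version -m)"
    tpm2_getcap handles-persistent 2>/dev/null | grep -qiw "$handle" \
        || fail "no persistent object at $handle (rerun Step 4 or fix privateKeyPath in config.yaml)"

    [ "$failures" -eq 0 ] && echo "all TPM preflight checks passed"
    return "$failures"
}

case "${1:-}" in
    check) shift; run_checks "$@" ;;
esac
```

The exit status is the number of failed checks, so the script can sit in a provisioning pipeline or a health probe; the parsing helpers take command output as arguments so they can be tested against captured text without a TPM present.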
Next steps
Now that you've successfully integrated your Amazon IoT Greengrass core device with TPM2, you can:
-
Deploy components to your secure Amazon IoT Greengrass device
-
Set up additional Amazon IoT Greengrass devices with TPM2 integration
For more information about security on Amazon IoT Greengrass devices, see Security in Amazon IoT Greengrass.