This demonstrator shows a general over-the-air firmware update workflow secured by wolfSSL products and TPM.
It uses the following products:
- wolfBoot: Secure boot loader. (Home page)
- wolfTPM: TPM library. (Home page)
- wolfMQTT: MQTT library. (Home page)
- wolfSSL: Secure TLS/SSL library. (Home page)
- wolfCrypt: Cryptography engine. (Home page)
This demonstrator uses a software TPM to simulate TPM functionality.
For details, see SWTPM simulator setup.
Alternatively, you can use the .devcontainer, which builds the software TPM from the official repository: ibmswtpm2.
First, initialize the git submodules.
git submodule update --init --recursive
You need to run swtpm before initializing the TPM tools so the hash of the public key can be stored in the NV index. Then build each module as follows.
- Build the TPM tools and initialize swtpm
cd ./wolfBoot
make tpmtools
./tools/tpm/rot -write
cd ./tools/bin-assemble
make
- Build wolfSSL
cd ./wolfBoot/lib/wolfssl/
./autogen.sh
./configure --disable-shared --enable-wolftpm
make -j
make install
- Build wolfTPM
cd ./wolfBoot/lib/wolfTPM/
./autogen.sh
./configure --disable-shared --enable-swtpm
make -j
make install
- Build wolfMQTT
cd ./wolfMQTT
./autogen.sh
./configure --disable-shared
make -j
- Build wolfBoot and the application
make test-sim-internal-flash-with-update V=1
- Build the OTA server app
make fwserver/fwserver
- Run swtpm. If you are using a devcontainer, run:
/opt/ibmswtpm2/src/tpm_server - From another terminal, run:
This command lets wolfBoot start the application and prints the firmware version (default: 1).
./wolfBoot/wolfboot.elf get_version - Trigger the OTA flow with the
otacommand:The application booted by wolfBoot starts the OTA flow. Once OTA starts, the application connects to the MQTT broker and subscribes to the firmware data topic, then waits for messages../wolfBoot/wolfboot.elf ota - Open another terminal and run:
This tool emulates the OTA server and sends the new firmware to the MQTT broker.
./fwserver/fwserver -t - The application receives the MQTT message and verifies it. Finally, the firmware is stored in internal flash and the update is triggered by wolfBoot.
- Run:
The application shows the new firmware version (default: 10).
./wolfBoot/wolfboot.elf get_version
You can try part of the remote attestation functionality.
wolfBoot calculates its own hash and extends it to PCR 16. (Measured Boot)
Then the application requests a quote from swtpm with this command:
./wolfBoot/wolfboot.elf attestation
This demo app supports additional test commands.
You can find them in ./app/app_sim.c.
We use objcopy to prepare the file that emulates internal flash.
However, macOS does not include objcopy by default.
Please install it and set OBJCOPY= when you build the app and wolfBoot.
Also, if wolfBoot runs in a native macOS environment, a temporary file named test_app is generated on each run.
Please delete it after each run.