I'm trying to get Greengrass working with an SLB9670 TPM, and can't seem to get it working no matter what I try. All documentation online seems incorrect or deprecated in relation to this process. This is the script I'm using to generate the key/cert pair and set up Greengrass:
#!/usr/bin/env bash
# Provision an RSA key inside the TPM via tpm2-pkcs11, have AWS IoT certify it,
# and install the Greengrass nucleus against that key/cert.
set -euo pipefail

# Create the tpm2-pkcs11 store and a token (SO PIN and user PIN are test values).
/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py init --path=/opt/tpm2-pkcs11/
chmod 777 /opt/tpm2-pkcs11
/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py addtoken --pid=1 --sopin=123456 --userpin=123456 --label=greengrass --path=/opt/tpm2-pkcs11/
# Generate the RSA-2048 key in the TPM under the object label "iotkey".
/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py addkey --algorithm=rsa2048 --label=greengrass --key-label=iotkey --userpin=123456 --path=/opt/tpm2-pkcs11/
# Export the TSS PEM wrapper for the key and capture its object auth value.
rsa_auth=$(/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py export --label=greengrass --path=/opt/tpm2-pkcs11/ --userpin=123456 --key-label=iotkey | grep "object-auth" | cut -d ' ' -f2-)
# Build a CSR with the tpm2 OpenSSL provider; the private key never leaves the TPM.
openssl req -new -provider tpm2 -provider base -key=iotkey.pem -subj="/C=US/O=Company" --passin="pass:$rsa_auth" -out=csr.req
# Have AWS IoT issue a certificate for the CSR, activate it, and load it into the token.
certArn=$(aws iot create-certificate-from-csr --certificate-pem-outfile /home/usr/cert.pem --certificate-signing-request file://csr.req | grep certificateArn | awk '{ print $NF }' | tr -d '"' | tr -d ',' | xargs)
certId=$(echo "$certArn" | sed 's@.*/@@' | xargs)
aws iot update-certificate --certificate-id "$certId" --new-status ACTIVE
/home/usr/tpm2-pkcs11/tools/tpm2_ptool.py addcert --label=greengrass --key-label=iotkey --path=/opt/tpm2-pkcs11/ /home/usr/cert.pem
# Register the thing and attach the certificate and its policies.
aws iot create-thing --thing-name myThing
aws iot add-thing-to-thing-group --thing-name myThing --thing-group-name thingGroup
aws iot attach-thing-principal --thing-name myThing --principal "$certArn"
aws iot attach-policy --policy-name GreengrassV2IoTThingPolicy --target "$certArn"
aws iot attach-policy --policy-name Assume-Role-Policy --target "$certArn"
aws iot attach-policy --policy-name GreengrassTESCertificatePolicyGreengrassV2TokenExchangeRoleAlias --target "$certArn"
# Install the nucleus with the PKCS#11 provider plugin.
sudo mkdir -p /greengrass/v2
sudo chmod 777 /greengrass/v2
sudo curl -o /greengrass/v2/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar --trusted-plugin ./GreengrassInstaller/aws.greengrass.crypto.Pkcs11Provider.jar --init-config ./GreengrassInstaller/config.yaml --component-default-user root:root --setup-system-service true
And this is my config.yaml file:
---
system:
  certificateFilePath: "pkcs11:object=iotkey;type=cert"
  privateKeyPath: "pkcs11:object=iotkey;type=private"
  rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  thingName: "myThing"
services:
  aws.greengrass.Nucleus:
    componentType: "NUCLEUS"
    version: "2.11.2"
    configuration:
      awsRegion: "us-east-2"
      iotRoleAlias: "GreengrassV2TokenExchangeRoleAlias"
      iotDataEndpoint: "myPrefix.iot.us-west-2.amazonaws.com"
      iotCredEndpoint: "myPrefix.credentials.iot.us-west-2.amazonaws.com"
  aws.greengrass.crypto.Pkcs11Provider:
    configuration:
      name: "tpm2_pkcs11"
      library: "/home/usr/tpm2-tss/tpm2-pkcs11/src/.libs/tpm2_pkcs11.so"
      slot: 1
      userPin: "123456"
This all works correctly and generates the key/cert, as verified by:
p11tool --list-all --login "{{URL}}"
but when the greengrass nucleus runs, I'm getting the error:
Failed to connect to AWS IoT Core. {clientId=myThing, error=The connection was closed unexpectedly}.
I've tried the above, as well as generating a key/cert completely outside the TPM and then importing them, and still get the same error.
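A consistency check for this kind of nucleus config, added here as an example; it is not part of the original post and not AWS or tpm2-pkcs11 tooling. It embeds the config.yaml from the post as constructed sample input, parses the two PKCS#11 URIs per RFC 7512, and reports fields that disagree with each other: awsRegion versus the region embedded in iotDataEndpoint and iotCredEndpoint, the object label in the URIs versus the --key-label given to tpm2_ptool, and a few provider settings that are easy to mistype. The key_label argument, the endpoint pattern, and the tiny YAML parser are assumptions of this example (use PyYAML for real files); on the sample config it flags the us-east-2 versus us-west-2 discrepancy as an inconsistency to look at before debugging the TLS path.

```python
"""Lint a Greengrass v2 config.yaml that uses the PKCS#11 provider.

Added example: checks the configuration for self-consistency offline. It does
not contact AWS or the TPM. The YAML parser handles only the nested
'key: value' subset this file uses; it is an assumption of the example.
"""
import re
from urllib.parse import unquote

# Constructed sample input: the config from the post, with its original values.
SAMPLE_CONFIG = """\
---
system:
  certificateFilePath: "pkcs11:object=iotkey;type=cert"
  privateKeyPath: "pkcs11:object=iotkey;type=private"
  rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  thingName: "myThing"
services:
  aws.greengrass.Nucleus:
    componentType: "NUCLEUS"
    version: "2.11.2"
    configuration:
      awsRegion: "us-east-2"
      iotRoleAlias: "GreengrassV2TokenExchangeRoleAlias"
      iotDataEndpoint: "myPrefix.iot.us-west-2.amazonaws.com"
      iotCredEndpoint: "myPrefix.credentials.iot.us-west-2.amazonaws.com"
  aws.greengrass.crypto.Pkcs11Provider:
    configuration:
      name: "tpm2_pkcs11"
      library: "/home/usr/tpm2-tss/tpm2-pkcs11/src/.libs/tpm2_pkcs11.so"
      slot: 1
      userPin: "123456"
"""

# Assumed shape of an AWS IoT data/credentials endpoint: <prefix>[.credentials].iot.<region>.amazonaws.com
ENDPOINT_RE = re.compile(
    r"^[A-Za-z0-9-]+\.(?:credentials\.)?iot\.([a-z]{2}-[a-z]+-\d)\.amazonaws\.com$"
)


def parse_simple_yaml(text):
    """Parse indentation-nested 'key: value' YAML into dicts (subset only)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the open scopes
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "---" or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # first colon splits key/value
        value = value.strip()
        while indent <= stack[-1][0]:
            stack.pop()  # dedent closes enclosing mappings
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        elif len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            parent[key] = value[1:-1]  # quoted scalar
        elif re.fullmatch(r"-?\d+", value):
            parent[key] = int(value)  # bare integer, e.g. slot: 1
        else:
            parent[key] = value
    return root


def parse_pkcs11_uri(uri):
    """Return the path attributes of an RFC 7512 PKCS#11 URI as a dict."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError(f"not a PKCS#11 URI: {uri!r}")
    path, _, _query = rest.partition("?")  # query attributes (pin-value etc.) ignored here
    attrs = {}
    for part in filter(None, path.split(";")):
        k, _, v = part.partition("=")
        attrs[k] = unquote(v)  # values are percent-encoded per the RFC
    return attrs


def lint_config(cfg, key_label="iotkey"):
    """Return a list of findings; an empty list means every check passed.

    key_label is the --key-label used with tpm2_ptool addkey/addcert."""
    findings = []
    system = cfg.get("system", {})
    nucleus = cfg["services"]["aws.greengrass.Nucleus"]["configuration"]
    p11 = cfg["services"]["aws.greengrass.crypto.Pkcs11Provider"]["configuration"]

    # 1. awsRegion must agree with the region embedded in both endpoints.
    region = nucleus.get("awsRegion")
    for name in ("iotDataEndpoint", "iotCredEndpoint"):
        endpoint = nucleus.get(name, "")
        m = ENDPOINT_RE.match(endpoint)
        if not m:
            findings.append(f"{name}: unrecognised endpoint format {endpoint!r}")
        elif m.group(1) != region:
            findings.append(f"{name}: region {m.group(1)} != awsRegion {region}")

    # 2. Both PKCS#11 URIs must carry the expected type and the label the key was created under.
    for field, want_type in (("certificateFilePath", "cert"), ("privateKeyPath", "private")):
        try:
            attrs = parse_pkcs11_uri(system.get(field, ""))
        except ValueError as exc:
            findings.append(f"{field}: {exc}")
            continue
        if attrs.get("type") != want_type:
            findings.append(f"{field}: type={attrs.get('type')!r}, expected {want_type!r}")
        if attrs.get("object") != key_label:
            findings.append(f"{field}: object={attrs.get('object')!r}, expected {key_label!r}")

    # 3. Provider settings that are easy to get wrong.
    if not isinstance(p11.get("slot"), int):
        findings.append("Pkcs11Provider.slot must be an integer")
    if not str(p11.get("library", "")).endswith(".so"):
        findings.append("Pkcs11Provider.library should point at the PKCS#11 .so module")
    if not p11.get("userPin"):
        findings.append("Pkcs11Provider.userPin is empty")
    if not system.get("thingName"):
        findings.append("system.thingName is empty")
    return findings


if __name__ == "__main__":
    for finding in lint_config(parse_simple_yaml(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run it against your own file with `lint_config(parse_simple_yaml(open("config.yaml").read()))`; a clean result only says the fields agree with each other, so the next step on a clean config is a TLS-level test of the same key and cert (for example an mTLS handshake to the data endpoint with the tpm2 provider) to separate a connection-level failure from a nucleus-level one.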