
Secure Element and "s" Modules

All Linux-based ARTIK modules include a Secure Element to keep security keys and certificates safe. When you used the Samsung ARTIK smart phone app to "on-board" your device, you connected it to ARTIK Cloud securely by using the pre-registered information in the Secure Element.

In addition, certain ARTIK modules (known as "s" modules for "secure") have strong security features and also allow custom provisioning of their Secure Element to your own chosen clouds and services. These "s" modules provide:

  • Secure boot functionality – ensure that only signed boot images can execute on the module. By signing the boot image with your own key at production, you can validate your own customized root of trust starting from the hardware.

  • Secure OS and libraries – provide functionality for you to securely execute many operations including storage, cryptography, etc. This functionality is exposed to customer applications running on Linux through security APIs.

  • Locked JTAG Port – to prevent code images from being accessed through system-level hardware.

Here we'll provide a quick overview of what you'll need to consider during the development, production, and field support phases of your product deployment. Refer to the Secure Modules series for details.

Development Phase

During your software development phase, you want to be able to get up and running quickly. We won't get in your way!

  • You can do "s" module application development with no changes to your flow.
  • For work on boot images, we automatically generate default keys and use them as needed for your local testing.

Below, we'll quickly touch on the topics you might be wondering about. Follow the links for more details.

"s" module identification

ARTIK "s" modules are recognizable by the blue color of their identification sticker.

[Figure: standard module and "s" module]

Obtaining "s" modules/kits

ARTIK "s" modules and kits can be purchased through distributors such as Digi-key, Arrow, and Mouser.

Preparation

If you arrived here by way of the Getting Started article sequence, you've already done some of these preparatory steps.

  1. Make sure all the standard board setup items are completed.

    1. Set up and power the board.

    2. Prepare your development environment.
      » Download and set up the ARTIK IDE on your development PC to use the SDK.
         – and –
      » Set up your own development environment for building from source code.

    3. Update the ARTIK board image.

  2. Use ARTIK Cloud to test out standard services provided by the pre-registered Secure Element.

    1. Create a Samsung ARTIK Cloud account.

    2. On-board the device to see how the scheme works.

    3. Delete the device in preparation for custom development.

Develop applications with ARTIK IDE

  1. Use the ARTIK IDE and ARTIK SDK for application development. It automatically builds in the TrustWare image and ARTIK SDK security library.

  2. Install the artiksee security library header file package, libartik-security-dev, if you will be provisioning your own clouds and servers.

  3. Develop applications as usual.

Develop from source code

This process is covered in the Advanced Developers articles.

  1. Download all needed software to set up your environment.

    1. Obtain Linux software from GitHub. You'll find all the build instructions here as well. Choose the correct branch for your module type.

    2. Likewise, obtain U-Boot code from GitHub.

    3. Utilize the build scripts from GitHub to automate the build and default code signing process.

    4. Download and copy security libraries and tools to the development board, where they will be used by the build scripts.

      • ARTIK SDK
      • Security libraries
      • TrustWare image
      • ARTIK CodeSigner tool for local boot image signing using default key
  2. Obtain optional software packages.
  3. Build the code. The build script automatically invokes the code signer tool to apply a default signature to the boot image. This signature can be used for development but not for production. You'll use these scripts:
    • release.sh to build the entire OS image
    • build_uboot.sh to build just the U-Boot image alone
    • build_ubuntu.sh to build just the Ubuntu root filesystem.
  4. Load the binary image to the ARTIK module. You can either load the full image or selected partitions. Any bootloader partitions will need to be properly signed.

Production Phase

For production, you will want to sign your bootloader code with your own keys. For this purpose, you can sign up for and use the ARTIK Key Management System (KMS).

  1. Contact your ARTIK Sales representative.

  2. Receive a KMS account (ID and passwords).

  3. As the developer entrusted with security at your company, you'll use the ARTIK KMS portal for these secure operations.

    • You request generation of private signing keys, which never leave the system. Only the public key version is shared with you and Samsung.
    • The public key gets added to the first bootloader by the Samsung signing process; that bootloader image gets e-mailed to you.
    • You upload the secondary bootloader binaries that you create, use your private key to sign them, and then download the signed versions.
  4. Run scripts to package both keyed bootloader images, the TrustWare security binary, and the Linux image into the final sdfuse image. You'll run mksdfuse.sh for this purpose.

Unmatched bootloader images will be rejected if any attempt is made to load one to an ARTIK "s" module.
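
The acceptance rule above, modeled with OpenSSL as an added example; it is not Samsung's code and not the ARTIK CodeSigner or KMS signature format, which this page does not describe. It assumes detached ECDSA P-256/SHA-256 signatures and hypothetical key names `dev` and `prod`, and shows a release gate that rejects an image still carrying the default development signature as well as one modified after signing.

```shell
#!/bin/sh
# Constructed model of a signed-bootloader release gate. Detached ECDSA
# signatures and the key names "dev"/"prod" are assumptions for illustration;
# this is not the ARTIK CodeSigner or KMS format.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_key NAME: generate a P-256 key pair (stand-in for a signing key).
make_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# sign_image NAME IMAGE: write a detached SHA-256 signature to IMAGE.sig.
sign_image() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# verify_image NAME IMAGE: succeed only if IMAGE.sig verifies under NAME.pub.
verify_image() {
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$2.sig" "$2" \
    >/dev/null 2>&1
}

# release_gate IMAGE: print the verdict a production check would reach.
release_gate() {
  if verify_image prod "$1"; then echo "accept"
  elif verify_image dev "$1"; then echo "reject-dev-signed"
  else echo "reject-unmatched"
  fi
}

make_key dev    # default key used for local testing
make_key prod   # production key (held in a KMS in the real flow)
IMG="$WORK/bl2.bin"
printf 'constructed second-stage bootloader\n' > "$IMG"   # constructed sample

sign_image dev "$IMG";  echo "dev-signed:  $(release_gate "$IMG")"
sign_image prod "$IMG"; echo "prod-signed: $(release_gate "$IMG")"
printf 'x' >> "$IMG";   echo "modified:    $(release_gate "$IMG")"
```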

Field Support Phase

Once your product is deployed to the field, you will want to be able to perform over-the-air (OTA) updates to its software packages. Refer to the Secure Update / OTA articles for information.

