
Simplifying Authenticated Cloud Connectivity for Any Device

Introduction

Featured FreeRTOS IoT reference integrations show how to integrate the Long-Term Support (LTS) versions of FreeRTOS libraries with hardware-enforced security to help create secure cloud-connected devices. This blog describes how to use Wi-Fi and cellular connectivity modules that implement the AWS IoT ExpressLink specification (from here on, "ExpressLink") to achieve the same outcome even on microcontrollers (MCUs) too small to run the software libraries.

ExpressLink simplifies connected device software, reducing RAM and ROM footprints. It also simplifies hardware design, manufacturing, and device onboarding at scale. Onboarding refers to the process of connecting a device to the correct cloud account when the device is first powered up.

IoT devices often use a host MCU to run application software, and a separate communication module to access Wi-Fi, Bluetooth, or cellular networks. Some communication modules go further than just managing the wireless network and provide higher level protocols, like a TCP/IP stack. More commonly, though, all the software needed for secure authenticated cloud communication is linked with the application software, and runs on the host MCU. The orange boxes in Figure 1 represent libraries typically used to create secure cloud connections.

Figure 1 - Typical library set required for secure device-to-cloud IoT connectivity

In Figure 1:

  • MQTT is an application layer protocol often used to communicate with cloud hosted servers.
  • TLS is the same Transport Layer Security protocol used to secure HTTPS connections.
  • The key management and secure storage modules secure the private keys used for authentication and encryption.
  • Provisioning is the mechanism used to allocate private keys and unique identities to devices, which is challenging when scaling production.

In Figure 2, you can see a host microcontroller executing this functionality, with the help of a Wi-Fi or cellular module to connect to the network.

Figure 2 - Executing security and connectivity software on a host microcontroller

Using an Operating System (OS) to encapsulate complex functionality into autonomous threads of execution, called tasks, simplifies the interface between the libraries (orange) and application code (green). For example, Figure 3 uses a real-time OS (RTOS) to encapsulate the MQTT protocol and the more complex over-the-air (OTA) update state machine into their own tasks, which we refer to as agent (or daemon) tasks. Well-designed agents are easily reusable and thread-safe. They make the application code simpler because the functionality now running in the agents no longer needs to be designed into the application software's control flow. Agents also hide low-level library dependencies, which Figure 3 just shows as "Middleware libraries".

Figure 3 - Using multithreading to simplify interfaces

Agents are a helpful simplification, but ExpressLink goes much further by moving the security and connectivity functionality from the host MCU to the connectivity module, which provides a further step change in simplicity. The ExpressLink specification also mandates OTA update capabilities for both the ExpressLink module and the host MCU.

Using ExpressLink removes the need for the application writer to configure or build the libraries, or even to learn the simplified agent API. Offloading all that functionality from the host MCU significantly decreases the MCU's ROM and RAM requirements. ExpressLink also offloads cryptographic firmware validation, reducing the host MCU's compute requirements.

ExpressLink simplifies hardware design further by mandating hardware-backed secure storage for encryption and authentication keys, offloading that requirement from the MCU hardware too.

Figure 4 - Executing security and connectivity software on the communication module

The ExpressLink specification defines an AT command set. To use the command set from the host MCU, you just need a UART driver. With an automated onboarding process, all you have to do is write the string "AT+connect" to the serial port to create a TLS-encrypted and authenticated connection to the correct cloud account, even when powering on for the first time, and without having supplied secrets to the device’s manufacturing supply chain.
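As an added illustration of the host side of that exchange (this is not code from the page or from any ExpressLink module vendor), the C below sends the connect command over a UART and waits for the module's terminal response line, with a bounded buffer and a bounded number of reads so a silent or chatty module cannot hang or overflow the host. It assumes the UART driver exposes simple write/read hooks, that responses are CRLF-terminated lines beginning with "OK" or "ERR" as I read the specification, and the fake UART reply is a constructed sample, not captured from hardware.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical UART hooks supplied by the host MCU's driver (an assumption, not an ExpressLink API). */
typedef size_t (*uart_write_fn)(const char *buf, size_t len);
typedef int    (*uart_read_fn)(void);                 /* next byte, or -1 if nothing is pending */

typedef enum { AT_OK, AT_ERR, AT_OTHER, AT_INCOMPLETE, AT_OVERFLOW } at_status_t;

typedef struct { char line[128]; size_t len; } at_parser_t;   /* accumulates one CRLF-terminated line */

/* Feed one byte; classify the line once CRLF arrives. An over-long line resets the buffer
 * instead of writing past it, so a misbehaving module cannot corrupt host memory. */
at_status_t at_feed(at_parser_t *p, int c) {
    if (c < 0) return AT_INCOMPLETE;
    if (p->len >= sizeof p->line - 1) { p->len = 0; return AT_OVERFLOW; }
    p->line[p->len++] = (char)c;
    if (p->len < 2 || p->line[p->len - 2] != '\r' || p->line[p->len - 1] != '\n') return AT_INCOMPLETE;
    p->line[p->len - 2] = '\0';                        /* strip CRLF, NUL-terminate */
    p->len = 0;
    if (strncmp(p->line, "OK", 2) == 0)  return AT_OK;   /* "OK" or "OK <detail>" */
    if (strncmp(p->line, "ERR", 3) == 0) return AT_ERR;  /* "ERR<code> <text>" (assumed format) */
    return AT_OTHER;                                     /* command echo or other line: keep waiting */
}

/* Feed a whole string and return the status after its last byte. */
at_status_t at_feed_str(at_parser_t *p, const char *s) {
    at_status_t st = AT_INCOMPLETE;
    for (; *s; s++) st = at_feed(p, (unsigned char)*s);
    return st;
}

/* Send AT+CONNECT and wait for the terminal OK/ERR line, giving up after max_polls reads. */
at_status_t expresslink_connect(uart_write_fn wr, uart_read_fn rd, unsigned max_polls, at_parser_t *p) {
    static const char cmd[] = "AT+CONNECT\r\n";
    if (wr(cmd, sizeof cmd - 1) != sizeof cmd - 1) return AT_ERR;
    p->len = 0;
    while (max_polls--) {
        at_status_t st = at_feed(p, rd());
        if (st == AT_OK || st == AT_ERR || st == AT_OVERFLOW) return st;
    }
    return AT_INCOMPLETE;                               /* no answer in time: treat as failure */
}

/* Constructed fake UART: the "module" answers with a sample success line (not a captured response). */
static const char fake_reply[] = "OK 1 CONNECTED\r\n";
static size_t fake_pos;
static size_t fake_write(const char *b, size_t n) { (void)b; return n; }
static int    fake_read(void) { return fake_reply[fake_pos] ? (unsigned char)fake_reply[fake_pos++] : -1; }

at_status_t demo_connect(void) {
    at_parser_t p = { {0}, 0 };
    fake_pos = 0;
    return expresslink_connect(fake_write, fake_read, 32, &p);
}
```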

There is a FreeRTOS IoT reference integration that utilises ST's I-Cube-ExpressLink to connect both large and small MCUs to AWS. The smallest MCU in this reference is the STM32G0, which has 32K of program space and 8K of RAM.

About the author

Richard Barry founded the FreeRTOS project in 2003, spent more than a decade developing and promoting FreeRTOS through his company Real Time Engineers Ltd, and now continues his work on FreeRTOS within a larger team as a principal engineer at Amazon Web Services. Richard graduated with 1st Class Honors in Computing for Real Time Systems, and was awarded an Honorary Doctorate for his contributions to the development of embedded technology. Richard has also been directly involved in the startup of several companies, and authored several books.
Copyright (C) Amazon Web Services, Inc. or its affiliates. All rights reserved.