1. Testbed dependencies

Each component in the testbed has several dependencies. This document describes which dependencies must be installed before the other modules can be configured.

1.2. Hardware Setup

  • Two Raspberry Pi 3 Model B or Raspberry Pi 4 boards: one for the ECU and one for the CCU

  • Two Iridium 9670 Optiga IoT Security, TCG TPM 2.0. Alternatively, a virtual TPM can also be used. The testbed supports IBM’s Virtual TPM2.

  • Two MCP2515 CAN Controllers with TJA1050 CAN Transceivers: one for the ECU and one for the CCU

1.3. Hardware Connection

Attention

Modification required to the MCP2515 board for the TJA1050: link here

Wiring a single MCP2515 + TJA1050 + TPM

Wiring for the MCP2515+ TJA1050:

Raspberry Pin    MCP2515
-------------    ---------------
1                MCP2515 VCC 3v3
4                TJA1050 VCC 5v
39               GND
36               CS
35               SO
38               SI
40               SCK
37               INT

The TPM should be mounted afterwards on its documented pins.

1.4. Preliminaries

This section describes the setup that must be done on ECU or CCU, or both, before installing anything else.

Run an update:

sudo apt update && sudo apt upgrade

Install git:

sudo apt install git

Have a local copy of the repository:

git clone --recursive https://github.com/terilenard/dias-hackathon-testbed1.git

To update the local copy, you can run the following command from the project root directory:

git submodule update --init --recursive

The project contains a toolchain directory with scripts that can be used to install dependencies and modules. The dependencies directory links the libraries used in the testbed.

1.5. Controller Area Network Configuration

The current section describes the Controller Area Network (CAN) configuration required for each component.

1.5.1. Electronic Control Unit and Connectivity Control Unit

The following steps must be done on each component.

Requirements:

  • MCP2515 CAN controller with TJA1050 CAN Transceiver

  • One virtual CAN (vcan)

  • One physical CAN (can1/can0)

To set up vcan, go to the project root:

cd dias-hackathon-testbed1

Run the setup script for vcan:

cd toolchain/scripts

Install can-utils:

sudo apt install can-utils

The following script will create a vcan0 interface and will configure it to be up on boot:

./vcan.sh

The vcan0 interface should be visible in ip link:

ip link

To set up the CAN interface with the MCP2515 controller, you need to modify the boot/config.txt file on your image and copy the dt overlay file:

The boot/config.txt used is shown below. In this case the MCP2515 is connected alongside a physical TPM:

dtparam=spi=on
dtoverlay=spi1-1cs,cs0_pin=16,cs0_spidev=off
dtoverlay=mcp2515-can2,oscillator=8000000,interrupt=26
# TPM
dtoverlay=tpm-slb9670

Note

The tpm-slb9670 should be present in /boot/overlay after you compile the tpm2-tss library.

Copy dtoverlay:

cd toolchain/utils/rpi3-mcp2515/
sudo cp mcp2515-can2.dtbo /boot/overlays

For the CAN interface to be up on boot, your /etc/network/interfaces should look like this:

auto can1
iface can1 inet manual
    pre-up /sbin/ip link set can1 type can bitrate 500000 loopback off restart-ms 100
    up /sbin/ifconfig can1 up
    down /sbin/ifconfig can1 down

Note

Please check with ip link after a reboot which index your CAN interface has. If the index does not match the configuration in /etc/network/interfaces, change the configuration accordingly, for example from can1 to can0.

1.6. Trusted Platform Module Configuration

Both the ECU and CCU require the tpm2-tss libraries and the tpm2-tools utilities. The tss.sh script installs the required TPM2 dependencies together with the TPM2-ABRMD resource manager. This script will also compile and install IBM’s Virtual TPM. If you have a physical TPM2, the commands below will help you disable IBM’s Virtual TPM and use the dedicated one instead.

The install script is located in toolchain/scripts. From there you can execute:

./tss.sh

To verify that everything went OK, run a tpm2 command:

tpm2_getcap -l

Warning

If the tpm2_xxx tools are not found, we suggest following the manual installation below. If you can run your commands, skip the commands below that manually compile tpm2_tools.

Go to working directory:

cd dependencies/tpm2-tools-4.3.2/

Create the build directory:

mkdir build

Bootstrap and configure:

./bootstrap
./configure

Compile:

make
sudo make install

Unlike a physical TPM, which is exposed as a Linux device, the virtual TPM exposes a socket that allows similar interactions with it. If you want to use the virtual TPM, you must configure the TPM resource manager (tpm2-abrmd) to connect to the port opened by the virtual TPM, and not to the default /dev/tpm0 device. This requires some changes to the tpm2-abrmd service unit.

If you followed a configuration similar to the one in this guide, the service file should be located in /usr/local/lib/systemd/system/tpm2-abrmd.service.

[Unit]
Description=TPM2 Access Broker and Resource Management Daemon
# These settings are needed when using the device TCTI. If the
# TCP mssim is used then the settings should be commented out.
- After=dev-tpm0.device
+ #After=dev-tpm0.device
- Requires=dev-tpm0.device
+ #Requires=dev-tpm0.device
[Service]
Type=dbus                                                                                                                                                               BusName=com.intel.tss2.Tabrmd                                                                                                                                           - ExecStart=/usr/local/sbin/tpm2-abrmd
+ ExecStart=/usr/local/sbin/tpm2-abrmd --tcti=mssim:host=localhost,port=2321
User=tss
[Install]                                                                                                                                                               WantedBy=multi-user.target
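
Review bot: with After=dev-tpm0.device and Requires=dev-tpm0.device commented out in [Unit], nothing orders tpm2-abrmd relative to the virtual TPM any more, so at boot it can start before anything is listening on localhost port 2321 and the mssim TCTI connection can fail. Add After= and Requires= entries naming the unit that starts the virtual TPM (its name is not shown in these lines), so the daemon only starts once the socket it is pointed at exists.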

After modifying the file, reload the service using:

sudo systemctl daemon-reload

Last but not least, cd to the downloaded tpm2-abrmd repository and copy the following file so that the tss user can access D-Bus:

sudo cp dist/tpm2-abrmd.conf /etc/dbus-1/system.d/tpm2-abrmd.conf

the tpm2-abrmd.conf should look like this:

Change the /dev/tpm0 ownership to tss:

sudo chown tss:tss /dev/tpm0

Now we can restart tpm2-abrmd, and it will try to connect to a virtual TPM on port 2321 on localhost.
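
A way to confirm that the unit file is self-consistent after switching between the physical and the virtual TPM, as an added example that is not part of the testbed's own scripts. The function names and the sample unit are constructed for illustration; the check flags a unit that selects the mssim TCTI while still depending on dev-tpm0.device, or the reverse.

```shell
#!/bin/sh
# Added example (not from the testbed repository): check that the TCTI in a
# tpm2-abrmd unit file agrees with its dev-tpm0.device dependencies.

# abrmd_tcti UNIT_FILE -> prints mssim, device or other
abrmd_tcti() {
    # Look only at the active (uncommented) ExecStart= line.
    exec_line=$(sed -n 's/^[[:space:]]*ExecStart=//p' "$1" | tail -n 1)
    case "$exec_line" in
        *--tcti=mssim*)  echo mssim ;;
        *--tcti=device*) echo device ;;
        *--tcti=*)       echo other ;;
        *)               echo device ;;  # no --tcti: /dev/tpm0 default, per the text
    esac
}

# has_device_dep UNIT_FILE -> true if After=/Requires=dev-tpm0.device is active
has_device_dep() {
    grep -Eq '^[[:space:]]*(After|Requires)=.*dev-tpm0\.device' "$1"
}

# check_abrmd_unit UNIT_FILE -> prints a verdict, returns 1 on mismatch
check_abrmd_unit() {
    tcti=$(abrmd_tcti "$1")
    if [ "$tcti" = mssim ] && has_device_dep "$1"; then
        echo "mismatch: mssim TCTI but unit still depends on dev-tpm0.device"
        return 1
    elif [ "$tcti" = device ] && ! has_device_dep "$1"; then
        echo "mismatch: device TCTI but dev-tpm0.device dependency is inactive"
        return 1
    fi
    echo "ok: $tcti"
}

# Constructed sample: the unit as edited above for the virtual TPM.
demo_unit=$(mktemp)
cat > "$demo_unit" <<'EOF'
[Unit]
#After=dev-tpm0.device
#Requires=dev-tpm0.device
[Service]
Type=dbus
BusName=com.intel.tss2.Tabrmd
ExecStart=/usr/local/sbin/tpm2-abrmd --tcti=mssim:host=localhost,port=2321
User=tss
EOF
check_abrmd_unit "$demo_unit"
```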

1.7. MQTT Broker - Mosquitto

MQTT is used for internal communication between the testbed components. Before installing the actual component, the MQTT Broker should be configured. Since different components run on ECU and CCU, the MQTT users differ.

Install mosquitto:

sudo apt install mosquitto

1.7.1 Mosquitto Configuration

On both ECU and CCU, go to /etc/mosquitto and create a passwords file. To add a mosquitto username and password, use mosquitto_passwd. For more details, see man mosquitto_passwd.

ECU mosquitto usernames and passwords:

Service         User           Password
------------    -----------    -----------
mixcan          mixcan         mixcan
dias-ltk-stk    slave_kmngr    slave_kmngr

CCU mosquitto usernames and passwords:

Service                User                   Password
-------------------    -------------------    -------------------
mixcan                 mixcan                 mixcan
dias-ltk-stk           master_kmngr           master_kmngr
dbcfeeder              dbcfeeder              dbcfeeder
cloudfeeder            cloudfeeder            cloudfeeder
dias-logging           tpm-logger             tpm-logger
log-deliverer          log-deliverer          log-deliverer
telemetry-deliverer    telemetry-deliverer    telemetry-deliverer

To append a username:password entry to the passwords file, use the following command:

sudo mosquitto_passwd -b passwords <username> <password>

Afterwards, mosquitto.service must be configured to take this file into consideration when users connect to it. Append the following line to /etc/mosquitto/mosquitto.conf to enable user and password authentication:

password_file /etc/mosquitto/passwords

Finally, restart the service to apply the changes:

sudo systemctl restart mosquitto
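
One way to check the result of the steps above, as an added example that is not part of the testbed's own scripts. The explicit allow_anonymous requirement is a policy assumed by this example (the configuration above sets only password_file), and the sample files with their placeholder hashes are constructed.

```shell
#!/bin/sh
# Added example (not from the testbed repository): audit the Mosquitto files
# produced by this section. Prints one line per finding; returns 0 if clean.
# Usage: audit_mosquitto CONF PASSWORDS_FILE EXPECTED_USER...
audit_mosquitto() {
    conf=$1; pwfile=$2; shift 2
    rc=0
    grep -Eq '^[[:space:]]*password_file[[:space:]]+[^[:space:]]' "$conf" ||
        { echo "conf: no password_file directive"; rc=1; }
    # Policy assumed by this example: require an explicit setting, because
    # the default for allow_anonymous differs between Mosquitto versions.
    grep -Eq '^[[:space:]]*allow_anonymous[[:space:]]+false' "$conf" ||
        { echo "conf: allow_anonymous false not set explicitly"; rc=1; }
    # The file holds password hashes; other local users should not read it.
    [ -z "$(find "$pwfile" -perm -004)" ] ||
        { echo "passwords: file is world-readable"; rc=1; }
    for u in "$@"; do
        line=$(grep "^$u:" "$pwfile") ||
            { echo "passwords: user $u missing"; rc=1; continue; }
        # mosquitto_passwd writes hashed entries prefixed $6$ or $7$.
        case "${line#*:}" in
            '$6$'*|'$7$'*) ;;
            *) echo "passwords: entry for $u is not hashed"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files for the ECU; the hash fields are placeholders.
demo_dir=$(mktemp -d)
printf 'password_file /etc/mosquitto/passwords\n' > "$demo_dir/mosquitto.conf"
cat > "$demo_dir/passwords" <<'EOF'
mixcan:$7$101$CONSTRUCTEDSALT$CONSTRUCTEDHASH
slave_kmngr:$7$101$CONSTRUCTEDSALT$CONSTRUCTEDHASH
EOF
chmod 640 "$demo_dir/passwords"
audit_mosquitto "$demo_dir/mosquitto.conf" "$demo_dir/passwords" \
    mixcan slave_kmngr || echo "audit: findings listed above"
```

mosquitto_passwd -b takes the password on the command line, where it is visible in the shell history and the process list; without -b the tool prompts for it instead.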