Trusted Firmware Logo

Amazon FreeRTOS Gateway Demo based on Trusted Firmware-M Profile Small

David Wang| Monday, November 16, 2020|5 min read

Amazon FreeRTOS Gateway Demo based on Trusted Firmware-M Profile Small


The typical IoT design uses Secure Socket based on TLS to connect the IoT device and cloud for security. When TLS connection is established, the upper level protocol can be applied on top of it to build the communication channel between the device and cloud application.

In the current market, the IoT Cloud venders usually use Certificate and Asymmetric based TLS cipher suite for the TLS connection. It requires the support of both symmetric and asymmetric cryptography.

The capabilities and resources may dramatically vary on different IoT devices. Some IoT devices may have very limited memory resource. The program on those devices should keep small memory footprint and basic functionalities.

TF-M Profile Small doesn’t by default include asymmetric cryptography. Hence, it doesn’t support the asymmetric based TLS (TLS for short) connection which is using by the typical IoT cloud service vendors.

To establish a secure channel, the symmetric cipher suite based connection is required. TLS Pre-Shared Key (PSK) is a good choice. Refer to the links below for more information about TLS PSK:

To connect TF-M Profile Small based device to the cloud, a gateway is needed to establish the secure channels with both the device (via TLS PSK) and the cloud (via TLS).

TF-M Profile Small also introduces the symmetric attestation. It is a useful approach for the gateway for verifying the device which is connecting to it.

Demo Overview

Let’s take a demo for the use case. In this demo, we use three Arm v8-m based devices – Arm Musca B1, LPC55S69 and STM32L5. Musca B1 and LPC55S69 have the temperature and humidity sensors connected. A secure partition (SP) in TF-M is created for collecting the data from the sensor. This SP is also responsible for packing the data for sending to the gateway.

The gateway is Raspberry Pi (RPi) in this demo. You can replace it with any device which can connect to AWS cloud directly. The major functionalities of the gateway:

Demo Overview Image

Demo Overview

System Connection

At the device side, Amazon FreeRTOS runs in Non-Secure Processing Environment (NSPE) and TF-M Profile Small runs in Secure Processing Environment (SPE). In NSPE, the TLS PSK client application is used to setup the TLS PSK connection with the gateway.

The gateway runs Linux as the OS. It uses TLS PSK server application to establish the TLS PSK connection with the client application running in the device. On the other hand, the gateway uses the AWS IoT device application to securely connect to AWS cloud. The AWS IoT device application communicates with TLS PSK server application inside of the gateway for the message exchange between the device and AWS cloud.

{% include image.html path=“/assets/images/blog/SystemConnection.png” alt=“System Connection image” %}

System Connection Diagram

Symmetric attestation

After the TLS PSK connection is established between the gateway and device, the gateway can conduct the Initial Attestation (IAT) to verify if the device is in an acceptable status. For more information of attestation, please check the PSA website.

Symmetric Attestation Image

Symmetric Attestation Block Diagram


The overall workflow is shown as the diagram below.

Workflow image

Workflow Diagram

Establish the connections:

Initial attestation:

Secure sensor application:


This demo was presented at Linaro Virtual Connect 2020.

The slides and video could be found here.

Recent Posts

post image
Trusted Firmware OP TEE Release 4.3.0

Friday, July 12, 2024

Trusted Firmware OP TEE: v4.3.0 Release

post image
Trusted Firmware-M’s First Long Term Support (LTS) Release v2.1.0

Wednesday, May 22, 2024

Trusted Firmware-M’s First Long Term Support (LTS) Release: v2.1.0

post image
MBed TLS v3.6.0 Long Term Support(LTS) Release

Tuesday, April 16, 2024

MBed TLS v3.6.0 Long Term Support(LTS) Release

post image
Trusted Firmware OP-TEE v4.2.0 Release

Sunday, April 14, 2024

Trusted Firmware OP-TEE: v4.2.0 Release

post image
Trusted Firmware-A LTS v2.10.2 released!

Tuesday, February 20, 2024

Building on the 1st TF-A LTS in 2023, Trusted Firmware-A is pleased to announce the release of the second major LTS version- LTS v2.10 \[1], its first valid tag being lts-v2.10.2. The LTS is branched out of TF-A 2.10, the second 2023 TF-A Release \[Nov’2023]