Please note that we have discontinued the keySTREAM DevKit for new customers. We will continue to maintain this page as a courtesy to the valued customers who have purchased the kit in the past.
The scope of this document is to provide a quick start guide for users of the Kudelski IoT keySTREAM Pico SE DevKit. Kudelski IoT keySTREAM gives you a device-to-cloud solution for securing all the key assets of your IoT ecosystem, end to end and during its entire lifecycle.
This HAT for Raspberry Pi is the ideal companion to build a prototype for your IoT use-case, with security embedded by design.
This Quick Start Guide will walk you through the steps to set up and run a sample app on Raspberry Pi using keySTREAM functionalities.
At the end of this process, you will have:
Once you are at this stage, you are free to build your prototype and continue to use keySTREAM to manage and update the security of your solution.
The Pico SE DevKit is an add-on board for Raspberry Pi. It embeds the Pico SE - 800 and enables keySTREAM services.
The Pico SE DevKit is built to be stacked on a Raspberry Pi, and further HATs can be stacked on top of it. On a Raspberry Pi, the HAT plugs onto the GPIO pins and lets you plug in other HATs.
This is the ideal companion to build a prototype of your IoT use case. No soldering needed, just plug it onto the Raspberry Pi.
Your kit contains:
From registration to writing your first demo app, follow the steps below.
Go to the keySTREAM portal and create your free account. It will give you access to the Security Management UI and all needed resources.
Download the Library and the Sample Application here:
This project compiles the SCL demo app for the Raspberry Pi platform with the SAL and Secure Client Library (SCL) for Pico SE hardware.
Make sure you have the following ready:
Folder scl-demo-app-release contains
Folder sal-posix.public_rpi contains
Copy the folders salapi and sal-posix from sal-posix.public_rpi into scl-demo-app-release/platform/posix/
The app can be compiled in the following configurations. The executable is generated with the name scl_demo_app.
cd scl-demo-app-release/build/posix
make USE_DEBUG=1
cd scl-demo-app-release/build/posix
make
Add the configuration fields in scl-demo-app-release/app/include/scl_config.h as follows:
#define APP_CONFIG_SCL_ISEP_ADDRESS icpp.mss.iot.kudelski.com
#define APP_CONFIG_SCL_ISEP_PORT 38292
#define APP_CONFIG_SCL_CONTEXT_SERIAL_NB 000-Test-000
#define APP_CONFIG_SCL_CONTEXT_PROFILE kiot:cp:sampleapp:test
#define APP_CONFIG_SCL_DEVICE_SERIAL_NUMBER SN0000
#define APP_CONFIG_SCL_FIRMWARE_VERSION test-v0
#define APP_CONFIG_ISEP_SEG_SEED "2B2B426E1035AD6B73F0561DC4E05472"
#define APP_CONFIG_APP_SEG_SEED "14EC2B3717661B462538D445F0A57DE4"
Important note
For this demo app to work, you may need to upgrade the firmware of the PicoSE. Please refer to the section "Troubleshoot - Upgrade PicoSE to latest version" if you get an error 14 when requesting the Claim Token.
The SCL demo application provides sample reference code for easy SCL integration. It provides reference code for the following features.
This project compiles the SCL demo app with the SAL-Posix and Secure Client Library (SCL).
The SCL demo app file structure is as follows:
SCL-demo-app is an interactive application with the following user menu. The sample code for the basic setup, which is required for all of the following functionalities, is in the function sclAppStart(). This covers the features Device Identity Provisioning and Device Registration.
###################################
###### Select keySTREAM feature ######
1 : Device Claim Token
2 : Zero Touch Provisioning
3 : End2End Encryption
4 : WhatsUp Interval
5 : Applicative Feature Authorization
6 : Send WhatsUp
7 : Device info sealing
x : Exit
Enter your choice:
Option 1 (Device Claim Token) prints the Device Claim Token. Provide this token on the keySTREAM Portal to register the device with keySTREAM. The token is required for Device Onboarding.
Option 2 (Zero Touch Provisioning) prints the device's X.509 certificates and the CA certificate in PEM format. These certificates can be used to support authentication to IoT infrastructure such as AWS, Azure, etc. The certificates need to be created on the Portal. Once they are created on the Portal, execute the "Send WhatsUp" step to sync with the keySTREAM server.
Option 3 (End2End Encryption) shows how to use SCL to encrypt and sign data. The encrypted data can be sent to a server, and the keySTREAM server can be used to decrypt it. E2E Data Protection needs to be enabled on the Portal. Details can be found at End to End data protection. Once the Portal is configured to enable E2E Data Protection, execute the "Send WhatsUp" step to sync with the keySTREAM server.
Option 4 (WhatsUp Interval) prints the currently configured WhatsUp Period. The device needs to communicate with the keySTREAM server using the SCL API sclConnectionNotification() at least once every WhatsUp Period. This value can be configured on the Portal. Details can be found at Device Secure Heartbeat. Once the WhatsUp Period is configured on the Portal, execute the "Send WhatsUp" step to sync with the keySTREAM server.
Option 5 (Applicative Feature Authorization) prints the Applicative Feature Authorization and its metadata configured on the Customer onBoarding Portal. Details can be found at Applicative Feature Authorization. Once the Applicative Feature Authorization is created on the Portal, execute the "Send WhatsUp" step to sync with the keySTREAM server.
Option 6 (Send WhatsUp) calls sclConnectionNotification(), which must be called at least once every WhatsUp interval.
If you change any device configuration on the Portal, make sure to execute this option, which internally calls sclConnectionNotification().
Option 7 (Device info sealing) asks the user to provide a device profile prefix and a device profile string. It uses this information to configure SCL to seal device information.
Before you exercise this option, make sure that a device profile has been created on the Portal. Use the same Prefix allocated to your account on the Portal when running this option.
For more details check Device Information Sealing.
If you don't use the allocated Prefix, your device may reject bootstrapping continuously. To resolve this, please refer to Force Refurbish under the Troubleshoot section below.
Option x (Exit) shows the reference SCL calls to stop SCL.
If your device ends up in a situation where it is not able to bootstrap, sclConnectionNotification() continuously returns an error and the device is not displayed in MY DEVICES, you can try a force refurbish of that device. The process to force refurbish a device is as follows.
curl --location --request PUT 'https://mss.iot.kudelski.com/dm/<DM UUID>/business/devices/<Rot Public UID>/refurbish?force=true' --header 'Authorization: Basic <Secret>'
For more details visit Device Refurbish and IAM.
Download the utility from the Resource menu of the Portal. This utility is intended to work on the Raspberry Pi board only. Copy picose-fw-upgrade_rpi.zip to the Raspberry Pi and follow the steps below to compile this utility.
$ unzip picose-fw-upgrade_rpi.zip
$ cd picose-fw-upgrade_rpi/picose-fw-upgrade/build/posix
$ chmod 755 prebuild/convertFileToBin.py*
$ chmod 755 execute-prebuild*
Note: It is advised to unzip picose-fw-upgrade_rpi.zip in the Raspberry Pi environment to avoid any file format conversion.
make FIRMWARE_PATH=../../firmware/Firmware_PICO_SE_800_01.08.00_ROT_01.10.82_00000060_0004_prod_01_20201217_5926.fotapk
A binary named picose-fw-upgrade will be created at picose-fw-upgrade/build/posix.
make clean
This utility supports the following commands: info, validate and upgrade.
The info command prints information about the platform.
$ ./picose-fw-upgrade info
It prints output like this:
RoT UID: xxxxxxxxxxxxxxxx
RoT Version: 01.10.82
SCL Version: 01.12.00
Build Version: R-CYYAD-BHFAG
E_K_SE_INFO_TYPE_PLATFORM_VERSION: 01.08.00
Here, RoT Version shows the firmware version currently on the PicoSE.
The validate command checks whether the firmware copied into the firmware folder can be installed.
$ ./picose-fw-upgrade validate
The upgrade command installs the firmware copied into the firmware folder onto the platform.
$ ./picose-fw-upgrade upgrade
After a successful upgrade, run the info command to confirm that the RoT Version has changed.
$ ./picose-fw-upgrade info
RoT UID: xxxxxxxxxxxxxxxx
RoT Version: 01.11.00
SCL Version: 01.12.00
Build Version: R-CYYAD-BHFAG
E_K_SE_INFO_TYPE_PLATFORM_VERSION: 01.08.00
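The validate, upgrade and info steps above can be chained so that the final RoT Version check is never skipped. The script below is an added example, not part of the Kudelski utility or its documentation: the function names are hypothetical, it assumes the utility exits non-zero when validate or upgrade fails, and it requires the version to increase, which is stricter than "has changed".

```sh
#!/bin/sh
# Added example (not vendor code): chain validate -> upgrade -> info and fail
# unless the RoT Version reported by `info` actually moved forward.

# `info` output as printed on this page (the UID is masked there as well).
SAMPLE_INFO='RoT UID: xxxxxxxxxxxxxxxx
RoT Version: 01.10.82
SCL Version: 01.12.00
Build Version: R-CYYAD-BHFAG
E_K_SE_INFO_TYPE_PLATFORM_VERSION: 01.08.00'

# Read `info` output on stdin, print only the RoT Version value.
rot_version() {
    sed -n 's/^RoT Version:[[:space:]]*\([0-9][0-9.]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Succeed when dotted version $1 is strictly newer than $2. Fields are compared
# numerically in awk, so leading zeros such as "08" are not parsed as octal.
version_newer() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 1
    }'
}

# $1: path to the utility (default: ./picose-fw-upgrade in the build folder).
# Assumption: validate and upgrade exit non-zero on failure.
upgrade_and_verify() {
    tool="${1:-./picose-fw-upgrade}"
    before=$("$tool" info | rot_version)
    [ -n "$before" ] || { echo "cannot read RoT Version before upgrade" >&2; return 2; }
    "$tool" validate || { echo "validate failed, not upgrading" >&2; return 3; }
    "$tool" upgrade || { echo "upgrade command failed" >&2; return 4; }
    after=$("$tool" info | rot_version)
    if [ -n "$after" ] && version_newer "$after" "$before"; then
        echo "RoT Version $before -> $after"
    else
        echo "RoT Version did not increase ($before -> ${after:-unknown})" >&2
        return 5
    fi
}

# Run as: sh <this script> run [path-to-picose-fw-upgrade]
if [ "${1:-}" = "run" ]; then upgrade_and_verify "${2:-}"; fi
```

A non-zero return from upgrade_and_verify tells you which step to look at: 3 for validation, 4 for the upgrade itself, 5 when the upgrade ran but the reported version did not move.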
Read carefully before using the software.
THIS IS A LEGAL AGREEMENT BETWEEN THE END USER OF THE ACCOMPANYING SOFTWARE ("you" or "Customer") AND NAGRAVISION SA ("Nagravision").
By installing or using the Software, you are agreeing to be bound by the terms of this Agreement. If you have any questions or concerns about the terms of this Agreement, please contact Nagravision prior to using the Software. If you do not agree with these terms, do not install or use the Software.
Notice Regarding Limitation of Liability: This Agreement limits the liability of Nagravision and your corresponding remedies. You are urged to read this Agreement carefully.
Software License Agreement: THIS SOFTWARE LICENSE AGREEMENT (this "Agreement") is entered into as of the date of the download of the Software (the "Effective Date") by and between NAGRAVISION SA, a Swiss corporation with its principal offices at 22-24 Route de Geneve, 1033 Cheseaux-sur-Lausanne, Switzerland, and the Customer by whom the Software has been downloaded on the keySTREAM documentation portal.
Nagravision and Customer agree as follows:
As used in this Agreement:
"Documentation" means the user documentation relating to the Software that is provided in conjunction with the Software on the keySTREAM documentation portal.
"Intellectual Property Right" means any of the following: (i) all letters patent and applications for letters patent throughout the world, including all patent applications in preparation for filing anywhere in the world, all reissues, divisions, continuations, continuations-in-part, extensions, renewals, and reexaminations of any of the foregoing; (ii) common law and statutory trade secrets and all other confidential or proprietary or useful information that has independent value, and all know-how, in each case whether or not reduced to a writing or other tangible form; (iii) all copyrights, whether arising under statutory or common law, registered or unregistered, now or hereafter in force throughout the world, and all applications for registration thereof, whether pending or in preparation, all extensions and renewals of any thereof and all proceeds of the foregoing; (iv) all trademarks, trade names, corporate names, company names, business names, fictitious business names, trade styles, service marks, certification marks, collective marks, logos, other source of business identifiers, prints, and labels on which any of the foregoing have appeared or appear, designs and general intangibles of a like nature, now existing anywhere in the world or hereafter adopted or acquired, whether currently in use or not, all registrations and records thereof and all applications in connection therewith, whether pending or in preparation for filing, including registrations, recordings, and applications in any country, all reissues, renewals, and extensions thereof, all of the goodwill of the business connected with the use of, and symbolized by such items, and all proceeds of, and rights associated with, the foregoing; and (v) all proceeds of, and rights associated with, the foregoing (as appropriate to such rights), including the right to sue third parties for any actual or threatened past, present, or future infringements, dilutions or misappropriations of any of the foregoing, or for any injury to the goodwill associated with the use of any property or rights set forth in clause (iv), and all rights corresponding thereto throughout the world.
"Software" means the SCL integration kit as made accessible by Nagravision on the keySTREAM documentation portal under this Agreement.
Subject to Customer's compliance with all terms of this Agreement, Nagravision hereby grants to Customer, and Customer hereby accepts, a limited, fully paid up, non-exclusive, non-transferable, non-assignable and non-sublicensable license to use the Software internally solely, for testing and evaluation and validation purposes in a manner that is consistent with the Documentation.
Nagravision or its licensors own and shall retain all Intellectual Property Rights in the Software (including any improvements, derivative works, enhancements, extensions, upgrades, and modifications thereof or thereto, whether made or authored by Nagravision, Customer, or a third party) and in the Documentation. Customer shall not acquire any rights in the Software, the Documentation, or any improvements, derivative works, enhancements, extensions, upgrades, and modifications thereof or thereto, other than those expressly specified in Section 2.1 of this Agreement. Customer acknowledges that the Software and Documentation contain proprietary information and trade secrets of Nagravision and its licensors, if any, whether or not any portion thereof is or may be the subject of a valid copyright or patent.
Customer shall not: (a) exceed the scope of the licenses granted in this Section 2; (b) sublicense, assign, delegate, rent, lease, sell, time-share, distribute or otherwise transfer the licenses granted hereunder or any of the related rights or obligations, whether as a stand-alone or bundled Software, for any reason, and any attempt to make any such sublicense, assignment, delegation or other transfer by Customer shall be void; (c) reverse engineer, decompile, disassemble or otherwise attempt to learn the source code, structure, algorithms or ideas underlying the Software; (d) release the results of any report developed or commissioned by Customer with respect to the performance or functional evaluation of any Software to any third party without prior written approval of Nagravision for each such release; (e) modify, translate or create derivative works of the Software without the prior written consent of Nagravision; (f) possess or use the Software or any portion thereof, other than in the machine-readable object code form provided by Nagravision; or (g) remove any copyright, trademark, patent or other proprietary notices that appear on the Software or copies thereof.
This Agreement and the licenses granted hereunder shall remain in effect for the time an integration project which requires the use of the Software is conducted. Notwithstanding the foregoing, this Agreement and the licenses granted hereunder shall automatically terminate if Customer fails to comply with the terms and conditions of this Agreement or ceases to do business, including, without limitation, a winding down of operations, assignment to a receivership, bankruptcy or otherwise. Upon such termination, all licenses granted hereunder by Nagravision shall terminate and Customer shall immediately cease its use of the Software. Customer shall, immediately upon such termination, destroy all Software, Documentation, and other materials and information provided by Nagravision and any copies thereof made by Customer, including copies in all forms, partial and incomplete, on any types of media and in any computer memory, and whether or not modified or merged in other materials. Upon Nagravision's request, Customer shall certify to Nagravision in a writing signed by Customer that it has retained no copies of such Software, Documentation, materials, or information. Termination shall not limit Nagravision from pursuing any other available remedies.
NAGRAVISION AND ITS LICENSORS PROVIDE THE SOFTWARE AND DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY NAGRAVISION SHALL CREATE A WARRANTY.
EXCEPT FOR FRAUD AND WILFUL MISCONDUCT, NAGRAVISION SHALL NOT BE LIABLE, WHETHER IN CONTRACT, IN TORT OR UNDER ANY WARRANTY FOR ANY LOSSES OR DAMAGES ARISING UNDER THIS AGREEMENT. THIS EXCLUSION OF LIABILITY SHALL NOT APPLY TO LIABILITY OF NAGRAVISION FOR DEATH OR PERSONAL INJURY CAUSED BY THE NEGLIGENCE OF NAGRAVISION IN ANY JURISDICTION WHERE BY LAW SUCH LIABILITY CANNOT BE LIMITED OR EXCLUDED.
Customer shall, in its use of the Software, comply with all applicable export and import control laws and regulations of any country or regulatory regime having jurisdiction over an export or re-export of such Software. Customer will defend, indemnify, and hold harmless Nagravision from and against any violation of such laws or regulations by Customer or any of its agents, officers, directors or employees.
This Agreement and all matters relating to this Agreement shall be construed and controlled by the laws of Switzerland, without reference to its conflict of law provisions or to international conventions. Any litigation arising out of or in connection with this Agreement shall be submitted to the exclusive competence of the courts of the Canton of Vaud, Switzerland. For the avoidance of doubt, the United Nations Convention on Contracts for the International Sales of Products shall not apply to this Agreement or other transactions contemplated under this Agreement.
Customer agrees and acknowledges that any breach of Section 2, or any other misappropriation, misuse, or infringement by Customer of Nagravision's Intellectual Property Rights, would cause Nagravision injury for which monetary damages would not be an adequate remedy. Accordingly, in the event of such a breach or threatened breach, Nagravision shall be entitled to apply for injunctive relief in any court of competent jurisdiction without prejudice to the other remedies available to such party for such breach or threatened breach.
If Nagravision employs attorneys to enforce any rights arising out of or relating to this Agreement, the prevailing party shall be entitled to seek its reasonable attorney fees, costs, and other expenses.
This Agreement contains the entire understanding between the parties and supersedes all prior or contemporaneous oral or written agreements regarding the subject matter hereof. This Agreement does not obligate either party to enter into any other agreement or relationship with the other party. Nothing in this Agreement shall be deemed to create a partnership or joint venture between the parties. The terms of this Agreement shall prevail over any additional or inconsistent terms contained in a Customer purchase order or other documents, and such additional or inconsistent terms will have no force or effect. Customer may not assign its rights or obligations under this agreement without Nagravision's prior written consent. It is further understood and agreed that no failure or delay by either party in exercising any right, power or privilege hereunder will operate as a waiver thereof, nor will any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any right, power, or privilege hereunder. If any provision of this agreement is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.