# Raspberry PI Edge Setup

Edge requires a TPM chip to function. The Infineon OPTIGA SLB 9670 can be used with Raspberry PI 3 Model B+ to provide TPM 2.0 support. The Edge has been tested with 18.04.2, 20.04.1 and 20.04.3. 20.04.3 should be used for all new development.

# Prerequisites

Raspberry PI 3 Model B+
Infineon, OPTIGA SLB 9670 TPM2.0 Iridium Board
Monitor and HDMI cable, USB Keyboard, Mouse, Power & Network Cable
Micro SD Card 16 GB, ScanDisk,Ultra,10,A1
SD Card Reader for Flashing Operating System
Download & Install SD Card Formatter in your Laptop
Download & Install etcher in your laptop
Download Ubuntu 18.04.2, ubuntu-18.04.2-preinstalled-server-armhf+raspi3.img.xz or Ubuntu 20.04.1, ubuntu-20.04.1-preinstalled-server-armhf+raspi.img.xz or Ubuntu 20.04.3, ubuntu-20.04.3-preinstalled-server-armhf+raspi.img.xz
Access to Ability Platform instance with configured Device Provisioning Service
Access to ABB Ability™ Edge deliverables
ABB proxy address for your country
Type Definitions uploaded to your ABB Ability™ Platform instance

# Edge System Setup

In order to provision an edge, it is necessary to mount TPM2.0 chip properly on Raspberry PI as indicated below.

Setup Image

# Ubuntu Installation

Proceed to these steps to install an OS:

Put SD card in Card-Reader and Format it using SD Card Formatter tool.
Flash the Ubuntu image and an SD card using Etcher Tool.
Put same SD card to your RaspberryPI device connected with a Monitor and HDMI cable, Keyboard, Mouse, Power & Network Cable.
On RaspberryPI boot up black screen, login with default username as 'ubuntu' and password as 'ubuntu'
On first login, RaspberryPI will ask you to change your default password.

Disable automatic updates.

sudo vim /etc/apt/apt.conf.d/20auto-upgrades

Change both settings to 0 as shown.

APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";

Save and Exit.

When on the ABB network, it is necessary to configure the ABB Internet Proxy and use a valid NTP time server to set the system time at startup. ABB networks do not allow synchronization with external time sources. ABB IS provides time.abb.com for machines running on the ABB network.
- Edit /etc/systemd/timesyncd.conf and replace its content with:
```
[Time]
NTP=time.abb.com
```
Then run command systemctl restart systemd-timesyncd to make new changes effective immediately. Keep in mind that NTP synchronizes system clock by altering it in tiny increments, hence a skewed system clock may take up to an hour to catch up with the standard time.
Optional. Change the default time zone if desired.

To set a default system time zone, run the following command:
```
rm /etc/localtime && ln -sf /usr/share/zoneinfo/Europe/Helsinki  /etc/localtime
```
Substitute the path to zoneinfo file to desired geolocation; the UTC time zone file is located at /usr/share/zoneinfo/UTC.
Optional. Change the hostname by editing /etc/hostname. Replace the default hostname 'ubuntu' with your custom hostname.

REBOOT before proceeding with setup. Verify hostname, time, timezone and internet access is available.

# Setup Process

Install supporting tools

WARNING

Do not run an upgrade sudo apt-get upgrade. An upgrade will advance the OS kernel and this version has not been verified yet.
```
sudo apt-get update && sudo apt install -y build-essential unzip
```
Install Linux kernel to activate TPM module to work on Raspberry PI. Aquire either the 18.04 or 20.04 kernel as needed. All new develoment should use the 20.04.3 version of Ubuntu.

The 18.04.2 Kernel can be downloaded from SharePoint, or from a member of edge security team (Shivu Patil). No matter where the zip archive is acquired from, validate its MD5 checksum ensure that it matches bb7d5756304260c76cdb25e3b08ad40a. Transfer the zip file to the Raspberry PI and rename it to linux_415.zip. The procedure below is expecting the file in the /home/ubuntu folder.

The 20.04.1 Kernel can be downloaded from SharePoint, or from a member of edge security team (Shivu Patil). No matter where the zip archive is acquired from, validate its MD5 checksum ensure that it matches 68ffbc22b2c73a399a933683b049f1a1. Transfer the zip file to the Raspberry PI and rename it to linux_540.zip. The procedure below is expecting the file in the /home/ubuntu folder.

The 20.04.3 Kernel can be downloaded from SharePoint, or from a member of edge security team (Shivu Patil). No matter where the zip archive is acquired from, validate its MD5 checksum ensure that it matches 5a02c2d51d3e3caa4c7b89c5109e2c73. Transfer the zip file to the Raspberry PI and rename it to linux_540_1044.zip. The procedure below is expecting the file in the /home/ubuntu folder.

Custom Kernel

The Ability Edge only works with Ubuntu at this time. A custom kernel is required to access the Infineon TPM chip. Infineon provides a procedure to create a Raspian Kernel here. The zip file contains a Doc folder with a PDF with the detailed instructions for Raspian. The procedure was used as a template to build the customer Ubuntu kernel provided by Ability. ABB will provide updated instructions in a future release.
If using 18.04.2 or 20.04.1, skip to step 4. If using the 20.04.3 kernel, use the steps below to install the new kernel.

   sudo -i
   cd /home/ubuntu
   unzip linux_540_1044.zip
   cd linux
   ./tpm_install.sh
   exit

Skip to step 6.

Use the following procedure to install the kernel.

Important

All the following steps must be performed as the root user.

sudo -i
cd /home/ubuntu
unzip linux_415.zip   // or linux_540.zip 
cd linux
make modules_install
cp arch/arm/boot/zImage /boot/vmlinuz
cp arch/arm/boot/dts/*.dtb /boot/
cp arch/arm/boot/dts/overlays/*.dtb* /boot/firmware/overlays/
cp arch/arm/boot/dts/overlays/README /boot/firmware/overlays/
exit

Edit /boot/firmware/config.txt

sudo vim /boot/firmware/config.txt

Add dtoverlay=infineon-tpm to the file if not already present and save and exit.

Edit system configuration to load TPM related modules in Raspberry PI.

Edit/etc/modules with sudo vim /etc/modules and add tpm_tis_spi as shown.

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
tpm_tis_spi

Reboot with sudo reboot.

ll /dev/tpm*
crw------- 1 root root  10,   224 Jan 28  2018 /dev/tpm0
crw------- 1 root root 253, 65536 Jan 28  2018 /dev/tpmrm0

Once rebooted, Edge software can be installed and configured.

# Install the Edge

Each release of the ABB Ability™ Platform also has a release of the ABB Ability™ Edge software. After the hardware is running Ubuntu, use the following procedure to install the correct software for the version of the ABB Ability™ Platform instance the ABB Ability™ Edge will communicate with. Use the following link for the latest installation information.

ABB Ability™ Edge Software Installation

# Configure Ability PKI for the Edge

Ability Public Key Infrastructure offers services including Certificate enrollment, renewal, revocation etc. Ability Edge provides configuration place holders to be updated by the developers depending upon the purpose (dev/test/production), when updated Ability Edge autonomously enroll itself with the Ability PKI based on the configuration. The certificates rooted in the Ability ROOT CA are used for authentication of the devices connecting to the Ability Platform.

Unlocking and Clearing TPM

The TPM can be locked or fail to clear in some situations. When the TPM is locked, use the TSS tool to unlock it and the Edge Decommissioning Package to clear the TPM. Whenever the Raspberry PI is reloaded, the Edge Decommissioning Package should be used to clear the TPM.

# Next Steps

The ABB Ability™ Edge should be up and running. Additional development and testing can continue from here.

← B&R 3100 Edge Setup Module Development Guide →