Subject to Wind River Terms of Use - Do Not Copy – Do Not Distribute

EDUCATION SERVICES

Wind River 5.x and Gateway Solutions for IoT

Version 1.0 A

LECTURE GUIDE

Volume 2 of 2

LECTURE GUIDE Wind River Linux 5.x and Intel Gateway Solutions for IoT, Version 1.0 A Education Services Production Date: October 2014

Copyright c 2014 Wind River Systems, Inc.

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means without the prior written permission of Wind River Systems, Inc.

Wind River, Tornado, and VxWorks are registered trademarks of Wind River Systems, Inc. The Wind River logo is a trademark of Wind River Systems, Inc. Any third-party trademarks referenced are the property of their respective owners. For further information regarding Wind River trademarks, please see:

http://www.windriver.com/company/terms/trademark.html

Wind River may refer to third-party documentation by listing publications or providing links to third-party Web sites for informational purposes. Wind River accepts no responsibility for the information provided in such third-party documentation.

This document is designed to support the Wind River Linux 5.x and Intel Gateway Solutions for IoT course. It is not designed as a stand-alone document, nor is it intended as a substitute for documentation that accompanies Tornado, VxWorks, or Wind River Workbench or any other Wind River Systems, Inc. or hardware product.

http://education.windriver.com Education Services Department Wind River Systems, Inc. 500 Wind River Way, Alameda, CA 94501 510-748-4100 (phone) 510-749-2454 (fax) E-mail: [email protected] For training outside of North America, please contact your local sales office.

Contents

8 Integrity Measurement 1

9 Managing IDP Targets Remotely 41

10 Connectivity 89

11 IDP Application Stacks 115

12 Linux GRSecurity 141

13 Additional Resources from Wind River 169


Integrity Measurement

© 2014 Wind River Systems, Inc.


Agenda

Integrity Measurement

• What Is Integrity Measurement? • Role of IM Tools • Application Integrity Measurement (AIM) • Maintaining Integrity Measurement • Embedded Control


Objectives

By the end of this chapter you will be able to:
• Configure a platform project with a tamper-proof file system
• Identify the tools provided with IDP for integrity measurement
• Differentiate between controlled and uncontrolled software invocation


What Is Integrity Measurement?

• Integrity measurement is a way to validate that the software image has not changed since it was last successfully installed or updated.
• Using a tamper-proof file system is one way to accomplish this goal.
• You enable the tamper-proof file system by configuring the platform project with --enable-addons=wr-idp.
• The feature is included by default provided the file system image you deploy is the *-dist-srm.tar.bz2 variant, for example projDir/export/images/wrlinux-image-glibc-idp-quark-dist-srm.tar.bz2. The plain (non -srm) image does not carry the file signatures, so nothing is enforced on it.


Integrity Measurement Architecture (IMA)

• IMA is an open-source component based on Trusted Computing Group (TCG) specifications.
• It is part of the Linux security subsystem, with both kernel and run-time (user-space) components.
• IMA maintains a run-time measurement list and, if anchored in a hardware trusted platform module (TPM), an aggregate integrity value over this list.
– Anchoring the aggregate in the TPM means a software attack cannot alter the measurement list without detection: the PCR value would no longer match the list.
– On a trusted-boot system, IMA can be used to attest the system's run-time integrity to a remote verifier.
• The kernel exports the measurement list through securityfs; the per-file reference values used for appraisal (hashes or signatures) are stored in the security.ima extended attribute of each file.


Linux Kernel AIM
• Aliases: tamper-proof file system, IMA appraise, application integrity measurement.
– Every executable program and script is verified against its RSA signature when the kernel loads it through execve() or maps it with mmap().
– Signatures are stored in extended attributes (named file metadata, security.ima). A file whose signature is missing or fails to verify cannot be executed.


IM Tools

• imtools verifies RPM packages and certificates, and imports certificates and IMA signature lists into the kernel:
  imtools --verifycert        verify the CA certificate from the vendor and import the verified certificate into the kernel
  imtools --listcert          list the CA certificates on the target
  imtools --removecert        remove a CA certificate from the target
  imtools --get-rpm-imasign   get the IMA signature list from an RPM package
  imtools --addimasign        import the IMA signature list into the kernel


Role of IM Tools

• Tamper-proof file system: prevents unauthorized software from running on the target system.
• Remote attestation: lets you verify that the software on the device has not been tampered with.
• Trusted boot: lets owners know that the system is booting the correct software image.
• SRM signing tool (SST): a Wind River host tool used to sign the boot loader, kernel and root file system files, as well as the RPM packages used for updates and upgrades.


SRM Signing Tool

• It is used to:
– create keys for the different roles (vendor, owner)
– sign GRUB images and inject root certificates
– sign the Linux kernel image
– sign all components (GRUB stage 2, Linux kernel, applications) in a rootfs tar ball
– sign RPM packages and the applications within the packages

Figure: the vendor/owner key pair and certificate feed SST, which turns unsigned software (GRUB stage 2, Linux kernel, rootfs tar ball, RPM package) into the corresponding signed artifacts.


SRM Signing Tool (SST)

• SST is located in the following folder: projDir/layers/wr-idp/wr-srm/recipes-devtools/sst/files
• You must have root privileges to use the sign-all subcommand.
• Boot behaviour with and without signatures:
– If the boot loader is not signed, the target boots. If the boot loader is signed but with an incorrect SST owner certificate, the system does not boot.
– If the boot loader is signed but the kernel is not correctly signed by SST, the target does not boot.
– If neither the boot loader nor the kernel image is signed, the target boots.
• In other words, verification is enforced from the first signed component downward: an unsigned boot loader does not check the kernel. For a production device, sign the whole chain starting with the boot loader.


SST

  $ ./SST
  ############################################################
  ##                                                        ##
  ##               This is SRM Signing Tool!                ##
  ##                                                        ##
  ############################################################
  ERROR: no sub-command provided

  SYNOPSIS: SST - Unified command line interface for SRM enablement

  SYNTAX: ./SST [target]

  SUB-COMMAND:
    create-key:       create private keys and X509v3 certificates
    sign-bootloader:  process boot-loader images (u-boot or grub)
    sign-kernel:      process Linux kernel images (uImage or bzImage)
    sign-app-folder:  process a folder and generate a signature list
    sign-rpm:         process RPM packages
    sign-all:         process a Wind River target rootfs tarball


FIPS 140-2 OpenSSL
• The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules.
• IDP 2.0 offers prebuilt binaries:
– OpenSSL FIPS module: /usr/local/ssl/fips-2.0/lib/fipscanister.o
– FIPS 140-2 compatible OpenSSL application: /usr/local/ssl/bin/openssl
– FIPS 140-2 compatible OpenSSL static library: /usr/local/ssl/lib/libcrypto.a
– FIPS 140-2 compatible OpenSSL shared library: /usr/local/ssl/lib/libcrypto.so


Application Integrity Measurement (AIM)

• The tamper-proof file system, also known as application integrity measurement (AIM), is part of the IDP secure remote management (SRM) feature.
• It prevents end users from modifying the device software and from executing unauthorized applications on the device.
– The device software can only be updated through the authorized approaches provided by SRM.
• AIM checks that an application has not been tampered with before the kernel is allowed to load and run it.
• NOTE: The measurement covers executable files only, not configuration files. Protecting configuration files is the role of other mechanisms, such as the Change Control component described under Embedded Control later in this chapter.


Application Integrity Monitor

Figure: tampered applications (marked X) are refused while intact applications run; the Linux kernel IMA appraisal patches provide assurance that the file system has not been tampered with, either online or offline.

File Level Integrity Measurement
• Performs integrity checks before the Linux kernel runs an executable file or maps a shared library, by verifying the RSA signatures of the files.
• Applications without a valid signature created with an authorized certificate cannot be executed.


User Space Integrity Measurement

• The purpose of application integrity measurement is to assure that the results of running text-based scripts can be trusted when the system invokes them with a controlled approach.

• Controlled approach (the script file itself is the exec target and is appraised):
  $ ./certain-script.sh
  $ /root/certain-perl-script.pl

• Uncontrolled approach (the interpreter is the exec target; the script is only read as data):
  $ bash ./certain-script.sh
  $ perl /root/certain-perl-script.pl


Application Resource Control

• Role-based control policies, or per-application policies.
• System resource management capabilities include memory, CPU, file and network resources.
• Applications run in a chroot jail.
• Applications get killed if they do not follow the policies.
• GRSecurity-based resource control with advanced memory and file system protection, including PaX and Address Space Layout Randomization (ASLR).

Figure: applications run under GRSecurity resource control policies enforced by the GRSecurity-patched Linux kernel.

A good overview is available at http://en.wikipedia.org/wiki/Grsecurity


Controlled Approach

• The tamper-proof feature always prevents compiled executables and text-based plain scripts from running if they cannot present a verified signature.
– Text-based plain scripts are bash, Perl or Python scripts invoked from an absolute or relative path, so that the script file itself is what the kernel executes and appraises:
  $ ./certain-script.sh
  $ /root/certain-perl-script.pl
• However, when such a script is passed to the interpreter as an argument, the exec target is the (signed) interpreter and the script is merely opened and read; the tamper-proof feature does not prevent it from running. Running from the interpreter is not a controlled approach:
  $ bash ./certain-script.sh
  $ perl /root/certain-perl-script.pl
• Consequently, a system that must never run unsigned scripts also has to restrict who may invoke the interpreters themselves, for example through the GRSecurity policies described above.

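The difference between the controlled and uncontrolled invocations above comes down to which file the kernel hands to execve(): IMA appraisal runs on that file (and, for a `#!` script, on its interpreter), not on files the interpreter later opens as data. The following Python model is an added illustration of that decision logic, not code from Wind River or the IDP. Its in-memory file system, the file contents, the paths under /root and the textbook RSA key (two well-known Mersenne primes, no padding, SHA-224 digest) are all constructed for the example; the real product uses keys and certificates generated with SST and signatures written by sign-app-folder into the security.ima attribute.

```python
"""Model of IMA-appraise (tamper-proof file system) decisions at execve().

Added example, not Wind River code. An in-memory file system stands in for
the target rootfs, and a textbook RSA signature over a SHA-224 digest stands
in for the RSA signature IDP stores in the security.ima extended attribute.
"""
import hashlib
from dataclasses import dataclass, field

# Toy RSA key: both primes are public knowledge, so this is NOT a real key.
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q                       # ~234 bits: a 224-bit digest fits without padding
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)             # what the kernel keyring would hold from the CA cert


def sign(content: bytes) -> int:
    """Vendor side (SST host): sign the file digest with the private key."""
    digest = int.from_bytes(hashlib.sha224(content).digest(), "big")
    return pow(digest, D, N)


def verify(content: bytes, signature: int, pubkey=PUBLIC_KEY) -> bool:
    """Target side: recompute the digest and compare with the recovered value."""
    n, e = pubkey
    digest = int.from_bytes(hashlib.sha224(content).digest(), "big")
    return pow(signature, e, n) == digest


@dataclass
class File:
    content: bytes
    xattrs: dict = field(default_factory=dict)   # "security.ima" -> signature


def install_signed(fs: dict, path: str, content: bytes) -> None:
    """Mimics sign-app-folder: store the file together with its security.ima xattr."""
    fs[path] = File(content, {"security.ima": sign(content)})


def appraise(f: File) -> bool:
    """IMA appraisal: a missing or non-verifying signature fails."""
    sig = f.xattrs.get("security.ima")
    return sig is not None and verify(f.content, sig)


def execve(fs: dict, argv: list):
    """Kernel exec path. Returns (allowed, paths that were appraised).

    The kernel appraises argv[0]; for a '#!' script it then appraises the
    interpreter named on the first line. A script passed as argv[1] to
    'bash' is opened as data by bash and is NOT appraised by an exec/mmap policy.
    """
    appraised = [argv[0]]
    target = fs.get(argv[0])
    if target is None or not appraise(target):
        return False, appraised
    if target.content.startswith(b"#!"):
        interp = target.content.split(b"\n", 1)[0][2:].strip().decode()
        appraised.append(interp)
        if interp not in fs or not appraise(fs[interp]):
            return False, appraised
    return True, appraised


def build_fs() -> dict:
    """Constructed rootfs: signed interpreters and two signed scripts."""
    fs = {}
    install_signed(fs, "/bin/bash", b"\x7fELF bash binary (constructed)")
    install_signed(fs, "/usr/bin/perl", b"\x7fELF perl binary (constructed)")
    install_signed(fs, "/root/certain-script.sh",
                   b"#!/bin/bash\necho signed script\n")
    install_signed(fs, "/root/certain-perl-script.pl",
                   b"#!/usr/bin/perl\nprint \"signed\\n\";\n")
    return fs


def tamper(fs: dict, path: str, payload: bytes) -> None:
    """Offline edit of the file body: the xattr signature no longer matches."""
    fs[path].content += payload


if __name__ == "__main__":
    fs = build_fs()
    print("controlled, intact  :", execve(fs, ["/root/certain-script.sh"]))
    tamper(fs, "/root/certain-script.sh", b"rm -rf /data\n")
    print("controlled, tampered:", execve(fs, ["/root/certain-script.sh"]))
    print("uncontrolled        :", execve(fs, ["/bin/bash", "/root/certain-script.sh"]))
```

The third call shows the gap the slide warns about: only /bin/bash is appraised, so the tampered script runs. Closing it requires either appraising file reads as well (a stricter IMA policy) or preventing untrusted users from invoking the interpreters at all.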


Secure Package Management

1. A trust relationship is established: the trusted software vendor's certificate is placed in the authorized certificate storage on the deployed target.
2. The files are assembled into an RPM package.
3. The package is signed with the private key belonging to that certificate.
4. The signed package is added to the repository.
5. The target is notified to update.
6. The target downloads the package.
7. The package integrity is checked against the authorized certificates.
8. The files are written to disk.

The repository is typically accessed via https, but other protocols may be used; it is the package signature, not the transport, that the target trusts.


Encrypted Storage
• dm-crypt inserts a software layer between a virtual device and the real block device to transparently encrypt and decrypt data on the fly as it is written to and read from the block device.
• cryptsetup is the front-end tool used to create dm-crypt managed block devices under Linux.
• The key for the encrypted storage can be protected by the TPM's sealing function so that only a device running the trusted software stack can access the encrypted storage: the key is sealed to PCR values recorded during boot and is released only if the same values are present.

Figure: GRUB-ima (stage 1, stage 2) and the kernel boot command line extend measurements into TPM PCRs (PCR4, PCR5, PCR8). In user space, cryptsetup obtains the key by unsealing it from the TPM (sealed by those PCRs) and asks the kernel device-mapper/dm-crypt layer to create the virtual encrypted device /dev/mapper/encrypted_sdb on top of the real device /dev/sdb.
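The following Python model is an added illustration of the sealing step in the figure, not Wind River code and not a TPM driver. It reproduces the TPM 1.2 PCR extension rule and models sealing as wrapping the volume key under a secret that only the TPM holds, combined with the expected PCR values, so that a changed boot component or kernel command line makes the unseal fail and the dm-crypt device is never set up. The assignment of components to PCRs (stage 1 to PCR4, stage 2 to PCR5, kernel and command line to PCR8), the TPM secret and the boot component contents are assumptions constructed for the example.

```python
"""Model of a TPM-sealed dm-crypt key released only to a trusted boot chain.

Added example, not Wind River code. TPM_Extend follows the TPM 1.2 rule
PCR_new = SHA1(PCR_old || SHA1(measurement)). Sealing is modelled as an
HMAC-derived key wrap bound to the selected PCR values; real TPM sealing,
GRUB-ima and cryptsetup are not invoked.
"""
import hashlib
import hmac

# Models the TPM's storage root secret: lives inside the TPM, never exported.
TPM_SECRET = b"constructed-device-unique-tpm-secret"
ZERO_PCR = b"\x00" * 20          # PCRs start at zero after reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: a PCR can only be moved forward, never set to a chosen value."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measured_boot(stage1: bytes, stage2: bytes, kernel: bytes, cmdline: bytes) -> dict:
    """PCR values after a GRUB-ima boot of the given components (assumed PCR layout)."""
    return {
        4: extend(ZERO_PCR, stage1),
        5: extend(ZERO_PCR, stage2),
        8: extend(extend(ZERO_PCR, kernel), cmdline),
    }


def policy_digest(pcrs: dict) -> bytes:
    """Composite of the selected PCRs, in fixed order, that the sealed blob is bound to."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()


def _mask(policy: bytes, length: int) -> bytes:
    # Key-wrapping mask derived inside the 'TPM' from its secret and the PCR policy.
    return hmac.new(TPM_SECRET, b"seal:" + policy, hashlib.sha256).digest()[:length]


def seal(volume_key: bytes, pcrs: dict) -> dict:
    """Provisioning time, in the trusted state: bind the dm-crypt key to these PCRs."""
    if len(volume_key) > 32:
        raise ValueError("model supports keys up to 32 bytes")
    policy = policy_digest(pcrs)
    blob = bytes(k ^ m for k, m in zip(volume_key, _mask(policy, len(volume_key))))
    tag = hmac.new(TPM_SECRET, policy + blob, hashlib.sha256).digest()
    return {"policy": policy, "blob": blob, "tag": tag}


def unseal(sealed: dict, pcrs: dict):
    """Boot time: the TPM releases the key only if the current PCRs match the policy."""
    policy = policy_digest(pcrs)
    if not hmac.compare_digest(policy, sealed["policy"]):
        return None                      # boot chain differs from sealing time
    expected = hmac.new(TPM_SECRET, policy + sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None                      # sealed blob was altered on disk
    mask = _mask(policy, len(sealed["blob"]))
    return bytes(b ^ m for b, m in zip(sealed["blob"], mask))


def open_encrypted_storage(sealed: dict, boot_components: tuple) -> bool:
    """What the cryptsetup step in the figure amounts to: unseal, then map the device."""
    key = unseal(sealed, measured_boot(*boot_components))
    if key is None:
        return False                     # no key: /dev/mapper/encrypted_sdb is never created
    return True                          # cryptsetup would feed `key` to dm-crypt for /dev/sdb


if __name__ == "__main__":
    trusted = (b"grub stage1 (constructed)", b"grub stage2 (constructed)",
               b"bzImage (constructed)", b"root=/dev/sda2 ro quiet")
    sealed = seal(bytes(range(32)), measured_boot(*trusted))
    print("trusted boot      :", open_encrypted_storage(sealed, trusted))
    shell_cmdline = trusted[:3] + (b"root=/dev/sda2 ro init=/bin/sh",)
    print("init=/bin/sh added:", open_encrypted_storage(sealed, shell_cmdline))
    patched = (b"patched stage1",) + trusted[1:]
    print("patched stage 1   :", open_encrypted_storage(sealed, patched))
```

Note the command-line case: appending init=/bin/sh leaves the boot loader and kernel measurements untouched but changes PCR8, so the storage stays locked. This is why the figure measures the boot command line and not only the binaries.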


Repository Management

• An RPM repository server maintains the customized packages for your SRM solution. Typically the RPM repository is set up on a separate machine.
• You can use local repositories (on the target itself) and remote repositories (located on a remote system).
• Use the spm_repo tool to manage (add, remove, list) both local and remote repositories:
  # spm_repo --help
  Usage: spm_repo --addremote
                  --deleterepo
                  --addlocal
                  --listrepo
                  --installrpm
                  --deleterpm
                  --listrpm
                  (--verbose)

Remote repositories are mapped to a repo name that lets the tools use the same format for both local and remote repositories for commands other than addremote.


Package Management

• The spm_repo tool also manages the packages themselves.
• Install an RPM with: # spm_repo --installrpm rpmname
• List installed RPMs with: # spm_repo --listrpm
• Remove an RPM with: # spm_repo --deleterpm rpmname


RPM5

• Wind River Linux uses RPM version 5.
• RPM5 is compatible with RPM4 at the command line.
• RPM5 is faster at queries (rpm -q).


RPM Package Verification
• RPM related enhancements:
– The RPM header is extended to store an RSA signature that is verified with OpenSSL instead of the traditional GnuPG, backed by the root of trust (authorized certificates) retained in the Linux kernel.
– RPM package management is encapsulated in the software stack shown in the figure below: RPM5 or smartpm can only install RPM packages that are successfully verified against the extended header.


OMA Device Management

• The OMA Device Management (OMA DM) specification, created by the Open Mobile Alliance (OMA) Device Management (DM) Working Group, is designed to manage mobile devices such as mobile phones, PDAs and tablet computers. Device management is intended to support the following uses:
– Provisioning: configuring the device (including first-time use), enabling and disabling features
– Device configuration: allowing changes to device settings and parameters
– Software upgrades: loading new software or bug fixes on the device, including applications and system software
– Fault management: reporting errors from a device, or querying the status of a device


OMA Device Management (cont’d)

• The OMA DM specification supports all of the above functions, and a device may implement all or a subset of them. Since the specification is aimed at mobile devices, it is designed with sensitivity to:
– small-footprint devices, where memory and storage space may be limited
– constraints on communication bandwidth, such as wireless connectivity
– tight security, as the devices are vulnerable to software attacks; authentication and challenges are part of the specification


OMA Device Management (cont’d)

• SRM utilizes the Works Systems OneAgent OMA Device Management Communications (DMC) agent.
• The agent supports several OMA DM management objects (MO) through extensible wrappers (MO wrappers).
• The DM agent reports device information to, and executes commands from, a remote OMA DM server using the OMA DM protocol.
• Currently the following objects are supported: DevInfo, DMAcc, ConnMO and SCOMO.
• Configure with --with-layer=wr-wks-oneagent-oma-dm-ia


OMA Device Management (cont’d)

• Technically, the OMA DM protocol uses XML for data exchange (more specifically, the subset defined by SyncML).
• Device management takes place through communication between a server (which manages the device) and a client (the device being managed).
• OMA DM is designed to support and utilize any number of data transports:
– physically over both wireline (USB, RS-232) and wireless media (GSM, CDMA, IrDA or Bluetooth)
– transport layers implemented over any of WSP (WAP), HTTP, OBEX or similar transports


OMA Device Management (cont’d)

• The communication protocol is a request-response protocol.
• Authentication, and challenging for authentication, are built in, so that server and client only proceed after proper validation.
• Both server and client are stateful: after authentication, a specific sequence of messages must be exchanged to perform any task.
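The challenge-response exchange just described, as an added example that is not part of the original course material and not Works Systems or Wind River code. It builds the SyncML XML with the Python standard library and implements the syncml:auth-md5 credential scheme, in which the client presents B64(MD5(B64(MD5(user:password)) ":" nonce)) for a nonce the server supplied in a Chal element. The server URL, device identifier, account and nonces are constructed for the example; the Status codes used are the ones the specification defines for this purpose (407 credentials required, 401 invalid credentials, 212 authentication accepted).

```python
"""Model of an OMA DM (SyncML) authentication challenge and response.

Added example, not Wind River or Works Systems code. Shows why the protocol
is request-response and stateful: the server must remember the nonce it
challenged each device with before it can validate the next message.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SERVER_URI = "https://dm.example.invalid/oma-dm"   # constructed
DEVICE_ID = "IMEI:004401234567890"                  # constructed device identifier


def auth_md5(user: str, password: str, nonce: bytes) -> str:
    """syncml:auth-md5 credential: B64(MD5(B64(MD5(user:pw)) ":" nonce))."""
    inner = base64.b64encode(hashlib.md5(f"{user}:{password}".encode()).digest())
    return base64.b64encode(hashlib.md5(inner + b":" + nonce).digest()).decode()


def client_package(session: str, msg_id: int, cred_digest=None) -> bytes:
    """Client -> server package. A Cred element is present only once a nonce is known."""
    root = ET.Element("SyncML")
    hdr = ET.SubElement(root, "SyncHdr")
    for tag, text in (("VerDTD", "1.2"), ("VerProto", "DM/1.2"),
                      ("SessionID", session), ("MsgID", str(msg_id))):
        ET.SubElement(hdr, tag).text = text
    ET.SubElement(ET.SubElement(hdr, "Target"), "LocURI").text = SERVER_URI
    ET.SubElement(ET.SubElement(hdr, "Source"), "LocURI").text = DEVICE_ID
    if cred_digest is not None:
        cred = ET.SubElement(hdr, "Cred")
        meta = ET.SubElement(cred, "Meta")
        ET.SubElement(meta, "Type").text = "syncml:auth-md5"
        ET.SubElement(meta, "Format").text = "b64"
        ET.SubElement(cred, "Data").text = cred_digest
    ET.SubElement(ET.SubElement(root, "SyncBody"), "Final")
    return ET.tostring(root)


class DMServer:
    """Minimal stateful server: remembers the nonce it challenged each device with."""

    def __init__(self, accounts: dict):
        self.accounts = accounts           # device id -> (user, password)
        self.nonces = {}                   # device id -> last NextNonce issued

    def handle(self, package: bytes) -> bytes:
        hdr = ET.fromstring(package).find("SyncHdr")
        device = hdr.findtext("Source/LocURI")
        cred = hdr.find("Cred")
        nonce = self.nonces.get(device)
        if cred is None or nonce is None:
            code = "407"                   # credentials required: challenge the client
        else:
            user, pw = self.accounts.get(device, ("", ""))
            presented = cred.findtext("Data") or ""
            good = (cred.findtext("Meta/Type") == "syncml:auth-md5"
                    and hmac.compare_digest(presented, auth_md5(user, pw, nonce)))
            code = "212" if good else "401"
        # A fresh nonce with every response: a captured Cred cannot be replayed.
        self.nonces[device] = os.urandom(16)
        return self._status(hdr, code, self.nonces[device])

    def _status(self, req_hdr, code: str, next_nonce: bytes) -> bytes:
        root = ET.Element("SyncML")
        hdr = ET.SubElement(root, "SyncHdr")
        ET.SubElement(hdr, "SessionID").text = req_hdr.findtext("SessionID")
        ET.SubElement(hdr, "MsgID").text = req_hdr.findtext("MsgID")
        status = ET.SubElement(ET.SubElement(root, "SyncBody"), "Status")
        ET.SubElement(status, "MsgRef").text = req_hdr.findtext("MsgID")
        ET.SubElement(status, "CmdRef").text = "0"        # 0 refers to the SyncHdr itself
        ET.SubElement(status, "Cmd").text = "SyncHdr"
        chal_meta = ET.SubElement(ET.SubElement(status, "Chal"), "Meta")
        ET.SubElement(chal_meta, "Type").text = "syncml:auth-md5"
        ET.SubElement(chal_meta, "Format").text = "b64"
        ET.SubElement(chal_meta, "NextNonce").text = base64.b64encode(next_nonce).decode()
        ET.SubElement(status, "Data").text = code
        return ET.tostring(root)


def status_code(package: bytes) -> str:
    return ET.fromstring(package).findtext("SyncBody/Status/Data")


def next_nonce(package: bytes) -> bytes:
    nonce_b64 = ET.fromstring(package).findtext("SyncBody/Status/Chal/Meta/NextNonce")
    return base64.b64decode(nonce_b64)


def run_session(server: DMServer, user: str, password: str):
    """Two round trips: unauthenticated package -> 407 plus nonce, then authenticated package."""
    reply1 = server.handle(client_package("1", 1))
    nonce = next_nonce(reply1)
    package2 = client_package("1", 2, auth_md5(user, password, nonce))
    reply2 = server.handle(package2)
    return status_code(reply1), status_code(reply2), package2


if __name__ == "__main__":
    server = DMServer({DEVICE_ID: ("dmuser", "dm-secret")})
    first, second, authenticated_pkg = run_session(server, "dmuser", "dm-secret")
    print("first message  :", first)                       # challenged
    print("second message :", second)                      # accepted
    print("replayed second:", status_code(server.handle(authenticated_pkg)))
```

The replay at the end fails with 401 because the server has already moved on to a new nonce; that per-message nonce, not the transport, is what protects the credential over the unencrypted transports the previous slide lists.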


Embedded Control
• Embedded Control is a combination of the McAfee Application Control and McAfee Change Control products.

Application Control:
• Dynamic whitelisting
• Secures against zero-day attacks
• Prevents unauthorized updates
• Prevents execution of unauthorized scripts
• Protects fixed-function systems
• Provides a trust model to authorize changes

Change Control:
• Monitors and prevents changes to the file system
• Write-protects files from unauthorized tampering
• Read-protects critical files
• Tracks changes to files in real time
• Records who made changes to which files

• Embedded Control is designed to work with Wind River Linux.


Embedded Control Features
• Execution control: controls what runs on your embedded devices.
– Allows only authorized software to run and permits only validated changes to the systems.
– Automatically creates a dynamic whitelist of the authorized programs and applications.
– Only programs contained in the whitelist can execute; other programs (scripts and binaries) are prevented from executing.
• System integrity: configures access to the protected systems.
– Prevents anyone from changing what is authorized to run on a system unless they present an authentication key.


Embedded Control Features

• Change tracking and control: tracks changes in real time.
– Allows changes only on the intended target systems and only through authorized means.
• Activity record and change visibility: records all activity on protected systems and provides visibility into the sources of change.
– Deploys only valid changes and prevents invalid changes from being deployed.
– Captures detailed information for every change to a protected system, including who, what, where, when and how.
• Low operational expense and overhead: no ongoing maintenance overhead.
– Does not depend on rules or signature databases and has a small footprint.


Questions

1. How do you enable the tamper-proof file system in IDP?
2. What is SST? Does it run on the target or on the host?
3. What is spm_repo?
4. Which uses are supported by OMA DM?


Answers

1. Configure with --enable-addons=wr-idp, then deploy the *-dist-srm.tar.bz2 tarball as the file system.
2. The SRM signing tool. It runs on the host.
3. spm_repo is the tool used to manage the repositories and packages for target system updates.
4. Provisioning, device configuration, software upgrades and fault management.


Review

In this chapter you learned to:
• Configure a platform project with a tamper-proof file system
• Identify the tools provided with IDP for integrity measurement
• Differentiate between controlled and uncontrolled software invocation


Managing IDP Targets Remotely


Agenda

Managing IDP Targets Remotely

• Edge Management System • TR-069 • OMA DM • Webif


Objectives

By the end of this chapter you will be able to: • Use cloud based Edge Management System • Log into Webif on the target system • Review the target system status • Alter target network device configuration • Modify target boot operation • Create new pages for Webif


Edge Management System

• Provides a foundation for building IoT apps • Event-based rules engine • Data visualization • API access to data • Delivered as “Software as a Service” • Multiple hosting options to fit customer requirements


Edge Management System Home Screen


Device Management - Overview


Device Management - Details


Device Management - SW Installation

Screenshot: software installation view showing the package temp_sw_install 1.4.3.


Charts


Alerts


Rules


Rules Definition


Actions


Actions Definition


Works Systems OneAgent TR-069

• Targeted towards wired connections (DSL, fiber, cable, etc.)
• TR-069: a protocol for communication between Customer Premise Equipment (CPE) and an Auto-Configuration Server (ACS). It combines secure auto-configuration and other CPE management functions within a common framework.
– It is extended by:
  • TR-098: data model for internet gateway devices (DSL modems with built-in routers)
  • TR-104: data model and specific items for VoIP devices
  • TR-106: a base object structure for TR-069 enabled devices
  • TR-110: a reference model for VoIP configurations
  • TR-111: applying TR-069 to the remote management of home networking devices
  • and more
• OneAgent TR-069 agent:
– Standards compliance: TR-069 Amendment 2, TR-111 Part 2, TR-142, TR-143 Corrigendum 1
– Advantages: complete TR-069 standard support; a total solution together with the ACS; fully optimized in-memory storage and run-time memory


OMA-DM
• A device management protocol specified by the Open Mobile Alliance (OMA) Device Management (DM) Working Group.
• Management objects:
– Connectivity Management Object (ConnMO)
– Firmware Update Management Object (FUMO)
– Software Component Management Object (SCOMO)
– Diagnostic and Monitoring Management Object (DiagMon)
– Device Capability Management Object (DCMO)
– ...
• Works Systems OneAgent DM client:
– Compact and easy to adapt: kept up to date with the OMA DM standards and management objects (MO), including the OMA-defined MOs, WiMAX MO, 3GPP IMS MO and ETSI M2M MO, plus a flexible framework for implementing firmware and software management functionality. Provides the major functions defined in the OMA DM protocol, including bootstrap, provisioning, configuration maintenance/management, software management, fault detection, query and reporting, and firmware update.
– Interoperability: Works Systems' OMA DM IOP server is ready for interoperability testing. Dedicated test tools are also available.


What Is Webif?

• Webif is a web browser-based interface for configuring network connections and checking the services running on the target.
• You can use Webif to configure your gateway or router (your IDP device) in much the same way you would configure a home Wi-Fi router.
• When you create a default SRM platform project, the project automatically includes the layers wr-idp-devkit and glibc-idp.
• This includes Webif in the project and sets up your IDP target to act as a gateway by default.


How Do You Connect?

• Example: the target's bridge interface br-lan, which contains at least the wlan0 (Wi-Fi) device, has the default IP address 192.168.1.1. Point your web browser at that address.
• The usual caveats apply: you must be associated with that wireless network, the target must be up and running, and so on.
• The target's SSID has the form IDPDK-xxxx, where xxxx is the last four hexadecimal digits of the WLAN MAC address.
• The default WPA2 passphrase is windriveridp.
• Both values are published defaults: the SSID pattern identifies the target as an IDP device to anyone in radio range, and the passphrase is printed in this guide. Change the Wi-Fi passphrase (Network > Wireless) and the Webif login before the target is used for anything beyond lab work.


Logging in to Webif


Webif Initial Screen


Webif Info

• The System tab:
  – gives basic information about the target system
• The Notes tab:
  – provides a place to keep notes about this system
  – notes are saved on the target system
• The About tab:
  – tells you about the creators of Webif


Webif Graphs Page


• The CPU tab:
  – displays CPU utilization over time
  – restarts the display each time you enter the page
• The Interface tab:
  – graphically displays the network traffic on each interface
  – can display in bits/sec or bytes/sec
  – autoscales the graphs


Webif Status Page


• The System tab:
  – shows the RAM used and available
  – shows tracked connections (see the Conntrack tab)
  – shows mount usage (the space used and the total space on each mounted file system)
• The Modules tab:
  – lists all currently loaded kernel modules (output of lsmod)
• The Processes tab:
  – shows the output of the BusyBox version of the ps command
  – refreshes every 20 seconds
  – after you stop the refreshes, you can send signals to processes


Webif Status Page (cont’d)

• The Interfaces tab:
  – displays address and traffic information for each network interface
  – the Show raw statistics button gives the output of ifconfig
• The Crontabs tab:
  – lists the contents of the directory /etc/crontabs
• The DHCP Clients tab:
  – displays each DHCP lease
• The Netstat tab:
  – displays the output of netstat
• The Conntrack tab:
  – displays the contents of /proc/net/nf_conntrack
  – lets you filter the output to find information more easily


Webif Status Page (cont’d)

• The Iptables tab:
  – displays the output of iptables -L (the filter table only; rules in the nat and mangle tables are not shown)
• The USB tab:
  – shows any attached USB devices
  – lets you unmount file systems
• The Diagnostics tab:
  – lets you ping a host
  – lets you traceroute to a host
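The Conntrack tab shows raw /proc/net/nf_conntrack lines and a filter box. The following is an added example, not code from the course or from Webif: a small parser for that text format, with the kind of filter a responder applies when checking what is flowing through a gateway (which hosts talk to which service ports, and which flows never received a reply). The sample entries are constructed, not captured from a real target.

```python
# Added example, not part of the Wind River course: a parser for the
# /proc/net/nf_conntrack text format that the Webif Conntrack tab displays,
# plus the kind of filter a responder applies when looking for unexpected
# sessions through a gateway.
import re
from collections import Counter

# Constructed sample entries in nf_conntrack format (not captured from a real target).
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.100 dst=192.168.1.1 sport=55344 dport=80 src=192.168.1.1 dst=192.168.1.100 sport=80 dport=55344 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.100 dst=203.0.113.5 sport=44120 dport=443 src=203.0.113.5 dst=192.168.1.100 sport=443 dport=44120 [ASSURED] mark=0 use=1
ipv4     2 udp      17 28 src=192.168.1.101 dst=192.168.1.1 sport=50231 dport=53 src=192.168.1.1 dst=192.168.1.101 sport=53 dport=50231 mark=0 use=1
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.1.1 dst=198.51.100.7 sport=39021 dport=1883 src=198.51.100.7 dst=192.168.1.1 sport=1883 dport=39021 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 20 SYN_SENT src=192.168.1.1 dst=198.51.100.9 sport=41000 dport=22 [UNREPLIED] src=198.51.100.9 dst=192.168.1.1 sport=22 dport=41000 mark=0 use=1
"""

_KV = re.compile(r"^(\w+)=(\S+)$")
_FLAG = re.compile(r"^\[(\w+)\]$")
_TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack_line(line):
    """Parse one nf_conntrack entry into a dict.

    Layout: l3proto l3num l4proto l4num timeout [state] key=value ...
    The src/dst/sport/dport group appears twice: first for the original
    direction, then for the reply direction. Bracketed words are flags.
    """
    parts = line.split()
    if len(parts) < 5:
        raise ValueError("not a conntrack entry: %r" % line)
    entry = {"l3proto": parts[0], "l4proto": parts[2], "timeout": int(parts[4]),
             "state": None, "orig": {}, "reply": {}, "extra": {}, "flags": []}
    rest = parts[5:]
    # TCP entries carry a state word before the first key=value pair; UDP ones do not.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    for tok in rest:
        kv = _KV.match(tok)
        if kv:
            key, value = kv.groups()
            if key in _TUPLE_KEYS:
                side = entry["orig"] if key not in entry["orig"] else entry["reply"]
                side[key] = value
            else:
                entry["extra"][key] = value
            continue
        flag = _FLAG.match(tok)
        if flag:
            entry["flags"].append(flag.group(1))
    return entry


def parse_conntrack(text):
    return [parse_conntrack_line(l) for l in text.splitlines() if l.strip()]


def select(entries, dport=None, state=None, unreplied=False):
    """Filter by original-direction destination port, TCP state, or the UNREPLIED flag."""
    out = []
    for e in entries:
        if dport is not None and e["orig"].get("dport") != str(dport):
            continue
        if state is not None and e["state"] != state:
            continue
        if unreplied and "UNREPLIED" not in e["flags"]:
            continue
        out.append(e)
    return out


def count_by_service(entries):
    """How many tracked flows target each (protocol, destination port) pair."""
    return Counter((e["l4proto"], e["orig"]["dport"]) for e in entries)


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE_CONNTRACK)
    for (proto, port), n in sorted(count_by_service(flows).items()):
        print("%s/%s: %d flow(s)" % (proto, port, n))
    for e in select(flows, unreplied=True):
        print("no reply: %s -> %s:%s" % (e["orig"]["src"], e["orig"]["dst"], e["orig"]["dport"]))
```

An UNREPLIED flow from the gateway itself (here to port 22 on an outside host) is the sort of thing worth a second look on a device that is supposed to be managed, not to manage others; the same parser runs unchanged on the real file if you read /proc/net/nf_conntrack instead of the sample.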


Webif Log Page


• The Syslog tab:
  – shows the system log and lets you filter out unwanted information
• The Kernel tab:
  – shows the kernel log and lets you filter out unwanted information


Webif System Page


• The Access Control tab:
  – lets you create, edit, or delete Webif users
  – Webif users are not system users; they cannot log in to the target system. The two populations are separate even when a user name appears in both.
• The Password tab:
  – lets Webif users change their password
• The Settings tab:
  – lets you change the host name of the target
  – lets you change the time settings of the target
  – lets you change Webif settings
• The Startup tab:
  – lets you edit the script /etc/init.d/custom-user-startup, which takes effect on the next boot


Webif System Page (cont’d)

• The Crontabs tab:
  – lets you edit cron tables (to schedule periodic jobs)
• The File Editor tab:
  – lets you browse and edit files in the target file system
• The Mountpoints tab:
  – lets you modify fstab entries (file systems mounted and unmounted at boot)
• The TPM tab:
  – displays TPM information
• The Backup & Restore tab:
  – takes snapshots of the target configuration
  – restores the target configuration from a snapshot
• The Reboot tab:
  – reboots the target system

Note that between the File Editor and Startup tabs, a Webif account can edit any file on the target and a script that runs at boot. Treat Webif credentials as root credentials for the target, even though they are not system logins.


Webif Network Page


Use the Network page to review and configure the network devices in the target.
• The Networks tab:
  – lets you review and alter network configurations
• The Wireless tab:
  – lets you review and alter the Wi-Fi configuration
• The Zigbee tab:
  – lets you check the firmware and upgrade it at the next boot
  – lets you start and stop networks
• The Bluetooth tab:
  – shows the status of the Bluetooth daemon


Webif Network Page (cont’d)

• The Firewall tab:
  – lets you review and alter firewall settings
• The DHCP tab:
  – lets you review and alter DHCP server settings
• The Hosts tab:
  – lets you review and alter the contents of /etc/hosts
• The Routes tab:
  – lets you review and alter network routing information
• The UPnP tab:
  – lets you enable, disable, or configure Universal Plug and Play (UPnP)
  – also lets you configure uShare


Webif Network Page (cont’d)

• The MultiWAN tab:
  – lets you enable and configure multiple WAN interfaces
  – lets you review and alter the multi-WAN monitoring configuration
• The Tweaks tab:
  – lets you alter the network configuration for better performance
  – lets you change connection tracking settings


Webif Device Agent Page


• The RPM Repository tab:
  – lets you review and alter the repositories used to update the target system
• The WKS OMA DMC tab:
  – the Works Systems Open Mobile Alliance Device Management Communications agent
  – lets you review and alter DMC agent settings
• The OneAgent TR069 tab:
  – the Works Systems TR-069 agent
  – lets you review and alter TR-069 agent settings


Webif Logout Page


Custom Pages

• You can add pages and/or tabs to Webif.
• For more information, see the ’s Guide (chapter 20).


Questions

1. How can you modify what happens during the target boot process?
2. How are Webif users different from target system users?
3. Can you start and stop target system processes from Webif?
4. You can render Webif useless. (True/False)
5. You can reboot the target remotely. (True/False)


Answers

1. On the Webif System page, select the Startup tab and alter the script /etc/init.d/custom-user-startup; the change takes effect on the next boot.
2. Webif users are not logged in to the target; they are simply allowed to view and use the Webif pages. Target system users can log in to the target system. The two groups might share user names, but they are distinct populations.
3. Yes. You can stop them at any time. You can also start them, but only at boot time, or by running selected daemons such as Bluetooth. You can also execute commands like ping and traceroute, although they have finite lifetimes.
4. True. By disabling Webif access for all users, it becomes unusable, at least until you restart the Webif server on the target.
5. True. From the Webif menu, select System > Reboot to reboot the target system.


Review

In this chapter you learned to:
• log in to Webif on the target system
• review the target system status
• alter the target network device configuration
• modify target boot operation
• create new pages for Webif


Connectivity


Agenda

Connectivity

• Hardware Connectivity Options • Software Connectivity Options • Multiwan


Objectives

By the end of this chapter you will be able to describe:
• the hardware connectivity options supported by the IDP ecosystem
• the software connectivity options provided by the IDP ecosystem
• the failover capability of Multiwan


IDP Connectivity

• Wireless: Mobile (2G/3G/4G/LTE); Bluetooth (including Low Energy); Wi-Fi (AP / client / ad hoc); 802.15.4 ZigBee
• Wired: Ethernet; USB host; USB device; GPIO, I2C, SPI; RS-232; RS-485; CAN bus
• Protocols: OPC-DA; MQTT; OpenSSL; MODBUS; CoAP
• VPN: IPsec; PPTP; L2TP
• Cloud connectivity: Digi; Cloud Connectivity Solution Family


Hardware Connectivity Options

• IDP provides connectivity options beyond those included in Wind River Linux 5.0.1.
  – Wi-Fi
    • iwlwifi (Intel IPW2100, IPW2200, 3945ABG, 4965AGN)
    • rt2x00 (Ralink USB devices RT2770, RT2870, RT3070, RT3071, RT3072, RT3572)
    • rt73usb (Ralink USB devices RT2571W, RT2573 and RT2671)
  – Bluetooth
    • BlueZ, documented online at http://www.bluez.org
    • adds the software capability and functionality to support Bluetooth
    • requires an external Bluetooth adapter


IDP 2.0 – Communications Capabilities

(Diagram.) The gateway provides:
• Internet/WAN connectivity via mobile data (2G/3G/LTE cell tower), Wi-Fi and Ethernet
• LAN connectivity via Wi-Fi and Ethernet
• PAN/WPAN connectivity via ZigBee and Bluetooth
• WAN failover order: Ethernet -> Wi-Fi -> Mobile

WPAN = Wireless Personal Area Network


IDP WAN Communications Support

Specific to Cross Hill Industry / Energy Reference Design

• Ethernet: dual 10/100
• Wi-Fi: supported via mini PCIe (Intel Centrino Advanced-N 6205); 802.11 a/b/g/n; client mode
• Mobile: supported via mini PCIe (Telit HE910 PCI)

Automatic failover/failback capability is available between WAN interfaces (i.e., Ethernet -> Wi-Fi -> Mobile).


LAN / WPAN Communications Support

Specific to Cross Hill Industry / Energy Reference Design

• Ethernet: dual 10/100
• Wi-Fi: 802.11 a/b/g/n; access point or ad-hoc mode
• WPAN: Bluetooth with LE; dual 802.15.4 (ZigBee)
• Serial: RS-485 up to 2.7 Mbps; RS-232


IEEE 802.15.4

The basis of 6LoWPAN (IPv6 over Low-power Wireless Personal Area Networks), ZigBee and others. It defines the lower network layers (PHY and MAC) of a type of wireless personal area network (WPAN).

• Focused on low-cost, low-speed ubiquitous communication between devices (in contrast with more end-user-oriented approaches such as Wi-Fi).
• Targets a 10-meter communications range at 250 kbit/s.
• Important features include:
  – real-time suitability through reservation of guaranteed time slots
  – collision avoidance through CSMA/CA
  – integrated support for secure communications (AES-128) handled at the MAC layer, with key management provided by the upper layers. The standard defines the frame protection but not how keys are distributed, so a network deployed with a default or well-known key gets no real protection from it.
  – power management functions such as link quality and energy detection
  – 127-byte frames (the MAC-layer security header and MIC come out of that budget, so application payloads are small)
  – operation in unlicensed frequencies, including the 2.4 GHz band in the U.S.
  – star and peer-to-peer topologies; mesh routing is supplied by the upper layer (for example ZigBee), not by 802.15.4 itself


802.15.4 – Node Types

• Full-function device (FFD): can serve as the coordinator of a PAN or as a common node. It implements a general model of communication that allows it to talk to any other device; it may also relay messages, in which case it is dubbed a coordinator (or PAN coordinator when it is in charge of the whole network).

• Reduced-function device (RFD): meant for extremely simple devices with very modest resource and communication requirements; because of this, RFDs can only communicate with FFDs and can never act as coordinators.


What is ZigBee?

A specification for a suite of high level communication protocols used to create personal area networks built from small, low- power digital radios

• Used in applications that require a low data rate, long battery life, and secure networking

• Based on IEEE 802.15.4 protocol

• Intended to be simpler and less expensive than other WPANs such as Bluetooth or Wi-Fi.


Exegin ZigBee Software Stack

• Provided by Exegin (based in Vancouver, BC)
• 32-bit ZigBee stack for ZigBee 2006, ZigBee PRO, and proprietary stack profiles
  – fully reconfigurable at run time
  – coordinator, router, or end device
  – support for both standard and high-security modes
  – targeted at embedded devices: uses < 256 kB flash, < 24 kB RAM
• Certified in January 2010 by NTS
• Deployed with several million smart meters
• ZigBee Smart Energy Profile 1.0
• Allows multiple instances to share code on one processor


IDP ZigBee Implementation

• Uses the Atmel ATmega WPAN SoC on the Cross Hill-Z SPI module, which provides two completely independent WPAN networks
• ZigBee stack profiles: ZigBee 2007, ZigBee PRO
• Cluster libraries: ZigBee Cluster Library 2008, ZigBee Smart Energy 1.0
• Programming language: C
• Customers may interface at either the ZigBee or the 802.15.4 layer

(Diagram: on the Cross Hill (Clanton) side, the application sits on the Exegin ZigBee stack, which uses the Exegin 802.15.4 interface library over SPI; on the Cross Hill-Z module, the Exegin 802.15.4 firmware runs on the Atmel dual-radio SoC.)


Software Connectivity Options

• Connectivity provided with IDP beyond Wind River Linux 5.0.1:
  – VPN
    • ipsec_vpn – strongSwan implementation: --with-template=feature/ipsec_vpn
    • pptp_vpn – pptpvpn.org implementation: --with-template=feature/l2tp
    • l2tp_vpn – openl2tp.org implementation: --with-template=feature/l2tp_vpn
    • PPTP's MS-CHAPv2 authentication is cryptographically broken and its MPPE session keys derive from the user password, so of the three only IPsec (strongSwan) should carry traffic you care about; L2TP is only as strong as the IPsec it is tunnelled over.
  – MQTT
    • Message Queue Telemetry Transport (mqtt.org): --with-template=feature/mqtt
    • Mosquitto server provided, Lua client


Multiwan

• Multiwan monitors the status of the network interfaces.
• When the primary interface goes down, this daemon automatically connects the secondary interface.
• The polling interval is defined in /etc/config/multiwan.
• Enable Multiwan using the Webif interface.


• If you modified the settings in Webif, click Save Changes and then Apply Changes.


Multiwan (cont’d)

• The polling interval of multiwan can be lengthened to reduce multiwan's CPU usage by modifying the configuration file /etc/config/multiwan.
• The value after health_interval in /etc/config/multiwan controls the polling interval. The default value of health_interval is 3; raising it, for example to 50, reduces CPU usage considerably. The trade-off is detection latency: a dead primary link is only declared down after several consecutive failed probes, so every second you add to the interval delays failover by that many seconds times the retry count.


Example on Cross Hill board with 3G WWAN

• Ethernet with WWAN failover:
  – The WAN (Ethernet) interface is the primary connection.
  – If the WAN interface fails, IDP's Multiwan fails over to the WWAN interface.

(Diagram: before the failure, the Internet is reached through the Ethernet WAN with the 3G WWAN standing by; after the primary Ethernet connection fails, the Internet is reached through the 3G WWAN.)


Example on Cross Hill board with 3G WWAN (cont’d)

• Enabling 3G WWAN:
  – Configure and build the platform project with --with-template=feature/netifd.
  – Place a SIM card into the Cross Hill board.
  – Deploy IDP using the deploy.sh script with the -b cross-hill option.
  – In Webif, select Network > Networks and check the settings under wwan Configuration.

• In wwan Configuration, ensure Connection Type, Interface, and Device are correct.
• Also make sure Default Route and Peer DNS are selected.
• Additionally, ensure the APN Name is correct. If not, set the correct APN name for your SIM card.
• If you modified the settings in Webif, click Save Changes and then Apply Changes.
• To use the predefined network configuration file for the Cross Hill board, deploy the kernel image and root file system from wrlinux-image-glibc-idp-intel-quark-dist-srm.tar.bz2 using deploy.sh with the -b cross-hill option.
• Example: sudo ./deploy.sh -f export/images/wrlinux-image-glibc-idp-intel-quark-dist-srm.tar.bz2 -d /dev/sdb -y -b cross-hill
  (Confirm that /dev/sdb is really the target medium before running this: the script writes the image to whatever device you name with -d, and -y suppresses the confirmation prompt.)


Example on Cross Hill board with 3G WWAN (cont’d)

• Monitor configuration (WAN and WWAN):
  – In Webif, select Network > Multiwan.
  – Ensure Priority Interface is wan.
  – In Monitor Configuration for wan, ensure Failover To is wwan and Auto Up is selected.
  – In Monitor Configuration for wwan, ensure Failover To is wan and Auto Up is selected.
  – If you modified the settings in Webif, click Save Changes and then Apply Changes.
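The health_interval, Priority Interface and Failover To settings above decide how long the gateway is offline when the Ethernet WAN dies. The following is an added example, not the IDP multiwan daemon's own code: a model of that failover/failback logic driven by a constructed probe history, so the cost of a larger health_interval can be read off in seconds. The retry counts (health_fail_retries, health_recovery_retries) are options of the stock OpenWrt multiwan package; whether the IDP build exposes them, and with which defaults, is an assumption here, so check your own /etc/config/multiwan.

```python
# Added example, not the IDP multiwan daemon's own code: a model of the
# failover/failback logic the course describes, showing how health_interval
# and "Failover To" translate into seconds of outage. The retry counts are
# assumed (they are options of the stock OpenWrt multiwan package); check
# /etc/config/multiwan on your target for the real values.


class Interface:
    """One monitored WAN interface and the counters multiwan keeps for it."""

    def __init__(self, name, failover_to, fail_retries=3, recovery_retries=5):
        self.name = name
        self.failover_to = failover_to
        self.fail_retries = fail_retries          # consecutive failed probes before "down"
        self.recovery_retries = recovery_retries  # consecutive good probes before "up" again
        self.up = True
        self.consecutive_fail = 0
        self.consecutive_ok = 0

    def observe(self, probe_ok):
        """Record one health probe; return True if the interface changed state."""
        if probe_ok:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if not self.up and self.consecutive_ok >= self.recovery_retries:
                self.up = True
                return True
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.up and self.consecutive_fail >= self.fail_retries:
                self.up = False
                return True
        return False


def choose_active(interfaces, priority):
    """Prefer the priority interface; otherwise follow the Failover To chain to the first interface that is up."""
    chosen, seen = priority, set()
    while not interfaces[chosen].up and chosen not in seen:
        seen.add(chosen)
        chosen = interfaces[chosen].failover_to
    return chosen


def run_failover(interfaces, priority, probes, health_interval):
    """Replay per-interface probe results (dict name -> list of bools, one per poll).

    Returns the list of (seconds, active_interface) changes, starting at t=0.
    """
    active = priority
    events = [(0, active)]
    n_polls = len(next(iter(probes.values())))
    for i in range(n_polls):
        for name, iface in interfaces.items():
            iface.observe(probes[name][i])
        chosen = choose_active(interfaces, priority)
        if chosen != active:
            active = chosen
            events.append(((i + 1) * health_interval, active))
    return events


def detection_latency(health_interval, fail_retries=3):
    """Worst-case seconds between the primary link dying and multiwan declaring it down."""
    return health_interval * fail_retries


def example_scenario(health_interval=3):
    """Constructed probe history: wan fails for five polls, then recovers; wwan stays up."""
    interfaces = {
        "wan": Interface("wan", failover_to="wwan"),
        "wwan": Interface("wwan", failover_to="wan"),
    }
    probes = {
        "wan": [True, True, False, False, False, False, False, True, True, True, True, True, True],
        "wwan": [True] * 13,
    }
    return run_failover(interfaces, "wan", probes, health_interval)


if __name__ == "__main__":
    for interval in (3, 50):
        print("health_interval=%d: %s" % (interval, example_scenario(interval)))
```

With the default health_interval of 3 the model switches to wwan 15 seconds after the first failed probe and back to wan 36 seconds in; with health_interval raised to 50 the same probe history takes 250 and 600 seconds. Whatever value you settle on, make sure the failback path is really exercised: a gateway that silently stays on a metered 3G link after the Ethernet WAN recovers is both a cost and an exposure problem.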


Questions

1. What are some hardware connectivity options for IDP?
2. Name some software connectivity options for IDP.
3. Explain what Multiwan's role is.


Answers

1. Wi-Fi, Bluetooth, ZigBee, cellular (2G, 3G, LTE)
2. MQTT, VPN (ipsec_vpn, pptp_vpn, l2tp_vpn)
3. Multiwan monitors the status of the network interfaces. When the primary interface goes down, this daemon automatically connects the secondary interface.


Review

In this chapter you learned:
• the hardware connectivity options supported by IDP
• the software connectivity options provided by IDP
• the failover capability of Multiwan


IDP Application Stacks


Agenda

IDP Application Stacks

• OpenJDK • Lua/MQTT • Python • SQLite • OSGi


Objectives

By the end of this chapter you will be able to:
• configure OpenJDK into your target
• configure MQTT and Lua into your target
• identify why you would use an SQLite3 database in your target
• identify the advantages of using OSGi in your target


OpenJDK

• Open source implementation of Java SE 7
• IDP provides run-time environments:
  – Java Runtime Environment (JRE) 1.6.0_27
  – Cacao (1.6.0+r68fe50ac34ec): an open source Java virtual machine that includes JIT capability
• To include this in your target image, configure with --enable-addons=wr-idp (required) and --with-template=feature/openjdk-bin
  – Automatically included when --enable-rootfs=glibc-idp


OpenJDK

(Diagram: on the host, the JDK (Java Development Kit) contains the JRE (Java Runtime Environment), the compiler, the Java class library, javadoc and jarsigner; the JVM can be the Zero VM, the Cacao VM or another. Java applications are built through the BitBake build system into the IDP native environment.)

A full, free, open source edition of Java Standard Edition (SE) and Java Virtual Machine (JVM) implementation:
• supports Java SE versions 6 and 7 and leverages system-provided libraries (zlib, libpng, ...)
• choice of JVM: OpenJDK, Zero VM, Cacao VM
• for a full list of features supported by OpenJDK, refer to http://openjdk.java.net/


Using OpenJDK

• Build on your host and download to the target.
• Build on your host and include in an image. The project configuration needs a few things:
  – Include --enable-internet-download=yes. Because this lets the build fetch sources over the network, build on a host whose download mirrors you control and keep the fetched archives, so the image can be rebuilt from the same inputs later.
  – Your project local.conf file needs REBUILD_OPENJDK = "yes".
  – The process takes quite some time.
  – Create a layer to contain your Java project code.
  – Ensure that the template.conf file has IMAGE_INSTALL_append += "myjavaprj".


OpenJDK – Hello World

Create a file HelloWorld.java with the following contents:

public class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, World");
    }
}

Compile HelloWorld.java into a HelloWorld class file using the Java compiler javac:

$ javac HelloWorld.java

Transfer the HelloWorld.class file to the IDP target:

$ scp HelloWorld.class root@

On the target, execute the HelloWorld program as follows:

root@WR-IntelligentDevice:~# java HelloWorld
Hello, World
root@WR-IntelligentDevice:~#


Lua

• A scripting language that grew out of programs developed for the specialized data-entry requirements of petrochemical simulations.
• Created in 1993; first released to the outside world in 1996.
• Wind River IDP uses version 5.1.5 by default, though a 5.2 version is also provided.
• Common uses of Lua:
  – a configuration language for applications
  – a standalone scripting language
  – an embedded language in applications, to modify run-time behavior
• The complete language fits into 180 kB and can go as low as 80 kB depending on the features required.


MQTT

• MQTT = Message Queue Telemetry Transport: a lightweight (low power, low network bandwidth) publish-and-subscribe messaging protocol for M2M/IoT
• Designed for:
  – constrained devices
  – low-bandwidth, high-latency, or unreliable networks
• TCP port 1883 is registered with IANA for MQTT, and port 8883 for MQTT over SSL/TLS.
  – The protocol itself provides no confidentiality or integrity: a client's user name and password travel in the clear inside its CONNECT packet, and so does every published message. On anything other than an isolated lab network, use 8883 with TLS.


MQTT & IDP

• Placed into the image by default with --enable-rootfs=glibc-idp.
• Alternatively you need --enable-addons=wr-idp --with-template=feature/mqtt

(Diagram: clients publish messages to topics on the broker; other clients subscribe to those topics and receive the messages.)


MQTT & IDP

• MQTT offered by IDP:
  – paho.mqtt.lua: a client-side implementation in Lua of version 3.1 of the MQTT protocol
  – command-line utilities for publishing and subscribing to MQTT topics
  – mosquitto: a server (broker) for version 3.1 of the MQTT protocol
• A Mosquitto server starts at boot time.
  – version 1.1.3
  – MQTT 3.1 broker
  – Check its configuration before deploying: if it is left accepting anonymous connections on port 1883 (mosquitto's own default), anything on the LAN can publish to, and subscribe to, every topic the gateway uses.
• Includes example programs by default: /root/examples/mqtt-client/*
• For more information, go to http://mosquitto.org.


MQTT – Example

Statistics about RX and TX packets from a number of devices in a network need to be collected. The number of packets received needs to be sent to two different locations.

Set up two separate topics to capture the data from the devices:
1. Network/packets/sent
2. Network/packets/received

Three subscribers will be set up (two for RX, one for TX) to retrieve the data.

Subscriber side:
$ mosquitto_sub -h aaeon -t network/packets/sent

Publisher side:
$ mosquitto_pub -h aaeon -t network/packets/sent -m "$HOSTNAME: 5"

[Figure: three publishing devices, a broker holding the topics Network/packets/received and Network/packets/sent, and the subscribers RX Collector1, RX Collector2 and TX Collector.]
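What the mosquitto_pub command above actually puts on the wire, and how the broker decides who receives it, as an added Python example (it is not code from the course, from Wind River IDP, from mosquitto or from paho). The packet builder and parser follow the MQTT 3.1 PUBLISH layout, with every length field checked before it is trusted; the matcher implements the broker's filter rules. Two practitioner points it makes concrete: these bytes travel in cleartext on port 1883 (which is why the slide lists 8883 for MQTT over SSL), and topic matching is case-sensitive, so the capitalized Network/... topics and the lower-case ones typed in the commands are different topics. The collector names and the payload "gateway1: 5" are constructed sample values.

```python
"""MQTT 3.1 PUBLISH framing and broker-side topic matching (added example)."""
import struct

PUBLISH = 3                 # control packet type (high nibble of the first byte)
MAX_REMAINING = 268435455   # largest value the 4-byte "remaining length" field can hold


def encode_remaining_length(n):
    """7 bits per byte, bit 0x80 set on every byte except the last."""
    if not 0 <= n <= MAX_REMAINING:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf, offset):
    """Return (value, offset after the field); more than 4 bytes is malformed."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def build_publish(topic, payload, qos=0, packet_id=None, retain=False):
    """Fixed header, length-prefixed UTF-8 topic, packet id for QoS 1/2, then payload."""
    if qos not in (0, 1, 2):
        raise ValueError("bad QoS")
    if qos and packet_id is None:
        raise ValueError("QoS 1 and 2 need a packet identifier")
    topic_bytes = topic.encode("utf-8")
    body = struct.pack(">H", len(topic_bytes)) + topic_bytes
    if qos:
        body += struct.pack(">H", packet_id)
    body += payload
    first = (PUBLISH << 4) | (qos << 1) | (1 if retain else 0)
    return bytes([first]) + encode_remaining_length(len(body)) + body


def parse_publish(buf):
    """Parse one PUBLISH packet; raise ValueError rather than trust any length field."""
    if not buf or buf[0] >> 4 != PUBLISH:
        raise ValueError("not a PUBLISH packet")
    qos, retain = (buf[0] >> 1) & 0x03, bool(buf[0] & 0x01)
    remaining, pos = decode_remaining_length(buf, 1)
    if pos + remaining != len(buf):
        raise ValueError("remaining length does not match packet size")
    if remaining < 2:
        raise ValueError("missing topic length")
    (topic_len,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + topic_len > len(buf):
        raise ValueError("topic length exceeds packet")
    topic = buf[pos:pos + topic_len].decode("utf-8")
    pos += topic_len
    packet_id = None
    if qos:
        if pos + 2 > len(buf):
            raise ValueError("missing packet identifier")
        (packet_id,) = struct.unpack_from(">H", buf, pos)
        pos += 2
    return {"topic": topic, "qos": qos, "retain": retain,
            "packet_id": packet_id, "payload": buf[pos:]}


def topic_matches(subscription, topic):
    """'+' matches exactly one level, '#' the remainder; comparison is case-sensitive."""
    sub_levels, top_levels = subscription.split("/"), topic.split("/")
    for i, level in enumerate(sub_levels):
        if level == "#":
            return True
        if i >= len(top_levels) or (level != "+" and level != top_levels[i]):
            return False
    return len(sub_levels) == len(top_levels)


def route(subscriptions, topic):
    """Names of the subscribers (name -> filter) that receive a message on 'topic'."""
    return sorted(name for name, flt in subscriptions.items() if topic_matches(flt, topic))


if __name__ == "__main__":
    # Constructed equivalent of: mosquitto_pub -h aaeon -t network/packets/sent -m "gateway1: 5"
    packet = build_publish("network/packets/sent", b"gateway1: 5")
    print(packet.hex(), parse_publish(packet))
    collectors = {"RX Collector1": "network/packets/received",
                  "RX Collector2": "network/packets/received",
                  "TX Collector": "network/packets/sent"}
    print(route(collectors, "network/packets/sent"))
```

The parser's checks matter on a gateway that terminates connections from untrusted devices: a remaining-length field that disagrees with the bytes actually received, or a topic length pointing past the end of the packet, is rejected instead of being read out of bounds.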


Agenda

IDP Application Stacks

• OpenJDK • Lua/MQTT • Python • SQLite • OSGi


Python

• Open source implementation of Python 2.7
• To include this in your target image, configure it with:
  – --enable-addons=wr-idp (required) --with-template=feature/python
  – Automatically included with --enable-rootfs=glibc-idp


Using Python

• Build on your host and include in an image.
  – Start with the default IDP platform project.
  – Add the file setup.py to the application so that it is managed by the Python setuptools utilities.
  – Set up the build layer for the new package:
    • Define the license, add the source code and support files, and create the recipe file.
  – Build the directory infrastructure inside the layer and add it to the target file system:
    • make -C build packagename
    • make -C build packagename.addpkg
    • make fs


SQLite

• SQLite comes with a terminal-based frontend to the SQLite library that can evaluate queries interactively.
• SQLite is an embedded relational database engine.
• Its developers call it a self-contained, serverless, zero-configuration, transactional SQL database engine.
• SQLite implements most of the SQL-92 standard.
• The SQLite engine is statically or dynamically linked into the application; it is not a standalone process.
• The SQLite library can require less than 300 kB.
• An SQLite database is a single, ordinary disk file that can be located anywhere in the directory hierarchy.


Architecture

• To include SQLite, use the option --enable-addons=wr-idp
• SQLite has a modular architecture.
• SQLite processes SQL queries in three layers of modules:
  – Compile
    • SQL queries are compiled, starting with the tokenizer and parser.
  – Execute using a virtual machine
    • The virtual machine, also called the Virtual Database Engine (VDBE), executes the compiled SQL queries.
  – Storage
    • This performs the reads and writes to the storage device for the given SQL query.
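The three layers above seen from application code, as an added Python example (not code from the course or from Wind River IDP), storing the packet counters of the MQTT example in SQLite. The compile stage's output is visible through EXPLAIN as the opcode program that the virtual machine (VDBE) runs; storage is the single database file, here ':memory:' so the example is self-contained. The security point for a gateway is the difference between the two query functions: a value that arrived in an MQTT payload must reach the engine as a bound parameter, never pasted into the SQL text. The host names, counts and the hostile string are constructed.

```python
"""SQLite from Python: parameterized queries and the VDBE program (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS packet_stats (
    host      TEXT    NOT NULL,
    direction TEXT    NOT NULL CHECK (direction IN ('sent', 'received')),
    packets   INTEGER NOT NULL CHECK (packets >= 0),
    ts        TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP
)
"""


def open_db(path=":memory:"):
    """Open or create the database file and make sure the table exists."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record(conn, host, direction, packets):
    """Parameterized insert inside a transaction (commit on success, rollback on error)."""
    with conn:
        conn.execute("INSERT INTO packet_stats (host, direction, packets) VALUES (?, ?, ?)",
                     (host, direction, int(packets)))


def total_for_host_unsafe(conn, host):
    """Deliberately vulnerable: the host value becomes part of the SQL text."""
    sql = "SELECT COALESCE(SUM(packets), 0) FROM packet_stats WHERE host = '%s'" % host
    return conn.execute(sql).fetchone()[0]


def total_for_host(conn, host):
    """The same query with the host bound as a parameter."""
    sql = "SELECT COALESCE(SUM(packets), 0) FROM packet_stats WHERE host = ?"
    return conn.execute(sql, (host,)).fetchone()[0]


def vdbe_opcodes(conn, sql, params=()):
    """Opcode names of the program the compile stage produced for 'sql'."""
    rows = conn.execute("EXPLAIN " + sql, params).fetchall()
    return [row[1] for row in rows]   # columns: addr, opcode, p1, p2, p3, p4, p5, comment


def demo():
    conn = open_db()
    record(conn, "gateway1", "sent", 5)
    record(conn, "gateway1", "received", 12)
    record(conn, "gateway2", "sent", 7)
    hostile = "x' OR '1'='1"           # constructed: turns the WHERE clause into "match all"
    return {
        "safe": total_for_host(conn, "gateway1"),
        "unsafe": total_for_host_unsafe(conn, hostile),
        "safe_hostile": total_for_host(conn, hostile),
        "opcodes": vdbe_opcodes(conn, "SELECT packets FROM packet_stats WHERE host = ?",
                                ("gateway1",)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the parameterized query the hostile string is simply a host name that matches no row; with string formatting it rewrites the WHERE clause and the query returns every device's total. The CHECK constraints in the schema reject a direction or count the gateway never expects, so a malformed payload fails at the storage layer instead of polluting the statistics.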


OSGi

• The Open Services Gateway Initiative (OSGi) defines an architecture for developing and deploying modular applications and libraries.
• The ProSyst mBS Smart Home SDK provides a base from which you can tailor images for specific home device management platforms.
• The OSGi bundle consists of three main components:
  – The OSGi run-time serves as the base for tailored images.
  – Plug-ins provide facilities for simplified development and testing of OSGi-based projects.
  – The OSGi run-time validator provides an option to validate the components on a specific target platform.


OSGi Development

• Developing on the OSGi platform means first building your application using OSGi APIs, then deploying it in an OSGi container.
• That provides the following advantages:
  – You can install, uninstall, start, and stop different modules of your application dynamically, without restarting the container.
  – An application can have more than one version of a particular module running at a time.
  – OSGi provides very good infrastructure for developing service-oriented applications, as well as embedded, mobile, and rich Internet applications.


Questions

1. Which Java implementation is part of IDP 2.0?
2. What type of database is SQLite 3?
3. What does MQTT mean?
4. Why would you use OSGi in an IDP target system?


Answers

1. OpenJDK-6
2. Relational
3. MQ telemetry transport
4. Because you can install, uninstall, start, or stop applications, run multiple versions of components simultaneously, or provide good infrastructure for service-oriented applications.


Review

In this chapter you learned to:
• Configure OpenJDK into your target
• Configure MQTT and Lua into your target
• Configure and run Python on your target
• Identify why you would use an SQLite3 database in your target
• Identify the advantages of using OSGi in your target


Linux GRSecurity


Agenda

Linux GRSecurity

• GRSecurity
• PAX and ASLR
• ACL/RBAC
• GRSecurity tools


Objectives

By the end of this chapter you will be able to:
• Describe Grsecurity
• Understand ASLR and RBAC
• Describe the exploit prevention provided by PaX
• Understand the tools and interact with a GRSecurity system


GRSecurity

• GRSecurity is a set of security patches, released under the GNU GPL, that enhance Linux security.
• Kernel patches are provided for Linux kernel 2.6.32, 3.2 and the current "stable" Linux.
• Grsecurity supports role-based access control, auditing, chroot restrictions, anti-bruteforcing and anti-info-leaking.
• Integrates PaX for defense against


GRSecurity (Cont …)

• A typical application of grsecurity is web servers and other systems that accept remote connections.
• GRSecurity goals:
  – Detection
  – Prevention
  – Containment


GRSecurity Features

• A robust ACL (Access Control List) system with an intelligent userspace administration tool
• Extensive auditing capabilities
• Measures to stop the most common methods of exploiting a system:
  – Address space modification
  – Races (specifically filesystem races, the most common of which are /tmp races)
  – Breaking out of a chroot(2) jail


GRSecurity Features Cont…

• Supports sysctl, so that it can be included with Linux distributions and the user can modify the options to his/her liking
• A module that drops connections to unserved TCP and UDP ports
• Many of the same randomness features as OpenBSD
• An enhanced implementation of Trusted Path Execution (TPE); example: PAX MPROTECT
• Larger entropy pool for the TCP/IP stack and random source TCP ports
• Additional root restrictions in chroot
• An RBAC system


GRSecurity Detection

• Implemented in two forms:
  – Auditing
  – Logging of real attacks
• CONFIG_GRKERNSEC_AUDIT_CHDIR
• CONFIG_GRKERNSEC_AUDIT_MOUNT
• CONFIG_GRKERNSEC_AUDIT_IPC
• Inode and device numbers used wherever possible
• Parent process information logged


GRSecurity PaX

• PaX is a major component of grsecurity, used to prevent security threats
• PaX is a bundle of patches applied to the kernel
• PaX uses hardware non-executable flags to make stack memory non-executable; where a hardware non-executable flag is not available, it uses VM non-executable flags
• PaX prevents program memory from being written by marking it read-only
• PaX also supports ASLR (Address Space Layout Randomization)


GRSecurity PaX ASLR

• ASLR randomizes important memory addresses of a program to hinder attacks
  – This makes a class of exploit techniques fail with a quantifiable probability
  – If an attempt fails, it most likely crashes the attacked task, which makes the attempt detectable
• Randomizes the address space, both the stack and the library files, on starting an application
• Address Space Layout Randomization kernel configuration:
  – CONFIG_PAX_ASLR=y
  – CONFIG_PAX_RANDKSTACK=y
  – CONFIG_PAX_RANDUSTACK=y
  – CONFIG_PAX_RANDMMAP=y
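Two user-space checks that the randomization described above is really in effect on a target, as an added Python example (not grsecurity, PaX or Wind River code). The first looks up the CONFIG_PAX_* options from the slide in kernel configuration text, as read from /proc/config.gz or /boot/config-* on a host that provides them. The second compares two runs of the same program through /proc/<pid>/maps: with RANDUSTACK and RANDMMAP the stack and shared-library bases move between runs, while a non-PIE executable stays at its link-time address, which is exactly the kind of fixed address a practitioner wants to see flagged. The config and maps text in the block are constructed samples; live_maps() takes a real snapshot on a Linux host.

```python
"""Checking ASLR from user space: kernel config and /proc/<pid>/maps (added example)."""
import re
import subprocess
import sys

PAX_ASLR_OPTIONS = ("CONFIG_PAX_ASLR", "CONFIG_PAX_RANDKSTACK",
                    "CONFIG_PAX_RANDUSTACK", "CONFIG_PAX_RANDMMAP")

# Constructed kernel config excerpt: RANDMMAP deliberately left unset.
SAMPLE_CONFIG = """\
CONFIG_PAX=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
# CONFIG_PAX_RANDMMAP is not set
"""

# Two constructed /proc/<pid>/maps excerpts of the same (non-PIE) program.
SAMPLE_RUN_A = """\
00400000-00401000 r-xp 00000000 08:01 1234                   /usr/bin/sensor
7f3a2c000000-7f3a2c1c0000 r-xp 00000000 08:01 5678           /lib/libc.so.6
7f3a2c1c0000-7f3a2c1c3000 rw-p 00000000 00:00 0
7ffd5c8a0000-7ffd5c8c1000 rw-p 00000000 00:00 0              [stack]
"""
SAMPLE_RUN_B = """\
00400000-00401000 r-xp 00000000 08:01 1234                   /usr/bin/sensor
7f91e8000000-7f91e81c0000 r-xp 00000000 08:01 5678           /lib/libc.so.6
7f91e81c0000-7f91e81c3000 rw-p 00000000 00:00 0
7ffc1a2b0000-7ffc1a2d1000 rw-p 00000000 00:00 0              [stack]
"""


def check_kconfig(config_text, wanted=PAX_ASLR_OPTIONS):
    """{option: enabled?}; only an explicit '=y' counts, '# ... is not set' does not."""
    enabled = set(re.findall(r"^(CONFIG_\w+)=y$", config_text, re.MULTILINE))
    return {opt: opt in enabled for opt in wanted}


def parse_maps(maps_text):
    """Lowest start address of every named mapping in a /proc/<pid>/maps dump."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no name to compare by
        start = int(fields[0].split("-")[0], 16)
        name = fields[5].strip()
        bases[name] = min(start, bases.get(name, start))
    return bases


def randomized_regions(bases_a, bases_b):
    """Mappings present in both runs whose base address changed."""
    return sorted(n for n in bases_a if n in bases_b and bases_a[n] != bases_b[n])


def unrandomized_regions(bases_a, bases_b):
    """Mappings at the same address in both runs: what an exploit could still rely on."""
    return sorted(n for n in bases_a if n in bases_b and bases_a[n] == bases_b[n])


def live_maps():
    """Start a child interpreter and return its /proc/self/maps (Linux only)."""
    code = "import sys; sys.stdout.write(open('/proc/self/maps').read())"
    return subprocess.check_output([sys.executable, "-c", code]).decode()


if __name__ == "__main__":
    print(check_kconfig(SAMPLE_CONFIG))
    a, b = parse_maps(live_maps()), parse_maps(live_maps())
    print("randomized:", randomized_regions(a, b))
    print("fixed:", unrandomized_regions(a, b))
```

On a mainline kernel without the PaX options, the equivalent knob is /proc/sys/kernel/randomize_va_space (2 = stack, mmap and brk randomized); the maps comparison works the same way there. One snapshot per run is enough for a quick check, but a single unlucky pair of identical addresses is possible, so a scripted audit should compare several runs.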


GRSecurity PaX Implementation

• Modified include/asm-/processor.h to support executable and non-executable pages
• The kernel is modified to check the PaX flags in ELF and a.out files to decide whether to use non-executable pages
• Non-executable pages are marked supervisor in the TLB, and executable pages are user-only
• mmap(2) is modified to support ASLR when mapping library files
• mprotect(2) is modified to keep non-executable pages from being made executable


GRSecurity ACL

• An ACL (Access Control List) system is software that provides fine-grained access control for your computer
• The ACL supports restricting access to files, sockets and devices for all users, including root
• The ACL provides full MAC (Mandatory Access Control)
• The ACL method can grant least privilege to each task, which forces attackers to re-evaluate their methods of attack


GRSecurity ACL Features

• Process-based ACLs
• Process-based resource restrictions
• Process-based IP ACLs
• Resource to prevent bruteforce attacking of processes
• Full-featured intelligent learning mode that produces least-privilege ACLs with no configuration
• Full-featured fine-grained auditing
• Configurable process accounting
• Configurable log suppression
• Human-readable configuration files
• Secure and intelligent policy enforcement


GRSecurity ACL Features

• Supports hide, protect, and override subject flags
• Supports PaX flags
• protection
• Integrated local attack response on all alerts
• Supports read, write, append, execute, view, and read-only ptrace object permissions
• Subject flag that ensures a process can never execute trojaned code
• ACLs can be placed on non-existent files/processes
• ACL regeneration on subjects and objects


GRSecurity ACL Features

• Administrative mode to use for regular sysadmin tasks
• ACL system is resealed upon admin logout
• /proc/pid file descriptor/memory restriction
• Globbing support on ACL objects
• Not filesystem dependent
• Scales well: supports as many ACLs as memory can handle
• No runtime memory allocation
• SMP safe
• O(1) time efficiency for most operations
• Administrator mode
• ACL inheritance


GRSecurity RBAC

• RBAC is an access control mechanism that restricts system access to authorized users
• RBAC restricts access to files, capabilities, resources or sockets for all users, including root
• It is similar to MAC (Mandatory Access Control)
• GRSecurity RBAC is only part of the security system; it may not provide complete security, but it greatly increases the difficulty of successfully compromising the system
• In GRSecurity, RBAC is maintained by the policy file /etc/grsec/policy


GRSecurity RBAC Policy Structure

• The policy structure is made of:
  – Roles: an abstraction that encompasses the traditional users and groups that exist in Linux distributions, and special roles that are specific to grsecurity
  – Subjects: processes or directories
  – Objects: files, capabilities, resources, PaX flags, and IP ACLs

[Figure: Role 1 … Role N, each containing subjects; each subject containing objects: files, sockets, resources, capabilities.]


GRSecurity RBAC Policy Roles

• A role can be a user, a group or a special role
• Role hierarchy: user → group → default
  – First a user role is tried; if none matches, a group role is tried; if no group role matches, the default role is used
• IP-based roles
  – Defined as "role_allow_ip IP/optional netmask"
    • Ex: role_allow_ip 192.168.1.0/24
• Role transitions
  – Role transitions specify which special roles a given role is allowed to authenticate to. This applies to special roles that do not require password authentication as well.
    • Ex: role_transitions www_admin dns_admin


RBAC Domains and Inheritance

• Domains
  – Domains combine users that do not share a common GID
  – Domains let them share a single policy; domains work just like roles
• Inheritance
  – Grsecurity implements inheritance in two ways:
    • By the command "inheritance"
    • Or by using the subject from the parent, unless the subject is defined with the "o" flag

Policy as written:

    / {
        / rwx
        /etc rx
        /tmp rw
    }
    /usr/bin/mailman {
        /tmp rwx
    }

Effective policy after inheritance:

    / {
        / rwx
        /etc rx
        /tmp rw
    }
    /usr/bin/mailman {
        / rwx
        /etc rx
        /tmp rwx
    }


GRSecurity RBAC Resource restrictions

• GRSecurity ACL provides the resource restrictions defined below:
  – RES_CPU: CPU time in milliseconds
  – RES_FSIZE: maximum file size in bytes
  – RES_DATA: maximum data size in bytes
  – RES_STACK: maximum stack size in bytes
  – RES_CORE: maximum core size in bytes
  – RES_RSS: maximum resident set size
  – RES_NPROC: maximum number of processes
  – RES_NOFILE: maximum number of open files
  – RES_MEMLOCK: maximum locked-in-memory in bytes
  – RES_AS: address space limit in bytes
  – RES_LOCKS: maximum file locks


GRSecurity RBAC Sample

    role default G
    role_transitions admin
    / {
        / r
        /opt rx
        /home rwxcd
        /mnt rw
    }

• role default G: this role can use gradm to authenticate to the kernel; a policy for gradm will automatically be added to the role.
• / { … }: the default user subject.
• role_transitions admin: a special role transition without password authentication; here the default role is allowed to transition to admin. If a user tries to authenticate to a role that is not within his transition table, he will receive a permission denied error.
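A reader for policy fragments like the sample above and the inheritance example on the preceding slide, as an added Python example; it is not gradm or Wind River code, and it is a simplified model of the policy language rather than a reimplementation of the kernel's enforcement. It understands role lines, role_transitions, role_allow_ip, subjects (with or without the subject keyword), object lines and RES_* limits, and answers two questions an administrator reviews a policy for: which object rule governs a path for a subject (the most specific path wins; a subject inherits from its parent subjects unless it carries the o flag), and which roles a role may transition to. The www_admin role, its subjects, the RES_NPROC line and the sendmail subject are constructed additions to the slides' sample; the "s" role flag is assumed to mark a special role.

```python
"""Parsing and querying grsecurity RBAC policy text (added, simplified example)."""
import ipaddress

SAMPLE_POLICY = """\
role default G
role_transitions admin
subject / {
    / r
    /opt rx
    /home rwxcd
    /mnt rw
}
role www_admin s
role_allow_ip 192.168.1.0/24
role_transitions dns_admin
subject / {
    / rwx
    /etc rx
    /tmp rw
    RES_NPROC 100 100
}
subject /usr/bin/mailman {
    /tmp rwx
}
subject /usr/bin/sendmail o {
    /tmp rw
}
"""


def parse_policy(text):
    """Return {role_name: {flags, transitions, allow_ip, subjects}}."""
    roles, role, subject = {}, None, None
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # '#' starts a comment
        if not tokens:
            continue
        if tokens[0] == "role":
            role = {"flags": tokens[2] if len(tokens) > 2 else "",
                    "transitions": set(), "allow_ip": [], "subjects": {}}
            roles[tokens[1]] = role
        elif tokens[0] == "role_transitions":
            role["transitions"].update(tokens[1:])
        elif tokens[0] == "role_allow_ip":
            role["allow_ip"].append(ipaddress.ip_network(tokens[1], strict=False))
        elif tokens[-1] == "{":                     # subject header, keyword optional
            if tokens[0] == "subject":
                tokens = tokens[1:]
            subject = {"flags": tokens[1] if len(tokens) > 2 else "",
                       "objects": {}, "resources": {}}
            role["subjects"][tokens[0]] = subject
        elif tokens[0] == "}":
            subject = None
        elif tokens[0].startswith("RES_"):         # soft and hard limit
            subject["resources"][tokens[0]] = (tokens[1], tokens[2])
        else:                                       # object: path and mode letters
            subject["objects"][tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return roles


def _covers(parent, path):
    """True if 'parent' is 'path' itself or one of its directory ancestors."""
    return parent == "/" or path == parent or path.startswith(parent.rstrip("/") + "/")


def effective_objects(role, subject_path):
    """Objects a subject ends up with: inherited from parent subjects, own rules last."""
    subjects = role["subjects"]
    own = subjects[subject_path]
    if "o" in own["flags"]:                      # 'o': override, no inheritance
        return dict(own["objects"])
    merged = {}
    parents = [p for p in subjects if p != subject_path and _covers(p, subject_path)]
    for p in sorted(parents, key=len):           # least specific first
        merged.update(subjects[p]["objects"])
    merged.update(own["objects"])
    return merged


def access_mode(role, subject_path, target):
    """Mode string of the most specific object rule covering 'target' ('' if none)."""
    objects = effective_objects(role, subject_path)
    matches = [p for p in objects if _covers(p, target)]
    return objects[max(matches, key=len)] if matches else ""


def can_transition(roles, from_role, to_role):
    """Whether role_transitions lets from_role authenticate to to_role."""
    return to_role in roles[from_role]["transitions"]


def ip_allowed(role, ip):
    """A role without role_allow_ip lines is usable from anywhere."""
    nets = role["allow_ip"]
    return not nets or any(ipaddress.ip_address(ip) in net for net in nets)
```

Run against the sample, the mailman subject reproduces the "effective policy" column of the inheritance slide, and the sendmail subject with the o flag keeps only its own /tmp rule. Reviewing a learned policy this way, subject by subject, is how over-broad rules such as an inherited "/ rwx" get noticed before the policy is enabled.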


GRSecurity tools

• Grsecurity administration tool: gradm
  – Learning mode: "gradm -F -L /etc/grsec/learning,mod"
  – Creating rules for your host: "gradm -F -L /etc/grsec/learning,mod -o /etc/grsec/learning.roles"
  – Help: "gradm -h"
• PaX control: paxctl
  – Creating PaX flags for a binary: "paxctl -c"
  – View flags: "paxctl -v"
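What paxctl -v reads when it reports a binary's flags, as an added Python example (not paxctl or Wind River code). paxctl records its per-binary settings in a PT_PAX_FLAGS entry of the ELF program header table; the block locates that entry in an ELF32 or ELF64 image without trusting the header's offsets, and prints a summary in paxctl's letter convention (lower case = explicitly enabled, upper case = explicitly disabled, "-" = left to the kernel default). The program header type value and the flag bits are the ones defined in PaX's elf.h; make_elf64() builds a constructed minimal image so the block runs without a real PaX-marked binary.

```python
"""Decoding the PT_PAX_FLAGS program header (added example)."""
import struct
import sys

PT_PAX_FLAGS = 0x65041580
# (enable bit, disable bit, paxctl letter): PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP
PAX_FLAG_BITS = ((1 << 4, 1 << 5, "p"), (1 << 6, 1 << 7, "s"), (1 << 8, 1 << 9, "m"),
                 (1 << 10, 1 << 11, "x"), (1 << 12, 1 << 13, "e"), (1 << 14, 1 << 15, "r"))


def program_headers(data):
    """Yield (p_type, p_flags) for each program header; ValueError on malformed input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:        # ELFCLASS64
        ehdr_fmt, phdr_fmt, flags_idx = "16sHHIQQQIHHHHHH", "IIQQQQQQ", 1
    elif data[4] == 1:      # ELFCLASS32: p_flags is the 7th field, not the 2nd
        ehdr_fmt, phdr_fmt, flags_idx = "16sHHIIIIIHHHHHH", "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class")
    ehdr_fmt, phdr_fmt = endian + ehdr_fmt, endian + phdr_fmt
    if len(data) < struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]   # e_phoff, e_phentsize, e_phnum
    if phentsize < struct.calcsize(phdr_fmt) or phoff + phnum * phentsize > len(data):
        raise ValueError("program header table lies outside the file")
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        yield ph[0], ph[flags_idx]


def pax_flags(data):
    """Raw p_flags of PT_PAX_FLAGS, or None when the binary carries no such entry."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def describe(p_flags):
    """Six-letter summary in paxctl's style, e.g. '--m--R'."""
    out = []
    for on_bit, off_bit, letter in PAX_FLAG_BITS:
        if p_flags & on_bit and p_flags & off_bit:
            raise ValueError("flag %s is both enabled and disabled" % letter)
        out.append(letter if p_flags & on_bit else letter.upper() if p_flags & off_bit else "-")
    return "".join(out)


def make_elf64(p_flags):
    """Constructed little-endian x86-64 image: 64-byte header plus one PT_PAX_FLAGS entry."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_elf64((1 << 8) | (1 << 15))
    flags = pax_flags(data)
    print("no PT_PAX_FLAGS header" if flags is None else describe(flags))
```

Run with a file argument it inspects a real binary; without one it decodes the constructed image, whose flags enable MPROTECT and disable RANDMMAP. An audit script built on this can list every binary on the target that switches a PaX protection off, which is the set an administrator should be able to justify.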


Additional Resources from Wind River


Agenda

Additional Resources from Wind River

• Wind River Support Network
• Customer Support
• Additional Training Classes
• On-Demand Learning
• Mentoring
• Your Instructor
• Your Field Application Engineer
• Wind River Professional Services


Wind River Support Network

• Log in: go to www.windriver.com/support, then from the menu select Support > Support Network Login
• Requires a Wind River license number or validation code
• Part of your Wind River support contract
• Contains:
  – Downloads
  – Release notes
  – Tech tips and application notes
  – Patches
  – Manuals
• Online Technical Service Request (TSR) Manager
  – Create, view, modify TSRs
• Fastest way to get assistance from Wind River support


Customer Support

• Multiple support programs to meet your support needs (standard, premium, custom)
• For contact information, go to www.windriver.com/support/contact.html.
• Refer to the Customer Support User's Guide (CSUG) for details.


Additional Training Classes

Category        Courses
Essentials      Workbench, Real-Time Programming
OS              VxWorks, Linux
Multicore       Technology Overview, SMP, AMP
Networking      Platform, Real-time
Certification   DO-178B, IEC 61508, ARINC 653
Low-level       Device Drivers, On-Chip
Security        Multiple Independent Levels of Security (MILS)

• For a complete list, go to www.WindRiver.com then select Education > Course Catalog.


On-Demand Learning

Productivity Pass offers:
• Annual subscription to learning resources
• Unlimited access to the on-demand catalog for one full year
• 24/7 support for using the online materials
• Advanced and specialized tutorials
• Quick-tip videos
• Leading-edge technology overviews
• Downloadable how-to guides
• New courses and resources that become available during your subscription, with no added charge

For more information, go to www.windriver.com then select Education from the menu.


Mentoring

• Remote or on-site assistance
  – Product installation and configuration
  – Tool integration into work flow processes
  – Technology adoption and design considerations
  – Technology assistance, usage, and best practices
  – Migration to multicore platforms
  – Performance analysis and optimization
• Focused on vertical market segments:
  – Aerospace and Defense
  – Networking
  – Industrial and Medical
  – Consumer
• For more information, go to www.windriver.com and select Education from the menu.


Your Instructor

• Available via email or phone
• Questions about a course you completed
• Questions about other training classes
• May not have the answer, but can often guide you to one


Your Field Application Engineer (FAE)

• Works closely with your account manager (AM)
• Broad technical knowledge and experience
• Role is to ensure that the technical needs of your company or project are understood and addressed
• Do you know who your FAE is?


Wind River Professional Services

Custom enabling services to help you transition and execute.

• Architectural Consulting & Planning Services
  – Architectural studies and technology migration planning
• Platform Services
  – Application and development
  – Porting, integration and migration services
  – Kernel, OS, and hypervisor customization and optimization
  – BSPs, drivers, boot loaders
  – Feature and roadmap acceleration
• Turnkey Product Development Services (Hardware & Software)
  – Turnkey product design and manufacturing insertion
• IP Management Services
  – Long term customized platform management
• FAST Certification Services
  – System safety and security consulting (IEC 61508, DO-178, MILS)
• Tooling Services
  – Workbench customization and integration
  – Simics modeling, integration, and consulting services
  – Test Management methodology consulting and integration services

Platforms covered: VxWorks 5 / 6 (DO-178B, IEC 61508), VxWorks 653 (DO-178B), VxWorks MILS (Common Criteria), Wind River Linux (Common Criteria), WR Android Platform, Workbench, Simics, Test Management.


http://education.windriver.com [email protected]