Running Secure Webserver on SmartFusion2 Devices Using PolarSSL, lwIP, and FreeRTOS - Libero SoC v11.7
DG0516 Demo Guide
Revision 6

1 Preface

1.1 Purpose

This demo is for SmartFusion®2 system-on-chip (SoC) field programmable gate array (FPGA) devices. It provides instructions on how to use the corresponding reference design.

1.2 Intended Audience

This demo guide is intended for:
• FPGA designers
• Embedded designers
• System-level designers

1.3 References

1.3.1 Microsemi Publications

See the following web page for a complete and up-to-date listing of SmartFusion2 device documentation: http://www.microsemi.com/products/fpga-soc/soc-fpga/sf2docs
• UG0331: SmartFusion2 Microcontroller Subsystem User Guide
• UG0447: IGLOO2 and SmartFusion2 High Speed Serial Interfaces User Guide
• Libero SoC User Guide
• UG0557: SmartFusion2 SoC FPGA Advanced Development Kit User Guide

1.3.2 Others

The following references are used in this document:
• PolarSSL TLS/SSL protocol: https://tls.mbed.org/
• lwIP TCP/IP stack:
  • www.sics.se/~adam/lwip/
  • http://download.savannah.gnu.org/releases/lwip/
• FreeRTOS™ stack: www.freeRTOS.org

2 Running Secure Webserver Demo Design on SmartFusion2 Devices Using PolarSSL, lwIP and FreeRTOS

2.1 Introduction

This demo explains the Secure Webserver capabilities using transport layer security (TLS) and secure sockets layer (SSL) protocol and tri-speed Ethernet medium access controller (TSEMAC) of the SmartFusion2 devices.
This demo describes:
• Use of SmartFusion2 Ethernet MAC connected to a serial gigabit media independent interface (SGMII) PHY.
• Integration of SmartFusion2 MAC driver with the PolarSSL library (free TLS/SSL protocol library), lwIP TCP/IP stack and the FreeRTOS operating system.
• Use of Microsemi cryptographic system services in the implementation of TLS/SSL protocol.
• Implementation of the Secure Webserver application on the SmartFusion2 Advanced Development Kit board.
• Procedure to run the demo.

The microcontroller subsystem (MSS) of the SmartFusion2 device has an instance of the TSEMAC peripheral. The TSEMAC can be configured between the host PC and the Ethernet network at the following data transfer rates (line speeds):
• 10 Mbps
• 100 Mbps
• 1000 Mbps

See the UG0331: SmartFusion2 Microcontroller Subsystem User Guide for more information on the TSEMAC interface for SmartFusion2 devices.

2.1.1 Secure Webserver Demo Design Overview

The Secure Webserver application supports the TLS/SSL security protocol, which encrypts and decrypts the messages to secure the communication against message tampering. Communication from the Secure Webserver ensures that sensitive data is translated into a secret code that is difficult to tamper with.

The Secure Webserver demo design consists of the following layers:
• Application Layer
• Security Layer (TLS/SSL Protocol)
• Transport Layer (lwIP TCP/IP Stack)
• RTOS and Firmware Layer

Figure 1 shows the block diagram of the Secure Webserver demo design.

Figure 1 • Block Diagram of Secure Webserver Demo Design on SmartFusion2
[Figure blocks: Application Layer (HTTPS); Security Layer (TLS/SSL Protocol); FreeRTOS; Transport Layer (lwIP TCP/IP Stack); Firmware Layer; SmartFusion2 Advanced Development Kit (HW)]

2.1.1.1 Application Layer

The Secure Webserver application is implemented on the SmartFusion2 Advanced Development Kit board.
The application handles the HTTPS request from the client browser and transfers the static pages to the client in response to their requests. These pages run on the client (host PC) browser. Figure 2 shows the block diagram of the connecting server (Secure Webserver application running on SmartFusion2 device) and client (web browser running on host PC).

Figure 2 • Client Server Communication Block Diagram
[Figure blocks: Host PC (TLS/SSL Client, Web browser; Serial Terminal Emulation Program); Network (Ethernet Communication); SmartFusion2 (TLS/SSL Server Application); Serial Communication (UART)]

When the URL with IP address (for example, https://10.60.3.120) is entered in the browser, the HTTPS request is sent to the port on the Secure Webserver. The Secure Webserver then interprets the request and responds to the client with the requested page or resource.

2.1.1.2 Security Layer (TLS/SSL Protocol)

Internet browsers and Webservers use the TLS/SSL protocol to transmit information securely. The TLS/SSL protocol is used to authenticate the server and client and to establish secure communication between the authenticated parties using encrypted messages. This protocol is layered above the transport protocol, TCP/IP, as shown in Figure 1. This protocol provides privacy and reliability in data transfers between the client (internet browser) and the Webserver.

An Open Source PolarSSL library is used to implement the TLS/SSL protocol for the Secure Webserver application in this demo.
See the following URLs for complete TLS/SSL protocol implementation details:
• Transport Layer Security protocol Version 1.2: http://tools.ietf.org/html/rfc5246
• Transport Layer Security protocol Version 1.1: http://tools.ietf.org/html/rfc4346
• Transport Layer Security protocol Version 1.0: http://tools.ietf.org/html/rfc2246
• Secure Sockets Layer protocol Version 3.0: http://tools.ietf.org/html/rfc6101

The PolarSSL library includes the cryptographic and TLS/SSL protocol implementations. This library provides the application programming interface functions to implement the Secure Webserver application using the TLS/SSL protocol and the software cryptographic algorithms. See https://polarssl.org/ for the TLS/SSL protocol library source code, written in C, and licensing information.

2.1.1.3 Transport Layer (lwIP TCP/IP Stack)

The lwIP stack is suitable for embedded systems because of its low resource usage. It can be used with or without an operating system. The lwIP stack consists of the actual implementations of the IP, ICMP, UDP, and TCP protocols, as well as support functions such as buffer and memory management. For more information on the design and implementation, see www.sics.se/~adam/lwIP/doc/lwIP.pdf.

The lwIP is available (under a BSD license) in C source-code format for download from the following address: http://download.savannah.gnu.org/releases/lwIP/

2.1.1.4 RTOS and Firmware Layer

FreeRTOS is an open source real time operating system kernel. FreeRTOS is used in this demo to prioritize and schedule the tasks. See http://www.freertos.org for more information and the latest source code.

The firmware provides the software driver implementation to configure and control the following MSS components:
• Ethernet MAC
• System controller services
• MMUART
• GPIO
• SPI

2.2 Design Requirements

Table 1 lists the hardware and software design requirements.
Table 1 • Design Requirements

| Design Requirements | Description |
|---|---|
| Hardware Requirements | |
| SmartFusion2 Advanced Development Kit: 12 V adapter, FlashPro5, USB A to Mini-B cable | Rev A or later |
| RJ45 cable | – |
| Host PC or Laptop | Windows 64-bit Operating System |
| Software Requirements | |
| Libero® System-on-Chip (SoC) for viewing the design files | v11.7 |
| FlashPro Programming Software | v11.7 |
| SoftConsole | v3.4 SP1* |
| Host PC Drivers | USB to UART drivers |
| One of the following serial terminal emulation programs: HyperTerminal, TeraTerm, PuTTY | – |
| Browser | Mozilla Firefox version 24 or later; Internet Explorer version 8 or later |

Note: *For this tutorial, SoftConsole v3.4 SP1 is used. For using SoftConsole v4.0, see the TU0546: SoftConsole v4.0 and Libero SoC v11.7 Tutorial.

2.3 Demo Design

2.3.1 Introduction

The demo design files are available for download from the Microsemi website: http://soc.microsemi.com/download/rsc/?f=m2s_dg0516_liberov11p7_df

The demo design files include:
• The Libero SoC hardware project with SoftConsole firmware project
• STAPL programming file
• readme.txt file

Figure 3 shows the top-level structure of the design files. For further details, refer to the readme.txt file.

Figure 3 • Demo Design Files Top-Level Structure
[Figure entries: <download_folder>; sf2_secure_webserver_tcp_demo_df; libero; stapl_programming_file; readme.txt]

2.3.2 Demo Design Features

The demo has the following options:
• Blinking LEDs
• HyperTerminal Display
• SmartFusion2 Google Search

2.3.3 Demo Design Description

The demo design is implemented using an SGMII PHY interface by configuring the TSEMAC for the ten-bit interface (TBI) operation. For more information on the TSEMAC TBI interface, see the UG0331: SmartFusion2 Microcontroller Subsystem User Guide.
The demo design comprises:
• Libero SoC Hardware Project
• SoftConsole Firmware Project

2.3.3.1 Libero SoC Hardware Project

Figure 4 shows the Libero SoC hardware design implementation for this demo design.

Figure 4 • Libero Top-Level Design

The Libero Hardware project uses the following SmartFusion2 MSS resources and IPs:
1. TSEMAC TBI interface.
2. MMUART_0 for RS-232 communications on the SmartFusion2 Advanced Development Kit.
3. General purpose input and output (GPIO): Interfaces with the light-emitting diodes (LEDs).
4. High speed serial interface (SERDESIF) SERDES_IF IP: Configured for SERDESIF_3 EPCS lane3 as shown in Figure 5. For more information on high-speed serial interfaces, see the UG0447: IGLOO2 and SmartFusion2 High Speed Serial Interfaces User Guide.
5. Cryptographic system controller services: To implement TLS/SSL protocol.

Figure 5 • High Speed Serial Interface Configurator Window

2.3.3.1.1 Package Pin Assignments

Package pin assignments for LEDs and PHY interface signals are shown in Table 2 and Table 3.

Table 2 lists the port names for the package pins.

Table 2 • LED to Package Pins Assignments

| Port Name | Package Pin |
|---|---|
| LED_1 | D26 |
| LED_2 | F26 |
| LED_3 | F27 |
| LED_4 | C26 |
| LED_5 | C28 |
| LED_6 | B27 |
| LED_7 | C27 |
| LED_8 | E26 |

Table 3 lists the port names and directions for the package pins.

Table 3 • PHY Interface Signals to Package Pins Assignments

| Port Name | Direction | Package Pin |
|---|---|---|
| PHY_MDC | Output | F3 |
| PHY_MDIO | Input | K7 |
| PHY_RST | Output | F2 |

2.3.3.2 SoftConsole Firmware Project

Invoke the SoftConsole project using standalone SoftConsole IDE.
The following stacks are used for this demo design:
• PolarSSL library version 1.2.8
• lwIP TCP/IP stack version 1.4.1
• FreeRTOS

Figure 1 shows the block diagram of the Secure Webserver application on the SmartFusion2 devices used in this demo design. Figure 6 shows an example SoftConsole software directory structure of the demo design.

Figure 6 • Example SoftConsole Project Explorer Window

The SoftConsole workspace consists of two projects.

1. Webserver_TCP_MSS_CM3_app
This project contains the Secure Webserver application implementation using PolarSSL, lwIP, and FreeRTOS. The advanced encryption standard (AES) and non-deterministic random bit generator (NRBG) system services are used to implement the Secure Webserver application. The AES and NRBG can be implemented using the SmartFusion2 hardware engine or the software PolarSSL library. In this demo design, AES and NRBG are implemented using the SmartFusion2 hardware engine through system services.

Table 4 • Macros to Enable or Disable System Controller Services

| System Service | Macro | Macro Location |
|---|---|---|
| AES | #define HW_AES 1 | <download_folder>\SF2_Secure_Webserver_TCP_Demo_DF\Libero\Webserver\SoftConsole\Webserver_TCP_sb_MSS_CM3\Webserver_TCP_sb_MSS_CM3_app\polarssl-1.2.8\include\polarssl\aes.h |
| NRBG | #define HW_NRBG 1 | <download_folder>\SF2_Secure_Webserver_TCP_Demo_DF\Libero\Webserver\SoftConsole\Webserver_TCP_sb_MSS_CM3\Webserver_TCP_sb_MSS_CM3_app\polarssl-1.2.8\include\polarssl\ssl.h |

Note: The system services AES and NRBG are supported on data security enabled SmartFusion2 devices such as M2S0150TS. If the SmartFusion2 device is not data security enabled, disable the macros mentioned in Table 4 to use the software PolarSSL AES and NRBG algorithms.

2. Webserver_TCP_MSS_CM3_hw_platform
This project contains all the firmware and hardware abstraction layers that correspond to the hardware design.
This project is configured as a library and is referenced by the Webserver_TCP_MSS_CM3_app application project. The contents of this folder are overwritten every time the root design is regenerated and the SoftConsole firmware project is exported from the Libero SoC software.

2.3.3.2.1 TLS/SSL Protocol Implementation using PolarSSL Library

The TLS/SSL protocol is divided into the following two protocol layers:
• Handshake protocol layer
• Record protocol layer

Handshake Protocol Layer

This layer consists of the following sub protocols:
• Handshake: Used to negotiate session information between the server and the client. The session information includes session ID, peer certificates, the cipher spec, the compression algorithm, and a shared secret code that is used to generate required keys.
• Change Cipher Spec: Used to change the key used for encryption between the client and the server. The key is computed from the information exchanged during the client-server handshake.
• Alert: Alert messages are generated during the client-server handshake to report an error or a change in status to the peer.

Figure 7 shows the overview of the TLS/SSL handshake procedure. See http://tools.ietf.org/html/rfc5246 for detailed information on handshake protocol, record protocol, and cryptographic algorithms.

Figure 7 • TLS/SSL Handshake Procedure
[Figure: messages between Client (Host PC – Web Browser) and Server (SmartFusion2 Device), in order: Client Hello (Cryptographic Information); Server Hello; Server Certificate, key Exchange, Client Certificate Request; Server Hello Done; Client certificate, Client key Exchange, Change Cipher Spec; Sends Secret key Information Encrypted with Server Public Key; Client Finished; Change Cipher Spec, Server Finished; Exchange Encrypted Messages]

Record Protocol Layer

The record protocol receives and encrypts data from the application and transfers it to the transport layer.
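
The Handshake, Change Cipher Spec and Alert sub protocols and the application data all travel inside records that start with a 5-byte header. The following added example (not part of the original guide and not PolarSSL code) is a bounds-checked parser for that header as defined in RFC 5246; the function names, status codes and sample bytes are constructed for illustration.

```c
/* Added example: bounds-checked TLS record-header parser (not PolarSSL code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record content types, RFC 5246 section 6.2.1. */
enum { CT_CHANGE_CIPHER_SPEC = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APPLICATION_DATA = 23 };

#define REC_HDR_LEN 5u               /* type(1) + version(2) + length(2) */
#define REC_MAX_LEN (16384u + 2048u) /* TLSCiphertext limit, RFC 5246 section 6.2.3 */

typedef enum { REC_OK, REC_NEED_MORE, REC_BAD_TYPE, REC_BAD_VERSION, REC_BAD_LENGTH } rec_status;

typedef struct {
    uint8_t type;            /* one of the CT_* values */
    uint8_t ver_minor;       /* 0 = SSL 3.0, 1..3 = TLS 1.0..1.2 */
    uint16_t length;         /* fragment length in bytes */
    const uint8_t *fragment; /* points into the caller's buffer */
} tls_record;

/* Parse one record at buf[0..len). Every header field is validated before the
 * declared length is trusted, so a malformed header is rejected from its first
 * five bytes and never drives how much the caller buffers or reads. */
rec_status tls_parse_record(const uint8_t *buf, size_t len, tls_record *out)
{
    if (len < REC_HDR_LEN)
        return REC_NEED_MORE;
    if (buf[0] < CT_CHANGE_CIPHER_SPEC || buf[0] > CT_APPLICATION_DATA)
        return REC_BAD_TYPE;
    if (buf[1] != 3 || buf[2] > 3)   /* only 3.0 (SSL 3.0) to 3.3 (TLS 1.2) */
        return REC_BAD_VERSION;
    unsigned rlen = ((unsigned)buf[3] << 8) | buf[4];
    /* Empty fragments are only legal for application data. */
    if (rlen > REC_MAX_LEN || (rlen == 0 && buf[0] != CT_APPLICATION_DATA))
        return REC_BAD_LENGTH;
    if (len - REC_HDR_LEN < rlen)
        return REC_NEED_MORE;        /* header is fine, body not fully buffered */
    out->type = buf[0];
    out->ver_minor = buf[2];
    out->length = (uint16_t)rlen;
    out->fragment = buf + REC_HDR_LEN;
    return REC_OK;
}

/* Status of the first record only. */
rec_status tls_check(const uint8_t *buf, size_t len)
{
    tls_record r;
    return tls_parse_record(buf, len, &r);
}

/* Type of the first handshake message in a plaintext handshake record, or -1.
 * After Change Cipher Spec the fragment is encrypted, so this is meaningful
 * only for the opening flights of the handshake. */
int tls_first_handshake_type(const uint8_t *buf, size_t len)
{
    tls_record r;
    if (tls_parse_record(buf, len, &r) != REC_OK || r.type != CT_HANDSHAKE)
        return -1;
    return r.fragment[0];            /* handshake records are never empty */
}

const char *tls_handshake_name(int hs_type)
{
    switch (hs_type) {
    case 1:  return "ClientHello";
    case 2:  return "ServerHello";
    case 11: return "Certificate";
    case 12: return "ServerKeyExchange";
    case 13: return "CertificateRequest";
    case 14: return "ServerHelloDone";
    case 16: return "ClientKeyExchange";
    case 20: return "Finished";
    default: return "";
    }
}

/* Walk back-to-back records. Returns how many parsed cleanly; *end receives
 * the status that stopped the walk (REC_OK if the buffer was fully consumed). */
int tls_walk(const uint8_t *buf, size_t len, rec_status *end)
{
    int n = 0;
    rec_status st = REC_OK;
    tls_record r;
    while (len > 0 && (st = tls_parse_record(buf, len, &r)) == REC_OK) {
        printf("record type=%u version=3.%u length=%u %s\n", (unsigned)r.type,
               (unsigned)r.ver_minor, (unsigned)r.length,
               tls_handshake_name(tls_first_handshake_type(buf, len)));
        buf += REC_HDR_LEN + r.length;
        len -= REC_HDR_LEN + r.length;
        n++;
    }
    if (end != NULL)
        *end = st;
    return n;
}

/* Constructed sample bytes (not a capture): ServerHelloDone, ChangeCipherSpec,
 * then a fatal handshake_failure alert, all as TLS 1.2 records. */
static const uint8_t SAMPLE_FLIGHT[] = {
    0x16, 0x03, 0x03, 0x00, 0x04, 0x0e, 0x00, 0x00, 0x00,
    0x14, 0x03, 0x03, 0x00, 0x01, 0x01,
    0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28
};
/* Constructed malformed headers. */
static const uint8_t SAMPLE_OVERSIZE[] = { 0x17, 0x03, 0x03, 0x48, 0x01 }; /* 18433 bytes */
static const uint8_t SAMPLE_BAD_TYPE[] = { 0x80, 0x2e, 0x01, 0x03, 0x01 };
static const uint8_t SAMPLE_BAD_VER[]  = { 0x16, 0x02, 0x00, 0x00, 0x04 };
static const uint8_t SAMPLE_EMPTY_HS[] = { 0x16, 0x03, 0x01, 0x00, 0x00 };

int main(void)
{
    rec_status end;
    int n = tls_walk(SAMPLE_FLIGHT, sizeof SAMPLE_FLIGHT, &end);
    printf("%d records parsed, end status %d\n", n, (int)end);
    printf("oversize header -> status %d\n",
           (int)tls_check(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE));
    return 0;
}
```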
The record protocol fragments the received data to a size appropriate to the cryptographic algorithm and optionally compresses the data. The protocol applies a MAC or HMAC and encrypts or decrypts the data using the information negotiated during the handshake protocol.

2.4 Setting Up the Demo Design

The following steps describe how to set up the demo for the SmartFusion2 Advanced Development Kit board:

1. Connect the host PC to the J33 Connector using the USB A to mini-B cable. The USB to UART bridge drivers are automatically detected.
2. From the four detected COM ports, select the one whose Location in its Properties window is shown as on USB FP5 Serial Converter C. Make a note of the COM port number for serial port configuration and ensure that the COM port Location is specified as on USB FP5 Serial Converter C, as shown in Figure 8.

Figure 8 • Device Manager Window

3. If USB drivers are not detected automatically, install the USB driver.
4. For serial terminal communication through the FTDI mini USB cable, install the FTDI D2XX driver. Download the drivers and installation guide from: www.microsemi.com/soc/documents/CDM_2.08.24_WHQL_Certified.zip
5. Connect the jumpers on the SmartFusion2 Advanced Development Kit board as shown in Table 5. For information on jumper locations, refer to "Appendix: Jumper Locations".

Caution: Switch OFF the power supply switch, SW7, before making the jumper connections.

Table 5 • SmartFusion2 Advanced Kit Jumper Settings

| Jumper | Pin (From) | Pin (To) | Comments |
|---|---|---|---|
| J116, J353, J354, J54 | 1 | 2 | These are the default jumper settings of the Advanced Dev Kit board. Ensure these jumpers are set accordingly. |
| J123 | 2 | 3 | These are the default jumper settings of the Advanced Dev Kit board. Ensure these jumpers are set accordingly. |
| J124, J121, J32 | 1 | 2 | JTAG programming via FTDI |
| J118, J119 | 1 | 2 | Programming SPI Flash |

6. In the SmartFusion2 Advanced Development Kit, connect the power supply to the J42 connector.
7. This design example can run in both Static IP and Dynamic IP modes. By default, programming files are provided for dynamic IP mode.
   • For static IP, connect the host PC to the J21 connector of the SmartFusion2 Advanced Development Kit board using an RJ45 cable.
   • For dynamic IP, connect any one of the open network ports to the J21 connector of the SmartFusion2 Advanced Development Kit board using an RJ45 cable.

2.4.1 Board Setup Snapshot

Snapshots of the SmartFusion2 Advanced Development Kit board with all the setup made are given in "Appendix: Board Setup for Running the Secure Webserver".

2.5 Running the Demo Design

The following steps describe how to run the demo design:

1. Download the demo design from: http://soc.microsemi.com/download/rsc/?f=m2s_dg0516_liberov11p7_df
2. Switch ON the SW7 power supply switch.
3. Start any serial terminal emulation program such as:
   • HyperTerminal
   • PuTTY
   • TeraTerm
   Note: In this demo PuTTY is used.
   The configuration for the program is:
   • Baud Rate: 115200
   • Eight data bits
   • One stop bit
   • No Parity
   • No flow control
   For information on configuring the serial terminal emulation programs, refer to the Configuring Serial Terminal Emulation Programs Tutorial.
4. Launch the FlashPro software.
5. Click New Project.
6. In the New Project window, enter the project name as shown in Figure 9.

Figure 9 • FlashPro New Project

7. Click Browse and navigate to the location where the project is required to be saved.
8. Select Single device as the Programming mode.
9. Click OK to save the project.
10. Click Configure Device.
11. Click Browse and navigate to the location where the Webserver_tcp_top_Secure_Demo.stp file is located and select the file. The default location is: <download_folder>\SF2_Secure_Webserver_TCP_Demo_DF\Stapl_ProgrammingFile\Webserver_tcp_top_Secure_Demo.stp
    The required programming file is selected and is ready to be programmed in the device, as shown in Figure 10.

Figure 10 • FlashPro Project Configured

12. Click PROGRAM to start programming the device. Wait until a message is displayed, indicating that the program has passed.

Figure 11 • FlashPro Program Passed

Note: The demo can be run in static and dynamic modes. To run the design in Static IP mode, follow the steps mentioned in the "Appendix: Running the Design in Static IP Mode".

13. Power cycle the SmartFusion2 Advanced Development Kit board. A welcome message with the dynamic IP address is displayed in the serial terminal emulation program, as shown in Figure 12.

Figure 12 • User Options

14. Enter the IP address displayed on PuTTY in the address bar of the browser to run the Secure Webserver. If the IP address is 10.60.3.120, enter https://10.60.3.120 in the address bar of the browser. This demo supports both Microsoft Internet Explorer and Mozilla Firefox browsers.

2.5.1 Running the Secure Webserver Demo with Microsoft Internet Explorer

The following steps describe how to run the Secure Webserver demo with Microsoft Internet Explorer:

1. Open the Microsoft Internet Explorer and type the URL (for example, https://10.60.3.120) in the address bar. The browser shows a warning message as shown in Figure 13.

Figure 13 • Microsoft Internet Explorer showing Certificate Error Warning Message

2. Click Continue to this website (not recommended) to start secure communication with the Webserver. The Microsoft Internet Explorer displays the main menu of the Secure Webserver, as shown in Figure 14.

Figure 14 • Main Menu of Secure Webserver in Internet Explorer

2.5.2 Running the Secure Webserver Demo with Mozilla Firefox

The following steps describe how to run the Secure Webserver Demo with Mozilla Firefox:

1. Open the Mozilla Firefox browser and enter the URL (for example, https://10.60.3.120) in the address bar. The browser shows a warning message, as shown in Figure 15.

Figure 15 • Mozilla Firefox showing Warning Message

2. Select I Understand the Risks and click Add Exception….
3. Click Confirm Security Exception in Add Security Exception window, as shown in Figure 16, to start secure communication with the Webserver.

Figure 16 • Add Security Exception Window

Note: Adding security exception for the IP Address is required for first-time browsing only.

4. The Mozilla Firefox browser displays the main menu, as shown in Figure 17.

Figure 17 • Main Menu of the Secure Webserver in Mozilla Firefox

The main menu has the following options:
• Blinking LEDs
• HyperTerminal Display
• SmartFusion2 Google Search

Note: These options can be verified using either Microsoft Internet Explorer or Mozilla Firefox web browsers. In this demo, the options are demonstrated using Mozilla Firefox web browser.

2.5.2.1 Blinking LEDs

1. Click Blinking LEDs on the main menu. You can observe a running LED pattern on the SmartFusion2 board.
The webpage gives an option to enter values to blink the LEDs manually, as shown in Figure 18.

Figure 18 • Blinking LEDs Page

2. Enter any number between 1-255 to light the LEDs manually. For example, if you enter 1, blinking LED1 goes OFF. If you enter 255, all the eight blinking LEDs go OFF.

3. Click Home to return to the main menu.

Note: SmartFusion2 Advanced Development Kit has Active Low LEDs.

2.5.2.2 HyperTerminal Display

1. Click HyperTerminal Display on the main menu. Figure 19 shows a webpage that gives an option to enter a string value.

Figure 19 • HyperTerminal Display Page

The entered string is displayed on PuTTY, as shown in Figure 20.

Figure 20 • String Display on PuTTY

2. Click Go Back One Page (arrow button) or Home to go back to the main menu.

2.5.2.3 SmartFusion2 Google Search

1. Click SmartFusion2 Google Search on the main menu.

Note: Internet connection is required with proper access rights to get to the SmartFusion2 Google Search page.

Figure 21 shows a web page with Google search.

Figure 21 • SmartFusion2 Google Search Page

2. Click Home to go back to the main menu.

3 Appendix: Board Setup for Running the Secure Webserver

Figure 22 shows the board setup for running the demo on the SmartFusion2 Advanced Development Kit board.

Figure 22 • SmartFusion2 Advanced Development Kit Setup

4 Appendix: Jumper Locations

Figure 23 shows the jumper locations in the SmartFusion2 Advanced Development Kit board.
Figure 23 • Jumper Locations in Advanced Development Kit Board

Note:
• Jumpers highlighted in red are set by default.
• Jumpers highlighted in green must be set manually.
• The locations of the jumpers in Figure 23 are searchable.

5 Appendix: Running the Design in Static IP Mode

The following steps describe how to run the design in Static IP mode:

1. Right-click the Webserver_TCP_MSS_CM3_app in the Project Explorer window of SoftConsole project and select Properties, as shown in Figure 24.

Figure 24 • Project Explorer Window of SoftConsole Project

Figure 25 shows removing the symbol NET_USE_DHCP in the Tool Settings tab of the Properties for Webserver_TCP_MSS_CM3_app window.
Figure 25 • Project Explorer Properties Window

When the device is connected in Static IP mode, the board static IP address is 169.254.1.23; change the host TCP/IP settings to reflect that IP address. Figure 26 shows host PC TCP/IP settings.

Figure 26 • Host PC TCP/IP Settings

Figure 27 shows Static IP address settings.

Figure 27 • Static IP Address Settings

Once these settings are made, build the design. See "Running the Demo Design" section on page 18 to execute the design in static IP mode, if the SmartFusion2 device is already programmed with Webserver_TCP_top_Secure_Demo.stp file.

Note: To run the application in debug mode, FlashPro4 JTAG programmer is required.

6 Revision History

The following table shows important changes made in this document for each revision.

Revision                       Changes
Revision 6 (March 2016)        Updated the document for Libero v11.7 software release (SAR 76931).
Revision 5 (November 2015)     Updated "SoftConsole Firmware Project" section (SAR 73518).
Revision 4 (October 2015)      Updated the document for Libero v11.6 software release (SAR 72058).
Revision 3 (March 2015)        Updated the document for Libero v11.5 software release (SAR 63973).
Revision 2 (September 2014)    Updated the document for Libero v11.4 software release (SAR 60685).
Revision 1 (April 2014)        Initial release.

7 Product Support

Microsemi SoC Products Group backs its products with various support services, including Customer Service, Customer Technical Support Center, a website, electronic mail, and worldwide sales offices. This appendix contains information about contacting Microsemi SoC Products Group and using these support services.

7.1 Customer Service

Contact Customer Service for non-technical product support, such as product pricing, product upgrades, update information, order status, and authorization.
From North America, call 800.262.1060
From the rest of the world, call 650.318.4460
Fax, from anywhere in the world, 408.643.6913

7.2 Customer Technical Support Center

Microsemi SoC Products Group staffs its Customer Technical Support Center with highly skilled engineers who can help answer your hardware, software, and design questions about Microsemi SoC Products. The Customer Technical Support Center spends a great deal of time creating application notes, answers to common design cycle questions, documentation of known issues, and various FAQs. So, before you contact us, please visit our online resources. It is very likely we have already answered your questions.

7.3 Technical Support

For Microsemi SoC Products Support, visit http://www.microsemi.com/products/fpga-soc/design-support/fpga-soc-support.

7.4 Website

You can browse a variety of technical and non-technical information on the Microsemi SoC Products Group home page, at http://www.microsemi.com/products/fpga-soc/fpga-and-soc.

7.5 Contacting the Customer Technical Support Center

Highly skilled engineers staff the Technical Support Center. The Technical Support Center can be contacted by email or through the Microsemi SoC Products Group website.

7.5.1 Email

You can communicate your technical questions to our email address and receive answers back by email, fax, or phone. Also, if you have design problems, you can email your design files to receive assistance. We constantly monitor the email account throughout the day. When sending your request to us, please be sure to include your full name, company name, and your contact information for efficient processing of your request.

The technical support email address is [email protected].

7.5.2 My Cases

Microsemi SoC Products Group customers may submit and track technical cases online by going to My Cases.

7.5.3 Outside the U.S.
Customers needing assistance outside the US time zones can either contact technical support via email ([email protected]) or contact a local sales office. Visit About Us for sales office listings and corporate contacts.

7.6 ITAR Technical Support

For technical support on RH and RT FPGAs that are regulated by International Traffic in Arms Regulations (ITAR), contact us via [email protected]. Alternatively, within My Cases, select Yes in the ITAR drop-down list. For a complete list of ITAR-regulated Microsemi FPGAs, visit the ITAR web page.

Microsemi Corporation (Nasdaq: MSCC) offers a comprehensive portfolio of semiconductor and system solutions for communications, defense & security, aerospace and industrial markets. Products include high-performance and radiation-hardened analog mixed-signal integrated circuits, FPGAs, SoCs and ASICs; power management products; timing and synchronization devices and precise time solutions, setting the world's standard for time; voice processing devices; RF solutions; discrete components; Enterprise Storage and Communication solutions, security technologies and scalable anti-tamper products; Ethernet solutions; Power-over-Ethernet ICs and midspans; as well as custom design capabilities and services. Microsemi is headquartered in Aliso Viejo, Calif, and has approximately 4,800 employees globally. Learn more at www.microsemi.com.

Microsemi Corporate Headquarters
One Enterprise, Aliso Viejo, CA 92656 USA
Within the USA: +1 (800) 713-4113
Outside the USA: +1 (949) 380-6100
Sales: +1 (949) 380-6136
Fax: +1 (949) 215-4996
E-mail: [email protected]

© 2016 Microsemi Corporation. All rights reserved. Microsemi and the Microsemi logo are trademarks of Microsemi Corporation. All other trademarks and service marks are the property of their respective owners.
Microsemi makes no warranty, representation, or guarantee regarding the information contained herein or the suitability of its products and services for any particular purpose, nor does Microsemi assume any liability whatsoever arising out of the application or use of any product or circuit. The products sold hereunder and any other products sold by Microsemi have been subject to limited testing and should not be used in conjunction with mission-critical equipment or applications. Any performance specifications are believed to be reliable but are not verified, and Buyer must conduct and complete all performance and other testing of the products, alone and together with, or installed in, any end-products. Buyer shall not rely on any data and performance specifications or parameters provided by Microsemi. It is the Buyer's responsibility to independently determine suitability of any products and to test and verify the same. The information provided by Microsemi hereunder is provided “as is, where is” and with all faults, and the entire risk associated with such information is entirely with the Buyer. Microsemi does not grant, explicitly or implicitly, to any party any patent rights, licenses, or any other IP rights, whether with regard to such information itself or anything described by such information. Information provided in this document is proprietary to Microsemi, and Microsemi reserves the right to make any changes to the information in this document or to any products and services at any time without notice.

50200516-6/03.16