Skip to main content

production-deployment

The v1.0 integration flagship — a field-deployable IoT product that exercises factory provisioning → secure boot → OTA → remote attestation in one app. Every other example covers one library surface; this one covers the production lifecycle that ties them all together.

Source: examples/production-deployment/.

Lifecycle stages

  1. Factory provisioning read-back. On boot, <alp/hw_info.h> reads the EEPROM manifest programmed at factory test. Production firmware treats this as the authoritative per-unit identity (SKU, serial, HW revision, factory date).
  2. Secure-boot attestation. MCUboot chain is verified by the bootloader; the application reports back the slot it's running from and the signature key ID.
  3. Application work. Runs whatever the device actually does — for the example, a small connected sensor reporting over MQTT with TLS.
  4. OTA receive + verify. Updates are pulled via Mender (Yocto) or signed MCUboot images (Zephyr); both paths go through <alp/security.h> for signature verification before slot swap.
  5. Remote attestation. Periodically signs a freshness nonce with the on-module OPTIGA Trust M and publishes the signature alongside the EEPROM manifest data so a back-end can prove the running firmware matches the provisioned identity.

board.yaml

schema_version: 2

som:
  sku: E1M-AEN701

carrier:
  name: E1M-EVK

cores:
  m55_hp:
    os: zephyr
    app: ./src
    peripherals: [i2c, gpio]
    iot: { wifi: true, mqtt: true, tls: true }

chips:
  - optiga_trust_m
  - eeprom_24c128

diagnostics:
  log_level: info

For V2N targets, switch som.sku, carrier.name, and os: yocto; the application surfaces are identical.

Build

west alp-build -b alp_e1m_evk_aen alp-sdk/examples/production-deployment
west flash

What it ties together

SDK surfaceStage
<alp/hw_info.h>Stage 1 — factory manifest read
MCUboot + <alp/security.h>Stage 2 — boot attestation
<alp/iot.h> + <alp/security.h>Stage 3 — application traffic
MCUboot signed slot swap / MenderStage 4 — OTA
<alp/chips/optiga_trust_m.h>Stage 5 — attestation signing

See also

Questions about this page? Discuss in Community Forum