I am trying to set up Greengrass Core on my Yocto-based device with an ATECC608B-TNGTLS HSM (exposed through the cryptoauthlib PKCS#11 module). I have set it up as follows:
root@blox-rema:\~# p11tool --provider=/usr/lib/libcryptoauth.so --list-tokens
Token 0:
URL: pkcs11:model=ATECC608B;manufacturer=Microchip%20Technology%20Inc;serial=ABCDEFGH;token=MCHP
Label: MCHP
Type: Hardware token
Flags: RNG, uPIN uninitialized
Manufacturer: Microchip Technology Inc
Model: ATECC608B
Serial: ABCDEFGH
Module:
root@blox-rema:\~# p11tool --provider=/usr/lib/libcryptoauth.so --list-all
Object 0:
URL: pkcs11:model=ATECC608B;manufacturer=Microchip%20Technology%20Inc;serial=ABCDEFGH;token=MCHP;id=ABCDEFGH;object=device;type=private
Type: Private key (EC/ECDSA-SECP256R1)
Label: device
Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: ABCDEFGH
Object 1:
URL: pkcs11:model=ATECC608B;manufacturer=Microchip%20Technology%20Inc;serial=ABCDEFGH;token=MCHP;id=ABCDEFGH;object=device;type=public
Type: Public key (EC/ECDSA-SECP256R1)
Label: device
ID: ABCDEFGH
Next, I configured the Greengrass Core config file as follows:
---
# Greengrass Nucleus effective configuration (the Nucleus reads config.tlog and dumps
# effectiveConfig.yaml, see the log lines further down). Indentation reconstructed here;
# every key and value is exactly as posted.
system:
  # Where the Nucleus looks for the device (thing) certificate. The p11tool --list-all output
  # above lists only a private key and a public key labelled "device" on the token -- no
  # object with type=cert is shown -- so this URI may not resolve to anything. TODO confirm
  # that the cryptoauthlib PKCS#11 module actually exposes the TNGTLS device certificate as a
  # certificate object (or whether this Nucleus version accepts a PEM file path here instead).
  certificateFilePath: "pkcs11:object=device;type=cert"
  # Matches Object 0 in the listing: EC P-256 private key, label "device", flagged
  # CKA_SENSITIVE / CKA_NEVER_EXTRACTABLE, so the key never leaves the chip.
  privateKeyPath: "pkcs11:object=device;type=private"
  rootCaPath: "/greengrass/v2/config/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  # Same value as the token serial printed by p11tool (redacted as ABCDEFGH in this post).
  thingName: "ABCDEFGH"
services:
  # PKCS#11 plugin ("Found Plugin: PKCS11CryptoKeyService" in the log). At startup only
  # keyType=file providers are registered before the MQTT builder asks for "pkcs11" and fails
  # (task-attempt=1, retried). A pkcs11 provider is presumably registered only after this
  # plugin has loaded the module and logged in to the slot, so a problem with any of the
  # settings below would surface as the "provider ... unavailable" error -- TODO confirm by
  # checking the log for the plugin's own error lines.
  aws.greengrass.crypto.Pkcs11Provider:
    configuration:
      library: "/usr/lib/libcryptoauth.so"
      # Free-form provider label; the "lybcryptauth" spelling is harmless.
      name: "lybcryptauth_pkcs11"
      # PKCS#11 slot ID. p11tool prints "Token 0" as its own enumeration index, which is not
      # guaranteed to equal the slot ID the module reports -- TODO confirm with the module's
      # slot listing (e.g. pkcs11-tool --list-slots).
      slot: 0
      # Plaintext PIN in the config file: keep this file readable by root only.
      # The token flags above say "uPIN uninitialized", i.e. no user PIN has been set on the
      # token; whether cryptoauthlib accepts or ignores a PIN in that state is not visible
      # here -- TODO confirm. The value is also unquoted, so YAML parses it as an integer;
      # the documented examples quote it as a string -- TODO confirm an integer is accepted.
      userPin: 1234
    dependencies: \[\]
    version: "0.0.0"
  aws.greengrass.Nucleus:
    componentType: "NUCLEUS"
    configuration:
      awsRegion: "eu-west-1"
      componentStoreMaxSizeBytes: "10000000000"
      deploymentPollingFrequencySeconds: "15"
      envStage: "prod"
      fipsMode: "false"
      fleetStatus:
        periodicStatusPublishIntervalSeconds: 86400
      # Left empty; not set explicitly in this config.
      greengrassDataPlaneEndpoint: ""
      greengrassDataPlanePort: "8443"
      httpClient: {}
      # Endpoints and role alias redacted (ABCDEFGH) in this post.
      iotCredEndpoint: "ABCDEFGH"
      iotDataEndpoint: "ABCDEFGH"
      iotRoleAlias: "ABCDEFGH"
      jvmOptions: "-Dlog.store=FILE"
      logging: {}
      mqtt:
        spooler: {}
      networkProxy:
        proxy: {}
      platformOverride: {}
      # Components run as this unprivileged user/group; the loader itself is started as root
      # by the systemd unit below (it has no User= line).
      runWithDefault:
        posixShell: "sh"
        posixUser: "ggc_user:ggc_group"
      s3EndpointType: "GLOBAL"
      telemetry: {}
    dependencies: \[\]
    lifecycle:
      bootstrap:
        # Runs as root: the script wipes alts/current/* and re-points the distro symlink.
        requiresPrivilege: "true"
        # NOTE(review): this unpacks aws.greengrass.Nucleus/2.13.0 while "version" below says
        # 2.12.6 and the log reports version=2.12.6 -- it looks like a pending Nucleus update
        # (exit 100 asks the loader to restart into the new distro). TODO confirm which
        # version is actually meant to run.
        script: "\\nset -eu\\nKERNEL_ROOT="/greengrass/v2"\\nUNPACK_DIR="/greengrass/v2/packages/artifacts-unarchived/aws.greengrass.Nucleus/2.13.0/aws.greengrass.nucleus"\
          \\nrm -r "$KERNEL_ROOT"/alts/current/\*\\necho "-Dlog.store=FILE" \> "\
          $KERNEL_ROOT/alts/current/launch.params"\\nln -sf "$UNPACK_DIR" "$KERNEL_ROOT/alts/current/distro"\
          \\nexit 100"
    version: "2.12.6"
  DeploymentService:
    ComponentToGroups: {}
    dependencies: \[\]
    GroupToRootComponents: {}
    version: "0.0.0"
  # Timestamps and counters below are presumably runtime state kept by the Nucleus,
  # not hand-edited settings.
  FleetStatusService:
    dependencies: \[\]
    lastPeriodicUpdateTime: 1731961100156
    sequenceNumber: 31
  main:
    dependencies:
      \- "aws.greengrass.Nucleus"
    lifecycle: {}
  TelemetryAgent:
    dependencies: \[\]
    runtime:
      lastPeriodicAggregationMetricsTime: 1730226064766
      lastPeriodicPublishMetricsTime: 1731959838274
    version: "0.0.0"
  UpdateSystemPolicyService:
    dependencies: \[\]
    version: "0.0.0"
Greengrass is normally started through the following systemd service:
\[Unit\]
Description=Greengrass Core
# NOTE(review): network.target only orders this unit after network management has started,
# not after connectivity exists; a service that dials out immediately is usually ordered with
# Wants=/After=network-online.target. The Nucleus retries its connection, so this is a
# robustness nit rather than the cause of the error below -- TODO confirm.
After=network.target
\[Service\]
Type=simple
# With Type=simple systemd tracks the main PID itself; the PID file is informational.
PIDFile=/greengrass/v2/alts/loader.pid
RemainAfterExit=no
Restart=on-failure
RestartSec=10
# No User= line, so the loader runs as root; the Nucleus config's runWithDefault drops
# components to ggc_user:ggc_group. ExecStart follows the alts/current/distro symlink that the
# bootstrap step rewrites, so /greengrass/v2/alts must stay root-owned and not writable by
# ggc_user, or a component could swap what root executes on the next restart -- TODO confirm
# the directory's ownership and permissions.
ExecStart=/bin/sh /greengrass/v2/alts/current/distro/bin/loader
KillMode=mixed
\[Install\]
WantedBy=multi-user.target
However, when Greengrass runs I get the error "Mqtt connection provider for pkcs11 is unavailable", which I have no idea how to solve. These are the relevant log lines up to the error:
2024-11-19T16:07:21.668Z \[INFO\] (main) com.aws.greengrass.util.platforms.Platform: Getting platform instance com.aws.greengrass.util.platforms.unix.linux.LinuxPlatform.. {}
2024-11-19T16:07:21.696Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.Kernel: No ongoing deployment detected. Proceed as default. {}
2024-11-19T16:07:21.814Z \[INFO\] (main) com.aws.greengrass.config.Configuration: config-loading. Read configuration from a file path. {path=/greengrass/v2/config/config.tlog}
2024-11-19T16:07:21.896Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.Kernel: effective-config-dump-complete. {file=/greengrass/v2/config/effectiveConfig.yaml}
2024-11-19T16:07:22.071Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: system-start. Launch Nucleus. {configPath=/greengrass/v2/config, rootPath=/greengrass/v2, version=2.12.6}
2024-11-19T16:07:22.288Z \[INFO\] (main) software.amazon.awssdk.eventstreamrpc.RpcServer: IpcServer started.... {}
2024-11-19T16:07:22.356Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: Found Plugin: PKCS11CryptoKeyService. {}
2024-11-19T16:07:22.357Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.KernelLifecycle: serviceImplementors: {UpdateSystemPolicyService:class com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService...}. {}
2024-11-19T16:07:22.369Z \[INFO\] (main) com.aws.greengrass.security.SecurityService: Register crypto key service provider. {keyType=file}
2024-11-19T16:07:22.370Z \[INFO\] (main) com.aws.greengrass.security.SecurityService: Register MQTT connection security provider. {keyType=file}
2024-11-19T16:07:22.377Z \[INFO\] (main) com.aws.greengrass.mqttclient.spool.Spool: Spooler has been configured. {maxSizeInBytes=2621440, storageType=Memory, keepQos0WhenOffline=false}
2024-11-19T16:07:22.378Z \[INFO\] (main) com.aws.greengrass.mqttclient.spool.Spool: Memory Spooler has been set up. {}
2024-11-19T16:07:22.393Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=aws.greengrass.Nucleus}
2024-11-19T16:07:22.419Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=main}
2024-11-19T16:07:22.433Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=UpdateSystemPolicyService}
2024-11-19T16:07:22.435Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=DeploymentService}
2024-11-19T16:07:22.505Z \[INFO\] (main) com.aws.greengrass.lifecyclemanager.Kernel: Attempt to load service from plugins. {serviceName=TelemetryAgent}
2024-11-19T16:07:22.529Z \[INFO\] (pool-3-thread-6) com.aws.greengrass.security.SecurityService: get-mqtt-connection-builder. task failed and will be retried. {task-attempt=1}
com.aws.greengrass.security.exceptions.ServiceUnavailableException: Mqtt connection provider for pkcs11 is unavailable
at com.aws.greengrass.security.SecurityService.selectMqttConnectionProvider(SecurityService.java:219)
Does anyone have any idea what I am doing wrong? The HSM seems to be set up correctly, and the thing and its certificate were created automatically through Microchip's Trust Platform using a manifest file. I have already tried changing the PIN, slot number, user, etc., but with no result.
It's my first time setting up greengrass with an HSM and any help would be much appreciated!