Greengrass scripts fail on brand new Zymkey 4i

I’m following the instructions here: https://docs.zymbit.com/tutorials/aws-iot/greengrass/Zymkey%20Getting%20Started%20Guide%20for%20AWS%20IoT%20Greengrass%20Devices_1.1.pdf

I also commented out the line that installs the awscli since I want to handle the csr out of band. As part of this, I removed the common shell script. However it looks like the line that does the init token is failing with CKR_SLOT_ID_INVALID: Slot 0 does not exist.:

sudo zk_pkcs11-util --use-zkslot 0  --init-token --slot 0 --label "greengrass" --pin 1234 --so-pin 1234

However, when I run the command zk_pkcs11-util --show-slots I’m getting the following:

Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot ID 0x0
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:

The full output of the bootstrap-zymbit.sh script is below. I’m running this on a RPi5 under Raspbian (uname -r returns 6.6.51+rpt-rpi-2712)

Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian-security bookworm-security InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Hit:4 http://archive.raspberrypi.com/debian bookworm InRelease
Hit:5 https://zk-sw-repo.s3.amazonaws.com/apt-repo-bookworm-aarch64 bookworm InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  labwc libcamera-ipa libcamera-tools libpipewire-0.3-0 libpipewire-0.3-modules libspa-0.2-bluetooth libspa-0.2-libcamera libspa-0.2-modules
  linux-headers-rpi-2712 linux-headers-rpi-v8 linux-image-rpi-2712 linux-image-rpi-v8 pipewire pipewire-bin pipewire-pulse python3-libcamera
  raspberrypi-ui-mods rpicam-apps wf-panel-pi wfplug-connect
0 upgraded, 0 newly installed, 0 to remove and 20 not upgraded.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
jq is already the newest version (1.6-2.1).
python3-pip is already the newest version (23.0.1+dfsg-1+rpt1).
opensc is already the newest version (0.23.0-0.3+deb12u2).
0 upgraded, 0 newly installed, 0 to remove and 20 not upgraded.
CKR_SLOT_ID_INVALID: Slot 0 does not exist.
ERROR: A label for the object must be supplied. Use --label <text>
Engine "zymkey_ssl" set.
ERROR: bootstrap-common.sh was not found, you will have to manually sign the CSR, activate the certificate, and copy the certificate file back to this device.

The error on the last line is a red herring, I delibrately want to manually sign the CSR.

The output in your first display is the default before you initialize any PKCS slots. First thing you need to do is initialize a PKCS token. You should not include --use-zkslot 0 for this step.

For example:

sudo zk_pkcs11-util --init-token --slot 0 --label "iotkey" --pin 1234 --so-pin 1234

That will return you the PKCS SLOT_NUMBER you need to use. zk_pkcs11-util --show-slots will also show you the SLOT_NUMBER at this point. It is a big number, like 2042742417.

You can now feed that SLOT_NUMBER into the next command to create a new key object. Specifying --use-zkslot 0 here says use the ZYMKEY’s slot 0 private key.

The command would look like this:

sudo zk_pkcs11-util --use-zkslot 0 --slot 2042742417 --label iotkey --id 2042742417 --pin 1234

There are a couple of ways you can ID the PKCS slots (by label, id, etc.) so your syntax can vary a bit. Main thing is that you need to init the PKCS storage, then use that SLOT_NUMBER as your slot reference for PKCS activities. The use-zkslot references the ZYMKEY’s key slot.

Hope that helps you get going.