Connect to AVNET iotconnect.io with Node-RED - part 10: Trusted Platform Module (TPM) Security

Jan Cumps, 22 May 2021

AVNET's iotconnect.io cloud platform is an online service that you can send data to and then show it on a dashboard. In this blog series I'm learning how to talk to it with Node-RED.

In this post: authentication backed by hardware, with a Trusted Platform Module (TPM) handling the sign-on.

Several of the previous posts work on a generic Raspberry Pi, BeagleBone, etc. This one is different.

You need hardware that supports a TPM. I'm using the Avnet SmartEdge IIoT Gateway. It has an Infineon SLB9670 (datasheet) IC on the PCB. This TPM has a unique ID, plus an Endorsement Key (EK) and an EK certificate, and it is supported by the Linux kernel. See here for a breakout post: Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security.

In essence, what happens in this post, for hardware and software, is identical to this post on GitHub, but on the SmartEdge, this is part of the out-of-box setup. Infineon has a module for Raspberry Pi that gives the same experience.


This is recent functionality. TPM is supported in the Python SDK since the first release of the SmartEdge.

I'm using a pre-release of the Node-RED modules here. Production release is imminent.


Scenario: register a TPM-enabled device on the IoTConnect portal, and let it connect and share sensor data.


Together with the CA signed certificates of part 8b and later of this series, TPM authentication is a decent choice for industrial applications.

The scenario isn't very different either. CA signed and TPM security both rely on certificates: CA signed via software, TPM via a hardware module.


The TPM approach uses three functions of the Infineon chip:

  • get the unique identification
  • retrieve the endorsement key (EK, the equivalent of a public key), which is used to register the device on the IoTConnect cloud
  • use the on-silicon private key to validate the sign-on


Why TPM?

CA signed and TPM are both strong solutions.

An advantage of TPM is that you can't accidentally share the private key, because it can't be retrieved from the IC.

An advantage of CA based authentication is that it doesn't add components to the BOM (this may become less of an issue as microcontrollers and processors come with an on-board TPM).

Provisioning can be automated for both solutions.

With TPM there is one intrusion vector less: software attacks that try to read the private key out of the device will not work, because the key never leaves the chip.


Steps:

I am assuming at this point that you have a Linux box with TPM support. See the header block of this post for details.

Like the previous solution, you can script the provisioning via a REST API, but I'm doing the steps manually here.


Create a template that supports TPM authentication


I've created a number of templates in this series. Everything is the same, except that this time I select TPM as the Authentication Type.

Like in the other examples, I create the attribute.

I've also created a longitude and latitude attribute. That's for later, when I'm going to show the portal's capability to show a device on a map.


Provision a device


The keys to register a TPM on IoTConnect are the unique ID of the hardware TPM and the Endorsement Key of that module.

IoTConnect cloud runs on Azure, and the Azure utility tpm_device_provision is used to get that data.

Its source code is available on GitHub. On the SmartEdge, it's installed out of the box.


The utility uses the Linux TPM driver to get the info, and can be executed from the command line:


yes 2>/dev/null|/opt/avnet-iot/iotservices/tpm_device_provision


The output has all the info I need. It is not in a friendly form to collect from the command line, but the Avnet Python samples show how to retrieve the relevant data:

# From the Avnet Python sample: run the utility and pick the values out of its output.
# cmdline() runs a shell command and returns its output, mystr() decodes bytes to str;
# both are helpers defined elsewhere in the Avnet sample.
id_ek = cmdline("yes 2>/dev/null|/opt/avnet-iot/iotservices/tpm_device_provision")
# ...
lines = id_ek.splitlines()
uniqueId = mystr(lines[3], 'utf-8')        # 4th line of the output: the Registration Id
EndorsementKey = mystr(lines[6], 'utf-8')  # 7th line of the output: the Endorsement Key
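The sample above depends on the values sitting on exactly the 4th and 7th line of the tool's output. As an added example (my own code, not from the post or from the Avnet samples), here is a parser for the same output that finds the two values by their labels and sanity-checks them before they are used to register the device. The exact layout printed by tpm_device_provision is an assumption here: the constructed sample below follows the shape the Avnet sample implies (Registration Id on line 4, Endorsement Key on line 7), but an extra banner line no longer breaks the parse, and a missing or malformed value fails loudly instead of provisioning the device with the wrong data.

```python
"""Label-based parser for the output of the Azure tpm_device_provision utility.

Added example; the output layout below is an assumption modelled on the line
numbers the Avnet sample reads (Registration Id on line 4, EK on line 7).
"""
import base64
import re
import subprocess

# Constructed sample output. A real Endorsement Key is a long base64 blob
# (the TPM's public key structure); this short value only exercises the parser.
SAMPLE_OUTPUT = """Gathering the registration information...

Registration Id:
tpm-reg-id-constructed-0123456789abcdef

Endorsement Key:
Y29uc3RydWN0ZWQtRUs=
"""

REG_ID_LABEL = "Registration Id:"
EK_LABEL = "Endorsement Key:"

# Character set accepted for a DPS registration id: alphanumerics, '-', '.', '_', ':'.
_REG_ID_RE = re.compile(r"[A-Za-z0-9._:-]+")


def _value_after(lines, label):
    """Return the first non-empty line that follows the line equal to ``label``."""
    for i, line in enumerate(lines):
        if line.strip().lower() == label.lower():
            for candidate in lines[i + 1:]:
                if candidate.strip():
                    return candidate.strip()
            break
    raise ValueError(f"label {label!r} not found or has no value")


def parse_tpm_provision_output(text):
    """Extract (registration_id, endorsement_key) from the tool's output.

    The Registration Id must use the DPS character set and the EK must be
    valid base64; anything else raises ValueError rather than returning garbage.
    """
    lines = text.splitlines()
    reg_id = _value_after(lines, REG_ID_LABEL)
    ek = _value_after(lines, EK_LABEL)
    if not _REG_ID_RE.fullmatch(reg_id):
        raise ValueError(f"unexpected Registration Id format: {reg_id!r}")
    # validate=True rejects any non-alphabet character instead of silently skipping it
    base64.b64decode(ek, validate=True)  # raises binascii.Error (a ValueError) if malformed
    return reg_id, ek


def read_from_device(tool="/opt/avnet-iot/iotservices/tpm_device_provision"):
    """Run the utility exactly as the post does ('yes |' answers its key prompt)."""
    completed = subprocess.run(
        f"yes 2>/dev/null | {tool}", shell=True, capture_output=True, check=True
    )
    return parse_tpm_provision_output(completed.stdout.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use read_from_device() on the gateway.
    registration_id, endorsement_key = parse_tpm_provision_output(SAMPLE_OUTPUT)
    print("Registration Id:", registration_id)
    print("Endorsement Key:", endorsement_key)
```

On the gateway, read_from_device() replaces the cmdline() call of the Avnet sample; everything after it is unchanged. The base64 check is cheap insurance: the EK is what the portal will later use to verify the device's sign-on, so a truncated or mis-parsed value is better caught here than as a refused connection in Node-RED.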


The Avnet example then uses the REST API to provision the device. Here's the same process via the portal: you create a device in the template from the previous step and paste the Registration Id and Endorsement Key from the tool's output into the device's TPM fields.


Node-RED Config and Test


On the device's Node-RED flow, you have to set the Registration Id from the previous step as the unique id.

Like in all previous posts, the CPID is retrieved from the IoTConnect portal.

The Scope ID is a value you also get from Avnet when registering. For trial subscriptions, you can usually find it in the IoTConnectSDK.conf.default they provide.

That is it. The rest of the flow is exactly the same as in all previous posts.


When you enable the flow, you should see the green embellishment and the Connected label under the IoTConnect node.

As usual with security, the end result doesn't look spectacular.

The real power is behind the scenes: hardware based authentication.


The Python SDK with On Semiconductor RSL10 BLE article series
part 1: overview and goal
part 2: WiFi Provisioning
part 3: Adding a Module (RSL10)
part 4: Talk BLE to the On Semi RSL10 Sensor Kit
part 5: A Cloud User Experience Example
part 6: Register as a Gateway Device
part 7: Register a Gateway and Client Devices
part 8: Get BLE Image from Camera and Send to Cloud

The Node-RED SDK article series
part 1: overview and goal
register a Thing and connect to IoTConnect.io cloud
part 2: create an account and log on to the portal
part 3: set up the thing and its interface in the cloud
part 4: set up Node-RED and first exchange
interact with IoTConnect.io cloud
part 5: online dashboard
part 6: rules and alerts
part 7: messages and commands from the cloud
safer connections with certificates
part 8a: safer connect with Self Signed Certificates
part 8b: safer connect with CA certificates
commercial and industrial scale: outsource certificate generation and programming to subcontractors and suppliers
part 9a: Outsource Certificate Signing in IIoT Supply Chain
part 9b: IIoT supply chain and Certificates - Create CA Root certificate, Load to IoTConnect Cloud and Validate
part 9c: IIoT supply chain and Certificates - Create an Intermediate CA Certificate for your Subcontractor
part 9d: IIoT supply chain and Certificates - Subcontractor Generates a Thing Certificate for Your Device
part 9e: IIoT supply chain and Certificates - Test!
commercial and industrial scale: Trusted Platform Module (TPM) Authentication
part 10: Trusted Platform Module (TPM) Security
Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security
Infineon Trust Platform Module + Raspberry Pi 3 B - Review
part 11: Act as Gateway with Clients

The Automate Device Provisioning and Cloud Configuration article series
Automatic Provisioning with REST API
Comments

scottiebabe, over 1 year ago:

Nice work!
Jan Cumps, over 3 years ago, in reply to Jan Cumps:

Current activity:

Use a Raspberry Pi as Gateway Device, with currently 1 Client Device (named self). With Node-RED as engine and TPM as authentication.

Node-RED is generating a random value for the Gateway firmwareversion attribute and a different number for the Client firmwareversion attribute.
Jan Cumps, over 4 years ago:

As a test, I moved my node-red design to another device that doesn't have TPM - a generic Pi 3.

This was to check if the authentication is done each time, or only when registering. Out of curiosity.

This test was as expected. On the device that doesn't have the trusted platform, the connection was refused.

    [INFO_IN04] Thu, 27 May 2021 11:54:57 GMT [***_***] : Initializing...
    27 May 13:54:57 - [info] Started flows
    [INFO_IN07] Thu, 27 May 2021 11:54:58 GMT [***_***] : BaseUrl received to sync the device information
    [INFO_IN01] Thu, 27 May 2021 11:54:59 GMT [***_***] : Device information received successfully
    [INFO_IN05] Thu, 27 May 2021 11:54:59 GMT [***_***] : Connecting...
    27 May 13:54:59 - [red] Uncaught Exception:
    27 May 13:54:59 - Error: connect ECONNREFUSED 127.0.0.1:2323
        at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)
    nodered.service: Main process exited, code=exited, status=1/FAILURE
    nodered.service: Failed with result 'exit-code'.
Jan Cumps, over 4 years ago, in reply to Jan Cumps:

A deeper dive into the TPM - hardware and Linux software:

Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security

It's not an in-depth review because I'm learning, I don't understand half of it yet. Scratching the surface ...
shs5789, over 4 years ago:

Nice documentation.