Connect to AVNET iotconnect.io with Node-RED - part 10: Trusted Platform Module (TPM) Security

22 May 2021

AVNET's iotconnect.io cloud platform is an online service that you can use to send data to, and then show it on a dashboard. In this blog series I'm learning how to talk to it with Node-RED.

In this post: authentication with a hardware support: Trusted Platform Module (TPM) sign-on.

Several of the previous posts work on generic Raspberry Pi, BB, ... . This one is different.

You need hardware that supports TPM. I'm using the Avnet SmartEdge IIOTGateWay. It has an Infineon SLB9670SLB9670 (datasheet) IC on the pcb. This TPM module has a unique ID (+Endorsement Key (EK) and EK certificate). And it's supported by Linux kernel. See here for a breakout post: Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security.

In essence, what happens in this post, for hardware and software, is identical to this post on GitHub, but on the SmartEdge, this is part of the out-of-box setup. Infineon has a module for Raspberry Pi that gives the same experience.

This is recent functionality. TPM is supported in the Python SDK since the first release of the SmartEdge.

I'm using a pre-release of the Node-RED modules here. Production release is imminent.

Scenario:

Together with part 8b and later of this series (CA signed certificates), TPM authentication is a decent choice for industrial applications.

And the scenario isn't very different. CA Signed and TPM security both rely on certificates. CA Signed via software, TPM via a hardware module.

The TPM approach uses 3 functions of the Infineon chip:

get the unique identification
retrieve an endorsement key (EK, equivalent to public key), that can be used to register the device on IoTConnect cloud.
use the on-silicon key to validate sign-on.

Why TPM?

CA Signed and TPM are both strong solutions.

An advantage of TPM is that you can't accidently share the private key because it can't be retrieved from the IC.

An advantage of CA based authentication is that it doesn't need additional components to the BOM (this may become less of an issue when microcontrollers and processors come with on-board TPM).

Provisioning can be automated for both solutions.

This is one intrusion vector less. Software attacks to retrieve the private key will not work.

Steps:

I am assuming at this point that you have a Linux box with TPM support. See the header block of this post for details.

Like the previous solution, you can script the provisioning via an REST API, but I'm doing the steps manually here.

Create a template that supports TPM authentication

I've created a number of templates in this series. Everything is the same, except that this time I select TPM as Authentication Type.

Like the other examples, I create the attribute.

I've also created a longitude and latitude attribute. That's for later, when I'm going to show the portal's capability to show a device on a map.

Provision a device

The keys to register a TPM on IoTConnect, are ihe unique ID of the hardware TPM and the Endorsement key of that module.

IoTConnect cloud runs on Azure, and the Azure utility tpm_device_provision is used to get that data.

Source code is available on GitHub. On the SmartEdge, it's installed out of box.

The utility uses the Linux TPM driver to get the info, and can be executed from the command line:

yes 2>/dev/null|/opt/avnet-iot/iotservices/tpm_device_provision

The output has all info I need. Not in a friendly way to collect from a command line, but the Avnet Python samples show how you can retrieve the relevant data.

id_ek = cmdline("yes 2>/dev/null|/opt/avnet-iot/iotservices/tpm_device_provision")
# ...
            lines = id_ek.splitlines()
            uniqueId = mystr(lines[3], 'utf-8')
            EndorsementKey = mystr(lines[6], 'utf-8')

The Avnet example then uses the REST api to provision the device. Here's the same process via the portal:

Node-RED Config and Test

On the device's Node-RED flow, you have to set the Registration Id from the previous step as unique id.

Like all previous posts, the CPID is retrieved from the IoTConnect portal.

The Scope ID is a value you also get from Avnet when registering. For trial subscriptions, you can usually find it back in the IoTConnectSDK.conf.default they provide.

That is it. The rest of the flow is exactly the same as in all previous posts.

When you enable the flow, you should see the green embelishment and Connected label under the IoTConnect node.

As usual with security, the end result doesn't look spectacular.

The real power is behind the scenes: hardware based authentication.

The Python SDK with On Semiconductor RSL10 BLE article series	Industry
part 1: overview and goal
part 2: WiFi Provisioning
part 3: Adding a Module (RSL10)
part 4: Talk BLE to the On Semi RSL10 Sensor Kit
part 5: A Cloud User Experience Example
part 6: Register as a Gateway Device
part 7: Register a Gateway and Client Devices
part 8: Get BLE Image from Camera and Send to Cloud
The NODE-Red SDK article series	Industry
part 1: overview and goal
register a Thing and connect to IoTConnect.io cloud
part 2: create an account and log on to the portal
part 3: set up the thing and its interface in the cloud
part 4: set up Node-RED and first exchange
interact with IoTConnect.io cloud
part 5: online dashboard
part 6: rules and alerts
part 7: messages and commands from the cloud
safer connections with certificates
part 8a: safer connect with Self Signed Certificates
part 8b: safer connect with CA certificates	Y
commercial and industrial scale: outsource certificate generation and programming to subcontractors and suppliers
part 9a: Outsource Certificate Signing in IIoT Supply Chain	Y
part 9b: IIoT supply chain and Certificates - Create Ca Root certificate, Load to IoTConnect Cloud and Validate	Y
part 9c: IIoT supply chain and Certificates - Create an Intermediate CA Certificate for your Subcontractor	Y
part 9d: IIoT supply chain and Certificates - Subcontractor Generates a Thing Certificate for Your Device	Y
part 9e: IIoT supply chain and Certificates - Test!	Y
commercial and industrial scale: Trusted Platform Module (TPM) Authentication
part 10: Trusted Platform Module (TPM) Security	Y
Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security	Y
Infineon Trust Platform Module + Raspberry Pi 3 B - Review
part 11: Act as Gateway with Clients
The Automate Device Provisioning and Cloud Configuration article series	Industry
Automatic Provisioning with REST API	Y

scottiebabe over 1 year ago

Nice work!
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
Jan Cumps over 3 years ago in reply to Jan Cumps

Current activity:
Use a Rasberry Pi as Gateway Device, with currently 1 Client Device (named self). With Node-RED as engine and TPM as authentication.
Node-RED is generating a random value for the Gateway firmwareversion attribute and a different number for the Client firmwareversion attribute.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel

Jan Cumps over 4 years ago

As a test, I moved my node-red design to another device that doesn't have TPM - a generic Pi 3.

This to check if the authentication is done each time, or when registering. Out of curiousity.

This test was as expected. On the device that doesn't have the trusted platform, the connection was refused.

[INFO_IN04] Thu, 27 May 2021 11:54:57 GMT [***_***] : Initializing...
27 May 13:54:57 - [info] Started flows
[INFO_IN07] Thu, 27 May 2021 11:54:58 GMT [***_***] : BaseUrl received to sync the device information
[INFO_IN01] Thu, 27 May 2021 11:54:59 GMT [***_***] : Device information received successfully
[INFO_IN05] Thu, 27 May 2021 11:54:59 GMT [***_***] : Connecting...
27 May 13:54:59 - [red] Uncaught Exception:
27 May 13:54:59 - Error: connect ECONNREFUSED 127.0.0.1:2323
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)
nodered.service: Main process exited, code=exited, status=1/FAILURE
nodered.service: Failed with result 'exit-code'.

Jan Cumps over 4 years ago in reply to Jan Cumps

a deeper dive into the TPM - hardware and Linux software.

Infineon SLx9670 Trusted Platform Module (TPM) for IoT Security

It's not an in-depth review because I'm learning, I don't understand half of it yet. Scratching the surface ...
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel
shs5789 over 4 years ago

Nice Documentation.
- Cancel
- Vote Up 0 Vote Down
- Sign in to reply
- More
- Cancel