Device Provisioning with TPM

Artur Laksberg edited this page Jul 12, 2016 · 7 revisions

Why TPM?

Windows 10 IoT Core devices connected to Azure can be secured with the Trusted Platform Module (TPM), which makes them impervious to cloning and impersonation. This is essential for devices that need to be secure and trusted.

Unlike the traditional approach, in which device credentials are stored directly on the device (in the application code or a configuration file), devices equipped with a TPM store the credentials inside the TPM hardware itself. Once stored, the credentials cannot be read out or duplicated.

How To Provision Your Device

A device that is "provisioned" to use the TPM gets a built-in identity with which it can connect to Azure IoT Core.

At this moment, only devices running the latest version of Windows 10 IoT Core Insider Preview can be provisioned to use TPM.

To provision your IoT device, first connect to it using the Windows Device Portal.

In the vertical navigation bar, click the "TPM configuration" link:

Navigation Bar

If this is the first time the device is being provisioned, you will be prompted to install TPM on the device:

Select TPM

If you have a hardware TPM, plug it into your device and select the appropriate configuration from the list. If you don't have a physical TPM, you can use a Software TPM Emulator that provides no security but allows you to use the same programming model as you would use to target a "real" TPM. You can develop your app using the Software TPM Emulator knowing that when you deploy it on a production machine with a hardware TPM, the security will "light up".

Now select your desired TPM configuration and click "Install":

Select TPM

You will be prompted to reboot your device:

Reboot Prompt

After your device reboots, reload the page and fill out the TPM configuration tab for logical device ID 0 (the TPM supports storing multiple independent Azure identities, and you can always add additional identities later).

You can get the device properties from the Azure Portal.

Navigate to the IoT Hub properties and click "Devices":

Note the name of your IoT Hub -- this is the string that will go to the "Azure IoT Hub Hostname" field.

Now select the desired device from the list and collect its Id and Primary Key -- paste this information in the other two fields in the form:

The filled out tab will look like this:

Reboot Prompt

(Again, remember to use the data specific to your IoT Hub and your desired instance).

Click Save -- your device is now provisioned to securely connect to Azure IoT Hub!

Show Me The Code!

The raison d'être of secure device provisioning is being able to write secure code that has no security-sensitive information in it.

The code generated by the Connected Services for Azure IoT Hub will look like this:

TpmDevice myDevice = new TpmDevice(0); // Use logical device 0 on the TPM
string hubUri = myDevice.GetHostName();   // IoT Hub hostname stored in the TPM slot
string deviceId = myDevice.GetDeviceId(); // Device ID stored in the TPM slot
string sasToken = myDevice.GetSASToken(); // Short-lived token signed inside the TPM; the key never leaves it

var deviceClient = DeviceClient.Create(
    hubUri,
    AuthenticationMethodFactory.CreateAuthenticationWithToken(deviceId, sasToken),
    TransportType.Amqp);

As can be seen, the device primary key is not present in the code. Instead, it is stored in the TPM in logical device slot 0. The TPM generates a short-lived SAS token, and that token (not the key) is what the application uses to connect to the IoT Hub.

To compile this code, add the Microsoft.Azure.Devices.Client and Microsoft.Devices.Tpm packages to your project and add the following using directives to your source file:

using Microsoft.Devices.Tpm;
using Microsoft.Azure.Devices.Client;
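The snippet above covers the happy path. In practice an application also has to deal with a TPM slot that was never provisioned (the portal form was not filled out) and with the fact that the SAS token is short-lived and must be renewed. The following is an added example, not code from the original page or from the Microsoft.Devices.Tpm project. It assumes only the two packages and the three `TpmDevice` methods shown above (`GetHostName`, `GetDeviceId`, `GetSASToken`); the helper names `CreateFromTpm`, `ParseSasExpiry` and `RunTelemetryLoopAsync` are invented here, and the parsing of the `se=` expiry field relies on the standard IoT Hub SAS token layout (`SharedAccessSignature sr=...&sig=...&se=<unix seconds>`).

```csharp
// Added example; not part of the page or the Microsoft.Devices.Tpm project.
// Assumes TpmDevice exposes GetHostName(), GetDeviceId() and GetSASToken() as the page shows.
using System;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Client;
using Microsoft.Devices.Tpm;

public static class TpmConnection
{
    // Builds a DeviceClient from the identity stored in the given TPM logical device slot.
    // Returns null when the slot has not been provisioned (empty hostname or device ID),
    // so the caller fails closed instead of trying to connect with a meaningless identity.
    public static DeviceClient CreateFromTpm(uint logicalDeviceId, out DateTimeOffset tokenExpiry)
    {
        var tpm = new TpmDevice(logicalDeviceId);
        string hubUri = tpm.GetHostName();
        string deviceId = tpm.GetDeviceId();
        tokenExpiry = DateTimeOffset.MinValue;

        if (string.IsNullOrWhiteSpace(hubUri) || string.IsNullOrWhiteSpace(deviceId))
        {
            // Slot was never filled out on the Device Portal "TPM configuration" tab.
            return null;
        }

        // The TPM signs the token with the primary key it holds; the key itself is never returned.
        string sasToken = tpm.GetSASToken();
        tokenExpiry = ParseSasExpiry(sasToken);

        return DeviceClient.Create(
            hubUri,
            AuthenticationMethodFactory.CreateAuthenticationWithToken(deviceId, sasToken),
            TransportType.Amqp);
    }

    // IoT Hub SAS tokens carry their expiry as "se=<unix seconds>"; reading it tells the
    // application when the TPM must be asked for a fresh token.
    public static DateTimeOffset ParseSasExpiry(string sasToken)
    {
        const string prefix = "SharedAccessSignature ";
        string query = sasToken.StartsWith(prefix, StringComparison.Ordinal)
            ? sasToken.Substring(prefix.Length)
            : sasToken;

        foreach (string part in query.Split('&'))
        {
            if (part.StartsWith("se=", StringComparison.Ordinal) &&
                long.TryParse(part.Substring(3), out long seconds))
            {
                return DateTimeOffset.FromUnixTimeSeconds(seconds);
            }
        }
        throw new FormatException("SAS token has no 'se=' expiry field");
    }

    // Sends one telemetry message per interval and re-creates the client from the TPM
    // whenever the current token is within 'renewBefore' of expiring.
    public static async Task RunTelemetryLoopAsync(
        uint logicalDeviceId, TimeSpan interval, TimeSpan renewBefore, CancellationToken ct)
    {
        DeviceClient client = CreateFromTpm(logicalDeviceId, out DateTimeOffset expiry);
        if (client == null)
        {
            throw new InvalidOperationException(
                $"TPM logical device {logicalDeviceId} is not provisioned; provision it in the Device Portal first.");
        }

        while (!ct.IsCancellationRequested)
        {
            if (DateTimeOffset.UtcNow + renewBefore >= expiry)
            {
                // Token about to expire: drop the old client and get a newly signed token from the TPM.
                await client.CloseAsync();
                client = CreateFromTpm(logicalDeviceId, out expiry);
            }

            // Constructed sample payload; a real device would report sensor data here.
            string payload = "{\"ts\":\"" + DateTimeOffset.UtcNow.ToString("o") + "\",\"status\":\"ok\"}";
            await client.SendEventAsync(new Message(Encoding.UTF8.GetBytes(payload)));

            await Task.Delay(interval, ct);
        }

        await client.CloseAsync();
    }
}
```

Call it as `await TpmConnection.RunTelemetryLoopAsync(0, TimeSpan.FromSeconds(30), TimeSpan.FromMinutes(1), cancellationToken);` from your app's startup code. The null return from `CreateFromTpm` is deliberate: an unprovisioned slot returns empty strings rather than throwing, and treating those as a valid identity would produce confusing connection errors far from the real cause.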