sztp: how to get access to TPM vendor-specific-agnostic #2

glimchb · 2022-10-05T18:24:57Z

we need IDEVID access, public/private keys, certificate, serial number to start SZTP process ...

let's start the discussion here, on slack and on our next meeting

alknopfler · 2022-10-10T08:43:56Z

Doubt I'm having on my table:

If the agent information should be pre-loaded into the bootstrap server using the API sbd, the certificates should be generated with the serial number information to get:
serial number :

sztp/config/sztpd.running.json.template

Line 102 in 0439da4

"serial-number-extraction": "wn-x509-c2n:serial-number"
certificates:

sztp/config/sztpd.running.json.template

Line 95 in 0439da4

"identity-certificates": {
artifacts:

sztp/config/sztpd.running.json.template

Line 130 in 0439da4

"wn-sztpd-1:boot-images": {

So, how could get this information to request to bootstrap first time ??? How could the agent get all this information?

glimchb · 2022-10-10T12:34:41Z

Customer places an order to DPU vendor to buy DPUs
without Security (classic ZTP) - Vendor will send only Serial Numbers of the devices back to the Customer
with sZTP - Vendor creates certificates with serial numbers and sends them back to the Customer
Vendor places iDEVID (priv key, pub key, certif,..) to the Device's TPM-like storage
Customer loads this information to the Bootstrap server using NB APIs or configuration file
Devices arrive to the site and powered up
Device get URL of the Bootstrap server (via mDNS or SLAAC or DHCP)
Device offers iDEVID to the Bootstrap server
Bootstrap server verifies iDEVID of the device
Bootstrap server optionally sends ownership voucher to the device
Bootstrap server sends signed artifacts (OS image, config) to the device
Device verifies signed artifacts and starts installation

glimchb · 2022-10-11T17:50:22Z

glimchb added the help wanted Extra attention is needed label Oct 5, 2022

glimchb transferred this issue from opiproject/opi-prov-life Oct 6, 2022

Provide feedback