IoT Edge with TPM and Azure Security Center for IoT

Recently I have spent quite a bit of time testing a Linux VM on which I wanted to configure a Trusted Platform Module (TPM) and then install the Azure Security Center (ASC) for IoT agent. To test the scenario I needed an IoT Hub and an IoT Hub Device Provisioning Service (DPS). Following different articles in the documentation I ran into some difficulties, so I wrote my own guide, hoping it will be useful for someone else.

In a nutshell, what you will do:

  1. Install Hyper-V on Windows 10 and create a Linux image.
  2. Install and compile Azure IoT SDK.
  3. Create and configure IoT Hub and the DPS.
  4. Install IoT Edge runtime.
  5. Give permission to the IoT Edge to access the hardware TPM module.
  6. Install ASC for IoT.
  7. Testing the scenario

Install Hyper-V on Windows 10 and create a Linux image

If you don't have Hyper-V enabled on your Windows 10 machine, you have to enable it. All the details and requirements can be found here, but to put it simply, run this from a PowerShell console as Administrator:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

Now open Hyper-V Manager and create an External Virtual Switch: Action, Virtual Switch Manager, External, Create Virtual Switch; make sure the connection type is set to External network, then press OK.

To create the virtual machine, download an ISO image of Ubuntu Server (I used 18.04). Then, from the Action menu of Hyper-V Manager, select New, Virtual Machine and specify Generation 2; under Configure Networking set Connection to the virtual switch created previously; under Installation Options select Install an operating system from a bootable image file and point it at the ISO you downloaded.

Important: in the Security settings of the VM, check Enable TPM and uncheck Enable Secure Boot.

Well done. If you start your Linux VM you can now complete the installation, choosing language and so on. I installed the SSH server because I prefer to connect from a different terminal, which makes copying and pasting code simpler.

Install and compile Azure IoT SDK

In this section we install the Azure IoT SDK and compile it for use with a hardware TPM.

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install -y git cmake build-essential curl libcurl4-openssl-dev libssl-dev uuid-dev

sudo apt-get install libcurl3 libcurl-openssl1.0-dev
sudo apt-get install auditd audispd-plugins

sudo reboot
git clone https://github.com/Azure/iotedge --recursive
git clone -b 2020-01-22 https://github.com/Azure/azure-iot-sdk-c.git --recursive
cd azure-iot-sdk-c
git submodule update --init

cmake -Duse_prov_client:BOOL=ON .
cd provisioning_client/tools/tpm_device_provision
make
sudo ./tpm_device_provision

The last command gives you the Registration Id and Endorsement Key of the TPM, which we will use later; you should see something similar to the following image.

Create and configure IoT Hub and the DPS

There are a lot of posts on how to create an Azure IoT Hub and a DPS and how to link the IoT Hub to the DPS, so I won't repeat that here.

You also have to enable Azure Security Center for IoT in the IoT Hub.


What you have to do now is register a new device in the DPS: under Manage Enrollments create a new individual enrollment, select TPM as the attestation mechanism, enter the Registration Id and Endorsement Key obtained from tpm_device_provision, give the device a name, select IoT Edge device and finally save the enrollment.

At this point you are ready to install the IoT Edge runtime and configure it to use the new device under the DPS.

Install IoT Edge runtime

Start installing the IoT Edge runtime.

curl https://packages.microsoft.com/config/ubuntu/18.04/multiarch/prod.list > ./microsoft-prod.list
sudo cp ./microsoft-prod.list /etc/apt/sources.list.d/
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo cp ./microsoft.gpg /etc/apt/trusted.gpg.d/

sudo apt-get update
sudo apt-get install moby-engine
sudo apt-get install moby-cli
sudo apt-get update
sudo apt-get install iotedge

Now you have to configure the security daemon to work with the TPM and your device. For that you need the ID Scope of your DPS, which you can grab from its Overview page, and the Registration Id of the device you enrolled before.

Don't forget to comment out the manual provisioning section, which is uncommented by default, and use the DPS TPM provisioning section of the config.yaml file instead. The indentation of the file also matters: note the 2 spaces in the image below.
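As an added example (not from the original post), here is a small POSIX shell script that writes a reference copy of the DPS TPM provisioning section and checks a config.yaml for the mistakes just described: manual block still active, wrong indentation, or stock placeholders not replaced. Key names follow the iotedge 1.0 config.yaml layout; the scope_id and registration_id values in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an IoT Edge 1.0
# config.yaml before restarting the daemon. Key names follow the iotedge 1.0
# config.yaml layout; the scope_id/registration_id values are constructed.

# Writes a reference copy of the provisioning section to the file given in $1:
# manual block commented out, DPS TPM block active, 2-space indentation.
write_dps_tpm_section() {
    cat > "$1" <<'EOF'
# Manual provisioning configuration (leave commented out)
# provisioning:
#   source: "manual"
#   device_connection_string: "<ADD DEVICE CONNECTION STRING HERE>"

# DPS TPM provisioning configuration
provisioning:
  source: "dps"
  global_endpoint: "https://global.azure-devices-provisioning.net"
  scope_id: "0ne0000AAAA"
  attestation:
    method: "tpm"
    registration_id: "constructed-registration-id"
EOF
}

# Returns 0 if the file in $1 has exactly one active provisioning block that
# selects DPS with TPM attestation and has no stock placeholders left.
check_edge_config() {
    f="$1"
    # Commented lines start with '#', so only real top-level keys match here.
    active=$(grep -c '^provisioning:' "$f")
    [ "$active" -eq 1 ] || { echo "expected 1 active provisioning block, found $active"; return 1; }
    # The anchored 2-space/4-space prefixes also catch wrong indentation.
    grep -q '^  source: "dps"' "$f" || { echo "provisioning source is not dps"; return 1; }
    grep -q '^    method: "tpm"' "$f" || { echo "attestation method is not tpm"; return 1; }
    # The stock file ships "{scope_id}" and "{registration_id}" placeholders.
    grep -Eq '^  scope_id: "[^{}"]+"' "$f" || { echo "scope_id not set"; return 1; }
    grep -Eq '^    registration_id: "[^{}"]+"' "$f" || { echo "registration_id not set"; return 1; }
    return 0
}

# Usage on a real device: check_edge_config /etc/iotedge/config.yaml
```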

sudo nano /etc/iotedge/config.yaml

Then configure the DNS server for the container engine:

sudo nano /etc/docker/daemon.json

and put this JSON in it:

{
    "dns": ["1.1.1.1"]
}

Now it's better to reboot the VM. At this link you can find details on the DNS server setting in the container engine configuration.

Next step is to give IoT Edge access to the TPM.

Give permission to the IoT Edge to access the hardware TPM module

For a hardware TPM you need to perform the following steps.

tpm=$(sudo find /sys -name dev -print | fgrep tpm | sed 's/.\{4\}$//')
sudo touch /etc/udev/rules.d/tpmaccess.rules
sudo nano /etc/udev/rules.d/tpmaccess.rules

Now copy the following rule into the file you just created.

# allow iotedge access to tpm0
KERNEL=="tpm0", SUBSYSTEM=="tpm", GROUP="iotedge", MODE="0660"

Now save the file and, in the same shell session where $tpm was set, run:

sudo /bin/udevadm trigger $tpm

sudo systemctl restart iotedge
sudo systemctl status iotedge

Now you should see the runtime in an active (running) state. You can also confirm that the udev rule took effect with ls -l /dev/tpm0: the device node should now belong to group iotedge with mode crw-rw----.

Install ASC for IoT

Now it's time to install the ASC for IoT module in the IoT Edge runtime. Open the IoT Hub, in the left panel search for IoT Edge, and select the device you created before.

Select Set Modules, then Add, Marketplace Module, and search for Azure Security Center for IoT.

On the module settings tab, add the following container create options. Note what they grant: the module runs privileged, shares the host's network and PID namespaces, and mounts the host root filesystem at /host, which is what the agent needs to observe processes and network connections on the device.

{
    "NetworkingConfig": {
        "EndpointsConfig": {
            "host": {}
        }
    },
    "HostConfig": {
        "Privileged": true,
        "NetworkMode": "host",
        "PidMode": "host",
        "Binds": [
            "/:/host"
        ]
    }
}

Under Runtime Settings, set the Edge Hub image to mcr.microsoft.com/azureiotedge-hub:1.0.9.2 or a newer one. The last step is to create a new route:

FROM /messages/modules/AzureSecurityCenterforIoT/* INTO $upstream

Now you can check if all the modules are running:

sudo systemctl restart iotedge
sudo systemctl status iotedge
sudo docker ps

You should see 3 modules running (azureiotsecurity, azureiotedge-hub, azureiotedge-agent) after a few seconds.

Testing the scenario

We will now try to simulate an attack and look at the resulting alerts in Azure Security Center.

cd
git clone https://github.com/Azure/Azure-IoT-Security --recursive
cd Azure-IoT-Security/trigger_events

sudo chmod +x trigger_events.sh
sudo ./trigger_events.sh --exploit

sudo ./trigger_events.sh --malicious

Happy coding!

Published by Pietro

Passionate Developer, family man, working at Microsoft, the creator of a beautiful Kids' app and a community contributor.
