Recently I’ve spent quite a bit of time testing a Linux VM where I wanted to configure a Trusted Platform Module (TPM) and then install the Azure Security Center (ASC) for IoT agent. To test the scenario I needed an IoT Hub and an IoT Hub Device Provisioning Service (DPS). Looking at the different articles in the documentation I ran into some difficulties, so I wrote my own walkthrough, hoping it could be useful for someone else.
In a nutshell, what you will do:
- Install Hyper-V on Windows 10 and create a Linux image.
- Install and compile Azure IoT SDK.
- Create and configure IoT Hub and the DPS.
- Install IoT Edge runtime.
- Give permission to the IoT Edge to access the hardware TPM module.
- Install ASC for IoT.
- Testing the scenario
Install Hyper-V on Windows 10 and create a Linux image
If you don’t have Hyper-V enabled on your Windows 10 machine you have to enable it. All the details and requirements can be found here, but to put it simply, from a PowerShell console run as Administrator:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
Now open Hyper-V Manager and create an External Virtual Switch: Action, Virtual Switch Manager, External, Create Virtual Switch; make sure the connection type is set to External network, then press OK.
To create the Virtual Machine, download an ISO image of Ubuntu Server (I used 18.04). Then, from the Hyper-V Manager Action menu, select New Virtual Machine, specify Generation 2, in Configure Networking set Connection to the Virtual Switch you created previously, and in Installation Options select Install an operating system from a bootable image file and use the ISO you downloaded.
Important: in the Security settings of the VM, check Enable TPM and uncheck Enable Secure Boot.

Well done. If you start your Linux VM you can complete the installation, choosing language and so on. I installed SSH because I prefer to connect to the VM from a separate terminal, which makes copying and pasting commands much simpler.
Install and compile Azure IoT SDK
In this section we will install the Azure IoT SDK and compile it for use with a hardware TPM.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -y git cmake build-essential curl libcurl4-openssl-dev libssl-dev uuid-dev
sudo apt-get install libcurl3 libcurl-openssl1.0-dev
sudo apt-get install auditd audispd-plugins
sudo reboot
git clone https://github.com/Azure/iotedge --recursive
git clone -b 2020-01-22 https://github.com/Azure/azure-iot-sdk-c.git --recursive
cd azure-iot-sdk-c
git submodule update --init
cmake -Duse_prov_client:BOOL=ON .
cd provisioning_client/tools/tpm_device_provision
make
sudo ./tpm_device_provision
The last command gives you the Registration Id and the Endorsement Key of the TPM, which we will use later; you should see something similar to the following image.

Create and configure the IoT Hub and the DPS
There are a lot of posts on how to create an Azure IoT Hub and a DPS and how to link the IoT Hub to the DPS, so I won’t repeat that here.
You also have to enable Azure Security Center for IoT in the IoT Hub.
What you have to do now is register a new device in the DPS: under Manage Enrollments, create a new individual enrollment, select TPM as the mechanism, enter the Registration Id and Endorsement Key from the previous step, give the device a name, select IoT Edge device, and finally save the enrollment.

At this point you are ready to install the IoT Edge runtime and configure it to use the new device under the DPS.
Install IoT Edge runtime
Start by installing the IoT Edge runtime.
curl https://packages.microsoft.com/config/ubuntu/18.04/multiarch/prod.list > ./microsoft-prod.list
sudo cp ./microsoft-prod.list /etc/apt/sources.list.d/
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo cp ./microsoft.gpg /etc/apt/trusted.gpg.d/
sudo apt-get update
sudo apt-get install moby-engine
sudo apt-get install moby-cli
sudo apt-get update
sudo apt-get install iotedge
Now you have to configure the security daemon to work with the TPM and your device. For that you need the ID Scope of your DPS, which you can grab from its Overview page, and the Registration Id of the device you enrolled before.
Don’t forget to comment out the manual provisioning section, which is uncommented by default, and use the DPS TPM provisioning configuration section of the config.yaml file instead. Indentation matters in this file: note the 2 spaces in the image below.
sudo nano /etc/iotedge/config.yaml
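Because a wrong indentation or a second active provisioning block silently breaks the daemon, here is a small check you can run on the edited file before restarting iotedge. This is an added example, not part of the original post or the IoT Edge tooling; it understands only the simple key/value subset that config.yaml uses, the sample below is a constructed excerpt, and the scope_id and registration_id values are placeholders.

```python
# Constructed /etc/iotedge/config.yaml excerpt: manual block commented out, DPS TPM block active.
SAMPLE_GOOD = """\
# provisioning:
#   source: "manual"
provisioning:
  source: "dps"
  global_endpoint: "https://global.azure-devices-provisioning.net"
  scope_id: "0ne00000000"
  attestation:
    method: "tpm"
    registration_id: "my-edge-device"
"""

def parse_config(text):
    """Parse the nested 'key: value' subset config.yaml uses; reject tabs, odd indents, duplicate keys."""
    stack = [(-1, {})]                        # (indent, mapping) nesting stack
    for n, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        if not body or body.startswith("#"):  # skip blank and commented-out lines
            continue
        indent = len(line) - len(line.lstrip(" \t"))
        if "\t" in line[:indent] or indent % 2:
            raise ValueError(f"line {n}: indent with spaces, 2 per level")
        while indent <= stack[-1][0]:         # close mappings we have left
            stack.pop()
        parent = stack[-1][1]
        key, _, value = body.partition(":")
        if key in parent:                     # e.g. manual AND dps blocks both active
            raise ValueError(f"line {n}: duplicate key {key!r}")
        value = value.strip().strip('"')
        parent[key] = value or {}
        if not value:                         # bare 'key:' opens a nested mapping
            stack.append((indent, parent[key]))
    return stack[0][1]

def check_provisioning(text):
    """Return a list of problems; [] means the DPS/TPM block is usable. Raises ValueError on malformed files."""
    prov = parse_config(text).get("provisioning")
    if not isinstance(prov, dict):
        return ["no active provisioning block (DPS section still commented out?)"]
    att = prov.get("attestation") if isinstance(prov.get("attestation"), dict) else {}
    problems = []
    for name, val, want in (("source", prov.get("source"), "dps"),
                            ("attestation.method", att.get("method"), "tpm")):
        if val != want:
            problems.append(f"{name} is {val!r}, expected {want!r}")
    for name, val in (("scope_id", prov.get("scope_id")),
                      ("attestation.registration_id", att.get("registration_id"))):
        if not isinstance(val, str) or not val or any(c in val for c in "<>{}"):
            problems.append(f"{name} is missing or still a placeholder: {val!r}")
    return problems
```

To check the real file, run check_provisioning(open("/etc/iotedge/config.yaml").read()) with sudo and fix anything it reports before restarting the daemon.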

sudo nano /etc/docker/daemon.json
and put the following content in it:
{
"dns": ["1.1.1.1"]
}
Now it’s better to reboot the VM. This link has the details on the DNS server setting of the container engine.
Next step is to give IoT Edge access to the TPM.
Give permission to the IoT Edge to access the hardware TPM module
For a hardware TPM you need to perform the following steps.
tpm=$(sudo find /sys -name dev -print | fgrep tpm | sed 's/.\{4\}$//')
sudo touch /etc/udev/rules.d/tpmaccess.rules
sudo nano /etc/udev/rules.d/tpmaccess.rules
Now copy the following rule into the file you just created.
# allow iotedge access to tpm0
KERNEL=="tpm0", SUBSYSTEM=="tpm", GROUP="iotedge", MODE="0660"
Now save the file and run the following commands (udevadm trigger writes to sysfs, so it needs root).
sudo /bin/udevadm trigger $tpm
sudo systemctl restart iotedge
sudo systemctl status iotedge
Now you should see the runtime running in an active state.
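If the daemon still cannot open the TPM, it is usually because the udev rule has not been applied yet or the node has the wrong group. The following added check (not part of the original post) parses the rule above, refuses a MODE that would open the device to everyone, and compares it with what is actually on /dev/tpm0; TPM_RULE is a constructed copy of the rule and the device, user and rule arguments of check_tpm are assumptions you can override.

```python
import grp, os, pwd, re, stat

# Constructed copy of the rule this post writes to /etc/udev/rules.d/tpmaccess.rules.
TPM_RULE = 'KERNEL=="tpm0", SUBSYSTEM=="tpm", GROUP="iotedge", MODE="0660"'

def parse_rule(rule):
    """Return {key: (op, value)} for one udev rule line ('==' is a match, '=' an assignment)."""
    pairs = re.findall(r'([A-Z]+)\s*(==|!=|\+=|=)\s*"([^"]*)"', rule)
    if not pairs:
        raise ValueError("no key/value pairs found in rule")
    return {k: (op, v) for k, op, v in pairs}

def expected_access(rule):
    """Group name and numeric mode the rule assigns; refuse any mode that grants world access."""
    r = parse_rule(rule)
    group, mode = r["GROUP"][1], int(r["MODE"][1], 8)
    if mode & 0o007:
        raise ValueError(f"MODE {mode:04o} would let every user talk to the TPM; use 0660")
    return group, mode

def device_ok(st, want_gid, want_mode):
    """True if a stat result shows the group and permission bits the rule assigns."""
    return st.st_gid == want_gid and stat.S_IMODE(st.st_mode) == want_mode

def user_in_group(user, group):
    """True if user has group as primary or supplementary group (what the daemon needs)."""
    g = grp.getgrnam(group)
    return user in g.gr_mem or pwd.getpwnam(user).pw_gid == g.gr_gid

def check_tpm(device="/dev/tpm0", user="iotedge", rule=TPM_RULE):
    """Explain why iotedge could not open the TPM, or return [] when the rule has taken effect."""
    group, mode = expected_access(rule)
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        return [f"group {group!r} does not exist (is the iotedge package installed?)"]
    try:
        st = os.stat(device)
    except FileNotFoundError:
        return [f"{device} not found: is the TPM enabled in the VM settings?"]
    problems = []
    if not stat.S_ISCHR(st.st_mode):
        problems.append(f"{device} is not a character device")
    if not device_ok(st, gid, mode):
        problems.append(f"{device} has gid {st.st_gid} mode {stat.S_IMODE(st.st_mode):04o}, "
                        f"want gid {gid} mode {mode:04o}; re-run udevadm trigger and check again")
    if not user_in_group(user, group):
        problems.append(f"user {user!r} is not a member of group {group!r}")
    return problems
```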

Install ASC for IoT
Now it’s time to install the ASC for IoT module in the IoT Edge runtime. Open the IoT Hub, select IoT Edge in the left panel, and select the device you created before.
Select Set Modules, and Add Marketplace Module and search for Azure Security Center for IoT.

On the Module Settings tab, add the following container create options:
{
  "NetworkingConfig": {
    "EndpointsConfig": {
      "host": {}
    }
  },
  "HostConfig": {
    "Privileged": true,
    "NetworkMode": "host",
    "PidMode": "host",
    "Binds": [
      "/:/host"
    ]
  }
}
Note what these options do: the module runs as a privileged container, shares the host network and PID namespaces, and has the host’s root filesystem bound at /host. The security agent needs that level of access to inspect processes, connections and files on the device, which is also why only this module should get it.

Under Runtime Settings, set the Edge Hub image to mcr.microsoft.com/azureiotedge-hub:1.0.9.2 or a later version. The last step is to create a new route:
FROM /messages/modules/AzureSecurityCenterforIoT/* INTO $upstream
Now you can check if all the modules are running:
sudo systemctl restart iotedge
sudo systemctl status iotedge
sudo docker ps
You should see 3 modules running (azureiotsecurity, azureiotedge-hub, azureiotedge-agent) after a few seconds.
Testing the scenario
We will now simulate an attack and look at the results in Azure Security Center.
cd
git clone https://github.com/Azure/Azure-IoT-Security --recursive
cd Azure-IoT-Security/trigger_events
sudo chmod +x trigger_events.sh
sudo ./trigger_events.sh --exploit
sudo ./trigger_events.sh --malicious


Happy coding!