| title | Create and provision an IoT Edge for Linux on Windows device by using a TPM |
|---|---|
| description | Use a simulated TPM on a Linux on Windows device to test the Azure device provisioning service for Azure IoT Edge. |
| author | sethmanheim |
| ms.author | sethm |
| ms.date | 01/21/2025 |
| ms.topic | how-to |
| ms.service | azure-iot-edge |
| ms.custom | linux-related-content |
| services | iot-edge |
[!INCLUDE iot-edge-version-all-supported]
This article provides instructions for autoprovisioning an Azure IoT Edge for Linux on Windows device by using a Trusted Platform Module (TPM). You can automatically provision Azure IoT Edge devices with the Azure IoT Hub device provisioning service. If you're unfamiliar with the process of autoprovisioning, review the provisioning overview before you continue.
This article outlines two methodologies. Select your preference based on the architecture of your solution:
- Autoprovision a Linux on Windows device with physical TPM hardware.
- Autoprovision a Linux on Windows device by using a simulated TPM. We recommend this methodology only as a testing scenario. A simulated TPM doesn't offer the same security as a physical TPM.
The tasks are as follows.

Physical TPM:

- Install IoT Edge for Linux on Windows.
- Retrieve the TPM information from your device.
- Create an individual enrollment for the device.
- Provision your device with its TPM information.

Simulated TPM:

- Install IoT Edge for Linux on Windows.
- Set up your simulated TPM and retrieve its provisioning information.
- Create an individual enrollment for the device.
- Provision your device with its TPM information.
[!INCLUDE iot-edge-prerequisites-at-scale-cloud-resources.md]
[!INCLUDE iot-edge-prerequisites-linux-on-windows.md]
> [!NOTE]
> TPM 2.0 is required when you use TPM attestation with the device provisioning service.
>
> You can only create individual, not group, device provisioning service enrollments when you use a TPM.
[!INCLUDE install-iot-edge-linux-on-windows.md]
There are some steps to prepare your device for provisioning with TPM. Leave your deployment open while you prepare your device. You'll return to your deployment later in the article.
The IoT Edge for Linux on Windows VM has a TPM feature that can be enabled or disabled. By default, it's disabled. When this feature is enabled, the VM can access the host machine's TPM.
1. Open PowerShell in an elevated session.

2. If you haven't already, set the execution policy on your device to `AllSigned` so that you can run the IoT Edge for Linux on Windows PowerShell functions.

   ```powershell
   Set-ExecutionPolicy -ExecutionPolicy AllSigned -Force
   ```

3. Turn on the TPM feature.

   ```powershell
   Set-EflowVmFeature -feature 'DpsTpm' -enable
   ```
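Because the `DpsTpm` feature exposes the host machine's TPM to the VM, and the device provisioning service requires TPM 2.0, it is worth confirming the host TPM before turning the feature on. The following script is an added example, not part of the original article or of the IoT Edge for Linux on Windows module. It uses the built-in `Get-Tpm` cmdlet and the `Win32_Tpm` WMI class for the host check; `Set-EflowVmFeature` is the cmdlet used in this article, and `Get-EflowVmFeature` (also part of the EFLOW module, but not shown on this page) is used only to read the feature state back.

```powershell
# Added example: pre-flight check of the host TPM before enabling the EFLOW 'DpsTpm' feature.
# Not from the original article. Run from an elevated PowerShell session on the Windows host.

function Test-HostTpmForDps {
    <#
    .SYNOPSIS
    Returns $true when the host has a present, ready TPM that reports specification
    version 2.0, which is what DPS TPM attestation requires.
    #>
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        Write-Warning 'No TPM detected on this host.'
        return $false
    }
    if (-not $tpm.TpmReady) {
        Write-Warning 'TPM is present but not ready (check firmware settings or TPM ownership).'
        return $false
    }

    # Win32_Tpm.SpecVersion is a comma-separated string such as "2.0, 0, 1.38";
    # the first field is the TPM specification level.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm'
    if (-not $wmiTpm) {
        Write-Warning 'Win32_Tpm instance not available; cannot determine TPM specification version.'
        return $false
    }
    $specLevel = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    if ($specLevel -ne '2.0') {
        Write-Warning "TPM reports specification version '$specLevel'; DPS TPM attestation requires 2.0."
        return $false
    }

    Write-Verbose "TPM 2.0 present and ready (manufacturer: $($tpm.ManufacturerIdTxt))."
    return $true
}

function Enable-EflowDpsTpm {
    <#
    .SYNOPSIS
    Enables the EFLOW DpsTpm feature only after the host TPM passes the pre-flight
    check, then reads the feature state back.
    #>
    [CmdletBinding()]
    param()

    if (-not (Test-HostTpmForDps)) {
        throw 'Host TPM does not meet the requirements for DPS TPM attestation; DpsTpm was not enabled.'
    }

    # Same command as in the article above.
    Set-EflowVmFeature -feature 'DpsTpm' -enable

    # Read-back is an added sanity check; the exact return type of Get-EflowVmFeature
    # is assumed to be printable as a string.
    $state = Get-EflowVmFeature -feature 'DpsTpm'
    Write-Output "DpsTpm feature state after enabling: $state"
}

# Usage (elevated session):
# Enable-EflowDpsTpm -Verbose
```

If the check fails, fix the host first (enable the TPM in firmware, or clear a pending ownership state) rather than enabling `DpsTpm` and debugging a failed enrollment later.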
To provision your device, you need an endorsement key for your TPM chip and a registration ID for your device. You provide this information to your instance of the device provisioning service so that the service can recognize your device when it tries to connect.
The endorsement key is unique to each TPM chip and is issued by the manufacturer of that chip. You can derive a unique registration ID for your TPM device by, for example, creating a SHA-256 hash of the endorsement key.
IoT Edge for Linux on Windows provides a PowerShell script to help retrieve this information from your TPM. To use the script, follow these steps on your device:
1. Open PowerShell in an elevated session.

2. Run the command.

   ```powershell
   Get-EflowVmTpmProvisioningInfo | Format-List
   ```
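The SHA-256 derivation of a registration ID mentioned above, worked through in PowerShell. This is an added example and is not code from the original article or from the IoT Edge for Linux on Windows module; the endorsement key it hashes is a constructed placeholder (32 zero bytes), not a real key, and the function name is hypothetical.

```powershell
# Added example: derive a DPS registration ID from a TPM endorsement key by hashing it with SHA-256.
# Not from the original article. The sample endorsement key below is constructed, not a real EK.

function Get-RegistrationIdFromEndorsementKey {
    <#
    .SYNOPSIS
    Returns the lowercase hexadecimal SHA-256 digest of a Base64-encoded endorsement key.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$EndorsementKeyBase64
    )

    # Hash the raw key bytes, not the Base64 text, so the ID does not depend on
    # how the key happened to be encoded when it was copied out of the TPM tooling.
    try {
        $ekBytes = [System.Convert]::FromBase64String($EndorsementKeyBase64)
    }
    catch {
        throw 'Endorsement key is not valid Base64.'
    }

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha256.ComputeHash($ekBytes)
    }
    finally {
        $sha256.Dispose()
    }

    # 64 lowercase hex characters: a stable, unique ID that fits the registration ID
    # length and character rules of the device provisioning service.
    return [System.BitConverter]::ToString($digest).Replace('-', '').ToLowerInvariant()
}

# Constructed sample: 32 zero bytes encoded as Base64. A real endorsement key is much
# longer; paste the Base64 value reported for your TPM (or by the simulator) instead.
$sampleEndorsementKey = [System.Convert]::ToBase64String((New-Object byte[] 32))
$registrationId = Get-RegistrationIdFromEndorsementKey -EndorsementKeyBase64 $sampleEndorsementKey
Write-Output "Registration ID: $registrationId"
```

Whatever derivation you choose, use the same registration ID in the individual enrollment and in the `-registrationId` argument when you provision the device; a mismatch is the most common reason a TPM enrollment is never assigned.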
If you don't have a physical TPM available and want to test this provisioning method, you can simulate a TPM on your device.
The IoT Hub device provisioning service provides samples that simulate a TPM and return the endorsement key and registration ID for you.
- Choose one of the samples from the following list, based on your preferred language.
- Stop following the device provisioning service sample steps after you have the simulated TPM running and have collected the Endorsement key and Registration ID. Don't select Enter to run registration in the sample application.
- Keep the window hosting the simulated TPM running until you're finished testing this scenario.
- Return to this article to create a device provisioning service enrollment and configure your device.
Simulated TPM samples:
[!INCLUDE tpm-create-a-device-provision-service-enrollment.md]
1. Open an elevated PowerShell session on the Windows device.

2. Provision your device by using the Scope ID that you collected from your instance of the device provisioning service.

   ```powershell
   Provision-EflowVM -provisioningType "DpsTpm" -scopeId "SCOPE_ID_HERE"
   ```

   If you enrolled the device using a custom registration ID, you must specify that registration ID as well when provisioning:

   ```powershell
   Provision-EflowVM -provisioningType "DpsTpm" -scopeId "SCOPE_ID_HERE" -registrationId "REGISTRATION_ID_HERE"
   ```
Verify that IoT Edge for Linux on Windows was successfully installed and configured on your IoT Edge device.
If the runtime started successfully, you can go into your IoT hub and start deploying IoT Edge modules to your device.
You can verify that the individual enrollment that you created in the device provisioning service was used. Go to your device provisioning service instance in the Azure portal. Open the enrollment details for the individual enrollment that you created. Notice that the status of the enrollment is assigned and the device ID is listed.
Use the following commands on your device to verify that the IoT Edge installed and started successfully.
1. Connect to your IoT Edge for Linux on Windows VM by using the following command in your PowerShell session:

   ```powershell
   Connect-EflowVm
   ```

   > [!NOTE]
   > The only account allowed to SSH to the VM is the user who created it.

2. After you're signed in, you can check the list of running IoT Edge modules by using the following Linux command:

   ```bash
   sudo iotedge list
   ```

3. If you need to troubleshoot the IoT Edge service, use the following Linux commands.

   - If you need to troubleshoot the service, retrieve the service logs.

     ```bash
     sudo iotedge system logs
     ```

   - Use the `check` tool to verify configuration and connection status of the device.

     ```bash
     sudo iotedge check
     ```

     > [!NOTE]
     > On a newly provisioned device, you may see an error related to IoT Edge Hub:
     >
     > ```output
     > × production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error
     >     Could not check current state of edgeHub container
     > ```
     >
     > This error is expected on a newly provisioned device because the IoT Edge Hub module isn't running. To resolve the error, in IoT Hub, set the modules for the device and create a deployment. Creating a deployment for the device starts the modules on the device including the IoT Edge Hub module.
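On a freshly provisioned device the `iotedge check` output mixes one expected error (the Edge Hub storage check, described above) with anything that actually went wrong, so it helps to separate the two. The following is an added example, not code from the original article or the IoT Edge project: a PowerShell function that classifies `iotedge check` output lines and reports the Edge Hub storage error as expected while surfacing every other error. The sample output it runs against is constructed from the error lines shown above plus a few made-up passing lines; the function name and the warning-line format are assumptions.

```powershell
# Added example: triage `iotedge check` output on a newly provisioned device.
# Not from the original article. The sample output below is constructed.

function Get-IotEdgeCheckTriage {
    <#
    .SYNOPSIS
    Splits `iotedge check` output into expected errors (the edgeHub storage check that
    fails until a deployment starts edgeHub), unexpected errors, and warnings.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$CheckOutput
    )

    # Text of the error the article says to expect on a device with no deployment yet.
    $expectedOnNewDevice = "Edge Hub's storage directory is persisted on the host filesystem"

    $result = [ordered]@{
        Expected   = @()
        Unexpected = @()
        Warnings   = @()
    }

    foreach ($line in $CheckOutput) {
        # Failing checks are marked with '×' and end in '- Error' (see the article's sample).
        if ($line -match '^\s*×.* - Error\s*$') {
            if ($line -like "*$expectedOnNewDevice*") { $result.Expected += $line }
            else                                        { $result.Unexpected += $line }
            continue
        }
        # Warning-line format is assumed here; adjust if your iotedge version differs.
        if ($line -match ' - Warning\s*$') {
            $result.Warnings += $line
        }
    }

    return [pscustomobject]$result
}

# Constructed sample output: the two lines from the article plus made-up passing checks.
$sampleCheckOutput = @(
    'Configuration checks (aziot-identity-service)'
    '√ keyd configuration is well-formed - OK'
    '√ identityd configuration is well-formed - OK'
    "× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error"
    '    Could not check current state of edgeHub container'
    'Connectivity checks'
    '√ host can connect to and perform TLS handshake with iothub AMQP port - OK'
)

$triage = Get-IotEdgeCheckTriage -CheckOutput $sampleCheckOutput

if ($triage.Unexpected.Count -eq 0) {
    Write-Output 'Only the expected edgeHub storage error was found; create a deployment in IoT Hub to clear it.'
}
else {
    Write-Output 'Unexpected errors that need attention:'
    $triage.Unexpected | ForEach-Object { Write-Output "  $_" }
}

# To run against a live device from the Windows host, capture the command output from
# inside the VM and pass it in, for example (EFLOW module cmdlet not shown on this page):
#   $live = Invoke-EflowVmCommand -command 'sudo iotedge check'
#   Get-IotEdgeCheckTriage -CheckOutput $live
```

Treating the edgeHub storage error as expected is only valid before the first deployment; once modules are deployed, the same line indicates a real persistence problem and should be investigated.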
[!INCLUDE uninstall-iot-edge-linux-on-windows.md]
The device provisioning service enrollment process lets you set the device ID and device twin tags at the same time as you provision the new device. You can use those values to target individual devices or groups of devices by using automatic device management.
Learn how to deploy and monitor IoT Edge modules at scale by using the Azure portal or the Azure CLI.