Connect a Linux device with a TPM
This tutorial explains how to securely connect a Linux device with a Trusted Platform Module (TPM) to Device Management over an IP connection.
Device Management Client supports the PARSEC open-source initiative, which provides a platform-agnostic interface for calling the secure storage and cryptographic operation services of a TPM on Linux.
This lets you generate the device's bootstrap private key inside the TPM during the factory provisioning flow. When the device calls the Device Management bootstrap server, Device Management Client performs the DTLS handshake by invoking the bootstrap key through the PARSEC API, so the private key never has to be exported from the TPM.
Prerequisites
- A Linux PC (x86 Linux) on which you provision production credentials, as described in the Pelion Device Management factory tool demo documentation.

Important: Make sure to upload your certificate authority (CA) certificate file to your Device Management account.
Connecting the device
- Open a terminal, and clone the example repository to a convenient location in your development environment:

    git clone https://github.com/PelionIoT/mbed-cloud-client-example
    cd mbed-cloud-client-example

- Deploy the example repository:

    mbed deploy

- Delete the add_definitions(-DMBED_CONF_APP_DEVELOPER_MODE=1) line from the define.txt configuration file, so that the Device Management Client example compiles in production mode.

- Navigate to the Device Management Client example folder, and run:

    python pal-platform/pal-platform.py deploy --target=x86_x64_NativeLinux_mbedtls generate
    cd __x86_x64_NativeLinux_mbedtls
    cmake -G "Unix Makefiles" -DPARSEC_TPM_SE_SUPPORT=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_TOOLCHAIN_FILE=./../pal-platform/Toolchain/GCC/GCC.cmake -DEXTERNAL_DEFINE_FILE=./../define_linux_psa.txt

  The build creates binaries under mbed-cloud-client-example/__x86_x64_NativeLinux_mbedtls.

  Note: If you experience build problems, see the Troubleshooting section for potential issues and workarounds.

- Set the entropy source:

    export ENTROPYSOURCE=<file-name>

  For example:

    export ENTROPYSOURCE=/dev/urandom

  Note: The ENTROPYSOURCE environment variable is optional. If you do not set it, Device Management Client uses a default entropy source, which is Linux-platform-dependent.

- Run the application:

    ./Release/mbedCloudClientExample.elf

  You should see a message when the device connects to Device Management:

    Client registered
    Endpoint Name: 013584750b3400000000000100100051
    Device Id: 013584750b3400000000000100100051
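The steps above leave two things to a human eye: that the developer-mode define really was removed before the production build, and that the entropy source you export is something the client can actually read. The POSIX shell helpers below are an added example, not part of the Pelion tutorial or the mbed-cloud-client-example repository; they assume the define file is a plain text file with one add_definitions() line per line, as define.txt is, and the sample define file and registration message they operate on are constructed here for the demonstration (the second define line is a placeholder, not a real project setting).

```shell
#!/bin/sh
# Added example (not Pelion's code): checks around the production-mode build,
# entropy-source and registration steps of the tutorial above.

# The exact line the tutorial tells you to delete from define.txt.
DEV_MODE_LINE='add_definitions(-DMBED_CONF_APP_DEVELOPER_MODE=1)'

# Return 0 if the define file no longer enables developer mode, 1 otherwise.
# Use this as a gate before running cmake for a production build.
check_production_mode() {
    define_file="$1"
    if grep -qF "$DEV_MODE_LINE" "$define_file"; then
        echo "developer mode still enabled in $define_file" >&2
        return 1
    fi
    return 0
}

# Remove the developer-mode line in place; print the number of lines removed.
strip_developer_mode() {
    define_file="$1"
    before=$(wc -l < "$define_file")
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -vF "$DEV_MODE_LINE" "$define_file" > "$define_file.tmp" || true
    mv "$define_file.tmp" "$define_file"
    after=$(wc -l < "$define_file")
    echo $((before - after))
}

# Validate a candidate ENTROPYSOURCE path before exporting it: it must be
# readable and be either a character device (such as /dev/urandom) or a
# non-empty regular file. An empty file would starve the client of entropy.
check_entropy_source() {
    src="$1"
    if [ ! -r "$src" ]; then
        echo "entropy source $src is not readable" >&2
        return 1
    fi
    if [ -c "$src" ]; then
        return 0
    fi
    if [ -f "$src" ] && [ -s "$src" ]; then
        return 0
    fi
    echo "entropy source $src is neither a character device nor a non-empty file" >&2
    return 1
}

# Extract the Device Id from the client's registration output (read on stdin),
# so a provisioning script can record the identity the device registered under.
parse_device_id() {
    sed -n 's/.*Device Id: *\([0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Demonstration on constructed input (run with --demo); not the repository files.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$DEV_MODE_LINE" \
        'add_definitions(-DEXAMPLE_PLACEHOLDER_SETTING=1)' > "$tmp"   # constructed
    check_production_mode "$tmp" || echo "removed $(strip_developer_mode "$tmp") line(s)"
    check_production_mode "$tmp" && echo "production mode: OK"
    check_entropy_source /dev/urandom && echo "entropy source: OK"
    printf 'Client registered\nEndpoint Name: 0123\nDevice Id: 0123\n' | parse_device_id
    rm -f "$tmp"
fi
```

Wire check_production_mode in just before the cmake step and check_entropy_source just before the export; both print a reason on stderr and return non-zero, so a `set -e` provisioning script stops at the first misconfiguration instead of producing a developer-mode binary.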