Connect a Linux device with a TPM
This tutorial explains how to securely connect a Linux device with a Trusted Platform Module (TPM) to Device Management over an IP connection.
Device Management Client supports the PARSEC open-source initiative, which provides a platform-agnostic interface for calling the secure storage and operation services of a TPM on Linux.
This lets you generate the device's bootstrap private key on a TPM during the factory provisioning flow. When the device calls the Device Management bootstrap server, as part of the DTLS handshake, Device Management Client uses the bootstrap key by calling an API without having to export the key.
Prerequisites
-
A Linux PC (x86 Linux) on which you provision production credentials, as described in the Pelion Device Management factory tool demo documentation.
Important: Make sure to upload your certificate authority (CA) certificate file to your Device Management account.
Connecting the device
-
Open a terminal, and clone the example repository to a convenient location on your development environment:
git clone https://github.com/PelionIoT/mbed-cloud-client-example cd mbed-cloud-client-example
-
Deploy the example repository:
mbed deploy
-
Delete the
add_definitions(-DMBED_CONF_APP_DEVELOPER_MODE=1)
line from thedefine.txt
configuration file to compile Device Management Client example in production mode. -
Navigate to the Device Management Client example folder, and run:
python pal-platform/pal-platform.py deploy --target=x86_x64_NativeLinux_mbedtls generate cd __x86_x64_NativeLinux_mbedtls cmake -G "Unix Makefiles" -DPARSEC_TPM_SE_SUPPORT=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_TOOLCHAIN_FILE=./../pal-platform/Toolchain/GCC/GCC.cmake -DEXTERNAL_DEFINE_FILE=./../define_linux_psa.txt
The build creates binaries under
mbed-cloud-client-example/__x86_x64_NativeLinux_mbedtls
.Note: If you experience build problems, see the Troubleshooting section for potential issues and workarounds.
-
Set the entropy source:
export ENTROPYSOURCE=<file-name>
For example:
export ENTROPYSOURCE=/dev/urandom
Note: The
ENTROPYSOURCE
environment variable is optional. If you do not use it, Device Management uses a default entropy source, which is Linux-platform-dependent. -
Run the application:
./Release/mbedCloudClientExample.elf
You should see a message when the device connects to Device Management:
Client registered Endpoint Name: 013584750b3400000000000100100051 Device Id: 013584750b3400000000000100100051