Closed marosrojis closed 1 year ago
Hi, in order to reconnect without reprovisioning you need to use the same security provider instance that you created when provisioning the device. The security client stores the authentication key from the service during the provisioning process. You can read more about TPM authentication via DPS here: https://learn.microsoft.com/azure/iot-dps/concepts-tpm-attestation#detailed-attestation-process.
We're also analyzing whether we should expose the authentication key to the user so that you could call activateIdentityKey with a new security provider instance by yourself.
Hi,
thank you for your response.
It is not possible to use the same instance of the security provider when the IoT device is restarted.
The interesting thing is, you don't need to have `activateIdentityKey` in the security provider. The security provider uses `activateIdentityKey` only to get the hash algorithm during generating the SAS token, nothing else (based on the StackOverflow post). The `activateIdentityKey` has to be only in the TPM.
And if you look at the sample code for reprovisioning, there is no `activateIdentityKey` there either. There is only the IoT Hub name and device ID, nothing else.
Thank you for your help.
After some discussion with the DPS service team, they have notified us that they don't encourage this kind of behavior for TPM since managing the state of the TPM is paramount for security purposes. For people who use TPM, the expectation will be that they reprovision each time the device is rebooted. To avoid this, we highly encourage using x509 attestation instead. Not only does it allow the kind of caching that is needed to avoid reprovisioning, but it is a more secure way for your device to connect.
Because of the above, I'm closing this thread as "won't fix/support"
Context (tpm-provider, tpm-provider-emulator)
Description of the issue
When a device is successfully provisioned using Device Provisioning Service and TPM, there is a problem with connecting to the IoT Hub using provided IoT Hub and device ID (DPS response).
If I use a sample code, the provisioning and connecting to the IoT hub is successful. There is a problem when I want to connect to the IoT hub without reprovisioning. Based on this sample code I would like to save the IoT hub URI and Device ID to the cache and read them every time e.g. when the device is restarted.
But because I don't run reprovisioning and I would like to connect to the IoT hub using the IoT Hub URI, device ID, and TPM, there is a problem: the attribute `SecurityProviderTPM.idKeyPub` is null. The attribute is used only to get the hash algorithm; it is not used to generate a SAS token. The sample code works because the attribute `SecurityProviderTPM.idKeyPub` is filled during the provisioning process. A similar problem is described here - https://stackoverflow.com/questions/59793319/connecting-to-azure-iot-hub-using-tpm?rq=1. There is a suggestion there that works.
I already discussed the problem here.
Code sample exhibiting the issue
Console log of the issue
The `idKeyPub` is used only to get the hash algorithm (SHA-256), that's all.
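To make concrete what the SAS token discussed in this thread consists of, here is an added illustration that is not the Azure SDK's code: the device-side builder needs only the hub host, the device ID, an expiry and an opaque signer (the hash algorithm is fixed at SHA-256, as the thread describes), while the service-side verifier shows that what actually authenticates the device is the key the service stored at provisioning. The TPM is simulated with an in-memory HMAC key; the host name, device ID and key are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote


class SimulatedTpmSigner:
    """Stand-in for the TPM: the key never leaves this object, only sign() is exposed."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # constructed demo key, not a real TPM-held secret

    def sign(self, data: bytes) -> bytes:
        # Hash algorithm fixed to SHA-256; the signer needs no public key material
        return hmac.new(self._key, data, hashlib.sha256).digest()


def build_sas_token(hub_host: str, device_id: str, signer: SimulatedTpmSigner, expiry: int) -> str:
    """Device side: IoT Hub SAS token from hub host, device ID, expiry and a signer."""
    resource_uri = quote(f"{hub_host}/devices/{device_id}", safe="")
    string_to_sign = f"{resource_uri}\n{expiry}".encode()
    signature = base64.b64encode(signer.sign(string_to_sign)).decode()
    return f"SharedAccessSignature sr={resource_uri}&sig={quote(signature, safe='')}&se={expiry}"


def verify_sas_token(token: str, hub_host: str, device_id: str, stored_key: bytes, now: int) -> bool:
    """Service side: recompute the HMAC with the key stored at provisioning, check resource and expiry."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    if not {"sr", "sig", "se"} <= fields.keys():
        return False
    if unquote(fields["sr"]) != f"{hub_host}/devices/{device_id}":
        return False
    if not fields["se"].isdigit() or int(fields["se"]) <= now:
        return False  # expired or malformed expiry
    expected = hmac.new(stored_key, f"{fields['sr']}\n{fields['se']}".encode(), hashlib.sha256).digest()
    try:
        provided = base64.b64decode(unquote(fields["sig"]), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed value
    token = build_sas_token("example-hub.azure-devices.net", "device-01", SimulatedTpmSigner(demo_key), 2_000_000_000)
    print(token, verify_sas_token(token, "example-hub.azure-devices.net", "device-01", demo_key, 1_900_000_000))
```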