Azure / iotedge

The IoT Edge OSS project
MIT License

Azure IoT Edge module deployment workflow #5756

Open anoop18pant opened 2 years ago

anoop18pant commented 2 years ago

Hi,

We are working on a security critical solution. So I want to understand, if we do the module deployment on an IoT Edge device from IoT Hub, how the integrity and identity get verified by the IoT Edge runtime before starting the module. I am not able to find the details in the Microsoft documentation.

I have the following question:

  1. Can you please tell us how the IoT Edge runtime checks the authenticity of the deployed module before starting it? Details like what and how it checks?

Thanks

ggjjj commented 2 years ago

We have a feature called Notary Content Trust which is in private preview right now. The feature will verify the integrity of the container images using Notary, a TUF-based framework. To try this feature, you can look into the documentation: https://github.com/Azure/iotedge/blob/master/doc/NotaryContentTrust.md

ggjjj commented 2 years ago

In short, the IoT Edge runtime works with the notary service to verify the digest of the container images via a root CA that is installed on the device.

anoop18pant commented 2 years ago

That means currently the edge runtime is using the notary service as some internal mechanism. We just have to install the device certificate which will be generated from the root CA certificate? Or do I need to do some other configuration also? Can you please confirm.

ggjjj commented 2 years ago

Currently the notary service has to be installed on the device. In private preview it needs to be installed manually. For configuration on the device, the root CA belonging to a container registry needs to be installed on the device. So for example, if there are two registries (where the signed images are uploaded), two root CAs need to be configured on the device. That's all on the device side. For publishing images you can follow the documentation to understand the entire process.

anoop18pant commented 2 years ago

Hi, basically I want to know if I don't want to install the notary service on the device. On the device I have only the edge runtime. Then if I am deploying a module from IoT Hub, how does the security service of the edge runtime verify the module identity/hash on the IoT Edge device? Can you please clarify.

ggjjj commented 2 years ago

For private preview, you would have to install the notary service on the device. Eventually our release package would contain the notary service and automatically install it on the device in public preview (no timeline yet). Once the deployment is set and the device is configured with the root CA, then the IoT Edge runtime would verify the digest of the container by working with Notary services.

anoop18pant commented 2 years ago

So you want to say that in the current public release of IoT Edge there is no check on module identity done by the edge runtime before deploying and starting the container?

ggjjj commented 2 years ago

In the current public release, the content trust feature is enabled as an experimental feature but doesn't meet the support of a public release. The bits are in, and the notary service has to be manually installed for you to try it out.

anoop18pant commented 2 years ago

Sorry to say, but still my doubt is not clear. My question is very simple. Currently, when the IoT Edge agent downloads the module from the repository, does it run any check on the downloaded module from a security point of view before starting the downloaded module, without the notary service installed? Do you understand my query?

ggjjj commented 2 years ago

No, it doesn't do any checks currently.

anoop18pant commented 2 years ago

As per the Microsoft Azure IoT Edge 1.1 documentation link https://docs.microsoft.com/en-us/azure/iot-edge/iot-edge-security-manager?view=iotedge-2018-06

The responsibilities of the IoT Edge security manager include: "Provision IoT Edge modules with unique identities."

What is the meaning of this "Provision IoT Edge modules with unique identities." Can you please explain it in a bit detail.

Also the link below says: https://docs.microsoft.com/en-us/azure/iot-edge/security?view=iotedge-2020-11

Software attestation All healthy systems, including intelligent edge systems, need patches and upgrades. Security is important for update processes, otherwise they can be potential threat vectors. The security framework for IoT Edge calls for updates through measured and signed packages to assure the integrity of and authenticate the source of the packages. This standard applies to all operating systems and application software bits.

Then what is the meaning of these? If it does not guarantee this, then why is it mentioned in the MS docs?

ggjjj commented 2 years ago

Sorry for the delay. @pmzara who is on-call will assist in answering the specific question.

anoop18pant commented 2 years ago

Ok, thank you. My simple question is: when the runtime downloads the IoT Edge modules from the container registry, does it perform any type of check before starting the module? Because as per the docs link I mentioned in my earlier post, it says the identity service performs some check before starting the modules. So I want to understand what check it performs.

pmzara commented 2 years ago

@anoop18pant About your question: "What is the meaning of this 'Provision IoT Edge modules with unique identities.'" This link will help you understand unique identities: https://docs.microsoft.com/en-us/azure/iot-edge/iot-edge-modules?view=iotedge-2020-11

About Software attestation. The sentence of the link means that we are constantly applying security and vulnerability patches in our components and in the third-party libraries/frameworks/OS that we use to develop these components.

We don't perform any type of check before starting the module at this moment. As @ggjjj mentioned before, we added support for notary integration in our component, but this feature is in private preview.
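The thread states that the current public release performs no integrity check on a pulled module image, and that the Notary content trust preview fills that gap by verifying the image digest. The following is an added example, not code from the iotedge project: it shows the minimal defender-side check a deployment owner can run against a deployment manifest (its `$edgeAgent` desired `modules` section) to flag module images that are not pinned by digest, and to verify a pinned image's digest against the manifest bytes the registry serves. The `fetch_manifest` callback, the registry name and the manifest bytes are constructed assumptions.

```python
import hashlib
import json
import re

# Constructed sample: an OCI/Docker image manifest as a registry would serve it.
# The image digest is the sha256 of exactly these bytes.
SAMPLE_MANIFEST_BYTES = json.dumps({"schemaVersion": 2, "layers": []}).encode()
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(SAMPLE_MANIFEST_BYTES).hexdigest()

# Constructed IoT Edge deployment manifest fragment (registry name is made up):
# one module pinned by digest, one referenced only by a mutable tag.
DEPLOYMENT = {
    "modulesContent": {
        "$edgeAgent": {
            "properties.desired": {
                "modules": {
                    "sensor": {"settings": {"image": "example.azurecr.io/sensor@" + SAMPLE_DIGEST}},
                    "uploader": {"settings": {"image": "example.azurecr.io/uploader:1.0"}},
                }
            }
        }
    }
}

# A digest reference is <repo>@sha256:<64 hex chars>; anything else is tag-only.
DIGEST_RE = re.compile(r"^(?P<repo>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def module_images(deployment):
    """Map module name -> image reference from the $edgeAgent desired properties."""
    modules = deployment["modulesContent"]["$edgeAgent"]["properties.desired"]["modules"]
    return {name: mod["settings"]["image"] for name, mod in modules.items()}


def manifest_digest(manifest_bytes):
    """Image digest as registries define it: sha256 over the raw manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def check_deployment(deployment, fetch_manifest):
    """Return {module: 'unpinned' | 'verified' | 'mismatch'}.

    fetch_manifest(image) must return the raw manifest bytes served for that
    reference (assumed callback; a real one would talk to the registry API).
    """
    results = {}
    for name, image in module_images(deployment).items():
        match = DIGEST_RE.match(image)
        if not match:
            results[name] = "unpinned"      # tag can be re-pointed at any image
            continue
        actual = manifest_digest(fetch_manifest(image))
        results[name] = "verified" if actual == match["digest"] else "mismatch"
    return results
```

A "mismatch" means the registry served different bytes than the deployment pinned, which is exactly the condition the thread says the runtime does not detect without content trust.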

anoop18pant commented 2 years ago

As you are saying that there is no security check before starting the module, then can anyone deploy a hacked module on our edge device? Is there no security for this? Can you please answer: if this is the case, then how is IoT Edge providing security?

github-actions[bot] commented 2 years ago

This issue is being marked as stale because it has been open for 30 days with no activity.