intel-iot-devkit / meta-iot-cloud

OpenEmbedded layer to add support for multiple cloud IoT services including Microsoft Azure & Google Cloud Platform.
MIT License

Provisioning client with Azure IoT C SDK #161

Closed lorenzo-arena closed 1 year ago

lorenzo-arena commented 1 year ago

I'm trying to build the provisioning client included in the Azure IoT C SDK. I added

EXTRA_OECMAKE += " \
    -Duse_prov_client:BOOL=ON \
"

however the build fails since the repository is not cloned with submodules and the utpm and RIoT dependencies are missing. I added a recipe for utpm, but I'm not sure how to handle RIoT since it's only used for the sources and there isn't a CMake file. Is there a reason why the repository is not cloned with submodules?

srware commented 1 year ago

The repository is cloned without submodules to save bandwidth but also to ensure things are compiled against the correct libraries which will ship in the image and not something out of our control.

I've never looked into the provisioning client because it seemed pretty complicated to get working for a production image. You would have to provide your own HSM library with a recipe and then specify the path to it somehow in this recipe. That bit would be doable; however, the default "developer" path is to use a reference HSM which uses certificates provided by a simulator in the RIoT library. Only really useful for demos and testing, so not something I invested time into, considering how easily it could go wrong.

Can I ask what you are planning to do with the provisioning client? Are you wanting support for the reference "not for production" implementation, or do you have your own HSM library you would like to build the provisioning client against for production?

lorenzo-arena commented 1 year ago

I would be using encrypted symmetric keys stored on the filesystem, so while not being as secure as a TPM I would not need a custom HSM library.

srware commented 1 year ago

I don't believe the RIoT or TPM libs should be needed for x509 or symmetric key HSM types, but I need to check whether, in the older version currently shipping with this layer, it is possible to limit compilation to only the HSM types you need. I plan to update the recipes when I get some time, so it's something I can factor in, as it's definitely possible in later versions.

lorenzo-arena commented 1 year ago

I ended up rewriting the recipe and setting all HSM types off except for symmetric:

# Turn off all security libraries for provisioning, leave only symmetric keys enabled
EXTRA_OECMAKE += "\
    -Dhsm_type_x509:BOOL=OFF \
    -Dhsm_type_riot:BOOL=OFF \
    -Dhsm_type_sastoken:BOOL=OFF \
    -Dhsm_type_symm_key:BOOL=ON \
"

and also using a PACKAGECONFIG for provisioning:

PACKAGECONFIG[provisioning] = "-Duse_prov_client:BOOL=ON, -Duse_prov_client:BOOL=OFF,"
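
The two snippets above combined into one recipe extension, as an added example rather than code from the layer or from either commenter; the recipe name `azure-iot-sdk-c` and the helper variable `PROV_HSM_FLAGS` are assumptions, and the HSM switches are only passed when the `provisioning` PACKAGECONFIG is actually enabled:

```bitbake
# azure-iot-sdk-c_%.bbappend
# Assumed recipe name: check the layer's recipes-azure directory for the real one.

# Optional PACKAGECONFIG that builds the Device Provisioning client.
# Enabled form / disabled form of the CMake switch from the thread above.
PACKAGECONFIG[provisioning] = "-Duse_prov_client:BOOL=ON,-Duse_prov_client:BOOL=OFF,"

# Turn off all security libraries for provisioning, leave only symmetric keys enabled.
# The x509/RIoT/SAS-token back ends are what pull in the utpm and RIoT submodules.
PROV_HSM_FLAGS = " \
    -Dhsm_type_x509:BOOL=OFF \
    -Dhsm_type_riot:BOOL=OFF \
    -Dhsm_type_sastoken:BOOL=OFF \
    -Dhsm_type_symm_key:BOOL=ON \
"

# Only pass the HSM switches when the provisioning client is part of the build;
# without "provisioning" in PACKAGECONFIG the expression expands to nothing.
EXTRA_OECMAKE += "${@bb.utils.contains('PACKAGECONFIG', 'provisioning', '${PROV_HSM_FLAGS}', '', d)}"
```

Enable it from local.conf or a distro config with `PACKAGECONFIG:append:pn-azure-iot-sdk-c = " provisioning"` (on Yocto releases before Honister the override syntax is `PACKAGECONFIG_append_pn-azure-iot-sdk-c`).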

srware commented 1 year ago

Hi @lorenzo-arena,

Apologies for the lack of updates on this, it is still on my todo list. Appreciate you posting the solution that is working for you. I will look to add something similar to the upstream recipe.