opiproject / sztp

Secure Zero Touch Provisioning (sZTP) in OPI
Apache License 2.0

sztp: how to get access to TPM vendor-specific-agnostic #2

Open glimchb opened 1 year ago

glimchb commented 1 year ago

per https://github.com/opiproject/opi-prov-life/blob/main/ZTP.md

we need IDevID access, public/private keys, certificate, serial number to start the sZTP process ...

see IEEE 802.1AR - Secure Device Identity

also see https://github.com/usnistgov/iDevIDCerts

@shachartal @mestery @prasunkapoor @rsb-oss @jainvipin @alknopfler @achilikin @gupta-alok ?

let's start the discussion here, on slack and on our next meeting

alknopfler commented 1 year ago

Doubt I'm having on my table:

glimchb commented 1 year ago

@alknopfler

  1. Customer places an order with the DPU vendor to buy DPUs
  2. without security (classic ZTP) - Vendor sends only the serial numbers of the devices back to the Customer
  3. with sZTP - Vendor creates certificates with serial numbers and sends them back to the Customer
  4. Vendor places the iDEVID (priv key, pub key, certificate, ..) into the Device's TPM-like storage
  5. Customer loads this information into the Bootstrap server using NB APIs or a configuration file
  6. Devices arrive at the site and are powered up
  7. Device gets the URL of the Bootstrap server (via mDNS, SLAAC or DHCP)
  8. Device offers its iDEVID to the Bootstrap server
  9. Bootstrap server verifies the iDEVID of the device
  10. Bootstrap server optionally sends an ownership voucher to the device
  11. Bootstrap server sends signed artifacts (OS image, config) to the device
  12. Device verifies the signed artifacts and starts installation

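
The 12-step flow above, simulated end to end in Go as an added example; this is not code from the opiproject/sztp repository or from anyone in this thread. It assumes ECDSA P-256 for both the IDevID and the artifact-signing key, keeps keys in memory where a real DPU would keep the IDevID in TPM-like storage (step 4), carries the device serial number in the certificate's serialNumber attribute, and, instead of parsing an ownership voucher (step 10), hands the device the owner's public key directly. The vendor name, serial numbers and artifact bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Vendor is the DPU manufacturer; its CA signs every IDevID (step 3).
type Vendor struct{ CAKey *ecdsa.PrivateKey; CACert *x509.Certificate }
// Device is the DPU; the IDevID private key never leaves its TPM-like storage (step 4).
type Device struct{ idevKey *ecdsa.PrivateKey; IDevCert *x509.Certificate }

// BootstrapServer holds what the customer loaded via NB APIs (step 5) plus its artifact-signing key.
type BootstrapServer struct {
	roots    *x509.CertPool  // vendor IDevID CA
	expected map[string]bool // serial numbers on the order
	SignKey  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// newCert issues a one-day certificate for a fresh key; a nil parent means a self-signed CA.
func newCert(subject pkix.Name, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return key, cert
}

// sign and verify are ECDSA over SHA-256; the same pair serves the IDevID key and the artifact key.
func sign(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil { panic(err) }
	return sig
}
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func NewVendor() *Vendor {
	key, cert := newCert(pkix.Name{CommonName: "Example DPU Vendor IDevID CA"}, nil, nil) // constructed name
	return &Vendor{CAKey: key, CACert: cert}
}

// Provision mints an IDevID whose Subject carries the device serial number
// (the serialNumber attribute, as in IEEE 802.1AR).
func (v *Vendor) Provision(serial string) *Device {
	key, cert := newCert(pkix.Name{CommonName: "DPU IDevID", SerialNumber: serial}, v.CACert, v.CAKey)
	return &Device{idevKey: key, IDevCert: cert}
}

func NewBootstrapServer(vendorCA *x509.Certificate, orderedSerials []string) *BootstrapServer {
	pool := x509.NewCertPool()
	pool.AddCert(vendorCA)
	exp := map[string]bool{}
	for _, s := range orderedSerials { exp[s] = true }
	return &BootstrapServer{roots: pool, expected: exp, SignKey: newKey()}
}

// VerifyIDevID is step 9: chain to the vendor CA, serial on the order, proof of possession.
func (s *BootstrapServer) VerifyIDevID(cert *x509.Certificate, nonce, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: s.roots}); err != nil { return fmt.Errorf("IDevID chain: %w", err) }
	if !s.expected[cert.Subject.SerialNumber] { return fmt.Errorf("serial %q not on the order", cert.Subject.SerialNumber) }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !verify(pub, nonce, sig) { return fmt.Errorf("proof of possession failed") }
	return nil
}

// Bootstrap runs steps 8 to 12 for one device. ownerPub is the trust anchor the device
// got from the ownership voucher (step 10); this example hands it in directly.
func Bootstrap(s *BootstrapServer, d *Device, ownerPub *ecdsa.PublicKey, art []byte) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	sig := sign(d.idevKey, nonce) // step 8: device offers its IDevID cert plus proof of possession
	if err := s.VerifyIDevID(d.IDevCert, nonce, sig); err != nil { return nil, err }
	artSig := sign(s.SignKey, art) // step 11: server signs the OS image / config
	if !verify(ownerPub, art, artSig) { return nil, fmt.Errorf("artifact signature rejected by device") } // step 12
	return art, nil
}
```

The three checks in VerifyIDevID are the ones that matter for the thread's question: the chain check is what makes the vendor CA (not a per-device secret) the thing the customer has to load, the serial check ties the device to the order, and the nonce signature is what proves the device actually holds the key behind the certificate it presents. A device with a valid IDevID from a different vendor, one whose serial is not on the order, or one given the wrong owner key all stop the exchange with an error from Bootstrap.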
glimchb commented 1 year ago

also see here https://wiki.archlinux.org/title/Trusted_Platform_Module
also see here https://github.com/tpm2-software
also see https://github.com/opiproject/sztp/issues/123