Connect a Linux device with a TPM
This tutorial explains how to securely connect a Linux device with a Trusted Platform Module (TPM) to Device Management over an IP connection.
Device Management Client supports the PARSEC open-source initiative, which provides a platform-agnostic interface for calling the secure storage and operation services of a TPM on Linux.
This lets you generate the device's bootstrap private key on the TPM during the factory provisioning flow. When the device connects to the Device Management bootstrap server, Device Management Client uses the bootstrap key during the DTLS handshake through the PARSEC API, so the private key never has to be exported from the TPM.
You need a Linux PC (x86 Linux) on which you provision production credentials, as described in the Pelion Device Management factory tool demo documentation.
Important: Make sure to upload your certificate authority (CA) certificate file to your Device Management account.
Connecting the device
Open a terminal, and clone the example repository to a convenient location on your development environment:
git clone https://github.com/ARMmbed/mbed-cloud-client-example
cd mbed-cloud-client-example
Deploy the example repository:
Remove the add_definitions(-DMBED_CONF_APP_DEVELOPER_MODE=1) line from the define.txt configuration file to compile the Device Management Client example in production mode.
Navigate to the Device Management Client example folder, and run:
python pal-platform/pal-platform.py deploy --target=x86_x64_NativeLinux_mbedtls generate
cd __x86_x64_NativeLinux_mbedtls
cmake -G "Unix Makefiles" -DPARSEC_TPM_SE_SUPPORT=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_TOOLCHAIN_FILE=./../pal-platform/Toolchain/GCC/GCC.cmake -DEXTERNAL_DEFINE_FILE=./../define_linux_psa.txt
The build creates binaries under
Note: If you experience build problems, see the Troubleshooting section for potential issues and workarounds.
Set the entropy source:
Setting the ENTROPYSOURCE environment variable is optional. If you do not set it, Device Management uses a default entropy source, which depends on the Linux platform.
Run the application:
You should see a message when the device connects to Device Management:
Client registered
Endpoint Name: 013584750b3400000000000100100051
Device Id: 013584750b3400000000000100100051
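The build steps above are easy to get wrong in one security-relevant way: if the developer-mode define is left in define.txt, the client is built with developer credentials instead of the factory-provisioned bootstrap key held in the TPM. The following script is an added example, not part of the mbed-cloud-client-example repository or its documentation; it checks the define file for an active developer-mode line before running the same deploy and configure commands as the tutorial, and assumes it is run from the top of the repository checkout.

```shell
#!/bin/sh
# Added example: gate the production build on define.txt no longer enabling
# developer mode (MBED_CONF_APP_DEVELOPER_MODE=1), which would bypass the
# TPM-backed bootstrap credentials provisioned at the factory.

# Returns 0 when the define file carries no active developer-mode definition,
# 1 when it does, 2 when the file cannot be read. Lines commented out with '#'
# are ignored, since CMake treats them as comments.
check_production_mode() {
    define_file="$1"
    [ -r "$define_file" ] || { echo "cannot read $define_file" >&2; return 2; }
    if grep -v '^[[:space:]]*#' "$define_file" \
        | grep -q 'add_definitions(-DMBED_CONF_APP_DEVELOPER_MODE=1)'; then
        echo "$define_file still enables developer mode; remove the" \
             "add_definitions(-DMBED_CONF_APP_DEVELOPER_MODE=1) line" >&2
        return 1
    fi
    return 0
}

# The tutorial's deploy and configure steps, run only if the check passes.
# Must be called from the top of the mbed-cloud-client-example checkout.
configure_tpm_build() {
    check_production_mode define.txt || return $?
    python pal-platform/pal-platform.py deploy \
        --target=x86_x64_NativeLinux_mbedtls generate || return 1
    cd __x86_x64_NativeLinux_mbedtls || return 1
    cmake -G "Unix Makefiles" -DPARSEC_TPM_SE_SUPPORT=ON -DCMAKE_BUILD_TYPE=Release \
          -DCMAKE_TOOLCHAIN_FILE=./../pal-platform/Toolchain/GCC/GCC.cmake \
          -DEXTERNAL_DEFINE_FILE=./../define_linux_psa.txt
}

# Usage: sh check_build.sh <define-file>   (check only; call configure_tpm_build
# from the checkout to run the build steps after the check passes)
if [ -n "$1" ]; then
    check_production_mode "$1"
fi
```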