Minor updates

micahl · micahl · commit 70a9c0eeff56 · 2022-10-01T02:31:16.000-07:00
diff --git a/articles/iot-edge/how-to-provision-devices-at-scale-linux-tpm.md b/articles/iot-edge/how-to-provision-devices-at-scale-linux-tpm.md
@@ -141,31 +141,6 @@ After the installation is finished and you've signed back in to your VM, you're
 
 ---
 
-<!-- iotedge-1.4 -->
-:::moniker range=">=iotedge-1.4"
-
-### Install the TPM2 Tools
-   1. Sign in to your device, and install the `tpm2-tools` package.
-
-# [Ubuntu / Debian / Raspberry Pi OS](#tab/ubuntu+debian+rpios)
-
-
-      ```bash
-      sudo apt-get install tpm2-tools
-      ```
-
-# [Red Hat Enterprise Linux](#tab/rhel)
-
-
-      ```bash
-      sudo yum install tpm2-tools
-      ```
-
----
-
-:::moniker-end
-<!-- end 1.4 -->
-
 ## Retrieve provisioning information for your TPM
 
 <!-- 1.1 -->
@@ -192,12 +167,31 @@ In this section, you build a tool that you can use to retrieve the registration
 <!-- iotedge-1.4 -->
 :::moniker range=">=iotedge-1.4"
 
-In this section, you use the TPM2 software tools to retrieve the endorsement key for your TPM and then generate a unique registration ID. This section corresponds with [Step 3: Device has firmware and software installed](../iot-dps/concepts-device-oem-security-practices.md#step-3-device-has-firmware-and-software-installed) in the process for [integrating a TPM into the manufacturing process](../iot-dps/concepts-device-oem-security-practices.md#integrating-a-tpm-into-the-manufacturing-process).
-
 > [!NOTE]
 > This article previously used the `tpm_device_provision` tool from the IoT C SDK to generate provisioning info. If you relied on that tool previously, then be aware the steps below generate a different registration ID for the same public endorsement key. If you need to recreate the registration ID as before then refer to how the C SDK's [tpm_device_provision tool](https://github.com/Azure/azure-iot-sdk-c/tree/main/provisioning_client/tools/tpm_device_provision) generates it. Be sure the registration ID for the individual enrollment in DPS matches the regisration ID the IoT Edge device is configured to use.
 
-   1. Run the script below to read the endorsement key, creating one if it does not already exist.
+In this section, you use the TPM2 software tools to retrieve the endorsement key for your TPM and then generate a unique registration ID. This section corresponds with [Step 3: Device has firmware and software installed](../iot-dps/concepts-device-oem-security-practices.md#step-3-device-has-firmware-and-software-installed) in the process for [integrating a TPM into the manufacturing process](../iot-dps/concepts-device-oem-security-practices.md#integrating-a-tpm-into-the-manufacturing-process).
+
+### Install the TPM2 Tools
+Sign in to your device, and install the `tpm2-tools` package.
+
+# [Ubuntu / Debian / Raspberry Pi OS](#tab/ubuntu+debian+rpios)
+
+
+      ```bash
+      sudo apt-get install tpm2-tools
+      ```
+
+# [Red Hat Enterprise Linux](#tab/rhel)
+
+
+      ```bash
+      sudo yum install tpm2-tools
+      ```
+
+---
+
+Run the following script to read the endorsement key, creating one if it does not already exist.
 
       ```bash
       #!/bin/sh
@@ -213,50 +207,46 @@ In this section, you use the TPM2 software tools to retrieve the endorsement key
         $SUDO tpm2_readpublic -c 0x81010001 -o ek.pub > /dev/null
         $SUDO tpm2_flushcontext -t > /dev/null
 
-        $SUDO tpm2_getcap handles-persistent >/dev/null | grep 0x81000001 > /dev/null
-        if [ $? -gt 0 ]; then
-          # Create a storage root key (SRK)
-          $SUDO tpm2_startauthsession --policy-session -S session.ctx > /dev/null
-          $SUDO tpm2_policysecret -S session.ctx -c 0x4000000B > /dev/null
-          $SUDO tpm2_create -C 0x81010001 \
-            -G rsa2048 \
-            -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth' \
-            -u srk.pub -r srk.priv \
-            -P session:session.ctx > /dev/null
-          $SUDO tpm2_flushcontext --transient-object > /dev/null
-
-          # store the key
-          $SUDO tpm2_startauthsession -S session.ctx --policy-session > /dev/null
-          $SUDO tpm2_policysecret -S session.ctx -c 0x4000000B > /dev/null
-          $SUDO tpm2_load -C 0x81010001 \
-            -u srk.pub -r srk.priv \
-            -P session:session.ctx \
-            -c srk.ctx > /dev/null
-
-          # make the SRK persistent
-          $SUDO tpm2_evictcontrol -c srk.ctx 0x81000001 > /dev/null
-
-          # clean up
-          $SUDO rm session.ctx srk.pub srk.priv srk.ctx ek.ctx 2> /dev/null
-        fi
+        # Create a storage root key (SRK)
+        $SUDO tpm2_startauthsession --policy-session -S session.ctx > /dev/null
+        $SUDO tpm2_policysecret -S session.ctx -c 0x4000000B > /dev/null
+        $SUDO tpm2_create -C 0x81010001 \
+          -G rsa2048 \
+          -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth' \
+          -u srk.pub -r srk.priv \
+          -P session:session.ctx > /dev/null
+        $SUDO tpm2_flushcontext --transient-object > /dev/null
+
+        # store the key
+        $SUDO tpm2_startauthsession -S session.ctx --policy-session > /dev/null
+        $SUDO tpm2_policysecret -S session.ctx -c 0x4000000B > /dev/null
+        $SUDO tpm2_load -C 0x81010001 \
+          -u srk.pub -r srk.priv \
+          -P session:session.ctx \
+          -c srk.ctx > /dev/null
+
+        # make the SRK persistent
+        $SUDO tpm2_evictcontrol -c srk.ctx 0x81000001 > /dev/null
+
+        # clean up
+        $SUDO rm session.ctx srk.pub srk.priv srk.ctx ek.ctx 2> /dev/null
       fi
 
       printf "Gathering the registration information...\n\nRegistration Id:\n%s\n\nEndorsement Key:\n%s\n" $(sha256sum -b ek.pub | cut -d' ' -f1 | sed -e 's/[^[:alnum:]]//g') $(base64 -w0 ek.pub)
 
       $SUDO rm ek.pub 2> /dev/null
       ```
 
-   1. The output window displays the device's **Endorsement key** and a unique **Registration ID**. Copy these values for use later when you create an individual enrollment for your device in the device provisioning service.
+The output window displays the device's **Endorsement key** and a unique **Registration ID**. Copy these values for use later when you create an individual enrollment for your device in the device provisioning service.
 
 :::moniker-end
 <!-- end iotedge-1.4 -->
 
+After you have your registration ID and endorsement key, you're ready to continue.
+
 > [!TIP]
 > If you don't want to use the TPM2 software tools to retrieve the information, you need to find another way to obtain the provisioning information. The endorsement key, which is unique to each TPM chip, is obtained from the TPM chip manufacturer associated with it. You can derive a unique registration ID for your TPM device. For example, as shown above you can create an SHA-256 hash of the endorsement key.
 
-
-After you have your registration ID and endorsement key, you're ready to continue.
-
 <!-- Create an enrollment for your device using TPM provisioning information H2 and content -->
 [!INCLUDE [tpm-create-a-device-provision-service-enrollment.md](../../includes/tpm-create-a-device-provision-service-enrollment.md)]
 
