You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/iot-edge/iot-edge-security-manager.md
+22-22Lines changed: 22 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,18 +7,18 @@ author: eustacea
7
7
manager: philmea
8
8
9
9
ms.author: eustacea
10
-
ms.date: 07/30/2018
10
+
ms.date: 08/30/2019
11
11
ms.topic: article
12
12
ms.service: iot-edge
13
13
ms.custom: seodec18
14
14
---
15
15
# Azure IoT Edge security manager
16
16
17
-
The Azure IoT Edge security manager is a well-bounded security core for protecting the IoT Edge device and all its components by abstracting the secure silicon hardware. It is the focal point for security hardening and provides technology integration point to original device manufacturers (OEM).
17
+
The Azure IoT Edge security manager is a well-bounded security core for protecting the IoT Edge device and all its components by abstracting the secure silicon hardware. It is the focal point for security hardening and provides technology integration point to original equipment manufacturers (OEM).
IoT Edge security manager aims to defend the integrity of the IoT Edge device and all inherent software operations. It does so by transitioning trust from underlying hardware root of trust hardware (if available) to securely bootstrap IoT Edge runtime and continue to monitor the integrity of its operations. The IoT Edge security manager is software working along with secure silicon hardware (where available) to help deliver the highest security assurances possible.
21
+
IoT Edge security manager aims to defend the integrity of the IoT Edge device and all inherent software operations. The security manager transitions trust from underlying hardware root of trust hardware (if available) to bootstrap the IoT Edge runtime and monitor ongoing operations. The IoT Edge security manager is software working along with secure silicon hardware (where available) to help deliver the highest security assurances possible.
22
22
23
23
The responsibilities of the IoT Edge security manager include, but aren't limited to:
24
24
@@ -37,79 +37,79 @@ IoT Edge security manager includes three components:
37
37
38
38
## The IoT Edge security daemon
39
39
40
-
IoT Edge security daemon is the software responsible for the logical operations of IoT Edge security manager. It is a significant portion of the trusted computing base of the IoT Edge device.
40
+
The IoT Edge security daemon is responsible for the logical operations of IoT Edge security manager. It represents a significant portion of the trusted computing base of the IoT Edge device.
41
41
42
42
### Design principles
43
43
44
44
The IoT Edge security daemon follows two core principles: maximize operational integrity, and minimize bloat and churn.
45
45
46
46
#### Maximize operational integrity
47
47
48
-
IoT Edge security daemon operates with the highest integrity possible within the defense capability of any given root of trust hardware. With proper integration, the root of trust hardware measures and monitors the security daemon statically and at runtime to resist tampering.
48
+
The IoT Edge security daemon operates with the highest integrity possible within the defense capability of any given root of trust hardware. With proper integration, the root of trust hardware measures and monitors the security daemon statically and at runtime to resist tampering.
49
49
50
-
Physical access is always a threat to IoT devices. Hardware root of trust plays an important role in defending the integrity of the IoT Edge security daemon. Hardware root of trust come in two flavors:
50
+
Physical access is always a threat to IoT devices. Hardware root of trust plays an important role in defending the integrity of the IoT Edge security daemon. Hardware root of trust come in two varieties:
51
51
52
52
* secure elements for the protection of sensitive information like secrets and cryptographic keys.
53
53
* secure enclaves for the protection of secrets like keys, and sensitive workloads like metering and billing.
54
54
55
-
Two kinds of execution environments exist to utilize hardware root of trust:
55
+
Two kinds of execution environments exist to use hardware root of trust:
56
56
57
-
* The standard or rich execution environment (REE) that rely on the use of secure elements to protect sensitive information.
58
-
* The trusted execution environment (TEE) that rely on the use of secure enclave technology to protect sensitive information and offer protection to software execution.
57
+
* The standard or rich execution environment (REE) that relies on the use of secure elements to protect sensitive information.
58
+
* The trusted execution environment (TEE) that relies on the use of secure enclave technology to protect sensitive information and offer protection to software execution.
59
59
60
-
For devices using secure enclaves as hardware root of trust, sensitive logic within IoT Edge security daemon is expected to reside within the enclave. Non-sensitive portions of the security daemon can reside outside of the TEE. In any case, it is expected of original design manufacturers (ODM) and original equipment manufacturers (OEM) to extend trust from their HSM to measure and defend the integrity of the IoT Edge security daemon at boot and runtime.
60
+
For devices using secure enclaves as hardware root of trust, sensitive logic within IoT Edge security daemon should be inside the enclave. Non-sensitive portions of the security daemon can be outside of the TEE. In any case, original design manufacturers (ODM) and original equipment manufacturers (OEM) should extend trust from their HSM to measure and defend the integrity of the IoT Edge security daemon at boot and runtime.
61
61
62
62
#### Minimize bloat and churn
63
63
64
-
Another core principle for the IoT Edge security daemon is to minimize churn. For the highest level of trust, the IoT Edge security daemon can tightly couple with the device hardware root of trust and operate as native code. It is common for these types of realizations to update the daemon software through the hardware root of trust's secure update paths (as opposed to OS provided update mechanisms), which can be challenging depending on specific hardware and deployment scenario. While security renewal is strong recommendation for IoT devices, it stands to reason that excessive update requirements or large update payloads can expand the threat surface in many ways. Examples include skipping of updates to maximize operational availability or root of trust hardware too constrained to process large update payloads. As such, the design of IoT Edge security daemon is concise to keep the footprint and hence the trusted computing base small and to minimize update requirements.
64
+
Another core principle for the IoT Edge security daemon is to minimize churn. For the highest level of trust, the IoT Edge security daemon can tightly couple with the device hardware root of trust and operate as native code. It's common for these types of realizations to update the daemon software through the hardware root of trust's secure update paths (as opposed to OS provided update mechanisms), which can be challenging in some scenarios. While security renewal is recommended for IoT devices, excessive update requirements or large update payloads can expand the threat surface in many ways. Examples include skipping of updates to maximize operational availability or root of trust hardware too constrained to process large update payloads. As such, the design of IoT Edge security daemon is concise to keep the footprint and trusted computing base small and to minimize update requirements.
The IoT Edge security daemon is architected to take advantage of any available hardware root of trust technology for security hardening. It also allows for split-world operation between a Standard/Rich Execution Environment (REE) and a Trusted Execution Environment (TEE) when hardware technologies offer trusted execution environments. Role-specific interfaces enable the interplay of major components of IoT Edge to assure the integrity of the IoT Edge device and its operations.
70
+
The IoT Edge security daemon takes advantage of any available hardware root of trust technology for security hardening. It also allows for split-world operation between a standard/rich execution environment (REE) and a trusted execution environment (TEE) when hardware technologies offer trusted execution environments. Role-specific interfaces enable the major components of IoT Edge to assure the integrity of the IoT Edge device and its operations.
71
71
72
72
#### Cloud interface
73
73
74
-
The cloud interface allows IoT Edge security daemon to access cloud services such as cloud compliments to device security like security renewal. For example, IoT Edge security daemon currently uses this interface to access the Azure IoT Hub [Device Provisioning Service (DPS)](https://docs.microsoft.com/azure/iot-dps/) for device identity lifecycle management.
74
+
The cloud interface allows the IoT Edge security daemon to access cloud services such as cloud compliments to device security like security renewal. For example, the IoT Edge security daemon currently uses this interface to access the Azure IoT Hub [Device Provisioning Service](https://docs.microsoft.com/azure/iot-dps/) for device identity lifecycle management.
75
75
76
76
#### Management API
77
77
78
-
IoT Edge security daemon offers a management API, which is called by the IoT Edge agent when creating/starting/stopping/removing an edge module. The IoT Edge security daemon stores “registrations” for all active modules. These registrations map a module’s identity to some properties of the module. A few examples for these properties are the process identifier (pid) of the process running in the container or the hash of the docker container’s contents.
78
+
IoT Edge security daemon offers a management API, which is called by the IoT Edge agent when creating/starting/stopping/removing an IoT Edge module. The security daemon stores “registrations” for all active modules. These registrations map a module’s identity to some properties of the module. A few examples for these properties are the process identifier (pid) of the process running in the container or the hash of the docker container’s contents.
79
79
80
-
These properties are used by the workload API (described below) to attest that the caller is authorized to perform an action.
80
+
These properties are used by the workload API (described below) to verify that the caller is authorized to perform an action.
81
81
82
-
The Management API is a privileged API, callable only from the IoT Edge agent. Since the IoT Edge security daemon bootstraps and starts the IoT Edge agent, it can create an implicit registration for the IoT Edge agent, after it has attested that the IoT Edge agent has not been tampered with. The same attestation process that the workload API uses is used to restrict access to the management API to only the IoT Edge agent.
82
+
The management API is a privileged API, callable only from the IoT Edge agent. Since the IoT Edge security daemon bootstraps and starts the IoT Edge agent, it can create an implicit registration for the IoT Edge agent, after it has attested that the IoT Edge agent has not been tampered with. The same attestation process that the workload API uses also restricts access to the management API to only the IoT Edge agent.
83
83
84
84
#### Container API
85
85
86
-
IoT Edge security daemon offers the container interface to interact with the container system in use like Moby and Docker for module instantiation.
86
+
The container API interacts with the container system in use for module management, like Moby or Docker.
87
87
88
88
#### Workload API
89
89
90
-
The workload API is an IoT Edge security daemon API accessible to all modules, including IoT Edge agent. It provides proof of identity, either an HSM rooted signed token or X509 certificate, and corresponding trust bundle to a module. The trust bundle contains CA certificates for all the other servers that the modules should trust.
90
+
The workload API is accessible to all modules. It provides proof of identity, either as an HSM rooted signed token or an X509 certificate, and the corresponding trust bundle to a module. The trust bundle contains CA certificates for all the other servers that the modules should trust.
91
91
92
-
IoT Edge security daemon uses an attestation process to guard this API. When a module calls this API, IoT Edge security daemon attempts to find a registration for the identity. If successful, it uses the properties of the registration to measure the module. If the result of the measurement process matches the registration, a new HSM rooted signed token or X509 certificate is generated. The corresponding CA certificates (trust bundle) are returned to the module. The module uses this certificate to connect to IoT Hub, other modules, or start a server. When the signed token or certificate nears expiration, it is the responsibility of the module to request a new certificate.
92
+
The IoT Edge security daemon uses an attestation process to guard this API. When a module calls this API, the security daemon attempts to find a registration for the identity. If successful, it uses the properties of the registration to measure the module. If the result of the measurement process matches the registration, a new proof of identity is generated. The corresponding CA certificates (trust bundle) are returned to the module. The module uses this certificate to connect to IoT Hub, other modules, or start a server. When the signed token or certificate nears expiration, it's the responsibility of the module to request a new certificate.
93
93
94
94
### Integration and maintenance
95
95
96
96
Microsoft maintains the main code base for the [IoT Edge security daemon on GitHub](https://github.com/Azure/iotedge/tree/master/edgelet).
97
97
98
98
#### Installation and updates
99
99
100
-
Installation and updates of the IoT Edge security daemon are managed through the operating system's package management system. IoT Edge devices with hardware root of trust should provide additional hardening to the integrity of the daemon by managing its lifecycle through the secure boot and updates management systems. It is left to devices makers to explore these avenues in accordance with their respective device capabilities.
100
+
Installation and updates of the IoT Edge security daemon are managed through the operating system's package management system. IoT Edge devices with hardware root of trust should provide additional hardening to the integrity of the daemon by managing its lifecycle through the secure boot and updates management systems. Device makers should explore these avenues based on their respective device capabilities.
101
101
102
102
#### Versioning
103
103
104
104
The IoT Edge runtime tracks and reports the version of the IoT Edge security daemon. The version is reported as the *runtime.platform.version* attribute of the IoT Edge agent module reported property.
The HSM PAL abstracts all root of trust hardware to isolate the developer or user of IoT Edge from their complexities. It comprises a combination of Application Programming Interface (API) and transdomain communications procedures, for example communication between a standard execution environment and a secure enclave. The actual implementation of the HSM PAL depends on the specific secure hardware in use. Its existence enables the use of virtually any secure silicon hardware.
108
+
The HSM PAL abstracts all root of trust hardware to isolate the developer or user of IoT Edge from their complexities. It includes a combination of application programming interface (API) and trans-domain communication procedures, for example communication between a standard execution environment and a secure enclave. The actual implementation of the HSM PAL depends on the specific secure hardware in use. Its existence enables the use of virtually any secure silicon hardware.
109
109
110
110
## Secure silicon root of trust hardware
111
111
112
-
Secure silicon is necessary to anchor trust inside the IoT Edge device hardware. Secure silicon come in variety to include Trusted Platform Module (TPM), embedded Secure Element (eSE), ARM TrustZone, Intel SGX, and custom secure silicon technologies. The use of secure silicon root of trust in devices is highly recommended given the threats associated with physically accessibility of IoT devices.
112
+
Secure silicon is necessary to anchor trust inside the IoT Edge device hardware. Secure silicon come in variety to include Trusted Platform Module (TPM), embedded Secure Element (eSE), ARM TrustZone, Intel SGX, and custom secure silicon technologies. The use of secure silicon root of trust in devices is recommended given the threats associated with physical accessibility of IoT devices.
113
113
114
114
## IoT Edge security manager integration and maintenance
0 commit comments