Quickstart: Create and provision a simulated TPM device using Python device SDK for IoT Hub Device Provisioning Service

Article
03/31/2023

In this quickstart, you create a simulated IoT device on a Windows computer. The simulated device includes a TPM simulator as a Hardware Security Module (HSM). You use device sample Python code to connect this simulated device with your IoT hub using an individual enrollment with the Device Provisioning Service (DPS).

Prerequisites

Familiar with provisioning concepts.
Completion of Set up IoT Hub Device Provisioning Service with the Azure portal.
An Azure account with an active subscription. Trial Subscription.
Visual Studio 2015+ with Desktop development with C++.
CMake build system.
Git.

Important

This article only applies to the deprecated V1 Python SDK. Device and service clients for the Iot Hub Device Provisioning Service are not yet available in V2. The team is currently hard at work to bring V2 to feature parity.

Note

The initial device twin state configuration is available only in the standard tier of IoT Hub. For more information about the basic and standard IoT Hub tiers, see How to choose the right IoT Hub tier.

Prepare the environment

Make sure you have installed either Visual Studio 2015 or later, with the 'Desktop development with C++' workload enabled for your Visual Studio installation.
Download and install the CMake build system.
Make sure git is installed on your machine and is added to the environment variables accessible to the command window. See Software Freedom Conservancy's Git client tools for the latest version of git tools to install, which includes the Git Bash, the command-line app that you can use to interact with your local Git repository.

Open a command prompt or Git Bash. Clone the GitHub repo for device simulation code sample:

git clone --single-branch --branch v1-deprecated https://github.com/Azure/azure-iot-sdk-python.git --recursive

Create a folder in your local copy of this GitHub repo for CMake build process.
```
cd azure-iot-sdk-python/c
mkdir cmake
cd cmake
```
The code sample uses a Windows TPM simulator. Run the following command to enable the SAS token authentication. It also generates a Visual Studio solution for the simulated device.
```
cmake -Duse_prov_client:BOOL=ON -Duse_tpm_simulator:BOOL=ON ..
```
In a separate command prompt, navigate to the TPM simulator folder and run the TPM simulator to be the HSM for the simulated device. Click Allow Access. It listens over a socket on ports 2321 and 2322. Do not close this command window; you will need to keep this simulator running until the end of this quickstart guide.
```
.\azure-iot-sdk-python\c\provisioning_client\deps\utpm\tools\tpm_simulator\Simulator.exe
```

Create a device enrollment entry

The Azure IoT Device Provisioning Service supports two types of enrollments:

Enrollment groups: Used to enroll multiple related devices.
Individual enrollments: Used to enroll a single device.

This article demonstrates individual enrollments.

Open the solution generated in the cmake folder named azure_iot_sdks.sln, and build it in Visual Studio.
Right-click the tpm_device_provision project and select Set as Startup Project. Run the solution. The output window displays the Endorsement key and the Registration ID needed for device enrollment. Note down these values.
Sign in to the Azure portal, select the All resources button on the left-hand menu and open your Device Provisioning service.
From the Device Provisioning Service menu, select Manage enrollments. Select Individual Enrollments tab and select the Add individual enrollment button at the top.
In the Add Enrollment panel, enter the following information:
- Select TPM as the identity attestation Mechanism.
- Enter the Registration ID and Endorsement key for your TPM device from the values you noted previously.
- Select an IoT hub linked with your provisioning service.
- Optionally, you may provide the following information:
  - Enter a unique Device ID. Make sure to avoid sensitive data while naming your device. If you choose not to provide one, the registration ID will be used to identify the device instead.
  - Update the Initial device twin state with the desired initial configuration for the device.
- Once complete, press the Save button.
On successful enrollment, the Registration ID of your device will appear in the list under the Individual Enrollments tab.

Simulate the device

Download and install Python 2.x or 3.x. Make sure to use the 32-bit or 64-bit installation as required by your setup. When prompted during the installation, make sure to add Python to your platform-specific environment variables.
- If you are using Windows OS, then Visual C++ redistributable package to allow the use of native DLLs from Python.
Follow these instructions to build the Python packages.

Note

If running the build_client.cmd make sure to use the --use-tpm-simulator flag.

Note

If using pip make sure to also install the azure-iot-provisioning-device-client package. Note that the released PIP packages are using the real TPM, not the simulator. To use the simulator you need to compile from the source using the --use-tpm-simulator flag.

Navigate to the samples folder.

cd azure-iot-sdk-python/provisioning_device_client/samples

Using your Python IDE, edit the python script named provisioning_device_client_sample.py. Modify the GLOBAL_PROV_URI and ID_SCOPE variables to the values noted previously. Also make sure SECURITY_DEVICE_TYPE is set to ProvisioningSecurityDeviceType.TPM
```
GLOBAL_PROV_URI = "{globalServiceEndpoint}"
ID_SCOPE = "{idScope}"
SECURITY_DEVICE_TYPE = ProvisioningSecurityDeviceType.TPM
PROTOCOL = ProvisioningTransportProvider.HTTP
```

Run the sample.

python provisioning_device_client_sample.py

Notice the messages that simulate the device booting and connecting to the Device Provisioning Service to get your IoT hub information.
On successful provisioning of your simulated device to the IoT hub linked with your provisioning service, the device ID appears on the hub's IoT devices blade.

If you changed the initial device twin state from the default value in the enrollment entry for your device, it can pull the desired twin state from the hub and act accordingly. For more information, see Understand and use device twins in IoT Hub

Clean up resources

If you plan to continue working on and exploring the device client sample, do not clean up the resources created in this quickstart. If you do not plan to continue, use the following steps to delete all resources created by this quickstart.

Close the device client sample output window on your machine.
Close the TPM simulator window on your machine.
From the left-hand menu in the Azure portal, select All resources and then select your Device Provisioning service. Open the Manage Enrollments blade for your service, and then select the Individual Enrollments tab. Select the check box next to the REGISTRATION ID of the device you enrolled in this quickstart, and press the Delete button at the top of the pane.
From the left-hand menu in the Azure portal, select All resources and then select your IoT hub. Open the IoT devices blade for your hub, select the check box next to the DEVICE ID of the device you registered in this quickstart, and then press the Delete button at the top of the pane.

Next steps

In this quickstart, you’ve created a TPM simulated device on your machine and provisioned it to your IoT hub using the IoT Hub Device Provisioning Service. To learn how to enroll your TPM device programmatically, continue to the quickstart for programmatic enrollment of a TPM device.

Azure quickstart - Enroll TPM device to Azure IoT Hub Device Provisioning Service