Security practices for Azure IoT device manufacturers

As more manufacturers release IoT devices, it's helpful to identify guidance around common practices. This article summarizes recommended security practices to consider when you manufacture devices for use with Azure IoT Device Provisioning Service (DPS).

  • Selecting device authentication options
  • Installing certificates on IoT devices
  • Integrating a Trusted Platform Module (TPM) into the manufacturing process

Selecting device authentication options

The ultimate aim of any IoT device security measure is to create a secure IoT solution. But issues such as hardware limitations, cost, and level of security expertise all impact which options you choose. Further, your approach to security impacts how your IoT devices connect to the cloud. While there are several elements of IoT security to consider, a key element that every customer encounters is what authentication type to use.

Three widely used authentication types are X.509 certificates, Trusted Platform Modules (TPM), and symmetric keys. While other authentication types exist, most customers who build solutions on Azure IoT use one of these three types. The rest of this article surveys the pros and cons of using each authentication type.

X.509 certificate

X.509 certificates are a type of digital identity you can use for authentication. The X.509 certificate standard is documented in IETF RFC 5280. In Azure IoT, there are two ways to authenticate certificates:

  • Thumbprint. A thumbprint algorithm is run on a certificate to generate a hexadecimal string. The generated string is a unique identifier for the certificate.
  • CA authentication based on a full chain. A certificate chain is a hierarchical list of all certificates needed to authenticate an end-entity (EE) certificate. To authenticate an EE certificate, it's necessary to authenticate each certificate in the chain, including a trusted root CA.

Pros for X.509:

  • X.509 is the most secure authentication type supported in Azure IoT.
  • X.509 allows a high level of control for purposes of certificate management.
  • Many vendors are available to provide X.509-based authentication solutions.

Cons for X.509:

  • Many customers may need to rely on external vendors for their certificates.
  • Certificate management can be costly and adds to total solution cost.
  • Certificate life-cycle management can be difficult if logistics are not well thought out.

Trusted Platform Module (TPM)

TPM, also known as ISO/IEC 11889, is a standard for securely generating and storing cryptographic keys. TPM also refers to a virtual or physical I/O device that interacts with modules that implement the standard. A TPM device can exist as discrete hardware, integrated hardware, a firmware-based module, or a software-based module.

There are two key differences between TPMs and symmetric keys:

  • TPM chips can also store X.509 certificates.
  • TPM attestation in DPS uses the TPM endorsement key (EK), a form of asymmetric authentication. With asymmetric authentication, a public key is used for encryption, and a separate private key is used for decryption. In contrast, symmetric keys use symmetric authentication, where the private key is used for both encryption and decryption.

Pros for TPM:

  • TPMs are included as standard hardware on many Windows devices, with built-in support for the operating system.
  • TPM attestation is easier to secure than shared access signature (SAS) token-based symmetric key attestation.
  • You can easily expire and renew, or roll, device credentials. DPS automatically rolls the IoT Hub credentials whenever a TPM device is due for reprovisioning.

Cons for TPM:

  • TPMs are complex and can be difficult to use.
  • Application development with TPMs is difficult unless you have a physical TPM or a quality emulator.
  • You may have to redesign the board of your device to include a TPM in the hardware.
  • If you roll the EK on a TPM, it destroys the identity of the TPM and creates a new one. Although the physical chip stays the same, it has a new identity in your IoT solution.

Symmetric key

With symmetric keys, the same key is used to encrypt and decrypt messages. As a result, the same key is known to both the device and the service that authenticates it. Azure IoT supports SAS token-based symmetric key connections. Symmetric key authentication requires significant owner responsibility to secure the keys and achieve a level of security equal to X.509 authentication. If you use symmetric keys, the recommended practice is to protect the keys by using a hardware security module (HSM).

Pros for symmetric key:

  • Using symmetric keys is the simplest, lowest-cost way to get started with authentication.
  • Using symmetric keys streamlines your process because there's nothing extra to generate.

Cons for symmetric key:

  • Symmetric keys take a significant degree of effort to secure. The same key is shared between device and cloud, which means the key must be protected in two places. In contrast, the challenge with TPM and X.509 certificates is proving possession of the public key without revealing the private key.
  • Symmetric keys make it easy to follow poor security practices. A common tendency with symmetric keys is to hard-code the unencrypted keys on devices. While this practice is convenient, it leaves the keys vulnerable. You can mitigate some risk by securely storing the symmetric key on the device. However, if your priority is ultimately security rather than convenience, use X.509 certificates or TPM for authentication.
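The "same key in two places" property above, as an added example that is not Azure SDK code: a device-side SAS token signer and a service-side verifier that only work when both hold the identical key. The token layout follows the Azure IoT SAS format (sr, sig and se fields; HMAC-SHA256 over the URL-encoded resource URI and the expiry, keyed with the base64-decoded key). The hub name, device ID, key bytes and expiry are constructed values for the demo.

```go
// Added example, not Azure SDK code: an Azure IoT style SAS token is signed by
// the device and verified by the service with one shared symmetric key, which
// is exactly why that key must be protected on both ends.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// sign computes HMAC-SHA256, keyed with the base64-decoded device key, over
// "<url-encoded resource URI>\n<expiry>", and returns it base64-encoded.
func sign(b64Key, resourceURI string, expiry int64) (string, error) {
	key, err := base64.StdEncoding.DecodeString(b64Key)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(url.QueryEscape(resourceURI) + "\n" + strconv.FormatInt(expiry, 10)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// BuildToken is the device side: the string a device presents as its password.
func BuildToken(b64Key, resourceURI string, expiry int64) (string, error) {
	sig, err := sign(b64Key, resourceURI, expiry)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SharedAccessSignature sr=%s&sig=%s&se=%d",
		url.QueryEscape(resourceURI), url.QueryEscape(sig), expiry), nil
}

// VerifyToken is the service side: it needs the very same key to recompute the
// signature, compares in constant time, and rejects expired tokens. It returns
// the resource URI the token was issued for.
func VerifyToken(token, b64Key string, now time.Time) (string, error) {
	const prefix = "SharedAccessSignature "
	if !strings.HasPrefix(token, prefix) {
		return "", fmt.Errorf("not a SAS token")
	}
	fields, err := url.ParseQuery(strings.TrimPrefix(token, prefix))
	if err != nil {
		return "", err
	}
	expiry, err := strconv.ParseInt(fields.Get("se"), 10, 64)
	if err != nil {
		return "", fmt.Errorf("bad or missing expiry")
	}
	if !now.Before(time.Unix(expiry, 0)) {
		return "", fmt.Errorf("token expired")
	}
	// ParseQuery already URL-decoded sr and sig; sign re-encodes sr exactly
	// as the device did, so a tampered sr or se changes the expected MAC.
	want, err := sign(b64Key, fields.Get("sr"), expiry)
	if err != nil {
		return "", err
	}
	if subtle.ConstantTimeCompare([]byte(fields.Get("sig")), []byte(want)) != 1 {
		return "", fmt.Errorf("signature mismatch")
	}
	return fields.Get("sr"), nil
}

func main() {
	// Constructed values; a real device key is the one held in the enrollment.
	key := base64.StdEncoding.EncodeToString([]byte("constructed example device key, not a real one"))
	resource := "example-hub.azure-devices.net/devices/device-0001"
	token, err := BuildToken(key, resource, time.Now().Add(time.Hour).Unix())
	if err != nil {
		panic(err)
	}
	fmt.Println(token)
	_, err = VerifyToken(token, key, time.Now())
	fmt.Println("same key on the service side:", err)
	wrongKey := base64.StdEncoding.EncodeToString([]byte("a different key"))
	_, err = VerifyToken(token, wrongKey, time.Now())
	fmt.Println("different key on the service side:", err)
	_, err = VerifyToken(token, key, time.Now().Add(2*time.Hour))
	fmt.Println("after expiry:", err)
}
```

Because VerifyToken cannot work without the same key bytes the device used, anyone who reads that key from a device (for example from unencrypted firmware) can produce tokens the service accepts, which is the risk the cons above describe; the short expiry limits how long any single token stays usable, not how long a leaked key does.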

Shared symmetric key

There's a variation of symmetric key authentication known as shared symmetric key. This approach involves using the same symmetric key in all devices. The recommendation is to avoid using shared symmetric keys on your devices.

Pro for shared symmetric key:

  • Simple to implement and inexpensive to produce at scale.

Cons for shared symmetric key:

  • Highly vulnerable to attack. The benefit of easy implementation is far outweighed by the risk.
  • Anyone can impersonate your devices if they obtain the shared key.
  • If you rely on a shared symmetric key that becomes compromised, you will likely lose control of the devices.

Making the right choice for your devices

To choose an authentication method, make sure you consider the benefits and costs of each approach for your unique manufacturing process. For device authentication, there's usually an inverse relationship between how secure a given approach is and how convenient it is.

Installing certificates on IoT devices

If you use X.509 certificates to authenticate your IoT devices, this section offers guidance on how to integrate certificates into your manufacturing process. You'll need to make several decisions. These include decisions about common certificate variables, when to generate certificates, and when to install them.

If you're used to using passwords, you might ask why you can't use the same certificate in all your devices, in the same way that you'd be able to use the same password in all your devices. First, using the same password everywhere is dangerous. The practice has exposed companies to major DDoS attacks, including the one that took down DNS on the US East Coast several years ago. Never use the same password everywhere, even with personal accounts. Second, a certificate isn't a password; it's a unique identity. A password is like a secret code that anyone can use to open a door at a secured building. It's something you know, and you could give the password to anyone to gain entrance. A certificate is like a driver's license with your photo and other details, which you can show to a guard to get into a secured building. It's tied to who you are. Provided that the guard accurately matches people with driver's licenses, only you can use your license (identity) to gain entrance.

Variables involved in certificate decisions

Consider the following variables, and how each one impacts the overall manufacturing process.

Where the certificate root of trust comes from

It can be costly and complex to manage a public key infrastructure (PKI), especially if your company doesn't have any experience managing one. Your options are:

  • Use a third-party PKI. You can buy intermediate signing certificates from a third-party certificate vendor. Or you can use a private Certificate Authority (CA).
  • Use a self-managed PKI. You can maintain your own PKI system and generate your own certificates.

Where certificates are stored

There are a few factors that impact the decision on where certificates are stored. These factors include the type of device, expected profit margins (whether you can afford secure storage), device capabilities, and existing security technology on the device that you may be able to use. Consider the following options:

  • In a hardware security module (HSM). Using an HSM is highly recommended. Check whether your device's control board already has an HSM installed. If you know you don't have an HSM, work with your hardware manufacturer to identify an HSM that meets your needs.
  • In a secure place on disk, such as a trusted execution environment (TEE).
  • In the local file system or a certificate store. For example, the Windows certificate store.

Connectivity at the factory

Connectivity at the factory determines how and when you'll get the certificates to install on the devices. Connectivity options are as follows:

  • Connectivity. Having connectivity is optimal because it streamlines the process of generating certificates locally.
  • No connectivity. In this case, you use a signed certificate from a CA to generate device certificates locally and offline.
  • No connectivity. In this case, you can obtain certificates that were generated ahead of time. Or you can use an offline PKI to generate certificates locally.

Audit requirement

Depending on the type of devices you produce, you might have a regulatory requirement to create an audit trail of how device identities are installed on your devices. Auditing adds significant production cost. So in most cases, only do it if necessary. If you're unsure whether an audit is required, check with your company's legal department. Auditing options are:

  • Not a sensitive industry. No auditing is required.
  • Sensitive industry. Certificates should be installed in a secure room according to compliance certification requirements. If you need a secure room to install certificates, you are likely already aware of how certificates get installed in your devices. And you probably already have an audit system in place.

Length of certificate validity

Like a driver's license, certificates have an expiration date that is set when they are created. Here are the options for length of certificate validity:

  • Renewal not required. This approach uses a long renewal period, so you'll never need to renew the certificate during the device's lifetime. While such an approach is convenient, it's also risky. You can reduce the risk by using secure storage like an HSM on your devices. However, the recommended practice is to avoid using long-lived certificates.
  • Renewal required. You'll need to renew the certificate during the lifetime of the device. The length of the certificate validity depends on context, and you'll need a strategy for renewal. The strategy should include where you're getting certificates, and what type of over-the-air functionality your devices have to use in the renewal process.

When to generate certificates

The internet connectivity capabilities at your factory will impact your process for generating certificates. You have several options for when to generate certificates:

  • Pre-loaded certificates. Some HSM vendors offer a premium service in which the HSM vendor installs certificates for the customer. First, customers give the HSM vendor access to a signing certificate. Then the HSM vendor installs certificates signed by that signing certificate onto each HSM the customer buys. All the customer has to do is install the HSM on the device. While this service adds cost, it helps to streamline your manufacturing process. And it resolves the question of when to install certificates.
  • Device-generated certificates. If your devices generate certificates internally, then you must extract the public X.509 certificate from the device to enroll it in DPS.
  • Connected factory. If your factory has connectivity, you can generate device certificates whenever you need them.
  • Offline factory with your own PKI. If your factory does not have connectivity, and you are using your own PKI with offline support, you can generate the certificates when you need them.
  • Offline factory with third-party PKI. If your factory does not have connectivity, and you are using a third-party PKI, you must generate the certificates ahead of time. And it will be necessary to generate the certificates from a location that has connectivity.

When to install certificates

After you generate certificates for your IoT devices, you can install them in the devices.

If you use pre-loaded certificates with an HSM, the process is simplified. After the HSM is installed in the device, the device code can access it. Then you'll call the HSM APIs to access the certificate that's stored in the HSM. This approach is the most convenient for your manufacturing process.

If you don't use a pre-loaded certificate, you must install the certificate as part of your production process. The simplest approach is to install the certificate in the HSM at the same time that you flash the initial firmware image. Your process must add a step to install the image on each device. After this step, you can run final quality checks and any other steps, before you package and ship the device.

There are software tools available that let you run the installation process and final quality check in a single step. You can modify these tools to generate a certificate, or to pull a certificate from a pre-generated certificate store. Then the software can install the certificate where you need to install it. Software tools of this type enable you to run production-quality manufacturing at scale.

After you have certificates installed on your devices, the next step is to learn how to enroll the devices with DPS.

Integrating a TPM into the manufacturing process

If you use a TPM to authenticate your IoT devices, this section offers guidance. The guidance covers the widely used TPM 2.0 devices that have hash-based message authentication code (HMAC) key support. The TPM specification for TPM chips is an ISO standard that's maintained by the Trusted Computing Group. For more on TPM, see the specifications for TPM 2.0 and ISO/IEC 11889.

Taking ownership of the TPM

A critical step in manufacturing a device with a TPM chip is to take ownership of the TPM. This step is required so that you can provide a key to the device owner. The first step is to extract the endorsement key (EK) from the device. The next step is to actually claim ownership. How you accomplish this depends on which TPM and operating system you use. If needed, contact the TPM manufacturer or the developer of the device operating system to determine how to claim ownership.

In your manufacturing process, you can extract the EK and claim ownership at different times, which adds flexibility. Many manufacturers take advantage of this flexibility by adding a hardware security module (HSM) to enhance the security of their devices. This section provides guidance on when to extract the EK, when to claim ownership of the TPM, and considerations for integrating these steps into a manufacturing timeline.

Important

The following guidance assumes you use a discrete, firmware, or integrated TPM. In places where it's applicable, the guidance adds notes on using a non-discrete or software TPM. If you use a software TPM, there may be additional steps that this guidance doesn't include. Software TPMs have a variety of implementations that are beyond the scope of this article. In general, it's possible to integrate a software TPM into the following general manufacturing timeline. However, while a software-emulated TPM is suitable for prototyping and testing, it can't provide the same level of security as a discrete, firmware, or integrated TPM. As a general practice, avoid using a software TPM in production.

General manufacturing timeline

The following timeline shows how a TPM goes through a production process and ends up in a device. Each manufacturing process is unique, and this timeline shows the most common patterns. The timeline offers guidance on when to take certain actions with the keys.

Step 1: TPM is manufactured

  • If you buy TPMs from a manufacturer for use in your devices, see if they'll extract public endorsement keys (EK_pubs) for you. It's helpful if the manufacturer provides the list of EK_pubs with the shipped devices.

    Note

    You could give the TPM manufacturer write access to your enrollment list by using shared access policies in your provisioning service. This approach lets them add the TPMs to your enrollment list for you. But that is early in the manufacturing process, and it requires trust in the TPM manufacturer. Do so at your own risk.

  • If you manufacture TPMs to sell to device manufacturers, consider giving your customers a list of EK_pubs along with their physical TPMs. Providing customers with EK_pubs saves a step in their process.

  • If you manufacture TPMs to use with your own devices, identify which point in your process is the most convenient to extract the EK_pub. You can extract the EK_pub at any of the remaining points in the timeline.

Step 2: TPM is installed into a device

At this point in the production process, you should know which DPS instance the device will be used with. As a result, you can add devices to the enrollment list for automated provisioning. For more information about automatic device provisioning, see the DPS documentation.

  • If you haven't extracted the EK_pub, now is a good time to do so.
  • Depending on the installation process of the TPM, this step is also a good time to take ownership of the TPM.

Step 3: Device has firmware and software installed

At this point in the process, install the DPS client along with the ID scope and global URL for provisioning.

  • Now is the last chance to extract the EK_pub. If a third party will install the software on your device, it's a good idea to extract the EK_pub first.
  • This point in the manufacturing process is ideal to take ownership of the TPM.

    Note

    If you're using a software TPM, you can install it now. Extract the EK_pub at the same time.

Step 4: Device is packaged and sent to the warehouse

A device can sit in a warehouse for 6-12 months before being deployed.

Step 5: Device is installed into the location

After the device arrives at its final location, it goes through automated provisioning with DPS.

For more information, see Autoprovisioning concepts and TPM attestation.

Resources

In addition to the recommended security practices in this article, Azure IoT provides resources to help with selecting secure hardware and creating secure IoT deployments: