Create and provision an IoT Edge device with a virtual TPM on a Linux virtual machine

Azure IoT Edge devices can be automatically provisioned using the Device Provisioning Service (DPS). If you're unfamiliar with the process of autoprovisioning, review the autoprovisioning concepts before continuing.

This article shows you how to test autoprovisioning on a simulated IoT Edge device with the following steps:

  • Create a Linux virtual machine (VM) in Hyper-V with a virtual Trusted Platform Module (TPM) for hardware security.
  • Create an instance of IoT Hub Device Provisioning Service (DPS).
  • Create an individual enrollment for the device.
  • Install the IoT Edge runtime and connect the device to IoT Hub.

The steps in this article are meant for testing purposes only. A Hyper-V virtual TPM is emulated and protected by the host rather than by a discrete hardware chip, so the endorsement key it presents is only as trustworthy as that host; use it to exercise the provisioning flow, not as a production root of trust.

Prerequisites

  • A Windows development machine with Hyper-V enabled. This article uses Windows 10 running an Ubuntu Server VM.
  • An active IoT hub.

Create a Linux virtual machine with a virtual TPM

In this section, you create a new Linux virtual machine on Hyper-V. You then configure this virtual machine with a virtual TPM so that you can use it to test how automatic provisioning works with IoT Edge.

Create a virtual switch

A virtual switch enables your virtual machine to connect to a physical network.

  1. Open Hyper-V Manager on your Windows machine.

  2. In the Actions menu, select Virtual Switch Manager.

  3. Choose an External virtual switch, then select Create Virtual Switch.

  4. Give your new virtual switch a name, for example EdgeSwitch. Make sure that the connection type is set to External network, then select OK.

  5. A pop-up warns you that network connectivity may be disrupted. Select Yes to continue.

If you see errors while creating the new virtual switch, ensure that no other switch is using the Ethernet adapter and that no other switch uses the same name.

Create virtual machine

  1. Download a disk image file to use for your virtual machine and save it locally, for example Ubuntu Server.

  2. In Hyper-V Manager again, select New > Virtual Machine in the Actions menu.

  3. Complete the New Virtual Machine Wizard with the following specific configurations:

    1. Specify Generation: Select Generation 2. Hyper-V offers a virtual TPM only on Generation 2 virtual machines, and you enable that virtual TPM later in this article.
    2. Configure Networking: Set the value of Connection to the virtual switch that you created in the previous section.
    3. Installation Options: Select Install an operating system from a bootable image file and browse to the disk image file that you saved locally.
  4. Select Finish in the wizard to create the virtual machine.

It may take a few minutes to create the new VM.

Enable virtual TPM

Once your VM is created, open its settings to enable the virtual Trusted Platform Module (TPM) that lets you autoprovision the device.

  1. Select the virtual machine, then open its Settings.

  2. Navigate to Security.

  3. Uncheck Enable Secure Boot. The default Hyper-V Secure Boot template is Microsoft Windows, which does not trust the Ubuntu bootloader; for a test VM, disabling Secure Boot is acceptable (alternatively, switch the template to Microsoft UEFI Certificate Authority and leave Secure Boot enabled).

  4. Check Enable Trusted Platform Module.

  5. Click OK.

Start the virtual machine and collect TPM data

In the virtual machine, build a C SDK tool that you can use to retrieve the device's Registration ID and Endorsement Key.

  1. Start your virtual machine and connect to it.

  2. Follow the prompts within the virtual machine to finish the installation process and reboot the machine.

  3. Sign in to your VM, then follow the steps in Set up a Linux development environment to install and build the Azure IoT device SDK for C.

    Tip

    In the course of this article, you'll copy to and paste from the virtual machine, which is not easy through the Hyper-V Manager connection application. You may want to connect to the virtual machine through Hyper-V Manager once to retrieve its IP address with ifconfig (or ip addr on Ubuntu Server images that don't ship ifconfig). Then, you can use the IP address to connect through SSH: ssh <username>@<ipaddress>.

  4. Run the following commands to build a C SDK tool that retrieves your device provisioning information.

    cd azure-iot-sdk-c/cmake
    # configure the SDK with the provisioning client enabled
    cmake -Duse_prov_client:BOOL=ON ..
    cd provisioning_client/tools/tpm_device_provision
    make
    # the tool opens the TPM device node, which normally requires root
    sudo ./tpm_device_provision
    

    Tip

    The extra parameter -Duse_tpm_simulator:BOOL=ON builds the tool against the SDK's software TPM simulator instead of a TPM device. The Hyper-V virtual TPM you enabled appears inside the VM as an ordinary TPM device (/dev/tpm0, which the udev rule later in this article refers to), so you don't need that parameter here. If you are testing with the TPM simulator instead, the full command is cmake -Duse_prov_client:BOOL=ON -Duse_tpm_simulator:BOOL=ON ..

  5. Copy the values for Registration ID and Endorsement Key. You use these values to create an individual enrollment for your device in DPS.

Set up the IoT Hub Device Provisioning Service

Create a new instance of the IoT Hub Device Provisioning Service in Azure, and link it to your IoT hub. You can follow the instructions in Set up the IoT Hub DPS.

After you have the Device Provisioning Service running, copy the value of ID Scope from the overview page. You use this value when you configure the IoT Edge runtime.

Create a DPS enrollment

Retrieve the provisioning information from your virtual machine, and use it to create an individual enrollment in Device Provisioning Service.

When you create an enrollment in DPS, you have the opportunity to declare an Initial Device Twin State. In the device twin, you can set tags to group devices by any metric you need in your solution, like region, environment, location, or device type. These tags are used to create automatic deployments.

  1. In the Azure portal, navigate to your instance of IoT Hub Device Provisioning Service.

  2. Under Settings, select Manage enrollments.

  3. Select Add individual enrollment, then complete the following steps to configure the enrollment:

    1. For Mechanism, select TPM.

    2. Provide the Endorsement key and Registration ID that you copied from your virtual machine.

    3. Select True to declare that this virtual machine is an IoT Edge device.

    4. Choose the linked IoT Hub that you want to connect your device to. You can choose multiple hubs, and the device will be assigned to one of them according to the selected allocation policy.

    5. Provide an ID for your device if you'd like. You can use device IDs to target an individual device for module deployment. If you don't provide a device ID, the registration ID is used.

    6. Add a tag value to the Initial Device Twin State if you'd like. You can use tags to target groups of devices for module deployment. For example:

      {
         "tags": {
            "environment": "test"
         },
         "properties": {
            "desired": {}
         }
      }
      
    7. Select Save.

Now that an enrollment exists for this device, the IoT Edge runtime can automatically provision the device during installation.

Install the IoT Edge runtime

The IoT Edge runtime is deployed on all IoT Edge devices. Its components run in containers and allow you to deploy additional containers to the device so that you can run code at the edge. Install the IoT Edge runtime on your virtual machine.

Know your DPS ID Scope and device Registration ID before beginning the installation article that matches your device type. If you installed the example Ubuntu Server image, use the x64 instructions. Make sure to configure the IoT Edge runtime for automatic, not manual, provisioning.

Install the Azure IoT Edge runtime on Linux
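A common way to end up with provisioning errors is to fill in the DPS section of the runtime configuration but leave the manual provisioning block uncommented, or to forget the TPM attestation method. The script below is an added example, not part of this article or of the IoT Edge project: it embeds a constructed sample of the provisioning section in the layout of the IoT Edge 1.0 config.yaml (normally at /etc/iotedge/config.yaml; the scope_id and registration_id values are placeholders) and a check that reports whether a file is set to DPS TPM provisioning, to manual provisioning, to both at once, or to neither. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the article or the IoT Edge project): checks that an
# IoT Edge 1.0 config.yaml is set for DPS TPM provisioning, not manual provisioning.
# The section layout is assumed from the IoT Edge 1.0 config.yaml template;
# the scope_id and registration_id values below are placeholders.
set -eu

# Constructed sample: manual block left commented out, DPS TPM block active.
sample_config() {
cat <<'EOF'
# Manual provisioning configuration
# provisioning:
#   source: "manual"
#   device_connection_string: "<ADD DEVICE CONNECTION STRING HERE>"

# DPS TPM provisioning configuration
provisioning:
  source: "dps"
  global_endpoint: "https://global.azure-devices-provisioning.net"
  scope_id: "0ne00000000"
  attestation:
    method: "tpm"
    registration_id: "my-edge-vm-tpm"
EOF
}

# Drop comment and blank lines so commented-out blocks are not counted.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Value of the first active  key: "value"  line for the given key.
yaml_value() {
    active_lines "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Prints one of: dps-tpm, manual, duplicate, unset.
# "duplicate" means more than one top-level provisioning: key is active,
# which is the classic leftover of an uncommented manual block.
provisioning_mode() {
    local file n src method
    file=$1
    n=$(active_lines "$file" | grep -c '^provisioning:' || true)
    if [ "$n" -gt 1 ]; then echo duplicate; return; fi
    if [ "$n" -eq 0 ]; then echo unset; return; fi
    src=$(yaml_value "$file" source)
    method=$(yaml_value "$file" method)
    if [ "$src" = dps ] && [ "$method" = tpm ]; then
        echo dps-tpm
    elif [ "$src" = manual ]; then
        echo manual
    else
        echo unset
    fi
}

# Usage on the VM: sh check_provisioning.sh /etc/iotedge/config.yaml
if [ -n "${1:-}" ]; then
    provisioning_mode "$1"
fi
```

Run it against the real config.yaml after editing; anything other than dps-tpm means the runtime will not use the TPM enrollment you created. The check is deliberately line-based rather than a YAML parser, so it only understands the flat, double-quoted layout of the 1.0 template.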

Give IoT Edge access to the TPM

In order for the IoT Edge runtime to automatically provision your device, it needs access to the TPM.

You can give the IoT Edge runtime access to the TPM by overriding its systemd settings so that the iotedge service runs with root privileges. If you don't want to elevate the service's privileges, which is preferable because the runtime then keeps running as its own unprivileged user, use the following steps to grant it access to the TPM device node only.

  1. Find the sysfs path of the TPM module on your device and save it as a local variable.

    # finds /sys/.../tpm0/dev and strips the trailing "/dev" to get the device path
    tpm=$(sudo find /sys -name dev -print | fgrep tpm | sed 's/.\{4\}$//')
    
  2. Create a new rule that will give the IoT Edge runtime access to tpm0.

    sudo touch /etc/udev/rules.d/tpmaccess.rules
    
  3. Open the rules file.

    sudo nano /etc/udev/rules.d/tpmaccess.rules
    
  4. Copy the following access information into the rules file.

    # allow iotedge access to tpm0
    KERNEL=="tpm0", SUBSYSTEM=="tpm", GROUP="iotedge", MODE="0660"
    
  5. Save and exit the file.

  6. Trigger the udev system to evaluate the new rule (triggering writes to sysfs, so it needs root).

    sudo /bin/udevadm trigger $tpm
    
  7. Verify that the rule was successfully applied.

    ls -l /dev/tpm0
    

    Successful output looks like the following:

    crw-rw---- 1 root iotedge 10, 224 Jul 20 16:27 /dev/tpm0
    

    The group is iotedge and the mode is 0660, so members of that group can use the TPM while other users cannot. If you don't see that the correct permissions have been applied, try rebooting your machine to refresh udev.

  8. Open the IoT Edge runtime overrides file.

    sudo systemctl edit iotedge.service
    
  9. Add the following code to establish a TPM environment variable.

    [Service]
    Environment=IOTEDGE_USE_TPM_DEVICE=ON
    
  10. Save and exit the file.

  11. Verify that the override was successful.

    sudo systemctl cat iotedge.service
    

    Successful output displays the iotedge default service unit, and then shows the environment variable that you set in override.conf.

  12. Reload the settings.

    sudo systemctl daemon-reload
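
The twelve steps above, rolled into one script that applies each change and then verifies it, so a rule that did not take effect is reported immediately instead of surfacing later as a provisioning error. This is an added example, not part of the article or of the IoT Edge project. It assumes IoT Edge 1.0 (service and group both named iotedge, TPM exposed as /dev/tpm0) and writes the drop-in file that `systemctl edit iotedge.service` would create, /etc/systemd/system/iotedge.service.d/override.conf. The function names are mine; the udev rule and environment variable are the ones from the steps above.

```shell
#!/bin/sh
# Added example (not from the article or the IoT Edge project): grants the
# iotedge group access to /dev/tpm0, enables IOTEDGE_USE_TPM_DEVICE for the
# iotedge service, and verifies both. Assumes IoT Edge 1.0 naming.
# Run on the VM as:  sh tpm_access.sh apply
set -eu

RULE_FILE=/etc/udev/rules.d/tpmaccess.rules
# `systemctl edit iotedge.service` stores its override in this drop-in file.
OVERRIDE_FILE=/etc/systemd/system/iotedge.service.d/override.conf

# The udev rule from the article: owner root, group iotedge, mode 0660.
tpm_udev_rule() {
    printf '%s\n' '# allow iotedge access to tpm0' \
        'KERNEL=="tpm0", SUBSYSTEM=="tpm", GROUP="iotedge", MODE="0660"'
}

# Takes the "owner group mode" triple printed by `stat -c '%U %G %a'` and
# succeeds only for root:iotedge 660. A world-accessible 666 and a
# root-only 600 are both rejected: the first is too open, the second
# means the rule never applied and the service cannot reach the TPM.
tpm_perms_ok() {
    [ "$1" = root ] && [ "$2" = iotedge ] && [ "$3" = 660 ]
}

# Succeeds when the drop-in sets the TPM variable inside a [Service] section.
# Comment lines are skipped, and the same line under another section
# (for example [Unit]) does not count because systemd would ignore it there.
override_enables_tpm() {
    local section line
    section=""
    while IFS= read -r line; do
        case "$line" in
            "#"*|"") ;;
            "["*"]") section=$line ;;
            *) [ "$section" = "[Service]" ] &&
               [ "$line" = "Environment=IOTEDGE_USE_TPM_DEVICE=ON" ] && return 0 ;;
        esac
    done < "$1"
    return 1
}

apply_tpm_access() {
    tpm_udev_rule | sudo tee "$RULE_FILE" > /dev/null
    sudo udevadm control --reload-rules
    sudo udevadm trigger --subsystem-match=tpm
    sudo udevadm settle
    # shellcheck disable=SC2046  # splitting the stat output into 3 words is intended
    if ! tpm_perms_ok $(stat -c '%U %G %a' /dev/tpm0); then
        echo "udev rule not applied to /dev/tpm0 yet; reboot and re-run" >&2
        return 1
    fi
    sudo mkdir -p "$(dirname "$OVERRIDE_FILE")"
    printf '[Service]\nEnvironment=IOTEDGE_USE_TPM_DEVICE=ON\n' | sudo tee "$OVERRIDE_FILE" > /dev/null
    sudo systemctl daemon-reload
    override_enables_tpm "$OVERRIDE_FILE" || { echo "override not in effect" >&2; return 1; }
    sudo systemctl restart iotedge
}

# Only touch the system when explicitly asked; otherwise the file just
# defines the functions so the checks can be reused elsewhere.
if [ "${1:-}" = apply ]; then
    apply_tpm_access
fi
```

The script keeps the service unprivileged: it never adds the iotedge user to a broader group or changes the unit's User=, it only makes the one device node group-accessible and tells the runtime to use it.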
    

Restart the IoT Edge runtime

Restart the IoT Edge runtime so that it picks up all the configuration changes that you made on the device.

sudo systemctl restart iotedge

Check to see that the IoT Edge runtime is running.

sudo systemctl status iotedge

If you see provisioning errors, it may be that the configuration changes haven't taken effect yet. Reload the unit files and restart the IoT Edge daemon again.

sudo systemctl daemon-reload
sudo systemctl restart iotedge

Or, try restarting your virtual machine to see if the changes take effect on a fresh start.

Verify successful installation

If the runtime started successfully, you can go into your IoT hub and see that your new device was automatically provisioned. Now your device is ready to run IoT Edge modules.

Check the status of the IoT Edge daemon.

systemctl status iotedge

Examine daemon logs.

journalctl -u iotedge --no-pager --no-full

List running modules.

iotedge list

You can verify that the individual enrollment that you created in Device Provisioning Service was used. Navigate to your Device Provisioning Service instance in the Azure portal. Open the enrollment details for the individual enrollment that you created. Notice that the status of the enrollment is assigned and the device ID is listed.

Next steps

The Device Provisioning Service enrollment process lets you set the device ID and device twin tags at the same time as you provision the new device. You can use those values to target individual devices or groups of devices using automatic device management. Learn how to Deploy and monitor IoT Edge modules at scale using the Azure portal or using Azure CLI.