Create and provision a simulated IoT Edge device with a virtual TPM on Windows

Azure IoT Edge devices can be auto-provisioned using the Device Provisioning Service just like devices that are not edge-enabled. If you're unfamiliar with the auto-provisioning process, review the auto-provisioning concepts before continuing.

DPS supports symmetric key attestation for IoT Edge devices in both individual enrollments and enrollment groups. For an enrollment group, if you set the "Is IoT Edge device" option to true in symmetric key attestation, all devices registered under that enrollment group are marked as IoT Edge devices.

This article shows you how to test auto-provisioning on a simulated IoT Edge device with the following steps:

  • Create an instance of IoT Hub Device Provisioning Service (DPS).
  • Create a simulated device on your Windows machine with a simulated Trusted Platform Module (TPM) for hardware security.
  • Create an individual enrollment for the device.
  • Install the IoT Edge runtime and connect the device to IoT Hub.

Tip

This article describes testing auto-provisioning by using TPM attestation on virtual devices, but much of it applies when using physical TPM hardware as well.

Prerequisites

  • A Windows development machine. This article uses Windows 10.
  • An active IoT Hub.

Note

TPM 2.0 is required when using TPM attestation with DPS, and TPM attestation can only be used to create individual enrollments, not enrollment groups.

Set up the IoT Hub Device Provisioning Service

Create a new instance of the IoT Hub Device Provisioning Service in Azure, and link it to your IoT hub. You can follow the instructions in Set up the IoT Hub DPS.

After you have the Device Provisioning Service running, copy the value of ID Scope from the overview page. You use this value when you configure the IoT Edge runtime.

Tip

If you're using a physical TPM device, you need to determine the endorsement key, which is unique to each TPM chip and is obtained from the manufacturer of that chip. You can derive a unique Registration ID for your TPM device by, for example, creating a SHA-256 hash of the endorsement key.
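As an added example (not code from the original article), the derivation the tip describes, in PowerShell: hash a base64-encoded endorsement key with SHA-256 and use the lowercase hex digest as the registration ID. The sample key at the bottom is a constructed placeholder, not a real TPM endorsement key.

```powershell
# Added example: derive a DPS Registration ID from a TPM endorsement key.
# A Registration ID is a case-insensitive string of letters, digits and the
# characters '-', '.', '_' and ':'; a lowercase hex SHA-256 digest (64 chars)
# satisfies that rule and is stable for a given TPM.
function Get-RegistrationIdFromEndorsementKey {
    param(
        # Base64-encoded endorsement key, as printed by the TPM simulator
        # or read from a physical TPM.
        [Parameter(Mandatory)][string]$EndorsementKeyBase64
    )
    $ekBytes = [Convert]::FromBase64String($EndorsementKeyBase64)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha256.ComputeHash($ekBytes)
    } finally {
        $sha256.Dispose()
    }
    # BitConverter renders "AB-CD-..."; strip the dashes and lowercase it.
    return ([BitConverter]::ToString($digest)).Replace('-', '').ToLowerInvariant()
}

# Constructed sample input (not a real endorsement key): 32 zero bytes, base64-encoded.
$sampleEk = [Convert]::ToBase64String((New-Object byte[] 32))
$registrationId = Get-RegistrationIdFromEndorsementKey -EndorsementKeyBase64 $sampleEk
$registrationId
```

Paste the real endorsement key in place of `$sampleEk` and use the printed value as the Registration ID when you create the individual enrollment.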

Follow the instructions in the article How to manage device enrollments with Azure Portal to create your enrollment in DPS, and then proceed with the Install the IoT Edge runtime section of this article.

Simulate a TPM device

Create a simulated TPM device on your Windows development machine. Retrieve the Registration ID and endorsement key for your device, and use them to create an individual enrollment entry in DPS.

When you create an enrollment in DPS, you have the opportunity to declare an Initial Device Twin State. In the device twin you can set tags to group devices by any metric you need in your solution, such as region, environment, location, or device type. These tags are used to create automatic deployments.

Choose the SDK language that you want to use to create the simulated device, and follow the steps until you have created the individual enrollment.

When you create the individual enrollment, select True to declare that the simulated TPM device on your Windows development machine is an IoT Edge device.

Tip

In the Azure CLI, you can create an enrollment or an enrollment group and use the edge-enabled flag to specify that a device, or group of devices, is an IoT Edge device.

Simulated device and individual enrollment guides:

After creating the individual enrollment, save the value of the Registration ID. You use this value when you configure the IoT Edge runtime.

Install the IoT Edge runtime

The IoT Edge runtime is deployed on all IoT Edge devices. Its components run in containers, and it allows you to deploy additional containers to the device so that you can run code at the edge.

You'll need the following information when provisioning your device:

  • The DPS ID Scope value
  • The device Registration ID you created

Install the IoT Edge runtime on the device that is running the simulated TPM. You'll configure the IoT Edge runtime for automatic, not manual, provisioning.

Tip

Keep the window that's running the TPM simulator open during your installation and testing.

For more detailed information about installing IoT Edge on Windows, including prerequisites and instructions for tasks like managing containers and updating IoT Edge, see Install the Azure IoT Edge runtime on Windows.

  1. Open a PowerShell window in administrator mode. Be sure to use an AMD64 session of PowerShell when installing IoT Edge, not PowerShell (x86).

  2. The Deploy-IoTEdge command checks that your Windows machine is on a supported version, turns on the containers feature, and then downloads the Moby runtime and the IoT Edge runtime. The command defaults to using Windows containers.

    . {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; `
    Deploy-IoTEdge
    
  3. At this point, IoT Core devices may restart automatically. Other Windows 10 or Windows Server devices may prompt you to restart. If so, restart your device now. Once your device is ready, run PowerShell as an administrator again.

  4. The Initialize-IoTEdge command configures the IoT Edge runtime on your machine. The command defaults to manual provisioning with Windows containers. Use the -Dps flag to use the Device Provisioning Service instead of manual provisioning.

    Replace the placeholder values {scope_id} and {registration_id} with the data you collected earlier.

    . {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; `
    Initialize-IoTEdge -Dps -ScopeId {scope_id} -RegistrationId {registration_id}
    

Verify successful installation

If the runtime started successfully, you can go into your IoT Hub and start deploying IoT Edge modules to your device. Use the following commands on your device to verify that the runtime installed and started successfully.

Check the status of the IoT Edge service.

Get-Service iotedge

Examine service logs from the last 5 minutes.

. {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; Get-IoTEdgeLog

List running modules.

iotedge list
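As an added example (not from the original article), a small PowerShell check that folds the service and module checks above into one pass: it reports whether the iotedge service is running and whether edgeAgent, the first module the runtime starts after a successful DPS provisioning, shows up in `iotedge list`. The function name and result fields are my own.

```powershell
# Added example: post-installation health check for the IoT Edge runtime.
function Test-IoTEdgeInstall {
    $result = [ordered]@{ ServiceRunning = $false; EdgeAgentListed = $false }

    # The iotedge Windows service must exist and be in the Running state.
    $svc = Get-Service -Name iotedge -ErrorAction SilentlyContinue
    if ($null -ne $svc -and $svc.Status -eq 'Running') {
        $result.ServiceRunning = $true
    }

    # Once provisioning succeeds the runtime pulls and starts edgeAgent, so it
    # should be listed as running. Stderr is merged so CLI errors stay visible.
    if (Get-Command iotedge -ErrorAction SilentlyContinue) {
        $listing = (& iotedge list 2>&1) -join "`n"
        if ($listing -match '(?m)^edgeAgent\s+running') {
            $result.EdgeAgentListed = $true
        }
    }

    return [pscustomobject]$result
}

$check = Test-IoTEdgeInstall
$check
if (-not ($check.ServiceRunning -and $check.EdgeAgentListed)) {
    Write-Warning 'IoT Edge is not fully up; inspect the service log with Get-IoTEdgeLog.'
}
```

Run it in the same administrator PowerShell session you used for Initialize-IoTEdge; edgeAgent can take a minute or two to appear while its image is pulled.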

Next steps

The Device Provisioning Service enrollment process lets you set the device ID and device twin tags at the same time as you provision the new device. You can use those values to target individual devices or groups of devices using automatic device management. Learn how to deploy and monitor IoT Edge modules at scale using the Azure portal or using the Azure CLI.