Azure Eflow VM decryption with TPM

Deni Gahlinger 25 Reputation points
2024-04-29T08:18:57.42+00:00

I am trying to use TPM (using TSS c# library) to decrypt secrets in IoT modules running in an Eflow VM. There are three layers :

  • The host OS (Windows). That has access to the TPM
  • The Eflow VM. That returns an empty string when decrypting
  • The Module that runs on a docker container. That returns an empty string as well.

What was done

To use TPM on Eflow side, I use Set-EflowVmFeature -feature DpsTpm -enable -headless. It seems to work fine with for the Device provisionning (DPS). (we use basic DPS without customization)

To connect our modules to a server that provides the data, we need to decrypt some secrets that we get from the Module Twin. (getting the encrypted secrets from the twin works fine). The secrets are encrypted asymmetrically using TPM generated key pair and can be read only from the machine that runs the Edge Device.

We faced some issues to use TPM from the module in the Docker container (last layer where will run the module), so we :

  • Changed the Dockerfile to fix a wrong filename of the .so file for the TSS library (more details here: https://github.com/microsoft/TSS.MSR/issues/193)
  • Mount the Dbus of the EFlowVM to the Docker Container's to be able to use the same TPM from the EFlow VM.

Now, that I fixed all error messages, when I run the module, the decrypted secret is an empty string (on Eflow VM and the Docker Container, but Windows host, decryption works fine). I guess there is an issue between Windows TPM and Eflow TPM, like the Dbus to mount between the Eflow and the docker container. It seems to work fine for DPS, but for decryption, It doesn't.

When I check the --help for the Set-EflowVmFeature DpsTpm, It says "for provisioning". I don't know if that means that TPM decryption is not accessible from Eflow side and only DPS features are available or if something else is wrong in my configuration.User's image

Alternative

If Eflow doesn't provide all access to TPM to decrypt data, I imagined another alternative that is to run a service on Windows side (ASP.NET) with an endpoint string DecryptTpm(string cipher) and call it from the module directly. It will passthrough the different layers (windows - eflow - docker container).

To achieve this, I need to configure the network of the Eflow VM to have access to the host port. I found a lot of documentation about that. But I am not an expert at all in network configuration and VM, and reading many times the documentation (https://learn.microsoft.com/en-us/azure/iot-edge/how-to-configure-iot-edge-for-linux-on-windows-networking?view=iotedge-1.4) didn't help me to understand what to do.

Questions

  • Is the DpsTpm feature supposed to give access to Tpm decryption or not?
    • If yes : Why does the TPM return an empty string?
    • If no : How am I supposed to configure the network to access windows host access point from docker container module without exposing the decryption externally ?
  • Any other suggestion for another alternative?
Azure IoT
Azure IoT
A category of Azure services for internet of things devices.
385 questions
Azure IoT Edge
Azure IoT Edge
An Azure service that is used to deploy cloud workloads to run on internet of things (IoT) edge devices via standard containers.
548 questions
{count} votes