
Use DPS with TPM in Python #1066

Closed
marosrojis opened this issue Oct 11, 2022 · 6 comments

Comments

@marosrojis

I would like to ask you if there is any reason why you don't support provisioning with TPM in Python?


We are working on an IoT solution (30k+ IoT devices). Every device has a TPM. We would like to use Device Provisioning Service to establish a connection with the IoT hub. Because we can use TPM, for us it makes sense to use your DPS solution with TPM. Our main language is Python, and we would like to use it for this device application too.

But I see you don't support provisioning with TPM in your Python SDK. Is there any reason why you don't support it, please? I'm thinking we would implement it ourselves, but maybe there is a problem which I can't see now. I see you supported this case in your previous SDK version.

Our main problem is that we don't have the device in our hands before the device is delivered to the customer. That means we can't, for example, generate and save an X.509 certificate to the device. We have only the public key from the TPM.

I would like to ask you, can you please help us with how to use DPS and TPM together in Python? I would like to avoid implementing the application in a different language.

Thank you.

@anthonyvercolano

@marosrojis The short answer on this is that there is a body of code that implements a transition of arguments from Python to C. The C code is what works with the TPM. This transition layer was never available for Python. It is for Node, C# and Java. It is not likely to be available any time soon.

@Saljack

Saljack commented Oct 12, 2022

Does it mean that there is no way to use TPM with Python? Why is it not possible to implement it in Python? It is pretty weird that other implementations support it. Is the reason that the Python library supports only MQTT? Is there any workaround? I thought of calling a C library or calling the REST API directly from Python and getting some token, but I cannot find any information about any token and TPM. I found only documentation with DPS registration and TPM, but the next steps are missing. There are only two documented options for how to connect to Azure IoT hub, symmetric key and X.509; there is nothing about TPM.

@ryanwinter
Contributor

Hi @Saljack,

Would you be willing to jump on a call and talk more on your scenario?

If so, can you post your email address here and I can get in touch?

Thanks
Ryan

@Saljack

Saljack commented Oct 19, 2022

@ryanwinter Yes, I am willing to have a call with you. But I would appreciate it if it was described in the documentation. The REST API of DPS is accessible again (there was a 404 for a few days). And I found there a TpmRegistrationResult which has an authenticationKey with the description "Encrypted authentication key", which is not helpful. I assume it is encrypted by the SRK and then EK public keys. But why is it not described in the documentation?
There is also a recommendation to store connection information and not call DPS on every restart, but there is no sample of how to store this information.
You can see my email in my GitHub profile.

@ryanwinter
Contributor

You can read more on the TPM attestation process for DPS here. Yes, the authenticationKey is returned by the DPS register call and is encrypted with the provided SRK and EK.

@ryanwinter
Contributor

Closing as @Saljack went with a different SDK.
