===================================
StarlingX: Secure Device Onboarding
===================================

Storyboard: https://storyboard.openstack.org/#!/story/2008117

This spec describes a new feature to enable secure Zero Touch
Provisioning (ZTP) of SDO devices.


Problem description
===================

Secure Device Onboard (SDO) is open source software, in the process of
becoming an industry standard through the FIDO Alliance, that automates the
process of securely onboarding SDO-capable devices. By "onboard" we mean the
process by which a device establishes its first trusted connection with the
device management service.

SDO brings in late binding, wherein the device owner can choose the device
management platform to which the device onboards at or just before
commissioning of the device at the point of installation.

StarlingX needs to support deployments in environments that have a combination
of compute systems ranging from small IoT devices to high-compute Xeon
platforms. Since StarlingX is installed on some of these systems and is
required to support the secure provisioning of the other, non-StarlingX
devices, integrating/developing SDO on StarlingX would add the capability to
provision non-StarlingX devices.

The devices to be onboarded through SDO can be x86 or ARM based platforms and,
as stated earlier, can range from small-compute IoT devices to higher-compute
Xeon devices. The only condition is that the device must be provided with the
necessary credentials and SDO client software during the manufacturing stage.

Use Cases
---------

This proposal aims to support SDO onboarding capability on StarlingX-based
platforms so that these systems can provision other devices that support SDO.
Ideally, the user deploying an SDO device would just power it on and connect
it to the network, whereupon the device would boot, connect itself to a
StarlingX cloud, and be fully provisioned by the StarlingX SDO services, which
bring the device up to a fully functional state.

Proposed change
===============

Overview of SDO and Integration on StarlingX
--------------------------------------------

The SDO onboarding process automates the secure provisioning of devices and
involves interactions between a number of different entities that participate
in the process: Manufacturer, Device, Owner, Rendezvous service, and
Device platform service.

We aim to enable the SDO Rendezvous service and Device platform service on the
StarlingX Kubernetes cluster.

The Device platform service provides the components for the device owner to
integrate their choice of Device management service.

The device will be initialized with a special SDO software load and security
credentials created by the device manufacturer using the supply chain tools.
The device's ownership vouchers will also be generated by the same tools and
then fed into the Device platform service before going through the SDO
process.

The Device platform service synchronizes the voucher information with the
Rendezvous service, which plays the role of directing the target device to the
owner's Device platform service.

Once the device powers on, it can establish a secure connection with the
desired Device management service through the standard SDO process. After
that, the provisioning of the device node can be performed automatically.

The services are enabled in phases, detailed below:

* Phase one:
  Enable the Rendezvous service as an application on StarlingX.

* Phase two:
  Enable the Device platform service on StarlingX.

This spec aims to close on Phase one details.

StarlingX support of SDO
------------------------

There will be an Armada manifest and SDO Helm charts for the Rendezvous
service, which will be uploaded and applied to pull the container images from
a public registry, then configure and launch the SDO service pods.

The SDO applications will be packaged as a tarball that can be transferred to
the system and activated with ``system application-upload`` and
``system application-apply``.

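
The upload-and-apply step described above, wrapped in two pre-flight checks on the transferred tarball. This is an added example, not part of the spec or the SDO project: the pinned SHA-256 digest and the member-path check are assumptions of this example, and the tarball and application names are operator-supplied placeholders.

```shell
#!/bin/sh
# Added example, not from the spec. The tarball path, pinned digest and
# application name are placeholders supplied by the operator.

# Succeeds only if the SHA-256 of file $1 equals the pinned hex digest $2.
digest_ok() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Reads member paths on stdin; fails if any is absolute or has a ".." part.
paths_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Succeeds only if the archive can be listed and every member path is safe.
members_ok() {
    listing=$(tar -tzf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$listing" | paths_safe
}

# Upload and apply the application only after both checks pass.
# $1 = tarball, $2 = pinned SHA-256, $3 = application name
deploy_app() {
    digest_ok "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    members_ok "$1"     || { echo "unsafe member path in $1" >&2; return 1; }
    system application-upload "$1" || return 1
    system application-apply "$3"  || return 1
    system application-list
}

# Typical use on the active controller, after loading admin credentials:
#   . /etc/platform/openrc
#   deploy_app <sdo-app-tarball> <pinned-sha256> <app-name>
```

The pinned digest should reach the operator over a channel separate from the one that carries the tarball.
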
Alternatives
------------

None

Data model impact
-----------------

None

REST API impact
---------------

None

Security impact
---------------

None

Other end user impact
---------------------

None

Performance Impact
------------------

TBD

Developer impact
----------------

TBD

Upgrade impact
--------------

None


Implementation
==============

Assignee(s)
-----------

Primary assignee:

* Poornima Y N

Repos Impacted
--------------

* SDO-armada-app

Work Items
----------

* Create new repo for the new application 'SDO', define required armada
  manifests and import helm charts for app


Dependencies
============

* TBD


Testing
=======

Test cases will be developed for adding systems of various personalities and
capabilities to the StarlingX cloud. Both positive and negative tests (e.g.
tests with bad credentials which should be rejected) will be defined.


Documentation Impact
====================

We will add new documents for the SDO process.


References
==========

* Code: https://github.com/secure-device-onboard
* Release: https://github.com/secure-device-onboard/release/releases/
* Document: https://secure-device-onboard.github.io/docs/


History
=======

.. list-table:: Revisions
   :header-rows: 1

   * - Release Name
     - Description
   * - STX 5.0
     - Introduced