Intel® Secure Device Onboarding¶
SDO Product Brief¶
Intel® Secure Device Onboarding (SDO) is an automated service that enables a device to be drop-shipped and powered on to dynamically provision to a customer’s IoT platform of choice. This zero-touch model simplifies the installer’s role and scales the number of devices that can securely and automatically be deployed in production. Intel® SDO eliminates poor security practices, such as shipping default passwords, and delivers an innovative device privacy model for IoT. With a single imaging step for zero-touch onboarding, device makers can mass produce devices and leave configuration to Intel® SDO.
SDO Benefits¶
Automated deployment - Break free from hard-coded or manual activation methods with dynamic discovery of the customer’s IoT platform for fast onboarding at power on.
Hardware Protected Onboarding - Eliminate passwords with Intel® Enhanced Privacy ID (Intel EPID) to anonymously authenticate devices. Prevents hackers from tracing the device from factory to owner.
Streamline Distribution - Digitally trace ownership from manufacturer to customer, and provide a rendezvous point in the IoT platform where the owner can claim the device.
Ecosystem Accelerator - Eliminate expensive customer configuration pre-loads with a zero-touch experience that differentiates your solution.
SDO Product Information¶
For more information on obtaining, installing, and deploying Intel® Secure Device Onboarding, please refer to the following table:
| Description | Link |
|---|---|
| Solution overview and collateral | https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html |
| Ecosystem enablement tools | https://www.intel.com/content/www/us/en/developer/tools/secure-device-onboard/overview.html |
| For go-to-market partner inquiries | |
Solution Overview¶
SDO/BMD (Secure Device Onboard / Bare Metal Deployment) is a configuration of SDO tools and software that applies SDO to a wide variety of end-use applications. SDO provides an “out of box” onboarding experience; SDO/BMD makes that experience immediately available across a wide variety of IA deployments by relying on features common to the IA architecture.
The SDO solution assumes that the manufacturer (OxM) has prepared the device for SDO onboarding in the factory by performing the SDO Device Init (SDO-DI) operation. SDO manufacturing tools are designed to be integrated into a manufacturing line: they store manufacturing credentials in the device, and the device and its credentials then make their way through the supply chain. Supply chain entities forward the SDO credentials by signing them over to subsequent supply chain entities or to the end user.
SDO/BMD refactors the SDO solution to optimize for a simple subset of SDO deployments. A set of similar devices is ordered as bare metal and shipped to a single location; all of them are initialized at that location and the SDO bits are installed there. Each device is targeted to a specific DMS at initialization time, so its SDO credentials can be forwarded to the correct DMS automatically. The devices themselves are then moved (i.e., “carried”) to the deployment location, where SDO automatic onboarding proceeds. To increase flexibility, the OS and all software are also downloaded during SDO.
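To make the sign-over described in the two paragraphs above concrete, here is an added example (it is not part of this page and is not the SDO tooling's own code) that models the Ownership Voucher as a hash-linked chain of signed entries: Device Init binds the device to its first owner's public key, each supply chain entity signs the device over to the next owner's public key, and the final owner (the DMS) verifies the whole chain before claiming the device. The field layout, the JSON encoding, the use of ECDSA P-256, and the names `NewVoucher`, `Extend` and `Verify` together with the constructed GUID and rendezvous string are assumptions of this example; the real SDO voucher format and its EPID-based device authentication are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Header is written once at Device Init (SDO-DI). Fields and JSON encoding are illustrative, not the SDO wire format.
type Header struct {
	GUID         string `json:"guid"`       // device identity (a constructed value in main)
	Rendezvous   string `json:"rendezvous"` // where the final owner goes to claim the device
	ManufPubKey  []byte `json:"manuf_pub"`  // first owner: the party that ran SDO-DI (PKIX DER)
	DevicePubKey []byte `json:"device_pub"` // device key recorded at SDO-DI (PKIX DER)
}

// Entry signs the device over to the next owner and is signed by the previous owner.
type Entry struct {
	PrevHash   []byte `json:"prev_hash"` // SHA-256 of the previous entry, or of the header
	NextPubKey []byte `json:"next_pub"`  // public key of the party receiving the device
	Sig        []byte `json:"sig"`       // ECDSA signature over the entry with Sig empty
}

type Voucher struct {
	Header  Header  `json:"header"`
	Entries []Entry `json:"entries"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey makes an owner or device key; PubDER is the bytewise-comparable stored form;
// hashJSON is the digest every signature and hash link in the chain is computed over.
func NewKey() *ecdsa.PrivateKey  { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func PubDER(k *ecdsa.PrivateKey) []byte { return must(x509.MarshalPKIXPublicKey(&k.PublicKey)) }
func hashJSON(v any) []byte      { h := sha256.Sum256(must(json.Marshal(v))); return h[:] }

// NewVoucher models SDO-DI: the device is bound to the party that initialized it.
func NewVoucher(guid, rendezvous string, devicePub, manufPub []byte) *Voucher {
	return &Voucher{Header: Header{GUID: guid, Rendezvous: rendezvous, ManufPubKey: manufPub, DevicePubKey: devicePub}}
}

// Extend signs the device over to nextPub. Only the current owner's key is accepted, so an
// outsider, or a previous owner that has already signed the device away, is refused.
func (v *Voucher) Extend(owner *ecdsa.PrivateKey, nextPub []byte) error {
	prev, cur := hashJSON(v.Header), v.Header.ManufPubKey
	if n := len(v.Entries); n > 0 {
		prev, cur = hashJSON(v.Entries[n-1]), v.Entries[n-1].NextPubKey
	}
	if !bytes.Equal(PubDER(owner), cur) {
		return errors.New("signer is not the current owner of the device")
	}
	e := Entry{PrevHash: prev, NextPubKey: nextPub}
	e.Sig = must(ecdsa.SignASN1(rand.Reader, owner, hashJSON(e))) // signed with Sig still empty
	v.Entries = append(v.Entries, e)
	return nil
}

// Verify walks the chain from the header and returns the final owner's public key.
// Editing any entry breaks its own signature and the hash link from the entry after it.
func (v *Voucher) Verify() ([]byte, error) {
	prev, owner := hashJSON(v.Header), v.Header.ManufPubKey
	for i, e := range v.Entries {
		k, err := x509.ParsePKIXPublicKey(owner)
		pk, _ := k.(*ecdsa.PublicKey) // nil if parsing failed or the key is not ECDSA
		unsigned := e
		unsigned.Sig = nil
		if err != nil || pk == nil || !bytes.Equal(e.PrevHash, prev) || !ecdsa.VerifyASN1(pk, hashJSON(unsigned), e.Sig) {
			return nil, fmt.Errorf("entry %d: not a valid sign-over by the current owner", i)
		}
		prev, owner = hashJSON(e), e.NextPubKey
	}
	return owner, nil
}

func main() {
	dev, manuf, dist, dms := NewKey(), NewKey(), NewKey(), NewKey()
	v := NewVoucher("constructed-guid-0001", "rendezvous.example", PubDER(dev), PubDER(manuf))
	fmt.Println("manufacturer -> distributor:", v.Extend(manuf, PubDER(dist)))
	fmt.Println("distributor -> DMS:", v.Extend(dist, PubDER(dms)))
	fmt.Println("distributor signs over a second time:", v.Extend(dist, PubDER(NewKey())))
	owner, err := v.Verify()
	fmt.Println("chain valid:", err == nil, "| final owner is the DMS:", bytes.Equal(owner, PubDER(dms)))
}
```

Two failure modes matter in practice and both are exercised in `main`: a key that is not the current owner cannot extend the chain (an outsider, or a distributor that has already signed the device over and tries to do so again), and altering any stored entry invalidates that entry's signature and the hash link from the entry after it. The DMS therefore only accepts a voucher whose unbroken chain, starting from the Device Init header, ends at its own key.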
SDO/BMD allows a COTS “bare metal” IA device to be set up and deployed using SDO automatic onboarding. Because the device is bare metal (e.g., it has no OS), onboarding requires a setup phase. The setup requires a secured network and a small amount of user “touch,” but both have been minimized. The secured network can be implemented with a single small server (NUC) and a small Ethernet switch, secured by placing them in a locked room. The setup facility is typically in the same location as the device installations, but a regional deployment is also possible.
The following diagrams show a typical flow of how a device is initialized with SDO and then shipped through the supply chain to the point of installation.


Theory of operation¶
The user creates a setup station at the target deployment site. The setup station can be a single desktop-class computer; server-class computers can be used for larger deployments. If a single Device Management System (DMS) is used for all devices, the setup station requires only a simple one-time setup. For multiple DMS’s, some screen customization is required.
Each device is processed in a few minutes:
1. Device is unboxed.
2. Device is attached to power and network (a wired, non-authenticated Ethernet is used).
3. Device is brought to PXE boot:
   - If the device has no native OS, PXE boot is usually automatic.
   - If the device has a native OS, the user attaches a keyboard and display and presses F12 to force a PXE boot (this works on most computers).
4. Device runs the PXE boot and automatically installs a lightweight boot environment with SDO; SDO credentials are allocated and installed in the device, and the SDO Ownership Voucher for the device is sent to the DMS.
5. The device powers itself off.
6. The setup station transfers the device’s Ownership Voucher to the target DMS.
Step 4 assumes that all devices will be controlled by a single DMS. If multiple DMS’s are required, the user must select which DMS receives the Ownership Voucher, based on a customized setup station:
For small installations, the user selects the DMS at step 1, and devices are booted one at a time.
For large installations, the setup station has several NICs and creates a separate subnet for each target installation. The user plugs each device into the correct subnet (e.g., using color-coded cables), and it is targeted to the corresponding destination.
Once device setup is complete, the device is ready to be automatically onboarded to the correct DMS. If the device is capable of different functions, onboarding can include customized installation and credentials. For example (ECI), the same device might be configured with the ACRN hypervisor and multiple VMs.

Typical use cases¶
With the infrastructure described above, a complete infrastructure can be created and the lifecycle of the hardware devices (ECI BAR Nodes) can be managed with the Life Cycle Management platform of choice. One of the key components needed is a Management Agent that supports the industry-standard management APIs for performing Firmware Over the Air (FOTA) and Software Over the Air (SOTA) updates. Note: To make the solution robust, additional rollback capabilities may be needed.
SDO with Bare Metal Onboarding can:
Install an OS on a bare metal SDO-enabled node (this helps reduce manufacturing SKUs). This can be done Just-In-Time at the target location of node deployment.
Onboard to the Device Management Service (DMS) of choice. This can also be Just-In-Time at the time of deployment at the target location. SDO makes it zero-touch: connect the device to the network and power it on; SDO performs the needed tasks automatically.
Managing ECI Deployment using Intel® SDO¶
Refer to the Intel® In-band Manageability section for guidance on how to onboard to Telit, Azure, or ThingsBoard.