Introduction to Secure Device Onboard

The Intel Secure Device Onboarding (SDO) service enables SDO-compliant devices to securely register with Device Cloud based on preprovisioned identity information in the device hardware.

For more information about SDO, see https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html.

The Intel Enhanced Privacy ID (Intel EPID) is inserted into the silicon during manufacturing. Based on the EPID, ownership credentials are created and passed along the ownership chain from the original device manufacturer (ODM) to the final purchaser. The final purchaser receives a digital ownership receipt that contains the ownership information together with the ownership credentials for the device. The purchaser uploads the digital ownership receipt file to Device Cloud and assigns an onboarding package to the device.

The following shows the flow of the ownership proxy provisioning.

Device Cloud - Secure Device Onboard Workflow

When an SDO-compliant device starts, it contacts the SDO service and presents the credentials preprovisioned in its firmware. The service broker authenticates the device and returns the Device Cloud URL. Device Cloud matches the device certificates against the ownership identifier from the uploaded receipt, identifies the assigned onboarding package, and downloads it to the device. The SDO agent on the device installs the package, which contains the Device Cloud device manager; the device manager then registers with Device Cloud and appears as a thing on the Management Portal.

The following shows the automated device onboarding workflow for an SDO-compliant device.

Device Cloud - SDO Onboarding Workflow

Intel Secure Device Onboard Resources

If you do not already have an account, go to the Intel Developer Zone at https://software.intel.com/en-us/ and sign up for an account. Sign in to the Intel Developer Zone, go to https://software.intel.com/en-us/secure-device-onboard, click REQUEST ACCESS, and fill in the form to request access to the Secure Device Onboard resources.

Onboarding Package

The onboarding package contains the files required for the Device Cloud agent and instructions to install the files on the device. This release supports the Python agent for onboarding.

You must provide the files required to install the Device Cloud agent in a single tar.gz file that contains the following:

  • the Device Cloud agent, including the device manager application that has been prepared to run in production as a service (see Device Cloud Device Programmer's Guide: Running the Python Device Manager in a Production Environment)

  • any dependencies of the agent and the device manager, including Python and the Python package dependencies (see Device Cloud Device Programmer's Guide: Python Applications)

  • to support remote device access from either the Device Console or Remote Access links on the LaunchPad, the device manager configuration and the required server application (see the Device Cloud Remote Access User's Guide)

  • the iot-connect.cfg file containing the information to enable the device manager to connect to Device Cloud (see Device Cloud Quick Start for Linux: Generating the Device Manager Connection Configuration File in Linux and Device Cloud Device Programmer's Guide: iot-connect.cfg Reference)

  • any required scripts, such as a script to install the agent and the device manager, and other supporting files
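As an added example (not Intel's or Device Cloud's own tooling), a small POSIX shell helper that assembles the tar.gz described above and checks it before it is uploaded as an onboarding package. Only iot-connect.cfg is a file name taken from this page; install.sh and device_manager.py are assumed names standing in for the install script and the device manager application.

```shell
#!/bin/sh
# Build and sanity-check an onboarding package tar.gz (example helper, not
# part of Device Cloud). File names other than iot-connect.cfg are assumptions.
set -eu

# Members every package must carry: the connection configuration (from the
# page), plus an assumed install script and device manager application.
REQUIRED_FILES="iot-connect.cfg install.sh device_manager.py"

# build_onboarding_package <staging_dir> <output.tar.gz>
# Returns non-zero if a required file is missing or iot-connect.cfg is empty.
build_onboarding_package() {
    staging=$1; out=$2
    for f in $REQUIRED_FILES; do
        [ -f "$staging/$f" ] || { echo "missing $f in $staging" >&2; return 1; }
    done
    [ -s "$staging/iot-connect.cfg" ] || { echo "iot-connect.cfg is empty" >&2; return 1; }
    # The SDO agent has to run the install script, so it must be executable.
    chmod 0755 "$staging/install.sh"
    # -C keeps only relative member paths in the archive (no absolute paths).
    tar -czf "$out" -C "$staging" .
    # Record a checksum so the package can be re-verified before assignment.
    sha256sum "$out" > "$out.sha256"
}

# verify_onboarding_package <package.tar.gz>
# Re-checks the recorded checksum and confirms every required member exists.
verify_onboarding_package() {
    pkg=$1
    sha256sum -c "$pkg.sha256" >/dev/null || { echo "checksum mismatch" >&2; return 1; }
    members=$(tar -tzf "$pkg")
    for f in $REQUIRED_FILES; do
        echo "$members" | grep -qxF "./$f" || { echo "package lacks $f" >&2; return 1; }
    done
}
```

Usage: stage the agent, its dependencies and scripts in one directory, run build_onboarding_package on it, and run verify_onboarding_package on the result before creating the onboarding package in Device Cloud.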

Workflow

In this release, Device Cloud supports SDO-compliant devices and computers running the Intel SDO device simulator on Ubuntu 16.04. For more information about the device simulator, see the Intel Secure Device Onboard resources described above.

You need to do the following:

  1. Create a tar.gz file that contains the files to onboard a simulated device and the instructions to install the files.

  2. Create the onboarding package in Device Cloud.

  3. Upload the digital ownership receipt to Device Cloud.

  4. Assign an onboarding package to the device in Device Cloud.