How to use the TPM to build a Zero-touch device on-boarding

With Pantahub you can use your TPM (Trusted Platform Module) as a secure way to onboard and connect devices to Pantahub.
This allows your device to register and authenticate using TLS backed by your TPM and that certificate will be only valid for your computer. The device registers with the ACA to get an IAK certificate
Using the AIK the device register on Pantahub and receive an IDevID from Pantahub CA The IDevID certificate is the one used in conjunction with a key in the TPM to create a TLS connection with Pantahub API
This flow is called remote TPM Attestation and is used by companies like Microsoft (documentation)

How does this flow work?

The TPM remote Attestation flow uses the Endorsement Key Certificate (EK) and the Attestation Identity Key Certificate (AIK), those are a key certificate pair.

The AIK is validated and signed by the Attestation Certificate Authority (ACA) server using the EK certificate, the EK key, and AK public key (another key created from the TPM).

Using that combination we create a new certificate request called the IDevID in order to identify the device, this certificate is signed with a private key saved on the TPM, and this key has a certification data of being loaded on the TPM (documentation about the tpm_certificate).

Now the ACA takes all this information and validates the IDevID as something loaded in a real TPM (because the IAK validates the TPM via the EK certificate) and validates the ownership of the device against a user on Pantahub. Therefore we could use any communication the IDevID as authorization method for the device. How to use it now with Pantahub

Right now in order to use this feature, you need to build your image using Pantavisor with some specific parameters to add the ownership data to be embedded in the IDevID certificate.

PANTAVISOR_TPMACA=yes \
PANTAVISOR_DEBUG=yes \
PVR_MERGE_SRC=https://pvr.pantahub.com/pantahub-ci/x64_initial_stable \
PV_AUTOTOK_FILE=~/device_autojointoken.json \
./build.docker.sh x64-uefi-installer

This will build the image with the initial ownership data in order to start the TPM process. After this, you can start your x64 machine and start the installation process

After this, the next steps are very stray forward

Install Pantavisor x64 UEFI

Select the Pantavisor installer (auto), in order to install in the main hard drive of your machine. Do not select the (auto TPM) that is not referred to the TPM-ACA flow that options are for the encrypted disk functionality.

If you want to change the target device where you want to install your Pantavisor you can enter on manual mode and run pvf-install and follow the instructions to select the correct device.

After that, the device is going to start the process and reset a couple of times until you will be able to see it on your Pantahub devices list.

After that everything is set to use your device as any other Pantahub device will.

https://drive.google.com/file/d/1zvYHe9vF5ogfkMvPIY6Ni6brzGrR7JXq

Happy trail.