# Installation of the Security Packages

Following the steps outlined below will allow you to install, update, or uninstall the necessary Debian packages that contain the security packages.

# Packages

There are three categories of Debian packages that are delivered by the ABB Digital team, and they can be reviewed in detail as follows:

# Security Library Package

  • Takes care of distribution of the TLS library (NanoSSL), TPM Software Stack (Mocana NanoTAP), Crypto library (NanoCrypto) and dependent libraries.
  • These will only be available for TPM 2.0, as TPM 1.2 currently depends on TrouSers and OpenSSL.

# TPM Management Package

  • Distributes shell scripts and executables that can be used to manage TPM.
  • Separate packages for TPM 1.2 and TPM 2.0.
  • TPM 2.0 management packages will have a hard dependency on the Security library package.

# Security Systemd Services Package

  • Contains executables, configuration, and systemd service definitions that enable and configure DPCM.service and secstore.service for TPM 1.2 and TPM 2.0.
  • Separate packages for TPM 1.2 and TPM 2.0.
  • Security systemd services package will have a hard dependency on the Security library package and TPM commissioning package (one of TPM management packages).

# Security Library Package

This package distributes Mocana libraries for TPM access, SSL, and other cryptographic operations.

DEPENDENCIES

The TPM Management package and Security services packages will be configured to have a hard dependency on this package.

# TPM Management Package

This package enables management of the TPM. TPM management is split into two distinct packages, one for commissioning and one for decommissioning, for the following reasons.

  • Attack surface reduction
    • Example: The "TPM clear" operation can lead to data loss and DoS attacks. This functionality is not normally required in the operational lifetime of a device. It becomes necessary under abnormal circumstances, e.g. device replacement, device end of life, etc. This functionality is available only as part of TPM decommissioning, which can be used during device decommissioning.
  • Ease of use and maintenance

# TPM Commissioning Package

The TPM commissioning package can be used to provision the TPM for use. The functionalities in this package may be executed in the post-manufacturing phase, at ABB-internal or external factories, before the ABB Ability™ CA certificate is issued to the Edge device.

# Additional Functionalities

  • TPM ownership and provisioning
    • Owns and provisions the TPM
    • Sets the owner password (lockout hierarchy password)
    • Creates the parent key hierarchy and sets key hierarchy password

# TPM Decommissioning Package

The TPM decommissioning package includes functionality that is required for secure decommissioning of the device. The functionalities included in TPM decommissioning are:

  • TPM clear
    • Securely erases the certificate and private key, then clears the TPM
    • This package will have a hard dependency on the commissioning and library packages.

# Security Services Package

The Edge security package includes the following functionalities.

  • Device Identity Management
    • Generates a unique Identity for the device (GUID V4) and performs a duplication check with the Global ID service.
    • Binds the unique ID to the CN of the Edge device certificate, which is bound to the hardware root of trust.
    • Updates the ID to the Global ID service database to prevent reuse.
  • Secure Device provisioning to the ABB Ability™ Platform based on the hardware root of trust
    • Provides the client a certificate-based mutually authenticated TLS channel to interface with the ABB Ability™ Platform.
  • Certificate life cycle management
    • Enrollment using Simple Certificate Enrollment Protocol (SCEP) to the ABB Ability™ PKI
    • Certificate renewal at a threshold period before expiry
  • Cryptographic services from TPM
    • Key generation
    • Key load and unload
    • Encryption and signing
  • Secure storage of private key
    • Enables secure storage of private key encrypted using a parent root key in TPM.
    • The private key is bound to the TPM and cannot be copied or used in any other device.

DEPENDENCIES

This package will have a hard dependency on the security library and commissioning packages.

# Package Lifecycle Management

This section describes the install, update/upgrade and uninstall behavior of the packages described above.

# Security Library Package

This section describes the system changes performed on installation of the security library packages, how updates of the security library packages are managed, and the steps performed on uninstallation.

# Package Naming

The security library package name follows the standard Debian package naming for run-time (shared library) packages. It adheres to the following convention:

sec-lib-[securitymodule]_[Release version]

Example: Security libraries with TPM 2.0 support will be named as:

sec-lib-tpm20_[Release version]

Example: In the future, security libraries that work with HSM may be named as:

sec-lib-hsm-[Release version]

# Install

  • The following Security libraries will be installed:
    • Mocana TLS library (NanoSSL, OpenSSL SHIM)
    • Mocana Crypto library (NanoCrypto)
    • Mocana TCG Software Stack (TSS) (NanoTAP, NanoSMP)
  • The libraries are packed as shared objects.

No other system changes are expected on installation of security libraries.

For installation, apt install should be used as follows.

sudo apt install -y ./package_name.deb

# Update

To update, run apt install with the dpkg option "--force-confold", as shown in the following example.

sudo apt install -y -o Dpkg::Options::="--force-confold" ./package_name.deb

PACKAGE FILES

All files on the system from the old package will be replaced by the new package, except files which are marked as configuration files.

The --force-confold flag helps to avoid modifying the current configuration files. With this option alone, configuration files that are not modified are left untouched. This flag must be combined with --force-confdef to let dpkg overwrite configuration files that are not modified manually.
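Before an upgrade it helps to know which configuration files were edited locally, since those are the ones --force-confold keeps. The following added example (not part of the ABB packages) compares the checksums dpkg recorded with the files on disk; the function names are hypothetical and the package and .deb names are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the ABB packages. Reports conffiles of a package
# whose on-disk content no longer matches the MD5 dpkg recorded for them.

# Reads dpkg's Conffiles format (" /path md5 [flag]") on stdin; prints
# "modified <path>" or "missing <path>". Assumes paths without whitespace.
modified_conffiles() {
    while read -r path recorded flag; do
        [ -n "$path" ] || continue
        [ "$flag" = "obsolete" ] && continue   # no longer shipped by the package
        if [ ! -f "$path" ]; then
            echo "missing $path"
            continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        [ "$actual" = "$recorded" ] || echo "modified $path"
    done
}

# Hypothetical wrapper: audit first, then upgrade with the page's command.
audit_then_upgrade() {
    pkg=$1
    deb=$2
    dpkg-query -W -f='${Conffiles}\n' "$pkg" | modified_conffiles
    sudo apt install -y -o Dpkg::Options::="--force-confold" "$deb"
}
```

Every path reported as modified is a file the upgrade will leave in its current state, so review those against the new package's defaults after the update.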

# Uninstall

To uninstall the Edge security package, run:

sudo apt remove --purge package_name

# Install

# TPM Management Package

The following activities will be performed as part of the TPM management package installation:

  • Deploy scripts which enable command execution for ownership, clearing, and resetting of TPM lockout.
  • None of the commands will be triggered as part of the package installation. The user will be able to execute the commands on the shell after installation. In the event there is a need for a non-interactive installation, these commands can be invoked from the installer script as well.
  • Set up (create) a key store folder, e.g. /var/ability/certs, for storing the TPM protected key.

# Security Services Package

The following activities will be performed as part of the Edge security package installation:

  • The Debian package deploys dpcm and secstore systemd services and associated configuration functionalities.
  • On first installation, the services will be in a disabled state.
  • The services will be synchronously enabled using the Edge installer script abb-iot-edge-setup. Once they are enabled, the high-level behavior of the system is as follows:
  • The secstore service listens for cryptographic operations and checks whether the TPM is enabled and owned. In the absence of a TPM, or with a non-provisioned TPM, secstore throws an error.
  • The dpcm service starts up and verifies that the certificate and private key exist in the key store (/var/ability/certs). If these exist, it proceeds with DPS registration. If these do not exist, a new enrollment code must be configured in dpcm.config and the dpcm service enrolled to the CA, after which DPS registration is performed.

If the TPM 1.2 package is already installed, attempting to install the TPM 2.0 package will throw warnings and abort the installation. First uninstall the TPM 1.2 package and then install the TPM 2.0 package and vice versa.

If secure storage or DPS services are already running and were not installed by the Debian package, first stop those services manually and then install the Debian package.

# Uninstall (Remove)

To uninstall the Edge security package, run: sudo apt remove package_name

# TPM Management Package

  • Removal of the TPM package will leave /var/ability/certs and its certificate and private key as before.
  • The commands for TPM management will not be available after removal (scripts will be removed).

# Edge Security Package

  • Removes the systemd service files and executables.
  • Configuration files will be left as before.

# Uninstall (Remove and Purge)

# TPM Management Package

  • Performs a secure erase of the certificate and private key with the warning, "The certificate should be revoked prior to erase". Only if the user confirms will the certificate be revoked. In that case, the certificate and associated private key will be deleted. Secure erase is performed using the "shred" command, which overwrites the certificate and key files multiple times with junk data prior to deletion.

  • Deletion of the key store /var/ability/certs.

  • TPM clear
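The erase and key store deletion steps above, sketched as an added example (not the ABB maintainer script). The function name and the KEYSTORE_ERASE_CONFIRM variable are hypothetical; the variable lets an unattended purge skip the prompt. The TPM clear step is left to the decommissioning package's own command, which this page does not name.

```shell
#!/bin/sh
# Added example, not the ABB maintainer script. Shreds every file in a key
# store directory, then removes the directory itself.

secure_erase_keystore() {
    dir=$1
    # Refuse empty, root or relative paths, and symlinked directories.
    case "$dir" in
        /|"") echo "refusing to erase '$dir'" >&2; return 2 ;;
        /*) ;;
        *) echo "path must be absolute: $dir" >&2; return 2 ;;
    esac
    [ -d "$dir" ] && [ ! -L "$dir" ] || { echo "not a real directory: $dir" >&2; return 2; }
    command -v shred >/dev/null 2>&1 || { echo "shred not installed" >&2; return 3; }

    # Prompt unless the (hypothetical) override is set; EOF on stdin aborts.
    if [ "${KEYSTORE_ERASE_CONFIRM:-}" != "yes" ]; then
        echo "The certificate should be revoked prior to erase." >&2
        printf 'Erase %s? [y/N] ' "$dir" >&2
        read -r answer || answer=n
        [ "$answer" = "y" ] || { echo "aborted" >&2; return 1; }
    fi

    # Overwrite regular files only: 3 random passes, a final zero pass (-z),
    # then unlink (-u). -xdev keeps find on the key store's own filesystem.
    find "$dir" -xdev -type f -exec shred -f -u -z -n 3 -- {} + || return 4
    # Whatever is left (symlinks, empty subdirectories) holds no key bytes.
    rm -rf -- "$dir"
}
```

On flash storage or copy-on-write filesystems an overwrite may not reach the blocks that held the old data. The TPM clear that follows is what makes a private key wrapped by the TPM parent key unusable.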

# Edge Security Package

Please closely observe the following:

  • Do not make interactive input mandatory for package installation. This could cause a delay in package uninstallation.

  • Please provide a prefix to make sure that the TPM management package command name is not generic.

  • Please make sure that the "shred" command is a run-time dependency of the TPM package.

  • The security package will have a hard dependency on the TPM Management Package.

Last updated: 7/7/2021, 8:54:52 AM