After creating an attestation profile, you must associate it with the TPM-based template. This ensures that the gateways you enroll using the TPM-based template are tamper-detectable.

Prerequisites

You must have a valid attestation profile.

Procedure

  1. From the VMware Pulse IoT Center console, go to Security > Profiles.
  2. Copy the Profile ID of the attestation profile that you have created.
  3. Go to Device Templates and click the TPM-based template that you have created.
  4. Scroll down to the Custom Properties section and click the edit icon.
  5. In the Edit Custom Property window, click the edit icon against the security-profile-id.
  6. Paste the Profile ID under the Default Value text box. Click DONE.
  7. Click SAVE to save the changes.
  8. Next, configure the TPM attestation level on your gateway. Run the following command to open the iotc-agent.cfg file:
    vi /opt/vmware/iotc-agent/conf/iotc-agent.cfg
  9. Set the TPM attestation level to full:
    tpmAttestationLevel = full
    Note: To enable only boot attestation, set tpmAttestationLevel = boot. To enable both boot and runtime attestation, set tpmAttestationLevel = full.
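Steps 8 and 9 edit a single key in the agent configuration. The following shell functions are an added example, not part of VMware's tooling, for applying that change idempotently across gateways: they validate the level (boot or full), replace an existing tpmAttestationLevel line or append one, and read the effective value back. They assume the key = value format shown above; the config path is passed in so the default /opt/vmware/iotc-agent/conf/iotc-agent.cfg from step 8 can be substituted with a test file.

```shell
#!/bin/sh
# Added example (not VMware's own script). Assumes a "key = value" config
# such as /opt/vmware/iotc-agent/conf/iotc-agent.cfg; the path is an argument.

# Usage: set_tpm_attestation_level <cfg-file> <boot|full>
# Returns 1 without touching the file if the level is not boot or full.
set_tpm_attestation_level() {
    cfg="$1"
    level="$2"
    case "$level" in
        boot|full) ;;
        *) echo "invalid tpmAttestationLevel: $level (expected boot or full)" >&2
           return 1 ;;
    esac
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
    if grep -q '^[[:space:]]*tpmAttestationLevel[[:space:]]*=' "$cfg"; then
        # Replace the existing assignment in place (all other lines untouched);
        # write via a temp file so this works without GNU sed -i.
        sed "s/^[[:space:]]*tpmAttestationLevel[[:space:]]*=.*/tpmAttestationLevel = $level/" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        # Key absent: append it so the agent picks it up on restart.
        printf 'tpmAttestationLevel = %s\n' "$level" >> "$cfg"
    fi
}

# Usage: get_tpm_attestation_level <cfg-file>
# Prints the configured level (last assignment wins); prints nothing if unset.
get_tpm_attestation_level() {
    sed -n 's/^[[:space:]]*tpmAttestationLevel[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" \
        | tail -n 1
}

# Usage: attestation_enabled <cfg-file>
# Succeeds only when the level is boot or full, i.e. tamper detection is on.
attestation_enabled() {
    case "$(get_tpm_attestation_level "$1")" in
        boot|full) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run attestation_enabled on each gateway before onboarding to catch a missed or mistyped edit.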

Results

You have successfully associated the attestation profile with your TPM-based device template. You can now onboard your gateway using the TPM-based template.

What to do next

Onboard a gateway using the TPM-based authentication method. For more information, see Onboard a Gateway Using TPM-Based Authentication. After onboarding your gateway, go to Audit Log in the VMware Pulse IoT Center console and verify that the following audit types are displayed:
  • TPM Boot Attestation Succeeded
  • Runtime Boot Attestation Succeeded

If there is an attestation failure, check the following:

  • Check the Alerts tab for any alerts corresponding to boot or runtime attestation.
  • Check the Properties tab of the device.
    If there is a boot failure, the cause of the error is displayed. For example:
    boot-is-tampered: true
    boot-tamper-details: "PCR8 mismatched."
    For a runtime failure, the cause of the error is displayed. For example:
    runtime-is-tampered: true
    runtime-tamper-details: "Files with mis-matched digests: /etc/chrony.conf"