Introduction to IoT and MQTT and Secure Edge Devices

This is the introductory course for Secure Edge Devices. The purpose of this series is to practice industry best practices in security development focused on embedded systems that act as a gateway to cloud computing. This component is typically called edge computing. Edge computing devices range from ARM Cortex-A single cores processors, to fanless industrial PCs, to Xeon 1U servers.

This course focuses on two main aspects of secure edge systems: the embedded Linux configuration and security and Azure IoT hub integration. We will use a Raspberry Pi 4 for this class due to its popularity. Throughout the class we discuss various threat models and evaluate if the Raspberry Pi 4 is an appropriate choice for secure edge development.

Topics Covered during this Course

• Embedded Linux development with Buildroot
• Linux security technologies: dm-crypt, dm-verity, IMA
• Buildroot security hardening
• Overview of cryptographic coprocessors like TPM and others
• Basic Linux reverse engineering tools
• MQTT
• Azure Device Provisioning Service
• Azure IoT Hub

Day 1 - Buildroot Day

• Introduction to buildroot
• How to package custom software in buildroot
• Embedded Linux Hardening
• A survey of cryptographic hardware for edge devices
• Blackbox analysis of buildroot images

Assignment 1: Buildroot overview

• Students will download and build the default buildroot configuration
• Students will then create an out-of-tree buildroot configuration to keep custom modifications to buildroot
• We will analyze our buildroot configuration to understand how to modify settings for uboot, the compiler toolchain, and the rootfs.

Assignment 2: Buildroot Packaging

• Students will modify their rootfs and add existing buildroot packages to their system
• We will make a custom software, and add a custom out-of-tree package to buildroot and add it to the rootfs
• Students will understand and practice when and how to build the package during development, when a full build is required and how to troubleshoot the build system.

Assignment 3:Embedded Linux Hardening (Software)

• Students will investigate the busybox configuration and evaluate its security.
• Students will become comfortable with and perform audit of the Linux kernel configuration
• We will discuss various Linux security technology such as dm-crypt, dm-verity, linux key retention service, LUKS, and others
• Students will audit and evaluate the buildroot configuration to include the compiler settings, rootfs generation
• We will discuss various security approaches for example user/groups vs other mandatory access control
• We will cover in detail, how the development lifecycle should build-in these security milestones

Assignment 5: Embedded Linux Hardening (Hardware)

• We will discuss the Raspberry’s PI security vs other ARM Cortex SoC
• We will discuss and secure boot and explain u-boot FIT signing
• The instructor will show and explain various additional co-processors like TPM and secure elements.
• Students will evaluate the security of the Raspberry Pi from a hardware perspective

Assignment 6: Blackbox Buildroot

• Students will be given a blackbox buildroot image and will attempt to reverse engineer it
• We will cover briefly Linux RE tools (take the Intro to Hardware Hacking class for in-depth hands-on)
• Students will monitor the raspberry pi’s behavior and attempt to modify the system

Day 2 - MQTT and Azure IoT Hub

• Introduction to MQTT
• How to configure Azure IoT Device Provisioning Service
• How to combine everything we learned with Azure IoT Hub

Assignment 7: Azure for Embedded Developers

• For all Azure exercises, students will need their own Azure subscription or sandbox. If that’s not available, not a problem, students will be able to watch the instructor demonstrate all steps
• We’ll overview the basic components we will need for this course which is Azure IoT Hub and Virtual Machines (for MQTT).
• Overview of the Azure SDK ecosystem focusing on powershell and python use cases.

Assignment 8: MQTT

• Using Mosquitto, students will deploy a MQTT server to an Azure VM
• For live students, they will be able to dynamically interact with on-stream elements over MQTT such as manipulating RGBs and activating alarms remotely
• We will discuss and experiment with various QoS of MQTT messages
• We will discuss several security options when deploying raw MQTT

Assignment 9: Mutual TLS Overview

• As Azure IoT requires mutual TLS, we will overview PKI and TLS topics
• Students will build development PKI chains and understand various IoT provisioning systems
• Using Azure Device Provisioning System, we will register our development PKIs

Assignment 10: Complete Azure IoT Edge Deployment

• In this final exercises, students will deploy IoT Hub to Azure
• Using Python SDKs, students will connect to IoT Hub with mutual TLS
• Students will then send and receive messages using IoT Hub
• BONUS FOR LIVE STUDENTS: they will be able to participate in an interactive on-stream example of Azure IoT messages with the other students world-wide and the instructor

Class Requirements

• A laptop/desktop capable of running VMWare and at least 50GB of available storage. If students want to try the Azure examples they need their own Azure environment and the ability to create resources in Azure.
• The following hardware is required:
• Raspberry Pi 4 8GB (Note the power supply requirements here.
• We will be using the WiFi capabilities therefore you will need the ability to SSH into your RPi over WiFi