Mirza Krak
Embedded Solutions Architect
Mender.io
Integrate IoT cloud analytics and over-the-air (OTA) updates with Google and Mender.io
Session overview
● Over-the-air software updates for IoT and Mender introduction
● Yocto Project introduction
● Google IoT Core and Cloud IoT introduction
● Device authentication integration between Cloud IoT and Mender
About me
● Mirza Krak
○ 8 years in Embedded Linux
■ U-boot and Linux kernel
■ Yocto/Buildroot
○ mirza.krak@northern.tech
● mender.io
○ Open-source update manager for embedded devices
○ Open source (Apache License, v2)
○ Supports a variety of update styles
■ Dual A/B rootfs layout
■ Update Modules (beta)
○ Remote deployment management (server)
○ Under active development
https://northern.tech/careers
We are hiring
Internet of Things (IoT)
“The Internet of things (IoT) is the extension of Internet connectivity into physical devices and everyday objects. Embedded with electronics, Internet connectivity, and other forms of hardware (such as sensors), these devices can communicate and interact with others over the Internet, and they can be remotely monitored and controlled.”
Source: Wikipedia
It means taking all the things in the world and connecting them to the internet.
Connected devices must be remotely updatable
● There will be bugs, vulnerabilities
○ 1-25 per 1000 lines of code*
○ Botnets w/ millions of devices: Mirai, Hajime, Brickerbot
● ... and new features
● ... after device is deployed to the field
*Source: Steve McConnell, Code Complete
Source: Ars Technica
IoT devices are in a harsh environment
● Remote
○ Expensive to reach physically
● Long expected lifetime
○ 5 - 10 years
● Unreliable power
○ Battery
○ Suddenly unplugged
● Unreliable network
○ Intermittent connectivity
○ Low bandwidth
○ Insecure
What can go wrong?
Criteria for IoT software update management
● Robust and secure
● Atomic installation & consistent across devices
● Secure transport and codesigning
● Integrates with existing development environment
● Easy to get started
● Bandwidth consumption
● Downtime during update
What can go wrong?
General IoT update manager workflow
The slide shows the workflow as a flow chart; each step is marked either as must-have or as environment-specific. The steps shown:
● Detect update (secure channel)
● Download (secure channel)
● Integrity (e.g. checksum)
● Authenticate (e.g. signature)
● Decrypt
● Extract
● Compatibility check
● Pre-install actions
● Install
● Sanity checks
● Post-install actions
● (Re)Start*
● Failure recovery (e.g. roll back)
*E.g. reboot, restart service, start container
Mender provides both client and server
● Client-server model
○ Apache 2.0
○ Mender provides both, including web UI
○ No need to “glue” several projects
○ Server can integrate with 3rd party clients through its REST API
● Supports updating
○ File system images
○ Update Modules (beta)
■ Application updates
■ Containers
■ And more
Mender uses a dual A/B system layout
● Very robust
○ Fully atomic and consistent
● Integrates well
○ OS, kernel, apps unchanged
○ Needs bootloader “flip” support
○ Partition layout requires 2x rootfs storage
● Fairly short downtime (minute)
○ 1 reboot
Diagram: Device/System with a Bootloader selecting between OS A (active) and OS B (inactive), each with its own Kernel.
● Mender deploys to inactive partition, then reboots into it
○ Common design for IoT
○ Used in newer Androids (‘N’ and later)
Mender - server
Diagram: external clients (Mender Devices, Users) reach the server through the API Gateway (TCP 443) and the Storage Proxy (TCP 9000); the stateless application layer consists of the DeviceAdm, DeviceAuth, UserAdm, Inventory, Deployments, GUI and Conductor services; persistent storage is Minio, MongoDB, ElasticSearch, Redis and the Filesystem.
● Microservices
● Only ports 443 and 9000
● RESTful API
○ Device API
○ Management API
/api/management/v1/deployments
/api/management/v1/admission
/api/management/v1/devauth/
https://docs.mender.io/apis/overview
Yocto Project is a Linux build system
“It's not an embedded Linux distribution, it creates a custom one for you.”
● Structured way to build a Linux distribution from source, using software “meta layers”
● Flexible and very portable between hardware
○ Requires some learning
● Probably the most popular Linux “OS” for IoT devices
○ Major board manufacturers provide BSPs as Yocto meta layers
● Mender provides meta-mender for integrating the Mender client
● Google provides meta-gcp-iot for integrating Mender and the MQTT telemetry application
Google IoT Core
“Cloud IoT Core is a fully managed service that allows you to easily and securely connect, manage, and ingest data from millions of globally dispersed devices”
● MQTT and HTTP protocols
● Scales automatically in response to real-time changes
● Industry-standard security protocols protect your data
Google Cloud IoT (example)
Google IoT Core
● Protocol bridge
○ MQTT protocol endpoint
○ Automatic load balancing
○ Global data access with Pub/Sub
● Device manager
○ Configure individual devices
○ Update and control devices
○ Role level access control
○ Console and APIs for device deployment and monitoring
Device authentication is complex
● To securely authenticate to cloud services, devices need an identity and credential tuple
○ Typically a serial number and public/private keypair
● Different cloud services use different identity and credential tuples
● Result: Identity and key management becomes very complex and error-prone
Device authentication in Google IoT Core
● Device identity is based on an asymmetric key pair in one of two supported formats:
○ RSA 256 public key wrapped in an X.509v3 certificate
○ Elliptic curve (ECDSA) algorithm using P-256 and SHA-256 [more efficient, better suited for small devices]
● Credentials may optionally have an expiration timestamp
● A device can have up to 3 credentials associated with it at a time, allowing for rotation
● The service should never need the private key
● The sequence shown here is only one way to handle device provisioning
Device authentication in Google IoT Core
Sequence shown on the slide, between the Provisioner, the Device, the Device manager and the MQTT/HTTP broker:
1. The device key pair is securely generated in a secure element (Microchip ATECC608A or NXP A71CH) soldered to the device; the private keys stay in it. The public keys are passed on as a file.
2. Provisioner: run API script with the public key files → Device manager: Create device (deviceid, public key) → OK. The device manager saves the device / public key association.
3. Device: create JWT; the secure element signs the JWT.
4. Device → MQTT/HTTP broker: Connect (device id, signed JWT). The broker verifies the JWT signature with the public key → Connected.
Device authentication in Mender
Diagram: on the IoT device, the Mender client holds a unique client identity, a unique client key pair, the trusted server cert and root certs, referenced from the Mender config; on the Mender server side the API gateway (nginx) holds the trusted server cert. Client and server communicate over TLS (https).
● Unique client key pair: RSA key unique to this client. Used to sign client identity in auth requests. Will be tied to client identity in server.
● Unique client identity: identity attributes (key-value). Identity scheme is customizable; typically serial number or MAC address is used. More info: Identity in Mender
1. Auth request: client identity, signed(client identity)
2. Reject (if client unknown/pending) or issue JWT auth token to client.
Clients get JWT auth token if:
A. They are preauthorized, or
B. Accepted (once pending) by user/script
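The two-step exchange above (auth request carrying the signed client identity, then reject-or-issue-token depending on whether the client is preauthorized, pending or accepted), as an added Go example that is not Mender's own code: the client signs its identity attributes together with its RSA public key, and the server verifies the signature with that presented key before consulting its preauthorized/accepted state. The wire format is simplified relative to Mender's (the key travels as a struct rather than PEM, the signature alongside the body rather than in a header, and an opaque random token stands in for the JWT); the `mac` identity attribute is a constructed sample value.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuthBody is what the client signs: identity attributes (e.g. serial number or MAC) plus the
// public key to tie to them. json.Marshal sorts map keys, so the encoding is canonical.
type AuthBody struct {
	IDData map[string]string `json:"id_data"`
	PubKey *rsa.PublicKey    `json:"pubkey"` // Mender sends PEM; the raw key is used here for brevity
}

// SignAuthRequest is the client side: RSASSA-PKCS1-v1_5 over SHA-256 of the serialised body.
func SignAuthRequest(priv *rsa.PrivateKey, idData map[string]string) ([]byte, string, error) {
	body, _ := json.Marshal(AuthBody{IDData: idData, PubKey: &priv.PublicKey}) // fixed struct, cannot fail
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, "", err
	}
	return body, base64.StdEncoding.EncodeToString(sig), nil
}

// DeviceKey binds identity attributes to a key fingerprint; a new key with a known identity is a new device.
func DeviceKey(req AuthBody) string {
	idJSON, _ := json.Marshal(req.IDData)
	keyJSON, _ := json.Marshal(req.PubKey)
	return fmt.Sprintf("%s|%x", idJSON, sha256.Sum256(keyJSON))
}

// AuthServer stands in for Mender's deviceauth service; both maps are keyed by DeviceKey.
type AuthServer struct {
	Authorized map[string]bool // preauthorized, or accepted by a user/script
	Pending    map[string]bool // seen, waiting for a user/script to accept
}

// Accept is the user or script action that moves a pending device to accepted.
func (s *AuthServer) Accept(id string) {
	delete(s.Pending, id)
	s.Authorized[id] = true
}

// Authorize checks the signature with the presented key, then issues a token only to a preauthorized or accepted pair.
func (s *AuthServer) Authorize(body []byte, sigB64 string) (string, error) {
	var req AuthBody
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || json.Unmarshal(body, &req) != nil || req.PubKey == nil {
		return "", fmt.Errorf("malformed auth request")
	}
	digest := sha256.Sum256(body)
	if rsa.VerifyPKCS1v15(req.PubKey, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature does not match the presented key")
	}
	id := DeviceKey(req)
	if !s.Authorized[id] {
		s.Pending[id] = true // unknown or still pending: record it and reject
		return "", fmt.Errorf("device pending: %s", id)
	}
	tok := make([]byte, 16) // Mender issues a JWT auth token here; an opaque random token stands in
	_, err = rand.Read(tok)
	return hex.EncodeToString(tok), err
}
```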
Device authentication integration workflow
Integration based on common private key
Diagram: the device identity is tied to the private key (secure on disk or in a secure element), which is shared by the MQTT client and the Mender agent on the device. The MQTT client talks to Google Cloud IoT Core (telemetry and data plane); the Mender agent talks to the Mender OTA server (OTA and firmware management).
Reference integration
Step-by-step tutorial available
bit.ly/mender-google
Thank you
Questions?
