setrofim / enact

Enact is an open-source software that enables you to monitor the health of your system

EnactTrust

EnactTrust is a driver for interacting with TPM 2.0 devices on IoT hardware. It facilitates Remote Attestation Procedures (RATS, see RFC 9334) by collecting Evidence about the state of a device and relaying that Evidence to a Verifier operated either by the device owner or by EnactTrust.

Security and compliance for IoT & Edge systems

Typical use cases are:

  • protection of IoT devices in the field (including offline)
  • monitoring of the device health of Edge devices
  • compliance with IEC 62443 for Industrial IoT systems

To learn more about EnactTrust, read our whitepaper.

Quick start

Use this Dockerfile to try EnactTrust in 3 minutes. All you need is a unique user id from https://a3s.enacttrust.com and these few commands:

docker build --tag enact .
docker run -d -t --name enact-quickstart enact
docker exec -it enact-quickstart sh
$ tpm_server &> tpm.log
$ enact onboard A3S_USER_ID

By default EnactTrust protects the Linux password file and alerts on unauthorized changes to the system credentials and accounts.

To send fresh evidence, just execute enact without any parameters; your system is already onboarded.
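Added example (not code from the EnactTrust repository) showing in Python the two RATS roles involved in the check described above: the Attester measures the password file and binds the Verifier's nonce, and the Verifier checks freshness and authenticity before comparing the measurement to its Reference Value. The file contents, the nonce handling and the HMAC key standing in for the TPM's attestation key are constructed assumptions; in EnactTrust the measurement and signature come from the TPM itself.

```python
import hashlib
import hmac
import os

# Constructed stand-in for /etc/passwd and a tampered copy with an extra UID-0 account.
PASSWD_GOOD = b"root:x:0:0:root:/root:/bin/bash\nenact:x:1000:1000::/home/enact:/bin/sh\n"
PASSWD_TAMPERED = PASSWD_GOOD + b"extra:x:0:0::/root:/bin/sh\n"

# Hypothetical shared key; a real deployment uses the TPM attestation key to sign a quote.
ATTEST_KEY = b"demo-attestation-key"


def make_evidence(passwd_bytes: bytes, nonce: bytes) -> dict:
    """Attester role: measure the password file and bind the Verifier's nonce to it."""
    digest = hashlib.sha256(passwd_bytes).hexdigest()
    mac = hmac.new(ATTEST_KEY, nonce + digest.encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "passwd_sha256": digest, "mac": mac}


def appraise(evidence: dict, expected_nonce: bytes, reference_digest: str) -> dict:
    """Verifier role: reject stale or unauthenticated Evidence, then appraise it."""
    if bytes.fromhex(evidence["nonce"]) != expected_nonce:
        return {"status": "reject", "reason": "stale or replayed evidence"}
    expected_mac = hmac.new(
        ATTEST_KEY, expected_nonce + evidence["passwd_sha256"].encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected_mac, evidence["mac"]):
        return {"status": "reject", "reason": "evidence not authenticated by attester key"}
    if evidence["passwd_sha256"] != reference_digest:
        return {"status": "alert", "reason": "password file differs from reference value"}
    return {"status": "healthy", "reason": "password file matches reference value"}


def demo() -> tuple:
    """Run the healthy, tampered and replayed cases; returns the three result statuses."""
    reference = hashlib.sha256(PASSWD_GOOD).hexdigest()
    nonce = os.urandom(16)
    good = appraise(make_evidence(PASSWD_GOOD, nonce), nonce, reference)
    tampered = appraise(make_evidence(PASSWD_TAMPERED, nonce), nonce, reference)
    replayed = appraise(make_evidence(PASSWD_GOOD, nonce), os.urandom(16), reference)
    return good["status"], tampered["status"], replayed["status"]


if __name__ == "__main__":
    print(demo())  # ('healthy', 'alert', 'reject')
```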

Screenshots

EnactTrust screenshot

Explore device health by visiting the EnactTrust Security Cloud.

Installation

Please check the INSTALL.md file for step-by-step instructions. A short summary is available below:

  1. Git clone this repo
  2. Make
  3. Register at https://a3s.enacttrust.com
  4. enact onboard A3S_USER_ID (get user id from the step above)
  5. enact

If you're familiar with attestation and are comfortable with looking at C code, you can also try out the EnactTrust API which is aimed primarily at 3rd party integrations.

Requirements

EnactTrust is built for IoT and Edge devices that live in the field for 3, 5 or 10 years, so our implementation is highly portable and supports the most popular firmware architectures, including the major RTOS solutions such as FreeRTOS and Zephyr:

Architecture            EnactTrust   QuickStart
RTOS                    Yes
Bare-metal              Yes
Safety-critical (FSM)   Yes
Linux                   Yes          Yes

Additionally, we aim to support hardware hardening technologies like TrustZone (TF-M & TF-A).

Built With

The QuickStart version of EnactTrust uses:

  • wolfTPM — Our QuickStart version uses wolfTPM because it is designed for embedded systems and requires no external dependencies.
  • libcurl — Our agent uses Curl to communicate easily with our cloud server.

Let us know if you want access to our TF-M and TF-A variant of EnactTrust by sending us an email.

Tiers

This version of EnactTrust is called "Quick Start" and is designed for ease of use.

Note: EnactTrust is meant to run in a memory-isolated environment, so it can protect your system even when your device is compromised or under attack.

Here is the complete list of EnactTrust versions:

  • Quick start - Basic attestation for 1 node (this version).
  • Developer - Advanced attestation for 5 nodes.
  • Enterprise - Protecting IoT products during their entire lifecycle, ZeroTrust security model for critical infrastructure, available on premise and as a managed service, EnactTrust agent deployed in memory isolation to protect the system even in the case of an attack.

History

The original concept of EnactTrust emerged during 2017 at the largest trade fair for the "Internet of Things", Embedded World in Nuremberg, Germany. For the very first time there was a dedicated Trusted Platform Module (TPM) track. Presenters included managers from ARM, OnSemi and other industry leaders. Surprisingly, none of the five speakers talked about Trusted Computing or mentioned the use of TPM 2.0 modules.

The capability to build trust into a computer system remained just a marketing slogan in 2017. Therefore, in early 2018 we built the first prototype of what later became known as EnactTrust. It took years of development and testing with interested companies to define the core features and qualities of EnactTrust that we have today.

The current "Quick Start" version of EnactTrust has been rewritten to use the open-source wolfTPM and libcurl libraries, and targets Linux for ease of use.

Contact us

The goal of EnactTrust is to make IoT and Edge systems more secure. Send us an email with your questions and we will respond. Alternatively, you can also use the TPM.dev forum.

We look forward to receiving your comments and questions.

About

License: GNU General Public License v2.0

Languages: C 97.4%, Dockerfile 1.7%, Makefile 0.9%