About PLCnext TPM architecture
Hello Sir
We have a customer who cares about the TPM of PLCnext; however, we have little information about the PLCnext TPM architecture and principle and, what's more, about how to implement it. Could you please explain it generally, or send us some related documents?
Looking forward to your reply. Thank you very much!
Comments
Hello,
Here is some initial information:
Please let us know if you need more information.
~ Martin.
Hello Martin
Thank you for your information!
However, there are several topics we care about:
1. The general description of the architecture design of the PLCnext TPM: is it based on an FPGA, or on something else? Maybe like the attached picture shows.
2. About the TPM function: is it just something we claim to the customer, or is there a so-called third-party inspection agency certification that makes the customer accept it?
3. For some primary users, how can we do a simple test, for example the same operation on a PLCnext and a classical PLC, to show the different effect with TPM and without TPM?
Just a discussion; I'm sorry if I offended you.
Looking forward to your reply!
Hello,
I will pass your questions on to the technical experts in this area, and let you know the result.
It's no problem, these are good questions!
Regards,
Martin.
Just a short update - one of our technical experts is currently putting together answers to these questions, and we expect to be able to post these answers some time next week.
~ Martin.
OK, here are some answers from our technical experts:
TPM is an additional chip which is connected to the FPGA. The TPM protects the Initial Device Identity ("IDevID") and the default password.
In the Certification Authentication WBM Page, the details of the IDevID certificate’s chain can be checked:
Keys, certificates and individual default password are saved to the TPM during production and cannot subsequently be changed.
In IEC 62443, this data is called “Manufacturers roots of trust”, because this information is used to securely identify the device.
The device specific data is stored in the end entity certificate shown in the AXC F 2152 certificate.
Among other information, the serial number of the device is also provided securely.
This certificate is used to ensure that only trusted communication partners can communicate with the PLCnext device.
The certificates are generated with a PKI (public key infrastructure) and need to be stored securely to the device during production.
Managing a PKI requires specific processes and maintenance.
The development process of PLCnext is certified by TÜV SÜD according to IEC 62443-4-1.
This certification covers the PKI handling and production process.
The certificate chain is used by our engineering software (PLCnext Engineer) to prove that we are accessing a PxC device. It also protects communication between PLCnext Engineer and the PLC from tampering.
In the application program, programmers can use this information to check if they are running on a PLCnext Control device, or even on a specific device, by checking the serial number. The PLCnext Engineer function block SEC_VERIFY_DEVICE_IDENTITY offers a check of the device identity. In this way, it is possible to guarantee that the user program is executing on a specific device family, or even on one unique device.
Please let us know if you have any other questions.
~ Martin.
You currently cannot download the root cert from our webpage, but it is part of the identity store of every PLCnext device.
Please refer to the screenshot above from the identity store; the root CA is the 5th in the list.
Take care,
Frank
I have a starter kit on order and will extract it once I have it on my bench.
I am exploring the option of using the device's signed TPM cert as an attestation cert, or birth certificate, to be trusted in our own infrastructure. In the future, do you plan to make the root cert publicly available? I think that would be far more convenient, as it is something we can automate around.
Another question: what information is present in the device's certificate that we can use to validate inventory? Is the PLCnext device's serial number encoded in the certificate somewhere, for example?
As developers on the PLCnext device, do we have the ability to interact with the TPM and use it to sign? If so, can you point me to any documentation? Thanks.
The security expert who can answer these questions is back in the office next week, so I hope we can answer all the outstanding questions then.
If OPC UA is used and a Global Discovery Server (GDS) is available, then your own certificates can be provided to the device via GDS.
We provide an interface that can be used to retrieve information like this. Besides the device name “Subject_CN” and the serial number “Subject_SN”, the full subject is provided as a string. The idea is to let the application check if it is running on the correct device. If not, the application might close itself and/or take other actions.
You can use PLCnext Engineer function blocks (below) or the Device Identity Validator Service in C++ code.
It's technically possible to generate a new private/public key from the TPM and use it on a PLCnext Control device. To proceed with this, you will need to get in touch with the technical support people in the Phoenix Contact office in your country, via your sales person. Or, with your permission, we can give them your contact details. This is not a common request, and it's better if we do this via direct contact.
(ref: #217134)
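As an added illustration of the device-identity policy the answers above describe (check the device family via Subject_CN, or pin one unique device via Subject_SN, and stop the application otherwise), here is a stand-alone Python sketch. It is not Phoenix Contact code and does not call the Device Identity Validator Service; the subject string layout, the attribute names `CN`/`serialNumber`, and all sample values are constructed assumptions.

```python
"""Device-identity check in the spirit of SEC_VERIFY_DEVICE_IDENTITY.

Added example, not Phoenix Contact code. The end-entity certificate's
subject is assumed to arrive as an RFC 4514 string; the attribute names
and the sample values below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample subject; the real IDevID subject layout is not shown in the thread.
SAMPLE_SUBJECT = r"CN=AXC F 2152,serialNumber=1234567890,O=Example Vendor\, Inc.,C=DE"


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 DN into {attribute: value}, honouring '\\,' escapes."""
    rdns = re.split(r"(?<!\\),", dn)  # split on commas not preceded by a backslash
    fields = {}
    for rdn in rdns:
        key, _, value = rdn.partition("=")
        fields[key.strip()] = value.replace(r"\,", ",").strip()
    return fields


@dataclass
class IdentityResult:
    ok: bool
    reason: str


def verify_device_identity(subject: str, expected_family: str,
                           allowed_serials: Optional[frozenset] = None) -> IdentityResult:
    """Two policies from the thread: device family only, or one unique device.

    expected_family  -> Subject_CN must equal the expected controller type
    allowed_serials  -> if given, Subject_SN must additionally be in this set
    """
    fields = parse_dn(subject)
    cn, sn = fields.get("CN"), fields.get("serialNumber")
    if cn != expected_family:
        return IdentityResult(False, f"unexpected device family {cn!r}")
    if allowed_serials is not None and sn not in allowed_serials:
        return IdentityResult(False, f"serial {sn!r} not in allow-list")
    return IdentityResult(True, f"running on {cn} with serial {sn}")


if __name__ == "__main__":
    # Application start-up: refuse to run when not on the trusted device.
    result = verify_device_identity(SAMPLE_SUBJECT, "AXC F 2152", frozenset({"1234567890"}))
    print(result)
    if not result.ok:
        raise SystemExit(1)
```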