Workshop Exercise 3.1 - Introduction to FDO
Table of Contents
- Objective
- Step 1 - An Overview of FDO
- Step 2 - The Overall Workflow
- Step 3 - Creating the Ownership Voucher
- Step 4 - First Boot at Destination
- Special Thanks
Objective
In this exercise, we’ll learn about what FDO is and review the key principles of Red Hat’s implimentation of secure device onboarding.
Step 1 - An Overview of FDO
FDO, or FIDO Device Onboard is actually a specification for securely onboarding devices, specifically edge and IoT devices. It works to solve the fundamental challenge of “how do I know this edge device is mine, and hasn’t been tampered with”.
A few of the key design principles for FDO are:
- Leveraging standard tools for authentication and trust
- Compatibility with other tooling
- Hardware/platform agnostic
- Open specification
- “Late binding” - devices can be pre-configured without needing to know the final destination
Red Hat’s implimentation integrates with the Device Edge stack to provide the ability to securely onboard Device Edge at remote sites.
Step 2 - The Overall Workflow
The FDO workflow involves 7 major steps:
- The device manufacturer preps devices with the FDO client and certifcates, and creates an ownership voucher
- The device manufacturer stores the ownership voucher and sends the device to its destination
- The device owner boots the device
- The devices calls out to the rendezvous server
- The rendezvous server sends the information of the onboarding server
- The device forms a secure channel with the onboarding server
- The device grabs secrets and files, as well as automated configuration steps
Step 3 - Creating the Ownership Voucher
In Red Hat’s implimenation of FDO, the ownership voucher steps are handled by the edge-simplified-installer. We’ll provide the address of our manufacturing server, and the installer will handle the rest while applying our image to the edge device.
Step 4 - First Boot at Destination
Once the device has reached its destination, steps 3-7 from above happen. For our lab today, we’ll be using the ‘all-in-one’ setup of FDO, so all the components will reside on the same system, however production implimentations will have the various functionality spread out across different systems.
Special Thanks
A special thank you to Luis Arizmendi Alonso for his deep dives on FDO, which are referenced heavily throughout this workshop.
Navigation
| Previous Exercise | Next Exercise |