Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project
Oleg Sadov, Petr Fedchenkov – ITMO University
Roman Shaposhnik, Dr. Dmitri Chiriaev – ZEDEDA
Evolution in a Connected World Requires an Open Edge
Key Requirements
› Bare metal device onboarding and management at scale
› Application/runtime deployment, update, and management at scale
› On devices in remote locations
› Don't introduce security issues
› Run different applications/runtimes
(Slide graphic labels: ZERO TRUST, ZERO TOUCH, ANY APP | HARDWARE | NETWORK; "APP ?" resolved by EDGE CONTAINERS)
The Enterprise Cyber-Physical Edge Stack
(Stack diagram, top to bottom)
Customer Business Outcomes: reduce outages, improve predictability, increase efficiencies
Cloud/DC
Edge Software:
  Data Services Layer: Abstract & Distribute IoT Data (IoT Edge, Greengrass, Fledge)
  Infra Services Layer: Virtualize & Abstract Edge (EVE-OS: Edge Virtualization Engine, open source edge runtime for ubiquity)
Edge Hardware
Machines & Assets: Sensors, Equipment, PLCs…
Project EVE Architecture
(Architecture diagram: Edge Virtualization Controller above, Edge Virtualization Engine in the middle, Hardware Layer below)

Edge Virtualization Controller: Device Identity, Onboarding, Security Foundation, Self update, Device connectivity, Device APIs, Edge Container runtime, Edge Container connectivity, Deployed Edge Containers
EVC sample: Adam. Commercial EVC:

EVE-EVC API: config, status, metrics, logs

Edge Virtualization Engine components:
  EVEagent: config, status, metrics
  Downloader
  Verifier: sha, sigs
  EVEmanager: instance orchestrator
  Domain mgr (dom0)
  EVErouter: DHCP, DNS, ACLs, LISP, VPN; NAT
  Crypto device identity (TEE/TPM)
  Crypto instance identity
  Device onboarding
  Mesh network
  TLS 1.2/1.3, OCSP stapling
  Baseos manager
  Grub gpt priority boot
  Network interface manager
  Device connectivity
  Instance connectivity (switch, mesh, cloud)
  log manager
  HW info, metrics
  I/O virtualization and assignment
  Hardware watchdog, Linux watchdog
  Remote instance consoles
  Instances A, B, C, D; Driver domain(s)

Hardware Layer: Eth, wlan, wwan; Eth, RS 485, BTLE etc
Deployment Models

IoT Data Analytics
• Extract data for local analysis / cloud and connect to new sensors
• No interference with existing setup
• Secure apps with private networks

IoT Edge Router
• Added security for current/legacy IoT
• Deploy a network proxy application (e.g., MQTT)
• Add app to update firmware of legacy hardware

Security Appliance
• Deploy and manage security apps
• Add SPAN port collector to network
• Gain visibility and monitor traffic with network security apps (e.g. Nozomi)

(Diagram labels: Legacy Hardware; IT, ERP, MES; IoT Edge Compute; EVE Node; Storage Service; WAN/Internet; Network Probe; IDS; SPAN PORT; EVC)
EDEN – Go-based testing/modelling environment
● Framework/CLI for managing EVE and ADAM infrastructure.
● Test binaries that can be used to write test scripts and detect some specific EVE states.
(Diagram labels: PC: EDEN CLI, EDEN test binaries, File/OCI Registry, Streaming DB, ADAM, EVE QEMU; EVE RPi4; Cloud: EVE GCP, DockerHub, Public VMs)
Resources
› Project: https://www.lfedge.org/projects/eve/
› Whitepapers:
  › architecture: https://zededa.com/wp-content/uploads/2021/03/ZEDEDA-Architecture-WP-Feb2021.pdf
  › security: https://zededa.com/wp-content/uploads/2021/03/ZEDEDA-Security-WP-Feb2021.pdf
› EDEN Quick Start: https://github.com/lf-edge/eden