Document 'bootstrap' for signed boot provisioning #315

Description

@daniel-ambient

Summary

If one does not have a device that is secured and has a key in OTP, then one cannot upload a private key as it cannot be device wrapped. This creates a bootstrap issue when one wants to create the first secured device using rpi-sb-provisioner.

Workaround

  1. Copy a signing key to your rpi-sb-provisioner keys directory.
  2. Edit /etc/rpi-sb-provisioner/config and point CUSTOMER_KEY_FILE_PEM at the signing key.
    • This will show a big red warning that at least one of your keys is unencrypted at rest. Ignore that for now.
  3. Create your signed bootloader and provision a secured device
  4. Copy your configuration and data files (including /etc/rpi-sb-provisioner, /var/lib/rpi-sb-provisioner, /var/log/rpi-sb-provisioner, and any custom directories (e.g. /srv/rpi-sb-provisioner)) to the new secured device.
  5. Once you have verified the new secured device works, wipe storage of the unsecured bootstrap device
  6. Rotate and encrypt your signing key

(Note that 5 and 6 are untested as yet; they are my plan at this point.)
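
An added example, not part of the original issue or of rpi-sb-provisioner itself: a shell check to run after step 6 that reads CUSTOMER_KEY_FILE_PEM from the config and flags a signing key that is still a plaintext PEM or is readable beyond its owner. It assumes the config holds shell-style KEY=value lines; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the signing key referenced by CUSTOMER_KEY_FILE_PEM.
# Assumption: the config file holds shell-style KEY=value lines.

# Print the value of CUSTOMER_KEY_FILE_PEM from config file $1 (last assignment wins).
key_path_from_config() {
    sed -n 's/^[[:space:]]*CUSTOMER_KEY_FILE_PEM=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Classify key file $1 from its PEM headers: encrypted, plaintext or unknown.
pem_at_rest_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo unknown   # not a PEM private key, e.g. some other wrapped format
    fi
}

# Succeed only if group and other have no permission bits on file $1.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Audit config $1. Returns 0 if clean, 1 on a finding, 2 if the key cannot be located.
audit_signing_key() {
    key=$(key_path_from_config "$1")
    [ -n "$key" ] || { echo "CUSTOMER_KEY_FILE_PEM is not set in $1"; return 2; }
    [ -f "$key" ] || { echo "key file not found: $key"; return 2; }
    rc=0
    if [ "$(pem_at_rest_state "$key")" = plaintext ]; then
        echo "FINDING: $key is a plaintext PEM private key"
        rc=1
    fi
    if ! owner_only "$key"; then
        echo "FINDING: $key is accessible to group or other"
        rc=1
    fi
    return $rc
}

# Run against the config path given as the first argument, if any.
if [ $# -gt 0 ]; then
    audit_signing_key "$1"
fi
```

Invoke it with the config path, for example /etc/rpi-sb-provisioner/config; a non-zero exit status means the bootstrap-state key is still in place or could not be located.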
