Summary
If one does not have a device that is secured and has a key in OTP, then one cannot upload a private key, as it cannot be device wrapped. This creates a bootstrap issue when one wants to create the first secured device using rpi-sb-provisioner.
Workaround
1. Copy a signing key to your rpi-sb-provisioner keys directory.
2. Edit /etc/rpi-sb-provisioner/config and point CUSTOMER_KEY_FILE_PEM at the signing key.
3. This will show a big red warning that at least one of your keys is unencrypted at rest. Ignore that for now.
4. Create your signed bootloader and provision a secured device.
5. Copy your configuration and data files (including /etc/rpi-sb-provisioner, /var/lib/rpi-sb-provisioner, /var/log/rpi-sb-provisioner, and any custom directories, e.g. /srv/rpi-sb-provisioner) to the new secured device.
6. Once you have verified the new secured device works, wipe the storage of the unsecured bootstrap device.
7. Rotate and encrypt your signing key.
(Note that 5 and 6 are untested yet; they are my plan at this point.)
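An added shell example, not code from the rpi-sb-provisioner project, covering the key-handling steps of the workaround above: it stages the bootstrap key with owner-only permissions, sets CUSTOMER_KEY_FILE_PEM in the config, flags the unencrypted-at-rest condition the warning refers to, and wraps the key afterwards. Assumptions: the config is a plain KEY=VALUE file, the keys directory and config path are passed in as arguments (so it can be run against a scratch directory), and passphrase-protected PKCS#8 via openssl is one acceptable way to protect the key at rest (the format the provisioner itself expects is not stated here).

```shell
#!/bin/sh
# Added example, not rpi-sb-provisioner's own code. Paths are parameters; on a
# real host they would be /etc/rpi-sb-provisioner/config and the keys directory.
set -eu

# set_config_value CONFIG KEY VALUE: replace any existing KEY= line, else append.
set_config_value() {
  cfg="$1"; key="$2"; val="$3"
  touch "$cfg"
  grep -v "^${key}=" "$cfg" > "$cfg.tmp" || true
  printf '%s=%s\n' "$key" "$val" >> "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
}

# get_config_value CONFIG KEY: print KEY's value (empty if unset).
get_config_value() {
  grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# key_is_plaintext_pem FILE: true when FILE is an unencrypted private key,
# the condition behind the provisioner's "unencrypted at rest" warning.
key_is_plaintext_pem() {
  grep -q 'BEGIN .*PRIVATE KEY' "$1" \
    && ! grep -q 'ENCRYPTED PRIVATE KEY' "$1" \
    && ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# stage_bootstrap_key SRC_PEM KEYS_DIR CONFIG: steps 1 and 2 of the workaround.
# Copies the key with owner-only permissions and points CUSTOMER_KEY_FILE_PEM at it.
stage_bootstrap_key() {
  src="$1"; keys_dir="$2"; cfg="$3"
  [ -f "$src" ] || { echo "missing key: $src" >&2; return 1; }
  mkdir -p "$keys_dir" && chmod 700 "$keys_dir"
  dest="$keys_dir/$(basename "$src")"
  cp "$src" "$dest" && chmod 600 "$dest"
  set_config_value "$cfg" CUSTOMER_KEY_FILE_PEM "$dest"
  if key_is_plaintext_pem "$dest"; then
    echo "WARNING: $dest is unencrypted at rest; encrypt it after bootstrap" >&2
  fi
}

# encrypt_key_at_rest PLAIN_PEM OUT_PEM: step 7 (assumed scheme), wrap the key as
# a passphrase-protected PKCS#8 file (passphrase from $KEY_PASS), remove plaintext.
encrypt_key_at_rest() {
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout env:KEY_PASS
  chmod 600 "$2"
  shred -u "$1" 2>/dev/null || rm -f "$1"
}
```

After encrypting, point CUSTOMER_KEY_FILE_PEM at the new file with set_config_value so the config never references a key that no longer exists.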