This release adds IDP image provisioning, firmware-crypto-backed device identity
workflows, OpenSSL 3 PKCS#11 provider support, and a broad set of provisioning
reliability fixes accumulated through the 2.3.0 preview series.
Highlights
- Add IDP (Image Description Provisioning) support for rpi-image-gen artefacts,
including archive upload, JSON/image validation, metadata-driven WebUI
configuration, secure-boot slot signing, customisation hooks, and service-log
viewing.
- Add Raspberry Pi firmware crypto integration for cryptroot unlock and
Raspberry Pi Connect device identity registration. The device firmware crypto
key is provisioned and OTP-locked as part of the provisioning flow.
- Move HSM support from the deprecated OpenSSL ENGINE path to OpenSSL 3
pkcs11-provider/OSSL_STORE, with provider readiness checks and HSM key
discovery in the WebUI.
- Encrypt stored HSM PINs and uploaded PEM signing keys at rest using a
device-bound AES-256-GCM wrapper derived from the Raspberry Pi firmware crypto
device key.
- Add A/B-capable 2712 EEPROM signing support and refresh bundled fastboot
gadgets for EEPROM measurements, fixed A/B bootfiles, and monolithic sparse
whole-disk image writing.
- Remove the manual Raspberry Pi 5 re-plug step by using set_reboot_order=0x3
in the recovery configuration so devices return to RPIBOOT automatically.
Reliability Fixes
- Fix the Trixie/systemd 257 cryptroot initramfs switch-root regression reported
in #299.
- Use kernel crypto module aliases and copy modules for all applicable kernels,
improving compatibility across kernel updates.
- Preserve real provisioner exit statuses from cleanup traps so failures are
visible to systemd, the WebUI, and manufacturing records.
- Invalidate cached signed artefacts when firmware or signing keys change, and
wipe cached workdir artefacts on package upgrade.
- Replace the WebUI state database inotify watcher with authenticated local
notification endpoints to avoid steady-state CPU spin while keeping device
status updates responsive.
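The exit-status fix listed above addresses a failure mode that is easy to reproduce in isolation. The following is an added example, not code from rpi-sb-provisioner: `step`, `run_masking` and `run_preserving` are hypothetical names, and the masking pattern is an assumed instance of the bug class, since these notes do not show the original code.

```shell
#!/bin/sh
# Added example: constructed functions, not rpi-sb-provisioner code.

# Constructed stand-in for a provisioning step that exits with status $1.
step() { return "$1"; }

# Masking pattern (assumed shape of the bug class): cleanup reads $? only
# after its own commands have run, so a successful rm overwrites the status.
run_masking() {
    (
        workdir=$(mktemp -d)
        cleanup() {
            rm -rf "$workdir"
            exit $?                 # status of rm, not of the failed step
        }
        trap cleanup EXIT
        step "$1" || exit $?
    )
}

# Preserving pattern: capture $? as the first action of the trap handler,
# let cleanup commands fail or succeed freely, then exit with the saved value.
run_preserving() {
    (
        workdir=$(mktemp -d)
        cleanup() {
            rc=$?                   # must be first: any command resets $?
            trap - EXIT             # do not re-enter the handler
            rm -rf "$workdir" || true
            exit "$rc"
        }
        trap cleanup EXIT
        step "$1" || exit $?
    )
}

# Demo: a step failing with 42 is reported as 0 by the first wrapper.
for wrapper in run_masking run_preserving; do
    seen=0
    "$wrapper" 42 || seen=$?
    echo "$wrapper: step exited 42, caller saw $seen"
done
```

A supervisor such as systemd only sees the final status, so the masking wrapper would record a failed run as a success.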
Upgrade Notes
- The final supported release is 2.3.0; the 2.3.0~pre* builds are no longer
supported.
- Runtime dependencies now require recent rpi-eeprom and rpiboot packages,
plus pkcs11-provider, p11-kit support, gnutls-bin, and librpifwcrypto.
- Package upgrades clear /srv/rpi-sb-provisioner/workdir cached artefacts.
Persistent data such as images, manufacturing databases, state databases, logs
and configuration are preserved.
- Stored PINs and uploaded PEM signing keys are migrated to device-wrapped
storage when saved on a system with firmware crypto support. Wrapped material
is intentionally bound to that provisioner device.
What's Changed
- fix: Catch error codes from customisation scripts by @tdewey-rpi in #264
- docs: Update README for 2.2.0 UI by @tdewey-rpi in #265
- 2.3.0: New visualisers, new options UI, IDP support, Fastboot upgrades by @tdewey-rpi in #275
- Validate IDP JSON, always deploy rpifwcrypto keys by @tdewey-rpi in #278
- Raspberry Pi Connect Device Identity support by @tdewey-rpi in #279
- fastboot: Update gadgets to b290c63e7b91f49d84334ac652f38f611c3d92a3 by @tdewey-rpi in #280
- IDP Support Enhancements by @tdewey-rpi in #281
- 2.3.0: cryptroot uses rpifwcrypto, falls back to OTP by @tdewey-rpi in #283
- Missing comma in udev rules by @stu-spp in #284
- provisioners: Fixup error status capture in cleanup() by @tdewey-rpi in #285
- IDP Provisioner Testing Fixes by @tdewey-rpi in #287
- provisioners: Update Connect terminology by @mudge in #291
- 2.3.0: Hardening & resilience fixes by @tdewey-rpi in #292
- 2.3.0: Liveness & TCP worker improvements by @tdewey-rpi in #293
- provisioner-service: ui: Raspberry Pi 5 re-plug banners by @tdewey-rpi in #294
- debian/control: Add missing zlib1g-dev & libzstd-dev build dep by @starnight in #288
- 2.3.0: Device detail page fixes by @tdewey-rpi in #295
- 2.3.0-pre1: Release by @tdewey-rpi in #297
- 2.3.0-pre2: Update Cryptroot, Fastboot by @tdewey-rpi in #300
- deps: Bump rpi-eeprom, rpiboot by @tdewey-rpi in #301
- 2.3.0-pre2: Eliminate Pi5 replug events by @tdewey-rpi in #302
- changelog: Update pre2 by @tdewey-rpi in #303
- Fix secure-boot configured but no partitions with static.role="boot" in image.json by @stu-spp in #304
- 2.3.0-pre3: A/B EEPROM signing support by @tdewey-rpi in #306
- Completely remove root= from cmdline.txt modifications. by @stu-spp in #307
- 2.3.0-pre4: Legacy OS flashing fixed, EEPROM measurements trimmed by @tdewey-rpi in #308
- 2.3.0: Add key encryption at rest, bump deps by @tdewey-rpi in #310
New Contributors
- @mudge made their first contribution in #291
- @starnight made their first contribution in #288
Full Changelog: v2.2.0...v2.3.0