This release adds a saved signing-key registry, programming-rig customisation hooks, firmware-crypto bootstrap for at-rest secret wrapping, and fixes Ethernet image transfer over the fastboot TCP data plane. It also refreshes the bundled fastboot gadgets and corrects NVMe FDE LUKS passphrase derivation.
Highlights
- Add a saved-key registry for multiple PEM and PKCS#11 signing keys, with one active key driving provisioning and CUSTOMER_KEY_* config sync. The Options page is redesigned as a tile grid showing per-key status, encrypted-at-rest state, fingerprint, and RSA-2048 fit-for-purpose checks.
- Add provision-failed customisation hooks for all provisioner styles so programming rigs can signal errors (for example status LEDs) when bootstrap, triage, or provisioning aborts.
- Export TARGET_USB_PATH, TARGET_DEVICE_PATH, and full manufacturing-database field values to customisation hooks, enabling per-port rig indicators and post-flash automation (issue #273).
- Flash OS images over the fastboot TCP data plane when the daemon advertises split USB+TCP mode, restoring Ethernet image transfer in naked-, fde-, and sb-provisioner (issue #314).
- Refresh bundled fastboot gadgets to rpi-fastbootd 14.0.0~git20260608, with on-device EEPROM update/verify/read commands and SPI flash identity getvars.
- Rebundle gadgets with libblockdeviceid-based block device ID derivation for LUKS passphrase generation, matching the boot-time cryptroot unlocker so NVMe FDE volumes provisioned by the host unlock correctly on first boot (issue #316).
- Generate a firmware-crypto key on hosts that have none via rpi-fw-crypto genkey in postinst, so device-bound wrapping of secrets at rest (HSM PINs, uploaded PEM keys) works without a pre-existing factory device key.
Reliability Fixes
- Fix validate-key and manual key paths outside /etc/rpi-sb-provisioner/keys being rejected despite valid PEM content.
- Load the OpenSSL default provider before key parsing and return clearer errors for public keys, certificates, OpenSSH keys, and encrypted PEMs.
- Reject EEPROM images whose MFG_VER is below the board's min_boot_ver before write or verify, preventing downgrades on boards that require a newer bootloader baseline.
- Use best-effort USB path lookup for the initial TRIAGE-STARTED record so triage does not abort under set -e when the path is not yet resolvable.
- Fix get_usb_path_for_serial() udevadm fallback using the wrong variable.
- Do not invoke provision-failed for duplicate bootstrap@ lock contention or triage failure while bootstrap is still in progress (expected USB re-enumeration during DUT reboot).
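The set -e pitfall behind the TRIAGE-STARTED fix, as an added example that is not rpi-sb-provisioner's own code: lookup_usb_path, the serial number and the port path are constructed stand-ins for get_usb_path_for_serial() and real udev data.

```shell
#!/bin/sh
# Added example, not rpi-sb-provisioner's code: why a hard-failing USB path
# lookup kills a `set -e` script, and the best-effort form that survives it.
set -e

# Constructed stand-in for get_usb_path_for_serial(): knows one sample serial
# and fails (non-zero exit, no output) for a DUT that has not enumerated yet.
lookup_usb_path() {
    [ "$1" = "10000000abcdef01" ] || return 1
    printf '1-1.4\n'            # constructed sysfs-style USB port path
}

# Best-effort form: a failed lookup leaves the path empty instead of aborting
# the caller, because the `||` branch takes the assignment out of -e's scope.
best_effort_usb_path() {
    path=$(lookup_usb_path "$1") || path=""
    printf '%s\n' "$path"
}

# The record that must always be written, even before the path is resolvable.
record_triage_started() {
    path=$(best_effort_usb_path "$1")
    printf 'TRIAGE-STARTED serial=%s usb_path=%s\n' "$1" "${path:-unresolved}"
}

# Shows the strict form aborting. The naive assignment runs in a fresh `sh`
# process (a subshell inside `if` would have -e suppressed by the shell);
# prints 1 when "reached" was never printed, 0 when the lookup succeeded.
strict_form_aborts() {
    out=$(sh -c 'set -e
        lookup_usb_path() { [ "$1" = "10000000abcdef01" ] || return 1; printf "1-1.4\n"; }
        path=$(lookup_usb_path "$1")
        printf reached' sh "$1" 2>/dev/null) || true
    [ "$out" = "reached" ] && printf '0\n' || printf '1\n'
}
```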
Upgrade Notes
- The supported releases are 2.3.1 and 2.3.0; 2.3.0~pre* builds are no longer supported.
- Legacy single-key PEM/PKCS#11 config entries are migrated into the saved-key registry automatically on first access.
- postinst may generate a firmware-crypto key on hosts that have none, enabling at-rest wrapping without a pre-existing factory device key. This is skipped when a key already exists or the crypto service is unavailable, and never blocks installation.
- The manufacturing database schema gains customer_key_fingerprint and customer_key_label columns; postinst migrates existing databases.
- When the provisioning host and target share an Ethernet link, bulk image transfer can use the fastboot TCP data plane. USB remains required for control-plane commands.
What's Changed
- docs: Enhance README and API documentation for IDP artefacts and key … by @tdewey-rpi in #312
- 2.3.1: Fix roll-up by @tdewey-rpi in #318
- 2.3.1: Release by @tdewey-rpi in #321
Full Changelog: v2.3.0...v2.3.1