We use some essential cookies to make our website work.

We use optional cookies, as detailed in our cookie policy, to remember your settings and understand how you use our website.

Secure Raspberry Pi Connect at scale

We recently released a major upgrade to our secure boot provisioning software, rpi-sb-provisioner, making it easier to provision more complex operating system images and deploy Raspberry Pi Connect at scale.

In my many years as a software engineer, I always found working with secure boot more complicated than it had any right to be. So, in 2024, we released the first version of rpi-sb-provisioner: a system designed to help you provision your OS on devices with secure boot and full disk encryption enabled in a boring and predictable way.

Since then, we’ve received plenty of feedback from users, and the provisioner has evolved significantly — from a collection of shell scripts and tools to a system with a manufacturing database, an audit log, and a web UI. Every change was designed to address a concrete user problem.

Of course, there’s more to making Raspberry Pi–powered devices and projects than simply getting your OS onto the system; we also had to teach rpi-sb-provisioner to play nicely with our other tools.

Integrating Raspberry Pi Connect

Users continue to tell us how useful they find Raspberry Pi Connect for remotely managing their devices. But when you’re provisioning devices at scale, you can’t afford to slow down to manually associate each one; you also want those associations to survive OS updates, factory resets, and so on.

Version 2.3 of rpi-sb-provisioner makes use of the new device identity support in Raspberry Pi Connect for Organisations, allowing you to automatically give your devices an immutable identity and tie them to your Raspberry Pi Connect for Organisations account.

Flexible image description provisioning

Previous releases of rpi-sb-provisioner assumed that you had created a traditional Raspberry Pi OS–derived image using pi-gen. After the initial release, however, we received a range of questions from users who wanted to provision more complex layouts or build images in a more ergonomic way. To address both needs, we introduced image description provisioning (IDP) in rpi-image-gen, which is now integrated into version 2.3 of rpi-sb-provisioner.

Image description provisioning transforms rpi-sb-provisioner from a fixed-function provisioner into a fully programmable provisioning system, enabling you to specify a wide range of partition layouts, types, and other attributes. IDP can also be used to provision operating systems that weren’t created with rpi-image-gen: if you can describe it, you can provision it.

The rpi-sb-provisioner 2.3 OS image selection view; IDP artefacts have extended metadata to help you pick the correct image and confirm your assumptions ahead of production

Making use of rpi-fw-crypto

With the release of rpi-fw-crypto, Raspberry Pi devices now have a mechanism for using asymmetric cryptography without unduly exposing the device-unique private key written by rpi-sb-provisioner. We make use of this function in two major areas:

  1. On the provisioning server, to encrypt and bind the signing material (a PEM file or HSM PIN) to the provisioning server.
  2. On the provisioned devices, as part of the material used to calculate a full disk encryption key, either through a supplied pre-boot authentication environment or one you build with rpi-image-gen.
An example key added to the rpi-sb-provisioner 2.3 secure boot key selection options; the key hash and encryption state are shown so that you can confirm which key you’re writing to the devices

More to come

The rpi-sb-provisioner system will continue to evolve to respond to user needs. Sharing feedback on the tool and how it has or hasn’t worked for you, or just hard-earned tales from manufacturing devices at scale, helps us make the system better for our customers — industrial, embedded, and enthusiast alike.

Find out more about provisioning Raspberry Pi Connect at scale in our bulk provisioning documentation.

rpi-sb-provisioner, rpi-fw-crypto, and rpi-image-gen are all open source projects available on our software sources page.

No comments
Jump to the comment form

Leave a Comment