Releases: raspberrypi/rpi-sb-provisioner
Release list
v2.3.1: Fixes & failure reporting
This release adds a saved signing-key registry, programming-rig customisation hooks, firmware-crypto bootstrap for at-rest secret wrapping, and fixes Ethernet image transfer over the fastboot TCP data plane. It also refreshes the bundled fastboot gadgets and corrects NVMe FDE LUKS passphrase derivation.
Highlights
- Add a saved-key registry for multiple PEM and PKCS#11 signing keys, with one active key driving provisioning and CUSTOMER_KEY_* config sync. The Options page is redesigned as a tile grid showing per-key status, encrypted-at-rest state, fingerprint, and RSA-2048 fit-for-purpose checks.
- Add provision-failed customisation hooks for all provisioner styles so programming rigs can signal errors (for example status LEDs) when bootstrap, triage, or provisioning aborts.
- Export TARGET_USB_PATH, TARGET_DEVICE_PATH, and full manufacturing-database field values to customisation hooks, enabling per-port rig indicators and post-flash automation (issue #273).
- Flash OS images over the fastboot TCP data plane when the daemon advertises split USB+TCP mode, restoring Ethernet image transfer in naked-, fde-, and sb-provisioner (issue #314).
- Refresh bundled fastboot gadgets to rpi-fastbootd 14.0.0~git20260608, with on-device EEPROM update/verify/read commands and SPI flash identity getvars.
- Rebundle gadgets with libblockdeviceid-based block device ID derivation for LUKS passphrase generation, matching the boot-time cryptroot unlocker so NVMe FDE volumes provisioned by the host unlock correctly on first boot (issue #316).
- Generate a firmware-crypto key on hosts that have none via
rpi-fw-crypto genkeyin postinst, so device-bound wrapping of secrets at rest (HSM PINs, uploaded PEM keys) works without a pre-existing factory device key.
Reliability Fixes
- Fix validate-key and manual key paths outside /etc/rpi-sb-provisioner/keys being rejected despite valid PEM content.
- Load the OpenSSL default provider before key parsing and return clearer errors for public keys, certificates, OpenSSH keys, and encrypted PEMs.
- Reject EEPROM images whose MFG_VER is below the board's min_boot_ver before write or verify, preventing downgrades on boards that require a newer bootloader baseline.
- Use best-effort USB path lookup for the initial TRIAGE-STARTED record so triage does not abort under set -e when the path is not yet resolvable.
- Fix get_usb_path_for_serial() udevadm fallback using the wrong variable.
- Do not invoke provision-failed for duplicate bootstrap@ lock contention or triage failure while bootstrap is still in progress (expected USB re-enumeration during DUT reboot).
Upgrade Notes
- The supported releases are 2.3.1 and 2.3.0; 2.3.0~pre* builds are no longer supported.
- Legacy single-key PEM/PKCS#11 config entries are migrated into the saved-key registry automatically on first access.
- postinst may generate a firmware-crypto key on hosts that have none, enabling at-rest wrapping without a pre-existing factory device key. This is skipped when a key already exists or the crypto service is unavailable, and never blocks installation.
- The manufacturing database schema gains customer_key_fingerprint and customer_key_label columns; postinst migrates existing databases.
- When the provisioning host and target share an Ethernet link, bulk image transfer can use the fastboot TCP data plane. USB remains required for control-plane commands.
What's Changed
- docs: Enhance README and API documentation for IDP artefacts and key … by @tdewey-rpi in #312
- 2.3.1: Fix roll-up by @tdewey-rpi in #318
- 2.3.1: Release by @tdewey-rpi in #321
Full Changelog: v2.3.0...v2.3.1
2.3.0
This release adds IDP image provisioning, firmware-crypto-backed device identity
workflows, OpenSSL 3 PKCS#11 provider support, and a broad set of provisioning
reliability fixes accumulated through the 2.3.0 preview series.
Highlights
- Add IDP (Image Description Provisioning) support for rpi-image-gen artefacts,
including archive upload, JSON/image validation, metadata-driven WebUI
configuration, secure-boot slot signing, customisation hooks, and service-log
viewing. - Add Raspberry Pi firmware crypto integration for cryptroot unlock and
Raspberry Pi Connect device identity registration. The device firmware crypto
key is provisioned and OTP-locked as part of the provisioning flow. - Move HSM support from the deprecated OpenSSL ENGINE path to OpenSSL 3
pkcs11-provider/OSSL_STORE, with provider readiness checks and HSM key
discovery in the WebUI. - Encrypt stored HSM PINs and uploaded PEM signing keys at rest using a
device-bound AES-256-GCM wrapper derived from the Raspberry Pi firmware crypto
device key. - Add A/B-capable 2712 EEPROM signing support and refresh bundled fastboot
gadgets for EEPROM measurements, fixed A/B bootfiles, and monolithic sparse
whole-disk image writing. - Remove the manual Raspberry Pi 5 re-plug step by using
set_reboot_order=0x3
in the recovery configuration so devices return to RPIBOOT automatically.
Reliability Fixes
- Fix the Trixie/systemd 257 cryptroot initramfs switch-root regression reported
in #299. - Use kernel crypto module aliases and copy modules for all applicable kernels,
improving compatibility across kernel updates. - Preserve real provisioner exit statuses from cleanup traps so failures are
visible to systemd, the WebUI, and manufacturing records. - Invalidate cached signed artefacts when firmware or signing keys change, and
wipe cached workdir artefacts on package upgrade. - Replace the WebUI state database inotify watcher with authenticated local
notification endpoints to avoid steady-state CPU spin while keeping device
status updates responsive.
Upgrade Notes
- The final supported release is
2.3.0; the2.3.0~pre*builds are no longer
supported. - Runtime dependencies now require recent
rpi-eepromandrpibootpackages,
pluspkcs11-provider, p11-kit support,gnutls-bin, and
librpifwcrypto. - Package upgrades clear
/srv/rpi-sb-provisioner/workdircached artefacts.
Persistent data such as images, manufacturing databases, state databases, logs
and configuration are preserved. - Stored PINs and uploaded PEM signing keys are migrated to device-wrapped
storage when saved on a system with firmware crypto support. Wrapped material
is intentionally bound to that provisioner device.
What's Changed
- fix: Catch error codes from customisation scripts by @tdewey-rpi in #264
- docs: Update README for 2.2.0 UI by @tdewey-rpi in #265
- 2.3.0: New visualisers, new options UI, IDP support, Fastboot upgrades by @tdewey-rpi in #275
- Validate IDP JSON, always deploy rpifwcrypto keys by @tdewey-rpi in #278
- Raspberry Pi Connect Device Identity support by @tdewey-rpi in #279
- fastboot: Update gadgets to b290c63e7b91f49d84334ac652f38f611c3d92a3 by @tdewey-rpi in #280
- IDP Support Enhancements by @tdewey-rpi in #281
- 2.3.0: cryptroot uses rpifwcrypto, falls back to OTP by @tdewey-rpi in #283
- Missing comma in udev rules by @stu-spp in #284
- provisioners: Fixup error status capture in cleanup() by @tdewey-rpi in #285
- IDP Provisioner Testing Fixes by @tdewey-rpi in #287
- provisioners: Update Connect terminology by @mudge in #291
- 2.3.0: Hardening & resilience fixes by @tdewey-rpi in #292
- 2.3.0: Liveness & TCP worker improvements by @tdewey-rpi in #293
- provisioner-service: ui: Raspberry Pi 5 re-plug banners by @tdewey-rpi in #294
- debian/control: Add missing zlib1g-dev & libzstd-dev build dep by @starnight in #288
- 2.3.0: Device detail page fixes by @tdewey-rpi in #295
- 2.3.0-pre1: Release by @tdewey-rpi in #297
- 2.3.0-pre2: Update Cryptroot, Fastboot by @tdewey-rpi in #300
- deps: Bump rpi-eeprom, rpiboot by @tdewey-rpi in #301
- 2.3.0-pre2: Eliminate Pi5 replug events by @tdewey-rpi in #302
- changelog: Update pre2 by @tdewey-rpi in #303
- Fix secure-boot configured but no partitions with static.role="boot" in image.json by @stu-spp in #304
- 2.3.0-pre3: A/B EEPROM signing support by @tdewey-rpi in #306
- Completely remove
root=from cmdilne.txt modifications. by @stu-spp in #307 - 2.3.0-pre4: Legacy OS flashing fixed, EEPROM measurements trimmed by @tdewey-rpi in #308
- 2.3.0: Add key encryption at rest, bump deps by @tdewey-rpi in #310
New Contributors
- @mudge made their first contribution in #291
- @starnight made their first contribution in #288
Full Changelog: v2.2.0...v2.3.0
v2.3.0-pre4
What's Changed
- Completely remove
root=from cmdilne.txt modifications. by @stu-spp in #307 - 2.3.0-pre4: Legacy OS flashing fixed, EEPROM measurements trimmed by @tdewey-rpi in #308
Full Changelog: v2.3.0-pre3...v2.3.0-pre4
v2.3.0-pre3
What's Changed
- Fix secure-boot configured but no partitions with static.role="boot" in image.json by @stu-spp in #304
- 2.3.0-pre3: A/B EEPROM signing support by @tdewey-rpi in #306
Full Changelog: v2.3.0-pre2...v2.3.0-pre3
v2.3.0: Deps, fastboot, cryptroot, replug
-
cryptroot_initramfs regression fix (#299):
- Refresh the bundled cryptroot_initramfs from pi-gen-micro. The
Trixie-rebuilt image (systemd 257) refused systemctl switch-root
from non-initrd mode, leaving devices provisioned successfully
but stuck at the initramfs login prompt instead of pivoting into
the unlocked rootfs. - The new image is marked as an initrd (/etc/initrd-release) and
the cryptroot service has been rewired into the standard systemd
initrd flow: Before=initrd-root-fs.target with the pivot
delegated to systemd's stock initrd-switch-root.service, instead
of the bespoke multi-user.target + manual switch-root from
v2.1.3. - getty is masked in the cryptroot image: the "localhost login:"
symptom cannot recur, and emergency.target still gets a console
via sulogin if cryptroot.service fails.
- Refresh the bundled cryptroot_initramfs from pi-gen-micro. The
-
Kernel module list durability (also #299):
- host-support/kernel_modules.list: switch from concrete crypto
module names (chacha-neon, chacha_generic, aes-arm64, ...) to
kernel crypto API aliases (crypto-xts(aes), crypto-adiantum,
crypto-nhpoly1305, crypto-xchacha12). Aliases are resolved by
libkmod via modules.alias and survive the upstream module
renames between 6.12 and 6.18, fixing the secondary
provisioning-time failure also reported in #299.
- host-support/kernel_modules.list: switch from concrete crypto
-
Bundled rpi-fastbootd refresh:
- Refresh the fastboot gadget image to pick up rpi-fastbootd
be8a8ce ("vars: Add eeprom manipulation, data fetch"), which
adds oem eeprom-update / eeprom-verify / eeprom-read plus
signed-eeprom, eeprom-device, eeprom-size, eeprom-sha256,
eeprom-jedec, eeprom-unique-id and eeprom-spi-speed getvars.
- Refresh the fastboot gadget image to pick up rpi-fastbootd
-
Dependency refresh:
- debian/control: require rpi-eeprom (>= 28.23-1) to pick up the
rpiboot/recovery image that honours set_reboot_order in the
recovery config.txt.
- debian/control: require rpi-eeprom (>= 28.23-1) to pick up the
-
Bootstrap: eliminate re-plug requirement on Pi 5 (and Pi 4):
- service/rpi-sb-bootstrap.sh: insert set_reboot_order=0x3 ahead
of recovery_reboot=1 in both the secure-boot keywriting recovery
config and the non-secure EEPROM-update recovery config, so the
device reboots straight back into RPIBOOT mode ready for the
fastboot bootstrap phase instead of requiring a manual USB
re-plug.
- service/rpi-sb-bootstrap.sh: insert set_reboot_order=0x3 ahead
v2.3.0-pre1: IDP, Pi Connect, Options, performance, fastboot, everything?
-
Pre-release:
- First preview of the 2.3.0 line. Combines the IDP, Connect and
rpifwcrypto work from the 2.3.0 changelog draft with the
post-April stabilisation and re-plug guidance work below.
- First preview of the 2.3.0 line. Combines the IDP, Connect and
-
IDP (Image Description Provisioning) Support:
- Add support for consuming IDP-style artefacts from rpi-image-gen,
enabling pre-built partition layouts, encryption, and sparse image
provisioning via the device-side fastboot IDP protocol - Add new rpi-idp-provisioner.sh orchestrator implementing the full
IDP protocol: erase, stage JSON, idpinit, idpwrite, idpgetblk/flash
loop, and idpdone, with timeout_fatal wrappers on all fastboot
commands - Add rpi-idp-provisioner@.service systemd template unit
- Extend triage to detect IDP artefact directories
(GOLD_MASTER_OS_FILE pointing to a directory) and route to the
IDP provisioner automatically - IDP pre-flight validation: JSON syntax, referenced .simg file
existence, device class and storage type cross-checks against
host configuration
- Add support for consuming IDP-style artefacts from rpi-image-gen,
-
IDP WebUI:
- Add image-first progressive disclosure UI: selecting an IDP
artefact auto-populates device family, storage type, and cipher
from the artefact's JSON metadata, locking those fields with
"Set by image" badges - Hide the FDE-only provisioning style tile for IDP artefacts, as
encryption is defined by the IDP JSON; provisioning style collapses
to a binary Secure Boot / Naked choice - Support upload of .tar.gz, .tgz, and .zip archives containing IDP
artefacts, with security validation (path traversal checks, disk
space checks, atomic extraction) - Add /analyze-image endpoint returning IDP metadata (device class,
storage type, encryption, cipher, partition count, image version) - Display IDP badge in the image list for artefact directories
- Add image-first progressive disclosure UI: selecting an IDP
-
Image SHA256 Improvements:
- Compute SHA256 of IDP archives before extraction, capturing the
fingerprint of the exact artefact uploaded - Store IDP archive hash in a .sha256 sidecar file alongside the
extracted artefact directory, reusing the existing sidecar pattern - Update /get-image-sha256 to return sidecar hash directly for IDP
artefact directories, avoiding unnecessary background calculation - Add is_idp flag to ImageInfo struct for reliable IDP detection
in image listings, replacing fragile sha256 string comparison - Clean up sidecar files when deleting IDP artefact directories
- Compute SHA256 of IDP archives before extraction, capturing the
-
Bug Fixes:
- Fix image deletion from the Options page: frontend was calling
/images/delete (non-existent) instead of /delete-image (the
documented and registered endpoint) - Fix HTTP method for image deletion: changed from DELETE to POST
to match the backend handler - Fix image browser detail pane overflowing its container by adding
box-sizing: border-box to .image-list and .firmware-notes - Fix cleanup_orphans destroying persistent data directories
(images, workdir, databases): TEMP_BASE now points to a dedicated
/srv/rpi-sb-provisioner/tmp subdirectory, and all temp directory
creation uses a new make_temp_dir helper - Fix rpi-sb-common.sh base directory variables overwriting values
pre-set by sourcing scripts (e.g. rpi-sb-bootstrap.sh)
- Fix image deletion from the Options page: frontend was calling
-
IDP Validation in provisioner-service:
- Extend GOLD_MASTER_OS_FILE validation in options.cpp to support
directories: validates exactly one .json file exists, JSON is
syntactically valid, and all referenced .simg files are present
- Extend GOLD_MASTER_OS_FILE validation in options.cpp to support
-
Packaging:
- Add rpi-idp-provisioner.sh to /usr/bin and
rpi-idp-provisioner@.service to /usr/lib/systemd/system in
debian/install - Create /var/lock/rpi-sb-provisioner in postinst so with_lock()
works on fresh installs; LOCK_BASE was previously assumed to
exist but never created by the package - Remove redundant per-call board_type migration probe from
record_state() in host-support/state-recording: postinst
already performs a more thorough state.db schema migration on
upgrade, so the runtime probe added two SQLite invocations to
every device state transition for no benefit
- Add rpi-idp-provisioner.sh to /usr/bin and
-
Raspberry Pi Connect Device Identity Registration:
- Automatically register provisioned devices with the Raspberry Pi
Connect management API when RPI_CONNECT_API_KEY is configured - Request signing uses the device's firmware crypto ECDSA key via
fastbootd's 'oem fwcrypto sign-hash' command; the private key
never leaves hardware - Add RPI_CONNECT_API_KEY and RPI_CONNECT_DESCRIPTION config
options with validation in options.cpp - Add Cloud Services section to options UI with password-masked
API key input and description prefix field - Add connect_registered and connect_device_id columns to
manufacturing database schema, with migration in postinst - Add Connect columns to manufacturing UI table and CSV export
- Non-fatal: registration failures log warnings but never abort
provisioning (set +e guard, curl timeouts, robust PEM capture)
- Automatically register provisioned devices with the Raspberry Pi
-
Cryptroot rpifwcrypto Support:
- Update cryptroot initramfs to unlock the encrypted root filesystem
using the device's firmware crypto ECDSA key (rpifwcrypto), in
place of key material delivered out-of-band or stored on disk - Triage now always provisions the device firmware crypto key
(oem fwcrypto init) before provisioning proceeds, regardless of
provisioning style, and verifies the key is written to OTP before
continuing -- aborting the device if provisioning fails - Establishes a hardware-held device unique identity that underpins
both LUKS unlock (via a derived secret bound to the key and other
measurements) and Raspberry Pi Connect device identity
registration; the private key never leaves the SoC
- Update cryptroot initramfs to unlock the encrypted root filesystem
-
Provisioner Exit Status Fix:
- Fix cleanup() trap handler in rpi-sb-provisioner.sh,
rpi-fde-provisioner.sh, rpi-naked-provisioner.sh,
rpi-idp-provisioner.sh and rpi-sb-bootstrap.sh swallowing the
real exit status: the re-entry guard and CLEANUP_DONE=1
assignment clobbered $? before it was captured, so any failure
caught by the trap (set -e, die, SIGTERM) was reported as
success -- the systemd unit showed "Deactivated successfully"
and the WebUI saw a clean run despite aborted provisioning - Capture $? as the first statement of cleanup() so the original
exit status propagates through to systemd and the manufacturing
database
- Fix cleanup() trap handler in rpi-sb-provisioner.sh,
-
IDP Refinements:
- Sign boot slots for secure-boot IDP provisioning, and drop a
boot_ramdisk config.txt next to the signed boot.img so the
device picks up the signed bootchain on first boot - Ensure the device unique firmware crypto key is OTP-locked at
the end of provisioning, establishing an immutable hardware
identity for subsequent boots - Expand the encryption flag matcher so all LUKS2 cipher variants
are recognised as encrypted IDP layouts (fixes LUKS2 cipher
field handling) - Fall back to the configured storage type when the IDP JSON does
not name one, instead of refusing to provision - Catch all non-supported storage types up-front with a clear
error rather than proceeding to a broken flash - Add missing timeout_nonfatal wrappers in rpi-idp-provisioner.sh
- Default timeout_fatal to 30s in the IDP provisioner
- Wire provision-started hook arguments through rpi-sb-common.sh
and move the IDP provision-started hook to the correct
lifecycle point - Add IDP provisioner customisation hook editors to the WebUI
- Allow IDP service log viewing in the WebUI
- Fix incorrect zero2w platform name mapping in the IDP
provisioner, image-handling paths, and documentation
- Sign boot slots for secure-boot IDP provisioning, and drop a
-
Re-plug Guidance:
- Record the discovered board type per device so re-plug guidance
can be tailored to the family - Add Raspberry Pi 5 re-plug banners to the WebUI, prompting
operators to physically re-plug devices that cannot enter
RPIBOOT automatically - Improve device and detail-view liveness so the WebUI reflects
in-flight provisioning state without manual refresh - Capture provisioning intent vs observed state for fields that
cannot yet be confirmed over fastboot (jtag_locked,
eeprom_write_protected); add a devkey_revoked column observed
via 'getvar secure-devkey'; clarify signed_boot_enabled as
derived from pubkey_programmed in the manufacturing API
- Record the discovered board type per device so re-plug guidance
-
Fastboot Data Path & Gadget Updates:
- Use TCP for the data path when fastbootd advertises support,
improving throughput over USB on capable hardware - Refresh the bundled fastboot gadget against upstream
rpi-fastbootd, through b1e51bd4, e8c13a5 and finally
f3ce930249ab0d657ddaf5d3ba4a076320894c78
- Use TCP for the data path when fastbootd advertises support,
-
Workdir Cache Invalidation:
- Invalidate cached signed artefacts in $RPI_SB_WORKDIR when the
selected firmware or signing keys change, so stale boot.img
files are never re-flashed - Wipe all cached provisioning artefacts under $RPI_SB_WORKDIR on
package upgrade
- Invalidate cached signed artefacts in $RPI_SB_WORKDIR when the
-
Triage:
- Trust idempotent 'oem fwcrypto init' and drop the pre-check
that round-tripped over fastboot before initialisation
- Trust idempotent 'oem fwcrypto init' and drop the pre-check
-
Configuration Plumbing:
- Introduce shared resolvers for special configuration flags,
consumed by both provisioner-service and rpi-sb-bootstrap.sh,
so flag interpretation is consistent across host components
- Introduce shared resolvers for special configuration flags,
-
Database Contention:
- Use SQL busy timeouts in provisioner-service to handle SQLite
contention gracefully un...
- Use SQL busy timeouts in provisioner-service to handle SQLite
v2.2.0
What's Changed
Naked Provisioner & Image Customisation
- Expand naked-provisioner stages to include bootfs-mounted and rootfs-mounted phases for full image customisation support (fixes #258)
- Use
cp --reflink=autofor image copying, optimising performance and reducing disk usage on btrfs/xfs hosts - Add checks to ensure customisation scripts are executable before running
- Flash modified image when customisation scripts are executed
Provisioning Hooks
- Add
provision-startedstage and hook, allowing actions (e.g. LED control, rig signaling) to execute at the start of provisioning
Customisation WebUI
- Add copy-sources functionality allowing users to select and copy scripts from other provisioners during stage editing
- Display dropdown for available scripts from other provisioners, improving usability and efficiency
Provisioning Improvements
- Consolidate loop device management functions (
ensure_next_loopdev,ensure_loopdev_partitions,unmount,unmount_image) intorpi-sb-common.shfor better code reuse and maintainability - Improve cleanup logic in provisioner scripts to properly unmount images before deletion, preventing dangling loop devices
- Enhance error handling in losetup operations with clearer exit messages on failure
- Remove redundant
get_variablefunction fromrpi-fde-provisioner.sh
Features (from earlier in this release cycle)
- Add PKCS#11 HSM signing support for secure signing operations
- Add USB speed attribute detection for better device capability identification
- Add CSRF token validation for critical endpoints
- Add
kernel_modules.listfor configurable kernel module inclusion - Integrate rpi-modcopy for improved kernel module handling and dependency resolution
- Add
RPI_DEVICE_RPIBOOT_GPIOconfiguration for Pi 4 family secure-boot provisioning (fixes #242)
WebUI Accessibility
- Add
lang="en", semantic HTML structure, ARIA roles/live regions, table captions, accessible tab interfaces, and screen-reader-only descriptions for D3 visualizations - Improve focus visibility with enhanced CSS outline styles
Packaging
- Add rpi-modcopy dependency for kernel module handling
- Fix CMake configuration for jsoncpp dependency
- Improve upgrade experience by shipping config defaults to
/usr/share/rpi-sb-provisioner/defaults/with user overrides in/etc/rpi-sb-provisioner/, eliminating dpkg conffile prompts during upgrades
Full Changelog: v2.1.3...v2.2.0
v2.1.3: Trixie packages, D3.js visualisation
What's Changed
- Fix documented RPIBOOT PIDs by @lurch in #223
- Followup to #223 - remove the USB PID that never existed by @lurch in #224
- Simplify Zero 2 W connection instructions by @lurch in #227
- 2.1.2: Provisioning map, Trixie build by @tdewey-rpi in #226
- Fixup device state reporting by @tdewey-rpi in #228
- Make
IPV6_ADDRESSparsing easier to understand. by @stu-spp in #247 - metadata_gather before post-flash for db access by @stu-spp in #248
- v2.1.3 by @tdewey-rpi in #250
- feat: Add edge avoidance force and improve link rendering in device v… by @tdewey-rpi in #251
- Revise provisioning capacity and throughput metrics by @tdewey-rpi in #252
- fix: Update CMake configuration for jsoncpp dependency by @tdewey-rpi in #253
New Contributors
Full Changelog: v2.1.1...v2.1.3
v2.1.1: Bugfix release
Headlines
- WebUI Navigation Fixes - Resolved hanging issues on pages using AJAX for smoother user experience
- Boot Image Generator Improvements - Better POSIX compliance and enhanced UI controls
- Package Versioning Fix - Corrected Debian package version format for boot images
Who Should Upgrade
- All users - Important WebUI bug fixes improve stability and usability
- Boot image generator users - Fixed script compatibility issues and improved UI controls
- Users experiencing WebUI hangs - Navigation issues on AJAX pages now resolved
What's Changed
Bug Fixes
-
WebUI Stability
- Fixed navigation hangs on pages using AJAX requests
- Implemented proper cleanup for WebSocket connections on page unload
- Added auto-refresh cleanup mechanisms to prevent memory leaks
- Improved resource management across devices, manufacturing, scantool, service log, and services views
-
Boot Image Generator
- Fixed bashisms in boot image generator script for better POSIX compliance
- Corrected package versioning format - now prefixes SHA256 hash with '0.' for valid Debian versioning
- Added explicit boot image generation button in WebUI
- Enhanced button styling for better user experience
- Improved boot package status handling for more accurate state reporting
Breaking Changes
None. This release maintains full backward compatibility with v2.1.0.
Known Issues
- Boot image generator requires at least 32GB free disk space
Full Changelog: v2.1.0...v2.1.1
v2.1.0
Headlines
- Automatic Boot Image Generation - Generate signed boot images and Debian packages from uploaded OS images, enabling configuration updates without full re-provisioning
- Complete Documentation Rewrite - README transformed into a beginner-friendly guide with step-by-step instructions and comprehensive troubleshooting
- Enhanced EEPROM Support - Proper EEPROM updates for naked (non-secure-boot) provisioning on Pi 4 and Pi 5
- Architecture Documentation - New workflow diagrams and detailed system design explanations
Who Should Upgrade
- All users - Important bug fixes and usability improvements
- New users - Significantly improved documentation makes getting started easier
- Naked provisioning users - EEPROM updates now work correctly for non-secure-boot devices
- Users wanting configuration updates - Deploy kernel and config.txt changes to provisioned devices without re-provisioning
What's Changed
New Features
-
Boot Image Generator - Introduces
rpi-sb-image-bootimg-generatortool and systemd service- Automatically extracts boot partition from uploaded images
- Creates signed boot.img and boot.sig for secure boot
- Generates installable Debian packages for pushing updates to deployed devices
- Full logging support in
/var/log/rpi-sb-provisioner/bootimg-generator/
-
Enhanced EEPROM Updates
- Non-secure-boot devices now receive proper EEPROM updates on 2711/2712
- Improved special re-provisioning handling for Pi 5
- Migration from custom
writeSig()to standardizedrpi-eeprom-digesttool - Better firmware version detection and logging
-
API Security
- New
RPI_SB_PROVISIONER_ENABLE_PRIVATE_KEY_APIconfiguration option - Pagination and ordering for service log API
- Enhanced audit logging
- New
Documentation
- Complete README rewrite with:
- "What Problem Does This Solve?" introduction
- Step-by-step getting started guide
- Device-specific connection instructions
- Comprehensive troubleshooting section
- New architecture documentation with workflow diagrams
- Boot image generator and Debian package guides
- Enhanced API documentation
Improvements
- Strip GNU and Bash-specific syntax for better POSIX compliance
- Better error handling and logging throughout bootstrap process
- Enhanced USB topology-based device status UI
- Improved manufacturing database accuracy (secure vs signed states)
- Fixed shell option detection in customization scripts
- Fixed regex in
simg_expanded_size()function - Fixed depmod handling for kernel modules
Dependencies
- Update
rpibootto >= 20251002~150524 - Update
rpi-eepromto >= 28.5 - Update embedded
curlto 8.16.0
Breaking Changes
None. This release maintains backward compatibility with v2.0.x configurations.
Known Issues
- Special re-provisioning with boot image regeneration only supported on Pi 5 (2712)
- Boot image generator requires at least 32GB free disk space
Full Changelog: v2.0.6...v2.1.0