manufacturing database: devkey revocation, OTP signature present

Author: tdewey-rpi

debian/postinst

@@ -113,6 +113,7 @@ MFG_DB_SCHEMA="id              integer primary key,
     jtag_locked     integer             DEFAULT NULL,
     eeprom_write_protected integer      DEFAULT NULL,
     pubkey_programmed integer           DEFAULT NULL,
+    devkey_revoked   integer            DEFAULT NULL,
     signed_boot_enabled integer         DEFAULT NULL,
     os_image_filename varchar(255)      DEFAULT NULL,
     os_image_sha256  char(64)           DEFAULT NULL,
@@ -133,7 +134,7 @@ else
     CURRENT_COLUMNS=$(sqlite3 "$MFG_DB_PATH" "PRAGMA table_info(devices);" | awk -F'|' '{print $2}' | tr '\n' ',')
 
     # Check if any expected columns are missing
-    for COL in id boardname serial eth_mac wifi_mac bt_mac mmc_size mmc_cid rpi_duid board_revision processor memory manufacturer secure jtag_locked eeprom_write_protected pubkey_programmed signed_boot_enabled os_image_filename os_image_sha256 provision_ts; do
+    for COL in id boardname serial eth_mac wifi_mac bt_mac mmc_size mmc_cid rpi_duid board_revision processor memory manufacturer secure jtag_locked eeprom_write_protected pubkey_programmed devkey_revoked signed_boot_enabled os_image_filename os_image_sha256 provision_ts; do
         if ! echo "$CURRENT_COLUMNS" | grep -q "$COL"; then
             echo "Migration needed: column $COL is missing from manufacturing.db devices table"
 

docs/api_endpoints.adoc

@@ -50,6 +50,7 @@ The endpoint returns a JSON array where each element represents a provisioned de
     "jtag_locked": "1",
     "eeprom_write_protected": "1",
     "pubkey_programmed": "1",
+    "devkey_revoked": "0",
     "signed_boot_enabled": "1",
     "os_image_filename": "raspios-2025-04-01.img",
     "os_image_sha256": "4f2d9c5b0e3b1d8a9c1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c",

host-support/manufacturing-data

@@ -110,6 +110,7 @@ metadata_gather() {
                     jtag_locked     integer             DEFAULT NULL,
                     eeprom_write_protected integer      DEFAULT NULL,
                     pubkey_programmed integer           DEFAULT NULL,
+                    devkey_revoked   integer           DEFAULT NULL,
                     signed_boot_enabled integer         DEFAULT NULL,
                     os_image_filename varchar(255)      DEFAULT NULL,
                     os_image_sha256  char(64)           DEFAULT NULL,
@@ -142,14 +143,42 @@ metadata_gather() {
             EEPROM_WP_VALUE="0"
         fi
 
-        # Public key programming: 1 for secure provisioning, 0 for non-secure, NULL for unknown
+        # Public key programming: read from fastboot metadata 'signed-otp'
+        # Map 'present' -> 1, 'not present' -> 0, common boolean forms as fallback, else NULL
         PUBKEY_PROGRAMMED_VALUE="NULL"
-        if [ "${SECURE}" = "1" ]; then
-            PUBKEY_PROGRAMMED_VALUE="1"
-        elif [ "${SECURE}" = "0" ]; then
-            PUBKEY_PROGRAMMED_VALUE="0"
+        SIGNED_OTP="$(metadata_get "signed-otp")"
+        if [ -n "${SIGNED_OTP}" ]; then
+            SIGNED_OTP_LC="$(printf "%s" "${SIGNED_OTP}" | tr '[:upper:]' '[:lower:]')"
+            case "${SIGNED_OTP_LC}" in
+                present|1|true|yes)
+                    PUBKEY_PROGRAMMED_VALUE="1"
+                    ;;
+                "not present"|notpresent|0|false|no)
+                    PUBKEY_PROGRAMMED_VALUE="0"
+                    ;;
+                *)
+                    : # leave as NULL
+                    ;;
+            esac
         fi
 
+        # Dev key revoked (signed-devkey): 'present' -> 1, 'not present' -> 0, else NULL
+        DEVKEY_REVOKED_VALUE="NULL"
+        SIGNED_DEVKEY="$(metadata_get "signed-devkey")"
+        if [ -n "${SIGNED_DEVKEY}" ]; then
+            SIGNED_DEVKEY_LC="$(printf "%s" "${SIGNED_DEVKEY}" | tr '[:upper:]' '[:lower:]')"
+            case "${SIGNED_DEVKEY_LC}" in
+                present)
+                    DEVKEY_REVOKED_VALUE="1"
+                    ;;
+                "not present"|notpresent)
+                    DEVKEY_REVOKED_VALUE="0"
+                    ;;
+                *)
+                    : ;;
+            esac
+        fi
+
         # Signed boot: 1 for secure provisioning, 0 for non-secure, NULL for unknown
         SIGNED_BOOT_VALUE="NULL"
         if [ "${SECURE}" = "1" ]; then
@@ -195,6 +224,7 @@ metadata_gather() {
                     jtag_locked,                \
                     eeprom_write_protected,     \
                     pubkey_programmed,          \
+                    devkey_revoked,             \
                     signed_boot_enabled,        \
                     os_image_filename,          \
                     os_image_sha256             \
@@ -215,6 +245,7 @@ metadata_gather() {
                     ${JTAG_LOCKED_VALUE},         \
                     ${EEPROM_WP_VALUE},           \
                     ${PUBKEY_PROGRAMMED_VALUE},   \
+                    ${DEVKEY_REVOKED_VALUE},      \
                     ${SIGNED_BOOT_VALUE},         \
                     '${OS_IMAGE_FILENAME}',       \
                     '${OS_IMAGE_SHA256}'          \

provisioner-service/src/views/manufacturing.csp

@@ -288,6 +288,7 @@
                                 <th>JTAG Locked</th>
                                 <th>EEPROM WP</th>
                                 <th>Pubkey Prog.</th>
+                                <th>Devkey Revoked</th>
                                 <th>Signed Boot</th>
                                 <th>OS Image Filename</th>
                                 <th>OS Image SHA256</th>
@@ -318,6 +319,7 @@
                                 <td class="security-field">${formatSecurityField(device.jtag_locked)}</td>
                                 <td class="security-field">${formatSecurityField(device.eeprom_write_protected)}</td>
                                 <td class="security-field">${formatSecurityField(device.pubkey_programmed)}</td>
+                                <td class="security-field">${formatSecurityField(device.devkey_revoked)}</td>
                                 <td class="security-field">${formatSecurityField(device.signed_boot_enabled)}</td>
                                 <td>${device.os_image_filename || ''}</td>
                                 <td style="font-family: monospace;">${device.os_image_sha256 || ''}</td>