Merge branch 'main' into dev/tdewey/verification-guide

Author: tdewey-rpi

debian/postinst

@@ -67,8 +67,8 @@ else
             CREATE TABLE devices_new($STATE_DB_SCHEMA);
             
             -- Copy data from old table to new table (handling all columns)
-            INSERT INTO devices_new($(echo $CURRENT_COLUMNS | sed 's/,$//'))
-            SELECT $(echo $CURRENT_COLUMNS | sed 's/,$//') 
+            INSERT INTO devices_new($(echo "$CURRENT_COLUMNS" | sed 's/,$//'))
+            SELECT $(echo "$CURRENT_COLUMNS" | sed 's/,$//') 
             FROM devices;
             
             -- Drop old table
@@ -95,6 +95,7 @@ fi
 
 # Define the expected schema for manufacturing.db devices table
 # secure is set to 1 by default, as any prior release of rpi-sb-provisioner will have only offered secure provisioning
+# Security tracking fields default to NULL to distinguish between not-applied vs unknown state
 MFG_DB_SCHEMA="id              integer primary key,
     boardname       varchar(255)        not null,
     serial          char(8)             not null,
@@ -109,6 +110,10 @@ MFG_DB_SCHEMA="id              integer primary key,
     memory          varchar(255)        not null,
     manufacturer    varchar(255)        not null,
     secure          integer             not null DEFAULT 1,
+    jtag_locked     integer             DEFAULT NULL,
+    eeprom_write_protected integer      DEFAULT NULL,
+    pubkey_programmed integer           DEFAULT NULL,
+    signed_boot_enabled integer         DEFAULT NULL,
     provision_ts    timestamp           default current_timestamp"
 
 # Ensure WAL journal mode
@@ -126,7 +131,7 @@ else
     CURRENT_COLUMNS=$(sqlite3 "$MFG_DB_PATH" "PRAGMA table_info(devices);" | awk -F'|' '{print $2}' | tr '\n' ',')
 
     # Check if any expected columns are missing
-    for COL in id boardname serial eth_mac wifi_mac bt_mac mmc_size mmc_cid rpi_duid board_revision processor memory manufacturer secure provision_ts; do
+    for COL in id boardname serial eth_mac wifi_mac bt_mac mmc_size mmc_cid rpi_duid board_revision processor memory manufacturer secure jtag_locked eeprom_write_protected pubkey_programmed signed_boot_enabled provision_ts; do
         if ! echo "$CURRENT_COLUMNS" | grep -q "$COL"; then
             echo "Migration needed: column $COL is missing from manufacturing.db devices table"
 
@@ -135,8 +140,8 @@ else
             CREATE TABLE devices_new($MFG_DB_SCHEMA);
             
             -- Copy data from old table to new table
-            INSERT INTO devices_new($(echo $CURRENT_COLUMNS | sed 's/,$//'))
-            SELECT $(echo $CURRENT_COLUMNS | sed 's/,$//') 
+            INSERT INTO devices_new($(echo "$CURRENT_COLUMNS" | sed 's/,$//'))
+            SELECT $(echo "$CURRENT_COLUMNS" | sed 's/,$//') 
             FROM devices;
             
             -- Drop old table

docs/api_endpoints.adoc

@@ -47,6 +47,10 @@ The endpoint returns a JSON array where each element represents a provisioned de
     "memory": "2GB",
     "manufacturer": "Sony UK",
     "secure": "yes",
+    "jtag_locked": "1",
+    "eeprom_write_protected": "1",
+    "pubkey_programmed": "1",
+    "signed_boot_enabled": "1",
     "provision_ts": "2025-04-28 13:53:28"
   },
   ...
@@ -72,6 +76,10 @@ The endpoint returns a JSON array where each element represents a provisioned de
 |memory|Device memory size (e.g., "2GB")
 |manufacturer|Device manufacturer
 |secure|Whether a device has been provisioned with a device unique identity
+|jtag_locked|JTAG debugging lock status (1=locked, 0=unlocked, null=unknown)
+|eeprom_write_protected|EEPROM write protection status (1=enabled, 0=disabled, null=unknown)
+|pubkey_programmed|Customer public key programming status (1=programmed, 0=not programmed, null=unknown)
+|signed_boot_enabled|Signed boot enablement status (1=enabled, 0=disabled, null=unknown)
 |provision_ts|Timestamp of when the device was provisioned
 |===
 

host-support/manufacturing-data

@@ -91,6 +91,7 @@ metadata_gather() {
         sqlite3 "${RPI_SB_PROVISIONER_MANUFACTURING_DB}" "PRAGMA journal_mode=WAL;" > /dev/null 2>&1
 
         # Define the schema for devices table
+        # Security tracking fields default to NULL to distinguish between not-applied vs unknown state
         EXPECTED_SCHEMA="id              integer primary key,
                     boardname       varchar(255)        not null,
                     serial          char(8)             not null,
@@ -105,6 +106,10 @@ metadata_gather() {
                     memory          varchar(255)        not null,
                     manufacturer    varchar(255)        not null,
                     secure          integer             not null,
+                    jtag_locked     integer             DEFAULT NULL,
+                    eeprom_write_protected integer      DEFAULT NULL,
+                    pubkey_programmed integer           DEFAULT NULL,
+                    signed_boot_enabled integer         DEFAULT NULL,
                     provision_ts    timestamp           default current_timestamp"
 
         # Check if the table exists
@@ -115,6 +120,41 @@ metadata_gather() {
             sqlite3 "${RPI_SB_PROVISIONER_MANUFACTURING_DB}" "CREATE TABLE devices($EXPECTED_SCHEMA);" > /dev/null 2>&1
         fi
 
+        # Determine security flags based on provisioning configuration
+        # JTAG lock status: 1 if enabled, 0 if explicitly disabled, NULL if not configured
+        JTAG_LOCKED_VALUE="NULL"
+        if [ -n "${RPI_DEVICE_LOCK_JTAG}" ]; then
+            JTAG_LOCKED_VALUE="1"
+        elif [ "${SECURE}" = "1" ]; then
+            # For secure provisioning, explicitly track that JTAG locking was not enabled
+            JTAG_LOCKED_VALUE="0"
+        fi
+        
+        # EEPROM write protection status: 1 if enabled, 0 if explicitly disabled, NULL if not configured  
+        EEPROM_WP_VALUE="NULL"
+        if [ -n "${RPI_DEVICE_EEPROM_WP_SET}" ]; then
+            EEPROM_WP_VALUE="1"
+        elif [ "${SECURE}" = "1" ]; then
+            # For secure provisioning, explicitly track that EEPROM WP was not enabled
+            EEPROM_WP_VALUE="0"
+        fi
+        
+        # Public key programming: 1 for secure provisioning, 0 for non-secure, NULL for unknown
+        PUBKEY_PROGRAMMED_VALUE="NULL"
+        if [ "${SECURE}" = "1" ]; then
+            PUBKEY_PROGRAMMED_VALUE="1"
+        elif [ "${SECURE}" = "0" ]; then
+            PUBKEY_PROGRAMMED_VALUE="0"
+        fi
+        
+        # Signed boot: 1 for secure provisioning, 0 for non-secure, NULL for unknown
+        SIGNED_BOOT_VALUE="NULL"
+        if [ "${SECURE}" = "1" ]; then
+            SIGNED_BOOT_VALUE="1"
+        elif [ "${SECURE}" = "0" ]; then
+            SIGNED_BOOT_VALUE="0"
+        fi
+
         # Insert new device data
         sqlite3 "${RPI_SB_PROVISIONER_MANUFACTURING_DB}" \
         "INSERT INTO devices(           \
@@ -130,7 +170,11 @@ metadata_gather() {
                     processor,                  \
                     memory,                     \
                     manufacturer,               \
-                    secure                      \
+                    secure,                     \
+                    jtag_locked,                \
+                    eeprom_write_protected,     \
+                    pubkey_programmed,          \
+                    signed_boot_enabled         \
                 ) VALUES (                      \
                     '${BOARD_STR}',               \
                     '${TARGET_DEVICE_SERIAL}',    \
@@ -144,7 +188,11 @@ metadata_gather() {
                     '${PROCESSOR_STR}',           \
                     '${MEMORY_STR}',              \
                     '${MANUFACTURER_STR}',        \
-                    '${SECURE}'                   \
+                    '${SECURE}',                  \
+                    ${JTAG_LOCKED_VALUE},         \
+                    ${EEPROM_WP_VALUE},           \
+                    ${PUBKEY_PROGRAMMED_VALUE},   \
+                    ${SIGNED_BOOT_VALUE}          \
         );" > /dev/null 2>&1
         announce_stop "Manufacturing Database Insertion"
     fi

provisioner-service/src/views/manufacturing.csp

@@ -134,6 +134,26 @@
             margin: 15px 0;
             border-left: 5px solid #d32f2f;
         }
+        
+        .security-field {
+            text-align: center;
+            font-weight: bold;
+        }
+        
+        .security-enabled {
+            color: #28a745;
+            font-size: 14px;
+        }
+        
+        .security-disabled {
+            color: #dc3545;
+            font-size: 14px;
+        }
+        
+        .security-unknown {
+            color: #6c757d;
+            font-size: 14px;
+        }
     </style>
 </head>
 <body>
@@ -178,6 +198,19 @@
     </div>
 
     <script>
+        // Function to format security field values
+        function formatSecurityField(value) {
+            if (value === null || value === undefined || value === '') {
+                return '<span class="security-unknown">?</span>';
+            } else if (value === '1') {
+                return '<span class="security-enabled">✓</span>';
+            } else if (value === '0') {
+                return '<span class="security-disabled">✗</span>';
+            } else {
+                return '<span class="security-unknown">?</span>';
+            }
+        }
+
         // Handle scroll indicator visibility
         function updateScrollIndicator() {
             const container = document.querySelector('.table-container');
@@ -252,6 +285,10 @@
                                 <th>Memory</th>
                                 <th>Manufacturer</th>
                                 <th>Secure</th>
+                                <th>JTAG Locked</th>
+                                <th>EEPROM WP</th>
+                                <th>Pubkey Prog.</th>
+                                <th>Signed Boot</th>
                             </tr>
                         </thead>
                         <tbody>
@@ -276,13 +313,17 @@
                                 <td>${device.memory || ''}</td>
                                 <td>${device.manufacturer || ''}</td>
                                 <td>${device.secure || ''}</td>
+                                <td class="security-field">${formatSecurityField(device.jtag_locked)}</td>
+                                <td class="security-field">${formatSecurityField(device.eeprom_write_protected)}</td>
+                                <td class="security-field">${formatSecurityField(device.pubkey_programmed)}</td>
+                                <td class="security-field">${formatSecurityField(device.signed_boot_enabled)}</td>
                             </tr>
                         `;
                     });
                 } else {
                     tableHtml += `
                         <tr>
-                            <td colspan="15" class="no-devices">No manufacturing data available</td>
+                            <td colspan="19" class="no-devices">No manufacturing data available</td>
                         </tr>
                     `;
                 }
@@ -333,7 +374,18 @@
             rows.forEach(row => {
                 const rowData = [];
                 row.querySelectorAll('td').forEach(cell => {
-                    rowData.push('"' + (cell.innerText || '') + '"');
+                    // For security fields, extract the symbol and convert to readable text
+                    let cellText = cell.innerText || '';
+                    if (cell.classList.contains('security-field')) {
+                        const span = cell.querySelector('span');
+                        if (span) {
+                            const symbol = span.innerText;
+                            if (symbol === '✓') cellText = 'Yes';
+                            else if (symbol === '✗') cellText = 'No';
+                            else if (symbol === '?') cellText = 'Unknown';
+                        }
+                    }
+                    rowData.push('"' + cellText + '"');
                 });
                 if (rowData.length > 1) { // Skip empty rows
                     csvContent += rowData.join(',') + '\r\n';