Capture JTAG, EEPROM states in manufacturing database

tdewey-rpi · tdewey-rpi · commit 1b7e76ff46bf · 2025-08-07T12:47:14.000-07:00
- Updated the devices table schema to include new security tracking fields: jtag_locked, eeprom_write_protected, pubkey_programmed, and signed_boot_enabled, with defaults set to NULL.
- Modified data migration logic to accommodate the new schema, ensuring proper data insertion from the old table.
- Added logic to determine security flags based on provisioning configuration during metadata gathering.
diff --git a/debian/postinst b/debian/postinst
@@ -67,8 +67,8 @@ else
             CREATE TABLE devices_new($STATE_DB_SCHEMA);
             
             -- Copy data from old table to new table (handling all columns)
-            INSERT INTO devices_new($(echo $CURRENT_COLUMNS | sed 's/,$//'))
-            SELECT $(echo $CURRENT_COLUMNS | sed 's/,$//') 
+            INSERT INTO devices_new($(echo "$CURRENT_COLUMNS" | sed 's/,$//'))
+            SELECT $(echo "$CURRENT_COLUMNS" | sed 's/,$//') 
             FROM devices;
             
             -- Drop old table
@@ -95,6 +95,7 @@ fi
 
 # Define the expected schema for manufacturing.db devices table
 # secure is set to 1 by default, as any prior release of rpi-sb-provisioner will have only offered secure provisioning
+# Security tracking fields default to NULL to distinguish between not-applied vs unknown state
 MFG_DB_SCHEMA="id              integer primary key,
     boardname       varchar(255)        not null,
     serial          char(8)             not null,
@@ -109,6 +110,10 @@ MFG_DB_SCHEMA="id              integer primary key,
     memory          varchar(255)        not null,
     manufacturer    varchar(255)        not null,
     secure          integer             not null DEFAULT 1,
+    jtag_locked     integer             DEFAULT NULL,
+    eeprom_write_protected integer      DEFAULT NULL,
+    pubkey_programmed integer           DEFAULT NULL,
+    signed_boot_enabled integer         DEFAULT NULL,
     provision_ts    timestamp           default current_timestamp"
 
 # Ensure WAL journal mode
@@ -126,7 +131,7 @@ else
     CURRENT_COLUMNS=$(sqlite3 "$MFG_DB_PATH" "PRAGMA table_info(devices);" | awk -F'|' '{print $2}' | tr '\n' ',')
     
     # Check if any expected columns are missing
-    for COL in id boardname serial eth_mac wifi_mac bt_mac mmc_size mmc_cid rpi_duid board_revision processor memory manufacturer secure provision_ts; do
+    for COL in id boardname serial eth_mac wifi_mac bt_mac mmc_size mmc_cid rpi_duid board_revision processor memory manufacturer secure jtag_locked eeprom_write_protected pubkey_programmed signed_boot_enabled provision_ts; do
         if ! echo "$CURRENT_COLUMNS" | grep -q "$COL"; then
             echo "Migration needed: column $COL is missing from manufacturing.db devices table"
             
@@ -135,8 +140,8 @@ else
             CREATE TABLE devices_new($MFG_DB_SCHEMA);
             
             -- Copy data from old table to new table
-            INSERT INTO devices_new($(echo $CURRENT_COLUMNS | sed 's/,$//'))
-            SELECT $(echo $CURRENT_COLUMNS | sed 's/,$//') 
+            INSERT INTO devices_new($(echo "$CURRENT_COLUMNS" | sed 's/,$//'))
+            SELECT $(echo "$CURRENT_COLUMNS" | sed 's/,$//') 
             FROM devices;
             
             -- Drop old table
diff --git a/host-support/manufacturing-data b/host-support/manufacturing-data
@@ -91,6 +91,7 @@ metadata_gather() {
         sqlite3 "${RPI_SB_PROVISIONER_MANUFACTURING_DB}" "PRAGMA journal_mode=WAL;" > /dev/null 2>&1
         
         # Define the schema for devices table
+        # Security tracking fields default to NULL to distinguish between not-applied vs unknown state
         EXPECTED_SCHEMA="id              integer primary key,
                     boardname       varchar(255)        not null,
                     serial          char(8)             not null,
@@ -105,6 +106,10 @@ metadata_gather() {
                     memory          varchar(255)        not null,
                     manufacturer    varchar(255)        not null,
                     secure          integer             not null,
+                    jtag_locked     integer             DEFAULT NULL,
+                    eeprom_write_protected integer      DEFAULT NULL,
+                    pubkey_programmed integer           DEFAULT NULL,
+                    signed_boot_enabled integer         DEFAULT NULL,
                     provision_ts    timestamp           default current_timestamp"
         
         # Check if the table exists
@@ -115,6 +120,41 @@ metadata_gather() {
             sqlite3 "${RPI_SB_PROVISIONER_MANUFACTURING_DB}" "CREATE TABLE devices($EXPECTED_SCHEMA);" > /dev/null 2>&1
         fi
         
+        # Determine security flags based on provisioning configuration
+        # JTAG lock status: 1 if enabled, 0 if explicitly disabled, NULL if not configured
+        JTAG_LOCKED_VALUE="NULL"
+        if [ -n "${RPI_DEVICE_LOCK_JTAG}" ]; then
+            JTAG_LOCKED_VALUE="1"
+        elif [ "${SECURE}" = "1" ]; then
+            # For secure provisioning, explicitly track that JTAG locking was not enabled
+            JTAG_LOCKED_VALUE="0"
+        fi
+        
+        # EEPROM write protection status: 1 if enabled, 0 if explicitly disabled, NULL if not configured  
+        EEPROM_WP_VALUE="NULL"
+        if [ -n "${RPI_DEVICE_EEPROM_WP_SET}" ]; then
+            EEPROM_WP_VALUE="1"
+        elif [ "${SECURE}" = "1" ]; then
+            # For secure provisioning, explicitly track that EEPROM WP was not enabled
+            EEPROM_WP_VALUE="0"
+        fi
+        
+        # Public key programming: 1 for secure provisioning, 0 for non-secure, NULL for unknown
+        PUBKEY_PROGRAMMED_VALUE="NULL"
+        if [ "${SECURE}" = "1" ]; then
+            PUBKEY_PROGRAMMED_VALUE="1"
+        elif [ "${SECURE}" = "0" ]; then
+            PUBKEY_PROGRAMMED_VALUE="0"
+        fi
+        
+        # Signed boot: 1 for secure provisioning, 0 for non-secure, NULL for unknown
+        SIGNED_BOOT_VALUE="NULL"
+        if [ "${SECURE}" = "1" ]; then
+            SIGNED_BOOT_VALUE="1"
+        elif [ "${SECURE}" = "0" ]; then
+            SIGNED_BOOT_VALUE="0"
+        fi
+
         # Insert new device data
         sqlite3 "${RPI_SB_PROVISIONER_MANUFACTURING_DB}" \
         "INSERT INTO devices(           \
@@ -130,7 +170,11 @@ metadata_gather() {
                     processor,                  \
                     memory,                     \
                     manufacturer,               \
-                    secure                      \
+                    secure,                     \
+                    jtag_locked,                \
+                    eeprom_write_protected,     \
+                    pubkey_programmed,          \
+                    signed_boot_enabled         \
                 ) VALUES (                      \
                     '${BOARD_STR}',               \
                     '${TARGET_DEVICE_SERIAL}',    \
@@ -144,7 +188,11 @@ metadata_gather() {
                     '${PROCESSOR_STR}',           \
                     '${MEMORY_STR}',              \
                     '${MANUFACTURER_STR}',        \
-                    '${SECURE}'                   \
+                    '${SECURE}',                  \
+                    ${JTAG_LOCKED_VALUE},         \
+                    ${EEPROM_WP_VALUE},           \
+                    ${PUBKEY_PROGRAMMED_VALUE},   \
+                    ${SIGNED_BOOT_VALUE}          \
         );" > /dev/null 2>&1
         announce_stop "Manufacturing Database Insertion"
     fi
