https://cloudinit.readthedocs.io/en/latest/reference/datasou...
Might think 'chicken/egg': not really. Resources usually come with some credentials -- use those to add more with this.
Works great.
It would be a really good thing to integrate something like Safeboot (https://github.com/osresearch/safeboot), which does use TPMs. Safeboot is implemented as Bash scripts using tpm2-tools, which... I'm really not fond of. I'd rather implement the Safeboot protocol or similar from scratch in Rust or Go, or even maybe parts in C and parts in a safe language. But anyways, the idea is to enroll a host given its TPM's EKcert or the system's platform cert (if it has one), and in the process generate credentials for the host that it will be able to fetch upon attestation upon first boot and which only it can decrypt using its TPM, then after that the host can use those credentials as a root of trust with which to acquire any other necessary credentials (if any). E.g., client certificates, Kerberos keys ("keytabs"), TLS server certificates, etc.
If you need the host's public keys registered somewhere, you can do that using cloud-init, but there's not built-in mechanism. You'd have to write your own script to do so.
I’d you’re interested in this, I know systemd has been working pretty hard on getting TPM-provisioned credentials usable on Linux though!
For the Raspberry Pi specifically, you would use cloud-init to program Raspberry Pis/compute modules.
Why can't you just simply build a VM image or SD card image and copy it to all the Raspberry Pis? Well you could, but then you need to build a unique image for each Raspberry Pi. Cloud-init lets you factor out the differences between the Raspberry Pis and reuse a single image for all of them. E.g. each Raspberry Pi can have a different hostname, account name, root password and all you have to do is put them in a single configuration file.
What TPMs? This is for the Raspberry Pi line of machines, which don't include that hardware.
What does concern me, is that the image I tried to customise and flash with RPi Imager yesterday to a Pi Zero 2 W, failed to perform all of the customisations and left me having to manually correct it all by finding the hardware and hookin g it up to a monitor and keyboard.
I was trying to avoid having to dig out the correct type of HDMI cable and the OTG adapter to plug in a Keyboard, and removing the Pi from the housing that doesn't allow plugging in anything, all in vain because the imager failed completely, not sure what that's all about.
It did allow me to notice the cloud-init and metadata files there though, I didn't realise cloud-init was new in Raspbian until seeing this post just now.
rcarmo•2mo ago