Deploying Ubuntu Core devices at scale

We are thinking of designing a device that we can ship out to customers, where all the customers essentially have to do is plug it in and walk away. We already have the infrastructure in place for the devices to call back with our existing solution; however, we would like to be able to take advantage of the automatic disk encryption that takes place on Ubuntu Core. Our current solution for deploying to our customers is to essentially dd a custom image onto the appliance's disk, but it is my understanding this won't work for deploying Ubuntu Core devices (feel free to correct me). Given all the development that is happening with Ubuntu Core, is anyone able to describe how you would deploy Ubuntu Core at scale? Seeing it's an IoT solution, how would we be able to achieve an automated building process without months of R&D? We are looking for a way to build several hundred devices and remove as much potential human error as possible.

PS: We have looked into the development packages offered, and our couple of hundred devices do not qualify for the program.

Any discussion on the topic welcome.

Well, dd’ing the images to the internal disk at the factory is pretty much what most Ubuntu Core customers do, so this would technically work for you as well…

Note, though, that for no-touch deployment you will not get around building your own images, using the serial vault for provisioning and potentially using an on-prem IoT store in the factory. None of this will work with the public developer images, which are designed for interactive initial boot… so there is no easy way around buying the smartstart package that provides all these features OOTB.

We did think continuing to dd images may be our best option. Do you happen to know how the disk encryption would handle being installed on a new disk with a new TPM? Is there a master key that can be set to re-sync the hardware monitoring?

Disk encryption and secure boot go hand in hand: a disk encryption key is generated on first boot during partition creation and written to the TPM after secure boot has happened. So the only actually relevant and static key here is the UEFI key used for secure booting; the rest is dynamic. As long as your UEFI is at a recent version and has the relevant keys included (which it should), there is nothing to worry about.

Hi,

Just to add, in order for FDE to be set up successfully [in addition to above points], the TPM must be cleared first [TPM reset requested]. If these devices are factory fresh, then it may not be something you have to handle, but if you have a process for writing the images to the disk, it may make some sense to include the TPM reset request in that process too.

Worth noting that on some devices the TPM reset request must be manually confirmed at early boot by a user with physical access, but those devices seem to be more rare in my experience so far.

Cheers, Just
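
The flashing step discussed in this thread, as an added example (not from any of the posters and not Ubuntu Core tooling): it writes the image with dd, verifies it by read-back, and queues a TPM clear for the next boot. It assumes the script runs on the appliance itself from a temporary flashing environment and that the platform exposes the kernel's TPM Physical Presence Interface at /sys/class/tpm/tpm0/ppi/request, where operation 5 requests a clear; the function names and the PPI_REQUEST override are hypothetical.

```shell
#!/bin/sh
# Added example: factory flashing step for one appliance (not Ubuntu Core tooling).
# Assumption: runs on the appliance from a temporary flashing environment, and
# the firmware exposes the TPM Physical Presence Interface (PPI) through sysfs.
# Usage: flash.sh IMAGE TARGET_DISK

# PPI request file; overridable so the logic can be exercised without a TPM.
PPI_REQUEST="${PPI_REQUEST:-/sys/class/tpm/tpm0/ppi/request}"

# Write IMAGE to TARGET, then read the same number of bytes back and compare
# SHA-256 digests so a short or corrupted write is caught before shipping.
flash_and_verify() {
    image=$1; target=$2
    [ -r "$image" ] || { echo "image not readable: $image" >&2; return 2; }
    size=$(($(wc -c < "$image")))
    dd if="$image" of="$target" bs=4M conv=fsync 2>/dev/null || return 3
    want=$(sha256sum < "$image" | cut -d' ' -f1)
    # On a real block device, read-back can be served from the page cache.
    got=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ] || { echo "read-back mismatch on $target" >&2; return 4; }
}

# Queue PPI operation 5 (clear TPM) so the firmware clears the TPM at next boot.
# Some firmware asks for confirmation by a user with physical access at that boot.
request_tpm_clear() {
    [ -w "$PPI_REQUEST" ] || { echo "no writable PPI file: $PPI_REQUEST" >&2; return 5; }
    echo 5 > "$PPI_REQUEST" || return 5
}

# Run only when both arguments are given; stop before the TPM step if flashing fails.
if [ "$#" -eq 2 ]; then
    flash_and_verify "$1" "$2" && request_tpm_clear
fi
```

The non-zero return codes let a factory harness distinguish an unreadable image (2), a dd failure (3), a read-back mismatch (4) and a missing PPI interface (5).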