Installation options for custom images, serial assertions and keys

Today, my device uses full ubuntu with software updates deployed via deb files. In my current setup, software is distributed in an encrypted package and uploaded to a webpage hosted on the device. The device then interrogates the upload to make sure it is valid and proceeds to install any updates via dpkg/apt calls. Furthermore, some of the libraries for my device reside in a LUKS encrypted container which gets mounted at boot time.

An immutable image of the entire device OS with FDE and SB sounds very appealing. But I’m struggling somewhat with what the distribution/installation options are that exist today. So far I’ve gone through the process of bundling some my software into a snap and using “dd” to deploy the base x86 image to a machine but that is it.

It is highly likely that many instances of my device will never be internet connected so the brand store does little for updates in the field. Their networking is often a single RJ45 cable between device and a client workstation running a web browser.

What options are there for image updates in this constrained network paradigm?
Can core images be encrypted to target specific model/device keys? (i.e. how is the software contained within an image protected from prying eyes)

From this page:

The precise implementation of this cryptography may vary from device to device, based on the hardware and software capabilities of that device, and is part of the gadget snap.

Is there an installer mechanism that can interrogate an attestation key in the TPM to validate the target hardware is valid for the image installation?

The brand store is the entity that cares for validating and signing your snaps, you can see that if you download a snap from the global store (a brand store is functionality wise just a “leaf” of the global store), you will get a .snap file as well as the .assert file for that download. the .assert file tells snapd on the device about validity of the snap.

if you had your image built from a brand store your serial assertion would be bound to that store, snaps uploaded to this store would be signed by an assertion matching that store, this is completely decoupled from the way of distributing your snaps.

I.e. you could loop your snaps through the brand store your device image is branded against to get them signed, put .snap and .assert file on an usb stick and install from there using the snap ack.... and snap install ... commands and they would then pass snapds validation mechanism on the device.