Hacker News

Cloud-Init on Raspberry Pi OS

67 points by rcarmo last Thursday at 6:39 PM | 12 comments

Comments

alias_neo today at 9:43 AM

I noticed this yesterday: I was digging around my uSD after I tried to use the Raspberry Pi Imager to pre-customise a flash for a Pi Zero 2W, and it failed at everything, including setting up the user, enabling SSH, adding my key, setting the hostname, and connecting to WiFi.

I was trying to avoid having to dig out the correct type of HDMI cable and the OTG adapter to plug in a keyboard, and removing the Pi from the housing that doesn't allow plugging in anything, all in vain because the imager failed completely; not sure what that's all about.

It did allow me to notice the cloud-init and metadata files there, though. I didn't realise cloud-init was new in Raspbian until seeing this post just now.

cryptonector today at 5:26 AM

First I've heard of cloud-init. So I went looking to see how it does provisioning of SSH keys and... it doesn't really. Sure, it will add public keys to the authorized_keys file, but it won't do anything to register each provisioned host's public keys anywhere. And here I was hoping for something to do with TPMs or DICE or something. But sadly, no.

It would be a really good thing to integrate something like Safeboot (https://github.com/osresearch/safeboot), which does use TPMs. Safeboot is implemented as Bash scripts using tpm2-tools, which... I'm really not fond of. I'd rather implement the Safeboot protocol or similar from scratch in Rust or Go, or even maybe parts in C and parts in a safe language. But anyways, the idea is to enroll a host given its TPM's EKcert or the system's platform cert (if it has one), and in the process generate credentials for the host that it will be able to fetch upon attestation on first boot and which only it can decrypt using its TPM. After that, the host can use those credentials as a root of trust with which to acquire any other necessary credentials (if any), e.g. client certificates, Kerberos keys ("keytabs"), TLS server certificates, etc.
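For readers who have not seen one, here is an added example of the cloud-init user-data that does the authorized_keys provisioning described in the comment above. It is not the commenter's code nor anything shipped by the Raspberry Pi project; the hostname, user name and the public key are constructed placeholders.

```yaml
#cloud-config
# Added example (not from the thread): minimal cloud-init user-data that creates
# one admin user with an SSH public key, sets the hostname and disables password
# login over SSH. Hostname, user name and key are constructed placeholders.
hostname: pi-zero-2w
manage_etc_hosts: true

users:
  - name: admin
    groups: [sudo]
    shell: /bin/bash
    sudo: "ALL=(ALL) NOPASSWD:ALL"
    # No password is set for the account; access is by public key only.
    lock_passwd: true
    ssh_authorized_keys:
      # Placeholder: replace with the real ed25519 public key line.
      - ssh-ed25519 AAAA...REPLACE-WITH-YOUR-PUBLIC-KEY admin@example

# Refuse password authentication in sshd, so a weak or default password is never
# an entry point on a freshly flashed board.
ssh_pwauth: false
```

Note what this does and does not cover: cloud-init writes the listed public keys into the new user's `~/.ssh/authorized_keys` and configures sshd, but, as the comment says, nothing here publishes the board's own SSH host keys anywhere. The fingerprint shown on the first connection still has to be verified out of band (for example from the console or a serial line) before it is trusted.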

synergy20 today at 4:07 AM

I don't have fond memories of cloud-init from Ubuntu installs in the past; sometimes it got stuck there for good. I would like the installation to be done quickly offline, or, if the network is live, at least time out the stuck cloud-init and proceed when it occurs.

rcarmo last Thursday at 6:39 PM

At last, one of my uses for https://github.com/rcarmo/ground-init is gone.

thedougd today at 4:19 AM

This was already in Ubuntu server for the RPi.

Works great.

Jemm today at 9:30 AM

And now there are even more outdated tutorials. Not great for a 'beginner' platform.
