Before a device can receive updates, it must enroll with Thistle’s backend. There are two Provisioning flows supported: pre-enrollment and enrollment on first boot.

Once a device has been enrolled with Thistle, it will have a unique device_id and device_token that are used for all subsequent communications with Thistle’s backend in order to identify and authenticate the fielded device.

Enrollment on first boot

Enrollment on first boot allows devices to enroll with Thistle’s backend automatically upon the first invocation of Thistle Update Client, in a Trust On First Use (TOFU) manner. The device will be enrolled with the enrollment token, which is tied to a specific project.

The Thistle Update Client will automatically enroll if it does not find a device_id, device_token, device_certificate_pem and device_private_key_pem quadruple in the identity file or configuration file.

In this mode of operation, the Update Client will require an internet connection upon the first boot to enroll the device with Thistle’s backend.

Device Pre-enrollment

A pre-enrolled device has a unique device_id, device_token, device_certificate_pem and device_private_key_pem that must be loaded onto the device before the Thistle Update Client is first run.

The Thistle Release Helper can be used to create a unique configuration for each device, that can then be flashed during device manufacturing.

$ ./trh init --persist /tmp/ --pre-enroll
Manifest generated at: "./manifest.json"
Configuration generated at path "./config.json"

The identity file can also be used to pre-enroll devices, see the Identity File section for more information.