Raspberry Pi
This guide will show you how to get started on the Raspberry Pi platform. This guide uses an image directly generated by Thistle Yocto Build. You can follow along with our video guide as well.
Tools needed
To get started you need to obtain:
- The Thistle Release Helper to help package your updates
- A project access token from the Thistle App
- A Raspberry Pi 4 and an SD card (> 4GB)
- Our full disk image as well as the update disk image
Raspberry Pi setup
To get started, download and copy the full image onto the SD card, for instance using dd or the Raspberry Pi Imager tool. Once the copy is complete, insert the SD card into the Raspberry Pi and test that it is functional. The user is thistle and the password is raspberry.
$ sudo dd if=four.img of=/dev/mmcblk0 status=progress
528062464 bytes (528 MB, 504 MiB) copied, 69.4207 s, 7.6 MB/s
Create an update bundle
For the purpose of this example, we will release the update image as an update. This image will be deployed with the Release Helper, and will be installed on the target automatically by the Update Client.
Let’s start with packaging the update:
# Set up your project's access token - Bash, on Linux/Unix or Windows Subsystem for Linux (WSL)
$ export THISTLE_TOKEN=$(cat)
(paste access token, press enter, then ctrl-d)
# Set up your project's access token - Windows PowerShell
$ $env:THISTLE_TOKEN = "[Access Token Obtained from Thistle App's Projects Section]"
$ ./trh init -p="/boot"
Device enrollment token generated: "[REDACTED]"
Deriving a key from the password and decrypting the secret key... done
Private key stored at: "/home/user/.minisign/minisign.key"
Manifest generated at: "./manifest.json"
Configuration generated at path "./config.json"
# prepare manifest and deploy partition image
$ ./trh prepare --target=./four.rootfs
...
Manifest amended successfully
$ ./trh release
...
Manifest uploaded successfully
Signing an update bundle with a key in KMS
If you do not want to manage a local signing key, a Thistle-managed, Cloud KMS-backed ECDSA-P256 key can be used to sign OTA update bundles. Add the option --signing-method="remote" to all of the trh commands above to use this remotely managed signing key. For example,
trh --signing-method="remote" init ...
trh --signing-method="remote" prepare ...
trh --signing-method="remote" release
Amend Configuration for bootloader
The Thistle Update Client natively supports the Raspberry Pi bootloader. The only step required is to specify the bootloader as RaspberryPi, along with the two partitions that will alternate as the root filesystem. Amend your configuration using the snippet below, since the SD card partitions were specified during image generation.
$ cat config.json
...
"bootloader": "RaspberryPi",
"part_a": "/dev/mmcblk0p2",
"part_b": "/dev/mmcblk0p3"
}
config.json must now be pushed onto the Raspberry Pi, which can be done using scp or a USB key. This is necessary so that we can run the update client on the Raspberry Pi. Under normal circumstances, this operation is performed automatically, e.g. during the image personalization step of a deploy pipeline.
# on the host machine - you likely need to amend the IP address
$ scp config.json thistle@192.168.1.102:~/config.json
Test deployed release
We can now test our deployed release. Note that as the assets will be downloaded from the Thistle Backend Server, an internet connection is required.
# on the Raspberry Pi - confirm config.json file is present
raspberrypi4-64-thistle:~$ cat ~/config.json
# `mmcblk0p2` is currently used as mountpoint for root
raspberrypi4-64-thistle:~$ mount | grep /dev/mmc
/dev/mmcblk0p2 on / type ext4 (rw,relatime)
# we back up `config.json` in the boot directory so that it persists across updates
raspberrypi4-64-thistle:~$ sudo cp ~/config.json /boot
Let’s apply the update and see the result.
raspberrypi4-64-thistle:~$ sudo tuc -c /boot/config.json
!! enrolling new device with server...
!! Thistle client starting in RaspberryPi bootloader mode
!! installing update 0 => 1
!! setting update status to Started
!! setting update status to PendingReboot
The Raspberry Pi will now reboot. Log in again and confirm that the appropriate partition is now the root partition.
# `mmcblk0p3` is now used as mountpoint for root
raspberrypi4-64-thistle:~$ mount | grep /dev/mmc
/dev/mmcblk0p3 on / type ext4 (rw,relatime)
# latch in update by re-running tuc
raspberrypi4-64-thistle:~$ sudo tuc -c /boot/config.json
!! Thistle client starting in RaspberryPi bootloader mode
!! setting update status to Pass
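The manual before/after partition check above can be scripted so that a failed slot switch is caught before the update is latched in. This is an added example, not part of the Thistle tooling: the function names are hypothetical, and it assumes config.json keeps each key on its own line as in the snippet shown earlier and that mount prints lines in the format shown above.

```shell
#!/bin/sh
# Added example (not Thistle code): work out which A/B slot is the running root.

# Print the value of a string key from a flat JSON file.
# Assumption: key and value sit on one line, as in the config.json snippet.
json_str() {  # json_str KEY FILE
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Read `mount` output on stdin and print the device mounted on /.
root_dev() {
    awk '$2 == "on" && $3 == "/" { dev = $1 } END { if (dev != "") print dev }'
}

# Print "a" or "b" for the active slot.
# Returns 2 if the config is inconsistent, 3 if root is on neither partition.
active_slot() {  # active_slot CONFIG ROOT_DEVICE
    boot=$(json_str bootloader "$1")
    a=$(json_str part_a "$1")
    b=$(json_str part_b "$1")
    [ "$boot" = "RaspberryPi" ] || { echo "bootloader is '$boot', expected RaspberryPi" >&2; return 2; }
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ] || { echo "part_a/part_b missing or identical" >&2; return 2; }
    case "$2" in
        "$a") echo a ;;
        "$b") echo b ;;
        *) echo "root device '$2' is neither part_a nor part_b" >&2; return 3 ;;
    esac
}

# Succeed only if the slot recorded before the update differs from the slot after reboot.
slot_switched() {  # slot_switched BEFORE AFTER
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Usage on the device:
#   before=$(active_slot /boot/config.json "$(mount | root_dev)")   # before running tuc
#   after=$(active_slot /boot/config.json "$(mount | root_dev)")    # after the reboot
#   slot_switched "$before" "$after" || echo "root did not move to the other slot" >&2
```

Store the "before" value somewhere that survives the reboot, such as /boot, so it can be compared after the device comes back up.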
More options
This tutorial shows how to manually perform an update on the Raspberry Pi. This process can be automated to update a fleet of devices. In this regard, we support different enrollment setups, either based on Trust On First Use (TOFU), or only accepting pre-enrolled devices.
- Support for pre & post install scripts
- Incremental updates via file updates
- OTA bundle signing using external signing tools