Device Provisioning

Before a device can receive updates, it must enroll with Thistle’s backend. There are two Provisioning flows supported: pre-enrollment and enrollment on first boot.

Once a device has been enrolled with Thistle, it will have a unique device_id and device_token that are used for all subsequent communications with Thistle’s backend in order to identify and authenticate the fielded device.

Enrollment on first boot

Enrollment on first boot allows devices to enroll with Thistle’s backend automatically upon the first invocation of Thistle Update Client, in a Trust On First Use (TOFU) manner. The device will be enrolled with the enrollment token, which is is tied to a specific project.

The Thistle Update Client will automatically enroll if it does not find a device_id and device_token pair in the identity file or configuration file.

Device Pre-enrollment

A pre-enrolled device has a unique device_id and device_token that must be loaded onto the device before the Update Client is first run.

The Thistle Release Helper can be used to create a unique configuration for each device, that can then be flashed during device manufacturing.

$ ./trh init --persist /tmp/ --pre-enroll
Manifest generated at: "./manifest.json"
Configuration generated at path "./config.json"