
An RPM package containing fdo_manufacturing_client #706

Open
jbenc opened this issue Dec 17, 2024 · 2 comments

Comments

@jbenc

jbenc commented Dec 17, 2024

Currently, fdo_manufacturing_client is packaged in fdo-init.rpm. However, that package was specifically created to be injected into coreos installer's initramfs. There's no generic fdo_manufacturing_client rpm with a systemd service file etc.

@nullr0ute
Contributor

The manufacturing process is designed to run once to generate a device/OV credential pair, and in fact for devices that already come with credentials created, say stored in a tpm2 module, it shouldn't actually be run at all.

Can you outline more details why you would need this as a separate package running as a service?

@jbenc
Author

jbenc commented Dec 18, 2024

The intended use case is a bootable container (bootc). You need to be able to add the client when building the container (thus the need for an rpm package) and you need to be able to run it somehow. You're right it doesn't have to be via systemd; we may certainly brainstorm other ideas.

The main point is there's no on-device installer. The creation of the image happens off the device[*]. The role of the installer is replaced by the first boot; in the case of FDO, it would be the first (manufacturing) and the second (onboarding) boot.

[*] Now, it would be an interesting discussion whether the manufacturing step could be performed off the device, i.e. performed on a VM image from outside the image. My reading of the specs is that it's not supposed to be; on the other hand, it would be indistinguishable from the point of view of the rest of the FDO process, so it may not really matter. Unless you want to use a (possibly emulated) TPM. It may be an interesting area for research.
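As an added illustration of the two points raised above (the client has to be startable somehow on first boot of a bootc image, yet manufacturing must run at most once and not at all on devices that already carry a credential), here is a run-once guard of the kind a first-boot service could wrap around the client. This is example code, not part of the fido-device-onboard project, and the credential path, stamp path and client command are hypothetical placeholders chosen for the example; nothing here reflects the real client's file layout.

```shell
#!/bin/sh
# Added example (not project code): a first-boot guard around a hypothetical
# manufacturing client invocation. All paths are placeholders.
set -eu

# run_manufacturing_once CRED_PATH STAMP_PATH CLIENT_CMD [ARGS...]
#   CRED_PATH  where an already-provisioned device credential would live
#              (a device that came with one from the factory, or whose
#              credential lives behind a TPM, must not be re-manufactured)
#   STAMP_PATH marker written after a successful run so a reboot does not
#              repeat the step and mint a second credential/OV pair
#   CLIENT_CMD the command to run exactly once when neither file exists
# Returns 0 when it skips, otherwise the client's exit status.
run_manufacturing_once() {
    cred="$1"; stamp="$2"; shift 2
    if [ -e "$cred" ]; then
        echo "device credential present at $cred; skipping manufacturing"
        return 0
    fi
    if [ -e "$stamp" ]; then
        echo "manufacturing already completed ($stamp exists); skipping"
        return 0
    fi
    # Only reach the client when the device has never been manufactured.
    "$@"
    touch "$stamp"
}
```

In a systemd unit the same two checks could be expressed declaratively with `ConditionPathExists=!/path/to/credential` and `ConditionPathExists=!/path/to/stamp`, but keeping them in the wrapper makes the behaviour identical whether the step is launched by systemd, by an init hook, or by hand, which is what the "doesn't have to be via systemd" remark leaves open. Usage: `run_manufacturing_once /var/lib/example/device-credential /var/lib/example/manufactured fdo_manufacturing_client` (placeholder paths).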
