rpi-sb-provisioner (2.3.0) unstable; urgency=medium

  * Final 2.3.0 release:
    - Roll up the 2.3.0 preview series and the post-2.3.0~pre4
      stabilisation work into a supported release.

  * IDP (Image Description Provisioning) support:
    - Add the rpi-idp-provisioner.sh orchestrator and systemd unit for
      consuming rpi-image-gen IDP artefacts, including pre-flight JSON,
      storage, image and encryption validation.
    - Support IDP archive upload, extraction and SHA256 sidecars in the
      WebUI, with image-first configuration that derives device family,
      storage type and encryption settings from image metadata.
    - Sign secure-boot IDP boot slots, preserve the boot_ramdisk config for
      first boot, support customisation hooks, and expose IDP service logs.
    - Harden IDP handling around LUKS2 cipher detection, missing storage
      metadata, unsupported storage types, timeout handling and Zero 2 W
      platform mapping.

  * Firmware crypto, Connect and key handling:
    - Provision and OTP-lock the device firmware crypto key for all
      provisioning styles, using it for cryptroot unlock and Raspberry Pi
      Connect device identity registration.
    - Add Raspberry Pi Connect registration options, manufacturing database
      fields, UI/CSV output and non-fatal registration handling.
    - Move PKCS#11 key parsing from the deprecated OpenSSL ENGINE path to
      pkcs11-provider/OSSL_STORE, with in-process PIN handling and provider
      readiness plus HSM key discovery in the WebUI.
    - Encrypt stored HSM PINs and uploaded PEM signing keys at rest using an
      AES-256-GCM wrapper derived from the Raspberry Pi firmware crypto
      device key.
    - Add rpi-sb-keyhelper and PEM/PKCS#11 signing wrappers so wrapped keys
      can be used by the Raspberry Pi signing tools without writing
      plaintext private keys back to disk.

  * Secure-boot bootstrap and firmware updates:
    - Add AB-capable 2712 EEPROM image support by detecting and signing both
      bootcode and bootsys before passing them to rpi-eeprom-config.
    - Use set_reboot_order=0x3 in recovery configs so devices return to
      RPIBOOT automatically for the fastboot bootstrap phase, removing the
      manual Pi 5 re-plug step and the corresponding WebUI guidance.
    - Refresh bundled fastboot gadgets repeatedly through the EEPROM
      measurement, A/B bootfiles and monolithic sparse whole-disk image
      writing updates.
    - Update rpi-eeprom and rpiboot runtime dependencies to versions that
      carry the matching recovery images, bootfiles and firmware support.

  * Reliability and provisioning correctness:
    - Refresh cryptroot_initramfs for the systemd initrd flow, fixing the
      Trixie/systemd 257 switch-root regression reported in #299.
    - Use kernel crypto API aliases in kernel_modules.list and copy modules
      for all applicable kernels, making encrypted images more robust across
      kernel updates.
    - Preserve real provisioner exit statuses from cleanup traps so systemd,
      the WebUI and manufacturing records reflect failures correctly.
    - Force FAT32 for signed boot-slot filesystems and propagate mkfs
      failures rather than silently flashing bad slots.
    - Fix secure-boot images without static.role="boot" partitions and avoid
      rewriting root= in cmdline.txt.
    - Invalidate cached signed artefacts when firmware or signing keys
      change, and wipe the workdir artefact cache on package upgrades.

  * WebUI, manufacturing data and service updates:
    - Replace the state.db inotify watcher with localhost-only internal
      notification endpoints protected by a per-boot token, eliminating the
      steady-state CPU spin while keeping topology updates responsive.
    - Improve device and detail-view liveness, add responsive tile and detail
      views, improve manufacturing table pagination/loading/escaping, and
      consolidate shared styling.
    - Record additional EEPROM measurements, capture intended vs observed
      security state, fix CM5 Lite identifiers, and drop extraneous EEPROM
      fields from manufacturing records.
    - Add SQL busy timeouts for SQLite contention under high device
      throughput.

  * Documentation and packaging:
    - Convert project documentation from AsciiDoc to Markdown and refresh
      README, API and device guidance for the 2.3.0 workflows.
    - Add zlib, zstd, librpifwcrypto, pkcs11-provider, p11-kit and gnutls
      dependencies required by the new archive, key wrapping and HSM paths.
    - Clean stale FetchContent state during package builds, install the new
      IDP and signing helper scripts, create the lock directory on install,
      and fix the udev rules comma.

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 10 Jun 2026 12:28:37 +0100

rpi-sb-provisioner (2.3.0~pre4) unstable; urgency=medium

  * WebUI: remove Raspberry Pi 5 re-plug notification:
    - Obviated by set_reboot_order=0x3 (2.3.0~pre2), which reboots the
      device straight back into RPIBOOT mode for the fastboot bootstrap
      phase, so the operator no longer has to manually unplug and
      re-insert the USB-C cable after the EEPROM-update reboot.
    - provisioner-service/src/devices.cpp: drop the needsReplug signal
      and the sticky boardTypeBySerial plumbing (per-serial latch,
      placeholder state/board_type carry, final board_type pass) that
      existed solely to keep the badge alive across that reboot.
    - Remove the Re-plug badge from the topology and tile views and the
      re-plug banner from the device-details page (devices.csp,
      tile_view.csp, device_detail.csp).
    - board_type detection in rpi-sb-bootstrap.sh and the state.db
      board_type column are retained as generic device metadata (still
      surfaced as boardType in the topology JSON).
    - docs: rewrite the Pi 5 connection guide for the single-connection
      flow (drop the manual unplug/reconnect "Step 2"), and update the
      stale "unlike Pi 5" reconnection contrasts in the Pi 4 guide and
      README quick reference.

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Mon, 01 Jun 2026 12:02:11 +0100

rpi-sb-provisioner (2.3.0~pre3) unstable; urgency=medium

  * Bootstrap: AB-capable EEPROM image support:
    - service/rpi-sb-bootstrap.sh: detect AB-capable 2712 EEPROM
      images by probing for the "bootsys" filename marker at offset
      0x10008 (new isABCapableImage() helper), and when present,
      sign the extracted bootsys blob with rpi-sign-bootcode in
      addition to bootcode.bin, passing --bootsys alongside
      --bootcode to rpi-eeprom-config. Mirrors usbboot PR
      raspberrypi/usbboot#363; non-AB images take the unchanged
      single-bootcode path.

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Thu, 28 May 2026 17:08:49 +0100

rpi-sb-provisioner (2.3.0~pre2) unstable; urgency=medium

  * cryptroot_initramfs regression fix (#299):
    - Refresh the bundled cryptroot_initramfs from pi-gen-micro. The
      Trixie-rebuilt image (systemd 257) refused systemctl switch-root
      from non-initrd mode, leaving devices provisioned successfully
      but stuck at the initramfs login prompt instead of pivoting into
      the unlocked rootfs.
    - The new image is marked as an initrd (/etc/initrd-release) and
      the cryptroot service has been rewired into the standard systemd
      initrd flow: Before=initrd-root-fs.target with the pivot
      delegated to systemd's stock initrd-switch-root.service, instead
      of the bespoke multi-user.target + manual switch-root from
      v2.1.3.
    - getty is masked in the cryptroot image: the "localhost login:"
      symptom cannot recur, and emergency.target still gets a console
      via sulogin if cryptroot.service fails.

  * Kernel module list durability (also #299):
    - host-support/kernel_modules.list: switch from concrete crypto
      module names (chacha-neon, chacha_generic, aes-arm64, ...) to
      kernel crypto API aliases (crypto-xts(aes), crypto-adiantum,
      crypto-nhpoly1305, crypto-xchacha12). Aliases are resolved by
      libkmod via modules.alias and survive the upstream module
      renames between 6.12 and 6.18, fixing the secondary
      provisioning-time failure also reported in #299.

  * Bundled rpi-fastbootd refresh:
    - Refresh the fastboot gadget image to pick up rpi-fastbootd
      be8a8ce ("vars: Add eeprom manipulation, data fetch"), which
      adds oem eeprom-update / eeprom-verify / eeprom-read plus
      signed-eeprom, eeprom-device, eeprom-size, eeprom-sha256,
      eeprom-jedec, eeprom-unique-id and eeprom-spi-speed getvars.

  * Dependency refresh:
    - debian/control: require rpi-eeprom (>= 28.23-1) to pick up the
      rpiboot/recovery image that honours set_reboot_order in the
      recovery config.txt.

  * Bootstrap: eliminate re-plug requirement on Pi 5 (and Pi 4):
    - service/rpi-sb-bootstrap.sh: insert set_reboot_order=0x3 ahead
      of recovery_reboot=1 in both the secure-boot keywriting recovery
      config and the non-secure EEPROM-update recovery config, so the
      device reboots straight back into RPIBOOT mode ready for the
      fastboot bootstrap phase instead of requiring a manual USB
      re-plug.

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 27 May 2026 14:57:26 +0100

rpi-sb-provisioner (2.3.0~pre1) unstable; urgency=medium

  * Pre-release:
    - First preview of the 2.3.0 line. Combines the IDP, Connect and
      rpifwcrypto work from the 2.3.0 changelog draft with the
      post-April stabilisation and re-plug guidance work below.

  * IDP (Image Description Provisioning) Support:
    - Add support for consuming IDP-style artefacts from rpi-image-gen,
      enabling pre-built partition layouts, encryption, and sparse image
      provisioning via the device-side fastboot IDP protocol
    - Add new rpi-idp-provisioner.sh orchestrator implementing the full
      IDP protocol: erase, stage JSON, idpinit, idpwrite, idpgetblk/flash
      loop, and idpdone, with timeout_fatal wrappers on all fastboot
      commands
    - Add rpi-idp-provisioner@.service systemd template unit
    - Extend triage to detect IDP artefact directories
      (GOLD_MASTER_OS_FILE pointing to a directory) and route to the
      IDP provisioner automatically
    - IDP pre-flight validation: JSON syntax, referenced .simg file
      existence, device class and storage type cross-checks against
      host configuration

  * IDP WebUI:
    - Add image-first progressive disclosure UI: selecting an IDP
      artefact auto-populates device family, storage type, and cipher
      from the artefact's JSON metadata, locking those fields with
      "Set by image" badges
    - Hide the FDE-only provisioning style tile for IDP artefacts, as
      encryption is defined by the IDP JSON; provisioning style collapses
      to a binary Secure Boot / Naked choice
    - Support upload of .tar.gz, .tgz, and .zip archives containing IDP
      artefacts, with security validation (path traversal checks, disk
      space checks, atomic extraction)
    - Add /analyze-image endpoint returning IDP metadata (device class,
      storage type, encryption, cipher, partition count, image version)
    - Display IDP badge in the image list for artefact directories

  * Image SHA256 Improvements:
    - Compute SHA256 of IDP archives before extraction, capturing the
      fingerprint of the exact artefact uploaded
    - Store IDP archive hash in a .sha256 sidecar file alongside the
      extracted artefact directory, reusing the existing sidecar pattern
    - Update /get-image-sha256 to return sidecar hash directly for IDP
      artefact directories, avoiding unnecessary background calculation
    - Add is_idp flag to ImageInfo struct for reliable IDP detection
      in image listings, replacing fragile sha256 string comparison
    - Clean up sidecar files when deleting IDP artefact directories

  * Bug Fixes:
    - Fix image deletion from the Options page: frontend was calling
      /images/delete (non-existent) instead of /delete-image (the
      documented and registered endpoint)
    - Fix HTTP method for image deletion: changed from DELETE to POST
      to match the backend handler
    - Fix image browser detail pane overflowing its container by adding
      box-sizing: border-box to .image-list and .firmware-notes
    - Fix cleanup_orphans destroying persistent data directories
      (images, workdir, databases): TEMP_BASE now points to a dedicated
      /srv/rpi-sb-provisioner/tmp subdirectory, and all temp directory
      creation uses a new make_temp_dir helper
    - Fix rpi-sb-common.sh base directory variables overwriting values
      pre-set by sourcing scripts (e.g. rpi-sb-bootstrap.sh)

  * IDP Validation in provisioner-service:
    - Extend GOLD_MASTER_OS_FILE validation in options.cpp to support
      directories: validates exactly one .json file exists, JSON is
      syntactically valid, and all referenced .simg files are present

  * Packaging:
    - Add rpi-idp-provisioner.sh to /usr/bin and
      rpi-idp-provisioner@.service to /usr/lib/systemd/system in
      debian/install
    - Create /var/lock/rpi-sb-provisioner in postinst so with_lock()
      works on fresh installs; LOCK_BASE was previously assumed to
      exist but never created by the package
    - Remove redundant per-call board_type migration probe from
      record_state() in host-support/state-recording: postinst
      already performs a more thorough state.db schema migration on
      upgrade, so the runtime probe added two SQLite invocations to
      every device state transition for no benefit

  * Raspberry Pi Connect Device Identity Registration:
    - Automatically register provisioned devices with the Raspberry Pi
      Connect management API when RPI_CONNECT_API_KEY is configured
    - Request signing uses the device's firmware crypto ECDSA key via
      fastbootd's 'oem fwcrypto sign-hash' command; the private key
      never leaves hardware
    - Add RPI_CONNECT_API_KEY and RPI_CONNECT_DESCRIPTION config
      options with validation in options.cpp
    - Add Cloud Services section to options UI with password-masked
      API key input and description prefix field
    - Add connect_registered and connect_device_id columns to
      manufacturing database schema, with migration in postinst
    - Add Connect columns to manufacturing UI table and CSV export
    - Non-fatal: registration failures log warnings but never abort
      provisioning (set +e guard, curl timeouts, robust PEM capture)

  * Cryptroot rpifwcrypto Support:
    - Update cryptroot initramfs to unlock the encrypted root filesystem
      using the device's firmware crypto ECDSA key (rpifwcrypto), in
      place of key material delivered out-of-band or stored on disk
    - Triage now always provisions the device firmware crypto key
      (oem fwcrypto init) before provisioning proceeds, regardless of
      provisioning style, and verifies the key is written to OTP before
      continuing -- aborting the device if provisioning fails
    - Establishes a hardware-held device unique identity that underpins
      both LUKS unlock (via a derived secret bound to the key and other
      measurements) and Raspberry Pi Connect device identity
      registration; the private key never leaves the SoC

  * Provisioner Exit Status Fix:
    - Fix cleanup() trap handler in rpi-sb-provisioner.sh,
      rpi-fde-provisioner.sh, rpi-naked-provisioner.sh,
      rpi-idp-provisioner.sh and rpi-sb-bootstrap.sh swallowing the
      real exit status: the re-entry guard and CLEANUP_DONE=1
      assignment clobbered $? before it was captured, so any failure
      caught by the trap (set -e, die, SIGTERM) was reported as
      success -- the systemd unit showed "Deactivated successfully"
      and the WebUI saw a clean run despite aborted provisioning
    - Capture $? as the first statement of cleanup() so the original
      exit status propagates through to systemd and the manufacturing
      database

  * IDP Refinements:
    - Sign boot slots for secure-boot IDP provisioning, and drop a
      boot_ramdisk config.txt next to the signed boot.img so the
      device picks up the signed bootchain on first boot
    - Ensure the device unique firmware crypto key is OTP-locked at
      the end of provisioning, establishing an immutable hardware
      identity for subsequent boots
    - Expand the encryption flag matcher so all LUKS2 cipher variants
      are recognised as encrypted IDP layouts (fixes LUKS2 cipher
      field handling)
    - Fall back to the configured storage type when the IDP JSON does
      not name one, instead of refusing to provision
    - Catch all non-supported storage types up-front with a clear
      error rather than proceeding to a broken flash
    - Add missing timeout_nonfatal wrappers in rpi-idp-provisioner.sh
    - Default timeout_fatal to 30s in the IDP provisioner
    - Wire provision-started hook arguments through rpi-sb-common.sh
      and move the IDP provision-started hook to the correct
      lifecycle point
    - Add IDP provisioner customisation hook editors to the WebUI
    - Allow IDP service log viewing in the WebUI
    - Fix incorrect zero2w platform name mapping in the IDP
      provisioner, image-handling paths, and documentation

  * Re-plug Guidance:
    - Record the discovered board type per device so re-plug guidance
      can be tailored to the family
    - Add Raspberry Pi 5 re-plug banners to the WebUI, prompting
      operators to physically re-plug devices that cannot enter
      RPIBOOT automatically
    - Improve device and detail-view liveness so the WebUI reflects
      in-flight provisioning state without manual refresh
    - Capture provisioning intent vs observed state for fields that
      cannot yet be confirmed over fastboot (jtag_locked,
      eeprom_write_protected); add a devkey_revoked column observed
      via 'getvar secure-devkey'; clarify signed_boot_enabled as
      derived from pubkey_programmed in the manufacturing API

  * Fastboot Data Path & Gadget Updates:
    - Use TCP for the data path when fastbootd advertises support,
      improving throughput over USB on capable hardware
    - Refresh the bundled fastboot gadget against upstream
      rpi-fastbootd, through b1e51bd4, e8c13a5 and finally
      f3ce930249ab0d657ddaf5d3ba4a076320894c78

  * Workdir Cache Invalidation:
    - Invalidate cached signed artefacts in $RPI_SB_WORKDIR when the
      selected firmware or signing keys change, so stale boot.img
      files are never re-flashed
    - Wipe all cached provisioning artefacts under $RPI_SB_WORKDIR on
      package upgrade

  * Triage:
    - Trust idempotent 'oem fwcrypto init' and drop the pre-check
      that round-tripped over fastboot before initialisation

  * Configuration Plumbing:
    - Introduce shared resolvers for special configuration flags,
      consumed by both provisioner-service and rpi-sb-bootstrap.sh,
      so flag interpretation is consistent across host components

  * Database Contention:
    - Use SQL busy timeouts in provisioner-service to handle SQLite
      contention gracefully under high device throughput

  * Provisioner Service State Change Notifications:
    - Drop the inotify watch provisioner-service used to keep on
      /srv/rpi-sb-provisioner/state.db and -wal; the watch self-
      triggered against the service's own SQLite reads and pinned a
      core at 100% during steady-state operation
    - Introduce a localhost-only HTTP API on provisioner-service for
      the bash provisioning scripts to push state-change and
      manufacturing-row notifications: POST /internal/state-changed
      (paired with record_state in host-support/state-recording) and
      POST /internal/manufacturing-recorded (paired with the
      manufacturing.db INSERT in host-support/manufacturing-data);
      both kick the topology worker for an immediate rescan
    - Gate the endpoints with two access layers: a transport-level
      loopback check on the real peer address (X-Forwarded-For is
      ignored so a reverse proxy cannot spoof 127.0.0.1), and a
      per-boot shared-secret token written by the service to
      /run/rpi-sb-provisioner/internal.token at mode 0600. Token
      comparison is constant-time
    - Calls from the provisioning scripts are fire-and-forget with
      short curl timeouts; a missing token file or unreachable
      service does not fail provisioning, and the worker's existing
      10s wait_for backstop still covers anything that slips past

  * Common Filesystem Handling:
    - Force FAT32 when formatting the signed boot slot vfat, and
      propagate mkfs failures so a bad slot is not silently flashed

  * UI & Image Browser Polish:
    - Use image summaries for both IDP artefacts and traditional
      GOLD_MASTERs in the image list
    - Move firmware selection into the device block in the image
      browser
    - Refactor options handling for IDP preference, and offer
      differential security options for IDP and naked provisioning
    - Allow the IDP storage selection to be overridden from the UI
    - Fix the OS image browser bounding box
    - Fix 1440-minute image deletion timing
    - Use a .sha256 sidecar for OS image SHA256 recording in
      manufacturing-data
    - Update Connect terminology in provisioner scripts to match the
      product naming
    - Fix Connect public key handling in manufacturing-data
    - Fix CM5 Lite board identifier in manufacturing-data output and
      UI rendering
    - Correct default boot order comments in the shipped defaults

  * Packaging:
    - Add missing zlib1g-dev and libzstd-dev build dependencies
    - Update rpi-eeprom and rpiboot runtime dependencies
    - Create the lockfile directory in postinst on install
    - Fix a missing comma in debian/rpi-sb-provisioner.udev

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Thu, 21 May 2026 16:30:00 +0100
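
The exit-status bug described under "Provisioner Exit Status Fix" above, reproduced as an added example (not code from rpi-sb-provisioner). The cleanup() bodies, the failure scripts and the observed_status helper are constructed for illustration and only mirror the statement ordering the entry describes.

```shell
#!/bin/sh
# Added example (not project code): why cleanup() must read $? first.
# Every script fragment below is a constructed stand-in for a provisioner run.

# Ordering described in the changelog entry: the re-entry guard and the
# CLEANUP_DONE assignment run before $? is read.
BUGGY_CLEANUP='
CLEANUP_DONE=
cleanup() {
    [ -n "$CLEANUP_DONE" ] && return   # first entry: test fails, $? is now 1
    CLEANUP_DONE=1                     # assignment succeeds, $? is now 0
    rc=$?                              # read too late: always 0
    rm -rf "$WORK"
    exit "$rc"                         # trap exits 0 and masks the failure
}'

# Fixed ordering: $? is captured as the first statement of cleanup().
FIXED_CLEANUP='
CLEANUP_DONE=
cleanup() {
    rc=$?                              # original exit status, untouched
    [ -n "$CLEANUP_DONE" ] && return "$rc"
    CLEANUP_DONE=1
    rm -rf "$WORK"
    exit "$rc"                         # real status reaches the caller
}'

# Constructed failure: a command fails under set -e.
FAIL_SET_E='set -e
WORK=$(mktemp -d)
false
echo "not reached"'

# Constructed failure: an explicit die() with a distinctive status.
FAIL_DIE='die() { echo "$1" >&2; exit 3; }
WORK=$(mktemp -d)
die "constructed failure"'

# Constructed clean run.
SUCCEED='WORK=$(mktemp -d)
true'

# Run cleanup variant $1 with script body $2 in a child shell and print the
# exit status a supervisor (systemd, a wrapper script) would observe.
observed_status() {
    status=0
    sh -c "$1
trap cleanup EXIT
$2" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Side-by-side comparison of what the caller sees for each body.
for body in FAIL_SET_E FAIL_DIE SUCCEED; do
    eval "script=\$$body"
    printf '%-10s buggy=%s fixed=%s\n' "$body" \
        "$(observed_status "$BUGGY_CLEANUP" "$script")" \
        "$(observed_status "$FIXED_CLEANUP" "$script")"
done
```

With the buggy ordering both failing runs report 0, which is what lets a supervisor log a clean deactivation for an aborted run; the fixed ordering reports 1 and 3.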

rpi-sb-provisioner (2.2.0) unstable; urgency=medium

  * Features:
    - Add PKCS#11 HSM signing support for secure signing operations
    - Add USB speed attribute detection for better device capability
      identification
    - Add CSRF token validation for critical endpoints to improve security
    - Add kernel_modules.list for configurable kernel module inclusion
    - Integrate rpi-modcopy for improved kernel module handling and
      dependency resolution
    - Add RPI_DEVICE_RPIBOOT_GPIO configuration for Pi 4 family secure-boot
      provisioning (fixes GitHub issue #242)

  * WebUI Accessibility:
    - Add lang="en" attribute to all page templates for screen readers
    - Add semantic HTML structure with <main> landmark and skip navigation
    - Add ARIA roles and live regions to status/error messages
    - Add table captions and scope attributes for screen reader navigation
    - Add aria-label attributes to action buttons with contextual information
    - Add accessible tab interfaces with proper ARIA roles and keyboard support
    - Add screen-reader-only descriptions for D3 visualizations
    - Add role="log" and aria-live to service log container
    - Improve focus visibility with enhanced CSS outline styles
    - Add aria-hidden to decorative icons and emojis

  * Provisioning Improvements:
    - Refactor signing infrastructure into rpi-sb-common.sh for better
      modularity and reuse
    - Enhance cleanup process with guard against multiple invocations
    - Fix temporary directory creation path to /srv/rpi-sb-provisioner,
      avoiding Trixie tmpfs issue
    - Improve orphan cleanup logic to preserve base temp directory
    - Fix Pi 4/CM4 secure-boot provisioning by programming RPIBOOT GPIO
      into OTP alongside the secure boot public key

  * WebUI:
    - Add JSON endpoints for firmware listing and management
    - Improve device visualization with edge avoidance force and better
      link rendering
    - Conditionally display firmware select button for cleaner interface
    - Add RPIBOOT GPIO configuration field for Pi 4 secure-boot provisioning
      with validation and clear guidance recommending GPIO 8

  * Documentation:
    - Revise provisioning capacity and throughput metrics
    - Update Pi 4 device guidance with RPIBOOT GPIO requirements
    - Add RPI_DEVICE_RPIBOOT_GPIO to configuration variables documentation

  * Naked Provisioner & Image Customisation:
    - Expand naked-provisioner stages to include bootfs-mounted and
      rootfs-mounted phases for full image customisation support
      (fixes GitHub issue #258)
    - Use cp --reflink=auto for image copying, optimising performance
      and reducing disk usage on btrfs/xfs hosts
    - Add checks to ensure customisation scripts are executable before
      running
    - Flash modified image when customisation scripts are executed

  * Provisioning Hooks:
    - Add provision-started stage and hook, allowing actions (e.g. LED
      control, rig signaling) to execute at the start of provisioning

  * Customisation WebUI:
    - Add copy-sources functionality allowing users to select and copy
      scripts from other provisioners during stage editing
    - Display dropdown for available scripts from other provisioners,
      improving usability and efficiency

  * Provisioning Improvements:
    - Consolidate loop device management functions (ensure_next_loopdev,
      ensure_loopdev_partitions, unmount, unmount_image) into
      rpi-sb-common.sh for better code reuse and maintainability
    - Improve cleanup logic in provisioner scripts to properly unmount
      images before deletion, preventing dangling loop devices
    - Enhance error handling in losetup operations with clearer exit
      messages on failure
    - Remove redundant get_variable function from rpi-fde-provisioner.sh

  * Packaging:
    - Add rpi-modcopy dependency for kernel module handling
    - Fix CMake configuration for jsoncpp dependency
    - Improve upgrade experience by shipping config defaults to
      /usr/share/rpi-sb-provisioner/defaults/ with user overrides in
      /etc/rpi-sb-provisioner/. This eliminates dpkg conffile prompts
      during upgrades when configuration has been modified.

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Tue, 11 Feb 2026 12:00:00 +0000

rpi-sb-provisioner (2.1.3) unstable; urgency=medium

  * Features:
    - Add test mode for USB device topology simulation
    - Add timestamp handling and formatting for service logs
    - Integrate D3.js for enhanced graph visualization in device topology UI
    - Enhance collision resolution for device layout in UI
    - Add configuration field validation endpoint with real-time UI feedback
    - Add Nginx reverse proxy example configuration with PAM authentication

  * Bootstrap Improvements:
    - Run metadata_gather before post-flash for better data collection
    - Simplify IPv6 address extraction with awk

  * WebUI:
    - Allow boot package generation for both secure-boot and fde-only
      provisioning styles
    - Display last updated timestamps for services in user-friendly format
    - Improve device visualization with D3.js graph rendering and tooltips

  * Manufacturing Data:
    - Add support for capturing Zero W and unknown device values

  * Packaging:
    - Update to debhelper-compat version 13
    - Use jsoncpp as a vendored dependency in CMake configuration
    - Update static files path configuration for improved clarity
    - Update lintian overrides for embedded libjsoncpp

  * Dependencies:
    - Update rpiboot and rpi-eeprom to catch November 2025 firmware

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Thu, 16 Jan 2026 12:00:00 +0000

rpi-sb-provisioner (2.1.2) unstable; urgency=medium

  * Bootstrap: Fix USB path extraction for hub-connected devices
  * WebUI: Add serial-based fallback matching for device status display
  * WebUI: Add dynamic validation for options form fields
  * Fix: Devices connected via USB hubs now correctly show provisioning
    status in the topology map view
  * WebUI: Fixup device state retrieval race condition
  * Packaging:
    - Fix maintainer-script-ignores-errors by adding set -e to postinst
    - Fix man page table formatting by preprocessing with tbl
    - Add lintian override for boot image generator

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Mon, 17 Nov 2025 16:45:00 +0100

rpi-sb-provisioner (2.1.1) unstable; urgency=medium

  * WebUI: Fix bootimg generator bashisms
  * WebUI: Style bootimg generator buttons
  * WebUI: Add explicit bootimg generation button
  * WebUI: Fix hangs on navigation on pages using AJAX

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Fri, 10 Oct 2025 16:45:00 +0100

rpi-sb-provisioner (2.1.0) unstable; urgency=medium

  * Features:
    - Add automatic boot image generator for creating signed boot.img
      from uploaded OS images
    - Add Debian package generation for boot image updates
    - Add RPI_SB_PROVISIONER_ENABLE_PRIVATE_KEY_API security option
    - Add pagination and ordering for service log API

  * Documentation:
    - Complete README rewrite with beginner-friendly content
    - Add architecture documentation with workflow diagrams
    - Add boot image generator documentation
    - Add Debian package creation examples
    - Enhance API documentation with more examples

  * Bootstrap Improvements:
    - Fixup EEPROM update for naked provisioning on 2711/2712
    - Remove unnecessary writeSig() function, use rpi-eeprom-digest
    - Improve handling of special re-provisioning cases for Pi 5
    - Add better logging for edge cases (empty serials, missing firmware)
    - Improve non-secure-boot EEPROM update flow

  * WebUI:
    - Add new device status UI based on USB topology
    - Enhance audit logging across all endpoints

  * Script Improvements:
    - Strip GNU-specific and Bash-specific syntax for POSIX compliance
    - Fix shell option detection in customization scripts
    - Fix regex in simg_expanded_size() function
    - Fix depmod handling for kernel modules

  * Manufacturing Database:
    - Fixup metadata collection (secure vs signed distinction)
    - Improve accuracy of device state tracking

  * Packaging:
    - Update rpiboot dependency to >= 20251002~150524
    - Update rpi-eeprom dependency to >= 28.5
    - Update embedded curl to 8.16.0

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Fri, 10 Oct 2025 16:45:00 +0100

rpi-sb-provisioner (2.0.7) unstable; urgency=medium

  * WebUI: Expand manufacturing DB API, table

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Thu, 21 Aug 2025 16:30:00 +0100

rpi-sb-provisioner (2.0.6) unstable; urgency=medium

  * WebUI: Fixup SHA256 calculation cancellation
  * naked: Fixup bootloader configuration file default
  * all: Fixed up post-flash customisation script arguments
  * naked: Fix up TCP connection set-up
  * bootstrap: Drop non-secure-boot EEPROM handling

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 16 Jul 2025 16:30:00 +0100

rpi-sb-provisioner (2.0.5) unstable; urgency=medium

  * WebUI: Add audit logging to images API
  * WebUI: Add firmware selection UI
  * WebUI: Asynchronous services loading
  * WebUI: Add SHA256 cancellation when images are deleted
  * WebUI: Fix CORS issues with WebUI
  * provisioner: Fix 2711 Fastboot utility OS signing

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Tue, 24 Jun 2025 16:30:00 +0100

rpi-sb-provisioner (2.0.4) unstable; urgency=medium

  * packaging: Enforce modern (>= 28.2) rpi-eeprom dependency to fix nvme boot
    issues
  * manufacturing: Fix crash when provisioning NVMe devices
  * WebUI: Fix navigation bar disruption when updates are available

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Tue, 10 Jun 2025 14:00:00 +0100

rpi-sb-provisioner (2.0.3) unstable; urgency=medium

  * packaging: Enforce modern (>= 20250519~100421) rpiboot dependency
  * packaging: Enforce modern (>= 27.10) rpi-eeprom dependency
  * packaging: Update Standards-Version to 4.7.2
  * provisioner: Fixup 2712 re-provisioning

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 28 May 2025 17:00:00 +0100

rpi-sb-provisioner (2.0.2) unstable; urgency=medium

  * WebUI: Don't hide CUSTOMER_KEY_FILE_PEM in options
  * WebUI: Introduce naked provisioning customisation hook
  * WebUI: Customisation: Fix script name handling

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Mon, 12 May 2025 17:00:00 +0100

rpi-sb-provisioner (2.0.1) unstable; urgency=medium

  * provisioner: Fixup xxd dependency
  * provisioner: Fixup ethernet handling
  * readme: Remove manual cache clearing instructions
  * WebUI: Add manufacturing database API

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Thu, 08 May 2025 11:59:55 +0000

rpi-sb-provisioner (2.0.0) unstable; urgency=medium

  * Architecture and Core Changes:
    - Split pre-and-post-Fastboot phases for better reliability
    - Add support for multiple Fastboot devices with improved
      device tracking
    - Add support for state tracking database with SQLite
    - Add WebUI for provisioning management and monitoring
    - Remove TUI (Python-based) provisioning interface

  * Provisioning Modes and Device Support:
    - Introduce FDE-Only, Naked and Secure-Boot provisioning modes
    - Add support for Zero 2W (2710) devices
    - Improve JTAG lock configuration

  * Performance Improvements:
    - Implement ethernet data transfer when available for faster
      provisioning
    - Use sparse boot images for improved performance
    - Restructure environment setup and cleanup processes
    - Enhance timeout handling with reduced fatal timeouts

  * Security and Reliability:
    - Add branch protection and other hardening measures
    - Enhance error management and logging across all provisioners
    - Add manufacturing database integration and device metadata
      collection
    - Remove DEMO_MODE from all components
    - Switch from system curl to minimal embedded curl library
    - Reduce attack surface by disabling unneeded curl features

  * UI and Configuration:
    - Add customisation scripts to the WebUI
    - Add version check and GitHub link in WebUI
    - Add Debian hardening options and build improvements
    - Removed RPI_DEVICE_FETCH_METADATA, we now always fetch metadata

  * System Integration:
    - Add systemd service integration
    - Fix lintian warnings and implement proper systemd service
      handling
    - Increase specificity in device handling and ignore rpiboot
      mass-storage endpoint
    - Add lintian override for embedded curl library

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Mon, 14 Apr 2025 11:59:55 +0000

rpi-sb-provisioner (1.3.7) unstable; urgency=medium

  * provisioner: Clean up ephemeral RPI_SB_WORKDIRs

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 12 Feb 2025 15:20:00 +0000

rpi-sb-provisioner (1.3.6) unstable; urgency=medium

  * provisioner: Always sparse the rootfs for improved transfer speeds

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 12 Feb 2025 15:15:00 +0000

rpi-sb-provisioner (1.3.5) unstable; urgency=medium

  * provisioner: Fixup ethernet handling
  * provisioner: Move device keypair retrieval to earlier phase
  * provisioner: Fix up 64-bit serial handling
  * provisioner: Fix up multi-device provisioning

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 12 Feb 2025 14:15:00 +0000

rpi-sb-provisioner (1.3.4) unstable; urgency=medium

  * provisioner: Use rpi-make-boot-image for better updates
  * provisioner: Add initial support for ethernet data plane transfer
  * packaging: Ignore .git directory for source tarball creation
  * packaging: Fixup manpage generation

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Mon, 10 Feb 2025 16:15:00 +0000

rpi-sb-provisioner (1.3.3) unstable; urgency=medium

  * provisioner: Remove unsafe automatic pre-signed device retry behaviour
  * provisioner: Add special-skip-keywriter file check to handle pre-signed
      devices
  * packaging: Add autogenerated manpage
  * packaging: Fix up Homepage item in control file

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 05 Feb 2025 16:45:00 +0000

rpi-sb-provisioner (1.3.2) unstable; urgency=critical

  * provisioner: Update cryptroot to address GHSA-pwq3-7gpg-qpcj
  * provisioner: Attempt automatic pre-signed device recovery on
      Raspberry Pi 5-family devices
  * provisioner: Use rpi-eeprom-update logic to find source eeprom image

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Mon, 03 Feb 2025 12:15:00 +0000

rpi-sb-provisioner (1.3.1) unstable; urgency=medium

  * provisioner: Generate depmod information for pre-boot
      authentication environment
  * provisioner: Introduce LUKSv2 cipher selection mechanism
  * provisioner: Device-unique key retrieval fixes

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Fri, 13 Dec 2024 11:15:00 +0000

rpi-sb-provisioner (1.3.0) unstable; urgency=medium

  * provisioner: Add optional manufacturing database
  * provisioner: Add optional device keypair archiving

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Thu, 21 Nov 2024 13:57:00 +0000

rpi-sb-provisioner (1.2.1) unstable; urgency=medium

  * provisioner: Remove extraneous disk-id argument

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Thu, 10 Oct 2024 13:57:00 +0000

rpi-sb-provisioner (1.2.0) unstable; urgency=medium

  * monitor: Rework finding completed & failed devices
  * monitor: Make in-progress devices selectable
  * monitor: Prune extraneous text from device names
  * provisioner: Add timeouts to commands that may hang in failure cases
  * packaging: Add missing python3-venv build dep

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Tue, 08 Oct 2024 18:57:00 +0000

rpi-sb-provisioner (1.1.1) unstable; urgency=medium

  * config: Added RPI_DEVICE_FETCH_METADATA, to control device metadata
    gathering
  * packaging: Numerous lintian fixes
  * packaging: Remove automatic user group additions
  * monitor: Sort failed devices by most recent
  * monitor, config: Require sudo

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Tue, 24 Sep 2024 18:57:00 +0000

rpi-sb-provisioner (1.1.0) unstable; urgency=medium

  * Add 2712 support
  * Add metadata gathering support for 2711, 2712
  * Demo mode: Expand coverage to all Fastboot commands
  * Copyright: Correct license
  * Config: Prefix DEVICE_SERIAL_STORE with RPI to match docs

 -- Tom Dewey <tom.dewey@raspberrypi.com>  Wed, 05 Sep 2024 18:57:00 +0000

rpi-sb-provisioner (1.0.2) UNRELEASED; urgency=low

  * rpi-sb-provisioner: Changed Debian Packaging

 -- Ben Benson <ben.benson@raspberrypi.com>  Fri, 23 Aug 2024 11:24:00 +0000
