Skip to content

Remove debug-tweaks from raspberrypi4-64 image before production rollout #1

Description

@peterus

Context

raspberrypi4-64.yml currently sets EXTRA_IMAGE_FEATURES += "debug-tweaks" to enable a login prompt on the serial console with an empty root password. This was added during local QEMU testing (commit 4732de4) so we could shell into the emulated CM4 image.

Why this must go before flashing any production station

  • Empty root password on the serial console = anyone with physical access to the station can log in as root without credentials.
  • Stations are intentionally designed to have no local login auth; remote shell access happens exclusively through the station-agent terminal feature (Django WebSocket → Agent-signed channel → PTY spawn).
  • debug-tweaks also weakens other defaults (allow-empty-password, password-less sudo for sysadmins) that shouldn't exist on a remote fielded device.

Acceptance criteria

  • Remove the EXTRA_IMAGE_FEATURES += "debug-tweaks" line from raspberrypi4-64.yml.
  • Verify that the resulting image still reaches multi-user.target and runs station-agent.service (no login prompt needed).
  • Verify that the Django → station-agent WebSocket terminal still works end-to-end against that image in QEMU and on real hardware.
  • Document the emergency recovery path (rpiboot via USB-C; pre-provisioned recovery Ed25519 key on each station) in README.md.

Not scoped here (follow-ups)

  • Per-station recovery key provisioning workflow in Station Manager Builder.
  • Decision on whether a serial-console emergency shell should exist at all (and if so, how it's gated).

Metadata

Metadata

Assignees

No one assigned

    Labels

    production-blockerMust be fixed before any production rollout

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions