This guide will show you how to get started on the Raspberry Pi 4 platform to perform a rootfs update. This guide uses an image directly generated by Thistle Yocto Build. You can follow along with our video guide as well.

Tools needed

To get started you need to obtain:

Because of issues on the earlier versions of the Raspberry Pi 4, one needs to run on the latest EEPROM firmware. To perform an update, you need to run sudo rpi-eeprom-update -a using the official rpios image.

Raspberry Pi setup

To get started simply download and copy the full image onto the SD card - for instance using dd or using the Raspberry Pi imager tool. Once the copy is performed, insert the SD card on the Raspberry Pi and test it’s functional. The user is thistle and the password is raspberry.

$ sudo dd if=four.img of=/dev/mmcblk0 status=progress
528062464 bytes (528 MB, 504 MiB) copied, 69.4207 s, 7.6 MB/s
Verify now that your Raspberry Pi is booting up with the Thistle disk image. The username is thistle and the password is raspberry.

Create an update bundle

For the purpose of this example, we will release the update image as an update. This image will be deployed with the Release Helper, and will be installed on the target automatically by the Update Client.

Let’s start with packaging the update:

# Set up your project's access token - Bash, on Linux/Unix or Windows Subsystem for Linux (WSL)
$ export THISTLE_TOKEN=$(cat)
(paste access token, press enter, then ctrl-d)

# Set up your project's access token - Windows PowerShell
$ $env:THISTLE_TOKEN = "[Access Token Obtained from Thistle App's Projects Section]"

$ ./trh init -p="/boot"

# prepare manifest and deploy partition image
$ ./trh prepare --target=./four.rootfs

$ ./trh release

Signing an update bundle with a key in KMS

If one does not want to manage a local signing key, a Thistle-managed, Cloud KMS-backed ECDSA-P256 key can be used to sign OTA update bundles. Add option --signing-method="remote" to all the above trh commands to use this remotely managed signing key. For example,

trh --signing-method="remote" init ...
trh --signing-method="remote" prepare ...
trh --signing-method="remote" release

Amend device configuration for bootloader

The Thistle Update Client natively supports the Raspberry Pi bootloader. The only step required is to specify the bootloader as RaspberryPi and the two partitions that will be used as root filesystem alternatively. Amend your configuration using the snippet below as the SD card partitions were specified during the image generation.

$ cat config.json
{
    ...
    "bootloader": "RaspberryPi",
    "part_a": "/dev/mmcblk0p2",
    "part_b": "/dev/mmcblk0p3"
}

It is now required to push config.json onto the Raspberry Pi, this can be done using scp or using a USB key. This is necessary so that we can run the update client on the Raspberry Pi. Under normal circumstances, this operation will be performed automatically during e.g. the image personalization step of a deploy pipeline.

# on the host machine - you likely need to amend the IP address
scp config.json thistle@192.168.1.102:~/config.json
We are now ready to run the client on the Raspberry Pi, and observe our first update cycle.

Test deployed release

We can now test our deployed release. Note that as the assets will be downloaded from the Thistle Backend Server, an internet connection is required.

# on the Raspberry Pi - confirm config.json file is present
raspberrypi4-64-thistle:~$ cat ~/config.json

# `mmcblk0p2` is currently used as mountpoint for root
raspberrypi4-64-thistle:~$ mount | grep /dev/mmc
/dev/mmcblk0p2 on / type ext4 (rw,relatime)

# we backup `config.json` in the boot directory so that it's persistent across updates
raspberrypi4-64-thistle:~$ sudo cp ~/config.json /boot

Let’s apply the update and see the result.

raspberrypi4-64-thistle:~$ sudo tuc -c /boot/config.json

The Raspberry Pi will now reboot. Login again and confirm that the appropriate partition is now the root partition.

# `mmcblk0p3` is now used as mountpoint for root
$ raspberrypi4-64-thistle:~$ mount | grep /dev/mmc
/dev/mmcblk0p3 on / type ext4 (rw,relatime)

# latch in update by re-running tuc
$ raspberrypi4-64-thistle:~$ sudo tuc -c /boot/config.json
You just performed your first automated A/B update cycle 🎉 Have a look at the Thistle App, your device can now be monitored directly there.

More options

This tutorial shows how to manually perform an update on the Raspberry Pi. This process can be automated to update a fleet of devices. In this regards, we support different enrollment setups, either based on Trust On First Use (TOFU), or only accepting pre-enrolled devices.