The provisioning problem
After building your image, each new board must be personalized — with settings such as hostname, SSH keys, configuration, or backend registration.
Doing this manually for dozens or even hundreds of Raspberry Pi Compute Module 5 (CM5) units is simply not practical.
That’s where rpi-sb-provisioner comes in — a flexible first-boot automation framework for Raspberry Pi devices.
How rpi-sb-provisioner Works
On the first boot, the system automatically launches rpi-sb-provisioner, which:
- Reads a provisioning configuration file
- Executes scripts to apply system settings
- Writes device identity data (serial numbers, credentials, certificates, etc.)
- Marks the provisioning process as complete
This ensures every device is uniquely configured and ready for deployment — without manual intervention.
Installation
Follow the official installation guide at: https://github.com/raspberrypi/rpi-sb-provisioner
Configuration
rpi-sb-provisioner includes a simple browser-based configuration GUI.
To open it, run the following command in a terminal:
xdg-open http://localhost:3142From here:
- Open the Images menu and upload your .img file (created using rpi-image-gen).
- Open the Options menu to configure provisioning parameters, such as the target device family or the base image to use.
- The resulting configuration is stored in /etc/rpi-sb-provisioner/config and may look like this:
CUSTOMER_KEY_FILE_PEM=
CUSTOMER_KEY_PKCS11_NAME=
GOLD_MASTER_OS_FILE=/srv/rpi-sb-provisioner/images/deb12-arm64-ix-base.img
PROVISIONING_STYLE=naked
RPI_DEVICE_BOOTLOADER_CONFIG_FILE=/srv/rpi-sb-provisioner/bootloader_config_files/bootloader-gpio17.naked
RPI_DEVICE_EEPROM_WP_SET=
RPI_DEVICE_FAMILY=5
RPI_DEVICE_FIRMWARE_FILE=/lib/firmware/raspberrypi/bootloader-2712/latest/pieeprom-2025-10-17.bin
RPI_DEVICE_LOCK_JTAG=
RPI_DEVICE_RETRIEVE_KEYPAIR=
RPI_DEVICE_STORAGE_CIPHER=aes-xts-plain64
RPI_DEVICE_STORAGE_TYPE=emmc
RPI_SB_PROVISIONER_MANUFACTURING_DB=/srv/rpi-sb-provisioner/manufacturing.db
RPI_SB_WORKDIR=Usage
- For example, when using an official Raspberry Pi Compute Module 5, set the J2 jumper to disable eMMC boot.
- Connect the CM5 to the provisioning host via USB. The provisioning process will start automatically.
- Once provisioning is complete, remove the jumper and connect a power supply — the device will now boot from eMMC.
Benefits
- Fully automated device onboarding
- Consistent configuration across all units
- Easy integration with manufacturing systems or backend APIs
- Reproducible — no manual tweaks or inconsistencies between devices
Extending the Process
The provisioning workflow can be extended to include:
- API calls to register devices with backend services
- Certificate generation for secure boot or encryption
- Hardware validation or functional tests before activation
With rpi-sb-provisioner, provisioning becomes an integrated step in your build and deployment pipeline — not an afterthought.
Articles in this series
- Building a Production-Ready Linux for Raspberry Pi Compute Module 5
- From Stock OS to Production Platform
- Customizing Raspberry Pi OS with rpi-image-gen
- System Robustness — Designing an A/B Root Filesystem Layout
- Provisioning — Automating First Boot with rpi-sb-provisioner
- OTA and Lifecycle — Software Updates with SWUpdate
Sources
- rpi-image-gen: https://github.com/raspberrypi/rpi-image-gen
- rpi-sb-provisioner: https://github.com/raspberrypi/rpi-sb-provisioner
- SWUpdate: https://github.com/sbabic/swupdate
- swugenerator: https://github.com/sbabic/swugenerator