Checklist:
- OS image downloading & verifying (PGP or whatever)
- Tools downloading & verifying (PGP or whatever)
- CA & certificate management tooling
  - CA generation (to file, or HSM)
  - Intermediate CA generation (to file, or HSM)
  - Certificate tracking & revocation (SQLite or so)
  - CRL generation
  - Verifying/issuing attestation certificates (for machine-generated keys and HSM)
    - Vendor-specific X.509 OID processing
- YubiHSM
  - Vendor-specific X.509 OID processing
  - HSM log exporting (long term)
  - HSM key backups (wrapped)
- Generating bootable (EFI) image with read-only root file system
  - Unprivileged user (no sudo)
  - USBGuard predefined whitelist
  - Deployment-specific persistence
    - Storing attestation keys
    - Runtime configuration knobs (LUKS devices etc.)
  - Secure boot
    - Tooling to roll self-signed keys
  - Custom kernel configuration
    - Investigate whether the selected distribution has the required features enabled (see below)
    - (otherwise) Disable networking support
  - dm-verity
    - Setting up keys into kernel keyring
      - Default genkey config
      - Via UEFI(?)
      - Oracle blogpost: The Machine Keyring
      - I think I saw a script to append new keys to an existing kernel image somewhere...
  - erofs setup for OS base
    - Setting up keys into kernel keyring