v2.3.1: Fixes & failure reporting

@tdewey-rpi tdewey-rpi released this 30 Jun 14:01

This release adds a saved signing-key registry, programming-rig customisation hooks, firmware-crypto bootstrap for at-rest secret wrapping, and fixes Ethernet image transfer over the fastboot TCP data plane. It also refreshes the bundled fastboot gadgets and corrects NVMe FDE LUKS passphrase derivation.

Highlights

  • Add a saved-key registry for multiple PEM and PKCS#11 signing keys, with one active key driving provisioning and CUSTOMER_KEY_* config sync. The Options page is redesigned as a tile grid showing per-key status, encrypted-at-rest state, fingerprint, and RSA-2048 fit-for-purpose checks.
  • Add provision-failed customisation hooks for all provisioner styles so programming rigs can signal errors (for example status LEDs) when bootstrap, triage, or provisioning aborts.
  • Export TARGET_USB_PATH, TARGET_DEVICE_PATH, and full manufacturing-database field values to customisation hooks, enabling per-port rig indicators and post-flash automation (issue #273).
  • Flash OS images over the fastboot TCP data plane when the daemon advertises split USB+TCP mode, restoring Ethernet image transfer in naked-, fde-, and sb-provisioner (issue #314).
  • Refresh bundled fastboot gadgets to rpi-fastbootd 14.0.0~git20260608, with on-device EEPROM update/verify/read commands and SPI flash identity getvars.
  • Rebundle gadgets with libblockdeviceid-based block device ID derivation for LUKS passphrase generation, matching the boot-time cryptroot unlocker so NVMe FDE volumes provisioned by the host unlock correctly on first boot (issue #316).
  • Generate a firmware-crypto key on hosts that have none via rpi-fw-crypto genkey in postinst, so device-bound wrapping of secrets at rest (HSM PINs, uploaded PEM keys) works without a pre-existing factory device key.

Reliability Fixes

  • Fix validate-key and manual key paths outside /etc/rpi-sb-provisioner/keys being rejected despite valid PEM content.
  • Load the OpenSSL default provider before key parsing and return clearer errors for public keys, certificates, OpenSSH keys, and encrypted PEMs.
  • Reject EEPROM images whose MFG_VER is below the board's min_boot_ver before write or verify, preventing downgrades on boards that require a newer bootloader baseline.
  • Use best-effort USB path lookup for the initial TRIAGE-STARTED record so triage does not abort under set -e when the path is not yet resolvable.
  • Fix the udevadm fallback in get_usb_path_for_serial(), which read the wrong variable.
  • Do not invoke provision-failed for duplicate bootstrap@ lock contention or triage failure while bootstrap is still in progress (expected USB re-enumeration during DUT reboot).
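The set -e pitfall behind the TRIAGE-STARTED fix above, as an added example that is not rpi-sb-provisioner's own code: the serial-to-path table, the serial values and the record format are constructed stand-ins for the real sysfs/udevadm lookup.

```shell
#!/bin/sh
# Added example, not the project's code: a strict lookup versus a best-effort
# lookup of a DUT's USB path while the script runs under set -e.
set -eu

# Constructed sample table (hypothetical serials and USB paths). A serial that
# is absent stands in for a DUT that has not finished re-enumerating yet.
lookup_serial_in_table() {
    case "$1" in
        10000000abcdef01) printf '%s\n' "1-1.2" ;;
        10000000abcdef02) printf '%s\n' "1-1.3" ;;
        *) return 1 ;;
    esac
}

# Strict form: the function's status is the lookup's status, so an unresolved
# path is a failure. Called directly from a set -e script, that failure aborts
# triage before the TRIAGE-STARTED record is ever written.
usb_path_strict() {
    lookup_serial_in_table "$1"
}

# Best-effort form: the lookup failure is swallowed inside the command
# substitution (|| true), so the caller gets an empty string, substitutes a
# placeholder and carries on; the real path can be recorded once resolvable.
usb_path_best_effort() {
    path="$(lookup_serial_in_table "$1" || true)"
    printf '%s\n' "${path:-unknown}"
}

# Emit one TRIAGE-STARTED record line (constructed format) without aborting,
# whether or not the USB path is resolvable at this point.
record_triage_started() {
    serial="$1"
    printf 'TRIAGE-STARTED serial=%s usb_path=%s\n' \
        "$serial" "$(usb_path_best_effort "$serial")"
}
```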

Upgrade Notes

  • The supported releases are 2.3.1 and 2.3.0; 2.3.0~pre* builds are no longer supported.
  • Legacy single-key PEM/PKCS#11 config entries are migrated into the saved-key registry automatically on first access.
  • postinst may generate a firmware-crypto key on hosts that have none, enabling at-rest wrapping without a pre-existing factory device key. This is skipped when a key already exists or the crypto service is unavailable, and never blocks installation.
  • The manufacturing database schema gains customer_key_fingerprint and customer_key_label columns; postinst migrates existing databases.
  • When the provisioning host and target share an Ethernet link, bulk image transfer can use the fastboot TCP data plane. USB remains required for control-plane commands.

What's Changed

Full Changelog: v2.3.0...v2.3.1