I’m in the process of creating an image suitable for flashing onto some devices at manufacturing time (Raspberry Pi 3 based). Due to time constraints, I am initially focusing on getting a reliable update mechanism so that the first image flashed on allows the device to be later updated to a fully functioning device. Mender is a fantastic project, I am thoroughly enjoying using it, and I greatly appreciate the ability to update (almost) everything. However, since some things cannot be (safely) modified after the manufacturing flashing, I’m keen to ensure that these parts are as correct as they can be.
At the moment the rootfs is read-write, but we will eventually ship out an update to switch to a read-only rootfs. In all situations the Mender Yocto layer does not set the boot filesystem to be read-only, which seems somewhat dangerous considering it is FAT. Is there any reason why the boot filesystem cannot be set to read-only? Obviously it is possible to ship an update to /etc/fstab in a future update, so it is not necessary to bake in a read-only boot filesystem right now, but I want to make sure that nothing else in the boot filesystem needs to change to support switching to a read-only boot filesystem at a later stage.