Disclaimer: This is not an article with a beginning, a middle and an end for public consuption, rather a personal memo I figured I'd publish if anyone else finds it useful.
Background: I've got a genomic project (Bsky: @dark.bio, X: @dark_dot_bio) requiring secure-boot signing keys and API server identity certs/keys.
I've chosen YubiHSMs to be my roots of trust, because I don't want to mess up key handling myself; and because I want to have a public audit trail of what I've signed to soft-prove non-malice. This guide is my personal memo on how to onboard a YubiHSM into my project in a way that makes the audit logs (mostly) publicly verifiable.