They don't play well with DFU.

When inserting (or replacing) entries in the store, the data may be marked as
sensitive. When that entry is deleted, the data is wiped by overwritting it with
zeroes. This may cost a few bytes of overhead per entry with sensitive data to
satisfy the constraint that words may only be written twice.

This permits to run without persistent storage. The benefit is that the board
doesn't implement a the syscall API in Tock. The disadvantage is that rebooting
the key will reset the storage.

OpenSSL seems to serialize bigints as signed value, which means the ECC
key may end up being 33 bytes instead of the 32 bytes we're expecting,
causing build to fail.
The shell script extraction is now replaced by a build.rs script that
uses OpenSSL to extract the content and do sanity checks.
Forcing generating cryptographic materials now always generate a key and
a certificate (useful to compile/flash multiple keys without them being
considered as clones). The self-signed CA is left untouched.