AWS IoT - Provisioning devices that don't have device certificates using fleet provisioning

Hello,

I have a couple of questions about the provisioning process by either trusted user or provisioning claim:

1. If you do not want to put too much trust on the supplier, how would you provide it the ability to establish provisioning claim certificates so it can install them on the device during manufacturing?
2. If the device is delivered and then being reset to factory settings - how the device can be recovered if the provisioning claim certificate is expired/revoked?
3. If you choose to use the trusted-user approach, how would you connect to the device's local web server? More specifically how would you securely install TLS certificate for the device's local web server?
4. If the IoT device is Greengrass (V2) would it make more sense to use HSM Key (e.g., USB A Yubico) just to support secure re-bootstrapping of the device (so it can load all the initial secrets/certificates/ssm-activation codes)?