raspberrypi/rpi-eeprom
1
0
Fork 0
mirror of https://github.com/raspberrypi/rpi-eeprom.git synced 2026-01-21 06:13:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into debian/bullseye

Browse Source
This commit is contained in:
Serge Schneider
2022-11-03 18:36:54 +00:00
parent b478ef5c9a eb3bb76a81
commit 13dde9ea1d
3 changed files with 58 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
firmware/beta/pieeprom-2022-11-02.bin Normal file
View File

Binary file not shown.

8
firmware/release-notes.md
View File

@@ -1,5 +1,13 @@
# Raspberry Pi4 bootloader EEPROM release notes # Raspberry Pi4 bootloader EEPROM release notes
## 2022-11-02 - Add option to use Customer OTP for MAC address - BETA
* Add a new EEPROM property that allows the Ethernet MAC address
programmed during manufacture to be overridden a value in the
Customer OTP register.
MAC_ADDRESS_OTP=A,B
where A and B are the customer row numbers (0..7)
## 2022-10-20 - Promote pieeprom-2022-10-18 BETA release to stable ## 2022-10-20 - Promote pieeprom-2022-10-18 BETA release to stable
## 2022-10-18 - Tryboot enhancements for A/B partition booting - BETA ## 2022-10-18 - Tryboot enhancements for A/B partition booting - BETA

71
rpi-eeprom-digest
View File

@@ -16,7 +16,7 @@ die() {
TMP_DIR="" TMP_DIR=""
cleanup() { cleanup() {
if [ -f "${TMP_DIR}" ]; then if [ -d "${TMP_DIR}" ]; then
rm -rf "${TMP_DIR}" rm -rf "${TMP_DIR}"
fi fi
} }
@@ -26,15 +26,13 @@ checkDependencies() {
die "sha256sum not found. Try installing the coreutilities package." die "sha256sum not found. Try installing the coreutilities package."
fi fi
if [ -n "${KEY}" ]; then if ! command -v openssl > /dev/null; then
if ! command -v ${OPENSSL} > /dev/null; then die "openssl not found. Try installing the openssl package."
die "${OPENSSL} not found. Try installing the openssl package."
fi fi
if ! command -v xxd > /dev/null; then if ! command -v xxd > /dev/null; then
die "xxd not found. Try installing the xxd package." die "xxd not found. Try installing the xxd package."
fi fi
fi
} }
usage() { usage() {
@@ -59,18 +57,50 @@ The bootloader only verifies RSA signatures in signed boot mode
Examples: Examples:
# Generate RSA signature for the EEPROM config file. # Generate RSA signature for the EEPROM config file.
rpi-eeprom-digest -k key.pem -i bootconf.txt -o bootconf.sig rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
# Generate the normal sha256 hash to guard against file-system corruption # Generate the normal sha256 hash to guard against file-system corruption
rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
rpi-eeprom-digest -i vl805.bin -o vl805.sig rpi-eeprom-digest -i vl805.bin -o vl805.sig
# To verify the signature of an existing .sig file using the public key.
# N.B The key file must be the PUBLIC key in PEM format.
rpi-eeprom-digest -k public.pem -i pieeprom.bin -v pieeprom.sig
EOF EOF
exit 0 exit 0
} }
writeSig() {
TMP_DIR=$(mktemp -d)
SIG_TMP="${TMP_DIR}/tmp.sig"
sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}"
# Include the update-timestamp
echo "ts: $(date -u +%s)" >> "${OUTPUT}"
if [ -n "${KEY}" ]; then
[ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
"${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
fi
}
verifySig() {
TMP_DIR=$(mktemp -d)
sig_file="${1}"
[ -f "${sig_file}" ] || die "Signature file ${sig_file} not found"
sig_hex="$(grep rsa2048 "${sig_file}" | cut -f 2 -d ' ')"
echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
[ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}"
sha256=$(sha256sum "${IMAGE}" | awk '{print $1}')
"${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
}
OUTPUT="" OUTPUT=""
while getopts i:k:ho: option; do VERIFY=0
while getopts i:k:ho:v: option; do
case "${option}" in case "${option}" in
i) IMAGE="${OPTARG}" i) IMAGE="${OPTARG}"
;; ;;
@@ -78,6 +108,9 @@ while getopts i:k:ho: option; do
;; ;;
o) OUTPUT="${OPTARG}" o) OUTPUT="${OPTARG}"
;; ;;
v) SIGNATURE="${OPTARG}"
VERIFY=1
;;
h) usage h) usage
;; ;;
*) echo "Unknown argument \"${option}\"" *) echo "Unknown argument \"${option}\""
@@ -86,25 +119,15 @@ while getopts i:k:ho: option; do
esac esac
done done
[ -n "${IMAGE}" ] || usage
[ -n "${OUTPUT}" ] || usage
trap cleanup EXIT trap cleanup EXIT
checkDependencies checkDependencies
[ -n "${IMAGE}" ] || usage
[ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found" [ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
if [ "${VERIFY}" = 1 ]; then
TMP_DIR=$(mktemp -d) verifySig "${SIGNATURE}"
SIG_TMP="${TMP_DIR}/tmp.sig" else
sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}" [ -n "${OUTPUT}" ] || usage
writeSig
# Include the update-timestamp
echo "ts: $(date -u +%s)" >> "${OUTPUT}"
if [ -n "${KEY}" ]; then
[ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
"${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
fi fi