Merge branch 'master' into debian/bullseye

firmware/release-notes.md

@@ -1,5 +1,13 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
+## 2022-11-02 - Add option to use Customer OTP for MAC address - BETA
+   * Add a new EEPROM property that allows the Ethernet MAC address
+     programmed during manufacture to be overridden a value in the
+     Customer OTP register.
+
+     MAC_ADDRESS_OTP=A,B
+     where A and B are the customer row numbers (0..7)
+
 ## 2022-10-20 - Promote pieeprom-2022-10-18 BETA release to stable
 
 ## 2022-10-18 - Tryboot enhancements for A/B partition booting - BETA

rpi-eeprom-digest

@@ -16,7 +16,7 @@ die() {
 
 TMP_DIR=""
 cleanup() {
-   if [ -f "${TMP_DIR}" ]; then
+   if [ -d "${TMP_DIR}" ]; then
       rm -rf "${TMP_DIR}"
    fi
 }
@@ -26,15 +26,13 @@ checkDependencies() {
       die "sha256sum not found. Try installing the coreutilities package."
    fi
 
-   if [ -n "${KEY}" ]; then
-      if ! command -v ${OPENSSL} > /dev/null; then
-         die "${OPENSSL} not found. Try installing the openssl package."
+   if ! command -v openssl > /dev/null; then
+      die "openssl not found. Try installing the openssl package."
    fi
 
    if ! command -v xxd > /dev/null; then
       die "xxd not found. Try installing the xxd package."
    fi
-   fi
 }
 
 usage() {
@@ -59,42 +57,21 @@ The bootloader only verifies RSA signatures in signed boot mode
 Examples:
 
 # Generate RSA signature for the EEPROM config file.
-rpi-eeprom-digest -k key.pem -i bootconf.txt  -o bootconf.sig
+rpi-eeprom-digest -k private.pem -i bootconf.txt  -o bootconf.sig
 
 # Generate the normal sha256 hash to guard against file-system corruption
 rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
 rpi-eeprom-digest -i vl805.bin -o vl805.sig
 
+# To verify the signature of an existing .sig file using the public key.
+# N.B The key file must be the PUBLIC key in PEM format.
+rpi-eeprom-digest -k public.pem -i pieeprom.bin -v pieeprom.sig
+
 EOF
 exit 0
 }
 
-OUTPUT=""
-while getopts i:k:ho: option; do
-   case "${option}" in
-   i) IMAGE="${OPTARG}"
-      ;;
-   k) KEY="${OPTARG}"
-      ;;
-   o) OUTPUT="${OPTARG}"
-      ;;
-   h) usage
-      ;;
-   *) echo "Unknown argument \"${option}\""
-      usage
-      ;;
-   esac
-done
-
-[ -n "${IMAGE}" ] || usage
-[ -n "${OUTPUT}" ] || usage
-
-trap cleanup EXIT
-
-checkDependencies
-
-[ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
-
+writeSig() {
    TMP_DIR=$(mktemp -d)
    SIG_TMP="${TMP_DIR}/tmp.sig"
    sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}"
@@ -104,7 +81,53 @@ echo "ts: $(date -u +%s)" >> "${OUTPUT}"
 
    if [ -n "${KEY}" ]; then
       [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
-
       "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
       echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
    fi
+}
+
+verifySig() {
+   TMP_DIR=$(mktemp -d)
+   sig_file="${1}"
+   [ -f "${sig_file}" ] || die "Signature file ${sig_file} not found"
+   sig_hex="$(grep rsa2048 "${sig_file}" | cut -f 2 -d ' ')"
+   echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
+
+   [ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}"
+   sha256=$(sha256sum "${IMAGE}" | awk '{print $1}')
+   "${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
+}
+
+OUTPUT=""
+VERIFY=0
+while getopts i:k:ho:v: option; do
+   case "${option}" in
+   i) IMAGE="${OPTARG}"
+      ;;
+   k) KEY="${OPTARG}"
+      ;;
+   o) OUTPUT="${OPTARG}"
+      ;;
+   v) SIGNATURE="${OPTARG}"
+      VERIFY=1
+      ;;
+   h) usage
+      ;;
+   *) echo "Unknown argument \"${option}\""
+      usage
+      ;;
+   esac
+done
+
+trap cleanup EXIT
+checkDependencies
+
+[ -n "${IMAGE}" ] || usage
+[ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
+if [ "${VERIFY}" = 1 ]; then
+   verifySig "${SIGNATURE}"
+else
+   [ -n "${OUTPUT}" ] || usage
+   writeSig
+fi
+