diff --git a/firmware-2712/latest/pieeprom-2025-03-03.bin b/firmware-2712/latest/pieeprom-2025-03-03.bin new file mode 100644 index 0000000..6236a5f Binary files /dev/null and b/firmware-2712/latest/pieeprom-2025-03-03.bin differ diff --git a/firmware-2712/latest/pieeprom-2025-03-10.bin b/firmware-2712/latest/pieeprom-2025-03-10.bin new file mode 100644 index 0000000..c39c5d7 Binary files /dev/null and b/firmware-2712/latest/pieeprom-2025-03-10.bin differ diff --git a/firmware-2712/latest/recovery.bin b/firmware-2712/latest/recovery.bin index c66bd42..f72ad06 100644 Binary files a/firmware-2712/latest/recovery.bin and b/firmware-2712/latest/recovery.bin differ diff --git a/firmware-2712/release-notes.md b/firmware-2712/release-notes.md index 19ad317..fdd3cda 100644 --- a/firmware-2712/release-notes.md +++ b/firmware-2712/release-notes.md @@ -1,5 +1,34 @@ # Raspberry Pi5 bootloader EEPROM release notes +## 2025-03-10: Add [boot_partition] filter plus SDRAM init fixes (latest) + +* Update SDRAM init timings to intermittent 8-flash SDRAM init errors + on some boards. + See: https://github.com/raspberrypi/rpi-eeprom/issues/67 +* config: Fix missing initialisation of selected_expr to 1 in config.txt + Without an [all] section the new expression filter might default to + false. This impacts the bootloader early parsing of config.txt + for things like boot_ramdisk rather than the later config.txt pass + for device-tree parsing. +* config_loader: Add support [boot_partition=N] as an expression filter + The boot_partition tests whether the partition number N matches + the number that the system is booting from. This expression is + only supported in config.txt and is designed to make it easier + to have common boot.img ramdisks in an A/B system where the + conditional loads a different cmdline.txt file depending on + which partition boot.img is loaded from. + +## 2025-03-03: Fix bootloader pull configuration on 2712D0 (latest) + +* Fix pull configuration on 2712D0 + 2712D0 uses a horrendously sparse set of pad control registers. Make + the pull-setting code sufficiently complex to cope. + See: https://github.com/raspberrypi/rpi-eeprom/issues/672 +* Disable UARTA for CM5s without WiFi + Just as CM5s without WiFI don't need the SDIO interface, the Bluetooth + UART is unconnected. Disable the DT node to avoid kernel warnings and + save some cycles. + ## 2025-02-17: Promote 2025-02-12 to the default release (default) ## 2025-02-12: Fixup change to disable 3.7V PMIC output on CM5 no-wifi (latest) diff --git a/imager/2711-config/boot-conf-network.txt b/imager/2711-config/boot-conf-network.txt index 6ebc855..e887b18 100644 --- a/imager/2711-config/boot-conf-network.txt +++ b/imager/2711-config/boot-conf-network.txt @@ -3,4 +3,5 @@ BOOT_UART=0 WAKE_ON_GPIO=1 ENABLE_SELF_UPDATE=1 BOOT_ORDER=0xf21 +NET_INSTALL_AT_POWER_ON=1 diff --git a/imager/2711-config/boot-conf-sd.txt b/imager/2711-config/boot-conf-sd.txt index ec09fc7..33ceded 100644 --- a/imager/2711-config/boot-conf-sd.txt +++ b/imager/2711-config/boot-conf-sd.txt @@ -3,4 +3,4 @@ BOOT_UART=0 WAKE_ON_GPIO=1 ENABLE_SELF_UPDATE=1 BOOT_ORDER=0xf41 - +NET_INSTALL_AT_POWER_ON=1 diff --git a/imager/2711-config/boot-conf-usb.txt b/imager/2711-config/boot-conf-usb.txt index 30abc04..9d49590 100644 --- a/imager/2711-config/boot-conf-usb.txt +++ b/imager/2711-config/boot-conf-usb.txt @@ -3,4 +3,5 @@ BOOT_UART=0 WAKE_ON_GPIO=1 ENABLE_SELF_UPDATE=1 BOOT_ORDER=0xf14 +NET_INSTALL_AT_POWER_ON=1 diff --git a/imager/make-imager-release b/imager/make-imager-release index d8e0500..c37f9e6 100755 --- a/imager/make-imager-release +++ b/imager/make-imager-release @@ -5,7 +5,7 @@ set -e script_dir=$(cd "$(dirname "$0")" && pwd) # Pi4, Pi400, CM4, CM4-S -${script_dir}/make-release critical 2023-01-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711 +${script_dir}/make-release critical 2025-02-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711 # Pi5 -${script_dir}/make-release critical 2025-01-22 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712 +${script_dir}/make-release critical 2025-02-12 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712 diff --git a/rpi-eeprom-digest b/rpi-eeprom-digest index 2eae2ea..3120b38 100755 --- a/rpi-eeprom-digest +++ b/rpi-eeprom-digest @@ -59,11 +59,12 @@ Options: -k Optional RSA private key. RSA signing -If a private key in PEM format is supplied then the RSA signature of the -sha256 digest is included in the .sig file. Currently, the bootloader only -supports sha256 digests signed with a 2048bit RSA key. -The bootloader only verifies RSA signatures in signed boot mode -and only for the EEPROM config file and the signed image. +If a private key in PEM format or a pkcs#11 URI is supplied then the +RSA signature of the sha256 digest is included in the .sig +file. Currently, the bootloader only supports sha256 digests signed +with a 2048bit RSA key. The bootloader only verifies RSA signatures +in signed boot mode and only for the EEPROM config file and the signed +image. Examples: @@ -78,6 +79,9 @@ rpi-eeprom-digest -k private.pem -i boot.img -o boot.sig # As used by update-pieeprom.sh in usbboot/secure-boot-recovery rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig +# Similarly, but specifying the key with a PKCS#11 URI +rpi-eeprom-digest -k pkcs11:token=deadbeef;object=bl-key;type=private;pin-value=1234 -i bootconf.txt -o bootconf.sig + # To verify the signature of an existing .sig file using the public key. # N.B The key file must be the PUBLIC key in PEM format. rpi-eeprom-digest -k public.pem -i boot.bin -v boot.sig @@ -99,8 +103,7 @@ writeSig() { fi if [ -n "${KEY}" ]; then - [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found" - "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}" + "${OPENSSL}" dgst ${ENGINE_OPTS} -sign "${KEY}" -sha256 -out "${SIG_TMP}" "${IMAGE}" echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}" fi } @@ -113,7 +116,7 @@ verifySig() { [ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}" echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin" - "${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified" + "${OPENSSL}" dgst ${ENGINE_OPTS} -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified" } OUTPUT="" @@ -142,6 +145,18 @@ checkDependencies [ -n "${IMAGE}" ] || usage [ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found" +[ "${VERIFY}" != 1 ] || [ -n "${KEY}" ] || die "Option -v also requires passing public key via -k" + +if [ -n "${KEY}" ] ; then + if [ -f "${KEY}" ] ; then + ENGINE_OPTS= + elif echo "${KEY}" | grep -q "^pkcs11:" ; then + ENGINE_OPTS="-engine pkcs11 -keyform engine" + else + die "RSA key \"${KEY}\" not found" + fi +fi + if [ "${VERIFY}" = 1 ]; then verifySig "${SIGNATURE}" else