Merge remote-tracking branch 'pitowers/master' into pios/bookworm

* pitowers/master:
  pieeprom-2025-03-10: 2712: Add [boot_partition] filter plus SDRAM init fixes (latest)
  rpi-eeprom-digest: support specifying keys via PKCS#11 URI
  pieeprom-2025-03-03: 2712: Fix bootloader pull configuration on BCM2712D0 (latest)
  image: Update 2711 plus 2712 images and enable boot-menu on 2711

firmware-2712/release-notes.md

@@ -1,5 +1,34 @@
 # Raspberry Pi5 bootloader EEPROM release notes
 
+## 2025-03-10: Add [boot_partition] filter plus SDRAM init fixes (latest)
+
+* Update SDRAM init timings to intermittent 8-flash SDRAM init errors
+  on some boards.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/67
+* config: Fix missing initialisation of selected_expr to 1 in config.txt
+  Without an [all] section the new expression filter might default to
+  false. This impacts the bootloader early parsing of config.txt
+  for things like boot_ramdisk rather than the later config.txt pass
+  for device-tree parsing.
+* config_loader: Add support [boot_partition=N] as an expression filter
+  The boot_partition tests whether the partition number N matches
+  the number that the system is booting from. This expression is
+  only supported in config.txt and is designed to make it easier
+  to have common boot.img ramdisks in an A/B system where the
+  conditional loads a different cmdline.txt file depending on
+  which partition boot.img is loaded from.
+
+## 2025-03-03: Fix bootloader pull configuration on 2712D0 (latest)
+
+* Fix pull configuration on 2712D0
+  2712D0 uses a horrendously sparse set of pad control registers. Make
+  the pull-setting code sufficiently complex to cope.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/672
+* Disable UARTA for CM5s without WiFi
+  Just as CM5s without WiFI don't need the SDIO interface, the Bluetooth
+  UART is unconnected. Disable the DT node to avoid kernel warnings and
+  save some cycles.
+
 ## 2025-02-17: Promote 2025-02-12 to the default release (default)
 
 ## 2025-02-12: Fixup change to disable 3.7V PMIC output on CM5 no-wifi (latest)

imager/2711-config/boot-conf-network.txt

@@ -3,4 +3,5 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf21
+NET_INSTALL_AT_POWER_ON=1
 

imager/2711-config/boot-conf-sd.txt

@@ -3,4 +3,4 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf41
-
+NET_INSTALL_AT_POWER_ON=1

imager/2711-config/boot-conf-usb.txt

@@ -3,4 +3,5 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf14
+NET_INSTALL_AT_POWER_ON=1
 

imager/make-imager-release

@@ -5,7 +5,7 @@ set -e
 script_dir=$(cd "$(dirname "$0")" && pwd)
 
 # Pi4, Pi400, CM4, CM4-S
-${script_dir}/make-release critical 2023-01-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
+${script_dir}/make-release critical 2025-02-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
 
 # Pi5
-${script_dir}/make-release critical 2025-01-22 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+${script_dir}/make-release critical 2025-02-12 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712

rpi-eeprom-digest

@@ -59,11 +59,12 @@ Options:
    -k Optional RSA private key.
 
 RSA signing
-If a private key in PEM format is supplied then the RSA signature of the
+If a private key in PEM format or a pkcs#11 URI is supplied then the
-sha256 digest is included in the .sig file. Currently, the bootloader only
+RSA signature of the sha256 digest is included in the .sig
-supports sha256 digests signed with a 2048bit RSA key.
+file. Currently, the bootloader only supports sha256 digests signed
-The bootloader only verifies RSA signatures in signed boot mode
+with a 2048bit RSA key.  The bootloader only verifies RSA signatures
-and only for the EEPROM config file and the signed image.
+in signed boot mode and only for the EEPROM config file and the signed
+image.
 
 Examples:
 
@@ -78,6 +79,9 @@ rpi-eeprom-digest -k private.pem -i boot.img -o boot.sig
 # As used by update-pieeprom.sh in usbboot/secure-boot-recovery
 rpi-eeprom-digest -k private.pem -i bootconf.txt  -o bootconf.sig
 
+# Similarly, but specifying the key with a PKCS#11 URI
+rpi-eeprom-digest -k pkcs11:token=deadbeef;object=bl-key;type=private;pin-value=1234 -i bootconf.txt  -o bootconf.sig
+
 # To verify the signature of an existing .sig file using the public key.
 # N.B The key file must be the PUBLIC key in PEM format.
 rpi-eeprom-digest -k public.pem -i boot.bin -v boot.sig
@@ -99,8 +103,7 @@ writeSig() {
    fi
 
    if [ -n "${KEY}" ]; then
-      [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
+      "${OPENSSL}" dgst ${ENGINE_OPTS} -sign "${KEY}" -sha256 -out "${SIG_TMP}" "${IMAGE}"
-      "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
       echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
    fi
 }
@@ -113,7 +116,7 @@ verifySig() {
    [ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}"
 
    echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
-   "${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
+   "${OPENSSL}" dgst ${ENGINE_OPTS} -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
 }
 
 OUTPUT=""
@@ -142,6 +145,18 @@ checkDependencies
 
 [ -n "${IMAGE}" ] || usage
 [ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
+[ "${VERIFY}" != 1 ] || [ -n "${KEY}" ] || die "Option -v also requires passing public key via -k"
+
+if [ -n "${KEY}" ] ; then
+    if [ -f "${KEY}" ] ; then
+        ENGINE_OPTS=
+    elif echo "${KEY}" | grep -q "^pkcs11:" ; then
+        ENGINE_OPTS="-engine pkcs11 -keyform engine"
+    else
+        die "RSA key \"${KEY}\" not found"
+    fi
+fi
+
 if [ "${VERIFY}" = 1 ]; then
    verifySig "${SIGNATURE}"
 else