Merge remote-tracking branch 'pitowers/master' into pios/trixie

* pitowers/master:
  pieeprom-2026-01-09: 2711: arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP (latest)
  rpi-eeprom-config: Use time.monotonic for timeouts instead of wall clock
  imager: make-imager-release: Automatically select latest default EEPROM date

firmware-2711/release-notes.md

@@ -1,5 +1,20 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
+## 2026-01-09: arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP (latest)
+
+* arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP
+  Previously, the GET/SET user OTP mailboxes would provide access to the
+  device unique private key. Update the mailbox API to fail if the
+  key has been locked via lock_device_private_key=1 in config.txt or
+  the associated mailbox call.
+  GET/SET user OTP fails by setting the result tag to the standard
+  error code (0x80000000). The dedicate GET/SET private key continue
+  to fail the entire mailbox operation to force vcmailbox to exit
+  with a non-zero error code.
+* cm5: Add support for 8-bit bus width eMMC
+* Query all sdram devices for temperature when adjusting refresh
+* Add support for more SDRAM die configurations.
+
 ## 2025-12-09: Promote 2025-12-08 to the default release (default)
 
 ## 2025-12-08: arm_loader: Add machine ID derived from OTP values (latest)

imager/make-imager-release

@@ -1,14 +1,18 @@
 #!/bin/sh
 
 set -e
+set -x
 
 script_dir=$(cd "$(dirname "$0")" && pwd)
+base_dir="${script_dir}/.."
 
 # Pi4, Pi400, CM4, CM4-S
-${script_dir}/make-release critical 2025-11-05 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
+image_date=$(ls -lr $base_dir/firmware-2711/default/ | grep pieeprom | sed 's/.*pieeprom-//g' | sed 's/.bin//g' | head -n1)
+${script_dir}/make-release critical ${image_date} 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
 
 # Pi5
-${script_dir}/make-release critical 2025-11-05 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+image_date=$(ls -lr $base_dir/firmware-2712/default/ | grep pieeprom | sed 's/.*pieeprom-//g' | sed 's/.bin//g' | head -n1)
+${script_dir}/make-release critical ${image_date} "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
 
 # Convert to disk image for RPi Imager downloads
 sudo ${script_dir}/make-recovery-images

rpi-eeprom-config

@@ -117,12 +117,12 @@ def shell_cmd(args, timeout=10, echo=False):
     error occurs then exit and output the subprocess stdout, stderr messages
     for debug.
     """
-    start = time.time()
+    start = time.monotonic()
     arg_str = ' '.join(args)
     bufsize = 0 if echo else -1
     result = subprocess.Popen(args, bufsize=bufsize, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 
-    while time.time() - start < timeout:
+    while time.monotonic() - start < timeout:
         if echo:
             s = result.stdout.read(80).decode('utf-8')
             if s != "":