Merge remote-tracking branch 'pitowers/master' into pios/bookworm

* pitowers/master:
  rpi-otp-private-key: Describe how to store an ECDSA P-256 private key
  pieeprom-2025-08-20: 2712: force_eeprom_read=0 disables HAT I2C (latest)
  pieeprom-2025-08-20: 2711: Fix PARTITION_WALK for missing start.elf files (latest)
  rpi-eeprom-config: Improve No space available error message
  pieeprom-2025-08-13: 2712: Enable the PARTITION_WALK property by default (latest)
  pieeprom-2025-08-13: 2711: Enable PARTITION_WALK property by default (latest)

firmware-2711/release-notes.md

@@ -1,5 +1,42 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
+## 2025-08-20: Fix PARTITION_WALK for missing start.elf files (latest)
+
+* Fix PARTITION_WALK for missing start.elf files
+  Fix a missing call to bootloader_reset_state so that PARTITION_WALK
+  will work if the boot-partition is FAT, contains config.txt etc
+  but does not have valid firmware.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/738
+* force_eeprom_read=0 disables HAT I2C
+  Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
+  from being read, with the recent changes to support Power HAT+s it does
+  not prevent an early scan to see if such an EEPROM exists. This can be
+  problematic for applications where the I2C0 pins have been repurposed.
+  Change the inhibit logic to cut all HAT I2C probing off at the knees,
+  including any automatic settings of usb_max_current_enable, as it should
+  always have done.
+  See: https://github.com/raspberrypi/firmware/issues/1985
+* bootcode.bin: Add support for boot.img ramdisk on Pi3 and earlier
+  Add support for boot.img ramdisk support, enable by adding boot_ramdisk=1
+  in config.txt
+* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
+* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API
+  lock_device_private_key=1
+
+## 2025-08-13: Enable PARTITION_WALK property by default (latest)
+
+* Enable the PARTITION_WALK property by default
+  Previously, the new PARTITION_WALK which searches for bootable
+  partitions after a failure had to be explicitly enabled. Change
+  the default to be enabled by default. It can be switched off by
+  setting PARTITION_WALK=0 in the EEPROM config.
+* Optimise bootmain for size on Pi4
+  Pi4 only has a 512KB SPI flash EEPROM and the addition of features
+  plus fixes is now causing contention for space between the code and
+  the EEPROM config. Since bootmain is only responsible for loading
+  start.elf revert to the original configuration which is optimised
+  for size rather than speed. Pi5 continues to be optimised for speed.
+
 ## 2025-07-17: arm_loader: Also require the early-watchdog property (latest)
 
 * arm_loader: Also require the early-watchdog property

firmware-2712/release-notes.md

@@ -1,5 +1,29 @@
 # Raspberry Pi5 bootloader EEPROM release notes
 
+## 2025-08-20: force_eeprom_read=0 disables HAT I2C (latest)
+
+* force_eeprom_read=0 disables HAT I2C
+  Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
+  from being read, with the recent changes to support Power HAT+s it does
+  not prevent an early scan to see if such an EEPROM exists. This can be
+  problematic for applications where the I2C0 pins have been repurposed.
+  Change the inhibit logic to cut all HAT I2C probing off at the knees,
+  including any automatic settings of usb_max_current_enable, as it should
+  always have done.
+  See: https://github.com/raspberrypi/firmware/issues/1985
+* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
+* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API lock_device_private_key=1
+
+## 2025-08-13: Enable the PARTITION_WALK property by default (latest)
+
+* Enable the PARTITION_WALK property by default
+  Previously, the new PARTITION_WALK which searches for bootable
+  partitions after a failure had to be explicitly enabled. Change
+  the default to be enabled by default. It can be switched off by
+  setting PARTITION_WALK=0 in the EEPROM config.
+* pi5: Fix read for cached copy of PMIC sequencer status
+  Previously, this was overwritten by the RTC event status.
+
 ## 2025-07-17: Fix config key search which could cause camera_autodetect to fail (latest)
 
 * Fix config key search which could cause camera_autodetect to fail

rpi-eeprom-config

@@ -346,7 +346,7 @@ class BootloaderImage(object):
             update_len = len(src_bytes) + FILE_HDR_LEN
 
             if hdr_offset + update_len > self._image_size - ERASE_ALIGN_SIZE:
-                raise Exception('No space available - image past EOF.')
+                raise Exception('No space available. %s size %d available space %d' % (dst_filename, update_len, self._image_size - ERASE_ALIGN_SIZE - hdr_offset))
 
             if hdr_offset < 0:
                 raise Exception('Update target %s not found' % dst_filename)

tools/rpi-otp-private-key

@@ -18,7 +18,8 @@ usage() {
     cat <<EOF
    $(basename "$0") [-cfwy] <key>
 
-   No args - reads the current private key from OTP. These values are NOT visible via 'vcgencmd otp_dump'.
+   No args - reads the current device unique private key from OTP.
+   *These values are NOT visible via 'vcgencmd otp_dump'*
 
    -b Output the key in binary format.
    -c Reads key and exits with 1 if it is all zeros i.e. not set.
@@ -30,11 +31,31 @@ usage() {
    -l Specify key length in words. Defaults to 8 words (32 bytes). Pi 5 supports up to 16 words (64 bytes).
    -o word Offset into the keystore to use, e.g. 0-7 for Pi 4, 0-15 for Pi 5. Defaults to zero.
 
-   <key> is usually a 64 digit hex number (256 bit) e.g. to generate a 256 random number run 'openssl rand -hex 32'
+   <key> is usually a 64 digit hex number (256 bit)
 
-   IMPORTANT: Raspberry Pi 5 and earlier revisions do not have a hardware secure key store. These OTP rows are visible
+   Key generation:
-   to any user in the 'video' group via vcmailbox. Therefore this functionality is only suitable for key
+   The Raspberry Pi firmware cryptography services requires that the device unique private key is
-   storage if the OS has already been restricted using the signed boot functionality.
+   a valid ECDSA with P-256 curve key. Due to limited OTP space only the raw private key component (d)
+   is stored in OTP.
+
+   Example key generation and provisioning:
+
+   # Generate the new private-key - remember to save this to a secure, off-device location!
+   openssl ecparam -name prime256v1 -genkey -noout -out private_key.pem
+
+   # Extract raw the private key component
+   openssl ec -in private_key.pem -text -noout | awk '/priv:/{flag=1; next} /pub:/{flag=0} flag' | tr -d ' \n:' | head -n1 > d.hex
+
+   # Write the key to OTP
+   rpi-otp-private-key -w $(cat d.hex)
+
+   IMPORTANT: Raspberry Pi 5 and earlier revisions do not have a hardware secure key store
+   so the raw OTP values are potentially readable by processes with root-privileges.
+
+   In newer firmware releases, the mailbox APIs used by this script to read the OTP can
+   be disabled by setting lock_device_private_key=1 in config.txt.
+   On Pi4 or newer, if secure-boot is enabled, then this parameter cannot be
+   tampered with because config.txt is stored within the signed boot.img.
 
    WARNING: Changes to OTP memory are permanent and cannot be undone.
 EOF
@@ -134,7 +155,8 @@ if [ $(((0x$BOARD_INFO >> 12) & 15)) = 3 ]; then
 elif [ $(((0x$BOARD_INFO >> 12) & 15)) = 4 ]; then
     MAX_ROW_COUNT=16
 else
-    die "Chip not supported"
+    echo "WARNING: Secure-boot is only supported on Pi4 and newer models"
+    MAX_ROW_COUNT=8
 fi
 if [ -z "$ROW_COUNT" ] || [ "$ROW_COUNT" -ne "$ROW_COUNT" ] 2>/dev/null; then
     die "Key length not a number"