* arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP
Previously, the GET/SET user OTP mailboxes would provide access to the
device unique private key. Update the mailbox API to fail if the
key has been locked via lock_device_private_key=1 in config.txt or
the associated mailbox call.
GET/SET user OTP fails by setting the result tag to the standard
error code (0x80000000). The dedicate GET/SET private key continue
to fail the entire mailbox operation to force vcmailbox to exit
with a non-zero error code.
* cm5: Add support for 8-bit bus width eMMC
* Query all sdram devices for temperature when adjusting refresh
* Add support for more SDRAM die configurations.
* arm_loader: Add machine ID derived from OTP values
Machine ID is generated and exposed in device tree as rpi-machine-id
* arm_ldconfig: Avoid double os_prefix on initramfs
When using auto_initramfs we were picking up prefix from the kernel,
but also adding os_prefix later:
fname = prefixed_path(initramfs_file, os_prefix, temp_path, sizeof(temp_path));
See: https://forums.raspberrypi.com/viewtopic.php?t=394238
* recovery: Use OTP rpiboot GPIO if non-zero
If an rpiboot GPIO has already been written to OTP then default to
that value if C(program_rpiboot_gpio) is not specified on config.txt.
* helpers/config_loader: Also support bootvar0 eeprom config on Pi4
This allows an eeprom config setting (e.g. BOOTARG0=0x10) to be set on a board
which config.txt can use as a conditional expression (e.g. [bootarg0&0x10]).
* pi5: Write over-voltage config to the UART log
Write the high level over-voltage configuration to the UART log for
diagnostic purposes.
* Stop partition-walk after boot-mode timeout/retries limit
Fix a fatal assert with USB boot where the partition walk could be
retried after the USB timeout/retry limit had been reached.
See: https://github.com/raspberrypi/rpi-eeprom/issues/776
* rpiboot: Extend metadata to report status of operations
Report success/fail status of recovery operations based on config.txt settings
* recovery: Restore recovery_wait option
Restore the recovery_wait config.txt option. If this option is set
then recovery.bin will not rename itself or reboot. Instead flash
the activity LED on completion.
This option can be useful when creating an SD card to erase the
EEPROM or program the RPIBOOT gpio on multiple devices.
If recovery_wait=1 and recovery.bin is run from the SD card then
indicate success of erase_eeprom=1 or program_rpiboot_gpio=N was
set instead of requiring the EEPROM to be updated.
* Manufacture test updates for SDRAM.
* arm_loader: Add iommu_dma_numa_policy=interleave when needed
This applies a similar numa interleave for iommu dma kernel allocations.
This includes buffers allocated for hevc and v3d.
See: https://forums.raspberrypi.com/viewtopic.php?t=392666
* recovery: Use ROM boot-mode flag to detect rpiboot mode
In recovery-mode use the bootrom register flag to detect the
original boot-mode rather than looking at whether the rpiboot
usb-device boot driver is initialised.
* Manufacturing test updates.
* Fix accidental set of PM_RSTS bit 5 when stopping watchdog
Fix an issue in the watchdog code where the raw PM_RSTS value
was used as partition number. If HADWRF (bit 5) was set (on reboot)
this could cause bit 10 to be set. If an OS didn't clear the partition
flags on reboot then this could end up being treated as request to
boot from partition 32.
* arm_dt: Report OTP SDRAM size via device-tree
Report the SDRAM in gigabits via device-tree as
/proc/device-tree/chosen/rpi-sdram-size-gbit. Scripts reporting the
device-capabilities should use this value (if defined) instead of the
memory-size field in the boardrev row.
* Apply UART_BAUD in early bootsys UART init
Update bootsys and fatal error handlers to use the user
defined UART_BAUD rate.
* rpifwcrypto: Add support for ECDSA P-256 key generation
Also, slightly improve the entropy by passing the system
timer value as the personality string.
* Fix network install regression on Pi4
Fix an issue with the ECDSA signature code which caused network
install to fail to load on Pi4.
* Fix TFTP to allow larger files
Allow TFTP block counter to rollover to 0.
See: https://github.com/raspberrypi/rpi-eeprom/issues/720
* Add LZ4 decompressor
LZ4 gives a better compression ratio than the previously used CK compress. The bootloader can now decompress both LZ4 compressed files and CK compressed files.
* rpifwcrypto: Add GET_CRYPTO_PRIVATE_KEY mailbox API
For provisioning, add a new mailbox API which returns the private key
in DER format. The API will return an error if the key-status for
the specified key is LOCKED.
* config: Add support for board_attributes in conditional expressions
Add support for the board-attributes row in config.txt conditional
expressions. This can be used to change boot behavior for
Compute Module Lite / No-WiFi etc.
* board_info: Log the OTP board revision at startup
Log the board revision plus the raw OTP value at startup.
* Fix PARTITION property to allow default (0) partition to be overridden
Fix the partition selection to allow the bootloader PARTITION
property to override the reboot partition number if the reboot
argument is 0 or > 31. Previously, it was only allowing
partition numbers > 31 to be overridden.
See: https://github.com/raspberrypi/rpi-eeprom/issues/743
* Enable RPIBOOT in BOOT_ORDER / set-reboot-order
Previously, rpiboot required the bootrom to have initialised
rpiboot before running the firmware. Update the rpiboot
initialisation so that rpiboot to be enabled after booting from
SPI flash.
This could be selectively enabled by setting BOOT_ORDER property
(0x3) behind a GPIO conditional in the EEPROM config. On Pi5, the
set_reboot_order config.txt option or mailbox property can be
used to set a one-time boot-order on
N.B. There is no timeout for RPIBOOT so this should only be set
as the last boot mode OR used with a boot_watchdog.
* Fix PARTITION_WALK for missing start.elf files
Fix a missing call to bootloader_reset_state so that PARTITION_WALK
will work if the boot-partition is FAT, contains config.txt etc
but does not have valid firmware.
See: https://github.com/raspberrypi/rpi-eeprom/issues/738
* force_eeprom_read=0 disables HAT I2C
Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
from being read, with the recent changes to support Power HAT+s it does
not prevent an early scan to see if such an EEPROM exists. This can be
problematic for applications where the I2C0 pins have been repurposed.
Change the inhibit logic to cut all HAT I2C probing off at the knees,
including any automatic settings of usb_max_current_enable, as it should
always have done.
See: https://github.com/raspberrypi/firmware/issues/1985
* bootcode.bin: Add support for boot.img ramdisk on Pi3 and earlier
Add support for boot.img ramdisk support, enable by adding boot_ramdisk=1
in config.txt
* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API
lock_device_private_key=1
* Enable the PARTITION_WALK property by default
Previously, the new PARTITION_WALK which searches for bootable
partitions after a failure had to be explicitly enabled. Change
the default to be enabled by default. It can be switched off by
setting PARTITION_WALK=0 in the EEPROM config.
* Optimise bootmain for size on Pi4
Pi4 only has a 512KB SPI flash EEPROM and the addition of features
plus fixes is now causing contention for space between the code and
the EEPROM config. Since bootmain is only responsible for loading
start.elf revert to the original configuration which is optimised
for size rather than speed. Pi5 continues to be optimised for speed.
* arm_loader: Also require the early-watchdog property
The change correcting the implementation of dtoverlay_is_enabled had the
unintended consequence of causing the firmware to enable the watchdog
even though the user had not explicitly requested it. This is harmless
on Linux because the watchdog driver takes over and disarms it, but on
other operating systems this can lead to a reboot. Avoid this problem
by also requiring the presence of a new property, "early-watchdog".
See: https://github.com/raspberrypi/firmware/issues/1980
* helpers/config_loader: Add bootvar0 eeprom config that can be used in config.txt section expressions
This allows an eeprom config setting (e.g. BOOTARG0=0x10) to be set on a board
which config.txt can use as a conditional expression (e.g. [bootarg0&0x10]).
* arm_loader: Fix boot-watchdog stop on Pi4
Fix a problem where the boot_watchdog heartbeat timer was not
stopped correctly which could cause it to clash with the kernel
watchdog driver.
* board_info: Use the Ethernet PHY address probed by the bootloader
Use the Ethernet PHY address supplied by the bootloader in
preference to the static configurations defined in start4.elf
* Check for SD card overcurrent on Pi5, Pi500 and Pi4
Before booting, the bootloader now checks the SD power switch
overcurrent signal. The overcurrent signal occurs if the SD
card is damaged and has a short circuit which will cause it to
get hot.
If an over-current condition is detected the bootloader switches
switches off power to the SD card and waits five seconds before
probing the SD card again. This error is displayed on the
diagnostic screen, the UART and the activity LED (1 long, 2 short)
flashes.
The check can be switched to a non-blocking warning by setting
SD_OVERCURRENT_CHECK=0 in the bootloader config.
* Add a new error code pattern for SD overcurrent
Add a new error pattern (1 long, 2 short) to signal SD card
overcurrent.
* Add support for a bootloader watchdog
Add support for a boot watchdog (using PM_RSTC hw wdog) which will
trigger if the OS is not started within the specified amount of time. The
watchdog is enabled by setting the BOOT_WATCHDOG_TIMEOUT=N (seconds)
property in the bootlaoder config.
The BOOT_WATCHDOG_PARTITION=P property can be set to pass a different
partition number to the bootloader on reset if the watchdog
is triggered.
The boot watchdog is automatically cleared just before starting
the OS and (optionally) enabling the kernel watchdog.
* Skip first SD boot if no card detected
On platforms with an SD Card detect signal, skip the first attempt to
boot from SD if the card appears to be absent. This can save over a
second on a cold boot, and a little under a second for a reboot.
* 2711: (recovery) Automatically set revoke_devkey if program_pubkey=1
Previously, on BCM2711 products it was possible to program the key
hash without revoking the development key. This can be useful for
testing but should never be used in production because it is possible
to an install an older version of the bootloader which doesn't
support secure-boot. Since the secure-boot tools are stable and
have improved usability (RPi secure-boot provisioner) this test
feature not necessary and is just a security risk so the behaviour
is changed to always revoke the development key if program_pubkey=1.
This change is not relevant on BCM2712 because secure-boot requires
that the second stage bootloader is counter-signed with the customer's
private key.
* Signed boot and HTTP boot mode
HTTP boot mode is supposed to be disabled if signed boot is enabled and
a host is not specified. The code is checking the http_secure flag to
enforce this. But this is valid now we support custom CA certs.
Only disable HTTP mode if we're using the default HOST.
* Implement TCP window for net boot
The minimal IP stack used for https booting lacks the ability to cache
packets received out of order, which can lead to severe slowdown when
it happens. The problem seems to affect some ISPs more than others.
The receive window implemented here copes with packet losses of 10%.
* netboot: Correct the TCP MSS
* Correct msecs in debug timestamps
The fractional part of timestamps in UART debug output was showing the
100ths and 1000ths of a second, rather than 10ths and 100ths, causing
strange sequences that appear to jump backwards.
* recovery: Walk partitions to delete recovery.bin
Previously, recovery.bin would fail to delete itself
if the bootrom loaded recovery.bin where there are multiple FAT
partitions and the first partition does not contain recovery.bin
Update the rename code to walk the partition table to find
the recovery.bin file to delete.
* Enable overriding of high partition numbers
Previously, the PARTITION=N bootloader config setting would only
be used at power on reset or if the partition number passed to
reboot was zero.
Change the behaviour so that the bootloader config PARTITION
property can override the reboot partition number if the reboot
parameter is > 31.
* Walk the partition table if the requested partition is not bootable
Previously, if the specified boot partition was not bootable the
bootloader would stop and advance to the next BOOT_ORDER. If the
new PARTITION_WALK option is set to 1 the bootloader will now
check each partition in turn starting from the specified partition
before advancing the BOOT_ORDER.
This feature is intended for use with A/B systems to handle the case
where autoboot.txt is missing / corrupted. This change enables
the system to failover to the next available bootable partition.
The autoboot.txt file is not scanned during the partition-walk
phase i.e. there is no recursive processing of autoboot.txt files.
This option is only supported on physical block devices
(SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
device, partition walks on multiple USB devices is not recommended
and may cause timeouts.
* Improve keyboard handling in boot menu
Try and make it more likely that we have enough time to perform key
detection.
Ignore mice, which were being enumerated and slowing things down.
* Enable banklow (and so NUMA) by default
banklow=1 (2712) and banklow=3 (2711) give the best performance.
* enable_uart=1 now enables a Linix UART console on the 40-pin header
unless a cable is detected on the dedicated boot-uart.
* Recreate internal bl31 stub from clean git tree to fix dirty commit
message.
* Fix PCIe BAR setup issue which prevented NVMe boot from working with some PCIe switches
See: https://github.com/raspberrypi/firmware/issues/1833
* Boot-menu improvements
Remain in the forced boot mode until the menu is used to select a different
boot-mode or reset to the original boot-order.
SD card high-speed/low-voltage mode can only be exited by powercycling.
Pi 4s before rev 1.4 lack the power switch required to do this, so
must resort to a global reset that turns off many things, including
SDRAM.
To ensure correct operation, the bootloader checks that the SD I/O
voltage is the expected 3.3V, forcing a power cycle if it isn't.
However, this doesn't take advantage of presence of the dedicated
SD power switch, always forcing a global reset, a consequence of which
can be the loss of SDRAM content - including any ramoops dump of the
crash logs.
Make the bootloader more SD_PWR_ON aware, only triggering a global
reset if one isn't found.
See: https://github.com/raspberrypi/linux/issues/5298
* arm_dt: Consult the hat_map for all HATs
* USB boot - ignore RP2 / RP3 MSD device in BOOTSEL mode.
* recovery.bin - Fix erase_eeprom to not block reboot_recovery
* Fix self-update to continue to boot instead of retrying forever
if the EEPROM is write protected.
https://github.com/raspberrypi/rpi-eeprom/issues/597
* Enable the usage of program_rpiboot_gpio in config.txt for recovery.bin
without requiring secure-boot to be enabled.
This may be useful CI systems provisioning images on Pi4B / Pi400 via RPIBOOT.
This is an OTP setting and cannot be reverted after programming.
See https://www.raspberrypi.com/documentation/computers/config_txt.html#program_rpiboot_gpio
* Add timestamps to UART log messages.
* Add support for [tryboot] conditional the bootloader EEPROM
config file.
See: https://github.com/raspberrypi/rpi-eeprom/issues/454
* Fix MAX_RESTARTS parameter
See: https://github.com/raspberrypi/rpi-eeprom/issues/576
* Add recovery_reboot option to config.txt for rpiboot which causes
the system to reboot after updating the bootloader.
* Improve secure-boot OTP provisioning logging.
* Fix setting to enable secure-boot mode on Pi4B
* Switch to building the Pi4 firmware from the common Pi4/Pi5
mainline release. This doesn't change the Pi4 features
but should make it quicker to release bug fixes in common code.
* Fix issue that caused the TRYBOOT flag to be lost in secure-boot mode.
* dtoverlay: Use %u when converting u32s to strings
See: https://github.com/raspberrypi/linux/issues/6039
* Improved debug messages for secure-boot.
* Generate the bootloader diagnostics qrcode at run time.
