The Raspberry Pi firmware cryptography service requires a valid
ECDSA P-256 key instead of a plain random number. Update the usage
instructions for key-provisioning to use this key type as the example.
* force_eeprom_read=0 disables HAT I2C
Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
from being read, with the recent changes to support Power HAT+s it does
not prevent an early scan to see if such an EEPROM exists. This can be
problematic for applications where the I2C0 pins have been repurposed.
Change the inhibit logic to cut all HAT I2C probing off at the knees,
including any automatic settings of usb_max_current_enable, as it should
always have done.
See: https://github.com/raspberrypi/firmware/issues/1985
* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API lock_device_private_key=1
* Fix PARTITION_WALK for missing start.elf files
Fix a missing call to bootloader_reset_state so that PARTITION_WALK
will work if the boot-partition is FAT, contains config.txt etc
but does not have valid firmware.
See: https://github.com/raspberrypi/rpi-eeprom/issues/738
* force_eeprom_read=0 disables HAT I2C
Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
from being read, with the recent changes to support Power HAT+s it does
not prevent an early scan to see if such an EEPROM exists. This can be
problematic for applications where the I2C0 pins have been repurposed.
Change the inhibit logic to cut all HAT I2C probing off at the knees,
including any automatic settings of usb_max_current_enable, as it should
always have done.
See: https://github.com/raspberrypi/firmware/issues/1985
* bootcode.bin: Add support for boot.img ramdisk on Pi3 and earlier
Add support for boot.img ramdisk support, enable by adding boot_ramdisk=1
in config.txt
* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API
lock_device_private_key=1
Improve the error handler for the case where the new EEPROM config
exceeds the amount of available free space. Display the filename,
new size and space available.
N.B The 2711/pieeprom-2025-08-13.bin restores the free space to a
little of 4KB again.
See: https://github.com/raspberrypi/rpi-eeprom/issues/732
* Enable the PARTITION_WALK property by default
Previously, the new PARTITION_WALK which searches for bootable
partitions after a failure had to be explicitly enabled. Change
the default to be enabled by default. It can be switched off by
setting PARTITION_WALK=0 in the EEPROM config.
* pi5: Fix read for cached copy of PMIC sequencer status
Previously, this was overwritten by the RTC event status.
* Enable the PARTITION_WALK property by default
Previously, the new PARTITION_WALK which searches for bootable
partitions after a failure had to be explicitly enabled. Change
the default to be enabled by default. It can be switched off by
setting PARTITION_WALK=0 in the EEPROM config.
* Optimise bootmain for size on Pi4
Pi4 only has a 512KB SPI flash EEPROM and the addition of features
plus fixes is now causing contention for space between the code and
the EEPROM config. Since bootmain is only responsible for loading
start.elf revert to the original configuration which is optimised
for size rather than speed. Pi5 continues to be optimised for speed.
* Fix config key search which could cause camera_autodetect to fail
The bootvar0 config property was added in the wrong section which
could cause the config property search for some other properties
to fail.
* arm_loader: Also require the early-watchdog property
The change correcting the implementation of dtoverlay_is_enabled had the
unintended consequence of causing the firmware to enable the watchdog
even though the user had not explicitly requested it. This is harmless
on Linux because the watchdog driver takes over and disarms it, but on
other operating systems this can lead to a reboot. Avoid this problem
by also requiring the presence of a new property, "early-watchdog".
See: https://github.com/raspberrypi/firmware/issues/1980
* helpers/config_loader: Add bootvar0 eeprom config that can be used in config.txt section expressions
This allows an eeprom config setting (e.g. BOOTARG0=0x10) to be set on a board
which config.txt can use as a conditional expression (e.g. [bootarg0&0x10]).
* arm_loader: Fix boot-watchdog stop on Pi4
Fix a problem where the boot_watchdog heartbeat timer was not
stopped correctly which could cause it to clash with the kernel
watchdog driver.
* arm_loader: Also require the early-watchdog property
The change correcting the implementation of dtoverlay_is_enabled had the
unintended consequence of causing the firmware to enable the watchdog
even though the user had not explicitly requested it. This is harmless
on Linux because the watchdog driver takes over and disarms it, but on
other operating systems this can lead to a reboot. Avoid this problem
by also requiring the presence of a new property, "early-watchdog".
See: https://github.com/raspberrypi/firmware/issues/1980
* helpers/config_loader: Add bootvar0 eeprom config that can be used in config.txt section expressions
This allows an eeprom config setting (e.g. BOOTARG0=0x10) to be set on a board
which config.txt can use as a conditional expression (e.g. [bootarg0&0x10]).
* arm_loader: Fix boot-watchdog stop on Pi4
Fix a problem where the boot_watchdog heartbeat timer was not
stopped correctly which could cause it to clash with the kernel
watchdog driver.
* board_info: Use the Ethernet PHY address probed by the bootloader
Use the Ethernet PHY address supplied by the bootloader in
preference to the static configurations defined in start4.elf
* Check for SD card overcurrent on Pi5, Pi500 and Pi4
Before booting, the bootloader now checks the SD power switch
overcurrent signal. The overcurrent signal occurs if the SD
card is damaged and has a short circuit which will cause it to
get hot.
If an over-current condition is detected the bootloader switches
switches off power to the SD card and waits five seconds before
probing the SD card again. This error is displayed on the
diagnostic screen, the UART and the activity LED (1 long, 2 short)
flashes.
The check can be switched to a non-blocking warning by setting
SD_OVERCURRENT_CHECK=0 in the bootloader config.
* Add a new error code pattern for SD overcurrent
Add a new error pattern (1 long, 2 short) to signal SD card
overcurrent.
* Add support for a bootloader watchdog
Add support for a boot watchdog (using PM_RSTC hw wdog) which will
trigger if the OS is not started within the specified amount of time. The
watchdog is enabled by setting the BOOT_WATCHDOG_TIMEOUT=N (seconds)
property in the bootlaoder config.
The BOOT_WATCHDOG_PARTITION=P property can be set to pass a different
partition number to the bootloader on reset if the watchdog
is triggered.
The boot watchdog is automatically cleared just before starting
the OS and (optionally) enabling the kernel watchdog.
* Skip first SD boot if no card detected
On platforms with an SD Card detect signal, skip the first attempt to
boot from SD if the card appears to be absent. This can save over a
second on a cold boot, and a little under a second for a reboot.
* rp1_uart: Allow rp1_uart to be started earlier
If enabled (with enable_rp1_uart) then the existing boot uart
messages are redirected to the rp1 uart.
* board_info: Use the Ethernet PHY address probed by the bootloader
Use the Ethernet PHY address supplied by the bootloader in
preference to the static configurations defined in start4.elf
* pi5: Fix overwrite of cache EEPROM config in secure-boot mode
See: https://github.com/raspberrypi/rpi-eeprom/issues/719
* Check for SD card overcurrent on Pi5, Pi500 and Pi4
Before booting, the bootloader now checks the SD power switch
overcurrent signal. The overcurrent signal occurs if the SD
card is damaged and has a short circuit which will cause it to
get hot.
If an over-current condition is detected the bootloader
switches off power to the SD card and waits five seconds before
probing the SD card again. This error is displayed on the
diagnostic screen, the UART and the activity LED (1 long, 2 short)
flashes.
The check can be switched to a non-blocking warning by setting
SD_OVERCURRENT_CHECK=0 in the bootloader config.
* Add a new error code pattern for SD overcurrent
Add a new error pattern (1 long, 2 short) to signal SD card
overcurrent.
* Enable RTC wakeup from POWER_OFF_ON_HALT=0
* Improve HAT+ current handling
In shipping firmware, the current_supply value is only being used in the
case of a normal (non-stacked) HAT+, but that is unnecessarily
restrictive. Also, the presence of MODE0 and MODE1 power HATs is not
reflected in the value of max_current.
See: https://github.com/raspberrypi/linux/pull/6678
* Add support for a bootloader watchdog
Add support for a boot watchdog (using PM_RSTC hw wdog) which will
trigger if the OS is not started within the specified amount of time. The
watchdog is enabled by setting the BOOT_WATCHDOG_TIMEOUT=N (seconds)
property in the bootlaoder config.
The BOOT_WATCHDOG_PARTITION=P property can be set to pass a different
partition number to the bootloader on reset if the watchdog
is triggered.
The boot watchdog is automatically cleared just before starting
the OS and (optionally) enabling the kernel watchdog.
* pi5: Add a temperature monitor
In early releases of the bootloader the fan would always be on
during boot which can be distracting. Later releases switch off the
fan until the OS has booted.
This change adds some basic fan control from the bootloader to
enable the fan if the temperature is above 85C.
This may be useful if the Pi was shutdown by the OS because the
temperature limit was exceeded.
Since the Linux hwmon is not active at this stage the bootloader
now implements the same logic to power off the Pi if the chips
is more than 110C.
The PMIC hardware automatically cuts power if the temperature
is more than 125C.
* Skip first SD boot if no card detected
On platforms with an SD Card detect signal, skip the first attempt to
boot from SD if the card appears to be absent. This can save over a
second on a cold boot, and a little under a second for a reboot.
* NVMe: Fix loading of files > 32MB
Fix an NVMe boot bug which caused large contiguous reads >= 32MB to fail
* Update setting alpha for 2712D0
D0 moved the alpha blend mode from CTL2 to CTL0.
Update the bootloader code to follow suit for those using
the simple framebuffer
* dtoverlay: Fix node_is_enabled for implicit status
The absence of a status property implies that a node is enabled. Update
dtoverlay_node_is_enabled to match that behaviour.
See: https://github.com/raspberrypi/firmware/issues/1970
* arm_loader: GET_CLOCKS: Set useful response length
The kernel's firmware mailbox API does not make the actual length of the
response available to clients, but other implementations may care.
Continue to pad the GET_CLOCKS buffer with zeroes, but set the response
length to minimally contain the useful content.
See: https://github.com/raspberrypi/firmware/issues/1969
Important changes since the last automatic update:
* Add the boot-menu to override the boot-order.
* Implement TCP window for network install.
* Preserve SDRAM contents after crash.
* Improved compatibility for USB pendrives.
Change the automatic update version to 2025-05-08.
Important changes since the last automatic update:
* RP1 firmware support for PIO
* Improved support for HAT+ and parameters
* Boot menu
* SDRAM performance and stability improvements
* 2711: (recovery) Automatically set revoke_devkey if program_pubkey=1
Previously, on BCM2711 products it was possible to program the key
hash without revoking the development key. This can be useful for
testing but should never be used in production because it is possible
to an install an older version of the bootloader which doesn't
support secure-boot. Since the secure-boot tools are stable and
have improved usability (RPi secure-boot provisioner) this test
feature not necessary and is just a security risk so the behaviour
is changed to always revoke the development key if program_pubkey=1.
This change is not relevant on BCM2712 because secure-boot requires
that the second stage bootloader is counter-signed with the customer's
private key.
* Signed boot and HTTP boot mode
HTTP boot mode is supposed to be disabled if signed boot is enabled and
a host is not specified. The code is checking the http_secure flag to
enforce this. But this is valid now we support custom CA certs.
Only disable HTTP mode if we're using the default HOST.
* Implement TCP window for net boot
The minimal IP stack used for https booting lacks the ability to cache
packets received out of order, which can lead to severe slowdown when
it happens. The problem seems to affect some ISPs more than others.
The receive window implemented here copes with packet losses of 10%.
* netboot: Correct the TCP MSS
* Correct msecs in debug timestamps
The fractional part of timestamps in UART debug output was showing the
100ths and 1000ths of a second, rather than 10ths and 100ths, causing
strange sequences that appear to jump backwards.
* arm_loader: Correct some mailbox response lengths
The GET_GENCMD_RESULT mailbox handler was setting the wrong response
length, and GET_FIRMWARE_COMMIT_HASH and GET_FIRMWARE_VARIANT were not
setting any length.
See: https://github.com/raspberrypi/firmware/issues/1968
* Signed boot and HTTP boot mode
HTTP boot mode is supposed to be disabled if signed boot is enabled and
a host is not specified. The code is checking the http_secure flag to
enforce this. But this is valid now we support custom CA certs.
Only disable HTTP mode if we're using the default HOST.
* Implement TCP window for net boot
The minimal IP stack used for https booting lacks the ability to cache
packets received out of order, which can lead to severe slowdown when
it happens. The problem seems to affect some ISPs more than others.
The receive window implemented here copes with packet losses of 10%.
* netboot: Correct the TCP MSS
* rp1_net: Overwrite the length field
Although concise, ORing in the packet length runs the risk of leaving
some unwanted bits set. Ensure the length field is cleared before
ORing in the required value.
* Correct msecs in debug timestamps
The fractional part of timestamps in UART debug output was showing the
100ths and 1000ths of a second, rather than 10ths and 100ths, causing
strange sequences that appear to jump backwards.
* Implement GET_BOARD_MAC_ADDRESS on Pi5
The Pi 5 EEPROM implements a subset of the original mailbox properties.
Add GET_BOARD_MAC_ADDRESS to the subset.
See: https://github.com/raspberrypi/rpi-eeprom/issues/698
* Ensure the initramfs matches the kernel
As far as is possible, both the kernel and initramfs are matched to the
device. However, where multiple kernel variants can run on a device, the
initramfs must be matched to the chosen kernel. Make that the sole rule
for initramfs selection, rather than duplicating the device matching
logic.
See: https://github.com/raspberrypi/firmware/issues/1965
* Enable logging messages from OS loader
Pi 5 EEPROM builds were missing the output from the main OS loading
function, including some important diagnostics. Enabling the logging
output from this loader code results in some near-duplicates, but is
more user friendly and is available via "sudo vclog -m".
* arm_dt: Revert to using the max fan speed
It has been reported that the presence of a cooling fan at boot time
can lead to a maximum observed fan speed of ~300 but a current speed
of 0. The absence of a fan results in 0s for both metrics.
See: https://github.com/raspberrypi/rpi-eeprom/issues/690
* os_check: cm5: Check for CM5 specific dtbs
Check for BCM2712 support in bcm2712-rpi-cm5-cm5io.dtb
or bcm2712-rpi-cm5l-cm5io.dtb on CM5 instead of bcm2712-rpi-5-b.dtb.
This avoids needing to put os_check=1 or specifying device_tree
in config.txt in minimal images for CM5.
See: https://github.com/raspberrypi/rpi-eeprom/issues/682
* Log the fan speed at boot
Record the fan RPM (and the maximum seen) during boot, so that it is
accessible using "sudo vclog -m".
See: https://github.com/raspberrypi/rpi-eeprom/issues/678
* Add current_supply to HAT+ support
Refactor the HAT library to make it more self-contained, and combine
the I2C address detection and the reading of the EEPROM contents.
Use it to allow the earlier boot stages to check for a current_supply
setting in the EEPROM of a normal (non-stackable) HAT+.
* Update SDRAM init timings to intermittent 8-flash SDRAM init errors
on some boards.
See: https://github.com/raspberrypi/rpi-eeprom/issues/67
* config: Fix missing initialisation of selected_expr to 1 in config.txt
Without an [all] section the new expression filter might default to
false. This impacts the bootloader early parsing of config.txt
for things like boot_ramdisk rather than the later config.txt pass
for device-tree parsing.
* config_loader: Add support [boot_partition=N] as an expression filter
The boot_partition tests whether the partition number N matches
the number that the system is booting from. This expression is
only supported in config.txt and is designed to make it easier
to have common boot.img ramdisks in an A/B system where the
conditional loads a different cmdline.txt file depending on
which partition boot.img is loaded from.
In production setups, it is quite normal that the private key does not
exist as a file in the file system, but is kept inside some HSM,
remote signing service or similar, and only accessed via some pkcs#11
interface; moreover, by design, the private key _cannot_ be extracted
from the HSM or signing service.
In such a case, the user will have set OPENSSL_CONF to some
configuration file setting up the appropriate engine, and the "key" is
simply the pkcs#11 URI, e.g. "pkcs11:model=foo;object=bar".
In order to support this use case, automatically infer the appropriate
options to pass to openssl-dgst if "${KEY}" begins with
"pkcs11:". Doing this at the top level avoids duplicating the logic in
both writeSig and verifySig. While here, this also adds a sanity check
that -v can only be used while also providing a (public) key to check
against.
This drops the -keyform argument in the non-pkcs#11 case, as openssl
automatically infers the type, and this then in fact allows one to use
a private key in e.g. DER format.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
* Fix pull configuration on 2712D0
2712D0 uses a horrendously sparse set of pad control registers. Make
the pull-setting code sufficiently complex to cope.
See: https://github.com/raspberrypi/rpi-eeprom/issues/672
* Disable UARTA for CM5s without WiFi
Just as CM5s without WiFI don't need the SDIO interface, the Bluetooth
UART is unconnected. Disable the DT node to avoid kernel warnings and
save some cycles.
* recovery: Walk partitions to delete recovery.bin
Previously, recovery.bin would fail to delete itself
if the bootrom loaded recovery.bin where there are multiple FAT
partitions and the first partition does not contain recovery.bin
Update the rename code to walk the partition table to find
the recovery.bin file to delete.
* Enable overriding of high partition numbers
Previously, the PARTITION=N bootloader config setting would only
be used at power on reset or if the partition number passed to
reboot was zero.
Change the behaviour so that the bootloader config PARTITION
property can override the reboot partition number if the reboot
parameter is > 31.
* Walk the partition table if the requested partition is not bootable
Previously, if the specified boot partition was not bootable the
bootloader would stop and advance to the next BOOT_ORDER. If the
new PARTITION_WALK option is set to 1 the bootloader will now
check each partition in turn starting from the specified partition
before advancing the BOOT_ORDER.
This feature is intended for use with A/B systems to handle the case
where autoboot.txt is missing / corrupted. This change enables
the system to failover to the next available bootable partition.
The autoboot.txt file is not scanned during the partition-walk
phase i.e. there is no recursive processing of autoboot.txt files.
This option is only supported on physical block devices
(SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
device, partition walks on multiple USB devices is not recommended
and may cause timeouts.
* Improve keyboard handling in boot menu
Try and make it more likely that we have enough time to perform key
detection.
Ignore mice, which were being enumerated and slowing things down.
* recovery: Walk partitions to delete recovery.bin
Previously, recovery.bin would fail to delete itself
if the bootrom loaded recovery.bin where there are multiple FAT
partitions and the first partition does not contain recovery.bin
Update the rename code to walk the partition table to find
the recovery.bin file to delete.
* pi5: Add config filter for simple boot variable expressions (experimental)
Add support for a new bootloader/config.txt conditional filter
which tests the partition, boot_count and boot_arg1 variables.
Syntax (no spaces):
ARG boot_arg1, boot_count or partition (EEPROM config stage only)
[ARG=VALUE] selected if (ARG == VALUE)
[ARG&MASK] selected if ((ARG & VALUE) != 0))
[ARG&MASK=VALUE] selected if ((ARG & MASK) == VALUE)
[ARG<VALUE] selected if (ARG < VALUE)
[ARG>VALUE] selected if (ARG > VALUE)
where VALUE and MASK are unsigned integer constants and ARG
corresponds to the value in the reset register before the
config file is parsed.
* pi5: Add a boot-count bootloader variable (experimental)
Store the boot-count in a reset register and increment just
before the boot-order state-machine. The boot-count variable
is visible via device-tree /proc/device-tree/chosen/bootloader/count
and can be read/set via vcmailbox
GET: sudo vcmailbox 0x0003008d 4 4 0
SET to N: sudo vcmailbox 0x0003808d 4 4 N
* pi5: Add user-defined reboot argument (boot_arg1) (experimental)
Add support for a user-defined boot parameter stored in a reset-safe
scratch register on BCM2712. This is visible via device-tree at
/proc/device-tree/chosen/bootloader/arg1 and via vcmailboxes
GET arg1: sudo vcmailbox 0x0003008c 8 8 1 0
SET arg1 to 42: sudo vcmailbox 0x0003808c 8 8 1 42
or via config.txt
set_reboot_arg1=42
The variable is NOT cleared automatically and will persist until
a power-on-reset.
* Enable overriding of high partition numbers
Previously, the PARTITION=N bootloader config setting would only
be used at power on reset or if the partition number passed to
reboot was zero.
Change the behaviour so that the bootloader config PARTITION
property can override the reboot partition number if the reboot
parameter is > 31.
* Disable WiFi PMIC output on CM5 modules without WiFi
Disable the 3.7V WiFi power supply on CM5 modules which do not have a
WiFi module fitted. This fixes some stability issues where a CM5
would shutdown due to a spurious over-voltage condition on the
non-connected WiFi power supply.
* Add memory barrier to the mbox handler
Firmware issue 1944 reports receiving kernel warnings about firmware
requests where the status return code is 0. This should not be
possible, as handle_mbox_property always sets the top bit of the return
code, with the bottom bit indicating success or failure. If the firmware
had died, the firmware driver would report a timeout due to the lack of
a mailbox interrupt, and that isn't happening.
See: https://github.com/raspberrypi/firmware/issues/1944
* support dts files with size-cells of 2
DTS files with a top-level #size-cells of 2 make a lot of sense for
systems with a lot of RAM, but the firmware is currently inconsistent
in its support for that. Fix up the other cases to honor #size-cells
and #address-cells.
* Disable SDIO2 for CM5s without WiFi
It has been observed that CM5s without WiFi hang on reboot. To prevent
that, disable the sdio2 node on those devices.
See: https://github.com/raspberrypi/linux/issues/6647
* arm_dt: Use dtoverlay_enable_node
Convert the open-coded DT node status changes to use the new dtoverlay
method dtoverlay_enable_node.
* dtoverlay: Add dtoverlay_enable_node
Add a helper function for setting the status of a node.
* Walk the partition table if the requested partition is not bootable
Previously, if the specified boot partition was not bootable the
bootloader would stop and advance to the next BOOT_ORDER. If the
new PARTITION_WALK option is set to 1 the bootloader will now
check each partition in turn starting from the specified partition
before advancing the BOOT_ORDER.
This feature is intended for use with A/B systems to handle the case
where autoboot.txt is missing / corrupted. This change enables
the system to failover to the next available bootable partition.
The autoboot.txt file is not scanned during the partition-walk
phase i.e. there is no recursive processing of autoboot.txt files.
This option is only supported on physical block devices
(SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
device, partition walks on multiple USB devices is not recommended
and may cause timeouts.
* Improve keyboard handling in boot menu
Try and make it more likely that we have enough time to perform key
detection.
Ignore mice, which were being enumerated and slowing things down.
