* arm_loader: Add machine ID derived from OTP values
Machine ID is generated and exposed in device tree as rpi-machine-id
* arm_ldconfig: Avoid double os_prefix on initramfs
When using auto_initramfs we were picking up prefix from the kernel,
but also adding os_prefix later:
fname = prefixed_path(initramfs_file, os_prefix, temp_path, sizeof(temp_path));
See: https://forums.raspberrypi.com/viewtopic.php?t=394238
* arm_loader: Add machine ID derived from OTP values
Machine ID is generated and exposed in device tree as rpi-machine-id
* arm_ldconfig: Avoid double os_prefix on initramfs
When using auto_initramfs we were picking up prefix from the kernel,
but also adding os_prefix later:
fname = prefixed_path(initramfs_file, os_prefix, temp_path, sizeof(temp_path));
See: https://forums.raspberrypi.com/viewtopic.php?t=394238
* recovery: Use OTP rpiboot GPIO if non-zero
If an rpiboot GPIO has already been written to OTP then default to
that value if C(program_rpiboot_gpio) is not specified on config.txt.
* helpers/config_loader: Also support bootvar0 eeprom config on Pi4
This allows an eeprom config setting (e.g. BOOTARG0=0x10) to be set on a board
which config.txt can use as a conditional expression (e.g. [bootarg0&0x10]).
* pi5: Write over-voltage config to the UART log
Write the high level over-voltage configuration to the UART log for
diagnostic purposes.
* Stop partition-walk after boot-mode timeout/retries limit
Fix a fatal assert with USB boot where the partition walk could be
retried after the USB timeout/retry limit had been reached.
See: https://github.com/raspberrypi/rpi-eeprom/issues/776
* rpiboot: Extend metadata to report status of operations
Report success/fail status of recovery operations based on config.txt settings
* pi5: Write over-voltage config to the UART log
Write the high level over-voltage configuration to the UART log for
diagnostic purposes.
* Stop partition-walk after boot-mode timeout/retries limit
Fix a fatal assert with USB boot where the partition walk could be
retried after the USB timeout/retry limit had been reached.
See: https://github.com/raspberrypi/rpi-eeprom/issues/776
* rpiboot: Extend metadata to report status of operations
Report success/fail status of recovery operations based on config.txt settings
Add new utility which creates a SD card image for programming
the rpiboot GPIO OTP option on a Pi 4 or Pi 400.
Example:
sudo imager/make-pi4-rpiboot-gpio-sd 6
Creates images-2711/pi4-program-rpiboot-gpio6.zip which can
be flashed to a spared SD card with Raspberry Pi Imager. This
will select GPIO 6 for use as the rpiboot GPIO.
* recovery: Restore recovery_wait option
Restore the recovery_wait config.txt option. If this option is set
then recovery.bin will not rename itself or reboot. Instead flash
the activity LED on completion.
This option can be useful when creating an SD card to erase the
EEPROM or program the RPIBOOT gpio on multiple devices.
If recovery_wait=1 and recovery.bin is run from the SD card then
indicate success of erase_eeprom=1 or program_rpiboot_gpio=N was
set instead of requiring the EEPROM to be updated.
* Manufacture test updates for SDRAM.
* recovery: Restore recovery_wait option
Restore the recovery_wait config.txt option. If this option is set
then recovery.bin will not rename itself or reboot. Instead flash
the activity LED on completion.
This option can be useful when creating an SD card to erase the
EEPROM or program the RPIBOOT gpio on multiple devices.
If recovery_wait=1 and recovery.bin is run from the SD card then
indicate success of erase_eeprom=1 or program_rpiboot_gpio=N was
set instead of requiring the EEPROM to be updated.
* Load RP1 firmware whilst DDR is initialising
* Allow longer overlay file paths
load_dtoverlay uses the variable "filename" to hold the full path to an
overlay. As such it should be declared using LDFILEPATH_MAX, not
LDFILENAME_MAX.
See: https://github.com/raspberrypi/firmware/issues/2004
Update make-imager-release to remove the release-CHIP directories
which contain the plain .zip files. These are used as the input
to make-recovery-images which are disk images.
RPi Imager expects to download disk-images rather than .zips so
remove the temporary directories to avoid confusion.
See: https://github.com/raspberrypi/rpi-eeprom/issues/770
When the user runs rpi-eeprom-config to sign a bootloader image,
if the image is not the correct size, the error message returns
a tautology:
rpi-eeprom-config -c boot.conf -p /tmp/rpi-pubkey.pem \
-o pieeprom.upd /tmp/downloaded-boot.img
ERROR: /tmp/downloaded-boot.img: \
Expected size 62914560 bytes actual size 62914560 bytes
When it should be alerting the user that there are only two
valid values for a bootloader size. My MR addresses this issue
by returning the acceptable values for the bootloader size in the
image.
./rpi-eeprom-config -c boot.conf -p /tmp/rpi-pubkey.pem \
-o pieeprom.upd /tmp/downloaded-boot.img
ERROR: /tmp/downloaded-boot.img: \
Expected sizes [524288, 2097152] bytes, got actual size 62914560 bytes
Signed-off-by: Lincoln Thurlow <lincoln@isi.edu>
* arm_loader: Add iommu_dma_numa_policy=interleave when needed
This applies a similar numa interleave for iommu dma kernel allocations.
This includes buffers allocated for hevc and v3d.
See: https://forums.raspberrypi.com/viewtopic.php?t=392666
* Rebuild RP1 firmware to reduce size.
* arm_loader: Add iommu_dma_numa_policy=interleave when needed
This applies a similar numa interleave for iommu dma kernel allocations.
This includes buffers allocated for hevc and v3d.
See: https://forums.raspberrypi.com/viewtopic.php?t=392666
* pitowers/master:
pieeprom-2025-10-17: Enable background refresh on 2712d0 for all SDRAM sizes (latest)
pieeprom-2025-10-14: 2711: Use ROM boot-mode flag to detect rpiboot mode (latest)
pieeprom-2025-10-08: 2712: Fix accidental set of PM_RSTS bit 5 when stopping watchdog (latest)
pieeprom-2025-10-08: 2711: Fix accidental set of PM_RSTS bit 5 when stopping watchdog (latest)
pieeprom-2025-10-03: 2711: arm_dt: Report OTP SDRAM size via device-tree (latest)
pieeprom-2025-09-25: 2712: Apply UART_BAUD in early bootsys UART init (latest)
pieeprom-2025-09-23: 2712: Fix TFTP to allow larger files (latest)
pieeprom-2025-09-23: 2711: Fix network install regression on Pi4 (latest)
pieeprom-2025-09-22: 2711: Add LZ4 decompressor (latest)
pieeprom-2025-09-22: 2712: Add LZ4 decompressor (latest)
* 2712d0: Enable background refresh on 2712d0 for all SDRAM sizes
This provides a minor performance benefit.
* Update GPT to support 4K native sectors
Bootloader logic updated to correctly interpret the GPT layout format specific to 4K native sector drives.
* recovery: Use ROM boot-mode flag to detect rpiboot mode
In recovery-mode use the bootrom register flag to detect the
original boot-mode rather than looking at whether the rpiboot
usb-device boot driver is initialised.
* recovery: Use ROM boot-mode flag to detect rpiboot mode
In recovery-mode use the bootrom register flag to detect the
original boot-mode rather than looking at whether the rpiboot
usb-device boot driver is initialised.
* Manufacturing test updates.
* Fix accidental set of PM_RSTS bit 5 when stopping watchdog
Fix an issue in the watchdog code where the raw PM_RSTS value
was used as partition number. If HADWRF (bit 5) was set (on reboot)
this could cause bit 10 to be set. If an OS didn't clear the partition
flags on reboot then this could end up being treated as request to
boot from partition 32.
* pi5: Preliminary support for 4K native sectors with NVMe drives
Pi5 now supports 4K native sector NVMe drives.
This allows booting from drives with logical block size 4096,
while 512B drives remain compatible. With 4K sectors, storage density
increases along with improved reliability and efficiency.
N.B. USB boot still requires a 512 byte sector size and there are
no RPi OS disk images with a 4K sector format.
See: https://github.com/raspberrypi/rpi-eeprom/issues/577
* arm_dt: Report OTP SDRAM size via device-tree
Report the SDRAM in gigabits via device-tree as
/proc/device-tree/chosen/rpi-sdram-size-gbit. Scripts reporting the
device-capabilities should use this value (if defined) instead of the
memory-size field in the boardrev row.
* Fix accidental set of PM_RSTS bit 5 when stopping watchdog
Fix an issue in the watchdog code where the raw PM_RSTS value
was used as partition number. If HADWRF (bit 5) was set (on reboot)
this could cause bit 10 to be set. If an OS didn't clear the partition
flags on reboot then this could end up being treated as request to
boot from partition 32.
* arm_dt: Report OTP SDRAM size via device-tree
Report the SDRAM in gigabits via device-tree as
/proc/device-tree/chosen/rpi-sdram-size-gbit. Scripts reporting the
device-capabilities should use this value (if defined) instead of the
memory-size field in the boardrev row.
* Apply UART_BAUD in early bootsys UART init
Update bootsys and fatal error handlers to use the user
defined UART_BAUD rate.
* rpifwcrypto: Add support for ECDSA P-256 key generation
Also, slightly improve the entropy by passing the system
timer value as the personality string.
* Apply UART_BAUD in early bootsys UART init
Update bootsys and fatal error handlers to use the user
defined UART_BAUD rate.
* rpifwcrypto: Add support for ECDSA P-256 key generation
* Fix network install regression on Pi4
Fix an issue with the ECDSA signature code which caused network
install to fail to load on Pi4.
* Fix TFTP to allow larger files
Allow TFTP block counter to rollover to 0.
See: https://github.com/raspberrypi/rpi-eeprom/issues/720
* Add LZ4 decompressor
LZ4 gives a better compression ratio than the previously used CK compress. The bootloader can now decompress both LZ4 compressed files and CK compressed files.
* rpifwcrypto: Add GET_CRYPTO_PRIVATE_KEY mailbox API
For provisioning, add a new mailbox API which returns the private key
in DER format. The API will return an error if the key-status for
the specified key is LOCKED.
* config: Add support for board_attributes in conditional expressions
Add support for the board-attributes row in config.txt conditional
expressions. This can be used to change boot behavior for
Compute Module Lite / No-WiFi etc.
* board_info: Log the OTP board revision at startup
Log the board revision plus the raw OTP value at startup.
* Add LZ4 decompressor
LZ4 gives a better compression ratio than the previously used CK compress. The bootloader can now decompress both LZ4 compressed files and CK compressed files.
* rpifwcrypto: Add GET_CRYPTO_PRIVATE_KEY mailbox API
For provisioning, add a new mailbox API which returns the private key
in DER format. The API will return an error if the key-status for
the specified key is LOCKED.
* config: Add support for board_attributes in conditional expressions
Add support for the board-attributes row in config.txt conditional
expressions. This can be used to change boot behavior for
Compute Module Lite / No-WiFi etc.
* board_info: Log the OTP board revision at startup
Log the board revision plus the raw OTP value at startup.
* pitowers/master:
Add link to old 2712 EEPROM images to releases.md page
pieeprom-2025-08-27: 2712: Fix PARTITION property to allow default (0) partition to be overridden (latest)
pieeprom-2025-08-27: 2711: Fix PARTITION property to allow default (0) partition property to be overridden (latest)
rpi-otp-private-key: Fix missing escape character in usage text
* Fix PARTITION property to allow default (0) partition to be overridden
Fix the partition selection to allow the bootloader PARTITION
property to override the reboot partition number if the reboot
argument is 0 or > 31. Previously, it was only allowing
partition numbers > 31 to be overridden.
See: https://github.com/raspberrypi/rpi-eeprom/issues/743
* Enable RPIBOOT in BOOT_ORDER / set-reboot-order
Previously, rpiboot required the bootrom to have initialised
rpiboot before running the firmware. Update the rpiboot
initialisation so that rpiboot to be enabled after booting from
SPI flash.
This could be selectively enabled by setting BOOT_ORDER property
(0x3) behind a GPIO conditional in the EEPROM config. On Pi5, the
set_reboot_order config.txt option or mailbox property can be
used to set a one-time boot-order on
N.B. There is no timeout for RPIBOOT so this should only be set
as the last boot mode OR used with a boot_watchdog.
* Fix PARTITION property to allow default (0) partition to be overridden
Fix the partition selection to allow the bootloader PARTITION
property to override the reboot partition number if the reboot
argument is 0 or > 31. Previously, it was only allowing
partition numbers > 31 to be overridden.
See: https://github.com/raspberrypi/rpi-eeprom/issues/743
* Enable RPIBOOT in BOOT_ORDER / set-reboot-order
Previously, rpiboot required the bootrom to have initialised
rpiboot before running the firmware. Update the rpiboot
initialisation so that rpiboot to be enabled after booting from
SPI flash.
This could be selectively enabled by setting BOOT_ORDER property
(0x3) behind a GPIO conditional in the EEPROM config. On Pi5, the
set_reboot_order config.txt option or mailbox property can be
used to set a one-time boot-order on
N.B. There is no timeout for RPIBOOT so this should only be set
as the last boot mode OR used with a boot_watchdog.
* pitowers/master:
rpi-otp-private-key: Describe how to store an ECDSA P-256 private key
pieeprom-2025-08-20: 2712: force_eeprom_read=0 disables HAT I2C (latest)
pieeprom-2025-08-20: 2711: Fix PARTITION_WALK for missing start.elf files (latest)
rpi-eeprom-config: Improve No space available error message
pieeprom-2025-08-13: 2712: Enable the PARTITION_WALK property by default (latest)
pieeprom-2025-08-13: 2711: Enable PARTITION_WALK property by default (latest)
The Raspberry Pi firmware cryptography service requires a valid
ECDSA P-256 key instead of a plain random number. Update the usage
instructions for key-provisioning to use this key type as the example.
* force_eeprom_read=0 disables HAT I2C
Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
from being read, with the recent changes to support Power HAT+s it does
not prevent an early scan to see if such an EEPROM exists. This can be
problematic for applications where the I2C0 pins have been repurposed.
Change the inhibit logic to cut all HAT I2C probing off at the knees,
including any automatic settings of usb_max_current_enable, as it should
always have done.
See: https://github.com/raspberrypi/firmware/issues/1985
* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API lock_device_private_key=1
* Fix PARTITION_WALK for missing start.elf files
Fix a missing call to bootloader_reset_state so that PARTITION_WALK
will work if the boot-partition is FAT, contains config.txt etc
but does not have valid firmware.
See: https://github.com/raspberrypi/rpi-eeprom/issues/738
* force_eeprom_read=0 disables HAT I2C
Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
from being read, with the recent changes to support Power HAT+s it does
not prevent an early scan to see if such an EEPROM exists. This can be
problematic for applications where the I2C0 pins have been repurposed.
Change the inhibit logic to cut all HAT I2C probing off at the knees,
including any automatic settings of usb_max_current_enable, as it should
always have done.
See: https://github.com/raspberrypi/firmware/issues/1985
* bootcode.bin: Add support for boot.img ramdisk on Pi3 and earlier
Add support for boot.img ramdisk support, enable by adding boot_ramdisk=1
in config.txt
* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API
lock_device_private_key=1
Improve the error handler for the case where the new EEPROM config
exceeds the amount of available free space. Display the filename,
new size and space available.
N.B The 2711/pieeprom-2025-08-13.bin restores the free space to a
little of 4KB again.
See: https://github.com/raspberrypi/rpi-eeprom/issues/732
* Enable the PARTITION_WALK property by default
Previously, the new PARTITION_WALK which searches for bootable
partitions after a failure had to be explicitly enabled. Change
the default to be enabled by default. It can be switched off by
setting PARTITION_WALK=0 in the EEPROM config.
* pi5: Fix read for cached copy of PMIC sequencer status
Previously, this was overwritten by the RTC event status.
* Enable the PARTITION_WALK property by default
Previously, the new PARTITION_WALK which searches for bootable
partitions after a failure had to be explicitly enabled. Change
the default to be enabled by default. It can be switched off by
setting PARTITION_WALK=0 in the EEPROM config.
* Optimise bootmain for size on Pi4
Pi4 only has a 512KB SPI flash EEPROM and the addition of features
plus fixes is now causing contention for space between the code and
the EEPROM config. Since bootmain is only responsible for loading
start.elf revert to the original configuration which is optimised
for size rather than speed. Pi5 continues to be optimised for speed.
