Commit Graph

1206 Commits

Author SHA1 Message Date
Tim Gover
66eff91147 Update changelog for 27.5-1 release 2025-03-11 08:56:32 +00:00
Tim Gover
3fb1c0c0e9 Merge remote-tracking branch 'pitowers/master' into pios/bookworm
* pitowers/master:
  pieeprom-2025-03-10: 2712: Add [boot_partition] filter plus SDRAM init fixes (latest)
  rpi-eeprom-digest: support specifying keys via PKCS#11 URI
  pieeprom-2025-03-03: 2712: Fix bootloader pull configuration on BCM2712D0 (latest)
  image: Update 2711 plus 2712 images and enable boot-menu on 2711
2025-03-11 08:56:31 +00:00
Tim Gover
d50b2b32f1 pieeprom-2025-03-10: 2712: Add [boot_partition] filter plus SDRAM init fixes (latest)
* Update SDRAM init timings to intermittent 8-flash SDRAM init errors
  on some boards.
  See: https://github.com/raspberrypi/rpi-eeprom/issues/67
* config: Fix missing initialisation of selected_expr to 1 in config.txt
  Without an [all] section the new expression filter might default to
  false. This impacts the bootloader early parsing of config.txt
  for things like boot_ramdisk rather than the later config.txt pass
  for device-tree parsing.
* config_loader: Add support for [boot_partition=N] as an expression filter
  The boot_partition tests whether the partition number N matches
  the number that the system is booting from. This expression is
  only supported in config.txt and is designed to make it easier
  to have common boot.img ramdisks in an A/B system where the
  conditional loads a different cmdline.txt file depending on
  which partition boot.img is loaded from.
2025-03-10 17:24:25 +00:00
Rasmus Villemoes
3a16bd016f rpi-eeprom-digest: support specifying keys via PKCS#11 URI
In production setups, it is quite normal that the private key does not
exist as a file in the file system, but is kept inside some HSM,
remote signing service or similar, and only accessed via some pkcs#11
interface; moreover, by design, the private key _cannot_ be extracted
from the HSM or signing service.

In such a case, the user will have set OPENSSL_CONF to some
configuration file setting up the appropriate engine, and the "key" is
simply the pkcs#11 URI, e.g. "pkcs11:model=foo;object=bar".

In order to support this use case, automatically infer the appropriate
options to pass to openssl-dgst if "${KEY}" begins with
"pkcs11:". Doing this at the top level avoids duplicating the logic in
both writeSig and verifySig. While here, this also adds a sanity check
that -v can only be used while also providing a (public) key to check
against.

This drops the -keyform argument in the non-pkcs#11 case, as openssl
automatically infers the type, and this then in fact allows one to use
a private key in e.g. DER format.

Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
2025-03-06 16:04:38 +00:00
Tim Gover
28a2c0242c pieeprom-2025-03-03: 2712: Fix bootloader pull configuration on BCM2712D0 (latest)
* Fix pull configuration on 2712D0
  2712D0 uses a horrendously sparse set of pad control registers. Make
  the pull-setting code sufficiently complex to cope.
  See: https://github.com/raspberrypi/rpi-eeprom/issues/672
* Disable UARTA for CM5s without WiFi
  Just as CM5s without WiFi don't need the SDIO interface, the Bluetooth
  UART is unconnected. Disable the DT node to avoid kernel warnings and
  save some cycles.
2025-03-03 15:18:20 +00:00
Tim Gover
8eef29aed9 image: Update 2711 plus 2712 images and enable boot-menu on 2711 2025-02-18 12:19:00 +00:00
Tim Gover
6e6e43beee Update changelog for 27.4-1 release 2025-02-18 09:42:04 +00:00
Tim Gover
31536e5e69 Merge remote-tracking branch 'pitowers/master' into pios/bookworm
* pitowers/master:
  license: Update wildcards for firmware
  pieeprom-2025-02-12: 2712: Promote to default release
2025-02-18 09:42:04 +00:00
Tim Gover
e47a6d0f39 firmware: 2712: Fixup commit to promote 2025-02-12 release 2025-02-18 09:37:53 +00:00
Tim Gover
c954a72f63 license: Update wildcards for firmware
Fixes: https://github.com/raspberrypi/rpi-eeprom/issues/665
v2025.02.12-2712 v2025.02.11-2711-138c0
2025-02-18 08:17:23 +00:00
Tim Gover
3e3a300112 Update changelog for 27.3-1 release 2025-02-17 19:08:41 +00:00
Tim Gover
d56e7df8fd gpb: Use pios/bookworm branch 2025-02-17 19:07:24 +00:00
Tim Gover
3679582b23 pieeprom-2025-02-12: 2712: Promote to default release 2025-02-17 16:01:28 +00:00
Tim Gover
c24baba79b Update changelog for 27.2-1 release 2025-02-17 10:45:32 +00:00
Tim Gover
9fa4f3a305 Merge remote-tracking branch 'pitowers/master' into debian/bookworm
* pitowers/master:
  pieeprom-2025-02-12: 2712: Promote to default release
  pieeprom-2025-02-11-2711: Promote to default release
2025-02-17 10:45:31 +00:00
Tim Gover
50d7bfcf82 pieeprom-2025-02-12: 2712: Promote to default release 2025-02-17 10:43:59 +00:00
Tim Gover
1e5578b70c pieeprom-2025-02-11-2711: Promote to default release 2025-02-17 10:39:42 +00:00
Tim Gover
edaf573aa7 Update changelog for 27.1-1 release 2025-02-14 08:12:22 +00:00
Tim Gover
0d01853f0c Merge remote-tracking branch 'pitowers/master' into debian/bookworm
* pitowers/master:
  pieeprom-2025-02-12: 2712: Fixup change to disable 3.7V WiFi power on CM5 no-wifi (latest)
  pieeprom-2025-02-11: 2711: Walk partitions to delete recovery.bin (latest)
  pieeprom-2025-02-11: 2712: CM5 no-wifi stability improvements (latest)
  pieeprom-2025-01-27: 2712: Add PARTITION_WALK option (latest)
  imager: 2712: Move imager release to 2025-01-22
2025-02-14 08:12:21 +00:00
Tim Gover
a1bffdeb5d pieeprom-2025-02-12: 2712: Fixup change to disable 3.7V WiFi power on CM5 no-wifi (latest)
* Fixup change to disable 3.7V PMIC output on CM5 no-wifi
2025-02-12 11:02:38 +00:00
Tim Gover
bad328a72e pieeprom-2025-02-11: 2711: Walk partitions to delete recovery.bin (latest)
* recovery: Walk partitions to delete recovery.bin
  Previously, recovery.bin would fail to delete itself
  if the bootrom loaded recovery.bin where there are multiple FAT
  partitions and the first partition does not contain recovery.bin.
  Update the rename code to walk the partition table to find
  the recovery.bin file to delete.
* Enable overriding of high partition numbers
  Previously, the PARTITION=N bootloader config setting would only
  be used at power on reset or if the partition number passed to
  reboot was zero.
  Change the behaviour so that the bootloader config PARTITION
  property can override the reboot partition number if the reboot
  parameter is > 31.
* Walk the partition table if the requested partition is not bootable
  Previously, if the specified boot partition was not bootable the
  bootloader would stop and advance to the next BOOT_ORDER. If the
  new PARTITION_WALK option is set to 1 the bootloader will now
  check each partition in turn starting from the specified partition
  before advancing the BOOT_ORDER.
  This feature is intended for use with A/B systems to handle the case
  where autoboot.txt is missing / corrupted. This change enables
  the system to failover to the next available bootable partition.
  The autoboot.txt file is not scanned during the partition-walk
  phase i.e. there is no recursive processing of autoboot.txt files.
  This option is only supported on physical block devices
  (SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
  device; partition walks on multiple USB devices are not recommended
  and may cause timeouts.
* Improve keyboard handling in boot menu
  Try and make it more likely that we have enough time to perform key
  detection.
  Ignore mice, which were being enumerated and slowing things down.
2025-02-11 17:40:24 +00:00
Tim Gover
34eab17ce6 pieeprom-2025-02-11: 2712: CM5 no-wifi stability improvements (latest)
* recovery: Walk partitions to delete recovery.bin
  Previously, recovery.bin would fail to delete itself
  if the bootrom loaded recovery.bin where there are multiple FAT
  partitions and the first partition does not contain recovery.bin.
  Update the rename code to walk the partition table to find
  the recovery.bin file to delete.
* pi5: Add config filter for simple boot variable expressions (experimental)
  Add support for a new bootloader/config.txt conditional filter
  which tests the partition, boot_count and boot_arg1 variables.
  Syntax (no spaces):
  ARG boot_arg1, boot_count or partition (EEPROM config stage only)
  [ARG=VALUE]      selected if (ARG == VALUE)
  [ARG&MASK]       selected if ((ARG & VALUE) != 0)
  [ARG&MASK=VALUE] selected if ((ARG & MASK) == VALUE)
  [ARG<VALUE]      selected if (ARG < VALUE)
  [ARG>VALUE]      selected if (ARG > VALUE)
  where VALUE and MASK are unsigned integer constants and ARG
  corresponds to the value in the reset register before the
  config file is parsed.
* pi5: Add a boot-count bootloader variable (experimental)
  Store the boot-count in a reset register and increment just
  before the boot-order state-machine. The boot-count variable
  is visible via device-tree /proc/device-tree/chosen/bootloader/count
  and can be read/set via vcmailbox
  GET: sudo vcmailbox 0x0003008d 4 4 0
  SET to N: sudo vcmailbox 0x0003808d 4 4 N
* pi5: Add user-defined reboot argument (boot_arg1) (experimental)
  Add support for a user-defined boot parameter stored in a reset-safe
  scratch register on BCM2712.  This is visible via device-tree at
  /proc/device-tree/chosen/bootloader/arg1 and via vcmailboxes
  GET arg1: sudo vcmailbox 0x0003008c 8 8 1 0
  SET arg1 to 42: sudo vcmailbox 0x0003808c 8 8 1 42
  or via config.txt
  set_reboot_arg1=42
  The variable is NOT cleared automatically and will persist until
  a power-on-reset.
* Enable overriding of high partition numbers
  Previously, the PARTITION=N bootloader config setting would only
  be used at power on reset or if the partition number passed to
  reboot was zero.
  Change the behaviour so that the bootloader config PARTITION
  property can override the reboot partition number if the reboot
  parameter is > 31.
* Disable WiFi PMIC output on CM5 modules without WiFi
  Disable the 3.7V WiFi power supply on CM5 modules which do not have a
  WiFi module fitted. This fixes some stability issues where a CM5
  would shut down due to a spurious over-voltage condition on the
  non-connected WiFi power supply.
* Add memory barrier to the mbox handler
  Firmware issue 1944 reports receiving kernel warnings about firmware
  requests where the status return code is 0. This should not be
  possible, as handle_mbox_property always sets the top bit of the return
  code, with the bottom bit indicating success or failure. If the firmware
  had died, the firmware driver would report a timeout due to the lack of
  a mailbox interrupt, and that isn't happening.
  See: https://github.com/raspberrypi/firmware/issues/1944
* support dts files with size-cells of 2
  DTS files with a top-level #size-cells of 2 make a lot of sense for
  systems with a lot of RAM, but the firmware is currently inconsistent
  in its support for that. Fix up the other cases to honor #size-cells
  and #address-cells.
* Disable SDIO2 for CM5s without WiFi
  It has been observed that CM5s without WiFi hang on reboot. To prevent
  that, disable the sdio2 node on those devices.
  See: https://github.com/raspberrypi/linux/issues/6647
* arm_dt: Use dtoverlay_enable_node
  Convert the open-coded DT node status changes to use the new dtoverlay
  method dtoverlay_enable_node.
* dtoverlay: Add dtoverlay_enable_node
  Add a helper function for setting the status of a node.
2025-02-11 17:31:10 +00:00
Tim Gover
0190dbc122 pieeprom-2025-01-27: 2712: Add PARTITION_WALK option (latest)
* Walk the partition table if the requested partition is not bootable
  Previously, if the specified boot partition was not bootable the
  bootloader would stop and advance to the next BOOT_ORDER. If the
  new PARTITION_WALK option is set to 1 the bootloader will now
  check each partition in turn starting from the specified partition
  before advancing the BOOT_ORDER.
  This feature is intended for use with A/B systems to handle the case
  where autoboot.txt is missing / corrupted. This change enables
  the system to failover to the next available bootable partition.
  The autoboot.txt file is not scanned during the partition-walk
  phase i.e. there is no recursive processing of autoboot.txt files.
  This option is only supported on physical block devices
  (SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
  device; partition walks on multiple USB devices are not recommended
  and may cause timeouts.
* Improve keyboard handling in boot menu
  Try and make it more likely that we have enough time to perform key
  detection.
  Ignore mice, which were being enumerated and slowing things down.
2025-01-27 19:22:58 +00:00
Serge Schneider
4d5509905d salsa-ci: minimise yaml file and set variables on group level instead 2025-01-24 14:51:47 +00:00
Tim Gover
b67b21ddda imager: 2712: Move imager release to 2025-01-22 v2025.01.22-2712 2025-01-22 16:36:34 +00:00
Tim Gover
e96dc2959e Update changelog for 27.0-1 release 2025-01-22 10:28:39 +00:00
Tim Gover
dec53254f7 Merge remote-tracking branch 'pitowers/master' into debian/bookworm
* pitowers/master:
  2025-01-22: 2712: Promote 2025-01-22 to default release (default)
  pieeprom-2025-01-22: 2712: Add DT property for hash of signed boot image (latest)
  test: Update test script
  scripts: Failover to /usr/lib before /lib if FIRMWARE_ROOT is not set
2025-01-22 10:28:37 +00:00
Tim Gover
9c95b83551 2025-01-22: 2712: Promote 2025-01-22 to default release (default) 2025-01-22 10:21:04 +00:00
Tim Gover
7918c84b4b pieeprom-2025-01-22: 2712: Add DT property for hash of signed boot image (latest)
* Add DT /chosen property signed-boot boot.img hash
  Make the sha256 hash of the boot.img file available via
  device-tree /proc/device-tree/chosen/bootloader/boot_img_sha256 if
  signed boot is enabled.
* filesystem: GPT autoboot/reboot partition number fixes for Pi4 and older
* Fix problems when setting arm_freq_min=arm_freq and display clocks
  if performance governor is not enabled.
2025-01-22 08:45:40 +00:00
Serge Schneider
fe957abe8b salsa-ci: Add rpi jobs 2025-01-21 17:00:59 +00:00
Serge Schneider
1d4643c524 salsa-ci: fix minor typo 2025-01-21 16:56:23 +00:00
Tim Gover
478ad485ca test: Update test script 2025-01-19 11:04:52 +00:00
Tim Gover
0944712c0a scripts: Failover to /usr/lib before /lib if FIRMWARE_ROOT is not set
Update the scripts to follow "merged-/usr" conventions by default
https://wiki.debian.org/UsrMerge
2025-01-18 20:12:03 +00:00
Serge Schneider
78f8722a84 salsa-ci: set GIT_STRATEGY to 'clone' 2025-01-17 18:31:27 +00:00
Serge Schneider
6a2e95fefa salsa-ci: enable aptly 2025-01-17 18:21:44 +00:00
Serge Schneider
b888a5b047 salsa-ci: remove default runner tag 2025-01-17 18:21:27 +00:00
Tim Gover
011f8fb4bb Update changelog for 26.9-1 release 2025-01-17 16:05:43 +00:00
Tim Gover
170c73efd9 Merge remote-tracking branch 'pitowers/master' into debian/bookworm
* pitowers/master:
  pieeprom-2025-01-14: 2712: Add set_reboot_order API (latest)
  2712 release-notes.md: correct name of new config parameter
  pieeprom-2025-01-13: 2712: Improved SDRAM refresh timings for Pi5 - 16GB (latest)
2025-01-17 15:58:35 +00:00
Tim Gover
cc58b7d6ce pieeprom-2025-01-14: 2712: Add set_reboot_order API (latest)
* Add set_reboot_order API and config.txt properties
  If set_reboot_order is defined in config.txt or set via vcmailbox
  then this will override the bootloader config BOOT_ORDER property
  on the next reboot. The parameter is stored in a reset safe register
  and is cleared by the bootloader after reading it.
  Typically, the config.txt value only be used via rpiboot to
  override the boot-order on the next reboot. Otherwise, it should
  reside in a conditional section so that the boot order is not
  overridden on every reboot.
  Example, test network boot
  sudo vcmailbox 0x0003808b 4 4 0xf4612; sudo reboot
2025-01-14 15:17:39 +00:00
andrum993
6a7ca681cb 2712 release-notes.md: correct name of new config parameter 2025-01-13 17:08:16 +00:00
Serge Schneider
d8c0c6b42b Add salsa-ci.yml 2025-01-13 15:41:47 +00:00
Serge Schneider
c3e0e577f6 Update changelog for 26.8-2 release 2025-01-13 15:04:52 +00:00
Serge Schneider
d6894c6d00 Update lintian-overrides 2025-01-13 15:04:52 +00:00
Serge Schneider
bf14996005 Bump compat version to 12 2025-01-13 14:50:21 +00:00
Serge Schneider
99d17bb351 Bump standards version to 4.6.2 2025-01-13 14:49:38 +00:00
Serge Schneider
df2563e1e5 Move files from /lib to /usr/lib
Fixes lintian tag aliased-location
2025-01-13 13:13:21 +00:00
Tim Gover
62292b43ad pieeprom-2025-01-13: 2712: Improved SDRAM refresh timings for Pi5 - 16GB (latest)
* Improved SDRAM refresh timings for Pi5 - 16GB
* Add an option to wait for the power button to be pressed before booting.
  If POWER_OFF_ON_HALT=1 and WAIT_FOR_POWER_BTN=1 in the bootloader
  config then the bootloader will wait for either the power button
  to be pressed or an RTC alarm before booting. The wait state
  switches the PMIC to STANDBY mode which is the lowest possible
  power state.
2025-01-13 10:11:55 +00:00
Serge Schneider
e5a1ee09c7 Update changelog for 26.8-1 release 2025-01-09 08:46:10 +00:00
Serge Schneider
c59d44d0a3 Merge branch 'master' into debian/bookworm 2025-01-09 08:45:24 +00:00
Tim Gover
54d9c333a9 pieeprom-2025-01-08: 2712: Update SDRAM timings for BCM2712D0 products (latest)
* Update SDRAM timings for BCM2712D0 products.
2025-01-08 18:07:33 +00:00