* 2711: (recovery) Automatically set revoke_devkey if program_pubkey=1
Previously, on BCM2711 products it was possible to program the key
hash without revoking the development key. This can be useful for
testing but should never be used in production because it is possible
to an install an older version of the bootloader which doesn't
support secure-boot. Since the secure-boot tools are stable and
have improved usability (RPi secure-boot provisioner) this test
feature not necessary and is just a security risk so the behaviour
is changed to always revoke the development key if program_pubkey=1.
This change is not relevant on BCM2712 because secure-boot requires
that the second stage bootloader is counter-signed with the customer's
private key.
* Signed boot and HTTP boot mode
HTTP boot mode is supposed to be disabled if signed boot is enabled and
a host is not specified. The code is checking the http_secure flag to
enforce this. But this is valid now we support custom CA certs.
Only disable HTTP mode if we're using the default HOST.
* Implement TCP window for net boot
The minimal IP stack used for https booting lacks the ability to cache
packets received out of order, which can lead to severe slowdown when
it happens. The problem seems to affect some ISPs more than others.
The receive window implemented here copes with packet losses of 10%.
* netboot: Correct the TCP MSS
* Correct msecs in debug timestamps
The fractional part of timestamps in UART debug output was showing the
100ths and 1000ths of a second, rather than 10ths and 100ths, causing
strange sequences that appear to jump backwards.
* recovery: Walk partitions to delete recovery.bin
Previously, recovery.bin would fail to delete itself
if the bootrom loaded recovery.bin where there are multiple FAT
partitions and the first partition does not contain recovery.bin
Update the rename code to walk the partition table to find
the recovery.bin file to delete.
* Enable overriding of high partition numbers
Previously, the PARTITION=N bootloader config setting would only
be used at power on reset or if the partition number passed to
reboot was zero.
Change the behaviour so that the bootloader config PARTITION
property can override the reboot partition number if the reboot
parameter is > 31.
* Walk the partition table if the requested partition is not bootable
Previously, if the specified boot partition was not bootable the
bootloader would stop and advance to the next BOOT_ORDER. If the
new PARTITION_WALK option is set to 1 the bootloader will now
check each partition in turn starting from the specified partition
before advancing the BOOT_ORDER.
This feature is intended for use with A/B systems to handle the case
where autoboot.txt is missing / corrupted. This change enables
the system to failover to the next available bootable partition.
The autoboot.txt file is not scanned during the partition-walk
phase i.e. there is no recursive processing of autoboot.txt files.
This option is only supported on physical block devices
(SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
device, partition walks on multiple USB devices is not recommended
and may cause timeouts.
* Improve keyboard handling in boot menu
Try and make it more likely that we have enough time to perform key
detection.
Ignore mice, which were being enumerated and slowing things down.
* Enable banklow (and so NUMA) by default
banklow=1 (2712) and banklow=3 (2711) give the best performance.
* enable_uart=1 now enables a Linix UART console on the 40-pin header
unless a cable is detected on the dedicated boot-uart.
* Recreate internal bl31 stub from clean git tree to fix dirty commit
message.
* Fix PCIe BAR setup issue which prevented NVMe boot from working with some PCIe switches
See: https://github.com/raspberrypi/firmware/issues/1833
* Boot-menu improvements
Remain in the forced boot mode until the menu is used to select a different
boot-mode or reset to the original boot-order.
* arm_dt: Consult the hat_map for all HATs
* USB boot - ignore RP2 / RP3 MSD device in BOOTSEL mode.
* recovery.bin - Fix erase_eeprom to not block reboot_recovery
* Fix self-update to continue to boot instead of retrying forever
if the EEPROM is write protected.
https://github.com/raspberrypi/rpi-eeprom/issues/597
* Enable the usage of program_rpiboot_gpio in config.txt for recovery.bin
without requiring secure-boot to be enabled.
This may be useful CI systems provisioning images on Pi4B / Pi400 via RPIBOOT.
This is an OTP setting and cannot be reverted after programming.
See https://www.raspberrypi.com/documentation/computers/config_txt.html#program_rpiboot_gpio
* Add timestamps to UART log messages.
* Add support for [tryboot] conditional the bootloader EEPROM
config file.
See: https://github.com/raspberrypi/rpi-eeprom/issues/454
* Fix MAX_RESTARTS parameter
See: https://github.com/raspberrypi/rpi-eeprom/issues/576
* Add recovery_reboot option to config.txt for rpiboot which causes
the system to reboot after updating the bootloader.
* Improve secure-boot OTP provisioning logging.
* Fix setting to enable secure-boot mode on Pi4B
* Switch to building the Pi4 firmware from the common Pi4/Pi5
mainline release. This doesn't change the Pi4 features
but should make it quicker to release bug fixes in common code.
* Fix issue that caused the TRYBOOT flag to be lost in secure-boot mode.
* dtoverlay: Use %u when converting u32s to strings
See: https://github.com/raspberrypi/linux/issues/6039
* Improved debug messages for secure-boot.
* Generate the bootloader diagnostics qrcode at run time.
The EEPROM release names were changed to follow the naming
in raspi-config some time ago. Since the firmware directory
is being renamed to be chip specific for Pi5 support it's
good time to swap the symlink / release names.
