Change the automatic update version to 2025-05-08.
Important changes since the last automatic update:
* RP1 firmware support for PIO
* Improved support for HAT+ and parameters
* Boot menu
* SDRAM performance and stability improvements
* pitowers/master:
pieeprom-2025-05-16: 2711: Automatically set revoke_devkey if program_pubkey=1 (latest)
imager: 2712: 2711: Update to the 2025-05-08 firmware
* 2711: (recovery) Automatically set revoke_devkey if program_pubkey=1
Previously, on BCM2711 products it was possible to program the key
hash without revoking the development key. This can be useful for
testing but should never be used in production because it is possible
to an install an older version of the bootloader which doesn't
support secure-boot. Since the secure-boot tools are stable and
have improved usability (RPi secure-boot provisioner) this test
feature not necessary and is just a security risk so the behaviour
is changed to always revoke the development key if program_pubkey=1.
This change is not relevant on BCM2712 because secure-boot requires
that the second stage bootloader is counter-signed with the customer's
private key.
* pitowers/master:
pieeprom-2025-05-08: 2711: Implement TCP window for net boot (latest)
pieeprom-2025-02-24: 2711: Implement TCP window for net boot (latest)
pieeprom-2025-05-08: 2712: Implement TCP window for net boot (latest)
* Signed boot and HTTP boot mode
HTTP boot mode is supposed to be disabled if signed boot is enabled and
a host is not specified. The code is checking the http_secure flag to
enforce this. But this is valid now we support custom CA certs.
Only disable HTTP mode if we're using the default HOST.
* Implement TCP window for net boot
The minimal IP stack used for https booting lacks the ability to cache
packets received out of order, which can lead to severe slowdown when
it happens. The problem seems to affect some ISPs more than others.
The receive window implemented here copes with packet losses of 10%.
* netboot: Correct the TCP MSS
* Correct msecs in debug timestamps
The fractional part of timestamps in UART debug output was showing the
100ths and 1000ths of a second, rather than 10ths and 100ths, causing
strange sequences that appear to jump backwards.
* arm_loader: Correct some mailbox response lengths
The GET_GENCMD_RESULT mailbox handler was setting the wrong response
length, and GET_FIRMWARE_COMMIT_HASH and GET_FIRMWARE_VARIANT were not
setting any length.
See: https://github.com/raspberrypi/firmware/issues/1968
* Signed boot and HTTP boot mode
HTTP boot mode is supposed to be disabled if signed boot is enabled and
a host is not specified. The code is checking the http_secure flag to
enforce this. But this is valid now we support custom CA certs.
Only disable HTTP mode if we're using the default HOST.
* Implement TCP window for net boot
The minimal IP stack used for https booting lacks the ability to cache
packets received out of order, which can lead to severe slowdown when
it happens. The problem seems to affect some ISPs more than others.
The receive window implemented here copes with packet losses of 10%.
* netboot: Correct the TCP MSS
* rp1_net: Overwrite the length field
Although concise, ORing in the packet length runs the risk of leaving
some unwanted bits set. Ensure the length field is cleared before
ORing in the required value.
* Correct msecs in debug timestamps
The fractional part of timestamps in UART debug output was showing the
100ths and 1000ths of a second, rather than 10ths and 100ths, causing
strange sequences that appear to jump backwards.
* Implement GET_BOARD_MAC_ADDRESS on Pi5
The Pi 5 EEPROM implements a subset of the original mailbox properties.
Add GET_BOARD_MAC_ADDRESS to the subset.
See: https://github.com/raspberrypi/rpi-eeprom/issues/698
* Ensure the initramfs matches the kernel
As far as is possible, both the kernel and initramfs are matched to the
device. However, where multiple kernel variants can run on a device, the
initramfs must be matched to the chosen kernel. Make that the sole rule
for initramfs selection, rather than duplicating the device matching
logic.
See: https://github.com/raspberrypi/firmware/issues/1965
* Enable logging messages from OS loader
Pi 5 EEPROM builds were missing the output from the main OS loading
function, including some important diagnostics. Enabling the logging
output from this loader code results in some near-duplicates, but is
more user friendly and is available via "sudo vclog -m".
* arm_dt: Revert to using the max fan speed
It has been reported that the presence of a cooling fan at boot time
can lead to a maximum observed fan speed of ~300 but a current speed
of 0. The absence of a fan results in 0s for both metrics.
See: https://github.com/raspberrypi/rpi-eeprom/issues/690
* os_check: cm5: Check for CM5 specific dtbs
Check for BCM2712 support in bcm2712-rpi-cm5-cm5io.dtb
or bcm2712-rpi-cm5l-cm5io.dtb on CM5 instead of bcm2712-rpi-5-b.dtb.
This avoids needing to put os_check=1 or specifying device_tree
in config.txt in minimal images for CM5.
See: https://github.com/raspberrypi/rpi-eeprom/issues/682
* Log the fan speed at boot
Record the fan RPM (and the maximum seen) during boot, so that it is
accessible using "sudo vclog -m".
See: https://github.com/raspberrypi/rpi-eeprom/issues/678
* Add current_supply to HAT+ support
Refactor the HAT library to make it more self-contained, and combine
the I2C address detection and the reading of the EEPROM contents.
Use it to allow the earlier boot stages to check for a current_supply
setting in the EEPROM of a normal (non-stackable) HAT+.
* pitowers/master:
pieeprom-2025-03-10: 2712: Add [boot_partition] filter plus SDRAM init fixes (latest)
rpi-eeprom-digest: support specifying keys via PKCS#11 URI
pieeprom-2025-03-03: 2712: Fix bootloader pull configuration on BCM2712D0 (latest)
image: Update 2711 plus 2712 images and enable boot-menu on 2711
* Update SDRAM init timings to intermittent 8-flash SDRAM init errors
on some boards.
See: https://github.com/raspberrypi/rpi-eeprom/issues/67
* config: Fix missing initialisation of selected_expr to 1 in config.txt
Without an [all] section the new expression filter might default to
false. This impacts the bootloader early parsing of config.txt
for things like boot_ramdisk rather than the later config.txt pass
for device-tree parsing.
* config_loader: Add support [boot_partition=N] as an expression filter
The boot_partition tests whether the partition number N matches
the number that the system is booting from. This expression is
only supported in config.txt and is designed to make it easier
to have common boot.img ramdisks in an A/B system where the
conditional loads a different cmdline.txt file depending on
which partition boot.img is loaded from.
In production setups, it is quite normal that the private key does not
exist as a file in the file system, but is kept inside some HSM,
remote signing service or similar, and only accessed via some pkcs#11
interface; moreover, by design, the private key _cannot_ be extracted
from the HSM or signing service.
In such a case, the user will have set OPENSSL_CONF to some
configuration file setting up the appropriate engine, and the "key" is
simply the pkcs#11 URI, e.g. "pkcs11:model=foo;object=bar".
In order to support this use case, automatically infer the appropriate
options to pass to openssl-dgst if "${KEY}" begins with
"pkcs11:". Doing this at the top level avoids duplicating the logic in
both writeSig and verifySig. While here, this also adds a sanity check
that -v can only be used while also providing a (public) key to check
against.
This drops the -keyform argument in the non-pkcs#11 case, as openssl
automatically infers the type, and this then in fact allows one to use
a private key in e.g. DER format.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
* Fix pull configuration on 2712D0
2712D0 uses a horrendously sparse set of pad control registers. Make
the pull-setting code sufficiently complex to cope.
See: https://github.com/raspberrypi/rpi-eeprom/issues/672
* Disable UARTA for CM5s without WiFi
Just as CM5s without WiFI don't need the SDIO interface, the Bluetooth
UART is unconnected. Disable the DT node to avoid kernel warnings and
save some cycles.
