imager: Move the imager release to 2025-11-05

* arm_loader: Add iommu_dma_numa_policy=interleave when needed
  This applies a similar numa interleave for iommu dma kernel allocations.
  This includes buffers allocated for hevc and v3d.
  See: https://forums.raspberrypi.com/viewtopic.php?t=392666
* Rebuild RP1 firmware to reduce size.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -40,8 +40,11 @@ body:
     multiple: true
     options:
       - Raspberry Pi 5
+      - Raspberry Pi 500
       - Raspberry Pi 4 Mod. B
       - Raspberry Pi 400
+      - Raspberry Pi CM5
+      - Raspberry Pi CM5 Lite
       - Raspberry Pi CM4
       - Raspberry Pi CM4 Lite
       - Raspberry Pi CM4-S

.github/workflows/test.yml

@@ -0,0 +1,31 @@
+name: Test EEPROM Config
+
+on:
+  pull_request:
+    branches: [ 'master' ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+          
+      - name: Create and activate virtual environment
+        run: |
+          python -m venv venv
+          source venv/bin/activate
+          
+      - name: Install dependencies
+        run: |
+          pip install pycryptodomex
+      
+      - name: Run EEPROM Config Tests
+        run: |
+          cd test
+          chmod +x test-rpi-eeprom-config
+          ./test-rpi-eeprom-config 

LICENSE

@@ -6,10 +6,14 @@ Files: *
 Copyright: 2019, Raspberry Pi (Trading) Ltd.
 License: BSD-3
 
-Files: firmware/*
+Files: firmware-2711/*
 Copyright: 2019, Raspberry Pi (Trading) Ltd.
 License: custom
 
+Files: firmware-2712/*
+Copyright: 2024, Raspberry Pi (Trading) Ltd.
+License: custom
+
 License: BSD-3
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions

firmware-2711/release-notes.md

@@ -1,5 +1,250 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
+## 2025-11-09: Promote 2025-11-05 to the default release (default)
+
+## 2025-11-05: Add iommu_dma_numa_policy=interleave when needed (latest)
+
+* arm_loader: Add iommu_dma_numa_policy=interleave when needed
+  This applies a similar numa interleave for iommu dma kernel allocations.
+  This includes buffers allocated for hevc and v3d.
+  See: https://forums.raspberrypi.com/viewtopic.php?t=392666
+
+## 2025-10-14: recovery: Use ROM boot-mode to detect rpiboot (latest)
+
+* recovery: Use ROM boot-mode flag to detect rpiboot mode
+  In recovery-mode use the bootrom register flag to detect the
+  original boot-mode rather than looking at whether the rpiboot
+  usb-device boot driver is initialised.
+* Manufacturing test updates.
+
+## 2025-10-08: Fix accidental set of PM_RSTS bit 5 when stopping watchdog (latest)
+
+* Fix accidental set of PM_RSTS bit 5 when stopping watchdog
+  Fix an issue in the watchdog code where the raw PM_RSTS value
+  was used as partition number. If HADWRF (bit 5) was set (on reboot)
+  this could cause bit 10 to be set. If an OS didn't clear the partition
+  flags on reboot then this could end up being treated as request to
+  boot from partition 32.
+
+## 2025-10-03: arm_dt: Report OTP SDRAM size via device-tree (latest)
+
+* arm_dt: Report OTP SDRAM size via device-tree
+  Report the SDRAM in gigabits via device-tree as
+  /proc/device-tree/chosen/rpi-sdram-size-gbit. Scripts reporting the
+  device-capabilities should use this value (if defined) instead of the
+  memory-size field in the boardrev row.
+* Apply UART_BAUD in early bootsys UART init
+  Update bootsys and fatal error handlers to use the user
+  defined UART_BAUD rate.
+* rpifwcrypto: Add support for ECDSA P-256 key generation
+  Also, slightly improve the entropy by passing the system
+  timer value as the personality string.
+
+## 2025-09-23: Fix network install regression on Pi4 (latest)
+
+* Fix network install regression on Pi4
+  Fix an issue with the ECDSA signature code which caused network
+  install to fail to load on Pi4.
+* Fix TFTP to allow larger files
+  Allow TFTP block counter to rollover to 0.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/720
+
+## 2025-09-22: Add LZ4 decompressor (latest)
+
+* Add LZ4 decompressor
+  LZ4 gives a better compression ratio than the previously used CK compress. The bootloader can now decompress both LZ4 compressed files and CK compressed files.
+* rpifwcrypto: Add GET_CRYPTO_PRIVATE_KEY mailbox API
+  For provisioning, add a new mailbox API which returns the private key
+  in DER format. The API will return an error if the key-status for
+  the specified key is LOCKED.
+* config: Add support for board_attributes in conditional expressions
+  Add support for the board-attributes row in config.txt conditional
+  expressions. This can be used to change boot behavior for
+  Compute Module Lite / No-WiFi etc.
+* board_info: Log the OTP board revision at startup
+  Log the board revision plus the raw OTP value at startup.
+
+## 2025-08-27: Fix PARTITION property to allow default (0) partition to be overridden (latest)
+
+* Fix PARTITION property to allow default (0) partition to be overridden
+  Fix the partition selection to allow the bootloader PARTITION
+  property to override the reboot partition number if the reboot
+  argument is 0 or > 31. Previously, it was only allowing
+  partition numbers > 31 to be overridden.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/743
+* Enable RPIBOOT in BOOT_ORDER / set-reboot-order
+  Previously, rpiboot required the bootrom to have initialised
+  rpiboot before running the firmware. Update the rpiboot
+  initialisation so that rpiboot to be enabled after booting from
+  SPI flash.
+  This could be selectively enabled by setting BOOT_ORDER property
+  (0x3) behind a GPIO conditional in the EEPROM config. On Pi5, the
+  set_reboot_order config.txt option or mailbox property can be
+  used to set a one-time boot-order on
+  N.B. There is no timeout for RPIBOOT so this should only be set
+  as the last boot mode OR used with a boot_watchdog.
+
+## 2025-08-20: Fix PARTITION_WALK for missing start.elf files (latest)
+
+* Fix PARTITION_WALK for missing start.elf files
+  Fix a missing call to bootloader_reset_state so that PARTITION_WALK
+  will work if the boot-partition is FAT, contains config.txt etc
+  but does not have valid firmware.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/738
+* force_eeprom_read=0 disables HAT I2C
+  Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
+  from being read, with the recent changes to support Power HAT+s it does
+  not prevent an early scan to see if such an EEPROM exists. This can be
+  problematic for applications where the I2C0 pins have been repurposed.
+  Change the inhibit logic to cut all HAT I2C probing off at the knees,
+  including any automatic settings of usb_max_current_enable, as it should
+  always have done.
+  See: https://github.com/raspberrypi/firmware/issues/1985
+* bootcode.bin: Add support for boot.img ramdisk on Pi3 and earlier
+  Add support for boot.img ramdisk support, enable by adding boot_ramdisk=1
+  in config.txt
+* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
+* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API
+  lock_device_private_key=1
+
+## 2025-08-13: Enable PARTITION_WALK property by default (latest)
+
+* Enable the PARTITION_WALK property by default
+  Previously, the new PARTITION_WALK which searches for bootable
+  partitions after a failure had to be explicitly enabled. Change
+  the default to be enabled by default. It can be switched off by
+  setting PARTITION_WALK=0 in the EEPROM config.
+* Optimise bootmain for size on Pi4
+  Pi4 only has a 512KB SPI flash EEPROM and the addition of features
+  plus fixes is now causing contention for space between the code and
+  the EEPROM config. Since bootmain is only responsible for loading
+  start.elf revert to the original configuration which is optimised
+  for size rather than speed. Pi5 continues to be optimised for speed.
+
+## 2025-07-17: arm_loader: Also require the early-watchdog property (latest)
+
+* arm_loader: Also require the early-watchdog property
+  The change correcting the implementation of dtoverlay_is_enabled had the
+  unintended consequence of causing the firmware to enable the watchdog
+  even though the user had not explicitly requested it. This is harmless
+  on Linux because the watchdog driver takes over and disarms it, but on
+  other operating systems this can lead to a reboot. Avoid this problem
+  by also requiring the presence of a new property, "early-watchdog".
+  See: https://github.com/raspberrypi/firmware/issues/1980
+* helpers/config_loader: Add bootvar0 eeprom config that can be used in config.txt section expressions
+  This allows an eeprom config setting (e.g. BOOTVAR0=0x10) to be set on a board
+  which config.txt can use as a conditional expression (e.g. [bootvar0&0x10]).
+* arm_loader: Fix boot-watchdog stop on Pi4
+  Fix a problem where the boot_watchdog heartbeat timer was not
+  stopped correctly which could cause it to clash with the kernel
+  watchdog driver.
+
+## 2025-07-03: Check for SD card overcurrent (latest)
+
+* board_info: Use the Ethernet PHY address probed by the bootloader
+  Use the Ethernet PHY address supplied by the bootloader in
+  preference to the static configurations defined in start4.elf
+* Check for SD card overcurrent on Pi5, Pi500 and Pi4
+  Before booting, the bootloader now checks the SD power switch
+  overcurrent signal. The overcurrent signal occurs if the SD
+  card is damaged and has a short circuit which will cause it to
+  get hot.
+  If an over-current condition is detected the bootloader switches
+  switches off power to the SD card and waits five seconds before
+  probing the SD card again. This error is displayed on the
+  diagnostic screen, the UART and the activity LED (1 long, 2 short)
+  flashes.
+  The check can be switched to a non-blocking warning  by setting
+  SD_OVERCURRENT_CHECK=0 in the bootloader config.
+* Add a new error code pattern for SD overcurrent
+  Add a new error pattern (1 long, 2 short) to signal SD card
+  overcurrent.
+* Add support for a bootloader watchdog
+  Add support for a boot watchdog (using PM_RSTC hw wdog) which will
+  trigger if the OS is not started within the specified amount of time. The
+  watchdog is enabled by setting the BOOT_WATCHDOG_TIMEOUT=N (seconds)
+  property in the bootlaoder config.
+  The BOOT_WATCHDOG_PARTITION=P property can be set to pass a different
+  partition number to the bootloader on reset if the watchdog
+  is triggered.
+  The boot watchdog is automatically cleared just before starting
+  the OS and (optionally) enabling the kernel watchdog.
+* Skip first SD boot if no card detected
+  On platforms with an SD Card detect signal, skip the first attempt to
+  boot from SD if the card appears to be absent. This can save over a
+  second on a cold boot, and a little under a second for a reboot.
+
+## 2025-05-16: 2711: Automatically set revoke_devkey if program_pubkey=1 (latest)
+
+* 2711: (recovery) Automatically set revoke_devkey if program_pubkey=1
+  Previously, on BCM2711 products it was possible to program the key
+  hash without revoking the development key. This can be useful for
+  testing but should never be used in production because it is possible
+  to an install an older version of the bootloader which doesn't
+  support secure-boot.  Since the secure-boot tools are stable and
+  have improved usability (RPi secure-boot provisioner) this test
+  feature not necessary and is just a security risk so the behaviour
+  is changed to always revoke the development key if program_pubkey=1.
+  This change is not relevant on BCM2712 because secure-boot requires
+  that the second stage bootloader is counter-signed with the customer's
+  private key.
+
+## 2025-05-13: Promote 2025-05-08 to the default release (default) (automatic)
+
+## 2025-05-08: Implement TCP window for net boot (latest)
+* Signed boot and HTTP boot mode
+  HTTP boot mode is supposed to be disabled if signed boot is enabled and
+  a host is not specified. The code is checking the http_secure flag to
+  enforce this. But this is valid now we support custom CA certs.
+  Only disable HTTP mode if we're using the default HOST.
+* Implement TCP window for net boot
+  The minimal IP stack used for https booting lacks the ability to cache
+  packets received out of order, which can lead to severe slowdown when
+  it happens. The problem seems to affect some ISPs more than others.
+  The receive window implemented here copes with packet losses of 10%.
+* netboot: Correct the TCP MSS
+* Correct msecs in debug timestamps
+  The fractional part of timestamps in UART debug output was showing the
+  100ths and 1000ths of a second, rather than 10ths and 100ths, causing
+  strange sequences that appear to jump backwards.
+
+## 2025-02-17: Promote 2025-02-11 to default release (default)
+
+## 2025-02-11: recovery: Walk partitions to delete recovery.bin (latest)
+
+* recovery: Walk partitions to delete recovery.bin
+  Previously, recovery.bin would fail to delete itself
+  if the bootrom loaded recovery.bin where there are multiple FAT
+  partitions and the first partition does not contain recovery.bin
+  Update the rename code to walk the partition table to find
+  the recovery.bin file to delete.
+* Enable overriding of high partition numbers
+  Previously, the PARTITION=N bootloader config setting would only
+  be used at power on reset or if the partition number passed to
+  reboot was zero.
+  Change the behaviour so that the bootloader config PARTITION
+  property can override the reboot partition number if the reboot
+  parameter is > 31.
+* Walk the partition table if the requested partition is not bootable
+  Previously, if the specified boot partition was not bootable the
+  bootloader would stop and advance to the next BOOT_ORDER. If the
+  new PARTITION_WALK option is set to 1 the bootloader will now
+  check each partition in turn starting from the specified partition
+  before advancing the BOOT_ORDER.
+  This feature is intended for use with A/B systems to handle the case
+  where autoboot.txt is missing / corrupted. This change enables
+  the system to failover to the next available bootable partition.
+  The autoboot.txt file is not scanned during the partition-walk
+  phase i.e. there is no recursive processing of autoboot.txt files.
+  This option is only supported on physical block devices
+  (SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
+  device, partition walks on multiple USB devices is not recommended
+  and may cause timeouts.
+* Improve keyboard handling in boot menu
+  Try and make it more likely that we have enough time to perform key
+  detection.
+  Ignore mice, which were being enumerated and slowing things down.
+
 ## 2024-12-07: Enable banklow (and so NUMA) by default (latest)
 
 * Enable banklow (and so NUMA) by default

firmware-2712/release-notes.md

@@ -1,5 +1,522 @@
 # Raspberry Pi5 bootloader EEPROM release notes
 
+## 2025-11-09: Promote 2025-11-05 to the default release (default)
+
+## 2025-11-05: arm_loader: Add iommu_dma_numa_policy=interleave when needed (latest)
+
+* arm_loader: Add iommu_dma_numa_policy=interleave when needed
+  This applies a similar numa interleave for iommu dma kernel allocations.
+  This includes buffers allocated for hevc and v3d.
+  See: https://forums.raspberrypi.com/viewtopic.php?t=392666
+* Rebuild RP1 firmware to reduce size.
+
+## 2025-10-17: Enable background refresh on 2712d0 for all SDRAM sizes (latest)
+
+* 2712d0: Enable background refresh on 2712d0 for all SDRAM sizes
+  This provides a minor performance benefit.
+* Update GPT to support 4K native sectors
+  Bootloader logic updated to correctly interpret the GPT layout format specific to 4K native sector drives.
+* recovery: Use ROM boot-mode flag to detect rpiboot mode
+  In recovery-mode use the bootrom register flag to detect the
+  original boot-mode rather than looking at whether the rpiboot
+  usb-device boot driver is initialised.
+
+## 2025-10-08: Fix accidental set of PM_RSTS bit 5 when stopping watchdog (latest)
+
+* Fix accidental set of PM_RSTS bit 5 when stopping watchdog
+  Fix an issue in the watchdog code where the raw PM_RSTS value
+  was used as partition number. If HADWRF (bit 5) was set (on reboot)
+  this could cause bit 10 to be set. If an OS didn't clear the partition
+  flags on reboot then this could end up being treated as request to
+  boot from partition 32.
+* pi5: Preliminary support for 4K native sectors with NVMe drives
+  Pi5 now supports 4K native sector NVMe drives. 
+  This allows booting from drives with logical block size 4096, 
+  while 512B drives remain compatible. With 4K sectors, storage density 
+  increases along with improved reliability and efficiency.
+  N.B. USB boot still requires a 512 byte sector size and there are
+  no RPi OS disk images with a 4K sector format.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/577
+* arm_dt: Report OTP SDRAM size via device-tree
+  Report the SDRAM in gigabits via device-tree as
+  /proc/device-tree/chosen/rpi-sdram-size-gbit. Scripts reporting the
+  device-capabilities should use this value (if defined) instead of the
+  memory-size field in the boardrev row.
+
+## 2025-09-25: Apply UART_BAUD in early bootsys UART init (latest)
+
+* Apply UART_BAUD in early bootsys UART init
+  Update bootsys and fatal error handlers to use the user
+  defined UART_BAUD rate.
+* rpifwcrypto: Add support for ECDSA P-256 key generation
+
+## 2025-09-23: Fix TFTP to allow larger files (latest)
+
+* Fix TFTP to allow larger files
+  Allow TFTP block counter to rollover to 0.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/720
+
+## 2025-09-22: Add LZ4 decompressor (latest)
+
+* Add LZ4 decompressor
+  LZ4 gives a better compression ratio than the previously used CK compress. The bootloader can now decompress both LZ4 compressed files and CK compressed files.
+* rpifwcrypto: Add GET_CRYPTO_PRIVATE_KEY mailbox API
+  For provisioning, add a new mailbox API which returns the private key
+  in DER format. The API will return an error if the key-status for
+  the specified key is LOCKED.
+* config: Add support for board_attributes in conditional expressions
+  Add support for the board-attributes row in config.txt conditional
+  expressions. This can be used to change boot behavior for
+  Compute Module Lite / No-WiFi etc.
+* board_info: Log the OTP board revision at startup
+  Log the board revision plus the raw OTP value at startup.
+
+## 2025-08-27: Fix PARTITION property to allow default (0) partition to be overridden (latest)
+
+* Fix PARTITION property to allow default (0) partition to be overridden
+  Fix the partition selection to allow the bootloader PARTITION
+  property to override the reboot partition number if the reboot
+  argument is 0 or > 31. Previously, it was only allowing
+  partition numbers > 31 to be overridden.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/743
+* Enable RPIBOOT in BOOT_ORDER / set-reboot-order
+  Previously, rpiboot required the bootrom to have initialised
+  rpiboot before running the firmware. Update the rpiboot
+  initialisation so that rpiboot to be enabled after booting from
+  SPI flash.
+  This could be selectively enabled by setting BOOT_ORDER property
+  (0x3) behind a GPIO conditional in the EEPROM config. On Pi5, the
+  set_reboot_order config.txt option or mailbox property can be
+  used to set a one-time boot-order on
+  N.B. There is no timeout for RPIBOOT so this should only be set
+  as the last boot mode OR used with a boot_watchdog.
+
+## 2025-08-20: force_eeprom_read=0 disables HAT I2C (latest)
+
+* force_eeprom_read=0 disables HAT I2C
+  Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
+  from being read, with the recent changes to support Power HAT+s it does
+  not prevent an early scan to see if such an EEPROM exists. This can be
+  problematic for applications where the I2C0 pins have been repurposed.
+  Change the inhibit logic to cut all HAT I2C probing off at the knees,
+  including any automatic settings of usb_max_current_enable, as it should
+  always have done.
+  See: https://github.com/raspberrypi/firmware/issues/1985
+* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
+* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API lock_device_private_key=1
+
+## 2025-08-13: Enable the PARTITION_WALK property by default (latest)
+
+* Enable the PARTITION_WALK property by default
+  Previously, the new PARTITION_WALK which searches for bootable
+  partitions after a failure had to be explicitly enabled. Change
+  the default to be enabled by default. It can be switched off by
+  setting PARTITION_WALK=0 in the EEPROM config.
+* pi5: Fix read for cached copy of PMIC sequencer status
+  Previously, this was overwritten by the RTC event status.
+
+## 2025-07-17: Fix config key search which could cause camera_autodetect to fail (latest)
+
+* Fix config key search which could cause camera_autodetect to fail
+  The bootvar0 config property was added in the wrong section which
+  could cause the config property search for some other properties
+  to fail.
+
+## 2025-07-17: arm_loader: Also require the early-watchdog property (latest)
+
+* arm_loader: Also require the early-watchdog property
+  The change correcting the implementation of dtoverlay_is_enabled had the
+  unintended consequence of causing the firmware to enable the watchdog
+  even though the user had not explicitly requested it. This is harmless
+  on Linux because the watchdog driver takes over and disarms it, but on
+  other operating systems this can lead to a reboot. Avoid this problem
+  by also requiring the presence of a new property, "early-watchdog".
+  See: https://github.com/raspberrypi/firmware/issues/1980
+* helpers/config_loader: Add bootvar0 eeprom config that can be used in config.txt section expressions
+  This allows an eeprom config setting (e.g. BOOTVAR0=0x10) to be set on a board
+  which config.txt can use as a conditional expression (e.g. [bootvar0&0x10]).
+* arm_loader: Fix boot-watchdog stop on Pi4
+  Fix a problem where the boot_watchdog heartbeat timer was not
+  stopped correctly which could cause it to clash with the kernel
+  watchdog driver.
+
+## 2025-07-03: Enable firmware UART output on the 40-pin header (latest)
+
+* rp1_uart: Allow rp1_uart to be started earlier
+  If enabled (with enable_rp1_uart) then the existing boot uart
+  messages are redirected to the rp1 uart.
+
+## 2025-06-29: Check for SD card overcurrent on Pi5 and Pi500 (latest)
+
+* board_info: Use the Ethernet PHY address probed by the bootloader
+  Use the Ethernet PHY address supplied by the bootloader in
+  preference to the static configurations defined in start4.elf
+* pi5: Fix overwrite of cache EEPROM config in secure-boot mode
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/719
+* Check for SD card overcurrent on Pi5, Pi500 and Pi4
+  Before booting, the bootloader now checks the SD power switch
+  overcurrent signal. The overcurrent signal occurs if the SD
+  card is damaged and has a short circuit which will cause it to
+  get hot.
+  If an over-current condition is detected the bootloader 
+  switches off power to the SD card and waits five seconds before
+  probing the SD card again. This error is displayed on the
+  diagnostic screen, the UART and the activity LED (1 long, 2 short)
+  flashes.
+  The check can be switched to a non-blocking warning  by setting
+  SD_OVERCURRENT_CHECK=0 in the bootloader config.
+* Add a new error code pattern for SD overcurrent
+  Add a new error pattern (1 long, 2 short) to signal SD card
+  overcurrent.
+* Enable RTC wakeup from POWER_OFF_ON_HALT=0
+* Improve HAT+ current handling
+  In shipping firmware, the current_supply value is only being used in the
+  case of a normal (non-stacked) HAT+, but that is unnecessarily
+  restrictive. Also, the presence of MODE0 and MODE1 power HATs is not
+  reflected in the value of max_current.
+  See: https://github.com/raspberrypi/linux/pull/6678
+
+## 2025-06-20: Add support for a bootloader watchdog (latest)
+
+* Add support for a bootloader watchdog
+  Add support for a boot watchdog (using PM_RSTC hw wdog) which will
+  trigger if the OS is not started within the specified amount of time. The
+  watchdog is enabled by setting the BOOT_WATCHDOG_TIMEOUT=N (seconds)
+  property in the bootlaoder config.
+  The BOOT_WATCHDOG_PARTITION=P property can be set to pass a different
+  partition number to the bootloader on reset if the watchdog
+  is triggered.
+  The boot watchdog is automatically cleared just before starting
+  the OS and (optionally) enabling the kernel watchdog.
+* pi5: Add a temperature monitor
+  In early releases of the bootloader the fan would always be on
+  during boot which can be distracting. Later releases switch off the
+  fan until the OS has booted.
+  This change adds some basic fan control from the bootloader to
+  enable the fan if the temperature is above 85C.
+  This may be useful if the Pi was shutdown by the OS because the
+  temperature limit was exceeded.
+  Since the Linux hwmon is not active at this stage the bootloader
+  now implements the same logic to power off the Pi if the chips
+  is more than 110C.
+  The PMIC hardware automatically cuts power if the temperature
+  is more than 125C.
+* Skip first SD boot if no card detected
+  On platforms with an SD Card detect signal, skip the first attempt to
+  boot from SD if the card appears to be absent. This can save over a
+  second on a cold boot, and a little under a second for a reboot.
+
+## 2025-06-13: Update to include production test changes (latest)
+* Update to include production test changes.
+
+## 2025-06-09: NVMe: Fix loading of files > 32MB (latest)
+
+* NVMe: Fix loading of files > 32MB
+  Fix an NVMe boot bug which caused large contiguous reads >= 32MB to fail.
+* Update setting alpha for 2712D0
+  D0 moved the alpha blend mode from CTL2 to CTL0.
+  Update the bootloader code to follow suit for those using
+  the simple framebuffer
+* dtoverlay: Fix node_is_enabled for implicit status
+  The absence of a status property implies that a node is enabled. Update
+  dtoverlay_node_is_enabled to match that behaviour.
+  See: https://github.com/raspberrypi/firmware/issues/1970
+* arm_loader: GET_CLOCKS: Set useful response length
+  The kernel's firmware mailbox API does not make the actual length of the
+  response available to clients, but other implementations may care.
+  Continue to pad the GET_CLOCKS buffer with zeroes, but set the response
+  length to minimally contain the useful content.
+  See: https://github.com/raspberrypi/firmware/issues/1969
+
+## 2025-05-13: Promote 2025-05-08 to the default release (default)
+
+## 2025-05-08: Implement TCP window for net boot (latest)
+
+* arm_loader: Correct some mailbox response lengths
+  The GET_GENCMD_RESULT mailbox handler was setting the wrong response
+  length, and GET_FIRMWARE_COMMIT_HASH and GET_FIRMWARE_VARIANT were not
+  setting any length.
+  See: https://github.com/raspberrypi/firmware/issues/1968
+* Signed boot and HTTP boot mode
+  HTTP boot mode is supposed to be disabled if signed boot is enabled and
+  a host is not specified. The code is checking the http_secure flag to
+  enforce this. But this is valid now we support custom CA certs.
+  Only disable HTTP mode if we're using the default HOST.
+* Implement TCP window for net boot
+  The minimal IP stack used for https booting lacks the ability to cache
+  packets received out of order, which can lead to severe slowdown when
+  it happens. The problem seems to affect some ISPs more than others.
+  The receive window implemented here copes with packet losses of 10%.
+* netboot: Correct the TCP MSS
+* rp1_net: Overwrite the length field
+  Although concise, ORing in the packet length runs the risk of leaving
+  some unwanted bits set. Ensure the length field is cleared before
+  ORing in the required value.
+* Correct msecs in debug timestamps
+  The fractional part of timestamps in UART debug output was showing the
+  100ths and 1000ths of a second, rather than 10ths and 100ths, causing
+  strange sequences that appear to jump backwards.
+* Implement GET_BOARD_MAC_ADDRESS on Pi5
+  The Pi 5 EEPROM implements a subset of the original mailbox properties.
+  Add GET_BOARD_MAC_ADDRESS to the subset.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/698
+* Ensure the initramfs matches the kernel
+  As far as is possible, both the kernel and initramfs are matched to the
+  device. However, where multiple kernel variants can run on a device, the
+  initramfs must be matched to the chosen kernel. Make that the sole rule
+  for initramfs selection, rather than duplicating the device matching
+  logic.
+  See: https://github.com/raspberrypi/firmware/issues/1965
+* Enable logging messages from OS loader
+  Pi 5 EEPROM builds were missing the output from the main OS loading
+  function, including some important diagnostics. Enabling the logging
+  output from this loader code results in some near-duplicates, but is
+  more user friendly and is available via "sudo vclog -m".
+
+## 2025-04-07: arm_dt: Revert to using the max fan speed (latest)
+
+* arm_dt: Revert to using the max fan speed
+  It has been reported that the presence of a cooling fan at boot time
+  can lead to a maximum observed fan speed of ~300 but a current speed
+  of 0. The absence of a fan results in 0s for both metrics.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/690
+
+## 2025-03-27: os_check: cm5: Check for CM5 specific dtbs (latest)
+
+* os_check: cm5: Check for CM5 specific dtbs
+  Check for BCM2712 support in bcm2712-rpi-cm5-cm5io.dtb
+  or bcm2712-rpi-cm5l-cm5io.dtb on CM5 instead of bcm2712-rpi-5-b.dtb.
+  This avoids needing to put os_check=1 or specifying device_tree
+  in config.txt in minimal images for CM5.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/682
+
+## 2025-03-19: Log the fan speed at boot (latest)
+
+* Log the fan speed at boot
+  Record the fan RPM (and the maximum seen) during boot, so that it is
+  accessible using "sudo vclog -m".
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/678
+* Add current_supply to HAT+ support
+  Refactor the HAT library to make it more self-contained, and combine
+  the I2C address detection and the reading of the EEPROM contents.
+  Use it to allow the earlier boot stages to check for a current_supply
+  setting in the EEPROM of a normal (non-stackable) HAT+.
+
+## 2025-03-10: Promote 2025-03-10 release to default (default)
+
+## 2025-03-10: Add [boot_partition] filter plus SDRAM init fixes (latest)
+
+* Update SDRAM init timings to intermittent 8-flash SDRAM init errors
+  on some boards.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/67
+* config: Fix missing initialisation of selected_expr to 1 in config.txt
+  Without an [all] section the new expression filter might default to
+  false. This impacts the bootloader early parsing of config.txt
+  for things like boot_ramdisk rather than the later config.txt pass
+  for device-tree parsing.
+* config_loader: Add support [boot_partition=N] as an expression filter
+  The boot_partition tests whether the partition number N matches
+  the number that the system is booting from. This expression is
+  only supported in config.txt and is designed to make it easier
+  to have common boot.img ramdisks in an A/B system where the
+  conditional loads a different cmdline.txt file depending on
+  which partition boot.img is loaded from.
+
+## 2025-03-03: Fix bootloader pull configuration on 2712D0 (latest)
+
+* Fix pull configuration on 2712D0
+  2712D0 uses a horrendously sparse set of pad control registers. Make
+  the pull-setting code sufficiently complex to cope.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/672
+* Disable UARTA for CM5s without WiFi
+  Just as CM5s without WiFI don't need the SDIO interface, the Bluetooth
+  UART is unconnected. Disable the DT node to avoid kernel warnings and
+  save some cycles.
+
+## 2025-02-17: Promote 2025-02-12 to the default release (default)
+
+## 2025-02-12: Fixup change to disable 3.7V PMIC output on CM5 no-wifi (latest)
+
+* Fixup change to disable 3.7V PMIC output on CM5 no-wifi
+
+## 2025-02-11: CM5 no-Wifi stability improvements (latest)
+
+* recovery: Walk partitions to delete recovery.bin
+  Previously, recovery.bin would fail to delete itself
+  if the bootrom loaded recovery.bin where there are multiple FAT
+  partitions and the first partition does not contain recovery.bin
+  Update the rename code to walk the partition table to find
+  the recovery.bin file to delete.
+* pi5: Add config filter for simple boot variable expressions (experimental)
+  Add support for a new bootloader/config.txt conditional filter
+  which tests the partition, boot_count and boot_arg1 variables.
+  Syntax (no spaces):
+  ARG boot_arg1, boot_count or partition (EEPROM config stage only)
+  [ARG=VALUE]      selected if (ARG == VALUE)
+  [ARG&MASK]       selected if ((ARG & VALUE) != 0))
+  [ARG&MASK=VALUE] selected if ((ARG & MASK) == VALUE)
+  [ARG<VALUE]      selected if (ARG < VALUE)
+  [ARG>VALUE]      selected if (ARG > VALUE)
+  where VALUE and MASK are unsigned integer constants and ARG
+  corresponds to the value in the reset register before the
+  config file is parsed.
+* pi5: Add a boot-count bootloader variable (experimental)
+  Store the boot-count in a reset register and increment just
+  before the boot-order state-machine. The boot-count variable
+  is visible via device-tree /proc/device-tree/chosen/bootloader/count
+  and can be read/set via vcmailbox
+  GET: sudo vcmailbox 0x0003008d 4 4 0
+  SET to N: sudo vcmailbox 0x0003808d 4 4 N
+* pi5: Add user-defined reboot argument (boot_arg1) (experimental)
+  Add support for a user-defined boot parameter stored in a reset-safe
+  scratch register on BCM2712.  This is visible via device-tree at
+  /proc/device-tree/chosen/bootloader/arg1 and via vcmailboxes
+  GET arg1: sudo vcmailbox 0x0003008c 8 8 1 0
+  SET arg1 to 42: sudo vcmailbox 0x0003808c 8 8 1 42
+  or via config.txt
+  set_reboot_arg1=42
+  The variable is NOT cleared automatically and will persist until
+  a power-on-reset.
+* Enable overriding of high partition numbers
+  Previously, the PARTITION=N bootloader config setting would only
+  be used at power on reset or if the partition number passed to
+  reboot was zero.
+  Change the behaviour so that the bootloader config PARTITION
+  property can override the reboot partition number if the reboot
+  parameter is > 31.
+* Disable WiFi PMIC output on CM5 modules without WiFi
+  Disable the 3.7V WiFi power supply on CM5 modules which do not have a
+  WiFi module fitted. This fixes some stability issues where a CM5
+  would shutdown due to a spurious over-voltage condition on the
+  non-connected WiFi power supply.
+* Add memory barrier to the mbox handler
+  Firmware issue 1944 reports receiving kernel warnings about firmware
+  requests where the status return code is 0. This should not be
+  possible, as handle_mbox_property always sets the top bit of the return
+  code, with the bottom bit indicating success or failure. If the firmware
+  had died, the firmware driver would report a timeout due to the lack of
+  a mailbox interrupt, and that isn't happening.
+  See: https://github.com/raspberrypi/firmware/issues/1944
+* support dts files with size-cells of 2
+  DTS files with a top-level #size-cells of 2 make a lot of sense for
+  systems with a lot of RAM, but the firmware is currently inconsistent
+  in its support for that. Fix up the other cases to honor #size-cells
+  and #address-cells.
+* Disable SDIO2 for CM5s without WiFi
+  It has been observed that CM5s without WiFi hang on reboot. To prevent
+  that, disable the sdio2 node on those devices.
+  See: https://github.com/raspberrypi/linux/issues/6647
+* arm_dt: Use dtoverlay_enable_node
+  Convert the open-coded DT node status changes to use the new dtoverlay
+  method dtoverlay_enable_node.
+* dtoverlay: Add dtoverlay_enable_node
+  Add a helper function for setting the status of a node.
+
+## 2025-01-27: Walk the partition table if the requested partition is not bootable (latest)
+
+* Walk the partition table if the requested partition is not bootable
+  Previously, if the specified boot partition was not bootable the
+  bootloader would stop and advance to the next BOOT_ORDER. If the
+  new PARTITION_WALK option is set to 1 the bootloader will now
+  check each partition in turn starting from the specified partition
+  before advancing the BOOT_ORDER.
+  This feature is intended for use with A/B systems to handle the case
+  where autoboot.txt is missing / corrupted. This change enables
+  the system to failover to the next available bootable partition.
+  The autoboot.txt file is not scanned during the partition-walk
+  phase i.e. there is no recursive processing of autoboot.txt files.
+  This option is only supported on physical block devices
+  (SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
+  device, partition walks on multiple USB devices is not recommended
+  and may cause timeouts.
+* Improve keyboard handling in boot menu
+  Try and make it more likely that we have enough time to perform key
+  detection.
+  Ignore mice, which were being enumerated and slowing things down.
+
+## 2025-01-22: Promote 2025-01-22 to default release (default)
+
+## 2025-01-22: Add DT /chosen property signed-boot boot.img hash (latest)
+
+* Add DT /chosen property signed-boot boot.img hash
+  Make the sha256 hash of the boot.img file available via
+  device-tree /proc/device-tree/chosen/bootloader/boot_img_sha256 if
+  signed boot is enabled.
+* filesystem: GPT autoboot/reboot partition number fixes for Pi4 and older
+* Fix problems when setting arm_freq_min=arm_freq and display clocks
+  if performance governor is not enabled.
+
+## 2025-01-14: Add set_reboot_order API (latest)
+
+* Add set_reboot_order API and config.txt properties
+  If set_reboot_order is defined in config.txt or set via vcmailbox
+  then this will override the bootloader config BOOT_ORDER property
+  on the next reboot. The parameter is stored in a reset safe register
+  and is cleared by the bootloader after reading it.
+  Typically, the config.txt value only be used via rpiboot to
+  override the boot-order on the next reboot. Otherwise, it should
+  reside in a conditional section so that the boot order is not
+  overridden on every reboot.
+  Example, test network boot
+  sudo vcmailbox 0x0003808b 4 4 0xf4612; sudo reboot
+
+## 2025-01-13: Improved SDRAM refresh timings for Pi5 16GB (latest)
+
+* Improved SDRAM refresh timings for Pi5 - 16GB
+* Add an option to wait for the power button to be pressed before booting.
+  If POWER_OFF_ON_HALT=1 and WAIT_FOR_POWER_BUTTON=1 in the bootloader
+  config then the bootloader will wait for either the power button
+  to be pressed or an RTC alarm before booting. The wait state
+  switches the PMIC to STANDBY mode which is the lowest possible
+  power state.
+
+## 2025-01-08: Update SDRAM refresh timings for BCM2712D0 products (latest)
+
+* Update SDRAM timings for BCM2712D0 products.
+
+## 2025-01-07: Fixup M.2 HAT+ detection (latest)
+
+* Fix a potential timing issue introduced in the 2025-01-06
+  release when enabling PCIE_PWR when booting from SD/USB.
+
+## 2025-01-06: Stop the fan after after fan-probe (latest)
+
+* Stop the fan after after fan-probe
+  After the fan-probe has completed drive the fan PWM GPIO
+  to high if a fan was detected and let the OS take over.
+* Add SD_QUIRKS for hardware bringup / workarounds
+  Add a new SD_QUIRKS flags property which can be used to
+  disable high-speed mode (bit 0). Other bits are reserved for
+  future use.
+* Change uart_2ndstage default to 1 on Pi5
+  Change the default to 1 because this gives useful diagnostics
+  for device-tree loading with minimal overhead. Set uart_2ndstage=0
+  or BOOT_UART=0 to disable this.
+* Move M.2 HAT+ detection to early boot.
+  Initialse M.2 HAT+ detection before DDR init to give NVMe
+  drive firmware more time to boot.
+
+## 2024-12-19: Disable fan PWM before shutdown (latest)
+
+* Disable fan PWM before shutdown
+  Drive the RP1 fan PWM GPIO high before entering the VPU
+  sleep (POWER_OFF_ON_HALT=0) to stop the fan spinning.
+* Disable fan PWM GPIO between RP1 init and fan probe
+  Drive fan PWM GPIO high during early boot to disable the fan
+  until it is probed during the device-tree setup stage.
+  This stops the spinning at max rpm during network-install.
+* arm_dt: enable_uart defaults to 0 on 2712
+  The default value of enable_uart on 2712 is 0, regardless of the
+  presence of the debug UART cable, so guarantee that the default is
+  always set correctly.
+
+## 2024-12-15: Add net install to boot menu (latest)
+
+* Add net install to boot menu
+  Press N (or shift).
+* enable_uart: Require enable_uart=1 to enable RP1 UART console
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/643
+
 ## 2024-12-07: Enable banklow (and so NUMA) by default (latest)
 
 * Enable banklow (and so NUMA) by default

imager/2711-config/boot-conf-network.txt

@@ -3,4 +3,5 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf21
+NET_INSTALL_AT_POWER_ON=1
 

imager/2711-config/boot-conf-sd.txt

@@ -3,4 +3,4 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf41
-
+NET_INSTALL_AT_POWER_ON=1

imager/2711-config/boot-conf-usb.txt

@@ -3,4 +3,5 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf14
+NET_INSTALL_AT_POWER_ON=1
 

imager/make-imager-release

@@ -5,7 +5,7 @@ set -e
 script_dir=$(cd "$(dirname "$0")" && pwd)
 
 # Pi4, Pi400, CM4, CM4-S
-${script_dir}/make-release critical 2023-01-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
+${script_dir}/make-release critical 2025-11-05 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
 
 # Pi5
-${script_dir}/make-release critical 2024-11-12 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+${script_dir}/make-release critical 2025-11-05 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712

imager/net_install_pubkey.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAno9f6RGBaf2yaWTwf8+y
+MO4snzEgLOr8L3S28PZBdyx2qqNrzZ+xUOfLNYI5CwvBgOyKtm5L+wJIR8NUqgBl
+tvtBMAy2Auh0Qe679vN6UnsWE/o3pCgFPdmH+EcKfPqNBYODgfL+eumGM9Lo2dnl
+6P3JBR4Uy2E171k4D9Pj5rhO2K4jySYwbTuFR/drB2nDBrrsUW+SArnkTLvEGLY1
+nONW+AIBaqBxb+wjD/TMvVdsCWNXabcRqYM9DDgVzGePKuQdX5aBdgDnlbtDodyq
+FnLcRjqGE7nSQBQILwmGl5EvHMGa8d3/aLE6eXmMCakXyF1HPRv2lOecxNMO3xTF
+zwIDAQAB
+-----END PUBLIC KEY-----

releases.md

@@ -14,5 +14,6 @@ For support or hardware interoperability discussions please use the Raspberry Pi
 ## Old EEPROM images
 Old bootloader images are periodically removed from the APT package to reduce the disk space but are still available via Github 
 * Old [BCM2711 releases](https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware-2711/old).
+* Old [BCM2712 releases](https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware-2712/old).
 
 **Old releases may fail to boot on newer hardware revisions.**

rpi-eeprom-config

@@ -171,8 +171,6 @@ def apply_update(config, eeprom=None, config_src=None):
     sys.stdout.write("Updating bootloader EEPROM\n image: %s\nconfig_src: %s\nconfig: %s\n%s\n%s\n%s\n" %
                      (eeprom_image, config_src, config, '#' * 80, config_str, '#' * 80))
 
-    sys.stdout.write("\n*** To cancel this update run 'sudo rpi-eeprom-update -r' ***\n\n")
-
     # Ignore APT package checksums so that this doesn't fail when used
     # with EEPROMs with configs delivered outside of APT.
     # The checksums are really just a safety check for automatic updates.
@@ -348,7 +346,7 @@ class BootloaderImage(object):
             update_len = len(src_bytes) + FILE_HDR_LEN
 
             if hdr_offset + update_len > self._image_size - ERASE_ALIGN_SIZE:
-                raise Exception('No space available - image past EOF.')
+                raise Exception('No space available. %s size %d available space %d' % (dst_filename, update_len, self._image_size - ERASE_ALIGN_SIZE - hdr_offset))
 
             if hdr_offset < 0:
                 raise Exception('Update target %s not found' % dst_filename)

rpi-eeprom-digest

@@ -6,8 +6,12 @@
 # a hard dependency on OpenSSL.
 
 set -e
+set -u
 
 OPENSSL=${OPENSSL:-openssl}
+KEY=""
+SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-""}
+HSM_WRAPPER=""
 
 die() {
    echo "$@" >&2
@@ -46,28 +50,30 @@ RSA signature. Typically this tool is used by rpi-eeprom-update to
 generate a hash to guard against file-system corruption for EEPROM updates
 OR for signing OS images (boot.img) for secure-boot.
 
-This tool CANNOT be used directly to sign an bootloader EEPROM image
-for secure-boot because the signed data is bootloader configuration file
+This tool CANNOT be used directly to sign a bootloader EEPROM image
+for secure-boot because the signed data is the bootloader configuration file
 rather than the entire flash image.
-To create signed bootloader images please see
+To create signed bootloader images, please see
 https://github.com/raspberrypi/usbboot/tree/master/secure-boot-recovery/README.md
 
 
 Options:
-   -i The source image e.g. boot.img
-   -o The name of the digest/signature file.
-   -k Optional RSA private key.
+   -i The source image, e.g., boot.img
+   -o The name of the digest/signature file
+   -k Optional RSA private key
+   -H The name of the HSM wrapper script to invoke - default ""
 
-RSA signing
-If a private key in PEM format is supplied then the RSA signature of the
-sha256 digest is included in the .sig file. Currently, the bootloader only
-supports sha256 digests signed with a 2048bit RSA key.
-The bootloader only verifies RSA signatures in signed boot mode
-and only for the EEPROM config file and the signed image.
+RSA signing:
+If a private key in PEM format or a PKCS#11 URI is supplied, then the
+RSA signature of the SHA256 digest is included in the .sig
+file. Currently, the bootloader only supports SHA256 digests signed
+with a 2048-bit RSA key. The bootloader only verifies RSA signatures
+in signed boot mode and only for the EEPROM config file and the signed
+image.
 
 Examples:
 
-# Generate the normal sha256 hash to guard against file-system corruption
+# Generate the normal SHA256 hash to guard against file-system corruption
 rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
 rpi-eeprom-digest -i vl805.bin -o vl805.sig
 
@@ -76,7 +82,15 @@ rpi-eeprom-digest -k private.pem -i boot.img -o boot.sig
 
 # Generate RSA signature for the EEPROM config file
 # As used by update-pieeprom.sh in usbboot/secure-boot-recovery
-rpi-eeprom-digest -k private.pem -i bootconf.txt  -o bootconf.sig
+rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
+
+# Generate RSA signature for the EEPROM config file and delegate 
+# the signing process to a HSM wrapper script instead of using the private key directly.
+rpi-eeprom-digest -H hsm-wrapper -i bootconf.txt -o bootconf.sig
+
+# Similarly, but specifying the key with a PKCS#11 URI
+# (Deprecated - use HSM wrapper instead)
+rpi-eeprom-digest -k pkcs11:token=deadbeef;object=bl-key;type=private;pin-value=1234 -i bootconf.txt  -o bootconf.sig
 
 # To verify the signature of an existing .sig file using the public key.
 # N.B The key file must be the PUBLIC key in PEM format.
@@ -98,9 +112,10 @@ writeSig() {
        echo "ts: $(date -u +%s)" >> "${OUTPUT}"
    fi
 
-   if [ -n "${KEY}" ]; then
-      [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
-      "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
+   if [ -n "${HSM_WRAPPER}" ]; then
+      echo "rsa2048: $("${HSM_WRAPPER}" -a rsa2048-sha256 "${IMAGE}")" >> "${OUTPUT}"
+   elif [ -n "${KEY}" ]; then
+      "${OPENSSL}" dgst ${ENGINE_OPTS} -sign "${KEY}" -sha256 -out "${SIG_TMP}" "${IMAGE}"
       echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
    fi
 }
@@ -112,18 +127,20 @@ verifySig() {
    sig_hex="$(grep rsa2048 "${sig_file}" | cut -f 2 -d ' ')"
    [ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}"
 
-   echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
-   "${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
+   echo "${sig_hex}" | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
+   "${OPENSSL}" dgst ${ENGINE_OPTS} -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
 }
 
 OUTPUT=""
 VERIFY=0
-while getopts i:k:ho:v: option; do
+while getopts i:H:k:ho:v: option; do
    case "${option}" in
    i) IMAGE="${OPTARG}"
       ;;
    k) KEY="${OPTARG}"
       ;;
+   H) HSM_WRAPPER="${OPTARG}"
+      ;;
    o) OUTPUT="${OPTARG}"
       ;;
    v) SIGNATURE="${OPTARG}"
@@ -142,6 +159,18 @@ checkDependencies
 
 [ -n "${IMAGE}" ] || usage
 [ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
+[ "${VERIFY}" != 1 ] || [ -n "${KEY}" ] || die "Option -v also requires passing public key via -k"
+
+if [ -n "${KEY}" ] ; then
+    if [ -f "${KEY}" ] ; then
+        ENGINE_OPTS=
+    elif echo "${KEY}" | grep -q "^pkcs11:" ; then
+        ENGINE_OPTS="-engine pkcs11 -keyform engine"
+    else
+        die "RSA key \"${KEY}\" not found"
+    fi
+fi
+
 if [ "${VERIFY}" = 1 ]; then
    verifySig "${SIGNATURE}"
 else

rpi-eeprom-update

@@ -14,6 +14,8 @@ LOCAL_MODE=0
 if [ -n "$FIRMWARE_ROOT" ]; then
    # Provided by environment
    true
+elif [ -d /usr/lib/firmware/raspberrypi/bootloader ] || [ -d /usr/lib/firmware/raspberrypi/bootloader-2711 ] || [ -d /usr/lib/firmware/raspberrypi/bootloader-2712 ]; then
+   FIRMWARE_ROOT=/usr/lib/firmware/raspberrypi/bootloader
 elif [ -d /lib/firmware/raspberrypi/bootloader ] || [ -d /lib/firmware/raspberrypi/bootloader-2711 ] || [ -d /lib/firmware/raspberrypi/bootloader-2712 ]; then
    FIRMWARE_ROOT=/lib/firmware/raspberrypi/bootloader
 else
@@ -422,13 +424,13 @@ checkDependencies() {
    if [ $(((0x$BOARD_INFO >> 12) & 15)) = 3 ]; then
       BCM_CHIP=2711
       EEPROM_SIZE=524288
-      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1599135103}"
+      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1746717695}"
 
       SPIDEV=/dev/spidev0.0
    elif [ $(((0x$BOARD_INFO >> 12) & 15)) = 4 ]; then
       BCM_CHIP=2712
       EEPROM_SIZE=2097152
-      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1725975630}"
+      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1746713597}"
       SPIDEV=/dev/spidev10.0
       # Default is to use flashrom if availableon BCM2712
       RPI_EEPROM_USE_FLASHROM=${RPI_EEPROM_USE_FLASHROM:-1}
@@ -902,6 +904,11 @@ checkVersion()
 
    if [ "${ACTION_UPDATE_BOOTLOADER}" = 1 ] || [ "${ACTION_UPDATE_VL805}" = 1 ]; then
       echo "*** UPDATE AVAILABLE ***"
+      echo ""
+      echo "Run \"sudo rpi-eeprom-update -a\" to install this update now."
+      echo
+      echo "To configure the bootloader update policy run \"sudo ${RPI_EEPROM_UPDATE_CONFIG_TOOL}\""
+      echo ""
       printVersions
       write_status_info "EXIT_UPDATE_REQUIRED"
       exit ${EXIT_UPDATE_REQUIRED}