Merge pull request #400 from timg236/pieeprom-2022-01-25

pieeprom-2022-01-25: Create stable release from pieeprom-2022-01-20

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,13 +7,12 @@ about: Create a bug report for the bootloader EEPROM or rpi-eeprom-update script
 This repository tracks bugs for the Raspberry Pi 4 bootloader EEPROM and Linux update scripts.
 
 * If you suspect a hardware problem then please read the [Boot Problems](https://www.raspberrypi.org/forums/viewtopic.php?p=437084) post first before contacting the reseller.
-* Support questions or should be posted on the Raspberry Pi [General Discussion](https://www.raspberrypi.org/forums/viewforum.php?f=63)**
-
+* Support questions or should be posted on the Raspberry Pi [General Discussion](https://www.raspberrypi.org/forums/viewforum.php?f=63) forum
 
 **Mandatory information**
 * Raspberry Pi model
-* Board revision (cat /proc/cpuinfo | grep Revision)
-* Operating system version .
+* Board revision (`cat /proc/cpuinfo | grep Revision`)
+* Operating system version
 * Details of any hardware attached e.g. links to USB 
 * Photo of the HDMI diagnostics screen, UART trace.
 
@@ -27,24 +26,38 @@ Steps to reproduce the behavior:
 A clear and concise description of what you expected to happen.
 
 **Bootloader version and configuration**
-If you have modified the default bootloader release or configuration then please attach the bootloader configuration vcgencmd bootloader_config and version (vcgencmd bootloader_version)
+Please include the bootloader version and config.
+```bash
+vcgencmd bootloader_version
+vcgencmd bootloader_config
+```
 
-**SD card boot (please complete the following information):**
+**SD card boot (please complete the following information):**  
  - SD card type
- - Partition information (sudo fdisk -l) if you are able to obtain this from another computer.
+ - Partition information (`sudo fdisk -l`) if you are able to obtain this from another computer
 
-**Network boot (please complete the following information):**
-Network boot bug normally require one or more of the following log types. [PiServer](https://github.com/raspberrypi/piserver) is the officially supported network boot server.
+**USB boot (please complete the following information):**  
+Verify that the the USB device works correctly when hot-plugged under Linux and attach the output of 'lsusb -vvv'.
 
- - DHCP server configuration files e.g. dnsmasq.conf
+**Network boot (please complete the following information):**  
+Network boot bug normally requires one or more of the following log types. [PiServer](https://github.com/raspberrypi/piserver) is the officially supported network boot server.
+
+ - DHCP server configuration files e.g. `dnsmasq.conf`
  - Wireshark binary packet capture
- - UART logs
+ - UART logs with `uart_2ndstage=1` set in `config.txt`
 
-**USB boot (please complete the following information):**
-Verify that the the USB device works correctly when hot-plugged under Linux and attache the output of 'lsusb -vvv'
+**NVMe boot (please complete the following information):**
+
+```bash
+sudo apt-get install nvme-cli
+sudo nvme list
+sudo nvme id-ctrl -H /dev/nvme0
+sudo nvme list-ns /dev/nvme0
+sudo nvme id-ns -H /dev/nvme0 --namespace-id=1
+```
 
 **Additional context**
 Add any other context about the problem here. 
 
-The [Bootloader configuration](https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md) page describes how to enable UART or NETCONSOLE logs. For complex USB boot issues NETCONSOLE logs are recommended.
+The [Bootloader configuration](https://www.raspberrypi.org/documentation/computers/raspberry-pi.html#raspberry-pi-4-bootloader-configuration) page describes how to enable UART or NETCONSOLE logs. For complex USB boot issues NETCONSOLE logs are recommended.
 

README.md

@@ -1,16 +1,16 @@
 # rpi-eeprom
-This repository contains the scripts and pre-compiled binaries used to create the `rpi-eeprom` package which is used to update the Raspberry Pi 4 bootloader and VLI USB xHCI controller EEPROMs.
+This repository contains the scripts and pre-compiled binaries used to create the `rpi-eeprom` package which is used to update the Raspberry Pi 4 bootloader and VLI USB controller EEPROMs.
 
 # Support
-Please check the Raspberry Pi [general discussion forum](https://www.raspberrypi.org/forums/viewforum.php?f=63) if you have a support question. 
+Please check the Raspberry Pi [general discussion forum](https://forums.raspberrypi.com/viewforum.php?f=63) if you have a support question.
 
 # Reset to factory defaults
-The [Raspberry Pi Imager](https://www.raspberrypi.org/downloads/) provides an EEPROM recovery image which may be used to reset the bootloader and USB xHCI EEPROMs to factory defaults.
+To reset the bootloader back to factory defaults use [Raspberry Pi Imager](https://www.raspberrypi.com/software/) to write an EEPROM update image to a spare SD card. Select `Misc utility images` under the `Operating System` tab.
 
 # Bootloader documentation
-* [The boot folder](https://www.raspberrypi.org/documentation/configuration/boot_folder.md)
-* [Config.txt boot options](https://www.raspberrypi.org/documentation/configuration/config-txt/boot.md)
-* [Bootloader EEPROM](https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md)
-* [Bootloader configuration](https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md)
+* [Config.txt boot options](https://www.raspberrypi.com/documentation/computers/config_txt.html#boot-options)
+* [Bootloader EEPROM](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-boot-eeprom)
+* [Bootloader configuration](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-bootloader-configuration)
+* [Updating the Compute Module 4 bootloader](https://www.raspberrypi.com/documentation/computers/compute-module.html#cm4bootloader)
 * [Release notes](firmware/release-notes.md)
 * [Releases](releases.md)

firmware/release-notes.md

@@ -1,7 +1,163 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
 USB MSD boot also requires the firmware from Raspberry Pi OS 2020-08-20 or newer.
-https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md
+https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-bootloader-configuration
+
+## 2022-01-25 - Create new release from 2022-01-20 - LATEST/STABLE
+   * Rebuild 2022-01-20 for new stable release
+
+## 2022-01-20 - Some NVMe boot fixes - BETA
+   * PCIe retry on error
+   * NVMe logging changes
+   * NVMe attempts to boot twice
+   * Increase the maximum GPU memory size from 256MB to 512MB so long as
+     boot_ramdisk=0. This should only be used with the legacy camera
+     application and FKMS for very memory intensive camera operations.
+     N.B. The new libcamera and KMS driver use CMA instead of GPU memory.
+
+## 2021-12-02 - Promote the 2021-12-02 beta release to LATEST/STABLE
+   * Just fixes a regression with MTB detection affecting factory testing
+
+## 2021-12-02 - Fix MTB detection for factory test - BETA
+   * Just fixes a regression with MTB detection affecting factory testing
+
+## 2021-12-09 - Update default recovery.bin
+   * Promote the recovery.bin from stable to default. This avoids an issue
+     where recovery.bin fails to load on large FAT32 boot partions with 32K
+     clusters.
+
+## 2021-11-29 - Promote the 2021-11-22 beta release to LATEST/STABLE
+Interesting changes since the last stable release:-
+   * NVMe / PCIe reset fixes
+   * GPT / FAT enhancements
+   * FAT performance improvements
+   * Secure-boot for industrial customers (see usbboot repo)
+
+## 2021-11-22 - Fix for Sabrent rocket Nano NVMe reboot issue - BETA
+  * Fixes issue with Sabrent rocket Nano NVMe disk after a reboot.
+    Run pcie initialisation again if there's an error.
+
+## 2021-10-27 - Secure boot improvements - BETA
+  * Improve the error logging if a file is too large and truncated.
+  * Increase the maximum size of the ramdisk to 96MB.
+  * Preliminary changes to expose the boot-mode used to load the ramdisk via device-tree.
+
+  N.B. Secure boot is only recommended for industrial customers and is currently
+  a beta release. This can only be enabled via RPIBOOT
+  https://github.com/raspberrypi/usbboot/blob/master/Readme.md
+
+## 2021-10-05 - Update for latest Broadcom SDRAM settings - BETA
+  * Minor update for latest SDRAM tuning settings.
+
+## 2021-10-04 - Add support for GPT FAT16 and increase USB timeouts - BETA
+  * Update the FAT detection to support FAT16 for EFI/ESD paritions with
+    GPT instead of assuming FAT32. The latest firmware is also required
+    for a similar update.
+  * Increase the timeouts for MSD SCSI commands to reduce the risk of
+    timeouts when probing the capacity of slow to start devices
+    e.g. USB RAID with spinning disks.
+
+## 2021-09-27 - Fix recovery.bin rename issue and EEPROM netconsole - BETA
+  * Fix recovery.bin rename issue
+  * Update pieeprom-2021-09-27.bin to fix netconsole
+
+## 2021-09-23 - Temporarily revert recovery.bin 2021-09-22 BETA/STABLE
+  * Revert until fix for can be verified https://github.com/raspberrypi/rpi-eeprom/issues/367
+
+## 2021-09-23 - Bootloader file-system updates - BETA
+This release makes major changes to the bootloader file-system code in order
+to support new features and should be treated as a bleeding edge BETA release!
+  * Improve file-system performance to reduce boot time.
+  * Preliminary support for IPV6 TFTP. Requires an updated start4.elf.
+    Details to follow.
+  * Fix VL805=1 option for CM4 IO boards that follow the same XHCI
+    design as Pi4B. Start.elf will be updated in the next rpi-update release
+    and the latest CM4 DTBs are required for the 'XHCI reset controller'
+  * Preliminary support for loading signed boot image files.
+    Requires updated GPU firmware.
+
+## 2021-09-22 - Update recovery.bin to fix issue with large FAT partitions - STABLE
+  * Bump the latest recovery.bin under beta to stable.
+
+## 2021-09-22 - Update recovery.bin to fix issue with large FAT partitions - BETA
+  * Fix an issue where the ROM fails to load larger recovery.bin files
+    on FAT partitions with large cluster sizes.
+
+## 2021-07-07 - Promote pieeprom-2021-07-06 to stable - STABLE
+  * Promote the latest beta to stable. For CM4 users this adds NVMe
+    boot support to the stable release.
+
+## 2021-07-06 - Tidyup PXE debug strings - BETA
+   * Remove redundant debug string - hexdump is more useful for debug.
+   * Minor internal changes for manufacturing test.
+
+## 2021-06-25 - Support 256MB gpu_mem with boot ramdisk - BETA
+   * Tweak the address map so that boot ramdisks (e.g. rpiboot -d imager)
+     work with large amounts of GPU memory.
+
+## 2021-06-17 - Avoid unnecessary PCIe probe on CM4 - BETA
+   * Avoid default PCIe / XHCI probe on CM4 unless required for the current boot
+     mode (USB_MSD or NVME).
+   * Leave PCIe RC in reset state when loading start.elf except for USB-MSD mode.
+
+## 2021-06-11 - Add USB_MSD_STARTUP_DELAY option - BETA
+   * Minor update to BRCM SDRAM settings.
+   * Add USB_MSD_STARTUP_DELAY option (default 0 option). This adds a configurable
+     delay (in milliseconds) the first time the USB host controller is initialised
+     before device enumeration.
+     Normally, this should not be required. However, some HDD enclosures may
+     require an extended startup delay in order to spinup drives. Without this
+     the get-capacity command may stall and timeout.
+
+## 2021-05-19 - Use the latest BRCM SDRAM settings - BETA
+   * Use the latest BRCM SDRAM settings.
+   * FAT12 support for small bootloader ramdisk images.
+   * Minor file-system performance optimisations.
+   * Added recovery.bin config.txt option (erase_eeprom=1) to perform an
+     SPI chip-erase operation instead of programming the bootloader image.
+
+## 2021-04-30 - Update default version to 2021-04-29
+   * The manufacturing release has been updated to pieeprom-2021-04-29 so update the default release to match this.
+
+## 2021-04-29 - Pi400 - Reduce MII clock freq when probing ethernet PHY - STABLE
+   * Pi400 - Reduce MII clock freq when probing ethernet PHY - STABLE
+
+## 2021-04-19 - Promote 2021-03-18 from LATEST to DEFAULT - DEFAULT
+   * Display VC_BUILD_ID strings instead of the SHA256 hash
+   * Add support for [cm4] and [pi400] config conditionals filters.
+   * Change network boot to use the same "RXID" Ethernet PHY configuration as the 5.10 kernel
+   * TFTP - reply to duplicate ACKS
+   * Skip rendering of HDMI diagnostics display for the first 8 seconds unless an error occurs.
+   * UDP checksum fixes
+   * Add support for the BCM2711 XHCI controller - BOOT_ORDER 0x5
+   * XHCI protocol layer fixes for non-VLI controllers
+   * Avoid USB MSD timeout if there is only one device
+   * Implement tryboot for OS upgrade fallback
+   * Check the update-timestamp before applying an update in SELF-UPDATE mode
+
+## 2021-04-13 - Fix error pattern for HDMI and SDRAM failures - BETA/STABLE
+   * Fix recovery.bin error handler so that the LED error pattern is still
+     displayed even if HDMI or SDRAM fail.
+
+## 2021-03-18 - Fix occasional reboot fail on Pi4B pre 1.4 - STABLE
+   * Fix GPIO expander reset issue on some Pi4B 1.1 to 1.3 boards
+
+## 2021-03-17 - Fix issue with PCIe bridges in Linux - BETA
+   * NVMe BETA boot support broke PCIe bridges in Linux. This should fix the problem
+
+## 2021-03-04 - NVMe boot support - BETA
+   * Adds support for NVMe to the bootloader with a new NVMe boot mode "6"
+     NVMe currently only works for controller 0 on namespace 1 with a page size of 4096 bytes
+     and block size of 512 bytes
+   * The default boot order has been updated to F641 for cm4 ONLY, so NVMe boot is
+     attempted after SD and USB
+
+     To use the new NVMe add "6" to the BOOT_ORDER.
+
+     This requires the latest rpi-update firmware to work or else you will see a compatibility
+     error on boot. You also need the latest kernel from rpi-update to load rootfs from NVMe
+     see https://github.com/Hexxeh/rpi-firmware/commit/48570ba954a318feee348d4e642ebd2b58d9dd97
+     and https://github.com/Hexxeh/rpi-firmware/commit/e150906874ff8b9fb6271971fa4238997369f790
 
 ## 2021-02-22 - Promote 2021-02-16 to stable - STABLE (LATEST)
    * Freezing for default/critical update.

imager/README.txt

@@ -1,28 +1,42 @@
 Raspberry Pi 4 EEPROM bootloader rescue image
 *********************************************
 
-The Raspberry Pi4 has a small EEPROM used to store the bootloader.
+The Raspberry Pi 4 contains a small EEPROM used to store the bootloader.
 
 This rescue image reverts the bootloader EEPROM to factory default settings.
 
-This rescue image also updates the USB 3.0 (VL805) firmware to the latest
-version (138a1) with better full-speed Isochronous endpoint support.
+This rescue image also updates the USB 3 controller (VL805) firmware to the
+latest version, 138a1, which has better full-speed isochronous endpoint 
+support.
 
-To re-flash the EEPROM(s)
+Raspberry Pi 4 board revisions 1.1 and 1.2 contain a separate EEPROM 
+which contains firmware for the USB 3 controller (VL805): on newer revisions 
+the USB controller firmware is stored in the bootloader EEPROM along with 
+the bootloader.
 
-1. Unzip the contents of this zip file to a blank FAT formatted SD-SDCARD.
-2. Power off the Raspberry Pi
-3. Insert the sd-card.
-4. Power on Raspberry Pi
-5. Wait at least 10 seconds.
+The easiest method for creating EEPROM rescue images, and formatting SD 
+cards, is to use Raspberry Pi Imager from https://raspberrypi.com/software.
+Raspberry Pi Imager provides a GUI for downloading the latest version of 
+this rescue image and flashing it to a spare SD card.
 
-This easiest method for creating and formatting the SD-CARD is to use the
-Raspberry Pi Imager from https://raspberrypi.org/downloads
+Alternatively, copy the contents of this zip file to a blank
+FAT formatted SD card. The FAT partition must be < 32 GB.
 
-If successful, the green LED light will blink rapidly (forever), otherwise
-an error pattern will be displayed.
+To update the EEPROM:
 
-If a HDMI display is attached then screen will display green for success
-or red if failure a failure occurs.
+1. Power off the Raspberry Pi
+2. Insert the bootloader update SD card
+3. Power on the Raspberry Pi
+4. Wait at least 10 seconds
 
-N.B. This image is not a bootloader it simply replaces the on-board bootloader.
+If successful, the green LED on the Raspberry Pi will blink rapidly forever.
+An unsuccessful update of the EEPROM is indicated by a different blinking 
+pattern corresponding to the specific error.
+
+If an HDMI display is attached, then the screen will display green for
+success or red if a failure occurs.
+
+Once the EEPROM is updated, the SD card can be removed. In order to make
+the entire capacity of the SD card available again, you must then reformat
+the SD card using Raspberry Pi Imager by selecting the 'format card as 
+FAT32' option.

imager/make-beta-release

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+script_dir=$(cd "$(dirname "$0")" && pwd)
+
+firmware_status=${firmware_status:-"beta"}
+firmware_dir=${script_dir}/../firmware/${firmware_status}
+pieeprom_version=$(basename $(ls ${firmware_dir}/pieeprom-*.bin | sort -V | tail -1) .bin | cut -d- -f2-5)
+vl805_version=$(basename $(ls ${firmware_dir}/vl805-*.bin | sort -V | tail -1) .bin | cut -d- -f2)
+
+${script_dir}/make-release ${firmware_status} ${pieeprom_version} ${vl805_version} "${script_dir}" ${firmware_status}_release rpi-boot-eeprom-recovery-${firmware_status}
+

imager/make-imager-release

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+script_dir=$(cd "$(dirname "$0")" && pwd)
+
+${script_dir}/make-release critical 2021-04-29 000138a1 "${script_dir}" release rpi-boot-eeprom-recovery

imager/make-recovery-images

@@ -0,0 +1,62 @@
+#!/bin/sh
+
+set -e
+
+die() {
+   echo "$@" >&2
+   exit 1
+}
+
+cleanup() {
+   if [ -d "${TMP_DIR}" ]; then
+      rm -rf "${TMP_DIR}"
+   fi
+}
+
+trap cleanup EXIT
+
+[ "$(id -u)" = "0" ] || die "$(basename $0) must be run as root"
+[ -n "${SUDO_UID}" ] || die "SUDO_UID not defined"
+[ -n "${SUDO_GID}" ] || die "SUDO_GID not defined"
+
+for src in release/*.zip; do
+   src=$(basename "${src}")
+   img=$(echo "${src}" | sed 's/\.zip/.img/')
+   TMP_DIR=$(mktemp -d)
+   (
+      cp "release/${src}" "${TMP_DIR}"
+      mkdir "${TMP_DIR}/files"
+      cd "${TMP_DIR}/files"
+      unzip "../${src}"
+      cd "${TMP_DIR}"
+      dd if=/dev/zero bs=1M count=258 of=temp.img
+      /sbin/sfdisk temp.img <<EOF
+label: dos
+label-id: 0x0a7b5ac5
+device: temp.img
+unit: sectors
+
+./test.img1 : start=        2048, size=       524288, type=c
+EOF
+      file temp.img
+      kpartx -lv temp.img | head -n1 | awk '{print $1}'
+      LOOP="/dev/mapper/$(kpartx -lv temp.img | head -n1 | awk '{print $1}')"
+      kpartx -av temp.img
+      /sbin/mkfs.fat -F 32 -s 1 "${LOOP}"
+      mkdir fs
+      mount "${LOOP}" fs
+      cp -v files/* fs
+      sync
+      umount fs
+      kpartx -dv temp.img
+   )
+   mkdir -p images
+   chown "${SUDO_UID}:${SUDO_GID}" images
+   mv "${TMP_DIR}/temp.img" "images/${img}"
+   file "images/${img}"
+   cd images
+   zip "${src}" "${img}"
+   cd ..
+   rm "images/${img}"
+   chown "${SUDO_UID}:${SUDO_GID}" "images/${src}"
+done

imager/make-release

@@ -1,7 +1,8 @@
 #!/bin/sh
 
 # Generates three variants of the rpi-eeprom-recovery.zip file for
-# SD, USB and NETWORK priority matching the raspi-config options.
+# SD, USB and NETWORK priority matching the raspi-config options,
+# plus a default (same as SD)
 
 set -e
 
@@ -27,39 +28,61 @@ gen_release() {
    [ -f "${config}" ] || die "File not found \"${config}\""
 
    (
-      tmp_dir="$(mktemp -d)"
+      tmp_dir="$(mktemp -d --tmpdir tmp.rpi-eeprom.XXXXXXXXXX)"
       cd "${tmp_dir}"
-      cp "${script_dir}/vl805.bin" .
       cp "${script_dir}/README.txt" .
+      cp "${firmware_dir}/recovery.bin" .
+      cp "${firmware_dir}/vl805-${vl805_version}.bin" vl805.bin
       sha256sum vl805.bin | awk '{print $1}' > vl805.sig
 
       "${script_dir}/../rpi-eeprom-config" \
-         --config "${script_dir}/${config}" --out pieeprom.bin \
-         "${script_dir}/pieeprom.bin" || die "Failed to create update EEPROM config with  \"${config}\""
+         --config "${config}" --out pieeprom.bin \
+         "${firmware_dir}/pieeprom-${pieeprom_version}.bin" || die "Failed to create updated EEPROM config with \"${config}\""
       sha256sum pieeprom.bin | awk '{print $1}' > pieeprom.sig
       echo "Creating ${out}"
       zip "${out}" *
+      cleanup
    )
 }
 
 usage() {
 cat <<EOF
-   make-release <tag>
+   make-release <firmware_status> <pieeprom_version> <vl805_version> <config_dir> <output_dir> <output_basename>
 
-   Example tag "2020-09-03-vl805-000138a1"
+   Example: make-release critical 2020-09-03 000138a1 . release rpi-boot-eeprom-recovery
 EOF
 exit
 }
 
 trap cleanup EXIT
-tag="${1}"
-[ -n "${tag}" ] || usage
-release_dir="${script_dir}/release"
-rm -rf "${release_dir}"
-mkdir "${release_dir}"
+firmware_status="${1}"
+pieeprom_version="${2}"
+vl805_version="${3}"
+config_dir="${4}"
+output_dir="${5}"
+output_basename="${6}"
+
+[ -n "${firmware_status}" ] || usage
+[ -n "${pieeprom_version}" ] || usage
+[ -n "${vl805_version}" ] || usage
+[ -n "${config_dir}" ] || usage
+[ -n "${output_dir}" ] || usage
+[ -n "${output_basename}" ] || usage
+
+firmware_dir=${script_dir}/../firmware/${firmware_status}
+[ -d "${firmware_dir}" ] || (echo "${firmware_dir} doesn't exist" && exit 1)
+[ -f "${firmware_dir}/pieeprom-${pieeprom_version}.bin" ] || (echo "${firmware_status}/pieeprom-${pieeprom_version}.bin doesn't exist" && exit 1)
+[ -f "${firmware_dir}/vl805-${vl805_version}.bin" ] || (echo "${firmware_status}/vl805-${vl805_version}.bin doesn't exist" && exit 1)
+[ -d "${config_dir}" ] || (echo "${config_dir} doesn't exist" && exit 1)
+tag="${pieeprom_version}-vl805-${vl805_version}"
+# use realpath to ensure paths are absolute
+config_dir=$(realpath "${config_dir}")
+output_dir=$(realpath "${output_dir}")
+rm -rf "${output_dir}"
+mkdir "${output_dir}"
 
 # Build the different boot priority flavours
-gen_release boot-conf-default.txt "${release_dir}/rpi-boot-eeprom-recovery-${tag}.zip"
-gen_release boot-conf-sd.txt "${release_dir}/rpi-boot-eeprom-recovery-${tag}-sd.zip"
-gen_release boot-conf-usb.txt "${release_dir}/rpi-boot-eeprom-recovery-${tag}-usb.zip"
-gen_release boot-conf-network.txt "${release_dir}/rpi-boot-eeprom-recovery-${tag}-network.zip"
+gen_release "${config_dir}/boot-conf-default.txt" "${output_dir}/${output_basename}-${tag}.zip"
+for variant in sd usb network; do
+   gen_release "${config_dir}/boot-conf-${variant}.txt" "${output_dir}/${output_basename}-${tag}-${variant}.zip"
+done

imager/pieeprom.bin

@@ -1 +0,0 @@
-../firmware/critical/pieeprom-2020-09-03.bin

imager/recovery.bin

@@ -1 +0,0 @@
-../firmware/critical/recovery.bin

imager/vl805.bin

@@ -1 +0,0 @@
-../firmware/critical/vl805-000138a1.bin

releases.md

@@ -1,20 +1,18 @@
-# rpi-eeprom releases
-This page provides links to the production and development release images for the Raspberry Pi 4 bootloader EEPROM. Normally, the 
-bootloader is automatically updated after an APT update via the [rpi-eeprom-update](https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md)
-utility. However, it's sometimes more convenient to use a recovery image to program the EEPROM with default settings for a given release, rather than updating via Linux.
+# Raspberry Pi 4B, 400 and CM4 bootloader EEPROM releases
+This page provides links to the production and development release images for the bootloader EEPROM on BCM2711-based Raspberry Pi computers. Normally, the 
+bootloader is automatically updated after an APT update via the [rpi-eeprom-update](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#automatic-updates) utility.
 
 ## Release notes
 Release notes are available [here](https://github.com/raspberrypi/rpi-eeprom/blob/master/firmware/release-notes.md).
 
-## Recovery image
-The latest production EEPROM recovery image release is [2020-09-03](https://github.com/raspberrypi/rpi-eeprom/releases/tag/v2020.09.03-138a1) and can be installed via the [Raspberry Pi Imager](https://www.raspberrypi.org/downloads/).
+## Default release
+The default production EEPROM image release is [2020-09-03](https://github.com/raspberrypi/rpi-eeprom/releases/tag/v2020.09.03-138a1) and can be installed via the [Raspberry Pi Imager](https://www.raspberrypi.org/downloads/).
 
 ## USB MSD boot
-USB mass storage boot requires the 2020-09-03 EEPROM images and Raspberry Pi OS 2020-08-20 or newer.
-
-For support please see use the Raspberry Pi [general discussion](https://www.raspberrypi.org/forums/viewforum.php?f=63) forum.
+Please see the [USB mass storage boot](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#usb-mass-storage-boot) guide.
+For support or hardware interoperability discussions please use the Raspberry Pi [general discussion](https://forums.raspberrypi.com/viewforum.php?f=63) forum.
 
 ## Old EEPROM images
-Old bootloader images are periodically removed from the APT package to reduce the disk space but are still available via Github [here](https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware/old)
+Old bootloader images are periodically removed from the APT package to reduce the disk space, but are still available via Github [here](https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware/old).
 
-**N.B. These are not supported and may fail to boot on newer hardware revisions.**
+**Old releases may fail to boot on newer hardware revisions.**

rpi-eeprom-config

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 """
 rpi-eeprom-config
@@ -8,6 +8,7 @@ import argparse
 import atexit
 import os
 import subprocess
+import string
 import struct
 import sys
 import tempfile
@@ -15,7 +16,12 @@ import time
 
 IMAGE_SIZE = 512 * 1024
 
-MAX_BOOTCONF_SIZE = 2024
+# Larger files won't with with "vcgencmd bootloader_config"
+MAX_FILE_SIZE = 2024
+ALIGN_SIZE = 4096
+BOOTCONF_TXT = 'bootconf.txt'
+BOOTCONF_SIG = 'bootconf.sig'
+PUBKEY_BIN = 'pubkey.bin'
 
 # Each section starts with a magic number followed by a 32 bit offset to the
 # next section (big-endian).
@@ -26,12 +32,18 @@ MAX_BOOTCONF_SIZE = 2024
 # The last 4KB of the EEPROM image is reserved for internal use by the
 # bootloader and may be overwritten during the update process.
 MAGIC = 0x55aaf00f
+PAD_MAGIC = 0x55aafeef
 MAGIC_MASK = 0xfffff00f
-FILE_MAGIC = 0x55aaf11f # id for modifiable file, currently only bootconf.txt
+FILE_MAGIC = 0x55aaf11f # id for modifiable files
 FILE_HDR_LEN = 20
 FILENAME_LEN = 12
 TEMP_DIR = None
 
+DEBUG = False
+def debug(s):
+    if DEBUG:
+        sys.stderr.write(s + '\n')
+
 def rpi4():
     compatible_path = "/sys/firmware/devicetree/base/compatible"
     if os.path.exists(compatible_path):
@@ -59,6 +71,25 @@ def create_tempdir():
     if TEMP_DIR is None:
         TEMP_DIR = tempfile.mkdtemp()
 
+def pemtobin(infile):
+    """
+    Converts an RSA public key into the format expected by the bootloader.
+    """
+    # Import the package here to make this a weak dependency.
+    from Cryptodome.PublicKey import RSA
+
+    arr = bytearray()
+    f = open(infile,'r')
+    key = RSA.importKey(f.read())
+
+    if key.size_in_bits() != 2048:
+        raise Exception("RSA key size must be 2048")
+
+    # Export N and E in little endian format
+    arr.extend(key.n.to_bytes(256, byteorder='little'))
+    arr.extend(key.e.to_bytes(8, byteorder='little'))
+    return arr
+
 def exit_error(msg):
     """
     Trapped a fatal error, output message to stderr and exit with non-zero
@@ -109,9 +140,13 @@ def apply_update(config, eeprom=None, config_src=None):
     else:
         eeprom_image = get_latest_eeprom()
     create_tempdir()
+
+    # Replace the contents of bootconf.txt with the contents of the config file
     tmp_update = os.path.join(TEMP_DIR, 'pieeprom.upd')
     image = BootloaderImage(eeprom_image, tmp_update)
-    image.write(config)
+    image.update_file(config, BOOTCONF_TXT)
+    image.write()
+
     config_str = open(config).read()
     if config_src is None:
         config_src = ''
@@ -145,7 +180,7 @@ def edit_config(eeprom=None):
     if os.path.exists(pending):
         config_src = pending
         image = BootloaderImage(pending)
-        current_config = image.get_config().decode('utf-8')
+        current_config = image.get_file(BOOTCONF_TXT).decode('utf-8')
     else:
         current_config, config_src = read_current_config()
 
@@ -180,6 +215,14 @@ def read_current_config():
 
     return (shell_cmd(['vcgencmd', 'bootloader_config']), "vcgencmd bootloader_config")
 
+class ImageSection:
+    def __init__(self, magic, offset, length, filename=''):
+        self.magic = magic
+        self.offset = offset
+        self.length = length
+        self.filename = filename
+        debug("ImageSection %x %x %x %s" % (magic, offset, length, filename))
+
 class BootloaderImage(object):
     def __init__(self, filename, output=None):
         """
@@ -187,6 +230,7 @@ class BootloaderImage(object):
         and optionally an output filename.
         """
         self._filename = filename
+        self._sections = []
         try:
             self._bytes = bytearray(open(filename, 'rb').read())
         except IOError as err:
@@ -198,47 +242,112 @@ class BootloaderImage(object):
         if len(self._bytes) != IMAGE_SIZE:
             exit_error("%s: Expected size %d bytes actual size %d bytes" %
                        (filename, IMAGE_SIZE, len(self._bytes)))
+        self.parse()
 
-    def find_config(self):
+    def parse(self):
+        """
+        Builds a table of offsets to the different sections in the EEPROM.
+        """
         offset = 0
         magic = 0
+        found = False
         while offset < IMAGE_SIZE:
             magic, length = struct.unpack_from('>LL', self._bytes, offset)
-            if (magic & MAGIC_MASK) != MAGIC:
-                raise Exception('EEPROM is corrupted')
+            if magic == 0x0 or magic == 0xffffffff:
+                break # EOF
+            elif (magic & MAGIC_MASK) != MAGIC:
+                raise Exception('EEPROM is corrupted %x %x %x' % (magic, magic & MAGIC_MASK, MAGIC))
 
+            filename = ''
             if magic == FILE_MAGIC: # Found a file
-                name = self._bytes[offset + 8: offset + FILE_HDR_LEN]
-                if name.decode('utf-8') == 'bootconf.txt':
-                    return (offset, length)
+                # Discard trailing null characters used to pad filename
+                filename = self._bytes[offset + 8: offset + FILE_HDR_LEN].decode('utf-8').replace('\0', '')
+            self._sections.append(ImageSection(magic, offset, length, filename))
 
             offset += 8 + length # length + type
             offset = (offset + 7) & ~7
 
-        raise Exception('EEPROM parse error: Bootloader config not found')
+    def find_file(self, filename):
+        """
+        Returns the offset, length and whether this is the last section in the
+        EEPROM for a modifiable file within the image.
+        """
+        ret = (-1, -1, False)
+        for i in range(0, len(self._sections)):
+            s = self._sections[i]
+            if s.magic == FILE_MAGIC and s.filename == filename:
+                is_last = (i == len(self._sections) - 1)
+                ret = (s.offset, s.length, is_last)
+                break
+        debug('%s offset %d length %d last %s' % (filename, ret[0], ret[1], ret[2]))
+        return ret
 
-    def write(self, new_config):
-        hdr_offset, length = self.find_config()
-        new_config_bytes = open(new_config, 'rb').read()
-        new_len = len(new_config_bytes) + FILENAME_LEN + 4
-        if len(new_config_bytes) > MAX_BOOTCONF_SIZE:
-            raise Exception("Config is too large (%d bytes). The maximum size is %d bytes."
-                            % (len(new_config_bytes), MAX_BOOTCONF_SIZE))
-        if hdr_offset + len(new_config_bytes) + FILE_HDR_LEN > IMAGE_SIZE:
+    def update(self, src_bytes, dst_filename):
+        """
+        Replaces a modifiable file with specified byte array.
+        """
+        hdr_offset, length, is_last = self.find_file(dst_filename)
+        if hdr_offset < 0:
+            raise Exception('Update target %s not found' % dst_filename)
+
+        if hdr_offset + len(src_bytes) + FILE_HDR_LEN > IMAGE_SIZE:
             raise Exception('EEPROM image size exceeded')
 
+        new_len = len(src_bytes) + FILENAME_LEN + 4
         struct.pack_into('>L', self._bytes, hdr_offset + 4, new_len)
-        struct.pack_into(("%ds" % len(new_config_bytes)), self._bytes,
-                         hdr_offset + 4 + FILE_HDR_LEN, new_config_bytes)
+        struct.pack_into(("%ds" % len(src_bytes)), self._bytes,
+                         hdr_offset + 4 + FILE_HDR_LEN, src_bytes)
 
-        # If the new config is smaller than the old config then set any old
+        # If the new file is smaller than the old file then set any old
         # data which is now unused to all ones (erase value)
-        pad_start = hdr_offset + 4 + FILE_HDR_LEN + len(new_config_bytes)
+        pad_start = hdr_offset + 4 + FILE_HDR_LEN + len(src_bytes)
+
+        # Add padding up to 8-byte boundary
+        while pad_start % 8 != 0:
+            struct.pack_into('B', self._bytes, pad_start, 0xff)
+            pad_start += 1
+
+        # Create a padding section unless the padding size is smaller than the
+        # size of a section head. Padding is allowed in the last section but
+        # by convention bootconf.txt is the last section and there's no need to
+        # pad to the end of the sector. This also ensures that the loopback
+        # config read/write tests produce identical binaries.
+        pad_bytes = ALIGN_SIZE - (pad_start % ALIGN_SIZE)
+        if pad_bytes > 8 and not is_last:
+            pad_bytes -= 8
+            struct.pack_into('>i', self._bytes, pad_start, PAD_MAGIC)
+            pad_start += 4
+            struct.pack_into('>i', self._bytes, pad_start, pad_bytes)
+            pad_start += 4
+
+        debug("pad %d" % pad_bytes)
         pad = 0
-        while pad < (length - len(new_config_bytes)):
+        while pad < pad_bytes:
             struct.pack_into('B', self._bytes, pad_start + pad, 0xff)
             pad = pad + 1
 
+    def update_key(self, src_pem, dst_filename):
+        """
+        Replaces the specified public key entry with the public key values extracted
+        from the source PEM file.
+        """
+        pubkey_bytes = pemtobin(src_pem)
+        self.update(pubkey_bytes, dst_filename)
+
+    def update_file(self, src_filename, dst_filename):
+        """
+        Replaces the contents of dst_filename in the EEPROM with the contents of src_file.
+        """
+        src_bytes = open(src_filename, 'rb').read()
+        if len(src_bytes) > MAX_FILE_SIZE:
+            raise Exception("src file %s is too large (%d bytes). The maximum size is %d bytes."
+                            % (src_filename, len(src_bytes), MAX_FILE_SIZE))
+        self.update(src_bytes, dst_filename)
+
+    def write(self):
+        """
+        Writes the updated EEPROM image to stdout or the specified output file.
+        """
         if self._out is not None:
             self._out.write(self._bytes)
             self._out.close()
@@ -248,14 +357,14 @@ class BootloaderImage(object):
             else:
                 sys.stdout.write(self._bytes)
 
-    def get_config(self):
-        hdr_offset, length = self.find_config()
+    def get_file(self, filename):
+        hdr_offset, length, is_last = self.find_file(filename)
         offset = hdr_offset + 4 + FILE_HDR_LEN
         config_bytes = self._bytes[offset:offset+length-FILENAME_LEN-4]
         return config_bytes
 
     def read(self):
-        config_bytes = self.get_config()
+        config_bytes = self.get_file('bootconf.txt')
         if self._out is not None:
             self._out.write(config_bytes)
             self._out.close()
@@ -322,8 +431,21 @@ Operating modes:
    The default text editor is nano and may be overridden by setting the 'EDITOR'
    environment variable and passing '-E' to 'sudo' to preserve the environment.
 
-See 'rpi-eeprom-update -h' for more information about the available EEPROM
-images.
+6. Signing the bootloader config file.
+   Updates an EEPROM binary with a signed config file (created by rpi-eeprom-digest) plus
+   the corresponding RSA public key.
+
+   Requires Python Cryptodomex libraries and OpenSSL. To install on Raspberry Pi OS run:-
+   sudo apt install openssl python-pip
+   sudo python3 -m pip install cryptodomex
+
+   rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
+   rpi-eeprom-config --config bootconf.txt --digest bootconf.sig --pubkey public.pem --out pieeprom-signed.bin pieeprom.bin
+
+   Currently, the signing process is a separate step so can't be used with the --edit or --apply modes.
+
+
+See 'rpi-eeprom-update -h' for more information about the available EEPROM images.
 """
     parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,
                                      description=description)
@@ -333,6 +455,8 @@ images.
     parser.add_argument('-c', '--config', help='Name of bootloader configuration file', required=False)
     parser.add_argument('-e', '--edit', action='store_true', default=False, help='Edit the current EEPROM config')
     parser.add_argument('-o', '--out', help='Name of output file', required=False)
+    parser.add_argument('-d', '--digest', help='Signed boot only. The name of the .sig file generated by rpi-eeprom-dgst for config.txt ', required=False)
+    parser.add_argument('-p', '--pubkey', help='Signed boot only. The name of the RSA public key file to store in the EEPROM', required=False)
     parser.add_argument('eeprom', nargs='?', help='Name of EEPROM file to use as input')
     args = parser.parse_args()
 
@@ -353,7 +477,12 @@ images.
         if args.config is not None:
             if not os.path.exists(args.config):
                 exit_error("config file '%s' not found" % args.config)
-            image.write(args.config)
+            image.update_file(args.config, BOOTCONF_TXT)
+            if args.digest is not None:
+                image.update_file(args.digest, BOOTCONF_SIG)
+            if args.pubkey is not None:
+                image.update_key(args.pubkey, PUBKEY_BIN)
+            image.write()
         else:
             image.read()
     elif args.config is None and args.eeprom is None:

rpi-eeprom-digest

@@ -0,0 +1,110 @@
+#!/bin/sh
+
+# Helper script to generate .sig files for use with the Raspberry Pi bootloader.
+
+# This has been implemented in a separate script in order to have avoid having
+# a hard dependency on OpenSSL.
+
+set -e
+
+OPENSSL=${OPENSSL:-openssl}
+
+die() {
+   echo "$@" >&2
+   exit 1
+}
+
+TMP_DIR=""
+cleanup() {
+   if [ -f "${TMP_DIR}" ]; then
+      rm -rf "${TMP_DIR}"
+   fi
+}
+
+checkDependencies() {
+   if ! command -v sha256sum > /dev/null; then
+      die "sha256sum not found. Try installing the coreutilities package."
+   fi
+
+   if [ -n "${KEY}" ]; then
+      if ! command -v ${OPENSSL} > /dev/null; then
+         die "${OPENSSL} not found. Try installing the openssl package."
+      fi
+
+      if ! command -v xxd > /dev/null; then
+         die "xxd not found. Try installing the xxd package."
+      fi
+   fi
+}
+
+usage() {
+cat <<EOF
+rpi-eeprom-digest [-k RSA_KEY] -i IMAGE -o OUTPUT
+
+Creates a .sig file containing the sha256 digest of the IMAGE and an optional
+RSA signature of that hash.
+
+Options:
+   -i The source image.
+   -o The name of the digest/signature file.
+   -k Optional RSA private key.
+
+RSA signing
+If a private key in PEM format is supplied then the RSA signature of the
+sha256 digest is included in the .sig file. Currently, the bootloader only
+supports sha256 digests signed with a 2048bit RSA key.
+The bootloader only verifies RSA signatures in signed boot mode
+(not available yet) and only for the EEPROM config file and the signed image.
+
+Examples:
+
+# Generate RSA signature for the EEPROM config file.
+rpi-eeprom-digest -k key.pem -i bootconf.txt  -o bootconf.sig
+
+# Generate the normal sha256 hash to guard against file-system corruption
+rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
+rpi-eeprom-digest -i vl805.bin -o vl805.sig
+
+EOF
+exit 0
+}
+
+OUTPUT=""
+while getopts i:k:ho: option; do
+   case "${option}" in
+   i) IMAGE="${OPTARG}"
+      ;;
+   k) KEY="${OPTARG}"
+      ;;
+   o) OUTPUT="${OPTARG}"
+      ;;
+   h) usage
+      ;;
+   *) echo "Unknown argument \"${option}\""
+      usage
+      ;;
+   esac
+done
+
+[ -n "${IMAGE}" ] || usage
+[ -n "${OUTPUT}" ] || usage
+
+trap cleanup EXIT
+
+checkDependencies
+
+[ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
+
+TMP_DIR=$(mktemp -d)
+SIG_TMP="${TMP_DIR}/tmp.sig"
+sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}"
+
+# Include the update-timestamp
+echo "ts: $(date -u +%s)" >> "${OUTPUT}"
+
+if [ -n "${KEY}" ]; then
+   [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
+
+   "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
+   echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
+fi

rpi-eeprom-update

@@ -30,10 +30,13 @@ FIRMWARE_BACKUP_DIR=${FIRMWARE_BACKUP_DIR:-/var/lib/raspberrypi/bootloader/backu
 ENABLE_VL805_UPDATES=${ENABLE_VL805_UPDATES:-1}
 RECOVERY_BIN=${RECOVERY_BIN:-${FIRMWARE_ROOT}/${FIRMWARE_RELEASE_STATUS}/recovery.bin}
 BOOTFS=${BOOTFS:-/boot}
-VCMAILBOX=${VCMAILBOX:-/opt/vc/bin/vcmailbox}
 CM4_ENABLE_RPI_EEPROM_UPDATE=${CM4_ENABLE_RPI_EEPROM_UPDATE:-0}
 RPI_EEPROM_UPDATE_CONFIG_TOOL="${RPI_EEPROM_UPDATE_CONFIG_TOOL:-raspi-config}"
 
+# Automatic, critical updates are not applied unless the current bootloader version
+# is older than pieeprom-2020-09-03
+BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1599135103}"
+
 DT_BOOTLOADER_TS=${DT_BOOTLOADER_TS:-/proc/device-tree/chosen/bootloader/build-timestamp}
 
 EXIT_SUCCESS=0
@@ -54,8 +57,8 @@ BOARD_TYPE=
 # Newer board revisions embed the VLI firmware in the bootloader EEPROM and
 # there is no way to separately update the VLI firmware. Consequently,
 # standalone vl805 update files do not trigger automatic updates.
-# Recovery.bin and the the SPI bootloader ignore vl805.bin files on boards
-# without a dedicate VL805 EEPROM.
+# recovery.bin and the SPI bootloader ignore vl805.bin files on boards
+# without a dedicated VL805 EEPROM.
 HAVE_VL805_EEPROM=0
 
 TMP_EEPROM_IMAGE=""
@@ -170,41 +173,28 @@ applyRecoveryUpdate()
 {
    [ -n "${BOOTLOADER_UPDATE_IMAGE}" ] || [ -n "${VL805_UPDATE_IMAGE}" ] || die "No update images specified"
 
-   findBootFS
-   echo "BOOTFS ${BOOTFS}"
+   getBootloaderCurrentVersion
+   BOOTLOADER_UPDATE_VERSION=$(strings "${BOOTLOADER_UPDATE_IMAGE}" | grep BUILD_TIMESTAMP | sed 's/.*=//g')
+   if [ "${BOOTLOADER_CURRENT_VERSION}" -gt "${BOOTLOADER_UPDATE_VERSION}" ]; then
+      echo "   WARNING: Installing an older bootloader version."
+      echo "            Update the rpi-eeprom package to fetch the latest bootloader images."
+      echo
+   fi
+   echo "   CURRENT: $(date -u "-d@${BOOTLOADER_CURRENT_VERSION}") (${BOOTLOADER_CURRENT_VERSION})"
+   echo "    UPDATE: $(date -u "-d@${BOOTLOADER_UPDATE_VERSION}") (${BOOTLOADER_UPDATE_VERSION})"
+
+   findBootFS
+   echo "    BOOTFS: ${BOOTFS}"
 
-   # A '.sig' file is created so that recovery.bin can check that the
-   # EEPROM image has not been corrupted (e.g. SD card corruption).
-   # Format of the .sig file.
-   # --
-   # SHA256\n
-   # ts: UPDATE-TIMESTAMP\n
-   # --
-   # SHA256 is a 64 character hex string
-   # UPDATE-TIMESTAMP is an unsigned decimal.
-   #
-   # The 'filename' output from sha256 MUST be omitted.
    if [ -n "${BOOTLOADER_UPDATE_IMAGE}" ]; then
         [ -f "${BOOTLOADER_UPDATE_IMAGE}" ] || die "${BOOTLOADER_UPDATE_IMAGE} not found"
 
         TMP_EEPROM_IMAGE="$(mktemp)"
         prepareImage
-        # If recovery.bin encounters pieeprom.upd then it will select it in
-        # preference to pieeprom.bin. The .upd file also causes recovery.bin
-        # to rename itself to recovery.000 and reboot if the update is successful.
-        # The rename causes the ROM to ignore this file and use the newly flashed
-        # EEPROM image instead.
-        sha256sum "${TMP_EEPROM_IMAGE}" | awk '{print $1}' > "${BOOTFS}/pieeprom.sig" \
-                || die "Failed to create ${BOOTFS}/pieeprom.sig"
 
-        # Appends the update creation timestamp on a newline in pieeprom.sig
-        # During a self-update mode the bootloader examines the update-timestamp
-        # and will only update itself if it is newer than the current update
-        # timestamp.
-        #
-        # The update-timestamp is independent of the bootloader version and
-        # does not have to be timestamp.
-        echo "ts: $(date -u +%s)" >> "${BOOTFS}/pieeprom.sig"
+        # Generate a .sig file containing the sha256 hash of the EEPROM image
+        # and the current timestamp.
+        rpi-eeprom-digest -i "${TMP_EEPROM_IMAGE}" -o "${BOOTFS}/pieeprom.sig"
 
         cp -f "${TMP_EEPROM_IMAGE}" "${BOOTFS}/pieeprom.upd" \
                 || die "Failed to copy ${TMP_EEPROM_IMAGE} to ${BOOTFS}"
@@ -215,8 +205,7 @@ applyRecoveryUpdate()
    fi
 
    if [ -n "${VL805_UPDATE_IMAGE}" ]; then
-        sha256sum "${VL805_UPDATE_IMAGE}" | awk '{print $1}' > "${BOOTFS}/vl805.sig" \
-                || die "Failed to create ${BOOTFS}/vl805.sig"
+        rpi-eeprom-digest -i "${VL805_UPDATE_IMAGE}" -o "${BOOTFS}/vl805.sig"
 
         cp -f "${VL805_UPDATE_IMAGE}" "${BOOTFS}/vl805.bin" \
                 || die "Failed to copy ${VL805_UPDATE_IMAGE} to ${BOOTFS}/vl805.bin"
@@ -228,6 +217,10 @@ applyRecoveryUpdate()
 
    cp -f "${RECOVERY_BIN}" "${BOOTFS}/recovery.bin" \
       || die "Failed to copy ${RECOVERY_BIN} to ${BOOTFS}"
+
+   echo ""
+   echo "EEPROM updates pending. Please reboot to apply the update."
+   echo "To cancel a pending update run \"sudo rpi-eeprom-update -r\"."
 }
 
 applyUpdate() {
@@ -297,13 +290,14 @@ checkDependencies() {
       BOARD_INFO="$(od -v -An -t x1 /sys/firmware/devicetree/base/system/linux,revision | tr -d ' \n')"
    elif grep -q Revision /proc/cpuinfo; then
       BOARD_INFO="$(sed -n '/^Revision/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo)"
-   else
+   elif command -v vcgencmd > /dev/null; then
       BOARD_INFO="$(vcgencmd otp_dump | grep '30:' | sed 's/.*://')"
+   else
+      echo "No Raspberry Pi board info found"
+      exit ${EXIT_SUCCESS}
    fi
 
-   if [ $(((0x$BOARD_INFO >> 23) & 1)) -ne 0 ] && [ $(((0x$BOARD_INFO >> 12) & 15)) -eq 3 ]; then
-      echo "BCM2711 detected"
-   else
+   if [ $(((0x$BOARD_INFO >> 23) & 1)) -eq 0 ] || [ $(((0x$BOARD_INFO >> 12) & 15)) -ne 3 ]; then
       # Not a BCM2711, no EEPROMs to update.
       echo "This tool only works with a Raspberry Pi 4"
       exit ${EXIT_SUCCESS}
@@ -319,13 +313,15 @@ checkDependencies() {
    fi
 
    if [ ${BOARD_TYPE} -eq 17 ] && [ ${BOARD_REVISION} -lt 4 ]; then
-      echo "Dedicated VL805 EEPROM detected"
       HAVE_VL805_EEPROM=1
    else
-      echo "VL805 firmware in bootloader EEPROM"
       HAVE_VL805_EEPROM=0
    fi
 
+   if ! command -v rpi-eeprom-digest > /dev/null; then
+      die "rpi-eeprom-digest not found. Try re-installing the rpi-eeprom package"
+   fi
+
    if ! command -v lspci > /dev/null; then
       die "lspci not found. Try installing the pciutils package."
    fi
@@ -368,7 +364,7 @@ rpi-eeprom-update [options]... [FILE]
 Bootloader EEPROM update tool for the Raspberry Pi 4.
 
 Checks whether the Raspberry Pi 4 bootloader and the VL805 USB controller
-EEPROMs are up-to-date and optionally updates the EEPROMs at the next reboot.
+EEPROMs are up to date and optionally updates the EEPROMs at the next reboot.
 
 The default update mechanism writes recovery.bin and the EEPROM update
 image(s) (pieeprom.upd and vl805.bin) to the boot partition.
@@ -398,18 +394,22 @@ Options:
    -b Outputs the path that pending EEPROM updates will be written to.
    -d Use the default bootloader config, or if a file is specified using the -f
       flag use the config in that file. This option only applies when a
-      bootloader EEPROM update is needed; if the bootloader EEPROM is up-to-date
+      bootloader EEPROM update is needed; if the bootloader EEPROM is up to date
       then its config will not be changed.
    -f Install the given file instead of the latest applicable update
       Ignores the FREEZE_VERSION flag in bootloader and is intended for manual
       firmware updates.
    -h Display help text and exit
    -i Ignore package checksums - for rpi-eeprom developers.
-   -j Write status information using JSON notation
+   -j Write status information using JSON notation (requires -m option)
    -l Returns the full path to the latest available EEPROM image file according
       to the FIRMWARE_RELEASE_STATUS and FIRMWARE_IMAGE_DIR settings.
    -m Write status information to the given file when run without -a or -f
-   -r Removes temporary EEPROM update files from the boot partition.
+   -r Removes temporary EEPROM update files from the boot partition. This also
+      cancels a pending update.
+   -s Skips silent, automatic upgrades for default releases if the current
+      bootloader release is newer than the version specified by
+      BOOTLOADER_AUTO_UPDATE_MIN_VERSION ${BOOTLOADER_AUTO_UPDATE_MIN_VERSION}
    -u Install the specified VL805 (USB EEPROM) image file.
 
 Environment:
@@ -436,19 +436,18 @@ directory first. The binaries are then promoted to 'latest' and finally 'default
 so the 'default' binary is always the most tested release.
 
 default:
-The default bootloader image which is updated once new features in
-'latest' are stable or for critical hardware or security updates.
-
-Raspberry Pi OS automatically updates the bootloader when a newer 'default' image
-is available following an APT update to the rpi-eeprom package.
+The default bootloader image which supports all current models and hardware
+revisions.
+If a critical bug fix is required then the minimum default version number
+(BOOTLOADER_AUTO_UPDATE_MIN_VERSION) in the rpi-eeprom package is updated
+causing the bootloader to be automatically updated.
 
 latest:
 Contains the latest features which have undergone testing via the 'beta'
-release. The configuration parameters are stable.
-
-beta:
-Contains experimental features and bug fixes. Configuration parameters may
-change in subsequent 'beta' releases.
+release. Backwards compatiblity for configuration parameters is maintained
+once a feature is in the latest release directory.
+If the 'latest' release is selected then bootloader is automatically upgraded
+when the rpi-eeprom package is updated.
 
 As far as rpi-eeprom-update is concerned FIRMWARE_RELEASE_STATUS is just
 the subdirectory mapping under ${FIRMWARE_ROOT}. Therefore, custom release
@@ -471,7 +470,7 @@ To flash the new image:
 The syntax is the same as config.txt See online documentation for the list of parameters.
 
 The official documentation for the Raspberry Pi bootloader EEPROM is available at
-https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md
+   https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-boot-eeprom
 
 Compute Module 4 (CM4):
 
@@ -481,10 +480,7 @@ cause the system to fail to boot so automatic updates are disabled. We also
 recommend write-protecting the SPI EPPROM after flashing it using usbboot.
 
 CM4 bootloader and EEPROM update instructions:
-   https://www.raspberrypi.org/documentation/hardware/computemodule/cm-emmc-flashing.md
-
-usbboot instructions for flashing CM4 EMMC and bootloader EEPROM:
-   https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md
+   https://www.raspberrypi.com/documentation/computers/compute-module.html#compute-module-4-bootloader
 
 The CM4 ROM does not support running recovery.bin from the EMMC on CM4 so this service
 is disabled by default. SELF_UPDATE from USB or Network boot is supported but this
@@ -504,31 +500,35 @@ EOF
 
 printVersions()
 {
-   echo "Checking for updates in ${FIRMWARE_IMAGE_DIR}"
-   echo "Use ${RPI_EEPROM_UPDATE_CONFIG_TOOL} to select either the default-production release or latest update."
-
    if [ "${ACTION_UPDATE_BOOTLOADER}" = 1 ]; then
       echo "BOOTLOADER: update available"
    else
-      echo "BOOTLOADER: up-to-date"
+      echo "BOOTLOADER: up to date"
    fi
 
-   echo "CURRENT: $(date -u "-d@${BOOTLOADER_CURRENT_VERSION}") (${BOOTLOADER_CURRENT_VERSION})"
-   echo " LATEST: $(date -u "-d@${BOOTLOADER_UPDATE_VERSION}") (${BOOTLOADER_UPDATE_VERSION})"
-   echo "RELEASE: ${FIRMWARE_RELEASE_STATUS}"
+   echo "   CURRENT: $(date -u "-d@${BOOTLOADER_CURRENT_VERSION}") (${BOOTLOADER_CURRENT_VERSION})"
+   echo "    LATEST: $(date -u "-d@${BOOTLOADER_UPDATE_VERSION}") (${BOOTLOADER_UPDATE_VERSION})"
+   echo "   RELEASE: ${FIRMWARE_RELEASE_STATUS} (${FIRMWARE_IMAGE_DIR})"
+   echo "            Use ${RPI_EEPROM_UPDATE_CONFIG_TOOL} to change the release."
 
+   echo ""
+   if [ "${HAVE_VL805_EEPROM}" = 1 ]; then
+      echo "  VL805_FW: Dedicated VL805 EEPROM"
+   else
+      echo "  VL805_FW: Using bootloader EEPROM"
+   fi
    if [ "${ACTION_UPDATE_VL805}" = 1 ]; then
-      echo "VL805: update available"
+      echo "   VL805: update available"
    else
       if [ "$(id -u)" = "0" ]; then
-         echo "VL805: up-to-date"
+         echo "     VL805: up to date"
       else
-         echo "VL805: version unknown. Try sudo rpi-eeprom-update"
+         echo "     VL805: version unknown. Try sudo rpi-eeprom-update"
       fi
    fi
 
-   echo "CURRENT: ${VL805_CURRENT_VERSION}"
-   echo " LATEST: ${VL805_UPDATE_VERSION}"
+   echo "   CURRENT: ${VL805_CURRENT_VERSION}"
+   echo "    LATEST: ${VL805_UPDATE_VERSION}"
 }
 
 findBootFS()
@@ -591,12 +591,30 @@ lookupVersionInfo()
 
    getVL805CurrentVersion
 
+   ACTION_UPDATE_BOOTLOADER=0
+   ACTION_UPDATE_VL805=0
+
    if [ "${BOOTLOADER_UPDATE_VERSION}" -gt "${BOOTLOADER_CURRENT_VERSION}" ]; then
       ACTION_UPDATE_BOOTLOADER=1
    else
       BOOTLOADER_UPDATE_IMAGE=""
    fi
 
+   # If the '-s' flag for silent updates is specified then only update the
+   # bootloader if the current version is older than the minimum version.
+   if [ "${SILENT_UPDATE}" = 1 ] && [ -n "${BOOTLOADER_AUTO_UPDATE_MIN_VERSION}" ] && [ "${ACTION_UPDATE_BOOTLOADER}" = 1 ]; then
+      if [ "${FIRMWARE_RELEASE_STATUS}" = "critical" ] || [ "${FIRMWARE_RELEASE_STATUS}" = "default" ]; then
+         if [ "${BOOTLOADER_CURRENT_VERSION}" -ge "${BOOTLOADER_AUTO_UPDATE_MIN_VERSION}" ]; then
+            echo "Skipping automatic bootloader upgrade. current ${BOOTLOADER_CURRENT_VERSION} >= min ${BOOTLOADER_AUTO_UPDATE_MIN_VERSION}"
+            echo ""
+
+            # Clear the update requried flag
+            ACTION_UPDATE_BOOTLOADER=0
+            BOOTLOADER_UPDATE_IMAGE=""
+         fi
+      fi
+   fi
+
    if [ "${HAVE_VL805_EEPROM}" = 1 ]; then
       getVL805UpdateVersion
       if [ -n "${VL805_CURRENT_VERSION}" ] && [ -n "${VL805_UPDATE_VERSION}" ]; then
@@ -629,9 +647,10 @@ checkAndApply()
 
    if [ "${ACTION_UPDATE_BOOTLOADER}" = 1 ] || [ "${ACTION_UPDATE_VL805}" = 1 ]; then
       echo "*** INSTALLING EEPROM UPDATES ***"
+      echo ""
+
       printVersions
       applyUpdate
-      echo "EEPROM updates pending. Please reboot to apply the update."
    else
       printVersions
    fi
@@ -641,6 +660,7 @@ fileUpdate()
 {
    removePreviousUpdates
    echo "*** INSTALLING ${BOOTLOADER_UPDATE_IMAGE} ${VL805_UPDATE_IMAGE} ***"
+   echo
 
    if [ -n "${BOOTLOADER_UPDATE_IMAGE}" ]; then
       [ -f "${BOOTLOADER_UPDATE_IMAGE}" ] || die "Bootloader image \"${BOOTLOADER_UPDATE_IMAGE}\" not found"
@@ -651,7 +671,6 @@ fileUpdate()
    fi
 
    applyUpdate
-   echo "EEPROM update pending. Please reboot to apply the update."
 }
 
 removePreviousUpdates()
@@ -676,7 +695,7 @@ checkVersion()
 {
    lookupVersionInfo
 
-   if [ "${BOOTLOADER_UPDATE_VERSION}" -gt "${BOOTLOADER_CURRENT_VERSION}" ]; then
+   if [ "${ACTION_UPDATE_BOOTLOADER}" = 1 ] || [ "${ACTION_UPDATE_VL805}" = 1 ]; then
       echo "*** UPDATE AVAILABLE ***"
       printVersions
       write_status_info "EXIT_UPDATE_REQUIRED"
@@ -697,11 +716,13 @@ write_status_info()
    bootloader_new="${BOOTLOADER_UPDATE_VERSION:-0}"
    vl805_cur="${VL805_CURRENT_VERSION}"
    vl805_new="${VL805_UPDATE_VERSION}"
+   min_ver=${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-0}
 
     if [ "${JSON_OUTPUT}" = "no" ]; then
       [ "${HAVE_VL805_EEPROM}" = "0" ] && vl805_eeprom="no" || vl805_eeprom="yes"
       cat > "${MACHINE_OUTPUT}" <<EOF
 EXITCODE="${exit_code}"
+BOOTLOADER_AUTO_UPDATE_MIN_VERSION=${min_ver}
 BOOTLOADER_CURRENT=${bootloader_cur}
 BOOTLOADER_LATEST=${bootloader_new}
 VL805_CURRENT="${vl805_cur}"
@@ -713,6 +734,7 @@ EOF
       cat > "${MACHINE_OUTPUT}" <<EOF
 {
   "EXITCODE": "${exit_code}",
+  "BOOTLOADER_AUTO_UPDATE_MIN_VERSION": ${min_ver},
   "BOOTLOADER_CURRENT": ${bootloader_cur},
   "BOOTLOADER_LATEST": ${bootloader_new},
   "VL805_CURRENT": "${vl805_cur}",
@@ -726,6 +748,7 @@ EOF
 
 AUTO_UPDATE_BOOTLOADER=0
 AUTO_UPDATE_VL805=0
+SILENT_UPDATE=0
 MACHINE_OUTPUT=""
 JSON_OUTPUT="no"
 IGNORE_DPKG_CHECKSUMS=${LOCAL_MODE}
@@ -735,7 +758,7 @@ if [ ! -d "${PACKAGE_INFO_DIR}" ]; then
 fi
 
 
-while getopts A:abdhilf:m:ju:r option; do
+while getopts A:abdhilf:m:ju:rs option; do
    case "${option}" in
    A)
       if [ "${OPTARG}" = "bootloader" ]; then
@@ -776,6 +799,8 @@ while getopts A:abdhilf:m:ju:r option; do
       removePreviousUpdates
       exit 0
       ;;
+   s) SILENT_UPDATE=1
+      ;;
    u) VL805_UPDATE_IMAGE="${OPTARG}"
       ;;
    *) echo "Unknown argument \"${option}\""
@@ -787,7 +812,7 @@ done
 checkDependencies
 if [ "${AUTO_UPDATE_BOOTLOADER}" = 1 ] || [ "${AUTO_UPDATE_VL805}" = 1 ]; then
    if getBootloaderConfig | grep FREEZE_VERSION=1; then
-      echo "EEPROM version is frozen. Skipping update"
+      echo "EEPROM version is frozen. Skipping automatic update"
       exit ${EXIT_EEPROM_FROZEN}
    else
       checkAndApply

test/bootconf.sig

@@ -0,0 +1,3 @@
+b5b917dc53a59c23035a89d4c58606211a07d4fb6e16bd00d74457a93ea5a264
+ts: 1614092425
+rsa2048: 284d3ef8b960ef9dd0bf5f320eacccb527623890b11136801fcfaf950ef3fb32c9b86ee48337d2cd21e00665a62215ff4d811b15d89867fb55d71b6372a4fa4b79af60cdda84c8a7d9b52d5f2b3026d3b088345d9424842cc2eb73e23f4577e12c74bc3bc1890bfbb6509fc8702cd3a202929bb6f9e5162ea53ec6e8503e08dda7b0c86a90bc21d33bd49535554383fe88e7d1d8e46e27c2bce60cf15b69c56ee27ccdd81ff8f47a616a2796cc2d943e17c6c01ac191f9b7dcda440238062e6c49df01f4bb8b97ce380a46aa29a03bf3fcbede3d76c13d862fc8b60b472a4d1017d5535f5188858a6e1103db2666aa63264e7c1f752b917405527094ed0da737

test/bootconf.txt

@@ -0,0 +1,8 @@
+[all]
+BOOT_UART=1
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+HDMI_DELAY=0
+# Load firmware and kernel from signed boot.img file
+SIGNED_BOOT=1
+

test/configs/bootconf-2019-07-15.txt

@@ -0,0 +1,16 @@
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                             
+                                                                              
+             

test/configs/bootconf-2019-09-06.txt

@@ -0,0 +1,16 @@
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+FREEZE_VERSION=0                                                                 
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                             
+                                                                              
+      

test/configs/bootconf-2019-09-10.txt

@@ -0,0 +1,16 @@
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+FREEZE_VERSION=0                                                                 
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                              
+                                                                             
+                                                                              
+      

test/configs/bootconf-2019-09-23.txt

@@ -0,0 +1,23 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=15000
+TFTP_IP=
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+                                                                             
+                                                                             
+                                                                             
+                                                                             
+                                                                             
+                                                                             
+                                                                             
+                                                                             
+                                                                             
+                                                                                          

test/configs/bootconf-2019-09-25.txt

@@ -0,0 +1,14 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2019-10-08.txt

@@ -0,0 +1,14 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2019-10-16.txt

@@ -0,0 +1,14 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2019-11-18.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2019-12-03.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2020-01-09.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2020-01-17.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2020-03-04.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2020-03-16.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2020-03-19.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2020-04-09.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2020-04-16.txt

@@ -0,0 +1,15 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+TFTP_IP=
+TFTP_PREFIX=0
+BOOT_ORDER=0x1
+SD_BOOT_MAX_RETRIES=3
+NET_BOOT_MAX_RETRIES=5
+[none]
+FREEZE_VERSION=0
+

test/configs/bootconf-2020-05-15.txt

@@ -0,0 +1,13 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+SD_BOOT_MAX_RETRIES=1
+USB_MSD_BOOT_MAX_RETRIES=1
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-05-26.txt

@@ -0,0 +1,13 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+SD_BOOT_MAX_RETRIES=1
+USB_MSD_BOOT_MAX_RETRIES=1
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-05-27.txt

@@ -0,0 +1,13 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+SD_BOOT_MAX_RETRIES=1
+USB_MSD_BOOT_MAX_RETRIES=1
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-05-28.txt

@@ -0,0 +1,13 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+SD_BOOT_MAX_RETRIES=1
+USB_MSD_BOOT_MAX_RETRIES=1
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-06-03.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-06-12.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-06-15.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-07-06.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-07-16.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-07-31.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-08-31.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-09-02.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-09-03.txt

@@ -0,0 +1,11 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+DHCP_TIMEOUT=45000
+DHCP_REQ_TIMEOUT=4000
+TFTP_FILE_TIMEOUT=30000
+ENABLE_SELF_UPDATE=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-10-02.txt

@@ -0,0 +1,7 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=0
+POWER_OFF_ON_HALT=1
+DISABLE_HDMI=0
+BOOT_ORDER=0xf41
+

test/configs/bootconf-2020-10-28.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2020-11-24.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2020-12-11.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-01-05.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-01-11.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-01-16.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-02-16.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/install

@@ -21,6 +21,7 @@ CONFIG="/etc/default/rpi-eeprom-update"
 
 cp -rfv "${FIRMWARE_DIR}"/* /lib/firmware/raspberrypi/bootloader
 cp -fv "${script_dir}/../rpi-eeprom-config" /usr/bin
+cp -fv "${script_dir}/../rpi-eeprom-digest" /usr/bin
 cp -fv "${script_dir}/../rpi-eeprom-update" /usr/bin
 rm -f /usr/bin/vl805
 

test/private.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA+l3E+h/QNjrIR1cG6NpzP0fBwp2UDpuQAafXDS5yryrfCPDY
+TO9DvzAfOk9Dz/putDfHV0RTOFXv1tmc4nqOgU6nKx7tTdsjTiY4CgG3vXRMuAmD
+GX5ssJFCVmljGuILt1INlCmtun7Ow35VTxOcRDDfrBDKnSitzOTf6KTR7xJhqFFh
+dMpIg8hW4bDBKMavyt38pRvDaO1o01qaQT/GgAPmJm27y5RKNAe6iVTqsm4TMAhK
+C6P4XyRAbe6OMdFZyEWEk7Asexuc7uZlVHsUI6pebSW/07O+5l/U7/3k6r//hO/H
+DFOBUUW55EjzzC1BhTlWHWfZNI+5+NdN8o323QIDAQABAoIBAByQGZKSkhG5w5MV
+++ERWQARaurNyPAgsb1qnUdw8t8GlFLkDT07t74mWo2vsNQXpU0Upv6O+jKNZVMc
+2P/ijQL2Cu7JtLeC5mR6Sj7kAscPr1f4p9b+/B3puIh8tfSBcOY9a3Spi5sg7+xQ
+K6HdoiCKdd4evUrQMwHS47OaKCQuuibm46LWbXO1nk9QkymUy6zyaT5IuNpfKYKD
+UdFqV1FNwZ9A2Yb89rweBgU4DWdbjgVqBc23vS9l913rqd2LHN/4+XDBOGrovu5r
+mJy4WsyXuT0twuqi7FzhtbCdN/zhLo2od1XK6uA65EKdA9rrRMkNeGvxts6q3fPE
+i6tj7OECgYEA/YbIR8n8Vvb5XPAav/aAon4qjXyhkUTjnJfVT0yA+6T1AJwvQ+O4
+AhYgN4ld7msKRDJLcJs0EU8CmWUKJRt5Ai+JsOCbPuBNo+VGEFSsdG0mrSjFZf2e
+Bjm41lnvAEWReGwr9MVIf/prDE2/3aUl9irkNdu5q6NpG9M0N7AhzGECgYEA/M8Y
+Ew9Nv+XqEVKvOzxKRZBa6yzlOUj5PQ3cD7jl1aUNK4rTucvr3sJZAsgm5j+0XG99
+AJ447zdDEdcQbsOSaBR69pccdHYEaRSiIxWaCAir2BBS5DxYtgB6BLrIfBd1cKHv
+qB6u4M6FRJ5BcQa6VYlizAfG2yXoJv0xFrlQ2/0CgYEAwq0Alb+QOOckzCzDHayX
+Ui83VbXiCr6vWMtuTJoeYR1l1LYZxTPTVCbRTlP5AN7I310PeMR00uWsxUVE6QGT
+hg4i2ONf0oRCmhuwFVIvqqc2D7lC+vIoqfcg69fbIoZJEgNeLXJgHYWZNbVuIzBx
+WfnNi13R0O6GA4vGiQyCp4ECgYB1ZTG3wBaJsxlDnBLVPgT7UrJ1nO6A8HsUt/fl
+sSXBVRjNjHUPRTutwLAW050EtLZrajYw8EheBVp20VjHJrg47rG/CqLjDd60cSlt
+g114t5YdCk+DvuYu9f+zbI0m2rnlaL1iY4UvzZcjKx4Wf1pN2DNxrXbRU0P/vvlp
+pPqAfQKBgDZnxWuvRsT9rztGrEottifchfrStZx7u/2+iBtjFeFXr7L4MI14fNm2
+HkoThCpfFXCJFpRxy+kYi6xbPK/Om/hFNs3J5xqheTW8hFx7KN/zPg7jc0MlZ2R/
+uuOgZU9kkzLOamDyP85Doah7kAyA2PnLUno2k4IirbNVoH3aV++G
+-----END RSA PRIVATE KEY-----

test/public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+l3E+h/QNjrIR1cG6Npz
+P0fBwp2UDpuQAafXDS5yryrfCPDYTO9DvzAfOk9Dz/putDfHV0RTOFXv1tmc4nqO
+gU6nKx7tTdsjTiY4CgG3vXRMuAmDGX5ssJFCVmljGuILt1INlCmtun7Ow35VTxOc
+RDDfrBDKnSitzOTf6KTR7xJhqFFhdMpIg8hW4bDBKMavyt38pRvDaO1o01qaQT/G
+gAPmJm27y5RKNAe6iVTqsm4TMAhKC6P4XyRAbe6OMdFZyEWEk7Asexuc7uZlVHsU
+I6pebSW/07O+5l/U7/3k6r//hO/HDFOBUUW55EjzzC1BhTlWHWfZNI+5+NdN8o32
+3QIDAQAB
+-----END PUBLIC KEY-----

test/test-rpi-eeprom-config

@@ -23,7 +23,7 @@ trap cleanup EXIT
 check_reduce_size()
 {
    # Verify that unused bytes are set to 0xff if the size of the config file is reduced.
-   echo "check_update $1 $2"
+   echo "check_reduce_size $1 $2"
 
    image="${script_dir}/$1"
    conf="${script_dir}/$2"
@@ -59,9 +59,32 @@ check_reduce_size()
 
 }
 
+check_signed_loopback()
+{
+   echo "check_signed $1 $2"
+
+   image="${script_dir}/$1"
+   conf="${script_dir}/$2"
+   digest="${script_dir}/$3"
+   pubkey="${script_dir}/$4"
+
+   # Replace the config, config.sig and pubkey and verify that the output is the same
+   TMP_EEPROM="$(mktemp)"
+   "${script_dir}/../rpi-eeprom-config" \
+      "${image}" \
+      --config "${conf}" \
+      --digest "${digest}" \
+      --pubkey "${pubkey}" \
+      --out "${TMP_EEPROM}"
+
+   expected_md5="$(md5sum "${image}" | awk '{print $1}')"
+   actual_md5="$(md5sum "${TMP_EEPROM}" | awk '{print $1}')"
+   [ "${actual_md5}" = "${expected_md5}" ] || die "EEPROM signed-loopback: checksum mismatch"
+}
+
 check_loopback()
 {
-   echo "check_update $1 $2"
+   echo "check_loopback $1 $2"
 
    image="${script_dir}/$1"
    conf="${script_dir}/$2"
@@ -141,7 +164,16 @@ check_conf_size_too_large()
    fi
 }
 
-check_loopback "../firmware/old/beta/pieeprom-2019-07-15.bin" "bootconf-2019-07-15.txt"
+echo "Check config read and loopback read/write against reference config files"
+versions="$(cd configs; ls *.txt | sed 's/bootconf-//g' | sed 's/.txt//g')"
+for ver in ${versions}; do
+   check_loopback "../firmware/old/beta/pieeprom-${ver}.bin" "configs/bootconf-${ver}.txt"
+   cleanup
+done
+
+echo "Test lookback with a signed EEPROM image"
+check_loopback pieeprom-signed.bin bootconf.txt
+check_signed_loopback pieeprom-signed.bin bootconf.txt bootconf.sig public.pem
 cleanup
 
 check_update "../firmware/old/beta/pieeprom-2019-07-15.bin" "pieeprom-2019-07-15-freeze.bin" "bootconf-2019-07-15-freeze.txt"