Merge pull request #400 from timg236/pieeprom-2022-01-25

pieeprom-2022-01-25: Create stable release from pieeprom-2022-01-20

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,12 +7,12 @@ about: Create a bug report for the bootloader EEPROM or rpi-eeprom-update script
 This repository tracks bugs for the Raspberry Pi 4 bootloader EEPROM and Linux update scripts.
 
 * If you suspect a hardware problem then please read the [Boot Problems](https://www.raspberrypi.org/forums/viewtopic.php?p=437084) post first before contacting the reseller.
-* Support questions or should be posted on the Raspberry Pi [General Discussion](https://www.raspberrypi.org/forums/viewforum.php?f=63)**
+* Support questions or should be posted on the Raspberry Pi [General Discussion](https://www.raspberrypi.org/forums/viewforum.php?f=63) forum
 
 **Mandatory information**
 * Raspberry Pi model
-* Board revision (cat /proc/cpuinfo | grep Revision)
-* Operating system version .
+* Board revision (`cat /proc/cpuinfo | grep Revision`)
+* Operating system version
 * Details of any hardware attached e.g. links to USB 
 * Photo of the HDMI diagnostics screen, UART trace.
 
@@ -34,15 +34,15 @@ vcgencmd bootloader_config
 
 **SD card boot (please complete the following information):**  
  - SD card type
- - Partition information (sudo fdisk -l) if you are able to obtain this from another computer.
+ - Partition information (`sudo fdisk -l`) if you are able to obtain this from another computer
 
 **USB boot (please complete the following information):**  
-Verify that the the USB device works correctly when hot-plugged under Linux and attache the output of 'lsusb -vvv'
+Verify that the the USB device works correctly when hot-plugged under Linux and attach the output of 'lsusb -vvv'.
 
 **Network boot (please complete the following information):**  
-Network boot bug normally require one or more of the following log types. [PiServer](https://github.com/raspberrypi/piserver) is the officially supported network boot server.
+Network boot bug normally requires one or more of the following log types. [PiServer](https://github.com/raspberrypi/piserver) is the officially supported network boot server.
 
- - DHCP server configuration files e.g. dnsmasq.conf
+ - DHCP server configuration files e.g. `dnsmasq.conf`
  - Wireshark binary packet capture
  - UART logs with `uart_2ndstage=1` set in `config.txt`
 

README.md

@@ -2,13 +2,12 @@
 This repository contains the scripts and pre-compiled binaries used to create the `rpi-eeprom` package which is used to update the Raspberry Pi 4 bootloader and VLI USB controller EEPROMs.
 
 # Support
-Please check the Raspberry Pi [general discussion forum](https://www.raspberrypi.org/forums/viewforum.php?f=63) if you have a support question. 
+Please check the Raspberry Pi [general discussion forum](https://forums.raspberrypi.com/viewforum.php?f=63) if you have a support question.
 
 # Reset to factory defaults
 To reset the bootloader back to factory defaults use [Raspberry Pi Imager](https://www.raspberrypi.com/software/) to write an EEPROM update image to a spare SD card. Select `Misc utility images` under the `Operating System` tab.
 
 # Bootloader documentation
-* [The boot folder](https://www.raspberrypi.com/documentation/computers/configuration.html#the-boot-folder)
 * [Config.txt boot options](https://www.raspberrypi.com/documentation/computers/config_txt.html#boot-options)
 * [Bootloader EEPROM](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-boot-eeprom)
 * [Bootloader configuration](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-bootloader-configuration)

firmware/release-notes.md

@@ -1,7 +1,50 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
 USB MSD boot also requires the firmware from Raspberry Pi OS 2020-08-20 or newer.
-https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md
+https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-bootloader-configuration
+
+## 2022-01-25 - Create new release from 2022-01-20 - LATEST/STABLE
+   * Rebuild 2022-01-20 for new stable release
+
+## 2022-01-20 - Some NVMe boot fixes - BETA
+   * PCIe retry on error
+   * NVMe logging changes
+   * NVMe attempts to boot twice
+   * Increase the maximum GPU memory size from 256MB to 512MB so long as
+     boot_ramdisk=0. This should only be used with the legacy camera
+     application and FKMS for very memory intensive camera operations.
+     N.B. The new libcamera and KMS driver use CMA instead of GPU memory.
+
+## 2021-12-02 - Promote the 2021-12-02 beta release to LATEST/STABLE
+   * Just fixes a regression with MTB detection affecting factory testing
+
+## 2021-12-02 - Fix MTB detection for factory test - BETA
+   * Just fixes a regression with MTB detection affecting factory testing
+
+## 2021-12-09 - Update default recovery.bin
+   * Promote the recovery.bin from stable to default. This avoids an issue
+     where recovery.bin fails to load on large FAT32 boot partions with 32K
+     clusters.
+
+## 2021-11-29 - Promote the 2021-11-22 beta release to LATEST/STABLE
+Interesting changes since the last stable release:-
+   * NVMe / PCIe reset fixes
+   * GPT / FAT enhancements
+   * FAT performance improvements
+   * Secure-boot for industrial customers (see usbboot repo)
+
+## 2021-11-22 - Fix for Sabrent rocket Nano NVMe reboot issue - BETA
+  * Fixes issue with Sabrent rocket Nano NVMe disk after a reboot.
+    Run pcie initialisation again if there's an error.
+
+## 2021-10-27 - Secure boot improvements - BETA
+  * Improve the error logging if a file is too large and truncated.
+  * Increase the maximum size of the ramdisk to 96MB.
+  * Preliminary changes to expose the boot-mode used to load the ramdisk via device-tree.
+
+  N.B. Secure boot is only recommended for industrial customers and is currently
+  a beta release. This can only be enabled via RPIBOOT
+  https://github.com/raspberrypi/usbboot/blob/master/Readme.md
 
 ## 2021-10-05 - Update for latest Broadcom SDRAM settings - BETA
   * Minor update for latest SDRAM tuning settings.

imager/README.txt

@@ -1,28 +1,42 @@
 Raspberry Pi 4 EEPROM bootloader rescue image
 *********************************************
 
-The Raspberry Pi 4 has a small EEPROM used to store the bootloader.
+The Raspberry Pi 4 contains a small EEPROM used to store the bootloader.
 
 This rescue image reverts the bootloader EEPROM to factory default settings.
 
-This rescue image also updates the USB 3.0 (VL805) firmware to the latest
-version (138a1) with better full-speed Isochronous endpoint support.
+This rescue image also updates the USB 3 controller (VL805) firmware to the
+latest version, 138a1, which has better full-speed isochronous endpoint 
+support.
 
-To re-flash the EEPROM(s)
+Raspberry Pi 4 board revisions 1.1 and 1.2 contain a separate EEPROM 
+which contains firmware for the USB 3 controller (VL805): on newer revisions 
+the USB controller firmware is stored in the bootloader EEPROM along with 
+the bootloader.
 
-1. Unzip the contents of this zip file to a blank FAT formatted SD-CARD
-2. Power off the Raspberry Pi
-3. Insert the SD-CARD
-4. Power on Raspberry Pi
-5. Wait at least 10 seconds
+The easiest method for creating EEPROM rescue images, and formatting SD 
+cards, is to use Raspberry Pi Imager from https://raspberrypi.com/software.
+Raspberry Pi Imager provides a GUI for downloading the latest version of 
+this rescue image and flashing it to a spare SD card.
 
-This easiest method for creating and formatting the SD-CARD is to use the
-Raspberry Pi Imager from https://raspberrypi.org/downloads
+Alternatively, copy the contents of this zip file to a blank
+FAT formatted SD card. The FAT partition must be < 32 GB.
 
-If successful, the green LED light will blink rapidly (forever), otherwise
-an error pattern will be displayed.
+To update the EEPROM:
 
-If a HDMI display is attached then the screen will display green for success
-or red if a failure occurs.
+1. Power off the Raspberry Pi
+2. Insert the bootloader update SD card
+3. Power on the Raspberry Pi
+4. Wait at least 10 seconds
 
-N.B. This image is not a bootloader it simply replaces the on-board bootloader.
+If successful, the green LED on the Raspberry Pi will blink rapidly forever.
+An unsuccessful update of the EEPROM is indicated by a different blinking 
+pattern corresponding to the specific error.
+
+If an HDMI display is attached, then the screen will display green for
+success or red if a failure occurs.
+
+Once the EEPROM is updated, the SD card can be removed. In order to make
+the entire capacity of the SD card available again, you must then reformat
+the SD card using Raspberry Pi Imager by selecting the 'format card as 
+FAT32' option.

imager/make-recovery-images

@@ -0,0 +1,62 @@
+#!/bin/sh
+
+set -e
+
+die() {
+   echo "$@" >&2
+   exit 1
+}
+
+cleanup() {
+   if [ -d "${TMP_DIR}" ]; then
+      rm -rf "${TMP_DIR}"
+   fi
+}
+
+trap cleanup EXIT
+
+[ "$(id -u)" = "0" ] || die "$(basename $0) must be run as root"
+[ -n "${SUDO_UID}" ] || die "SUDO_UID not defined"
+[ -n "${SUDO_GID}" ] || die "SUDO_GID not defined"
+
+for src in release/*.zip; do
+   src=$(basename "${src}")
+   img=$(echo "${src}" | sed 's/\.zip/.img/')
+   TMP_DIR=$(mktemp -d)
+   (
+      cp "release/${src}" "${TMP_DIR}"
+      mkdir "${TMP_DIR}/files"
+      cd "${TMP_DIR}/files"
+      unzip "../${src}"
+      cd "${TMP_DIR}"
+      dd if=/dev/zero bs=1M count=258 of=temp.img
+      /sbin/sfdisk temp.img <<EOF
+label: dos
+label-id: 0x0a7b5ac5
+device: temp.img
+unit: sectors
+
+./test.img1 : start=        2048, size=       524288, type=c
+EOF
+      file temp.img
+      kpartx -lv temp.img | head -n1 | awk '{print $1}'
+      LOOP="/dev/mapper/$(kpartx -lv temp.img | head -n1 | awk '{print $1}')"
+      kpartx -av temp.img
+      /sbin/mkfs.fat -F 32 -s 1 "${LOOP}"
+      mkdir fs
+      mount "${LOOP}" fs
+      cp -v files/* fs
+      sync
+      umount fs
+      kpartx -dv temp.img
+   )
+   mkdir -p images
+   chown "${SUDO_UID}:${SUDO_GID}" images
+   mv "${TMP_DIR}/temp.img" "images/${img}"
+   file "images/${img}"
+   cd images
+   zip "${src}" "${img}"
+   cd ..
+   rm "images/${img}"
+   chown "${SUDO_UID}:${SUDO_GID}" "images/${src}"
+done

releases.md

@@ -1,7 +1,6 @@
 # Raspberry Pi 4B, 400 and CM4 bootloader EEPROM releases
 This page provides links to the production and development release images for the bootloader EEPROM on BCM2711-based Raspberry Pi computers. Normally, the 
-bootloader is automatically updated after an APT update via the [rpi-eeprom-update](https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md)
-utility. 
+bootloader is automatically updated after an APT update via the [rpi-eeprom-update](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#automatic-updates) utility.
 
 ## Release notes
 Release notes are available [here](https://github.com/raspberrypi/rpi-eeprom/blob/master/firmware/release-notes.md).
@@ -10,8 +9,8 @@ Release notes are available [here](https://github.com/raspberrypi/rpi-eeprom/blo
 The default production EEPROM image release is [2020-09-03](https://github.com/raspberrypi/rpi-eeprom/releases/tag/v2020.09.03-138a1) and can be installed via the [Raspberry Pi Imager](https://www.raspberrypi.org/downloads/).
 
 ## USB MSD boot
-Please see the [USB mass storage boot](https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md) guide.
-For support or hardware interoperability discussions please use the Raspberry Pi [general discussion](https://www.raspberrypi.org/forums/viewforum.php?f=63) forum.
+Please see the [USB mass storage boot](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#usb-mass-storage-boot) guide.
+For support or hardware interoperability discussions please use the Raspberry Pi [general discussion](https://forums.raspberrypi.com/viewforum.php?f=63) forum.
 
 ## Old EEPROM images
 Old bootloader images are periodically removed from the APT package to reduce the disk space, but are still available via Github [here](https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware/old).

rpi-eeprom-config

@@ -8,6 +8,7 @@ import argparse
 import atexit
 import os
 import subprocess
+import string
 import struct
 import sys
 import tempfile
@@ -15,7 +16,12 @@ import time
 
 IMAGE_SIZE = 512 * 1024
 
-MAX_BOOTCONF_SIZE = 2024
+# Larger files won't with with "vcgencmd bootloader_config"
+MAX_FILE_SIZE = 2024
+ALIGN_SIZE = 4096
+BOOTCONF_TXT = 'bootconf.txt'
+BOOTCONF_SIG = 'bootconf.sig'
+PUBKEY_BIN = 'pubkey.bin'
 
 # Each section starts with a magic number followed by a 32 bit offset to the
 # next section (big-endian).
@@ -26,12 +32,18 @@ MAX_BOOTCONF_SIZE = 2024
 # The last 4KB of the EEPROM image is reserved for internal use by the
 # bootloader and may be overwritten during the update process.
 MAGIC = 0x55aaf00f
+PAD_MAGIC = 0x55aafeef
 MAGIC_MASK = 0xfffff00f
-FILE_MAGIC = 0x55aaf11f # id for modifiable file, currently only bootconf.txt
+FILE_MAGIC = 0x55aaf11f # id for modifiable files
 FILE_HDR_LEN = 20
 FILENAME_LEN = 12
 TEMP_DIR = None
 
+DEBUG = False
+def debug(s):
+    if DEBUG:
+        sys.stderr.write(s + '\n')
+
 def rpi4():
     compatible_path = "/sys/firmware/devicetree/base/compatible"
     if os.path.exists(compatible_path):
@@ -59,6 +71,25 @@ def create_tempdir():
     if TEMP_DIR is None:
         TEMP_DIR = tempfile.mkdtemp()
 
+def pemtobin(infile):
+    """
+    Converts an RSA public key into the format expected by the bootloader.
+    """
+    # Import the package here to make this a weak dependency.
+    from Cryptodome.PublicKey import RSA
+
+    arr = bytearray()
+    f = open(infile,'r')
+    key = RSA.importKey(f.read())
+
+    if key.size_in_bits() != 2048:
+        raise Exception("RSA key size must be 2048")
+
+    # Export N and E in little endian format
+    arr.extend(key.n.to_bytes(256, byteorder='little'))
+    arr.extend(key.e.to_bytes(8, byteorder='little'))
+    return arr
+
 def exit_error(msg):
     """
     Trapped a fatal error, output message to stderr and exit with non-zero
@@ -109,15 +140,21 @@ def apply_update(config, eeprom=None, config_src=None):
     else:
         eeprom_image = get_latest_eeprom()
     create_tempdir()
+
+    # Replace the contents of bootconf.txt with the contents of the config file
     tmp_update = os.path.join(TEMP_DIR, 'pieeprom.upd')
     image = BootloaderImage(eeprom_image, tmp_update)
-    image.write(config)
+    image.update_file(config, BOOTCONF_TXT)
+    image.write()
+
     config_str = open(config).read()
     if config_src is None:
         config_src = ''
     sys.stdout.write("Updating bootloader EEPROM\n image: %s\nconfig_src: %s\nconfig: %s\n%s\n%s\n%s\n" %
                      (eeprom_image, config_src, config, '#' * 80, config_str, '#' * 80))
 
+    sys.stdout.write("\n*** To cancel this update run 'sudo rpi-eeprom-update -r' ***\n\n")
+
     # Ignore APT package checksums so that this doesn't fail when used
     # with EEPROMs with configs delivered outside of APT.
     # The checksums are really just a safety check for automatic updates.
@@ -143,7 +180,7 @@ def edit_config(eeprom=None):
     if os.path.exists(pending):
         config_src = pending
         image = BootloaderImage(pending)
-        current_config = image.get_config().decode('utf-8')
+        current_config = image.get_file(BOOTCONF_TXT).decode('utf-8')
     else:
         current_config, config_src = read_current_config()
 
@@ -178,6 +215,14 @@ def read_current_config():
 
     return (shell_cmd(['vcgencmd', 'bootloader_config']), "vcgencmd bootloader_config")
 
+class ImageSection:
+    def __init__(self, magic, offset, length, filename=''):
+        self.magic = magic
+        self.offset = offset
+        self.length = length
+        self.filename = filename
+        debug("ImageSection %x %x %x %s" % (magic, offset, length, filename))
+
 class BootloaderImage(object):
     def __init__(self, filename, output=None):
         """
@@ -185,6 +230,7 @@ class BootloaderImage(object):
         and optionally an output filename.
         """
         self._filename = filename
+        self._sections = []
         try:
             self._bytes = bytearray(open(filename, 'rb').read())
         except IOError as err:
@@ -196,47 +242,112 @@ class BootloaderImage(object):
         if len(self._bytes) != IMAGE_SIZE:
             exit_error("%s: Expected size %d bytes actual size %d bytes" %
                        (filename, IMAGE_SIZE, len(self._bytes)))
+        self.parse()
 
-    def find_config(self):
+    def parse(self):
+        """
+        Builds a table of offsets to the different sections in the EEPROM.
+        """
         offset = 0
         magic = 0
+        found = False
         while offset < IMAGE_SIZE:
             magic, length = struct.unpack_from('>LL', self._bytes, offset)
-            if (magic & MAGIC_MASK) != MAGIC:
-                raise Exception('EEPROM is corrupted')
+            if magic == 0x0 or magic == 0xffffffff:
+                break # EOF
+            elif (magic & MAGIC_MASK) != MAGIC:
+                raise Exception('EEPROM is corrupted %x %x %x' % (magic, magic & MAGIC_MASK, MAGIC))
 
+            filename = ''
             if magic == FILE_MAGIC: # Found a file
-                name = self._bytes[offset + 8: offset + FILE_HDR_LEN]
-                if name.decode('utf-8') == 'bootconf.txt':
-                    return (offset, length)
+                # Discard trailing null characters used to pad filename
+                filename = self._bytes[offset + 8: offset + FILE_HDR_LEN].decode('utf-8').replace('\0', '')
+            self._sections.append(ImageSection(magic, offset, length, filename))
 
             offset += 8 + length # length + type
             offset = (offset + 7) & ~7
 
-        raise Exception('EEPROM parse error: Bootloader config not found')
+    def find_file(self, filename):
+        """
+        Returns the offset, length and whether this is the last section in the
+        EEPROM for a modifiable file within the image.
+        """
+        ret = (-1, -1, False)
+        for i in range(0, len(self._sections)):
+            s = self._sections[i]
+            if s.magic == FILE_MAGIC and s.filename == filename:
+                is_last = (i == len(self._sections) - 1)
+                ret = (s.offset, s.length, is_last)
+                break
+        debug('%s offset %d length %d last %s' % (filename, ret[0], ret[1], ret[2]))
+        return ret
 
-    def write(self, new_config):
-        hdr_offset, length = self.find_config()
-        new_config_bytes = open(new_config, 'rb').read()
-        new_len = len(new_config_bytes) + FILENAME_LEN + 4
-        if len(new_config_bytes) > MAX_BOOTCONF_SIZE:
-            raise Exception("Config is too large (%d bytes). The maximum size is %d bytes."
-                            % (len(new_config_bytes), MAX_BOOTCONF_SIZE))
-        if hdr_offset + len(new_config_bytes) + FILE_HDR_LEN > IMAGE_SIZE:
+    def update(self, src_bytes, dst_filename):
+        """
+        Replaces a modifiable file with specified byte array.
+        """
+        hdr_offset, length, is_last = self.find_file(dst_filename)
+        if hdr_offset < 0:
+            raise Exception('Update target %s not found' % dst_filename)
+
+        if hdr_offset + len(src_bytes) + FILE_HDR_LEN > IMAGE_SIZE:
             raise Exception('EEPROM image size exceeded')
 
+        new_len = len(src_bytes) + FILENAME_LEN + 4
         struct.pack_into('>L', self._bytes, hdr_offset + 4, new_len)
-        struct.pack_into(("%ds" % len(new_config_bytes)), self._bytes,
-                         hdr_offset + 4 + FILE_HDR_LEN, new_config_bytes)
+        struct.pack_into(("%ds" % len(src_bytes)), self._bytes,
+                         hdr_offset + 4 + FILE_HDR_LEN, src_bytes)
 
-        # If the new config is smaller than the old config then set any old
+        # If the new file is smaller than the old file then set any old
         # data which is now unused to all ones (erase value)
-        pad_start = hdr_offset + 4 + FILE_HDR_LEN + len(new_config_bytes)
+        pad_start = hdr_offset + 4 + FILE_HDR_LEN + len(src_bytes)
+
+        # Add padding up to 8-byte boundary
+        while pad_start % 8 != 0:
+            struct.pack_into('B', self._bytes, pad_start, 0xff)
+            pad_start += 1
+
+        # Create a padding section unless the padding size is smaller than the
+        # size of a section head. Padding is allowed in the last section but
+        # by convention bootconf.txt is the last section and there's no need to
+        # pad to the end of the sector. This also ensures that the loopback
+        # config read/write tests produce identical binaries.
+        pad_bytes = ALIGN_SIZE - (pad_start % ALIGN_SIZE)
+        if pad_bytes > 8 and not is_last:
+            pad_bytes -= 8
+            struct.pack_into('>i', self._bytes, pad_start, PAD_MAGIC)
+            pad_start += 4
+            struct.pack_into('>i', self._bytes, pad_start, pad_bytes)
+            pad_start += 4
+
+        debug("pad %d" % pad_bytes)
         pad = 0
-        while pad < (length - len(new_config_bytes)):
+        while pad < pad_bytes:
             struct.pack_into('B', self._bytes, pad_start + pad, 0xff)
             pad = pad + 1
 
+    def update_key(self, src_pem, dst_filename):
+        """
+        Replaces the specified public key entry with the public key values extracted
+        from the source PEM file.
+        """
+        pubkey_bytes = pemtobin(src_pem)
+        self.update(pubkey_bytes, dst_filename)
+
+    def update_file(self, src_filename, dst_filename):
+        """
+        Replaces the contents of dst_filename in the EEPROM with the contents of src_file.
+        """
+        src_bytes = open(src_filename, 'rb').read()
+        if len(src_bytes) > MAX_FILE_SIZE:
+            raise Exception("src file %s is too large (%d bytes). The maximum size is %d bytes."
+                            % (src_filename, len(src_bytes), MAX_FILE_SIZE))
+        self.update(src_bytes, dst_filename)
+
+    def write(self):
+        """
+        Writes the updated EEPROM image to stdout or the specified output file.
+        """
         if self._out is not None:
             self._out.write(self._bytes)
             self._out.close()
@@ -246,14 +357,14 @@ class BootloaderImage(object):
             else:
                 sys.stdout.write(self._bytes)
 
-    def get_config(self):
-        hdr_offset, length = self.find_config()
+    def get_file(self, filename):
+        hdr_offset, length, is_last = self.find_file(filename)
         offset = hdr_offset + 4 + FILE_HDR_LEN
         config_bytes = self._bytes[offset:offset+length-FILENAME_LEN-4]
         return config_bytes
 
     def read(self):
-        config_bytes = self.get_config()
+        config_bytes = self.get_file('bootconf.txt')
         if self._out is not None:
             self._out.write(config_bytes)
             self._out.close()
@@ -320,8 +431,21 @@ Operating modes:
    The default text editor is nano and may be overridden by setting the 'EDITOR'
    environment variable and passing '-E' to 'sudo' to preserve the environment.
 
-See 'rpi-eeprom-update -h' for more information about the available EEPROM
-images.
+6. Signing the bootloader config file.
+   Updates an EEPROM binary with a signed config file (created by rpi-eeprom-digest) plus
+   the corresponding RSA public key.
+
+   Requires Python Cryptodomex libraries and OpenSSL. To install on Raspberry Pi OS run:-
+   sudo apt install openssl python-pip
+   sudo python3 -m pip install cryptodomex
+
+   rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
+   rpi-eeprom-config --config bootconf.txt --digest bootconf.sig --pubkey public.pem --out pieeprom-signed.bin pieeprom.bin
+
+   Currently, the signing process is a separate step so can't be used with the --edit or --apply modes.
+
+
+See 'rpi-eeprom-update -h' for more information about the available EEPROM images.
 """
     parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,
                                      description=description)
@@ -331,6 +455,8 @@ images.
     parser.add_argument('-c', '--config', help='Name of bootloader configuration file', required=False)
     parser.add_argument('-e', '--edit', action='store_true', default=False, help='Edit the current EEPROM config')
     parser.add_argument('-o', '--out', help='Name of output file', required=False)
+    parser.add_argument('-d', '--digest', help='Signed boot only. The name of the .sig file generated by rpi-eeprom-dgst for config.txt ', required=False)
+    parser.add_argument('-p', '--pubkey', help='Signed boot only. The name of the RSA public key file to store in the EEPROM', required=False)
     parser.add_argument('eeprom', nargs='?', help='Name of EEPROM file to use as input')
     args = parser.parse_args()
 
@@ -351,7 +477,12 @@ images.
         if args.config is not None:
             if not os.path.exists(args.config):
                 exit_error("config file '%s' not found" % args.config)
-            image.write(args.config)
+            image.update_file(args.config, BOOTCONF_TXT)
+            if args.digest is not None:
+                image.update_file(args.digest, BOOTCONF_SIG)
+            if args.pubkey is not None:
+                image.update_key(args.pubkey, PUBKEY_BIN)
+            image.write()
         else:
             image.read()
     elif args.config is None and args.eeprom is None:

rpi-eeprom-digest

@@ -0,0 +1,110 @@
+#!/bin/sh
+
+# Helper script to generate .sig files for use with the Raspberry Pi bootloader.
+
+# This has been implemented in a separate script in order to have avoid having
+# a hard dependency on OpenSSL.
+
+set -e
+
+OPENSSL=${OPENSSL:-openssl}
+
+die() {
+   echo "$@" >&2
+   exit 1
+}
+
+TMP_DIR=""
+cleanup() {
+   if [ -f "${TMP_DIR}" ]; then
+      rm -rf "${TMP_DIR}"
+   fi
+}
+
+checkDependencies() {
+   if ! command -v sha256sum > /dev/null; then
+      die "sha256sum not found. Try installing the coreutilities package."
+   fi
+
+   if [ -n "${KEY}" ]; then
+      if ! command -v ${OPENSSL} > /dev/null; then
+         die "${OPENSSL} not found. Try installing the openssl package."
+      fi
+
+      if ! command -v xxd > /dev/null; then
+         die "xxd not found. Try installing the xxd package."
+      fi
+   fi
+}
+
+usage() {
+cat <<EOF
+rpi-eeprom-digest [-k RSA_KEY] -i IMAGE -o OUTPUT
+
+Creates a .sig file containing the sha256 digest of the IMAGE and an optional
+RSA signature of that hash.
+
+Options:
+   -i The source image.
+   -o The name of the digest/signature file.
+   -k Optional RSA private key.
+
+RSA signing
+If a private key in PEM format is supplied then the RSA signature of the
+sha256 digest is included in the .sig file. Currently, the bootloader only
+supports sha256 digests signed with a 2048bit RSA key.
+The bootloader only verifies RSA signatures in signed boot mode
+(not available yet) and only for the EEPROM config file and the signed image.
+
+Examples:
+
+# Generate RSA signature for the EEPROM config file.
+rpi-eeprom-digest -k key.pem -i bootconf.txt  -o bootconf.sig
+
+# Generate the normal sha256 hash to guard against file-system corruption
+rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
+rpi-eeprom-digest -i vl805.bin -o vl805.sig
+
+EOF
+exit 0
+}
+
+OUTPUT=""
+while getopts i:k:ho: option; do
+   case "${option}" in
+   i) IMAGE="${OPTARG}"
+      ;;
+   k) KEY="${OPTARG}"
+      ;;
+   o) OUTPUT="${OPTARG}"
+      ;;
+   h) usage
+      ;;
+   *) echo "Unknown argument \"${option}\""
+      usage
+      ;;
+   esac
+done
+
+[ -n "${IMAGE}" ] || usage
+[ -n "${OUTPUT}" ] || usage
+
+trap cleanup EXIT
+
+checkDependencies
+
+[ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
+
+TMP_DIR=$(mktemp -d)
+SIG_TMP="${TMP_DIR}/tmp.sig"
+sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}"
+
+# Include the update-timestamp
+echo "ts: $(date -u +%s)" >> "${OUTPUT}"
+
+if [ -n "${KEY}" ]; then
+   [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
+
+   "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
+   echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
+fi

rpi-eeprom-update

@@ -186,38 +186,15 @@ applyRecoveryUpdate()
    findBootFS
    echo "    BOOTFS: ${BOOTFS}"
 
-   # A '.sig' file is created so that recovery.bin can check that the
-   # EEPROM image has not been corrupted (e.g. SD card corruption).
-   # Format of the .sig file.
-   # --
-   # SHA256\n
-   # ts: UPDATE-TIMESTAMP\n
-   # --
-   # SHA256 is a 64 character hex string
-   # UPDATE-TIMESTAMP is an unsigned decimal.
-   #
-   # The 'filename' output from sha256 MUST be omitted.
    if [ -n "${BOOTLOADER_UPDATE_IMAGE}" ]; then
         [ -f "${BOOTLOADER_UPDATE_IMAGE}" ] || die "${BOOTLOADER_UPDATE_IMAGE} not found"
 
         TMP_EEPROM_IMAGE="$(mktemp)"
         prepareImage
-        # If recovery.bin encounters pieeprom.upd then it will select it in
-        # preference to pieeprom.bin. The .upd file also causes recovery.bin
-        # to rename itself to recovery.000 and reboot if the update is successful.
-        # The rename causes the ROM to ignore this file and use the newly flashed
-        # EEPROM image instead.
-        sha256sum "${TMP_EEPROM_IMAGE}" | awk '{print $1}' > "${BOOTFS}/pieeprom.sig" \
-                || die "Failed to create ${BOOTFS}/pieeprom.sig"
 
-        # Appends the update creation timestamp on a newline in pieeprom.sig
-        # During a self-update mode the bootloader examines the update-timestamp
-        # and will only update itself if it is newer than the current update
-        # timestamp.
-        #
-        # The update-timestamp is independent of the bootloader version and
-        # does not have to be timestamp.
-        echo "ts: $(date -u +%s)" >> "${BOOTFS}/pieeprom.sig"
+        # Generate a .sig file containing the sha256 hash of the EEPROM image
+        # and the current timestamp.
+        rpi-eeprom-digest -i "${TMP_EEPROM_IMAGE}" -o "${BOOTFS}/pieeprom.sig"
 
         cp -f "${TMP_EEPROM_IMAGE}" "${BOOTFS}/pieeprom.upd" \
                 || die "Failed to copy ${TMP_EEPROM_IMAGE} to ${BOOTFS}"
@@ -228,8 +205,7 @@ applyRecoveryUpdate()
    fi
 
    if [ -n "${VL805_UPDATE_IMAGE}" ]; then
-        sha256sum "${VL805_UPDATE_IMAGE}" | awk '{print $1}' > "${BOOTFS}/vl805.sig" \
-                || die "Failed to create ${BOOTFS}/vl805.sig"
+        rpi-eeprom-digest -i "${VL805_UPDATE_IMAGE}" -o "${BOOTFS}/vl805.sig"
 
         cp -f "${VL805_UPDATE_IMAGE}" "${BOOTFS}/vl805.bin" \
                 || die "Failed to copy ${VL805_UPDATE_IMAGE} to ${BOOTFS}/vl805.bin"
@@ -342,6 +318,10 @@ checkDependencies() {
       HAVE_VL805_EEPROM=0
    fi
 
+   if ! command -v rpi-eeprom-digest > /dev/null; then
+      die "rpi-eeprom-digest not found. Try re-installing the rpi-eeprom package"
+   fi
+
    if ! command -v lspci > /dev/null; then
       die "lspci not found. Try installing the pciutils package."
    fi
@@ -490,7 +470,7 @@ To flash the new image:
 The syntax is the same as config.txt See online documentation for the list of parameters.
 
 The official documentation for the Raspberry Pi bootloader EEPROM is available at
-https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md
+   https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-boot-eeprom
 
 Compute Module 4 (CM4):
 
@@ -500,10 +480,7 @@ cause the system to fail to boot so automatic updates are disabled. We also
 recommend write-protecting the SPI EPPROM after flashing it using usbboot.
 
 CM4 bootloader and EEPROM update instructions:
-   https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md
-
-usbboot instructions for flashing CM4 EMMC and bootloader EEPROM:
-   https://www.raspberrypi.org/documentation/hardware/computemodule/cm-emmc-flashing.md
+   https://www.raspberrypi.com/documentation/computers/compute-module.html#compute-module-4-bootloader
 
 The CM4 ROM does not support running recovery.bin from the EMMC on CM4 so this service
 is disabled by default. SELF_UPDATE from USB or Network boot is supported but this

test/bootconf.sig

@@ -0,0 +1,3 @@
+b5b917dc53a59c23035a89d4c58606211a07d4fb6e16bd00d74457a93ea5a264
+ts: 1614092425
+rsa2048: 284d3ef8b960ef9dd0bf5f320eacccb527623890b11136801fcfaf950ef3fb32c9b86ee48337d2cd21e00665a62215ff4d811b15d89867fb55d71b6372a4fa4b79af60cdda84c8a7d9b52d5f2b3026d3b088345d9424842cc2eb73e23f4577e12c74bc3bc1890bfbb6509fc8702cd3a202929bb6f9e5162ea53ec6e8503e08dda7b0c86a90bc21d33bd49535554383fe88e7d1d8e46e27c2bce60cf15b69c56ee27ccdd81ff8f47a616a2796cc2d943e17c6c01ac191f9b7dcda440238062e6c49df01f4bb8b97ce380a46aa29a03bf3fcbede3d76c13d862fc8b60b472a4d1017d5535f5188858a6e1103db2666aa63264e7c1f752b917405527094ed0da737

test/bootconf.txt

@@ -0,0 +1,8 @@
+[all]
+BOOT_UART=1
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+HDMI_DELAY=0
+# Load firmware and kernel from signed boot.img file
+SIGNED_BOOT=1
+

test/install

@@ -21,6 +21,7 @@ CONFIG="/etc/default/rpi-eeprom-update"
 
 cp -rfv "${FIRMWARE_DIR}"/* /lib/firmware/raspberrypi/bootloader
 cp -fv "${script_dir}/../rpi-eeprom-config" /usr/bin
+cp -fv "${script_dir}/../rpi-eeprom-digest" /usr/bin
 cp -fv "${script_dir}/../rpi-eeprom-update" /usr/bin
 rm -f /usr/bin/vl805
 

test/private.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA+l3E+h/QNjrIR1cG6NpzP0fBwp2UDpuQAafXDS5yryrfCPDY
+TO9DvzAfOk9Dz/putDfHV0RTOFXv1tmc4nqOgU6nKx7tTdsjTiY4CgG3vXRMuAmD
+GX5ssJFCVmljGuILt1INlCmtun7Ow35VTxOcRDDfrBDKnSitzOTf6KTR7xJhqFFh
+dMpIg8hW4bDBKMavyt38pRvDaO1o01qaQT/GgAPmJm27y5RKNAe6iVTqsm4TMAhK
+C6P4XyRAbe6OMdFZyEWEk7Asexuc7uZlVHsUI6pebSW/07O+5l/U7/3k6r//hO/H
+DFOBUUW55EjzzC1BhTlWHWfZNI+5+NdN8o323QIDAQABAoIBAByQGZKSkhG5w5MV
+++ERWQARaurNyPAgsb1qnUdw8t8GlFLkDT07t74mWo2vsNQXpU0Upv6O+jKNZVMc
+2P/ijQL2Cu7JtLeC5mR6Sj7kAscPr1f4p9b+/B3puIh8tfSBcOY9a3Spi5sg7+xQ
+K6HdoiCKdd4evUrQMwHS47OaKCQuuibm46LWbXO1nk9QkymUy6zyaT5IuNpfKYKD
+UdFqV1FNwZ9A2Yb89rweBgU4DWdbjgVqBc23vS9l913rqd2LHN/4+XDBOGrovu5r
+mJy4WsyXuT0twuqi7FzhtbCdN/zhLo2od1XK6uA65EKdA9rrRMkNeGvxts6q3fPE
+i6tj7OECgYEA/YbIR8n8Vvb5XPAav/aAon4qjXyhkUTjnJfVT0yA+6T1AJwvQ+O4
+AhYgN4ld7msKRDJLcJs0EU8CmWUKJRt5Ai+JsOCbPuBNo+VGEFSsdG0mrSjFZf2e
+Bjm41lnvAEWReGwr9MVIf/prDE2/3aUl9irkNdu5q6NpG9M0N7AhzGECgYEA/M8Y
+Ew9Nv+XqEVKvOzxKRZBa6yzlOUj5PQ3cD7jl1aUNK4rTucvr3sJZAsgm5j+0XG99
+AJ447zdDEdcQbsOSaBR69pccdHYEaRSiIxWaCAir2BBS5DxYtgB6BLrIfBd1cKHv
+qB6u4M6FRJ5BcQa6VYlizAfG2yXoJv0xFrlQ2/0CgYEAwq0Alb+QOOckzCzDHayX
+Ui83VbXiCr6vWMtuTJoeYR1l1LYZxTPTVCbRTlP5AN7I310PeMR00uWsxUVE6QGT
+hg4i2ONf0oRCmhuwFVIvqqc2D7lC+vIoqfcg69fbIoZJEgNeLXJgHYWZNbVuIzBx
+WfnNi13R0O6GA4vGiQyCp4ECgYB1ZTG3wBaJsxlDnBLVPgT7UrJ1nO6A8HsUt/fl
+sSXBVRjNjHUPRTutwLAW050EtLZrajYw8EheBVp20VjHJrg47rG/CqLjDd60cSlt
+g114t5YdCk+DvuYu9f+zbI0m2rnlaL1iY4UvzZcjKx4Wf1pN2DNxrXbRU0P/vvlp
+pPqAfQKBgDZnxWuvRsT9rztGrEottifchfrStZx7u/2+iBtjFeFXr7L4MI14fNm2
+HkoThCpfFXCJFpRxy+kYi6xbPK/Om/hFNs3J5xqheTW8hFx7KN/zPg7jc0MlZ2R/
+uuOgZU9kkzLOamDyP85Doah7kAyA2PnLUno2k4IirbNVoH3aV++G
+-----END RSA PRIVATE KEY-----

test/public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+l3E+h/QNjrIR1cG6Npz
+P0fBwp2UDpuQAafXDS5yryrfCPDYTO9DvzAfOk9Dz/putDfHV0RTOFXv1tmc4nqO
+gU6nKx7tTdsjTiY4CgG3vXRMuAmDGX5ssJFCVmljGuILt1INlCmtun7Ow35VTxOc
+RDDfrBDKnSitzOTf6KTR7xJhqFFhdMpIg8hW4bDBKMavyt38pRvDaO1o01qaQT/G
+gAPmJm27y5RKNAe6iVTqsm4TMAhKC6P4XyRAbe6OMdFZyEWEk7Asexuc7uZlVHsU
+I6pebSW/07O+5l/U7/3k6r//hO/HDFOBUUW55EjzzC1BhTlWHWfZNI+5+NdN8o32
+3QIDAQAB
+-----END PUBLIC KEY-----

test/test-rpi-eeprom-config

@@ -59,6 +59,29 @@ check_reduce_size()
 
 }
 
+check_signed_loopback()
+{
+   echo "check_signed $1 $2"
+
+   image="${script_dir}/$1"
+   conf="${script_dir}/$2"
+   digest="${script_dir}/$3"
+   pubkey="${script_dir}/$4"
+
+   # Replace the config, config.sig and pubkey and verify that the output is the same
+   TMP_EEPROM="$(mktemp)"
+   "${script_dir}/../rpi-eeprom-config" \
+      "${image}" \
+      --config "${conf}" \
+      --digest "${digest}" \
+      --pubkey "${pubkey}" \
+      --out "${TMP_EEPROM}"
+
+   expected_md5="$(md5sum "${image}" | awk '{print $1}')"
+   actual_md5="$(md5sum "${TMP_EEPROM}" | awk '{print $1}')"
+   [ "${actual_md5}" = "${expected_md5}" ] || die "EEPROM signed-loopback: checksum mismatch"
+}
+
 check_loopback()
 {
    echo "check_loopback $1 $2"
@@ -148,6 +171,11 @@ for ver in ${versions}; do
    cleanup
 done
 
+echo "Test lookback with a signed EEPROM image"
+check_loopback pieeprom-signed.bin bootconf.txt
+check_signed_loopback pieeprom-signed.bin bootconf.txt bootconf.sig public.pem
+cleanup
+
 check_update "../firmware/old/beta/pieeprom-2019-07-15.bin" "pieeprom-2019-07-15-freeze.bin" "bootconf-2019-07-15-freeze.txt"
 cleanup