Merge pull request #426 from timg236/default-2022-04-26

2022-04-27 - Promote pieeprom-2022-04-26 to the DEFAULT release

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,50 +0,0 @@
----
-name: Bug report
-about: Create a bug report for the bootloader EEPROM or rpi-eeprom-update scripts. Please use the Raspberry Pi General Discussion forum for general questions about the bootloader.
-
----
-
-This repository tracks bugs for the Raspberry Pi 4 bootloader EEPROM and Linux update scripts.
-
-* If you suspect a hardware problem then please read the [Boot Problems](https://www.raspberrypi.org/forums/viewtopic.php?p=437084) post first before contacting the reseller.
-* Support questions or should be posted on the Raspberry Pi [General Discussion](https://www.raspberrypi.org/forums/viewforum.php?f=63)**
-
-
-**Mandatory information**
-* Raspberry Pi model
-* Board revision (cat /proc/cpuinfo | grep Revision)
-* Operating system version .
-* Details of any hardware attached e.g. links to USB 
-* Photo of the HDMI diagnostics screen, UART trace.
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-
-**Expected behaviour**
-A clear and concise description of what you expected to happen.
-
-**Bootloader version and configuration**
-If you have modified the default bootloader release or configuration then please attach the bootloader configuration vcgencmd bootloader_config and version (vcgencmd bootloader_version)
-
-**SD card boot (please complete the following information):**
- - SD card type
- - Partition information (sudo fdisk -l) if you are able to obtain this from another computer.
-
-**Network boot (please complete the following information):**
-Network boot bug normally require one or more of the following log types. [PiServer](https://github.com/raspberrypi/piserver) is the officially supported network boot server.
-
- - DHCP server configuration files e.g. dnsmasq.conf
- - Wireshark binary packet capture
- - UART logs
-
-**USB boot (please complete the following information):**
-Verify that the the USB device works correctly when hot-plugged under Linux and attache the output of 'lsusb -vvv'
-
-**Additional context**
-Add any other context about the problem here. 
-
-The [Bootloader configuration](https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md) page describes how to enable UART or NETCONSOLE logs. For complex USB boot issues NETCONSOLE logs are recommended.
-

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,123 @@
+name: "Bug report"
+description: Create a report to help us fix your issue
+body:
+- type: markdown
+  attributes:
+    value: |
+      **Is this the right place for my bug report?**
+      
+      * This repository contains the Raspberry Pi 4, Pi400 and CM4 bootloader EEPROM images and installation scripts.      
+      * Please report boot issues for the earlier models at the GPU firmware repo [github.com/raspberrypi/firmware](https://github.com/raspberrypi/firmware).
+      * Please report USB issues which occur after the OS has started at the Linux repo [github.com/raspberrypi/linux/](https://github.com/raspberrypi/linux/).
+      * If you simply have a question, then [the Raspberry Pi forums](https://www.raspberrypi.org/forums) are the best place to ask it. 
+         * The ["Is your Pi not booting?"](https://forums.raspberrypi.com/viewtopic.php?f=28&t=58151) post has lots of useful advice.
+
+- type: textarea
+  id: description
+  attributes:
+    label: Describe the bug
+    description: |
+      Add a clear and concise description of what you think the bug is. 
+      
+      * Attach a photo of the bootloader [diagnostics](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#boot-diagnostics-on-the-raspberry-pi-4).
+      * If the system is failing to boot then please check if the green activity LED is displaying an [error pattern](https://www.raspberrypi.com/documentation/computers/configuration.html#led-warning-flash-codes).
+  validations:
+    required: true
+
+- type: textarea
+  id: reproduce
+  attributes:
+    label: Steps to reproduce the behaviour
+    description: |
+      List the steps required to reproduce the issue.
+  validations:
+    required: true
+- type: dropdown
+  id: model
+  attributes:
+    label: Device (s)
+    description: On which device you are facing the bug?
+    multiple: true
+    options:
+      - Raspberry Pi 4 Mod. B
+      - Raspberry Pi 400
+      - Raspberry Pi CM4
+      - Raspberry Pi CM4 Lite
+      - Other
+  validations:
+    required: true
+    
+- type: textarea
+  id: config
+  attributes:
+    label: Bootloader configuration.
+    description: |      
+      Copy and paste the results of `vcgencmd bootloader_config` or describe the failing configuration.
+      
+      * `rpi-eeprom-update` saves a backup of the previous bootloader configuration to `/var/lib/raspberrypi/bootloader/backup` before it schedules the update.
+      * `rpi-eeprom-config pieeprom.upd` can be used to read the contents of an EEPROM image.
+  validations:
+    required: true
+
+- type: textarea
+  id: system
+  attributes:
+    label: System
+    description: |
+      Copy and paste the results of the `raspinfo` command in to this section.
+      Alternatively, copy and paste a pastebin link, or add answers to the following questions:
+      * Which OS and version (`cat /etc/rpi-issue`)?
+      * Which bootloader version (`vcgencmd bootloader_version`)?
+      * Which firmware version (`vcgencmd version`)?
+      * Which kernel version (`uname -a`)?
+  validations:
+    required: false
+    
+- type: textarea
+  id: Logs
+  attributes:
+    label: Bootloader logs
+    description: |
+       If the problem can't be diagnosed from the bootloader HDMI diagnostics screen then we'll normally need to see more detailed logs to diagnose the problem. The bootloader and GPU firmware can be configured to enable log output to the UART pins `14` and `15` on the [40-pin GPIO header](https://www.raspberrypi.com/documentation/computers/os.html#gpio-and-the-40-pin-header)
+         * To enable UART logging from the bootloader specify [BOOT_UART=1](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#BOOT_UART) in the EEPROM config
+         * To enable UART logging from the `start.elf` GPU firmware stage add [uart_2ndstage=1](https://www.raspberrypi.com/documentation/computers/config_txt.html#uart_2ndstage) to `config.txt`.
+         * If you are familiar with using Wireshark then it's also possible to use [NETCONSOLE](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#NETCONSOLE) write logs to UDP packets.
+       Please paste the bootloader logs here.          
+  validations:
+    required: false
+    
+- type: textarea
+  id: USB
+  attributes:
+    label: USB boot
+    description: |
+       Before using USB as the boot device it's advisble to verify that the USB device is [compatible](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#hardware-compatibility) and works reliably from Linux. 
+       Please specify the make and model of the USB device plus any HUBs or USB/SATA adapters. Please also capture the output of the following command from Linux `lsusb -vvv` and paste the results here.
+  validations:
+    required: false    
+
+- type: textarea
+  id: NVMe
+  attributes:
+    label: NVMe boot
+    description: |
+       Before using NVMe as the boot device it's advisble to verify that the NVMe storage is working reliably when mounted from Linux. Please specify the make and model and also  capture the following information from a working system when reporting NVMe issues.
+       * `sudo apt-get install nvme-cli`
+       * `sudo nvme list`
+       * `sudo nvme id-ctrl -H /dev/nvme0`
+       * `sudo nvme list-ns /dev/nvme0`
+       * `sudo nvme id-ns -H /dev/nvme0 --namespace-id=1`   
+  validations:
+    required: false
+    
+- type: textarea
+  id: tftp
+  attributes:
+    label: Network (TFTP boot)
+    description: |      
+      Please provide the following information if possible:- 
+      * DHCP server configuration files e.g. `dnsmasq.conf`
+      * Wireshark binary packet capture      
+  validations:
+    required: false
+    

.github/ISSUE_TEMPLATE/config.yml

@@ -1,2 +1,9 @@
 blank_issues_enabled: false
 
+contact_links:
+  - name: "⛔ Question"
+    url: https://www.raspberrypi.org/forums
+    about: "Please do not use GitHub for asking questions. If you simply have a question, then the Raspberry Pi forums are the best place to ask it. Thanks in advance for helping us keep the issue tracker clean!"
+  - name: "⛔ Problems with Raspberry Pi Imager / network-install"
+    url: https://github.com/raspberrypi/rpi-imager
+    about: "If the problem with network install occurs after the Raspberry Pi Imager UI has started then please report it at https://github.com/raspberrypi/rpi-imager/issues. Otherwise, raise the bug report here."

LICENSE

@@ -64,4 +64,32 @@ License: custom
  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
  TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
- DAMAGE. 
+ DAMAGE.
+
+License: uIP
+ Copyright (c) 2006, Swedish Institute of Computer Science.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+ 3. Neither the name of the Institute nor the names of its contributors
+    may be used to endorse or promote products derived from this software
+    without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.

README.md

@@ -2,16 +2,15 @@
 This repository contains the scripts and pre-compiled binaries used to create the `rpi-eeprom` package which is used to update the Raspberry Pi 4 bootloader and VLI USB controller EEPROMs.
 
 # Support
-Please check the Raspberry Pi [general discussion forum](https://www.raspberrypi.org/forums/viewforum.php?f=63) if you have a support question. 
+Please check the Raspberry Pi [general discussion forum](https://forums.raspberrypi.com/viewforum.php?f=63) if you have a support question.
 
 # Reset to factory defaults
-To reset the bootloader back to factory defaults use [Raspberry Pi Imager](https://www.raspberrypi.org/downloads/) to write an EEPROM update image to a spare SD card. Select `Misc utility images` under the `Operating System` tab.
+To reset the bootloader back to factory defaults use [Raspberry Pi Imager](https://www.raspberrypi.com/software/) to write an EEPROM update image to a spare SD card. Select `Misc utility images` under the `Operating System` tab.
 
 # Bootloader documentation
-* [The boot folder](https://www.raspberrypi.org/documentation/configuration/boot_folder.md)
-* [Config.txt boot options](https://www.raspberrypi.org/documentation/configuration/config-txt/boot.md)
-* [Bootloader EEPROM](https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md)
-* [Bootloader configuration](https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md)
-* [Updating the Compute Module 4 bootloader](https://www.raspberrypi.org/documentation/hardware/computemodule/cm-emmc-flashing.md#cm4bootloader)
+* [Config.txt boot options](https://www.raspberrypi.com/documentation/computers/config_txt.html#boot-options)
+* [Bootloader EEPROM](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-boot-eeprom)
+* [Bootloader configuration](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-bootloader-configuration)
+* [Updating the Compute Module 4 bootloader](https://www.raspberrypi.com/documentation/computers/compute-module.html#cm4bootloader)
 * [Release notes](firmware/release-notes.md)
 * [Releases](releases.md)

firmware/release-notes.md

@@ -1,7 +1,203 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
-USB MSD boot also requires the firmware from Raspberry Pi OS 2020-08-20 or newer.
-https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md
+## 2022-04-27 - Promote pieeprom-2022-04-26 to the DEFAULT release
+   * Enable Network Install in the default bootloader release.
+   * This release is signed with the secure-boot key and supports
+     the new HTTP boot-order for downloading signed boot images for
+     automated provisioning systems.
+
+## 2022-04-22 - Add pieeprom-2022-04-26 release - STABLE/BETA
+   * Release pieeprom-2022-04-22 signed with the secure-boot key so that
+     network install can be used on secure-boot devices.
+
+## 2022-04-22 - Add pieeprom-2022-04-22 release - BETA
+   * Fix netboot reboot failure on Pi 4B R1.1 if OS enables IDDQ power saving
+     https://github.com/raspberrypi/rpi-eeprom/issues/417
+   * Fix incorrect error code (configuration error) on EEPROM update failure.
+   * Enable more verbose errors for EEPROM update failures.
+
+## 2022-03-10 - Promote the 2022-03-10 beta release to LATEST/STABLE
+   * Includes new net install feature, enabled by default for Pi 4 and Pi 400
+   * New net install download screen may appear on boot if a boot location can't
+     be found or if boot is slow. Alternative press and hold shift on boot to
+     start net install.
+   * New HTTP boot order.
+   * Bootloader diagnosis screen is now 720p if supported by your monitor.
+   * Self update mode is now enabled during SD/EMMC boot.
+   * The PARTITION number can now be specified as an EEPROM property.
+   * Allow smaller MSD discovery timeouts to be specified.
+   * Some tweaks and fixes to IPV6 netboot.
+   * Increase the max ramdisk size to 128MB
+   * Increase timeout of early SD/EMMC commands to 100ms
+
+## 2022-03-10 - HTTP_PATH fix - BETA
+   * Fix the defective HTTP_PATH eeprom configuration
+
+## 2022-02-28 - More net Install changes - BETA
+   Net install changes.
+   * Net install is initiated on boot if shift is pressed.
+   * New HTTP boot order (7) and configuration parameters,
+     HTTP_HOST, HTTP_PATH, HTTP_PORT to set url
+
+   Other interesting changes.
+   * Increase the max ramdisk size to 128MB
+   * Increase timeout of early SD/EMMC commands to 100ms
+
+## 2022-02-16 - Net Install fixes - BETA
+   Net install changes.
+   * Got rid of confirmation step that required you to press <Space> to
+     initiate net install. Now just long press <Shift>
+   * Updated the screen text to make it more obvious the device is still
+     trying boot when the net install is showing.
+   * Fixed a DHCP net install bug which caused us to lose the
+     gateway address.
+   * Fixed a bug with the uIP timers which could cause net install to
+     always fail.
+   * Implemented resume and retry on download failure.
+
+   Other interesting changes.
+   * Allow smaller MSD discovery timeouts to be specified.
+   * Some tweaks and fixes to IPV6 netboot.
+
+## 2022-02-08 - Fix secure-boot boot failure - STABLE
+   * Fix boot failure regression on boards which had the OTP secure boot bits set.
+
+## 2022-02-04 - Network Install - BETA
+   * New network install feature for the bootloader. To disable network install
+     (e.g. in an industrial product) set NET_INSTALL_ENABLED=0 in the EEPROM
+     config or HDMI_DISABLE=1.
+   * Self update mode is now enabled during SD/EMMC boot. This enables
+     rpi-eeprom-update to be used on a CM4 / CM4-lite because recovery.bin
+     is not required. For industrial products we recommend disabling
+     self-update after initial setup by setting ENABLE_SELF_UPDATE=0 in
+     the EEPROM config.
+   * The PARTITION number can now be specified as an EEPROM property. This
+     might be used to boot maintenance software if a button connected to
+     a GPIO is pressed. The partition number specified via the reboot
+     command or autoboot.txt are a higher precedence than the EEPROM
+     property.
+
+## 2022-01-25 - Promote pieeprom-2022-01-25 to the DEFAULT release
+Interesting changes since the last default release
+   * Support and bug fixes for all Compute Module variants.
+   * NVMe interoperability fixes
+   * FAT/GPT fixes and file-system performance improvements.
+   * Add secure-boot support for industrial applications
+     See https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md
+   * Added ramdisk / boot.img - for RPIBOOT and secure-boot.
+
+## 2022-01-25 - Create new release from 2022-01-20 - LATEST/STABLE
+   * Rebuild 2022-01-20 for new stable release
+
+## 2022-01-20 - Some NVMe boot fixes - BETA
+   * PCIe retry on error
+   * NVMe logging changes
+   * NVMe attempts to boot twice
+   * Increase the maximum GPU memory size from 256MB to 512MB so long as
+     boot_ramdisk=0. This should only be used with the legacy camera
+     application and FKMS for very memory intensive camera operations.
+     N.B. The new libcamera and KMS driver use CMA instead of GPU memory.
+
+## 2021-12-02 - Promote the 2021-12-02 beta release to LATEST/STABLE
+   * Just fixes a regression with MTB detection affecting factory testing
+
+## 2021-12-02 - Fix MTB detection for factory test - BETA
+   * Just fixes a regression with MTB detection affecting factory testing
+
+## 2021-12-09 - Update default recovery.bin
+   * Promote the recovery.bin from stable to default. This avoids an issue
+     where recovery.bin fails to load on large FAT32 boot partions with 32K
+     clusters.
+
+## 2021-11-29 - Promote the 2021-11-22 beta release to LATEST/STABLE
+Interesting changes since the last stable release:-
+   * NVMe / PCIe reset fixes
+   * GPT / FAT enhancements
+   * FAT performance improvements
+   * Secure-boot for industrial customers (see usbboot repo)
+
+## 2021-11-22 - Fix for Sabrent rocket Nano NVMe reboot issue - BETA
+  * Fixes issue with Sabrent rocket Nano NVMe disk after a reboot.
+    Run pcie initialisation again if there's an error.
+
+## 2021-10-27 - Secure boot improvements - BETA
+  * Improve the error logging if a file is too large and truncated.
+  * Increase the maximum size of the ramdisk to 96MB.
+  * Preliminary changes to expose the boot-mode used to load the ramdisk via device-tree.
+
+  N.B. Secure boot is only recommended for industrial customers and is currently
+  a beta release. This can only be enabled via RPIBOOT
+  https://github.com/raspberrypi/usbboot/blob/master/Readme.md
+
+## 2021-10-05 - Update for latest Broadcom SDRAM settings - BETA
+  * Minor update for latest SDRAM tuning settings.
+
+## 2021-10-04 - Add support for GPT FAT16 and increase USB timeouts - BETA
+  * Update the FAT detection to support FAT16 for EFI/ESD paritions with
+    GPT instead of assuming FAT32. The latest firmware is also required
+    for a similar update.
+  * Increase the timeouts for MSD SCSI commands to reduce the risk of
+    timeouts when probing the capacity of slow to start devices
+    e.g. USB RAID with spinning disks.
+
+## 2021-09-27 - Fix recovery.bin rename issue and EEPROM netconsole - BETA
+  * Fix recovery.bin rename issue
+  * Update pieeprom-2021-09-27.bin to fix netconsole
+
+## 2021-09-23 - Temporarily revert recovery.bin 2021-09-22 BETA/STABLE
+  * Revert until fix for can be verified https://github.com/raspberrypi/rpi-eeprom/issues/367
+
+## 2021-09-23 - Bootloader file-system updates - BETA
+This release makes major changes to the bootloader file-system code in order
+to support new features and should be treated as a bleeding edge BETA release!
+  * Improve file-system performance to reduce boot time.
+  * Preliminary support for IPV6 TFTP. Requires an updated start4.elf.
+    Details to follow.
+  * Fix VL805=1 option for CM4 IO boards that follow the same XHCI
+    design as Pi4B. Start.elf will be updated in the next rpi-update release
+    and the latest CM4 DTBs are required for the 'XHCI reset controller'
+  * Preliminary support for loading signed boot image files.
+    Requires updated GPU firmware.
+
+## 2021-09-22 - Update recovery.bin to fix issue with large FAT partitions - STABLE
+  * Bump the latest recovery.bin under beta to stable.
+
+## 2021-09-22 - Update recovery.bin to fix issue with large FAT partitions - BETA
+  * Fix an issue where the ROM fails to load larger recovery.bin files
+    on FAT partitions with large cluster sizes.
+
+## 2021-07-07 - Promote pieeprom-2021-07-06 to stable - STABLE
+  * Promote the latest beta to stable. For CM4 users this adds NVMe
+    boot support to the stable release.
+
+## 2021-07-06 - Tidyup PXE debug strings - BETA
+   * Remove redundant debug string - hexdump is more useful for debug.
+   * Minor internal changes for manufacturing test.
+
+## 2021-06-25 - Support 256MB gpu_mem with boot ramdisk - BETA
+   * Tweak the address map so that boot ramdisks (e.g. rpiboot -d imager)
+     work with large amounts of GPU memory.
+
+## 2021-06-17 - Avoid unnecessary PCIe probe on CM4 - BETA
+   * Avoid default PCIe / XHCI probe on CM4 unless required for the current boot
+     mode (USB_MSD or NVME).
+   * Leave PCIe RC in reset state when loading start.elf except for USB-MSD mode.
+
+## 2021-06-11 - Add USB_MSD_STARTUP_DELAY option - BETA
+   * Minor update to BRCM SDRAM settings.
+   * Add USB_MSD_STARTUP_DELAY option (default 0 option). This adds a configurable
+     delay (in milliseconds) the first time the USB host controller is initialised
+     before device enumeration.
+     Normally, this should not be required. However, some HDD enclosures may
+     require an extended startup delay in order to spinup drives. Without this
+     the get-capacity command may stall and timeout.
+
+## 2021-05-19 - Use the latest BRCM SDRAM settings - BETA
+   * Use the latest BRCM SDRAM settings.
+   * FAT12 support for small bootloader ramdisk images.
+   * Minor file-system performance optimisations.
+   * Added recovery.bin config.txt option (erase_eeprom=1) to perform an
+     SPI chip-erase operation instead of programming the bootloader image.
 
 ## 2021-04-30 - Update default version to 2021-04-29
    * The manufacturing release has been updated to pieeprom-2021-04-29 so update the default release to match this.
@@ -18,7 +214,7 @@ https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloade
    * UDP checksum fixes
    * Add support for the BCM2711 XHCI controller - BOOT_ORDER 0x5
    * XHCI protocol layer fixes for non-VLI controllers
-   * Avoid USB MSD timeout of there is only one device
+   * Avoid USB MSD timeout if there is only one device
    * Implement tryboot for OS upgrade fallback
    * Check the update-timestamp before applying an update in SELF-UPDATE mode
 

imager/README.txt

@@ -1,28 +1,42 @@
 Raspberry Pi 4 EEPROM bootloader rescue image
 *********************************************
 
-The Raspberry Pi 4 has a small EEPROM used to store the bootloader.
+The Raspberry Pi 4 contains a small EEPROM used to store the bootloader.
 
 This rescue image reverts the bootloader EEPROM to factory default settings.
 
-This rescue image also updates the USB 3.0 (VL805) firmware to the latest
-version (138a1) with better full-speed Isochronous endpoint support.
+This rescue image also updates the USB 3 controller (VL805) firmware to the
+latest version, 138a1, which has better full-speed isochronous endpoint 
+support.
 
-To re-flash the EEPROM(s)
+Raspberry Pi 4 board revisions 1.1 and 1.2 contain a separate EEPROM 
+which contains firmware for the USB 3 controller (VL805): on newer revisions 
+the USB controller firmware is stored in the bootloader EEPROM along with 
+the bootloader.
 
-1. Unzip the contents of this zip file to a blank FAT formatted SD-CARD
-2. Power off the Raspberry Pi
-3. Insert the SD-CARD
-4. Power on Raspberry Pi
-5. Wait at least 10 seconds
+The easiest method for creating EEPROM rescue images, and formatting SD 
+cards, is to use Raspberry Pi Imager from https://raspberrypi.com/software.
+Raspberry Pi Imager provides a GUI for downloading the latest version of 
+this rescue image and flashing it to a spare SD card.
 
-This easiest method for creating and formatting the SD-CARD is to use the
-Raspberry Pi Imager from https://raspberrypi.org/downloads
+Alternatively, copy the contents of this zip file to a blank
+FAT formatted SD card. The FAT partition must be < 32 GB.
 
-If successful, the green LED light will blink rapidly (forever), otherwise
-an error pattern will be displayed.
+To update the EEPROM:
 
-If a HDMI display is attached then the screen will display green for success
-or red if a failure occurs.
+1. Power off the Raspberry Pi
+2. Insert the bootloader update SD card
+3. Power on the Raspberry Pi
+4. Wait at least 10 seconds
 
-N.B. This image is not a bootloader it simply replaces the on-board bootloader.
+If successful, the green LED on the Raspberry Pi will blink rapidly forever.
+An unsuccessful update of the EEPROM is indicated by a different blinking 
+pattern corresponding to the specific error.
+
+If an HDMI display is attached, then the screen will display green for
+success or red if a failure occurs.
+
+Once the EEPROM is updated, the SD card can be removed. In order to make
+the entire capacity of the SD card available again, you must then reformat
+the SD card using Raspberry Pi Imager by selecting the 'format card as 
+FAT32' option.

imager/make-imager-release

@@ -4,4 +4,4 @@ set -e
 
 script_dir=$(cd "$(dirname "$0")" && pwd)
 
-${script_dir}/make-release critical 2021-04-29 000138a1 "${script_dir}" release rpi-boot-eeprom-recovery
+${script_dir}/make-release critical 2022-01-25 000138a1 "${script_dir}" release rpi-boot-eeprom-recovery

imager/make-recovery-images

@@ -0,0 +1,62 @@
+#!/bin/sh
+
+set -e
+
+die() {
+   echo "$@" >&2
+   exit 1
+}
+
+cleanup() {
+   if [ -d "${TMP_DIR}" ]; then
+      rm -rf "${TMP_DIR}"
+   fi
+}
+
+trap cleanup EXIT
+
+[ "$(id -u)" = "0" ] || die "$(basename $0) must be run as root"
+[ -n "${SUDO_UID}" ] || die "SUDO_UID not defined"
+[ -n "${SUDO_GID}" ] || die "SUDO_GID not defined"
+
+for src in release/*.zip; do
+   src=$(basename "${src}")
+   img=$(echo "${src}" | sed 's/\.zip/.img/')
+   TMP_DIR=$(mktemp -d)
+   (
+      cp "release/${src}" "${TMP_DIR}"
+      mkdir "${TMP_DIR}/files"
+      cd "${TMP_DIR}/files"
+      unzip "../${src}"
+      cd "${TMP_DIR}"
+      dd if=/dev/zero bs=1M count=258 of=temp.img
+      /sbin/sfdisk temp.img <<EOF
+label: dos
+label-id: 0x0a7b5ac5
+device: temp.img
+unit: sectors
+
+./test.img1 : start=        2048, size=       524288, type=c
+EOF
+      file temp.img
+      kpartx -lv temp.img | head -n1 | awk '{print $1}'
+      LOOP="/dev/mapper/$(kpartx -lv temp.img | head -n1 | awk '{print $1}')"
+      kpartx -av temp.img
+      /sbin/mkfs.fat -F 32 -s 1 "${LOOP}"
+      mkdir fs
+      mount "${LOOP}" fs
+      cp -v files/* fs
+      sync
+      umount fs
+      kpartx -dv temp.img
+   )
+   mkdir -p images
+   chown "${SUDO_UID}:${SUDO_GID}" images
+   mv "${TMP_DIR}/temp.img" "images/${img}"
+   file "images/${img}"
+   cd images
+   zip "${src}" "${img}"
+   cd ..
+   rm "images/${img}"
+   chown "${SUDO_UID}:${SUDO_GID}" "images/${src}"
+done

imager/make-release

@@ -38,7 +38,7 @@ gen_release() {
       "${script_dir}/../rpi-eeprom-config" \
          --config "${config}" --out pieeprom.bin \
          "${firmware_dir}/pieeprom-${pieeprom_version}.bin" || die "Failed to create updated EEPROM config with \"${config}\""
-      sha256sum pieeprom.bin | awk '{print $1}' > pieeprom.sig
+      ${script_dir}/../rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
       echo "Creating ${out}"
       zip "${out}" *
       cleanup

releases.md

@@ -1,7 +1,6 @@
 # Raspberry Pi 4B, 400 and CM4 bootloader EEPROM releases
 This page provides links to the production and development release images for the bootloader EEPROM on BCM2711-based Raspberry Pi computers. Normally, the 
-bootloader is automatically updated after an APT update via the [rpi-eeprom-update](https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md)
-utility. 
+bootloader is automatically updated after an APT update via the [rpi-eeprom-update](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#automatic-updates) utility.
 
 ## Release notes
 Release notes are available [here](https://github.com/raspberrypi/rpi-eeprom/blob/master/firmware/release-notes.md).
@@ -10,8 +9,8 @@ Release notes are available [here](https://github.com/raspberrypi/rpi-eeprom/blo
 The default production EEPROM image release is [2020-09-03](https://github.com/raspberrypi/rpi-eeprom/releases/tag/v2020.09.03-138a1) and can be installed via the [Raspberry Pi Imager](https://www.raspberrypi.org/downloads/).
 
 ## USB MSD boot
-Please see the [USB mass storage boot](https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md) guide.
-For support or hardware interoperability discussions please use the Raspberry Pi [general discussion](https://www.raspberrypi.org/forums/viewforum.php?f=63) forum.
+Please see the [USB mass storage boot](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#usb-mass-storage-boot) guide.
+For support or hardware interoperability discussions please use the Raspberry Pi [general discussion](https://forums.raspberrypi.com/viewforum.php?f=63) forum.
 
 ## Old EEPROM images
 Old bootloader images are periodically removed from the APT package to reduce the disk space, but are still available via Github [here](https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware/old).

rpi-eeprom-config

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 """
 rpi-eeprom-config
@@ -8,6 +8,7 @@ import argparse
 import atexit
 import os
 import subprocess
+import string
 import struct
 import sys
 import tempfile
@@ -15,7 +16,12 @@ import time
 
 IMAGE_SIZE = 512 * 1024
 
-MAX_BOOTCONF_SIZE = 2024
+# Larger files won't with with "vcgencmd bootloader_config"
+MAX_FILE_SIZE = 2024
+ALIGN_SIZE = 4096
+BOOTCONF_TXT = 'bootconf.txt'
+BOOTCONF_SIG = 'bootconf.sig'
+PUBKEY_BIN = 'pubkey.bin'
 
 # Each section starts with a magic number followed by a 32 bit offset to the
 # next section (big-endian).
@@ -26,12 +32,18 @@ MAX_BOOTCONF_SIZE = 2024
 # The last 4KB of the EEPROM image is reserved for internal use by the
 # bootloader and may be overwritten during the update process.
 MAGIC = 0x55aaf00f
+PAD_MAGIC = 0x55aafeef
 MAGIC_MASK = 0xfffff00f
-FILE_MAGIC = 0x55aaf11f # id for modifiable file, currently only bootconf.txt
+FILE_MAGIC = 0x55aaf11f # id for modifiable files
 FILE_HDR_LEN = 20
 FILENAME_LEN = 12
 TEMP_DIR = None
 
+DEBUG = False
+def debug(s):
+    if DEBUG:
+        sys.stderr.write(s + '\n')
+
 def rpi4():
     compatible_path = "/sys/firmware/devicetree/base/compatible"
     if os.path.exists(compatible_path):
@@ -59,6 +71,25 @@ def create_tempdir():
     if TEMP_DIR is None:
         TEMP_DIR = tempfile.mkdtemp()
 
+def pemtobin(infile):
+    """
+    Converts an RSA public key into the format expected by the bootloader.
+    """
+    # Import the package here to make this a weak dependency.
+    from Cryptodome.PublicKey import RSA
+
+    arr = bytearray()
+    f = open(infile,'r')
+    key = RSA.importKey(f.read())
+
+    if key.size_in_bits() != 2048:
+        raise Exception("RSA key size must be 2048")
+
+    # Export N and E in little endian format
+    arr.extend(key.n.to_bytes(256, byteorder='little'))
+    arr.extend(key.e.to_bytes(8, byteorder='little'))
+    return arr
+
 def exit_error(msg):
     """
     Trapped a fatal error, output message to stderr and exit with non-zero
@@ -109,9 +140,13 @@ def apply_update(config, eeprom=None, config_src=None):
     else:
         eeprom_image = get_latest_eeprom()
     create_tempdir()
+
+    # Replace the contents of bootconf.txt with the contents of the config file
     tmp_update = os.path.join(TEMP_DIR, 'pieeprom.upd')
     image = BootloaderImage(eeprom_image, tmp_update)
-    image.write(config)
+    image.update_file(config, BOOTCONF_TXT)
+    image.write()
+
     config_str = open(config).read()
     if config_src is None:
         config_src = ''
@@ -145,7 +180,7 @@ def edit_config(eeprom=None):
     if os.path.exists(pending):
         config_src = pending
         image = BootloaderImage(pending)
-        current_config = image.get_config().decode('utf-8')
+        current_config = image.get_file(BOOTCONF_TXT).decode('utf-8')
     else:
         current_config, config_src = read_current_config()
 
@@ -180,6 +215,14 @@ def read_current_config():
 
     return (shell_cmd(['vcgencmd', 'bootloader_config']), "vcgencmd bootloader_config")
 
+class ImageSection:
+    def __init__(self, magic, offset, length, filename=''):
+        self.magic = magic
+        self.offset = offset
+        self.length = length
+        self.filename = filename
+        debug("ImageSection %x %x %x %s" % (magic, offset, length, filename))
+
 class BootloaderImage(object):
     def __init__(self, filename, output=None):
         """
@@ -187,6 +230,7 @@ class BootloaderImage(object):
         and optionally an output filename.
         """
         self._filename = filename
+        self._sections = []
         try:
             self._bytes = bytearray(open(filename, 'rb').read())
         except IOError as err:
@@ -198,47 +242,112 @@ class BootloaderImage(object):
         if len(self._bytes) != IMAGE_SIZE:
             exit_error("%s: Expected size %d bytes actual size %d bytes" %
                        (filename, IMAGE_SIZE, len(self._bytes)))
+        self.parse()
 
-    def find_config(self):
+    def parse(self):
+        """
+        Builds a table of offsets to the different sections in the EEPROM.
+        """
         offset = 0
         magic = 0
+        found = False
         while offset < IMAGE_SIZE:
             magic, length = struct.unpack_from('>LL', self._bytes, offset)
-            if (magic & MAGIC_MASK) != MAGIC:
-                raise Exception('EEPROM is corrupted')
+            if magic == 0x0 or magic == 0xffffffff:
+                break # EOF
+            elif (magic & MAGIC_MASK) != MAGIC:
+                raise Exception('EEPROM is corrupted %x %x %x' % (magic, magic & MAGIC_MASK, MAGIC))
 
+            filename = ''
             if magic == FILE_MAGIC: # Found a file
-                name = self._bytes[offset + 8: offset + FILE_HDR_LEN]
-                if name.decode('utf-8') == 'bootconf.txt':
-                    return (offset, length)
+                # Discard trailing null characters used to pad filename
+                filename = self._bytes[offset + 8: offset + FILE_HDR_LEN].decode('utf-8').replace('\0', '')
+            self._sections.append(ImageSection(magic, offset, length, filename))
 
             offset += 8 + length # length + type
             offset = (offset + 7) & ~7
 
-        raise Exception('EEPROM parse error: Bootloader config not found')
+    def find_file(self, filename):
+        """
+        Returns the offset, length and whether this is the last section in the
+        EEPROM for a modifiable file within the image.
+        """
+        ret = (-1, -1, False)
+        for i in range(0, len(self._sections)):
+            s = self._sections[i]
+            if s.magic == FILE_MAGIC and s.filename == filename:
+                is_last = (i == len(self._sections) - 1)
+                ret = (s.offset, s.length, is_last)
+                break
+        debug('%s offset %d length %d last %s' % (filename, ret[0], ret[1], ret[2]))
+        return ret
 
-    def write(self, new_config):
-        hdr_offset, length = self.find_config()
-        new_config_bytes = open(new_config, 'rb').read()
-        new_len = len(new_config_bytes) + FILENAME_LEN + 4
-        if len(new_config_bytes) > MAX_BOOTCONF_SIZE:
-            raise Exception("Config is too large (%d bytes). The maximum size is %d bytes."
-                            % (len(new_config_bytes), MAX_BOOTCONF_SIZE))
-        if hdr_offset + len(new_config_bytes) + FILE_HDR_LEN > IMAGE_SIZE:
+    def update(self, src_bytes, dst_filename):
+        """
+        Replaces a modifiable file with specified byte array.
+        """
+        hdr_offset, length, is_last = self.find_file(dst_filename)
+        if hdr_offset < 0:
+            raise Exception('Update target %s not found' % dst_filename)
+
+        if hdr_offset + len(src_bytes) + FILE_HDR_LEN > IMAGE_SIZE:
             raise Exception('EEPROM image size exceeded')
 
+        new_len = len(src_bytes) + FILENAME_LEN + 4
         struct.pack_into('>L', self._bytes, hdr_offset + 4, new_len)
-        struct.pack_into(("%ds" % len(new_config_bytes)), self._bytes,
-                         hdr_offset + 4 + FILE_HDR_LEN, new_config_bytes)
+        struct.pack_into(("%ds" % len(src_bytes)), self._bytes,
+                         hdr_offset + 4 + FILE_HDR_LEN, src_bytes)
 
-        # If the new config is smaller than the old config then set any old
+        # If the new file is smaller than the old file then set any old
         # data which is now unused to all ones (erase value)
-        pad_start = hdr_offset + 4 + FILE_HDR_LEN + len(new_config_bytes)
+        pad_start = hdr_offset + 4 + FILE_HDR_LEN + len(src_bytes)
+
+        # Add padding up to 8-byte boundary
+        while pad_start % 8 != 0:
+            struct.pack_into('B', self._bytes, pad_start, 0xff)
+            pad_start += 1
+
+        # Create a padding section unless the padding size is smaller than the
+        # size of a section head. Padding is allowed in the last section but
+        # by convention bootconf.txt is the last section and there's no need to
+        # pad to the end of the sector. This also ensures that the loopback
+        # config read/write tests produce identical binaries.
+        pad_bytes = ALIGN_SIZE - (pad_start % ALIGN_SIZE)
+        if pad_bytes > 8 and not is_last:
+            pad_bytes -= 8
+            struct.pack_into('>i', self._bytes, pad_start, PAD_MAGIC)
+            pad_start += 4
+            struct.pack_into('>i', self._bytes, pad_start, pad_bytes)
+            pad_start += 4
+
+        debug("pad %d" % pad_bytes)
         pad = 0
-        while pad < (length - len(new_config_bytes)):
+        while pad < pad_bytes:
             struct.pack_into('B', self._bytes, pad_start + pad, 0xff)
             pad = pad + 1
 
+    def update_key(self, src_pem, dst_filename):
+        """
+        Replaces the specified public key entry with the public key values extracted
+        from the source PEM file.
+        """
+        pubkey_bytes = pemtobin(src_pem)
+        self.update(pubkey_bytes, dst_filename)
+
+    def update_file(self, src_filename, dst_filename):
+        """
+        Replaces the contents of dst_filename in the EEPROM with the contents of src_file.
+        """
+        src_bytes = open(src_filename, 'rb').read()
+        if len(src_bytes) > MAX_FILE_SIZE:
+            raise Exception("src file %s is too large (%d bytes). The maximum size is %d bytes."
+                            % (src_filename, len(src_bytes), MAX_FILE_SIZE))
+        self.update(src_bytes, dst_filename)
+
+    def write(self):
+        """
+        Writes the updated EEPROM image to stdout or the specified output file.
+        """
         if self._out is not None:
             self._out.write(self._bytes)
             self._out.close()
@@ -248,14 +357,14 @@ class BootloaderImage(object):
             else:
                 sys.stdout.write(self._bytes)
 
-    def get_config(self):
-        hdr_offset, length = self.find_config()
+    def get_file(self, filename):
+        hdr_offset, length, is_last = self.find_file(filename)
         offset = hdr_offset + 4 + FILE_HDR_LEN
         config_bytes = self._bytes[offset:offset+length-FILENAME_LEN-4]
         return config_bytes
 
     def read(self):
-        config_bytes = self.get_config()
+        config_bytes = self.get_file('bootconf.txt')
         if self._out is not None:
             self._out.write(config_bytes)
             self._out.close()
@@ -322,8 +431,21 @@ Operating modes:
    The default text editor is nano and may be overridden by setting the 'EDITOR'
    environment variable and passing '-E' to 'sudo' to preserve the environment.
 
-See 'rpi-eeprom-update -h' for more information about the available EEPROM
-images.
+6. Signing the bootloader config file.
+   Updates an EEPROM binary with a signed config file (created by rpi-eeprom-digest) plus
+   the corresponding RSA public key.
+
+   Requires Python Cryptodomex libraries and OpenSSL. To install on Raspberry Pi OS run:-
+   sudo apt install openssl python-pip
+   sudo python3 -m pip install cryptodomex
+
+   rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
+   rpi-eeprom-config --config bootconf.txt --digest bootconf.sig --pubkey public.pem --out pieeprom-signed.bin pieeprom.bin
+
+   Currently, the signing process is a separate step so can't be used with the --edit or --apply modes.
+
+
+See 'rpi-eeprom-update -h' for more information about the available EEPROM images.
 """
     parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter,
                                      description=description)
@@ -333,6 +455,8 @@ images.
     parser.add_argument('-c', '--config', help='Name of bootloader configuration file', required=False)
     parser.add_argument('-e', '--edit', action='store_true', default=False, help='Edit the current EEPROM config')
     parser.add_argument('-o', '--out', help='Name of output file', required=False)
+    parser.add_argument('-d', '--digest', help='Signed boot only. The name of the .sig file generated by rpi-eeprom-dgst for config.txt ', required=False)
+    parser.add_argument('-p', '--pubkey', help='Signed boot only. The name of the RSA public key file to store in the EEPROM', required=False)
     parser.add_argument('eeprom', nargs='?', help='Name of EEPROM file to use as input')
     args = parser.parse_args()
 
@@ -353,7 +477,12 @@ images.
         if args.config is not None:
             if not os.path.exists(args.config):
                 exit_error("config file '%s' not found" % args.config)
-            image.write(args.config)
+            image.update_file(args.config, BOOTCONF_TXT)
+            if args.digest is not None:
+                image.update_file(args.digest, BOOTCONF_SIG)
+            if args.pubkey is not None:
+                image.update_key(args.pubkey, PUBKEY_BIN)
+            image.write()
         else:
             image.read()
     elif args.config is None and args.eeprom is None:

rpi-eeprom-digest

@@ -0,0 +1,110 @@
+#!/bin/sh
+
+# Helper script to generate .sig files for use with the Raspberry Pi bootloader.
+
+# This has been implemented in a separate script in order to have avoid having
+# a hard dependency on OpenSSL.
+
+set -e
+
+OPENSSL=${OPENSSL:-openssl}
+
+die() {
+   echo "$@" >&2
+   exit 1
+}
+
+TMP_DIR=""
+cleanup() {
+   if [ -f "${TMP_DIR}" ]; then
+      rm -rf "${TMP_DIR}"
+   fi
+}
+
+checkDependencies() {
+   if ! command -v sha256sum > /dev/null; then
+      die "sha256sum not found. Try installing the coreutilities package."
+   fi
+
+   if [ -n "${KEY}" ]; then
+      if ! command -v ${OPENSSL} > /dev/null; then
+         die "${OPENSSL} not found. Try installing the openssl package."
+      fi
+
+      if ! command -v xxd > /dev/null; then
+         die "xxd not found. Try installing the xxd package."
+      fi
+   fi
+}
+
+usage() {
+cat <<EOF
+rpi-eeprom-digest [-k RSA_KEY] -i IMAGE -o OUTPUT
+
+Creates a .sig file containing the sha256 digest of the IMAGE and an optional
+RSA signature of that hash.
+
+Options:
+   -i The source image.
+   -o The name of the digest/signature file.
+   -k Optional RSA private key.
+
+RSA signing
+If a private key in PEM format is supplied then the RSA signature of the
+sha256 digest is included in the .sig file. Currently, the bootloader only
+supports sha256 digests signed with a 2048bit RSA key.
+The bootloader only verifies RSA signatures in signed boot mode
+(not available yet) and only for the EEPROM config file and the signed image.
+
+Examples:
+
+# Generate RSA signature for the EEPROM config file.
+rpi-eeprom-digest -k key.pem -i bootconf.txt  -o bootconf.sig
+
+# Generate the normal sha256 hash to guard against file-system corruption
+rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
+rpi-eeprom-digest -i vl805.bin -o vl805.sig
+
+EOF
+exit 0
+}
+
+OUTPUT=""
+while getopts i:k:ho: option; do
+   case "${option}" in
+   i) IMAGE="${OPTARG}"
+      ;;
+   k) KEY="${OPTARG}"
+      ;;
+   o) OUTPUT="${OPTARG}"
+      ;;
+   h) usage
+      ;;
+   *) echo "Unknown argument \"${option}\""
+      usage
+      ;;
+   esac
+done
+
+[ -n "${IMAGE}" ] || usage
+[ -n "${OUTPUT}" ] || usage
+
+trap cleanup EXIT
+
+checkDependencies
+
+[ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
+
+TMP_DIR=$(mktemp -d)
+SIG_TMP="${TMP_DIR}/tmp.sig"
+sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}"
+
+# Include the update-timestamp
+echo "ts: $(date -u +%s)" >> "${OUTPUT}"
+
+if [ -n "${KEY}" ]; then
+   [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
+
+   "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
+   echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
+fi

rpi-eeprom-update

@@ -30,7 +30,6 @@ FIRMWARE_BACKUP_DIR=${FIRMWARE_BACKUP_DIR:-/var/lib/raspberrypi/bootloader/backu
 ENABLE_VL805_UPDATES=${ENABLE_VL805_UPDATES:-1}
 RECOVERY_BIN=${RECOVERY_BIN:-${FIRMWARE_ROOT}/${FIRMWARE_RELEASE_STATUS}/recovery.bin}
 BOOTFS=${BOOTFS:-/boot}
-VCMAILBOX=${VCMAILBOX:-/opt/vc/bin/vcmailbox}
 CM4_ENABLE_RPI_EEPROM_UPDATE=${CM4_ENABLE_RPI_EEPROM_UPDATE:-0}
 RPI_EEPROM_UPDATE_CONFIG_TOOL="${RPI_EEPROM_UPDATE_CONFIG_TOOL:-raspi-config}"
 
@@ -58,8 +57,8 @@ BOARD_TYPE=
 # Newer board revisions embed the VLI firmware in the bootloader EEPROM and
 # there is no way to separately update the VLI firmware. Consequently,
 # standalone vl805 update files do not trigger automatic updates.
-# Recovery.bin and the the SPI bootloader ignore vl805.bin files on boards
-# without a dedicate VL805 EEPROM.
+# recovery.bin and the SPI bootloader ignore vl805.bin files on boards
+# without a dedicated VL805 EEPROM.
 HAVE_VL805_EEPROM=0
 
 TMP_EEPROM_IMAGE=""
@@ -174,41 +173,28 @@ applyRecoveryUpdate()
 {
    [ -n "${BOOTLOADER_UPDATE_IMAGE}" ] || [ -n "${VL805_UPDATE_IMAGE}" ] || die "No update images specified"
 
-   findBootFS
-   echo "BOOTFS ${BOOTFS}"
+   getBootloaderCurrentVersion
+   BOOTLOADER_UPDATE_VERSION=$(strings "${BOOTLOADER_UPDATE_IMAGE}" | grep BUILD_TIMESTAMP | sed 's/.*=//g')
+   if [ "${BOOTLOADER_CURRENT_VERSION}" -gt "${BOOTLOADER_UPDATE_VERSION}" ]; then
+      echo "   WARNING: Installing an older bootloader version."
+      echo "            Update the rpi-eeprom package to fetch the latest bootloader images."
+      echo
+   fi
+   echo "   CURRENT: $(date -u "-d@${BOOTLOADER_CURRENT_VERSION}") (${BOOTLOADER_CURRENT_VERSION})"
+   echo "    UPDATE: $(date -u "-d@${BOOTLOADER_UPDATE_VERSION}") (${BOOTLOADER_UPDATE_VERSION})"
+
+   findBootFS
+   echo "    BOOTFS: ${BOOTFS}"
 
-   # A '.sig' file is created so that recovery.bin can check that the
-   # EEPROM image has not been corrupted (e.g. SD card corruption).
-   # Format of the .sig file.
-   # --
-   # SHA256\n
-   # ts: UPDATE-TIMESTAMP\n
-   # --
-   # SHA256 is a 64 character hex string
-   # UPDATE-TIMESTAMP is an unsigned decimal.
-   #
-   # The 'filename' output from sha256 MUST be omitted.
    if [ -n "${BOOTLOADER_UPDATE_IMAGE}" ]; then
         [ -f "${BOOTLOADER_UPDATE_IMAGE}" ] || die "${BOOTLOADER_UPDATE_IMAGE} not found"
 
         TMP_EEPROM_IMAGE="$(mktemp)"
         prepareImage
-        # If recovery.bin encounters pieeprom.upd then it will select it in
-        # preference to pieeprom.bin. The .upd file also causes recovery.bin
-        # to rename itself to recovery.000 and reboot if the update is successful.
-        # The rename causes the ROM to ignore this file and use the newly flashed
-        # EEPROM image instead.
-        sha256sum "${TMP_EEPROM_IMAGE}" | awk '{print $1}' > "${BOOTFS}/pieeprom.sig" \
-                || die "Failed to create ${BOOTFS}/pieeprom.sig"
 
-        # Appends the update creation timestamp on a newline in pieeprom.sig
-        # During a self-update mode the bootloader examines the update-timestamp
-        # and will only update itself if it is newer than the current update
-        # timestamp.
-        #
-        # The update-timestamp is independent of the bootloader version and
-        # does not have to be timestamp.
-        echo "ts: $(date -u +%s)" >> "${BOOTFS}/pieeprom.sig"
+        # Generate a .sig file containing the sha256 hash of the EEPROM image
+        # and the current timestamp.
+        rpi-eeprom-digest -i "${TMP_EEPROM_IMAGE}" -o "${BOOTFS}/pieeprom.sig"
 
         cp -f "${TMP_EEPROM_IMAGE}" "${BOOTFS}/pieeprom.upd" \
                 || die "Failed to copy ${TMP_EEPROM_IMAGE} to ${BOOTFS}"
@@ -219,8 +205,7 @@ applyRecoveryUpdate()
    fi
 
    if [ -n "${VL805_UPDATE_IMAGE}" ]; then
-        sha256sum "${VL805_UPDATE_IMAGE}" | awk '{print $1}' > "${BOOTFS}/vl805.sig" \
-                || die "Failed to create ${BOOTFS}/vl805.sig"
+        rpi-eeprom-digest -i "${VL805_UPDATE_IMAGE}" -o "${BOOTFS}/vl805.sig"
 
         cp -f "${VL805_UPDATE_IMAGE}" "${BOOTFS}/vl805.bin" \
                 || die "Failed to copy ${VL805_UPDATE_IMAGE} to ${BOOTFS}/vl805.bin"
@@ -232,6 +217,10 @@ applyRecoveryUpdate()
 
    cp -f "${RECOVERY_BIN}" "${BOOTFS}/recovery.bin" \
       || die "Failed to copy ${RECOVERY_BIN} to ${BOOTFS}"
+
+   echo ""
+   echo "EEPROM updates pending. Please reboot to apply the update."
+   echo "To cancel a pending update run \"sudo rpi-eeprom-update -r\"."
 }
 
 applyUpdate() {
@@ -301,8 +290,11 @@ checkDependencies() {
       BOARD_INFO="$(od -v -An -t x1 /sys/firmware/devicetree/base/system/linux,revision | tr -d ' \n')"
    elif grep -q Revision /proc/cpuinfo; then
       BOARD_INFO="$(sed -n '/^Revision/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo)"
-   else
+   elif command -v vcgencmd > /dev/null; then
       BOARD_INFO="$(vcgencmd otp_dump | grep '30:' | sed 's/.*://')"
+   else
+      echo "No Raspberry Pi board info found"
+      exit ${EXIT_SUCCESS}
    fi
 
    if [ $(((0x$BOARD_INFO >> 23) & 1)) -eq 0 ] || [ $(((0x$BOARD_INFO >> 12) & 15)) -ne 3 ]; then
@@ -326,6 +318,10 @@ checkDependencies() {
       HAVE_VL805_EEPROM=0
    fi
 
+   if ! command -v rpi-eeprom-digest > /dev/null; then
+      die "rpi-eeprom-digest not found. Try re-installing the rpi-eeprom package"
+   fi
+
    if ! command -v lspci > /dev/null; then
       die "lspci not found. Try installing the pciutils package."
    fi
@@ -405,14 +401,14 @@ Options:
       firmware updates.
    -h Display help text and exit
    -i Ignore package checksums - for rpi-eeprom developers.
-   -j Write status information using JSON notation
+   -j Write status information using JSON notation (requires -m option)
    -l Returns the full path to the latest available EEPROM image file according
       to the FIRMWARE_RELEASE_STATUS and FIRMWARE_IMAGE_DIR settings.
    -m Write status information to the given file when run without -a or -f
    -r Removes temporary EEPROM update files from the boot partition. This also
-      reverts a pending update.
+      cancels a pending update.
    -s Skips silent, automatic upgrades for default releases if the current
-      bootloader release is newer than the the version specified by
+      bootloader release is newer than the version specified by
       BOOTLOADER_AUTO_UPDATE_MIN_VERSION ${BOOTLOADER_AUTO_UPDATE_MIN_VERSION}
    -u Install the specified VL805 (USB EEPROM) image file.
 
@@ -474,7 +470,7 @@ To flash the new image:
 The syntax is the same as config.txt See online documentation for the list of parameters.
 
 The official documentation for the Raspberry Pi bootloader EEPROM is available at
-https://www.raspberrypi.org/documentation/hardware/raspberrypi/booteeprom.md
+   https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-boot-eeprom
 
 Compute Module 4 (CM4):
 
@@ -484,10 +480,7 @@ cause the system to fail to boot so automatic updates are disabled. We also
 recommend write-protecting the SPI EPPROM after flashing it using usbboot.
 
 CM4 bootloader and EEPROM update instructions:
-   https://www.raspberrypi.org/documentation/hardware/computemodule/cm-emmc-flashing.md
-
-usbboot instructions for flashing CM4 EMMC and bootloader EEPROM:
-   https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md
+   https://www.raspberrypi.com/documentation/computers/compute-module.html#compute-module-4-bootloader
 
 The CM4 ROM does not support running recovery.bin from the EMMC on CM4 so this service
 is disabled by default. SELF_UPDATE from USB or Network boot is supported but this
@@ -658,9 +651,6 @@ checkAndApply()
 
       printVersions
       applyUpdate
-      echo ""
-      echo "EEPROM updates pending. Please reboot to apply the update."
-      echo "To cancel a pending update run \"sudo rpi-eeprom-update -r\"."
    else
       printVersions
    fi
@@ -670,6 +660,7 @@ fileUpdate()
 {
    removePreviousUpdates
    echo "*** INSTALLING ${BOOTLOADER_UPDATE_IMAGE} ${VL805_UPDATE_IMAGE} ***"
+   echo
 
    if [ -n "${BOOTLOADER_UPDATE_IMAGE}" ]; then
       [ -f "${BOOTLOADER_UPDATE_IMAGE}" ] || die "Bootloader image \"${BOOTLOADER_UPDATE_IMAGE}\" not found"
@@ -680,7 +671,6 @@ fileUpdate()
    fi
 
    applyUpdate
-   echo "EEPROM update pending. Please reboot to apply the update."
 }
 
 removePreviousUpdates()

test/bootconf.sig

@@ -0,0 +1,3 @@
+b5b917dc53a59c23035a89d4c58606211a07d4fb6e16bd00d74457a93ea5a264
+ts: 1614092425
+rsa2048: 284d3ef8b960ef9dd0bf5f320eacccb527623890b11136801fcfaf950ef3fb32c9b86ee48337d2cd21e00665a62215ff4d811b15d89867fb55d71b6372a4fa4b79af60cdda84c8a7d9b52d5f2b3026d3b088345d9424842cc2eb73e23f4577e12c74bc3bc1890bfbb6509fc8702cd3a202929bb6f9e5162ea53ec6e8503e08dda7b0c86a90bc21d33bd49535554383fe88e7d1d8e46e27c2bce60cf15b69c56ee27ccdd81ff8f47a616a2796cc2d943e17c6c01ac191f9b7dcda440238062e6c49df01f4bb8b97ce380a46aa29a03bf3fcbede3d76c13d862fc8b60b472a4d1017d5535f5188858a6e1103db2666aa63264e7c1f752b917405527094ed0da737

test/bootconf.txt

@@ -0,0 +1,8 @@
+[all]
+BOOT_UART=1
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+HDMI_DELAY=0
+# Load firmware and kernel from signed boot.img file
+SIGNED_BOOT=1
+

test/install

@@ -21,6 +21,7 @@ CONFIG="/etc/default/rpi-eeprom-update"
 
 cp -rfv "${FIRMWARE_DIR}"/* /lib/firmware/raspberrypi/bootloader
 cp -fv "${script_dir}/../rpi-eeprom-config" /usr/bin
+cp -fv "${script_dir}/../rpi-eeprom-digest" /usr/bin
 cp -fv "${script_dir}/../rpi-eeprom-update" /usr/bin
 rm -f /usr/bin/vl805
 

test/private.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA+l3E+h/QNjrIR1cG6NpzP0fBwp2UDpuQAafXDS5yryrfCPDY
+TO9DvzAfOk9Dz/putDfHV0RTOFXv1tmc4nqOgU6nKx7tTdsjTiY4CgG3vXRMuAmD
+GX5ssJFCVmljGuILt1INlCmtun7Ow35VTxOcRDDfrBDKnSitzOTf6KTR7xJhqFFh
+dMpIg8hW4bDBKMavyt38pRvDaO1o01qaQT/GgAPmJm27y5RKNAe6iVTqsm4TMAhK
+C6P4XyRAbe6OMdFZyEWEk7Asexuc7uZlVHsUI6pebSW/07O+5l/U7/3k6r//hO/H
+DFOBUUW55EjzzC1BhTlWHWfZNI+5+NdN8o323QIDAQABAoIBAByQGZKSkhG5w5MV
+++ERWQARaurNyPAgsb1qnUdw8t8GlFLkDT07t74mWo2vsNQXpU0Upv6O+jKNZVMc
+2P/ijQL2Cu7JtLeC5mR6Sj7kAscPr1f4p9b+/B3puIh8tfSBcOY9a3Spi5sg7+xQ
+K6HdoiCKdd4evUrQMwHS47OaKCQuuibm46LWbXO1nk9QkymUy6zyaT5IuNpfKYKD
+UdFqV1FNwZ9A2Yb89rweBgU4DWdbjgVqBc23vS9l913rqd2LHN/4+XDBOGrovu5r
+mJy4WsyXuT0twuqi7FzhtbCdN/zhLo2od1XK6uA65EKdA9rrRMkNeGvxts6q3fPE
+i6tj7OECgYEA/YbIR8n8Vvb5XPAav/aAon4qjXyhkUTjnJfVT0yA+6T1AJwvQ+O4
+AhYgN4ld7msKRDJLcJs0EU8CmWUKJRt5Ai+JsOCbPuBNo+VGEFSsdG0mrSjFZf2e
+Bjm41lnvAEWReGwr9MVIf/prDE2/3aUl9irkNdu5q6NpG9M0N7AhzGECgYEA/M8Y
+Ew9Nv+XqEVKvOzxKRZBa6yzlOUj5PQ3cD7jl1aUNK4rTucvr3sJZAsgm5j+0XG99
+AJ447zdDEdcQbsOSaBR69pccdHYEaRSiIxWaCAir2BBS5DxYtgB6BLrIfBd1cKHv
+qB6u4M6FRJ5BcQa6VYlizAfG2yXoJv0xFrlQ2/0CgYEAwq0Alb+QOOckzCzDHayX
+Ui83VbXiCr6vWMtuTJoeYR1l1LYZxTPTVCbRTlP5AN7I310PeMR00uWsxUVE6QGT
+hg4i2ONf0oRCmhuwFVIvqqc2D7lC+vIoqfcg69fbIoZJEgNeLXJgHYWZNbVuIzBx
+WfnNi13R0O6GA4vGiQyCp4ECgYB1ZTG3wBaJsxlDnBLVPgT7UrJ1nO6A8HsUt/fl
+sSXBVRjNjHUPRTutwLAW050EtLZrajYw8EheBVp20VjHJrg47rG/CqLjDd60cSlt
+g114t5YdCk+DvuYu9f+zbI0m2rnlaL1iY4UvzZcjKx4Wf1pN2DNxrXbRU0P/vvlp
+pPqAfQKBgDZnxWuvRsT9rztGrEottifchfrStZx7u/2+iBtjFeFXr7L4MI14fNm2
+HkoThCpfFXCJFpRxy+kYi6xbPK/Om/hFNs3J5xqheTW8hFx7KN/zPg7jc0MlZ2R/
+uuOgZU9kkzLOamDyP85Doah7kAyA2PnLUno2k4IirbNVoH3aV++G
+-----END RSA PRIVATE KEY-----

test/public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+l3E+h/QNjrIR1cG6Npz
+P0fBwp2UDpuQAafXDS5yryrfCPDYTO9DvzAfOk9Dz/putDfHV0RTOFXv1tmc4nqO
+gU6nKx7tTdsjTiY4CgG3vXRMuAmDGX5ssJFCVmljGuILt1INlCmtun7Ow35VTxOc
+RDDfrBDKnSitzOTf6KTR7xJhqFFhdMpIg8hW4bDBKMavyt38pRvDaO1o01qaQT/G
+gAPmJm27y5RKNAe6iVTqsm4TMAhKC6P4XyRAbe6OMdFZyEWEk7Asexuc7uZlVHsU
+I6pebSW/07O+5l/U7/3k6r//hO/HDFOBUUW55EjzzC1BhTlWHWfZNI+5+NdN8o32
+3QIDAQAB
+-----END PUBLIC KEY-----

test/test-rpi-eeprom-config

@@ -59,6 +59,29 @@ check_reduce_size()
 
 }
 
+check_signed_loopback()
+{
+   echo "check_signed $1 $2"
+
+   image="${script_dir}/$1"
+   conf="${script_dir}/$2"
+   digest="${script_dir}/$3"
+   pubkey="${script_dir}/$4"
+
+   # Replace the config, config.sig and pubkey and verify that the output is the same
+   TMP_EEPROM="$(mktemp)"
+   "${script_dir}/../rpi-eeprom-config" \
+      "${image}" \
+      --config "${conf}" \
+      --digest "${digest}" \
+      --pubkey "${pubkey}" \
+      --out "${TMP_EEPROM}"
+
+   expected_md5="$(md5sum "${image}" | awk '{print $1}')"
+   actual_md5="$(md5sum "${TMP_EEPROM}" | awk '{print $1}')"
+   [ "${actual_md5}" = "${expected_md5}" ] || die "EEPROM signed-loopback: checksum mismatch"
+}
+
 check_loopback()
 {
    echo "check_loopback $1 $2"
@@ -148,6 +171,11 @@ for ver in ${versions}; do
    cleanup
 done
 
+echo "Test lookback with a signed EEPROM image"
+check_loopback pieeprom-signed.bin bootconf.txt
+check_signed_loopback pieeprom-signed.bin bootconf.txt bootconf.sig public.pem
+cleanup
+
 check_update "../firmware/old/beta/pieeprom-2019-07-15.bin" "pieeprom-2019-07-15-freeze.bin" "bootconf-2019-07-15-freeze.txt"
 cleanup