Merge pull request #457 from timg236/pieeprom-2022-12-07

pieeprom-2022-12-07

firmware/release-notes.md

@@ -1,5 +1,82 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
+## 2022-12-07 - Fix SD voltage reset on Pi4 R1.1 (DEFAULT/STABLE/BETA).
+   * Fix issue where SD voltage was not reset by power cycling PMIC on reboot.
+     See https://github.com/raspberrypi/firmware/issues/1763
+
+## 2022-12-01 - Promote pieeprom-2022-11-25 to the DEFAULT release.
+Interesting changes since the last default release
+   * [tryboot] conditional statement + tryboot_a_b mode
+   * Support custom OTP mac addresses
+   * Increase TFTP_MAX_BLOCK_SIZE
+   * Stop NVMe cleanly
+   * Fixes for NETCONSOLE parsing and initialisation.
+   * Long filename support for start_file / fixup_file.
+   * Secure boot and display debug info on the diagnostis screen.
+
+## 2022-11-25 - Fix unconfigured netconsole messages - BETA + STABLE
+   * Fix unconfigured netconsole messages https://github.com/raspberrypi/rpi-eeprom/issues/452
+   * Add display state to HDMI diagnostics screen
+
+## 2022-11-04 - Fix secure boot issue - BETA + STABLE
+   * Fix an OOM issue that was causing secure boot to fail (but not from RPIBOOT)
+
+## 2022-11-02 - Add option to use Customer OTP for MAC address - BETA
+   * Add a new EEPROM property that allows the Ethernet MAC address
+     programmed during manufacture to be overridden a value in the
+     Customer OTP register.
+
+     MAC_ADDRESS_OTP=A,B
+     where A and B are the customer row numbers (0..7)
+
+## 2022-10-20 - Promote pieeprom-2022-10-18 BETA release to stable
+
+## 2022-10-18 - Tryboot enhancements for A/B partition booting - BETA
+   * Add support for a [tryboot] conditional statement in config files.
+   * Load config.txt instead of tryboot.txt if tryboot_a_b=1 in autoboot.txt
+   * Fix failover to partition 1  if the `boot_partition` points to non-bootable partition.
+   * Enable `autoboot.txt` in secure-boot mode.
+
+## 2022-10-12 - Fix USB boot regression - BETA
+   * Reduce size of USB transfer
+
+## 2022-10-06 - Fix issue with screen display - BETA
+   * Fix issue with the bootloader display not being cleared properly
+
+## 2022-10-03 - Add pieeprom-2022-10-03.bin - BETA
+   * Increase the size of USB in-transfers
+   * Increase TFTP_MAX_BLOCKSIZE to 1468
+   * stop NVMe cleanly
+
+## 2022-09-02 - Add pieeprom-2022-09-02 - BETA + STABLE
+   * Parse target MAC address in NETCONSOLE property https://github.com/raspberrypi/rpi-eeprom/issues/440
+
+## 2022-08-02 - Add pieeprom-2022-08-02 - BETA + STABLE
+   * Display the secure-boot configuration on the diagnostics screen
+     if secure-boot is enabled.
+     See https://www.raspberrypi.com/documentation/computers/configuration.html#bcm2711-bootloader-properties-chosenbootloader
+    * Toggle SD power at boot to reset card-state after ROM SD probe.
+
+## 2022-07-26 - Add pieeprom-2022-07-26 - BETA + STABLE
+   * Fix FAT issue https://github.com/raspberrypi/rpi-eeprom/issues/438
+
+## 2022-07-22 - Add pieeprom-2022-07-22 - BETA + STABLE
+   * NVMe fix large file reads - see https://github.com/raspberrypi/firmware/issues/1731
+     The firmware fix is also relevant for the bootloader when loading
+     large boot.img files.
+
+## 2022-07-19 - Add pieeprom-2022-07-19 - STABLE
+   * Enable secure-boot on the 2022-07-14 beta release and promote to stable.
+
+## 2022-07-14 - Add pieeprom-2022-07-14 - BETA
+   * Enable long-filenames & sub-directories for start_file & fixup_file.
+     Use Unix path separators with a maximum path of 255 characters.
+     Relative paths (. or ..) are not supported.
+
+## 2022-05-20 - Add pieeprom-2022-05-20 - BETA
+   * Reduce boot-time when network install is disabled NET_INSTALL_ENABLED=0.
+   * Switch to the newer SDIO HC and increase SPI clock speed.
+
 ## 2022-04-27 - Promote pieeprom-2022-04-26 to the DEFAULT release
    * Enable Network Install in the default bootloader release.
    * This release is signed with the secure-boot key and supports

imager/make-imager-release

@@ -4,4 +4,4 @@ set -e
 
 script_dir=$(cd "$(dirname "$0")" && pwd)
 
-${script_dir}/make-release critical 2022-01-25 000138a1 "${script_dir}" release rpi-boot-eeprom-recovery
+${script_dir}/make-release critical 2022-12-07 000138a1 "${script_dir}" release rpi-boot-eeprom-recovery

imager/make-recovery-images

@@ -47,7 +47,10 @@ EOF
       mount "${LOOP}" fs
       cp -v files/* fs
       sync
+      sleep 5
       umount fs
+      # Delay before calling kpartx otherwise it's sometimes possible to get orphaned loopback devices
+      sleep 5
       kpartx -dv temp.img
    )
    mkdir -p images
@@ -60,3 +63,4 @@ EOF
    rm "images/${img}"
    chown "${SUDO_UID}:${SUDO_GID}" "images/${src}"
 done
+echo "Wrote images for rpi-imager to $(pwd)/images/${src}"

releases.md

@@ -6,7 +6,7 @@ bootloader is automatically updated after an APT update via the [rpi-eeprom-upda
 Release notes are available [here](https://github.com/raspberrypi/rpi-eeprom/blob/master/firmware/release-notes.md).
 
 ## Default release
-The default production EEPROM image release is [2020-09-03](https://github.com/raspberrypi/rpi-eeprom/releases/tag/v2020.09.03-138a1) and can be installed via the [Raspberry Pi Imager](https://www.raspberrypi.org/downloads/).
+The default production EEPROM image release is [2022-11-25](https://github.com/raspberrypi/rpi-eeprom/releases/tag/v2022.11.25-138a1) and can be installed via the [Raspberry Pi Imager](https://www.raspberrypi.com/software/).
 
 ## USB MSD boot
 Please see the [USB mass storage boot](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#usb-mass-storage-boot) guide.

rpi-eeprom-config

@@ -16,9 +16,6 @@ import time
 
 IMAGE_SIZE = 512 * 1024
 
-# Larger files won't with with "vcgencmd bootloader_config"
-MAX_FILE_SIZE = 2024
-ALIGN_SIZE = 4096
 BOOTCONF_TXT = 'bootconf.txt'
 BOOTCONF_SIG = 'bootconf.sig'
 PUBKEY_BIN = 'pubkey.bin'
@@ -39,6 +36,11 @@ FILE_HDR_LEN = 20
 FILENAME_LEN = 12
 TEMP_DIR = None
 
+# Modifiable files are stored in a single 4K erasable sector.
+# The max content 4076 bytes because of the file header.
+ERASE_ALIGN_SIZE = 4096
+MAX_FILE_SIZE = ERASE_ALIGN_SIZE - FILE_HDR_LEN
+
 DEBUG = False
 def debug(s):
     if DEBUG:
@@ -221,7 +223,7 @@ class ImageSection:
         self.offset = offset
         self.length = length
         self.filename = filename
-        debug("ImageSection %x %x %x %s" % (magic, offset, length, filename))
+        debug("ImageSection %x offset %d length %d %s" % (magic, offset, length, filename))
 
 class BootloaderImage(object):
     def __init__(self, filename, output=None):
@@ -250,7 +252,6 @@ class BootloaderImage(object):
         """
         offset = 0
         magic = 0
-        found = False
         while offset < IMAGE_SIZE:
             magic, length = struct.unpack_from('>LL', self._bytes, offset)
             if magic == 0x0 or magic == 0xffffffff:
@@ -262,6 +263,7 @@ class BootloaderImage(object):
             if magic == FILE_MAGIC: # Found a file
                 # Discard trailing null characters used to pad filename
                 filename = self._bytes[offset + 8: offset + FILE_HDR_LEN].decode('utf-8').replace('\0', '')
+            debug("section at %d length %d magic %08x %s" % (offset, length, magic, filename))
             self._sections.append(ImageSection(magic, offset, length, filename))
 
             offset += 8 + length # length + type
@@ -272,26 +274,46 @@ class BootloaderImage(object):
         Returns the offset, length and whether this is the last section in the
         EEPROM for a modifiable file within the image.
         """
-        ret = (-1, -1, False)
+        offset = -1
+        length = -1
+        is_last = False
+
+        next_offset = IMAGE_SIZE - ERASE_ALIGN_SIZE # Don't create padding inside the bootloader scratch page
         for i in range(0, len(self._sections)):
             s = self._sections[i]
             if s.magic == FILE_MAGIC and s.filename == filename:
                 is_last = (i == len(self._sections) - 1)
-                ret = (s.offset, s.length, is_last)
+                offset = s.offset
+                length = s.length
                 break
-        debug('%s offset %d length %d last %s' % (filename, ret[0], ret[1], ret[2]))
+
+        # Find the start of the next non padding section
+        i += 1
+        while i < len(self._sections):
+            if self._sections[i].magic == PAD_MAGIC:
+                i += 1
+            else:
+                next_offset = self._sections[i].offset
+                break
+        ret = (offset, length, is_last, next_offset)
+        debug('%s offset %d length %d is-last %d next %d' % (filename, ret[0], ret[1], ret[2], ret[3]))
         return ret
 
     def update(self, src_bytes, dst_filename):
         """
         Replaces a modifiable file with specified byte array.
         """
-        hdr_offset, length, is_last = self.find_file(dst_filename)
+        hdr_offset, length, is_last, next_offset = self.find_file(dst_filename)
+        update_len = len(src_bytes) + FILE_HDR_LEN
+
+        if hdr_offset + update_len > IMAGE_SIZE - ERASE_ALIGN_SIZE:
+            raise Exception('No space available - image past EOF.')
+
         if hdr_offset < 0:
             raise Exception('Update target %s not found' % dst_filename)
 
-        if hdr_offset + len(src_bytes) + FILE_HDR_LEN > IMAGE_SIZE:
-            raise Exception('EEPROM image size exceeded')
+        if hdr_offset + update_len > next_offset:
+            raise Exception('Update %d bytes is larger than section size %d' % (update_len, next_offset - hdr_offset))
 
         new_len = len(src_bytes) + FILENAME_LEN + 4
         struct.pack_into('>L', self._bytes, hdr_offset + 4, new_len)
@@ -312,7 +334,7 @@ class BootloaderImage(object):
         # by convention bootconf.txt is the last section and there's no need to
         # pad to the end of the sector. This also ensures that the loopback
         # config read/write tests produce identical binaries.
-        pad_bytes = ALIGN_SIZE - (pad_start % ALIGN_SIZE)
+        pad_bytes = next_offset - pad_start
         if pad_bytes > 8 and not is_last:
             pad_bytes -= 8
             struct.pack_into('>i', self._bytes, pad_start, PAD_MAGIC)
@@ -358,10 +380,17 @@ class BootloaderImage(object):
                 sys.stdout.write(self._bytes)
 
     def get_file(self, filename):
-        hdr_offset, length, is_last = self.find_file(filename)
+        hdr_offset, length, is_last, next_offset = self.find_file(filename)
         offset = hdr_offset + 4 + FILE_HDR_LEN
-        config_bytes = self._bytes[offset:offset+length-FILENAME_LEN-4]
-        return config_bytes
+        file_bytes = self._bytes[offset:offset+length-FILENAME_LEN-4]
+        return file_bytes
+
+    def extract_files(self):
+        for i in range(0, len(self._sections)):
+            s = self._sections[i]
+            if s.magic == FILE_MAGIC:
+                file_bytes = self.get_file(s.filename)
+                open(s.filename, 'wb').write(file_bytes)
 
     def read(self):
         config_bytes = self.get_file('bootconf.txt')
@@ -457,6 +486,7 @@ See 'rpi-eeprom-update -h' for more information about the available EEPROM image
     parser.add_argument('-o', '--out', help='Name of output file', required=False)
     parser.add_argument('-d', '--digest', help='Signed boot only. The name of the .sig file generated by rpi-eeprom-dgst for config.txt ', required=False)
     parser.add_argument('-p', '--pubkey', help='Signed boot only. The name of the RSA public key file to store in the EEPROM', required=False)
+    parser.add_argument('-x', '--extract', action='store_true', default=False, help='Extract the modifiable files (boot.conf, pubkey, signature)', required=False)
     parser.add_argument('eeprom', nargs='?', help='Name of EEPROM file to use as input')
     args = parser.parse_args()
 
@@ -468,6 +498,9 @@ See 'rpi-eeprom-update -h' for more information about the available EEPROM image
 
     if args.edit:
         edit_config(args.eeprom)
+    elif args.eeprom is not None and args.extract:
+        image = BootloaderImage(args.eeprom, args.out)
+        image.extract_files()
     elif args.apply is not None:
         if not os.path.exists(args.apply):
             exit_error("config file '%s' not found" % args.apply)

rpi-eeprom-digest

@@ -16,7 +16,7 @@ die() {
 
 TMP_DIR=""
 cleanup() {
-   if [ -f "${TMP_DIR}" ]; then
+   if [ -d "${TMP_DIR}" ]; then
       rm -rf "${TMP_DIR}"
    fi
 }
@@ -26,15 +26,15 @@ checkDependencies() {
       die "sha256sum not found. Try installing the coreutilities package."
    fi
 
-   if [ -n "${KEY}" ]; then
-      if ! command -v ${OPENSSL} > /dev/null; then
-         die "${OPENSSL} not found. Try installing the openssl package."
-      fi
+   if [ -n "${KEY}" ] || [ "${VERIFY}" = 1 ]; then
+       if ! command -v openssl > /dev/null; then
+          die "openssl not found. Try installing the openssl package."
+       fi
 
-      if ! command -v xxd > /dev/null; then
-         die "xxd not found. Try installing the xxd package."
-      fi
-   fi
+       if ! command -v xxd > /dev/null; then
+          die "xxd not found. Try installing the xxd package."
+       fi
+   fi 
 }
 
 usage() {
@@ -59,18 +59,49 @@ The bootloader only verifies RSA signatures in signed boot mode
 Examples:
 
 # Generate RSA signature for the EEPROM config file.
-rpi-eeprom-digest -k key.pem -i bootconf.txt  -o bootconf.sig
+rpi-eeprom-digest -k private.pem -i bootconf.txt  -o bootconf.sig
 
 # Generate the normal sha256 hash to guard against file-system corruption
 rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
 rpi-eeprom-digest -i vl805.bin -o vl805.sig
 
+# To verify the signature of an existing .sig file using the public key.
+# N.B The key file must be the PUBLIC key in PEM format.
+rpi-eeprom-digest -k public.pem -i pieeprom.bin -v pieeprom.sig
+
 EOF
 exit 0
 }
 
+writeSig() {
+   TMP_DIR=$(mktemp -d)
+   SIG_TMP="${TMP_DIR}/tmp.sig"
+   sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}"
+
+   # Include the update-timestamp
+   echo "ts: $(date -u +%s)" >> "${OUTPUT}"
+
+   if [ -n "${KEY}" ]; then
+      [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
+      "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
+      echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
+   fi
+}
+
+verifySig() {
+   TMP_DIR=$(mktemp -d)
+   sig_file="${1}"
+   [ -f "${sig_file}" ] || die "Signature file ${sig_file} not found"
+   sig_hex="$(grep rsa2048 "${sig_file}" | cut -f 2 -d ' ')"
+   [ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}"
+
+   echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
+   "${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
+}
+
 OUTPUT=""
-while getopts i:k:ho: option; do
+VERIFY=0
+while getopts i:k:ho:v: option; do
    case "${option}" in
    i) IMAGE="${OPTARG}"
       ;;
@@ -78,6 +109,9 @@ while getopts i:k:ho: option; do
       ;;
    o) OUTPUT="${OPTARG}"
       ;;
+   v) SIGNATURE="${OPTARG}"
+      VERIFY=1
+      ;;
    h) usage
       ;;
    *) echo "Unknown argument \"${option}\""
@@ -86,25 +120,15 @@ while getopts i:k:ho: option; do
    esac
 done
 
-[ -n "${IMAGE}" ] || usage
-[ -n "${OUTPUT}" ] || usage
-
 trap cleanup EXIT
-
 checkDependencies
 
+[ -n "${IMAGE}" ] || usage
 [ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
-
-TMP_DIR=$(mktemp -d)
-SIG_TMP="${TMP_DIR}/tmp.sig"
-sha256sum "${IMAGE}" | awk '{print $1}' > "${OUTPUT}"
-
-# Include the update-timestamp
-echo "ts: $(date -u +%s)" >> "${OUTPUT}"
-
-if [ -n "${KEY}" ]; then
-   [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
-
-   "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
-   echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
+if [ "${VERIFY}" = 1 ]; then
+   verifySig "${SIGNATURE}"
+else
+   [ -n "${OUTPUT}" ] || usage
+   writeSig
 fi
+

rpi-eeprom-update

@@ -33,6 +33,17 @@ BOOTFS=${BOOTFS:-/boot}
 CM4_ENABLE_RPI_EEPROM_UPDATE=${CM4_ENABLE_RPI_EEPROM_UPDATE:-0}
 RPI_EEPROM_UPDATE_CONFIG_TOOL="${RPI_EEPROM_UPDATE_CONFIG_TOOL:-raspi-config}"
 
+# Self-update is preferred to using recovery.bin because it avoids modifiy the
+# boot partition in order to rename recovery.bin after use. Since the 2711 ROM
+# does not support network or USB MSD loading of recovery.bin self-update has to
+# be used with other boot modes anyway.
+
+# If RPI_EEPROM_SELF_UPDATE=1 then avoid installing recovery.bin so long as the
+# current bootloader version supports self-update from SD/MMC and that doesn't
+# look as though SELF_UPDATE has been disable in the EEPROM config or config.txt.
+RPI_EEPROM_SELF_UPDATE="${RPI_EEPROM_SELF_UPDATE:-0}"
+RPI_EEPROM_SELF_UPDATE_MIN_VER=1650968668
+
 # Automatic, critical updates are not applied unless the current bootloader version
 # is older than pieeprom-2020-09-03
 BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1599135103}"
@@ -215,8 +226,28 @@ applyRecoveryUpdate()
                 || die "Failed to set permissions on eeprom update files"
    fi
 
-   cp -f "${RECOVERY_BIN}" "${BOOTFS}/recovery.bin" \
-      || die "Failed to copy ${RECOVERY_BIN} to ${BOOTFS}"
+   if getBootloaderConfig | grep -q ENABLE_SELF_UPDATE=0; then
+      # Self update has been disabled in the EEPROM config so recovery.bin
+      # must be used to clear this.
+      RPI_EEPROM_SELF_UPDATE=0
+   fi
+
+   # Setting bootlaoder_update=0 was really intended for use with network-boot with shared
+   # config.txt files. However, if it looks as though self-update has been disabled then
+   # assume recovery.bin is required.
+   config_txt="${BOOTFS}/config.txt"
+   if [ -f "${config_txt}" ]; then
+      if grep -q "bootloader_update=0" "${config_txt}"; then
+         RPI_EEPROM_SELF_UPDATE=0
+      fi
+   fi
+
+   [ "${BOOTLOADER_CURRENT_VERSION}" -ge "${RPI_EEPROM_SELF_UPDATE_MIN_VER}" ] || RPI_EEPROM_SELF_UPDATE=0
+
+   if [ "${RPI_EEPROM_SELF_UPDATE}" != "1" ]; then
+	echo "Using recovery.bin for EEPROM update"
+	cp -f "${RECOVERY_BIN}" "${BOOTFS}/recovery.bin" || die "Failed to copy ${RECOVERY_BIN} to ${BOOTFS}"
+   fi
 
    echo ""
    echo "EEPROM updates pending. Please reboot to apply the update."
@@ -308,7 +339,10 @@ checkDependencies() {
 
    if [ ${BOARD_TYPE} -eq 20 ] && [ "${CM4_ENABLE_RPI_EEPROM_UPDATE}" != '1' ]; then
       # For CM4, USB device boot is the recommended method for EEPROM updates.
-      echo "rpi-eeprom-update is not enabled by default on CM4. Run with -h for more information."
+      echo "rpi-eeprom-update is not enabled by default on CM4."
+      echo "The recommended method for flashing the EEPROM is rpiboot."
+      echo "See: https://github.com/raspberrypi/usbboot/blob/master/Readme.md"
+      echo "Run with -h for more information."
       exit ${EXIT_SUCCESS}
    fi
 

test/bootconf-2024.txt

@@ -1,28 +0,0 @@
-[all]
-BOOT_UART=0
-WAKE_ON_GPIO=1
-POWER_OFF_ON_HALT=0
-[none]                                                                              
-userdata0=0x12345789
-userdata1=0x12345789
-userdata2=0x12345789
-userdata3=0x12345789
-userdata4=0x12345789
-userdata5=0x12345789
-userdata6=0x12345789
-userdata7=0x12345789
-userdata8=0x12345789
-userdata9=0x12345789
-usercert=ZZZZZZZZZZZZlhEAAAADAQABAAABAQDg2l41l7troIKOA0hk3p9y4KuITWBL/aaTMORoqmXfyqEONNULSMElaLWch/b8ScHmcS+kxkS5DtLmKFo1JI14IaQNL5fr4C6Dp23CyMGIgjp3ZFg9tXs/qWpw36Ge0MCxjabbFeKVcMXD10voMT0AHfJtQb2YfOl37ffzC4bR3phUnp0Ceqpl0Loe6hxUP/r4Jen1OKskdfjsldfjalAjn9ASdkjnkjbaAKjnLKJbaKJHDRDkllDAlciaIKSPX2b0uk2MJRJhfarMHDnmxZtEzqMgwLdLol9XVjiSu/7EUzR9Qtvs8xhf6XuUJPRD6OtJCb49L+bb/pXAej/GOk0f
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# ++++++++++++++++++++++++++++++++++++++++++++++++

test/bootconf-2025.txt

@@ -1,28 +0,0 @@
-[all]
-BOOT_UART=0
-WAKE_ON_GPIO=1
-POWER_OFF_ON_HALT=0
-[none]                                                                              
-userdata0=0x12345789
-userdata1=0x12345789
-userdata2=0x12345789
-userdata3=0x12345789
-userdata4=0x12345789
-userdata5=0x12345789
-userdata6=0x12345789
-userdata7=0x12345789
-userdata8=0x12345789
-userdata9=0x12345789
-usercert=ZZZZZZZZZZZZlhEAAAADAQABAAABAQDg2l41l7troIKOA0hk3p9y4KuITWBL/aaTMORoqmXfyqEONNULSMElaLWch/b8ScHmcS+kxkS5DtLmKFo1JI14IaQNL5fr4C6Dp23CyMGIgjp3ZFg9tXs/qWpw36Ge0MCxjabbFeKVcMXD10voMT0AHfJtQb2YfOl37ffzC4bR3phUnp0Ceqpl0Loe6hxUP/r4Jen1OKskdfjsldfjalAjn9ASdkjnkjbaAKjnLKJbaKJHDRDkllDAlciaIKSPX2b0uk2MJRJhfarMHDnmxZtEzqMgwLdLol9XVjiSu/7EUzR9Qtvs8xhf6XuUJPRD6OtJCb49L+bb/pXAej/GOk0f
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
-# ++++++++++++++++++++++++++++++++++++++++++++++++!

test/bootconf-4076.txt

@@ -0,0 +1,46 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+[none]                                                                              
+userdata0=0x12345789
+userdata1=0x12345789
+userdata2=0x12345789
+userdata3=0x12345789
+userdata4=0x12345789
+userdata5=0x12345789
+userdata6=0x12345789
+userdata7=0x12345789
+userdata8=0x12345789
+userdata9=0x12345789
+usercert=ZZZZZZZZZZZZlhEAAAADAQABAAABAQDg2l41l7troIKOA0hk3p9y4KuITWBL/aaTMORoqmXfyqEONNULSMElaLWch/b8ScHmcS+kxkS5DtLmKFo1JI14IaQNL5fr4C6Dp23CyMGIgjp3ZFg9tXs/qWpw36Ge0MCxjabbFeKVcMXD10voMT0AHfJtQb2YfOl37ffzC4bR3phUnp0Ceqpl0Loe6hxUP/r4Jen1OKskdfjsldfjalAjn9ASdkjnkjbaAKjnLKJbaKJHDRDkllDAlciaIKSPX2b0uk2MJRJhfarMHDnmxZtEzqMgwLdLol9XVjiSu/7EUzR9Qtvs8xhf6XuUJPRD6OtJCb49L+bb/pXAej/GOk0f
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

test/bootconf-4077.txt

@@ -0,0 +1,46 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+[none]                                                                              
+userdata0=0x12345789
+userdata1=0x12345789
+userdata2=0x12345789
+userdata3=0x12345789
+userdata4=0x12345789
+userdata5=0x12345789
+userdata6=0x12345789
+userdata7=0x12345789
+userdata8=0x12345789
+userdata9=0x12345789
+usercert=ZZZZZZZZZZZZlhEAAAADAQABAAABAQDg2l41l7troIKOA0hk3p9y4KuITWBL/aaTMORoqmXfyqEONNULSMElaLWch/b8ScHmcS+kxkS5DtLmKFo1JI14IaQNL5fr4C6Dp23CyMGIgjp3ZFg9tXs/qWpw36Ge0MCxjabbFeKVcMXD10voMT0AHfJtQb2YfOl37ffzC4bR3phUnp0Ceqpl0Loe6hxUP/r4Jen1OKskdfjsldfjalAjn9ASdkjnkjbaAKjnLKJbaKJHDRDkllDAlciaIKSPX2b0uk2MJRJhfarMHDnmxZtEzqMgwLdLol9XVjiSu/7EUzR9Qtvs8xhf6XuUJPRD6OtJCb49L+bb/pXAej/GOk0f
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 
+# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

test/configs/bootconf-2021-03-04.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-03-17.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-05-19.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-06-11.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-06-17.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-06-25.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-07-06.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-09-23.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-09-27.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-10-04.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-10-05.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-10-27.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-11-22.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2021-12-02.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-01-20.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-01-25.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-02-04.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-02-16.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-02-28.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-03-10.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-04-14.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-04-26.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-05-20.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-07-14.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-07-19.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-07-22.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-07-26.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-08-02.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-09-02.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-10-03.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-10-06.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-10-12.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-10-18.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-11-02.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-11-04.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/configs/bootconf-2022-11-25.txt

@@ -0,0 +1,5 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+

test/test-rpi-eeprom-config

@@ -135,7 +135,7 @@ check_conf_size_large()
 {
    echo "check maximum config file size"
    image="${script_dir}/$1"
-   conf="bootconf-2024.txt"
+   conf="bootconf-4076.txt"
 
    expected_md5="$(md5sum "${conf}" | awk '{print $1}')"
 
@@ -154,7 +154,7 @@ check_conf_size_too_large()
 {
    echo "check config file which exceeds the maximum size"
    image="${script_dir}/$1"
-   conf="bootconf-2025.txt"
+   conf="bootconf-4077.txt"
 
    expected_md5="$(md5sum "${conf}" | awk '{print $1}')"
 
@@ -167,7 +167,12 @@ check_conf_size_too_large()
 echo "Check config read and loopback read/write against reference config files"
 versions="$(cd configs; ls *.txt | sed 's/bootconf-//g' | sed 's/.txt//g')"
 for ver in ${versions}; do
-   check_loopback "../firmware/old/beta/pieeprom-${ver}.bin" "configs/bootconf-${ver}.txt"
+   if [ -f "../firmware/old/beta/pieeprom-${ver}.bin" ]; then
+       # Use this directory if the bootloader has been archived
+       check_loopback "../firmware/old/beta/pieeprom-${ver}.bin" "configs/bootconf-${ver}.txt"
+   else
+       check_loopback "../firmware/beta/pieeprom-${ver}.bin" "configs/bootconf-${ver}.txt"
+   fi
    cleanup
 done
 

tools/rpi-bootloader-key-convert

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+import argparse
+import struct
+import sys
+
+from Cryptodome.PublicKey import RSA
+
+def bintopem(infile, outf):
+    f = open(infile, 'rb')
+    arr = f.read(264)
+
+    n = int.from_bytes(struct.unpack_from("256B", arr, 0), 'little')
+    e = struct.unpack_from("<Q", arr, 256)[0]
+    pubkey = RSA.construct((n, e))
+    outf.write(pubkey.exportKey())
+
+def pemtobin(infile, outf):
+    key = RSA.importKey(open(infile, 'r').read())
+
+    if key.size_in_bits() != 2048:
+        raise Exception("RSA key size must be 2048")
+
+    # Extract the public key componenet n,e and store as little endian
+    outf.write(key.n.to_bytes(256, byteorder='little'))
+    outf.write(key.e.to_bytes(8, byteorder='little'))
+
+def main():
+    parser = argparse.ArgumentParser('Converts RSA keys between PEM format and the raw binary format used by the Raspberry Pi 4 bootloader')
+    parser.add_argument('input', nargs='+')
+    parser.add_argument('--inform', default="pem")
+    parser.add_argument('--output', required=False)
+
+    args = parser.parse_args()
+
+    if args.output:
+        outf = open(args.output, 'wb')
+    else:
+        outf = sys.stdout.buffer
+
+    if args.inform == "pem":
+        pemtobin(args.input[0], outf)
+    elif args.inform == "bin":
+        bintopem(args.input[0], outf)
+    else:
+        raise Exception("Unknown format %s" % args.inform)
+
+if __name__ == '__main__':
+    main()

tools/rpi-otp-private-key

@@ -0,0 +1,124 @@
+#!/bin/sh
+
+set -e
+
+FORCE=0
+READ_KEY=""
+WRITE_KEY=""
+OUTPUT_BINARY=0
+
+die() {
+    echo "$@" >&2
+    exit 1
+}
+
+usage() {
+    cat <<EOF
+   $(basename "$0") [-cfwy] <key>
+
+   No args - reads the current private key from OTP. These values are NOT visible via 'vcgencmd otp_dump'.
+
+   -b Output the key in binary format.
+   -c Reads key and exits with 1 if it is all zeros i.e. not set.
+   -f Force write (if OTP is non-zero).
+      The vcmailbox API checks that the new key is equal to the bitwise OR of the current OTP and the new key.
+      N.B. OTP bits can never change from 1 to 0.
+   -w Writes the new key to OTP memory.
+   -y Skip the confirmation prompt when writing to OTP.
+
+   <key> is a 64 digit hex number (256 bit) e.g. to generate a 256 random number run 'openssl rand -hex 32'
+
+   IMPORTANT: Raspberry Pi 4 and earlier revisions do not have a hardware secure key store. These OTP rows are visible
+   to any user in the 'video' group via vcmailbox. Therefore this functionality is only suitable for key
+   storage if the OS has already been restricted using the signed boot functionality.
+
+   WARNING: Changes to OTP memory are permanent and cannot be undone.
+EOF
+exit 1
+}
+
+check_key_set() {
+    read_key
+    if [ -z "$(echo "${READ_KEY}" | sed s/0//g)" ]; then
+        return 1
+    fi
+    return 0
+}
+
+read_key() {
+    out=READ_KEY="$(vcmailbox 0x00030081 40 40 0 8 0 0 0 0 0 0 0 0)" || die "Failed to read the current key from OTP"
+    READ_KEY="$(echo "${out}" | sed 's/0x//g' | awk '{for(i=8;i<16;i++) printf $i; print ""}')"
+}
+
+write_key() {
+    key="${1}"
+    # Normalize formatting and check the length
+    key="$(echo "${key}" | tr 'A-Z' 'a-z')"
+    key="$(echo "${key}" | sed 's/[^a-f0-9]//g')"
+    [ "$(echo -n "${key}" | wc -c)" = 64 ] || die "Invalid key parameter"
+
+    count=0
+    key_params=""
+    while [ ${count} -lt 8 ]; do
+        start=$(((count * 8) + 1))
+    end=$((start + 7))
+    key_params="${key_params} 0x$(echo -n "${key}" | cut -c${start}-${end})"
+    count=$((count + 1))
+    done
+
+    if [ "${YES}" = 0 ] && [ -t 0 ]; then
+       echo "Write ${key} to OTP?"
+       echo
+       echo "WARNING: Updates to OTP registers are permanent and cannot be undone."
+
+       echo "Type YES (in upper case) to continue or press return to exit."
+       read -r confirm
+       if [ "${confirm}" != "YES" ]; then
+          echo "Cancelled"
+          exit
+       fi
+    fi
+
+    vcmailbox 0x38081 40 40 0 8 ${key_params} || die "Failed to write key"
+    read_key
+    [ "${READ_KEY}" = "${key}" ] || die "Key readback check failed. ${out}"
+}
+
+YES=0
+while getopts bcfhw:y option; do
+    case "${option}" in
+        b) OUTPUT_BINARY=1
+            ;;
+        c)
+            if check_key_set; then
+                exit 0
+            fi
+            exit 1
+            ;;
+        f) FORCE=1
+            ;;
+        h) usage
+            ;;
+        w) WRITE_KEY="${OPTARG}"
+            ;;
+        y) YES=1
+           ;;
+        *) echo "Unknown argument \"${option}\""
+            usage
+            ;;
+    esac
+done
+
+if [ -n "${WRITE_KEY}" ]; then
+    if [ "${FORCE}" = 0 ] && check_key_set; then
+        die "Current key is non-zero. Specify -f to write anyway"
+    fi
+    write_key "${WRITE_KEY}"
+else
+    read_key
+    if [ "${OUTPUT_BINARY}" = 1 ]; then
+        echo "${READ_KEY}" | xxd -r -p
+    else
+        echo "${READ_KEY}"
+    fi
+fi