pieeprom-2026-01-09: 2711: Promote to the default release

* arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP
  Previously, the GET/SET user OTP mailboxes would provide access to the
  device unique private key. Update the mailbox API to fail if the
  key has been locked via lock_device_private_key=1 in config.txt or
  the associated mailbox call.
  GET/SET user OTP fails by setting the result tag to the standard
  error code (0x80000000). The dedicate GET/SET private key continue
  to fail the entire mailbox operation to force vcmailbox to exit
  with a non-zero error code.
* cm5: Add support for 8-bit bus width eMMC
* Query all sdram devices for temperature when adjusting refresh
* Add support for more SDRAM die configurations.

.gitignore

@@ -1 +1,3 @@
 *.swp
+images-2711/
+images-2712/

firmware-2711/release-notes.md

@@ -1,6 +1,255 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
-## 2025-05-13: Promote 2025-05-08 to the default release (default)
+## 2026-01-13: Promote 2026-01-09 to the default release (default)
+
+## 2026-01-09: arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP (latest)
+
+* arm_loader: Apply rpifwcrypto lock permissions GET/SET USER OTP
+  Previously, the GET/SET user OTP mailboxes would provide access to the
+  device unique private key. Update the mailbox API to fail if the
+  key has been locked via lock_device_private_key=1 in config.txt or
+  the associated mailbox call.
+  GET/SET user OTP fails by setting the result tag to the standard
+  error code (0x80000000). The dedicate GET/SET private key continue
+  to fail the entire mailbox operation to force vcmailbox to exit
+  with a non-zero error code.
+* cm5: Add support for 8-bit bus width eMMC
+* Query all sdram devices for temperature when adjusting refresh
+* Add support for more SDRAM die configurations.
+
+## 2025-12-09: Promote 2025-12-08 to the default release (default)
+
+## 2025-12-08: arm_loader: Add machine ID derived from OTP values (latest)
+
+* arm_loader: Add machine ID derived from OTP values
+  Machine ID is generated and exposed in device tree as rpi-machine-id
+* arm_ldconfig: Avoid double os_prefix on initramfs
+  When using auto_initramfs we were picking up prefix from the kernel,
+  but also adding os_prefix later:
+  fname = prefixed_path(initramfs_file, os_prefix, temp_path, sizeof(temp_path));
+  See: https://forums.raspberrypi.com/viewtopic.php?t=394238
+* recovery: Use OTP rpiboot GPIO if non-zero
+  If an rpiboot GPIO has already been written to OTP then default to
+  that value if C(program_rpiboot_gpio) is not specified on config.txt.
+
+## 2025-11-27: helpers/config_loader: Also support bootvar0 eeprom config on Pi4 (latest)
+
+* helpers/config_loader: Also support bootvar0 eeprom config on Pi4
+  This allows an eeprom config setting (e.g. BOOTARG0=0x10) to be set on a board
+  which config.txt can use as a conditional expression (e.g. [bootarg0&0x10]).
+* pi5: Write over-voltage config to the UART log
+  Write the high level over-voltage configuration to the UART log for
+  diagnostic purposes.
+* Stop partition-walk after boot-mode timeout/retries limit
+  Fix a fatal assert with USB boot where the partition walk could be
+  retried after the USB timeout/retry limit had been reached.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/776
+* rpiboot: Extend metadata to report status of operations
+  Report success/fail status of recovery operations based on config.txt settings
+
+## 2025-11-21: recovery: Restore recovery_wait option (latest)
+
+* recovery: Restore recovery_wait option
+  Restore the recovery_wait config.txt option. If this option is set
+  then recovery.bin will not rename itself or reboot. Instead flash
+  the activity LED on completion.
+  This option can be useful when creating an SD card to erase the
+  EEPROM or program the RPIBOOT gpio on multiple devices.
+  If recovery_wait=1 and recovery.bin is run from the SD card then
+  indicate success of erase_eeprom=1 or program_rpiboot_gpio=N was
+  set instead of requiring the EEPROM to be updated.
+* Manufacture test updates for SDRAM.
+
+## 2025-11-09: Promote 2025-11-05 to the default release (default)
+
+## 2025-11-05: Add iommu_dma_numa_policy=interleave when needed (latest)
+
+* arm_loader: Add iommu_dma_numa_policy=interleave when needed
+  This applies a similar numa interleave for iommu dma kernel allocations.
+  This includes buffers allocated for hevc and v3d.
+  See: https://forums.raspberrypi.com/viewtopic.php?t=392666
+
+## 2025-10-14: recovery: Use ROM boot-mode to detect rpiboot (latest)
+
+* recovery: Use ROM boot-mode flag to detect rpiboot mode
+  In recovery-mode use the bootrom register flag to detect the
+  original boot-mode rather than looking at whether the rpiboot
+  usb-device boot driver is initialised.
+* Manufacturing test updates.
+
+## 2025-10-08: Fix accidental set of PM_RSTS bit 5 when stopping watchdog (latest)
+
+* Fix accidental set of PM_RSTS bit 5 when stopping watchdog
+  Fix an issue in the watchdog code where the raw PM_RSTS value
+  was used as partition number. If HADWRF (bit 5) was set (on reboot)
+  this could cause bit 10 to be set. If an OS didn't clear the partition
+  flags on reboot then this could end up being treated as request to
+  boot from partition 32.
+
+## 2025-10-03: arm_dt: Report OTP SDRAM size via device-tree (latest)
+
+* arm_dt: Report OTP SDRAM size via device-tree
+  Report the SDRAM in gigabits via device-tree as
+  /proc/device-tree/chosen/rpi-sdram-size-gbit. Scripts reporting the
+  device-capabilities should use this value (if defined) instead of the
+  memory-size field in the boardrev row.
+* Apply UART_BAUD in early bootsys UART init
+  Update bootsys and fatal error handlers to use the user
+  defined UART_BAUD rate.
+* rpifwcrypto: Add support for ECDSA P-256 key generation
+  Also, slightly improve the entropy by passing the system
+  timer value as the personality string.
+
+## 2025-09-23: Fix network install regression on Pi4 (latest)
+
+* Fix network install regression on Pi4
+  Fix an issue with the ECDSA signature code which caused network
+  install to fail to load on Pi4.
+* Fix TFTP to allow larger files
+  Allow TFTP block counter to rollover to 0.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/720
+
+## 2025-09-22: Add LZ4 decompressor (latest)
+
+* Add LZ4 decompressor
+  LZ4 gives a better compression ratio than the previously used CK compress. The bootloader can now decompress both LZ4 compressed files and CK compressed files.
+* rpifwcrypto: Add GET_CRYPTO_PRIVATE_KEY mailbox API
+  For provisioning, add a new mailbox API which returns the private key
+  in DER format. The API will return an error if the key-status for
+  the specified key is LOCKED.
+* config: Add support for board_attributes in conditional expressions
+  Add support for the board-attributes row in config.txt conditional
+  expressions. This can be used to change boot behavior for
+  Compute Module Lite / No-WiFi etc.
+* board_info: Log the OTP board revision at startup
+  Log the board revision plus the raw OTP value at startup.
+
+## 2025-08-27: Fix PARTITION property to allow default (0) partition to be overridden (latest)
+
+* Fix PARTITION property to allow default (0) partition to be overridden
+  Fix the partition selection to allow the bootloader PARTITION
+  property to override the reboot partition number if the reboot
+  argument is 0 or > 31. Previously, it was only allowing
+  partition numbers > 31 to be overridden.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/743
+* Enable RPIBOOT in BOOT_ORDER / set-reboot-order
+  Previously, rpiboot required the bootrom to have initialised
+  rpiboot before running the firmware. Update the rpiboot
+  initialisation so that rpiboot to be enabled after booting from
+  SPI flash.
+  This could be selectively enabled by setting BOOT_ORDER property
+  (0x3) behind a GPIO conditional in the EEPROM config. On Pi5, the
+  set_reboot_order config.txt option or mailbox property can be
+  used to set a one-time boot-order on
+  N.B. There is no timeout for RPIBOOT so this should only be set
+  as the last boot mode OR used with a boot_watchdog.
+
+## 2025-08-20: Fix PARTITION_WALK for missing start.elf files (latest)
+
+* Fix PARTITION_WALK for missing start.elf files
+  Fix a missing call to bootloader_reset_state so that PARTITION_WALK
+  will work if the boot-partition is FAT, contains config.txt etc
+  but does not have valid firmware.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/738
+* force_eeprom_read=0 disables HAT I2C
+  Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
+  from being read, with the recent changes to support Power HAT+s it does
+  not prevent an early scan to see if such an EEPROM exists. This can be
+  problematic for applications where the I2C0 pins have been repurposed.
+  Change the inhibit logic to cut all HAT I2C probing off at the knees,
+  including any automatic settings of usb_max_current_enable, as it should
+  always have done.
+  See: https://github.com/raspberrypi/firmware/issues/1985
+* bootcode.bin: Add support for boot.img ramdisk on Pi3 and earlier
+  Add support for boot.img ramdisk support, enable by adding boot_ramdisk=1
+  in config.txt
+* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
+* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API
+  lock_device_private_key=1
+
+## 2025-08-13: Enable PARTITION_WALK property by default (latest)
+
+* Enable the PARTITION_WALK property by default
+  Previously, the new PARTITION_WALK which searches for bootable
+  partitions after a failure had to be explicitly enabled. Change
+  the default to be enabled by default. It can be switched off by
+  setting PARTITION_WALK=0 in the EEPROM config.
+* Optimise bootmain for size on Pi4
+  Pi4 only has a 512KB SPI flash EEPROM and the addition of features
+  plus fixes is now causing contention for space between the code and
+  the EEPROM config. Since bootmain is only responsible for loading
+  start.elf revert to the original configuration which is optimised
+  for size rather than speed. Pi5 continues to be optimised for speed.
+
+## 2025-07-17: arm_loader: Also require the early-watchdog property (latest)
+
+* arm_loader: Also require the early-watchdog property
+  The change correcting the implementation of dtoverlay_is_enabled had the
+  unintended consequence of causing the firmware to enable the watchdog
+  even though the user had not explicitly requested it. This is harmless
+  on Linux because the watchdog driver takes over and disarms it, but on
+  other operating systems this can lead to a reboot. Avoid this problem
+  by also requiring the presence of a new property, "early-watchdog".
+  See: https://github.com/raspberrypi/firmware/issues/1980
+* helpers/config_loader: Add bootvar0 eeprom config that can be used in config.txt section expressions
+  This allows an eeprom config setting (e.g. BOOTVAR0=0x10) to be set on a board
+  which config.txt can use as a conditional expression (e.g. [bootvar0&0x10]).
+* arm_loader: Fix boot-watchdog stop on Pi4
+  Fix a problem where the boot_watchdog heartbeat timer was not
+  stopped correctly which could cause it to clash with the kernel
+  watchdog driver.
+
+## 2025-07-03: Check for SD card overcurrent (latest)
+
+* board_info: Use the Ethernet PHY address probed by the bootloader
+  Use the Ethernet PHY address supplied by the bootloader in
+  preference to the static configurations defined in start4.elf
+* Check for SD card overcurrent on Pi5, Pi500 and Pi4
+  Before booting, the bootloader now checks the SD power switch
+  overcurrent signal. The overcurrent signal occurs if the SD
+  card is damaged and has a short circuit which will cause it to
+  get hot.
+  If an over-current condition is detected the bootloader switches
+  switches off power to the SD card and waits five seconds before
+  probing the SD card again. This error is displayed on the
+  diagnostic screen, the UART and the activity LED (1 long, 2 short)
+  flashes.
+  The check can be switched to a non-blocking warning  by setting
+  SD_OVERCURRENT_CHECK=0 in the bootloader config.
+* Add a new error code pattern for SD overcurrent
+  Add a new error pattern (1 long, 2 short) to signal SD card
+  overcurrent.
+* Add support for a bootloader watchdog
+  Add support for a boot watchdog (using PM_RSTC hw wdog) which will
+  trigger if the OS is not started within the specified amount of time. The
+  watchdog is enabled by setting the BOOT_WATCHDOG_TIMEOUT=N (seconds)
+  property in the bootlaoder config.
+  The BOOT_WATCHDOG_PARTITION=P property can be set to pass a different
+  partition number to the bootloader on reset if the watchdog
+  is triggered.
+  The boot watchdog is automatically cleared just before starting
+  the OS and (optionally) enabling the kernel watchdog.
+* Skip first SD boot if no card detected
+  On platforms with an SD Card detect signal, skip the first attempt to
+  boot from SD if the card appears to be absent. This can save over a
+  second on a cold boot, and a little under a second for a reboot.
+
+## 2025-05-16: 2711: Automatically set revoke_devkey if program_pubkey=1 (latest)
+
+* 2711: (recovery) Automatically set revoke_devkey if program_pubkey=1
+  Previously, on BCM2711 products it was possible to program the key
+  hash without revoking the development key. This can be useful for
+  testing but should never be used in production because it is possible
+  to an install an older version of the bootloader which doesn't
+  support secure-boot.  Since the secure-boot tools are stable and
+  have improved usability (RPi secure-boot provisioner) this test
+  feature not necessary and is just a security risk so the behaviour
+  is changed to always revoke the development key if program_pubkey=1.
+  This change is not relevant on BCM2712 because secure-boot requires
+  that the second stage bootloader is counter-signed with the customer's
+  private key.
+
+## 2025-05-13: Promote 2025-05-08 to the default release (default) (automatic)
 
 ## 2025-05-08: Implement TCP window for net boot (latest)
 * Signed boot and HTTP boot mode

firmware-2712/release-notes.md

@@ -1,5 +1,275 @@
 # Raspberry Pi5 bootloader EEPROM release notes
 
+## 2025-12-09: Promote 2025-12-08 to the default release (default)
+
+## 2025-12-08: arm_loader: Add machine ID derived from OTP values (latest)
+
+* arm_loader: Add machine ID derived from OTP values
+  Machine ID is generated and exposed in device tree as rpi-machine-id
+* arm_ldconfig: Avoid double os_prefix on initramfs
+  When using auto_initramfs we were picking up prefix from the kernel,
+  but also adding os_prefix later:
+  fname = prefixed_path(initramfs_file, os_prefix, temp_path, sizeof(temp_path));
+  See: https://forums.raspberrypi.com/viewtopic.php?t=394238
+
+## 2025-11-27: Stop partition-walk after boot-mode timeout/retries limit (latest)
+
+* pi5: Write over-voltage config to the UART log
+  Write the high level over-voltage configuration to the UART log for
+  diagnostic purposes.
+* Stop partition-walk after boot-mode timeout/retries limit
+  Fix a fatal assert with USB boot where the partition walk could be
+  retried after the USB timeout/retry limit had been reached.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/776
+* rpiboot: Extend metadata to report status of operations
+  Report success/fail status of recovery operations based on config.txt settings
+
+## 2025-11-21: Allow longer overlay file paths (latest)
+
+* recovery: Restore recovery_wait option
+  Restore the recovery_wait config.txt option. If this option is set
+  then recovery.bin will not rename itself or reboot. Instead flash
+  the activity LED on completion.
+  This option can be useful when creating an SD card to erase the
+  EEPROM or program the RPIBOOT gpio on multiple devices.
+  If recovery_wait=1 and recovery.bin is run from the SD card then
+  indicate success of erase_eeprom=1 or program_rpiboot_gpio=N was
+  set instead of requiring the EEPROM to be updated.
+* Load RP1 firmware whilst DDR is initialising
+* Allow longer overlay file paths
+  load_dtoverlay uses the variable "filename" to hold the full path to an
+  overlay. As such it should be declared using LDFILEPATH_MAX, not
+  LDFILENAME_MAX.
+  See: https://github.com/raspberrypi/firmware/issues/2004
+
+## 2025-11-09: Promote 2025-11-05 to the default release (default)
+
+## 2025-11-05: arm_loader: Add iommu_dma_numa_policy=interleave when needed (latest)
+
+* arm_loader: Add iommu_dma_numa_policy=interleave when needed
+  This applies a similar numa interleave for iommu dma kernel allocations.
+  This includes buffers allocated for hevc and v3d.
+  See: https://forums.raspberrypi.com/viewtopic.php?t=392666
+* Rebuild RP1 firmware to reduce size.
+
+## 2025-10-17: Enable background refresh on 2712d0 for all SDRAM sizes (latest)
+
+* 2712d0: Enable background refresh on 2712d0 for all SDRAM sizes
+  This provides a minor performance benefit.
+* Update GPT to support 4K native sectors
+  Bootloader logic updated to correctly interpret the GPT layout format specific to 4K native sector drives.
+* recovery: Use ROM boot-mode flag to detect rpiboot mode
+  In recovery-mode use the bootrom register flag to detect the
+  original boot-mode rather than looking at whether the rpiboot
+  usb-device boot driver is initialised.
+
+## 2025-10-08: Fix accidental set of PM_RSTS bit 5 when stopping watchdog (latest)
+
+* Fix accidental set of PM_RSTS bit 5 when stopping watchdog
+  Fix an issue in the watchdog code where the raw PM_RSTS value
+  was used as partition number. If HADWRF (bit 5) was set (on reboot)
+  this could cause bit 10 to be set. If an OS didn't clear the partition
+  flags on reboot then this could end up being treated as request to
+  boot from partition 32.
+* pi5: Preliminary support for 4K native sectors with NVMe drives
+  Pi5 now supports 4K native sector NVMe drives. 
+  This allows booting from drives with logical block size 4096, 
+  while 512B drives remain compatible. With 4K sectors, storage density 
+  increases along with improved reliability and efficiency.
+  N.B. USB boot still requires a 512 byte sector size and there are
+  no RPi OS disk images with a 4K sector format.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/577
+* arm_dt: Report OTP SDRAM size via device-tree
+  Report the SDRAM in gigabits via device-tree as
+  /proc/device-tree/chosen/rpi-sdram-size-gbit. Scripts reporting the
+  device-capabilities should use this value (if defined) instead of the
+  memory-size field in the boardrev row.
+
+## 2025-09-25: Apply UART_BAUD in early bootsys UART init (latest)
+
+* Apply UART_BAUD in early bootsys UART init
+  Update bootsys and fatal error handlers to use the user
+  defined UART_BAUD rate.
+* rpifwcrypto: Add support for ECDSA P-256 key generation
+
+## 2025-09-23: Fix TFTP to allow larger files (latest)
+
+* Fix TFTP to allow larger files
+  Allow TFTP block counter to rollover to 0.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/720
+
+## 2025-09-22: Add LZ4 decompressor (latest)
+
+* Add LZ4 decompressor
+  LZ4 gives a better compression ratio than the previously used CK compress. The bootloader can now decompress both LZ4 compressed files and CK compressed files.
+* rpifwcrypto: Add GET_CRYPTO_PRIVATE_KEY mailbox API
+  For provisioning, add a new mailbox API which returns the private key
+  in DER format. The API will return an error if the key-status for
+  the specified key is LOCKED.
+* config: Add support for board_attributes in conditional expressions
+  Add support for the board-attributes row in config.txt conditional
+  expressions. This can be used to change boot behavior for
+  Compute Module Lite / No-WiFi etc.
+* board_info: Log the OTP board revision at startup
+  Log the board revision plus the raw OTP value at startup.
+
+## 2025-08-27: Fix PARTITION property to allow default (0) partition to be overridden (latest)
+
+* Fix PARTITION property to allow default (0) partition to be overridden
+  Fix the partition selection to allow the bootloader PARTITION
+  property to override the reboot partition number if the reboot
+  argument is 0 or > 31. Previously, it was only allowing
+  partition numbers > 31 to be overridden.
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/743
+* Enable RPIBOOT in BOOT_ORDER / set-reboot-order
+  Previously, rpiboot required the bootrom to have initialised
+  rpiboot before running the firmware. Update the rpiboot
+  initialisation so that rpiboot to be enabled after booting from
+  SPI flash.
+  This could be selectively enabled by setting BOOT_ORDER property
+  (0x3) behind a GPIO conditional in the EEPROM config. On Pi5, the
+  set_reboot_order config.txt option or mailbox property can be
+  used to set a one-time boot-order on
+  N.B. There is no timeout for RPIBOOT so this should only be set
+  as the last boot mode OR used with a boot_watchdog.
+
+## 2025-08-20: force_eeprom_read=0 disables HAT I2C (latest)
+
+* force_eeprom_read=0 disables HAT I2C
+  Although setting force_eeprom_read=0 has always prevented the HAT EEPROM
+  from being read, with the recent changes to support Power HAT+s it does
+  not prevent an early scan to see if such an EEPROM exists. This can be
+  problematic for applications where the I2C0 pins have been repurposed.
+  Change the inhibit logic to cut all HAT I2C probing off at the knees,
+  including any automatic settings of usb_max_current_enable, as it should
+  always have done.
+  See: https://github.com/raspberrypi/firmware/issues/1985
+* rpifwcrypto: Preliminary firmware support for rpifwcrypto API
+* Add config.txt to block GET_CUSTOMER_PRIVATE_KEY mailbox API lock_device_private_key=1
+
+## 2025-08-13: Enable the PARTITION_WALK property by default (latest)
+
+* Enable the PARTITION_WALK property by default
+  Previously, the new PARTITION_WALK which searches for bootable
+  partitions after a failure had to be explicitly enabled. Change
+  the default to be enabled by default. It can be switched off by
+  setting PARTITION_WALK=0 in the EEPROM config.
+* pi5: Fix read for cached copy of PMIC sequencer status
+  Previously, this was overwritten by the RTC event status.
+
+## 2025-07-17: Fix config key search which could cause camera_autodetect to fail (latest)
+
+* Fix config key search which could cause camera_autodetect to fail
+  The bootvar0 config property was added in the wrong section which
+  could cause the config property search for some other properties
+  to fail.
+
+## 2025-07-17: arm_loader: Also require the early-watchdog property (latest)
+
+* arm_loader: Also require the early-watchdog property
+  The change correcting the implementation of dtoverlay_is_enabled had the
+  unintended consequence of causing the firmware to enable the watchdog
+  even though the user had not explicitly requested it. This is harmless
+  on Linux because the watchdog driver takes over and disarms it, but on
+  other operating systems this can lead to a reboot. Avoid this problem
+  by also requiring the presence of a new property, "early-watchdog".
+  See: https://github.com/raspberrypi/firmware/issues/1980
+* helpers/config_loader: Add bootvar0 eeprom config that can be used in config.txt section expressions
+  This allows an eeprom config setting (e.g. BOOTVAR0=0x10) to be set on a board
+  which config.txt can use as a conditional expression (e.g. [bootvar0&0x10]).
+* arm_loader: Fix boot-watchdog stop on Pi4
+  Fix a problem where the boot_watchdog heartbeat timer was not
+  stopped correctly which could cause it to clash with the kernel
+  watchdog driver.
+
+## 2025-07-03: Enable firmware UART output on the 40-pin header (latest)
+
+* rp1_uart: Allow rp1_uart to be started earlier
+  If enabled (with enable_rp1_uart) then the existing boot uart
+  messages are redirected to the rp1 uart.
+
+## 2025-06-29: Check for SD card overcurrent on Pi5 and Pi500 (latest)
+
+* board_info: Use the Ethernet PHY address probed by the bootloader
+  Use the Ethernet PHY address supplied by the bootloader in
+  preference to the static configurations defined in start4.elf
+* pi5: Fix overwrite of cache EEPROM config in secure-boot mode
+  See: https://github.com/raspberrypi/rpi-eeprom/issues/719
+* Check for SD card overcurrent on Pi5, Pi500 and Pi4
+  Before booting, the bootloader now checks the SD power switch
+  overcurrent signal. The overcurrent signal occurs if the SD
+  card is damaged and has a short circuit which will cause it to
+  get hot.
+  If an over-current condition is detected the bootloader 
+  switches off power to the SD card and waits five seconds before
+  probing the SD card again. This error is displayed on the
+  diagnostic screen, the UART and the activity LED (1 long, 2 short)
+  flashes.
+  The check can be switched to a non-blocking warning  by setting
+  SD_OVERCURRENT_CHECK=0 in the bootloader config.
+* Add a new error code pattern for SD overcurrent
+  Add a new error pattern (1 long, 2 short) to signal SD card
+  overcurrent.
+* Enable RTC wakeup from POWER_OFF_ON_HALT=0
+* Improve HAT+ current handling
+  In shipping firmware, the current_supply value is only being used in the
+  case of a normal (non-stacked) HAT+, but that is unnecessarily
+  restrictive. Also, the presence of MODE0 and MODE1 power HATs is not
+  reflected in the value of max_current.
+  See: https://github.com/raspberrypi/linux/pull/6678
+
+## 2025-06-20: Add support for a bootloader watchdog (latest)
+
+* Add support for a bootloader watchdog
+  Add support for a boot watchdog (using PM_RSTC hw wdog) which will
+  trigger if the OS is not started within the specified amount of time. The
+  watchdog is enabled by setting the BOOT_WATCHDOG_TIMEOUT=N (seconds)
+  property in the bootlaoder config.
+  The BOOT_WATCHDOG_PARTITION=P property can be set to pass a different
+  partition number to the bootloader on reset if the watchdog
+  is triggered.
+  The boot watchdog is automatically cleared just before starting
+  the OS and (optionally) enabling the kernel watchdog.
+* pi5: Add a temperature monitor
+  In early releases of the bootloader the fan would always be on
+  during boot which can be distracting. Later releases switch off the
+  fan until the OS has booted.
+  This change adds some basic fan control from the bootloader to
+  enable the fan if the temperature is above 85C.
+  This may be useful if the Pi was shutdown by the OS because the
+  temperature limit was exceeded.
+  Since the Linux hwmon is not active at this stage the bootloader
+  now implements the same logic to power off the Pi if the chips
+  is more than 110C.
+  The PMIC hardware automatically cuts power if the temperature
+  is more than 125C.
+* Skip first SD boot if no card detected
+  On platforms with an SD Card detect signal, skip the first attempt to
+  boot from SD if the card appears to be absent. This can save over a
+  second on a cold boot, and a little under a second for a reboot.
+
+## 2025-06-13: Update to include production test changes (latest)
+* Update to include production test changes.
+
+## 2025-06-09: NVMe: Fix loading of files > 32MB (latest)
+
+* NVMe: Fix loading of files > 32MB
+  Fix an NVMe boot bug which caused large contiguous reads >= 32MB to fail.
+* Update setting alpha for 2712D0
+  D0 moved the alpha blend mode from CTL2 to CTL0.
+  Update the bootloader code to follow suit for those using
+  the simple framebuffer
+* dtoverlay: Fix node_is_enabled for implicit status
+  The absence of a status property implies that a node is enabled. Update
+  dtoverlay_node_is_enabled to match that behaviour.
+  See: https://github.com/raspberrypi/firmware/issues/1970
+* arm_loader: GET_CLOCKS: Set useful response length
+  The kernel's firmware mailbox API does not make the actual length of the
+  response available to clients, but other implementations may care.
+  Continue to pad the GET_CLOCKS buffer with zeroes, but set the response
+  length to minimally contain the useful content.
+  See: https://github.com/raspberrypi/firmware/issues/1969
+
 ## 2025-05-13: Promote 2025-05-08 to the default release (default)
 
 ## 2025-05-08: Implement TCP window for net boot (latest)

imager/make-imager-release

@@ -1,11 +1,22 @@
 #!/bin/sh
 
 set -e
+set -x
 
 script_dir=$(cd "$(dirname "$0")" && pwd)
+base_dir="${script_dir}/.."
 
 # Pi4, Pi400, CM4, CM4-S
-${script_dir}/make-release critical 2025-02-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
+image_date=$(ls -lr $base_dir/firmware-2711/default/ | grep pieeprom | sed 's/.*pieeprom-//g' | sed 's/.bin//g' | head -n1)
+${script_dir}/make-release critical ${image_date} 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
 
 # Pi5
-${script_dir}/make-release critical 2025-02-12 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+image_date=$(ls -lr $base_dir/firmware-2712/default/ | grep pieeprom | sed 's/.*pieeprom-//g' | sed 's/.bin//g' | head -n1)
+${script_dir}/make-release critical ${image_date} "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+
+# Convert to disk image for RPi Imager downloads
+sudo ${script_dir}/make-recovery-images
+
+# Delete the plain .zip files. These should not be uploaded as releases.
+rm -rf release-2711
+rm -rf release-2712

imager/make-pi4-rpiboot-gpio-sd

@@ -0,0 +1,134 @@
+#!/bin/sh
+
+set -e
+
+script_dir=$(cd "$(dirname "$0")" && pwd)
+TMP_DIR=""
+
+die() {
+   echo "$@" >&2
+   exit 1
+}
+
+cleanup() {
+   if [ -d "${TMP_DIR}" ]; then
+      rm -rf "${TMP_DIR}"
+   fi
+}
+
+usage() {
+cat <<EOF
+Usage:
+sudo $(basename $0): <gpio_num>
+
+	Creates an SD card image which programs the OTP on a Pi 4B or Pi 400
+	to select a GPIO on the 40-pin header for use as the rpiboot GPIO.
+	Once programmed, if this GPIO is pulled to ground at power on, the
+	SoC bootrom will boot into rpiboot provisioning mode.
+
+	This setting _permanently_ modifies the device configuration - it cannot
+	be undone or changed, ever.
+
+	The SD image will be written to images-2711/pi4-program-rpiboot-gpioN.zip,
+	where N is the number of the chosen GPIO, and can be flashed using
+	Raspberry Pi Imager to a spare SD card. As with programming the bootloader
+	EEPROM, insert the card in the Raspberry Pi, power on and wait for the
+	green LED to flash.
+
+	gpio_num: Select the rpiboot GPIO number from 2,4,5,6,7 or 8.
+EOF
+    exit 1
+}
+
+trap cleanup EXIT
+
+[ "$(id -u)" = "0" ] || die "$(basename $0) must be run as root"
+[ -n "${SUDO_UID}" ] || die "SUDO_UID not defined"
+[ -n "${SUDO_GID}" ] || die "SUDO_GID not defined"
+
+build_image()
+{
+   chip="${1}"
+   gpio="${2}"
+   img="pi4-program-rpiboot-gpio${gpio}"
+   zip="${img}.zip"
+   img="${img}.img"
+
+   TMP_DIR="$(mktemp -d)"
+   (
+      mkdir "${TMP_DIR}/files"
+      cd "${TMP_DIR}/files"
+      cp "${script_dir}/../firmware-${chip}/latest/recovery.bin" .
+   cat <<EOF > config.txt
+uart_2ndstage=1
+recovery_wait=1
+program_rpiboot_gpio=${gpio}
+EOF
+      echo "Generated config.txt file"
+      cat config.txt
+      cd "${TMP_DIR}"
+      dd if=/dev/zero bs=1M count=258 of=temp.img > /dev/null 2>&1
+      /sbin/sfdisk temp.img <<EOF
+label: dos
+label-id: 0x0a7b5ac5
+device: temp.img
+unit: sectors
+
+./test.img1 : start=        2048, size=       524288, type=c
+EOF
+      file temp.img
+      LOOP="/dev/mapper/$(kpartx -lv temp.img | head -n1 | awk '{print $1}')"
+      kpartx -a temp.img
+      /sbin/mkfs.fat -F 32 -s 1 "${LOOP}" > /dev/null
+      mkdir fs
+      mount "${LOOP}" fs
+      cp -v files/* fs
+      sync
+      sleep 5
+      umount fs
+      # Delay before calling kpartx otherwise it's sometimes possible to get orphaned loopback devices
+      sleep 5
+      kpartx -d temp.img
+   )
+   image_dir="images-${chip}"
+   mkdir -p "${image_dir}"
+   chown "${SUDO_UID}:${SUDO_GID}" "${image_dir}"
+   mv "${TMP_DIR}/temp.img" "${image_dir}/${img}"
+   file "${image_dir}/${img}"
+   cd "${image_dir}"
+   zip "${zip}" "${img}"
+   cd ..
+   rm "${image_dir}/${img}"
+   chown "${SUDO_UID}:${SUDO_GID}" "${image_dir}/${zip}"
+   echo "Wrote $(pwd)/${image_dir}/${zip}"
+}
+
+
+if ! command -v kpartx > /dev/null; then
+   die "kpartx not found: Try installing the kpartx package"
+fi
+
+[ -n "${1}" ] || usage
+gpio_num="$1"
+
+case "${gpio_num}" in
+   	2)
+		;;
+	4)
+		;;
+	5)
+		;;
+	6)
+		;;
+	7)
+		;;
+	8)
+		;;
+        *)
+		echo "GPIO ${gpio_num} is not supported"
+		echo
+  	  usage
+	  	;;
+esac
+
+build_image 2711 "${gpio_num}"

imager/net_install_pubkey.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAno9f6RGBaf2yaWTwf8+y
+MO4snzEgLOr8L3S28PZBdyx2qqNrzZ+xUOfLNYI5CwvBgOyKtm5L+wJIR8NUqgBl
+tvtBMAy2Auh0Qe679vN6UnsWE/o3pCgFPdmH+EcKfPqNBYODgfL+eumGM9Lo2dnl
+6P3JBR4Uy2E171k4D9Pj5rhO2K4jySYwbTuFR/drB2nDBrrsUW+SArnkTLvEGLY1
+nONW+AIBaqBxb+wjD/TMvVdsCWNXabcRqYM9DDgVzGePKuQdX5aBdgDnlbtDodyq
+FnLcRjqGE7nSQBQILwmGl5EvHMGa8d3/aLE6eXmMCakXyF1HPRv2lOecxNMO3xTF
+zwIDAQAB
+-----END PUBLIC KEY-----

releases.md

@@ -14,5 +14,6 @@ For support or hardware interoperability discussions please use the Raspberry Pi
 ## Old EEPROM images
 Old bootloader images are periodically removed from the APT package to reduce the disk space but are still available via Github 
 * Old [BCM2711 releases](https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware-2711/old).
+* Old [BCM2712 releases](https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware-2712/old).
 
 **Old releases may fail to boot on newer hardware revisions.**

rpi-eeprom-config

@@ -117,12 +117,12 @@ def shell_cmd(args, timeout=10, echo=False):
     error occurs then exit and output the subprocess stdout, stderr messages
     for debug.
     """
-    start = time.time()
+    start = time.monotonic()
     arg_str = ' '.join(args)
     bufsize = 0 if echo else -1
     result = subprocess.Popen(args, bufsize=bufsize, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 
-    while time.time() - start < timeout:
+    while time.monotonic() - start < timeout:
         if echo:
             s = result.stdout.read(80).decode('utf-8')
             if s != "":
@@ -260,8 +260,8 @@ class BootloaderImage(object):
 
         self._image_size = len(self._bytes)
         if self._image_size not in VALID_IMAGE_SIZES:
-            exit_error("%s: Expected size %d bytes actual size %d bytes" %
-                       (filename, self._image_size, len(self._bytes)))
+            exit_error("%s: Expected sizes %s bytes, got actual size %d bytes" %
+                       (filename, VALID_IMAGE_SIZES, self._image_size))
         self.parse()
 
     def parse(self):
@@ -346,7 +346,7 @@ class BootloaderImage(object):
             update_len = len(src_bytes) + FILE_HDR_LEN
 
             if hdr_offset + update_len > self._image_size - ERASE_ALIGN_SIZE:
-                raise Exception('No space available - image past EOF.')
+                raise Exception('No space available. %s size %d available space %d' % (dst_filename, update_len, self._image_size - ERASE_ALIGN_SIZE - hdr_offset))
 
             if hdr_offset < 0:
                 raise Exception('Update target %s not found' % dst_filename)

rpi-eeprom-update

@@ -424,13 +424,13 @@ checkDependencies() {
    if [ $(((0x$BOARD_INFO >> 12) & 15)) = 3 ]; then
       BCM_CHIP=2711
       EEPROM_SIZE=524288
-      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1599135103}"
+      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1746717695}"
 
       SPIDEV=/dev/spidev0.0
    elif [ $(((0x$BOARD_INFO >> 12) & 15)) = 4 ]; then
       BCM_CHIP=2712
       EEPROM_SIZE=2097152
-      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1725975630}"
+      BOOTLOADER_AUTO_UPDATE_MIN_VERSION="${BOOTLOADER_AUTO_UPDATE_MIN_VERSION:-1746713597}"
       SPIDEV=/dev/spidev10.0
       # Default is to use flashrom if availableon BCM2712
       RPI_EEPROM_USE_FLASHROM=${RPI_EEPROM_USE_FLASHROM:-1}

tools/rpi-otp-private-key

@@ -18,7 +18,8 @@ usage() {
     cat <<EOF
    $(basename "$0") [-cfwy] <key>
 
-   No args - reads the current private key from OTP. These values are NOT visible via 'vcgencmd otp_dump'.
+   No args - reads the current device unique private key from OTP.
+   *These values are NOT visible via 'vcgencmd otp_dump'*
 
    -b Output the key in binary format.
    -c Reads key and exits with 1 if it is all zeros i.e. not set.
@@ -30,11 +31,31 @@ usage() {
    -l Specify key length in words. Defaults to 8 words (32 bytes). Pi 5 supports up to 16 words (64 bytes).
    -o word Offset into the keystore to use, e.g. 0-7 for Pi 4, 0-15 for Pi 5. Defaults to zero.
 
-   <key> is usually a 64 digit hex number (256 bit) e.g. to generate a 256 random number run 'openssl rand -hex 32'
+   <key> is usually a 64 digit hex number (256 bit)
 
-   IMPORTANT: Raspberry Pi 5 and earlier revisions do not have a hardware secure key store. These OTP rows are visible
-   to any user in the 'video' group via vcmailbox. Therefore this functionality is only suitable for key
-   storage if the OS has already been restricted using the signed boot functionality.
+   Key generation:
+   The Raspberry Pi firmware cryptography services requires that the device unique private key is
+   a valid ECDSA with P-256 curve key. Due to limited OTP space only the raw private key component (d)
+   is stored in OTP.
+
+   Example key generation and provisioning:
+
+   # Generate the new private-key - remember to save this to a secure, off-device location!
+   openssl ecparam -name prime256v1 -genkey -noout -out private_key.pem
+
+   # Extract raw the private key component
+   openssl ec -in private_key.pem -text -noout | awk '/priv:/{flag=1; next} /pub:/{flag=0} flag' | tr -d ' \n:' | head -n1 > d.hex
+
+   # Write the key to OTP
+   rpi-otp-private-key -w \$(cat d.hex)
+
+   IMPORTANT: Raspberry Pi 5 and earlier revisions do not have a hardware secure key store
+   so the raw OTP values are potentially readable by processes with root-privileges.
+
+   In newer firmware releases, the mailbox APIs used by this script to read the OTP can
+   be disabled by setting lock_device_private_key=1 in config.txt.
+   On Pi4 or newer, if secure-boot is enabled, then this parameter cannot be
+   tampered with because config.txt is stored within the signed boot.img.
 
    WARNING: Changes to OTP memory are permanent and cannot be undone.
 EOF
@@ -134,7 +155,8 @@ if [ $(((0x$BOARD_INFO >> 12) & 15)) = 3 ]; then
 elif [ $(((0x$BOARD_INFO >> 12) & 15)) = 4 ]; then
     MAX_ROW_COUNT=16
 else
-    die "Chip not supported"
+    echo "WARNING: Secure-boot is only supported on Pi4 and newer models"
+    MAX_ROW_COUNT=8
 fi
 if [ -z "$ROW_COUNT" ] || [ "$ROW_COUNT" -ne "$ROW_COUNT" ] 2>/dev/null; then
     die "Key length not a number"