Update changelog for 27.0-1 release

* pitowers/master:
  2025-01-22: 2712: Promote 2025-01-22 to default release (default)
  pieeprom-2025-01-22: 2712: Add DT property for hash of signed boot image (latest)
  test: Update test script
  scripts: Failover to /usr/lib before /lib if FIRMWARE_ROOT is not set

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -40,11 +40,8 @@ body:
     multiple: true
     options:
       - Raspberry Pi 5
-      - Raspberry Pi 500
       - Raspberry Pi 4 Mod. B
       - Raspberry Pi 400
-      - Raspberry Pi CM5
-      - Raspberry Pi CM5 Lite
       - Raspberry Pi CM4
       - Raspberry Pi CM4 Lite
       - Raspberry Pi CM4-S

.github/workflows/test.yml

@@ -1,31 +0,0 @@
-name: Test EEPROM Config
-
-on:
-  pull_request:
-    branches: [ 'master' ]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.x'
-          
-      - name: Create and activate virtual environment
-        run: |
-          python -m venv venv
-          source venv/bin/activate
-          
-      - name: Install dependencies
-        run: |
-          pip install pycryptodomex
-      
-      - name: Run EEPROM Config Tests
-        run: |
-          cd test
-          chmod +x test-rpi-eeprom-config
-          ./test-rpi-eeprom-config 

LICENSE

@@ -6,14 +6,10 @@ Files: *
 Copyright: 2019, Raspberry Pi (Trading) Ltd.
 License: BSD-3
 
-Files: firmware-2711/*
+Files: firmware/*
 Copyright: 2019, Raspberry Pi (Trading) Ltd.
 License: custom
 
-Files: firmware-2712/*
-Copyright: 2024, Raspberry Pi (Trading) Ltd.
-License: custom
-
 License: BSD-3
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions

debian/.gitignore

@@ -0,0 +1,9 @@
+.debhelper/
+debhelper-build-stamp
+files
+rpi-eeprom/
+rpi-eeprom-images/
+*.debhelper.log
+*.debhelper
+*.substvars
+*.1

debian/LICENCE.bootloader

@@ -0,0 +1,28 @@
+Copyright (c) 2019, Raspberry Pi (Trading) Ltd.
+All rights reserved.
+
+Redistribution.  Redistribution and use in binary form, without
+modification, are permitted provided that the following conditions are
+met:
+
+* This software may only be used for the purposes of developing for,
+  running or using a Raspberry Pi device.
+* Redistributions must reproduce the above copyright notice and the
+  following disclaimer in the documentation and/or other materials
+  provided with the distribution.
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived
+  from this software without specific prior written permission.
+
+DISCLAIMER.  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
+BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE. 

debian/control

@@ -0,0 +1,29 @@
+Source: rpi-eeprom
+Section: misc
+Priority: optional
+Maintainer: Serge Schneider <serge@raspberrypi.com>
+Build-Depends: debhelper-compat (= 12), help2man, python3-minimal
+Standards-Version: 4.6.2
+Homepage: https://github.com/raspberrypi/rpi-eeprom/
+Vcs-Browser: https://github.com/raspberrypi/rpi-eeprom/
+Vcs-Git: https://github.com/raspberrypi/rpi-eeprom.git
+
+Package: rpi-eeprom
+Architecture: all
+Depends: ${shlibs:Depends}, ${misc:Depends}, raspi-utils, python3,
+ binutils, pciutils, python3-pycryptodome
+Breaks: rpi-eeprom-images (<<7.2)
+Replaces: rpi-eeprom-images (<<7.2)
+Recommends: flashrom
+Provides: rpi-eeprom-images
+Description: Raspberry Pi 4/5 boot EEPROM updater
+ Checks whether the Raspberry Pi bootloader EEPROM is up-to-date and updates
+ the EEPROM.
+
+Package: rpi-eeprom-images
+Architecture: all
+Depends: ${misc:Depends}, rpi-eeprom (>=7.2)
+Priority: optional
+Section: oldlibs
+Description: transitional package
+ This is a transitional package. It can safely be removed.

debian/copyright

@@ -0,0 +1 @@
+../LICENSE

debian/default/rpi-eeprom-update

@@ -0,0 +1 @@
+FIRMWARE_RELEASE_STATUS="default"

debian/gbp.conf

@@ -0,0 +1,3 @@
+[DEFAULT]
+upstream-tree = master
+debian-branch = debian/bookworm

debian/rpi-eeprom.docs

@@ -0,0 +1 @@
+debian/LICENCE.bootloader

debian/rpi-eeprom.install

@@ -0,0 +1,26 @@
+rpi-eeprom-config usr/bin/
+rpi-eeprom-update usr/bin/
+rpi-eeprom-digest usr/bin/
+tools/rpi-bootloader-key-convert usr/bin/
+tools/rpi-otp-private-key usr/bin/
+tools/rpi-sign-bootcode usr/bin/
+
+debian/default/ etc/
+
+firmware-2711/default usr/lib/firmware/raspberrypi/bootloader-2711/
+firmware-2711/latest usr/lib/firmware/raspberrypi/bootloader-2711/
+
+firmware-2711/critical usr/lib/firmware/raspberrypi/bootloader-2711/
+firmware-2711/stable usr/lib/firmware/raspberrypi/bootloader-2711/
+firmware-2711/beta usr/lib/firmware/raspberrypi/bootloader-2711/
+
+firmware-2711/release-notes.md usr/lib/firmware/raspberrypi/bootloader-2711/
+
+firmware-2712/default usr/lib/firmware/raspberrypi/bootloader-2712/
+firmware-2712/latest usr/lib/firmware/raspberrypi/bootloader-2712/
+
+firmware-2712/critical usr/lib/firmware/raspberrypi/bootloader-2712/
+firmware-2712/stable usr/lib/firmware/raspberrypi/bootloader-2712/
+firmware-2712/beta usr/lib/firmware/raspberrypi/bootloader-2712/
+
+firmware-2712/release-notes.md usr/lib/firmware/raspberrypi/bootloader-2712/

debian/rpi-eeprom.maintscript

@@ -0,0 +1,2 @@
+dir_to_symlink /lib/firmware/raspberrypi/bootloader-2711/beta latest 17.0+pi5+1-1
+dir_to_symlink /lib/firmware/raspberrypi/bootloader-2712/beta latest 17.0+pi5+1-1

debian/rpi-eeprom.manpages

@@ -0,0 +1,2 @@
+debian/rpi-eeprom-update.1
+debian/rpi-eeprom-config.1

debian/rpi-eeprom.postinst

@@ -0,0 +1,39 @@
+#!/bin/sh
+# postinst script for rpi-eeprom
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    configure)
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0

debian/rpi-eeprom.postrm

@@ -0,0 +1,40 @@
+#!/bin/sh
+# postrm script for rpi-eeprom
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    purge)
+        rm -rf /var/lib/raspberrypi/bootloader/backup/
+    ;;
+    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0

debian/rpi-eeprom.prerm

@@ -0,0 +1,38 @@
+#!/bin/sh
+# prerm script for rpi-eeprom
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    remove|upgrade|deconfigure)
+    ;;
+
+    failed-upgrade)
+    ;;
+
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0

debian/rpi-eeprom.rpi-eeprom-update.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Check for Raspberry Pi EEPROM updates
+After=boot-firmware.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/bin/rpi-eeprom-update -s -a
+
+[Install]
+WantedBy=multi-user.target

debian/rules

@@ -0,0 +1,27 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+
+include /usr/share/dpkg/pkg-info.mk
+
+%:
+	dh $@
+
+override_dh_installsystemd:
+	dh_installsystemd --name=rpi-eeprom-update
+
+override_dh_auto_build: debian/rpi-eeprom-update.1 debian/rpi-eeprom-config.1
+
+override_dh_install:
+	mkdir -p debian/rpi-eeprom/var/lib/raspberrypi/bootloader/backup/
+	dh_install
+
+debian/rpi-eeprom-update.1:
+	help2man -N --version-string="${DEB_VERSION_UPSTREAM}" --help-option="-h" \
+		--name="Checks whether the Raspberry Pi bootloader EEPROM is \
+up-to-date and updates the EEPROM" \
+		--output=$@ ./rpi-eeprom-update
+
+debian/rpi-eeprom-config.1:
+	help2man -N --version-string="${DEB_VERSION_UPSTREAM}" --help-option="-h" \
+		--name="Bootloader EEPROM configuration tool for the Raspberry Pi 4/5" \
+		--output=$@ ./rpi-eeprom-config

debian/salsa-ci.yml

@@ -0,0 +1,28 @@
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+  - $CI_SERVER_URL/$CI_PROJECT_NAMESPACE/salsa-ci/-/raw/pios/rpi.yml
+
+variables:
+  SALSA_CI_ARM_RUNNER_TAG: salsa-arm64
+  SALSA_CI_DISABLE_BUILD_PACKAGE_ARM64: 0
+  SALSA_CI_DISABLE_BUILD_PACKAGE_ARMHF: 0
+  SALSA_CI_DISABLE_APTLY: 0
+  SALSA_CI_DISABLE_VERSION_BUMP: 1
+  # These require priviledged docker containers to work
+  SALSA_CI_DISABLE_AUTOPKGTEST: 1
+  SALSA_CI_DISABLE_PIUPARTS: 1
+  SALSA_CI_DISABLE_REPROTEST: 1
+  SALSA_CI_IMAGES_LINTIAN: ${SALSA_CI_IMAGES}/lintian:bookworm
+  # Work around lintian bug in bookworm
+  # https://lists.debian.org/debian-lint-maint/2024/02/msg00039.html
+  SALSA_CI_LINTIAN_SUPPRESS_TAGS: 'bad-distribution-in-changes-file'
+
+extract-source:
+  variables:
+    GIT_DEPTH: 0
+    GIT_STRATEGY: clone
+  before_script:
+    - git fetch origin master:master
+
+publish to apt:
+  extends: .publish-public

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/source/lintian-overrides

@@ -0,0 +1,2 @@
+debian-copyright-is-symlink
+source-is-missing [tools/vl805]

firmware-2711/release-notes.md

@@ -1,61 +1,5 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
-## 2025-05-13: Promote 2025-05-08 to the default release (default)
-
-## 2025-05-08: Implement TCP window for net boot (latest)
-* Signed boot and HTTP boot mode
-  HTTP boot mode is supposed to be disabled if signed boot is enabled and
-  a host is not specified. The code is checking the http_secure flag to
-  enforce this. But this is valid now we support custom CA certs.
-  Only disable HTTP mode if we're using the default HOST.
-* Implement TCP window for net boot
-  The minimal IP stack used for https booting lacks the ability to cache
-  packets received out of order, which can lead to severe slowdown when
-  it happens. The problem seems to affect some ISPs more than others.
-  The receive window implemented here copes with packet losses of 10%.
-* netboot: Correct the TCP MSS
-* Correct msecs in debug timestamps
-  The fractional part of timestamps in UART debug output was showing the
-  100ths and 1000ths of a second, rather than 10ths and 100ths, causing
-  strange sequences that appear to jump backwards.
-
-## 2025-02-17: Promote 2025-02-11 to default release (default)
-
-## 2025-02-11: recovery: Walk partitions to delete recovery.bin (latest)
-
-* recovery: Walk partitions to delete recovery.bin
-  Previously, recovery.bin would fail to delete itself
-  if the bootrom loaded recovery.bin where there are multiple FAT
-  partitions and the first partition does not contain recovery.bin
-  Update the rename code to walk the partition table to find
-  the recovery.bin file to delete.
-* Enable overriding of high partition numbers
-  Previously, the PARTITION=N bootloader config setting would only
-  be used at power on reset or if the partition number passed to
-  reboot was zero.
-  Change the behaviour so that the bootloader config PARTITION
-  property can override the reboot partition number if the reboot
-  parameter is > 31.
-* Walk the partition table if the requested partition is not bootable
-  Previously, if the specified boot partition was not bootable the
-  bootloader would stop and advance to the next BOOT_ORDER. If the
-  new PARTITION_WALK option is set to 1 the bootloader will now
-  check each partition in turn starting from the specified partition
-  before advancing the BOOT_ORDER.
-  This feature is intended for use with A/B systems to handle the case
-  where autoboot.txt is missing / corrupted. This change enables
-  the system to failover to the next available bootable partition.
-  The autoboot.txt file is not scanned during the partition-walk
-  phase i.e. there is no recursive processing of autoboot.txt files.
-  This option is only supported on physical block devices
-  (SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
-  device, partition walks on multiple USB devices is not recommended
-  and may cause timeouts.
-* Improve keyboard handling in boot menu
-  Try and make it more likely that we have enough time to perform key
-  detection.
-  Ignore mice, which were being enumerated and slowing things down.
-
 ## 2024-12-07: Enable banklow (and so NUMA) by default (latest)
 
 * Enable banklow (and so NUMA) by default

firmware-2712/release-notes.md

@@ -1,211 +1,5 @@
 # Raspberry Pi5 bootloader EEPROM release notes
 
-## 2025-05-13: Promote 2025-05-08 to the default release (default)
-
-## 2025-05-08: Implement TCP window for net boot (latest)
-
-* arm_loader: Correct some mailbox response lengths
-  The GET_GENCMD_RESULT mailbox handler was setting the wrong response
-  length, and GET_FIRMWARE_COMMIT_HASH and GET_FIRMWARE_VARIANT were not
-  setting any length.
-  See: https://github.com/raspberrypi/firmware/issues/1968
-* Signed boot and HTTP boot mode
-  HTTP boot mode is supposed to be disabled if signed boot is enabled and
-  a host is not specified. The code is checking the http_secure flag to
-  enforce this. But this is valid now we support custom CA certs.
-  Only disable HTTP mode if we're using the default HOST.
-* Implement TCP window for net boot
-  The minimal IP stack used for https booting lacks the ability to cache
-  packets received out of order, which can lead to severe slowdown when
-  it happens. The problem seems to affect some ISPs more than others.
-  The receive window implemented here copes with packet losses of 10%.
-* netboot: Correct the TCP MSS
-* rp1_net: Overwrite the length field
-  Although concise, ORing in the packet length runs the risk of leaving
-  some unwanted bits set. Ensure the length field is cleared before
-  ORing in the required value.
-* Correct msecs in debug timestamps
-  The fractional part of timestamps in UART debug output was showing the
-  100ths and 1000ths of a second, rather than 10ths and 100ths, causing
-  strange sequences that appear to jump backwards.
-* Implement GET_BOARD_MAC_ADDRESS on Pi5
-  The Pi 5 EEPROM implements a subset of the original mailbox properties.
-  Add GET_BOARD_MAC_ADDRESS to the subset.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/698
-* Ensure the initramfs matches the kernel
-  As far as is possible, both the kernel and initramfs are matched to the
-  device. However, where multiple kernel variants can run on a device, the
-  initramfs must be matched to the chosen kernel. Make that the sole rule
-  for initramfs selection, rather than duplicating the device matching
-  logic.
-  See: https://github.com/raspberrypi/firmware/issues/1965
-* Enable logging messages from OS loader
-  Pi 5 EEPROM builds were missing the output from the main OS loading
-  function, including some important diagnostics. Enabling the logging
-  output from this loader code results in some near-duplicates, but is
-  more user friendly and is available via "sudo vclog -m".
-
-## 2025-04-07: arm_dt: Revert to using the max fan speed (latest)
-
-* arm_dt: Revert to using the max fan speed
-  It has been reported that the presence of a cooling fan at boot time
-  can lead to a maximum observed fan speed of ~300 but a current speed
-  of 0. The absence of a fan results in 0s for both metrics.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/690
-
-## 2025-03-27: os_check: cm5: Check for CM5 specific dtbs (latest)
-
-* os_check: cm5: Check for CM5 specific dtbs
-  Check for BCM2712 support in bcm2712-rpi-cm5-cm5io.dtb
-  or bcm2712-rpi-cm5l-cm5io.dtb on CM5 instead of bcm2712-rpi-5-b.dtb.
-  This avoids needing to put os_check=1 or specifying device_tree
-  in config.txt in minimal images for CM5.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/682
-
-## 2025-03-19: Log the fan speed at boot (latest)
-
-* Log the fan speed at boot
-  Record the fan RPM (and the maximum seen) during boot, so that it is
-  accessible using "sudo vclog -m".
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/678
-* Add current_supply to HAT+ support
-  Refactor the HAT library to make it more self-contained, and combine
-  the I2C address detection and the reading of the EEPROM contents.
-  Use it to allow the earlier boot stages to check for a current_supply
-  setting in the EEPROM of a normal (non-stackable) HAT+.
-
-## 2025-03-10: Promote 2025-03-10 release to default (default)
-
-## 2025-03-10: Add [boot_partition] filter plus SDRAM init fixes (latest)
-
-* Update SDRAM init timings to intermittent 8-flash SDRAM init errors
-  on some boards.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/67
-* config: Fix missing initialisation of selected_expr to 1 in config.txt
-  Without an [all] section the new expression filter might default to
-  false. This impacts the bootloader early parsing of config.txt
-  for things like boot_ramdisk rather than the later config.txt pass
-  for device-tree parsing.
-* config_loader: Add support [boot_partition=N] as an expression filter
-  The boot_partition tests whether the partition number N matches
-  the number that the system is booting from. This expression is
-  only supported in config.txt and is designed to make it easier
-  to have common boot.img ramdisks in an A/B system where the
-  conditional loads a different cmdline.txt file depending on
-  which partition boot.img is loaded from.
-
-## 2025-03-03: Fix bootloader pull configuration on 2712D0 (latest)
-
-* Fix pull configuration on 2712D0
-  2712D0 uses a horrendously sparse set of pad control registers. Make
-  the pull-setting code sufficiently complex to cope.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/672
-* Disable UARTA for CM5s without WiFi
-  Just as CM5s without WiFI don't need the SDIO interface, the Bluetooth
-  UART is unconnected. Disable the DT node to avoid kernel warnings and
-  save some cycles.
-
-## 2025-02-17: Promote 2025-02-12 to the default release (default)
-
-## 2025-02-12: Fixup change to disable 3.7V PMIC output on CM5 no-wifi (latest)
-
-* Fixup change to disable 3.7V PMIC output on CM5 no-wifi
-
-## 2025-02-11: CM5 no-Wifi stability improvements (latest)
-
-* recovery: Walk partitions to delete recovery.bin
-  Previously, recovery.bin would fail to delete itself
-  if the bootrom loaded recovery.bin where there are multiple FAT
-  partitions and the first partition does not contain recovery.bin
-  Update the rename code to walk the partition table to find
-  the recovery.bin file to delete.
-* pi5: Add config filter for simple boot variable expressions (experimental)
-  Add support for a new bootloader/config.txt conditional filter
-  which tests the partition, boot_count and boot_arg1 variables.
-  Syntax (no spaces):
-  ARG boot_arg1, boot_count or partition (EEPROM config stage only)
-  [ARG=VALUE]      selected if (ARG == VALUE)
-  [ARG&MASK]       selected if ((ARG & VALUE) != 0))
-  [ARG&MASK=VALUE] selected if ((ARG & MASK) == VALUE)
-  [ARG<VALUE]      selected if (ARG < VALUE)
-  [ARG>VALUE]      selected if (ARG > VALUE)
-  where VALUE and MASK are unsigned integer constants and ARG
-  corresponds to the value in the reset register before the
-  config file is parsed.
-* pi5: Add a boot-count bootloader variable (experimental)
-  Store the boot-count in a reset register and increment just
-  before the boot-order state-machine. The boot-count variable
-  is visible via device-tree /proc/device-tree/chosen/bootloader/count
-  and can be read/set via vcmailbox
-  GET: sudo vcmailbox 0x0003008d 4 4 0
-  SET to N: sudo vcmailbox 0x0003808d 4 4 N
-* pi5: Add user-defined reboot argument (boot_arg1) (experimental)
-  Add support for a user-defined boot parameter stored in a reset-safe
-  scratch register on BCM2712.  This is visible via device-tree at
-  /proc/device-tree/chosen/bootloader/arg1 and via vcmailboxes
-  GET arg1: sudo vcmailbox 0x0003008c 8 8 1 0
-  SET arg1 to 42: sudo vcmailbox 0x0003808c 8 8 1 42
-  or via config.txt
-  set_reboot_arg1=42
-  The variable is NOT cleared automatically and will persist until
-  a power-on-reset.
-* Enable overriding of high partition numbers
-  Previously, the PARTITION=N bootloader config setting would only
-  be used at power on reset or if the partition number passed to
-  reboot was zero.
-  Change the behaviour so that the bootloader config PARTITION
-  property can override the reboot partition number if the reboot
-  parameter is > 31.
-* Disable WiFi PMIC output on CM5 modules without WiFi
-  Disable the 3.7V WiFi power supply on CM5 modules which do not have a
-  WiFi module fitted. This fixes some stability issues where a CM5
-  would shutdown due to a spurious over-voltage condition on the
-  non-connected WiFi power supply.
-* Add memory barrier to the mbox handler
-  Firmware issue 1944 reports receiving kernel warnings about firmware
-  requests where the status return code is 0. This should not be
-  possible, as handle_mbox_property always sets the top bit of the return
-  code, with the bottom bit indicating success or failure. If the firmware
-  had died, the firmware driver would report a timeout due to the lack of
-  a mailbox interrupt, and that isn't happening.
-  See: https://github.com/raspberrypi/firmware/issues/1944
-* support dts files with size-cells of 2
-  DTS files with a top-level #size-cells of 2 make a lot of sense for
-  systems with a lot of RAM, but the firmware is currently inconsistent
-  in its support for that. Fix up the other cases to honor #size-cells
-  and #address-cells.
-* Disable SDIO2 for CM5s without WiFi
-  It has been observed that CM5s without WiFi hang on reboot. To prevent
-  that, disable the sdio2 node on those devices.
-  See: https://github.com/raspberrypi/linux/issues/6647
-* arm_dt: Use dtoverlay_enable_node
-  Convert the open-coded DT node status changes to use the new dtoverlay
-  method dtoverlay_enable_node.
-* dtoverlay: Add dtoverlay_enable_node
-  Add a helper function for setting the status of a node.
-
-## 2025-01-27: Walk the partition table if the requested partition is not bootable (latest)
-
-* Walk the partition table if the requested partition is not bootable
-  Previously, if the specified boot partition was not bootable the
-  bootloader would stop and advance to the next BOOT_ORDER. If the
-  new PARTITION_WALK option is set to 1 the bootloader will now
-  check each partition in turn starting from the specified partition
-  before advancing the BOOT_ORDER.
-  This feature is intended for use with A/B systems to handle the case
-  where autoboot.txt is missing / corrupted. This change enables
-  the system to failover to the next available bootable partition.
-  The autoboot.txt file is not scanned during the partition-walk
-  phase i.e. there is no recursive processing of autoboot.txt files.
-  This option is only supported on physical block devices
-  (SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
-  device, partition walks on multiple USB devices is not recommended
-  and may cause timeouts.
-* Improve keyboard handling in boot menu
-  Try and make it more likely that we have enough time to perform key
-  detection.
-  Ignore mice, which were being enumerated and slowing things down.
-
 ## 2025-01-22: Promote 2025-01-22 to default release (default)
 
 ## 2025-01-22: Add DT /chosen property signed-boot boot.img hash (latest)

imager/2711-config/boot-conf-network.txt

@@ -3,5 +3,4 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf21
-NET_INSTALL_AT_POWER_ON=1
 

imager/2711-config/boot-conf-sd.txt

@@ -3,4 +3,4 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf41
-NET_INSTALL_AT_POWER_ON=1
+

imager/2711-config/boot-conf-usb.txt

@@ -3,5 +3,4 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf14
-NET_INSTALL_AT_POWER_ON=1
 

imager/make-imager-release

@@ -5,7 +5,7 @@ set -e
 script_dir=$(cd "$(dirname "$0")" && pwd)
 
 # Pi4, Pi400, CM4, CM4-S
-${script_dir}/make-release critical 2025-02-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
+${script_dir}/make-release critical 2023-01-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
 
 # Pi5
-${script_dir}/make-release critical 2025-02-12 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+${script_dir}/make-release critical 2024-11-12 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712

rpi-eeprom-digest

@@ -6,12 +6,8 @@
 # a hard dependency on OpenSSL.
 
 set -e
-set -u
 
 OPENSSL=${OPENSSL:-openssl}
-KEY=""
-SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-""}
-HSM_WRAPPER=""
 
 die() {
    echo "$@" >&2
@@ -50,30 +46,28 @@ RSA signature. Typically this tool is used by rpi-eeprom-update to
 generate a hash to guard against file-system corruption for EEPROM updates
 OR for signing OS images (boot.img) for secure-boot.
 
-This tool CANNOT be used directly to sign a bootloader EEPROM image
-for secure-boot because the signed data is the bootloader configuration file
+This tool CANNOT be used directly to sign an bootloader EEPROM image
+for secure-boot because the signed data is bootloader configuration file
 rather than the entire flash image.
-To create signed bootloader images, please see
+To create signed bootloader images please see
 https://github.com/raspberrypi/usbboot/tree/master/secure-boot-recovery/README.md
 
 
 Options:
-   -i The source image, e.g., boot.img
-   -o The name of the digest/signature file
-   -k Optional RSA private key
-   -H The name of the HSM wrapper script to invoke - default ""
+   -i The source image e.g. boot.img
+   -o The name of the digest/signature file.
+   -k Optional RSA private key.
 
-RSA signing:
-If a private key in PEM format or a PKCS#11 URI is supplied, then the
-RSA signature of the SHA256 digest is included in the .sig
-file. Currently, the bootloader only supports SHA256 digests signed
-with a 2048-bit RSA key. The bootloader only verifies RSA signatures
-in signed boot mode and only for the EEPROM config file and the signed
-image.
+RSA signing
+If a private key in PEM format is supplied then the RSA signature of the
+sha256 digest is included in the .sig file. Currently, the bootloader only
+supports sha256 digests signed with a 2048bit RSA key.
+The bootloader only verifies RSA signatures in signed boot mode
+and only for the EEPROM config file and the signed image.
 
 Examples:
 
-# Generate the normal SHA256 hash to guard against file-system corruption
+# Generate the normal sha256 hash to guard against file-system corruption
 rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
 rpi-eeprom-digest -i vl805.bin -o vl805.sig
 
@@ -82,15 +76,7 @@ rpi-eeprom-digest -k private.pem -i boot.img -o boot.sig
 
 # Generate RSA signature for the EEPROM config file
 # As used by update-pieeprom.sh in usbboot/secure-boot-recovery
-rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
-
-# Generate RSA signature for the EEPROM config file and delegate 
-# the signing process to a HSM wrapper script instead of using the private key directly.
-rpi-eeprom-digest -H hsm-wrapper -i bootconf.txt -o bootconf.sig
-
-# Similarly, but specifying the key with a PKCS#11 URI
-# (Deprecated - use HSM wrapper instead)
-rpi-eeprom-digest -k pkcs11:token=deadbeef;object=bl-key;type=private;pin-value=1234 -i bootconf.txt  -o bootconf.sig
+rpi-eeprom-digest -k private.pem -i bootconf.txt  -o bootconf.sig
 
 # To verify the signature of an existing .sig file using the public key.
 # N.B The key file must be the PUBLIC key in PEM format.
@@ -112,10 +98,9 @@ writeSig() {
        echo "ts: $(date -u +%s)" >> "${OUTPUT}"
    fi
 
-   if [ -n "${HSM_WRAPPER}" ]; then
-      echo "rsa2048: $("${HSM_WRAPPER}" -a rsa2048-sha256 "${IMAGE}")" >> "${OUTPUT}"
-   elif [ -n "${KEY}" ]; then
-      "${OPENSSL}" dgst ${ENGINE_OPTS} -sign "${KEY}" -sha256 -out "${SIG_TMP}" "${IMAGE}"
+   if [ -n "${KEY}" ]; then
+      [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
+      "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
       echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
    fi
 }
@@ -127,20 +112,18 @@ verifySig() {
    sig_hex="$(grep rsa2048 "${sig_file}" | cut -f 2 -d ' ')"
    [ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}"
 
-   echo "${sig_hex}" | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
-   "${OPENSSL}" dgst ${ENGINE_OPTS} -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
+   echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
+   "${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
 }
 
 OUTPUT=""
 VERIFY=0
-while getopts i:H:k:ho:v: option; do
+while getopts i:k:ho:v: option; do
    case "${option}" in
    i) IMAGE="${OPTARG}"
       ;;
    k) KEY="${OPTARG}"
       ;;
-   H) HSM_WRAPPER="${OPTARG}"
-      ;;
    o) OUTPUT="${OPTARG}"
       ;;
    v) SIGNATURE="${OPTARG}"
@@ -159,18 +142,6 @@ checkDependencies
 
 [ -n "${IMAGE}" ] || usage
 [ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
-[ "${VERIFY}" != 1 ] || [ -n "${KEY}" ] || die "Option -v also requires passing public key via -k"
-
-if [ -n "${KEY}" ] ; then
-    if [ -f "${KEY}" ] ; then
-        ENGINE_OPTS=
-    elif echo "${KEY}" | grep -q "^pkcs11:" ; then
-        ENGINE_OPTS="-engine pkcs11 -keyform engine"
-    else
-        die "RSA key \"${KEY}\" not found"
-    fi
-fi
-
 if [ "${VERIFY}" = 1 ]; then
    verifySig "${SIGNATURE}"
 else

test/README.md

@@ -1,14 +0,0 @@
-# rpi-eeprom - unit tests
-
-## test-rpi-eeprom-config
-Unit test for rpi-eeprom-config which verifies:
-
-* rpi-eeprom-config is compatible with all EEPROM binaries
-* unit tests for modifying the boot.conf file
-* simple code signing test
-
-To run on Linux:
-```
-cd test
-./test-rpi-eeprom-config
-```

tools/rpi-sign-bootcode

@@ -2,11 +2,8 @@
 
 import argparse
 import base64
-import os
 import struct
-import subprocess
 import sys
-import tempfile
 
 # python3 -m pip install pycryptodomex
 from Cryptodome.Hash import HMAC, SHA1, SHA256
@@ -108,30 +105,6 @@ class ImageFile:
         debug("%08x %20s: [%6d] %s" % (self.pos(), 'RSA', len(arr), pem_file))
         self.append(arr)
 
-        h = SHA256.new()
-        h.update(key.n.to_bytes(256, byteorder='little'))
-        h.update(key.e.to_bytes(8, byteorder='little'))
-        d = h.hexdigest()
-        pub_str = ""
-        for i in range(int(len(d)/8)):
-           pub_str += "0x%s%s%s%s, " % (d[i*8+6:i*8+8], d[i*8+4:i*8+6], d[i*8+2:i*8+4], d[i*8+0:i*8+2])
-        debug("Public key SHA256(N,e) = %s" % pub_str)
-
-    def append_rsa_signature_pkcs11(self, hsm_wrapper):
-        temp = tempfile.NamedTemporaryFile(delete=False)
-        temp.write(self._bytes)
-        temp.close() # close and flush before spawning PKCS#11 wrapper
-
-        res = subprocess.run([hsm_wrapper, "-a", "rsa2048-sha256", temp.name], capture_output=True)
-        debug(res.stderr)
-        if res.returncode != 0:
-            os.unlink(temp.name)
-            raise Exception(f"HSM wrapper failed with exit code {res.returncode}: {res.stderr.decode()}")
-        signature = res.stdout.decode()
-        os.unlink(temp.name)
-        self.append(bytearray.fromhex(signature))
-        debug("PKCS11 %08x %20s: [%6d] signature %s" % (self.pos(), 'RSA2048 - SHA256', len(signature), signature))
-
     def append_rsa_signature(self, digest_alg, private_pem):
         """
         Append a RSA 2048 signature of the SHA256 of the data so far
@@ -159,13 +132,19 @@ class ImageFile:
             if len(hmac_key) != expected_keylen:
                 raise Exception("Bad key length %d expected %d" % (len(hmac_key), expected_keylen))
 
-        if digest_alg == 'hmac-sha1':
-            h = HMAC.new(base64.b16decode(hmac_key, True), self._bytes, digestmod=SHA1)
+        if digest_alg == 'hmac-sha256':
+            digest = HMAC.new(base64.b16decode(hmac_key, True), self._bytes, digestmod=SHA256)
+        elif digest_alg == 'hmac-sha1':
+            digest = HMAC.new(base64.b16decode(hmac_key, True), self._bytes, digestmod=SHA1)
+        elif digest_alg == 'sha256':
+            digest = SHA256.new(self._bytes)
+        elif digest_alg == 'sha1':
+            digest = SHA1.new(self._bytes)
         else:
             raise Exception("Digest not supported %s" % (digest_alg))
 
-        debug("%08x %20s: [%6d] %s" % (self.pos(), digest_alg, len(h.digest()), h.hexdigest()))
-        self.append(h.digest())
+        debug("%08x %20s: [%6d] %s" % (self.pos(), digest_alg, len(digest.digest()), digest.hexdigest()))
+        self.append(digest.digest())
 
     def pos(self):
         return len(self._bytes)
@@ -182,7 +161,7 @@ class ImageFile:
     def close(self):
         self._of.close()
 
-def create_2711_image(output, bootcode, private_key=None, private_keynum=0, hmac=None, hsm_wrapper=None):
+def create_2711_image(output, bootcode, private_key, private_keynum, hmac):
     """
     Create a 2711 C0 secure-boot compatible seconds stage signed binary.
     """
@@ -190,31 +169,22 @@ def create_2711_image(output, bootcode, private_key=None, private_keynum=0, hmac
     image.append_file(bootcode)
     image.append_length()
     image.append_keynum(private_keynum)
-    if hsm_wrapper:
-        image.append_rsa_signature_pkcs11(hsm_wrapper)
-    else:
-        image.append_rsa_signature('sha1', private_key)
+    image.append_rsa_signature('sha1', private_key)
     image.append_digest('hmac-sha1', hmac)
     image.write()
     image.close()
 
-def create_2712_image(output, bootcode, private_version=0, public_key=None, private_key=None, private_keynum=0, hsm_wrapper=None):
+def create_2712_image(output, bootcode, private_key, private_keynum, private_version):
     """
-    Create a prototype 2712 signed bootloader. The HMAC is removed and the
-    full public key is appended.
+    Create 2712 signed bootloader. The HMAC is removed and the full public key is appended.
     """
     image = ImageFile(output, MAX_BIN_SIZE)
     image.append_file(bootcode)
     image.append_length()
     image.append_keynum(private_keynum)
     image.append_version(private_version)
-    if hsm_wrapper is not None:
-        debug(f"Call HSM wrapper {hsm_wrapper}")
-        image.append_rsa_signature_pkcs11(hsm_wrapper)
-        image.append_public_key(public_key)
-    else:
-        image.append_rsa_signature('sha256', private_key)
-        image.append_public_key(private_key)
+    image.append_rsa_signature('sha256', private_key)
+    image.append_public_key(private_key)
     image.write()
     image.close()
 
@@ -223,43 +193,37 @@ def main():
     Signs a second stage bootloader image.
 
     Examples:
-    
-        Customer counter-signed:
+        2711 mode:
+        rpi-sign-bootcode --debug -c 2711 -i bootcode.bin.clr -o bootcode.bin -k 2711_rsa_priv_0.pem -n 0 -m bootcode-production.key
+
+        2712 C1 and D0 mode:
+          * HMAC not included on 2712
+          * RSA public key included - ROM just contains the hashes of the RPi public keys.
+
+        Customer counter-signed signed:
           * Exactly the same as Raspberry Pi signing but the input is the Raspberry Pi signed bootcode.bin
           * The key number will probably always be 16 to indicate a customer signing
 
         rpi-sign-bootcode --debug -c 2712 -i bootcode.bin.sign2 -o bootcode.bin -k customer.pem
-
-        PKCS#1 v1.5 - HSM wrapper:
-          * hsm-wrapper takes a single argument which is a temporary filename containing the data to sign
-          * hsm-wrapper outputs the PKCS#1 v1.5 signature in hex format
-          * hsm-wrapper must return a non-zero exit code if signing fails
-          * hsm-wrapper requires the -a rsa2048-sha256 parameter to specify the algorithm
-          * There is no facility to pass the private key or custom HSM arguments - the caller should generate a dedicated wrapper script
-          * The public key in PEM format MUST be specified with the -p option
-
-        rpi-sign-bootcode --debug -c 2712 -i bootcode.bin.sign2 -o bootcode.bin -p public.pem -H hsm-wrapper
     """
     parser = argparse.ArgumentParser(help_text)
-    parser.add_argument('-o', '--output', required=False, help='Output filename. If not specified, the signed image is written to stdout in base64 format')
+    parser.add_argument('-o', '--output', required=False, help='Output filename . If not specified the signed images is written to stdout in base64 format')
     parser.add_argument('-c', '--chip', required=True, type=int, help='Chip number')
-    parser.add_argument('-i', '--input', required=False, help='Path of the unsigned bootcode.bin file OR RPi signed bootcode file to be signed with the customer key. If NULL, the binary is read from stdin in base64 format')
+    parser.add_argument('-i', '--input', required=False, help='Path of the unsigned bootcode.bin file OR RPi signed bootcode file sign with the customer key. If NULLL the binary is read from stdin in base64 format')
     parser.add_argument('-m', '--hmac', required=False, help='Path of the HMAC key file')
-    parser.add_argument('-k', '--private-key', dest='private_key', required=False, default=None, help='Path of RSA private key (PEM format)')
-    parser.add_argument('-p', '--public-key', dest='public_key', required=False, default=None, help='Path of RSA public key (PEM format)')
+    parser.add_argument('-k', '--private-key', dest='private_key', required=True, help='Path of RSA private key (PEM format)')
     parser.add_argument('-n', '--private-keynum', dest='private_keynum', required=False, default=0, type=int, help='ROM key index for RPi signing stage')
-    parser.add_argument('-H', '--hsm-wrapper', default=None, required=False, help='Filename of HSM wrapper script which generates a PKCSv1.1 signature as hex')
     parser.add_argument('-d', '--debug', action='store_true')
-    parser.add_argument('-v', '--private-version', dest='private_version', required=False, default=0, type=int, help='Version of firmware, stops firmware rollback, only valid 0-31')
+    parser.add_argument('-v', '--private-version', dest='private_version', required=True, type=int, help='Version of firmware, stops firmware rollback, only valid 0-31')
 
     args = parser.parse_args()
     _CONFIG['DEBUG'] = args.debug
     if args.chip == 2711:
         if args.hmac is None:
             raise Exception("HMAC key requried for 2711")
-        create_2711_image(args.output, args.input, private_key=args.private_key, private_keynum=args.private_keynum, hmac=args.hmac, hsm_wrapper=args.hsm_wrapper)
+        create_2711_image(args.output, args.input, args.private_key, args.private_keynum, args.hmac)
     elif args.chip == 2712:
-        create_2712_image(args.output, args.input, private_version=args.private_version, public_key=args.public_key, private_key=args.private_key, private_keynum=args.private_keynum, hsm_wrapper=args.hsm_wrapper)
+        create_2712_image(args.output, args.input, args.private_key, args.private_keynum, args.private_version)
 
 if __name__ == '__main__':
     main()