bug_report template: Be more precise about the UART pins

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -40,11 +40,8 @@ body:
     multiple: true
     options:
       - Raspberry Pi 5
-      - Raspberry Pi 500
       - Raspberry Pi 4 Mod. B
       - Raspberry Pi 400
-      - Raspberry Pi CM5
-      - Raspberry Pi CM5 Lite
       - Raspberry Pi CM4
       - Raspberry Pi CM4 Lite
       - Raspberry Pi CM4-S

.github/workflows/test.yml

@@ -1,31 +0,0 @@
-name: Test EEPROM Config
-
-on:
-  pull_request:
-    branches: [ 'master' ]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      
-      - name: Set up Python
-        uses: actions/setup-python@v4
-        with:
-          python-version: '3.x'
-          
-      - name: Create and activate virtual environment
-        run: |
-          python -m venv venv
-          source venv/bin/activate
-          
-      - name: Install dependencies
-        run: |
-          pip install pycryptodomex
-      
-      - name: Run EEPROM Config Tests
-        run: |
-          cd test
-          chmod +x test-rpi-eeprom-config
-          ./test-rpi-eeprom-config 

LICENSE

@@ -6,14 +6,10 @@ Files: *
 Copyright: 2019, Raspberry Pi (Trading) Ltd.
 License: BSD-3
 
-Files: firmware-2711/*
+Files: firmware/*
 Copyright: 2019, Raspberry Pi (Trading) Ltd.
 License: custom
 
-Files: firmware-2712/*
-Copyright: 2024, Raspberry Pi (Trading) Ltd.
-License: custom
-
 License: BSD-3
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions

firmware-2711/release-notes.md

@@ -1,61 +1,5 @@
 # Raspberry Pi4 bootloader EEPROM release notes
 
-## 2025-05-13: Promote 2025-05-08 to the default release (default)
-
-## 2025-05-08: Implement TCP window for net boot (latest)
-* Signed boot and HTTP boot mode
-  HTTP boot mode is supposed to be disabled if signed boot is enabled and
-  a host is not specified. The code is checking the http_secure flag to
-  enforce this. But this is valid now we support custom CA certs.
-  Only disable HTTP mode if we're using the default HOST.
-* Implement TCP window for net boot
-  The minimal IP stack used for https booting lacks the ability to cache
-  packets received out of order, which can lead to severe slowdown when
-  it happens. The problem seems to affect some ISPs more than others.
-  The receive window implemented here copes with packet losses of 10%.
-* netboot: Correct the TCP MSS
-* Correct msecs in debug timestamps
-  The fractional part of timestamps in UART debug output was showing the
-  100ths and 1000ths of a second, rather than 10ths and 100ths, causing
-  strange sequences that appear to jump backwards.
-
-## 2025-02-17: Promote 2025-02-11 to default release (default)
-
-## 2025-02-11: recovery: Walk partitions to delete recovery.bin (latest)
-
-* recovery: Walk partitions to delete recovery.bin
-  Previously, recovery.bin would fail to delete itself
-  if the bootrom loaded recovery.bin where there are multiple FAT
-  partitions and the first partition does not contain recovery.bin
-  Update the rename code to walk the partition table to find
-  the recovery.bin file to delete.
-* Enable overriding of high partition numbers
-  Previously, the PARTITION=N bootloader config setting would only
-  be used at power on reset or if the partition number passed to
-  reboot was zero.
-  Change the behaviour so that the bootloader config PARTITION
-  property can override the reboot partition number if the reboot
-  parameter is > 31.
-* Walk the partition table if the requested partition is not bootable
-  Previously, if the specified boot partition was not bootable the
-  bootloader would stop and advance to the next BOOT_ORDER. If the
-  new PARTITION_WALK option is set to 1 the bootloader will now
-  check each partition in turn starting from the specified partition
-  before advancing the BOOT_ORDER.
-  This feature is intended for use with A/B systems to handle the case
-  where autoboot.txt is missing / corrupted. This change enables
-  the system to failover to the next available bootable partition.
-  The autoboot.txt file is not scanned during the partition-walk
-  phase i.e. there is no recursive processing of autoboot.txt files.
-  This option is only supported on physical block devices
-  (SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
-  device, partition walks on multiple USB devices is not recommended
-  and may cause timeouts.
-* Improve keyboard handling in boot menu
-  Try and make it more likely that we have enough time to perform key
-  detection.
-  Ignore mice, which were being enumerated and slowing things down.
-
 ## 2024-12-07: Enable banklow (and so NUMA) by default (latest)
 
 * Enable banklow (and so NUMA) by default

firmware-2712/release-notes.md

@@ -1,294 +1,5 @@
 # Raspberry Pi5 bootloader EEPROM release notes
 
-## 2025-05-13: Promote 2025-05-08 to the default release (default)
-
-## 2025-05-08: Implement TCP window for net boot (latest)
-
-* arm_loader: Correct some mailbox response lengths
-  The GET_GENCMD_RESULT mailbox handler was setting the wrong response
-  length, and GET_FIRMWARE_COMMIT_HASH and GET_FIRMWARE_VARIANT were not
-  setting any length.
-  See: https://github.com/raspberrypi/firmware/issues/1968
-* Signed boot and HTTP boot mode
-  HTTP boot mode is supposed to be disabled if signed boot is enabled and
-  a host is not specified. The code is checking the http_secure flag to
-  enforce this. But this is valid now we support custom CA certs.
-  Only disable HTTP mode if we're using the default HOST.
-* Implement TCP window for net boot
-  The minimal IP stack used for https booting lacks the ability to cache
-  packets received out of order, which can lead to severe slowdown when
-  it happens. The problem seems to affect some ISPs more than others.
-  The receive window implemented here copes with packet losses of 10%.
-* netboot: Correct the TCP MSS
-* rp1_net: Overwrite the length field
-  Although concise, ORing in the packet length runs the risk of leaving
-  some unwanted bits set. Ensure the length field is cleared before
-  ORing in the required value.
-* Correct msecs in debug timestamps
-  The fractional part of timestamps in UART debug output was showing the
-  100ths and 1000ths of a second, rather than 10ths and 100ths, causing
-  strange sequences that appear to jump backwards.
-* Implement GET_BOARD_MAC_ADDRESS on Pi5
-  The Pi 5 EEPROM implements a subset of the original mailbox properties.
-  Add GET_BOARD_MAC_ADDRESS to the subset.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/698
-* Ensure the initramfs matches the kernel
-  As far as is possible, both the kernel and initramfs are matched to the
-  device. However, where multiple kernel variants can run on a device, the
-  initramfs must be matched to the chosen kernel. Make that the sole rule
-  for initramfs selection, rather than duplicating the device matching
-  logic.
-  See: https://github.com/raspberrypi/firmware/issues/1965
-* Enable logging messages from OS loader
-  Pi 5 EEPROM builds were missing the output from the main OS loading
-  function, including some important diagnostics. Enabling the logging
-  output from this loader code results in some near-duplicates, but is
-  more user friendly and is available via "sudo vclog -m".
-
-## 2025-04-07: arm_dt: Revert to using the max fan speed (latest)
-
-* arm_dt: Revert to using the max fan speed
-  It has been reported that the presence of a cooling fan at boot time
-  can lead to a maximum observed fan speed of ~300 but a current speed
-  of 0. The absence of a fan results in 0s for both metrics.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/690
-
-## 2025-03-27: os_check: cm5: Check for CM5 specific dtbs (latest)
-
-* os_check: cm5: Check for CM5 specific dtbs
-  Check for BCM2712 support in bcm2712-rpi-cm5-cm5io.dtb
-  or bcm2712-rpi-cm5l-cm5io.dtb on CM5 instead of bcm2712-rpi-5-b.dtb.
-  This avoids needing to put os_check=1 or specifying device_tree
-  in config.txt in minimal images for CM5.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/682
-
-## 2025-03-19: Log the fan speed at boot (latest)
-
-* Log the fan speed at boot
-  Record the fan RPM (and the maximum seen) during boot, so that it is
-  accessible using "sudo vclog -m".
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/678
-* Add current_supply to HAT+ support
-  Refactor the HAT library to make it more self-contained, and combine
-  the I2C address detection and the reading of the EEPROM contents.
-  Use it to allow the earlier boot stages to check for a current_supply
-  setting in the EEPROM of a normal (non-stackable) HAT+.
-
-## 2025-03-10: Promote 2025-03-10 release to default (default)
-
-## 2025-03-10: Add [boot_partition] filter plus SDRAM init fixes (latest)
-
-* Update SDRAM init timings to intermittent 8-flash SDRAM init errors
-  on some boards.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/67
-* config: Fix missing initialisation of selected_expr to 1 in config.txt
-  Without an [all] section the new expression filter might default to
-  false. This impacts the bootloader early parsing of config.txt
-  for things like boot_ramdisk rather than the later config.txt pass
-  for device-tree parsing.
-* config_loader: Add support [boot_partition=N] as an expression filter
-  The boot_partition tests whether the partition number N matches
-  the number that the system is booting from. This expression is
-  only supported in config.txt and is designed to make it easier
-  to have common boot.img ramdisks in an A/B system where the
-  conditional loads a different cmdline.txt file depending on
-  which partition boot.img is loaded from.
-
-## 2025-03-03: Fix bootloader pull configuration on 2712D0 (latest)
-
-* Fix pull configuration on 2712D0
-  2712D0 uses a horrendously sparse set of pad control registers. Make
-  the pull-setting code sufficiently complex to cope.
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/672
-* Disable UARTA for CM5s without WiFi
-  Just as CM5s without WiFI don't need the SDIO interface, the Bluetooth
-  UART is unconnected. Disable the DT node to avoid kernel warnings and
-  save some cycles.
-
-## 2025-02-17: Promote 2025-02-12 to the default release (default)
-
-## 2025-02-12: Fixup change to disable 3.7V PMIC output on CM5 no-wifi (latest)
-
-* Fixup change to disable 3.7V PMIC output on CM5 no-wifi
-
-## 2025-02-11: CM5 no-Wifi stability improvements (latest)
-
-* recovery: Walk partitions to delete recovery.bin
-  Previously, recovery.bin would fail to delete itself
-  if the bootrom loaded recovery.bin where there are multiple FAT
-  partitions and the first partition does not contain recovery.bin
-  Update the rename code to walk the partition table to find
-  the recovery.bin file to delete.
-* pi5: Add config filter for simple boot variable expressions (experimental)
-  Add support for a new bootloader/config.txt conditional filter
-  which tests the partition, boot_count and boot_arg1 variables.
-  Syntax (no spaces):
-  ARG boot_arg1, boot_count or partition (EEPROM config stage only)
-  [ARG=VALUE]      selected if (ARG == VALUE)
-  [ARG&MASK]       selected if ((ARG & VALUE) != 0))
-  [ARG&MASK=VALUE] selected if ((ARG & MASK) == VALUE)
-  [ARG<VALUE]      selected if (ARG < VALUE)
-  [ARG>VALUE]      selected if (ARG > VALUE)
-  where VALUE and MASK are unsigned integer constants and ARG
-  corresponds to the value in the reset register before the
-  config file is parsed.
-* pi5: Add a boot-count bootloader variable (experimental)
-  Store the boot-count in a reset register and increment just
-  before the boot-order state-machine. The boot-count variable
-  is visible via device-tree /proc/device-tree/chosen/bootloader/count
-  and can be read/set via vcmailbox
-  GET: sudo vcmailbox 0x0003008d 4 4 0
-  SET to N: sudo vcmailbox 0x0003808d 4 4 N
-* pi5: Add user-defined reboot argument (boot_arg1) (experimental)
-  Add support for a user-defined boot parameter stored in a reset-safe
-  scratch register on BCM2712.  This is visible via device-tree at
-  /proc/device-tree/chosen/bootloader/arg1 and via vcmailboxes
-  GET arg1: sudo vcmailbox 0x0003008c 8 8 1 0
-  SET arg1 to 42: sudo vcmailbox 0x0003808c 8 8 1 42
-  or via config.txt
-  set_reboot_arg1=42
-  The variable is NOT cleared automatically and will persist until
-  a power-on-reset.
-* Enable overriding of high partition numbers
-  Previously, the PARTITION=N bootloader config setting would only
-  be used at power on reset or if the partition number passed to
-  reboot was zero.
-  Change the behaviour so that the bootloader config PARTITION
-  property can override the reboot partition number if the reboot
-  parameter is > 31.
-* Disable WiFi PMIC output on CM5 modules without WiFi
-  Disable the 3.7V WiFi power supply on CM5 modules which do not have a
-  WiFi module fitted. This fixes some stability issues where a CM5
-  would shutdown due to a spurious over-voltage condition on the
-  non-connected WiFi power supply.
-* Add memory barrier to the mbox handler
-  Firmware issue 1944 reports receiving kernel warnings about firmware
-  requests where the status return code is 0. This should not be
-  possible, as handle_mbox_property always sets the top bit of the return
-  code, with the bottom bit indicating success or failure. If the firmware
-  had died, the firmware driver would report a timeout due to the lack of
-  a mailbox interrupt, and that isn't happening.
-  See: https://github.com/raspberrypi/firmware/issues/1944
-* support dts files with size-cells of 2
-  DTS files with a top-level #size-cells of 2 make a lot of sense for
-  systems with a lot of RAM, but the firmware is currently inconsistent
-  in its support for that. Fix up the other cases to honor #size-cells
-  and #address-cells.
-* Disable SDIO2 for CM5s without WiFi
-  It has been observed that CM5s without WiFi hang on reboot. To prevent
-  that, disable the sdio2 node on those devices.
-  See: https://github.com/raspberrypi/linux/issues/6647
-* arm_dt: Use dtoverlay_enable_node
-  Convert the open-coded DT node status changes to use the new dtoverlay
-  method dtoverlay_enable_node.
-* dtoverlay: Add dtoverlay_enable_node
-  Add a helper function for setting the status of a node.
-
-## 2025-01-27: Walk the partition table if the requested partition is not bootable (latest)
-
-* Walk the partition table if the requested partition is not bootable
-  Previously, if the specified boot partition was not bootable the
-  bootloader would stop and advance to the next BOOT_ORDER. If the
-  new PARTITION_WALK option is set to 1 the bootloader will now
-  check each partition in turn starting from the specified partition
-  before advancing the BOOT_ORDER.
-  This feature is intended for use with A/B systems to handle the case
-  where autoboot.txt is missing / corrupted. This change enables
-  the system to failover to the next available bootable partition.
-  The autoboot.txt file is not scanned during the partition-walk
-  phase i.e. there is no recursive processing of autoboot.txt files.
-  This option is only supported on physical block devices
-  (SD, NVMe, USB) and not RAMDISK. USB assumes a single high speed
-  device, partition walks on multiple USB devices is not recommended
-  and may cause timeouts.
-* Improve keyboard handling in boot menu
-  Try and make it more likely that we have enough time to perform key
-  detection.
-  Ignore mice, which were being enumerated and slowing things down.
-
-## 2025-01-22: Promote 2025-01-22 to default release (default)
-
-## 2025-01-22: Add DT /chosen property signed-boot boot.img hash (latest)
-
-* Add DT /chosen property signed-boot boot.img hash
-  Make the sha256 hash of the boot.img file available via
-  device-tree /proc/device-tree/chosen/bootloader/boot_img_sha256 if
-  signed boot is enabled.
-* filesystem: GPT autoboot/reboot partition number fixes for Pi4 and older
-* Fix problems when setting arm_freq_min=arm_freq and display clocks
-  if performance governor is not enabled.
-
-## 2025-01-14: Add set_reboot_order API (latest)
-
-* Add set_reboot_order API and config.txt properties
-  If set_reboot_order is defined in config.txt or set via vcmailbox
-  then this will override the bootloader config BOOT_ORDER property
-  on the next reboot. The parameter is stored in a reset safe register
-  and is cleared by the bootloader after reading it.
-  Typically, the config.txt value only be used via rpiboot to
-  override the boot-order on the next reboot. Otherwise, it should
-  reside in a conditional section so that the boot order is not
-  overridden on every reboot.
-  Example, test network boot
-  sudo vcmailbox 0x0003808b 4 4 0xf4612; sudo reboot
-
-## 2025-01-13: Improved SDRAM refresh timings for Pi5 16GB (latest)
-
-* Improved SDRAM refresh timings for Pi5 - 16GB
-* Add an option to wait for the power button to be pressed before booting.
-  If POWER_OFF_ON_HALT=1 and WAIT_FOR_POWER_BUTTON=1 in the bootloader
-  config then the bootloader will wait for either the power button
-  to be pressed or an RTC alarm before booting. The wait state
-  switches the PMIC to STANDBY mode which is the lowest possible
-  power state.
-
-## 2025-01-08: Update SDRAM refresh timings for BCM2712D0 products (latest)
-
-* Update SDRAM timings for BCM2712D0 products.
-
-## 2025-01-07: Fixup M.2 HAT+ detection (latest)
-
-* Fix a potential timing issue introduced in the 2025-01-06
-  release when enabling PCIE_PWR when booting from SD/USB.
-
-## 2025-01-06: Stop the fan after after fan-probe (latest)
-
-* Stop the fan after after fan-probe
-  After the fan-probe has completed drive the fan PWM GPIO
-  to high if a fan was detected and let the OS take over.
-* Add SD_QUIRKS for hardware bringup / workarounds
-  Add a new SD_QUIRKS flags property which can be used to
-  disable high-speed mode (bit 0). Other bits are reserved for
-  future use.
-* Change uart_2ndstage default to 1 on Pi5
-  Change the default to 1 because this gives useful diagnostics
-  for device-tree loading with minimal overhead. Set uart_2ndstage=0
-  or BOOT_UART=0 to disable this.
-* Move M.2 HAT+ detection to early boot.
-  Initialse M.2 HAT+ detection before DDR init to give NVMe
-  drive firmware more time to boot.
-
-## 2024-12-19: Disable fan PWM before shutdown (latest)
-
-* Disable fan PWM before shutdown
-  Drive the RP1 fan PWM GPIO high before entering the VPU
-  sleep (POWER_OFF_ON_HALT=0) to stop the fan spinning.
-* Disable fan PWM GPIO between RP1 init and fan probe
-  Drive fan PWM GPIO high during early boot to disable the fan
-  until it is probed during the device-tree setup stage.
-  This stops the spinning at max rpm during network-install.
-* arm_dt: enable_uart defaults to 0 on 2712
-  The default value of enable_uart on 2712 is 0, regardless of the
-  presence of the debug UART cable, so guarantee that the default is
-  always set correctly.
-
-## 2024-12-15: Add net install to boot menu (latest)
-
-* Add net install to boot menu
-  Press N (or shift).
-* enable_uart: Require enable_uart=1 to enable RP1 UART console
-  See: https://github.com/raspberrypi/rpi-eeprom/issues/643
-
 ## 2024-12-07: Enable banklow (and so NUMA) by default (latest)
 
 * Enable banklow (and so NUMA) by default

imager/2711-config/boot-conf-network.txt

@@ -3,5 +3,4 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf21
-NET_INSTALL_AT_POWER_ON=1
 

imager/2711-config/boot-conf-sd.txt

@@ -3,4 +3,4 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf41
-NET_INSTALL_AT_POWER_ON=1
+

imager/2711-config/boot-conf-usb.txt

@@ -3,5 +3,4 @@ BOOT_UART=0
 WAKE_ON_GPIO=1
 ENABLE_SELF_UPDATE=1
 BOOT_ORDER=0xf14
-NET_INSTALL_AT_POWER_ON=1
 

imager/make-imager-release

@@ -5,7 +5,7 @@ set -e
 script_dir=$(cd "$(dirname "$0")" && pwd)
 
 # Pi4, Pi400, CM4, CM4-S
-${script_dir}/make-release critical 2025-02-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
+${script_dir}/make-release critical 2023-01-11 000138c0 "${script_dir}/2711-config" release-2711 rpi-boot-eeprom-recovery 2711
 
 # Pi5
-${script_dir}/make-release critical 2025-02-12 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712
+${script_dir}/make-release critical 2024-11-12 "" "${script_dir}/2712-config" release-2712 rpi-boot-eeprom-recovery 2712

rpi-eeprom-config

@@ -171,6 +171,8 @@ def apply_update(config, eeprom=None, config_src=None):
     sys.stdout.write("Updating bootloader EEPROM\n image: %s\nconfig_src: %s\nconfig: %s\n%s\n%s\n%s\n" %
                      (eeprom_image, config_src, config, '#' * 80, config_str, '#' * 80))
 
+    sys.stdout.write("\n*** To cancel this update run 'sudo rpi-eeprom-update -r' ***\n\n")
+
     # Ignore APT package checksums so that this doesn't fail when used
     # with EEPROMs with configs delivered outside of APT.
     # The checksums are really just a safety check for automatic updates.

rpi-eeprom-digest

@@ -6,12 +6,8 @@
 # a hard dependency on OpenSSL.
 
 set -e
-set -u
 
 OPENSSL=${OPENSSL:-openssl}
-KEY=""
-SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-""}
-HSM_WRAPPER=""
 
 die() {
    echo "$@" >&2
@@ -50,30 +46,28 @@ RSA signature. Typically this tool is used by rpi-eeprom-update to
 generate a hash to guard against file-system corruption for EEPROM updates
 OR for signing OS images (boot.img) for secure-boot.
 
-This tool CANNOT be used directly to sign a bootloader EEPROM image
-for secure-boot because the signed data is the bootloader configuration file
+This tool CANNOT be used directly to sign an bootloader EEPROM image
+for secure-boot because the signed data is bootloader configuration file
 rather than the entire flash image.
-To create signed bootloader images, please see
+To create signed bootloader images please see
 https://github.com/raspberrypi/usbboot/tree/master/secure-boot-recovery/README.md
 
 
 Options:
-   -i The source image, e.g., boot.img
-   -o The name of the digest/signature file
-   -k Optional RSA private key
-   -H The name of the HSM wrapper script to invoke - default ""
+   -i The source image e.g. boot.img
+   -o The name of the digest/signature file.
+   -k Optional RSA private key.
 
-RSA signing:
-If a private key in PEM format or a PKCS#11 URI is supplied, then the
-RSA signature of the SHA256 digest is included in the .sig
-file. Currently, the bootloader only supports SHA256 digests signed
-with a 2048-bit RSA key. The bootloader only verifies RSA signatures
-in signed boot mode and only for the EEPROM config file and the signed
-image.
+RSA signing
+If a private key in PEM format is supplied then the RSA signature of the
+sha256 digest is included in the .sig file. Currently, the bootloader only
+supports sha256 digests signed with a 2048bit RSA key.
+The bootloader only verifies RSA signatures in signed boot mode
+and only for the EEPROM config file and the signed image.
 
 Examples:
 
-# Generate the normal SHA256 hash to guard against file-system corruption
+# Generate the normal sha256 hash to guard against file-system corruption
 rpi-eeprom-digest -i pieeprom.bin -o pieeprom.sig
 rpi-eeprom-digest -i vl805.bin -o vl805.sig
 
@@ -82,15 +76,7 @@ rpi-eeprom-digest -k private.pem -i boot.img -o boot.sig
 
 # Generate RSA signature for the EEPROM config file
 # As used by update-pieeprom.sh in usbboot/secure-boot-recovery
-rpi-eeprom-digest -k private.pem -i bootconf.txt -o bootconf.sig
-
-# Generate RSA signature for the EEPROM config file and delegate 
-# the signing process to a HSM wrapper script instead of using the private key directly.
-rpi-eeprom-digest -H hsm-wrapper -i bootconf.txt -o bootconf.sig
-
-# Similarly, but specifying the key with a PKCS#11 URI
-# (Deprecated - use HSM wrapper instead)
-rpi-eeprom-digest -k pkcs11:token=deadbeef;object=bl-key;type=private;pin-value=1234 -i bootconf.txt  -o bootconf.sig
+rpi-eeprom-digest -k private.pem -i bootconf.txt  -o bootconf.sig
 
 # To verify the signature of an existing .sig file using the public key.
 # N.B The key file must be the PUBLIC key in PEM format.
@@ -112,10 +98,9 @@ writeSig() {
        echo "ts: $(date -u +%s)" >> "${OUTPUT}"
    fi
 
-   if [ -n "${HSM_WRAPPER}" ]; then
-      echo "rsa2048: $("${HSM_WRAPPER}" -a rsa2048-sha256 "${IMAGE}")" >> "${OUTPUT}"
-   elif [ -n "${KEY}" ]; then
-      "${OPENSSL}" dgst ${ENGINE_OPTS} -sign "${KEY}" -sha256 -out "${SIG_TMP}" "${IMAGE}"
+   if [ -n "${KEY}" ]; then
+      [ -f "${KEY}" ] || die "RSA private \"${KEY}\" not found"
+      "${OPENSSL}" dgst -sign "${KEY}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
       echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
    fi
 }
@@ -127,20 +112,18 @@ verifySig() {
    sig_hex="$(grep rsa2048 "${sig_file}" | cut -f 2 -d ' ')"
    [ -n "${sig_hex}" ] || die "No RSA signature in ${sig_file}"
 
-   echo "${sig_hex}" | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
-   "${OPENSSL}" dgst ${ENGINE_OPTS} -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
+   echo ${sig_hex} | xxd -c 4096 -p -r > "${TMP_DIR}/sig.bin"
+   "${OPENSSL}" dgst -verify "${KEY}" -signature "${TMP_DIR}/sig.bin" "${IMAGE}" || die "${IMAGE} not verified"
 }
 
 OUTPUT=""
 VERIFY=0
-while getopts i:H:k:ho:v: option; do
+while getopts i:k:ho:v: option; do
    case "${option}" in
    i) IMAGE="${OPTARG}"
       ;;
    k) KEY="${OPTARG}"
       ;;
-   H) HSM_WRAPPER="${OPTARG}"
-      ;;
    o) OUTPUT="${OPTARG}"
       ;;
    v) SIGNATURE="${OPTARG}"
@@ -159,18 +142,6 @@ checkDependencies
 
 [ -n "${IMAGE}" ] || usage
 [ -f "${IMAGE}" ] || die "Source image \"${IMAGE}\" not found"
-[ "${VERIFY}" != 1 ] || [ -n "${KEY}" ] || die "Option -v also requires passing public key via -k"
-
-if [ -n "${KEY}" ] ; then
-    if [ -f "${KEY}" ] ; then
-        ENGINE_OPTS=
-    elif echo "${KEY}" | grep -q "^pkcs11:" ; then
-        ENGINE_OPTS="-engine pkcs11 -keyform engine"
-    else
-        die "RSA key \"${KEY}\" not found"
-    fi
-fi
-
 if [ "${VERIFY}" = 1 ]; then
    verifySig "${SIGNATURE}"
 else

rpi-eeprom-update

@@ -14,8 +14,6 @@ LOCAL_MODE=0
 if [ -n "$FIRMWARE_ROOT" ]; then
    # Provided by environment
    true
-elif [ -d /usr/lib/firmware/raspberrypi/bootloader ] || [ -d /usr/lib/firmware/raspberrypi/bootloader-2711 ] || [ -d /usr/lib/firmware/raspberrypi/bootloader-2712 ]; then
-   FIRMWARE_ROOT=/usr/lib/firmware/raspberrypi/bootloader
 elif [ -d /lib/firmware/raspberrypi/bootloader ] || [ -d /lib/firmware/raspberrypi/bootloader-2711 ] || [ -d /lib/firmware/raspberrypi/bootloader-2712 ]; then
    FIRMWARE_ROOT=/lib/firmware/raspberrypi/bootloader
 else
@@ -904,11 +902,6 @@ checkVersion()
 
    if [ "${ACTION_UPDATE_BOOTLOADER}" = 1 ] || [ "${ACTION_UPDATE_VL805}" = 1 ]; then
       echo "*** UPDATE AVAILABLE ***"
-      echo ""
-      echo "Run \"sudo rpi-eeprom-update -a\" to install this update now."
-      echo
-      echo "To configure the bootloader update policy run \"sudo ${RPI_EEPROM_UPDATE_CONFIG_TOOL}\""
-      echo ""
       printVersions
       write_status_info "EXIT_UPDATE_REQUIRED"
       exit ${EXIT_UPDATE_REQUIRED}

rpi-eeprom-update-default

@@ -1,5 +1,5 @@
 
-FIRMWARE_ROOT=/usr/lib/firmware/raspberrypi/bootloader
+FIRMWARE_ROOT=/lib/firmware/raspberrypi/bootloader
 FIRMWARE_RELEASE_STATUS="default"
 FIRMWARE_BACKUP_DIR="/var/lib/raspberrypi/bootloader/backup"
 EEPROM_CONFIG_HOOK=

test/README.md

@@ -1,14 +0,0 @@
-# rpi-eeprom - unit tests
-
-## test-rpi-eeprom-config
-Unit test for rpi-eeprom-config which verifies:
-
-* rpi-eeprom-config is compatible with all EEPROM binaries
-* unit tests for modifying the boot.conf file
-* simple code signing test
-
-To run on Linux:
-```
-cd test
-./test-rpi-eeprom-config
-```

test/install

@@ -20,14 +20,14 @@ CONFIG="/etc/default/rpi-eeprom-update"
 [ "$(id -u)" = "0" ] || die "$0 Must be run as root - try 'sudo $0 [-b]'"
 
 # Clear out the old firmware
-rm -rf /usr/lib/firmware/raspberrypi/bootloader
-rm -rf /usr/lib/firmware/raspberrypi/bootloader-2711
-rm -rf /usr/lib/firmware/raspberrypi/bootloader-2712
+rm -rf /lib/firmware/raspberrypi/bootloader
+rm -rf /lib/firmware/raspberrypi/bootloader-2711
+rm -rf /lib/firmware/raspberrypi/bootloader-2712
 
-mkdir -p /usr/lib/firmware/raspberrypi/bootloader-2711
-rsync -alv "${FIRMWARE_DIR}-2711"/* /usr/lib/firmware/raspberrypi/bootloader-2711 || echo "Failed"
-mkdir -p /usr/lib/firmware/raspberrypi/bootloader-2712
-rsync -alv "${FIRMWARE_DIR}-2712"/* /usr/lib/firmware/raspberrypi/bootloader-2712 || echo "Failed"
+mkdir -p /lib/firmware/raspberrypi/bootloader-2711
+rsync -alv "${FIRMWARE_DIR}-2711"/* /lib/firmware/raspberrypi/bootloader-2711 || echo "Failed"
+mkdir -p /lib/firmware/raspberrypi/bootloader-2712
+rsync -alv "${FIRMWARE_DIR}-2712"/* /lib/firmware/raspberrypi/bootloader-2712 || echo "Failed"
 
 cp -fv "${script_dir}/../rpi-eeprom-config" /usr/bin
 cp -fv "${script_dir}/../rpi-eeprom-digest" /usr/bin

tools/rpi-sign-bootcode

@@ -2,11 +2,8 @@
 
 import argparse
 import base64
-import os
 import struct
-import subprocess
 import sys
-import tempfile
 
 # python3 -m pip install pycryptodomex
 from Cryptodome.Hash import HMAC, SHA1, SHA256
@@ -108,30 +105,6 @@ class ImageFile:
         debug("%08x %20s: [%6d] %s" % (self.pos(), 'RSA', len(arr), pem_file))
         self.append(arr)
 
-        h = SHA256.new()
-        h.update(key.n.to_bytes(256, byteorder='little'))
-        h.update(key.e.to_bytes(8, byteorder='little'))
-        d = h.hexdigest()
-        pub_str = ""
-        for i in range(int(len(d)/8)):
-           pub_str += "0x%s%s%s%s, " % (d[i*8+6:i*8+8], d[i*8+4:i*8+6], d[i*8+2:i*8+4], d[i*8+0:i*8+2])
-        debug("Public key SHA256(N,e) = %s" % pub_str)
-
-    def append_rsa_signature_pkcs11(self, hsm_wrapper):
-        temp = tempfile.NamedTemporaryFile(delete=False)
-        temp.write(self._bytes)
-        temp.close() # close and flush before spawning PKCS#11 wrapper
-
-        res = subprocess.run([hsm_wrapper, "-a", "rsa2048-sha256", temp.name], capture_output=True)
-        debug(res.stderr)
-        if res.returncode != 0:
-            os.unlink(temp.name)
-            raise Exception(f"HSM wrapper failed with exit code {res.returncode}: {res.stderr.decode()}")
-        signature = res.stdout.decode()
-        os.unlink(temp.name)
-        self.append(bytearray.fromhex(signature))
-        debug("PKCS11 %08x %20s: [%6d] signature %s" % (self.pos(), 'RSA2048 - SHA256', len(signature), signature))
-
     def append_rsa_signature(self, digest_alg, private_pem):
         """
         Append a RSA 2048 signature of the SHA256 of the data so far
@@ -159,13 +132,19 @@ class ImageFile:
             if len(hmac_key) != expected_keylen:
                 raise Exception("Bad key length %d expected %d" % (len(hmac_key), expected_keylen))
 
-        if digest_alg == 'hmac-sha1':
-            h = HMAC.new(base64.b16decode(hmac_key, True), self._bytes, digestmod=SHA1)
+        if digest_alg == 'hmac-sha256':
+            digest = HMAC.new(base64.b16decode(hmac_key, True), self._bytes, digestmod=SHA256)
+        elif digest_alg == 'hmac-sha1':
+            digest = HMAC.new(base64.b16decode(hmac_key, True), self._bytes, digestmod=SHA1)
+        elif digest_alg == 'sha256':
+            digest = SHA256.new(self._bytes)
+        elif digest_alg == 'sha1':
+            digest = SHA1.new(self._bytes)
         else:
             raise Exception("Digest not supported %s" % (digest_alg))
 
-        debug("%08x %20s: [%6d] %s" % (self.pos(), digest_alg, len(h.digest()), h.hexdigest()))
-        self.append(h.digest())
+        debug("%08x %20s: [%6d] %s" % (self.pos(), digest_alg, len(digest.digest()), digest.hexdigest()))
+        self.append(digest.digest())
 
     def pos(self):
         return len(self._bytes)
@@ -182,7 +161,7 @@ class ImageFile:
     def close(self):
         self._of.close()
 
-def create_2711_image(output, bootcode, private_key=None, private_keynum=0, hmac=None, hsm_wrapper=None):
+def create_2711_image(output, bootcode, private_key, private_keynum, hmac):
     """
     Create a 2711 C0 secure-boot compatible seconds stage signed binary.
     """
@@ -190,31 +169,22 @@ def create_2711_image(output, bootcode, private_key=None, private_keynum=0, hmac
     image.append_file(bootcode)
     image.append_length()
     image.append_keynum(private_keynum)
-    if hsm_wrapper:
-        image.append_rsa_signature_pkcs11(hsm_wrapper)
-    else:
-        image.append_rsa_signature('sha1', private_key)
+    image.append_rsa_signature('sha1', private_key)
     image.append_digest('hmac-sha1', hmac)
     image.write()
     image.close()
 
-def create_2712_image(output, bootcode, private_version=0, public_key=None, private_key=None, private_keynum=0, hsm_wrapper=None):
+def create_2712_image(output, bootcode, private_key, private_keynum, private_version):
     """
-    Create a prototype 2712 signed bootloader. The HMAC is removed and the
-    full public key is appended.
+    Create 2712 signed bootloader. The HMAC is removed and the full public key is appended.
     """
     image = ImageFile(output, MAX_BIN_SIZE)
     image.append_file(bootcode)
     image.append_length()
     image.append_keynum(private_keynum)
     image.append_version(private_version)
-    if hsm_wrapper is not None:
-        debug(f"Call HSM wrapper {hsm_wrapper}")
-        image.append_rsa_signature_pkcs11(hsm_wrapper)
-        image.append_public_key(public_key)
-    else:
-        image.append_rsa_signature('sha256', private_key)
-        image.append_public_key(private_key)
+    image.append_rsa_signature('sha256', private_key)
+    image.append_public_key(private_key)
     image.write()
     image.close()
 
@@ -223,43 +193,37 @@ def main():
     Signs a second stage bootloader image.
 
     Examples:
-    
-        Customer counter-signed:
+        2711 mode:
+        rpi-sign-bootcode --debug -c 2711 -i bootcode.bin.clr -o bootcode.bin -k 2711_rsa_priv_0.pem -n 0 -m bootcode-production.key
+
+        2712 C1 and D0 mode:
+          * HMAC not included on 2712
+          * RSA public key included - ROM just contains the hashes of the RPi public keys.
+
+        Customer counter-signed signed:
           * Exactly the same as Raspberry Pi signing but the input is the Raspberry Pi signed bootcode.bin
           * The key number will probably always be 16 to indicate a customer signing
 
         rpi-sign-bootcode --debug -c 2712 -i bootcode.bin.sign2 -o bootcode.bin -k customer.pem
-
-        PKCS#1 v1.5 - HSM wrapper:
-          * hsm-wrapper takes a single argument which is a temporary filename containing the data to sign
-          * hsm-wrapper outputs the PKCS#1 v1.5 signature in hex format
-          * hsm-wrapper must return a non-zero exit code if signing fails
-          * hsm-wrapper requires the -a rsa2048-sha256 parameter to specify the algorithm
-          * There is no facility to pass the private key or custom HSM arguments - the caller should generate a dedicated wrapper script
-          * The public key in PEM format MUST be specified with the -p option
-
-        rpi-sign-bootcode --debug -c 2712 -i bootcode.bin.sign2 -o bootcode.bin -p public.pem -H hsm-wrapper
     """
     parser = argparse.ArgumentParser(help_text)
-    parser.add_argument('-o', '--output', required=False, help='Output filename. If not specified, the signed image is written to stdout in base64 format')
+    parser.add_argument('-o', '--output', required=False, help='Output filename . If not specified the signed images is written to stdout in base64 format')
     parser.add_argument('-c', '--chip', required=True, type=int, help='Chip number')
-    parser.add_argument('-i', '--input', required=False, help='Path of the unsigned bootcode.bin file OR RPi signed bootcode file to be signed with the customer key. If NULL, the binary is read from stdin in base64 format')
+    parser.add_argument('-i', '--input', required=False, help='Path of the unsigned bootcode.bin file OR RPi signed bootcode file sign with the customer key. If NULLL the binary is read from stdin in base64 format')
     parser.add_argument('-m', '--hmac', required=False, help='Path of the HMAC key file')
-    parser.add_argument('-k', '--private-key', dest='private_key', required=False, default=None, help='Path of RSA private key (PEM format)')
-    parser.add_argument('-p', '--public-key', dest='public_key', required=False, default=None, help='Path of RSA public key (PEM format)')
+    parser.add_argument('-k', '--private-key', dest='private_key', required=True, help='Path of RSA private key (PEM format)')
     parser.add_argument('-n', '--private-keynum', dest='private_keynum', required=False, default=0, type=int, help='ROM key index for RPi signing stage')
-    parser.add_argument('-H', '--hsm-wrapper', default=None, required=False, help='Filename of HSM wrapper script which generates a PKCSv1.1 signature as hex')
     parser.add_argument('-d', '--debug', action='store_true')
-    parser.add_argument('-v', '--private-version', dest='private_version', required=False, default=0, type=int, help='Version of firmware, stops firmware rollback, only valid 0-31')
+    parser.add_argument('-v', '--private-version', dest='private_version', required=True, type=int, help='Version of firmware, stops firmware rollback, only valid 0-31')
 
     args = parser.parse_args()
     _CONFIG['DEBUG'] = args.debug
     if args.chip == 2711:
         if args.hmac is None:
             raise Exception("HMAC key requried for 2711")
-        create_2711_image(args.output, args.input, private_key=args.private_key, private_keynum=args.private_keynum, hmac=args.hmac, hsm_wrapper=args.hsm_wrapper)
+        create_2711_image(args.output, args.input, args.private_key, args.private_keynum, args.hmac)
     elif args.chip == 2712:
-        create_2712_image(args.output, args.input, private_version=args.private_version, public_key=args.public_key, private_key=args.private_key, private_keynum=args.private_keynum, hsm_wrapper=args.hsm_wrapper)
+        create_2712_image(args.output, args.input, args.private_key, args.private_keynum, args.private_version)
 
 if __name__ == '__main__':
     main()