Merge pull request #1141 from balena-os/alexgg/rpisb

USB boot support for raspberrypicm4-ioboard-sb

docs/rpi-secure-boot.md

@@ -49,22 +49,20 @@ The partitions are mounted under `/mnt/boot` and `/mnt/rpi` respectively.
 
 ## Device locking
 
-RaspberryPi devices require post-installation setup to lock the device after the installer image completes programming. This locking process needs to write to OTP and requires a USB connection and the `rpiboot` utility loading a dedicated signed `boot.img` file with the following `config.txt` settings:
+RaspberryPi devices require post-installation setup to lock the device after the installer image completes programming. This locking process needs to write to OTP and requires a USB connection and the `rpiboot` utility loading a dedicated signed EEPROM image file with the following `config.txt` settings:
 
 * **revoke_devkey=1**: Prevents EEPROM downgrades to versions that don't support secure boot
 * **program_pubkey=1**: Programs the digest of the EEPROM's public key to OTP
 * **program_jtag_lock=1**: Disables the GPU JTAG interface
 * **eeprom_write_protect=1**: Sets the EEPROM to write protect
 
-Finally, further OTP changes can be locked down to prevent mangling of OTP data.
-
 ## EEPROM updates on locked devices
 
 Once a device is secure boot enabled and is locked down, `rpiboot` driven EEPROM updates will no longer work. Only EEPROM self-updates are possible.
 
 ## Re-programming of locked devices
 
-Once a device is secure boot enabled and is locked down, `rpiboot` needs to use a dedicated signed `boot.img` to expose the encrypted internal storage and allow re-programming.
+Once a device is secure boot enabled and is locked down, re-programming can be done by USB booting a signed flasher images. The use of `rpiboot` to expose internal storage is not supported.
 
 ## Debugging
 

layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend

@@ -40,6 +40,10 @@ do_deploy:append:revpi-connect-4() {
 	echo "dtoverlay=dwc2,dr_mode=host" >> ${DEPLOYDIR}/bootfiles/config.txt
 }
 
+do_deploy:append:raspberrypicm4-ioboard-sb() {
+    echo "dtoverlay=dwc2,dr_mode=host" >> ${DEPLOYDIR}/bootfiles/config.txt
+}
+
 do_deploy:append:raspberrypi3-unipi-neuron() {
 	# Use the dt overlays required by the UniPi Neuron family of boards
 	echo "dtoverlay=neuronee" >> ${DEPLOYDIR}/bootfiles/config.txt

layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt

@@ -0,0 +1,7 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=0
+POWER_OFF_ON_HALT=1
+FREEZE_VERSION=0
+HDMI_DELAY=0
+BOOT_ORDER=0xf2165

layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb

@@ -2,7 +2,7 @@ SUMMARY = "Installation scripts and binaries for the Raspberry Pi 4 EEPROM"
 DESCRIPTION = "This repository contains the rpi4 bootloader and scripts \
 for updating it in the spi eeprom"
 LICENSE = "BSD-3-Clause & Broadcom-RPi"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f546ed4f47e9d4c1fe954ecc9d3ef4f3"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=449418bd5e2b674b51a36c78f3f85a01"
 
 SRC_URI = " \
     git://github.com/raspberrypi/rpi-eeprom.git;protocol=https;branch=master \
@@ -15,12 +15,12 @@ SRC_URI += " \
     file://default-config.txt \
 "
 
-SRCREV = "3b393d31ac0f1864420d47028b5703a70ad8da8f"
-PV = "v2023.10.18-2712"
+SRCREV = "e430a41e7323a1e28fb42b53cf79e5ba9b5ee975"
+PV = "v2024.06.05-2712"
 
 # We use the latest stable version
 # which is available in "stable"
-LATEST_STABLE_PIEEPROM_FW:raspberrypi4-64 = "2023-05-11"
+LATEST_STABLE_PIEEPROM_FW:raspberrypi4-64 = "2024-05-17"
 VL805_FW_REV = "000138a1"
 FIRMWARE:raspberrypi4-64 = "firmware-2711"
 
@@ -117,6 +117,17 @@ do_deploy () {
     if [ -f "${S}/${FIRMWARE}/critical/vl805-${VL805_FW_REV}.bin" ]; then
         cp ${S}/${FIRMWARE}/critical/vl805-${VL805_FW_REV}.bin ${DEPLOY_DIR_IMAGE}/${PN}/vl805-latest-stable.bin
     fi
+    if [ "x${SIGN_API}" != "x" ]; then
+        install -d ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock
+        cp -avL ${S}/${FIRMWARE}/stable/recovery.bin ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/bootcode4.bin
+        echo "uart_2ndstage=1" > ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt
+        echo "eeprom_write_protect=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt
+        echo "program_pubkey=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt
+        echo "revoke_devkey=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt
+        echo "program_jtag_lock=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt
+        cp -av ${WORKDIR}/pieeprom-latest-stable*bin ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/pieeprom.bin
+        cp -av ${WORKDIR}/pieeprom-latest-stable*sig ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/pieeprom.sig
+    fi
 }
 
 # vl805 utility is deprecated, see https://github.com/raspberrypi/rpi-eeprom/commit/fed1ca62a5752cb5a990608c8c897ce0b077600a

layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb

@@ -20,7 +20,7 @@ do_install(){
   install -m 644 ${S}/msd/bootcode4.bin ${D}
   install -m 644 ${S}/msd/start.elf ${D}
   install -m 644 ${S}/msd/start4.elf ${D}
-  if [ "x${SIGN_API}" != "x" ]; then
+  if [ "x${SIGN_API}" != "x" ] && [ "${BALENA_SIGN_MSD}" = "1" ]; then
      install -d ${D}/secure-boot-msd/
      if ! do_sign_rsa "${S}/secure-boot-msd/boot.img" "${D}/secure-boot-msd/boot.sig"; then
         bbfatal "Failed to sign boot image"

layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-balena-bootloader_%.bbappend

@@ -0,0 +1,3 @@
+# Enable the dwc2 driver
+BALENA_CONFIGS:append:raspberrypicm4-ioboard-sb = " dwc2"
+BALENA_CONFIGS[dwc2] = "CONFIG_USB_DWC2=y"

layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend

@@ -46,3 +46,6 @@ BALENA_CONFIGS[pieeprom] = " \
     CONFIG_SPI_BCM2835=y \
     CONFIG_SPI_SPIDEV=y \
 "
+
+BALENA_CONFIGS:append:raspberrypicm4-ioboard-sb = " dwc2"
+BALENA_CONFIGS[dwc2] = "CONFIG_USB_DWC2=y"