From 0359f59615dee748908c6d5c2d795fa5065b79e7 Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Tue, 25 Jun 2024 17:43:35 +0200 Subject: [PATCH 1/6] rpi-eeprom: raspberrypicm4-ioboard-sb: modify boot order to prioritise USB boot With this change the device will first attempt to boot from USB and then boot from the NVME/internal eMMC/SD card. This allows to use USB flasher images as provisioning tools in preference of usbboot. 5: USB 2.0 boot from USB type A socket (CM4) or Type C socket (RPI4) 6: NVME 1: eMMC / SD Card 2: Network boot We place NVME before eMMC/SDcard as there are reports that NVME is not working if initialized after. Also, there is no USB mass storage boot to limit this option to using physical jumper configuration. See https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#BOOT_ORDER Note that trying USB boot first adds a considerable delay to the boot process as the CM4 has a timeout of 2s (5s if extended via `program_usb_boot_timeout=1` per USB port enumeration. As such, this change is only done to the `raspberrypicm4-ioboard-sb` that requires USB boot for the secure boot provisioning flow. Changelog-entry: Modify boot order to prioritize USB boot Signed-off-by: Alex Gonzalez --- .../files/raspberrypicm4-ioboard-sb/default-config.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt
diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt
new file mode 100644
index 000000000..225561444
--- /dev/null
+++ b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt
@@ -0,0 +1,7 @@
+[all]
+BOOT_UART=0
+WAKE_ON_GPIO=1
+POWER_OFF_ON_HALT=0
+FREEZE_VERSION=0
+HDMI_DELAY=0
+BOOT_ORDER=0xf2165
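Review bot: `BOOT_ORDER=0xf2165` makes removable USB media the first boot source on the secure-boot machine, and nothing in the new file records that this is only acceptable while the bootloader enforces signed boot images. On a unit whose OTP is not yet locked, whatever is plugged into the USB port is tried before NVMe/eMMC, and network boot (`2`) stays in the fallback chain. The digits are read right to left and the commit message is the only place they are explained, so I would carry that explanation next to the value, for example `# BOOT_ORDER, right to left: 5 USB, 6 NVMe, 1 eMMC/SD, 2 network, f restart; USB first is for the provisioning flasher only`. Confirm that the EEPROM config parser accepts `#` comments; if it does not, the comment belongs in the recipe that installs this file.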
From 7237ce19697c2ee997c87f0a4788a7aea26a99e4 Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Thu, 27 Jun 2024 16:17:00 +0200 Subject: [PATCH 2/6] rpi-eeprom: raspberrypicm4-ioboard-sb: configure to power off on halt This is useful for the use case of a flasher image ran from external media, like in the traditional flasher workflow that expects the device to shutdown after programming. From https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#POWER_OFF_ON_HALT Changelog-entry: configure to power off on halt for raspberrypicm4-ioboard-sb Signed-off-by: Alex Gonzalez --- .../files/raspberrypicm4-ioboard-sb/default-config.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt index 225561444..9ba850ef0 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt +++ b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt @@ -1,7 +1,7 @@ [all] BOOT_UART=0 -WAKE_ON_GPIO=1 -POWER_OFF_ON_HALT=0 +WAKE_ON_GPIO=0 +POWER_OFF_ON_HALT=1 FREEZE_VERSION=0 HDMI_DELAY=0 BOOT_ORDER=0xf2165 From bf7983eed7963a8b55a3c3a682068af59c68d162 Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Thu, 27 Jun 2024 11:45:03 +0200 Subject: [PATCH 3/6] rpi-config: enable USB 2.0 for CM4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As CM4 and CM4IO don’t include the external USB 3 controller, set `otg_mode=1` for better performance as done in Raspberrypi OS. See https://www.raspberrypi.com/documentation/computers/config_txt.html#otg_mode-raspberry-pi-4-only Changelog-entry: enable USB 2.0 for CM4 
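Review bot: The hunk also flips `WAKE_ON_GPIO` from 1 to 0, which the commit message does not mention. Per the bootloader documentation linked in the message, `POWER_OFF_ON_HALT=1` only switches the board off when `WAKE_ON_GPIO=0`, so the two lines are coupled, and a halted board will presumably no longer wake from the GPIO line. A comment such as `# POWER_OFF_ON_HALT=1 requires WAKE_ON_GPIO=0; keep these two together` would stop a later edit from restoring one without the other (if the config parser accepts `#` comments).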
Signed-off-by: Alex Gonzalez --- .../recipes-bsp/bootfiles/rpi-config_git.bbappend | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend b/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend index f12568d88..10aad7bd0 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend +++ b/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend @@ -40,6 +40,14 @@ do_deploy:append:revpi-connect-4() { echo "dtoverlay=dwc2,dr_mode=host" >> ${DEPLOYDIR}/bootfiles/config.txt } +do_deploy:append:raspberrypicm4-ioboard() { + echo "otg_mode=1" >> ${DEPLOYDIR}/bootfiles/config.txt +} + +do_deploy:append:raspberrypicm4-ioboard-sb() { + echo "otg_mode=1" >> ${DEPLOYDIR}/bootfiles/config.txt +} + do_deploy:append:raspberrypi3-unipi-neuron() { # Use the dt overlays required by the UniPi Neuron family of boards echo "dtoverlay=neuronee" >> ${DEPLOYDIR}/bootfiles/config.txt From 16c2fd01a6f82bd495f43957934c744615779812 Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Thu, 6 Jun 2024 13:04:29 +0200 Subject: [PATCH 4/6] [REVIEW] layer/meta-balena: use alexgg/rpisb This allows to build with newer host dockers. Signed-off-by: Alex Gonzalez --- layers/meta-balena | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/layers/meta-balena b/layers/meta-balena index 98a8dc813..81e31d1a3 160000 --- a/layers/meta-balena +++ b/layers/meta-balena @@ -1 +1 @@ -Subproject commit 98a8dc813fb1df71c510732e14fa31446ef883e6 +Subproject commit 81e31d1a3e11b5004139f5dfe627dec8f5d4359a From bd9df460dc3464f696195255888fefaeadb6753d Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Mon, 3 Jun 2024 12:15:52 +0200 Subject: [PATCH 5/6] [TEST] initramfs-framework: Do not fail if device unlocked For testing purpose, the `OS_DEVELOPMENT` compilation switch will make the device not crash when booting an unlocked device. 
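Review bot: The two new `do_deploy:append` functions are identical and carry no comment, unlike the neighbouring unipi-neuron block. If the `raspberrypicm4-ioboard-sb` machine also has `raspberrypicm4-ioboard` in its MACHINEOVERRIDES (not visible here), both appends run and `otg_mode=1` is written to config.txt twice; in that case the `-sb` function should be dropped. Either way a line such as `# CM4/CM4IO have no external USB 3 controller; otg_mode=1 as in Raspberry Pi OS` above each echo would record why the setting is there. The trailing `do_deploy:append:raspberrypi3-unipi-neuron()` body continues outside the hunk.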
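Review bot: The `layers/meta-balena` gitlink now points at `81e31d1a3e11b5004139f5dfe627dec8f5d4359a`, which the subject line says comes from the personal branch `alexgg/rpisb`. A submodule pin to a commit that is not on the layer's release branch can become unreachable after a rebase or branch deletion, and it pulls code that has not gone through the layer's own review into every build of this repository. The commit is tagged [REVIEW], so it is presumably meant to be dropped; before merge the pointer should move to a tagged meta-balena release that contains the needed change.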
Signed-off-by: Alex Gonzalez --- .../recipes-core/initrdscripts/initramfs-framework_%.bbappend | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/layers/meta-balena-raspberrypi/recipes-core/initrdscripts/initramfs-framework_%.bbappend b/layers/meta-balena-raspberrypi/recipes-core/initrdscripts/initramfs-framework_%.bbappend index 02182b112..136d8d6f7 100644 --- a/layers/meta-balena-raspberrypi/recipes-core/initrdscripts/initramfs-framework_%.bbappend +++ b/layers/meta-balena-raspberrypi/recipes-core/initrdscripts/initramfs-framework_%.bbappend @@ -20,8 +20,10 @@ do_install:append() { install -m 0755 ${WORKDIR}/cryptsetup-rpi ${D}/init.d/72-cryptsetup sed -i -e "s/@@BALENA_NONENC_BOOT_LABEL@@/${BALENA_NONENC_BOOT_LABEL}/g" ${D}/init.d/72-cryptsetup - install -m 0755 ${WORKDIR}/kexec_pi4_fwgpio ${D}/init.d/73-kexec_pi4_fwgpio + if ${@bb.utils.contains('DISTRO_FEATURES','osdev-image','true','false',d)}; then + sed -i -e "s/fail/warn/g" ${D}/init.d/72-cryptsetup + fi } RDEPENDS:initramfs-module-cryptsetup:append = " os-helpers-otp gnupg" From 6edf1260edb9804a4b6f0da6d6d03213d5f4a217 Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Mon, 3 Jun 2024 17:44:19 +0200 Subject: [PATCH 6/6] [TEST] os-helpers: do not check for RSA digest in OTP This allows to test with unlocked devices Signed-off-by: Alex Gonzalez --- .../recipes-support/os-helpers/os-helpers/os-helpers-sb | 8 -------- 1 file changed, 8 deletions(-) diff --git a/layers/meta-balena-raspberrypi/recipes-support/os-helpers/os-helpers/os-helpers-sb b/layers/meta-balena-raspberrypi/recipes-support/os-helpers/os-helpers/os-helpers-sb index 763fd2db4..fda19d01a 100644 --- a/layers/meta-balena-raspberrypi/recipes-support/os-helpers/os-helpers/os-helpers-sb +++ b/layers/meta-balena-raspberrypi/recipes-support/os-helpers/os-helpers/os-helpers-sb 
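Review bot: `sed -i -e "s/fail/warn/g"` rewrites every occurrence of the substring `fail` in `72-cryptsetup`, not only the call that stops boot on an unlocked device. That also alters words such as `failed` inside messages and any other identifier containing the string, and it turns every fail-closed path in the script into warn-and-continue whenever `osdev-image` is in DISTRO_FEATURES. I would restrict the substitution to the single call that handles the unlocked-device case, or have the script test an explicit development flag, and add a comment like `# osdev-image only: boot continues on a device whose secure boot is not locked`. The message names the switch `OS_DEVELOPMENT` while the code tests `osdev-image`, and in this rendering it is unclear whether the `kexec_pi4_fwgpio` install line is removed; if it is, the message should say so.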
@@ -37,15 +37,7 @@ BALENA_NONENCRYPTED_BOOT_PARTITION_FILES="\ is_secured() { # Check the private key has been programmed if [ -n "$(otp_read_key | sed s/0//g)" ]; then - # Check that the RSA digest has been programmed - # Skip on balena bootloader that has no VHCI access - if grep -q "balena_stage2" < /proc/cmdline; then return 0 - else - if otp_has_rsa_digest; then - return 0 - fi - fi fi return 1 }
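Review bot: After this hunk `is_secured()` returns 0 as soon as `otp_read_key` yields a non-zero key, so a board with a programmed key but no RSA digest in OTP is reported as secured. Callers (outside this hunk) would then treat a device whose boot chain is presumably not being verified as locked. If unlocked devices must be testable, keep the check and bypass it only under an explicit development switch; the removed logic collapses to `if grep -q "balena_stage2" < /proc/cmdline || otp_has_rsa_digest; then return 0; fi`. The commit is tagged [TEST] and should not reach a release branch in this form.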