From dad87cfcd68052e35adb5efcf916e6d3726540ed Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Tue, 25 Jun 2024 17:43:35 +0200 Subject: [PATCH 1/9] rpi-eeprom: raspberrypicm4-ioboard-sb: modify boot order to prioritise USB boot With this change the device will first attempt to boot from USB and then boot from the NVME/internal eMMC/SD card. This allows to use USB flasher images as provisioning tools in preference of usbboot. 5: USB 2.0 boot from USB type A socket (CM4) or Type C socket (RPI4) 6: NVME 1: eMMC / SD Card 2: Network boot We place NVME before eMMC/SDcard as there are reports that NVME is not working if initialized after. Also, there is no USB mass storage boot to limit this option to using physical jumper configuration. See https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#BOOT_ORDER Note that trying USB boot first adds a considerable delay to the boot process as the CM4 has a timeout of 2s (5s if extended via `program_usb_boot_timeout=1` per USB port enumeration. As such, this change is only done to the `raspberrypicm4-ioboard-sb` that requires USB boot for the secure boot provisioning flow. Changelog-entry: Modify boot order to prioritize USB boot Signed-off-by: Alex Gonzalez --- .../files/raspberrypicm4-ioboard-sb/default-config.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt new file mode 100644 index 000000000..225561444 --- /dev/null +++ b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt @@ -0,0 +1,7 @@ +[all] +BOOT_UART=0 +WAKE_ON_GPIO=1 +POWER_OFF_ON_HALT=0 +FREEZE_VERSION=0 +HDMI_DELAY=0 +BOOT_ORDER=0xf2165 
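Review bot: `BOOT_ORDER=0xf2165` makes removable USB media the first boot source on every power-up and keeps network boot (`2`) as a fallback, and nothing records that this is only safe once the bootloader enforces signatures. On a board that has not been locked yet, whatever is plugged into the USB port is tried before internal storage. I would state that dependency next to this file (in the recipe or in `docs/rpi-secure-boot.md`), for example "USB-first boot order relies on secure boot being provisioned and locked; only signed images are accepted after that". If network boot is not part of the provisioning flow, consider leaving it out with `BOOT_ORDER=0xf165`.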
From 5641da608e1694f2169c87869f96e4dcc27921ab Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Thu, 27 Jun 2024 16:17:00 +0200 Subject: [PATCH 2/9] rpi-eeprom: raspberrypicm4-ioboard-sb: configure to power off on halt This is useful for the use case of a flasher image ran from external media, like in the traditional flasher workflow that expects the device to shutdown after programming. From https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#POWER_OFF_ON_HALT Changelog-entry: configure to power off on halt for raspberrypicm4-ioboard-sb Signed-off-by: Alex Gonzalez --- .../files/raspberrypicm4-ioboard-sb/default-config.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt index 225561444..9ba850ef0 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt +++ b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt @@ -1,7 +1,7 @@ [all] BOOT_UART=0 -WAKE_ON_GPIO=1 -POWER_OFF_ON_HALT=0 +WAKE_ON_GPIO=0 +POWER_OFF_ON_HALT=1 FREEZE_VERSION=0 HDMI_DELAY=0 BOOT_ORDER=0xf2165 From 6838519e97b7526e580b6a4e4491cbdec3ac0f7f Mon Sep 17 00:00:00 2001 
From: Alex Gonzalez Date: Thu, 27 Jun 2024 11:45:03 +0200 Subject: [PATCH 3/9] rpi-config: enable USB 2.0 for raspberrypicm4-ioboard-sb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As CM4 and CM4IO don’t include the external USB 3 controller, RaspberryPi OS sets `otg_mode=1` for better performance. See https://www.raspberrypi.com/documentation/computers/config_txt.html#otg_mode-raspberry-pi-4-only However, while testing, the kernel driver oops when the otg cable is connected at boot (works well if it is connected after boot though). As this is only needed in the USB provisioning mode, restrict the change to the raspberrypicm4-ioboard-sb for the time being. Changelog-entry: enable USB 2.0 for raspberrypicm4-ioboard-sb Signed-off-by: Alex Gonzalez --- .../recipes-bsp/bootfiles/rpi-config_git.bbappend | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend b/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend index f12568d88..c7f713332 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend +++ b/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend @@ -40,6 +40,10 @@ do_deploy:append:revpi-connect-4() { echo "dtoverlay=dwc2,dr_mode=host" >> ${DEPLOYDIR}/bootfiles/config.txt } +do_deploy:append:raspberrypicm4-ioboard-sb() { + echo "otg_mode=1" >> ${DEPLOYDIR}/bootfiles/config.txt +} + do_deploy:append:raspberrypi3-unipi-neuron() { # Use the dt overlays required by the UniPi Neuron family of boards echo "dtoverlay=neuronee" >> ${DEPLOYDIR}/bootfiles/config.txt From 3cc312fb0776cbbdbd1a3d6125cb0d9a14c0b281 Mon Sep 17 00:00:00 2001 
From: Alex Gonzalez Date: Mon, 1 Jul 2024 12:50:17 +0200 Subject: [PATCH 4/9] usbboot: conditionally sign msd binaries With the USB provisioning being preferred, the msd binaries are no longer required. This commit adds a recipe configuration to make the signing conditional. Changelog-entry: do not sign msd binaries by default as they are not needed Signed-off-by: Alex Gonzalez --- .../recipes-devtools/usbboot/usbboot-native_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb b/layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb index 0f39a16a6..d77074103 100644 --- a/layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb +++ b/layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb @@ -20,7 +20,7 @@ do_install(){ install -m 644 ${S}/msd/bootcode4.bin ${D} install -m 644 ${S}/msd/start.elf ${D} install -m 644 ${S}/msd/start4.elf ${D} - if [ "x${SIGN_API}" != "x" ]; then + if [ "x${SIGN_API}" != "x" ] && [ "${BALENA_SIGN_MSD}" = "1" ]; then install -d ${D}/secure-boot-msd/ if ! do_sign_rsa "${S}/secure-boot-msd/boot.img" "${D}/secure-boot-msd/boot.sig"; then bbfatal "Failed to sign boot image" From 3da91bb444d4da5a431027a6e7c8ee336363d669 Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Tue, 2 Jul 2024 13:19:07 +0200 Subject: [PATCH 5/9] rpi-eeprom: deploy locking binaries Changelog-entry: deploy CM4/RPI4 locking binaries Signed-off-by: Alex Gonzalez --- .../recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb index 18b9a6d18..760c183d6 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb +++ b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb 
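Review bot: `BALENA_SIGN_MSD` is tested in the new condition, but the hunk gives it no default and no description, so a reader of the recipe cannot tell that signing the msd image is now opt-in. A weak default with a comment near the top of the recipe would make that explicit: `# Set to "1" only when a signed msd boot.img is required` followed by `BALENA_SIGN_MSD ?= "0"`. According to the documentation text this series removes, the signed msd `boot.img` is what lets `rpiboot` expose internal storage on a locked device, so keeping it off unless requested is the safer default and worth saying in that comment. do_install starts and continues outside the hunk, so whether later steps expect `${D}/secure-boot-msd/` to exist cannot be checked from here.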
@@ -117,6 +117,17 @@ do_deploy () { if [ -f "${S}/${FIRMWARE}/critical/vl805-${VL805_FW_REV}.bin" ]; then cp ${S}/${FIRMWARE}/critical/vl805-${VL805_FW_REV}.bin ${DEPLOY_DIR_IMAGE}/${PN}/vl805-latest-stable.bin fi + if [ "x${SIGN_API}" != "x" ]; then + install -d ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock + cp -avL ${S}/${FIRMWARE}/stable/recovery.bin ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/bootcode4.bin + echo "uart_2ndstage=1" > ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + echo "eeprom_write_protect=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + echo "program_pubkey=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + echo "revoke_devkey=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + echo "program_jtag_lock=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + cp -av ${WORKDIR}/pieeprom-latest-stable*bin ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/pieeprom.bin + cp -av ${WORKDIR}/pieeprom-latest-stable*sig ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/pieeprom.sig + fi } # vl805 utility is deprecated, see https://github.com/raspberrypi/rpi-eeprom/commit/fed1ca62a5752cb5a990608c8c897ce0b077600a From a867de468155de4358e4de121ed31684028995ee Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Fri, 5 Jul 2024 13:33:26 +0200 Subject: [PATCH 6/9] docs: rpi-secure-boot: update with USB booting re-provisioning process Also, remove mentioning that write protecting further OTP changes is globally possible as only the customer OTP registers have this feature and these are not used by the secure boot implementation. Change-type: patch Signed-off-by: Alex Gonzalez --- docs/rpi-secure-boot.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/rpi-secure-boot.md b/docs/rpi-secure-boot.md index 2401e7441..cc5af4004 100644 --- a/docs/rpi-secure-boot.md +++ b/docs/rpi-secure-boot.md 
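Review bot: The two `cp -av ${WORKDIR}/pieeprom-latest-stable*` lines select the EEPROM image and its signature by glob, so what ends up beside `program_pubkey=1` and `revoke_devkey=1` depends on whatever files are in WORKDIR at that moment. Zero or several matches make `cp` fail, and a single unexpected match would be deployed without notice; naming the exact signed image and signature produced by the signing step removes that ambiguity. The settings written here program OTP, so a comment above the block such as `# secure-boot-lock: this config.txt writes OTP (key digest, devkey revocation, JTAG lock) when loaded` would warn whoever uses the bundle. The block also hard-codes `rpi-eeprom` where the line just above uses `${PN}`. do_deploy starts outside the hunk.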
@@ -49,22 +49,20 @@ The partitions are mounted under `/mnt/boot` and `/mnt/rpi` respectively. ## Device locking -RaspberryPi devices require post-installation setup to lock the device after the installer image completes programming. This locking process needs to write to OTP and requires a USB connection and the `rpiboot` utility loading a dedicated signed `boot.img` file with the following `config.txt` settings: +RaspberryPi devices require post-installation setup to lock the device after the installer image completes programming. This locking process needs to write to OTP and requires a USB connection and the `rpiboot` utility loading a dedicated signed EEPROM image file with the following `config.txt` settings: * **revoke_devkey=1**: Prevents EEPROM downgrades to versions that don't support secure boot * **program_pubkey=1**: Programs the digest of the EEPROM's public key to OTP * **program_jtag_lock=1**: Disables the GPU JTAG interface * **eeprom_write_protect=1**: Sets the EEPROM to write protect -Finally, further OTP changes can be locked down to prevent mangling of OTP data. - ## EEPROM updates on locked devices Once a device is secure boot enabled and is locked down, `rpiboot` driven EEPROM updates will no longer work. Only EEPROM self-updates are possible. ## Re-programming of locked devices -Once a device is secure boot enabled and is locked down, `rpiboot` needs to use a dedicated signed `boot.img` to expose the encrypted internal storage and allow re-programming. +Once a device is secure boot enabled and is locked down, re-programming can be done by USB booting a signed flasher images. The use of `rpiboot` to expose internal storage is not supported. ## Debugging From 3336d35ddfc690b0ae78772155e0b6bc82bc19ee Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Wed, 10 Jul 2024 11:53:37 +0200 Subject: [PATCH 7/9] rpi-eeprom: update firmware to 2024-05-17 Changelog-entry: update rpi-eeprom firmware to 2024-05-17 
Signed-off-by: Alex Gonzalez --- .../recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb index 760c183d6..128faa4ff 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb +++ b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb @@ -2,7 +2,7 @@ SUMMARY = "Installation scripts and binaries for the Raspberry Pi 4 EEPROM" DESCRIPTION = "This repository contains the rpi4 bootloader and scripts \ for updating it in the spi eeprom" LICENSE = "BSD-3-Clause & Broadcom-RPi" -LIC_FILES_CHKSUM = "file://LICENSE;md5=f546ed4f47e9d4c1fe954ecc9d3ef4f3" +LIC_FILES_CHKSUM = "file://LICENSE;md5=449418bd5e2b674b51a36c78f3f85a01" SRC_URI = " \ git://github.com/raspberrypi/rpi-eeprom.git;protocol=https;branch=master \ @@ -15,12 +15,12 @@ SRC_URI += " \ file://default-config.txt \ " -SRCREV = "3b393d31ac0f1864420d47028b5703a70ad8da8f" -PV = "v2023.10.18-2712" +SRCREV = "e430a41e7323a1e28fb42b53cf79e5ba9b5ee975" +PV = "v2024.06.05-2712" # We use the latest stable version # which is available in "stable" -LATEST_STABLE_PIEEPROM_FW:raspberrypi4-64 = "2023-05-11" +LATEST_STABLE_PIEEPROM_FW:raspberrypi4-64 = "2024-05-17" VL805_FW_REV = "000138a1" FIRMWARE:raspberrypi4-64 = "firmware-2711" From fdb332ba7f2d5faf79f2a5cc831cffdadae83400 Mon Sep 17 00:00:00 2001 
From: Alex Gonzalez Date: Fri, 12 Jul 2024 16:18:17 +0200 Subject: [PATCH 8/9] rpi-config: replace otg_mode with the dwc2 driver The `otg_mode=1` setting makes the firmware mux the USB port to the XHCI host-only controller. However, even though this correctly enabled host mode in the USB port, the kernel drivers oops when a cable is plugged into the OTG port in the ioboard, probably because the XCHI controller does not support OTG or device mode. This commit reverts to using the dwc2 kernel overlay which has less performance but does not crash. Changelog-entry: use dwc2 driver for USB host mode in CM4-SB. Signed-off-by: Alex Gonzalez --- .../recipes-bsp/bootfiles/rpi-config_git.bbappend | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend b/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend index c7f713332..a869a6eef 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend +++ b/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend @@ -41,7 +41,7 @@ do_deploy:append:revpi-connect-4() { } do_deploy:append:raspberrypicm4-ioboard-sb() { - echo "otg_mode=1" >> ${DEPLOYDIR}/bootfiles/config.txt + echo "dtoverlay=dwc2,dr_mode=host" >> ${DEPLOYDIR}/bootfiles/config.txt } do_deploy:append:raspberrypi3-unipi-neuron() { From e6d55dd064d6ed0e496fdd3506df1f7d3fd75aad Mon Sep 17 00:00:00 2001 From: Alex Gonzalez Date: Mon, 15 Jul 2024 11:52:12 +0200 Subject: [PATCH 9/9] linux: raspberrypicm4-ioboard-sb: add support for the dwc2 kernel driver This adds support for the DesignWare Core USB 2.0 controller, required for the USB boot flow. Changelog-entry: add dwc2 support to the raspberrypicm4-ioboard-sb kernel 
Signed-off-by: Alex Gonzalez --- .../recipes-kernel/linux/linux-balena-bootloader_%.bbappend | 3 +++ .../recipes-kernel/linux/linux-raspberrypi_%.bbappend | 3 +++ 2 files changed, 6 insertions(+) create mode 100644 layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-balena-bootloader_%.bbappend diff --git a/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-balena-bootloader_%.bbappend b/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-balena-bootloader_%.bbappend new file mode 100644 index 000000000..7f8a17072 --- /dev/null +++ b/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-balena-bootloader_%.bbappend @@ -0,0 +1,3 @@ +# Enable the dwc2 driver +BALENA_CONFIGS:append:raspberrypicm4-ioboard-sb = " dwc2" +BALENA_CONFIGS[dwc2] = "CONFIG_USB_DWC2=y" diff --git a/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend b/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend index 3a13faf44..402c6ac37 100644 --- a/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend +++ b/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend @@ -46,3 +46,6 @@ BALENA_CONFIGS[pieeprom] = " \ CONFIG_SPI_BCM2835=y \ CONFIG_SPI_SPIDEV=y \ " + +BALENA_CONFIGS:append:raspberrypicm4-ioboard-sb = " dwc2" +BALENA_CONFIGS[dwc2] = "CONFIG_USB_DWC2=y"
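Review bot: `CONFIG_USB_DWC2=y` on its own leaves the controller mode to the kernel's default choice, which is dual-role when gadget support is enabled in the base config (not visible here), while the boot configuration in this series only asks for `dr_mode=host`. If device mode is not needed on this board, pinning host-only with `BALENA_CONFIGS[dwc2] = "CONFIG_USB_DWC2=y CONFIG_USB_DWC2_HOST=y"` keeps the peripheral-mode code out of the secure-boot kernel. This applies to both bbappends in the commit. The linux-raspberrypi one also lacks the `# Enable the dwc2 driver` comment that the new bootloader bbappend has.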