Fix: skip EEPROM config signing for naked provisioning (fixes #319)#327
Open
loonyfox1 wants to merge 1 commit into
Open
Fix: skip EEPROM config signing for naked provisioning (fixes #319)#327loonyfox1 wants to merge 1 commit into
loonyfox1 wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
In 2.3.1,
update_eeprom()signs the bootloader config (and, on 2712, bootcode/bootsys)whenever a customer key is configured — regardless of
PROVISIONING_STYLE. In naked modethis produces an EEPROM containing a signed config block with an embedded public key,
while the device OTP remains unprogrammed (
CUSTOMER_KEY_HASHall zeros). The resultingdevice does not boot: solid red power LED, no green activity, no diagnostic blink code.
The provisioner reports
EEPROM_UPDATE: success.This is the root cause of #319 (reported on NVMe; reproduced identically on SD).
Evidence
Reproduced on two independent provisioning hosts (identical stacks: rpi-sb-provisioner
2.3.1, rpiboot 20260603~182203, rpi-eeprom 28.28-1), target: Raspberry Pi 5 Model B
8GB Rev 1.1 (BCM2712 C1, boardrev d04171), naked provisioning to SD.
Same firmware (
pieeprom-2026-06-17.bin), same bootloader config, same board:rpiboot -d recovery5/(unsigned)4707d234…60bb7b48…4707d234…With the patch, the provisioner produces a byte-identical EEPROM to the known-good
manual usbboot recovery5 flash, and the device boots. The
signing_availableelse-branchalready implements the correct unsigned flow; this change routes naked provisioning
through it, matching the existing
case ${PROVISIONING_STYLE}pattern used elsewherein the script.
The log already hints at the inconsistency before writing the broken EEPROM:
Warning: SIGNED_BOOT=1 not found in ".../bootloader.naked"followed bySigning bootloader config.Notes
PROVISIONING_STYLE=naked).passing runs if useful.