Reprovisioning PiCM5 in secure boot #268
Description
Hi,
I've successfully* provisioned a Pi CM5 using Secure Boot.
Setup:
- Target device: Pi CM5 with eMMC, 32GB, 8GB.
- Target OS: Bookworm (for application compatibility reasons). I've used pi-gen to generate an image.
- Host device: Pi 5, running Trixie.
- A 15cm USB-A <--> USB-C cable
- A Waveshare IO board**.
- External USB-A integrated keyboard and trackpad connected to the Host pi and monitor via micro HDMI.
Initial provisioning flow was:
- Jumper cable on BOOT
- Check the rpi-provisioner-ui service is up and running - normally looking at the devices/detail tab.
- Create the signing keys and set the options in the UI > Save options
- Get logs and devices/detail UI page up on screen
- Remove USB keyboard
- Plug in USB-C into CM board
- Press and hold pwr button on CM board
- Plug in USB-A into provisioning Pi, then release
- Move away, sit on hands, avoid all temptation, watch only.
- Keyboard/trackpad back in - review results, then boot the pi on a LAN. Win.Side question: In a deviation from the docs, I didn't seem to need to unplug and replug to initiate a second stage. Is this expected?
Re-provisioning
I would now like to test the re-provisioning process so that I can always return the CM5 to a known state (secure boot, custom pi-gen-created image).
Naked: I've tested a re-provisioning flow using a naked-provisioned CM5 and that worked well and is repeatable. I've outlined it below in case it's useful to others or worthy of adding to the docs (I couldn't find an equivalent).
SB: I've tried just plugging the CM5 back in, but in the provisioner UI Services tab I get:
rpi-sb-bootstrap@dev-bus-usb-XXX-XXX failed failed
And the logs for that line say:
Failed to claim interface
Loading /srv/rpi-sb-provisioner/rpi-sb-bootstrap.Yzx/secure-bootloader//bootcode5.bin
Sending bootcode.bin
Failed control transfer (-7, 24)
Failed to write correct length, returned -7
This doesn't brick the device - I can still connect it up to a LAN and it works fine.
I think I'm missing some fundamental part of what a re-provisioning step should look like. Should I be changing the options or preparing the device differently?
Of interest:
-
The -7 code. I also have 2 other CM5's that report this -7, 24 code which I've bricked in the process of learning. It would be great to bring those back from the dead if that's possible.
-
Official IO board vs Waveshare. I tried using official Pi IO board and while it was successful during the initial provisioning of my early now-bricked devices, I ran into problems and so threw hardware at the problem - suspecting it was something to do with power available from the Host/provisioning Pi over USB-A. The waveshare has PoE capability OOB, so I thought I could power the board using that while using USB-C for flashing.
-
Resetting process for naked provisioned CM5
- Host:
sudo systemctl stop rpi-provisioner-ui - Host: Using the github cloned and built
usbbootrepo, run:./rpiboot -v - Host: minimise any other power draw - remove Eth, remove keyboard/trackpad
- Connect: hold pwr button + connect USB-A to USB-C
- Host: Connect PoE Ethernet cable to Pi CM5 carrier board (the Waveshare). I haven't proven that this is strictly necessary, but it's certainly not breaking anything so I'm sticking with it for now.
- Host:
sudo dd if=/dev/zero of=/dev/sda bs=4M status=progressto wipe CM5 (appearing as an externally mounted USB device to the host) - Host: Wipe / reset eeprom:
cd usbboot/recovery5
./update-pieeprom.sh # generates a .img and .sig from the latest firmware (if I understand correctly)
cd ..
./rpiboot -d recovery5