Olivier Benjamin Finds a "Currently Undocumented" Raspberry Pi Feature for Secure A/B Updates

A recently-added conditional in the Raspberry Pi firmware makes it suitable for A/B updates using RAUC, Bootlin's Benjamin demonstrates.

Embedded engineering firm Bootlin has published a write-up of a project that required A/B-capable secure over-the-air (OTA) updates to a Raspberry Pi 5 target — and how they achieved it using the Robust Auto-Update Controller (RAUC) and the stock Raspberry Pi firmware, thanks to a somewhat-hidden new feature.

"As part of a recent project at Bootlin, we implemented A/B Over-The-Air (OTA) updates on a system based on the Raspberry Pi 5 using RAUC," Bootlin's Olivier Benjamin explains. "We ended up not using U-Boot as a bootloader and instead rely solely on the Raspberry Pi firmware as a bootloader."

The open-source RAUC project is designed to provide safe and secure updates through the use of an A/B system: when booting from slot A, an update is installed to slot B — meaning that if something goes wrong, the system can fall back to the pre-update state. If everything goes well, the system boots from slot B — and the next update is installed to slot A, and so on.

It's a system that works well, but it's also one that has to happen outside the operating system. As a result, RAUC comes with support for using four popular bootloaders as its backend: Barebox, U-Boot, GRUB, and UEFI. For embedded systems, the usual approach is to use U-Boot — but that didn't meet Bootlin's needs. "Unfortunately, at the time, and still as of the time of writing," Benjamin explains, "U-Boot does not have PCIe support for the Broadcom BCM2712, the SoC [System-on-Chip] that is the [Raspberry] Pi 5's Application Processor. That is an issue in our case, because that is the interface used by the M.2 HAT+ to connect to the NVMe drive storing the operating system in our project."

The solution: using Raspberry Pi's own firmware instead, with a custom backend that removes the need for U-Boot entirely. It's an approach that provides full compatibility for booting from PCI Express devices on the Raspberry Pi 5 and Raspberry Pi Compute Modules, but it comes with some caveats — the biggest being that if the cmdline.txt configuration file gets out of sync, a system could boot from the wrong slot. The fix? A "currently undocumented feature" of the Raspberry Pi firmware, Benjamin says, which recently added support for conditional entries based on the boot partition.

"The Raspberry Pi firmware exposes some features (albeit one experimental) that make it reasonable to consider not using U-Boot as a secondary bootloader, while still retaining the capability to distribute updates using a mature framework in RAUC," Benjamin concludes. "That would only be more true if RAUC indeed ends up merging support for the [Raspberry] Pi firmware as a backend, though some small limitations might remain."

The full write-up is available on the Bootlin blog.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.