2.0.9: Fix roll-up#1634
Merged
Merged
Conversation
tdewey-rpi
commented
May 27, 2026
Collaborator
- Fastboot FSM updates
- rpiboot FSM updates
- Secure Boot UI fixes
- Secure Boot key handling fixed on Windows
- Deps bump
Adds an in-process pieeprom.bin editor and an `oem eeprom-update` client path, byte-equivalent to rpi-eeprom-config / rpi-eeprom-digest. After a successful fastboot flash, reads the device EEPROM, sets the target drive (NVMe / USB / SD) at the head of BOOT_ORDER, re-signs bootconf.sig on signed-eeprom boards using the existing secureboot RSA key, and writes back. Best-effort: a failed update logs and lets the flash succeed. Signed boards with no key configured are skipped rather than bricked. Catch2 coverage: parser round-trip on a real pieeprom-*.bin, BOOT_ORDER nibble compose, `oem eeprom-update/verify/read` wire ordering on mock USB, and byte-for-byte cross-checks against rpi-eeprom-config and rpi-eeprom-digest when those tools are on PATH.
…r Qt builds Signed-off-by: Tom Dewey <tom.dewey@raspberrypi.com>
…nd extraction tests
To avoid yet another mass-resoluton pattern.
And extract the focus-rules from existing components. Additionally, rebuild the tab orders when the screen readers are toggled at runtime.
Not used anywhere, just dead code.
Rather than checking embedded mode everywhere, and having to recalculate common accessible descriptions everywhere, factor both into common functions.
It was a runtime context property — invisible to qmllint/qmlsc, so every ImageWriterSingleton reference went type-unchecked and raised a spurious unqualified-access warning (~415 of them). Register it declaratively (QML_NAMED_ELEMENT + QML_SINGLETON) with a create() factory that returns the app-owned instance, supplied via setQmlInstance() before the engine loads (CppOwnership keeps the engine from deleting the stack object). Unlike a runtime qmlRegisterSingletonInstance into the RpiImager URI, this does not disturb the qt_add_qml_module module's other C++ types. writeState enum comparisons move from ImageWriter.X to ImageWriterSingleton.X, since the bare ImageWriter QML type no longer exists.
Remove unused QtQuick.Controls/Dialogs/Layouts/QtCore imports (qmllint unused-imports), and qualify unqualified property access with root. / delegate ids via `qmllint --fix`. No behaviour change — the qualified form resolves to the same scope the engine already used. qmllint warnings 215 -> 86.
-1 qmllint
-3 qmllint
StandardPaths.writableLocation() returns a url, not a path string, so the `home.length`/`dl.length` guards were always false (the ~/.ssh and Downloads defaults never applied), and `"file://" + home` would have doubled the URL scheme. Use String(...) for the guard and append to the already-valid file:// URL, matching the convention used elsewhere.
findAPFSParent() released the `service` io_service_t a second time on every path that advanced past the first parent lookup: the success path, the parent-iterator-failure path, and in-loop failures at level >= 1. `service` is the first `current`, so the rolling release already freed it once the walk stepped past it; releasing it again over-released the underlying mach port. Because the function runs for every AppleAPFSMedia disk — i.e. on essentially every Mac, on each drive-poll cycle — this triggered an EXC_GUARD / GUARD_TYPE_MACH_PORT SIGKILL on launch, observed on Intel under macOS 15.7.7 (v2.0.7/v2.0.8). Rewrite the IORegistry walk to hold exactly one owned reference at a time: each step releases the node just stepped off and takes ownership of its parent. Every node is now released exactly once on all paths, and `service` is never referenced after the walk.
…ction (#1603) When the download half completed but the extraction thread subsequently aborted while draining the ring buffer, _onDownloadSuccess() emitted success() unconditionally once _extractThread->wait() returned. That late success() overrode the error already reported by the extraction thread and bounced the UI straight to the "write complete" screen, leaving the user with a corrupted, unformatted card but a success message. Track extraction failure in a new atomic _extractFailed flag, set in both the extractImageRun() and extractMultiFileRun() fatal-error paths, and suppress the success() emission in _onDownloadSuccess() when extraction failed or the write was cancelled. This fixes the bug at source rather than relying on the late-success guard in ImageWriter::onSuccess() (added post-2.0.6) to mask it downstream.
…1564) The "Open Raspberry Pi Connect" button silently did nothing on some Linux systems, and the rpi-imager:// token callback often failed to return. Root cause of the dead button: PlatformQuirks::launchDetached() reported success whenever the double-fork succeeded, never observing whether execv() actually ran. The parent waits on the first child, which _exit(0)s the moment it has forked the grandchild — so a missing or unrunnable xdg-open looked like success and openUrl()'s QDesktopServices fallback became dead code. Fixed with a close-on-exec status pipe: a clean exec closes the write end (EOF = success), a failed exec writes errno back to the parent. Harden URL opening and the callback round-trip, all behind the PAL so imagewriter.cpp and main.cpp carry no Q_OS_* branches: - openUrlExternally(): try the xdg-desktop-portal OpenURI interface first (routes through the desktop environment and works from Flatpak/Snap-confined browsers), then xdg-open; run as the original user when elevated. macOS uses `open`; Windows declines so Qt opens the URL without a shell. - registerUriScheme(): register the rpi-imager:// handler at runtime so AppImage and other unpackaged builds receive the sign-in callback (the packaged .deb already ships a system handler). Linux writes a user-level .desktop entry; macOS uses LSSetDefaultHandlerForURLScheme (moved out of main.cpp); Windows is a no-op (the installer owns the registry key). The portal path is gated on QT_DBUS_LIB so the CLI build and the DBus-free PAL unit test exclude it cleanly. Adds per-platform PAL tests covering launchDetached exec success/failure and scheme registration.
The "Exclude system drives" filter showed the system drive and did
nothing when toggled. The symptom is diagnostic: the filter only hides
drives with isSystem=true, so an inert toggle means the OS disk was
never flagged. Windows detection inferred isSystem from enumerator
strings ("SCSI"/"IDE") and known-folder prefix matching over the
device's mountpoints — both miss OEM/RAID NVMe boot disks, and the
mountpoint list could be emptied by the getMountpoints enumerator-
mismatch skip, leaving the boot disk unflagged.
Detect the system drive authoritatively instead of inferring it:
- Resolve the physical disk number(s) backing %SystemRoot% and the
critical known folders via VOLUME_DISK_EXTENTS (covers spanned/RAID/
Storage-Spaces volumes), and force isSystem for those disks last, so
the card/USB reset can't clobber it (also protects Windows-To-Go).
- Widen the initial guess from literal SCSI/IDE to any non-removable
generic (non-USB) storage driver, catching OEM/RAID NVMe disks.
- Stop the getMountpoints enumerator-mismatch skip from dropping a
device-number-matched volume on a known system disk, so the
Google-Drive disambiguation is preserved but real system volumes
are kept.
Additive only: isSystem can be set more true, never less. Existing
isSystemDevice() heuristic and its test seam are retained as a
fallback.
And better handle displays that don't report their dimensions correctly.
This would manifest as two CacheManager registration lines, and in the UI as appearing to be offline by default.
As required by Qt 6.11
Two small follow-ups to the recent secureboot PAL and fastboot
EEPROM work:
* Replace the per-platform getRsaKeyFingerprint() impls with a
portable one that hashes SecureBootCrypto::extractRsaPubkeyBin()'s
264-byte (N || E little-endian) blob — the same bytes the boot
ROM hashes — and delete the now-dead rsakeyfingerprint_*.{cpp,mm}.
* Pass the user's chosen storage target through setRpibootDevice()
into onRpibootFastbootReady() so the rpiboot-then-flash path no
longer hardcodes "mmcblk0". Without this the image landed on
eMMC and BOOT_ORDER was nudged toward SD/eMMC (0x1) regardless
of what the user picked. Empty target falls back to mmcblk0
with a qWarning.
- Support symlinked directories - Bump to Qt6.11 - Rewind ICU to 73, in line with Qt6 - Expand building ICU from git - Workaround QtWiddgets-triggered GCC bug by disabling Widgets (we're QML only)
Refactor the nextStep function to improve handling of the "write another" mode. Introduced a new variable to determine when to skip directly to the writing step after storage selection. Adjusted customization application logic to reuse the previous customization payload if applicable, ensuring a smoother user experience during repeated writes. Fixes #1640
…ping - Introduced functions to validate and escape SSID octets for YAML compatibility. - Updated `generateSystemdScript` to handle SSID octets, ensuring proper encoding for special characters. - Added tests to verify correct handling of various SSID formats, including non-ASCII and malformed UTF-8. - Integrated new octet handling in the WiFi customization step of the wizard.
- Updated ImageWriter to include a new flag for special re-provisioning mode, allowing the reuse of cached pieeprom and re-signing of recovery files. - Enhanced RpibootThread to handle the new re-provisioning logic, ensuring proper firmware preparation and metadata parsing. - Adjusted FileServer to capture and decode provisioning status metadata, aligning with upstream behavior. - Updated tests to validate the new metadata handling and re-provisioning functionality.
This update ensures that the Qt host tools can load custom ICU runtime libraries, specifically for embedded Qt builds linked against ICU 73. The script checks predefined directories for the ICU libraries and updates the LD_LIBRARY_PATH accordingly.
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.