Edit /boot/firmware/config.txt after provisioning

[reflexcameras]

I would like to swap cameras on a provisioned device. I cannot find config.txt in the usual directory /boot/firmware/config.txt. Is there a way to edit this file after provisioning to change the overlays?

[tdewey-rpi]

config.txt behaves differently in the secure-boot universe.

In the non-secure boot mode, it's simply read from the VFAT as part of the boot sequence - but when you migrate to secure-boot, you're instead embedding it in the Pre-Boot Authentication image.

You essentially have two paths forward:

1. (Recommended) Regenerate the cryptroot Pre-boot authentication initramfs with your required changes. This will let you prune the overlays to just those you require, and ensure the overlays you require are present. Use pi-gen-micro to do this: https://github.com/raspberrypi/pi-gen-micro/tree/main/configurations/cryptroot_image
2. (Quick, but potentially with missing files) Add your directives to your installation:

   rpi-sb-provisioner/service/rpi-sb-provisioner.sh

   Line 870 in d377e82

   announce_start "config.txt modification"

Note also that (2) will not survive an upgrade of the provisioner - and we're planning to drop 2.0 within the next few weeks with a range of improvements and changes.

[reflexcameras]

OK, thank you, is step 1 possible from the provisioned device or just the provisioner? It would be amazing for testing (and future proofing) if it is possible to edit the overlays on a provisioned device.

Still, I want to create a golden image for my project. Would the config files update if I:

• remove my previous wkdir
• generate a new pi-gen image with a corrected config.txt
• reflash the same device

Sorry for the basic questions.

[tdewey-rpi]

OK, thank you, is step 1 possible from the provisioned device or just the provisioner? It would be amazing for testing (and future proofing) if it is possible to edit the overlays on a provisioned device.

It is indeed possible - just replace the boot.img & boot.sig with your updated copies. Provided you sign them with the same signing key, this should work well.

Still, I want to create a golden image for my project. Would the config files update if I:

• remove my previous wkdir
• generate a new pi-gen image with a corrected config.txt
• reflash the same device

No - you'd need to update the pre-boot authentication image for overlays, and this would be a separate input to sb-provisioner.

To do so, make your modifications in pi-gen-micro, and build a new initramfs there, and then replace the following file with your newly minted cryptroot:

rpi-sb-provisioner/debian/install

Line 25 in d377e82

host-support/cryptroot_initramfs /var/lib/rpi-sb-provisioner

Sorry for the basic questions.

[reflexcameras]

I have created an image with sudo pi-gen-micro cryptroot_image mounted the boot.img and edited the config.txt.

I am a bit lost on how to build a new initramfs with this image. Are there steps within the sb-provisioner scripts that I could follow?

[tdewey-rpi]

@reflexcameras I must apologise, because I think I've sent you down a wrong path.

Inspecting the code once more, I can confirm we only use the initramfs from the pi-gen-micro output, and this would not include config.txt.

Instead, it should be as straightforward as modifying your gold master image, and making sure your requisite overlay files are present in your boot image. You should be able to confirm this without going through a secure boot provisioning run - simply inspecting your gold master should be enough to confirm presence.

These changes will then be fully captured in the boot.img. I had forgotten that the cryptroot is kept as a subitem in the boot.img - alongside the config.txt, cmdline.txt and traditional boot flow configuration items.

See

rpi-sb-provisioner/service/rpi-sb-provisioner.sh

Line 898 in d377e82

announce_start "Boot Image partition extraction"

for verification

[reflexcameras]

No worries, thanks for confirming. Now that I have changed and reflashed the gold master image, it is working!

Thanks again,
Sam