feat: add secure boot USB mass storage scripts for CM4

- Added gen-secure-msd-sig.sh to sign boot.img with private key using rpi-eeprom-digest
- Added rpi-boot-secure.sh to load signed secure-boot mass storage gadget via rpiboot
- Updated .gitignore to exclude usbboot/ directory
- Updated README with secure boot CM4 unlock instructions

gen-secure-msd-sig.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+USBBOOT_DIR="${SCRIPT_DIR}/usbboot"
+TOOLS_SCRIPT="${USBBOOT_DIR}/tools/rpi-eeprom-digest"
+MSD_DIR="${USBBOOT_DIR}/secure-boot-msd"
+KEY_FILE="${SCRIPT_DIR}/private.pem"
+
+if [[ ! -d "${USBBOOT_DIR}" ]]; then
+  echo "Error: usbboot/ directory not found at ${USBBOOT_DIR}." >&2
+  exit 1
+fi
+
+if [[ ! -f "${TOOLS_SCRIPT}" ]]; then
+  echo "rpi-eeprom-digest not found at ${TOOLS_SCRIPT}, initialising usbboot submodules..." >&2
+  (
+    cd "${USBBOOT_DIR}" &&
+    git submodule update --init
+  )
+
+  if [[ ! -f "${TOOLS_SCRIPT}" ]]; then
+    echo "Error: rpi-eeprom-digest still not found at ${TOOLS_SCRIPT} after submodule init." >&2
+    exit 1
+  fi
+fi
+
+if [[ ! -d "${MSD_DIR}" ]]; then
+  echo "Error: secure-boot-msd directory not found at ${MSD_DIR}." >&2
+  exit 1
+fi
+
+if [[ ! -f "${MSD_DIR}/boot.img" ]]; then
+  echo "Error: boot.img not found at ${MSD_DIR}/boot.img." >&2
+  exit 1
+fi
+
+if [[ ! -f "${KEY_FILE}" ]]; then
+  echo "Error: private key not found at ${KEY_FILE}." >&2
+  exit 1
+fi
+
+echo "Signing ${MSD_DIR}/boot.img with key ${KEY_FILE}..."
+
+# Call the helper script via bash to avoid executable/symlink issues
+bash "${TOOLS_SCRIPT}" -i "${MSD_DIR}/boot.img" -o "${MSD_DIR}/boot.sig" -k "${KEY_FILE}"
+
+echo "Created ${MSD_DIR}/boot.sig"