feat: add secure boot USB mass storage scripts for CM4

- Added gen-secure-msd-sig.sh to sign boot.img with private key using rpi-eeprom-digest
- Added rpi-boot-secure.sh to load signed secure-boot mass storage gadget via rpiboot
- Updated .gitignore to exclude usbboot/ directory
- Updated README with secure boot CM4 unlock instructions

.gitignore

@@ -2,3 +2,4 @@ src/.env
 .vscode/settings.json
 src/provision.log
 *.img
+usbboot/

README.md

@@ -52,3 +52,8 @@ For production, the devices need to be provisoned uniquely
     - start the application (script if custom device, server and frontend if ui version)
     - set mac add of secondary eth port in /etc/systemd/network/10-eth1-mac.link
     - activate overlayfs (?) -probably not because we need persistent storage for stream states
+
+## Secure-boot CM4: unlock secure USB mass-storage
+bash gen-secure-msd-sig.sh
+bash rpi-boot-secure.sh
+

gen-secure-msd-sig.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+USBBOOT_DIR="${SCRIPT_DIR}/usbboot"
+TOOLS_SCRIPT="${USBBOOT_DIR}/tools/rpi-eeprom-digest"
+MSD_DIR="${USBBOOT_DIR}/secure-boot-msd"
+KEY_FILE="${SCRIPT_DIR}/private.pem"
+
+if [[ ! -d "${USBBOOT_DIR}" ]]; then
+  echo "Error: usbboot/ directory not found at ${USBBOOT_DIR}." >&2
+  exit 1
+fi
+
+if [[ ! -f "${TOOLS_SCRIPT}" ]]; then
+  echo "rpi-eeprom-digest not found at ${TOOLS_SCRIPT}, initialising usbboot submodules..." >&2
+  (
+    cd "${USBBOOT_DIR}" &&
+    git submodule update --init
+  )
+
+  if [[ ! -f "${TOOLS_SCRIPT}" ]]; then
+    echo "Error: rpi-eeprom-digest still not found at ${TOOLS_SCRIPT} after submodule init." >&2
+    exit 1
+  fi
+fi
+
+if [[ ! -d "${MSD_DIR}" ]]; then
+  echo "Error: secure-boot-msd directory not found at ${MSD_DIR}." >&2
+  exit 1
+fi
+
+if [[ ! -f "${MSD_DIR}/boot.img" ]]; then
+  echo "Error: boot.img not found at ${MSD_DIR}/boot.img." >&2
+  exit 1
+fi
+
+if [[ ! -f "${KEY_FILE}" ]]; then
+  echo "Error: private key not found at ${KEY_FILE}." >&2
+  exit 1
+fi
+
+echo "Signing ${MSD_DIR}/boot.img with key ${KEY_FILE}..."
+
+# Call the helper script via bash to avoid executable/symlink issues
+bash "${TOOLS_SCRIPT}" -i "${MSD_DIR}/boot.img" -o "${MSD_DIR}/boot.sig" -k "${KEY_FILE}"
+
+echo "Created ${MSD_DIR}/boot.sig"

rpi-boot-secure.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+USBBOOT_DIR="${SCRIPT_DIR}/usbboot"
+MSD_DIR="${USBBOOT_DIR}/secure-boot-msd"
+
+if [[ ! -d "${USBBOOT_DIR}" ]]; then
+  echo "Error: usbboot/ directory not found next to this script (${USBBOOT_DIR})." >&2
+  echo "       Please clone https://github.com/raspberrypi/usbboot into the project root." >&2
+  exit 1
+fi
+
+if [[ ! -x "${USBBOOT_DIR}/rpiboot" ]]; then
+  echo "Error: rpiboot binary not found at ${USBBOOT_DIR}/rpiboot." >&2
+  echo "       Build it via:  cd usbboot && make" >&2
+  exit 1
+fi
+
+if [[ ! -f "${MSD_DIR}/boot.img" ]]; then
+  echo "Error: ${MSD_DIR}/boot.img not found." >&2
+  echo "       Use the usbboot secure-boot docs to generate a suitable boot.img." >&2
+  exit 1
+fi
+
+if [[ ! -f "${MSD_DIR}/boot.sig" ]]; then
+  echo "Error: ${MSD_DIR}/boot.sig not found." >&2
+  echo "       Sign boot.img with your private key using rpi-eeprom-digest to create boot.sig." >&2
+  exit 1
+fi
+
+cat <<EOF
+Put the CM4 into USB boot mode now:
+ - Power off the CM4
+ - Ensure the USB boot pins/jumper are set correctly
+ - Connect the USB cable to your host
+ - Apply power to the CM4
+
+Waiting for device and loading secure-boot mass-storage gadget...
+EOF
+
+cd "${MSD_DIR}"
+"${USBBOOT_DIR}/rpiboot" -d .