[U-Boot] [PATCH 2/3] Automatic software update from TFTP server

Thu Sep 18 17:03:28 CEST 2008

The auto-update feature allows to automatically download software updates
from a TFTP server and store them in Flash memory during boot. Updates are
contained in a FIT file and protected with SHA-1 checksum.

More detailed description can be found in doc/README.au_tftp

Signed-off-by: Rafal Czubak <rcz at semihalf.com>
Signed-off-by: Bartlomiej Sieka <tur at semihalf.com>
---
 README                          |   12 ++
 common/Makefile                 |    1 +
 common/au_tftp.c                |  279 +++++++++++++++++++++++++++++++++++++++
 common/main.c                   |    7 +
 doc/README.au_tftp              |   89 +++++++++++++
 doc/uImage.FIT/update3.its      |   41 ++++++
 doc/uImage.FIT/update_uboot.its |   21 +++
 7 files changed, 450 insertions(+), 0 deletions(-)
 create mode 100644 common/au_tftp.c
 create mode 100644 doc/README.au_tftp
 create mode 100644 doc/uImage.FIT/update3.its
 create mode 100644 doc/uImage.FIT/update_uboot.its

diff --git a/README b/README
index ccd839c..23516eb 100644
--- a/README
+++ b/README
@@ -1737,6 +1737,14 @@ The following options need to be configured:
 		example, some LED's) on your board. At the moment,
 		the following checkpoints are implemented:
 
+- Automatic software updates via TFTP server
+		CONFIG_AU_TFTP
+		CONFIG_AU_TFTP_CNT_MAX
+		CONFIG_AU_TFTP_SEC_MAX
+
+		These options enable and control the auto-update feature;
+		for a more detailed description refer to doc/README.au_tftp.
+
 Legacy uImage format:
 
   Arg	Where			When
@@ -2811,6 +2819,10 @@ Some configuration options can be set using Environment Variables:
 		  allowed for use by the bootm command. See also "bootm_low"
 		  environment variable.
 
+  auto-update	- Location of the sofware update file on a TFTP server, used
+		  by the automatic software update feature. Please refer to
+		  documentation in doc/README.au_tftp for more details.
+
   autoload	- if set to "no" (any string beginning with 'n'),
 		  "bootp" will just load perform a lookup of the
 		  configuration from the BOOTP server, but not try to
diff --git a/common/Makefile b/common/Makefile
index 8bddf8e..96850b2 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -155,6 +155,7 @@ COBJS-$(CONFIG_LCD) += lcd.o
 COBJS-$(CONFIG_LYNXKDI) += lynxkdi.o
 COBJS-$(CONFIG_USB_KEYBOARD) += usb_kbd.o
 COBJS-$(CONFIG_DDR_SPD) += ddr_spd.o
+COBJS-$(CONFIG_AU_TFTP) += au_tftp.o
 
 COBJS	:= $(sort $(COBJS-y))
 SRCS	:= $(AOBJS:.o=.S) $(COBJS:.o=.c)
diff --git a/common/au_tftp.c b/common/au_tftp.c
new file mode 100644
index 0000000..7dfecab
--- /dev/null
+++ b/common/au_tftp.c
@@ -0,0 +1,279 @@
+/*
+ * (C) Copyright 2008 Semihalf
+ *
+ * Written by: Rafal Czubak <rcz at semihalf.com>
+ *             Bartlomiej Sieka <tur at semihalf.com>
+ *
+ * See file CREDITS for list of people who contributed to this
+ * project.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ *
+ */
+
+#include <common.h>
+
+#if !(defined(CONFIG_FIT) && defined(CONFIG_OF_LIBFDT))
+#error "CONFIG_FIT and CONFIG_OF_LIBFDT are required for auto-update feature"
+#endif
+
+#if defined(CFG_NO_FLASH)
+#error "CFG_NO_FLASH defined, but FLASH is required for auto-update feature"
+#endif
+
+#include <command.h>
+#include <flash.h>
+#include <net.h>
+
+/* env variable holding the location of the update file */
+#define AU_FILE_ENV		"auto-update"
+#define AU_NETRETRY_LEN		10
+
+/* set configuration defaults if needed */
+#ifndef CONFIG_AU_LOAD_ADDR
+#define CONFIG_AU_LOAD_ADDR	0x100000
+#endif
+
+#ifndef CONFIG_AU_TFTP_SEC_MAX
+#define CONFIG_AU_TFTP_SEC_MAX	1
+#endif
+
+#ifndef CONFIG_AU_TFTP_CNT_MAX
+#define CONFIG_AU_TFTP_CNT_MAX	0
+#endif
+
+extern ulong TftpRRQTimeoutSecs;
+extern int TftpRRQTimeoutCountMax;
+extern flash_info_t flash_info[];
+extern ulong load_addr;
+
+
+static int au_load(char *filename, ulong sec_max, int cnt_max, uint32_t addr)
+{
+	int size, rv;
+	ulong saved_timeout_secs;
+	int saved_timeout_count;
+	char saved_netretry[AU_NETRETRY_LEN];
+	char *netretry;
+
+	rv = 0;
+	/* save used globals and env variable */
+	saved_timeout_secs = TftpRRQTimeoutSecs;
+	saved_timeout_count = TftpRRQTimeoutCountMax;
+
+	memset(&saved_netretry, 0, AU_NETRETRY_LEN);
+	if ((netretry = getenv("netretry")) != NULL) {
+		if (strlen(netretry) >= AU_NETRETRY_LEN)
+			printf("netretry value too long, won't be restored\n");
+		else
+			strncpy(saved_netretry, netretry, AU_NETRETRY_LEN - 1);
+	}
+
+	/* set timeouts for auto-update */
+	TftpRRQTimeoutSecs = sec_max;
+	TftpRRQTimeoutCountMax = cnt_max;
+
+	/* we don't want to retry the connection if errors occur */
+	setenv("netretry", "no");
+
+	/* download the update file */
+	load_addr = addr;
+	copy_filename(BootFile, filename, sizeof(BootFile));
+	size = NetLoop(TFTP);
+
+	if (size < 0)
+		rv = 1;
+	else if (size > 0)
+		flush_cache(addr, size);
+
+	/* restore changed globals and env variable */
+	TftpRRQTimeoutSecs = saved_timeout_secs;
+	TftpRRQTimeoutCountMax = saved_timeout_count;
+
+	if (saved_netretry[0] != '\0')
+		setenv("netretry", saved_netretry);
+	else
+		setenv("netretry", NULL);
+
+	return rv;
+}
+
+static int au_flash(uint32_t addr_source, uint32_t addr_first, uint32_t size)
+{
+	uint32_t addr_last, bank, sector_end_addr;
+	flash_info_t *info;
+	char found;
+	int i;
+
+	/* compute correct addr_last */
+	addr_last = addr_first + size - 1;
+
+	if (addr_first >= addr_last) {
+		printf("Error: end address exceeds addressing space\n");
+		return 1;
+	}
+
+	/*
+	 * It may happen that addr_last doesn't fall on the sector
+	 * boundary. We want to round such an address to the next
+	 * sector boundary, so that the commands don't fail later on.
+	 */
+
+	/* find the end addr of the sector where the addr_last is */
+	found = 0;
+	for (bank = 0; bank < CFG_MAX_FLASH_BANKS && !found; ++bank) {
+		info = &flash_info[bank];
+		for (i = 0; i < info->sector_count && !found; ++i) {
+			/* get the end address of the sector */
+			if (i == info->sector_count - 1)
+				sector_end_addr = info->start[0] +
+								info->size - 1;
+			else
+				sector_end_addr = info->start[i+1] - 1;
+
+			if (addr_last <= sector_end_addr &&
+						addr_last >= info->start[i]) {
+				found = 1;
+				/* adjust addr_last if necessary */
+				if (addr_last < sector_end_addr)
+					addr_last = sector_end_addr;
+			}
+		}
+	}
+	if (!found) {
+		printf("Error: end address (0x%08x) not in flash!\n",
+								addr_last);
+		return 1;
+	}
+
+	/* remove protection on processed sectors */
+	if (flash_sect_protect(0, addr_first, addr_last) > 0) {
+		printf("Error: could not unprotect flash sectors\n");
+		return 1;
+	}
+
+	printf("Erasing 0x%08x - 0x%08x", addr_first, addr_last);
+	if (flash_sect_erase(addr_first, addr_last) > 0) {
+		printf("Error: could not erase flash\n");
+		return 1;
+	}
+
+	printf("Copying to flash...");
+	if (flash_write((char *)addr_source, addr_first, size) > 0) {
+		printf("Error: could not copy to flash\n");
+		return 1;
+	}
+	printf("done\n");
+
+	/* enable protection on processed sectors */
+	if (flash_sect_protect(1, addr_first, addr_last) > 0) {
+		printf("Error: could not protect flash sectors\n");
+		return 1;
+	}
+
+	return 0;
+}
+
+static int au_fit_getparams(const void *fit, int noffset, uint32_t *addr,
+					uint32_t *fladdr, uint32_t *size)
+{
+	const void *data;
+
+	if (fit_image_get_data(fit, noffset, &data, (size_t *)size))
+		return 1;
+
+	if (fit_image_get_load(fit, noffset, (ulong *)fladdr))
+		return 1;
+
+	*addr = (uint32_t)data;
+
+	return 0;
+}
+
+void au_tftp(void)
+{
+	char *filename, *env_addr;
+	int images_noffset, ndepth, noffset;
+	static uint32_t update_addr, update_fladdr, update_size;
+	ulong addr;
+	void *fit;
+
+	printf("Auto-update from TFTP: ");
+
+	/* get the file name of the update file */
+	filename = getenv(AU_FILE_ENV);
+	if (filename == NULL) {
+		printf("failed, env. variable '%s' not found\n", AU_FILE_ENV);
+		return;
+	}
+
+	printf("trying update file '%s'\n", filename);
+
+	/* get load address of downloaded update file */
+	if ((env_addr = getenv("loadaddr")) != NULL)
+		addr = simple_strtoul(env_addr, NULL, 16);
+	else
+		addr = CONFIG_AU_LOAD_ADDR;
+
+
+	if (au_load(filename, CONFIG_AU_TFTP_SEC_MAX,
+					CONFIG_AU_TFTP_CNT_MAX, addr)) {
+		printf("Can't load update file, aborting auto-update\n");
+		return;
+	}
+
+	fit = (void *)addr;
+
+	if (!fit_check_format((void *)fit)) {
+		printf("Bad FIT format of the update file, aborting "
+							"auto-update\n");
+		return;
+	}
+
+	/* process updates */
+	images_noffset = fdt_path_offset(fit, FIT_IMAGES_PATH);
+
+	ndepth = 0;
+	noffset = fdt_next_node(fit, images_noffset, &ndepth);
+	while (noffset >= 0 && ndepth > 0) {
+		if (ndepth != 1)
+			goto next_node;
+
+		printf("Processing update '%s' :",
+			fit_get_name(fit, noffset, NULL));
+
+		if (!fit_image_check_hashes(fit, noffset)) {
+			printf("Error: invalid update hash, aborting\n");
+			goto next_node;
+		}
+
+		printf("\n");
+		if (au_fit_getparams(fit, noffset, &update_addr,
+					&update_fladdr, &update_size)) {
+			printf("Error: can't get update parameteres, "
+								"aborting\n");
+			goto next_node;
+		}
+		if (au_flash(update_addr, update_fladdr, update_size)) {
+			printf("Error: can't flash update, aborting\n");
+			goto next_node;
+		}
+next_node:
+		noffset = fdt_next_node(fit, noffset, &ndepth);
+	}
+
+	return;
+}
diff --git a/common/main.c b/common/main.c
index 187ef8a..0d28eb4 100644
--- a/common/main.c
+++ b/common/main.c
@@ -56,6 +56,9 @@ extern int do_reset (cmd_tbl_t *cmdtp, int flag, int argc, char *argv[]);		/* fo
 
 extern int do_bootd (cmd_tbl_t *cmdtp, int flag, int argc, char *argv[]);
 
+#if defined(CONFIG_AU_TFTP)
+void au_tftp (void);
+#endif /* CONFIG_AU_TFTP */
 
 #define MAX_DELAY_STOP_STR 32
 
@@ -290,6 +293,10 @@ void main_loop (void)
 	char bcs_set[16];
 #endif /* CONFIG_BOOTCOUNT_LIMIT */
 
+#if defined(CONFIG_AU_TFTP)
+	au_tftp ();
+#endif /* CONFIG_AU_TFTP */
+
 #if defined(CONFIG_VFD) && defined(VFD_TEST_LOGO)
 	ulong bmp = 0;		/* default bitmap */
 	extern int trab_vfd (ulong bitmap);
diff --git a/doc/README.au_tftp b/doc/README.au_tftp
new file mode 100644
index 0000000..a2529fb
--- /dev/null
+++ b/doc/README.au_tftp
@@ -0,0 +1,89 @@
+Automatic software update from a TFTP server
+============================================
+
+Overview
+--------
+
+This feature allows to automatically store software updates present on a TFTP
+server in NOR Flash. In more detail: a TFTP transfer of a file given in
+environment variable 'auto-update' from server 'serverip' is attempted during
+boot. The update file should be a FIT file, and can contain one or more
+updates. Each update in the update file has an address in NOR Flash where it
+should be placed, updates are also protected with a SHA-1 checksum. If the
+TFTP transfer is successful, the hash of each update is verified, and if the
+verification is positive, the update is stored in Flash.
+
+The auto-update feature is enabled by the CONFIG_AU_TFTP macro:
+
+#define CONFIG_AU_TFTP		1
+
+
+Note that when enabling auto-update, Flash support must be turned on.  Also,
+one must enable FIT and LIBFDT support:
+
+#define CONFIG_FIT		1
+#define CONFIG_OF_LIBFDT	1
+
+The auto-update feature uses the following configuration knobs:
+
+- CONFIG_AU_LOAD_ADDR
+
+  Normally, TFTP transfer of the update file is done to the address specified
+  in environment variable 'loadaddr'. If this variable is not present, the
+  transfer is made to the address given in CONFIG_AU_LOAD_ADDR (0x100000 by
+  default).
+
+- CONFIG_AU_TFTP_CNT_MAX
+  CONFIG_AU_TFTP_SEC_MAX
+
+  These knobs control the timeouts during initial connection to the TFTP
+  server. Since a transfer is attempted during each boot, it is undesirable to
+  have a long delay when a TFTP server is not present. CONFIG_AU_TFTP_SEC_MAX
+  specifies the number of seconds to wait for the server to respond to initial
+  connection, and CONFIG_AU_TFTP_CNT_MAX gives the number of such connection
+  retries. CONFIG_AU_TFTP_CNT_MAX must be non-negative and is 0 by default,
+  CONFIG_AU_TFTP_SEC_MAX must be positive and is 1 by default.
+
+Since the update file is in FIT format, it is created from an *.its file using
+the mkimage tool. dtc tool with support for binary includes, e.g. in version
+1.2.0 or later, must also be available on the system where the update file is
+to be prepared. Refer to the doc/uImage.FIT/ directory for more details on FIT
+images.
+
+
+Example .its files
+------------------
+
+- doc/uImage.FIT/update_uboot.its
+
+  A simple example that can be used to create an update file for automatically
+  replacing U-Boot image on a system.
+
+  Assuming that an U-Boot image u-boot.bin is present in the current working
+  directory, and that the address given in the 'load' property in the
+  'update_uboot.its' file is where the U-Boot is stored in Flash, the
+  following command will create the actual update file 'update_uboot.itb':
+
+  mkimage -f update_uboot.its update_uboot.itb
+
+  Place 'update_uboot.itb' on a TFTP server, for example as
+  '/tftpboot/update_uboot.itb', and set the 'auto-update' variable
+  appropriately, for example in the U-Boot prompt:
+
+  setenv auto-update /tftpboot/update_uboot.itb
+  saveenv
+
+  Now, when the system boots up and the update TFTP server specified in the
+  'serverip' environment variable is accessible, the new U-Boot image will be
+  automatically stored in Flash.
+
+  NOTE: do make sure that the 'u-boot.bin' image used to create the update
+  file is a good, working image. Also make sure that the address in Flash
+  where the update will be placed is correct. Making mistake here and
+  attempting the auto-update can render the system unusable.
+
+- doc/uImage.FIT/update3.its
+
+  An example containing three updates. It can be used to update Linux kernel,
+  ramdisk and FDT blob stored in Flash. The procedure for preparing the update
+  file is similar to the example above.
diff --git a/doc/uImage.FIT/update3.its b/doc/uImage.FIT/update3.its
new file mode 100644
index 0000000..285cf73
--- /dev/null
+++ b/doc/uImage.FIT/update3.its
@@ -0,0 +1,41 @@
+/*
+ * Example Automatic software update file.
+ */
+/ {
+	description = "Automatic software updates: kernel, ramdisk, FDT";
+	#address-cells = <1>;
+
+	images {
+		update at 1 {
+			description = "Linux kernel binary";
+			data = /incbin/("./vmlinux.bin.gz");
+			compression = "none";
+			type = "firmware";
+			load = <FF700000>;
+			hash at 1 {
+				algo = "sha1";
+			};
+		};
+		update at 2 {
+			description = "Ramdisk image";
+			data = /incbin/("./ramdisk_image.gz");
+			compression = "none";
+			type = "firmware";
+			load = <FF8E0000>;
+			hash at 1 {
+				algo = "sha1";
+			};
+		};
+
+		update at 3 {
+			description = "FDT blob";
+			data = /incbin/("./blob.fdt");
+			compression = "none";
+			type = "firmware";
+			load = <FFAC0000>;
+			hash at 1 {
+				algo = "sha1";
+			};
+		};
+	};
+};
diff --git a/doc/uImage.FIT/update_uboot.its b/doc/uImage.FIT/update_uboot.its
new file mode 100644
index 0000000..e0d27ea
--- /dev/null
+++ b/doc/uImage.FIT/update_uboot.its
@@ -0,0 +1,21 @@
+/*
+ * Automatic software update for U-Boot
+ * Make sure the flashing addresses ('load' prop) is correct for your board!
+ */
+/ {
+	description = "Automatic U-Boot update";
+	#address-cells = <1>;
+
+	images {
+		update at 1 {
+			description = "U-Boot binary";
+			data = /incbin/("./u-boot.bin");
+			compression = "none";
+			type = "firmware";
+			load = <FFFC0000>;
+			hash at 1 {
+				algo = "sha1";
+			};
+		};
+	};
+};
-- 
1.5.3.4

