[U-Boot] [RFC] Safe Linux Updater

Alexandre Dilly alexandre.dilly at openwide.fr
Mon Jun 17 11:05:38 CEST 2013


Hi,

One month ago, I sent a first request for comments about an open source automatic updater for embedded systems using U-Boot: the goal of this project is to split a flash memory or hard disk drive into multiple partitions (2 or more) and install a new kernel and/or root filesystem on an empty or outdated partition.

After reboot, we count the boot attempts on this new version of the system and, if it fails to boot, we switch back to the last working partition. This guarantees that we will eventually boot from a correct partition and that there is no chance of unsupervised equipment hanging at the U-Boot prompt.

The U-Boot environment would contain some variables to hold the name, state and boot attempt count of each partition of the system. I would use CONFIG_ENV_OFFSET_REDUND to make writes to the environment power-fail safe.
The environment contains 3 variables per partition:
- part_X_flag: holds the state of partition X. It can be NONE for an empty partition, OK for a working system, LOCK for locking a partition while a new system is installed on it, UPDATED for a new system version (we count boot attempts for this partition) and BAD for a bad system which doesn't work.
- part_X_count: holds the number of boot attempts on partition X.
- part_X_cmd: U-Boot command used to boot from partition X (e.g. partition address in flash).
The environment also contains another variable, "boot_seq", which holds a list of bootable partitions sorted by version.

As suggested in previous emails, I have written two scripts to implement that:
- A U-Boot script to interpret all environment variables, boot from the correct partition and count boot attempts when the system boots from a new version.
- A Linux script to change environment variables when an update is installed.

The U-Boot script reads "boot_seq" and boots from the first partition of the list. If this partition is flagged OK, the system boots normally. If the partition is flagged UPDATED, the system tries to boot from it and counts boot attempts until the attempt limit is reached. Then the script boots from the next partition in the boot list, again counting boot attempts. This operation continues while partitions remain available in the list. Partitions flagged NONE, LOCK or BAD are skipped.

The Linux script has all the commands necessary to automatically find and lock the best partition on which to install an update, to mark the locked partition as UPDATED, and commands to mark a new version as good with OK or bad with BAD. This script uses fw_printenv and fw_setenv from the U-Boot tools.
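A runnable model of the two scripts described above, written for this thread as an added example rather than the author's code: the U-Boot environment is stood in for by a constructed key=value file (so fw_printenv/fw_setenv are not needed to try it), the boot-attempt limit of 3 is an assumption, and the function names select_boot, mark_ok and mark_bad are hypothetical.

```shell
#!/bin/sh
# Constructed stand-in for the U-Boot environment: one KEY=VALUE per line (assumption).
ENV_FILE="${ENV_FILE:-/tmp/safe_updater_env.txt}"
BOOT_LIMIT=3   # assumed boot-attempt limit for an UPDATED partition

env_reset() {
    # Sample environment: partition 2 holds a freshly installed version, partition 1 is known good.
    cat > "$ENV_FILE" <<'EOF'
boot_seq=2 1
part_1_flag=OK
part_1_count=0
part_1_cmd=bootm 0x100000
part_2_flag=UPDATED
part_2_count=0
part_2_cmd=bootm 0x500000
EOF
}

env_get() { sed -n "s/^$1=//p" "$ENV_FILE"; }

env_set() {
    # Write a fresh copy and rename it, so a crash mid-write leaves the old copy intact
    # (the file-level counterpart of the redundant environment CONFIG_ENV_OFFSET_REDUND gives).
    { grep -v "^$1=" "$ENV_FILE"; printf '%s=%s\n' "$1" "$2"; } > "$ENV_FILE.tmp" \
        && mv "$ENV_FILE.tmp" "$ENV_FILE"
}

# U-Boot side: walk boot_seq, skip NONE/LOCK/BAD, count attempts on an UPDATED partition
# and fall through to the next entry once the limit is reached. Prints the boot command.
select_boot() {
    for p in $(env_get boot_seq); do
        case "$(env_get "part_${p}_flag")" in
            OK) env_get "part_${p}_cmd"; return 0 ;;
            UPDATED)
                count=$(env_get "part_${p}_count")
                if [ "$count" -lt "$BOOT_LIMIT" ]; then
                    env_set "part_${p}_count" $((count + 1))
                    env_get "part_${p}_cmd"; return 0
                fi ;;
        esac
    done
    return 1   # nothing bootable left in the list
}

# Linux side, run once the new version has proven itself (or failed its self-test).
mark_ok()  { env_set "part_${1}_flag" OK;  env_set "part_${1}_count" 0; }
mark_bad() { env_set "part_${1}_flag" BAD; }
```

Running select_boot repeatedly on the sample environment shows the fallback: three attempts are granted to partition 2, the fourth call returns partition 1's command, and mark_ok 2 after a successful boot resets the counter so partition 2 boots without limit thereafter.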

I would like your comments/suggestions on this system to improve it and to make sure it fits the general philosophy of U-Boot. Moreover, if possible, I would like to upstream these scripts.

Best regards,
Alexandre Dilly
