[PATCH v10 09/15] FWU: Add boot time checks as highlighted by the FWU specification

Tue Sep 27 09:00:34 CEST 2022

On Mon, 26 Sept 2022 at 19:37, Jassi Brar <jassisinghbrar at gmail.com> wrote:
>
> On Mon, Sep 26, 2022 at 5:08 AM Sughosh Ganu <sughosh.ganu at linaro.org> wrote:
> >
> > On Mon, 26 Sept 2022 at 08:29, Jassi Brar <jassisinghbrar at gmail.com> wrote:
> > > .....
> > > > +static int fwu_boottime_checks(void *ctx, struct event *event)
> > > > +{
> > > > +       int ret;
> > > > +       struct udevice *dev;
> > > > +       u32 boot_idx, active_idx;
> > > > +
> > > > +       ret = fwu_get_dev_mdata(&dev, NULL);
> > > > +       if (ret)
> > > > +               return ret;
> > > > +
> > > > +       ret = fwu_mdata_check(dev);
> > > > +       if (ret) {
> > > > +               return 0;
> > > > +       }
> > > > +
> > > > +       /*
> > > > +        * Get the Boot Index, i.e. the bank from
> > > > +        * which the platform has booted. This value
> > > > +        * gets passed from the ealier stage bootloader
> > > > +        * which booted u-boot, e.g. tf-a. If the
> > > > +        * boot index is not the same as the
> > > > +        * active_index read from the FWU metadata,
> > > > +        * update the active_index.
> > > > +        */
> > > > +       fwu_plat_get_bootidx(&boot_idx);
> > > > +       if (boot_idx >= CONFIG_FWU_NUM_BANKS) {
> > > > +               log_err("Received incorrect value of boot_index\n");
> > > > +               return 0;
> > > > +       }
> > > > +
> > > > +       ret = fwu_get_active_index(&active_idx);
> > > > +       if (ret) {
> > > > +               log_err("Unable to read active_index\n");
> > > > +               return 0;
> > > > +       }
> > > > +
> > > > +       if (boot_idx != active_idx) {
> > > > +               log_info("Boot idx %u is not matching active idx %u, changing active_idx\n",
> > > > +                        boot_idx, active_idx);
> > > > +               ret = fwu_update_active_index(boot_idx);
> > > > +               if (!ret)
> > > > +                       boottime_check = 1;
> > > >
> > > We may not want to do anything FWU (accept, reject, modify mdata)
> > > until we reboot, if we are recovering from last bad upgrade. So maybe
> > > not set boottime_check
> >
> > Actually, the difference between the boot bank and active bank will
> > happen when there is some kind of corruption on the media due to which
> > the platform could not boot from the active bank(could also be due to
> > repeated wd timeouts).
> >
> ... which may have been caused by the last upgrade attempt, among other reasons.
>
> fwu_trial_state_check() will never be called in this case and any
> subsequent fwu_update_checks_pass() will pass even if we are in trial
> state.

If the platform is unable to boot from the updated partition,
resulting in booting from a different partition, the platform is no
longer in the trial state, since it has not booted from the updated
partition -- determination of trial state is only based on reading the
accepted bit of all images in the booted partition. I believe this
would be a reason to want to change the images on the other partition
from which the platform could not boot, unless that was due to some
hardware error, in which case it would require manual intervention.
But my point is, not allowing FWU updates in the scenario you mention
does not help prevent any unwanted situation.

-sughosh