[PATCH] Add support for SPL MMC load redundant U-Boot
Ayrton Leyssens
ayrton.leyssens at scioteq.com
Wed Jul 19 15:38:52 CEST 2023
Hi Stefano
> -----Original Message-----
> From: Stefano Babic <sbabic at denx.de>
> Sent: Wednesday, July 19, 2023 11:57 AM
> To: Ayrton Leyssens <ayrton.leyssens at scioteq.com>; u-boot at lists.denx.de
> Subject: Re: [PATCH] Add support for SPL MMC load redundant U-Boot
>
> Hi Ayrton,
>
> On 19.07.23 11:38, Ayrton Leyssens wrote:
> > From 99512830410551132e8f7577615b3af4f5f1c137 Mon Sep 17 00:00:00
> > 2001
> > From: Ayrton Leyssens <ayrton.leyssens at scioteq.com>
> > Date: Wed, 19 Jul 2023 11:27:19 +0200
> > Subject: [PATCH Add support for SPL mmc load redundant U-Boot
> >
> > This patch adds support for loading a redundant / second U-Boot from a
> MMC.
> > In some cases you want to update U-Boot, to have a "selectable"
> bootloader and keep the "old" and "new" one.
> > In this patch we use the environment for a user-defined variable.
> > Maybe this could be extended to some other ways as well.
> >
>
> I find the selection based on an environment variable quite weak. A wrong
> value could lead to unbootable device. IMHO the selection should be done in
> a way similar as what we have for the environment itself, that means the
> information if a u-boot image is valid or not should be inside the image itself.
> For example this is true in case u-boot is packed inside a fitImage.
Maybe my word choice is not that clear.
I do not mean it as a redundant U-Boot in case the first choice fails.
More as like, a selectable U-Boot.
The U-Boot could be selected by the user within U-Boot, or a higher level OS by setting the environment variable.
This in case of a complete redundant system (with exception of the MLO) in which the user makes sure a software update goes well.
If the user verifies the U-Boot is written well, he will toggle the environment variable and as such boot the whole 'B' side of the software chain.
Next update writes over the 'A' side and toggles to boot the 'A' side next.
>
> A simple selection is not sufficient, there should be a mechanism like for the
> environmant to fallback to the other partition if the chosen is not working or
> at least, integrity check is broken.
I agree, for a complete redundant U-Boot, this is not sufficient.
At least, this could be the first step to such system.
> Best regards,
> Stefano
>
> > Signed-off-by: Ayrton Leyssens <ayrton.leyssens at scioteq.com>
> > ---
> >
> > common/spl/Kconfig | 29 +++++++++++++++++++++++++++++
> > common/spl/spl_mmc.c | 10 ++++++++++
> > 2 files changed, 39 insertions(+)
> >
> > diff --git a/common/spl/Kconfig b/common/spl/Kconfig index
> > bee231b583..2c0ffd4363 100644
> > --- a/common/spl/Kconfig
> > +++ b/common/spl/Kconfig
> > @@ -824,6 +824,25 @@ config SYS_MMCSD_FS_BOOT
> > Enable MMC FS Boot mode. Partition is selected by option
> > SYS_MMCSD_FS_BOOT_PARTITION.
> > +config SYS_MMCSD_FS_BOOT_PARTITION_FAILSAFE
> > + bool "Use MMC Boot Partition Failsafe"
> > + depends on SYS_MMCSD_FS_BOOT
> > + depends on SPL_ENV_SUPPORT
> > + default false
> > + help
> > + Use a redundant partition to load U-Boot from.
> > +
> > +config SYS_MMCSD_FS_BOOT_PARTITION_SELECTOR
> > + string "MMC Boot Partition Selector"
> > + depends on SYS_MMCSD_FS_BOOT
> > + depends on SYS_MMCSD_FS_BOOT_PARTITION_FAILSAFE
> > + default ""
> > + help
> > + Environment variable in U-Boot to use for the partition selection
> > + to boot U-Boot from.
> > + A 1 selects the "normal" partition, any other value selects the
> > + redundant partition.
> > +
> > config SYS_MMCSD_FS_BOOT_PARTITION
> > int "MMC Boot Partition"
> > depends on SYS_MMCSD_FS_BOOT @@ -833,6 +852,16 @@
> > config SYS_MMCSD_FS_BOOT_PARTITION
> > used in fs mode.
> > Use -1 as a special value to use the first bootable partition.
> > +config SYS_MMCSD_FS_BOOT_PARTITION_REDUNDANT
> > + int "MMC Boot Partition Redundant"
> > + depends on SYS_MMCSD_FS_BOOT
> > + depends on SYS_MMCSD_FS_BOOT_PARTITION_FAILSAFE
> > + default 2
> > + help
> > + Redundant Partition on the MMC to load U-Boot from when the
> MMC is being
> > + used in fs mode.
> > + Use -1 as a special value to use the first bootable partition.
> > +
> > config SPL_MMC_TINY
> > bool "Tiny MMC framework in SPL"
> > depends on SPL_MMC
> > diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c index
> > a665091b00..bf804fabcc 100644
> > --- a/common/spl/spl_mmc.c
> > +++ b/common/spl/spl_mmc.c
> > @@ -10,6 +10,7 @@
> > #include <log.h>
> > #include <part.h>
> > #include <spl.h>
> > +#include <env.h>
> > #include <linux/compiler.h>
> > #include <errno.h>
> > #include <asm/u-boot.h>
> > @@ -281,6 +282,7 @@ static int spl_mmc_do_fs_boot(struct
> spl_image_info *spl_image,
> > int err = -ENOSYS;
> > __maybe_unused int partition =
> > CONFIG_SYS_MMCSD_FS_BOOT_PARTITION;
> > + __maybe_unused int env_partition_selector = 0;
> > #if CONFIG_SYS_MMCSD_FS_BOOT_PARTITION == -1
> > {
> > @@ -303,7 +305,15 @@ static int spl_mmc_do_fs_boot(struct
> spl_image_info *spl_image,
> > }
> > }
> > #endif
> > +#ifdef CONFIG_SYS_MMCSD_FS_BOOT_PARTITION_FAILSAFE
> > + env_init();
> > + env_relocate();
> > + env_partition_selector =
> > +env_get_ulong(CONFIG_SYS_MMCSD_FS_BOOT_PARTITION_SELECTOR,
> 10, 0);
> > +
> > + if (env_partition_selector != 1)
> > + partition =
> > +CONFIG_SYS_MMCSD_FS_BOOT_PARTITION_REDUNDANT;
> > +#endif
> > #ifdef CONFIG_SPL_FS_FAT
> > if (!spl_start_uboot()) {
> > err = spl_load_image_fat_os(spl_image,
> > bootdev, mmc_get_blk_desc(mmc),
> > --
> > 2.25.1
>
> --
> ==========================================================
> ===========
> DENX Software Engineering GmbH, Managing Director: Erika Unter
> HRB 165235 Munich, Office: Kirchenstr.5, 82194 Groebenzell, Germany
> Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
> ==========================================================
> ===========
More information about the U-Boot
mailing list