This feature does not quite fit within the A/B flow.
The intent of A/B is to provide an automatic rollback option for broken
OTAs. Once an OTA has been applied, the slot may not boot for a number
of reasons (power loss, broken package, etc.), and it is important to
make consistent attempts to boot to the new slot rather than find *a*
bootable slot (otherwise, the update may not take).
Note that once a slot has been marked bootable, encryption keys are
upgraded, and old slots will not work. Trying to rotate between slots
is not likely to succeed.
Note that Android ensures that the active slot always has the
highest priority. In the current u-boot implementation, this affords no
possibility of rollback.
To match the expected A/B flow, this patch makes the following changes:
- When initializing the BCB, set the "_a" slot to have the highest
  priority.
- Pick the highest priority slot that has been marked successful OR has
  boot tries remaining.
- If no such slot exists, the system is not bootable.
Link: https://android-review.googlesource.com/c/platform/external/u-boot/+/1446442
Signed-off-by: Guillaume La Roque <glaroque@baylibre.com>
The slot rollback system is intended for normal boot failures after an
OTA, and therefore, we should not attempt to change slots based on a
failure to boot to recovery (or any other non-normal boot sequence).
Signed-off-by: Ram Muthiah <rammuthiah@google.com>
Link: https://android-review.googlesource.com/c/platform/external/u-boot/+/1446441
Signed-off-by: Guillaume La Roque <glaroque@baylibre.com>
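
The selection rule from the two commit messages above, as an added example that is not code from these commits or from U-Boot. The struct, function names, limits (15, 7) and the `normal_boot` flag are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified per-slot A/B metadata. Names and limits are assumptions
 * made for this example, not U-Boot's own definitions. */
struct ab_slot {
	uint8_t priority;
	uint8_t tries_remaining;
	uint8_t successful_boot;	/* set once the slot has booted */
};

#define AB_MAX_PRIORITY	15
#define AB_MAX_TRIES	7

/* Fresh metadata: "_a" (index 0) gets the highest priority. */
void ab_init(struct ab_slot *slots, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		slots[i].priority = i ? AB_MAX_PRIORITY - 1 : AB_MAX_PRIORITY;
		slots[i].tries_remaining = AB_MAX_TRIES;
		slots[i].successful_boot = 0;
	}
}

/* Index of the slot to boot, or -1 when the system is not bootable.
 * Only a normal boot spends a try of a not-yet-successful slot. */
int ab_select(struct ab_slot *slots, size_t n, int normal_boot)
{
	int best = -1;

	for (size_t i = 0; i < n; i++) {
		if (!slots[i].successful_boot && !slots[i].tries_remaining)
			continue;	/* neither successful nor tries left */
		if (best < 0 || slots[i].priority > slots[best].priority)
			best = (int)i;
	}
	if (best >= 0 && normal_boot && !slots[best].successful_boot)
		slots[best].tries_remaining--;
	return best;
}

int main(void)
{
	/* Constructed state after an OTA to "_b" that never boots. */
	struct ab_slot s[2] = { { 14, 0, 1 }, { 15, AB_MAX_TRIES, 0 } };

	for (int boot = 1; boot <= AB_MAX_TRIES + 1; boot++)
		printf("boot %d -> slot %d\n", boot, ab_select(s, 2, 1));
	return 0;
}
```

The new slot is retried until its tries run out, and only then does selection fall back to the previously successful slot.
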
We should not be using typedefs and these make it harder to use
forward declarations (to reduce header file inclusions). Drop the typedef.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present dm/device.h includes the linux-compatible features. This
requires including linux/compat.h which in turn includes a lot of headers.
One of these is malloc.h which we thus end up including in every file in
U-Boot. Apart from the inefficiency of this, it is problematic for sandbox
which needs to use the system malloc() in some files.
Move the compatibility features into a separate header file.
Signed-off-by: Simon Glass <sjg@chromium.org>
Drop inclusion of crc.h in common.h and use the correct header directly
instead.
With this we can drop the conflicting definition in fw_env.h and rely on
the crc.h header, which is already included.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
This patch determines the A/B-specific bootloader message structure
that is the basis for implementation of recovery and A/B update
functions. A/B metadata is stored in this structure and used to decide
which slot we should use to boot the device. Also some basic functions
for A/B metadata manipulation are implemented (like slot selection).
The patch was extracted from commits [1], [2] with some coding style
fixes.
[1] https://android-review.googlesource.com/c/platform/external/u-boot/+/729878/2
[2] https://android-review.googlesource.com/c/platform/external/u-boot/+/729880/2
Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>