This patch makes the update to Nand robust against power
failures. With this we make sure that during every step of the
update at least one of the two images on Nand is readable and
valid.
Also this patch makes it possible to refresh/repair the boot
images on Nand. This may become necessary when a previous update
has been interrupted due to a power cut, or when the number of
bitflips is near to the number we can correct. This is also done
in a way that allows power cuts at every step.
We assume the following layout in the Nand flash:

fwmaxsize = (n_blocks - 4) / 2

block

0              ----------------------
               | FCB/DBBT 0         |
1              ----------------------
               | FCB/DBBT 1         |
2              ----------------------
               | FCB/DBBT 2         |
3              ----------------------
               | FCB/DBBT 3         |
4              ----------------------
               | Firmware slot 0    |
4 + fwmaxsize  ----------------------
               | Firmware slot 1    |
               ----------------------

When the layout found on the device differs from the above the update
won't be robust, but nevertheless works. Since the layout is changed
to the above during the update, the next update will be robust.
Here's the strategy we use to implement a robust update:
The FCBs contain pointers to the firmware slots in the
Firmware1_startingPage and Firmware2_startingPage fields. Note that
Firmware1_startingPage doesn't necessarily point to slot 0. We
exchange the pointers during update to atomically switch between the
old and the new firmware.
- We read the first valid FCB and the firmware slots.
- We check which firmware slot is currently used by the ROM:
  - if no FCB is found or its layout differs from the above layout,
    continue without robust update
  - if only one firmware slot is readable, the ROM uses it
  - if both slots are readable, the ROM will use slot 0
- Step 1: erase/update the slot currently unused by the ROM
- Step 2: Update FCBs/DBBTs, thereby letting Firmware1_startingPage
          point to the slot we just updated. From this moment
          on the new firmware will be used and running a
          refresh/repair after a power failure after this
          step will complete the update.
- Step 3: erase/update the other firmware slot
- Step 4: Eventually write FCBs/DBBTs again. This may become
          necessary when step 3 revealed new bad blocks.
Refreshing the firmware which is needed when blocks
become unreadable due to read disturbance works the same way,
only that the new firmware is the same as the old firmware
and that it will only be written when reading from the device
returns -EUCLEAN indicating that a block needs to be
rewritten.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
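
The update strategy in the commit message above, as an added example that is not barebox code: a small model that cuts power after every elementary operation and checks that the device still boots either the old or the new firmware. The `struct nand` model, the function names, and the assumption that the ROM boots the slot Firmware1_startingPage points to and falls back to the other slot are constructed for illustration; the FCB switch is modelled as a single atomic operation.

```c
#include <stdbool.h>
/* Constructed model, not barebox code. Slot value 0 = erased or unreadable. */
struct nand {
	int slot[2];	/* contents of firmware slot 0 and slot 1 */
	int primary;	/* slot Firmware1_startingPage points to */
};

/* Assumption: the ROM boots the primary slot and falls back to the other. */
static int rom_boot(const struct nand *n)
{
	return n->slot[n->primary] ? n->slot[n->primary] : n->slot[!n->primary];
}

/* Run the update but lose power after `cut` operations; return what boots next. */
static int update_with_power_cut(struct nand *n, int new_fw, int cut)
{
	int unused = n->slot[n->primary] ? !n->primary : n->primary;
	int op = 0;
	if (op++ < cut) n->slot[unused] = 0;		/* step 1: erase unused slot */
	if (op++ < cut) n->slot[unused] = new_fw;	/* step 1: write new image */
	if (op++ < cut) n->primary = unused;		/* step 2: switch FCB pointer */
	if (op++ < cut) n->slot[!unused] = 0;		/* step 3: erase other slot */
	if (op++ < cut) n->slot[!unused] = new_fw;	/* step 3: write new image */
	return rom_boot(n);
}

/* Refresh/repair: rewrite the slot the ROM does not boot from the one it does. */
static void repair(struct nand *n)
{
	int used = n->slot[n->primary] ? n->primary : !n->primary;
	n->slot[!used] = n->slot[used];
}

/* Cut power at every point; the device must boot old or new firmware each time. */
static bool always_bootable(int old_fw, int new_fw)
{
	for (int cut = 0; cut <= 5; cut++) {
		struct nand n = { { old_fw, old_fw }, 0 };
		int booted = update_with_power_cut(&n, new_fw, cut);
		if (booted != (cut >= 3 ? new_fw : old_fw))
			return false;	/* old before the FCB switch, new after it */
		repair(&n);
		if (n.slot[0] != booted || n.slot[1] != booted)
			return false;	/* repair must leave two identical images */
	}
	return true;
}

int main(void) { return always_bootable(1, 2) ? 0 : 1; }
```
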
When writing to a block fails the update handler fails relatively
silently. Print an error message in this case.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Positive return values of imx_bbu_write_firmware() so far indicate
the last block that has been written to. This value is unused, so
return values > 0 to indicate if there are new bad blocks. This
information can be used in the next step to know if the DBBT has
to be rewritten.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Instead of writing the FCBs/DBBTs on every update write them
only if they have changed or if a block needs cleanup (returns
-EUCLEAN)
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Instead of erasing the whole partition on update entry, erase the areas
separately when we actually want to write them. This is done as a step
towards robust update.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
With this patch we verify the firmware written to the NAND and thus
can react on write failures. We torture the block and if it went
bad we mark it as bad.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Some SoCs allow storing multiple boot images on a device in order to
improve robustness. This adds a -r option to barebox_update to indicate
we do not want to make an update but instead repair/refresh an existing
image. Handlers which want to support this feature must set the
BBU_HANDLER_CAN_REFRESH flag during registration.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Automatically mount the path that is also used for net booting by
default to /mnt/nfs.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
The build of bareboximd-target tool fails on sandbox architecture:
CC scripts/bareboximd-target
/tmp/ccoGPulo.o: In function `imd_concat_strings':
scripts/../common/imd.c:216: undefined reference to `barebox_malloc'
/tmp/ccoGPulo.o: In function `read_file_2':
scripts/bareboximd.c:68: undefined reference to `barebox_open'
scripts/bareboximd.c:74: undefined reference to `barebox_lseek'
scripts/bareboximd.c:84: undefined reference to `barebox_lseek'
scripts/bareboximd.c:90: undefined reference to `barebox_malloc'
scripts/bareboximd.c:99: undefined reference to `barebox_read'
scripts/bareboximd.c:119: undefined reference to `barebox_free'
scripts/bareboximd.c:121: undefined reference to `barebox_close'
/tmp/ccoGPulo.o: In function `imd_command':
scripts/../common/imd.c:292: undefined reference to `barebox_printf'
scripts/../common/imd.c:319: undefined reference to `barebox_printf'
scripts/../common/imd.c:322: undefined reference to `barebox_free'
scripts/../common/imd.c:324: undefined reference to `barebox_printf'
/tmp/ccoGPulo.o: In function `usage':
scripts/bareboximd.c:134: undefined reference to `barebox_printf'
collect2: error: ld returned 1 exit status
scripts/Makefile:58: recipe for target 'scripts/bareboximd-target' failed
See also
commit d4aa015033
Author: Alexander Aring <alex.aring@gmail.com>
Date: Tue Nov 19 02:08:13 2013 +0100
common: add dependency !SANDBOX on target tools
The build of target tools fails on sandbox architecture.
We don't need any target tools in this case, so add a dependency.
Signed-off-by: Antony Pavlov <antonynpavlov@gmail.com>
Cc: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Part of the barebox code and variables are put in separate sections
(.barebox* and .initcall*). When this code is compiled as position
independent code then the compiler creates corresponding .rela.barebox* and
.rela.initcall* sections with the relocation table entries.
These sections don't match the .rela.data* wildcard in the linker script.
As a result, they are not added to the .rela section during linking but are
added individually after it instead. And when the EFI binary is created
from the ELF binary, these sections are not copied.
This has two side effects:
1. The corresponding relocations are not handled by the generic relocation
code. 'fixup_tables()' was added to do these relocations manually.
2. In the DYNAMIC section, the RELASZ entry contains the total size of
relocations in bytes. This includes the .rela.barebox* and .rela.initcall*
sections. This value is not modified when the EFI binary is created. So the
value is too large.
The generic relocation code in _relocate() used this value when iterating
over all relocation entries. With the wrong RELASZ value it iterates beyond
the end of the .rela section into uninitialized memory. After power-on this
memory is zero and the relocation code interprets this as 'nothing to do',
so there is no visible effect. After a soft reset, random data in that area
may produce a seemingly valid relocation entry, a random address is
modified and barebox crashes.
This patch adds the .rela.barebox* and .rela.initcall* sections to the
normal .rela section. The RELASZ now contains the correct size and the
generic relocation code works correctly. 'fixup_tables()' must be removed
at the same time to avoid relocating these entries twice.
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
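
The failure mode described in the commit message above, as an added example that is not barebox's `_relocate()`: a relocation loop bounded only by RELASZ walks past the real table, which is harmless over zeroed memory and corrupting over stale data. The table contents, addresses and the `boot()` helper are constructed; only the Elf64_Rela layout and the R_X86_64_RELATIVE value are standard.

```c
#include <stddef.h>
#include <stdint.h>

#define R_X86_64_RELATIVE 8	/* type 0 is R_X86_64_NONE */

struct rela { uint64_t offset, info; int64_t addend; };	/* Elf64_Rela layout */

/* Apply relative relocations to `image`, loaded at `base`. `relasz` is the
 * table size in bytes as read from DT_RELASZ. Returns entries applied. */
static int relocate(uint64_t *image, const struct rela *tab, size_t relasz,
		    uint64_t base)
{
	int applied = 0;

	for (size_t i = 0; i < relasz / sizeof(*tab); i++) {
		if ((tab[i].info & 0xffffffff) != R_X86_64_RELATIVE)
			continue;	/* zeroed memory reads as R_X86_64_NONE */
		image[tab[i].offset / 8] = base + (uint64_t)tab[i].addend;
		applied++;
	}
	return applied;
}

/* Constructed scenario: 2 real entries in .rela, followed by 2 entries'
 * worth of memory that a too-large RELASZ makes the loop walk into.
 * `stale` selects soft-reset leftovers instead of power-on zeros.
 * Returns image[3], a word that no real relocation touches. */
static uint64_t boot(size_t relasz_entries, int stale)
{
	uint64_t image[4] = { 0, 0, 0, 0x1234 };
	struct rela mem[4] = {
		{ 0, R_X86_64_RELATIVE, 0x10 },
		{ 8, R_X86_64_RELATIVE, 0x20 },
	};

	if (stale)	/* leftover bytes that happen to decode as a relocation */
		mem[3] = (struct rela){ 24, R_X86_64_RELATIVE, 0x666 };
	relocate(image, mem, relasz_entries * sizeof(mem[0]), 0x1000);
	return image[3];
}

int main(void) { return boot(2, 1) == 0x1234 ? 0 : 1; }
```
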
With imd we can store metadata in barebox images. Let's use this
information to further verify that the image that is to be flashed
is the correct one. This patch extracts the device tree compatible
from the image and compares it with the one from the currently
running barebox. If it doesn't match the update is aborted with a
warning.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
This adds a command to flip bits in a Nand flash. This is useful for
testing purposes to check if flipped bits are corrected and if the
driver returns the correct number of bitflips.
The command writes a configurable number of bitflips to a single Nand
page. If the -r option is not given the results are reproducible, so
calling the same command twice will revert the bitflips.
The command uses the raw read/write Nand operations which are probably
less tested than the regular read/write operations, so the command may
produce surprising results.
As of writing the command has been tested with the GPMI Nand driver and
the imx-nand driver with fixes posted.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
This makes the UBI debug options configurable. This makes the debug
options actually available to the user and also allows the compiler
to optimize away the debug code when the options are disabled.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
The mtd-peb API provides a torture test derived from the UBI torture
test. Use it. Since the mtd-peb variant of the torture test will also
mark a block as bad when the test fails this also makes a separate
ubi_io_mark_bad unnecessary.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
The only user of libmtd was ubiformat which now uses the mtd-peb API,
so remove the now unused libmtd.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
This changes ubiformat from the libmtd API to the mtd-peb API. This
makes the libmtd API unnecessary and it can be removed in the next
step.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Code which properly wants to handle Nand flash has to work
in a block based way since blocks are the entities that are erased or
may become bad. The regular mtd API works based on offsets in the device
which introduces unhandy 64bit arithmetics and the requirement to align
buffers to blocks.
This introduces the mtd peb API (PEB for physical Erase Block) which
allows the users to work in a block oriented way. The API is heavily
inspired by the UBI IO layer and in fact can replace parts thereof
later.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Empirical observations show that configuring INTCN=1, ECLK=0, EGFIL=0,
DOSF=1 on DS1341 puts the chip in the mode where it draws the least
amount of current.
Add code to configure DS1341 in such a way in case Barebox is the last
code that runs on the processor before being shut down.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Check obtained time for validity before returning it to the caller
the same way other RTC drivers do.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
The binary image generated by barebox contains an instruction at the
very beginning to jump over the header. However, when the image is
written to a SD card and the first 512 bytes are skipped in order to
preserve the partition table then this jump instruction is lost. Instead
of relying on the jump instruction at the image beginning calculate
the image entry from the i.MX header instead of relying on the beginning
of the image being the entry point.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
All i.MX images are nowadays built with the imx-image tool, so we do not
need the header files and Kconfig options anymore. Remove them.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
On i.MX6 a single chipselect can have 4GiB. In this case the calculation
for CS0_end overflows the 7 bit field. Clamp it to 127, the maximum
supported value.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
On i.MX6 a single chipselect can have 4GiB, which overflows a 32bit
type, so imx6_mmdc_sdram_size() must return a u64 to support this case.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
The current vector table setup has some shortcomings. First of all
currently the case when the high vectors are inside SDRAM (that is,
SDRAM reaches the end of the address space) is not supported. In this
case we create a secondary page table for the section containing the
vectors which gets overwritten by the general SDRAM secondary page
table entries creation afterwards. On ARMv7 and later the exception
table setup can be improved: Here the vector table address is configurable
in the VBAR register. We can use this register to skip remapping the
vector table.
With this patch we first try to use the VBAR register before doing
something else. Also, when we have to use the high vectors we first
try a request_sdram_region to test if the vector table memory is already
mapped. While at it sprinkle some comments into the code.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
The last 64KiB of address space may be used for the vector table at
0xffff0000, so we cannot use it for barebox. The easiest way to achieve
this is to never use the last 64KiB of memory.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
When SDRAM reaches to the end of the address space the comparison
membase + memsize evaluates to 0, so pc - membase < memsize can never
be true. Fix this by subtracting membase on both sides of the
comparison.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
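
The wraparound from the last commit message, as an added example that is not barebox code: a range check that computes the end address first, next to the form that subtracts membase on both sides. The function names and the `uint32_t` model of a 32-bit address space are assumptions, as is the exact shape of the check before the fix.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed shape of the check before the fix: the end address is computed
 * first, and membase + memsize wraps to 0 when SDRAM ends at 4 GiB. */
static bool in_sdram_wrapping(uint32_t pc, uint32_t membase, uint32_t memsize)
{
	return pc >= membase && pc < membase + memsize;
}

/* Fixed form: subtract membase on both sides, so no sum can overflow.
 * pc - membase cannot underflow because pc >= membase is tested first. */
static bool in_sdram(uint32_t pc, uint32_t membase, uint32_t memsize)
{
	return pc >= membase && pc - membase < memsize;
}

int main(void)
{
	/* Constructed case: 1 GiB of SDRAM ending exactly at the top of the
	 * 32-bit address space, pc inside it. */
	return in_sdram(0xc0100000u, 0xc0000000u, 0x40000000u) ? 0 : 1;
}
```
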