bit_to_flip might be negative if any uncorrectable bitflips
occured. Use int instead of unsigned type in order to properly
propagate the error.
Signed-off-by: Lucas Stach <dev@lynxeye.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
This patch makes the update to Nand robust against power
failures. With this we make sure that during every step of the
update at least one of the two images on Nand is readable and
valid.
Also this patch makes it possible to refresh/repair the boot
images on Nand. This may become necessary when a previous update
has been interrupted due to a power cut, or when the number of
bitflips is near to the number we can correct. This is also done
in a way that allow power cuts at every step.
We assume the following layout in the Nand flash:
fwmaxsize = (n_blocks - 4) / 2
block
0 ----------------------
| FCB/DBBT 0 |
1 ----------------------
| FCB/DBBT 1 |
2 ----------------------
| FCB/DBBT 2 |
3 ----------------------
| FCB/DBBT 3 |
4 ----------------------
| Firmware slot 0 |
4 + fwmaxsize ----------------------
| Firmware slot 1 |
----------------------
When the layout found on the device differs from the above the update
won't be robust, but nevertheless works. Since the layout is changed
to the above during the update, the next update will be robust.
Here's the strategy we use to implement a robust update:
The FCBs contain pointers to the firmware slots in the
Firmware1_startingPage and Firmware2_startingPage fields. Note that
Firmware1_startingPage doesn't necessarily point to slot 0. We
exchange the pointers during update to atomically switch between the
old and the new firmware.
- We read the first valid FCB and the firmware slots.
- We check which firmware slot is currently used by the ROM:
- if no FCB is found or its layout differs from the above layout,
continue without robust update
- if only one firmware slot is readable, the ROM uses it
- if both slots are readable, the ROM will use slot 0
- Step 1: erase/update the slot currently unused by the ROM
- Step 2: Update FCBs/DBBTs, thereby letting Firmware1_startingPage
point to the slot we just updated. From this moment
on the new firmware will be used and running a
refresh/repair after a power failure after this
step will complete the update.
- Step 3: erase/update the other firmwre slot
- Step 4: Eventually write FCBs/DBBTs again. This may become
necessary when step 3 revealed new bad blocks.
Refreshing the firmware which is needed when when blocks
become unreadable due to read disturbance works the same way,
only that the new firmware is the same as the old firmware
and that it will only be written when reading from the device
returns -EUCLEAN indicating that a block needs to be
rewritten.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
When writing to a block fails the update handler fails relatively
silent. Print an error message in this case.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Positive return values of imx_bbu_write_firmware() so far indicate
the last block that has been written to. This value is unused, so
return values > 0 to indicate if there are new bad blocks. This
information can be used in the next step to know if the DBBT has
to be rewritten.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Instead of writing the FCBs/DBBTs on every update write them
only if they have changed or if a block needs cleanup (returns
-EUCLEAN)
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Instead of erasing the whole partition on update entry, erase the areas
separately when we actually want to write them. This is done as a step
towards robust update.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
With this patch we verify the firmware written to the NAND and thus
can react on write failures. We torture the block and if it went
bad we mark it as bad.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
The argument passed to dbbt_data_create() contains the number of blocks,
not the last block. This means we can exit the loop with '<' instead of
'<='
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
We used to write the second firmware right after the first
firmware. However, splitting the available space into two
equal regions has advantages: When we update barebox the next
time the generated FCB/DBBT blocks will be the same as with the
last update, so in case of power failure it is more likely that
we have valid data in one of the FCB/DBBT areas.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Now that we use a partition for the bootloader instead of
the whole NAND device we can erase it completely instead of
hardcoded 2MB.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
We used to put the FCB in the first two NAND blocks and the DBBT
in the third and fourth block. It's much more space efficient to
put the FCB and DBBT together into the same eraseblock in different
pages. This way we can store four FCBs and four DBBTs instead of
two only.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
The code can be used with slight modifications on i.MX28 aswell.
Add a i.MX28 registration function and move the differences to
function callbacks.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
We used to use nand0 device for storing barebox and made the assumption
that there is enough space at the beginning of the first device. Instead,
use the barebox partition directly. This requires that the partition
where barebox should be stored is named 'barebox', that is the case for
all boards currently.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Lucas Stach
Stefan Christ
Sascha Hauer