[U-Boot] Updating a system

[U-Boot] Updating a system

[David Lynch Jr.]

	I need to setup a system so that it can boot a user web updateable
kernel/rootfs or a failsafe version. The process has to be manageable by
completely non-technical users and work from a single flash media - no
plugging in an SD card or USB stick to recover.
	Before I re-invent the wheel is there an existing scheme to manage
multiple boot choices with an automatic fallback to a failsafe ? 



-- 
Dave Lynch                                                  DLA Systems
Software Development:                                    Embedded Linux
717.587.7774           dhlii at dlasys.net    http://www.dlasys.net
Over 25 years' experience in platforms, languages, and technologies too
numerous to list.

"Any intelligent fool can make things bigger and more complex... It
takes a touch of genius - and a lot of courage to move in the opposite
direction."
Albert Einstein

[U-Boot] Updating a system

[Albert ARIBAUD]

Hi David,

Le 28/12/2010 08:54, David Lynch Jr. a ?crit :
> 	I need to setup a system so that it can boot a user web updateable
> kernel/rootfs or a failsafe version. The process has to be manageable by
> completely non-technical users and work from a single flash media - no
> plugging in an SD card or USB stick to recover.
> 	Before I re-invent the wheel is there an existing scheme to manage
> multiple boot choices with an automatic fallback to a failsafe ?

Depends what you mean by "fail-safe".

There is no way for a bootloader to detect "failures" in the OS and set 
of applications that it helps launching, at least no general, 
already-defined and 100%... fail-safe... way. You'll have to devise your 
own scheme for the bootloader to find out it should start the backup 
system instead of the main one. What U-boot can do for you here is 
provide tools to build this method.

One tool is support for OS and root Flash images which can be checked 
for integrity (e.g. images made with make uImage). When told to run such 
images, u-boot will check their integrity and run them only if 
unaltered; otherwise it'll go on executing whatever instruction follows. 
This allows you to at least not run a main system if corrupt; it even 
allows you to not run a corrput backup system, however what you would do 
next is you own lookout.

Another tool is the ability to store and retrieve a flag value which 
will persist across reboots and resets, both in u-boot and in linux, for 
instance you'd use some bytes of eeprom or a scratch register on a 
backed-up I2C RTC (mind the total power losses though!)

As a (very bad and incomplete) example, initially the flag value would 
be set to "PASS" and the main system would use a watchdog scheme which, 
in case of "failures", would set the flag value to "FAIL" and reset. 
Then in u-boot, commands executed from boootcmd would check the flag 
value and boot either the main (if PASS) or backup (if FAIL) system.

But as I said, these are only generic tools which can help making a 
system fail-safe.

Amicalement,
-- 
Albert.

[U-Boot] Updating a system

[David Lynch Jr.]

Sorry;
	Your sugestions are appreciated. I had not yet looked at some of the
u-boot capabilities you described.  
	But I am trying to find out if there is something approaching a
standard scheme for handling this - rather than going off and doing
something myself that is non-standard. 
	I have a fairly good grasp of what needs to and can be done if there is
no common solution already.
	 



On Tue, 2010-12-28 at 10:05 +0100, Albert ARIBAUD wrote:
> Hi David,
> 
> Le 28/12/2010 08:54, David Lynch Jr. a ?crit :
> > 	I need to setup a system so that it can boot a user web updateable
> > kernel/rootfs or a failsafe version. The process has to be manageable by
> > completely non-technical users and work from a single flash media - no
> > plugging in an SD card or USB stick to recover.
> > 	Before I re-invent the wheel is there an existing scheme to manage
> > multiple boot choices with an automatic fallback to a failsafe ?
> 
> Depends what you mean by "fail-safe".
> 
> There is no way for a bootloader to detect "failures" in the OS and set 
> of applications that it helps launching, at least no general, 
> already-defined and 100%... fail-safe... way. You'll have to devise your 
> own scheme for the bootloader to find out it should start the backup 
> system instead of the main one. What U-boot can do for you here is 
> provide tools to build this method.
> 
> One tool is support for OS and root Flash images which can be checked 
> for integrity (e.g. images made with make uImage). When told to run such 
> images, u-boot will check their integrity and run them only if 
> unaltered; otherwise it'll go on executing whatever instruction follows. 
> This allows you to at least not run a main system if corrupt; it even 
> allows you to not run a corrput backup system, however what you would do 
> next is you own lookout.
> 
> Another tool is the ability to store and retrieve a flag value which 
> will persist across reboots and resets, both in u-boot and in linux, for 
> instance you'd use some bytes of eeprom or a scratch register on a 
> backed-up I2C RTC (mind the total power losses though!)
> 
> As a (very bad and incomplete) example, initially the flag value would 
> be set to "PASS" and the main system would use a watchdog scheme which, 
> in case of "failures", would set the flag value to "FAIL" and reset. 
> Then in u-boot, commands executed from boootcmd would check the flag 
> value and boot either the main (if PASS) or backup (if FAIL) system.
> 
> But as I said, these are only generic tools which can help making a 
> system fail-safe.
> 
> Amicalement,