km: common: implement field fail-safe u-boot update
This patch provides possibility for field fail-safe u-boot updates.
The implementation can be used on all pg-wcom boards that are booting from
parallel NOR flash.
When used in a board design, provided check_for_uboot_update function will
start new u-boot at defined location if updateduboot envvar is set to yes.
With this implementation it is expected that factory programmed u-boot
will always stay as it is, and optionally new u-boot can be safely
programmed by embedded software when the unit is rolled out on the field.
It is expected check_for_uboot_update to be called early in execution
before relocation (*_f) once SoC is basically initialized and environment
can be read, with this possibilities to not be able to fix a u-boot bug by
a u-boot update are reduced to minimum.
Signed-off-by: Aleksandar Gerasimovski <aleksandar.gerasimovski@hitachienergy.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
diff --git a/board/keymile/common/common.c b/board/keymile/common/common.c
index ff07260..3999f48 100644
--- a/board/keymile/common/common.c
+++ b/board/keymile/common/common.c
@@ -19,6 +19,8 @@
#include <asm/io.h>
#include <linux/ctype.h>
#include <linux/delay.h>
+#include <linux/bug.h>
+#include <bootcount.h>
#if defined(CONFIG_POST)
#include "post.h"
@@ -76,6 +78,57 @@
return 0;
}
+#if CONFIG_IS_ENABLED(PG_WCOM_UBOOT_UPDATE_SUPPORTED)
+#if ((!CONFIG_IS_ENABLED(PG_WCOM_UBOOT_BOOTPACKAGE) && \
+ !CONFIG_IS_ENABLED(PG_WCOM_UBOOT_UPDATE)) || \
+ (CONFIG_IS_ENABLED(PG_WCOM_UBOOT_BOOTPACKAGE) && \
+ CONFIG_IS_ENABLED(PG_WCOM_UBOOT_UPDATE)))
+#error "It has to be either bootpackage or update u-boot image!"
+#endif
+void check_for_uboot_update(void)
+{
+ void (*uboot_update_entry)(void) =
+ (void (*)(void)) CONFIG_PG_WCOM_UBOOT_UPDATE_TEXT_BASE;
+ char *isupdated = env_get("updateduboot");
+ ulong bootcount = bootcount_load();
+ ulong ebootcount = 0;
+
+ if (IS_ENABLED(CONFIG_PG_WCOM_UBOOT_BOOTPACKAGE)) {
+ /*
+ * When running in factory burned u-boot move to the updated
+ * u-boot version only if updateduboot envvar is set to 'yes'
+ * and bootcount limit is not exceeded.
+ * Board must be able to start in factory bootloader mode!
+ */
+ if (isupdated && !strncmp(isupdated, "yes", 3) &&
+ bootcount <= CONFIG_BOOTCOUNT_BOOTLIMIT) {
+ printf("Check update: update detected, ");
+ printf("starting new image @%08x ...\n",
+ CONFIG_PG_WCOM_UBOOT_UPDATE_TEXT_BASE);
+ ebootcount = early_bootcount_load();
+ if (ebootcount <= CONFIG_BOOTCOUNT_BOOTLIMIT) {
+ early_bootcount_store(++ebootcount);
+ uboot_update_entry();
+ } else {
+ printf("Check update: warning: ");
+ printf("early bootcount exceeded (%lu)\n",
+ ebootcount);
+ }
+ }
+ printf("Check update: starting factory image @%08x ...\n",
+ CONFIG_SYS_TEXT_BASE);
+ } else if (IS_ENABLED(CONFIG_PG_WCOM_UBOOT_UPDATE)) {
+ /*
+ * When running in field updated u-boot, make sure that
+ * bootcount limit is never exceeded. Must never happen!
+ */
+ WARN_ON(bootcount > CONFIG_BOOTCOUNT_BOOTLIMIT);
+ printf("Check update: updated u-boot starting @%08x ...\n",
+ CONFIG_SYS_TEXT_BASE);
+ }
+}
+#endif
+
#if defined(CONFIG_SYS_I2C_INIT_BOARD)
static void i2c_write_start_seq(void)
{