i.MX7: eMMC boot failure fallback to other boot partition?

skrap
Contributor IV

Hello,

We are planning on using eMMC 5 for booting our i.MX7 custom board.  The software is field-upgradable, but must be able to fall back to the previous version if the upgrade is somehow nonfunctional.

What's the best way to implement this functionality?

  • I see there's PERSIST_SECONDARY_BOOT (IMX7DRM section 6.6.5.3.5), but this seems tricky to use, as it is persistent.  Is there a way to enable the secondary boot behavior *once*, and have it revert for the next boot?
  • MMC has boot0 and boot1 partitions, and the ROM seems to read the ext_csd registers to determine which to boot from (per "Figure 6-32. Expansion Device (MMC) Boot Flow (2 of 6)").  However, as above, this is a persistent setting in the eMMC, right? (I actually can't find confirmation of this anywhere.)

I'd love to hear some guidance as to the most fail-proof booting strategy for software upgrades.  Thanks!

art
NXP Employee

This PERSIST_SECONDARY_BOOT bit can be set and cleared in software. The software, loaded from the selected boot partition, can check and set/clear it as required.

To use the redundant boot feature of the i.MX7 Boot ROM, the HAB image authentication procedure should be implemented, as described in Section 6.6.13 "High Assurance Boot (HAB)" of the i.MX7Dual Reference Manual.

If you don't want to use the i.MX7 HAB feature, the most reliable way of updating the firmware seems to be to use some general software-based approach, e.g. to have a small unchangeable part of primary bootloader code and multiple boot partitions. The primary bootloader should be able to authenticate the boot partitions' code/data somehow (e.g. by calculating a CRC) and then decide which boot partition's code to pass control to.


Have a great day,
Artur
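
An added example (not from the original post or from NXP) of the software-based approach described in the answer above: a fixed first-stage loader checks each boot slot's CRC and falls back to the other slot when the newest one is corrupt. The header layout, `SLOT_MAGIC` and all function names are hypothetical, and the sample images are constructed. A CRC catches accidental corruption such as an interrupted write, not deliberate modification, which needs signature-based authentication such as HAB.

```c
#include <stdint.h>
#include <string.h>

#define SLOT_MAGIC 0x544F4F42u /* hypothetical magic marking a written slot */
/* Hypothetical header the updater stores in front of each image. */
typedef struct { uint32_t magic, version, length, crc32; } slot_hdr_t;

/* Standard reflected CRC-32 (polynomial 0xEDB88320) over n bytes. */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Build a constructed sample image: header followed by payload. */
static void make_slot(uint8_t *slot, uint32_t version, const char *payload) {
    slot_hdr_t h = { SLOT_MAGIC, version, (uint32_t)strlen(payload), 0 };
    h.crc32 = crc32_calc((const uint8_t *)payload, h.length);
    memcpy(slot, &h, sizeof h);
    memcpy(slot + sizeof h, payload, h.length);
}

/* 1 if the slot holds a complete image whose CRC matches its header. */
static int slot_valid(const uint8_t *slot, size_t size, slot_hdr_t *h) {
    if (size < sizeof *h) return 0;
    memcpy(h, slot, sizeof *h);
    /* Reject a bad magic or a length that would read past the slot. */
    if (h->magic != SLOT_MAGIC || h->length > size - sizeof *h) return 0;
    return crc32_calc(slot + sizeof *h, h->length) == h->crc32;
}

/* Newest valid slot wins; returns 0, 1, or -1 when neither is bootable. */
int select_boot_slot(const uint8_t *s0, size_t n0, const uint8_t *s1, size_t n1) {
    slot_hdr_t h0, h1;
    int v0 = slot_valid(s0, n0, &h0), v1 = slot_valid(s1, n1, &h1);
    if (v0 && v1) return h1.version > h0.version ? 1 : 0;
    return v0 ? 0 : (v1 ? 1 : -1);
}

int main(void) {
    uint8_t a[64] = {0}, b[64] = {0};
    make_slot(a, 1, "old-firmware");
    make_slot(b, 2, "new-firmware");
    b[sizeof(slot_hdr_t)] ^= 0xFF; /* simulate an interrupted update of slot 1 */
    return select_boot_slot(a, sizeof a, b, sizeof b) != 0; /* exit 0: fell back */
}
```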

skrap
Contributor IV

Thanks, I'll have a look at HAB and see if that's usable for me.
