bootutil: Add support for devices without erase #2114
Conversation
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
15 times, most recently
from
cf8def0 to
03ac085
Compare
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
from
03ac085 to
b96fe4a
Compare
boot/bootutil/src/bootutil_priv.h
Outdated
| int boot_erase_region(const struct flash_area *fap, uint32_t off, uint32_t sz); | ||
| /* SImilar to boot_erase_region but will alwasy remove data */ |
boot/bootutil/src/loader.c
Outdated
| uint8_t buf[BOOT_MAX_ALIGN]; | ||
| size_t size_done = 0; | ||
|
|
||
| memset(buf, flash_area_erased_val(fa), sizeof(buf)); | ||
|
|
||
| while (size_done < size) { | ||
| ret = flash_area_write(fa, size_done + off, buf, sizeof(buf)); | ||
| if (ret != 0) { | ||
| break; | ||
| } | ||
| size_done += sizeof(buf); | ||
| } |
There was a problem hiding this comment.
this just assumes max align will not overflow the size but makes no checks to ensure that, it should reduces buffer on final write to ensure it does not overflow
There was a problem hiding this comment.
Yes, that was intentional as I have assumes that MCUboot should write at BOOT_MAX_ALIGN pace anyway, but maybe that should be fixed.
boot/bootutil/src/loader.c
Outdated
| } else { | ||
| size = MAX(sizeof(((struct image_header *)0)->ih_magic), | ||
| BOOT_MAX_ALIGN); | ||
| size = (size + BOOT_MAX_ALIGN - 1) & ~(BOOT_MAX_ALIGN - 1); |
There was a problem hiding this comment.
This should do the same for footer data because it might contain swap status or mcuboot flags for swapping images and those should always be cleared
There was a problem hiding this comment.
Ah right, header and slot trailer are verified separately.
boot/zephyr/Kconfig
Outdated
| The same can be achieved with just removal of header, leaving the | ||
| rest of image untouched, as without header MCUboot will not be able | ||
| to recognize image in slot as bootable. |
boot/bootutil/src/bootutil_public.c
Outdated
| #if !defined(CONFIG_MCUBOOT) && defined(__ZEPHYR__) | ||
| flash_area_flatten(fa, 0, flash_area_get_size(fa)); | ||
| #else |
There was a problem hiding this comment.
think it was mentioned in a previous PR that OS specific code should not be present in here
There was a problem hiding this comment.
I can fix that although MCUboot has significant problem where we are coupled with Flash Map API which means that this has to be replaced with a function that is implemented for every supported system. I will figure way around.
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
from
b96fe4a to
269f9e2
Compare
de-nordic
requested review from
almir-okato,
romanjoe and
d3zd3z
as code owners
|
Converting to draft; after significant changes I need to re-test this on devices. |
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
4 times, most recently
from
75494c5 to
5a405e7
Compare
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
3 times, most recently
from
693327f to
cec59f0
Compare
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
from
cec59f0 to
8b23727
Compare
de-nordic
added
area: zephyr
boot/bootutil/src/loader.c
Outdated
| int ret = 0; | ||
|
|
||
| /* Whether device with erase or not, without minimal scramble | ||
| * removing deata in entire slot. |
boot/bootutil/src/loader.c
Outdated
|
|
||
| /* Corrected offset and size of current sector to erase */ | ||
| off = flash_sector_get_off(§or); | ||
| cs = flash_sector_get_size(§or); |
There was a problem hiding this comment.
would rename from cs as I keep thinking chip select
boot/bootutil/src/swap_misc.c
Outdated
| slot = BOOT_PRIMARY_SLOT; | ||
| } else if (flash_area_get_id(fap) == fa_id_secondary) { | ||
| slot = BOOT_SECONDARY_SLOT; | ||
| /* delete starting from last sector and moving to beginning */ |
boot/bootutil/src/swap_misc.c
Outdated
| int fa_id_secondary; | ||
| uint8_t image_index; | ||
|
|
||
| BOOT_LOG_DBG("erasing trailer; fa_id=%d", flash_area_get_id(fap)); |
There was a problem hiding this comment.
| BOOT_LOG_DBG("erasing trailer; fa_id=%d", flash_area_get_id(fap)); | |
| BOOT_LOG_DBG("Erasing trailer; fa_id=%d", flash_area_get_id(fap)); |
Would be nice to fix the text whilst we're here
boot/bootutil/src/swap_misc.c
Outdated
| } else { | ||
| return BOOT_EFLASH; | ||
| BOOT_LOG_DBG("erasing trailer not required; fa_id=%d", flash_area_get_id(fap)); |
There was a problem hiding this comment.
| BOOT_LOG_DBG("erasing trailer not required; fa_id=%d", flash_area_get_id(fap)); | |
| BOOT_LOG_DBG("Erasing trailer not required; fa_id=%d", flash_area_get_id(fap)); |
boot/bootutil/src/swap_misc.c
Outdated
| sector--; | ||
| total_sz += sz; | ||
| } while (total_sz < trailer_sz); | ||
| BOOT_LOG_DBG("scrambling trailer; fa_id=%d", flash_area_get_id(fap)); |
boot/bootutil/src/swap_misc.c
Outdated
|
|
||
| return rc; | ||
| /* delete starting from last sector and moving to beginning */ |
boot/zephyr/Kconfig
Outdated
| When this option is enabled, MCUboot will check for type of device | ||
| and will avoid erase where not needed. | ||
|
|
||
| # The depends on FLASH_HAS_EXPLICIT_ERASE is intentionlally missing for now |
There was a problem hiding this comment.
*intentionally. Also not sure on this, this option should not be deselectable if the device requires an erase
There was a problem hiding this comment.
You are not able to tell whether external device, that zephyr has configured driver for, is actually used by MCUboot
There was a problem hiding this comment.
it really should have been a dts property, making it kconfig was a bad choice
There was a problem hiding this comment.
No. It was right choice.
Making it DTS property would require to make it Kconfig at some point anyway, otherwise you would not be able to tune your subsystems according to what hardware has to offer, or rather what drivers are supporting.
Also, you can have, as I do, drivers that have no DTS entries but can still set Kconfigs to tune subsystems that use them.
There was a problem hiding this comment.
dts means it can be used from inside of Kconfig and cmake and it is known per driver, having it at Kconfig means you have no clue about per driver. It is a hardware feature, not a software feature.
# Workaround for not being able to have commas in macro arguments
DT_CHOSEN_Z_CODE_PARTITION := zephyr,code-partition
config FLASH_LOAD_SIZE
default $(dt_chosen_reg_size_hex,$(DT_CHOSEN_Z_CODE_PARTITION))
depends on BOARD_LPCXPRESSO55S28 && TRUSTED_EXECUTION_SECURE
Like above, you can always get per instance in kconfig from dts also
There was a problem hiding this comment.
I have a clue, because I can look at the Kconfig symbol and see what is selecting it, except things picked by ${dt_} macros, which just evaluate to value and you can not tell where they come from, until you open Kconfig, identify the DT, and then search for generated DTS file to figure out. That happens per driver.
Symbols currently y-selecting this symbol:
- NORDIC_QSPI_NOR
- SOC_FLASH_NRF
It is true that erase is hardware feature (or rather problem), but Kconfig exposes here that certain feature exists, is exposed by software/driver, and should be potentially addressed.
Following the example you have provided we can always do this:
config FLASH_HAS_HAS_SOME_FEATURE
default $(dt_compat_any_has_prop, some-prop)
as well as we can just avoid it and go with directly setting the Kconfig by driver, because driver itself will be filtered out if there is no DTS option for it (usually, if driver has proper depends).
Problem with selecting things via ${dt_} macros is that you either have to add a lot of different compat, one per feature, or introduce device classes, because properties have common name space and "some-prop" existing in flash device can not be easily distinguished from "some-prop" in, for example, modem.
And still after having all the information you only know whether there is any device that has a feature but it is up to you to figure out if anything uses it and disable path that don't.
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
2 times, most recently
from
4e2073d to
c8bc87f
Compare
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
from
c8bc87f to
4916f7f
Compare
| *size = flash_sector_get_size(§or); | ||
| } else { | ||
| /* For device not requiring erase align to write block */ | ||
| *size = ALIGN_UP(sizeof(((struct image_header *)0)->ih_magic), write_block); |
There was a problem hiding this comment.
this does not work for swap using offset
| return ret; | ||
| } | ||
|
|
||
|
|
| size = flash_area_get_size(fa); | ||
| ret = boot_scramble_region(fa, 0, size); | ||
| #else | ||
|
|
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
4 times, most recently
from
c8cbd2e to
eea1ddf
Compare
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
2 times, most recently
from
0b688f9 to
047fc91
Compare
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
from
047fc91 to
d3300c7
Compare
Getter for sector size stored in flash_sector object. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The commit adds two MCUboot configuration options: - MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE - MCUBOOT_SUPPORT_DEV_WITH_ERASE - MCUBOOT_MINIMAL_SCRAMBLE The first one should be enabled to support devices that do not require erase. When such devices are used in system then MCUboot will avoid erasing such device, which is not needed by hardware, and will just write data to it. This allows to both improve device lifetime and reduce time of operations like swap. The second option is just bringing a configuration option for already existing support for deviceses with erase. The third option allows to reduce amount of removed data. When enabled, MCUboot will remove enough of data, depending on the purpose of the removal, to just fulfill the purpose; for example if removal of data is done to make image unrecognizable for MCUboot, with this option, it will only remove header. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Add Kconfig options:
- CONFIG_MCUBOOT_STORAGE_WITHOUT_ERASE that enables MCUboot
configuration MCUBOOT_SUPPORT_DEV_WITHOUT_ERASE
- CONFIG_MCUBOOT_STORAGE_WITH_ERASE that enables MCUboot
configuration MCUBOOT_SUPPORT_DEV_WITH_ERASE
- CONFIG_MCUBOOT_STORAGE_MINIMAL_SCRAMBLE that enables MCUboot
configuration MCUBOOT_MINIMAL_SCRAMBLE
Adds implementation of flash_area_erase_required, which is required when
MCUBOOT_STORAGE_DEV_WITHOUT_ERASE is enabled.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The intention of bs_custom_storage_erase is to remove data from device; to support devices that do not require erase, without calling erase, so that devices that do not implement such functions could work, the flash_area_erase has been replaced with flash_area_flatten. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
By default enable all other systems to work with devices that require erase prior to write. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
de-nordic
force-pushed
the
improve-no-erase-device-time
branch
from
d3300c7 to
31b267e
Compare
Commits:
- Zephyr: switch to boot_set_next, from flash_area_erase, for Zephyr builds of bootutil_public.The first MCUboot option allows to improve life time of devices for which erase is emulated by write, and is not really required by the device design and the second MCUboot option allows to just remove enough of data, where needed, by either reduced range of erase or reduced write; for example by scrambling only image header, rather than removing the entire image.
Tested on nrf52840dk and nrf54l15. In case of nrf54l it reduces swap time by half, in comparison to code using erase.
Note: Even though, finally,
swap_erase_trailer_sectorsis no longer used, I have left it there because it may be used in the future.I have left a Note around
swap_status_initfunction, that partially corresponds to this; it seems that in many places call toswap_scramble_trailer_sectors, whee followed byswap_status_init, should in reality beswap_erase_trailer_sectorsfulfilling hardware requirement for preparing device for write; the problem is thatswap_status_initinitializes only part of swap information, which means that if the region of entire swap info is not scrambled first, leftovers may lead to improper behaviour, for example test will not revert.There is re-design of
swap_status_initrequired to mitigate this, as in some paths the whole "init" may just mean removal of everything except information thatswap_status_initwould put there anyway, or combined init operation that would first remove no longer needed information than overwrite what should be re-initialized - but this requires further analysis.So far this PR works fine on devices that do not require erase as well as these that require erase before write.