Support A/B Firmware Update #110
passgat wants to merge 17 commits into STMicroelectronics:scarthgap
After commit 12d7661 ("WIC: use main image and split it on several partitions"), building core-image-full-cmdline fails because /usr/local is missing from the rootfs. Create the directory during base-files installation to restore the expected filesystem layout.
Fixes: 12d7661 ("WIC: use main image and split it on several partitions")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Kernel artifacts and extlinux configurations are currently listed in MACHINE_EXTRA_RRECOMMENDS. While ST-specific images satisfy these via dedicated packagegroups, standard core images (e.g., core-image-minimal or core-image-full-cmdline) do not, resulting in unbootable media. Moving these variables to MACHINE_ESSENTIAL_EXTRA_RDEPENDS ensures every image contains the minimum boot set. This is guaranteed by the standard packagegroup-core-boot, which natively includes this variable in its RDEPENDS list. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
U-Boot environment relies on a GPT type UUID, not a partition UUID. sdcard-raw-tools already consumed the value correctly, despite the misleading variable name. No functional change is intended. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
The partition type UUID recognized by U-Boot for its environment was
wrong. Use ${DEVICE_TYPEUUID_UBOOT_ENV} instead of hardcoding the
correct GPT type.
Fixes: 4a3fff0 ("WIC: adapt to firwmare update")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
FWU metadata relies on a GPT type UUID, not a partition UUID. sdcard-raw-tools already consumed the value correctly, despite the misleading variable name. No functional change is intended. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
U-Boot reads the FWU metadata correctly only when the partition type
UUID is set to 8a7a84a0-8387-40f6-ab41-a8b9a5a60d23.
Use ${DEVICE_PARTUUID_FWU_MDATA} instead of hardcoding the correct GPT
type.
Fixes: 4a3fff0 ("WIC: adapt to firwmare update")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
This patch defines extra partition UUIDs for boot and root filesystems, providing reference values for existing storage devices. These definitions are propedeutic to supporting dual bank A/B images. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
This patch adds support in Trusted Firmware-A to generate separate metadata for dual bank A/B systems on EMMC and SDCARD. The new metadata files include two additional images (for a total of three), which uniquely identify the bootfs and rootfs used in the bootup phase depending on the active bank. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Support fw-update-ab feature in MACHINE_FEATURES, building on the existing fw-update support. Enabling this feature allows the system to handle bootfs-a/b and rootfs-a/b partitions, providing the foundation for dual bank A/B firmware updates. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Add a series of patches required to support firmware update A/B handling on STM32MP25 platforms. The patches applied unconditionally are backward compatible. The STM32MP25-specific configuration introduced by patch 0004-feat-stm32mp2-enable-A-B-redundancy-support.patch is only applied when the fw-update-ab MACHINE_FEATURE is enabled, as it adjusts TF-A to support A/B redundancy. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Add a series of patches required to support firmware update A/B handling on STM32MP25 platforms. The series includes a mix of backports from upstream U-Boot and new patches developed for this integration. Some of the new changes are generic improvements and may be proposed upstream in the future. Most patches are applied unconditionally as they are backward compatible. The STM32MP25-specific configuration introduced by patch 0010-configs-stm32mp25-enable-A-B-support-with-multiple-F.patch is only applied when the fw-update-ab MACHINE_FEATURE is enabled, as it adjusts the FWU image configuration required by A/B redundancy systems. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
This patch installs fwumdata alongside the existing mkfwumdata tool. The fwumdata tool provides targeted manipulation of A/B system metadata, allowing updates to the active and previous bank indices and bank status without regenerating the entire metadata image. Currently, these operations could only be performed with mkfwumdata by rebuilding the full metadata image. The tool is still under review [1] by the U-Boot maintainers, but since it fills a missing capability for A/B metadata management, it's expected to land upstream soon.
[1] https://patchwork.ozlabs.org/project/uboot/list/?series=492982
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Install the configuration file loaded by fwumdata for proper access to metadata partitions. The configuration supports both the legacy single-image metadata format and the dual bank A/B metadata layout introduced for A/B systems. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Introduce a bootcount systemd service that updates the metadata partition to switch the current bank state from "valid" to "accepted" after a successful boot. When a bank is marked as "valid" following an update, TF-A enables a bootcount mechanism. If the updated bank is not confirmed as "accepted" within the expected number of boots, TF-A rolls back to the previous bank. The bootcount service determines the active bank at runtime and uses fwumdata to mark it as "accepted". On the next reboot, TF-A recognizes the bank as accepted and disables the bootcount mechanism. The complete boot flow and state transitions are described in [1] and [2], where mkfwumdata is used to manage metadata updates; using fwumdata in the validation script highlights how this management is simpler.
[1] https://wiki.st.com/stm32mpu/wiki/Secure_Firmware_Update
[2] https://wiki.st.com/stm32mpu/wiki/How_to_handle_secure_firmware_update
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Modify the ROOT overrides in the Extlinux configuration to support dual bank A/B systems. When the fw-update-ab feature is enabled, the root partition for EMMC and SDCARD targets is dynamically set, allowing the bootloader to select the appropriate active bank at boot time. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Add example WIC files for SD card images supporting dual bank A/B
systems, including separate partitions for bootfs-{a,b} and
rootfs-{a,b}.
For the metadata partitions, metadata-ab-sdcard.bin is installed,
containing the additional images allowing the bootloader to
unambiguously reference the bootfs and rootfs associated with the
active boot bank.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
When the fw-update-ab feature is enabled, the board configuration selects the corresponding A/B WIC file, ensuring the generated image matches the dual bank layout. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Hello Dario,
@BernardPuel Thanks for the update and for opening the internal ticket. Please note that for a correct validation this PR must be considered together with meta-st-openstlinux PR16 (STMicroelectronics/meta-st-openstlinux#16). Regarding the roadmap, when is the V7.0.0 release currently scheduled? I am also available to extend support to other MPU boards if needed. Please let me know. Thanks and regards
V6.2.1 Release is planned for mid-June (but Code Freeze is already done).
@passgat Hello, how do I use this PR in conjunction with swupdate? Do you have any examples?
@hyyoxhk Hello, I’ve successfully used this PR in conjunction with SWUpdate on a custom board. I am currently working on a new PR for meta-swupdate-boards to include a specific example for the stm32mp257f-ev1 board. As soon as that PR is ready, I will get back to you with the link and further details so you can use it as a reference. Thanks and regards,
Thank you for your reply. Looking forward to your masterpiece |
This series supports a native, flexible, and metadata-driven A/B update
implementation. The target is to provide a clean and robust implementation
where the boot workflow is strictly determined by FWU metadata and partitions
are uniquely identified via UUIDs.
While ST’s current documentation ([1], [2]) and the meta-st-ota layer provide
a useful starting point, they act more as a specific implementation rather
than a flexible design. They are tied to RAUC and rely on a "positional" logic,
assuming that partitions (like bootfs-a and bootfs-b) must follow a strict
physical order on the disk.
My contribution shifts this logic toward a purely metadata-driven approach.
By using the fwumdata tool (replacing the improper use of mkfwumdata) and
UUIDs, the system no longer cares where a partition is physically located or
which update manager (SWUpdate, RAUC, or any other) is being used.
Key Technical Highlights:
feature.
metadata fields, avoiding the risks of full binary regeneration via
mkfwumdata.
The physical order on the storage medium no longer impacts the boot success.
a successful boot.
To enable A/B firmware update, add to your configuration:
MACHINE_FEATURES += "fw-update-ab"
The implementation was validated on STM32MP257F-EV1 board by manually triggering
bank switches to simulate update cycles:
In both scenarios, the system correctly identified the active bank from metadata
and mounted the corresponding rootfs via dynamic EXTLINUX selection.
[1] https://wiki.st.com/stm32mpu/wiki/How_to_handle_secure_firmware_update
[2] https://wiki.st.com/stm32mpu/wiki/How_to_handle_secure_firmware_update#Yocto_layer
[3] https://patchwork.ozlabs.org/project/uboot/list/?series=492982
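Several commits in this series hinge on the difference between a GPT partition type UUID and a per-partition UUID. The following added example (not code from this PR, TF-A or U-Boot) parses constructed GPT partition entries in memory and shows that a lookup by type, which the commit message says U-Boot needs for FWU metadata, finds nothing when the same value sits in the partition-UUID field. The partition names "metadata1"/"metadata2", the LBAs and the partition UUIDs are constructed for illustration.

```python
import struct
import uuid

# GPT type UUID that the commit message says U-Boot needs on FWU metadata partitions.
FWU_MDATA_TYPE = uuid.UUID("8a7a84a0-8387-40f6-ab41-a8b9a5a60d23")
LINUX_FS_TYPE = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # generic Linux data

# GPT partition entry: type GUID, unique GUID, first LBA, last LBA, attributes, name.
ENTRY_FMT = "<16s16sQQQ72s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 128 bytes


def pack_entry(type_uuid, part_uuid, first_lba, last_lba, name):
    """Build one entry; GUIDs are stored mixed-endian, names as UTF-16LE."""
    return struct.pack(ENTRY_FMT, type_uuid.bytes_le, part_uuid.bytes_le,
                       first_lba, last_lba, 0, name.encode("utf-16-le"))


def parse_entries(table):
    """Yield (name, type UUID, partition UUID) for every used entry."""
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        t, p, _, _, _, raw = struct.unpack_from(ENTRY_FMT, table, off)
        if t == bytes(16):  # all-zero type GUID marks an unused slot
            continue
        yield (raw.decode("utf-16-le").rstrip("\x00"),
               uuid.UUID(bytes_le=t), uuid.UUID(bytes_le=p))


def find_by_type(table, type_uuid):
    return [n for n, t, _ in parse_entries(table) if t == type_uuid]


def find_by_partuuid(table, part_uuid):
    return [n for n, _, p in parse_entries(table) if p == part_uuid]


# Constructed sample tables (names, LBAs and partition UUIDs are made up).
GOOD_TABLE = (pack_entry(FWU_MDATA_TYPE, uuid.UUID(int=1), 34, 1057, "metadata1")
              + pack_entry(FWU_MDATA_TYPE, uuid.UUID(int=2), 1058, 2081, "metadata2")
              + pack_entry(LINUX_FS_TYPE, uuid.UUID(int=3), 2082, 9999, "rootfs-a")
              + bytes(ENTRY_SIZE))  # unused slot
# Constructed failure case: the value is written to the partition-UUID field instead.
BAD_TABLE = pack_entry(LINUX_FS_TYPE, FWU_MDATA_TYPE, 34, 1057, "metadata1")

if __name__ == "__main__":
    print("good:", find_by_type(GOOD_TABLE, FWU_MDATA_TYPE))
    print("bad by type:", find_by_type(BAD_TABLE, FWU_MDATA_TYPE))
    print("bad by partuuid:", find_by_partuuid(BAD_TABLE, FWU_MDATA_TYPE))
```

The same check can be run against the partition entry array of a generated image to confirm that both metadata partitions carry the expected type before flashing.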