| Message ID | 20210630230801.290195-2-marex@denx.de |
|---|---|
| State | Deferred |
| Delegated to: | Stefano Babic |
| Headers | show |
| Series | [1/2] spl: mmc: Factor out eMMC boot partition selection code | expand |
Hello Marek, Am Donnerstag, den 01.07.2021, 01:08 +0200 schrieb Marek Vasut: > In case the iMX8M boot from eMMC boot partition and the primary image > is corrupted, the BootROM is capable of starting a secondary image in > the other eMMC boot partition as a fallback. I would like to ask a more general question. As I could not find information about that. What are the criteria for the BootROM to consider a image as corrupted? I remember on other platforms with NAND where it was a erased page or too many bitflips. What is it here with eMMC? Thanks, Teresa > > However, the BootROM leaves the eMMC BOOT_PARTITION_ENABLE setting as > it was, i.e. pointing to the boot partition containing the corrupted > image, and the BootROM does not provide any indication that this sort > of fallback occured. > > According to AN12853 i.MX ROMs Log Events, Rev. 0, May 2020, it is > possible to determine whether fallback event occurred by parsing the > ROM event log. In case ROM event ID 0x51 is present, fallback event > did occur. > > This patch implements ROM event log parsing and search for event ID > 0x51 for all iMX8M SoCs, and based on that corrects the eMMC boot > partition selection. This way, the SPL loads the remaining boot > components from the same eMMC boot partition from which it was > started, even in case of the fallback. > > Signed-off-by: Marek Vasut <marex@denx.de> > Cc: Faiz Abbas <faiz_abbas@ti.com> > Cc: Harald Seiler <hws@denx.de> > Cc: Lokesh Vutla <lokeshvutla@ti.com> > Cc: Simon Glass <sjg@chromium.org> > Cc: Fabio Estevam <festevam@gmail.com> > Cc: Peng Fan <peng.fan@nxp.com> > Cc: Stefano Babic <sbabic@denx.de> > Cc: Ye Li <ye.li@nxp.com> > --- > arch/arm/mach-imx/imx8m/soc.c | 61 > +++++++++++++++++++++++++++++++++++ > 1 file changed, 61 insertions(+) > > diff --git a/arch/arm/mach-imx/imx8m/soc.c b/arch/arm/mach- > imx/imx8m/soc.c > index 0c44022a6dc..92a71b6ba29 100644 > --- a/arch/arm/mach-imx/imx8m/soc.c > +++ b/arch/arm/mach-imx/imx8m/soc.c > @@ -571,6 +571,67 @@ enum boot_device get_boot_device(void) > } > #endif > > +#if defined(CONFIG_IMX8M) > +#include <spl.h> > +int spl_mmc_emmc_boot_partition(struct mmc *mmc) > +{ > + u32 *rom_log_addr = (u32 *)0x9e0; > + u32 *rom_log; > + u8 event_id; > + int i, part; > + > + part = default_spl_mmc_emmc_boot_partition(mmc); > + > + /* If the ROM event log pointer is not valid. */ > + if (*rom_log_addr < 0x900000 || *rom_log_addr >= 0xb00000 || > + *rom_log_addr & 0x3) > + return part; > + > + /* Parse the ROM event ID version 2 log */ > + rom_log = (u32 *)(uintptr_t)(*rom_log_addr); > + for (i = 0; i < 128; i++) { > + event_id = rom_log[i] >> 24; > + switch (event_id) { > + case 0x00: /* End of list */ > + break; > + /* Log entries with 1 parameter, skip 1 */ > + case 0x80: /* Start to perform the device > initialization */ > + case 0x81: /* The boot device initialization completes > */ > + case 0x8f: /* The boot device initialization fails */ > + case 0x90: /* Start to read data from boot device */ > + case 0x91: /* Reading data from boot device completes > */ > + case 0x9f: /* Reading data from boot device fails */ > + i += 1; > + continue; > + /* Log entries with 2 parameters, skip 2 */ > + case 0xa0: /* Image authentication result */ > + case 0xc0: /* Jump to the boot image soon */ > + i += 2; > + continue; > + /* Boot from the secondary boot image */ > + case 0x51: > + /* > + * Swap the eMMC boot partitions in case there > was a > + * fallback event (i.e. primary image was > corrupted > + * and that corruption was recognized by the > BootROM), > + * so the SPL loads the rest of the U-Boot from > the > + * correct eMMC boot partition, since the > BootROM > + * leaves the boot partition set to the > corrupted one. > + */ > + if (part == 1) > + part = 2; > + else if (part == 2) > + part = 1; > + continue; > + default: > + continue; > + } > + } > + > + return part; > +} > +#endif > + > bool is_usb_boot(void) > { > return get_boot_device() == USB_BOOT;
Hi, On Thu, 2021-07-01 at 01:08 +0200, Marek Vasut wrote: > In case the iMX8M boot from eMMC boot partition and the primary image > is corrupted, the BootROM is capable of starting a secondary image in > the other eMMC boot partition as a fallback. > > However, the BootROM leaves the eMMC BOOT_PARTITION_ENABLE setting as > it was, i.e. pointing to the boot partition containing the corrupted > image, and the BootROM does not provide any indication that this sort > of fallback occured. > > According to AN12853 i.MX ROMs Log Events, Rev. 0, May 2020, it is > possible to determine whether fallback event occurred by parsing the > ROM event log. In case ROM event ID 0x51 is present, fallback event > did occur. > > This patch implements ROM event log parsing and search for event ID > 0x51 for all iMX8M SoCs, and based on that corrects the eMMC boot > partition selection. This way, the SPL loads the remaining boot > components from the same eMMC boot partition from which it was > started, even in case of the fallback. > > Signed-off-by: Marek Vasut <marex@denx.de> > Cc: Faiz Abbas <faiz_abbas@ti.com> > Cc: Harald Seiler <hws@denx.de> > Cc: Lokesh Vutla <lokeshvutla@ti.com> > Cc: Simon Glass <sjg@chromium.org> > Cc: Fabio Estevam <festevam@gmail.com> > Cc: Peng Fan <peng.fan@nxp.com> > Cc: Stefano Babic <sbabic@denx.de> > Cc: Ye Li <ye.li@nxp.com> > --- > arch/arm/mach-imx/imx8m/soc.c | 61 +++++++++++++++++++++++++++++++++++ > 1 file changed, 61 insertions(+) > > diff --git a/arch/arm/mach-imx/imx8m/soc.c b/arch/arm/mach-imx/imx8m/soc.c > index 0c44022a6dc..92a71b6ba29 100644 > --- a/arch/arm/mach-imx/imx8m/soc.c > +++ b/arch/arm/mach-imx/imx8m/soc.c > @@ -571,6 +571,67 @@ enum boot_device get_boot_device(void) > } > #endif > > > +#if defined(CONFIG_IMX8M) > +#include <spl.h> > +int spl_mmc_emmc_boot_partition(struct mmc *mmc) > +{ > + u32 *rom_log_addr = (u32 *)0x9e0; > + u32 *rom_log; > + u8 event_id; > + int i, part; > + > + part = default_spl_mmc_emmc_boot_partition(mmc); > + > + /* If the ROM event log pointer is not valid. */ > + if (*rom_log_addr < 0x900000 || *rom_log_addr >= 0xb00000 || > + *rom_log_addr & 0x3) > + return part; > + > + /* Parse the ROM event ID version 2 log */ > + rom_log = (u32 *)(uintptr_t)(*rom_log_addr); > + for (i = 0; i < 128; i++) { > + event_id = rom_log[i] >> 24; > + switch (event_id) { > + case 0x00: /* End of list */ > + break; I assume your intention here is to break from the for loop? This `break` will only exit the switch statement, so the loop will continue running on the data following the "End of list". Or is this behavior intentional? In that case I'd find the use of `continue` in the other branches a bit odd, as `continue` and `break` do the same thing in this situation.
On 7/1/21 1:22 PM, Harald Seiler wrote: [...] >> + /* Parse the ROM event ID version 2 log */ >> + rom_log = (u32 *)(uintptr_t)(*rom_log_addr); >> + for (i = 0; i < 128; i++) { >> + event_id = rom_log[i] >> 24; >> + switch (event_id) { >> + case 0x00: /* End of list */ >> + break; > > I assume your intention here is to break from the for loop? This `break` > will only exit the switch statement, so the loop will continue running on > the data following the "End of list". Or is this behavior intentional? > In that case I'd find the use of `continue` in the other branches a bit > odd, as `continue` and `break` do the same thing in this situation. Nope, that should indeed be 'return part' here.
On 7/1/21 12:07 PM, Teresa Remmet wrote: Hi [...] > Am Donnerstag, den 01.07.2021, 01:08 +0200 schrieb Marek Vasut: >> In case the iMX8M boot from eMMC boot partition and the primary image >> is corrupted, the BootROM is capable of starting a secondary image in >> the other eMMC boot partition as a fallback. > > I would like to ask a more general question. As I could not find > information about that. What are the criteria for the BootROM to > consider a image as corrupted? > I remember on other platforms with NAND where it was a erased page or > too many bitflips. What is it here with eMMC? I didn't find much information on the unsigned images, so there I suspect it is just that parsing the IVT header fails, the DCD tag is missing, something along those lines. There is no checksum, so if there is a bitflip in the image itself, I can imagine it would go undetected. At least in the SPL part of flash.bin, the rest is fitImage and that has checksum. For signed images, if there is a bitflip, the signature would no longer be valid, so this could be used to detect image corruption. Maybe Peng (on CC) can clarify this better ? [...]
diff --git a/arch/arm/mach-imx/imx8m/soc.c b/arch/arm/mach-imx/imx8m/soc.c index 0c44022a6dc..92a71b6ba29 100644 --- a/arch/arm/mach-imx/imx8m/soc.c +++ b/arch/arm/mach-imx/imx8m/soc.c @@ -571,6 +571,67 @@ enum boot_device get_boot_device(void) } #endif +#if defined(CONFIG_IMX8M) +#include <spl.h> +int spl_mmc_emmc_boot_partition(struct mmc *mmc) +{ + u32 *rom_log_addr = (u32 *)0x9e0; + u32 *rom_log; + u8 event_id; + int i, part; + + part = default_spl_mmc_emmc_boot_partition(mmc); + + /* If the ROM event log pointer is not valid. */ + if (*rom_log_addr < 0x900000 || *rom_log_addr >= 0xb00000 || + *rom_log_addr & 0x3) + return part; + + /* Parse the ROM event ID version 2 log */ + rom_log = (u32 *)(uintptr_t)(*rom_log_addr); + for (i = 0; i < 128; i++) { + event_id = rom_log[i] >> 24; + switch (event_id) { + case 0x00: /* End of list */ + break; + /* Log entries with 1 parameter, skip 1 */ + case 0x80: /* Start to perform the device initialization */ + case 0x81: /* The boot device initialization completes */ + case 0x8f: /* The boot device initialization fails */ + case 0x90: /* Start to read data from boot device */ + case 0x91: /* Reading data from boot device completes */ + case 0x9f: /* Reading data from boot device fails */ + i += 1; + continue; + /* Log entries with 2 parameters, skip 2 */ + case 0xa0: /* Image authentication result */ + case 0xc0: /* Jump to the boot image soon */ + i += 2; + continue; + /* Boot from the secondary boot image */ + case 0x51: + /* + * Swap the eMMC boot partitions in case there was a + * fallback event (i.e. primary image was corrupted + * and that corruption was recognized by the BootROM), + * so the SPL loads the rest of the U-Boot from the + * correct eMMC boot partition, since the BootROM + * leaves the boot partition set to the corrupted one. + */ + if (part == 1) + part = 2; + else if (part == 2) + part = 1; + continue; + default: + continue; + } + } + + return part; +} +#endif + bool is_usb_boot(void) { return get_boot_device() == USB_BOOT;
In case the iMX8M boot from eMMC boot partition and the primary image is corrupted, the BootROM is capable of starting a secondary image in the other eMMC boot partition as a fallback. However, the BootROM leaves the eMMC BOOT_PARTITION_ENABLE setting as it was, i.e. pointing to the boot partition containing the corrupted image, and the BootROM does not provide any indication that this sort of fallback occured. According to AN12853 i.MX ROMs Log Events, Rev. 0, May 2020, it is possible to determine whether fallback event occurred by parsing the ROM event log. In case ROM event ID 0x51 is present, fallback event did occur. This patch implements ROM event log parsing and search for event ID 0x51 for all iMX8M SoCs, and based on that corrects the eMMC boot partition selection. This way, the SPL loads the remaining boot components from the same eMMC boot partition from which it was started, even in case of the fallback. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Faiz Abbas <faiz_abbas@ti.com> Cc: Harald Seiler <hws@denx.de> Cc: Lokesh Vutla <lokeshvutla@ti.com> Cc: Simon Glass <sjg@chromium.org> Cc: Fabio Estevam <festevam@gmail.com> Cc: Peng Fan <peng.fan@nxp.com> Cc: Stefano Babic <sbabic@denx.de> Cc: Ye Li <ye.li@nxp.com> --- arch/arm/mach-imx/imx8m/soc.c | 61 +++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+)