scripts: tt_boot_fs: support multiple descriptor table definitions#943
scripts: tt_boot_fs: support multiple descriptor table definitions#943danieldegrasse wants to merge 11 commits intotenstorrent:mainfrom
Conversation
danieldegrasse
requested review from
afongTT,
alewycky-tenstorrent and
jgrowdenTT
|
Moving this to a draft. We're going to require updates to luwen to understand the multi-bootfs format |
Support multiple bootfs definitions within tt_boot_fs. This change adds a tt_boot_fs header at 0x120000 within flash, which is used by tooling to describe the address of each descriptor table within the flash. Legacy bootfs binaries without a header are assumed to include two descriptor tables at 0x0 and 0x4000 (the recovery and failover tables) This change retains backwards compatibility for modifying existing bootfs binaries, but the header will be added to the binary upon regeneration. Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
Update the bootfs definition to include the header address, since each bootfs can have an independent header address. Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
Bootfs now uses a different format for images. Update YAML schema to reflect this change. Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
danieldegrasse
force-pushed
the
feature/multi-bootfs
branch
from
5587f0e to
d51681d
Compare
|
tenstorrent/luwen#142 is needed for the bootfs format updates |
Update tt_boot_fs functions to search all bootfs tables, as described by the bootfs header Remove logically dead code for caching the bootfs and adding a file descriptor Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
Update the usage of tt_boot_fs libraries to match the new bootfs APIs Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
Update tests for the new tt_boot_fs library usage Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
Split partition definitions into multiple tt-boot-fs descriptor tables. One table will be used for the ROM headers at 0x0, one at 0x4000 will have the failover descriptor, and one at 0x170000 will have the mutable flash objects. Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
Add some limited documentation on the tt_boot_fs to tenstorrent doc tree Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
Update yaml for preflash firmware to use new schema Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
danieldegrasse
force-pushed
the
feature/multi-bootfs
branch
from
d51681d to
bac3792
Compare
|
tenstorrent/luwen#142 will be required in order to flash an update after loading firmware built from this PR |
|
Considering this more, there might be a way to achieve the same update reliability without modifying the bootfs format. If we lock the copy of MCUBoot in use to a specific build (IE from v19.4.0), and do the same for the recovery image then the "safe" boot path could be via the failover descriptor. Essentially if power was lost while writing to the flash, it could impact boot in the following ways: a) power is lost while writing descriptor table at 0x0 -> Bootrom uses failover table, which still points to valid MCUBoot I'm not sure if this would work, but it should function in theory. @afongTT or @alewycky-tenstorrent, do you have thoughts about this approach? It is less flexible, but would require significantly fewer changes and if we don't plan to reuse the bootfs code in the future it might be the easiest way to accomplish reliable boot |
#961 validates that we can boot via the failover descriptor. However, I still think we should move forwards with this PR- it isn't high priority, but there is at least one failure case we can't recovery from: part of the tt_boot_fs header is erased, so the ROM tries to load images like the |
|
Do we use the mutable table during boot? If so, what point in the boot process? Will all the non-recovery images be in the mutable table? |
We use the mutable table during the boot of mission mode firmware- so once MCUBoot launches the mission mode CMFW, we start reading from the mutable table. The DMFW never uses the mutable table definition. All non-recovery images will be in the mutable table, yeah. The idea is that no mutable data is stored in the failover descriptor at 0x4000 or the ROM descriptor at 0x0, so these will not change between updates |
Update tt_boot_fs functions to search all bootfs tables, as described by the bootfs header Remove logically dead code for caching the bootfs and adding a file descriptor Signed-off-by: Daniel DeGrasse <ddegrasse@tenstorrent.com>
Signed-off-by: Sherry Li <xiaoruli@tenstorrent.com>
ShLiTT
force-pushed
the
feature/multi-bootfs
branch
from
1618e9a to
a39ca48
Compare
3 participants
Overview
Add support for multiple descriptor table definitions within tt_boot_fs. This enables us to define an additional "mutable" descriptor table, chosen to reside at
0x17000. This table will change with each firmware revision, but the ROM table at0x0should no longer change. This will allow us to preserve a bootable change ofrom -> mcuboot -> recovery imageacross all firmware updates, providing more reliable boot fallback.Note
the commits in this PR are not bisect-able. To keep everything bisectable, all the code changes would need to be > moved into one commit, as they are not backwards compatible. I can do this if before we merge. For now, I kept commits smaller to aid inreview.
Technical details
This PR adds a "header table" at
0x120000(offset was chosen because no firmware data lives at this address in current binaries or in pre 19.0 binary layouts)The header table includes a magic number, version, and bootfs descriptor table count. Most boot images will have 3 descriptor tables:
Table offsets in flash are stored following the bootfs header itself as an array of 32 bit unsigned integers.