On Thu, 15 Jan 2026 11:36:29 +0200 Ilias Apalodimas <[email protected]> wrote:
> Hi Kory,
>
> On Wed, 14 Jan 2026 at 17:16, Kory Maincent <[email protected]> wrote:
> >
> > On Wed, 14 Jan 2026 15:54:07 +0200
> > Ilias Apalodimas <[email protected]> wrote:
> >
> > > Hi Kory,
> > >
> > > On Wed, 14 Jan 2026 at 11:59, Kory Maincent <[email protected]>
> > > wrote:
> > > >
> > > > When boot_idx differs from active_idx at boot time, it indicates a
> > > > rollback scenario where the firmware update failed and the system
> > > > reverted to the previous working bank. In this case, mark the failed
> > > > bank (active_idx) as invalid to prevent future boot attempts from that
> > > > bank.
> > > >
> > > > This change adds a new fwu_invalid_bank() function that sets the bank
> > > > state to FWU_BANK_INVALID and syncs the metadata. This is only
> > > > supported in FWU metadata version 2; version 1 provides a no-op stub.
> > > >
> > > > Without this change, a failed bank would remain in a valid state and
> > > > could potentially be selected for boot again, leading to repeated
> > > > boot failures.
> > >
> > > How? Doesn't the code already switch the metadata to point to the
> > > 'boot_idx' bank as active?
> > > What could happen here I guess, is the selected active bank to go bad
> > > somehow and the firmware would try the secondary bank, which contains
> > > an invalid firmware. But in that case the board will fail to boot
> > > regardless. Is there a corner case I am missing?
> >
> > I think I have faced a corner case, but I can't recall what it was. :/
>
> I think this patch has value if you have 3 banks. In that case, you
> won't have to try and boot the invalid one, before booting a correct
> one.

Good point.

> > Anyway we should change the bank state to invalid if we don't manage to boot
> > one bank right. We should provide to the user the information that one bank
> > is in an invalid state if that is the case. What do you think?
>
> Yes. The invalid state is already described in the spec so I think this is
> fine.
> However, instead of adding a new function to invalidate the state,
> can't we tweak fwu_bank_state_update() instead?
> Instead of a boolean for trial state, pass the actual state and
> update it while keeping the same checks.

Indeed, we could do that. I will prepare a V2 accordingly.

Regards,

-- 
Köry Maincent, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
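The rollback handling discussed in this thread, as an added C model that is not U-Boot's code: it assumes a constructed three-bank metadata struct and an illustrative state encoding, takes the target state in fwu_bank_state_update() as Ilias suggests, and shows why marking the failed bank invalid matters once a third bank exists.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed model of the v2 metadata fields discussed in the thread;
 * the state encoding is illustrative, not U-Boot's or the spec's values. */
enum { BANK_INVALID = 0, BANK_VALID = 1, BANK_ACCEPTED = 2 };
#define NUM_BANKS 3
struct fwu_mdata { uint32_t active_idx; uint8_t bank_state[NUM_BANKS]; };

/* Ilias's suggestion: take the target state rather than a trial flag, so
 * the range checks stay in one place. Returns 0 on success, -1 otherwise. */
int fwu_bank_state_update(struct fwu_mdata *m, uint32_t bank, uint8_t state)
{
    if (bank >= NUM_BANKS || state > BANK_ACCEPTED)
        return -1;
    m->bank_state[bank] = state;
    return 0; /* a real implementation would sync the metadata copies here */
}

/* Rollback as the cover letter describes: if the bank actually booted
 * (boot_idx) differs from active_idx, the update in active_idx failed.
 * Mark it invalid and make boot_idx active. Returns true on rollback. */
bool fwu_handle_rollback(struct fwu_mdata *m, uint32_t boot_idx)
{
    if (boot_idx >= NUM_BANKS || boot_idx == m->active_idx)
        return false;
    if (fwu_bank_state_update(m, m->active_idx, BANK_INVALID))
        return false;
    m->active_idx = boot_idx;
    return true;
}

/* Why it matters with three banks: the next fallback skips invalid banks,
 * so the failed bank is never retried. Returns -1 if none is left. */
int fwu_next_fallback(const struct fwu_mdata *m)
{
    for (uint32_t i = 1; i < NUM_BANKS; i++) {
        uint32_t cand = (m->active_idx + i) % NUM_BANKS;
        if (m->bank_state[cand] != BANK_INVALID)
            return (int)cand;
    }
    return -1;
}

/* Scenario: bank 1 was updated and made active, but we booted from bank 0.
 * Returns the fallback bank chosen once the rollback is recorded. */
int fwu_rollback_scenario(void)
{
    struct fwu_mdata m = { 1, { BANK_ACCEPTED, BANK_VALID, BANK_VALID } };
    if (!fwu_handle_rollback(&m, 0) || m.active_idx != 0 ||
        m.bank_state[1] != BANK_INVALID)
        return -1;
    return fwu_next_fallback(&m); /* 2: bank 1 is skipped */
}
```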

