Add more doc about the bootloader (sequence diagrams and degraded cases).

This commit is contained in:
JF 2020-08-10 16:36:29 +02:00
parent 3b20c29ab9
commit d8c2c9ad01
4 changed files with 95 additions and 2 deletions

View file

@ -1,5 +1,5 @@
# About this bootloader # About this bootloader
This bootloader is mostly developed by [Lup Yuen](https://github.com/lupyuen). It is based on MCUBoot and Mynewt. This bootloader is mostly developed by [Lup Yuen](https://github.com/lupyuen). It is based on [MCUBoot](https://juullabs-oss.github.io/mcuboot/) and Mynewt.
The goal of this project is to provide a common bootloader for multiple (all?) Pinetime projects. It allows to upgrade the current bootloader and even replace the current application by another one that supports the same bootloader. The goal of this project is to provide a common bootloader for multiple (all?) Pinetime projects. It allows to upgrade the current bootloader and even replace the current application by another one that supports the same bootloader.
@ -11,7 +11,43 @@ When it is run, this bootloader looks in the SPI flash memory if a new firmware
As this bootloader does not provide any OTA capability, it is not able to actually download a new version of the application. Providing OTA functionality is thus the responsability of the application firmware. As this bootloader does not provide any OTA capability, it is not able to actually download a new version of the application. Providing OTA functionality is thus the responsability of the application firmware.
# Using the bootlader # About MCUBoot
MCUBoot is run at boot time. In normal operation, it just jumps to the reset handler of the application firmware to run it. Once the application firmware is running, MCUBoot does not run at all.
![MCUBoot boot sequence diagram](../doc/bootloader/boot.png "MCUBoot boot sequence diagram")
But MCUBoot does much more than that : it can upgrade the firmware that is currently running by a new one, and it is also able to revert to the previous version of the firmware in case the new one does not run propertly.
To do this, it uses 2 memory 'slots' :
- **The primary slot** : it contains the current firmware, the one that will be executed by MCUBoot
- **The secondary slot** : it is used to store the upgraded version of the firmware, when available.
At boot time, MCUBoot detects that a new version of the firmware is available in the secondary slot and swaps them : the current version of the firmware is copied from the primary to the secondary slot and vice-versa.
When the swapping is done, it runs the new version of the firmware from the primary slot.
![MCUBoot update sequence diagram](../doc/bootloader/upgrade.png "MCUBoot update sequence diagram")
The next time MCUBoot will be run (after a MCU reset), MCUBoot will check if the new firmware ran correctly (it must set a flag in memory). If it is not the case, it'll revert to the previous version of the firmware by copying it from the secondary to the primary.
![MCUBoot update sequence diagram](../doc/bootloader/recover.png "MCUBoot update sequence diagram")
Note than MCUBoot **does not** provide any means to download and store the new version of the firmware into the secondary slot. This must be implemented by the application firmware.
# Degraded cases
This chapter describes degraded cases that are handled by our bootloader and those that are not supported.
Case | Current bootloader | Solution
-----|--------------------|----------------------------------------------
Data got corrupted during file transfert | [OK] Application firmware does a CRC check before applying the update, and does not proceed if it fails. | N/A
New firmware does not run at all (bad file) (1) | [NOK] MCU executes unknown instructions and will most likely end up in an infinite loop or freeze in an error handler. The bootloader does not run, it can do nothing, the MCU is stucked until next reset | [OK] The bootloader starts the watchdog just before running the new firmware. This way, the watchdog will reset the MCU after ~7s because the firmware does not refresh it. Bootloader reverts to the previous version of the firmware during the reset.
New firmware runs, does not set the valid bit and does not refresh the watchdog | [NOK] The new firmware runs until the next reset. The bootloader will be able to revert to the previous firmware only during the next reset. If the new firmware does not run properly and does not reset, the bootloader can do nothing until the next reset | [OK] The bootloader starts the watchdog just before running the new firmware. This way, the watchdog will reset the MCU after ~7s because the firmware does not refresh it. Bootloader reverts to the previous version of the firmware during the reset.
New firmware does not run properly, does not set the valid bit but refreshes the watchdog | [NOK] The bootloader will be able to revert to the previous firmware only during the next reset. If the new firmware does not run properly and does not reset, the bootloader can do nothing until the next reset | [~] Wait for the battery to drain. The CPU will reset the next time the device is charged and will be able to rollback to the previous version.
New firmware does not run properly but sets the valid bit and refreshes the watchdog | [NOK] The bootloader won't revert to the previous version because the valid flag is set | [~] Wait for the battery to drain. The CPU will reset the next time the device is charged. Then, the bootloader must provide a way for the user to force the rollback to the previous version
*(1) I've observed this when I tried to run a firmware built to run from offset 0 while it was flashed at offset 0x8000 in memory (bad vector table).*
# Using the bootloader
## Bootloader graphic ## Bootloader graphic
The bootloader loads a graphic (Pinetime logo) from the SPI Flash memory. If this graphic is not loaded in the memory, the LCD will display garbage (the content of the SPI flash memory). The bootloader loads a graphic (Pinetime logo) from the SPI Flash memory. If this graphic is not loaded in the memory, the LCD will display garbage (the content of the SPI flash memory).

19
doc/bootloader/boot.puml Normal file
View file

@ -0,0 +1,19 @@
@startuml
MCU -> Bootloader: reset
activate Bootloader
Bootloader -> Bootloader: Recover? (no)
Bootloader -> Bootloader: New version? (no)
Bootloader -> Application: Jump to primary slot
deactivate Bootloader
activate Application
note right: This is the current version of the firmware
Application -> Application: OTA procedure
note right: Download a new firmware version and\n store it in secondary slot
Application -> MCU: Reset
deactivate Application
@enduml

View file

@ -0,0 +1,17 @@
@startuml
MCU -> Bootloader: reset
activate Bootloader
Bootloader -> Bootloader: Recover? (yes)
Bootloader -> Bootloader: Restore previous firmware
note left: Copy the previous firmware from secondary to primary slot
Bootloader -> Application: Jump to primary slot
deactivate Bootloader
activate Application
note right: This is the previous version\nof the firmware
Application -> Application: Normal Operation
Application -> MCU: Reset
deactivate Application
@enduml

View file

@ -0,0 +1,21 @@
@startuml
MCU -> Bootloader: reset
activate Bootloader
Bootloader -> Bootloader: Recover? (no)
Bootloader -> Bootloader: New version? (yes)
Bootloader -> Bootloader: Swap firmwares
note left: Copy current firmware from primary to secondary\nand copy the new firmware from secondary to primary
Bootloader -> Application: Jump to primary slot
deactivate Bootloader
activate Application
note right: This is the new version of the firmware
Application -> Application: Write the valid bit in flash memory
note right: The application should provide a way to\ncheck that it is running correctly\n(selftest, user confirmation,...)\nbefore setting the valid bit.
Application -> Application: Normal operations...
Application -> MCU: Reset
deactivate Application
@enduml