Update stage0 #209
Merged
Update stage0 #209
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
labbott
reviewed
Mar 28, 2024
jgallagher
reviewed
Apr 10, 2024
lzrd
force-pushed
the
update-stage0
branch
6 times, most recently
from
8db8400
to
082c523
Compare
jgallagher
reviewed
Apr 22, 2024
jgallagher
reviewed
Apr 22, 2024
lzrd
force-pushed
the
update-stage0
branch
3 times, most recently
from
64fc4e9
to
4d3dd86
Compare
jgallagher
reviewed
Apr 23, 2024
SpComponent::Stage0 (boot loader) is distinct from SpComponent::ROT (Hubris). There is no support for an atomic switch-over to stage0 bank 1 (stage0next). Copy from stage0next to stage0 is allowed if stage0next signatuire is valid at boot time and contents still match boot-time contents. Note: Only one stage0 update should be in process in a rack at a time to reduce the chance of an interrupted copy bricking a subsystem. RotStateV3 includes the FWID of all RoT image flash banks and error information if an image is not valid. The FWID for invalid banks is always computed and reported. This allows us to distinguish between completly erased banks and those that are not completely erased: The FWID over any erased bank is the "a7ff..." value below: ``` $ touch empty.bin $ rot-fwid empty.bin empty.bin 0 a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a ``` Add a versioned RoT Boot Info message to facilitate update of RoT Hubris independant of SP or RoT being on a later version than the other. SpStateV3 does not contain RotState because coupling them and allowing for version skew over-complicates things. Implement Display for RotState* for nicer human output. Bumped the faux-mgs crate version Add test for SpStateV3
jgallagher
approved these changes
Apr 23, 2024
mkeeter
reviewed
Apr 29, 2024
| )] | ||
| pub enum ImageError { | ||
| /// Image has not been sanity checked (internal use) | ||
| Unchecked = 1, |
There was a problem hiding this comment.
Do we ever care about the in-memory representation of this enum? If not, I'd recommend removing the = 1, because it suggests that we care about the in-memory representation.
Note that the = 1 does not change how this object will be serialized. For example:
#[derive(serde::Serialize)]
enum Foo {
One = 1,
Two,
}
fn main() {
let b = bincode::serialize(&Foo::One).unwrap();
println!("{b:?}") // prints [0, 0, 0, 0]
}
|
You're right, we don't care about the in-memory representation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support update of RoT bootloader.
Includes always calculating FWID and signature check at RoT boot time.
Messages for SP and RoT Hubris updates are backward compatible.
See https://github.com/oxidecomputer/sprot-e2e for test scripts that exercise update and rollback of Hubris and Bootleby on SP and RoT.
A new RoTBootInfo mesage is plumbed that includes info on the four RoT flash banks.
The ImageError enum gives detailed information on invalid RoT flash bank contents.
This is a draft PR because it needs to be coordinated with hubris and omicron changes so as not to break people's development environments.
Closes #208