blob: 72c850a7908521297f51d7c52245bbdd53fb6190 [file] [log] [blame]
Sughosh Ganub08b8572022-10-21 18:16:08 +05301.. SPDX-License-Identifier: GPL-2.0+
2.. Copyright (c) 2022 Linaro Limited
3
4FWU Multi Bank Updates in U-Boot
5================================
6
7The FWU Multi Bank Update feature implements the firmware update
8mechanism described in the PSA Firmware Update for A-profile Arm
9Architecture specification [1]. Certain aspects of the Dependable
10Boot specification [2] are also implemented. The feature provides a
11mechanism to have multiple banks of updatable firmware images and for
12updating the firmware images on the non-booted bank. On a successful
13update, the platform boots from the updated bank on subsequent
14boot. The UEFI capsule-on-disk update feature is used for performing
15the actual updates of the updatable firmware images.
16
17The bookkeeping of the updatable images is done through a structure
18called metadata. Currently, the FWU metadata supports identification
19of images based on image GUIDs stored on a GPT partitioned storage
20media. There are plans to extend the metadata structure for non GPT
21partitioned devices as well.
22
23Accessing the FWU metadata is done through generic API's which are
24defined in a driver which complies with the U-Boot's driver model. A
25new uclass UCLASS_FWU_MDATA has been added for accessing the FWU
26metadata. Individual drivers can be added based on the type of storage
27media, and its partitioning method. Details of the storage device
28containing the FWU metadata partitions are specified through a U-Boot
29specific device tree property `fwu-mdata-store`. Please refer to
30U-Boot `doc <doc/device-tree-bindings/firmware/fwu-mdata-gpt.yaml>`__
31for the device tree bindings.
32
33Enabling the FWU Multi Bank Update feature
34------------------------------------------
35
36The feature can be enabled by specifying the following configs::
37
38 CONFIG_EFI_CAPSULE_ON_DISK=y
39 CONFIG_EFI_CAPSULE_FIRMWARE_MANAGEMENT=y
40 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
41
42 CONFIG_FWU_MULTI_BANK_UPDATE=y
43 CONFIG_FWU_MDATA=y
44 CONFIG_FWU_MDATA_GPT_BLK=y
45 CONFIG_FWU_NUM_BANKS=<val>
46 CONFIG_FWU_NUM_IMAGES_PER_BANK=<val>
47
48in the .config file
49
50By enabling the CONFIG_CMD_FWU_METADATA config option, the
51fwu_mdata_read command can be used to check the current state of the
52FWU metadata structure.
53
54The first group of configuration settings enable the UEFI
55capsule-on-disk update functionality. The second group of configs
56enable the FWU Multi Bank Update functionality. Please refer to the
57section :ref:`uefi_capsule_update_ref` for more details on generation
58of the UEFI capsule.
59
60Setting up the device for GPT partitioned storage
61-------------------------------------------------
62
63Before enabling the functionality in U-Boot, a GPT partitioned storage
64device is required. Assuming a GPT partitioned storage device, the
65storage media needs to be partitioned with the correct number of
66partitions, given the number of banks and number of images per bank
67that the platform is going to support. Each updatable firmware image
68will be stored on a separate partition. In addition, the two copies
69of the FWU metadata will be stored on two separate partitions. These
70partitions need to be created at the time of the platform's
71provisioning.
72
73As an example, a platform supporting two banks with each bank
74containing three images would need to have 2 * 3 = 6 partitions plus
75the two metadata partitions, or 8 partitions. In addition the storage
76media can have additional partitions of non-updatable images, like the
77EFI System Partition(ESP), a partition for the root file system
78etc. An example list of images on the storage medium would be
79
80* FWU metadata 1
81* U-Boot 1
82* OP-TEE 1
83* FWU metadata 2
84* OP-TEE 2
85* U-Boot 2
86* ESP
87* rootfs
88
89When generating the partitions, a few aspects need to be taken care
90of. Each GPT partition entry in the GPT header has two GUIDs::
91
92* PartitionTypeGUID
93* UniquePartitionGUID
94
95The PartitionTypeGUID value should correspond to the
96``image_type_uuid`` field of the FWU metadata. This field is used to
97identify a given type of updatable firmware image, e.g. U-Boot,
98OP-TEE, FIP etc. This GUID should also be used for specifying the
99`--guid` parameter when generating the capsule.
100
101The UniquePartitionGUID value should correspond to the ``image_uuid``
102field in the FWU metadata. This GUID is used to identify images of a
103given image type in different banks.
104
105The FWU specification defines the GUID value to be used for the
106metadata partitions. This would be the PartitionTypeGUID for the
107metadata partitions. Similarly, the UEFI specification defines the ESP
108GUID to be be used.
109
110When generating the metadata, the ``image_type_uuid`` and the
111``image_uuid`` values should match the *PartitionTypeGUID* and the
112*UniquePartitionGUID* values respectively.
113
114Performing the Update
115---------------------
116
117Once the storage media has been partitioned and populated with the
118metadata partitions, the UEFI capsule-on-disk update functionality can
119be used for performing the update. Refer to the section
120:ref:`uefi_capsule_update_ref` for details on how the update can be
121invoked.
122
123On a successful update, the FWU metadata gets updated to reflect the
124bank from which the platform would be booting on subsequent boot.
125
126Based on the value of bit15 of the Flags member of the capsule header,
127the updated images would either be accepted by the U-Boot's UEFI
128implementation, or by the Operating System. If the Operating System is
129accepting the firmware images, it does so by generating an empty
130*accept* capsule. The Operating System can also reject the updated
131firmware by generating a *revert* capsule. The empty capsule can be
132applied by using the exact same procedure used for performing the
133capsule-on-disk update.
134
135The task of accepting the different firmware images, post an update
136may be done by multiple, separate components in the Operating
137System. To help identify the firmware image that is being accepted,
138the accept capsule passes the image GUID of the firmware image being
139accepted. The relevant code in U-Boot then sets the Accept bit of the
140corresponding firmware image for which the accept capsule was
141found. Only when all the firmware components in a bank have been
142accepted does the platform transition from trial state to regular
143state.
144
145The revert capsule on the other hand does not pass any image GUID,
146since reverting any image of the bank has the same result of the
147platform booting from the other bank on subsequent boot.
148
149In the scenario that bit15 of the Flags member of the capsule header
150has not been set, the images being updated are accepted by the
151U-Boot's UEFI firmware implementation by default, on successful
152update of the image.
153
154Generating an empty capsule
155---------------------------
156
157The empty capsule can be generated using the mkeficapsule utility. To
158build the tool, enable::
159
160 CONFIG_TOOLS_MKEFICAPSULE=y
161
162Run the following commands to generate the accept/revert capsules::
163
164.. code-block:: bash
165
166 $ ./tools/mkeficapsule \
167 [--fw-accept --guid <image guid>] | \
168 [--fw-revert] \
169 <capsule_file_name>
170
171Some examples of using the mkeficapsule tool for generation of the
172empty capsule would be::
173
174.. code-block:: bash
175
176 $ ./tools/mkeficapsule --fw-accept --guid <image guid> \
177 <accept_capsule_name>
178 $ ./tools/mkeficapsule --fw-revert <revert_capsule_name>
179
180Links
181-----
182
183* [1] https://developer.arm.com/documentation/den0118/a/ - FWU Specification
184* [2] https://git.codelinaro.org/linaro/dependable-boot/mbfw/uploads/6f7ddfe3be24e18d4319e108a758d02e/mbfw.pdf - Dependable Boot Specification