| Message ID | 20221018114337.439816-10-sughosh.ganu@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | FWU: Add FWU Multi Bank Update feature support | expand |
Hi Sughosh, On Tue, Oct 18, 2022 at 05:13:31PM +0530, Sughosh Ganu wrote: > The FWU Multi Bank Update specification requires the Update Agent to > carry out certain checks at the time of platform boot. The Update > Agent is the component which is responsible for updating the firmware > components and maintaining and keeping the metadata in sync. > > The spec requires that the Update Agent perform the following checks > at the time of boot > * Sanity check of both the metadata copies maintained by the platform. > * Get the boot index passed to U-Boot by the prior stage bootloader > and use this value for metadata bookkeeping. > * Check if the system is booting in Trial State. If the system boots > in the Trial State for more than a specified number of boot counts, > change the Active Bank to be booting the platform from. > > Call these checks through the main loop event at the time of platform > boot. > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> > --- > Changes since V13: > * Removed the superfluous setting of var_attributes before calling > efi_get_variable_int() > * Call fwu_get_dev_mdata() in fwu_trial_state_check() instead of > fwu_boottime_checks() > > include/fwu.h | 13 +++ > lib/fwu_updates/fwu.c | 181 +++++++++++++++++++++++++++++++++++++++++- > 2 files changed, 193 insertions(+), 1 deletion(-) > > diff --git a/include/fwu.h b/include/fwu.h > index 7d38cb5856..c7b932bc0b 100644 > --- a/include/fwu.h > +++ b/include/fwu.h > @@ -345,4 +345,17 @@ int fwu_plat_get_update_index(uint *update_idx); > * > */ > void fwu_plat_get_bootidx(uint *boot_idx); > + > +/** > + * fwu_update_checks_pass() - Check if FWU update can be done > + * > + * Check if the FWU update can be executed. The updates are > + * allowed only when the platform is not in Trial State and > + * the boot time checks have passed > + * > + * Return: 1 if OK, 0 on error > + * > + */ > +u8 fwu_update_checks_pass(void); > + > #endif /* _FWU_H_ */ > diff --git a/lib/fwu_updates/fwu.c b/lib/fwu_updates/fwu.c > index e782dc0176..2016a6d2c1 100644 > --- a/lib/fwu_updates/fwu.c > +++ b/lib/fwu_updates/fwu.c > @@ -4,10 +4,19 @@ > */ > > #include <dm.h> > +#include <efi.h> > #include <efi_loader.h> > +#include <efi_variable.h> > +#include <event.h> > #include <fwu.h> > #include <fwu_mdata.h> > -#include <log.h> > +#include <malloc.h> > + > +#include <linux/errno.h> > +#include <linux/types.h> > + > +static u8 trial_state; > +static u8 boottime_check; > > #include <linux/errno.h> > #include <linux/types.h> > @@ -44,6 +53,110 @@ static int fwu_get_dev_mdata(struct udevice **dev, struct fwu_mdata *mdata) > return ret; > } > > +static int trial_counter_update(u16 *trial_state_ctr) > +{ > + bool delete; > + u32 var_attr; > + efi_status_t status; > + efi_uintn_t var_size; > + > + delete = !trial_state_ctr ? true : false; > + var_size = !trial_state_ctr ? 0 : (efi_uintn_t)sizeof(*trial_state_ctr); > + var_attr = !trial_state_ctr ? 0 : EFI_VARIABLE_NON_VOLATILE | > + EFI_VARIABLE_BOOTSERVICE_ACCESS; > + status = efi_set_variable_int(u"TrialStateCtr", > + &efi_global_variable_guid, > + var_attr, > + var_size, trial_state_ctr, false); > + > + if ((delete && (status != EFI_NOT_FOUND && > + status != EFI_SUCCESS)) || > + (!delete && status != EFI_SUCCESS)) > + return -1; > + > + return 0; > +} > + > +static int in_trial_state(struct fwu_mdata *mdata) > +{ > + u32 i, active_bank; > + struct fwu_image_entry *img_entry; > + struct fwu_image_bank_info *img_bank_info; > + > + active_bank = mdata->active_index; > + img_entry = &mdata->img_entry[0]; > + for (i = 0; i < CONFIG_FWU_NUM_IMAGES_PER_BANK; i++) { > + img_bank_info = &img_entry[i].img_bank_info[active_bank]; > + if (!img_bank_info->accepted) { > + return 1; > + } Remove {} > + } > + > + return 0; > +} > + > +static int fwu_trial_state_check(void) > +{ > + int ret; > + struct udevice *dev; > + efi_status_t status; > + efi_uintn_t var_size; > + u16 trial_state_ctr; > + struct fwu_mdata mdata = { 0 }; > + > + ret = fwu_get_dev_mdata(&dev, &mdata); > + if (ret) > + return ret; > + > + trial_state = in_trial_state(&mdata); > + if (trial_state) { > + var_size = (efi_uintn_t)sizeof(trial_state_ctr); > + log_info("System booting in Trial State\n"); > + status = efi_get_variable_int(u"TrialStateCtr", > + &efi_global_variable_guid, > + NULL, > + &var_size, &trial_state_ctr, > + NULL); > + if (status != EFI_SUCCESS) { > + log_err("Unable to read TrialStateCtr variable\n"); > + ret = -1; > + goto out; > + } > + > + ++trial_state_ctr; > + if (trial_state_ctr > CONFIG_FWU_TRIAL_STATE_CNT) { > + log_info("Trial State count exceeded. Revert back to previous_active_index\n"); > + ret = fwu_revert_boot_index(); > + if (ret) { > + log_err("Unable to revert active_index\n"); > + goto out; > + } > + > + /* Delete the TrialStateCtr variable */ > + ret = trial_counter_update(NULL); > + if (ret) { > + log_err("Unable to delete TrialStateCtr variable\n"); > + goto out; > + } This is a bit confusing for me. If the trial_state_ctr we need to goto out anyway right? So why don't we explicitly add a goto out at the end and get rid of the else that's following ? > + } else { > + ret = trial_counter_update(&trial_state_ctr); > + if (ret) { > + log_err("Unable to increment TrialStateCtr variable\n"); > + goto out; > + } > + } > + } else { > + /* Delete the variable */ > + ret = trial_counter_update(NULL); > + if (ret) { > + log_err("Unable to delete TrialStateCtr variable\n"); > + } > + } > + > +out: > + return ret; > +} > + > static int fwu_get_image_type_id(u8 *image_index, efi_guid_t *image_type_id) > { > u8 index; > @@ -494,3 +607,69 @@ __weak int fwu_plat_get_update_index(uint *update_idx) > > return ret; > } > + > +/** > + * fwu_update_checks_pass() - Check if FWU update can be done > + * > + * Check if the FWU update can be executed. The updates are > + * allowed only when the platform is not in Trial State and > + * the boot time checks have passed > + * > + * Return: 1 if OK, 0 on error > + * > + */ > +u8 fwu_update_checks_pass(void) > +{ > + return !trial_state && boottime_check; > +} > + > +static int fwu_boottime_checks(void *ctx, struct event *event) > +{ > + int ret; > + u32 boot_idx, active_idx; > + > + ret = fwu_check_mdata_validity(); > + if (ret) > + return 0; > + > + /* > + * Get the Boot Index, i.e. the bank from > + * which the platform has booted. This value > + * gets passed from the ealier stage bootloader > + * which booted u-boot, e.g. tf-a. If the > + * boot index is not the same as the > + * active_index read from the FWU metadata, > + * update the active_index. > + */ > + fwu_plat_get_bootidx(&boot_idx); > + if (boot_idx >= CONFIG_FWU_NUM_BANKS) { > + log_err("Received incorrect value of boot_index\n"); > + return 0; > + } > + > + ret = fwu_get_active_index(&active_idx); > + if (ret) { > + log_err("Unable to read active_index\n"); > + return 0; > + } > + > + if (boot_idx != active_idx) { > + log_info("Boot idx %u is not matching active idx %u, changing active_idx\n", > + boot_idx, active_idx); > + ret = fwu_set_active_index(boot_idx); > + if (!ret) > + boottime_check = 1; > + > + return 0; > + } > + > + if (efi_init_obj_list() != EFI_SUCCESS) > + return 0; > + > + ret = fwu_trial_state_check(); > + if (!ret) > + boottime_check = 1; > + > + return 0; > +} > +EVENT_SPY(EVT_MAIN_LOOP, fwu_boottime_checks); > -- > 2.34.1 > Thanks /Ilias
hi Ilias, On Thu, 20 Oct 2022 at 01:31, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote: > > Hi Sughosh, > > On Tue, Oct 18, 2022 at 05:13:31PM +0530, Sughosh Ganu wrote: > > The FWU Multi Bank Update specification requires the Update Agent to > > carry out certain checks at the time of platform boot. The Update > > Agent is the component which is responsible for updating the firmware > > components and maintaining and keeping the metadata in sync. > > > > The spec requires that the Update Agent perform the following checks > > at the time of boot > > * Sanity check of both the metadata copies maintained by the platform. > > * Get the boot index passed to U-Boot by the prior stage bootloader > > and use this value for metadata bookkeeping. > > * Check if the system is booting in Trial State. If the system boots > > in the Trial State for more than a specified number of boot counts, > > change the Active Bank to be booting the platform from. > > > > Call these checks through the main loop event at the time of platform > > boot. > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> > > Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> > > --- > > Changes since V13: > > * Removed the superfluous setting of var_attributes before calling > > efi_get_variable_int() > > * Call fwu_get_dev_mdata() in fwu_trial_state_check() instead of > > fwu_boottime_checks() > > > > include/fwu.h | 13 +++ > > lib/fwu_updates/fwu.c | 181 +++++++++++++++++++++++++++++++++++++++++- > > 2 files changed, 193 insertions(+), 1 deletion(-) > > > > diff --git a/include/fwu.h b/include/fwu.h > > index 7d38cb5856..c7b932bc0b 100644 > > --- a/include/fwu.h > > +++ b/include/fwu.h > > @@ -345,4 +345,17 @@ int fwu_plat_get_update_index(uint *update_idx); > > * > > */ > > void fwu_plat_get_bootidx(uint *boot_idx); > > + > > +/** > > + * fwu_update_checks_pass() - Check if FWU update can be done > > + * > > + * Check if the FWU update can be executed. The updates are > > + * allowed only when the platform is not in Trial State and > > + * the boot time checks have passed > > + * > > + * Return: 1 if OK, 0 on error > > + * > > + */ > > +u8 fwu_update_checks_pass(void); > > + > > #endif /* _FWU_H_ */ > > diff --git a/lib/fwu_updates/fwu.c b/lib/fwu_updates/fwu.c > > index e782dc0176..2016a6d2c1 100644 > > --- a/lib/fwu_updates/fwu.c > > +++ b/lib/fwu_updates/fwu.c > > @@ -4,10 +4,19 @@ > > */ > > > > #include <dm.h> > > +#include <efi.h> > > #include <efi_loader.h> > > +#include <efi_variable.h> > > +#include <event.h> > > #include <fwu.h> > > #include <fwu_mdata.h> > > -#include <log.h> > > +#include <malloc.h> > > + > > +#include <linux/errno.h> > > +#include <linux/types.h> > > + > > +static u8 trial_state; > > +static u8 boottime_check; > > > > #include <linux/errno.h> > > #include <linux/types.h> > > @@ -44,6 +53,110 @@ static int fwu_get_dev_mdata(struct udevice **dev, struct fwu_mdata *mdata) > > return ret; > > } > > > > +static int trial_counter_update(u16 *trial_state_ctr) > > +{ > > + bool delete; > > + u32 var_attr; > > + efi_status_t status; > > + efi_uintn_t var_size; > > + > > + delete = !trial_state_ctr ? true : false; > > + var_size = !trial_state_ctr ? 0 : (efi_uintn_t)sizeof(*trial_state_ctr); > > + var_attr = !trial_state_ctr ? 0 : EFI_VARIABLE_NON_VOLATILE | > > + EFI_VARIABLE_BOOTSERVICE_ACCESS; > > + status = efi_set_variable_int(u"TrialStateCtr", > > + &efi_global_variable_guid, > > + var_attr, > > + var_size, trial_state_ctr, false); > > + > > + if ((delete && (status != EFI_NOT_FOUND && > > + status != EFI_SUCCESS)) || > > + (!delete && status != EFI_SUCCESS)) > > + return -1; > > + > > + return 0; > > +} > > + > > +static int in_trial_state(struct fwu_mdata *mdata) > > +{ > > + u32 i, active_bank; > > + struct fwu_image_entry *img_entry; > > + struct fwu_image_bank_info *img_bank_info; > > + > > + active_bank = mdata->active_index; > > + img_entry = &mdata->img_entry[0]; > > + for (i = 0; i < CONFIG_FWU_NUM_IMAGES_PER_BANK; i++) { > > + img_bank_info = &img_entry[i].img_bank_info[active_bank]; > > + if (!img_bank_info->accepted) { > > + return 1; > > + } > > Remove {} Okay > > > + } > > + > > + return 0; > > +} > > + > > +static int fwu_trial_state_check(void) > > +{ > > + int ret; > > + struct udevice *dev; > > + efi_status_t status; > > + efi_uintn_t var_size; > > + u16 trial_state_ctr; > > + struct fwu_mdata mdata = { 0 }; > > + > > + ret = fwu_get_dev_mdata(&dev, &mdata); > > + if (ret) > > + return ret; > > + > > + trial_state = in_trial_state(&mdata); > > + if (trial_state) { > > + var_size = (efi_uintn_t)sizeof(trial_state_ctr); > > + log_info("System booting in Trial State\n"); > > + status = efi_get_variable_int(u"TrialStateCtr", > > + &efi_global_variable_guid, > > + NULL, > > + &var_size, &trial_state_ctr, > > + NULL); > > + if (status != EFI_SUCCESS) { > > + log_err("Unable to read TrialStateCtr variable\n"); > > + ret = -1; > > + goto out; > > + } > > + > > + ++trial_state_ctr; > > + if (trial_state_ctr > CONFIG_FWU_TRIAL_STATE_CNT) { > > + log_info("Trial State count exceeded. Revert back to previous_active_index\n"); > > + ret = fwu_revert_boot_index(); > > + if (ret) { > > + log_err("Unable to revert active_index\n"); > > + goto out; > > + } > > + > > + /* Delete the TrialStateCtr variable */ > > + ret = trial_counter_update(NULL); > > + if (ret) { > > + log_err("Unable to delete TrialStateCtr variable\n"); > > + goto out; > > + } > > This is a bit confusing for me. If the trial_state_ctr we need to goto out > anyway right? So why don't we explicitly add a goto out at the end and get > rid of the else that's following ? Actually, we don't need the goto statement above, as well as the one used below, in the else part. I can get rid of it. Personally I feel that this provides more clarity as to how the code flow is, but I can get rid of it if you so prefer. Thanks. -sughosh > > > + } else { > > + ret = trial_counter_update(&trial_state_ctr); > > + if (ret) { > > + log_err("Unable to increment TrialStateCtr variable\n"); > > + goto out; > > + } > > + } > > + } else { > > + /* Delete the variable */ > > + ret = trial_counter_update(NULL); > > + if (ret) { > > + log_err("Unable to delete TrialStateCtr variable\n"); > > + } > > + } > > + > > +out: > > + return ret; > > +} > > + > > static int fwu_get_image_type_id(u8 *image_index, efi_guid_t *image_type_id) > > { > > u8 index; > > @@ -494,3 +607,69 @@ __weak int fwu_plat_get_update_index(uint *update_idx) > > > > return ret; > > } > > + > > +/** > > + * fwu_update_checks_pass() - Check if FWU update can be done > > + * > > + * Check if the FWU update can be executed. The updates are > > + * allowed only when the platform is not in Trial State and > > + * the boot time checks have passed > > + * > > + * Return: 1 if OK, 0 on error > > + * > > + */ > > +u8 fwu_update_checks_pass(void) > > +{ > > + return !trial_state && boottime_check; > > +} > > + > > +static int fwu_boottime_checks(void *ctx, struct event *event) > > +{ > > + int ret; > > + u32 boot_idx, active_idx; > > + > > + ret = fwu_check_mdata_validity(); > > + if (ret) > > + return 0; > > + > > + /* > > + * Get the Boot Index, i.e. the bank from > > + * which the platform has booted. This value > > + * gets passed from the ealier stage bootloader > > + * which booted u-boot, e.g. tf-a. If the > > + * boot index is not the same as the > > + * active_index read from the FWU metadata, > > + * update the active_index. > > + */ > > + fwu_plat_get_bootidx(&boot_idx); > > + if (boot_idx >= CONFIG_FWU_NUM_BANKS) { > > + log_err("Received incorrect value of boot_index\n"); > > + return 0; > > + } > > + > > + ret = fwu_get_active_index(&active_idx); > > + if (ret) { > > + log_err("Unable to read active_index\n"); > > + return 0; > > + } > > + > > + if (boot_idx != active_idx) { > > + log_info("Boot idx %u is not matching active idx %u, changing active_idx\n", > > + boot_idx, active_idx); > > + ret = fwu_set_active_index(boot_idx); > > + if (!ret) > > + boottime_check = 1; > > + > > + return 0; > > + } > > + > > + if (efi_init_obj_list() != EFI_SUCCESS) > > + return 0; > > + > > + ret = fwu_trial_state_check(); > > + if (!ret) > > + boottime_check = 1; > > + > > + return 0; > > +} > > +EVENT_SPY(EVT_MAIN_LOOP, fwu_boottime_checks); > > -- > > 2.34.1 > > > > Thanks > /Ilias
Hi Sughosh, [...] > > > + > > > +static int fwu_trial_state_check(void) > > > +{ > > > + int ret; > > > + struct udevice *dev; > > > + efi_status_t status; > > > + efi_uintn_t var_size; > > > + u16 trial_state_ctr; > > > + struct fwu_mdata mdata = { 0 }; > > > + > > > + ret = fwu_get_dev_mdata(&dev, &mdata); > > > + if (ret) > > > + return ret; > > > + > > > + trial_state = in_trial_state(&mdata); > > > + if (trial_state) { > > > + var_size = (efi_uintn_t)sizeof(trial_state_ctr); > > > + log_info("System booting in Trial State\n"); > > > + status = efi_get_variable_int(u"TrialStateCtr", > > > + &efi_global_variable_guid, > > > + NULL, > > > + &var_size, &trial_state_ctr, > > > + NULL); > > > + if (status != EFI_SUCCESS) { > > > + log_err("Unable to read TrialStateCtr variable\n"); > > > + ret = -1; > > > + goto out; > > > + } > > > + > > > + ++trial_state_ctr; > > > + if (trial_state_ctr > CONFIG_FWU_TRIAL_STATE_CNT) { > > > + log_info("Trial State count exceeded. Revert back to previous_active_index\n"); > > > + ret = fwu_revert_boot_index(); > > > + if (ret) { > > > + log_err("Unable to revert active_index\n"); > > > + goto out; > > > + } > > > + > > > + /* Delete the TrialStateCtr variable */ > > > + ret = trial_counter_update(NULL); > > > + if (ret) { > > > + log_err("Unable to delete TrialStateCtr variable\n"); > > > + goto out; > > > + } > > > > This is a bit confusing for me. If the trial_state_ctr we need to goto out > > anyway right? So why don't we explicitly add a goto out at the end and get > > rid of the else that's following ? > > Actually, we don't need the goto statement above, as well as the one > used below, in the else part. I can get rid of it. Personally I feel > that this provides more clarity as to how the code flow is, but I can > get rid of it if you so prefer. Thanks. I prefer keeping a single goto and getting rid of the else tbh. It's normal code flow you execute while having a single error check Thanks /Ilias > > -sughosh > > > > > > + } else { > > > + ret = trial_counter_update(&trial_state_ctr); > > > + if (ret) { > > > + log_err("Unable to increment TrialStateCtr variable\n"); > > > + goto out; > > > + } > > > + } > > > + } else { > > > + /* Delete the variable */ > > > + ret = trial_counter_update(NULL); > > > + if (ret) { > > > + log_err("Unable to delete TrialStateCtr variable\n"); > > > + } > > > + } > > > + > > > +out: > > > + return ret; > > > +} > > > + > > > static int fwu_get_image_type_id(u8 *image_index, efi_guid_t *image_type_id) > > > { > > > u8 index; > > > @@ -494,3 +607,69 @@ __weak int fwu_plat_get_update_index(uint *update_idx) > > > > > > return ret; > > > } > > > + > > > +/** > > > + * fwu_update_checks_pass() - Check if FWU update can be done > > > + * > > > + * Check if the FWU update can be executed. The updates are > > > + * allowed only when the platform is not in Trial State and > > > + * the boot time checks have passed > > > + * > > > + * Return: 1 if OK, 0 on error > > > + * > > > + */ > > > +u8 fwu_update_checks_pass(void) > > > +{ > > > + return !trial_state && boottime_check; > > > +} > > > + > > > +static int fwu_boottime_checks(void *ctx, struct event *event) > > > +{ > > > + int ret; > > > + u32 boot_idx, active_idx; > > > + > > > + ret = fwu_check_mdata_validity(); > > > + if (ret) > > > + return 0; > > > + > > > + /* > > > + * Get the Boot Index, i.e. the bank from > > > + * which the platform has booted. This value > > > + * gets passed from the ealier stage bootloader > > > + * which booted u-boot, e.g. tf-a. If the > > > + * boot index is not the same as the > > > + * active_index read from the FWU metadata, > > > + * update the active_index. > > > + */ > > > + fwu_plat_get_bootidx(&boot_idx); > > > + if (boot_idx >= CONFIG_FWU_NUM_BANKS) { > > > + log_err("Received incorrect value of boot_index\n"); > > > + return 0; > > > + } > > > + > > > + ret = fwu_get_active_index(&active_idx); > > > + if (ret) { > > > + log_err("Unable to read active_index\n"); > > > + return 0; > > > + } > > > + > > > + if (boot_idx != active_idx) { > > > + log_info("Boot idx %u is not matching active idx %u, changing active_idx\n", > > > + boot_idx, active_idx); > > > + ret = fwu_set_active_index(boot_idx); > > > + if (!ret) > > > + boottime_check = 1; > > > + > > > + return 0; > > > + } > > > + > > > + if (efi_init_obj_list() != EFI_SUCCESS) > > > + return 0; > > > + > > > + ret = fwu_trial_state_check(); > > > + if (!ret) > > > + boottime_check = 1; > > > + > > > + return 0; > > > +} > > > +EVENT_SPY(EVT_MAIN_LOOP, fwu_boottime_checks); > > > -- > > > 2.34.1 > > > > > > > Thanks > > /Ilias
Hi Sughosh, > > > + } > > > + > > > + return 0; > > > +} > > > + > > > +static int fwu_trial_state_check(void) > > > +{ > > > + int ret; > > > + struct udevice *dev; > > > + efi_status_t status; > > > + efi_uintn_t var_size; > > > + u16 trial_state_ctr; > > > + struct fwu_mdata mdata = { 0 }; > > > + > > > + ret = fwu_get_dev_mdata(&dev, &mdata); > > > + if (ret) > > > + return ret; > > > + > > > + trial_state = in_trial_state(&mdata); > > > + if (trial_state) { > > > + var_size = (efi_uintn_t)sizeof(trial_state_ctr); > > > + log_info("System booting in Trial State\n"); > > > + status = efi_get_variable_int(u"TrialStateCtr", > > > + &efi_global_variable_guid, > > > + NULL, > > > + &var_size, &trial_state_ctr, > > > + NULL); > > > + if (status != EFI_SUCCESS) { > > > + log_err("Unable to read TrialStateCtr variable\n"); > > > + ret = -1; > > > + goto out; > > > + } > > > + > > > + ++trial_state_ctr; > > > + if (trial_state_ctr > CONFIG_FWU_TRIAL_STATE_CNT) { > > > + log_info("Trial State count exceeded. Revert back to previous_active_index\n"); > > > + ret = fwu_revert_boot_index(); > > > + if (ret) { > > > + log_err("Unable to revert active_index\n"); > > > + goto out; > > > + } > > > + > > > + /* Delete the TrialStateCtr variable */ > > > + ret = trial_counter_update(NULL); > > > + if (ret) { > > > + log_err("Unable to delete TrialStateCtr variable\n"); > > > + goto out; > > > + } > > > > This is a bit confusing for me. If the trial_state_ctr we need to goto out > > anyway right? So why don't we explicitly add a goto out at the end and get > > rid of the else that's following ? > > Actually, we don't need the goto statement above, as well as the one > used below, in the else part. I can get rid of it. Personally I feel > that this provides more clarity as to how the code flow is, but I can > get rid of it if you so prefer. Thanks. > > -sughosh My previous reply wasn't that clear let me try again. Indeed the goto's aren't needed and that's the first confusing thing. On top of that the fwu_trial_state_check() is a bit misleading as well, since it does a lot more than checking. So that functions does - check the trial state counter - remove it if not on trial state - bump the counter - if the counter exceeds a threshold try to delete it Also due to the fact that this runs from the event loop, the return codes are a bit confusing However this is only called from a fwu_boottime_checks() so we can break it up in smaller pieces that would be easier to read. In fwu_trial_state_check() you only need the metadata to check whether you are in trial state or not. So I would suggest 1. Create a trial_counter_read() which only reads the EFI variable 2. move the metadata code in fwu_boottime_checks()a instead of fwu_trial_state_check() 3. rename fwu_trial_state_check() -> fwu_try_update_cnt() static u8 trial_state; -> s/trial_state/in_trial/ static int fwu_boottime_checks(void *ctx, struct event *event) { ..... ret = fwu_get_dev_mdata(&dev, &mdata); if (ret) return ret;(NULL); in_trial = in_trial_state(&mdata) + 1; cnt = trial_counter_read(); if (in_trial && cnt < CONFIG_FWU_TRIAL_STATE_CNT) ret = fwu_try_update_cnt() if (fail) trial_counter_update else trial_counter_update(NULL); There will be an extra GetVariable call since we unconditionally read the counter now, but we can add if (in_trial), although it doesn't matter that much. Can you give it a shot and see if that works for you? Thanks /Ilias > > > > > > + } else { > > > + ret = trial_counter_update(&trial_state_ctr); > > > + if (ret) { > > > + log_err("Unable to increment TrialStateCtr variable\n"); > > > + goto out; > > > + } > > > + } > > > + } else { > > > + /* Delete the variable */ > > > + ret = trial_counter_update(NULL); > > > + if (ret) { > > > + log_err("Unable to delete TrialStateCtr variable\n"); > > > + } > > > + } > > > + > > > +out: > > > + return ret; > > > +} > > > + > > > static int fwu_get_image_type_id(u8 *image_index, efi_guid_t *image_type_id) > > > { > > > u8 index; > > > @@ -494,3 +607,69 @@ __weak int fwu_plat_get_update_index(uint *update_idx) > > > > > > return ret; > > > } > > > + > > > +/** > > > + * fwu_update_checks_pass() - Check if FWU update can be done > > > + * > > > + * Check if the FWU update can be executed. The updates are > > > + * allowed only when the platform is not in Trial State and > > > + * the boot time checks have passed > > > + * > > > + * Return: 1 if OK, 0 on error > > > + * > > > + */ > > > +u8 fwu_update_checks_pass(void) > > > +{ > > > + return !trial_state && boottime_check; > > > +} > > > + > > > +static int fwu_boottime_checks(void *ctx, struct event *event) > > > +{ > > > + int ret; > > > + u32 boot_idx, active_idx; > > > + > > > + ret = fwu_check_mdata_validity(); > > > + if (ret) > > > + return 0; > > > + > > > + /* > > > + * Get the Boot Index, i.e. the bank from > > > + * which the platform has booted. This value > > > + * gets passed from the ealier stage bootloader > > > + * which booted u-boot, e.g. tf-a. If the > > > + * boot index is not the same as the > > > + * active_index read from the FWU metadata, > > > + * update the active_index. > > > + */ > > > + fwu_plat_get_bootidx(&boot_idx); > > > + if (boot_idx >= CONFIG_FWU_NUM_BANKS) { > > > + log_err("Received incorrect value of boot_index\n"); > > > + return 0; > > > + } > > > + > > > + ret = fwu_get_active_index(&active_idx); > > > + if (ret) { > > > + log_err("Unable to read active_index\n"); > > > + return 0; > > > + } > > > + > > > + if (boot_idx != active_idx) { > > > + log_info("Boot idx %u is not matching active idx %u, changing active_idx\n", > > > + boot_idx, active_idx); > > > + ret = fwu_set_active_index(boot_idx); > > > + if (!ret) > > > + boottime_check = 1; > > > + > > > + return 0; > > > + } > > > + > > > + if (efi_init_obj_list() != EFI_SUCCESS) > > > + return 0; > > > + > > > + ret = fwu_trial_state_check(); > > > + if (!ret) > > > + boottime_check = 1; > > > + > > > + return 0; > > > +} > > > +EVENT_SPY(EVT_MAIN_LOOP, fwu_boottime_checks); > > > -- > > > 2.34.1 > > > > > > > Thanks > > /Ilias
diff --git a/include/fwu.h b/include/fwu.h index 7d38cb5856..c7b932bc0b 100644 --- a/include/fwu.h +++ b/include/fwu.h @@ -345,4 +345,17 @@ int fwu_plat_get_update_index(uint *update_idx); * */ void fwu_plat_get_bootidx(uint *boot_idx); + +/** + * fwu_update_checks_pass() - Check if FWU update can be done + * + * Check if the FWU update can be executed. The updates are + * allowed only when the platform is not in Trial State and + * the boot time checks have passed + * + * Return: 1 if OK, 0 on error + * + */ +u8 fwu_update_checks_pass(void); + #endif /* _FWU_H_ */ diff --git a/lib/fwu_updates/fwu.c b/lib/fwu_updates/fwu.c index e782dc0176..2016a6d2c1 100644 --- a/lib/fwu_updates/fwu.c +++ b/lib/fwu_updates/fwu.c @@ -4,10 +4,19 @@ */ #include <dm.h> +#include <efi.h> #include <efi_loader.h> +#include <efi_variable.h> +#include <event.h> #include <fwu.h> #include <fwu_mdata.h> -#include <log.h> +#include <malloc.h> + +#include <linux/errno.h> +#include <linux/types.h> + +static u8 trial_state; +static u8 boottime_check; #include <linux/errno.h> #include <linux/types.h> @@ -44,6 +53,110 @@ static int fwu_get_dev_mdata(struct udevice **dev, struct fwu_mdata *mdata) return ret; } +static int trial_counter_update(u16 *trial_state_ctr) +{ + bool delete; + u32 var_attr; + efi_status_t status; + efi_uintn_t var_size; + + delete = !trial_state_ctr ? true : false; + var_size = !trial_state_ctr ? 0 : (efi_uintn_t)sizeof(*trial_state_ctr); + var_attr = !trial_state_ctr ? 0 : EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS; + status = efi_set_variable_int(u"TrialStateCtr", + &efi_global_variable_guid, + var_attr, + var_size, trial_state_ctr, false); + + if ((delete && (status != EFI_NOT_FOUND && + status != EFI_SUCCESS)) || + (!delete && status != EFI_SUCCESS)) + return -1; + + return 0; +} + +static int in_trial_state(struct fwu_mdata *mdata) +{ + u32 i, active_bank; + struct fwu_image_entry *img_entry; + struct fwu_image_bank_info *img_bank_info; + + active_bank = mdata->active_index; + img_entry = &mdata->img_entry[0]; + for (i = 0; i < CONFIG_FWU_NUM_IMAGES_PER_BANK; i++) { + img_bank_info = &img_entry[i].img_bank_info[active_bank]; + if (!img_bank_info->accepted) { + return 1; + } + } + + return 0; +} + +static int fwu_trial_state_check(void) +{ + int ret; + struct udevice *dev; + efi_status_t status; + efi_uintn_t var_size; + u16 trial_state_ctr; + struct fwu_mdata mdata = { 0 }; + + ret = fwu_get_dev_mdata(&dev, &mdata); + if (ret) + return ret; + + trial_state = in_trial_state(&mdata); + if (trial_state) { + var_size = (efi_uintn_t)sizeof(trial_state_ctr); + log_info("System booting in Trial State\n"); + status = efi_get_variable_int(u"TrialStateCtr", + &efi_global_variable_guid, + NULL, + &var_size, &trial_state_ctr, + NULL); + if (status != EFI_SUCCESS) { + log_err("Unable to read TrialStateCtr variable\n"); + ret = -1; + goto out; + } + + ++trial_state_ctr; + if (trial_state_ctr > CONFIG_FWU_TRIAL_STATE_CNT) { + log_info("Trial State count exceeded. Revert back to previous_active_index\n"); + ret = fwu_revert_boot_index(); + if (ret) { + log_err("Unable to revert active_index\n"); + goto out; + } + + /* Delete the TrialStateCtr variable */ + ret = trial_counter_update(NULL); + if (ret) { + log_err("Unable to delete TrialStateCtr variable\n"); + goto out; + } + } else { + ret = trial_counter_update(&trial_state_ctr); + if (ret) { + log_err("Unable to increment TrialStateCtr variable\n"); + goto out; + } + } + } else { + /* Delete the variable */ + ret = trial_counter_update(NULL); + if (ret) { + log_err("Unable to delete TrialStateCtr variable\n"); + } + } + +out: + return ret; +} + static int fwu_get_image_type_id(u8 *image_index, efi_guid_t *image_type_id) { u8 index; @@ -494,3 +607,69 @@ __weak int fwu_plat_get_update_index(uint *update_idx) return ret; } + +/** + * fwu_update_checks_pass() - Check if FWU update can be done + * + * Check if the FWU update can be executed. The updates are + * allowed only when the platform is not in Trial State and + * the boot time checks have passed + * + * Return: 1 if OK, 0 on error + * + */ +u8 fwu_update_checks_pass(void) +{ + return !trial_state && boottime_check; +} + +static int fwu_boottime_checks(void *ctx, struct event *event) +{ + int ret; + u32 boot_idx, active_idx; + + ret = fwu_check_mdata_validity(); + if (ret) + return 0; + + /* + * Get the Boot Index, i.e. the bank from + * which the platform has booted. This value + * gets passed from the ealier stage bootloader + * which booted u-boot, e.g. tf-a. If the + * boot index is not the same as the + * active_index read from the FWU metadata, + * update the active_index. + */ + fwu_plat_get_bootidx(&boot_idx); + if (boot_idx >= CONFIG_FWU_NUM_BANKS) { + log_err("Received incorrect value of boot_index\n"); + return 0; + } + + ret = fwu_get_active_index(&active_idx); + if (ret) { + log_err("Unable to read active_index\n"); + return 0; + } + + if (boot_idx != active_idx) { + log_info("Boot idx %u is not matching active idx %u, changing active_idx\n", + boot_idx, active_idx); + ret = fwu_set_active_index(boot_idx); + if (!ret) + boottime_check = 1; + + return 0; + } + + if (efi_init_obj_list() != EFI_SUCCESS) + return 0; + + ret = fwu_trial_state_check(); + if (!ret) + boottime_check = 1; + + return 0; +} +EVENT_SPY(EVT_MAIN_LOOP, fwu_boottime_checks);