I would like to implement an update system (most likely using SWUpdate) "Double copy with fall-back" and, possibly a "last resort" recovery.
I have a pretty clear idea of what the program flow should be, but I don't know how to implement it in U-Boot. In particular:

* How can I determine, in U-Boot, if the previous boot was successful?
* Is there an established "best practice" for this?
* I would like to avoid rewriting the Environment at each reboot (it can happen /many/ times/day and that would kill the SPI NOR).
* In U-Boot there's a BootCounter, but I've been unable to understand if/how it works and I strongly doubt it will be useful because it stores the counter itself in a uController register that is cleared on hard reset (and, of course, at power-up). Since my only way to "recover" from a failed boot may well be a power-cycle, I suspect this method is scarcely usable (but I might have missed something).
* OTOH, as said, rewriting the Environment (currently in SPI NOR) at each boot doesn't seem advisable.

What I am aiming at (but I'm ready to change, if there's a better way) is:

* my board (VoCore2 SoM) has:
  o 128MiB RAM
  o 16MiB SPI NOR (MTD)
  o 8GiB SD card (MMC)
* On SD I should have:
  o One FAT-formatted partition containing two kernel images.
  o Two ext4 partitions containing RootFS (one for each kernel image).
  o Two ext4 partitions for Application (to be mounted on /usr/local, if it matters).
* On MTD1 I should have U-Boot.
* MTD2 and MTD3 should contain a "recovery copy" of kernel and RootFS (no Application).
* U-Boot should have a notion of "current" and "known good" system and should try booting "current" a few times; if it fails it should try "known good"; if it still fails (e.g.: SD is completely broken) it should boot from "recovery" on SPI NOR.

I've seen some `configs` (most notably theadorable-x86) seem to implement something like this, but, sincerely, I've been unable to divine what they're actually doing.

If someone could be so kind as to point me in the right direction... ;)

Thanks in Advance
Mauro
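An added example (not from the post above or from U-Boot's own sources) of how the "current / known good / recovery" scheme can be expressed with U-Boot's standard bootcount mechanism, in the text form that `env import -t` accepts. It assumes a U-Boot built with CONFIG_BOOTCOUNT_LIMIT and the environment-backed counter (CONFIG_BOOTCOUNT_ENV), which runs `altbootcmd` instead of `bootcmd` once `bootcount` exceeds `bootlimit` and only counts and saves the counter while `upgrade_available=1`, so the SPI NOR environment is rewritten only during the few boots after an update, not on every reboot; load address, partition numbers, file names, MTD offsets and sizes are placeholders.

```uboot
# Added example (not the poster's or U-Boot's own code): three-tier boot
# selection as a U-Boot environment. Assumes CONFIG_BOOTCOUNT_LIMIT with
# CONFIG_BOOTCOUNT_ENV (counter lives in the env, saved only while
# upgrade_available=1). All addresses, partitions and names are placeholders.
loadaddr=0x80800000
bootlimit=3
upgrade_available=0
current=a
known_good=a
# Slot A/B: kernel image from the FAT partition (mmc 0:1), rootfs on ext4
# partition 2 or 3. "bootm" only returns on failure, so a missing card, a
# failed load or a bad image header falls through to the caller's next step.
boot_a=load mmc 0:1 ${loadaddr} vmlinux-a.bin && setenv bootargs root=/dev/mmcblk0p2 rootwait && bootm ${loadaddr}
boot_b=load mmc 0:1 ${loadaddr} vmlinux-b.bin && setenv bootargs root=/dev/mmcblk0p3 rootwait && bootm ${loadaddr}
# Last resort: kernel from SPI NOR (MTD2), rootfs from MTD3; no SD needed.
recovery_off=0x200000
recovery_size=0x400000
boot_recovery=sf probe 0 && sf read ${loadaddr} ${recovery_off} ${recovery_size} && setenv bootargs root=/dev/mtdblock3 rootwait && bootm ${loadaddr}
# Normal path: "current", then "known good", then recovery. A later step is
# reached only when the earlier one could not even start a kernel.
bootcmd=run boot_${current}; run boot_${known_good}; run boot_recovery
# Taken by U-Boot when a kernel did start but Linux never cleared
# upgrade_available (bootcount > bootlimit): demote to "known good", and
# after bootlimit more failed attempts (bootcount > 6) give up on SD.
altbootcmd=if test ${bootcount} -gt 6; then run boot_recovery; fi; run boot_${known_good}; run boot_recovery
# Linux side (placeholder commands; these are the only NOR env writes):
#   SWUpdate post-install step, after writing the other slot:
#     fw_setenv current b; fw_setenv upgrade_available 1; fw_setenv bootcount 0
#   once the new system passes its own health check:
#     fw_setenv known_good b; fw_setenv upgrade_available 0
```

The counter only advances if a hung boot actually ends in a reset, so it is normally paired with a hardware watchdog that Linux starts servicing only after the health check; because the counter is in NOR while `upgrade_available=1`, a power-cycle during that window does not lose the attempt count.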