wip

Author: lzrd

app/lpc55xpresso/app.toml

@@ -47,7 +47,6 @@ start = true
 [tasks.update_server]
 name = "lpc55-update-server"
 priority = 3
-max-sizes = {flash = 26720, ram = 16704}
 stacksize = 8192
 start = true
 sections = {bootstate = "usbsram", transient_override = "override"}

drv/lpc55-sprot-server/src/handler.rs

@@ -679,6 +679,16 @@ impl<'a> Handler {
 
                 Ok((RspBody::State(out.map(StateRsp::LifecycleState)), None))
             }
+            ReqBody::Update(UpdateReq::ComponentSwitchCancelPending {
+                component,
+                slot,
+                duration,
+            }) => {
+                self.update.component_switch_cancel_pending(
+                    component, slot, duration,
+                )?;
+                Ok((RspBody::Ok, None))
+            }
         }
     }
 

drv/lpc55-update-server/src/main.rs

@@ -571,6 +571,23 @@ impl idl::InOrderUpdateImpl for ServerImpl<'_> {
             }
         }
     }
+
+    fn component_switch_cancel_pending(
+        &mut self,
+        _: &userlib::RecvMessage,
+        component: RotComponent,
+        slot: SlotId,
+        duration: SwitchDuration,
+    ) -> Result<(), RequestError<UpdateError>> {
+        match component {
+            RotComponent::Hubris => {
+                self.switch_default_hubris_image_cancel_pending(slot, duration)
+            }
+            RotComponent::Stage0 => {
+                Err(UpdateError::InvalidSlotIdForOperation.into())
+            }
+        }
+    }
 }
 
 impl NotificationHandler for ServerImpl<'_> {
@@ -615,7 +632,7 @@ impl ServerImpl<'_> {
         Ok(val)
     }
 
-    // Return the persistent and transient boot preferences
+    // Return the persistent, pending_persistent, and transient boot preferences
     fn boot_preferences(
         &mut self,
     ) -> Result<(SlotId, Option<SlotId>, Option<SlotId>), UpdateError> {
@@ -946,33 +963,24 @@ impl ServerImpl<'_> {
         duration: SwitchDuration,
     ) -> Result<(), RequestError<UpdateError>> {
         // Note: Rollback policy will be checking epoch values before activating.
+
         match duration {
             SwitchDuration::Once => {
-                // Get the currently active slot.
-                let active_slot = match bootstate()
-                    .map_err(|_| UpdateError::MissingHandoffData)?
-                    .active
-                {
-                    stage0_handoff::RotSlot::A => SlotId::A,
-                    stage0_handoff::RotSlot::B => SlotId::B,
-                };
-
-                // If the requested slot is the same as the active slot,
-                // treat this as a request to CLEAR the transient override.
-                //
-                // If we did allow setting the active slot as the transient
-                // preference, then we get this confusing 2-boot scenario when
-                // pending persistent preference is also used:
-                // the next reset returns us to the original image and the 2nd
-                // reset has us running the new/alternate image.
-                if active_slot == slot {
-                    set_hubris_transient_override(None);
+                if get_hubris_transient_override().is_some() {
+                    // Maybe something is out-of-sync in the control plane?
+                    // An error returned here can help narrow that down up there.
+                    // The caller must clear the existing pending preference.
+                    return Err(UpdateError::AlreadyPending.into());
                 } else {
-                    // Otherwise, set the preference as requested.
                     set_hubris_transient_override(Some(slot));
                 }
             }
             SwitchDuration::Forever => {
+                // Caller must first cancel pending persistent state if present.
+                if let (_, Some(_), _) = self.boot_preferences()? {
+                    return Err(UpdateError::AlreadyPending.into());
+                }
+
                 // Locate and return the authoritative CFPA flash word number
                 // and the CFPA version for that flash number.
                 //
@@ -1002,19 +1010,6 @@ impl ServerImpl<'_> {
                 let (cfpa_word_number, _) =
                     self.cfpa_word_number_and_version(CfpaPage::Active)?;
 
-                // TODO: Hubris issue #2093: If there is a pending update in the
-                // scratch page, it is not being considered.
-                // Consider:
-                //   - A is active
-                //   - persistent switch to B without reset
-                //       - scratch page is updated
-                //       - return Ok(())
-                //   - persistent switch to A without reset
-                //       - A is already active, no work performed
-                //       - return Ok(())
-                //   - reset
-                //   - B is active
-
                 // Read current CFPA contents.
                 let mut cfpa = [[0u32; 4]; 512 / 16];
                 indirect_flash_read_words(
@@ -1102,6 +1097,71 @@ impl ServerImpl<'_> {
 
         Ok(())
     }
+
+    /// Cancel pending transient or persistent Hubris image selection.
+    fn switch_default_hubris_image_cancel_pending(
+        &mut self,
+        slot: SlotId,
+        duration: SwitchDuration,
+    ) -> Result<(), RequestError<UpdateError>> {
+        // Note: Rollback policy will be checking epoch values before activating.
+        match duration {
+            SwitchDuration::Once => {
+                // Is there a pending transient boot selection?
+                // If it matches the one being cancelled
+                if let Some(transient_selection) =
+                    get_hubris_transient_override()
+                {
+                    if transient_selection == slot {
+                        set_hubris_transient_override(None);
+                        Ok(())
+                    } else {
+                        Err(UpdateError::InvalidPreferredSlotId.into())
+                    }
+                } else {
+                    Err(UpdateError::NonePending.into())
+                }
+            }
+            SwitchDuration::Forever => {
+                // Note: Scratch page data does not have to be preserved unless/until we have
+                // multiple fields with pending updates. Right now, we only implement the
+                // pending_persistent bit. IMAGE_KEY_REVOKE and RKTH_REVOKE
+                // fields are not yet managed.
+
+                if let (_, Some(pending_persistent), _) =
+                    self.boot_preferences()?
+                {
+                    if slot == pending_persistent {
+                        // Cancel the CFPA update by erase/writing zeros to the
+                        // scratch page.
+                        // As a result, the scratch page verison will never be
+                        // higher than the active page version.
+                        // Also, we won't fix the CRC so it won't be deemed
+                        // valid by the boot ROM in any case.
+                        let cfpa = [[0u32; 4]; 512 / 16];
+                        let cfpa_bytes: &[u8] = cfpa.as_bytes();
+                        let cfpa_bytes: &[u8; BLOCK_SIZE_BYTES] =
+                            cfpa_bytes.try_into().unwrap_lite();
+                        self.flash
+                            .write_page(
+                                CFPA_SCRATCH_FLASH_ADDR,
+                                cfpa_bytes,
+                                wait_for_flash_interrupt,
+                            )
+                            .map_err(|_| UpdateError::FlashError.into())
+                    } else {
+                        // Slot mismatch.
+                        // Fail assuming that the control plane was working with stale information.
+                        Err(UpdateError::InvalidPreferredSlotId.into())
+                    }
+                } else {
+                    // No pending persistent prefereice.
+                    // Fail assuming that the control plane was working with stale information.
+                    Err(UpdateError::NonePending.into())
+                }
+            }
+        }
+    }
 }
 
 // Return the preferred slot to boot from for a given CFPA boot selection

drv/sprot-api/src/lib.rs

@@ -413,6 +413,11 @@ pub enum UpdateReq {
         slot: SlotId,
         duration: SwitchDuration,
     },
+    ComponentSwitchCancelPending {
+        component: RotComponent,
+        slot: SlotId,
+        duration: SwitchDuration,
+    },
 }
 
 #[derive(Clone, Serialize, Deserialize, SerializedSize)]

drv/stm32h7-sprot-server/src/main.rs

@@ -1345,6 +1345,28 @@ impl<S: SpiServer> idl::InOrderSpRotImpl for ServerImpl<S> {
         }
     }
 
+    fn component_switch_cancel_pending(
+        &mut self,
+        _msg: &userlib::RecvMessage,
+        component: RotComponent,
+        slot: SlotId,
+        duration: SwitchDuration,
+    ) -> Result<(), idol_runtime::RequestError<SprotError>> {
+        let body = ReqBody::Update(UpdateReq::ComponentSwitchCancelPending {
+            component,
+            slot,
+            duration,
+        });
+        let tx_size = Request::pack(&body, self.tx_buf);
+        let rsp =
+            self.do_send_recv_retries(tx_size, TIMEOUT_LONG, DEFAULT_ATTEMPTS)?;
+        if let RspBody::Ok = rsp.body? {
+            Ok(())
+        } else {
+            Err(SprotProtocolError::UnexpectedResponse)?
+        }
+    }
+
     fn lifecycle_state(
         &mut self,
         _msg: &userlib::RecvMessage,

drv/update-api/src/lib.rs

@@ -67,6 +67,8 @@ pub enum UpdateError {
     VersionNotSupported,
 
     InvalidPreferredSlotId,
+    // AlreadyPending,
+    // NonePending,
 }
 
 impl From<UpdateError> for GwUpdateError {
@@ -106,6 +108,8 @@ impl From<UpdateError> for GwUpdateError {
             UpdateError::SignatureNotValidated => Self::SignatureNotValidated,
             UpdateError::VersionNotSupported => Self::VersionNotSupported,
             UpdateError::InvalidPreferredSlotId => Self::InvalidPreferredSlotId,
+            // UpdateError::AlreadyPending => Self::AlreadyPending,
+            // UpdateError::NonePending => Self::NonePending,
         }
     }
 }

idl/lpc55-update.idol

@@ -212,5 +212,19 @@ Interface(
             idempotent: true,
             encoding: Hubpack
         ),
+        "component_switch_cancel_pending": (
+            doc: "Cancal a pending persistent or transient image switch",
+            args: {
+                "component": "RotComponent",
+                "slot": "SlotId",
+                "duration": "SwitchDuration",
+            },
+            reply: Result(
+                ok: "()",
+                err: CLike("drv_update_api::UpdateError"),
+            ),
+            encoding: Hubpack,
+            idempotent: true,
+        ),
     },
 )

idl/sprot.idol

@@ -443,5 +443,19 @@ Interface(
             encoding: Hubpack,
             idempotent: true,
         ),
+        "component_switch_cancel_pending": (
+            doc: "Cancal a pending persistent or transient image switch",
+            args: {
+                "component": "RotComponent",
+                "slot": "SlotId",
+                "duration": "SwitchDuration",
+            },
+            reply: Result(
+                ok: "()",
+                err: Complex("SprotError"),
+            ),
+            encoding: Hubpack,
+            idempotent: true,
+        ),
     }
 )

task/control-plane-agent/src/main.rs

@@ -179,6 +179,11 @@ enum MgsMessage {
     GetHostFlashHash {
         slot: u16,
     },
+    ComponentCancelPendingActiveSlot {
+        component: SpComponent,
+        slot: u16,
+        persist: bool,
+    },
 }
 
 // This enum does not define the actual IPC protocol - it is only used in the

task/control-plane-agent/src/mgs_common.rs

@@ -429,6 +429,52 @@ impl MgsCommon {
         }
     }
 
+    pub(crate) fn component_cancel_pending_active_slot(
+        &mut self,
+        component: SpComponent,
+        slot: u16,
+        persist: bool,
+    ) -> Result<(), GwSpError> {
+        match component {
+            SpComponent::ROT | SpComponent::STAGE0 => {
+                let slot = slot
+                    .try_into()
+                    .map_err(|()| GwSpError::RequestUnsupportedForComponent)?;
+                let duration = if persist {
+                    SwitchDuration::Forever
+                } else {
+                    SwitchDuration::Once
+                };
+                self.sprot.component_switch_cancel_pending(
+                    if component == SpComponent::ROT {
+                        SpRotComponent::Hubris
+                    } else {
+                        SpRotComponent::Stage0
+                    },
+                    slot,
+                    duration,
+                )?;
+                Ok(())
+            }
+
+            SpComponent::SP_ITSELF => {
+                let slot = slot
+                    .try_into()
+                    .map_err(|()| GwSpError::RequestUnsupportedForComponent)?;
+                if !persist {
+                    // We have no mechanism to temporarily swap the banks on the SP
+                    return Err(GwSpError::RequestUnsupportedForComponent);
+                };
+                self.update_sp
+                    .set_pending_boot_slot(slot)
+                    .map_err(|err| GwSpError::UpdateFailed(err as u32))?;
+                Ok(())
+            }
+            // Other components might also be served someday.
+            _ => Err(GwSpError::RequestUnsupportedForComponent),
+        }
+    }
+
     pub(crate) fn read_sensor(
         &mut self,
         req: SensorRequest,