Status: Pre-RFC
The purpose of this document is to capture the process by which Tock will
perform a complete in-place B-slot update of the running firmware and request
that the ROM/ROM_EXT
code boot into it.
Note: For certification reasons this document does not discuss detailed guidance for encrypted updates. Additional implementation details on both regular and encrypted updates to follow when possible.
- A firmware update is initiated by a process external to the device.
- The system negotiates the parameters of the update:
- The system's availability for an update.
- Which slot the update must be built for, if the update requires a specific memory location (such as non relocatable monoliths).
- Which signature the update must be signed with in order to boot.
- The size of the update blocks. These should ideally be the same size as native flash pages.
- The total size of the update payload, in order to set boundaries on which the update can be performed.
- The system negotiates the parameters of the update:
- The system unlocks the flash protection for the bounds of the B-slot.
- For each block of the pending firmware update:
- The system erases the flash page at the destination address for the block.
- The system receives the block and writes it immediately to its destination address in flash. Blocks will need to be buffered given the speed of a flash write.
- Once written, the block is hashed and compared against the hash of the
buffered block. This ensures that every flash write is complete and
successful.
- If the hash doesn't match the hash of the buffered block, repeat the flash erase and write cycle.
- If the erase/flash cycle fails three times declare complete failure.
- Issue a warning to the running applications that the system will be resetting.
- Write a Boot Services request block into persistent RAM:
- Indicate the new firmware version slot to be booted.
- Indicate the retry policy to use when booting it.
- Restart the system with a Boot Services cause set.
- System follows the normal Secure Boot path into the new firmware image.