Update partitioning to support tryboot to auto-revert

This updates the `fwup` configuration to support the Raspberry Pi
tryboot feature so that it's possible to recover from messed up Linux
kernels and OTP boot failures. The way this works is that after the
firmware update is applied, the system is rebooted one time into the new
firmware slot. If the firmware slot is good, then the app needs to call
`Nerves.Runtime.validate_firmware` to make it so that subsequent boots
use the new slot. The theory is that the app won't validate the firmware
unless it's good, so that if anything crashes, the previously working
firmware will be used.

Even though the partitioning looks different, it's possible to upgrade
non-tryboot Nerves Raspberry Pi firmware without losing application
data. This is supported by lining up partitions so that they're close to
the same places. There's no going back, though. Also, there's a window
where cancelling the firmware update can brick the Pi due to the rootfs
partition needing to be shifted, so be careful.

Author: fhunleth

REUSE.toml

@@ -66,7 +66,8 @@ SPDX-License-Identifier = "CC0-1.0"
 [[annotations]]
 path = [
  "busybox.fragment",
- "cmdline.txt",
+ "cmdline-a.txt",
+ "cmdline-b.txt",
  "config.txt",
  "rootfs_overlay/etc/boardid.config",
  "rootfs_overlay/etc/erlinit.config",

cmdline.txt cmdline-a.txtcmdline.txt renamed to cmdline-a.txt

@@ -5,4 +5,4 @@
 # 2. If not using HDMI, remove console=tty1 and consoleblank=0
 # 3. quiet skips printing kernel messages to the output and significantly
 #    shortens boot time
-dwc_otg.lpm_enable=0 console=tty1 console=serial0,115200 fbcon=scrollback:1024k root=/dev/mmcblk0p2 rootfstype=squashfs rootwait consoleblank=0 quiet
+dwc_otg.lpm_enable=0 console=tty1 console=serial0,115200 fbcon=scrollback:1024k root=/dev/mmcblk0p5 rootfstype=squashfs rootwait consoleblank=0 quiet

cmdline-b.txt

@@ -0,0 +1,2 @@
+# See cmdline-a.txt
+dwc_otg.lpm_enable=0 console=tty1 console=serial0,115200 fbcon=scrollback:1024k root=/dev/mmcblk0p6 rootfstype=squashfs rootwait consoleblank=0 quiet

fwup-ops.conf

@@ -41,31 +41,37 @@ task factory-reset {
 ##
 task prevent-revert.a {
     # Check that we're running on B
-    require-partition-offset(0, ${BOOT_B_PART_OFFSET})
-    require-partition-offset(1, ${ROOTFS_B_PART_OFFSET})
-    require-uboot-variable(uboot-env, "nerves_fw_active", "b")
+    require-path-at-offset("/", ${ROOTFS_B_PART_OFFSET})
 
-    on-init {
+    on-resource autoboot-b.txt {
         info("Preventing reverts to partition A")
+        # Ensure that autoboot is booting the B partition
+        fat_write(${AUTOBOOT_PART_OFFSET}, "autoboot.txt")
+        uboot_setenv(uboot-env, "nerves_fw_active", "b")
+        uboot_setenv(uboot-env, "b.nerves_fw_validated", "1")
         # Remove U-Boot variables that fwup uses to allow reverting images
         uboot_unsetenv(uboot-env, "a.nerves_fw_platform")
         uboot_unsetenv(uboot-env, "a.nerves_fw_architecture")
+        uboot_setenv(uboot-env, "a.nerves_fw_validated", "0")
         # Clear out the old image using TRIM. This requires --enable-trim
         trim(${ROOTFS_A_PART_OFFSET}, ${ROOTFS_A_PART_COUNT})
         trim(${BOOT_A_PART_OFFSET}, ${BOOT_A_PART_COUNT})
     }
 }
 task prevent-revert.b {
     # Check that we're running on A
-    require-partition-offset(0, ${BOOT_A_PART_OFFSET})
-    require-partition-offset(1, ${ROOTFS_A_PART_OFFSET})
-    require-uboot-variable(uboot-env, "nerves_fw_active", "a")
+    require-path-at-offset("/", ${ROOTFS_A_PART_OFFSET})
 
-    on-init {
+    on-resource autoboot-a.txt {
         info("Preventing reverts to partition B")
+        # Ensure that autoboot is booting the A partition
+        fat_write(${AUTOBOOT_PART_OFFSET}, "autoboot.txt")
+        uboot_setenv(uboot-env, "nerves_fw_active", "a")
+        uboot_setenv(uboot-env, "a.nerves_fw_validated", "1")
         # Remove U-Boot variables that fwup uses to allow reverting images
         uboot_unsetenv(uboot-env, "b.nerves_fw_platform")
         uboot_unsetenv(uboot-env, "b.nerves_fw_architecture")
+        uboot_setenv(uboot-env, "b.nerves_fw_validated", "0")
         # Clear out the image using TRIM. This requires --enable-trim
         trim(${ROOTFS_B_PART_OFFSET}, ${ROOTFS_B_PART_COUNT})
         trim(${BOOT_B_PART_OFFSET}, ${BOOT_B_PART_COUNT})
@@ -82,63 +88,47 @@ task prevent-revert.fail {
 ##
 task revert.a {
     # This task reverts to the A partition, so check that we're running on B
-    require-partition-offset(0, ${BOOT_B_PART_OFFSET})
-    require-partition-offset(1, ${ROOTFS_B_PART_OFFSET})
-    require-uboot-variable(uboot-env, "nerves_fw_active", "b")
-
-    # Verify that partition A has the expected platform/architecture
-    require-uboot-variable(uboot-env, "a.nerves_fw_platform", "${NERVES_FW_PLATFORM}")
-    require-uboot-variable(uboot-env, "a.nerves_fw_architecture", "${NERVES_FW_ARCHITECTURE}")
+    # and A is valid.
+    require-path-at-offset("/", ${ROOTFS_B_PART_OFFSET})
+    require-uboot-variable(uboot-env, "a.nerves_fw_validated", "1")
 
-    on-init {
+    on-resource autoboot-a.txt {
         info("Reverting to partition A")
-
-	# Switch over
+        # Update the autoboot first and then the tracking U-Boot variables
+        fat_write(${AUTOBOOT_PART_OFFSET}, "autoboot.txt")
         uboot_setenv(uboot-env, "nerves_fw_active", "a")
-        mbr_write(mbr-a)
     }
 }
 
 task revert.b {
     # This task reverts to the B partition, so check that we're running on A
-    require-partition-offset(0, ${BOOT_A_PART_OFFSET})
-    require-partition-offset(1, ${ROOTFS_A_PART_OFFSET})
-    require-uboot-variable(uboot-env, "nerves_fw_active", "a")
-
-    # Verify that partition B has the expected platform/architecture
-    require-uboot-variable(uboot-env, "b.nerves_fw_platform", "${NERVES_FW_PLATFORM}")
-    require-uboot-variable(uboot-env, "b.nerves_fw_architecture", "${NERVES_FW_ARCHITECTURE}")
+    require-path-at-offset("/", ${ROOTFS_A_PART_OFFSET})
+    require-uboot-variable(uboot-env, "b.nerves_fw_validated", "1")
 
-    on-init {
+    on-resource autoboot-b.txt {
         info("Reverting to partition B")
-
-	# Switch over
+        # Update the autoboot first and then the tracking U-Boot variables
+        fat_write(${AUTOBOOT_PART_OFFSET}, "autoboot.txt")
         uboot_setenv(uboot-env, "nerves_fw_active", "b")
-        mbr_write(mbr-b)
     }
 }
 
 task revert.unexpected.a {
-    require-uboot-variable(uboot-env, "a.nerves_fw_platform", "${NERVES_FW_PLATFORM}")
-    require-uboot-variable(uboot-env, "a.nerves_fw_architecture", "${NERVES_FW_ARCHITECTURE}")
+    require-uboot-variable(uboot-env, "a.nerves_fw_validated", "1")
     on-init {
         # Case where A is good, and the desire is to go to B.
-        error("It doesn't look like there's anything to revert to in partition B.")
+        error("It doesn't look like there's valid firmware to revert to in partition B.")
     }
 }
 task revert.unexpected.b {
-    require-uboot-variable(uboot-env, "b.nerves_fw_platform", "${NERVES_FW_PLATFORM}")
-    require-uboot-variable(uboot-env, "b.nerves_fw_architecture", "${NERVES_FW_ARCHITECTURE}")
+    require-uboot-variable(uboot-env, "b.nerves_fw_validated", "1")
     on-init {
         # Case where B is good, and the desire is to go to A.
-        error("It doesn't look like there's anything to revert to in partition A.")
+        error("It doesn't look like there's valid firmware to revert to in partition A.")
     }
 }
-
-task revert.wrongplatform {
-    on-init {
-        error("Expecting platform=${NERVES_FW_PLATFORM} and architecture=${NERVES_FW_ARCHITECTURE}")
-    }
+task revert.fail {
+    on-init { error("Failed") }
 }
 
 ##
@@ -173,20 +163,26 @@ task status.fail {
 ##
 # validate
 #
-# The fwup configuration for this device always validates, so this doesn't do anything.
+# Update the autoboot.txt file to unconditionally boot the active partition.
 ##
 task validate.a {
     require-path-at-offset("/", ${ROOTFS_A_PART_OFFSET})
-    on-init {
+
+    on-resource autoboot-a.txt {
         info("Validate A")
+        fat_write(${AUTOBOOT_PART_OFFSET}, "autoboot.txt")
         uboot_setenv(uboot-env, "a.nerves_fw_validated", "1")
+        uboot_setenv(uboot-env, "nerves_fw_active", "a")
     }
 }
 task validate.b {
     require-path-at-offset("/", ${ROOTFS_B_PART_OFFSET})
-    on-init {
+
+    on-resource autoboot-b.txt {
         info("Validate B")
+        fat_write(${AUTOBOOT_PART_OFFSET}, "autoboot.txt")
         uboot_setenv(uboot-env, "b.nerves_fw_validated", "1")
+        uboot_setenv(uboot-env, "nerves_fw_active", "b")
     }
 }
 task validate.fail {