[mgs-updates] Ensure boot info is available after an RoT reset (#8905)

By waiting for boot info to be available, a `sprot: timeout` error will
be near impossible.

Author: karencfv

nexus/mgs-updates/src/driver_update.rs

@@ -667,13 +667,14 @@ fn post_update_timeout(update: &PendingMgsUpdate) -> Duration {
             }
         }
         PendingMgsUpdateDetails::Rot { .. } => {
-            // Resetting the RoT should be quick (a few seconds).
-            Duration::from_secs(60)
+            // Resetting the RoT should be quick (a few seconds), but we wait
+            // for boot info after the reset.
+            Duration::from_secs(90)
         }
         PendingMgsUpdateDetails::RotBootloader { .. } => {
             // Resetting the bootloader requires multiple RoT resets; give this
             // a longer timeout.
-            Duration::from_secs(180)
+            Duration::from_secs(210)
         }
         PendingMgsUpdateDetails::HostPhase1(..) => {
             // Resetting a sled takes several minutes (mostly DRAM training);

nexus/mgs-updates/src/rot_bootloader_updater.rs

@@ -12,26 +12,21 @@ use crate::common_sp_update::PrecheckError;
 use crate::common_sp_update::PrecheckStatus;
 use crate::common_sp_update::error_means_caboose_is_invalid;
 use crate::mgs_clients::GatewayClientError;
+use crate::rot_updater::WAIT_FOR_BOOT_INFO_TIMEOUT;
+use crate::rot_updater::wait_for_boot_info;
 use futures::FutureExt;
 use futures::future::BoxFuture;
 use gateway_client::SpComponent;
-use gateway_client::types::GetRotBootInfoParams;
 use gateway_client::types::RotImageError;
 use gateway_client::types::RotState;
 use gateway_client::types::SpComponentFirmwareSlot;
 use gateway_client::types::SpType;
-use gateway_messages::RotBootInfo;
 use nexus_types::deployment::PendingMgsUpdate;
 use nexus_types::deployment::PendingMgsUpdateRotBootloaderDetails;
 use slog::Logger;
-use slog::{debug, error, info};
+use slog::{debug, error};
 use slog_error_chain::InlineErrorChain;
 use std::time::Duration;
-use std::time::Instant;
-
-const WAIT_FOR_BOOT_INFO_TIMEOUT: Duration = Duration::from_secs(120);
-
-const WAIT_FOR_BOOT_INFO_INTERVAL: Duration = Duration::from_secs(10);
 
 pub struct ReconfiguratorRotBootloaderUpdater {
     details: PendingMgsUpdateRotBootloaderDetails,
@@ -193,10 +188,6 @@ impl SpComponentUpdateHelperImpl for ReconfiguratorRotBootloaderUpdater {
 
             // We now retrieve boot info from the RoT to verify the reset
             // has completed and signature checks done.
-            debug!(
-                log,
-                "attempting to retrieve boot info to verify image validity"
-            );
             let stage0next_error = wait_for_stage0_next_image_check(
                 log,
                 mgs_clients,
@@ -252,7 +243,10 @@ impl SpComponentUpdateHelperImpl for ReconfiguratorRotBootloaderUpdater {
                 })
                 .await?;
 
-            debug!(log, "attempting to reset device to set to new RoT bootloader version");
+            debug!(
+                log,
+                "attempting to reset the device to set a new RoT bootloader version",
+            );
             mgs_clients
                 .try_all_serially(log, move |mgs_client| async move {
                     mgs_client
@@ -265,96 +259,62 @@ impl SpComponentUpdateHelperImpl for ReconfiguratorRotBootloaderUpdater {
                 })
                 .await?;
 
+            // We wait for boot info to ensure a successful reset
+            wait_for_boot_info(
+                log,
+                mgs_clients,
+                update.sp_type,
+                update.slot_id,
+                WAIT_FOR_BOOT_INFO_TIMEOUT,
+            )
+            .await?;
             Ok(())
         }
         .boxed()
     }
 }
 
 /// Poll the RoT asking for its boot information. This is used to check
-/// state after RoT bootloader updates
+/// the state for RoT bootloader image errors after RoT is reset
 async fn wait_for_stage0_next_image_check(
     log: &Logger,
     mgs_clients: &mut MgsClients,
     sp_type: SpType,
     sp_slot: u16,
     timeout: Duration,
 ) -> Result<Option<RotImageError>, PostUpdateError> {
-    let before = Instant::now();
-    loop {
-        match mgs_clients
-            .try_all_serially(log, |mgs_client| async move {
-                mgs_client
-                    .sp_rot_boot_info(
-                        sp_type,
-                        sp_slot,
-                        SpComponent::ROT.const_as_str(),
-                        &GetRotBootInfoParams {
-                            version: RotBootInfo::HIGHEST_KNOWN_VERSION,
-                        },
-                    )
-                    .await
-            })
-            .await
-        {
-            Ok(state) => match state.into_inner() {
-                // The minimum we will ever return is v3.
-                // Additionally, V2 does not report image errors, so we cannot
-                // know with certainty if a signature check came back with errors
-                RotState::V2 { .. } => {
-                    let error = "unexpected RoT version: 2".to_string();
-                    error!(
-                        log,
-                        "failed to get RoT boot info";
-                        "error" => &error
-                    );
-                    return Err(PostUpdateError::FatalError { error });
-                }
-                RotState::V3 { stage0next_error, .. } => {
-                    return Ok(stage0next_error);
-                }
-                // The RoT is probably still booting
-                RotState::CommunicationFailed { message } => {
-                    if before.elapsed() >= timeout {
-                        error!(
-                            log,
-                            "failed to get RoT boot info";
-                            "error" => %message
-                        );
-                        return Err(PostUpdateError::FatalError {
-                            error: message,
-                        });
-                    }
-
-                    info!(
-                        log,
-                        "failed getting RoT boot info (will retry)";
-                        "error" => %message,
-                    );
-                    tokio::time::sleep(WAIT_FOR_BOOT_INFO_INTERVAL).await;
-                }
-            },
-            // The RoT might still be booting
-            Err(error) => {
-                let e = InlineErrorChain::new(&error);
-                if before.elapsed() >= timeout {
-                    error!(
-                        log,
-                        "failed to get RoT boot info";
-                        &e,
-                    );
-                    return Err(PostUpdateError::FatalError {
-                        error: e.to_string(),
-                    });
-                }
-
-                info!(
+    debug!(log, "attempting to verify image validity");
+    match wait_for_boot_info(log, mgs_clients, sp_type, sp_slot, timeout).await
+    {
+        Ok(state) => match state {
+            // The minimum we will ever return is v3.
+            // Additionally, V2 does not report image errors, so we cannot
+            // know with certainty if a signature check came back with errors
+            RotState::V2 { .. } => {
+                let error = "unexpected RoT version: 2".to_string();
+                error!(
                     log,
-                    "failed getting RoT boot info (will retry)";
-                    e,
+                    "failed to get RoT boot info";
+                    "error" => &error
                 );
-                tokio::time::sleep(WAIT_FOR_BOOT_INFO_INTERVAL).await;
+                return Err(PostUpdateError::FatalError { error });
             }
-        }
+            RotState::V3 { stage0next_error, .. } => {
+                debug!(log, "successfully completed an image signature check");
+                return Ok(stage0next_error);
+            }
+            // This is unreachable because wait_for_boot_info loops for some
+            // time if it encounters `CommunicationFailed`, and if it hits the
+            // timeout, it will return an error.
+            RotState::CommunicationFailed { message } => {
+                error!(
+                    log,
+                    "failed to get RoT boot info";
+                    "error" => %message
+                );
+                return Err(PostUpdateError::FatalError { error: message });
+            }
+        },
+        Err(error) => return Err(error),
     }
 }

nexus/mgs-updates/src/rot_updater.rs

@@ -14,11 +14,22 @@ use crate::common_sp_update::error_means_caboose_is_invalid;
 use futures::FutureExt;
 use futures::future::BoxFuture;
 use gateway_client::SpComponent;
+use gateway_client::types::GetRotBootInfoParams;
 use gateway_client::types::RotState;
 use gateway_client::types::SpComponentFirmwareSlot;
+use gateway_client::types::SpType;
+use gateway_messages::RotBootInfo;
 use nexus_types::deployment::PendingMgsUpdate;
 use nexus_types::deployment::PendingMgsUpdateRotDetails;
-use slog::{debug, info};
+use slog::Logger;
+use slog::{debug, error, info};
+use slog_error_chain::InlineErrorChain;
+use std::time::Duration;
+use std::time::Instant;
+
+pub const WAIT_FOR_BOOT_INFO_TIMEOUT: Duration = Duration::from_secs(120);
+
+const WAIT_FOR_BOOT_INFO_INTERVAL: Duration = Duration::from_secs(10);
 
 type GatewayClientError = gateway_client::Error<gateway_client::types::Error>;
 
@@ -223,7 +234,10 @@ impl SpComponentUpdateHelperImpl for ReconfiguratorRotUpdater {
                 })
                 .await?;
 
-            debug!(log, "attempting to reset device");
+            debug!(
+                log,
+                "attempting to reset the device to set a new RoT version"
+            );
             mgs_clients
                 .try_all_serially(log, move |mgs_client| async move {
                     mgs_client
@@ -235,8 +249,99 @@ impl SpComponentUpdateHelperImpl for ReconfiguratorRotUpdater {
                         .await
                 })
                 .await?;
+
+            // We wait for boot info to ensure a successful reset
+            wait_for_boot_info(
+                log,
+                mgs_clients,
+                update.sp_type,
+                update.slot_id,
+                WAIT_FOR_BOOT_INFO_TIMEOUT,
+            )
+            .await?;
             Ok(())
         }
         .boxed()
     }
 }
+
+/// Poll the RoT asking for its boot information. This confirms that the RoT has
+/// been succesfully reset
+pub async fn wait_for_boot_info(
+    log: &Logger,
+    mgs_clients: &mut MgsClients,
+    sp_type: SpType,
+    sp_slot: u16,
+    timeout: Duration,
+) -> Result<RotState, PostUpdateError> {
+    let before = Instant::now();
+    loop {
+        debug!(log, "waiting for boot info to confirm a successful reset");
+        match mgs_clients
+            .try_all_serially(log, |mgs_client| async move {
+                mgs_client
+                    .sp_rot_boot_info(
+                        sp_type,
+                        sp_slot,
+                        SpComponent::ROT.const_as_str(),
+                        &GetRotBootInfoParams {
+                            version: RotBootInfo::HIGHEST_KNOWN_VERSION,
+                        },
+                    )
+                    .await
+            })
+            .await
+        {
+            Ok(state) => match state.clone() {
+                // The minimum we will ever return is v3.
+                // Additionally, V2 does not report image errors, so we cannot
+                // know with certainty if a signature check came back with errors
+                RotState::V2 { .. } | RotState::V3 { .. } => {
+                    debug!(log, "successfuly retrieved boot info");
+                    return Ok(state.into_inner());
+                }
+                // The RoT is probably still booting
+                RotState::CommunicationFailed { message } => {
+                    if before.elapsed() >= timeout {
+                        error!(
+                            log,
+                            "failed to get RoT boot info";
+                            "error" => %message
+                        );
+                        return Err(PostUpdateError::FatalError {
+                            error: message,
+                        });
+                    }
+
+                    info!(
+                        log,
+                        "failed getting RoT boot info (will retry)";
+                        "error" => %message,
+                    );
+                    tokio::time::sleep(WAIT_FOR_BOOT_INFO_INTERVAL).await;
+                }
+            },
+            // The RoT might still be booting
+            Err(error) => {
+                let e = InlineErrorChain::new(&error);
+                if before.elapsed() >= timeout {
+                    error!(
+                        log,
+                        "failed to get RoT boot info";
+                        &e,
+                    );
+                    return Err(PostUpdateError::FatalError {
+                        error: e.to_string(),
+                    });
+                }
+
+                info!(
+                    log,
+                    "failed getting RoT boot info (will retry)";
+                    e,
+                );
+                tokio::time::sleep(WAIT_FOR_BOOT_INFO_INTERVAL).await;
+            }
+        }
+    }
+}