On Wed, 14 Jan 2026 15:54:07 +0200 Ilias Apalodimas <[email protected]> wrote:
> Hi Kory,
>
> On Wed, 14 Jan 2026 at 11:59, Kory Maincent <[email protected]> wrote:
> >
> > When boot_idx differs from active_idx at boot time, it indicates a
> > rollback scenario where the firmware update failed and the system
> > reverted to the previous working bank. In this case, mark the failed
> > bank (active_idx) as invalid to prevent future boot attempts from that
> > bank.
> >
> > This change adds a new fwu_invalid_bank() function that sets the bank
> > state to FWU_BANK_INVALID and syncs the metadata. This is only
> > supported in FWU metadata version 2; version 1 provides a no-op stub.
> >
> > Without this change, a failed bank would remain in a valid state and
> > could potentially be selected for boot again, leading to repeated
> > boot failures.
>
> How? Doesn't the code already switch the metadata to point to the
> 'boot_idx' bank as active?
> What could happen here I guess, is the selected active bank to go bad
> somehow and the firmware would try the secondary bank, which contains
> an invalid firmware. But in that case the board will fail to boot
> regardless. Is there a corner case I am missing?

I think I have faced a corner case, but I can't recall what it was. :/
Anyway, we should change the bank state to invalid if we don't manage to
boot one bank right. We should provide to the user the information that
one bank is in an invalid state if that is the case.

What do you think?

Regards,
--
Köry Maincent, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
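For readers following the rollback logic being discussed, the following is an added illustration (not U-Boot's FWU code, and not the patch under review) of the behaviour the commit message describes: when the bank that actually booted (boot_idx) differs from the bank the metadata calls active, the metadata is switched to the booted bank and the bank that failed is marked FWU_BANK_INVALID, but only for metadata version 2; version 1 has no per-bank state, so the invalidation is a no-op. The struct layout, the bank-state values, the NUM_BANKS constant, the `synced` counter that stands in for writing the metadata to flash, and the function names other than fwu_invalid_bank() are all simplified assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified, hypothetical model of FWU metadata for illustration only.
 * Real U-Boot FWU metadata has a different layout; only the concept of
 * "active bank" plus "per-bank state (v2 only)" is modelled here.
 */
#define NUM_BANKS 2

#define FWU_BANK_INVALID  0x00   /* assumed encoding for the example */
#define FWU_BANK_VALID    0x01
#define FWU_BANK_ACCEPTED 0x02

struct mdata {
    uint32_t version;               /* 1 or 2 */
    uint32_t active_index;          /* bank the metadata says to boot */
    uint32_t previous_active_index; /* bank active before the last update */
    uint8_t  bank_state[NUM_BANKS]; /* meaningful only when version >= 2 */
    unsigned synced;                /* stand-in for "metadata written back" */
};

/* Mark a bank invalid and sync; v1 has no bank state, so it is a no-op. */
static int fwu_invalid_bank(struct mdata *m, uint32_t bank)
{
    if (bank >= NUM_BANKS)
        return -1;
    if (m->version < 2)
        return 0;                   /* v1: no-op stub, nothing to record */
    m->bank_state[bank] = FWU_BANK_INVALID;
    m->synced++;
    return 0;
}

/*
 * Called at boot with the bank the platform actually booted from.
 * If it differs from active_index, a rollback happened: the update in
 * active_index failed and the previous bank was booted instead.
 */
static int fwu_boot_rollback_check(struct mdata *m, uint32_t boot_idx)
{
    if (boot_idx >= NUM_BANKS)
        return -1;
    if (boot_idx == m->active_index)
        return 0;                   /* normal boot, nothing to do */

    uint32_t failed = m->active_index;

    /* Point the metadata at the bank that really booted. */
    m->previous_active_index = failed;
    m->active_index = boot_idx;
    m->synced++;

    /* And record that the other bank is not to be retried (v2 only). */
    return fwu_invalid_bank(m, failed);
}

/* What a boot-time bank selector would consult before trying a bank. */
static int fwu_bank_bootable(const struct mdata *m, uint32_t bank)
{
    if (bank >= NUM_BANKS)
        return 0;
    if (m->version < 2)
        return 1;                   /* v1 cannot express "invalid" */
    return m->bank_state[bank] != FWU_BANK_INVALID;
}

/* Scenario: update went to bank 1, boot rolled back to bank 0. */
static struct mdata make_rolled_back(uint32_t version)
{
    struct mdata m;
    memset(&m, 0, sizeof(m));
    m.version = version;
    m.active_index = 1;             /* update wrote bank 1 and made it active */
    m.previous_active_index = 0;
    m.bank_state[0] = FWU_BANK_ACCEPTED;
    m.bank_state[1] = FWU_BANK_VALID;
    return m;
}

/* Returns 1 when v2 behaves as described: bank 1 invalidated, bank 0 active. */
static int demo_v2(void)
{
    struct mdata m = make_rolled_back(2);
    if (fwu_boot_rollback_check(&m, 0) != 0)
        return 0;
    return m.active_index == 0 && m.previous_active_index == 1 &&
           m.bank_state[1] == FWU_BANK_INVALID && !fwu_bank_bootable(&m, 1) &&
           fwu_bank_bootable(&m, 0) && m.synced == 2;
}

/* Returns 1 when v1 switches active bank but cannot record the failure. */
static int demo_v1(void)
{
    struct mdata m = make_rolled_back(1);
    if (fwu_boot_rollback_check(&m, 0) != 0)
        return 0;
    return m.active_index == 0 && m.bank_state[1] == FWU_BANK_VALID &&
           fwu_bank_bootable(&m, 1) && m.synced == 1;
}

int main(void)
{
    printf("v2 rollback marks failed bank invalid: %s\n", demo_v2() ? "yes" : "no");
    printf("v1 rollback leaves failed bank bootable: %s\n", demo_v1() ? "yes" : "no");
    return 0;
}
```

The v1 path is the point of the question in the thread: with only an active index to switch, the failed bank stays selectable, whereas v2 can carry the "invalid" state across reboots so a selector (and the user) can see that one bank is not to be trusted.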

