On Sat, Jan 24, 2026 at 06:54:51AM +0100, Heiko Schocher wrote:
>From: Adrian Freihofer <[email protected]>
>
>Rework the boot state machine to a significantly simpler and more
>robust implementation. The basic idea is to revert to the previous
>partition whenever an issue is detected during the boot process.
>
>- Broken SPL
>
>  If one of the two SPLs does not boot, the ROM code of the i.MX8 SoC
>  automatically starts the second SPL from the second boot partition.
>  For example, if the system's active partition is A but the SPL from
>  partition A is broken, the ROM code automatically uses the SPL/u-boot
>  from partition B.
>  Proceeding with this boot procedure would lead to booting the kernel/
>  rootfs from partition A, which could potentially successfully boot
>  the system and allow the user to apply the firmware update with the
>  broken SPL again. This would lead to a non-bootable system because
>  thesecond update would overwrite the last working bootloader.

Nit: the second

>  To prevent such situations, zigzag boots are detected and the system
>  reverts to the previous partition rather than booting the kernel/rootfs
>  from the currently active partition. Detecting zigzag boots is done
>  via the new fallback variable.
>
>  To make this state machine even more consistent, the partitionset_active
>  variable is no longer used to determine the active partition during
>  boot. Instead, the active partition is always read from the eMMC
>  partconf registers.
>  For backward compatibility, the partitionset_active variable is still
>  updated whenever a partition switch occurs. However, u-boot no longer
>  relies on this variable, as it could potentially be out of sync with
>  the actual partition state, leading to situations where the ROM code
>  of the i.MX8 SoC would be out of sync with u-boot.
>
>- Broken kernel, initramfs or rootfs
>
>  If the upgrade_available variable is set, u-boot counts the number of
>  consecutive boots via the bootcount variable. If the bootcount exceeds
>  the bootlimit variable, u-boot starts the altbootcmd instead of the
>  bootcmd. Previously, this logic was bypassed by assigning the regular
>  bootcmd to altbootcmd. Now, the altbootcmd is used to revert to the
>  previous partition when the bootlimit is exceeded.
>
>The netdev variable is changed to eth0 by default. This is what the FEC
>driver uses on Capricorn boards. For devices with switches and DSA
>subsystems in use, the netdev should be set accordingly by additional
>logic in the environment or u-boot code. This is not part of this commit.
>
>Signed-off-by: Adrian Freihofer <[email protected]>
>Signed-off-by: Heiko Schocher <[email protected]>


Acked-by: Peng Fan <[email protected]>
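A small Python model of the "broken SPL" scenario the commit message contrasts, added here as an illustration and not code from the patch or from the board's U-Boot environment. It assumes the new fallback variable simply records that the ROM started the SPL from the non-active partition, and it leaves out the bootcount/bootlimit path.

```python
from dataclasses import dataclass

def other(p: str) -> str:
    return "B" if p == "A" else "A"

@dataclass
class Partition:
    spl_ok: bool  # constructed: does the SPL stored in this partition boot?

def rom_select(parts, active):
    """Model of the i.MX8 ROM: start the active partition's SPL, fall back to the other."""
    if parts[active].spl_ok:
        return active
    if parts[other(active)].spl_ok:
        return other(active)
    return None  # no working SPL left: the board does not boot

def uboot_boot(parts, active, zigzag_detection):
    """Return (partition whose kernel/rootfs is booted, new active partition).
    'active' is what the eMMC partconf says. With zigzag detection, a boot whose
    SPL came from the other partition reverts to that partition."""
    spl_from = rom_select(parts, active)
    if spl_from is None:
        return None, active
    fallback = spl_from != active  # assumed meaning of the new fallback variable
    if zigzag_detection and fallback:
        return spl_from, spl_from
    return active, active

def apply_broken_update(parts, active):
    """User flashes an update with a broken SPL into the inactive partition and
    makes that partition active."""
    target = other(active)
    parts[target] = Partition(spl_ok=False)
    return target

def run_update_twice(zigzag_detection):
    """Install the same broken update twice; returns the partition whose
    kernel/rootfs was booted after each install (None = board no longer boots)."""
    parts = {"A": Partition(True), "B": Partition(True)}
    active = "A"
    booted = []
    for _ in range(2):
        active = apply_broken_update(parts, active)
        kernel_part, active = uboot_boot(parts, active, zigzag_detection)
        booted.append(kernel_part)
    return booted
```

With the old logic the second install overwrites the last working SPL and the board stops booting; with zigzag detection the working partition is kept active and the broken update only ever lands in the other one.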
