Why is upgrading embedded SW different?
- power failure
- bad firmware
- communication errors
- Often there is no direct access, so the device has to recover from failure automatically
- SW is not on a plain disk, but on a variety of media (NOR, NAND, eMMC, FPGA, …)
[Leaving out a lot of things that are so obvious to me that I didn’t want to write them down – see the slides.]
Take into account who will do the update. The mechanic may not even have a computer with him when he goes on-site! For instance, give him a USB stick, but remember to give feedback about failure.
Solutions for system upgrade
- Bootloader: severely limited (driver support), limited UI
- Package manager: not atomic, hard to know exactly what is installed, more places where things can go wrong; advantage: smaller update images
- Rescue image
- From the application: requires a double copy of the application software to enable an atomic update; if there is a rescue system as well, that one doesn’t get tested well…
The upgrade systems that are used in reality are 95% similar, so Stefano started swupdate to cover this common part. Features:
- Can recover from failure: this is not really generic, but swupdate offers a toolbox in which you need to enable things yourself, e.g. watchdog, boot counter, …
- Checks hardware and software compatibility
- Checks image integrity, but not a signature!
- Can repartition the storage
- Local and remote upgrade possible
- If new features have to be added: a Lua interpreter, so it can be extended on the fly
- Single image for multiple devices: a single release image applies to all devices in the system, which keeps things consistent; each device extracts the part that is meant for it.
- General API to interact with the UI and transport frontends (built-in or custom).
- Possible to write a custom image parser in Lua.
- Handler chosen depending on the device/partition on which a sub-image has to be installed; a custom Lua handler is possible.
- Mainly intended for the rescue system scenario, but could be extended to double copy (requires a change to the way bootloader flags are set).
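As an added illustration (not from the talk and not swupdate's own code), a small Python model of three of the features above: one release image carrying sections for several board types, each device selecting only its own section, checking hardware compatibility, and verifying the sha256 of its sub-images before anything is installed. The tar container and JSON description are constructed stand-ins; real swupdate reads a sw-description file with its own syntax.

```python
import hashlib
import io
import json
import tarfile

def build_update(description, files):
    """Pack a description plus sub-images into one tar container (constructed stand-in)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("description.json", json.dumps(description).encode())  # description goes first
        for name, data in files.items():
            add(name, data)
    return buf.getvalue()

def select_and_verify(update, board, hw_rev):
    """Return [(sub-image, target device)] this device must install, or raise.
    The sha256 only catches corruption (bad download, flipped bit); a hash shipped
    inside the image says nothing about who produced it, that needs a signature."""
    with tarfile.open(fileobj=io.BytesIO(update)) as tar:
        desc = json.load(tar.extractfile("description.json"))
        section = desc["boards"].get(board)
        if section is None:
            raise ValueError(f"no section for board {board}")
        if hw_rev not in section["hardware-compatibility"]:
            raise ValueError(f"hw revision {hw_rev} is not compatible")
        plan = []
        for img in section["images"]:
            data = tar.extractfile(img["filename"]).read()
            if hashlib.sha256(data).hexdigest() != img["sha256"]:
                raise ValueError(f"integrity check failed: {img['filename']}")
            plan.append((img["filename"], img["device"]))
        return plan

# Constructed sample release: one image carrying parts for two board types.
PARTS = {"rootfs-a.img": b"rootfs for board A", "kernel-a.img": b"kernel for board A",
         "rootfs-b.img": b"rootfs for board B"}
def entry(name, device):
    return {"filename": name, "device": device, "sha256": hashlib.sha256(PARTS[name]).hexdigest()}
DESC = {"version": "1.2.0", "boards": {
    "boardA": {"hardware-compatibility": ["1.0", "1.1"],
               "images": [entry("rootfs-a.img", "/dev/mmcblk0p2"), entry("kernel-a.img", "/dev/mtd1")]},
    "boardB": {"hardware-compatibility": ["2.0"],
               "images": [entry("rootfs-b.img", "/dev/mmcblk0p2")]}}}
UPDATE = build_update(DESC, PARTS)
CORRUPT = UPDATE.replace(b"rootfs for board A", b"rootfs for board X")  # same-length payload corruption
```

A board B unit still accepts CORRUPT, because only board A's sub-image was damaged and each device verifies just the part it extracts.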