Embedded engineering agency Bootlin has printed a write-up of a challenge that required A/B-capable safe over-the-air (OTA) updates to a Raspberry Pi 5 goal — and the way they achieved it utilizing the Strong Auto-Replace Controller (RAUC) and the inventory Raspberry Pi firmware, because of a somewhat-hidden new function.
“As a part of a latest challenge at Bootlin, we carried out A/B Over-The-Air (OTA) updates on a system based mostly on the Raspberry Pi 5 utilizing RAUC,” Bootlin’s Olivier Benjamin explains. “We ended up not utilizing U-Boot as a bootloader and as an alternative rely solely on the Raspberry Pi firmware as a bootloader.”
If you happen to’ve bought distant Raspberry Pis to handle, Bootlin’s work on a safe A/B replace system is price a learn. (📷: Gareth Halfacree)
The open-source RAUC challenge is designed to offer secure and safe updates by using an A/B system: when booting from slot A, an replace is put in to fit B — that means that it one thing goes flawed, the system can fall again to the pre-update state. If every little thing goes nicely, the system boots from slot B — and the subsequent replace is put in to fit A, and so forth.
It is a system that works nicely, but it surely’s additionally one which has to occur outdoors the working system. Consequently, RAUC comes with assist for utilizing 4 widespread bootloaders as its backend: Barebox, U-Boot, GRUB, and UEFI. For embedded methods, the standard strategy is to make use of U-Boot — however that did not meet Bootlin’s wants. “Sadly, on the time, and nonetheless as of the time of writing,” Benjamin explains, “U-Boot doesn’t have PCIe assist for the Broadcom BCM2712, the SoC [System-on-Chip] that’s the [Raspberry] Pi 5’s Software Processor. That is a matter in our case, as a result of that’s the interface utilized by the M.2 HAT+ to connect with the NVMe drive storing the working system in our challenge.”
The answer: utilizing Raspberry Pi’s personal firmware as an alternative, utilizing a customized backend to take away the necessity for U-Boot in any respect. It is an strategy that gives full compatibility for booting from PCI Specific gadgets on the Raspberry Pi 5 and Raspberry Pi Compute Modules, but it surely comes with some caveats — the largest the truth that if the cmdline.txt configuration file will get out-of-sync, a system may boot from the flawed slot. The repair? A “at present undocumented function” of the Raspberry Pi firmware, Benjamin says, which not too long ago added assist for conditional entries based mostly on the boot partition.
A recently-added firmware function, not but correctly documented, is the important thing to a profitable A/B replace system. (📷: Raspberry Pi)
“The Raspberry Pi firmware exposes some options (albeit one experimental) that make it affordable to think about not utilizing U-Boot as a secondary bootloader, whereas nonetheless retaining the potential to distribute updates utilizing a mature framework in RAUC,” Benjamin concludes. “That may solely be extra true if RAUC certainly finally ends up merging assist for the [Raspberry] Pi firmware as a backend, although some small limitations would possibly stay.”
The total write-up is out there on the Bootlin weblog.
