feat: U-Boot boot limit with fallback to old system

Use U-Boot boot limit functionality to detect a system update and failed startups.

This uses the following U-Boot env variables:
- `bootlimit`: defines the maximum number of reboot cycles allowed. Default value: 3
- `bootcount`: will be incremented at each reboot IF `upgrade_available` is set to 1
- `upgrade_available`: indicates that a system update has been applied.
  - SWUpdate sets this value to 1 after a new system update has been written.
  - Verified after boot with a systemd timer:
    If after a system update the remote app is still running after 3 minutes after boot up,
    the update is considered successful and `upgrade_available` and `bootcount` U-Boot env vars are cleared.
- `rootfspart`: holds the current active root filesystem partition number to boot from.
- `altbootcmd`: alternative U-Boot boot command if bootlimit is exceeded.
  - Switches the `rootfspart` to the old partition number to restore the old system.

Author: zehnm

buildroot-external/board/raspberrypi/rootfs-overlay/etc/swupdate/reset-bootcount.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+systemctl is-active --quiet app || {
+  echo "Remote app not running!"
+  exit 1
+}
+
+ISUPGRADING=$(fw_printenv upgrade_available | awk -F'=' '{print $2}')
+echo "upgrade_available=$ISUPGRADING"
+if [ -z "$ISUPGRADING" ]
+then
+    echo "No system update pending"
+else
+    echo "System update pending, verifying system..."
+    # TODO refactor once there are any common system checks:
+    # - call script from systemd right after app start (instead of delayed timer)
+    # - get pid of app
+    # - perform system checks
+    # - wait ~ 3 min
+    # - check if app is still running and has same pid (i.e. didn't get auto-restarted)
+
+    # Perform extra checks here.
+    # If anything went wrong, reboot again until the bootlimit is reached
+    # which triggers a rollback of the RootFs
+
+    # It's all good! Clear upgrade status and mark partition ok.
+    fw_setenv upgrade_available
+    fw_setenv bootcount 0
+    echo "System update successful. Marked current partition OK."
+fi

buildroot-external/board/raspberrypi/sw-description

@@ -16,8 +16,12 @@ software = {
             );
             bootenv: (
                 {
-                    name = "yiospart";
+                    name = "rootfspart";
                     value = "2";
+                },
+                {
+                    name = "upgrade_available";
+                    value = "1";
                 }
             );
         }
@@ -32,8 +36,12 @@ software = {
             );
             bootenv: (
                 {
-                    name = "yiospart";
+                    name = "rootfspart";
                     value = "3";
+                },
+                {
+                    name = "upgrade_available";
+                    value = "1";
                 }
             );
         }

buildroot-external/board/raspberrypi/uboot-boot.ush

@@ -1,34 +1,38 @@
 # U-Boot boot script for YIOS developer image
-# Based on: https://github.com/Opentrons/buildroot/blob/opentrons-develop/board/opentrons/ot2/boot.scr
-# The job of this script is
-# - Figure out which partition is active
-# - Point U-Boot at that partition
-# - Boot it
+# fdtargs args patching based on: https://github.com/Opentrons/buildroot/blob/opentrons-develop/board/opentrons/ot2/boot.scr
+# Sets the correct root partition in the boot arguments inside the flattened device tree.
 
-# See if we have an env var for which partition to boot from (this might be
-# edited from the booted system, but also might not be present)
-if test -z "$yiospart"
+# Create the required env vars for boot count & limit support.
+# Note: bootcount and bootlimit are already defined in U-Boot.
+# - rootfspart holds the currently active root partition to boot
+if test -z "${rootfspart}"
 then
-    echo "No saved yiospart, defaulting to 2"
-    setenv yiospart "2"
+    echo "No saved rootfspart, defaulting to 2"
+    setenv rootfspart "2"
     saveenv
 fi
 
-if test "$yiospart" = "2"
+# - altbootcmd to execute when boot limit is reached
+if test -z "${altbootcmd}"
 then
-    yiosold="3"
-elif test "$yiospart" = "3"
+    echo "No saved altbootcmd, creating it"
+    setenv altbootcmd "
+oldrootfspart='\${rootfspart}';
+if test \"'\${rootfspart}'\" = \"2\";
 then
-    yiosold="2"
+    setenv rootfspart 3;
 else
-    echo "Bad yiospart $yiospart, defaulting to 2"
-    setenv yiospart "2"
+    setenv rootfspart 2;
+fi;
+setenv bootcount 0;
+saveenv;
+echo Rollback from rootfs '\${oldrootfspart}' to old rootfs '\${rootfspart}';
+boot"
     saveenv
-    yiosold="3"
 fi
 
-echo "Try booting from partition $yiospart with fallback to partition $yiosold"
-
+# Parse and replace the boot arguments in the flattened device tree.
+# This allows us to keep the RPi cmdline.txt without hardcoded bootargs.
 # The raspi second stage bootloader (start.elf) puts the boot args in the
 # flattened device tree. The boot args contain the partition the kernel
 # will boot off of, so we have to pull the boot args, parse them, and then
@@ -40,24 +44,28 @@ newargs=""
 for arg in $fdtargs; do
     if test "root=/dev/mmcblk0p2" = $arg
     then
-        echo "Found bootpart"
         bootpart=$arg
     else
         newargs="$newargs $arg"
     fi
 done
 
-while true; do
-    echo "Try booting from partition $yiospart"
+if test "$upgrade_available" = "1"
+then
+    echo "Try booting system upgrade from partition ${rootfspart}. Boot count: $bootcount. Limit for rollback: $bootlimit"
+else
+    echo "Booting from active partition ${rootfspart}"
+fi
 
-    to_boot="$newargs root=/dev/mmcblk0p$yiospart"
-    fdt set /chosen bootargs "$to_boot"
-    ext4load mmc 0:$yiospart $kernel_addr_r /zImage
-    bootz $kernel_addr_r - $fdt_addr
+# Note: setting an invalid root param will hang the boot process due to required `rootwait` argument, which waits indefinitely!
+#       A hackish workaround for a kernel panic to trigger a reboot would be using rootdelay=xx instead, but that delays the boot for xx seconds.
+#       However: since we are loading the kernel from the same partition, the script will fail before booting the kernel. So it should be safe to use.
+to_boot="$newargs root=/dev/mmcblk0p${rootfspart}"
+fdt set /chosen bootargs "$to_boot"
+ext4load mmc 0:${rootfspart} $kernel_addr_r /zImage
+bootz $kernel_addr_r - $fdt_addr
 
-    echo "Boot failed! Switching"
-    tmp=$otpart
-    setenv yiospart $yiosold
-    saveenv
-    yiosold=$tmp
-done
+echo "Boot failed!"
+# Reset loop might not be the best choice, but there's not much we can do here.
+# Better solution would require to initialize the display in U-Boot and display an error screen. That's another project...
+reset

buildroot-external/board/raspberrypi/uboot.config

@@ -15,3 +15,7 @@ CONFIG_CMD_SETEXPR=y
 # set to -1 to disable autoboot.
 # set to -2 to autoboot with no delay and not check for abort
 CONFIG_BOOTDELAY=2
+CONFIG_BOOTCOUNT_ENV=y
+CONFIG_BOOTCOUNT_LIMIT=y
+CONFIG_BOOTCOUNT_BOOTLIMIT=3
+CONFIG_CMD_BOOTCOUNT=y

buildroot-external/board/remote/rootfs-overlay/etc/swupdate.cfg

@@ -2,6 +2,7 @@
 
 globals :
 {
+    verbose = true;
     postupdatecmd = "/etc/swupdate/postupdate.sh";
 };
 

buildroot-external/board/remote/rootfs-overlay/etc/swupdate/reset-bootcount.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+systemctl is-active --quiet app || {
+  echo "Remote app not running!"
+  exit 1
+}
+
+ISUPGRADING=$(fw_printenv upgrade_available | awk -F'=' '{print $2}')
+echo "upgrade_available=$ISUPGRADING"
+if [ -z "$ISUPGRADING" ]
+then
+    echo "No system update pending"
+else
+    echo "System update pending, verifying system..."
+    # TODO refactor once there are any common system checks:
+    # - call script from systemd right after app start (instead of delayed timer)
+    # - get pid of app
+    # - perform system checks
+    # - wait ~ 3 min
+    # - check if app is still running and has same pid (i.e. didn't get auto-restarted)
+
+    # Perform extra checks here.
+    # If anything went wrong, reboot again until the bootlimit is reached
+    # which triggers a rollback of the RootFs
+
+    # It's all good! Clear upgrade status and mark partition ok.
+    fw_setenv upgrade_available
+    fw_setenv bootcount 0
+    echo "System update successful. Marked current partition OK."
+fi

buildroot-external/board/remote/sw-description

@@ -16,8 +16,12 @@ software = {
             );
             bootenv: (
                 {
-                    name = "yiospart";
+                    name = "rootfspart";
                     value = "2";
+                },
+                {
+                    name = "upgrade_available";
+                    value = "1";
                 }
             );
         }
@@ -32,8 +36,12 @@ software = {
             );
             bootenv: (
                 {
-                    name = "yiospart";
+                    name = "rootfspart";
                     value = "3";
+                },
+                {
+                    name = "upgrade_available";
+                    value = "1";
                 }
             );
         }

buildroot-external/board/remote/uboot-boot.ush

@@ -1,34 +1,38 @@
 # U-Boot boot script for YIOS developer image
-# Based on: https://github.com/Opentrons/buildroot/blob/opentrons-develop/board/opentrons/ot2/boot.scr
-# The job of this script is
-# - Figure out which partition is active
-# - Point U-Boot at that partition
-# - Boot it
+# fdtargs args patching based on: https://github.com/Opentrons/buildroot/blob/opentrons-develop/board/opentrons/ot2/boot.scr
+# Sets the correct root partition in the boot arguments inside the flattened device tree.
 
-# See if we have an env var for which partition to boot from (this might be
-# edited from the booted system, but also might not be present)
-if test -z "$yiospart"
+# Create the required env vars for boot count & limit support.
+# Note: bootcount and bootlimit are already defined in U-Boot.
+# - rootfspart holds the currently active root partition to boot
+if test -z "${rootfspart}"
 then
-    echo "No saved yiospart, defaulting to 2"
-    setenv yiospart "2"
+    echo "No saved rootfspart, defaulting to 2"
+    setenv rootfspart "2"
     saveenv
 fi
 
-if test "$yiospart" = "2"
+# - altbootcmd to execute when boot limit is reached
+if test -z "${altbootcmd}"
 then
-    yiosold="3"
-elif test "$yiospart" = "3"
+    echo "No saved altbootcmd, creating it"
+    setenv altbootcmd "
+oldrootfspart='\${rootfspart}';
+if test \"'\${rootfspart}'\" = \"2\";
 then
-    yiosold="2"
+    setenv rootfspart 3;
 else
-    echo "Bad yiospart $yiospart, defaulting to 2"
-    setenv yiospart "2"
+    setenv rootfspart 2;
+fi;
+setenv bootcount 0;
+saveenv;
+echo Rollback from rootfs '\${oldrootfspart}' to old rootfs '\${rootfspart}';
+boot"
     saveenv
-    yiosold="3"
 fi
 
-echo "Try booting from partition $yiospart with fallback to partition $yiosold"
-
+# Parse and replace the boot arguments in the flattened device tree.
+# This allows us to keep the RPi cmdline.txt without hardcoded bootargs.
 # The raspi second stage bootloader (start.elf) puts the boot args in the
 # flattened device tree. The boot args contain the partition the kernel
 # will boot off of, so we have to pull the boot args, parse them, and then
@@ -40,24 +44,28 @@ newargs=""
 for arg in $fdtargs; do
     if test "root=/dev/mmcblk0p2" = $arg
     then
-        echo "Found bootpart"
         bootpart=$arg
     else
         newargs="$newargs $arg"
     fi
 done
 
-while true; do
-    echo "Try booting from partition $yiospart"
+if test "$upgrade_available" = "1"
+then
+    echo "Try booting system upgrade from partition ${rootfspart}. Boot count: $bootcount. Limit for rollback: $bootlimit"
+else
+    echo "Booting from active partition ${rootfspart}"
+fi
 
-    to_boot="$newargs root=/dev/mmcblk0p$yiospart"
-    fdt set /chosen bootargs "$to_boot"
-    ext4load mmc 0:$yiospart $kernel_addr_r /zImage
-    bootz $kernel_addr_r - $fdt_addr
+# Note: setting an invalid root param will hang the boot process due to required `rootwait` argument, which waits indefinitely!
+#       A hackish workaround for a kernel panic to trigger a reboot would be using rootdelay=xx instead, but that delays the boot for xx seconds.
+#       However: since we are loading the kernel from the same partition, the script will fail before booting the kernel. So it should be safe to use.
+to_boot="$newargs root=/dev/mmcblk0p${rootfspart}"
+fdt set /chosen bootargs "$to_boot"
+ext4load mmc 0:${rootfspart} $kernel_addr_r /zImage
+bootz $kernel_addr_r - $fdt_addr
 
-    echo "Boot failed! Switching"
-    tmp=$otpart
-    setenv yiospart $yiosold
-    saveenv
-    yiosold=$tmp
-done
+echo "Boot failed!"
+# Reset loop might not be the best choice, but there's not much we can do here.
+# Better solution would require to initialize the display in U-Boot and display an error screen. That's another project...
+reset

buildroot-external/board/remote/uboot.config

@@ -38,3 +38,6 @@ CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC=y
 # CONFIG_CMD_ELF is not set
 # CONFIG_CMD_IMI is not set
 # CONFIG_CMD_XIMG is not set
+CONFIG_BOOTCOUNT_ENV=y
+CONFIG_BOOTCOUNT_LIMIT=y
+CONFIG_BOOTCOUNT_BOOTLIMIT=3

buildroot-external/rootfs-overlay/etc/systemd/system/app-update-bootcount.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=Run bootcount reset check after app update script
+RefuseManualStart=no
+RefuseManualStop=no
+
+[Service]
+Type=oneshot
+ExecStart=/etc/swupdate/reset-bootcount.sh

buildroot-external/rootfs-overlay/etc/systemd/system/app-update-bootcount.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Bootcount reset check after app update timer
+
+[Timer]
+OnBootSec=180
+
+[Install]
+WantedBy=multi-user.target

buildroot-external/rootfs-overlay/etc/systemd/system/app.service

@@ -3,9 +3,14 @@ Description=YIO remote app
 After=display-init.service
 
 [Service]
-Type=simple
+Type=exec
 ExecStart=/opt/yio/app-launch.sh
-RemainAfterExit=yes
+# Force reboot if app failed to startup 2 times within 60 seconds
+StartLimitIntervalSec=60
+StartLimitBurst=2
+Restart=always
+RestartSec=1
+StartLimitAction=reboot-force
 
 [Install]
 WantedBy=multi-user.target

buildroot-external/rootfs-overlay/etc/systemd/system/multi-user.target.wants/app-update-bootcount.timer

@@ -0,0 +1 @@
+../app-update-bootcount.timer

buildroot-external/rootfs-overlay/opt/yio/app-launch.sh

@@ -14,4 +14,5 @@ if [[ ! -d $YIO_APP_DIR ]] && [[ -d ${YIO_HOME}/app-previous ]]; then
     mv ${YIO_HOME}/app-previous $YIO_APP_DIR
 fi
 
-${YIO_APP_DIR}/remote &
+# Do not fork! Otherwise systemd unit service doesn't work anymore
+${YIO_APP_DIR}/remote