undefined | Better HN

0 pointswhalesalad2y ago0 comments

A/B partitions tends to solve that. You will only switch to the new partition when the update is 100% verified installed. If it doesn't complete in an atomic manner, your device will just boot into the previous healthy partition.

0 comments

AlotOfReading2y ago

A/B gets complicated in the real world. BL1 may not support A/B for example, so to implement A/B bootloaders you may need a shim that can read/write NVM to handle that. Your HSM may not have slots for multiple keys to have different signatures, so upgrading one may trample the other if your update code doesn't check that.

Lots of ways to screw this up, especially in automotive where you're likely to be dealing with TI and their (in)secure boot.

I've solved this problem god only knows how many times now and I've rarely found an automotive board that doesn't introduce fun, new edge cases. OTA can't exceed x kilobytes of memory, the processor isn't fast enough to verify signatures and write the image in < x seconds, can't write the image to flash unless the signature is verified, but the image doesn't fit in RAM, the server delivering the update is 3+ networks away from the device receiving the update, etc.

Dalewyn2y ago

With all due respect, that all sounds like Programmer Induced Problems(tm).

Cars are a long solved problem, being around for over a century. Telephony and computing hardware and infrastructure today are in the realm of the ludicrously good compared to even just a few decades ago, even if we consider bottom of the barrel worst case scenarios. If software somehow can't work a solved problem using ludicrously good hardware, the programmers (and their managers) are the problem.

whalesaladOP2y ago

I agree here. A partition is just a partition. It's taking one disk and abstracting it into two. This is not hard.

The rovers on Mars, the Voyager, these problems have been solved for a long time. The compute in a Tesla these days can probably run Crysis.

You can do this OTA to a Raspberry Pi running Nerves via remote SSH and it works really well. The Nerves runtime utilizes A/B partitions for OTA updates.

1 more reply

AlotOfReading2y ago

Let's use two of the examples I gave above. How would you go about modifying the silicon to support new features in the boot rom, and how do you get around the pigeonhole principle when that silicon vendor doesn't ship enough bits of OTP memory to store multiple keys? M-x butterfly doesn't quite get there, but maybe there's another Emacs command I could use?

1 more reply

mlyle2y ago

If the comment I replied to originally contained a mention of A/B partitions, I missed it.

j / k navigate · click thread line to collapse

0 comments

AlotOfReading2y ago

Lots of ways to screw this up, especially in automotive where you're likely to be dealing with TI and their (in)secure boot.

Dalewyn2y ago

With all due respect, that all sounds like Programmer Induced Problems(tm).

whalesaladOP2y ago

I agree here. A partition is just a partition. It's taking one disk and abstracting it into two. This is not hard.

The rovers on Mars, the Voyager, these problems have been solved for a long time. The compute in a Tesla these days can probably run Crysis.

You can do this OTA to a Raspberry Pi running Nerves via remote SSH and it works really well. The Nerves runtime utilizes A/B partitions for OTA updates.

1 more reply

AlotOfReading2y ago

1 more reply

mlyle2y ago

If the comment I replied to originally contained a mention of A/B partitions, I missed it.

j / k navigate · click thread line to collapse