1 files changed, 526 insertions, 0 deletions
diff --git a/embassy-boot/boot/src/boot_loader.rs b/embassy-boot/boot/src/boot_loader.rs
new file mode 100644
index 000000000..ad6735112
--- /dev/null
+++ b/embassy-boot/boot/src/boot_loader.rs
@@ -0,0 +1,526 @@
+use embedded_storage::nor_flash::{ErrorType, NorFlash, NorFlashError, NorFlashErrorKind, ReadNorFlash};
+use crate::{Partition, State, BOOT_MAGIC, SWAP_MAGIC};
+/// Errors returned by bootloader
+#[derive(PartialEq, Eq, Debug)]
+pub enum BootError {
+    /// Error from flash.
+    Flash(NorFlashErrorKind),
+    /// Invalid bootloader magic
+    BadMagic,
+}
+#[cfg(feature = "defmt")]
+impl defmt::Format for BootError {
+    fn format(&self, fmt: defmt::Formatter) {
+        match self {
+            BootError::Flash(_) => defmt::write!(fmt, "BootError::Flash(_)"),
+            BootError::BadMagic => defmt::write!(fmt, "BootError::BadMagic"),
+        }
+    }
+}
+impl<E> From<E> for BootError
+where
+    E: NorFlashError,
+{
+    fn from(error: E) -> Self {
+        BootError::Flash(error.kind())
+    }
+}
+/// Extension of the embedded-storage flash type information with block size and erase value.
+pub trait Flash: NorFlash + ReadNorFlash {
+    /// The block size that should be used when writing to flash. For most builtin flashes, this is the same as the erase
+    /// size of the flash, but for external QSPI flash modules, this can be lower.
+    const BLOCK_SIZE: usize;
+    /// The erase value of the flash. Typically the default of 0xFF is used, but some flashes use a different value.
+    const ERASE_VALUE: u8 = 0xFF;
+}
+/// Trait defining the flash handles used for active and DFU partition
+pub trait FlashConfig {
+    /// Flash type used for the state partition.
+    type STATE: Flash;
+    /// Flash type used for the active partition.
+    type ACTIVE: Flash;
+    /// Flash type used for the dfu partition.
+    type DFU: Flash;
+    /// Return flash instance used to write/read to/from active partition.
+    fn active(&mut self) -> &mut Self::ACTIVE;
+    /// Return flash instance used to write/read to/from dfu partition.
+    fn dfu(&mut self) -> &mut Self::DFU;
+    /// Return flash instance used to write/read to/from bootloader state.
+    fn state(&mut self) -> &mut Self::STATE;
+}
+/// BootLoader works with any flash implementing embedded_storage and can also work with
+/// different page sizes and flash write sizes.
+pub struct BootLoader {
+    // Page with current state of bootloader. The state partition has the following format:
+    // | Range          | Description                                                                      |
+    // | 0 - WRITE_SIZE | Magic indicating bootloader state. BOOT_MAGIC means boot, SWAP_MAGIC means swap. |
+    // | WRITE_SIZE - N | Progress index used while swapping or reverting                                  |
+    state: Partition,
+    // Location of the partition which will be booted from
+    active: Partition,
+    // Location of the partition which will be swapped in when requested
+    dfu: Partition,
+}
+impl BootLoader {
+    /// Create a new instance of a bootloader with the given partitions.
+    ///
+    /// - All partitions must be aligned with the PAGE_SIZE const generic parameter.
+    /// - The dfu partition must be at least PAGE_SIZE bigger than the active partition.
+    pub fn new(active: Partition, dfu: Partition, state: Partition) -> Self {
+        Self { active, dfu, state }
+    }
+    /// Return the boot address for the active partition.
+    pub fn boot_address(&self) -> usize {
+        self.active.from
+    }
+    /// Perform necessary boot preparations like swapping images.
+    ///
+    /// The DFU partition is assumed to be 1 page bigger than the active partition for the swap
+    /// algorithm to work correctly.
+    ///
+    /// SWAPPING
+    ///
+    /// Assume a flash size of 3 pages for the active partition, and 4 pages for the DFU partition.
+    /// The swap index contains the copy progress, as to allow continuation of the copy process on
+    /// power failure. The index counter is represented within 1 or more pages (depending on total
+    /// flash size), where a page X is considered swapped if index at location (X + WRITE_SIZE)
+    /// contains a zero value. This ensures that index updates can be performed atomically and
+    /// avoid a situation where the wrong index value is set (page write size is "atomic").
+    ///
+    /// +-----------+------------+--------+--------+--------+--------+
+    /// | Partition | Swap Index | Page 0 | Page 1 | Page 3 | Page 4 |
+    /// +-----------+------------+--------+--------+--------+--------+
+    /// |    Active |          0 |      1 |      2 |      3 |      - |
+    /// |       DFU |          0 |      3 |      2 |      1 |      X |
+    /// +-----------+------------+--------+--------+--------+--------+
+    ///
+    /// The algorithm starts by copying 'backwards', and after the first step, the layout is
+    /// as follows:
+    ///
+    /// +-----------+------------+--------+--------+--------+--------+
+    /// | Partition | Swap Index | Page 0 | Page 1 | Page 3 | Page 4 |
+    /// +-----------+------------+--------+--------+--------+--------+
+    /// |    Active |          1 |      1 |      2 |      1 |      - |
+    /// |       DFU |          1 |      3 |      2 |      1 |      3 |
+    /// +-----------+------------+--------+--------+--------+--------+
+    ///
+    /// The next iteration performs the same steps
+    ///
+    /// +-----------+------------+--------+--------+--------+--------+
+    /// | Partition | Swap Index | Page 0 | Page 1 | Page 3 | Page 4 |
+    /// +-----------+------------+--------+--------+--------+--------+
+    /// |    Active |          2 |      1 |      2 |      1 |      - |
+    /// |       DFU |          2 |      3 |      2 |      2 |      3 |
+    /// +-----------+------------+--------+--------+--------+--------+
+    ///
+    /// And again until we're done
+    ///
+    /// +-----------+------------+--------+--------+--------+--------+
+    /// | Partition | Swap Index | Page 0 | Page 1 | Page 3 | Page 4 |
+    /// +-----------+------------+--------+--------+--------+--------+
+    /// |    Active |          3 |      3 |      2 |      1 |      - |
+    /// |       DFU |          3 |      3 |      1 |      2 |      3 |
+    /// +-----------+------------+--------+--------+--------+--------+
+    ///
+    /// REVERTING
+    ///
+    /// The reverting algorithm uses the swap index to discover that images were swapped, but that
+    /// the application failed to mark the boot successful. In this case, the revert algorithm will
+    /// run.
+    ///
+    /// The revert index is located separately from the swap index, to ensure that revert can continue
+    /// on power failure.
+    ///
+    /// The revert algorithm works forwards, by starting copying into the 'unused' DFU page at the start.
+    ///
+    /// +-----------+--------------+--------+--------+--------+--------+
+    /// | Partition | Revert Index | Page 0 | Page 1 | Page 3 | Page 4 |
+    //*/
+    /// +-----------+--------------+--------+--------+--------+--------+
+    /// |    Active |            3 |      1 |      2 |      1 |      - |
+    /// |       DFU |            3 |      3 |      1 |      2 |      3 |
+    /// +-----------+--------------+--------+--------+--------+--------+
+    ///
+    ///
+    /// +-----------+--------------+--------+--------+--------+--------+
+    /// | Partition | Revert Index | Page 0 | Page 1 | Page 3 | Page 4 |
+    /// +-----------+--------------+--------+--------+--------+--------+
+    /// |    Active |            3 |      1 |      2 |      1 |      - |
+    /// |       DFU |            3 |      3 |      2 |      2 |      3 |
+    /// +-----------+--------------+--------+--------+--------+--------+
+    ///
+    /// +-----------+--------------+--------+--------+--------+--------+
+    /// | Partition | Revert Index | Page 0 | Page 1 | Page 3 | Page 4 |
+    /// +-----------+--------------+--------+--------+--------+--------+
+    /// |    Active |            3 |      1 |      2 |      3 |      - |
+    /// |       DFU |            3 |      3 |      2 |      1 |      3 |
+    /// +-----------+--------------+--------+--------+--------+--------+
+    ///
+    pub fn prepare_boot<P: FlashConfig>(
+        &mut self,
+        p: &mut P,
+        magic: &mut [u8],
+        page: &mut [u8],
+    ) -> Result<State, BootError> {
+        // Ensure we have enough progress pages to store copy progress
+        assert_partitions(self.active, self.dfu, self.state, page.len(), P::STATE::WRITE_SIZE);
+        assert_eq!(magic.len(), P::STATE::WRITE_SIZE);
+        // Copy contents from partition N to active
+        let state = self.read_state(p, magic)?;
+        if state == State::Swap {
+            //
+            // Check if we already swapped. If we're in the swap state, this means we should revert
+            // since the app has failed to mark boot as successful
+            //
+            if !self.is_swapped(p, magic, page)? {
+                trace!("Swapping");
+                self.swap(p, magic, page)?;
+                trace!("Swapping done");
+            } else {
+                trace!("Reverting");
+                self.revert(p, magic, page)?;
+                // Overwrite magic and reset progress
+                let fstate = p.state();
+                magic.fill(!P::STATE::ERASE_VALUE);
+                fstate.write(self.state.from as u32, magic)?;
+                fstate.erase(self.state.from as u32, self.state.to as u32)?;
+                magic.fill(BOOT_MAGIC);
+                fstate.write(self.state.from as u32, magic)?;
+            }
+        }
+        Ok(state)
+    }
+    fn is_swapped<P: FlashConfig>(&mut self, p: &mut P, magic: &mut [u8], page: &mut [u8]) -> Result<bool, BootError> {
+        let page_size = page.len();
+        let page_count = self.active.len() / page_size;
+        let progress = self.current_progress(p, magic)?;
+        Ok(progress >= page_count * 2)
+    }
+    fn current_progress<P: FlashConfig>(&mut self, config: &mut P, aligned: &mut [u8]) -> Result<usize, BootError> {
+        let write_size = aligned.len();
+        let max_index = ((self.state.len() - write_size) / write_size) - 1;
+        aligned.fill(!P::STATE::ERASE_VALUE);
+        let flash = config.state();
+        for i in 0..max_index {
+            flash.read((self.state.from + write_size + i * write_size) as u32, aligned)?;
+            if aligned.iter().any(|&b| b == P::STATE::ERASE_VALUE) {
+                return Ok(i);
+            }
+        }
+        Ok(max_index)
+    }
+    fn update_progress<P: FlashConfig>(&mut self, idx: usize, p: &mut P, magic: &mut [u8]) -> Result<(), BootError> {
+        let flash = p.state();
+        let write_size = magic.len();
+        let w = self.state.from + write_size + idx * write_size;
+        let aligned = magic;
+        aligned.fill(!P::STATE::ERASE_VALUE);
+        flash.write(w as u32, aligned)?;
+        Ok(())
+    }
+    fn active_addr(&self, n: usize, page_size: usize) -> usize {
+        self.active.from + n * page_size
+    }
+    fn dfu_addr(&self, n: usize, page_size: usize) -> usize {
+        self.dfu.from + n * page_size
+    }
+    fn copy_page_once_to_active<P: FlashConfig>(
+        &mut self,
+        idx: usize,
+        from_page: usize,
+        to_page: usize,
+        p: &mut P,
+        magic: &mut [u8],
+        page: &mut [u8],
+    ) -> Result<(), BootError> {
+        let buf = page;
+        if self.current_progress(p, magic)? <= idx {
+            let mut offset = from_page;
+            for chunk in buf.chunks_mut(P::DFU::BLOCK_SIZE) {
+                p.dfu().read(offset as u32, chunk)?;
+                offset += chunk.len();
+            }
+            p.active().erase(to_page as u32, (to_page + buf.len()) as u32)?;
+            let mut offset = to_page;
+            for chunk in buf.chunks(P::ACTIVE::BLOCK_SIZE) {
+                p.active().write(offset as u32, chunk)?;
+                offset += chunk.len();
+            }
+            self.update_progress(idx, p, magic)?;
+        }
+        Ok(())
+    }
+    fn copy_page_once_to_dfu<P: FlashConfig>(
+        &mut self,
+        idx: usize,
+        from_page: usize,
+        to_page: usize,
+        p: &mut P,
+        magic: &mut [u8],
+        page: &mut [u8],
+    ) -> Result<(), BootError> {
+        let buf = page;
+        if self.current_progress(p, magic)? <= idx {
+            let mut offset = from_page;
+            for chunk in buf.chunks_mut(P::ACTIVE::BLOCK_SIZE) {
+                p.active().read(offset as u32, chunk)?;
+                offset += chunk.len();
+            }
+            p.dfu().erase(to_page as u32, (to_page + buf.len()) as u32)?;
+            let mut offset = to_page;
+            for chunk in buf.chunks(P::DFU::BLOCK_SIZE) {
+                p.dfu().write(offset as u32, chunk)?;
+                offset += chunk.len();
+            }
+            self.update_progress(idx, p, magic)?;
+        }
+        Ok(())
+    }
+    fn swap<P: FlashConfig>(&mut self, p: &mut P, magic: &mut [u8], page: &mut [u8]) -> Result<(), BootError> {
+        let page_size = page.len();
+        let page_count = self.active.len() / page_size;
+        trace!("Page count: {}", page_count);
+        for page_num in 0..page_count {
+            trace!("COPY PAGE {}", page_num);
+            // Copy active page to the 'next' DFU page.
+            let active_page = self.active_addr(page_count - 1 - page_num, page_size);
+            let dfu_page = self.dfu_addr(page_count - page_num, page_size);
+            //trace!("Copy active {} to dfu {}", active_page, dfu_page);
+            self.copy_page_once_to_dfu(page_num * 2, active_page, dfu_page, p, magic, page)?;
+            // Copy DFU page to the active page
+            let active_page = self.active_addr(page_count - 1 - page_num, page_size);
+            let dfu_page = self.dfu_addr(page_count - 1 - page_num, page_size);
+            //trace!("Copy dfy {} to active {}", dfu_page, active_page);
+            self.copy_page_once_to_active(page_num * 2 + 1, dfu_page, active_page, p, magic, page)?;
+        }
+        Ok(())
+    }
+    fn revert<P: FlashConfig>(&mut self, p: &mut P, magic: &mut [u8], page: &mut [u8]) -> Result<(), BootError> {
+        let page_size = page.len();
+        let page_count = self.active.len() / page_size;
+        for page_num in 0..page_count {
+            // Copy the bad active page to the DFU page
+            let active_page = self.active_addr(page_num, page_size);
+            let dfu_page = self.dfu_addr(page_num, page_size);
+            self.copy_page_once_to_dfu(page_count * 2 + page_num * 2, active_page, dfu_page, p, magic, page)?;
+            // Copy the DFU page back to the active page
+            let active_page = self.active_addr(page_num, page_size);
+            let dfu_page = self.dfu_addr(page_num + 1, page_size);
+            self.copy_page_once_to_active(page_count * 2 + page_num * 2 + 1, dfu_page, active_page, p, magic, page)?;
+        }
+        Ok(())
+    }
+    fn read_state<P: FlashConfig>(&mut self, config: &mut P, magic: &mut [u8]) -> Result<State, BootError> {
+        let flash = config.state();
+        flash.read(self.state.from as u32, magic)?;
+        if !magic.iter().any(|&b| b != SWAP_MAGIC) {
+            Ok(State::Swap)
+        } else {
+            Ok(State::Boot)
+        }
+    }
+}
+fn assert_partitions(active: Partition, dfu: Partition, state: Partition, page_size: usize, write_size: usize) {
+    assert_eq!(active.len() % page_size, 0);
+    assert_eq!(dfu.len() % page_size, 0);
+    assert!(dfu.len() - active.len() >= page_size);
+    assert!(2 * (active.len() / page_size) <= (state.len() - write_size) / write_size);
+}
+/// A flash wrapper implementing the Flash and embedded_storage traits.
+pub struct BootFlash<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8 = 0xFF>
+where
+    F: NorFlash + ReadNorFlash,
+{
+    flash: F,
+}
+impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
+where
+    F: NorFlash + ReadNorFlash,
+{
+    /// Create a new instance of a bootable flash
+    pub fn new(flash: F) -> Self {
+        Self { flash }
+    }
+}
+impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> Flash for BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
+where
+    F: NorFlash + ReadNorFlash,
+{
+    const BLOCK_SIZE: usize = BLOCK_SIZE;
+    const ERASE_VALUE: u8 = ERASE_VALUE;
+}
+impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> ErrorType for BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
+where
+    F: ReadNorFlash + NorFlash,
+{
+    type Error = F::Error;
+}
+impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> NorFlash for BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
+where
+    F: ReadNorFlash + NorFlash,
+{
+    const WRITE_SIZE: usize = F::WRITE_SIZE;
+    const ERASE_SIZE: usize = F::ERASE_SIZE;
+    fn erase(&mut self, from: u32, to: u32) -> Result<(), Self::Error> {
+        F::erase(&mut self.flash, from, to)
+    }
+    fn write(&mut self, offset: u32, bytes: &[u8]) -> Result<(), Self::Error> {
+        F::write(&mut self.flash, offset, bytes)
+    }
+}
+impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> ReadNorFlash for BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
+where
+    F: ReadNorFlash + NorFlash,
+{
+    const READ_SIZE: usize = F::READ_SIZE;
+    fn read(&mut self, offset: u32, bytes: &mut [u8]) -> Result<(), Self::Error> {
+        F::read(&mut self.flash, offset, bytes)
+    }
+    fn capacity(&self) -> usize {
+        F::capacity(&self.flash)
+    }
+}
+/// Convenience provider that uses a single flash for all partitions.
+pub struct SingleFlashConfig<'a, F>
+where
+    F: Flash,
+{
+    flash: &'a mut F,
+}
+impl<'a, F> SingleFlashConfig<'a, F>
+where
+    F: Flash,
+{
+    /// Create a provider for a single flash.
+    pub fn new(flash: &'a mut F) -> Self {
+        Self { flash }
+    }
+}
+impl<'a, F> FlashConfig for SingleFlashConfig<'a, F>
+where
+    F: Flash,
+{
+    type STATE = F;
+    type ACTIVE = F;
+    type DFU = F;
+    fn active(&mut self) -> &mut Self::STATE {
+        self.flash
+    }
+    fn dfu(&mut self) -> &mut Self::ACTIVE {
+        self.flash
+    }
+    fn state(&mut self) -> &mut Self::DFU {
+        self.flash
+    }
+}
+/// Convenience flash provider that uses separate flash instances for each partition.
+pub struct MultiFlashConfig<'a, ACTIVE, STATE, DFU>
+where
+    ACTIVE: Flash,
+    STATE: Flash,
+    DFU: Flash,
+{
+    active: &'a mut ACTIVE,
+    state: &'a mut STATE,
+    dfu: &'a mut DFU,
+}
+impl<'a, ACTIVE, STATE, DFU> MultiFlashConfig<'a, ACTIVE, STATE, DFU>
+where
+    ACTIVE: Flash,
+    STATE: Flash,
+    DFU: Flash,
+{
+    /// Create a new flash provider with separate configuration for all three partitions.
+    pub fn new(active: &'a mut ACTIVE, state: &'a mut STATE, dfu: &'a mut DFU) -> Self {
+        Self { active, state, dfu }
+    }
+}
+impl<'a, ACTIVE, STATE, DFU> FlashConfig for MultiFlashConfig<'a, ACTIVE, STATE, DFU>
+where
+    ACTIVE: Flash,
+    STATE: Flash,
+    DFU: Flash,
+{
+    type STATE = STATE;
+    type ACTIVE = ACTIVE;
+    type DFU = DFU;
+    fn active(&mut self) -> &mut Self::ACTIVE {
+        self.active
+    }
+    fn dfu(&mut self) -> &mut Self::DFU {
+        self.dfu
+    }
+    fn state(&mut self) -> &mut Self::STATE {
+        self.state
+    }
+}
+#[cfg(test)]
+mod tests {
+    use super::*;
+    #[test]
+    #[should_panic]
+    fn test_range_asserts() {
+        const ACTIVE: Partition = Partition::new(4096, 4194304);
+        const DFU: Partition = Partition::new(4194304, 2 * 4194304);
+        const STATE: Partition = Partition::new(0, 4096);
+        assert_partitions(ACTIVE, DFU, STATE, 4096, 4);
+    }
+}

diff --git a/embassy-boot/boot/src/boot_loader.rs b/embassy-boot/boot/src/boot_loader.rs new file mode 100644 index 000000000..ad6735112 --- /dev/null +++ b/embassy-boot/boot/src/boot_loader.rs
@@ -0,0 +1,526 @@
	1	use embedded_storage::nor_flash::{ErrorType, NorFlash, NorFlashError, NorFlashErrorKind, ReadNorFlash};
	2
	3	use crate::{Partition, State, BOOT_MAGIC, SWAP_MAGIC};
	4
	5	/// Errors returned by bootloader
	6	#[derive(PartialEq, Eq, Debug)]
	7	pub enum BootError {
	8	/// Error from flash.
	9	Flash(NorFlashErrorKind),
	10	/// Invalid bootloader magic
	11	BadMagic,
	12	}
	13
	14	#[cfg(feature = "defmt")]
	15	impl defmt::Format for BootError {
	16	fn format(&self, fmt: defmt::Formatter) {
	17	match self {
	18	BootError::Flash(_) => defmt::write!(fmt, "BootError::Flash(_)"),
	19	BootError::BadMagic => defmt::write!(fmt, "BootError::BadMagic"),
	20	}
	21	}
	22	}
	23
	24	impl<E> From<E> for BootError
	25	where
	26	E: NorFlashError,
	27	{
	28	fn from(error: E) -> Self {
	29	BootError::Flash(error.kind())
	30	}
	31	}
	32
	33	/// Extension of the embedded-storage flash type information with block size and erase value.
	34	pub trait Flash: NorFlash + ReadNorFlash {
	35	/// The block size that should be used when writing to flash. For most builtin flashes, this is the same as the erase
	36	/// size of the flash, but for external QSPI flash modules, this can be lower.
	37	const BLOCK_SIZE: usize;
	38	/// The erase value of the flash. Typically the default of 0xFF is used, but some flashes use a different value.
	39	const ERASE_VALUE: u8 = 0xFF;
	40	}
	41
	42	/// Trait defining the flash handles used for active and DFU partition
	43	pub trait FlashConfig {
	44	/// Flash type used for the state partition.
	45	type STATE: Flash;
	46	/// Flash type used for the active partition.
	47	type ACTIVE: Flash;
	48	/// Flash type used for the dfu partition.
	49	type DFU: Flash;
	50
	51	/// Return flash instance used to write/read to/from active partition.
	52	fn active(&mut self) -> &mut Self::ACTIVE;
	53	/// Return flash instance used to write/read to/from dfu partition.
	54	fn dfu(&mut self) -> &mut Self::DFU;
	55	/// Return flash instance used to write/read to/from bootloader state.
	56	fn state(&mut self) -> &mut Self::STATE;
	57	}
	58
	59	/// BootLoader works with any flash implementing embedded_storage and can also work with
	60	/// different page sizes and flash write sizes.
	61	pub struct BootLoader {
	62	// Page with current state of bootloader. The state partition has the following format:
	63	// \| Range \| Description \|
	64	// \| 0 - WRITE_SIZE \| Magic indicating bootloader state. BOOT_MAGIC means boot, SWAP_MAGIC means swap. \|
	65	// \| WRITE_SIZE - N \| Progress index used while swapping or reverting \|
	66	state: Partition,
	67	// Location of the partition which will be booted from
	68	active: Partition,
	69	// Location of the partition which will be swapped in when requested
	70	dfu: Partition,
	71	}
	72
	73	impl BootLoader {
	74	/// Create a new instance of a bootloader with the given partitions.
	75	///
	76	/// - All partitions must be aligned with the PAGE_SIZE const generic parameter.
	77	/// - The dfu partition must be at least PAGE_SIZE bigger than the active partition.
	78	pub fn new(active: Partition, dfu: Partition, state: Partition) -> Self {
	79	Self { active, dfu, state }
	80	}
	81
	82	/// Return the boot address for the active partition.
	83	pub fn boot_address(&self) -> usize {
	84	self.active.from
	85	}
	86
	87	/// Perform necessary boot preparations like swapping images.
	88	///
	89	/// The DFU partition is assumed to be 1 page bigger than the active partition for the swap
	90	/// algorithm to work correctly.
	91	///
	92	/// SWAPPING
	93	///
	94	/// Assume a flash size of 3 pages for the active partition, and 4 pages for the DFU partition.
	95	/// The swap index contains the copy progress, as to allow continuation of the copy process on
	96	/// power failure. The index counter is represented within 1 or more pages (depending on total
	97	/// flash size), where a page X is considered swapped if index at location (X + WRITE_SIZE)
	98	/// contains a zero value. This ensures that index updates can be performed atomically and
	99	/// avoid a situation where the wrong index value is set (page write size is "atomic").
	100	///
	101	/// +-----------+------------+--------+--------+--------+--------+
	102	/// \| Partition \| Swap Index \| Page 0 \| Page 1 \| Page 3 \| Page 4 \|
	103	/// +-----------+------------+--------+--------+--------+--------+
	104	/// \| Active \| 0 \| 1 \| 2 \| 3 \| - \|
	105	/// \| DFU \| 0 \| 3 \| 2 \| 1 \| X \|
	106	/// +-----------+------------+--------+--------+--------+--------+
	107	///
	108	/// The algorithm starts by copying 'backwards', and after the first step, the layout is
	109	/// as follows:
	110	///
	111	/// +-----------+------------+--------+--------+--------+--------+
	112	/// \| Partition \| Swap Index \| Page 0 \| Page 1 \| Page 3 \| Page 4 \|
	113	/// +-----------+------------+--------+--------+--------+--------+
	114	/// \| Active \| 1 \| 1 \| 2 \| 1 \| - \|
	115	/// \| DFU \| 1 \| 3 \| 2 \| 1 \| 3 \|
	116	/// +-----------+------------+--------+--------+--------+--------+
	117	///
	118	/// The next iteration performs the same steps
	119	///
	120	/// +-----------+------------+--------+--------+--------+--------+
	121	/// \| Partition \| Swap Index \| Page 0 \| Page 1 \| Page 3 \| Page 4 \|
	122	/// +-----------+------------+--------+--------+--------+--------+
	123	/// \| Active \| 2 \| 1 \| 2 \| 1 \| - \|
	124	/// \| DFU \| 2 \| 3 \| 2 \| 2 \| 3 \|
	125	/// +-----------+------------+--------+--------+--------+--------+
	126	///
	127	/// And again until we're done
	128	///
	129	/// +-----------+------------+--------+--------+--------+--------+
	130	/// \| Partition \| Swap Index \| Page 0 \| Page 1 \| Page 3 \| Page 4 \|
	131	/// +-----------+------------+--------+--------+--------+--------+
	132	/// \| Active \| 3 \| 3 \| 2 \| 1 \| - \|
	133	/// \| DFU \| 3 \| 3 \| 1 \| 2 \| 3 \|
	134	/// +-----------+------------+--------+--------+--------+--------+
	135	///
	136	/// REVERTING
	137	///
	138	/// The reverting algorithm uses the swap index to discover that images were swapped, but that
	139	/// the application failed to mark the boot successful. In this case, the revert algorithm will
	140	/// run.
	141	///
	142	/// The revert index is located separately from the swap index, to ensure that revert can continue
	143	/// on power failure.
	144	///
	145	/// The revert algorithm works forwards, by starting copying into the 'unused' DFU page at the start.
	146	///
	147	/// +-----------+--------------+--------+--------+--------+--------+
	148	/// \| Partition \| Revert Index \| Page 0 \| Page 1 \| Page 3 \| Page 4 \|
	149	//*/
	150	/// +-----------+--------------+--------+--------+--------+--------+
	151	/// \| Active \| 3 \| 1 \| 2 \| 1 \| - \|
	152	/// \| DFU \| 3 \| 3 \| 1 \| 2 \| 3 \|
	153	/// +-----------+--------------+--------+--------+--------+--------+
	154	///
	155	///
	156	/// +-----------+--------------+--------+--------+--------+--------+
	157	/// \| Partition \| Revert Index \| Page 0 \| Page 1 \| Page 3 \| Page 4 \|
	158	/// +-----------+--------------+--------+--------+--------+--------+
	159	/// \| Active \| 3 \| 1 \| 2 \| 1 \| - \|
	160	/// \| DFU \| 3 \| 3 \| 2 \| 2 \| 3 \|
	161	/// +-----------+--------------+--------+--------+--------+--------+
	162	///
	163	/// +-----------+--------------+--------+--------+--------+--------+
	164	/// \| Partition \| Revert Index \| Page 0 \| Page 1 \| Page 3 \| Page 4 \|
	165	/// +-----------+--------------+--------+--------+--------+--------+
	166	/// \| Active \| 3 \| 1 \| 2 \| 3 \| - \|
	167	/// \| DFU \| 3 \| 3 \| 2 \| 1 \| 3 \|
	168	/// +-----------+--------------+--------+--------+--------+--------+
	169	///
	170	pub fn prepare_boot<P: FlashConfig>(
	171	&mut self,
	172	p: &mut P,
	173	magic: &mut [u8],
	174	page: &mut [u8],
	175	) -> Result<State, BootError> {
	176	// Ensure we have enough progress pages to store copy progress
	177	assert_partitions(self.active, self.dfu, self.state, page.len(), P::STATE::WRITE_SIZE);
	178	assert_eq!(magic.len(), P::STATE::WRITE_SIZE);
	179
	180	// Copy contents from partition N to active
	181	let state = self.read_state(p, magic)?;
	182	if state == State::Swap {
	183	//
	184	// Check if we already swapped. If we're in the swap state, this means we should revert
	185	// since the app has failed to mark boot as successful
	186	//
	187	if !self.is_swapped(p, magic, page)? {
	188	trace!("Swapping");
	189	self.swap(p, magic, page)?;
	190	trace!("Swapping done");
	191	} else {
	192	trace!("Reverting");
	193	self.revert(p, magic, page)?;
	194
	195	// Overwrite magic and reset progress
	196	let fstate = p.state();
	197	magic.fill(!P::STATE::ERASE_VALUE);
	198	fstate.write(self.state.from as u32, magic)?;
	199	fstate.erase(self.state.from as u32, self.state.to as u32)?;
	200
	201	magic.fill(BOOT_MAGIC);
	202	fstate.write(self.state.from as u32, magic)?;
	203	}
	204	}
	205	Ok(state)
	206	}
	207
	208	fn is_swapped<P: FlashConfig>(&mut self, p: &mut P, magic: &mut [u8], page: &mut [u8]) -> Result<bool, BootError> {
	209	let page_size = page.len();
	210	let page_count = self.active.len() / page_size;
	211	let progress = self.current_progress(p, magic)?;
	212
	213	Ok(progress >= page_count * 2)
	214	}
	215
	216	fn current_progress<P: FlashConfig>(&mut self, config: &mut P, aligned: &mut [u8]) -> Result<usize, BootError> {
	217	let write_size = aligned.len();
	218	let max_index = ((self.state.len() - write_size) / write_size) - 1;
	219	aligned.fill(!P::STATE::ERASE_VALUE);
	220
	221	let flash = config.state();
	222	for i in 0..max_index {
	223	flash.read((self.state.from + write_size + i * write_size) as u32, aligned)?;
	224
	225	if aligned.iter().any(\|&b\| b == P::STATE::ERASE_VALUE) {
	226	return Ok(i);
	227	}
	228	}
	229	Ok(max_index)
	230	}
	231
	232	fn update_progress<P: FlashConfig>(&mut self, idx: usize, p: &mut P, magic: &mut [u8]) -> Result<(), BootError> {
	233	let flash = p.state();
	234	let write_size = magic.len();
	235	let w = self.state.from + write_size + idx * write_size;
	236
	237	let aligned = magic;
	238	aligned.fill(!P::STATE::ERASE_VALUE);
	239	flash.write(w as u32, aligned)?;
	240	Ok(())
	241	}
	242
	243	fn active_addr(&self, n: usize, page_size: usize) -> usize {
	244	self.active.from + n * page_size
	245	}
	246
	247	fn dfu_addr(&self, n: usize, page_size: usize) -> usize {
	248	self.dfu.from + n * page_size
	249	}
	250
	251	fn copy_page_once_to_active<P: FlashConfig>(
	252	&mut self,
	253	idx: usize,
	254	from_page: usize,
	255	to_page: usize,
	256	p: &mut P,
	257	magic: &mut [u8],
	258	page: &mut [u8],
	259	) -> Result<(), BootError> {
	260	let buf = page;
	261	if self.current_progress(p, magic)? <= idx {
	262	let mut offset = from_page;
	263	for chunk in buf.chunks_mut(P::DFU::BLOCK_SIZE) {
	264	p.dfu().read(offset as u32, chunk)?;
	265	offset += chunk.len();
	266	}
	267
	268	p.active().erase(to_page as u32, (to_page + buf.len()) as u32)?;
	269
	270	let mut offset = to_page;
	271	for chunk in buf.chunks(P::ACTIVE::BLOCK_SIZE) {
	272	p.active().write(offset as u32, chunk)?;
	273	offset += chunk.len();
	274	}
	275	self.update_progress(idx, p, magic)?;
	276	}
	277	Ok(())
	278	}
	279
	280	fn copy_page_once_to_dfu<P: FlashConfig>(
	281	&mut self,
	282	idx: usize,
	283	from_page: usize,
	284	to_page: usize,
	285	p: &mut P,
	286	magic: &mut [u8],
	287	page: &mut [u8],
	288	) -> Result<(), BootError> {
	289	let buf = page;
	290	if self.current_progress(p, magic)? <= idx {
	291	let mut offset = from_page;
	292	for chunk in buf.chunks_mut(P::ACTIVE::BLOCK_SIZE) {
	293	p.active().read(offset as u32, chunk)?;
	294	offset += chunk.len();
	295	}
	296
	297	p.dfu().erase(to_page as u32, (to_page + buf.len()) as u32)?;
	298
	299	let mut offset = to_page;
	300	for chunk in buf.chunks(P::DFU::BLOCK_SIZE) {
	301	p.dfu().write(offset as u32, chunk)?;
	302	offset += chunk.len();
	303	}
	304	self.update_progress(idx, p, magic)?;
	305	}
	306	Ok(())
	307	}
	308
	309	fn swap<P: FlashConfig>(&mut self, p: &mut P, magic: &mut [u8], page: &mut [u8]) -> Result<(), BootError> {
	310	let page_size = page.len();
	311	let page_count = self.active.len() / page_size;
	312	trace!("Page count: {}", page_count);
	313	for page_num in 0..page_count {
	314	trace!("COPY PAGE {}", page_num);
	315	// Copy active page to the 'next' DFU page.
	316	let active_page = self.active_addr(page_count - 1 - page_num, page_size);
	317	let dfu_page = self.dfu_addr(page_count - page_num, page_size);
	318	//trace!("Copy active {} to dfu {}", active_page, dfu_page);
	319	self.copy_page_once_to_dfu(page_num * 2, active_page, dfu_page, p, magic, page)?;
	320
	321	// Copy DFU page to the active page
	322	let active_page = self.active_addr(page_count - 1 - page_num, page_size);
	323	let dfu_page = self.dfu_addr(page_count - 1 - page_num, page_size);
	324	//trace!("Copy dfy {} to active {}", dfu_page, active_page);
	325	self.copy_page_once_to_active(page_num * 2 + 1, dfu_page, active_page, p, magic, page)?;
	326	}
	327
	328	Ok(())
	329	}
	330
	331	fn revert<P: FlashConfig>(&mut self, p: &mut P, magic: &mut [u8], page: &mut [u8]) -> Result<(), BootError> {
	332	let page_size = page.len();
	333	let page_count = self.active.len() / page_size;
	334	for page_num in 0..page_count {
	335	// Copy the bad active page to the DFU page
	336	let active_page = self.active_addr(page_num, page_size);
	337	let dfu_page = self.dfu_addr(page_num, page_size);
	338	self.copy_page_once_to_dfu(page_count * 2 + page_num * 2, active_page, dfu_page, p, magic, page)?;
	339
	340	// Copy the DFU page back to the active page
	341	let active_page = self.active_addr(page_num, page_size);
	342	let dfu_page = self.dfu_addr(page_num + 1, page_size);
	343	self.copy_page_once_to_active(page_count * 2 + page_num * 2 + 1, dfu_page, active_page, p, magic, page)?;
	344	}
	345
	346	Ok(())
	347	}
	348
	349	fn read_state<P: FlashConfig>(&mut self, config: &mut P, magic: &mut [u8]) -> Result<State, BootError> {
	350	let flash = config.state();
	351	flash.read(self.state.from as u32, magic)?;
	352
	353	if !magic.iter().any(\|&b\| b != SWAP_MAGIC) {
	354	Ok(State::Swap)
	355	} else {
	356	Ok(State::Boot)
	357	}
	358	}
	359	}
	360
	361	fn assert_partitions(active: Partition, dfu: Partition, state: Partition, page_size: usize, write_size: usize) {
	362	assert_eq!(active.len() % page_size, 0);
	363	assert_eq!(dfu.len() % page_size, 0);
	364	assert!(dfu.len() - active.len() >= page_size);
	365	assert!(2 * (active.len() / page_size) <= (state.len() - write_size) / write_size);
	366	}
	367
	368	/// A flash wrapper implementing the Flash and embedded_storage traits.
	369	pub struct BootFlash<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8 = 0xFF>
	370	where
	371	F: NorFlash + ReadNorFlash,
	372	{
	373	flash: F,
	374	}
	375
	376	impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
	377	where
	378	F: NorFlash + ReadNorFlash,
	379	{
	380	/// Create a new instance of a bootable flash
	381	pub fn new(flash: F) -> Self {
	382	Self { flash }
	383	}
	384	}
	385
	386	impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> Flash for BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
	387	where
	388	F: NorFlash + ReadNorFlash,
	389	{
	390	const BLOCK_SIZE: usize = BLOCK_SIZE;
	391	const ERASE_VALUE: u8 = ERASE_VALUE;
	392	}
	393
	394	impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> ErrorType for BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
	395	where
	396	F: ReadNorFlash + NorFlash,
	397	{
	398	type Error = F::Error;
	399	}
	400
	401	impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> NorFlash for BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
	402	where
	403	F: ReadNorFlash + NorFlash,
	404	{
	405	const WRITE_SIZE: usize = F::WRITE_SIZE;
	406	const ERASE_SIZE: usize = F::ERASE_SIZE;
	407
	408	fn erase(&mut self, from: u32, to: u32) -> Result<(), Self::Error> {
	409	F::erase(&mut self.flash, from, to)
	410	}
	411
	412	fn write(&mut self, offset: u32, bytes: &[u8]) -> Result<(), Self::Error> {
	413	F::write(&mut self.flash, offset, bytes)
	414	}
	415	}
	416
	417	impl<F, const BLOCK_SIZE: usize, const ERASE_VALUE: u8> ReadNorFlash for BootFlash<F, BLOCK_SIZE, ERASE_VALUE>
	418	where
	419	F: ReadNorFlash + NorFlash,
	420	{
	421	const READ_SIZE: usize = F::READ_SIZE;
	422
	423	fn read(&mut self, offset: u32, bytes: &mut [u8]) -> Result<(), Self::Error> {
	424	F::read(&mut self.flash, offset, bytes)
	425	}
	426
	427	fn capacity(&self) -> usize {
	428	F::capacity(&self.flash)
	429	}
	430	}
	431
	432	/// Convenience provider that uses a single flash for all partitions.
	433	pub struct SingleFlashConfig<'a, F>
	434	where
	435	F: Flash,
	436	{
	437	flash: &'a mut F,
	438	}
	439
	440	impl<'a, F> SingleFlashConfig<'a, F>
	441	where
	442	F: Flash,
	443	{
	444	/// Create a provider for a single flash.
	445	pub fn new(flash: &'a mut F) -> Self {
	446	Self { flash }
	447	}
	448	}
	449
	450	impl<'a, F> FlashConfig for SingleFlashConfig<'a, F>
	451	where
	452	F: Flash,
	453	{
	454	type STATE = F;
	455	type ACTIVE = F;
	456	type DFU = F;
	457
	458	fn active(&mut self) -> &mut Self::STATE {
	459	self.flash
	460	}
	461	fn dfu(&mut self) -> &mut Self::ACTIVE {
	462	self.flash
	463	}
	464	fn state(&mut self) -> &mut Self::DFU {
	465	self.flash
	466	}
	467	}
	468
	469	/// Convenience flash provider that uses separate flash instances for each partition.
	470	pub struct MultiFlashConfig<'a, ACTIVE, STATE, DFU>
	471	where
	472	ACTIVE: Flash,
	473	STATE: Flash,
	474	DFU: Flash,
	475	{
	476	active: &'a mut ACTIVE,
	477	state: &'a mut STATE,
	478	dfu: &'a mut DFU,
	479	}
	480
	481	impl<'a, ACTIVE, STATE, DFU> MultiFlashConfig<'a, ACTIVE, STATE, DFU>
	482	where
	483	ACTIVE: Flash,
	484	STATE: Flash,
	485	DFU: Flash,
	486	{
	487	/// Create a new flash provider with separate configuration for all three partitions.
	488	pub fn new(active: &'a mut ACTIVE, state: &'a mut STATE, dfu: &'a mut DFU) -> Self {
	489	Self { active, state, dfu }
	490	}
	491	}
	492
	493	impl<'a, ACTIVE, STATE, DFU> FlashConfig for MultiFlashConfig<'a, ACTIVE, STATE, DFU>
	494	where
	495	ACTIVE: Flash,
	496	STATE: Flash,
	497	DFU: Flash,
	498	{
	499	type STATE = STATE;
	500	type ACTIVE = ACTIVE;
	501	type DFU = DFU;
	502
	503	fn active(&mut self) -> &mut Self::ACTIVE {
	504	self.active
	505	}
	506	fn dfu(&mut self) -> &mut Self::DFU {
	507	self.dfu
	508	}
	509	fn state(&mut self) -> &mut Self::STATE {
	510	self.state
	511	}
	512	}
	513
	514	#[cfg(test)]
	515	mod tests {
	516	use super::*;
	517
	518	#[test]
	519	#[should_panic]
	520	fn test_range_asserts() {
	521	const ACTIVE: Partition = Partition::new(4096, 4194304);
	522	const DFU: Partition = Partition::new(4194304, 2 * 4194304);
	523	const STATE: Partition = Partition::new(0, 4096);
	524	assert_partitions(ACTIVE, DFU, STATE, 4096, 4);
	525	}
	526	}