Timothy Pearson (tpearson@raptorengineeringinc.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/12289
-gerrit
commit 6bdeb5a35312b3cad4633481f557c8bc1a40d766
Author: Timothy Pearson tpearson@raptorengineeringinc.com
Date: Sun Nov 1 02:13:17 2015 -0600
drivers/pc80: Ensure recovery mode always boots fallback image
The current fallback / failed boot count checks only look at the value of last_boot when determining whether to execute the normal or fallback image. Furthermore, the normal boot bit is unconditionally set if the failed boot count has not exceeded its threshold, thereby overriding a request from the user to boot into fallback mode if the user does not also set the failed boot count above the failure threshold.
Only check the failed boot count if the normal boot bit is set in nvram.
NOTE: The existing code was very badly broken. Even when the user set a recovery jumper (or used nvramtool to set the next boot attempt to Fallback), the bootblock would execute the normal code if the failed boot count was below threshold. The only way to recover from this situation was to forcibly power off and on the board repeatedly until the failed boot count rose high enough, or to directly reflash the ROM.
Change-Id: I753ae9f0710c524875a85354ac2547df0c305569
Signed-off-by: Timothy Pearson tpearson@raptorengineeringinc.com
---
src/drivers/pc80/mc146818rtc_early.c | 51 +++++++++++++++++++++++++-----------
1 file changed, 36 insertions(+), 15 deletions(-)
diff --git a/src/drivers/pc80/mc146818rtc_early.c b/src/drivers/pc80/mc146818rtc_early.c index 421af2f..6efb2e8 100644 --- a/src/drivers/pc80/mc146818rtc_early.c +++ b/src/drivers/pc80/mc146818rtc_early.c @@ -12,6 +12,9 @@ #error "CONFIG_MAX_REBOOT_CNT too high" #endif
+#define RTC_BOOT_TRY_NORMAL 0x1 +#define RTC_BOOT_LAST_WAS_NORMAL_AND_REACHED_PAYLOAD 0x2 + static int cmos_error(void) { unsigned char reg_d; @@ -67,29 +70,47 @@ static inline __attribute__((unused)) int do_normal_boot(void) /* The RTC_BOOT_BYTE is now o.k. see where to go. */ byte = cmos_read(RTC_BOOT_BYTE);
+ /* If booting past the bootblock is all that is required + * to reset the failed boot checks, then clear the boot + * count. This code must execute before any of the boot + * count checks below to function correctly. + */ if (!IS_ENABLED(CONFIG_SKIP_MAX_REBOOT_CNT_CLEAR)) - /* Are we in normal mode? */ - if (byte & 1) + /* Are we attempting to boot normally? */ + if (byte & RTC_BOOT_TRY_NORMAL) byte &= 0x0f; /* yes, clear the boot count */
- /* Properly set the last boot flag */ - byte &= 0xfc; - if ((byte >> 4) < CONFIG_MAX_REBOOT_CNT) { - byte |= (1<<1); - } - - /* Are we already at the max count? */ - if ((byte >> 4) < CONFIG_MAX_REBOOT_CNT) { - byte += 1 << 4; /* No, add 1 to the count */ - } - else { - byte &= 0xfc; /* Yes, put in fallback mode */ + /* Are we attempting to boot normally? */ + if (byte & RTC_BOOT_TRY_NORMAL) { + /* Properly set the last boot flag */ + byte &= 0xfc; + if ((byte >> 4) < CONFIG_MAX_REBOOT_CNT) { + byte |= RTC_BOOT_LAST_WAS_NORMAL_AND_REACHED_PAYLOAD; + } + + /* Are we already at the max count? */ + if ((byte >> 4) < CONFIG_MAX_REBOOT_CNT) { + byte += 1 << 4; /* No, add 1 to the count */ + } + else { + byte &= 0xfc; /* Yes, put in fallback mode */ + } }
/* Save the boot byte */ cmos_write(byte, RTC_BOOT_BYTE);
- return (byte & (1<<1)); + /* Return selected code path for this boot attempt + * If a boot path was selected and we successfully reach + * the payload, the last boot state bit will indicate + * which code path was taken. + * + * In other words, RTC_BOOT_LAST_WAS_NORMAL_AND_REACHED_PAYLOAD + * has final and absolute say on which code path to take. + * RTC_BOOT_TRY_NORMAL is only a request to try normal boot if + * possible (i.e. the payload can be reached via normal boot). + */ + return (byte & RTC_BOOT_LAST_WAS_NORMAL_AND_REACHED_PAYLOAD); }
unsigned read_option_lowlevel(unsigned start, unsigned size, unsigned def)
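Review bot: The two RTC_BOOT_* defines added in the first hunk (@@ -12,6 +12,9 @@) carry no comment describing the layout of RTC_BOOT_BYTE, and the same byte is still manipulated in the second hunk with the literal masks 0xfc and 0x0f and a shift by 4. A short comment next to the defines stating that bit 0 is the boot request, bit 1 the last-boot state and the upper nibble the failed boot count, together with named masks for the flag bits and the count field, would let a reader check every mask against one definition.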
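Review bot: In do_normal_boot() (second hunk, @@ -67,29 +70,47 @@), when RTC_BOOT_TRY_NORMAL is clear the whole `if (byte & RTC_BOOT_TRY_NORMAL) { ... }` block is skipped, so the byte is written back unchanged and the return value is whatever RTC_BOOT_LAST_WAS_NORMAL_AND_REACHED_PAYLOAD already held in CMOS. Nothing in this hunk clears that bit on the fallback path, so if it is still set from an earlier normal boot the function returns non-zero even though fallback was requested, which is the case the commit message sets out to fix. Consider an else branch before the cmos_write() that clears it, e.g. `byte &= ~RTC_BOOT_LAST_WAS_NORMAL_AND_REACHED_PAYLOAD;`. Separately, the two identical `(byte >> 4) < CONFIG_MAX_REBOOT_CNT` tests inside the block could be merged into a single if/else.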