Am 15.11.2011 23:42, schrieb Guillaume Knispel:
We can't put the fallback at the beginning of the image because that area can't be locked on the chip we are using. (SST25VF016B)
Thanks! That was the missing part in your scenario. Most current chips support sector granularity (usually 4kb, sometimes rather weird combinations of different sizes).
Current idea under consideration: Modify CBFS to work from top to bottom. That way, you could place all immutable data at the beginning of the chain (ie. top-most). That way all kind of headers, as well as fallback-versions of code, can be in the protected area. If updates fail, some mechanism (counter in nvram, jumper, ...) can be used to tell the bootblock to use the fallback version.
Of course, this is a rather severe change, but actually not that hard in implementation: a couple of additions replaced by subtraction, and different exit conditions. As it also affects payload compatibility (libpayload and seabios at least), it requires some thought.
The only option I see to lock down your system (given that chip) that won't change the format will introduce a much more complex CBFS evaluator: In the easiest case, it would walk the entire flash and return the _last_ occurrence of the requested file name. As it can't trust any file headers, it would have to look for headers in 16byte increments. That's not really a useful solution. ;-)
Regards, Patrick