This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

[FAQ] Redundant boot from eMMC boot partitions on AM62x

1. booting from eMMC boot partition vs UDA partition
It is recommended to use eMMC boot partition for user's BootLoader (BL)
- eMMC boot partition is designed for bootloader user case
- it is possible to write-protect boot0/boot1 as necessary
- eMMC boot partition (boot0/boot1) are useful for SW update process for bootloader swapping
- ...

2. boot0/boot1 redundant boot auto-switch support by ROM
On eMMC boot mode, from which boot partition (boot0 or boot1) to boot eMMC depends on eMMC EXTCSD register[179], which adds external dependency for ROM to support redundant boot from eMMC boot partitions, and auto-switch between boot0/boot1 in case of boot failure is not currently supported in AM62x ROM.

The FAQ discusses one workaround option for switching between eMMC boot partitions (boot0/boot1) to support redundant boot with addition of backup boot media (i.e. SPI).

  • The FAQ discusses a POC idea to support a robust boot strategy with a combination of primary boot media (+redundancy) + secondary boot media.
    Boot media configuration by BOOTMODE pins
    - primary boot media: eMMC boot partition (boot0/boot1) for regular BL
    - secondary backup boot media: SPI as an example for failure recovery management SW

    User scenario:
    - flash eMMC boot partition (boot0 & boot1) with regular BL, and configure eMMC EXTCSD register[179] to boot from boot0
    - flash failure recovery SW to SPI
    - ROM moves to backup boot media (i.e. SPI) in case ROM integrity check fails on BL from the current eMMC boot partition
    - recovery SW on SPI boots, and reconfigurs eMMC EXTCSD register[179] to boot from boot1, and issue SoC WarmReset
    - BL boots from eMMC boot1


    POC test log on AM62x-SK:
    a/. flashing
    - BOOTMODE[15:0]=0243 for SD boot
    - boot u-boot from SD card
    - flash u-boot from SDK 8.6 on SD to eMMC boot0 partition
    - configure eMMC EXTCSD register[179] to boot from boot0 by running "mmc partconf 0 1 1 1" cmd @u-boot
    - flash u-boot from SDK 8.6 on SD to OSPI-NOR
    - flash u-boot from SDK 9.0 on SD to eMMC boot1 partition

    b/. boot from eMMC boot partition (boot0)
    - reconfigure BOOTMODE[15:0]=0x18CB (eMMC boot partition + SPI) @u-boot
    - reset @u-boot
    - u-boot boots from boot0
    - stop @u-boot
    - erase tiboot3.bin from boot0 @u-boot
    - reset

    c/. reboot from SPI
    - ROM check integrity on tiboot3.bin from eMMC boot0
    - ROM falls through to boot from SPI
    - u-boot boots from SPI
    - stop @u-boot
    - reconfigurs eMMC EXTCSD register[179] to boot from boot1 by running "mmc partconf 0 1 2 1" cmd @u-boot
    - reset

    d/. reboot from boot1
    - u-boot boots from eMMC boot1

    Reference
    [1] [FAQ] AM64x/AM62x SoC redundant/recovery boot support in ROM booting R5 bootloader
    e2e.ti.com/.../faq-am64x-am62x-soc-redundant-recovery-boot-support-in-rom-booting-r5-bootloader

    [2] Re-configuring BOOTMODE[15:0] for ROM to load R5-BL by modifying CM register + WarmReset in SW
    In "5.2.3 Boot Process Flow in AM62x TRM"
    "The values of BOOTMODE[15:0] pins are latched into the Device Status register CTRLMMR_MAIN_DEVSTAT[15:0] by hardware as the device comes out of global cold reset, sampled after MCU_PORz deassertion."
    One option is listed below (referring to the above attached log) to reconfigure BOOTMODE[15:0] pins by modifying CM register + WarmReset in SW
    @u-boot
    - re-configure CTRLMMR_MAIN_DEVSTAT register @0x43000030
    - issue "reset", which is essentially SoC WARM_RESET
    => Upon SoC reboot from WarmReset, ROM
    - read the modified CTRLMMR_MAIN_DEVSTAT register as BOOTMODE[15:0]
    - load the R5-BL from the boot media specified by the the modified CTRLMMR_MAIN_DEVSTAT register.

    am62x_eMMC_SPI_flash_boot.log
    U-Boot SPL 2021.01-g2ee8efd654 (Feb 24 2023 - 05:52:36 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.6.4--v08.06.04 (Chill Capybar')
    SPL initial stack usage: 13424 bytes
    Trying to boot from MMC2
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Loading Environment from MMC... *** Warning - No MMC card found, using default environment
    
    Starting ATF on ARM64 core...
    
    NOTICE:  BL31: v2.8(release):v2.8-226-g2fcd408bb3-dirty
    NOTICE:  BL31: Built : 05:06:58, Feb 24 2023
    
    U-Boot SPL 2021.01-g2ee8efd654 (Feb 24 2023 - 05:29:33 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.6.4--v08.06.04 (Chill Capybar')
    Trying to boot from MMC2
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    
    
    U-Boot 2021.01-g2ee8efd654 (Feb 24 2023 - 05:29:33 +0000)
    
    SoC:   AM62X SR1.0 GP
    Model: Texas Instruments AM625 SK
    EEPROM not available at 0x50, trying to read at 0x51
    Board: AM62-SKEVM rev E2
    DRAM:  2 GiB
    MMC:   mmc@fa10000: 0, mmc@fa00000: 1, mmc@fa20000: 2
    Loading Environment from MMC... *** Warning - bad CRC, using default environment
    
    In:    serial@2800000
    Out:   serial@2800000
    Err:   serial@2800000
    Net:   eth0: ethernet@8000000port@1
    Hit any key to stop autoboot:  2  0 
    => mmc list
    mmc@fa10000: 0 (eMMC)
    mmc@fa00000: 1
    mmc@fa20000: 2
    => mmc dev 0 1
    switch to partitions #1, OK
    mmc0(part 1) is current device
    => load mmc 1 ${loadaddr} tiboot3.bin
    332430 bytes read in 7 ms (45.3 MiB/s)
    => mmc write ${loadaddr} 0x0 0x400
    
    MMC write: dev # 0, block # 0, count 1024 ... 1024 blocks written: OK
    => sf probe
    SF: Detected s28hs512t with page size 256 Bytes, erase size 256 KiB, total 64 MiB
    => sf update $loadaddr 0x0 $filesize
    device 0 offset 0x0, size 0x5128e
    
    0 bytes written, 332430 bytes skipped in 0.15s, speed 17916227 B/s
    => load mmc 1 ${loadaddr} tispl.bin
    961988 bytes read in 14 ms (65.5 MiB/s)
    => mmc write ${loadaddr} 0x400 0x1000.
    
    MMC write: dev # 0, block # 1024, count 4096 ... 4096 blocks written: OK
    => sf update $loadaddr 0x80000 $filesize
    device 0 offset 0x80000, size 0xeadc4
    
    0 bytes written, 961988 bytes skipped in 0.32s, speed 28145020 B/s
    => load mmc 1 ${loadaddr} u-boot.img
    897880 bytes read in 14 ms (61.2 MiB/s)
    => mmc write ${loadaddr} 0x1400 0x2000
    
    MMC write: dev # 0, block # 5120, count 8192 ... 8192 blocks written: OK
    => sf update $loadaddr 0x280000 $filesize
    device 0 offset 0x280000, size 0xdb358
    
    0 bytes written, 897880 bytes skipped in 0.32s, speed 26269403 B/s
    => mmc dev 0 2
    switch to partitions #2, OK
    mmc0(part 2) is current device
    => ls mmc 1 am62_9.0.0.7
                ./
                ../
       291205   tiboot3-am62x-gp-evm.bin
       293794   tiboot3-am62x-hs-evm.bin
       293794   tiboot3-am62x-hs-fs-evm.bin
      1138011   tispl.bin
       962779   u-boot.img
    
    5 file(s), 2 dir(s)
    
    => load mmc 1 ${loadaddr} am62_9.0.0.7/tiboot3-am62x-gp-evm.bin
    291205 bytes read in 8 ms (34.7 MiB/s)
    => mmc write ${loadaddr} 0x0 0x400
    
    MMC write: dev # 0, block # 0, count 1024 ... 1024 blocks written: OK
    => load mmc 1 ${loadaddr} am62_9.0.0.7/tispl.bin
    1138011 bytes read in 17 ms (63.8 MiB/s)
    => mmc write ${loadaddr} 0x400 0x1000
    
    MMC write: dev # 0, block # 1024, count 4096 ... 4096 blocks written: OK
    => load mmc 1 ${loadaddr} am62_9.0.0.7/u-boot.img
    962779 bytes read in 16 ms (57.4 MiB/s)
    => mmc write ${loadaddr} 0x1400 0x2000
    
    MMC write: dev # 0, block # 5120, count 8192 ... 8192 blocks written: OK
    => mmc partconf 0 1 1 1
    => mmc bootbus 0 2 0 0
    => md.l 0x43000030 1
    43000030: 00000243                               C...
    => mw.l 0x43000030 0x18CB
    => md.l 0x43000030 1
    43000030: 000018cb                               ....
    => reset
    resetting ...
    
    U-Boot SPL 2021.01-g2ee8efd654 (Feb 24 2023 - 05:52:36 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.6.4--v08.06.04 (Chill Capybar')
    SPL initial stack usage: 13424 bytes
    Trying to boot from MMC1
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Loading Environment from MMC... *** Warning - bad CRC, using default environment
    
    init_env from device 9 not supported!
    Starting ATF on ARM64 core...
    
    NOTICE:  BL31: v2.8(release):v2.8-226-g2fcd408bb3-dirty
    NOTICE:  BL31: Built : 05:06:58, Feb 24 2023
    
    U-Boot SPL 2021.01-g2ee8efd654 (Feb 24 2023 - 05:29:33 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.6.4--v08.06.04 (Chill Capybar')
    Trying to boot from MMC1
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    
    
    U-Boot 2021.01-g2ee8efd654 (Feb 24 2023 - 05:29:33 +0000)
    
    SoC:   AM62X SR1.0 GP
    Model: Texas Instruments AM625 SK
    EEPROM not available at 0x50, trying to read at 0x51
    Board: AM62-SKEVM rev E2
    DRAM:  2 GiB
    MMC:   mmc@fa10000: 0, mmc@fa00000: 1, mmc@fa20000: 2
    Loading Environment from MMC... *** Warning - bad CRC, using default environment
    
    In:    serial@2800000
    Out:   serial@2800000
    Err:   serial@2800000
    Net:   eth0: ethernet@8000000port@1
    Hit any key to stop autoboot:  2  0 
    => mmc dev 0 1
    switch to partitions #1, OK
    mmc0(part 1) is current device
    => mmc read ${loadaddr} 0x0 0x100
    
    MMC read: dev # 0, block # 0, count 256 ... 256 blocks read: OK
    => md.b ${loadaddr} 0x100
    82000000: 30 82 04 94 30 82 03 fd a0 03 02 01 02 02 14 2f    0...0........../
    82000010: 1b f7 6b 4c ef 63 65 52 32 b2 c7 33 b6 62 d0 1f    ..kL.ceR2..3.b..
    82000020: db ed 06 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0d    ...0...*.H......
    82000030: 05 00 30 81 9d 31 0b 30 09 06 03 55 04 06 13 02    ..0..1.0...U....
    82000040: 55 53 31 0b 30 09 06 03 55 04 08 0c 02 54 58 31    US1.0...U....TX1
    82000050: 0f 30 0d 06 03 55 04 07 0c 06 44 61 6c 6c 61 73    .0...U....Dallas
    82000060: 31 27 30 25 06 03 55 04 0a 0c 1e 54 65 78 61 73    1'0%..U....Texas
    82000070: 20 49 6e 73 74 72 75 6d 65 6e 74 73 20 49 6e 63     Instruments Inc
    82000080: 6f 72 70 6f 72 61 74 65 64 31 13 30 11 06 03 55    orporated1.0...U
    82000090: 04 0b 0c 0a 50 72 6f 63 65 73 73 6f 72 73 31 13    ....Processors1.
    820000a0: 30 11 06 03 55 04 03 0c 0a 54 49 20 53 75 70 70    0...U....TI Supp
    820000b0: 6f 72 74 31 1d 30 1b 06 09 2a 86 48 86 f7 0d 01    ort1.0...*.H....
    820000c0: 09 01 16 0e 73 75 70 70 6f 72 74 40 74 69 2e 63    ....support@ti.c
    820000d0: 6f 6d 30 1e 17 0d 32 33 30 32 32 34 30 35 35 34    om0...2302240554
    820000e0: 31 33 5a 17 0d 32 33 30 33 32 36 30 35 35 34 31    13Z..23032605541
    820000f0: 33 5a 30 81 9d 31 0b 30 09 06 03 55 04 06 13 02    3Z0..1.0...U....
    => mmc erase 0 0x400
    
    MMC erase: dev # 0, block # 0, count 1024 ... 1024 blocks erased: OK
    => mmc read ${loadaddr} 0x0 0x100
    
    MMC read: dev # 0, block # 0, count 256 ... 256 blocks read: OK
    => md.b ${loadaddr} 0x100
    82000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    82000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    820000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    820000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    820000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    820000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    820000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    820000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
    => reset
    resetting ...
    
    U-Boot SPL 2021.01-g2ee8efd654 (Feb 24 2023 - 05:52:36 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.6.4--v08.06.04 (Chill Capybar')
    SPL initial stack usage: 13424 bytes
    Trying to boot from SPI
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Loading Environment from MMC... *** Warning - No MMC card found, using default environment
    
    Starting ATF on ARM64 core...
    
    NOTICE:  BL31: v2.8(release):v2.8-226-g2fcd408bb3-dirty
    NOTICE:  BL31: Built : 05:06:58, Feb 24 2023
    
    U-Boot SPL 2021.01-g2ee8efd654 (Feb 24 2023 - 05:29:33 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.6.4--v08.06.04 (Chill Capybar')
    Trying to boot from SPI
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    
    
    U-Boot 2021.01-g2ee8efd654 (Feb 24 2023 - 05:29:33 +0000)
    
    SoC:   AM62X SR1.0 GP
    Model: Texas Instruments AM625 SK
    EEPROM not available at 0x50, trying to read at 0x51
    Board: AM62-SKEVM rev E2
    DRAM:  2 GiB
    MMC:   mmc@fa10000: 0, mmc@fa00000: 1, mmc@fa20000: 2
    Loading Environment from MMC... *** Warning - bad CRC, using default environment
    
    In:    serial@2800000
    Out:   serial@2800000
    Err:   serial@2800000
    Net:   eth0: ethernet@8000000port@1
    Hit any key to stop autoboot:  2  0 
    => md.l 0x43000030 1
    43000030: 000018cb                               ....
    => mmc partconf 0 1 2 1
    => reset
    resetting ...
    
    U-Boot SPL 2023.04-g756ba776d4 (Jul 13 2023 - 05:36:12 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.5--v09.00.05 (Kool Koala)')
    SPL initial stack usage: 13376 bytes
    Trying to boot from MMC1
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Starting ATF on ARM64 core...
    
    NOTICE:  BL31: v2.8(release):v2.8-226-g2fcd408bb3-dirty
    NOTICE:  BL31: Built : 00:42:57, Jan 13 2023
    
    U-Boot SPL 2023.04-g756ba776d4 (Jul 13 2023 - 05:36:12 +0000)
    SYSFW ABI: 3.1 (firmware rev 0x0009 '9.0.5--v09.00.05 (Kool Koala)')
    SPL initial stack usage: 1856 bytes
    Error (-2): cannot determine file size
    Trying to boot from MMC1
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    Warning: Detected image signing certificate on GP device. Skipping certificate to prevent boot failure. This will fail if the image was also encrypted
    
    
    U-Boot 2023.04-g756ba776d4 (Jul 13 2023 - 05:36:12 +0000)
    
    SoC:   AM62X SR1.0 GP
    Model: Texas Instruments AM625 SK
    EEPROM not available at 80, trying to read at 81
    Board: AM62-SKEVM rev E2
    DRAM:  2 GiB
    Core:  71 devices, 31 uclasses, devicetree: separate
    MMC:   mmc@fa10000: 0, mmc@fa00000: 1
    Loading Environment from nowhere... OK
    In:    serial
    Out:   serial
    Err:   serial
    Net:   eth0: ethernet@8000000port@1
    Hit any key to stop autoboot:  2  0 
    => md.l 0x43000030 1
    43000030: 000018cb                             ....
    =>