Over the air (OTA) programming can be used to distribute computer-executable instructions, software, updates, and other code to devices such as smartphones, wearable computing devices, set-top boxes, personal computers, and other computing platforms over a network connection. Similarly, device firmware updates can be distributed to devices using a firmware over the air (FOTA) process.
This Background is provided to introduce a brief context for the Summary and Detailed Description that follow. This Background is not intended to be an aid in determining the scope of the claimed subject matter nor be viewed as limiting the claimed subject matter to implementations that solve any or all of the disadvantages or problems presented above.
Variables utilized in device firmware that provides various boot and runtime services are repaved in a fault-tolerant manner within a secure store in a durable, non-volatile device memory during an FOTA update process. A spare region in the secure store is utilized to temporarily hold a back-up of a primary region in which the firmware variables are written. Using a transaction-based fault-tolerant write (FTW) process, the variables in the primary region can be repaved with variables contained in a firmware update payload that is delivered from a remote service. In the event of a fault in the variable region repaving process, either the primary or spare region will remain valid so that firmware in a known good state can be utilized to enable the device to boot successfully and the variable region repaving in the FOTA update process may be restarted.
In various illustrative examples, a Unified Extensible Firmware Interface (UEFI) that conforms to a specification maintained by the Unified EFI Forum provides an interface between device firmware and the device's operating system (OS). In addition to its conventional role of providing an initial system configuration for the device and loading the OS, the UEFI is extended to enable modifications to a secure store so that UEFI variables can be repaved in a fault-tolerant process during an FOTA update. The UEFI variables store various kinds of information including configuration setup, vendor/OEM (original equipment manufacturer) data, language information, input/output and error handling interfaces, and boot order, among other information. A device may be optionally configured with one or more switches that can be set to selectively enable or disable the fault-tolerant variable region repaving. In addition, a firmware update payload can include a whitelist of UEFI variables that can be preserved during repaving. A cryptographic process may also be utilized in which the incoming firmware update payload is validated prior to UEFI variable region repaving.
Advantageously, the fault-tolerant UEFI variable region repaving during an FOTA update process addresses limitations of current firmware update processes in which re-provisioning of the non-volatile UEFI variable store is not supported. By extending UEFI to enable the variables to be repaved in the non-volatile store in a fault-tolerant manner, firmware updates can be efficiently and effectively provisioned over the air while ensuring that a known good boot state is always available. Such capability provides additional flexibility in keeping devices up to date after leaving the factory environment and being deployed in the field.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter. Furthermore, the claimed subject matter is not limited to implementations that solve any or all disadvantages noted in any part of this disclosure. It will be appreciated that the above-described subject matter may be implemented as a computer-controlled apparatus, a computer process, a computing system, or as an article of manufacture such as one or more computer-readable storage media. These and various other features will be apparent from a reading of the following Detailed Description and a review of the associated drawings.
Like reference numerals indicate like elements in the drawings. Elements are not drawn to scale unless otherwise indicated.
The network 115 can include any of a variety of network types and network infrastructure in various combinations or sub-combinations including cellular networks, satellite networks, IP (Internet-Protocol) networks such as Wi-Fi under IEEE 802.11 and Ethernet networks under IEEE 802.3, a public switched telephone network (PSTN), short range networks such as Bluetooth® networks, and/or near field communications (NFC) networks. The network infrastructure can be supported, for example, by mobile operators, enterprises, Internet service providers (ISPs), telephone service providers, data service providers, and the like.
The devices 110 can support voice telephony capabilities in some cases and typically support data-consuming applications such as Internet browsing and multimedia (e.g., music, video, etc.) consumption in addition to various other features. The devices 110 may include, for example, user equipment, mobile phones, cell phones, feature phones, tablet computers, and smartphones which users often employ to make and receive voice and/or multimedia (i.e., video) calls, engage in messaging (e.g., texting) and email communications, use applications and access services that employ data, browse the World Wide Web, and the like.
Other types of electronic devices are also envisioned to be usable within the environment 100 including handheld computing devices, PDAs (personal digital assistants), portable media players, devices that use headsets and earphones (e.g., Bluetooth-compatible devices), phablet devices (i.e., combination smartphone/tablet devices), wearable computing devices such as head-mounted display (HMD) systems and smartwatches, embedded systems such as navigation devices like GPS (Global Positioning System) systems, laptop PCs, desktop PCs, multimedia consoles, gaming systems, smart appliances and televisions, the Internet-of-Things (TOT) devices, or the like. In the discussion that follows, the use of the term “device” is intended to cover all devices that are configured with communication capabilities and are capable of connectivity to the communications network 115.
The various devices 110 in the environment 100 can support different features, functionalities, and capabilities (here referred to generally as “features”). Some of the features supported on a given device can be similar to those supported on others, while other features may be unique to a given device. The degree of overlap and/or distinctiveness among features supported on the various devices 110 can vary by implementation. For example, some devices 110 can support touch controls, gesture recognition, and voice commands, while others may enable a more limited user interface. Some devices may support video consumption and Internet browsing, while other devices may support more limited media handling and network interface features.
Accessory devices 114, such as wristbands and other wearable systems may also be present in the environment 100. Such accessory device 114 typically is adapted to interoperate with a coupled device 110 using a short range communication protocol like Bluetooth to support functions such as monitoring of the wearer's physiology (e.g., heart rate, steps taken, calories burned, etc.) and environmental conditions (temperature, humidity, ultra-violet (UV) levels, etc.), and surfacing notifications from the coupled device 110. Some accessory devices can be configured to work on a standalone basis (i.e., without relying on a coupled device 110 for functionality such as Internet connectivity) as wearable computing devices that may support an operating system and applications.
In this particular example, the firmware interface 210 is implemented with UEFI and is configured to be compliant with the specifications published by the Unified EFI Forum. An FOTA delivery process (as indicated by reference numeral 225) provides a firmware update payload 230 from the remote firmware update service 130 over a network (not shown), typically in accordance with the Update Capsule runtime function defined in the UEFI specification. In alternative implementations, other firmware interfaces that meet other standards or protocols may also be extended to support fault-tolerant variable region repaving during FOTA updates, as described herein. The UEFI 210 provides a general framework with which a boot manager 245 and UEFI applications 250 can provide various boot services 255 and runtime services 260. UEFI has succeeded BIOS (basic input/output system) as the standard firmware on many computing platforms that is configured to initialize the hardware 220 and then boot the device into the main OS 205.
A firmware update driver 262 is utilized to modify firmware by repaving the UEFI variables, as discussed below. The driver 262 may be implemented as a UEFI DXE (Driver Execution Environment) driver. In alternative implementations, the functionality provided by the driver 262 can be incorporated into the boot manager 245 or UEFI applications 250 instead of being instantiated as a separate component in the UEFI 210.
The boot services 255 can include procedures to enable UEFI Secure Boot using the firmware that adds security to the boot process. Systems which support UEFI Secure Boot maintain an internal security database within UEFI variables 265. These UEFI variables 265 are typically stored in non-volatile storage 240 that is configured with hardware protection against modification by unauthorized parties. The non-volatile storage 240 also includes one-time programmable (OTP) fuses 270 which are used to store a hash of a public-key used for cryptographic validation, as discussed below in the text accompanying
The secure non-volatile memory 400 (e.g., SPI Flash, eMMC) is represented in
In step 515, if step 505 is successful, then the working store 415 in the primary region 405 is erased. If step 505 is successful, then a valid copy of the variables and working store are contained in both the primary region 405 and spare region 410. At decision block 520, if a fault during or after step 515 is detected (e.g., by the driver being able to clean the first bit of the working region), then in step 525, the intact spare region 410 is copied back into the primary region 405, the system is reset, and the variable region repaving in the FOTA update process can be restarted in a subsequent boot.
In step 530, the variable records in the primary region 405 are erased. If step 530 is successful, then a valid copy of the variables and working store are contained in the spare region 410. At decision block 535, if a fault occurs during step 530, then in step 540, the FOTA update process is gracefully aborted, the intact spare region 410 is copied back into the primary region 405, the system is reset, and the variable region repaving in the FOTA update process can be restarted in a subsequent boot.
In step 545, the variable records are copied from the incoming firmware update payload 230 (
In step 570, the spare region 410 is erased. If step 570 is completed successfully, then the FOTA update process is complete since the repaving of the variables in the primary region with updated information from the firmware update payload is typically the last step of the FOTA update process, as noted above. At decision block 575, if a fault occurs in step 570, then in step 580 the working store 415 in the primary region 405 may be gracefully initialized and normal device operation can resume.
Various options that may be implemented for fault-tolerant variable region repaving as part of an FOTA update process are now presented.
The switches 600 include a firmware version 605 and a reinitialize variable 610 named “ReinitializeUefiVariables” in this example. The firmware version 605 stores a version number, for example the BIOS security version number (SVN) called “Critical_SVN” in this example. The version of the existing firmware on the device may be compared to the version of the firmware in the incoming firmware update payload. If the device firmware has an SVN that is older than that of the update, then the variable region can be repaved using the method 500 shown in
A number of program modules may be stored on the hard disk, magnetic disk 1233, optical disk 1243, ROM 1217, or RAM 1221, including an operating system 1255, one or more application programs 1257, other program modules 1260, and program data 1263. A user may enter commands and information into the computer system 1200 through input devices such as a keyboard 1266 and pointing device 1268 such as a mouse. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, trackball, touchpad, touchscreen, touch-sensitive device, voice-command module or device, user motion or user gesture capture device, or the like. These and other input devices are often connected to the processor 1205 through a serial port interface 1271 that is coupled to the system bus 1214, but may be connected by other interfaces, such as a parallel port, game port, or universal serial bus (USB). A monitor 1273 or other type of display device is also connected to the system bus 1214 via an interface, such as a video adapter 1275. In addition to the monitor 1273, personal computers typically include other peripheral output devices (not shown), such as speakers and printers. The illustrative example shown in
The computer system 1200 is operable in a networked environment using logical connections to one or more remote computers, such as a remote computer 1288. The remote computer 1288 may be selected as another personal computer, a server, a router, a network PC, a peer device, or other common network node, and typically includes many or all of the elements described above relative to the computer system 1200, although only a single representative remote memory/storage device 1290 is shown in
When used in a LAN networking environment, the computer system 1200 is connected to the local area network 1293 through a network interface or adapter 1296. When used in a WAN networking environment, the computer system 1200 typically includes a broadband modem 1298, network gateway, or other means for establishing communications over the wide area network 1295, such as the Internet. The broadband modem 1298, which may be internal or external, is connected to the system bus 1214 via a serial port interface 1271. In a networked environment, program modules related to the computer system 1200, or portions thereof, may be stored in the remote memory storage device 1290. It is noted that the network connections shown in
The architecture 1300 illustrated in
The mass storage device 1312 is connected to the CPU 1302 through a mass storage controller (not shown) connected to the bus 1310. The mass storage device 1312 and its associated computer-readable storage media provide non-volatile storage for the architecture 1300.
Although the description of computer-readable storage media contained herein refers to a mass storage device, such as a hard disk or CD-ROM drive, it should be appreciated by those skilled in the art that computer-readable storage media can be any available storage media that can be accessed by the architecture 1300.
By way of example, and not limitation, computer-readable storage media may include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules, or other data. For example, computer-readable media includes, but is not limited to, RAM, ROM, EPROM (erasable programmable read only memory), EEPROM (electrically erasable programmable read only memory), Flash memory or other solid state memory technology, CD-ROM, DVDs, HD-DVD (High Definition DVD), Blu-ray, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the architecture 1300.
According to various embodiments, the architecture 1300 may operate in a networked environment using logical connections to remote computers through a network. The architecture 1300 may connect to the network through a network interface unit 1316 connected to the bus 1310. It should be appreciated that the network interface unit 1316 also may be utilized to connect to other types of networks and remote computer systems. The architecture 1300 also may include an input/output controller 1318 for receiving and processing input from a number of other devices, including a keyboard, mouse, or electronic stylus (not shown in
It should be appreciated that the software components described herein may, when loaded into the CPU 1302 and executed, transform the CPU 1302 and the overall architecture 1300 from a general-purpose computing system into a special-purpose computing system customized to facilitate the functionality presented herein. The CPU 1302 may be constructed from any number of transistors or other discrete circuit elements, which may individually or collectively assume any number of states. More specifically, the CPU 1302 may operate as a finite-state machine, in response to executable instructions contained within the software modules disclosed herein. These computer-executable instructions may transform the CPU 1302 by specifying how the CPU 1302 transitions between states, thereby transforming the transistors or other discrete hardware elements constituting the CPU 1302.
Encoding the software modules presented herein also may transform the physical structure of the computer-readable storage media presented herein. The specific transformation of physical structure may depend on various factors, in different implementations of this description. Examples of such factors may include, but are not limited to, the technology used to implement the computer-readable storage media, whether the computer-readable storage media is characterized as primary or secondary storage, and the like. For example, if the computer-readable storage media is implemented as semiconductor-based memory, the software disclosed herein may be encoded on the computer-readable storage media by transforming the physical state of the semiconductor memory. For example, the software may transform the state of transistors, capacitors, or other discrete circuit elements constituting the semiconductor memory. The software also may transform the physical state of such components in order to store data thereupon.
As another example, the computer-readable storage media disclosed herein may be implemented using magnetic or optical technology. In such implementations, the software presented herein may transform the physical state of magnetic or optical media, when the software is encoded therein. These transformations may include altering the magnetic characteristics of particular locations within given magnetic media. These transformations also may include altering the physical features or characteristics of particular locations within given optical media to change the optical characteristics of those locations. Other transformations of physical media are possible without departing from the scope and spirit of the present description, with the foregoing examples provided only to facilitate this discussion.
In light of the above, it should be appreciated that many types of physical transformations take place in the architecture 1300 in order to store and execute the software components presented herein. It also should be appreciated that the architecture 1300 may include other types of computing devices, including handheld computers, embedded computer systems, smartphones, PDAs, and other types of computing devices known to those skilled in the art. It is also contemplated that the architecture 1300 may not include all of the components shown in
The illustrated device 110 can include a controller or processor 1410 (e.g., signal processor, microprocessor, microcontroller, ASIC (Application Specific Integrated Circuit), or other control and processing logic circuitry) for performing such tasks as signal coding, data processing, input/output processing, power control, and/or other functions. An operating system 1412 can control the allocation and usage of the components 1402, including power states, above-lock states, and below-lock states, and provides support for one or more application programs 1414. The application programs can include common mobile computing applications (e.g., image-capture applications, email applications, calendars, contact managers, web browsers, messaging applications), or any other computing application.
The illustrated device 110 can include memory 1420. Memory 1420 can include non-removable memory 1422 and/or removable memory 1424. The non-removable memory 1422 can include RAM, ROM, Flash memory, a hard disk, or other well-known memory storage technologies. The removable memory 1424 can include Flash memory or a Subscriber Identity Module (SIM) card, which is well known in GSM (Global System for Mobile communications) systems, or other well-known memory storage technologies, such as “smart cards.” The memory 1420 can be used for storing data and/or code for running the operating system 1412 and the application programs 1414. Example data can include web pages, text, images, sound files, video data, or other data sets to be sent to and/or received from one or more network servers or other devices via one or more wired or wireless networks.
The memory 1420 may also be arranged as, or include, one or more computer-readable storage media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. For example, computer-readable media includes, but is not limited to, RAM, ROM, EPROM, EEPROM, Flash memory or other solid state memory technology, CD-ROM (compact-disc ROM), DVD, (Digital Versatile Disc) HD-DVD (High Definition DVD), Blu-ray, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the device 110.
The memory 1420 can be used to store a subscriber identifier, such as an International Mobile Subscriber Identity (IMSI), and an equipment identifier, such as an International Mobile Equipment Identifier (IMEI). Such identifiers can be transmitted to a network server to identify users and equipment. The device 110 can support one or more input devices 1430; such as a touchscreen 1432; microphone 1434 for implementation of voice input for voice recognition, voice commands and the like; camera 1436; physical keyboard 1438; trackball 1440; and/or proximity sensor 1442; and one or more output devices 1450, such as a speaker 1452 and one or more displays 1454. Other input devices (not shown) using gesture recognition may also be utilized in some cases. Other possible output devices (not shown) can include piezoelectric or haptic output devices. Some devices can serve more than one input/output function. For example, touchscreen 1432 and display 1454 can be combined into a single input/output device.
A wireless modem 1460 can be coupled to an antenna (not shown) and can support two-way communications between the processor 1410 and external devices, as is well understood in the art. The modem 1460 is shown generically and can include a cellular modem for communicating with the mobile communication network 1404 and/or other radio-based modems (e.g., Bluetooth 1464 or Wi-Fi 1462). The wireless modem 1460 is typically configured for communication with one or more cellular networks, such as a GSM network for data and voice communications within a single cellular network, between cellular networks, or between the device and a public switched telephone network (PSTN).
The device can further include at least one input/output port 1480, a power supply 1482, a satellite navigation system receiver 1484, such as a GPS receiver, an accelerometer 1486, a gyroscope (not shown), and/or a physical connector 1490, which can be a USB port, IEEE 1394 (FireWire) port, and/or an RS-232 port. The illustrated components 1402 are not required or all-inclusive, as any components can be deleted and other components can be added.
A graphics processing unit (GPU) 1508 and a video encoder/video codec (coder/decoder) 1514 form a video processing pipeline for high speed and high resolution graphics processing. Data is carried from the GPU 1508 to the video encoder/video codec 1514 via a bus. The video processing pipeline outputs data to an A/V (audio/video) port 1540 for transmission to a television or other display. A memory controller 1510 is connected to the GPU 1508 to facilitate processor access to various types of memory 1512, such as, but not limited to, a RAM.
The multimedia console 1500 includes an I/O controller 1520, a system management controller 1522, an audio processing unit 1523, a network interface controller 1524, a first USB (Universal Serial Bus) host controller 1526, a second USB controller 1528, and a front panel I/O subassembly 1530 that are preferably implemented on a module 1518. The USB controllers 1526 and 1528 serve as hosts for peripheral controllers 1542(1) and 1542(2), a wireless adapter 1548, and an external memory device 1546 (e.g., Flash memory, external CD/DVD ROM drive, removable media, etc.). The network interface controller 1524 and/or wireless adapter 1548 provide access to a network (e.g., the Internet, home network, etc.) and may be any of a wide variety of various wired or wireless adapter components including an Ethernet card, a modem, a Bluetooth module, a cable modem, or the like.
System memory 1543 is provided to store application data that is loaded during the boot process. A media drive 1544 is provided and may comprise a DVD/CD drive, hard drive, or other removable media drive, etc. The media drive 1544 may be internal or external to the multimedia console 1500. Application data may be accessed via the media drive 1544 for execution, playback, etc. by the multimedia console 1500. The media drive 1544 is connected to the I/O controller 1520 via a bus, such as a Serial ATA bus or other high speed connection (e.g., IEEE 1394).
The system management controller 1522 provides a variety of service functions related to assuring availability of the multimedia console 1500. The audio processing unit 1523 and an audio codec 1532 form a corresponding audio processing pipeline with high fidelity and stereo processing. Audio data is carried between the audio processing unit 1523 and the audio codec 1532 via a communication link. The audio processing pipeline outputs data to the A/V port 1540 for reproduction by an external audio player or device having audio capabilities.
The front panel I/O subassembly 1530 supports the functionality of the power button 1550 and the eject button 1552, as well as any LEDs (light emitting diodes) or other indicators exposed on the outer surface of the multimedia console 1500. A system power supply module 1539 provides power to the components of the multimedia console 1500. A fan 1538 cools the circuitry within the multimedia console 1500.
The CPU 1501, GPU 1508, memory controller 1510, and various other components within the multimedia console 1500 are interconnected via one or more buses, including serial and parallel buses, a memory bus, a peripheral bus, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures can include a Peripheral Component Interconnects (PCI) bus, PCI-Express bus, etc.
When the multimedia console 1500 is powered ON, application data may be loaded from the system memory 1543 into memory 1512 and/or caches 1502 and 1504 and executed on the CPU 1501. The application may present a graphical user interface that provides a consistent user experience when navigating to different media types available on the multimedia console 1500. In operation, applications and/or other media contained within the media drive 1544 may be launched or played from the media drive 1544 to provide additional functionalities to the multimedia console 1500.
The multimedia console 1500 may be operated as a standalone system by simply connecting the system to a television or other display. In this standalone mode, the multimedia console 1500 allows one or more users to interact with the system, watch movies, or listen to music. However, with the integration of broadband connectivity made available through the network interface controller 1524 or the wireless adapter 1548, the multimedia console 1500 may further be operated as a participant in a larger network community.
When the multimedia console 1500 is powered ON, a set amount of hardware resources are reserved for system use by the multimedia console operating system. These resources may include a reservation of memory (e.g., 16 MB), CPU and GPU cycles (e.g., 5%), networking bandwidth (e.g., 8 kbps), etc. Because these resources are reserved at system boot time, the reserved resources do not exist from the application's view.
In particular, the memory reservation preferably is large enough to contain the launch kernel, concurrent system applications, and drivers. The CPU reservation is preferably constant such that if the reserved CPU usage is not used by the system applications, an idle thread will consume any unused cycles.
With regard to the GPU reservation, lightweight messages generated by the system applications (e.g., pop-ups) are displayed by using a GPU interrupt to schedule code to render pop-ups into an overlay. The amount of memory needed for an overlay depends on the overlay area size and the overlay preferably scales with screen resolution. Where a full user interface is used by the concurrent system application, it is preferable to use a resolution independent of application resolution. A scaler may be used to set this resolution such that the need to change frequency and cause a TV re-sync is eliminated.
After the multimedia console 1500 boots and system resources are reserved, concurrent system applications execute to provide system functionalities. The system functionalities are encapsulated in a set of system applications that execute within the reserved system resources described above. The operating system kernel identifies threads that are system application threads versus gaming application threads. The system applications are preferably scheduled to run on the CPU 1501 at predetermined times and intervals in order to provide a consistent system resource view to the application. The scheduling is to minimize cache disruption for the gaming application running on the console.
When a concurrent system application requires audio, audio processing is scheduled asynchronously to the gaming application due to time sensitivity. A multimedia console application manager (described below) controls the gaming application audio level (e.g., mute, attenuate) when system applications are active.
Input devices (e.g., controllers 1542(1) and 1542(2)) are shared by gaming applications and system applications. The input devices are not reserved resources, but are to be switched between system applications and the gaming application such that each will have a focus of the device. The application manager preferably controls the switching of input stream, without knowledge of the gaming application's knowledge and a driver maintains state information regarding focus switches.
The HMD device 1600 may further include a gaze detection subsystem 1610 configured for detecting a direction of gaze of each eye of a user or a direction or location of focus, as described above. Gaze detection subsystem 1610 may be configured to determine gaze directions of each of a user's eyes in any suitable manner. For example, in the illustrative example shown, a gaze detection subsystem 1610 includes one or more glint sources 1612, such as infrared light sources, that are configured to cause a glint of light to reflect from each eyeball of a user, and one or more image sensors 1614, such as inward-facing sensors, that are configured to capture an image of each eyeball of the user. Changes in the glints from the user's eyeballs and/or a location of a user's pupil, as determined from image data gathered using the image sensor(s) 1614, may be used to determine a direction of gaze.
In addition, a location at which gaze lines projected from the user's eyes intersect the external display may be used to determine an object at which the user is gazing (e.g. a displayed virtual object and/or real background object). Gaze detection subsystem 1610 may have any suitable number and arrangement of light sources and image sensors. In some implementations, the gaze detection subsystem 1610 may be omitted.
The HMD device 1600 may also include additional sensors. For example, HMD device 1600 may comprise a global positioning system (GPS) subsystem 1616 to allow a location of the HMD device 1600 to be determined. This may help to identify real-world objects, such as buildings, etc. that may be located in the user's adjoining physical environment.
The HMD device 1600 may further include one or more motion sensors 1618 (e.g., inertial, multi-axis gyroscopic, or acceleration sensors) to detect movement and position/orientation/pose of a user's head when the user is wearing the system as part of a mixed reality or virtual reality HMD device. Motion data may be used, potentially along with eye-tracking glint data and outward-facing image data, for gaze detection, as well as for image stabilization to help correct for blur in images from the outward-facing image sensor(s) 1606. The use of motion data may allow changes in gaze location to be tracked even if image data from outward-facing image sensor(s) 1606 cannot be resolved.
In addition, motion sensors 1618, as well as microphone(s) 1608 and gaze detection subsystem 1610, also may be employed as user input devices, such that a user may interact with the HMD device 1600 via gestures of the eye, neck and/or head, as well as via verbal commands in some cases. It may be understood that sensors illustrated in
The HMD device 1600 can further include a controller 1620 such as one or more processors having a logic subsystem 1622 and a data storage subsystem 1624 in communication with the sensors, gaze detection subsystem 1610, display subsystem 1604, and/or other components through a communications subsystem 1626. The communications subsystem 1626 can also facilitate the display system being operated in conjunction with remotely located resources, such as processing, storage, power, data, and services. That is, in some implementations, an HMD device can be operated as part of a system that can distribute resources and capabilities among different components and subsystems.
The storage subsystem 1624 may include instructions stored thereon that are executable by logic subsystem 1622, for example, to receive and interpret inputs from the sensors, to identify location and movements of a user, to identify real objects using surface reconstruction and other techniques, and dim/fade the display based on distance to objects so as to enable the objects to be seen by the user, among other tasks.
The HMD device 1600 is configured with one or more audio transducers 1628 (e.g., speakers, earphones, etc.) so that audio can be utilized as part of a mixed reality or virtual reality experience. A power management subsystem 1630 may include one or more batteries 1632 and/or protection circuit modules (PCMs) and an associated charger interface 1634 and/or remote power interface for supplying power to components in the HMD device 1600.
It may be appreciated that the HMD device 1600 is described for the purpose of example, and thus is not meant to be limiting. It may be further understood that the display device may include additional and/or alternative sensors, cameras, microphones, input devices, output devices, etc. than those shown without departing from the scope of the present arrangement. Additionally, the physical configuration of an HMD device and its various sensors and subcomponents may take a variety of different forms without departing from the scope of the present arrangement.
Various exemplary embodiments of the present fault-tolerant variable region repaving during firmware over the air update are now presented by way of illustration and not as an exhaustive list of all embodiments. An example includes a method for updating firmware on a device, comprising: receiving a firmware update payload at the device; exposing a secure non-volatile memory store on the device, the memory store comprising a primary region and a spare region, each of the primary region and spare region including a working store configured to store transaction records and a variable store configured to store variable records; setting one or more switches for selectively enabling or disabling writing of the variable records during a firmware over the air (FOTA) update; responsively to the one or more switches being set for write enablement i) using the spare region to create a back-up of variable records contained in the primary region, ii) copying variable records from the firmware update payload, and iii) writing the copied variable records into the primary region.
In another example, the back-up creation comprises: copying variable records in the primary region and writing the variable records to the spare region; erasing content in the working store within the primary region; erasing variable records in the primary region; copying variable records from a firmware update payload received at the device; and erasing variable records in the spare region after writing the copied variable records into the primary region. In another example, the method further includes, if a fault occurs during the erasing of content in the working store, then copying variable records from the spare region, writing the copied variable records from the spare region into the primary region, and restarting the firmware updating process after a subsequent device boot. In another example, the method further includes, if a fault occurs during the erasing of the variable records in the primary region, then aborting the firmware updating process, and restarting the firmware updating process after a subsequent device boot. In another example, the method further includes, if a fault occurs during the copying of the variable records from the firmware update payload or during the writing of the copied variable records to the primary region, then aborting the firmware updating process, and restarting the firmware updating process after a subsequent device boot. In another example, the method further includes, if a fault occurs subsequent to the copying of the variable records from the firmware update payload or subsequent to the writing of the copied variable records to the primary region, then initializing the working store in the primary region and resuming normal device operations. In another example, the method further includes, if a fault occurs during the erasing of the variable records in the spare region, then initializing the working store in the primary region and resuming normal device operations. In another example, a switch comprises a version of currently installed firmware on the device that is compared to a version of firmware in the update payload, and wherein the variable writing in the FOTA update process is enabled if the installed firmware version is older than the update firmware version. In another example, a switch comprises a firmware variable having on and off states to indicate when the variable repaving is respectively enabled or disabled in an FOTA update process. In another example, the writing is performed using a fault-tolerant process.
A further example includes a device, comprising: one or more processors; a network interface; and one or more hardware-based memory devices storing computer-readable instructions which, when executed by the one or more processors, cause the device to: receive, over the network interface, a firmware update payload of firmware variables as part of a firmware over the air (FOTA) update process, attempt to validate the firmware update payload using a runtime cryptographic process, if the firmware update payload is validated, use a secure spare region of a non-volatile memory device to create a back-up of firmware variables contained in a secure primary region of the non-volatile memory device, and write the firmware variables from the payload into the primary region, and if the firmware update payload is not validated, then abort the FOTA update process.
In another example, the instructions, when executed by the one or more processors, cause the device to: use the back-up of the firmware variables to set the device to a known good boot state if a fault occurs in the FOTA update process, and erase the back-up if the firmware variables from the payload are successfully written to the primary region. In another example, the validating is performed using a cryptographic process. In another example, the validating comprises matching a runtime-calculated hash of variable records with a hash of variable records contained in a firmware update payload received from a remote source. In another example, the hash of variable records contained in the firmware update payload is stored in a secure boot manifest in the firmware update payload.
A further example includes one or more hardware-based computer-readable memory devices storing computer-executable instructions which, when executed by one or more processors disposed in a computing device, cause the device to: receive a firmware update payload in a firmware over the air (FOTA) update wherein the firmware update payload includes a whitelist of variable records, the whitelist of variable records specifying one or more device states; extract variable records from the firmware update payload; use the extracted variable records to repave a primary region of a secure non-volatile memory store on the device; and persist the one or more device states in accordance with the whitelist of variable records after the FOTA update is completed.
In another example, the variable records represent UEFI (Unified Extensible Firmware Interface) variables. In another example, the memory store is one of SPI (serial peripheral interface), Flash memory, or eMMC (embedded multimedia card) memory. In another example, the repaving uses a fault-tolerant writing (FTW) protocol using transaction records as specified by TianoCore.org. In another example, the repaving is a last step performed in a firmware over the air update.
Based on the foregoing, it should be appreciated that technologies for fault-tolerant variable region repaving during an FOTA update have been disclosed herein. Although the subject matter presented herein has been described in language specific to computer structural features, methodological and transformative acts, specific computing machinery, and computer-readable storage media, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features, acts, or media described herein. Rather, the specific features, acts, and mediums are disclosed as example forms of implementing the claims.
The subject matter described above is provided by way of illustration only and should not be construed as limiting. Various modifications and changes may be made to the subject matter described herein without following the example embodiments and applications illustrated and described, and without departing from the true spirit and scope of the present invention, which is set forth in the following claims.
This application claims benefit and priority to U.S. Provisional Application Ser. No. 62/357,021 filed Jun. 30, 2016, entitled “Fault Tolerant Variable Region Repaving During Firmware Over the Air Update” which is incorporated herein by reference in its entirety.
Number | Date | Country | |
---|---|---|---|
62357021 | Jun 2016 | US |