Patent Grant
9971659
Computing systems may have operational firmware programmed in non-volatile memory of the system that directs operation of the system. Such memory can be programmed in various ways.
Various embodiments are depicted in the accompanying drawings for illustrative purposes, and should in no way be interpreted as limiting the scope of this disclosure. In addition, various features of different disclosed embodiments can be combined to form additional embodiments, which are part of this disclosure.
While certain embodiments are described, these embodiments are presented by way of example only, and are not intended to limit the scope of protection. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms. Furthermore, various omissions, substitutions and changes in the form of the methods and systems described herein may be made without departing from the scope of protection.
The headings provided herein are for convenience only and do not necessarily affect the scope or meaning of the claims. Disclosed herein are example configurations and embodiments relating to programming memory devices.
Overview
The present disclosure describes systems and methods for programming a memory device in a computing system. In certain computing systems, a non-volatile memory device is programmed with a firmware image for directing operation of at least a portion of the computing system. Such programming may occur, for example, in a production environment. In certain embodiments, the entire firmware image may be programmed in its entirety in a single process. While such programming may provide desirable efficiency, susceptibility to corruption may exist if a power failure occurs during the programming process.
Certain embodiments are disclosed herein in the context of data storage devices including a device controller and an interface bridge for communicating with a host device/system over a host interface. It should be understood that the disclosed features and embodiments may be applicable for systems having any type of host interface, such as PCIe, Ethernet, Thunderbolt, SATA, WiFi, or the like. The interface bridge may have associated therewith a non-volatile memory device configured to be programmed with the firmware image for the system. The non-volatile memory device may be, for example, a flash memory.
In certain embodiments, the non-volatile memory device being programmed is a dual-image flash memory, which may advantageously be programmed in such a way as to be relatively robust with respect to power failures. The programming process may be part of a larger factory process. Processes that take power failure risk into account may be desirable, for example, to account for the relative frequency of power interruptions in certain factory processes. Implementation of processes disclosed herein may provide improved robustness for factory processes with respect to corruption of the programmed memory device (e.g., flash). Processes disclosed herein may allow for device recovery after power failure by one of a plurality of possible means, depending on what point in the process the power failure occurred. In certain embodiments, once the end user firmware has been successfully programmed, processes disclosed herein may involve using metadata to designate the firmware image as active; such metadata may be inspected after a power cycle to determine whether re-programming of the firmware image is required.
Computing System
The media of the non-volatile storage 140 may be separated into a plurality of partitions (e.g., partition A, partition B). The term “partition” is used herein according to its broad and ordinary meaning, and may include any type of partition, segment, group, collection or section of memory sectors, addresses, cells, media, or other portion of memory. With multiple partitions, the non-volatile memory may ultimately hold multiple copies of firmware for the system 100. In certain embodiments, the partitions of the non-volatile memory 140 each comprise 64 kB of data storage. While only two partitions are illustrated (partition A, partition B), it should be understood that the non-volatile memory 140 may comprise any suitable or desirable number of partitions.
The non-volatile memory 140 may be programmed with a bootloader program designed to direct the device controller 130 and/or other component of the system 100 to load an end user firmware image to the non-volatile memory 140. Various processes may be implemented for loading the final firmware image onto the non-volatile memory 140 (e.g., flash). If power failure occurs at some point during the process of programming the non-volatile memory 140, the copy of firmware programmed may be invalid if adequate power-failure protection mechanisms are not employed as described herein.
The system may be configured to implement a sequence of tasks to ensure that the non-volatile memory 140 is tolerant to power failure with regard to retention of firmware programmed therein. For example, bootloader code executed from the non-volatile memory 140 or other component of the system 100 may direct at least certain power failure tolerant features disclosed herein. According to certain embodiments, if power loss occurs after the final firmware image has been loaded to the non-volatile memory 140 and after the device controller 130 and/or other component(s) of the system 100 has designated the firmware image as an active image in the non-volatile memory 140, rather than re-programming the non-volatile memory 140 with the firmware image, the system 100 may be configured to recognize the active copy of the firmware and merely copy the firmware to another partition of the non-volatile memory to create a redundant copy for the firmware.
The system 100 may include an additional non-volatile memory module or device 160, such as a hard disk memory or other non-volatile memory. In certain embodiments, the firmware image programmed to the non-volatile memory 140 may be provided from the non-volatile memory 160. In certain embodiments, one or more of the illustrated components of the system 100 may be mounted to a printed circuit board (PCB), which may constitute a computing device (e.g., data storage drive).
Memory Programming Process
As described above, the programming of a final firmware image to non-volatile memory in a computing system may be necessary to allow the computing system to properly boot following a power cycle. If programming of the non-volatile memory is directed by a bootloader program, it may be beneficial to avoid overwriting such program with a firmware image to prevent a situation where the bootloader program has been overwritten, and power failure occurs before programming of the firmware image is complete.
At block 202, the process 200 involves providing a non-volatile storage device or module having data storage media comprising at least two partitions, as described above with reference to
At block 204, the process 200 involves programming a first partition, partition A, with bootloader code (“LOADER”). In certain embodiments, the bootloader code is programmed to the non-volatile storage as part of a board testing process. For example, as a final stage or step of the board testing process, the bootloader program may be written to non-volatile memory and designated as active so that the system may know to execute the bootloader in connection with system start-up. The bootloader may be set to an active state by updating metadata to indicate the same.
The non-volatile storage module 304 shows a first partition, partition A, of the non-volatile storage 304 having stored therein the bootloader, wherein the bootloader code is depicted with diagonal lines indicating that it is designated as active within the non-volatile storage 304. At the stage 304, a second partition, partition B, may be effectively erased, or may contain invalid data. According to the process 200, if power failure occurs while the bootloader is being programmed at block 204 prior to completion, the process 200 may proceed to block 209, where partition A is erased for reprogramming of the bootloader at block 204.
At block 205, the process 200 involves erasing the second partition of the non-volatile storage, partition B. Erasing partition B may allow for subsequent programming thereof, as implemented in one or more subsequent steps. At block 206, the process 200 involves executing the bootloader and applying configuration data. The configuration data for the non-volatile storage may include one or more of reporting strings, mode page settings, vendor identifier (VID), product identifier (PID), or other information. The configuration data may provide original equipment manufacturer (OEM) settings. In certain embodiments, metadata indicates whether code programmed in either of the partitions of the non-volatile storage is active. The process 200 may involve calculating a cyclic redundancy check (CRC) value, or other error detection value and writing the value to the non-volatile memory in order to determine whether the configuration data and/or firmware image are valid.
The non-volatile storage module 306 shows partition A still storing the active bootloader code, while partition B is in a substantially erased state. If power failure occurs during initial execution of the bootloader code or application of configuration data at block 206, the process may loop back to block 205, wherein partition B may be erased and execution of the bootloader code may be initiated again at block 206. When re-starting after a power cycle, the relevant metadata may indicate what stage the process 200 was in when the power failure occurred. For example, the metadata may show that there is an active bootloader stored in partition A, and therefore, the process should re-start at block 205, or block 206.
At block 208, the process 200 involves loading a firmware image onto the second partition (partition B) of the non-volatile storage module. The bootloader may cause the firmware image to be programmed in partition B. The firmware image may be loaded from any suitable or desirable interface, such as through the primary host interface. In certain embodiments, the firmware image is loaded from a separate non-volatile memory of the device or system.
The non-volatile storage module 308 shows the firmware image stored in partition B, while the bootloader code remains stored in partition A and active. As shown, in certain embodiments, the bootloader code is not overwritten when the firmware image is written to the non-volatile memory. Although the firmware image has been written to partition B, it is not yet active at this stage; the associated metadata continues to identify the bootloader in partition A as the active program. If power failure occurs while loading the firmware image onto the non-volatile memory, the process 200 may loop back to block 205, where partition B may be erased for re-loading of the firmware image to partition B.
At block 210, the process 200 involves marking the firmware image as active, and possibly thereby deactivating the bootloader code stored in partition A. Marking the firmware image as active may be performed as a separate step to loading the firmware image. In certain embodiments, if power were to fail after the firmware image has been marked as active, the device may be operable without a redundant copy of the firmware.
The non-volatile storage module 310 shows the firmware image stored in partition B and designated as active, while the bootloader code in partition A is no longer active. If power failure occurs prior to the firmware image being marked as active, the process 200 loops back to block 205, where the process of programming partition B with the firmware image can be performed again after a power cycle.
At block 212, the process 200 involves making a redundant copy of the firmware image and storing the copy in partition A. The copy of the firmware image may overwrite the bootloader code previously stored in partition A. After the redundant copy has been successfully programmed, the process 200 may be considered effectively complete. The non-volatile storage module 312 shows the active firmware image stored in partition B, as well as the copy of the firmware image (not active) stored in partition A.
If power failure occurs after block 210, such as at block 212, the process 200 may not require erasure of, and/or re-loading of the firmware image to, partition B, as it will already be present and active. That is, at such point the device may be considered substantially configured and operational. During the next power-on sequence, the redundant firmware image may instead be created. After a power cycle, if the relevant metadata indicates that partition B is active and partition A is either substantially erased or has end user firmware stored therein, the process 200 may involve copying the active firmware image over to the other partition.
In certain embodiments, more than two copies of end user firmware are maintained in the non-volatile memory 312. For example, additional copies may be used for voting purposes, or as additional firmware states that may be usable with the device. In an embodiment, a copy of firmware is maintained that corresponds to an original factory-shipped device state, which may be recreated at some point when the device is in the field.
The various embodiments disclosed herein may allow the programming of non-volatile memory (e.g., USP SPI flash) to be tolerant of power failures. Once the device has been programmed with a bootloader, it may be recoverable by reprogramming the device and letting the firmware update a redundant copy.
Those skilled in the art will appreciate that in some embodiments, other types of non-volatile memory programming systems can be implemented while remaining within the scope of the present disclosure. In addition, the actual steps taken in the processes discussed herein may differ from those described or shown in the figures. Depending on the embodiment, certain of the steps described above may be removed, and/or others may be added.
While certain embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of protection. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms. Furthermore, various omissions, substitutions and changes in the form of the methods and systems described herein may be made. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the protection. For example, the various components illustrated in the figures may be implemented as software and/or firmware on a processor, application-specific integrated circuit (ASIC), field-programmable gate array (FPGA), or dedicated hardware. Also, the features and attributes of the specific embodiments disclosed above may be combined in different ways to form additional embodiments, all of which fall within the scope of the present disclosure. Although the present disclosure provides certain preferred embodiments and applications, other embodiments that are apparent to those of ordinary skill in the art, including embodiments which do not provide all of the features and advantages set forth herein, are also within the scope of this disclosure. Accordingly, the scope of the present disclosure is intended to be defined only by reference to the appended claims.
All of the processes described above may be embodied in, and fully automated via, software code modules executed by one or more general purpose or special purpose computers or processors. The code modules may be stored on any type of computer-readable medium or other computer storage device or collection of storage devices. Some or all of the methods may alternatively be embodied in specialized computer hardware.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6499054 | Hesselink et al. | Dec 2002 | B1 |
| 6732158 | Hesselink et al. | May 2004 | B1 |
| 6772364 | Pinter et al. | Aug 2004 | B1 |
| 7082549 | Rao | Jul 2006 | B2 |
| 7120692 | Hesselink et al. | Oct 2006 | B2 |
| 7454443 | Ram et al. | Nov 2008 | B2 |
| 7467187 | Hesselink et al. | Dec 2008 | B2 |
| 7546353 | Hesselink et al. | Jun 2009 | B2 |
| 7587467 | Hesselink et al. | Sep 2009 | B2 |
| 7600036 | Hesselink et al. | Oct 2009 | B2 |
| 7788404 | Hesselink et al. | Aug 2010 | B2 |
| 7917628 | Hesselink et al. | Mar 2011 | B2 |
| 7934251 | Hesselink et al. | Apr 2011 | B2 |
| 7949564 | Hughes et al. | May 2011 | B1 |
| 8004791 | Szeremeta et al. | Aug 2011 | B2 |
| 8046631 | Jibbe | Oct 2011 | B2 |
| 8255661 | Karr et al. | Aug 2012 | B2 |
| 8285965 | Karr et al. | Oct 2012 | B2 |
| 8341117 | Ram et al. | Dec 2012 | B2 |
| 8341275 | Hesselink et al. | Dec 2012 | B1 |
| 8352567 | Hesselink et al. | Jan 2013 | B2 |
| 8392762 | Aralakuppe Ramegowda et al. | Mar 2013 | B2 |
| 8526798 | Hesselink | Sep 2013 | B2 |
| 8631284 | Stevens | Jan 2014 | B2 |
| 8646054 | Karr et al. | Feb 2014 | B1 |
| 8661507 | Hesselink et al. | Feb 2014 | B1 |
| 8688797 | Hesselink et al. | Apr 2014 | B2 |
| 8713265 | Rutledge | Apr 2014 | B1 |
| 8762682 | Stevens | Jun 2014 | B1 |
| 8780004 | Chin | Jul 2014 | B1 |
| 8793374 | Hesselink et al. | Jul 2014 | B2 |
| 8819443 | Lin | Aug 2014 | B2 |
| 8914627 | Park | Dec 2014 | B2 |
| 9710652 | Condra | Jul 2017 | B1 |
| 20040153846 | Lee | Aug 2004 | A1 |
| 20050144195 | Hesselink et al. | Jun 2005 | A1 |
| 20050144200 | Hesselink et al. | Jun 2005 | A1 |
| 20070033387 | Arnez | Feb 2007 | A1 |
| 20070074015 | Shiiba | Mar 2007 | A1 |
| 20080235501 | Bailey | Sep 2008 | A1 |
| 20080307215 | Willems | Dec 2008 | A1 |
| 20120036041 | Hesselink | Feb 2012 | A1 |
| 20130212401 | Lin | Aug 2013 | A1 |
| 20130232325 | Jang | Sep 2013 | A1 |
| 20130266137 | Blankenbeckler et al. | Oct 2013 | A1 |
| 20130268749 | Blankenbeckler et al. | Oct 2013 | A1 |
| 20130268759 | Blankenbeckler et al. | Oct 2013 | A1 |
| 20130268771 | Blankenbeckler et al. | Oct 2013 | A1 |
| 20140095439 | Ram | Apr 2014 | A1 |
| 20140169921 | Carey | Jun 2014 | A1 |
| 20140173187 | Ali | Jun 2014 | A1 |
| 20140173215 | Lin et al. | Jun 2014 | A1 |
| 20140244989 | Hiltgen | Aug 2014 | A1 |
| 20150363187 | Dhar | Dec 2015 | A1 |
| 20160026532 | Friedman | Jan 2016 | A1 |
