Bootloader Recovery Mechanism
- GPIO boot chain selection: an external MCU selects the boot chain by driving the Boot GPIO (bf_bl_gpio_select_boot_chain_1b = 1). This is recommended when an external MCU controls Tegra boot. The boot chain selected by the Boot GPIO value is booted.
- Bootloader recovery: Tegra itself switches to an alternate available boot chain if an early boot failure occurs (for example, before ATF) when bf_bl_gpio_select_boot_chain_1b = 0.
The bootloader includes:
- BootROM
- Microboot 1 (MB1)
- Microboot 2 (MB2)
- Hypervisor, which includes:
  - Partition Loader (PL)
These components load additional firmware, including:
- Boot images
- Partition images
- Other firmware
Loading the bootloader fails if either of the following occurs:
- Image corruption is declared: during boot, each image's hash is validated and its signature is authenticated. If either the validation or the authentication fails, the system declares the image corrupt.
- A device read failure occurs: if a hardware issue is detected while an image is being read during boot, the system returns a device read error.
Either failure aborts the boot process, which is why the bootloader recovery mechanism (the second mechanism listed above) is needed.
During the boot process, the bootloader recovery mechanism ensures that functioning firmware is loaded.
Boot Chain
For the recovery mechanism to work correctly, the following must be taken into account:
- Firmware components depend on each other.
For example, the BPMP firmware and the kernel depend on each other. If the BPMP firmware version and the kernel version are functionally incompatible, the system may behave abnormally and not operate as expected.
- The firmware update process can fail part-way.
For example, if power is lost while the firmware is being updated, the BPMP firmware may already have been updated to the latest version while the kernel still has the outdated version. Because of this version mismatch, the system malfunctions and does not operate as expected.
Therefore, a redundant copy is a complete set of firmware components that are functionally compatible with each other. Such a set of firmware components is called a boot chain.
- The primary firmware components are on one boot chain.
- Redundant firmware components are on alternate boot chains.
The recovery mechanism maintains up to three boot chains:
- Boot Chain A
- Boot Chain B
- Boot Chain C
Only one boot chain, called the “Active Boot Chain,” is active at a time. The others are called “Inactive Boot Chains.”
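The following C program is an added example, not NVIDIA's code or a description of the real Tegra BootROM/MB1 implementation. It models the two selection mechanisms above (external-MCU GPIO selection versus Tegra's own fall-through recovery), the two failure conditions (image corruption detected by hash/authentication, and device read errors), and the notion of a boot chain as a functionally compatible set of components. Everything specific is an assumption made for the illustration: the component set (MB1, MB2, one hypervisor/PL image), the FNV-1a checksum standing in for the cryptographic hash and signature check, a numeric version tag standing in for BPMP/kernel compatibility, the rule that a GPIO-selected chain is tried on its own without fall-through, the fall-through order A, B, C wrapping around from the active chain, and all function and type names.

```c
/* Added example, not NVIDIA's code: a simplified model of the recovery logic
 * described above. Component set, version tag, the FNV-1a checksum standing in
 * for hash + signature verification, and all names are illustration assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_CHAINS     3   /* index 0, 1, 2 = Boot Chain A, B, C */
#define NUM_COMPONENTS 3   /* MB1, MB2, hypervisor/PL image in this model */

enum boot_status {
    BOOT_OK = 0,
    BOOT_IMAGE_CORRUPT,     /* hash validation or authentication failed */
    BOOT_DEVICE_READ_ERROR, /* hardware read error while loading the image */
    BOOT_VERSION_MISMATCH   /* components of the chain are not compatible */
};

struct fw_image {
    const uint8_t *data; size_t len;
    uint32_t expected_digest; /* stand-in for the signed hash */
    uint32_t version;         /* stand-in for a compatibility tag */
    int read_fails;           /* simulated storage failure */
};
struct boot_chain { struct fw_image images[NUM_COMPONENTS]; };

/* FNV-1a stands in for the cryptographic hash; a real boot chain must
 * authenticate each image with a signature, not an unkeyed checksum. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static enum boot_status verify_image(const struct fw_image *img) {
    if (img->read_fails) return BOOT_DEVICE_READ_ERROR;
    if (fnv1a(img->data, img->len) != img->expected_digest) return BOOT_IMAGE_CORRUPT;
    return BOOT_OK;
}

/* A chain is usable only if every image authenticates and all images share one
 * compatibility tag, i.e. they form a functionally compatible set. */
static enum boot_status verify_chain(const struct boot_chain *c) {
    for (int i = 0; i < NUM_COMPONENTS; i++) {
        enum boot_status st = verify_image(&c->images[i]);
        if (st != BOOT_OK) return st;
    }
    for (int i = 1; i < NUM_COMPONENTS; i++)
        if (c->images[i].version != c->images[0].version) return BOOT_VERSION_MISMATCH;
    return BOOT_OK;
}

/* Returns the index of the chain to boot, or -1 if none is usable.
 * gpio_select != 0 models bf_bl_gpio_select_boot_chain_1b = 1: only the chain
 * named by the Boot GPIO is tried (modelling assumption). gpio_select == 0 models
 * Tegra's own recovery: start at the active chain, fall through on any failure.
 * *last receives the status of the last chain tried. */
int select_boot_chain(const struct boot_chain chains[], int n, int active,
                      int gpio_select, int gpio_value, enum boot_status *last) {
    if (gpio_select) {
        if (gpio_value < 0 || gpio_value >= n) return -1;
        *last = verify_chain(&chains[gpio_value]);
        return *last == BOOT_OK ? gpio_value : -1;
    }
    for (int tried = 0; tried < n; tried++) {
        int idx = (active + tried) % n;
        *last = verify_chain(&chains[idx]);
        if (*last == BOOT_OK) return idx;
    }
    return -1;
}

/* Constructed sample flash: chain A has a corrupted MB2, B is intact, C fails to read MB1. */
static const uint8_t img_mb1[] = "MB1 image v7", img_mb2[] = "MB2 image v7";
static const uint8_t img_hv[] = "hypervisor+PL image v7", img_mb2_bad[] = "MB2 image v7 (bit flipped)";

static void build_sample_chains(struct boot_chain out[NUM_CHAINS]) {
    const uint8_t *good[NUM_COMPONENTS] = { img_mb1, img_mb2, img_hv };
    const size_t glen[NUM_COMPONENTS] = { sizeof img_mb1, sizeof img_mb2, sizeof img_hv };
    for (int c = 0; c < NUM_CHAINS; c++)
        for (int i = 0; i < NUM_COMPONENTS; i++) {
            struct fw_image *img = &out[c].images[i];
            img->data = good[i]; img->len = glen[i];
            img->expected_digest = fnv1a(good[i], glen[i]); /* "signed" at build time */
            img->version = 7; img->read_fails = 0;
        }
    out[0].images[1].data = img_mb2_bad; out[0].images[1].len = sizeof img_mb2_bad;
    out[2].images[0].read_fails = 1;
}

/* One boot attempt against the sample flash: returns the booted chain index or -1. */
int run_scenario(int active, int gpio_select, int gpio_value, enum boot_status *last) {
    struct boot_chain chains[NUM_CHAINS];
    build_sample_chains(chains);
    return select_boot_chain(chains, NUM_CHAINS, active, gpio_select, gpio_value, last);
}

int main(void) {
    enum boot_status st;
    printf("chain index booted with A active, no MCU: %d\n", run_scenario(0, 0, 0, &st));
    return 0;
}
```

With chain A active and no external MCU, the model detects the corrupt MB2 in A and falls through to B; with the GPIO mechanism enabled, a GPIO value of 0 fails with the corruption status and nothing else is tried, so in this model the retry policy lives in the MCU. The fall-through also illustrates why a chain is verified as a whole set: a mismatched version tag fails the chain even when every image authenticates.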