4.3.1.1.3 Image Swapping

If the device is to recover automatically from the download partition without losing the corrupted image, a swapping scheme can be implemented between the two images. Any image swapping scheme must take power failures during the swap operation into consideration: a failure in the middle of the swap can corrupt both images, losing both the recovery image and the image required for analysis. Because both sections are write-enabled at the same time, extra mechanisms are needed to recover from a Reset during the swap process, including Resets during erase and/or write operations to memory. This type of swap operation is typically done through a swap memory location. The swap space can be much smaller than the images, sized to the erase page size of the device.

Figure 4-17. Memory Swap [figure not reproduced]

Figure 4-17 shows a swap page being used to exchange the contents of two memory locations. In this type of swap, there is typically an additional ledger, not shown, that records the progress of the swap so that it can be resumed after a power failure.

During a swap, both images should be blocked from execution. Ideally, memory that is not part of the block currently being swapped should also be protected against errant erase/write operations caused by a power failure. If the two images and the swap section are adjacent to each other in memory, both goals can be met with three flash protection regions.

Figure 4-18. Swap Operation [figure not reproduced]

Figure 4-18 shows one possible configuration for limiting errant erase/write operations during a swap operation. Region 1 disables execution for the executable image, the recovery image and the swap page. This region is locked until Reset, so that no code can be executed until the swap operation is complete and the image has been verified and authenticated. Regions 2 and 3 write-protect the memory before and after the target page, which protects against accidental erase/write operations outside of the target memory area. Regions 2 and 3 must be reconfigured repeatedly during the swap process so that they move with the target page as it is written.
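As an added example (not code from this document, nor from any particular vendor's bootloader), the following C program models the scheme of Figures 4-17 and 4-18 on a simulated flash: a page-by-page swap of two images through a single swap page, a progress ledger that records each completed copy step, and a write-protect window that moves with the target page in the way Regions 2 and 3 do. The memory layout, page size, step ordering, ledger encoding and the fault-injection harness are all assumptions chosen for illustration. The fault sweep resets the "device" at every single erase or program operation in turn, then calls swap_resume() again the way a bootloader would after power returns, and checks that both images always end up exchanged.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (assumed, not the document's): image A, image B, swap page, ledger page. */
#define PAGE_SIZE   8
#define IMAGE_PAGES 2
#define STEPS       (3 * IMAGE_PAGES)          /* three page copies per page pair */
#define PAGE_A(i)   (i)
#define PAGE_B(i)   (IMAGE_PAGES + (i))
#define PAGE_SWAP   (2 * IMAGE_PAGES)
#define PAGE_LEDGER (2 * IMAGE_PAGES + 1)

static uint8_t flash[PAGE_LEDGER + 1][PAGE_SIZE];

/* Reset simulation: each erased or programmed byte is one operation; when the countdown hits zero,
 * power is lost and every later flash operation fails until the test restores it (-1: never fail).
 * unlocked_page stands in for the write-protect regions: only that page accepts erase/program. */
static long ops_until_fail = -1;
static bool power_lost = false;
static int  unlocked_page = -1;

static bool flash_op_ok(int page) {
    if (page != unlocked_page || power_lost) return false;
    if (ops_until_fail == 0) { power_lost = true; return false; }
    if (ops_until_fail > 0) ops_until_fail--;
    return true;
}

/* Byte-wise erase (src == NULL, bits -> 1) or program (bits 1 -> 0). A reset part-way through
 * leaves the page half old and half new: the corruption the ledger has to recover from. */
static bool flash_page_op(int page, const uint8_t *src) {
    for (int i = 0; i < PAGE_SIZE; i++) {
        if (!flash_op_ok(page)) return false;
        flash[page][i] = src ? (flash[page][i] & src[i]) : 0xFF;
    }
    return true;
}

/* Ledger: one byte per step, 0xFF = pending, 0x00 = done. Marking a step is a single byte
 * program, assumed atomic across a reset. The ledger page is erased when the swap is scheduled. */
static bool ledger_mark_done(int step) {
    unlocked_page = PAGE_LEDGER;
    if (!flash_op_ok(PAGE_LEDGER)) return false;
    flash[PAGE_LEDGER][step] = 0x00;
    return true;
}

/* Step s handles page pair i = s / 3: A[i] -> swap, then B[i] -> A[i], then swap -> B[i]. Each step
 * unlocks only its target (the protect regions move with it), erases it, then programs it from a
 * source the step never modifies, so re-running an interrupted step from the start is always safe. */
static bool run_step(int s) {
    int i = s / 3, dst, src;
    if      (s % 3 == 0) { dst = PAGE_SWAP; src = PAGE_A(i); }
    else if (s % 3 == 1) { dst = PAGE_A(i); src = PAGE_B(i); }
    else                 { dst = PAGE_B(i); src = PAGE_SWAP; }
    unlocked_page = dst;
    return flash_page_op(dst, NULL) && flash_page_op(dst, flash[src]);
}

/* Bootloader entry on every reset: resume from the first step the ledger does not record as done. */
static bool swap_resume(void) {
    int s = 0;
    while (s < STEPS && flash[PAGE_LEDGER][s] == 0x00) s++;
    for (; s < STEPS; s++)
        if (!run_step(s) || !ledger_mark_done(s)) return false;
    unlocked_page = -1;                            /* everything locked again */
    return true;
}

/* Constructed test images: A pages hold 0xA0.., B pages hold 0xB0.. */
static uint8_t pattern(int base, int i, int j) { return (uint8_t)(base + i * PAGE_SIZE + j); }
static void load_images(void) {
    memset(flash, 0xFF, sizeof flash);             /* all erased, ledger included */
    for (int i = 0; i < IMAGE_PAGES; i++)
        for (int j = 0; j < PAGE_SIZE; j++) {
            flash[PAGE_A(i)][j] = pattern(0xA0, i, j);
            flash[PAGE_B(i)][j] = pattern(0xB0, i, j);
        }
}
static bool images_swapped(void) {
    for (int i = 0; i < IMAGE_PAGES; i++)
        for (int j = 0; j < PAGE_SIZE; j++)
            if (flash[PAGE_A(i)][j] != pattern(0xB0, i, j) ||
                flash[PAGE_B(i)][j] != pattern(0xA0, i, j)) return false;
    return true;
}

/* Inject a reset at every flash operation in turn, reboot by calling swap_resume() again, and
 * count the injection points that do not end with both images swapped (expected: 0). */
static int fault_sweep(void) {
    int failures = 0;
    for (long k = 0;; k++) {
        load_images();
        ops_until_fail = k; power_lost = false;
        if (swap_resume())                         /* k is past the last op: sweep finished */
            return failures + !images_swapped();
        ops_until_fail = -1; power_lost = false;   /* power restored */
        if (!swap_resume() || !images_swapped()) failures++;
    }
}
```

The invariant that makes this recoverable is that every step is an erase followed by a program from a source page the step never touches, and that a step is only recorded in the ledger after it has fully completed; a reset at any point therefore leaves at most one page in an undefined state, and that page is the one the resumed step rewrites. Two caveats apply on real parts: the ledger mark must fit the device's programming granularity (flash with ECC or word-only programming may not allow a single-byte write into an already programmed row, in which case the ledger needs one word, or one erase page, per step), and the reconfiguration of the write-protect window before each step, modelled here by the unlocked_page assignment, must itself be done through the part's region registers before the erase is issued.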

While the swap approach reduces the memory footprint, it increases boot complexity, especially when the device must be protected against external error conditions such as a power failure during an update.