Fault-tolerant variable region repaving during firmware over the air update
First Claim
1. A method for updating firmware on a device, comprising:
exposing a secure non-volatile memory store on the device, comprising a primary region and a spare region, each of the primary region and spare region including a working store configured to store transaction records and a variable store configured to store variable records;
copying variable records in the primary region and writing the variable records to the spare region;
erasing content in the working store within the primary region;
erasing variable records in the primary region;
copying variable records from a firmware update payload received at the device and writing the copied variable records into the primary region; and
erasing variable records in the spare region.
Abstract
Variables used by device firmware that provides boot and runtime services are repaved in a fault-tolerant manner within a secure store in durable, non-volatile device memory during a firmware over the air (FOTA) update. A spare region in the secure store temporarily holds a back-up of the primary region in which the firmware variables are written. Using a transaction-based fault-tolerant write (FTW) process, the variables in the primary region are repaved with the variables contained in a firmware update payload delivered from a remote service. If a fault occurs during variable region repaving, either the primary or the spare region remains valid, so firmware in a known good state can be used to boot the device successfully and the variable region repaving step of the FOTA update can be restarted.
24 Citations

20 Claims
1. A method for updating firmware on a device (independent claim; text given in full under First Claim above). Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 are not shown.

11. A device, comprising:
one or more processors;
a network interface; and
one or more hardware-based memory devices storing computer-readable instructions which, when executed by the one or more processors, cause the device to:
receive, over the network interface, a firmware update payload of firmware variables as part of a firmware over the air (FOTA) update process,
use a secure spare region of a non-volatile memory device to create a back-up of firmware variables contained in a secure primary region of the non-volatile memory device,
write the firmware variables from the payload into the primary region,
if a fault occurs in the FOTA update process, use the back-up of the firmware variables to set the device to a known good boot state, and
erase the back-up if the firmware variables from the payload are successfully written to the primary region.
Dependent claims 12, 13, 14, 15, 16, 17 and 18 are not shown.

19. One or more hardware-based computer-readable memory devices storing computer-executable instructions which, when executed by one or more processors disposed in a computer server, cause the server to:
incorporate a whitelist of UEFI (Unified Extensible Firmware Interface) variables in a firmware update payload, the whitelist of UEFI variables specifying a device state that is persisted after a firmware over the air (FOTA) update of a remote device is completed; and
transmit the firmware update payload to the remote device over a network.
Dependent claim 20 is not shown.
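The transaction described in the abstract and in claims 1 and 11, carried through as an added C simulation (this is example code written for this page, not code from the patent or its assignee): a power loss is injected at each step of the repave, and the boot-time recovery picks whichever region still validates. The region layout, the one-byte checksum that stands in for a real record header, the step-marker encoding in the spare region's working store, and the fault-injection points are all assumptions of the simulation.

```c
/* Simulation of the transaction-based fault-tolerant write (FTW) that repaves the
 * variable region. Added example, not the patent's code: region sizes, the checksum,
 * the step markers and the fault-injection points are assumptions for the simulation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VAR_BYTES 32    /* variable store size (assumed); the last byte is a checksum */
#define ERASED    0xFF  /* erased flash reads as all ones; programming only clears bits */

struct region { uint8_t working[4]; uint8_t vars[VAR_BYTES]; }; /* transaction records, variable records */
struct secure_store { struct region primary, spare; };
enum boot_result { BOOT_FAIL = 0, BOOT_PRIMARY = 1, BOOT_RESTORED_FROM_SPARE = 2 };

static void erase(uint8_t *p, size_t n) { memset(p, ERASED, n); }
/* Program n bytes, but stop after `limit` bytes to model a power loss mid-write. */
static void program(uint8_t *dst, const uint8_t *src, size_t n, size_t limit) { memcpy(dst, src, n < limit ? n : limit); }

static uint8_t checksum(const uint8_t *d)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < VAR_BYTES - 1; i++) sum += d[i];
    return (uint8_t)~sum;                        /* a fully erased store never validates */
}
int vars_valid(const uint8_t *v) { return checksum(v) == v[VAR_BYTES - 1]; }

/* Build a variable store image from a constructed "Name=value;..." string. */
void make_vars(uint8_t out[VAR_BYTES], const char *records)
{
    memset(out, 0, VAR_BYTES);
    strncpy((char *)out, records, VAR_BYTES - 1);
    out[VAR_BYTES - 1] = checksum(out);
}
/* Fresh store: everything erased, primary holding the device's current variables. */
void init_store(struct secure_store *s, const char *current_records)
{
    erase((uint8_t *)s, sizeof *s);
    make_vars(s->primary.vars, current_records);
}
static void discard_spare(struct secure_store *s)
{
    erase(s->spare.working, sizeof s->spare.working);
    erase(s->spare.vars, VAR_BYTES);
}

/* Repave the primary region with the payload's variable records. fault_at injects a
 * power loss: 0 = none, odd = midway through that step's flash operation, even = just
 * after the step's transaction record was written. Returns 1 if the transaction closed. */
int ftw_repave(struct secure_store *s, const uint8_t payload[VAR_BYTES], int fault_at)
{
    const size_t half = VAR_BYTES / 2;
    /* Step 1: back up the primary variable records into the spare region. */
    program(s->spare.vars, s->primary.vars, VAR_BYTES, fault_at == 1 ? half : VAR_BYTES);
    if (fault_at == 1) return 0;
    s->spare.working[0] = 0x01;                  /* record: backup complete (bits cleared, no erase needed) */
    if (fault_at == 2) return 0;
    /* Step 2: erase the primary working store, then its variable records. */
    erase(s->primary.working, sizeof s->primary.working);
    erase(s->primary.vars, fault_at == 3 ? half : VAR_BYTES);
    if (fault_at == 3) return 0;
    s->spare.working[1] = 0x01;                  /* record: primary erased */
    if (fault_at == 4) return 0;
    /* Step 3: write the payload's variable records into the primary region. */
    program(s->primary.vars, payload, VAR_BYTES, fault_at == 5 ? half : VAR_BYTES);
    if (fault_at == 5) return 0;
    s->spare.working[2] = 0x01;                  /* record: primary written */
    if (fault_at == 6) return 0;
    /* Step 4: erase the backup in the spare region; the transaction is closed. */
    if (fault_at == 7) { erase(s->spare.vars, half); return 0; }
    discard_spare(s);
    return 1;
}

/* Boot-time recovery: whichever region still validates is used. A valid primary (old
 * or new) boots as-is and any leftover backup is dropped; an invalid primary is
 * restored from a valid spare so the device boots known-good and the FOTA can retry. */
int ftw_recover(struct secure_store *s)
{
    if (vars_valid(s->primary.vars)) { discard_spare(s); return BOOT_PRIMARY; }
    if (!vars_valid(s->spare.vars)) return BOOT_FAIL;  /* both corrupt: needs external recovery */
    erase(s->primary.working, sizeof s->primary.working);
    erase(s->primary.vars, VAR_BYTES);
    program(s->primary.vars, s->spare.vars, VAR_BYTES, VAR_BYTES);
    discard_spare(s);
    return BOOT_RESTORED_FROM_SPARE;
}

int main(void)
{
    uint8_t payload[VAR_BYTES];
    make_vars(payload, "BootOrder=0001;SecureBoot=1");    /* constructed update payload */
    for (int fault = 0; fault <= 7; fault++) {
        struct secure_store s;
        init_store(&s, "BootOrder=0000;SecureBoot=0");   /* constructed current state */
        int done = ftw_repave(&s, payload, fault);
        int boot = ftw_recover(&s);
        printf("fault=%d completed=%d boot=%d primary=%s\n", fault, done, boot, (const char *)s.primary.vars);
    }
    return 0;
}
```

Two properties of the simulation are the ones that matter in a real FTW driver. Each transaction record is written by clearing bits in an already-erased byte, so progress can be recorded without an erase cycle. And recovery prefers the primary region whenever it validates, which is why a fault after step 3 (payload committed, backup not yet erased) resolves as a completed update rather than a rollback, while a fault during step 3 leaves a half-programmed primary that fails validation and is restored from the spare. A production implementation would authenticate the payload before step 1 and would use a stronger integrity check than a one-byte sum, which a partially programmed store can match by chance.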
Specification