Description
@mlvisaya, I see another challenge in meeting FW Update for SSDs (NVMe Commit) -
We need to have a standalone Verify only operation as well for Caliptra FWs.
Summary of the challenge:
NVMe Commit gives the option of the configurations below. There are cases where immediate activation of the new incoming image is not warranted.
CA=000 - Downloaded image replaces the existing image, if any, in the specified Firmware Slot. The newly placed image is not activated.
CA=001 - Downloaded image replaces the existing image, if any, in the specified Firmware Slot. The newly placed image is activated at the next Controller Level Reset.
CA=010 - The existing image in the specified Firmware Slot is activated at the next Controller Level Reset.
CA=011 - Downloaded image replaces the existing image, if any, in the specified Firmware Slot and is then activated immediately - similar to our hitless update.
-- My recommendation --
Post 2.1 (Reduced Caliptra Mailbox) – SoC Provides Protected SRAM Memory
Option 1: Mutable Verification
Flow: MCU RT updates protected SRAM with Caliptra FW and triggers Verify Only; verification is done by Caliptra RT FW (mutable).
Option 2: Immutable Verification
Flow: MCU RT updates protected SRAM with Caliptra FW and triggers Update Reset; Caliptra ROM (immutable) verifies but does not activate the image.
Originally posted by @RaunakGu in #330 (comment)