
On 01/26/2012 11:34 AM, Peter Barada wrote:
On 01/26/2012 12:27 PM, Scott Wood wrote:
Why are two copies insufficient for that?
Two copies are sufficient, if none of the blocks ever go bad.
To simplify things, suppose the environment is the same size as a block and you have only two blocks (and two copies) to hold the environment. If one block goes bad, then there is a window, between when the one remaining block is erased and when it is written with the environment, in which a power failure leaves no environment in NAND.
It seems unlikely, but possible I guess. Currently I don't think we dynamically mark blocks bad at all in U-Boot, except in things like ubi and yaffs.
To solve this I can crank up the number of blocks to three, which allows one block to go bad and still at all times have one good copy of the environment in NAND. But looking at writeenv(), it stops as soon as either nand_write fails or one copy of the environment is written. So it could make sense to modify writeenv to write as many copies of the environment as fit into CONFIG_ENV_RANGE, and have readenv read out copies and verify them until it finds a good one.
This isn't what CONFIG_ENV_RANGE is about. I think it would make more sense to change REDUND to support more than two copies (each with their own range).
Probably better to never update the environment in the field -- source a script in a ubi partition instead.
-Scott
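The power-fail window Peter describes, and the write-every-copy / read-until-one-verifies scheme he proposes, as an added simulation that is not U-Boot code and not part of this thread. The blocks are a constructed model; env_block, live_copies, pick_newest_valid, oldest_usable and min_live_during_update are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of an environment kept in n redundant NAND blocks.
 * All names here are hypothetical and not U-Boot's own. */
struct env_block { bool bad, valid; uint32_t serial; }; /* bad: marked bad; valid: verifies; serial: newer is higher */

/* Copies a reader could load right now. */
static int live_copies(const struct env_block *b, int n)
{
    int live = 0;
    for (int i = 0; i < n; i++)
        live += !b[i].bad && b[i].valid;
    return live;
}
/* readenv-style scan: newest copy that is usable and verifies, -1 if none. */
int pick_newest_valid(const struct env_block *b, int n)
{
    int best = -1;
    for (int i = 0; i < n; i++)
        if (!b[i].bad && b[i].valid && (best < 0 || b[i].serial > b[best].serial))
            best = i;
    return best;
}
/* Usable block holding the oldest generation: the one writeenv overwrites first. */
static int oldest_usable(const struct env_block *b, int n)
{
    int idx = -1;
    for (int i = 0; i < n; i++)
        if (!b[i].bad && (idx < 0 || b[i].serial < b[idx].serial))
            idx = i;
    return idx;
}
/* One update that rewrites every usable copy, oldest first, with block bad_index
 * (-1 for none) already bad. Each rewrite erases before programming, so that copy is
 * unreadable in between. Returns the fewest live copies seen at any step; 0 means a
 * power cut in that window leaves no environment in NAND. */
int min_live_during_update(int n, int bad_index)
{
    struct env_block b[8];                  /* constructed copies, n <= 8 */
    for (int i = 0; i < n; i++)
        b[i] = (struct env_block){ i == bad_index, i != bad_index, 1 };
    int usable = live_copies(b, n), min_live = usable;
    for (int k = 0; k < usable; k++) {
        int i = oldest_usable(b, n);
        b[i].valid = false;                 /* erased: gone until programmed again */
        if (live_copies(b, n) < min_live)
            min_live = live_copies(b, n);
        b[i].valid = true, b[i].serial = 2; /* programmed with the new generation */
    }
    return min_live;
}
```

With two copies and one bad block the minimum drops to zero, which is the window Peter describes; with three copies and one bad block a copy stays readable throughout.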