Dear Wolfgang,
I havn't seen the scripts of Alexandre but it sounds something like what we have already implemented.
Wolfgang Denk wrote:
Please note that this is a feature standardized for example in the Open Source Development Labs Carrier Grade Linux Requirements Definition, which says something like: "CGL shall provide support for detecting a repeating reboot cycle due to recurring failures and will go to an offline state if this occurs."
As I read Alexandre, the aim is to revert to a previous functional image, not to go to an offline state.
Normally you want to avoid all erase / write operations to the boot loader and it's private data structures in the process of a normal reboot / reset.
But a failing boot is not a normal boot. This should only occur when an update fails. After a maximum number of failing boots, the old functional image is used and there is no need to update the counter any more.
Best Regards, Mats