1# PSU firmware update
2
3Author: Lei YU <mine260309@gmail.com> <LeiYU>
4
5Other contributors: Su Xiao <suxiao@inspur.com> Derek Howard <derekh@us.ibm.com>
6
7Created: 2019-06-03
8
9## Problem Description
10
11There is no support in OpenBMC to update the firmware for PSUs.
12
13## Background and References
14
15In OpenBMC, there is an existing interface for [software update][1].
16
17The update process consists of:
18
191. Uploading an image to the BMC;
202. Processing the image to check the version and purpose of the image;
213. Verifying and activating the image.
22
23Currently, BMC and BIOS firmware update are supported:
24
25- [phosphor-bmc-code-mgmt][2] implements BMC code update, and it supports all
26  the above 3 processes.
27- [openpower-pnor-code-mgmt][3] implements BIOS code update, and it only
28  implements "verifying and activating" the image. It shares the function of the
29  above 1 & 2 processes.
30- Both of the above use the same [Software DBus interface][1].
31
32For PSU firmware update, it is preferred to re-use the same function for the
33above 1 & 2.
34
35## Requirements
36
37The PSU firmware shall be updated in the below cases:
38
391. The user manually invokes the APIs to do the update;
402. After BMC code update and if there is a newer PSU image in the BMC's
41   filesystem, BMC shall update the PSU firmware;
423. When a PSU is replaced and the version is older than the one in BMC's
43   filesystem, BMC shall update the PSU firmware.
444. An optional 'override' parameter may be specified to do the update in the
45   above cases regardless of which PSU image is newer.
465. There are cases that a system could use different models of PSUs, and thus
47   different PSU firmware images need to be supported.
48
49For some PSUs, it is risky to do PSU code update while the host is running to
50avoid power loss. This shall be handled by PSU vendor-specific tools, but not in
51the generic framework.
52
53Note: The "vendor-specific" referred below is the PSU vendor-specific.
54
55So the below checks are optional and expected to be handled by vendor-specific
56tool:
57
581. If the host is powered off;
592. If the redundant PSUs are all connected;
603. If the AC input and DC standby output is OK on all the PSUs;
61
62## Proposed Design
63
64As described in the above requirements, there are different cases where the PSU
65firmware is updated:
66
67- When the APIs are invoked;
68- When a new version is updated together with BMC code update;
69- When a PSU is replaced with an old version of the firmware.
70
71### Update by API
72
73This method is usually used by users who manually update PSU firmware.
74
75It will re-use the current interfaces to upload, verify, and activate the image.
76
771. The "Version" interface needs to be extended:
78   - Add a new [VersionPurpose][4] for PSU;
79   - Re-use the existing `ExtendedVersion` as an additional string for
80     vendor-specific purpose, e.g. to indicate the PSU model.
812. Re-use the existing functions implemented by [phosphor-bmc-code-mgmt][2] for
82   uploading and processing the image.
83   - The PSU update image shall be a tarball that consists of a MANIFEST,
84     images, and signatures.
85   - When the PSU image is uploaded and processed, a `VersionObject` shall be
86     created to indicate the version and its purpose.
873. There will be a new service that implements the [Activation][5] interface to
88   update the PSU firmware.
89   - The service will be started by default when BMC starts;
90   - On start, the service will check the PSU's existing firmware and create the
91     `Version` and `Activation` interfaces.
92   - The service shall watch the interface added on
93     `/xyz/openbmc_project/Software`.
94   - When a new object with PSU `VersionPurpose` is added, the service will
95     verify the signature of the image;
96   - The service shall check the `ExtendedVersion` to make sure the image
97     matches the PSU model.
98   - The service will have a configuration file to describe the PSU model and
99     its related vendor-specific tools.
100   - The service will find the matched vendor-specific tool to perform the code
101     update. For example, if a vendor specific tool `foo` is configured in
102     `psu-update@foo.service` which executes `foo psu.bin`, the service will
103     find the `psu-update@foo.service` and start it by systemd, which performs
104     the update.
105   - When the PSU code update is completed, an informational event log shall be
106     created.
107   - When the PSU code update is completed, the image, MANIFEST, and optionally
108     the signature will be saved to a pre-defined directory in read-write
109     filesystem for future use, in case a new PSU with old firmware is plugged.
1104. The vendor-specific tool shall run all the checks it needs to be run, before
111   and after the PSU update, and return a status to the above service to
112   indicate the result.
1135. When the vendor-specific tool returns errors, the PSU update will be aborted
114   and an error event log shall be created.
1156. During the update, the service shall set the related sensors to
116   non-functional, and when the update is done, it shall set the related sensors
117   back to functional.
118
119### Update by new BMC image
120
121When BMC is updated and a new version of PSU firmware is included, it shall be
122updated to the PSU. This will be done by the same service described above.
123
1241. On start, the service will check the PSU image, model and version in its
125   filesystem, compare with the ones in PSU hardware and decide if PSU firmware
126   update shall be performed.
1272. There could be two places containing the PSU images:
128   - The pre-defined directory in read-only filesystem, which is part of BMC
129     image.
130   - The other pre-defined directory in read-write filesystem, which is the
131     location for the saved PSU images by API update. Both places shall be
132     checked and a newer version will be selected to compare with the PSU
133     hardware.
1343. If PSU update is needed, the service will find the matched vendor-specific
135   tool to perform the code update.
1364. The following process will be the same as [Update by API].
137
138### Update on replaced PSU
139
140When a PSU is replaced, and the firmware version is older than the one in BMC
141filesystem (or if the optional 'override' parameter is specified), it shall be
142updated. This will be done by the same service described above.
143
1441. On start, the service will subscribe to the PropertiesChanged signal to the
145   PSU object path to monitor the PSU presence status. (Or maybe subscribe the
146   InterfacesAdded/Removed signal?)
1472. When a PSU's presence status is changed from false to true (or the
148   PropertiesChanged event occurs), the service will check the new PSU's model
149   and firmware version to decide if the firmware needs to be updated.
1503. If yes, the service will find the matched vendor-specific tool to perform the
151   code update.
1524. The following process will be the same as [Update by API].
153
154## Alternatives Considered
155
156### General implementation
157
158The PSU firmware update could be implemented by separated recipes that only call
159vendor-specific tools. It will be a bit simpler but loses the unified interface
160provided by OpenBMC's existing [software update interface][1], and thus it will
161become difficult to use a standard API to the PSU firmware update.
162
163### VersionPurpose
164
165It is possible to re-use the `VersionPurpose.Other` to represent the PSU image's
166version purpose. But that requires additional information about the image,
167otherwise, there is no way to tell if the image is for PSU, or CPLD, or other
168peripherals. A new `VersionPurpose.PSU` is more specific and makes it easier to
169implement and friendly for the user.
170
171### Additional string
172
173The design proposal uses `ExtendedVersion` as the additional string for
174vendor-specific purpose, e.g. to indicate the PSU model, so the implementation
175could check and compare if the image matches the PSU model. It is possible to
176make it optional or remove this additional string, then the implementation will
177not verify if the image matches the PSU. It could be OK if we trust the user who
178is uploading the correct image, especially the image shall be signed. But it is
179always risky in case the image does not match the PSU, and cause unintended
180damage if the incorrect PSU firmware is updated.
181
182## Impacts
183
184This design only introduces a new `VersionPurpose` enum into the dbus
185interfaces. The newly introduced PSU firmware update service will be a new
186service that implements existing [Activation][5] interface. There will be new
187configuration files for the service to:
188
189- Link the vendor specific tool with PSU models.
190- Get the sensors related to the PSU.
191- etc.
192
193So the impacts are minimal to existing systems.
194
195## Testing
196
197It requires the manual tests to verify the PSU code update process.
198
199- Verify the PSU code update is done on all PSUs successfully;
200- Verify the PSU code update will fail if the vendor-specific tool fails on
201  pre-condition check, of fails on updating PSU.
202- Verify the PSU code update is performed after a new BMC image is updated
203  containing a new (or different, if 'override' used) version of PSU firmware.
204- Verify the PSU code update is performed after a PSU with old (or different, if
205  'override' is used) firmware is plugged in.
206
207[1]:
208  https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/yaml/xyz/openbmc_project/Software
209[2]: https://github.com/openbmc/phosphor-bmc-code-mgmt/
210[3]: https://github.com/openbmc/openpower-pnor-code-mgmt/
211[4]:
212  https://github.com/openbmc/phosphor-dbus-interfaces/blob/57b878d048f929643276f1bf7fdf750abc4bde8b/xyz/openbmc_project/Software/Version.interface.yaml#L14
213[5]:
214  https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/yaml/xyz/openbmc_project/Software/Activation.interface.yaml
215