From a6cba066018b2c519bcb899dc16b863babb5c77a Mon Sep 17 00:00:00 2001
From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Date: Tue, 21 Sep 2021 13:30:33 +0300
Subject: [PATCH] Fixes on documentation

- Mandate a watchdog
- Prohibit simultaneous update of firmware/OS
- Strongly advise dual-bank updates in case of a rollback bump

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 source/chapter1-about.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source/chapter1-about.rst b/source/chapter1-about.rst
index e424214..3b5b38e 100644
--- a/source/chapter1-about.rst
+++ b/source/chapter1-about.rst
@@ -67,6 +67,9 @@ Assumptions
   components and multiplexing boot combinations can be very challenging.  In this document we treat
   the firmware as a single entity regardless of the components it comprises.
   Failing to update one of the components will lead to rollbacks of every affected component
+- Updating the firmware and the OS at the same time is prohibited.
+- A hardware watchdog must always be active at least in BL33.  It's advisable 
+  the watchdog is activated on earlier boot stages as well.
 
 .. [#UEFICapsuleUpdateNote] [UEFI]_ 2.8B ยง 23 - Firmware Update and Reporting
 
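Review bot: the new bullet at "It's advisable the watchdog is activated on earlier boot stages as well" is ungrammatical and has trailing whitespace after "advisable"; suggest "It is advisable that the watchdog is also activated in earlier boot stages." The preceding bullet, "Updating the firmware and the OS at the same time is prohibited", should say what "at the same time" means, i.e. whether it forbids carrying both in one update transaction or merely applying them in the same boot cycle, since the fallback rules later in this chapter depend on which one is meant. The watchdog requirement would also read better with a short statement of what the watchdog reset is expected to achieve (falling back to the secondary partition described below), otherwise the reader has to infer why BL33 is the mandatory stage.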
@@ -112,6 +115,12 @@ during an update.  If the secondary partition contains a valid firmware and the
 is unable to boot the device (e.g flash corruption),  the device is allowed to fallback on the
 secondary partition.
 
+If the update is going to update the rollback counters it's strongly advised to update both of the
+partitions.  In that case the upgrade process will run once to update the secondary partition.  Once
+that's finished and accepted,  the firmware update agent should update the former primary partition
+as well.  This process must not necessarily go through the entire update procedure.  Simply writing
+and verifying the firmware is enough.
+
 .. image:: images/rollback_protection_simple.png
   :width: 200px
   :align: center
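Review bot: "This process must not necessarily go through the entire update procedure" says the opposite of what is intended; "must not" reads as a prohibition, so change it to "This second pass need not go through the entire update procedure." Two more wording points in the same paragraph: "If the update is going to update the rollback counters it's strongly advised" needs a comma after "counters" and "it is" rather than "it's" in normative text, and "Once that's finished and accepted" should name who accepts the image (the firmware update agent, after the new primary has booted successfully). The paragraph would also be stronger if it stated the rationale it currently leaves implicit: once the rollback counter has been bumped, a secondary partition still holding the old firmware can no longer be used as the fallback described in the preceding paragraph, which is why both partitions must carry the new image before the counter moves.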
-- 
GitLab