Fall back option in case verification of boot image fails (32.1.0)

Does c-boot have support for a fall-back option (to a golden image) in case verification of the primary boot image fails?

Also, could you please let me know when the c-boot source code for 32.1.0 will be posted?


Hi rayees,

u-boot should be able to do that. Since you are on tx2, I think u-boot is still there. Why do you want to use cboot for this feature?


  1. Could you please explain how u-boot is handling the golden images?

  2. My reason for considering c-boot
    My understanding is that the signing/encryption process will sign and encrypt the next stage bootloader to be verified and decrypted by c-boot. Currently, the next stage bootloader for c-boot is either u-boot or the Linux kernel.

If I want the kernel to be both signed and encrypted, then my only option is to use c-boot and the kernel as the next stage and skip the u-boot stage.

If I use u-boot as the next stage after c-boot, then the verification and decryption of the kernel is not handled by the Nvidia tools, as I understand. Please let me know if this is not the case.

  • Rayees

For u-boot, the only mechanism is to add something like below in extlinux.conf, so user can fallback to back up image.

# When testing a custom kernel, it is recommended that you create a backup of
# the original kernel and add a new entry to this file so that the device can
# fallback to the original kernel. To do this:
# 1, Make a backup of the original kernel
#      sudo cp /boot/Image /boot/Image.backup
# 2, Copy your custom kernel into /boot/Image
# 3, Uncomment below menu setting lines for the original kernel
# 4, Reboot

# LABEL backup
#    MENU LABEL backup kernel
#    LINUX /boot/Image.backup
#    INITRD /boot/initrd
#    APPEND ${cbootargs}

We are still checking the capability of c-boot for you query.


The scenario that you are describing is one in which we make the selection in u-boot manually. We won’t have this option in production mode.

The scenario we are considering is that in which the primary image becomes corrupt due to some reason (could be a update process gone wrong). In this case, we want to seamlessly switch to the golden image during runtime so that the system doesn’t stall.

  • Rayees

A/B redundancy of cboot should handle this part. Even for sign/crypto case.