lib/fuchsia/pkg/abr/flow.c - u-boot - Git at Google

 /* Copyright 2019 The Fuchsia Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */

 #include <lib/abr/abr.h>
 #include <lib/abr/data.h>
 #include <lib/abr/util.h>

 /* Initializes |data| with default valid values. Both A/B slots will be marked as bootable, but not
  * successful, with a full set of retries. Slot A will be higher priority.
  */
 static void abr_data_init(AbrData* data) {
   AbrMemset(data, 0, sizeof(*data));
   AbrMemcpy(data->magic, kAbrMagic, kAbrMagicLen);
   data->version_major = kAbrMajorVersion;
   data->version_minor = kAbrMinorVersion;
   data->slot_data[0].priority = kAbrMaxPriority;
   data->slot_data[0].tries_remaining = kAbrMaxTriesRemaining;
   data->slot_data[0].successful_boot = 0;
   data->slot_data[1].priority = kAbrMaxPriority - 1;
   data->slot_data[1].tries_remaining = kAbrMaxTriesRemaining;
   data->slot_data[1].successful_boot = 0;
 }

 /* Deserializes and validates |size| bytes from |buffer|. On success, |dest| is populated with the
  * valid data and kAbrResultOk is returned.
  */
 static AbrResult abr_data_deserialize(const uint8_t* buffer, size_t size, AbrData* dest) {
   if (size < sizeof(*dest)) {
     ABR_ERROR("Wrong serialized data size.\n");
     return kAbrResultErrorInvalidData;
   }

   AbrMemcpy(dest, buffer, sizeof(*dest));

   /* Ensure magic is correct. */
   if (AbrSafeMemcmp(dest->magic, kAbrMagic, kAbrMagicLen) != 0) {
     ABR_ERROR("Magic is incorrect.\n");
     return kAbrResultErrorInvalidData;
   }

   /* Bail if CRC32 doesn't match. */
   dest->crc32 = AbrBigEndianToHost(dest->crc32);
   if (dest->crc32 != AbrCrc32(dest, sizeof(*dest) - sizeof(uint32_t))) {
     ABR_ERROR("CRC32 does not match.\n");
     return kAbrResultErrorInvalidData;
   }

   /* Ensure we don't attempt to access any fields if the major version is not supported. */
   if (dest->version_major > kAbrMajorVersion) {
     ABR_ERROR("No support for given major version.\n");
     return kAbrResultErrorUnsupportedVersion;
   }

   return kAbrResultOk;
 }

 /* Updates the checksum and serializes |src| to |dest| which must point to at least sizeof(AbrData)
  * bytes.
  */
 static void abr_data_serialize(AbrData* src, uint8_t* dest) {
   src->crc32 = AbrHostToBigEndian(AbrCrc32(src, sizeof(*src) - sizeof(uint32_t)));
   AbrMemcpy(dest, src, sizeof(*src));
 }

 static bool is_slot_bootable(const AbrSlotData* slot) {
   return (slot->priority > 0) && (slot->successful_boot || (slot->tries_remaining > 0));
 }

 static void set_slot_unbootable(AbrSlotData* slot) {
   slot->priority = 0;
   slot->tries_remaining = 0;
   slot->successful_boot = 0;
 }

 static bool is_slot_active(const AbrData* abr_data, AbrSlotIndex slot_index) {
   AbrSlotIndex active_slot =
       (abr_data->slot_data[kAbrSlotIndexB].priority > abr_data->slot_data[kAbrSlotIndexA].priority)
           ? kAbrSlotIndexB
           : kAbrSlotIndexA;
   if (!is_slot_bootable(&abr_data->slot_data[active_slot])) {
     active_slot = kAbrSlotIndexR;
   }
   return (active_slot == slot_index);
 }

 /* Ensure all unbootable or invalid states are marked as the canonical 'unbootable' state. That is,
  * priority=0, tries_remaining=0, and successful_boot=0.
  */
 static void slot_normalize(AbrSlotData* slot) {
   if (slot->priority > 0) {
     if ((slot->tries_remaining == 0) && !slot->successful_boot) {
       /* We've exhausted all tries -> unbootable. */
       set_slot_unbootable(slot);
     }
     if ((slot->tries_remaining > 0) && slot->successful_boot) {
       /* Illegal state - AbrMarkSlotSuccessful() will clear tries_remaining when setting
        * successful_boot. Reset to not successful state.
        */
       slot->tries_remaining = kAbrMaxTriesRemaining;
       slot->successful_boot = 0;
     }
     if (slot->priority > kAbrMaxPriority) {
       slot->priority = kAbrMaxPriority;
     }
     if (slot->tries_remaining > kAbrMaxTriesRemaining) {
       slot->tries_remaining = kAbrMaxTriesRemaining;
     }
   } else {
     set_slot_unbootable(slot);
   }
 }

 /* Saves |abr_data| to persistent storage, overwriting any existing persistent state. */
 static AbrResult save_metadata(const AbrOps* abr_ops, AbrData* abr_data) {
   uint8_t serialized[sizeof(*abr_data)];

   ABR_DEBUG("Writing A/B metadata to disk.\n");

   abr_data_serialize(abr_data, serialized);

   if (abr_ops->write_abr_metadata == NULL) {
     ABR_ERROR("Failed to write metadata (not implemented).\n");
     return kAbrResultErrorIo;
   }

   if (!abr_ops->write_abr_metadata(abr_ops->context, serialized, sizeof(serialized))) {
     ABR_ERROR("Failed to write metadata.\n");
     return kAbrResultErrorIo;
   }

   return kAbrResultOk;
 }

 /* Loads |abr_data| from persistent storage and normalizes it, initializing new data if necessary.
  * Changes as a result of normalization are not written back to persistent storage but a copy of the
  * exact original data from persistent storage is provided in |abr_data_orig| for future use with
  * save_metadata_if_changed().
  *
  * On success, populates abr_data, abr_data_orig, and returns kAbrResultOk. On failure an
  * ABR_RESULT_ERROR* error code is returned and the contents of abr_data and abr_data_orig are
  * undefined.
  */
 static AbrResult load_metadata(const AbrOps* abr_ops, AbrData* abr_data, AbrData* abr_data_orig) {
   AbrResult result = kAbrResultOk;
   uint8_t serialized[sizeof(*abr_data)];

   if (abr_ops->read_abr_metadata == NULL) {
     ABR_ERROR("Failed to read metadata (not implemented).\n");
     return kAbrResultErrorIo;
   }

   if (!abr_ops->read_abr_metadata(abr_ops->context, sizeof(serialized), serialized)) {
     ABR_ERROR("Failed to read metadata.\n");
     return kAbrResultErrorIo;
   }

   result = abr_data_deserialize(serialized, sizeof(serialized), abr_data);
   if (result == kAbrResultErrorUnsupportedVersion) {
     /* We don't want to clobber valid data in persistent storage, but we can't use this data, so
      * bail out.
      */
     return result;
   } else if (result != kAbrResultOk) {
     /* No valid data exists. Use default data and set original data to trigger update. */
     abr_data_init(abr_data);
     AbrMemset(abr_data_orig, 0, sizeof(*abr_data_orig));
     return kAbrResultOk;
   }

   *abr_data_orig = *abr_data;
   slot_normalize(&abr_data->slot_data[kAbrSlotIndexA]);
   slot_normalize(&abr_data->slot_data[kAbrSlotIndexB]);
   return kAbrResultOk;
 }

 /* Writes metadata to disk only if it has changed. |abr_data_orig| should be from load_metadata().
  */
 static AbrResult save_metadata_if_changed(const AbrOps* abr_ops, AbrData* abr_data,
                                           AbrData* abr_data_orig) {
   if (AbrSafeMemcmp(abr_data, abr_data_orig, sizeof(*abr_data)) == 0) {
     return kAbrResultOk;
   }

   return save_metadata(abr_ops, abr_data);
 }

 static bool check_slot_index(AbrSlotIndex slot_index) {
   if (slot_index < kAbrSlotIndexA || slot_index > kAbrSlotIndexR) {
     ABR_ERROR("Invalid slot index.\n");
     return false;
   }
   return true;
 }

 AbrSlotIndex AbrGetBootSlot(const AbrOps* abr_ops, bool update_metadata,
                             bool* is_slot_marked_successful) {
   AbrData abr_data, abr_data_orig;
   AbrResult result = kAbrResultOk;
   AbrSlotIndex slot_to_boot = kAbrSlotIndexR;
   if (is_slot_marked_successful)
     *is_slot_marked_successful = false;

   result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
   if (result != kAbrResultOk) {
     ABR_ERROR("Failed to load metadata, falling back to recovery mode.\n");
     return kAbrSlotIndexR;
   }

   /* One-shot recovery boot has the highest priority if metadata can be updated. */
   if (abr_data.one_shot_recovery_boot && update_metadata) {
     abr_data.one_shot_recovery_boot = 0;
     if (save_metadata(abr_ops, &abr_data) == kAbrResultOk) {
       return kAbrSlotIndexR;
     }
     ABR_ERROR("Failed to update one-shot state. Ignoring one-shot request.\n");
     /* Put it back how it was, maybe a later boot stage will be able to handle it. */
     abr_data.one_shot_recovery_boot = 1;
   }

   /* Choose the highest priority slot. This logic assumes normalized metadata. */
   slot_to_boot =
       (abr_data.slot_data[kAbrSlotIndexB].priority > abr_data.slot_data[kAbrSlotIndexA].priority)
           ? kAbrSlotIndexB
           : kAbrSlotIndexA;
   if (is_slot_bootable(&abr_data.slot_data[slot_to_boot])) {
     if (is_slot_marked_successful && abr_data.slot_data[slot_to_boot].successful_boot) {
       *is_slot_marked_successful = true;
     }
   } else {
     ABR_DEBUG("All slots are unbootable, falling back to recovery mode.\n");
     slot_to_boot = kAbrSlotIndexR;
   }

   if (update_metadata) {
     /* In addition to any changes that resulted from normalization, there are a couple changes to be
      * made here. First is to decrement the tries remaining for a slot not yet marked as successful.
      */
     if ((slot_to_boot != kAbrSlotIndexR) && !abr_data.slot_data[slot_to_boot].successful_boot) {
       abr_data.slot_data[slot_to_boot].tries_remaining--;
     }
     /* Second is to clear the successful_boot bit from any successfully-marked slots that aren't the
      * slot we're booting. It's possible that booting from one slot will render the other slot
      * unbootable (say, by migrating a config file format in a shared partiton). Clearing these bits
      * minimizes the risk we'll have an unhealthy slot marked "successful_boot", which would prevent
      * the system from automatically booting into recovery.
      */
     if ((slot_to_boot != kAbrSlotIndexA) && abr_data.slot_data[kAbrSlotIndexA].successful_boot) {
       abr_data.slot_data[kAbrSlotIndexA].tries_remaining = kAbrMaxTriesRemaining;
       abr_data.slot_data[kAbrSlotIndexA].successful_boot = 0;
     }
     if ((slot_to_boot != kAbrSlotIndexB) && abr_data.slot_data[kAbrSlotIndexB].successful_boot) {
       abr_data.slot_data[kAbrSlotIndexB].tries_remaining = kAbrMaxTriesRemaining;
       abr_data.slot_data[kAbrSlotIndexB].successful_boot = 0;
     }

     result = save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
     if (result != kAbrResultOk) {
       /* We have no choice but to proceed without updating metadata. */
       ABR_ERROR("Failed to update metadata, proceeding anyways.\n");
     }
   }

   return slot_to_boot;
 }

 const char* AbrGetSlotSuffix(AbrSlotIndex slot_index) {
   static const char* slot_suffixes[] = {"_a", "_b", "_r"};
   if (!check_slot_index(slot_index)) {
     return "";
   }
   return slot_suffixes[slot_index];
 }

 AbrResult AbrMarkSlotActive(const AbrOps* abr_ops, AbrSlotIndex slot_index) {
   AbrData abr_data, abr_data_orig;
   AbrSlotIndex other_slot_index;
   AbrResult result;

   if (!check_slot_index(slot_index)) {
     return kAbrResultErrorInvalidData;
   }

   if (slot_index == kAbrSlotIndexR) {
     ABR_ERROR("Invalid argument: Cannot mark slot R as active.\n");
     return kAbrResultErrorInvalidData;
   }

   result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
   if (result != kAbrResultOk) {
     return result;
   }

   /* Make requested slot top priority, unsuccessful, and with max tries. */
   abr_data.slot_data[slot_index].priority = kAbrMaxPriority;
   abr_data.slot_data[slot_index].tries_remaining = kAbrMaxTriesRemaining;
   abr_data.slot_data[slot_index].successful_boot = 0;

   /* Ensure other slot doesn't have as high a priority. */
   other_slot_index = 1 - slot_index;
   if (abr_data.slot_data[other_slot_index].priority == kAbrMaxPriority) {
     abr_data.slot_data[other_slot_index].priority--;
   }

   return save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
 }

 AbrResult AbrMarkSlotUnbootable(const AbrOps* abr_ops, AbrSlotIndex slot_index) {
   AbrData abr_data, abr_data_orig;
   AbrResult result;

   if (!check_slot_index(slot_index)) {
     return kAbrResultErrorInvalidData;
   }

   if (slot_index == kAbrSlotIndexR) {
     ABR_ERROR("Invalid argument: Cannot mark slot R as unbootable.\n");
     return kAbrResultErrorInvalidData;
   }

   result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
   if (result != kAbrResultOk) {
     return result;
   }

   set_slot_unbootable(&abr_data.slot_data[slot_index]);

   return save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
 }

 AbrResult AbrMarkSlotSuccessful(const AbrOps* abr_ops, AbrSlotIndex slot_index) {
   AbrData abr_data, abr_data_orig;
   AbrSlotIndex other_slot_index;
   AbrResult result;

   if (!check_slot_index(slot_index)) {
     return kAbrResultErrorInvalidData;
   }

   if (slot_index == kAbrSlotIndexR) {
     ABR_ERROR("Invalid argument: Cannot mark slot R as successful.\n");
     return kAbrResultErrorInvalidData;
   }

   result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
   if (result != kAbrResultOk) {
     return result;
   }

   if (!is_slot_bootable(&abr_data.slot_data[slot_index])) {
     ABR_ERROR("Invalid argument: Cannot mark unbootable slot as successful.\n");
     return kAbrResultErrorInvalidData;
   }

   abr_data.slot_data[slot_index].tries_remaining = 0;
   abr_data.slot_data[slot_index].successful_boot = 1;

   /* Remove any success mark on the other slot.
    *
    * TODO(fxbug.dev/64255): Remove this logic once the fix for fxbug.dev/64057 has rolled out.
    */
   other_slot_index = 1 - slot_index;
   if (is_slot_bootable(&abr_data.slot_data[other_slot_index])) {
     abr_data.slot_data[other_slot_index].tries_remaining = kAbrMaxTriesRemaining;
     abr_data.slot_data[other_slot_index].successful_boot = 0;
   }
   return save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
 }

 AbrResult AbrGetSlotInfo(const AbrOps* abr_ops, AbrSlotIndex slot_index, AbrSlotInfo* info) {
   AbrData abr_data, abr_data_orig;
   AbrResult result;

   if (info == NULL) {
     ABR_ERROR("Invalid argument: |info| cannot be NULL.\n");
     return kAbrResultErrorInvalidData;
   }

   AbrMemset(info, 0, sizeof(*info));

   if (!check_slot_index(slot_index)) {
     return kAbrResultErrorInvalidData;
   }

   result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
   if (result != kAbrResultOk) {
     return result;
   }

   if (slot_index == kAbrSlotIndexR) {
     /* Assume that R slot is always OK. */
     info->is_bootable = true;
     info->is_active = is_slot_active(&abr_data, kAbrSlotIndexR);
     info->is_marked_successful = true;
     info->num_tries_remaining = 0;
     return kAbrResultOk;
   }

   info->is_bootable = is_slot_bootable(&abr_data.slot_data[slot_index]);
   info->is_active = is_slot_active(&abr_data, slot_index);
   info->is_marked_successful = abr_data.slot_data[slot_index].successful_boot;
   info->num_tries_remaining = abr_data.slot_data[slot_index].tries_remaining;

   return kAbrResultOk;
 }

 AbrResult AbrSetOneShotRecovery(const AbrOps* abr_ops, bool enable) {
   AbrData abr_data, abr_data_orig;
   AbrResult result;

   result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
   if (result != kAbrResultOk) {
     return result;
   }

   abr_data.one_shot_recovery_boot = enable ? 1 : 0;

   return save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
 }

 /* Additional API needed for Estelle. */
 bool AbrIsValidMetadata(const uint8_t* buffer, size_t size) {
   AbrData data;
   return abr_data_deserialize(buffer, size, &data) == kAbrResultOk;
 }
	/* Copyright 2019 The Fuchsia Authors. All rights reserved.
	* Use of this source code is governed by a BSD-style license that can be
	* found in the LICENSE file.
	*/

	#include <lib/abr/abr.h>
	#include <lib/abr/data.h>
	#include <lib/abr/util.h>

	/* Initializes \|data\| with default valid values. Both A/B slots will be marked as bootable, but not
	* successful, with a full set of retries. Slot A will be higher priority.
	*/
	static void abr_data_init(AbrData* data) {
	AbrMemset(data, 0, sizeof(*data));
	AbrMemcpy(data->magic, kAbrMagic, kAbrMagicLen);
	data->version_major = kAbrMajorVersion;
	data->version_minor = kAbrMinorVersion;
	data->slot_data[0].priority = kAbrMaxPriority;
	data->slot_data[0].tries_remaining = kAbrMaxTriesRemaining;
	data->slot_data[0].successful_boot = 0;
	data->slot_data[1].priority = kAbrMaxPriority - 1;
	data->slot_data[1].tries_remaining = kAbrMaxTriesRemaining;
	data->slot_data[1].successful_boot = 0;
	}

	/* Deserializes and validates \|size\| bytes from \|buffer\|. On success, \|dest\| is populated with the
	* valid data and kAbrResultOk is returned.
	*/
	static AbrResult abr_data_deserialize(const uint8_t* buffer, size_t size, AbrData* dest) {
	if (size < sizeof(*dest)) {
	ABR_ERROR("Wrong serialized data size.\n");
	return kAbrResultErrorInvalidData;
	}

	AbrMemcpy(dest, buffer, sizeof(*dest));

	/* Ensure magic is correct. */
	if (AbrSafeMemcmp(dest->magic, kAbrMagic, kAbrMagicLen) != 0) {
	ABR_ERROR("Magic is incorrect.\n");
	return kAbrResultErrorInvalidData;
	}

	/* Bail if CRC32 doesn't match. */
	dest->crc32 = AbrBigEndianToHost(dest->crc32);
	if (dest->crc32 != AbrCrc32(dest, sizeof(*dest) - sizeof(uint32_t))) {
	ABR_ERROR("CRC32 does not match.\n");
	return kAbrResultErrorInvalidData;
	}

	/* Ensure we don't attempt to access any fields if the major version is not supported. */
	if (dest->version_major > kAbrMajorVersion) {
	ABR_ERROR("No support for given major version.\n");
	return kAbrResultErrorUnsupportedVersion;
	}

	return kAbrResultOk;
	}

	/* Updates the checksum and serializes \|src\| to \|dest\| which must point to at least sizeof(AbrData)
	* bytes.
	*/
	static void abr_data_serialize(AbrData* src, uint8_t* dest) {
	src->crc32 = AbrHostToBigEndian(AbrCrc32(src, sizeof(*src) - sizeof(uint32_t)));
	AbrMemcpy(dest, src, sizeof(*src));
	}

	static bool is_slot_bootable(const AbrSlotData* slot) {
	return (slot->priority > 0) && (slot->successful_boot \|\| (slot->tries_remaining > 0));
	}

	static void set_slot_unbootable(AbrSlotData* slot) {
	slot->priority = 0;
	slot->tries_remaining = 0;
	slot->successful_boot = 0;
	}

	static bool is_slot_active(const AbrData* abr_data, AbrSlotIndex slot_index) {
	AbrSlotIndex active_slot =
	(abr_data->slot_data[kAbrSlotIndexB].priority > abr_data->slot_data[kAbrSlotIndexA].priority)
	? kAbrSlotIndexB
	: kAbrSlotIndexA;
	if (!is_slot_bootable(&abr_data->slot_data[active_slot])) {
	active_slot = kAbrSlotIndexR;
	}
	return (active_slot == slot_index);
	}

	/* Ensure all unbootable or invalid states are marked as the canonical 'unbootable' state. That is,
	* priority=0, tries_remaining=0, and successful_boot=0.
	*/
	static void slot_normalize(AbrSlotData* slot) {
	if (slot->priority > 0) {
	if ((slot->tries_remaining == 0) && !slot->successful_boot) {
	/* We've exhausted all tries -> unbootable. */
	set_slot_unbootable(slot);
	}
	if ((slot->tries_remaining > 0) && slot->successful_boot) {
	/* Illegal state - AbrMarkSlotSuccessful() will clear tries_remaining when setting
	* successful_boot. Reset to not successful state.
	*/
	slot->tries_remaining = kAbrMaxTriesRemaining;
	slot->successful_boot = 0;
	}
	if (slot->priority > kAbrMaxPriority) {
	slot->priority = kAbrMaxPriority;
	}
	if (slot->tries_remaining > kAbrMaxTriesRemaining) {
	slot->tries_remaining = kAbrMaxTriesRemaining;
	}
	} else {
	set_slot_unbootable(slot);
	}
	}

	/* Saves \|abr_data\| to persistent storage, overwriting any existing persistent state. */
	static AbrResult save_metadata(const AbrOps* abr_ops, AbrData* abr_data) {
	uint8_t serialized[sizeof(*abr_data)];

	ABR_DEBUG("Writing A/B metadata to disk.\n");

	abr_data_serialize(abr_data, serialized);

	if (abr_ops->write_abr_metadata == NULL) {
	ABR_ERROR("Failed to write metadata (not implemented).\n");
	return kAbrResultErrorIo;
	}

	if (!abr_ops->write_abr_metadata(abr_ops->context, serialized, sizeof(serialized))) {
	ABR_ERROR("Failed to write metadata.\n");
	return kAbrResultErrorIo;
	}

	return kAbrResultOk;
	}

	/* Loads \|abr_data\| from persistent storage and normalizes it, initializing new data if necessary.
	* Changes as a result of normalization are not written back to persistent storage but a copy of the
	* exact original data from persistent storage is provided in \|abr_data_orig\| for future use with
	* save_metadata_if_changed().
	*
	* On success, populates abr_data, abr_data_orig, and returns kAbrResultOk. On failure an
	* ABR_RESULT_ERROR* error code is returned and the contents of abr_data and abr_data_orig are
	* undefined.
	*/
	static AbrResult load_metadata(const AbrOps* abr_ops, AbrData* abr_data, AbrData* abr_data_orig) {
	AbrResult result = kAbrResultOk;
	uint8_t serialized[sizeof(*abr_data)];

	if (abr_ops->read_abr_metadata == NULL) {
	ABR_ERROR("Failed to read metadata (not implemented).\n");
	return kAbrResultErrorIo;
	}

	if (!abr_ops->read_abr_metadata(abr_ops->context, sizeof(serialized), serialized)) {
	ABR_ERROR("Failed to read metadata.\n");
	return kAbrResultErrorIo;
	}

	result = abr_data_deserialize(serialized, sizeof(serialized), abr_data);
	if (result == kAbrResultErrorUnsupportedVersion) {
	/* We don't want to clobber valid data in persistent storage, but we can't use this data, so
	* bail out.
	*/
	return result;
	} else if (result != kAbrResultOk) {
	/* No valid data exists. Use default data and set original data to trigger update. */
	abr_data_init(abr_data);
	AbrMemset(abr_data_orig, 0, sizeof(*abr_data_orig));
	return kAbrResultOk;
	}

	abr_data_orig = abr_data;
	slot_normalize(&abr_data->slot_data[kAbrSlotIndexA]);
	slot_normalize(&abr_data->slot_data[kAbrSlotIndexB]);
	return kAbrResultOk;
	}

	/* Writes metadata to disk only if it has changed. \|abr_data_orig\| should be from load_metadata().
	*/
	static AbrResult save_metadata_if_changed(const AbrOps* abr_ops, AbrData* abr_data,
	AbrData* abr_data_orig) {
	if (AbrSafeMemcmp(abr_data, abr_data_orig, sizeof(*abr_data)) == 0) {
	return kAbrResultOk;
	}

	return save_metadata(abr_ops, abr_data);
	}

	static bool check_slot_index(AbrSlotIndex slot_index) {
	if (slot_index < kAbrSlotIndexA \|\| slot_index > kAbrSlotIndexR) {
	ABR_ERROR("Invalid slot index.\n");
	return false;
	}
	return true;
	}

	AbrSlotIndex AbrGetBootSlot(const AbrOps* abr_ops, bool update_metadata,
	bool* is_slot_marked_successful) {
	AbrData abr_data, abr_data_orig;
	AbrResult result = kAbrResultOk;
	AbrSlotIndex slot_to_boot = kAbrSlotIndexR;
	if (is_slot_marked_successful)
	*is_slot_marked_successful = false;

	result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
	if (result != kAbrResultOk) {
	ABR_ERROR("Failed to load metadata, falling back to recovery mode.\n");
	return kAbrSlotIndexR;
	}

	/* One-shot recovery boot has the highest priority if metadata can be updated. */
	if (abr_data.one_shot_recovery_boot && update_metadata) {
	abr_data.one_shot_recovery_boot = 0;
	if (save_metadata(abr_ops, &abr_data) == kAbrResultOk) {
	return kAbrSlotIndexR;
	}
	ABR_ERROR("Failed to update one-shot state. Ignoring one-shot request.\n");
	/* Put it back how it was, maybe a later boot stage will be able to handle it. */
	abr_data.one_shot_recovery_boot = 1;
	}

	/* Choose the highest priority slot. This logic assumes normalized metadata. */
	slot_to_boot =
	(abr_data.slot_data[kAbrSlotIndexB].priority > abr_data.slot_data[kAbrSlotIndexA].priority)
	? kAbrSlotIndexB
	: kAbrSlotIndexA;
	if (is_slot_bootable(&abr_data.slot_data[slot_to_boot])) {
	if (is_slot_marked_successful && abr_data.slot_data[slot_to_boot].successful_boot) {
	*is_slot_marked_successful = true;
	}
	} else {
	ABR_DEBUG("All slots are unbootable, falling back to recovery mode.\n");
	slot_to_boot = kAbrSlotIndexR;
	}

	if (update_metadata) {
	/* In addition to any changes that resulted from normalization, there are a couple changes to be
	* made here. First is to decrement the tries remaining for a slot not yet marked as successful.
	*/
	if ((slot_to_boot != kAbrSlotIndexR) && !abr_data.slot_data[slot_to_boot].successful_boot) {
	abr_data.slot_data[slot_to_boot].tries_remaining--;
	}
	/* Second is to clear the successful_boot bit from any successfully-marked slots that aren't the
	* slot we're booting. It's possible that booting from one slot will render the other slot
	* unbootable (say, by migrating a config file format in a shared partiton). Clearing these bits
	* minimizes the risk we'll have an unhealthy slot marked "successful_boot", which would prevent
	* the system from automatically booting into recovery.
	*/
	if ((slot_to_boot != kAbrSlotIndexA) && abr_data.slot_data[kAbrSlotIndexA].successful_boot) {
	abr_data.slot_data[kAbrSlotIndexA].tries_remaining = kAbrMaxTriesRemaining;
	abr_data.slot_data[kAbrSlotIndexA].successful_boot = 0;
	}
	if ((slot_to_boot != kAbrSlotIndexB) && abr_data.slot_data[kAbrSlotIndexB].successful_boot) {
	abr_data.slot_data[kAbrSlotIndexB].tries_remaining = kAbrMaxTriesRemaining;
	abr_data.slot_data[kAbrSlotIndexB].successful_boot = 0;
	}

	result = save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
	if (result != kAbrResultOk) {
	/* We have no choice but to proceed without updating metadata. */
	ABR_ERROR("Failed to update metadata, proceeding anyways.\n");
	}
	}

	return slot_to_boot;
	}

	const char* AbrGetSlotSuffix(AbrSlotIndex slot_index) {
	static const char* slot_suffixes[] = {"_a", "_b", "_r"};
	if (!check_slot_index(slot_index)) {
	return "";
	}
	return slot_suffixes[slot_index];
	}

	AbrResult AbrMarkSlotActive(const AbrOps* abr_ops, AbrSlotIndex slot_index) {
	AbrData abr_data, abr_data_orig;
	AbrSlotIndex other_slot_index;
	AbrResult result;

	if (!check_slot_index(slot_index)) {
	return kAbrResultErrorInvalidData;
	}

	if (slot_index == kAbrSlotIndexR) {
	ABR_ERROR("Invalid argument: Cannot mark slot R as active.\n");
	return kAbrResultErrorInvalidData;
	}

	result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
	if (result != kAbrResultOk) {
	return result;
	}

	/* Make requested slot top priority, unsuccessful, and with max tries. */
	abr_data.slot_data[slot_index].priority = kAbrMaxPriority;
	abr_data.slot_data[slot_index].tries_remaining = kAbrMaxTriesRemaining;
	abr_data.slot_data[slot_index].successful_boot = 0;

	/* Ensure other slot doesn't have as high a priority. */
	other_slot_index = 1 - slot_index;
	if (abr_data.slot_data[other_slot_index].priority == kAbrMaxPriority) {
	abr_data.slot_data[other_slot_index].priority--;
	}

	return save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
	}

	AbrResult AbrMarkSlotUnbootable(const AbrOps* abr_ops, AbrSlotIndex slot_index) {
	AbrData abr_data, abr_data_orig;
	AbrResult result;

	if (!check_slot_index(slot_index)) {
	return kAbrResultErrorInvalidData;
	}

	if (slot_index == kAbrSlotIndexR) {
	ABR_ERROR("Invalid argument: Cannot mark slot R as unbootable.\n");
	return kAbrResultErrorInvalidData;
	}

	result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
	if (result != kAbrResultOk) {
	return result;
	}

	set_slot_unbootable(&abr_data.slot_data[slot_index]);

	return save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
	}

	AbrResult AbrMarkSlotSuccessful(const AbrOps* abr_ops, AbrSlotIndex slot_index) {
	AbrData abr_data, abr_data_orig;
	AbrSlotIndex other_slot_index;
	AbrResult result;

	if (!check_slot_index(slot_index)) {
	return kAbrResultErrorInvalidData;
	}

	if (slot_index == kAbrSlotIndexR) {
	ABR_ERROR("Invalid argument: Cannot mark slot R as successful.\n");
	return kAbrResultErrorInvalidData;
	}

	result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
	if (result != kAbrResultOk) {
	return result;
	}

	if (!is_slot_bootable(&abr_data.slot_data[slot_index])) {
	ABR_ERROR("Invalid argument: Cannot mark unbootable slot as successful.\n");
	return kAbrResultErrorInvalidData;
	}

	abr_data.slot_data[slot_index].tries_remaining = 0;
	abr_data.slot_data[slot_index].successful_boot = 1;

	/* Remove any success mark on the other slot.
	*
	* TODO(fxbug.dev/64255): Remove this logic once the fix for fxbug.dev/64057 has rolled out.
	*/
	other_slot_index = 1 - slot_index;
	if (is_slot_bootable(&abr_data.slot_data[other_slot_index])) {
	abr_data.slot_data[other_slot_index].tries_remaining = kAbrMaxTriesRemaining;
	abr_data.slot_data[other_slot_index].successful_boot = 0;
	}
	return save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
	}

	AbrResult AbrGetSlotInfo(const AbrOps* abr_ops, AbrSlotIndex slot_index, AbrSlotInfo* info) {
	AbrData abr_data, abr_data_orig;
	AbrResult result;

	if (info == NULL) {
	ABR_ERROR("Invalid argument: \|info\| cannot be NULL.\n");
	return kAbrResultErrorInvalidData;
	}

	AbrMemset(info, 0, sizeof(*info));

	if (!check_slot_index(slot_index)) {
	return kAbrResultErrorInvalidData;
	}

	result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
	if (result != kAbrResultOk) {
	return result;
	}

	if (slot_index == kAbrSlotIndexR) {
	/* Assume that R slot is always OK. */
	info->is_bootable = true;
	info->is_active = is_slot_active(&abr_data, kAbrSlotIndexR);
	info->is_marked_successful = true;
	info->num_tries_remaining = 0;
	return kAbrResultOk;
	}

	info->is_bootable = is_slot_bootable(&abr_data.slot_data[slot_index]);
	info->is_active = is_slot_active(&abr_data, slot_index);
	info->is_marked_successful = abr_data.slot_data[slot_index].successful_boot;
	info->num_tries_remaining = abr_data.slot_data[slot_index].tries_remaining;

	return kAbrResultOk;
	}

	AbrResult AbrSetOneShotRecovery(const AbrOps* abr_ops, bool enable) {
	AbrData abr_data, abr_data_orig;
	AbrResult result;

	result = load_metadata(abr_ops, &abr_data, &abr_data_orig);
	if (result != kAbrResultOk) {
	return result;
	}

	abr_data.one_shot_recovery_boot = enable ? 1 : 0;

	return save_metadata_if_changed(abr_ops, &abr_data, &abr_data_orig);
	}

	/* Additional API needed for Estelle. */
	bool AbrIsValidMetadata(const uint8_t* buffer, size_t size) {
	AbrData data;
	return abr_data_deserialize(buffer, size, &data) == kAbrResultOk;
	}