1. Technical Field
The present invention relates generally to an improved flash memory design and in particular to a method and an apparatus for recovery using a flash memory system. Still more particularly, the present invention provides a method and an apparatus for fail-safe flash memory recovery with minimal redundancy.
2. Description of the Related Art
When a modern computer system is started, it executes firmware to initialize and test the system before control is transferred to an operating system. This firmware is typically stored in "flash" memory. Since a system configuration can change over a period of time, this flash memory is updateable so that it finds and initializes the devices currently installed on the system.
If a major system error, such as a power failure, occurs during the update process, the flash memory can be corrupted. Therefore, it is important that there be a mechanism to recover the contents of the flash memory firmware in the event of corruption during update, without requiring a hardware update of the corrupted parts.
A simple, but wasteful, solution is to maintain two complete, separate copies of the firmware in flash memory along with minimal code to verify each copy prior to its use. If the verification code detects that Copy "A" is corrupted due to a major problem, such as a power failure, it can use Copy "B" to start up the system. Corruption can be detected using a known technique, such as a cyclic redundancy check (CRC). During the execution of Copy B, a new, correct Copy A can be restored in the firmware. This approach requires the flash memory to be at least twice as large in order to provide both updateability and integrity.
The memory space required to maintain two separate copies may be unacceptable in many cases and, as it turns out, unnecessary. Therefore, it would be advantageous to have a method and an apparatus for a flash memory recovery that provides both integrity and updateability with minimal redundancy.
A method and an apparatus are presented for updating flash memory that contains a write-protected code, a first copy of rewritable recovery code, a second copy of rewritable recovery code, and a rewritable composite code. Each block of rewritable code contains a checksum code to detect whether the block of code has been corrupted.
If it is detected that the first copy of the recovery code is corrupted, then the second copy of the recovery code is copied into the first copy of the recovery code. If it is detected that the second copy of the recovery code is corrupted, then the first copy of the recovery code is copied into the second copy of the recovery code. The recovery code is responsible for checking and updating the composite code. If it is detected that the composite code is corrupted, then a fresh copy of the composite code is obtained from a removable storage device or a network connection.
The data processing system is booted by executing the write-protected code, the first copy of the recovery code, and the composite code. Redundant code is kept to a minimum, since only the recovery code is held in two copies, while the integrity and the updateability of the flash memory are both guaranteed.
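The boot-time check-and-repair sequence described above, modelled in C as an added illustration that is not part of the patent or any product implementing it. The block layout, the CRC-32 checksum, the status names and the scenario() helper are assumptions made here; the write-protected code is represented by boot_check(), and an image from removable media is only programmed after its own checksum has been verified.

```c
#include <stdint.h>
#include <string.h>
#define BLOCK_SIZE 64
/* Constructed model of one rewritable flash block: payload plus a CRC-32 over the payload. */
typedef struct { uint8_t data[BLOCK_SIZE]; uint32_t crc; } block_t;
/* The rewritable part of the layout described above; boot_check() plays the write-protected code. */
typedef struct { block_t recovery_a, recovery_b, composite; } flash_t;
/* Status bits reported by the boot-time check (hypothetical names, not taken from the patent). */
enum { BOOT_OK = 0, REPAIRED_A = 1, REPAIRED_B = 2, COMPOSITE_RESTORED = 4, NEED_MEDIA = 8, FATAL = 16 };

static uint32_t crc32(const uint8_t *p, size_t n) {   /* standard reflected CRC-32 (poly 0xEDB88320) */
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
static int block_ok(const block_t *b) { return crc32(b->data, BLOCK_SIZE) == b->crc; }
static void block_write(block_t *b, const uint8_t *src) {   /* program payload, then its checksum */
    memcpy(b->data, src, BLOCK_SIZE);
    b->crc = crc32(b->data, BLOCK_SIZE);
}

/* Write-protected stage: never run a copy whose checksum fails; repair each recovery copy from its twin. */
int boot_check(flash_t *f, const block_t *media_composite) {
    int status = BOOT_OK;
    int a_ok = block_ok(&f->recovery_a), b_ok = block_ok(&f->recovery_b);
    if (!a_ok && !b_ok) return FATAL;   /* both copies bad: no trusted recovery code to run */
    if (!a_ok) { block_write(&f->recovery_a, f->recovery_b.data); status |= REPAIRED_A; }
    if (!b_ok) { block_write(&f->recovery_b, f->recovery_a.data); status |= REPAIRED_B; }
    if (!block_ok(&f->composite)) {     /* recovery code: fresh copy must come from media/network */
        if (!media_composite || !block_ok(media_composite)) return status | NEED_MEDIA;
        block_write(&f->composite, media_composite->data);   /* verified before it is programmed */
        status |= COMPOSITE_RESTORED;
    }
    return status;
}

/* Constructed scenario: corrupt chosen blocks as an interrupted update would, offer a good media image or not, then boot. */
int scenario(int bad_a, int bad_b, int bad_composite, int have_media) {
    flash_t f; block_t media; uint8_t image[BLOCK_SIZE];
    memset(image, 0xA5, BLOCK_SIZE);
    block_write(&f.recovery_a, image); block_write(&f.recovery_b, image);
    block_write(&f.composite, image);  block_write(&media, image);
    if (bad_a) f.recovery_a.data[3] ^= 0xFF;    /* payload changed, stored checksum now stale */
    if (bad_b) f.recovery_b.data[7] ^= 0xFF;
    if (bad_composite) f.composite.crc ^= 1u;
    return boot_check(&f, have_media ? &media : NULL);
}
```

The scenario with both recovery copies corrupted returns FATAL, which is the one case the two-copy scheme cannot repair from flash alone.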