Rollback in TESTING state when kernel image cannot load

In an update scenario, if ustate was just switched from
INSTALLED=1 to TESTING=2 but the kernel image to be tested
is not present, reboot to trigger a fallback into the
original boot path.

This is a simple optimization to not wait until the watchdog
kicks in and reboots the system to the same effect. Incidentally,
this also help to fix downstream issues where U-Boot was incorrectly
configured to feed the watchdog indefinitely, i.e., no reboot happens,
ever.

Signed-off-by: Christian Storm <christian.storm@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>

Author: stormc

env/fatvars.c

@@ -198,6 +198,7 @@ BG_STATUS load_config(BG_LOADER_PARAMS *bglp)
 		save_current_config(config_volumes, numHandles);
 	}
 
+	bglp->ustate = env[latest_idx].ustate;
 	bglp->payload_path = StrDuplicate(env[current_partition].kernelfile);
 	bglp->payload_options =
 	    StrDuplicate(env[current_partition].kernelparams);

include/bootguard.h

@@ -37,4 +37,5 @@ typedef struct _BG_LOADER_PARAMS {
 	CHAR16 *payload_path;
 	CHAR16 *payload_options;
 	UINTN timeout;
+	UINT8 ustate;
 } BG_LOADER_PARAMS;

main.c

@@ -184,6 +184,20 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table)
 	status = BS->LoadImage(TRUE, this_image, payload_dev_path, NULL, 0,
 			       &payload_handle);
 	if (EFI_ERROR(status)) {
+		if (bg_loader_params.ustate == USTATE_TESTING) {
+			/*
+			 * `ustate` was just switched from `1` (INSTALLED)
+			 * to `2` (TESTING), but the kernel image to be
+			 * tested is not present. Reboot to trigger a
+			 * fallback into the original boot path.
+			 */
+			ERROR(L"Failed to load kernel image %s (%r).\n",
+			      bg_loader_params.payload_path, status);
+			ERROR(L"Triggering Rollback as ustate==2 (TESTING).\n");
+			(VOID) BS->Stall(3 * 1000 * 1000);
+			ST->RuntimeServices->ResetSystem(EfiResetCold,
+							 EFI_SUCCESS, 0, NULL);
+		}
 		error_exit(L"Cannot load specified kernel image", status);
 	}