Open bcantrill opened 4 years ago

When the (one-member) flash header was introduced in https://github.com/lowRISC/opentitan/commit/4425b287f8d2c6de6f10410192ee7ef761c71189, both Tock and Oreboot were silently broken (as discussed in https://github.com/tock/tock/pull/1460#issuecomment-573380139 and https://github.com/oreboot/oreboot/issues/217, respectively). Given that there is OpenTitan software living outside of the OpenTitan repository, it would seem to make sense to add versioning to the flash header. This would allow the boot ROM to explicitly fail on a version mismatch, which is vastly preferred to incorrectly jumping into the payload. Clearly, the flash header will be growing (with a signature and so on); adding versioning now will likely make future changes much smoother.

Thanks for catching this and opening this issue @bcantrill.
OpenTitan, and especially the software startup sequence, are in pretty early stages at the moment, so I'm not sure how many stability guarantees we can and want to make at this point.
What really bothers me, however, is silently breaking others. I've opened https://github.com/lowRISC/opentitan/issues/1324 to discuss ideas on how to detect such breakage, and at least inform our well-known downstream users ahead of time. We will need such machinery for this issue as well, to inform us when to increment the version number.
In the longer term, I'm pretty sure we want something like a versioning header, so leaving this issue open is a good thing, even if we don't act on it immediately.

Sure, that makes sense. Thank you!
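The explicit version check the issue asks the boot ROM to perform, as an added example in C that is not code from OpenTitan, Tock or Oreboot. The header layout, field names, magic value and the little-endian host are all assumptions; the point is that a magic, version or bounds mismatch yields a distinct error status instead of a jump into an unknown payload.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical versioned header; the field layout is an assumption, not
 * OpenTitan's, Tock's or Oreboot's actual format. */
#define FLASH_HDR_MAGIC   0x4F54464Cu   /* constructed magic value */
#define FLASH_HDR_VERSION 1u
#define FLASH_HDR_BYTES   16u

typedef struct {
    uint32_t magic;    /* marks that a header is present at all */
    uint32_t version;  /* layout version the ROM must understand exactly */
    uint32_t entry;    /* payload entry offset from start of header */
    uint32_t length;   /* payload length in bytes */
} flash_header_t;

typedef enum { HDR_OK = 0, HDR_ERR_SHORT, HDR_ERR_MAGIC,
               HDR_ERR_VERSION, HDR_ERR_BOUNDS } hdr_status_t;

/* Validate the header at the front of a flash image. Only HDR_OK permits a
 * jump into the payload; any mismatch is an explicit, reportable stop. */
hdr_status_t flash_header_check(const uint8_t *img, size_t img_len,
                                flash_header_t *out)
{
    flash_header_t h;
    if (img_len < FLASH_HDR_BYTES) return HDR_ERR_SHORT;
    memcpy(&h, img, sizeof h);            /* little-endian host assumed */
    if (h.magic != FLASH_HDR_MAGIC) return HDR_ERR_MAGIC;
    if (h.version != FLASH_HDR_VERSION) return HDR_ERR_VERSION;
    if (h.entry < FLASH_HDR_BYTES || h.entry > img_len) return HDR_ERR_BOUNDS;
    if (h.length > img_len - h.entry) return HDR_ERR_BOUNDS;
    if (out) *out = h;
    return HDR_OK;
}

/* Build a constructed image (header + dummy payload) and run the check,
 * optionally pretending the image was truncated by `cut` bytes. */
hdr_status_t check_built_image(uint32_t magic, uint32_t version,
                               uint32_t payload_len, size_t cut)
{
    uint8_t buf[64];
    flash_header_t h = { magic, version, FLASH_HDR_BYTES, payload_len };
    size_t total = FLASH_HDR_BYTES + payload_len;
    if (total > sizeof buf || cut > total) return HDR_ERR_SHORT;
    memcpy(buf, &h, sizeof h);
    memset(buf + FLASH_HDR_BYTES, 0x13, payload_len);  /* constructed payload */
    return flash_header_check(buf, total - cut, NULL);
}
```

A header written for version 2 by a downstream project is rejected with HDR_ERR_VERSION rather than being interpreted with the version 1 layout, which is exactly the silent breakage the issue describes.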