[PATCH] tools: optional reboot into RPi tryboot mode
44 views
Skip to first unread message
Ayoub Zaki
Jun 8, 2026, 10:25:06 AMJun 8
to swup...@googlegroups.com, Ayoub Zaki
Add CONFIG_REBOOT_RPI_TRYBOOT. When enabled, swupdate-progress and
swupdate-ipc invoke the raw reboot syscall with LINUX_REBOOT_CMD_RESTART2
and the "0 tryboot" argument instead of reboot(RB_AUTOBOOT), so the
Raspberry Pi firmware starts in tryboot mode on the next boot. Default
behaviour is unchanged.
Signed-off-by: Ayoub Zaki <ayoub...@embetrix.com>
---
Kconfig | 12 ++++++++++++
tools/swupdate-ipc.c | 11 +++++++++++
tools/swupdate-progress.c | 10 ++++++++++
3 files changed, 33 insertions(+)
diff --git a/Kconfig b/Kconfig
index 8b6139de..3fed5f3d 100644
--- a/Kconfig
+++ b/Kconfig
@@ -179,6 +179,18 @@ config SCRIPTS
in the image. For security reason, this option
can be switched off.
+config REBOOT_RPI_TRYBOOT
+ bool "Reboot into Raspberry Pi tryboot mode"
+ depends on HAVE_LINUX
+ default n
+ help
+ When SWUpdate's helper tools (swupdate-progress, swupdate-ipc)
+ reboot the system after a successful update, pass the "0 tryboot"
+ argument to the kernel reboot syscall instead of issuing a plain
+ reboot. The Raspberry Pi firmware will start in tryboot mode on
+ the next boot. Tryboot mode is single-shot: it only applies to
+ the next boot so committing or rolling back is your responsibility.
+
config HW_COMPATIBILITY
bool "check for hardware / software compatibility"
default n
diff --git a/tools/swupdate-ipc.c b/tools/swupdate-ipc.c
index f3738193..338a5021 100644
--- a/tools/swupdate-ipc.c
+++ b/tools/swupdate-ipc.c
@@ -24,6 +24,10 @@
#include <sys/un.h>
#include <sys/select.h>
#include <sys/reboot.h>
+#ifdef CONFIG_REBOOT_RPI_TRYBOOT
+#include <sys/syscall.h>
+#include <linux/reboot.h>
+#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <ifaddrs.h>
@@ -657,9 +661,16 @@ static int sysrestart(cmd_t __attribute__((__unused__)) *cmd, int argc, char *a
restart_system(ndevs);
sleep(5);
sync();
+#ifdef CONFIG_REBOOT_RPI_TRYBOOT
+ if (syscall(SYS_reboot, LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2,
+ LINUX_REBOOT_CMD_RESTART2, "0 tryboot") < 0) {
+ fprintf(stdout, "Please reset the board.\n");
+ }
+#else
if (reboot(RB_AUTOBOOT) < 0) { /* It should never happen */
fprintf(stdout, "Please reset the board.\n");
}
+#endif
break;
case FAILURE:
ndevs = 0;
diff --git a/tools/swupdate-progress.c b/tools/swupdate-progress.c
index 94cd84e1..69ee859d 100644
--- a/tools/swupdate-progress.c
+++ b/tools/swupdate-progress.c
@@ -20,6 +20,10 @@
#include <sys/un.h>
#include <sys/select.h>
#include <sys/reboot.h>
+#ifdef CONFIG_REBOOT_RPI_TRYBOOT
+#include <sys/syscall.h>
+#include <linux/reboot.h>
+#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <pthread.h>
@@ -201,8 +205,14 @@ static void reboot_device(const char* reboot_script)
} else {
sleep(5);
sync();
+#ifdef CONFIG_REBOOT_RPI_TRYBOOT
+ if (syscall(SYS_reboot, LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2,
+ LINUX_REBOOT_CMD_RESTART2, "0 tryboot") >= 0)
+ return;
+#else
if (reboot(RB_AUTOBOOT) >= 0)
return;
+#endif
}
fprintf(stdout, "Please reset the board.\n");
--
2.43.0
swupdate-ipc invoke the raw reboot syscall with LINUX_REBOOT_CMD_RESTART2
and the "0 tryboot" argument instead of reboot(RB_AUTOBOOT), so the
Raspberry Pi firmware starts in tryboot mode on the next boot. Default
behaviour is unchanged.
Signed-off-by: Ayoub Zaki <ayoub...@embetrix.com>
---
Kconfig | 12 ++++++++++++
tools/swupdate-ipc.c | 11 +++++++++++
tools/swupdate-progress.c | 10 ++++++++++
3 files changed, 33 insertions(+)
diff --git a/Kconfig b/Kconfig
index 8b6139de..3fed5f3d 100644
--- a/Kconfig
+++ b/Kconfig
@@ -179,6 +179,18 @@ config SCRIPTS
in the image. For security reason, this option
can be switched off.
+config REBOOT_RPI_TRYBOOT
+ bool "Reboot into Raspberry Pi tryboot mode"
+ depends on HAVE_LINUX
+ default n
+ help
+ When SWUpdate's helper tools (swupdate-progress, swupdate-ipc)
+ reboot the system after a successful update, pass the "0 tryboot"
+ argument to the kernel reboot syscall instead of issuing a plain
+ reboot. The Raspberry Pi firmware will start in tryboot mode on
+ the next boot. Tryboot mode is single-shot: it only applies to
+ the next boot so committing or rolling back is your responsibility.
+
config HW_COMPATIBILITY
bool "check for hardware / software compatibility"
default n
diff --git a/tools/swupdate-ipc.c b/tools/swupdate-ipc.c
index f3738193..338a5021 100644
--- a/tools/swupdate-ipc.c
+++ b/tools/swupdate-ipc.c
@@ -24,6 +24,10 @@
#include <sys/un.h>
#include <sys/select.h>
#include <sys/reboot.h>
+#ifdef CONFIG_REBOOT_RPI_TRYBOOT
+#include <sys/syscall.h>
+#include <linux/reboot.h>
+#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <ifaddrs.h>
@@ -657,9 +661,16 @@ static int sysrestart(cmd_t __attribute__((__unused__)) *cmd, int argc, char *a
restart_system(ndevs);
sleep(5);
sync();
+#ifdef CONFIG_REBOOT_RPI_TRYBOOT
+ if (syscall(SYS_reboot, LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2,
+ LINUX_REBOOT_CMD_RESTART2, "0 tryboot") < 0) {
+ fprintf(stdout, "Please reset the board.\n");
+ }
+#else
if (reboot(RB_AUTOBOOT) < 0) { /* It should never happen */
fprintf(stdout, "Please reset the board.\n");
}
+#endif
break;
case FAILURE:
ndevs = 0;
diff --git a/tools/swupdate-progress.c b/tools/swupdate-progress.c
index 94cd84e1..69ee859d 100644
--- a/tools/swupdate-progress.c
+++ b/tools/swupdate-progress.c
@@ -20,6 +20,10 @@
#include <sys/un.h>
#include <sys/select.h>
#include <sys/reboot.h>
+#ifdef CONFIG_REBOOT_RPI_TRYBOOT
+#include <sys/syscall.h>
+#include <linux/reboot.h>
+#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <pthread.h>
@@ -201,8 +205,14 @@ static void reboot_device(const char* reboot_script)
} else {
sleep(5);
sync();
+#ifdef CONFIG_REBOOT_RPI_TRYBOOT
+ if (syscall(SYS_reboot, LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2,
+ LINUX_REBOOT_CMD_RESTART2, "0 tryboot") >= 0)
+ return;
+#else
if (reboot(RB_AUTOBOOT) >= 0)
return;
+#endif
}
fprintf(stdout, "Please reset the board.\n");
--
2.43.0
Stefano Babic
Jun 9, 2026, 3:23:39 AMJun 9
to Ayoub Zaki, swup...@googlegroups.com
Hi Ayoub,
On 6/8/26 16:24, Ayoub Zaki wrote:
> Add CONFIG_REBOOT_RPI_TRYBOOT. When enabled, swupdate-progress and
> swupdate-ipc invoke the raw reboot syscall with LINUX_REBOOT_CMD_RESTART2
> and the "0 tryboot" argument instead of reboot(RB_AUTOBOOT), so the
> Raspberry Pi firmware starts in tryboot mode on the next boot. Default
> behaviour is unchanged.
>
Ouch...I have did this, too, but I didn't need to change the base code.
I just used swupdate-progress with -e (execute) that is called after a
successful update, and the passed script run the (proprietary) reboot
for Raspberry with the new partition to test. But let's see if this can
be done better:
Nevertheless this helps in one use case, that is we still have one boot
partition. For example, it does not help at all in my use case, I had
prepared two boot partitions (signed due to secure boot) and they have
to switch, that is reboot need as parameter the partition to switch. In
fact, the whole syntax is "reboot [partition to be tried] tryboot".
Best regards,
Stefano
--
_______________________________________________________________________
Nabla Software Engineering GmbH
Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596
Geschäftsführer : Stefano Babic | HRB 40522 Augsburg
E-Mail: sba...@nabladev.com
On 6/8/26 16:24, Ayoub Zaki wrote:
> Add CONFIG_REBOOT_RPI_TRYBOOT. When enabled, swupdate-progress and
> swupdate-ipc invoke the raw reboot syscall with LINUX_REBOOT_CMD_RESTART2
> and the "0 tryboot" argument instead of reboot(RB_AUTOBOOT), so the
> Raspberry Pi firmware starts in tryboot mode on the next boot. Default
> behaviour is unchanged.
>
I just used swupdate-progress with -e (execute) that is called after a
successful update, and the passed script run the (proprietary) reboot
for Raspberry with the new partition to test. But let's see if this can
be done better:
partition. For example, it does not help at all in my use case, I had
prepared two boot partitions (signed due to secure boot) and they have
to switch, that is reboot need as parameter the partition to switch. In
fact, the whole syntax is "reboot [partition to be tried] tryboot".
Best regards,
Stefano
--
_______________________________________________________________________
Nabla Software Engineering GmbH
Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596
Geschäftsführer : Stefano Babic | HRB 40522 Augsburg
E-Mail: sba...@nabladev.com
ayoub...@googlemail.com
Jun 9, 2026, 3:53:46 AMJun 9
to swupdate
Hi Stefano,
Thanks for the feedback.
I did it exactly as you described with swupdate-progress a custom reboot script but that this covers only the post-update while "Restart System" button in the Web UI goes through nornmal reboot.
on other side reboot with "0 tryboot" is the recommended trigger on recent firmware:
https://www.raspberrypi.com/documentation/computers/config_txt.html#the-tryboot-filter
My layout is three partitions with secure boot: boot (autoboot.txt marker) and bootA/bootB (boot.img/boot.sig). tryboot.txt is no longer recommended.
Thanks for the feedback.
I did it exactly as you described with swupdate-progress a custom reboot script but that this covers only the post-update while "Restart System" button in the Web UI goes through nornmal reboot.
on other side reboot with "0 tryboot" is the recommended trigger on recent firmware:
https://www.raspberrypi.com/documentation/computers/config_txt.html#the-tryboot-filter
My layout is three partitions with secure boot: boot (autoboot.txt marker) and bootA/bootB (boot.img/boot.sig). tryboot.txt is no longer recommended.
Full integration for Rpi4/5 with secure boot is here:
Stefano Babic
Jun 9, 2026, 4:04:26 AMJun 9
to ayoub...@googlemail.com, swupdate
Hi Ayoub,
On 6/9/26 09:53, 'ayoub...@googlemail.com' via swupdate wrote:
>
> Hi Stefano,
>
> Thanks for the feedback.
>
> I did it exactly as you described with swupdate-progress a custom reboot
> script but that this covers only the post-update while "Restart System"
> button in the Web UI goes through nornmal reboot.
>
Right, ok, I hadn't this case.
> on other side reboot with "0 tryboot" is the recommended trigger on
> recent firmware:
> https://www.raspberrypi.com/documentation/computers/
> config_txt.html#the-tryboot-filter
>
> My layout is three partitions with secure boot: boot (autoboot.txt
> marker) and bootA/bootB (boot.img/boot.sig). tryboot.txt is no longer
> recommended.
I had exactly the same. But this means you have to change autoboot.txt
during the the update, right ? My concern was that the file is still on
VFAT and it becomes a single point of failure. But calling reboot with
the partition to be "tried", autoboot.txt doesn't change until the
transaction is closed - yes, earlier or later it should be changed :-(
>
> Full integration for Rpi4/5 with secure boot is here:
>
> https://github.com/embetrix/meta-raspberrypi-secure.
>
Thanks.
Best regards,
Stefano
> Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596 <tel:
> +49%20821%2045592596>
> --
> You received this message because you are subscribed to the Google
> Groups "swupdate" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to swupdate+u...@googlegroups.com
> <mailto:swupdate+u...@googlegroups.com>.
> To view this discussion visit https://groups.google.com/d/msgid/
> swupdate/7e4423cc-b521-4bd6-9a28-62e9415888a9n%40googlegroups.com
> <https://groups.google.com/d/msgid/swupdate/7e4423cc-
> b521-4bd6-9a28-62e9415888a9n%40googlegroups.com?
> utm_medium=email&utm_source=footer>.
On 6/9/26 09:53, 'ayoub...@googlemail.com' via swupdate wrote:
>
> Hi Stefano,
>
> Thanks for the feedback.
>
> I did it exactly as you described with swupdate-progress a custom reboot
> script but that this covers only the post-update while "Restart System"
> button in the Web UI goes through nornmal reboot.
>
> on other side reboot with "0 tryboot" is the recommended trigger on
> recent firmware:
> https://www.raspberrypi.com/documentation/computers/
> config_txt.html#the-tryboot-filter
>
> My layout is three partitions with secure boot: boot (autoboot.txt
> marker) and bootA/bootB (boot.img/boot.sig). tryboot.txt is no longer
> recommended.
during the the update, right ? My concern was that the file is still on
VFAT and it becomes a single point of failure. But calling reboot with
the partition to be "tried", autoboot.txt doesn't change until the
transaction is closed - yes, earlier or later it should be changed :-(
>
> Full integration for Rpi4/5 with secure boot is here:
>
> https://github.com/embetrix/meta-raspberrypi-secure.
>
Best regards,
Stefano
> +49%20821%2045592596>
> --
> You received this message because you are subscribed to the Google
> Groups "swupdate" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to swupdate+u...@googlegroups.com
> <mailto:swupdate+u...@googlegroups.com>.
> To view this discussion visit https://groups.google.com/d/msgid/
> swupdate/7e4423cc-b521-4bd6-9a28-62e9415888a9n%40googlegroups.com
> <https://groups.google.com/d/msgid/swupdate/7e4423cc-
> b521-4bd6-9a28-62e9415888a9n%40googlegroups.com?
> utm_medium=email&utm_source=footer>.
ayoub...@googlemail.com
Jun 9, 2026, 4:35:05 AMJun 9
to swupdate
On Tuesday, June 9, 2026 at 10:04:26 AM UTC+2 Stefano Babic wrote:
Hi Ayoub,
On 6/9/26 09:53, 'ayoub...@googlemail.com' via swupdate wrote:
>
> Hi Stefano,
>
> Thanks for the feedback.
>
> I did it exactly as you described with swupdate-progress a custom reboot
> script but that this covers only the post-update while "Restart System"
> button in the Web UI goes through nornmal reboot.
>
Right, ok, I hadn't this case.
> on other side reboot with "0 tryboot" is the recommended trigger on
> recent firmware:
> https://www.raspberrypi.com/documentation/computers/
> config_txt.html#the-tryboot-filter
>
> My layout is three partitions with secure boot: boot (autoboot.txt
> marker) and bootA/bootB (boot.img/boot.sig). tryboot.txt is no longer
> recommended.
I had exactly the same. But this means you have to change autoboot.txt
during the the update, right ? My concern was that the file is still on
VFAT and it becomes a single point of failure. But calling reboot with
the partition to be "tried", autoboot.txt doesn't change until the
transaction is closed - yes, earlier or later it should be changed :-(
Yes after booting into tryboot if the updated system starts correctly it needs to confirm the update by swapping the partitions in autoboot.txt on the VFAT partition.
Of course this is not fully power-safe. The risk of corruption can be reduced by using an atomic exchange operation for example with mv --exchange (linux-6.x)
The Raspberry Pi firmware supports partition_walk=1 so if autoboot.txt becomes corrupted the firmware can still fall back to another bootable partition.
With separate update-status book keeping for example using libubootenv the system can detect such a case and perform a repair.
This is unfortunately not ideal but using U-Boot is out of scope here because it does not support NVMe in this setup.
Of course this is not fully power-safe. The risk of corruption can be reduced by using an atomic exchange operation for example with mv --exchange (linux-6.x)
The Raspberry Pi firmware supports partition_walk=1 so if autoboot.txt becomes corrupted the firmware can still fall back to another bootable partition.
With separate update-status book keeping for example using libubootenv the system can detect such a case and perform a repair.
This is unfortunately not ideal but using U-Boot is out of scope here because it does not support NVMe in this setup.
Reply all
Reply to author
Forward
0 new messages