The Raspberry Pi is a very popular hardware platform for Nerves users and the official systems are getting an upgrade! 
Whats New?
The biggest change is that the rpi* systems now utilizes initramfs to load a very minimal root filesystem, nerves_initramfs, before mounting the real rootfs. This allows us to do really early pre-start checks via a nerves_initramfs.config script file.
With this new found power, each rpi* system now does a simple firmware validation check before loading the rootfs. If it fails, it triggers a revert to the last firmware automatically. This helps prevent infinite boot loops when errors are caused after compilation but before startup, such as kernel panics, bad erlinit.config, etc etc.
But…
This change requires the firmware to be marked as valid at runtime. Because the answer to “What makes my firmware valid?” differs drastically, Nerves makes no assumptions here and you, the user, are required to validate your firmware based on your conditions by calling Nerves.Runtime.validate_firmware().
For most situations, just getting to runtime is valid enough and you could mark it as your application is starting. Something like:
defmodule My.Application do
use Application
def start(_type, _args) do
Nerves.Runtime.validate_firmware()
# ... all your other startup things
end
end
For others, you might have conditions to be connected to a specific network, hardware needs to be detected, MQTT connection must be established, etc etc, before considering the firmware valid. If you have such conditions, check out the post “You Gotta Have Heart” about using the Erlang :heart module to tie these checks into the hardware watchdog for triggering reverts when your conditions aren’t met.
Can I update existing devices?
Yes…with a tiny bit of work.
The pre-start check looks for a UBoot variable nerves_fw_validated. fwup also checks this variable before updating to ensure you have a working, validated firmware on the device before putting an new one on. This is a hardened check to prevent bricking a device by updating a bad firmware with another bad firmware.
Nerves rpi* systems < v2.0.0 don’t have this UBoot variable set, so any attempt to update via fwup (such as SSH or upload.sh script) will fail with an error like:
“Please check the media being upgraded. It doesn’t look like either the A or B partitions are active.”
So before updating, you’ll need to manually validate the running firmware with:
Nerves.Runtime.validate_firmware()
Or
Nerves.Runtime.KV.put("nerves_fw_validated", "1")
Then update like normal
Why 2.0.0?
Introducing nerves_initramfs and the revert scheme is a decent size change to how the system functions. It’s a new tool and startup path which, we feel, warrants a major version bump. Our hope is that others try out the release candidates and submit issues to help us iron out any kinks.
How Can I Try It?
The release candiates are on hex.pm:
