GRBOOT - Flight Software Boot Loader

GRBOOT is a flight system software suite targeting LEON based systems. The purpose of the boot SW is to provide initialization, self-test and application loading functionality to payload and on-board computers.

GRBOOT is an implementation of the ESA requirements document SAVOIR Flight Computer Initialisation Sequence (SAVOIR-GS-002). The software is developed in accordance with European Space Agency software engineering standards ECSS-E-ST-40C and ECSS-Q-ST-80C, tailored software criticality category B.

GRBOOT is divided into four main parts: initialization, self-tests, standby extension point and application loader. The application loader selects one of two application images to load, verify and start, with the other image optionally serving as a fallback. An interface is provided for users to integrate a custom standby application for low-level maintenance operations before the application loader is executed.

Features

  • Implements the ESA "SAVOIR Flight Computer Initialisation Sequence" (SAVOIR-GS-002).
  • Developed in accordance with ESA software engineering standards ECSS-E-ST-40C and ECSS-Q-ST-80C, tailored software criticality category B.
  • Multi-processor support (SMP, AMP)
  • Initialization: CPU, FPU, caches, peripherals, etc.
  • System self-tests: CPU, L1/L2 caches, ROM, external memories, etc.
  • Self-test results are recorded in a Boot report, available to the loaded application.
  • Separation of Boot Memory and Application Storage Memory: updating the application does not require updating the boot loader.
  • Application images can be stored in local non-volatile memory, including parallel memories and SPI flash.
  • ELF-like application image format with support for in-flight patching.
  • Optional application compression.
  • Application images are integrity checked before execution, with failover on failure.
  • User extension points for custom initialization and user defined Standby Mode.
  • Prepares an environment compatible with multiple operating systems (RTEMS, VxWorks, Linux, BCC, PikeOS, SMP, AMP, etc.)
  • SpaceWire/PUS Standby software (optional, separate license)

Portability

Currently GR740 and GR712RC devices are supported and the SW architecture allows additional systems to be added. System specific components are configured and built based on chip, board and mission configuration.

Ports are available for the GR-CPCI-GR740 and GR712RC development boards, and UT700. Boot memory options include parallel PROM, flash and similar. Application images can be loaded from memory-mapped memory (PROM, flash, MRAM, etc.) or from SPI flash memory. Several main memory options are possible.

Standby extension point

GRBOOT has been prepared with an extension point to allow users to implement a custom maintenance mode (Standby Mode). When the extension point has finished its execution, it can return and engage the application loader. A freestanding minimal C run-time environment is available for the extension.

SpaceWire/PUS Standby extension for GRBOOT

Using the above described extension point, an optional SpaceWire/PUS standby extension is available under a separate GRBOOT-STANDBY license described here.

Use cases

  • Boot loader. This is the baseline use case and provides reliable application loading meeting common requirements for booting payload and on-board flight computers.
  • Boot loader with maintenance (standby) mode. An extension point is available which allows for implementation of a custom software controlled maintenance mode which executes from ROM. It can for example be used to manage on-board memories over a network, such as PUS over SpaceWire using the available standby implementation described above.
  • ROM resident application. In this use case, the application is linked directly into the GRBOOT image and no application is loaded from external memory. It is useful for smaller control-type applications where a robust run-time is required.

Test and validation

  • Fully automated test suites
  • Unit tests executing on target hardware and in the TSIM3 LEON simulator.
  • Code coverage captured using TSIM3
  • Validation test suite executes on target hardware and checks the software and system behavior.

Background

This SW is based on the GR712RC Boot SW, which was originally designed specifically for the ESA JUICE mission instruments. The Boot SW has been successfully designed into 8 LEON3FT-based instruments on board the JUICE satellite, targeted to launch in 2022. The Boot SW has since been adapted to support multiple HW platforms, such as the GR740, and isolating device- and mission-specific details has made it possible to create a reusable product, GRBOOT.

Availability

A software license for GRBOOT can be acquired from us; please contact sales@gaisler.com for more information. A license includes the software in source code form, unit tests, validation tests, and detailed documentation on requirements, specifications and implementation.

We also offer design services such as porting to a new HW platform or standby mode application development. For more information, contact sales@gaisler.com.