There is no fallback for RoT stage0 in the LPC55S69 boot ROM.
That means that if there is a power failure or other interruption while copying ("persisting") the "stage0next" flash partition to the "stage0" (one and only boot loader/bootleby) partition, then the device will not boot on next reset or power cycle.
The RoT update-server takes several precautions to minimize the window of exposure:
- the FWID of the stage0next image must match a stage0 or stage0next image whose signature was verified at RoT boot time.
- the stage0next image has been copied into RAM and matched to a verified FWID before copy to flash.
- the flash erase and copy to stage0 flash is done from RAM (not flash to flash).
A new bootleby image can be flashed to any RoT's stage0next partition at any time without consequence.
A RoT must be reset in order to verify the signature on a stage0next.
Update will not proceed without stage0next verification.
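The gate described above (boot-time verification, RAM copy, FWID match, then erase and write from RAM, with a reset required before a newly flashed stage0next can be persisted), modelled as an added example; this is not Hubris or Oxide code, the `Rot` type and its methods are hypothetical, and the FNV-1a hash is a placeholder for the real FWID digest:

```rust
// Added example, not Hubris or Oxide code: a model of the stage0 persist gate.
// FWIDs use a placeholder FNV-1a hash in place of the real image digest, and
// signature verification is modelled as a set of FWIDs recorded at reset.
use std::collections::HashSet;

pub type Fwid = u64;

/// Placeholder digest standing in for the real FWID computation.
pub fn fwid(image: &[u8]) -> Fwid {
    image.iter().fold(0xcbf2_9ce4_8422_2325u64, |h, &b| {
        (h ^ b as u64).wrapping_mul(0x0100_0000_01b3)
    })
}

#[derive(Debug, PartialEq)]
pub enum PersistError { NotVerifiedAtBoot }

/// Model RoT: the two flash partitions plus the FWIDs verified at last boot.
pub struct Rot {
    pub stage0: Vec<u8>,
    pub stage0next: Vec<u8>,
    verified_at_boot: HashSet<Fwid>,
}

impl Rot {
    pub fn new(stage0: &[u8]) -> Self {
        Rot { stage0: stage0.to_vec(), stage0next: Vec::new(), verified_at_boot: HashSet::new() }
    }
    /// Reset: stage0 and stage0next signatures are checked and their FWIDs recorded.
    pub fn reset(&mut self, signature_ok: impl Fn(&[u8]) -> bool) {
        self.verified_at_boot.clear();
        for img in [&self.stage0, &self.stage0next] {
            if signature_ok(img.as_slice()) { self.verified_at_boot.insert(fwid(img)); }
        }
    }
    /// Flashing stage0next is always allowed; nothing changes until persist.
    pub fn flash_stage0next(&mut self, image: &[u8]) { self.stage0next = image.to_vec(); }
    /// Persist: copy to RAM, match the FWID against the boot-time set, and
    /// only then erase and rewrite stage0 from the RAM copy (not flash to flash).
    pub fn persist_stage0(&mut self) -> Result<Fwid, PersistError> {
        let ram_copy = self.stage0next.clone();
        let id = fwid(&ram_copy);
        if !self.verified_at_boot.contains(&id) {
            return Err(PersistError::NotVerifiedAtBoot); // a reset is required first
        }
        self.stage0.clear();                      // erase stage0
        self.stage0.extend_from_slice(&ram_copy); // write from RAM
        Ok(id)
    }
}
```

A stage0next image written after the last reset is refused until the RoT is reset and its signature re-checked, which is the property the one-at-a-time policy relies on.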
Do not flash/persist more than one stage0 flash partition at a time to minimize risk to the rack as a whole.
Stop RoT updates in the rack if a stage0 update fails.
Recovery can be done by attaching a probe to the RoT and re-flashing the stage0 image.
If manual RoT recovery is acceptable given the low probability of failure, then the one-at-a-time policy can be relaxed.