bootutil: swap-move: Avoid rewriting the secondary trailer on revert

When using the swap-move strategy, at the very beginning of the revert
process, the secondary trailer was rewritten to make the revert look
like a permanent upgrade in case an unfortunate reset occurs when
rewriting the primary trailer. This was possible because the assumption
was that no sector contained both part of the firmware and part of the
trailer.

To relax this assumption, it is necessary to avoid having to rewrite the
secondary trailer at the start of the revert process, since that could
also erase firmware data. The solution chosen is to rewrite the
secondary trailer at the end of the upgrade process, just after that
trailer is erased and to take advantage of the unused 'copy_done' flag
in the secondary trailer to indicate that an upgrade has been performed
and that a revert has to be started or resumed if the primary image is
not confirmed.

Signed-off-by: Thomas Altenbach <thomas.altenbach@legrand.com>

Author: taltenbach

boot/bootutil/src/bootutil_public.c

@@ -84,9 +84,9 @@ struct boot_swap_table {
     uint8_t image_ok_primary_slot;
     uint8_t image_ok_secondary_slot;
     uint8_t copy_done_primary_slot;
-#if defined(MCUBOOT_SWAP_USING_OFFSET)
+#if defined(MCUBOOT_SWAP_USING_OFFSET) || defined(MCUBOOT_SWAP_USING_MOVE)
     uint8_t copy_done_secondary_slot;
-#endif
+#endif /* MCUBOOT_SWAP_USING_OFFSET || MCUBOOT_SWAP_USING_MOVE */
 
     uint8_t swap_type;
 };
@@ -103,26 +103,35 @@ struct boot_swap_table {
  * the bootloader, as in starting/finishing a swap operation.
  */
 static const struct boot_swap_table boot_swap_tables[] = {
-#if defined(MCUBOOT_SWAP_USING_OFFSET)
+#if defined(MCUBOOT_SWAP_USING_OFFSET) || defined(MCUBOOT_SWAP_USING_MOVE)
     {
-        .magic_primary_slot =       BOOT_MAGIC_ANY,
+        .magic_primary_slot =       BOOT_MAGIC_NOTGOOD,
         .magic_secondary_slot =     BOOT_MAGIC_GOOD,
         .image_ok_primary_slot =    BOOT_FLAG_ANY,
         .image_ok_secondary_slot =  BOOT_FLAG_UNSET,
         .copy_done_primary_slot =   BOOT_FLAG_ANY,
         .copy_done_secondary_slot = BOOT_FLAG_SET,
         .swap_type =                BOOT_SWAP_TYPE_REVERT,
     },
-#endif
+    {
+        .magic_primary_slot =       BOOT_MAGIC_GOOD,
+        .magic_secondary_slot =     BOOT_MAGIC_GOOD,
+        .image_ok_primary_slot =    BOOT_FLAG_UNSET,
+        .image_ok_secondary_slot =  BOOT_FLAG_UNSET,
+        .copy_done_primary_slot =   BOOT_FLAG_ANY,
+        .copy_done_secondary_slot = BOOT_FLAG_SET,
+        .swap_type =                BOOT_SWAP_TYPE_REVERT,
+    },
+#endif /* MCUBOOT_SWAP_USING_OFFSET || MCUBOOT_SWAP_USING_MOVE */
     {
         .magic_primary_slot =       BOOT_MAGIC_ANY,
         .magic_secondary_slot =     BOOT_MAGIC_GOOD,
         .image_ok_primary_slot =    BOOT_FLAG_ANY,
         .image_ok_secondary_slot =  BOOT_FLAG_UNSET,
         .copy_done_primary_slot =   BOOT_FLAG_ANY,
-#if defined(MCUBOOT_SWAP_USING_OFFSET)
-        .copy_done_secondary_slot = BOOT_FLAG_ANY,
-#endif
+#if defined(MCUBOOT_SWAP_USING_OFFSET) || defined(MCUBOOT_SWAP_USING_MOVE)
+        .copy_done_secondary_slot = BOOT_FLAG_UNSET,
+#endif /* MCUBOOT_SWAP_USING_OFFSET || MCUBOOT_SWAP_USING_MOVE */
         .swap_type =                BOOT_SWAP_TYPE_TEST,
     },
     {
@@ -131,9 +140,9 @@ static const struct boot_swap_table boot_swap_tables[] = {
         .image_ok_primary_slot =    BOOT_FLAG_ANY,
         .image_ok_secondary_slot =  BOOT_FLAG_SET,
         .copy_done_primary_slot =   BOOT_FLAG_ANY,
-#if defined(MCUBOOT_SWAP_USING_OFFSET)
-        .copy_done_secondary_slot = BOOT_FLAG_ANY,
-#endif
+#if defined(MCUBOOT_SWAP_USING_OFFSET) || defined(MCUBOOT_SWAP_USING_MOVE)
+        .copy_done_secondary_slot = BOOT_FLAG_UNSET,
+#endif /* MCUBOOT_SWAP_USING_OFFSET || MCUBOOT_SWAP_USING_MOVE */
         .swap_type =                BOOT_SWAP_TYPE_PERM,
     },
     {
@@ -142,9 +151,9 @@ static const struct boot_swap_table boot_swap_tables[] = {
         .image_ok_primary_slot =    BOOT_FLAG_UNSET,
         .image_ok_secondary_slot =  BOOT_FLAG_ANY,
         .copy_done_primary_slot =   BOOT_FLAG_SET,
-#if defined(MCUBOOT_SWAP_USING_OFFSET)
+#if defined(MCUBOOT_SWAP_USING_OFFSET) || defined(MCUBOOT_SWAP_USING_MOVE)
         .copy_done_secondary_slot = BOOT_FLAG_ANY,
-#endif
+#endif /* MCUBOOT_SWAP_USING_OFFSET || MCUBOOT_SWAP_USING_MOVE */
         .swap_type =                BOOT_SWAP_TYPE_REVERT,
     },
 };
@@ -463,10 +472,10 @@ boot_swap_type_multi(int image_index)
                 table->image_ok_secondary_slot == secondary_slot.image_ok) &&
             (table->copy_done_primary_slot == BOOT_FLAG_ANY  ||
                 table->copy_done_primary_slot == primary_slot.copy_done)
-#if defined(MCUBOOT_SWAP_USING_OFFSET)
+#if defined(MCUBOOT_SWAP_USING_OFFSET) || defined(MCUBOOT_SWAP_USING_MOVE)
             && (table->copy_done_secondary_slot == BOOT_FLAG_ANY  ||
                 table->copy_done_secondary_slot == secondary_slot.copy_done)
-#endif
+#endif /* MCUBOOT_SWAP_USING_OFFSET || MCUBOOT_SWAP_USING_MOVE */
             ) {
             BOOT_LOG_INF("Image index: %d, Swap type: %s", image_index,
                          table->swap_type == BOOT_SWAP_TYPE_TEST   ? "test"   :

boot/bootutil/src/swap_move.c

@@ -477,6 +477,32 @@ boot_swap_sectors(size_t idx, size_t last_idx, uint32_t sz, struct boot_loader_s
             rc = swap_scramble_trailer_sectors(state, fap_sec);
             assert(rc == 0);
 
+            /* When starting a revert the swap status of the primary slot is erased then
+             * re-initialized. If a reset occurs after the erasure but before the re-initialization
+             * is complete, there has to be, somewhere, a flag indicating a revert is in progress.
+             * Otherwise, the bootloader wouldn't be able to resume the revert operation.
+             *
+             * Initially, the swap-move algorithm was assuming the trailers were stored in dedicated
+             * sectors and it was therefore possible to rewrite the secondary trailer before
+             * starting the revert process, to make the revert look like a permanent upgrade in case
+             * an unfortunate reset occurs during the rewriting of the primary trailer.
+             *
+             * However, considering now the first trailer sector could also hold firmware data, this
+             * trick is no more possible since it could potentially erase part of the firmware image
+             * to be restored. A solution is to rewrite here the secondary trailer with the
+             * 'copy_done' flag set, meaning after an upgrade the secondary trailer is no more
+             * erased. The bootloader will consider a revert must be started or resumed if the
+             * primary image is not confirmed and the 'copy_done' flag is set in the secondary
+             * trailer.
+             */
+            if (bs->swap_type != BOOT_SWAP_TYPE_REVERT) {
+                rc = boot_write_copy_done(fap_sec);
+                assert(rc == 0);
+
+                rc = boot_write_magic(fap_sec);
+                assert(rc == 0);
+            }
+
             size_t first_trailer_sector_pri =
                 boot_get_first_trailer_sector(state, BOOT_PRIMARY_SLOT);
             size_t first_trailer_sector_sec =
@@ -516,55 +542,6 @@ boot_swap_sectors(size_t idx, size_t last_idx, uint32_t sz, struct boot_loader_s
     }
 }
 
-/*
- * When starting a revert the swap status exists in the primary slot, and
- * the status in the secondary slot is erased. To start the swap, the status
- * area in the primary slot must be re-initialized; if during the small
- * window of time between re-initializing it and writing the first metadata
- * a reset happens, the swap process is broken and cannot be resumed.
- *
- * This function handles the issue by making the revert look like a permanent
- * upgrade (by initializing the secondary slot).
- */
-void
-fixup_revert(const struct boot_loader_state *state, struct boot_status *bs,
-        const struct flash_area *fap_sec)
-{
-    struct boot_swap_state swap_state;
-    int rc;
-
-#if (BOOT_IMAGE_NUMBER == 1)
-    (void)state;
-#endif
-
-    /* No fixup required */
-    if (bs->swap_type != BOOT_SWAP_TYPE_REVERT ||
-        bs->op != BOOT_STATUS_OP_MOVE ||
-        bs->idx != BOOT_STATUS_IDX_0) {
-        return;
-    }
-
-    rc = boot_read_swap_state(fap_sec, &swap_state);
-    assert(rc == 0);
-
-    BOOT_LOG_SWAP_STATE("Secondary image", &swap_state);
-
-    if (swap_state.magic == BOOT_MAGIC_UNSET) {
-        /* Remove trailer and prepare area for write on devices requiring erase */
-        rc = swap_scramble_trailer_sectors(state, fap_sec);
-        assert(rc == 0);
-
-        rc = boot_write_image_ok(fap_sec);
-        assert(rc == 0);
-
-        rc = boot_write_swap_size(fap_sec, bs->swap_size);
-        assert(rc == 0);
-
-        rc = boot_write_magic(fap_sec);
-        assert(rc == 0);
-    }
-}
-
 void
 swap_run(struct boot_loader_state *state, struct boot_status *bs,
          uint32_t copy_size)
@@ -615,8 +592,6 @@ swap_run(struct boot_loader_state *state, struct boot_status *bs,
     fap_sec = BOOT_IMG_AREA(state, BOOT_SECONDARY_SLOT);
     assert(fap_sec != NULL);
 
-    fixup_revert(state, bs, fap_sec);
-
     if (bs->op == BOOT_STATUS_OP_MOVE) {
         idx = last_idx;
         while (idx > 0) {