Skip to content

Zephyr: introduce bootloader requests #2402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Zephyr: introduce bootloader requests #2402

wants to merge 2 commits into from

Conversation

tomchy
Copy link
Contributor

@tomchy tomchy commented Jul 24, 2025

In some cases, a Zephyr platform is not able to use the RAM-based retention subsystem. This results in no ability to communicate with the bootloader to:

  • Request the recovery mode from the main application
  • Request the firmware loader mode from the main application

The other case in which the application wants to communicate with the bootloader are platforms that want to have the active slot configured as read-only. In such case, the following flow can be introduced to mitigate this restriction:

  • The main application sends a request to the bootloader informing which image should be confirmed.
  • The main application reboots the device.
  • The device reboots and resets memory permissions so that the bootloader can perform the updates.
  • In the permitted state, the bootloader processes the confirmation requests, before analyzing the state of the slots.
  • The bootloader continues the logic as if the application had confirmed the slot.

There is also a third use case for the application requests in the Direct XIP mode:

  • Currently, the decision of which slot to boot is based only on the version number.
  • Even if there are two valid slots on the device, a user cannot request a temporary rollback to the previous firmware.
  • By introducing a request for slot preference, the slot selection logic may be extended with custom logic that runs as part of the main application and sends such a request to the bootloader to alter the default behavior.

This PR introduces an API that can be used to collect all of the above requests in a single module.
The Kconfig to select or extend the boot request format is located in the configuration file of the mcuboot module in the Zephyr repository.
In addition, a simple integration with bootutil library is included, allowing this feature to be used with an existing MCUmgr implementation.

@tomchy tomchy changed the title Zeohyr: introduce bootloader requests Zephyr: introduce bootloader requests Jul 24, 2025
nordicjm
nordicjm requested changes Jul 24, 2025
View reviewed changes
Copy link
Collaborator

@nordicjm nordicjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is not how common code should work, bootutil is a common file for any RTOS, any zephyr specific code goes in boot/zephyr, and there should be no checking of e.g. Kconfigs in common code

@tomchy
Copy link
Contributor Author

tomchy commented Jul 24, 2025
edited
Loading

this is not how common code should work, bootutil is a common file for any RTOS, any zephyr specific code goes in boot/zephyr, and there should be no checking of e.g. Kconfigs in common code

Is there a place for a code that is zephyr-specific, yet should be shared between the app and bootloader?

Honestly, I had an impression that the shared code/library problem is not fully resolved in the MCUboot ATM, so we are seeking for good ideas here 🙂

Side note: that's one of the reasons why this is a draft PR.

@nordicjm
Copy link
Collaborator

this is not how common code should work, bootutil is a common file for any RTOS, any zephyr specific code goes in boot/zephyr, and there should be no checking of e.g. Kconfigs in common code

Is there a place for a code that is zephyr-specific, yet should be shared between the app and bootloader?

Honestly, I had an impression that the shared code/library problem is not fully resolved in the MCUboot ATM, so we are seeking for good ideas here 🙂

Side note: that's one of the reasons why this is a draft PR.

Depends what it is, if it's zephyr centric then it can go into zephyr itself (e.g. boot mode is in zephyr and used in apps and mcuboot), I'm not sure what this code really does or what part is meant to be shared

tomchy added 2 commits July 25, 2025 14:15
@tomchy
bootloader: Add bootloader requests
54a176c 
Add a capability inside the Zephyr bootloader to handle memory-based
bootloader requests to:
 - Boot recovery firmware
 - Boot firmware loader
 - Confirm an image
 - Set the slot preference

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
@tomchy
bootutil: Add support for bootloader requests
c58b35c 
Extend the common bootutil library to send bootloader requests instead
of writing data directly into the active slot.

Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
@tomchy tomchy force-pushed the feature/zephyr/NCSDK-NONE_boot_requests branch from 91713dd to c58b35c Compare July 25, 2025 12:15
@tomchy
Copy link
Contributor Author

tomchy commented Jul 25, 2025

this is not how common code should work, bootutil is a common file for any RTOS, any zephyr specific code goes in boot/zephyr, and there should be no checking of e.g. Kconfigs in common code

Is there a place for a code that is zephyr-specific, yet should be shared between the app and bootloader?
Honestly, I had an impression that the shared code/library problem is not fully resolved in the MCUboot ATM, so we are seeking for good ideas here 🙂
Side note: that's one of the reasons why this is a draft PR.

Depends what it is, if it's zephyr centric then it can go into zephyr itself (e.g. boot mode is in zephyr and used in apps and mcuboot), I'm not sure what this code really does or what part is meant to be shared

Sine the boot request API is used by the bootutil logic, I decided to move it into the MCUBoot include directory.
That way the header is common, but the implementation is platform-specific (just like the security counter API).
There is still one Kconfig left: the CONFIG_MCUBOOT as it was already there for changing the implementation, based on the context (app vs bootloader). If there is a MCUboot-centric way to do that, let me know, I'll be happy to replace it.

If you agree on the current split, I'll add a note about the new configuration option inside the MCUboot docs.

@tomchy tomchy requested a review from nordicjm July 25, 2025 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nordicjm nordicjm Awaiting requested review from nordicjm nordicjm is a code owner

@de-nordic de-nordic Awaiting requested review from de-nordic de-nordic will be requested when the pull request is marked ready for review de-nordic is a code owner

@davidvincze davidvincze Awaiting requested review from davidvincze davidvincze will be requested when the pull request is marked ready for review davidvincze is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tomchy @nordicjm