modules: mcuboot: add Kconfigs for RAMLOAD_WITH_REVERT mode

danieldegrasse · danieldegrasse · commit 42aff4dbc4a5 · 2025-06-27T10:25:27.000-05:00
Add Kconfigs for RAMLOAD_WITH_REVERT mode in MCUBoot. This mode works in
a manner similar to DIRECT_XIP_WITH_REVERT- namely, mcuboot will only
boot an image that is either confirmed or marked as pending. If both
images are confirmed, mcuboot will still select the one with the higher
version, so downgrading is not possible using this mode.

Signed-off-by: Daniel DeGrasse &lt;ddegrasse@tenstorrent.com&gt;
diff --git a/cmake/mcuboot.cmake b/cmake/mcuboot.cmake
@@ -127,7 +127,7 @@ function(zephyr_mcuboot_tasks)
   if(CONFIG_MCUBOOT_IMGTOOL_OVERWRITE_ONLY)
     # Use overwrite-only instead of swap upgrades.
     set(imgtool_args --overwrite-only --align 1 ${imgtool_args})
-  elseif(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD)
+  elseif(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD OR CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT)
     # RAM load requires setting the location of where to load the image to
     dt_chosen(chosen_ram PROPERTY "zephyr,sram")
     dt_reg_addr(chosen_ram_address PATH ${chosen_ram})
@@ -189,7 +189,7 @@ function(zephyr_mcuboot_tasks)
                    ${output}.signed.encrypted.bin)
     endif()
 
-    if(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD)
+    if(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD OR CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT)
       list(APPEND byproducts ${output}.slot1.signed.encrypted.bin)
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
                    ${imgtool_sign} ${imgtool_args_alt_slot} ${output}.bin
@@ -252,7 +252,7 @@ function(zephyr_mcuboot_tasks)
                    ${output}.signed.encrypted.hex)
     endif()
 
-    if(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD)
+    if(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD OR CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT)
       list(APPEND byproducts ${output}.slot1.signed.hex)
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
                    ${imgtool_sign} ${imgtool_args_alt_slot} ${output}.hex
diff --git a/modules/Kconfig.mcuboot b/modules/Kconfig.mcuboot
@@ -211,6 +211,26 @@ config MCUBOOT_BOOTLOADER_MODE_RAM_LOAD
 	  This option automatically selectes MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible
 	  to swap back to older version of the application.
 
+config MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT
+	bool "MCUboot has been configured for RAM LOAD with revert"
+	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
+	select MCUBOOT_BOOTLOADER_NO_DOWNGRADE
+	help
+	  MCUboot expects slot0_partition and slot1_partition to exist in DT. In this mode, MCUboot
+	  will select the image with the higher version number, copy it to RAM and begin execution
+	  from there. The image must be linked to execute from RAM, the address that it is copied
+	  to is specified using the load-addr argument when running imgtool.
+	  This option automatically selectes MCUBOOT_BOOTLOADER_NO_DOWNGRADE as it is not possible
+	  to swap back to older version of the application.
+	  In this mode MCUboot will boot the application with the higher
+	  version from either slot, as long as it has been marked to be boot
+	  next time for test or permanently. In case when application is marked
+	  for test it needs to confirm itself, on the first boot, or it will be
+	  removed and MCUboot will revert to booting previously approved
+	  application. Note that in this mode MCUboot will not boot an
+	  application if it does not have an image header, so if an application
+	  is flashed manually it should be marked as confirmed
+
 config MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP
 	bool "MCUboot has been configured for DirectXIP operation"
 	select MCUBOOT_BOOTLOADER_MODE_HAS_NO_DOWNGRADE
diff --git a/share/sysbuild/image_configurations/BOOTLOADER_image_default.cmake b/share/sysbuild/image_configurations/BOOTLOADER_image_default.cmake
@@ -27,7 +27,7 @@ elseif(SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY)
   set(bootmode CONFIG_BOOT_UPGRADE_ONLY)
 elseif(SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT)
   set(bootmode CONFIG_BOOT_DIRECT_XIP)
-elseif(SB_CONFIG_MCUBOOT_MODE_RAM_LOAD)
+elseif(SB_CONFIG_MCUBOOT_MODE_RAM_LOAD OR SB_CONFIG_MCUBOOT_MODE_RAM_LOAD_WITH_REVERT)
   set(bootmode CONFIG_BOOT_RAM_LOAD)
 elseif(SB_CONFIG_MCUBOOT_MODE_SINGLE_APP_RAM_LOAD)
   set(bootmode CONFIG_SINGLE_APPLICATION_SLOT_RAM_LOAD)
@@ -56,6 +56,12 @@ else()
   set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOT_DIRECT_XIP_REVERT n)
 endif()
 
+if(SB_CONFIG_MCUBOOT_MODE_RAM_LOAD_WITH_REVERT)
+  set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOT_RAM_LOAD_REVERT y)
+else()
+  set_config_bool(${ZCMAKE_APPLICATION} CONFIG_BOOT_RAM_LOAD_REVERT n)
+endif()
+
 set(keytypes CONFIG_BOOT_SIGNATURE_TYPE_NONE
              CONFIG_BOOT_SIGNATURE_TYPE_RSA
              CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256
diff --git a/share/sysbuild/image_configurations/MAIN_image_default.cmake b/share/sysbuild/image_configurations/MAIN_image_default.cmake
@@ -39,6 +39,11 @@ if(SB_CONFIG_BOOTLOADER_MCUBOOT)
     set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD y)
     set_config_bool(${ZCMAKE_APPLICATION} CONFIG_XIP n)
     set_config_int(${ZCMAKE_APPLICATION} CONFIG_FLASH_SIZE 0)
+  elseif(SB_CONFIG_MCUBOOT_MODE_RAM_LOAD_WITH_REVERT)
+    # RAM load mode requires XIP be disabled and flash size be set to 0
+    set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT y)
+    set_config_bool(${ZCMAKE_APPLICATION} CONFIG_XIP n)
+    set_config_int(${ZCMAKE_APPLICATION} CONFIG_FLASH_SIZE 0)
   elseif(SB_CONFIG_MCUBOOT_MODE_SINGLE_APP_RAM_LOAD)
     set_config_bool(${ZCMAKE_APPLICATION} CONFIG_MCUBOOT_BOOTLOADER_MODE_SINGLE_APP_RAM_LOAD y)
   elseif(SB_CONFIG_MCUBOOT_MODE_FIRMWARE_UPDATER)
diff --git a/share/sysbuild/images/bootloader/Kconfig b/share/sysbuild/images/bootloader/Kconfig
@@ -119,6 +119,20 @@ config MCUBOOT_MODE_RAM_LOAD
 	  Note: RAM must be assigned to the bootloader that is not used by the application in this
 	  mode so that the bootloader is able to function until the application has booted.
 
+config MCUBOOT_MODE_RAM_LOAD_WITH_REVERT
+	bool "RAM load with revert"
+	help
+	  MCUboot expects slot0_partition and slot1_partition to exist in DT. In this mode, MCUboot
+	  will select the image with the higher version number, copy it to RAM and begin execution
+	  from there. MCUBoot will only boot an image if it has been marked to be boot next time
+	  for test or permanently. In case when application is marked for test it needs to confirm
+	  itself, on the first boot, or it will be removed and MCUboot will revert to booting
+	  previously approved application. The image must be linked to execute from RAM, the address
+	  that it is copied to is specified using the load-addr argument when running imgtool.
+
+	  Note: RAM must be assigned to the bootloader that is not used by the application in this
+	  mode so that the bootloader is able to function until the application has booted.
+
 config MCUBOOT_MODE_FIRMWARE_UPDATER
 	bool "Firmware updater"
 	help
