bootutil: Fix device bricked after power failure during swap-move revert #2100
Commits on Oct 16, 2024
-
bootutil: Fix device brick after power failure during swap-move revert
Let's suppose after an upgrade you have a non-functional image in the primary slot. The image won't be confirmed, leading to a revert at next boot. At the beginning of the revert process, fixup_revert is invoked, which rewrites the trailer in the secondary slot so that the revert looks like a permanent upgrade. Normally, after the execution of this routine, the secondary slot has a valid trailer, in particular with a valid magic number. Let's imagine a power failure occurs during the writing of the trailer's magic, i.e. in boot_write_magic. The magic number in the secondary slot is in an undefined state and might be partially written, which implies at next boot it will be considered in BOOT_MAGIC_BAD state. So, at next boot, we have the following state: Primary slot: magic=good, copy-done=set, image-ok=unset Secondary slot: magic=bad, copy-done=unset, image-ok=set This doesn't match any state leading to an upgrade or revert process to be initiated, which means MCUboot will not perform the revert and attempt to boot from the primary slot, containing a non-functional image. Hence, the device is bricked unless it is possible to reflash the secondary slot without a functional image. To avoid this issue, a revert is performed no matter the state of the magic number in the secondary slot's trailer, provided the copy-done flag is set in the primary slot but the image-ok flag is not. The copy-done flag is set only after having completed an upgrade or revert process so if the copy-done flag is set but the image-ok is unset, it is guaranteed an upgrade has been performed but the new image has not been confirmed, which implies a revert is needed. Signed-off-by: Thomas Altenbach <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.