bootutil: Fix the reading of image headers after partial swap completion

taltenbach · nordicjm · commit 2ac797677ef0 · 2024-12-11T13:21:11.000Z
After a partial swap has been resumed and completed, the image headers
are reloaded. The idea is that we want to update the bootloader state
(boot_data) to properly reflect the new state of the slots: the image
headers in the primary and secondary slots are now respectively the
headers of the new and previous active image.

However, the implementation was doing the exact opposite when
swap-scratch was used, which could lead to erroneous behaviors such as a
failure when validating the primary slot.

Signed-off-by: Thomas Altenbach &lt;thomas.altenbach@legrand.com&gt;
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
@@ -1963,10 +1963,21 @@ boot_prepare_image_for_update(struct boot_loader_state *state,
             rc = boot_complete_partial_swap(state, bs);
             assert(rc == 0);
 #endif
-            /* Attempt to read an image header from each slot. Ensure that
-             * image headers in slots are aligned with headers in boot_data.
+            /* Attempt to read an image header from each slot. Ensure that image headers in slots
+             * are aligned with headers in boot_data.
+             *
+             * The boot status (last param) is used to figure out in which slot the header of each
+             * image is currently located. This is useful as in the middle of an upgrade process,
+             * the header of a given image could have already been moved to the other slot. However,
+             * providing it at the end of the upgrade, as it is the case here, would cause the
+             * reading of the header of the primary image from the secondary slot and the secondary
+             * image from the primary slot, since the images have been swapped. That's not what we
+             * want here, since the goal is to upgrade the bootloader state to reflect the new state
+             * of the slots: the image headers in the primary and secondary slots must now
+             * respectively be the headers of the new and previous active image. So NULL is provided
+             * as boot status.
              */
-            rc = boot_read_image_headers(state, false, bs);
+            rc = boot_read_image_headers(state, false, NULL);
             assert(rc == 0);
 
             /* Swap has finished set to NONE */
