You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
bootutil: Fix device brick after power failure during swap-move revert
Let's suppose after an upgrade you have a non-functional image in the
primary slot. The image won't be confirmed, leading to a revert at next
boot. At the beginning of the revert process, fixup_revert is invoked,
which rewrites the trailer in the secondary slot so that the revert
looks like a permanent upgrade. Normally, after the execution of this
routine, the secondary slot has a valid trailer, in particular with a
valid magic number.
Let's imagine a power failure occurs during the writing of the trailer's
magic, i.e. in boot_write_magic. The magic number in the secondary slot
is in an undefined state and might be partially written, which implies
at next boot it will be considered in BOOT_MAGIC_BAD state.
So, at next boot, we have the following state:
Primary slot: magic=good, copy-done=set, image-ok=unset
Secondary slot: magic=bad, copy-done=unset, image-ok=set
This doesn't match any state leading to an upgrade or revert process to
be initiated, which means MCUboot will not perform the revert and
attempt to boot from the primary slot, containing a non-functional
image. Hence, the device is bricked unless it is possible to reflash the
secondary slot without a functional image.
To avoid this issue, a revert is performed no matter the state of the
magic number in the secondary slot's trailer, provided the copy-done
flag is set in the primary slot but the image-ok flag is not. The
copy-done flag is set only after having completed an upgrade or
revert process so if the copy-done flag is set but the image-ok is
unset, it is guaranteed an upgrade has been performed but the new image
has not been confirmed, which implies a revert is needed.
Signed-off-by: Thomas Altenbach <[email protected]>
0 commit comments