[nrf noup] bootloader: Add bootloader requests

Add a capability inside the Zephyr bootloader to handle memory-based
bootloader requests to:
 - Boot recovery firmware
 - Boot firmware loader
 - Confirm an image
 - Set the slot preference

Ref: NCSDK-34429

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

boot/bootutil/include/bootutil/boot_request.h

@@ -0,0 +1,105 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ */
+
+#ifndef __BOOT_REQUEST_H__
+#define __BOOT_REQUEST_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdint.h>
+#include <stdbool.h>
+
+/** Special value, indicating that there is no preferred slot. */
+#define BOOT_REQUEST_NO_PREFERRED_SLOT UINT32_MAX
+
+/**
+ * @brief Request a bootloader to confirm the specified slot of an image.
+ *
+ * @param[in] image  Image number.
+ * @param[in] slot   Slot number.
+ *
+ * @return 0 if requested, negative error code otherwise.
+ */
+int boot_request_confirm_slot(uint8_t image, uint32_t slot);
+
+/**
+ * @brief Request a bootloader to boot the specified slot of an image.
+ *
+ * @param[in] image  Image number.
+ * @param[in] slot  Slot number.
+ *
+ * @return 0 if requested, negative error code otherwise.
+ */
+int boot_request_set_preferred_slot(uint8_t image, uint32_t slot);
+
+/**
+ * @brief Request a bootloader to boot recovery image.
+ *
+ * @return 0 if requested, negative error code otherwise.
+ */
+int boot_request_enter_recovery(void);
+
+/**
+ * @brief Request a bootloader to boot firmware loader image.
+ *
+ * @return 0 if requested, negative error code otherwise.
+ */
+int boot_request_enter_firmware_loader(void);
+
+/**
+ * @brief Check if there is a request to confirm the specified slot of an image.
+ *
+ * @param[in] image  Image number.
+ * @param[in] slot   Slot number.
+ *
+ * @return true if requested, false otherwise.
+ */
+bool boot_request_check_confirmed_slot(uint8_t image, uint32_t slot);
+
+/**
+ * @brief Find if there is a request to boot certain slot of the specified image.
+ *
+ * @param[in] image  Image number.
+ *
+ * @return slot number if requested, BOOT_REQUEST_NO_PREFERRED_SLOT otherwise.
+ */
+uint32_t boot_request_get_preferred_slot(uint8_t image);
+
+/**
+ * @brief Check if there is a request to boot recovery image.
+ *
+ * @return true if requested, false otherwise.
+ */
+bool boot_request_detect_recovery(void);
+
+/**
+ * @brief Check if there is a request to boot firmware loader image.
+ *
+ * @return true if requested, false otherwise.
+ */
+bool boot_request_detect_firmware_loader(void);
+
+/**
+ * @brief Initialize boot requests module.
+ *
+ * @return 0 if successful, negative error code otherwise.
+ */
+int boot_request_init(void);
+
+/**
+ * @brief Clear/drop all requests.
+ *
+ * @return 0 if successful, negative error code otherwise.
+ */
+int boot_request_clear(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __BOOT_REQUEST_H__ */

boot/bootutil/src/bootutil_public.c

@@ -51,6 +51,11 @@
 #include "bootutil_priv.h"
 #include "bootutil_misc.h"
 
+#if defined(CONFIG_NRF_MCUBOOT_BOOT_REQUEST) && !defined(CONFIG_MCUBOOT)
+#include <bootutil/boot_request.h>
+#define SEND_BOOT_REQUEST
+#endif /* CONFIG_NRF_MCUBOOT_BOOT_REQUEST && !CONFIG_MCUBOOT */
+
 #ifdef CONFIG_MCUBOOT
 BOOT_LOG_MODULE_DECLARE(mcuboot);
 #else
@@ -503,32 +508,79 @@ boot_write_copy_done(const struct flash_area *fap)
     return boot_write_trailer_flag(fap, off, BOOT_FLAG_SET);
 }
 
-#ifndef MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP
+#ifdef SEND_BOOT_REQUEST
+static int
+send_boot_request(uint8_t magic, bool confirm, int image_id, uint32_t slot_id)
+{
+    int rc = BOOT_EBADIMAGE;
 
-static int flash_area_to_image(const struct flash_area *fa)
+    /* Handle write-protected active image. */
+    if ((magic == BOOT_MAGIC_GOOD) || (magic == BOOT_MAGIC_UNSET)) {
+        if (confirm) {
+            BOOT_LOG_DBG("Confirm image: %d, %d", image_id, slot_id);
+            rc = boot_request_confirm_slot(image_id, slot_id);
+        } else {
+            BOOT_LOG_DBG("Set image preference: %d, %d", image_id, slot_id);
+            rc = boot_request_set_preferred_slot(image_id, slot_id);
+        }
+        if (rc != 0) {
+            rc = BOOT_EBADIMAGE;
+        }
+    }
+
+    return rc;
+}
+#endif /* SEND_BOOT_REQUEST */
+
+#if defined(SEND_BOOT_REQUEST) || (!defined(MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP))
+static int flash_area_to_image_slot(const struct flash_area *fa, uint32_t *slot)
 {
+    int id = flash_area_get_id(fa);
 #if BOOT_IMAGE_NUMBER > 1
     uint8_t i = 0;
-    int id = flash_area_get_id(fa);
 
     while (i < BOOT_IMAGE_NUMBER) {
-        if (FLASH_AREA_IMAGE_PRIMARY(i) == id || (FLASH_AREA_IMAGE_SECONDARY(i) == id)) {
+        if (FLASH_AREA_IMAGE_PRIMARY(i) == id) {
+            if (slot != NULL) {
+                *slot = 0;
+            }
+            return i;
+        } else if (FLASH_AREA_IMAGE_SECONDARY(i) == id) {
+            if (slot != NULL) {
+                *slot = 1;
+            }
             return i;
         }
 
         ++i;
     }
 #else
     (void)fa;
+    if (slot != NULL) {
+        if (FLASH_AREA_IMAGE_PRIMARY(0) == id) {
+            *slot = 0;
+        } else if (FLASH_AREA_IMAGE_SECONDARY(0) == id) {
+            *slot = 1;
+        } else {
+            *slot = UINT32_MAX;
+        }
+    }
 #endif
     return 0;
 }
+#endif /* defined(SEND_BOOT_REQUEST) || (!defined(MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP)) */
 
+#ifndef MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP
 int
 boot_set_next(const struct flash_area *fa, bool active, bool confirm)
 {
     struct boot_swap_state slot_state;
     int rc;
+    int image_id;
+    uint32_t slot_id;
+
+    BOOT_LOG_DBG("boot_set_next: fa %p active == %d, confirm == %d",
+                 fa, (int)active, (int)confirm);
 
     if (active) {
         confirm = true;
@@ -539,6 +591,15 @@ boot_set_next(const struct flash_area *fa, bool active, bool confirm)
         return rc;
     }
 
+    image_id = flash_area_to_image_slot(fa, &slot_id);
+
+#ifdef SEND_BOOT_REQUEST
+    rc = send_boot_request(slot_state.magic, confirm, image_id, slot_id);
+    if ((rc != 0) || active) {
+        return rc;
+    }
+#endif
+
     switch (slot_state.magic) {
     case BOOT_MAGIC_GOOD:
         /* If non-active then swap already scheduled, else confirm needed.*/
@@ -569,7 +630,7 @@ boot_set_next(const struct flash_area *fa, bool active, bool confirm)
                 } else {
                     swap_type = BOOT_SWAP_TYPE_TEST;
                 }
-                rc = boot_write_swap_info(fa, swap_type, flash_area_to_image(fa));
+                rc = boot_write_swap_info(fa, swap_type, image_id);
             }
         }
         break;
@@ -600,6 +661,10 @@ boot_set_next(const struct flash_area *fa, bool active, bool confirm)
 {
     struct boot_swap_state slot_state;
     int rc;
+#ifdef SEND_BOOT_REQUEST
+    int image_id;
+    uint32_t slot_id;
+#endif
 
     BOOT_LOG_DBG("boot_set_next: fa %p active == %d, confirm == %d",
                  fa, (int)active, (int)confirm);
@@ -618,6 +683,15 @@ boot_set_next(const struct flash_area *fa, bool active, bool confirm)
         return rc;
     }
 
+#ifdef SEND_BOOT_REQUEST
+    image_id = flash_area_to_image_slot(fa, &slot_id);
+
+    rc = send_boot_request(slot_state.magic, confirm, image_id, slot_id);
+    if ((rc != 0) || active) {
+        return rc;
+    }
+#endif
+
     switch (slot_state.magic) {
     case BOOT_MAGIC_UNSET:
         /* Magic is needed for MCUboot to even consider booting an image */

boot/bootutil/zephyr/CMakeLists.txt

@@ -16,6 +16,11 @@ zephyr_library_named(mcuboot_util)
 zephyr_library_sources(
   ../src/bootutil_public.c
     )
+if(CONFIG_NRF_MCUBOOT_BOOT_REQUEST)
+  zephyr_library_sources_ifdef(CONFIG_NRF_MCUBOOT_BOOT_REQUEST_IMPL_RETENTION
+    src/boot_request_retention.c
+  )
+endif()
 
 # Sensitivity to the TEST_BOOT_IMAGE_ACCESS_HOOKS define is implemented for
 # allowing the test-build with the hooks feature enabled.