[nrf noup] boot: Add retry for image verification

Intended mainly for direct-xip mode.
Allows to control:
- number of image validation attempts performed before considering the image invalid
- time before next attempt is made

Signed-off-by: Adam Szczygieł <[email protected]>
(cherry picked from commit 2534681)

Author: adsz-nordic

boot/bootutil/src/loader.c

@@ -57,6 +57,9 @@
 
 #ifdef __ZEPHYR__
 #include <zephyr/sys/reboot.h>
+#if defined(CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS)
+#include <zephyr/kernel.h>
+#endif /* CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS */
 #endif
 
 #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(PM_CPUNET_B0N_ADDRESS) && defined(CONFIG_PCD_APP)
@@ -909,14 +912,42 @@ boot_image_check(struct boot_loader_state *state, struct image_header *hdr,
     }
 #endif
 
+    for (int i = 1; i <= CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT; i++ ) {
+#if CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1
+      BOOT_LOG_DBG("Image validation attempt %d/%d", i, CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT);
+#endif /* CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1 */
+
 #if defined(MCUBOOT_SWAP_USING_OFFSET) && defined(MCUBOOT_SERIAL_RECOVERY)
-    FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ,
-             NULL, 0, NULL, 0);
+        FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ,
+                NULL, 0, NULL, 0);
 #else
-    FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ,
-             NULL, 0, NULL);
+        FIH_CALL(bootutil_img_validate, fih_rc, state, hdr, fap, tmpbuf, BOOT_TMPBUF_SZ,
+                NULL, 0, NULL);
 #endif
 
+        if (FIH_EQ(fih_rc, FIH_SUCCESS)) {
+#if CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1
+          BOOT_LOG_DBG("Image validation attempt %d/%d success", i, CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT);
+#endif /* CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1 */
+          break;
+        } else {
+#if CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1
+          BOOT_LOG_WRN("Image validation attempt %d/%d failure: %d",
+                       i,
+                       CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT, fih_rc);
+#endif /* CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1 */
+
+          if (i < CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT) {
+#if defined(CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS)
+#if CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1
+            BOOT_LOG_DBG("Waiting %d ms before next attempt",
+                         CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS);
+#endif /* CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1 */
+            k_busy_wait(CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS * 1000);
+#endif /* CONFIG_NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS */
+          }
+        }
+    }
     FIH_RET(fih_rc);
 }
 

boot/zephyr/Kconfig

@@ -1251,4 +1251,21 @@ config MCUBOOT_VERIFY_IMG_ADDRESS
 	  also be useful when BOOT_DIRECT_XIP is enabled, to ensure that the image
 	  linked at the correct address is loaded.
 
+config NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT
+	int "Number of image validation attempts"
+	default 1
+	help
+	  Number of image validation attempts performed before an image is considered invalid.
+	  A wait is done between each attempt to allow for recovery from a temporary disruption.
+	  This can prevent erasing an image when initial validation fails.
+	  Wait time is controlled by MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS.
+
+config NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS
+	int "Time between image validation attempts"
+	depends on NRF_MCUBOOT_IMG_VALIDATE_ATTEMPT_COUNT > 1
+	default 5000
+	help
+	  Time between image validation attempts, in milliseconds.
+	  Allows for recovery from transient bit flips or similar situations.
+
 source "Kconfig.zephyr"