bootloader: Add bootloader requests

Add a capability inside the Zephyr bootloader to handle memory-based
bootloader requests to:
 - Boot recovery firmware
 - Boot firmware loader
 - Confirm an image
 - Set the slot preference

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

boot/bootutil/include/bootutil/boot_hooks.h

@@ -82,6 +82,18 @@
 
 #endif /* MCUBOOT_BOOT_GO_HOOKS  */
 
+#ifdef MCUBOOT_FIND_NEXT_SLOT_HOOKS
+
+#define BOOT_HOOK_FIND_SLOT_CALL(f, ret_default, ...) \
+    DO_HOOK_CALL(f, ret_default, __VA_ARGS__)
+
+#else
+
+#define BOOT_HOOK_FIND_SLOT_CALL(f, ret_default, ...) \
+    HOOK_CALL_NOP(f, ret_default, __VA_ARGS__)
+
+#endif /* MCUBOOT_FIND_NEXT_SLOT_HOOKS */
+
 #ifdef MCUBOOT_FLASH_AREA_HOOKS
 
 #define BOOT_HOOK_FLASH_AREA_CALL(f, ret_default, ...) \
@@ -260,4 +272,16 @@ int flash_area_get_device_id_hook(const struct flash_area *fa,
 #define BOOT_RESET_REQUEST_HOOK_CHECK_FAILED	3
 #define BOOT_RESET_REQUEST_HOOK_INTERNAL_ERROR	4
 
+/**
+ * Finds the preferred slot containing the image.
+ *
+ * @param[in]   state        Boot loader status information.
+ * @param[in]   image        Image, for which the slot should be found.
+ * @param[out]  active_slot  Number of the preferred slot.
+ *
+ * @return 0 if a slot was requested;
+ *         BOOT_HOOK_REGULAR follow the normal execution path.
+ */
+int boot_find_next_slot_hook(struct boot_loader_state *state, uint8_t image, uint32_t *active_slot);
+
 #endif /*H_BOOTUTIL_HOOKS*/

boot/bootutil/include/bootutil/boot_request.h

@@ -0,0 +1,105 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ */
+
+#ifndef __BOOT_REQUEST_H__
+#define __BOOT_REQUEST_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdint.h>
+#include <stdbool.h>
+
+/** Special value, indicating that there is no preferred slot. */
+#define BOOT_REQUEST_NO_PREFERRED_SLOT UINT32_MAX
+
+/**
+ * @brief Request a bootloader to confirm the specified slot of an image.
+ *
+ * @param[in] image  Image number.
+ * @param[in] slot   Slot number.
+ *
+ * @return 0 if requested, negative error code otherwise.
+ */
+int boot_request_confirm_slot(uint8_t image, uint32_t slot);
+
+/**
+ * @brief Request a bootloader to boot the specified slot of an image.
+ *
+ * @param[in] image  Image number.
+ * @param[in] slot  Slot number.
+ *
+ * @return 0 if requested, negative error code otherwise.
+ */
+int boot_request_set_preferred_slot(uint8_t image, uint32_t slot);
+
+/**
+ * @brief Request a bootloader to boot recovery image.
+ *
+ * @return 0 if requested, negative error code otherwise.
+ */
+int boot_request_enter_recovery(void);
+
+/**
+ * @brief Request a bootloader to boot firmware loader image.
+ *
+ * @return 0 if requested, negative error code otherwise.
+ */
+int boot_request_enter_firmware_loader(void);
+
+/**
+ * @brief Check if there is a request to confirm the specified slot of an image.
+ *
+ * @param[in] image  Image number.
+ * @param[in] slot   Slot number.
+ *
+ * @return true if requested, false otherwise.
+ */
+bool boot_request_check_confirmed_slot(uint8_t image, uint32_t slot);
+
+/**
+ * @brief Find if there is a request to boot certain slot of the specified image.
+ *
+ * @param[in] image  Image number.
+ *
+ * @return slot number if requested, BOOT_REQUEST_NO_PREFERRED_SLOT otherwise.
+ */
+uint32_t boot_request_get_preferred_slot(uint8_t image);
+
+/**
+ * @brief Check if there is a request to boot recovery image.
+ *
+ * @return true if requested, false otherwise.
+ */
+bool boot_request_detect_recovery(void);
+
+/**
+ * @brief Check if there is a request to boot firmware loader image.
+ *
+ * @return true if requested, false otherwise.
+ */
+bool boot_request_detect_firmware_loader(void);
+
+/**
+ * @brief Initialize boot requests module.
+ *
+ * @return 0 if successful, negative error code otherwise.
+ */
+int boot_request_init(void);
+
+/**
+ * @brief Clear/drop all requests.
+ *
+ * @return 0 if successful, negative error code otherwise.
+ */
+int boot_request_clear(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __BOOT_REQUEST_H__ */

boot/bootutil/src/loader.c

@@ -3605,7 +3605,12 @@ boot_load_and_validate_images(struct boot_loader_state *state)
                 break;
             }
 
-            active_slot = find_slot_with_highest_version(state);
+            rc = BOOT_HOOK_FIND_SLOT_CALL(boot_find_next_slot_hook, BOOT_HOOK_REGULAR,
+                                          state, BOOT_CURR_IMG(state), &active_slot);
+            if (rc == BOOT_HOOK_REGULAR) {
+                active_slot = find_slot_with_highest_version(state);
+            }
+
             if (active_slot == NO_ACTIVE_SLOT) {
                 BOOT_LOG_INF("No slot to load for image %d",
                              BOOT_CURR_IMG(state));
@@ -3652,7 +3657,12 @@ boot_load_and_validate_images(struct boot_loader_state *state)
                 break;
             }
 
-            active_slot = find_slot_with_highest_version(state);
+            rc = BOOT_HOOK_FIND_SLOT_CALL(boot_find_next_slot_hook, BOOT_HOOK_REGULAR,
+                                          state, BOOT_CURR_IMG(state), &active_slot);
+            if (rc == BOOT_HOOK_REGULAR) {
+                active_slot = find_slot_with_highest_version(state);
+            }
+
             if (active_slot == NO_ACTIVE_SLOT) {
                 BOOT_LOG_INF("No slot to load for image %d",
                              BOOT_CURR_IMG(state));

boot/bootutil/zephyr/CMakeLists.txt

@@ -16,6 +16,11 @@ zephyr_library_named(mcuboot_util)
 zephyr_library_sources(
   ../src/bootutil_public.c
     )
+if(CONFIG_MCUBOOT_BOOT_REQUEST)
+  zephyr_library_sources_ifdef(CONFIG_MCUBOOT_BOOT_REQUEST_IMPL_RETENTION
+    src/boot_request_retention.c
+  )
+endif()
 
 # Sensitivity to the TEST_BOOT_IMAGE_ACCESS_HOOKS define is implemented for
 # allowing the test-build with the hooks feature enabled.