mgmt: Handle manifest-based states

tomchy · tomchy · commit 732b90caa7f2 · 2025-11-04T17:29:19.000+01:00
Add routines to parse and check manifest state.

Signed-off-by: Tomasz Chyrowicz &lt;tomasz.chyrowicz@nordicsemi.no&gt;
diff --git a/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt.c b/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt.c
@@ -31,6 +31,10 @@
 #include <zephyr/dfu/flash_img.h>
 #endif
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+#include <bootutil/mcuboot_manifest.h>
+#endif
+
 #ifdef CONFIG_MCUMGR_MGMT_NOTIFICATION_HOOKS
 #include <zephyr/mgmt/mcumgr/mgmt/callbacks.h>
 #include <mgmt/mcumgr/transport/smp_internal.h>
@@ -380,6 +384,114 @@ int img_mgmt_read_info(int image_slot, struct image_version *ver, uint8_t *hash,
 	return 0;
 }
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+/**
+ * Checks whether the manifest of the image in the specified slot can be used for booting.
+ *
+ * @param slot  The slot to check the manifest for.
+ *
+ * @return true if the manifest can be used, false otherwise.
+ */
+bool boot_check_manifest(enum boot_slot slot)
+{
+	struct image_header hdr;
+	struct image_tlv tlv;
+	size_t data_off;
+	size_t data_end;
+	bool manifest_found;
+	uint8_t erased_val;
+	uint32_t erased_val_32;
+	struct mcuboot_manifest tmp_manifest;
+	uint8_t hash[IMAGE_HASH_SIZE];
+	int rc;
+	int image_slot = CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER * BOOT_SLOT_COUNT + slot;
+
+	rc = img_mgmt_erased_val(image_slot, &erased_val);
+	if (rc != 0) {
+		return false;
+	}
+
+	rc = img_mgmt_read(image_slot,
+			   boot_get_image_start_offset(img_mgmt_flash_area_id(image_slot)),
+			   &hdr, sizeof(hdr));
+	if (rc != 0) {
+		return false;
+	}
+
+	erased_val_32 = ERASED_VAL_32(erased_val);
+	if (hdr.ih_magic == IMAGE_MAGIC) {
+		/* Valid header */
+	} else if (hdr.ih_magic == erased_val_32) {
+		return false;
+	} else {
+		return false;
+	}
+
+	/* Read the image's TLVs. We try to find manifest only inside the protected TLVs.
+	 * If the manifest is missing, the image is considered invalid.
+	 */
+	data_off = hdr.ih_hdr_size + hdr.ih_img_size +
+		   boot_get_image_start_offset(img_mgmt_flash_area_id(image_slot));
+
+	rc = img_mgmt_find_tlvs(image_slot, &data_off, &data_end, IMAGE_TLV_PROT_INFO_MAGIC);
+	if (!rc) {
+		return false;
+	}
+
+	manifest_found = false;
+	while (data_off + sizeof(tlv) <= data_end) {
+		rc = img_mgmt_read(image_slot, data_off, &tlv, sizeof(tlv));
+		if (rc != 0) {
+			return false;
+		}
+		if (tlv.it_type == 0xff && tlv.it_len == 0xffff) {
+			return false;
+		}
+		if ((tlv.it_type != IMAGE_TLV_MANIFEST) || (tlv.it_len != sizeof(struct mcuboot_manifest))) {
+			/* Non-manifest TLV. Skip it. */
+			data_off += sizeof(tlv) + tlv.it_len;
+			continue;
+		}
+
+		if (manifest_found) {
+			/* More than one manifest. */
+			return false;
+		}
+		manifest_found = true;
+
+		data_off += sizeof(tlv);
+		if (data_off + sizeof(struct mcuboot_manifest) > data_end) {
+			return false;
+		}
+		rc = img_mgmt_read(image_slot, data_off, &tmp_manifest, sizeof(struct mcuboot_manifest));
+		if (rc != 0) {
+			return false;
+		}
+	}
+
+	if (!manifest_found) {
+		return false;
+	}
+
+	for (size_t i = 0; i < BOOT_IMAGE_NUMBER; i++) {
+		if (CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER == i) {
+			continue;
+		}
+
+		rc = img_mgmt_read_info(i * BOOT_SLOT_COUNT + slot, NULL, hash, NULL);
+		if ((rc == 0) && bootutil_verify_manifest_image_hash(&tmp_manifest, hash, i)) {
+			/* Hash matches */
+			continue;
+		}
+
+		LOG_ERR("Manifest hash does not match image %d hash", i);
+		return false;
+	}
+
+	return true;
+}
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
+
 /*
  * Finds image given version number. Returns the slot number image is in,
  * or -1 if not found.
diff --git a/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c b/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c
@@ -131,6 +131,18 @@ img_mgmt_state_flags(int query_slot)
 	int image = query_slot / 2;	/* We support max 2 images for now */
 	int active_slot = img_mgmt_active_slot(image);
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+	/* If manifest-based updates are used, only the manifest image is considered. */
+	image = CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER;
+	if (query_slot == active_slot) {
+		active_slot = img_mgmt_active_slot(image);
+		query_slot = active_slot;
+	} else {
+		active_slot = img_mgmt_active_slot(image);
+		query_slot = img_mgmt_get_opposite_slot(active_slot);
+	}
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
+
 	/* In case when MCUboot is configured for FW loader/updater mode, slots
 	 * can be either active or non-active. There is no concept of pending
 	 * or confirmed slots.
@@ -223,9 +235,29 @@ int img_mgmt_get_next_boot_slot(int image, enum img_mgmt_next_boot_type *type)
 static int read_directxip_state(int slot)
 {
 	struct boot_swap_state bss;
-	int fa_id = img_mgmt_flash_area_id(slot);
+	int fa_id;
 	const struct flash_area *fa;
 	int rc = 0;
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+	int active_slot = img_mgmt_active_slot(slot / 2);
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
+
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+	/* If manifest-based updates are used, only the manifest image is considered. */
+	if (slot == active_slot) {
+		slot = img_mgmt_active_slot(CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER);
+	} else {
+		slot = img_mgmt_get_opposite_slot(img_mgmt_active_slot(
+						  CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER));
+	}
+
+	if (!boot_check_manifest(slot % 2)) {
+		LOG_ERR("Failed to read manifest of slot %d with error %d", slot, rc);
+		return -1;
+	}
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
+
+	fa_id = img_mgmt_flash_area_id(slot);
 
 	__ASSERT(fa_id != -1, "Could not map slot to area ID");
 
@@ -258,18 +290,22 @@ int img_mgmt_get_next_boot_slot(int image, enum img_mgmt_next_boot_type *type)
 {
 	struct image_version aver;
 	struct image_version over;
-	int active_slot = img_mgmt_active_slot(image);
-	int other_slot = img_mgmt_get_opposite_slot(active_slot);
 #if defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
 	int active_slot_state;
 	int other_slot_state;
 #endif /* defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT) */
 	enum img_mgmt_next_boot_type lt = NEXT_BOOT_TYPE_NORMAL;
-	int return_slot = active_slot;
 
+#ifdef CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES
+	/* If manifest-based updates are used, only the manifest image is considered. */
+	image = CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_NUMBER;
+#endif /* CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES */
 
+	int active_slot = img_mgmt_active_slot(image);
+	int other_slot = img_mgmt_get_opposite_slot(active_slot);
 	int rcs = img_mgmt_read_info(other_slot, &over, NULL, NULL);
 	int rca = img_mgmt_read_info(active_slot, &aver, NULL, NULL);
+	int return_slot = active_slot;
 
 #if defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT)
 	active_slot_state = read_directxip_state(active_slot);
