[nrf fromtree] mgmt: Allow to block confirming non-acive slots

tomchy · rlubos · commit db6ec697895e · 2025-10-02T09:28:22.000+02:00
In Direct XIP with revert, it should be possible to block confirmation of the non-active slot, so only a bootable binaries are marked as valid. Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no> (cherry picked from commit c1baf2f)
diff --git a/subsys/mgmt/mcumgr/grp/img_mgmt/Kconfig b/subsys/mgmt/mcumgr/grp/img_mgmt/Kconfig
@@ -117,6 +117,20 @@ config MCUMGR_GRP_IMG_REJECT_DIRECT_XIP_MISMATCHED_SLOT
 	  The base address can be set, to an image binary header, with imgtool,
 	  using the --rom-fixed command line option.
 
+config MCUMGR_GRP_IMG_ALLOW_CONFIRM_NON_ACTIVE_SLOT
+	bool "Allow to confirm non-active slots of any image"
+	depends on MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT || \
+		   MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT || \
+		   MCUBOOT_BOOTLOADER_MODE_SWAP_SCRATCH || \
+		   MCUBOOT_BOOTLOADER_MODE_SWAP_USING_MOVE || \
+		   MCUBOOT_BOOTLOADER_MODE_SWAP_USING_OFFSET
+	default y
+	help
+	  Allows to confirm non-active slot of any image.
+	  Normally it should not be allowed to confirm any slots via MCUmgr
+	  commands, to prevent confirming something that is broken and was not
+	  verified to boot correctly.
+
 config MCUMGR_GRP_IMG_FRUGAL_LIST
 	bool "Omit zero, empty or false values from status list"
 	help
diff --git a/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c b/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c
@@ -680,6 +680,17 @@ int img_mgmt_set_next_boot_slot(int slot, bool confirm)
 	}
 #endif
 
+	/* The rules above apply only to the inactive image.
+	 * To effectively prevent confirming something that might not have been
+	 * verified to actually be bootable, a new policy was introduced,
+	 * that applies to both active and inactive images.
+	 */
+#ifndef MCUMGR_GRP_IMG_ALLOW_CONFIRM_NON_ACTIVE_SLOT
+	if (confirm && slot != active_slot) {
+		return IMG_MGMT_ERR_IMAGE_CONFIRMATION_DENIED;
+	}
+#endif
+
 	/* Setting test to active slot is not allowed. */
 	if (!confirm && slot == active_slot) {
 		return IMG_MGMT_ERR_IMAGE_SETTING_TEST_TO_ACTIVE_DENIED;
@@ -728,8 +739,9 @@ int img_mgmt_set_next_boot_slot(int slot, bool confirm)
 #else
 int img_mgmt_set_next_boot_slot(int slot, bool confirm)
 {
+	int image = img_mgmt_slot_to_image(slot);
+	int active_slot = img_mgmt_active_slot(image);
 	int active_image = img_mgmt_active_image();
-	int active_slot = img_mgmt_active_slot(active_image);
 
 	LOG_DBG("(%d, %s)", slot, confirm ? "confirm" : "test");
 	LOG_DBG("aimg = %d, aslot = %d, slot = %d",
@@ -739,6 +751,12 @@ int img_mgmt_set_next_boot_slot(int slot, bool confirm)
 		return IMG_MGMT_ERR_IMAGE_SETTING_TEST_TO_ACTIVE_DENIED;
 	}
 
+#ifndef MCUMGR_GRP_IMG_ALLOW_CONFIRM_NON_ACTIVE_SLOT
+	if (slot != active_slot && confirm) {
+		return IMG_MGMT_ERR_IMAGE_CONFIRMATION_DENIED;
+	}
+#endif
+
 	return img_mgmt_set_next_boot_slot_common(slot, active_slot, confirm);
 }
 #endif
