Skip to content

[nrf fromtree] mgmt: Allow to block confirming non-acive slots #3248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 2, 2025
Merged

[nrf fromtree] mgmt: Allow to block confirming non-acive slots #3248

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2a6dd59
[nrf fromtree] mgmt: Allow to block confirming non-acive slots
tomchy Sep 4, 2025
a1abbdc
[nrf fromtree] mgmt: Add missing CONFIG_ prefixes
tomchy Sep 26, 2025
5a58b0f
[nrf fromtree] mcumgr: Enable permanent updates in overwrite mode
tomchy Sep 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions subsys/mgmt/mcumgr/grp/img_mgmt/Kconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,24 @@ config MCUMGR_GRP_IMG_REJECT_DIRECT_XIP_MISMATCHED_SLOT
The base address can be set, to an image binary header, with imgtool,
using the --rom-fixed command line option.

config MCUMGR_GRP_IMG_ALLOW_CONFIRM_NON_ACTIVE_SLOT
bool "Allow to confirm non-active slots of any image" if !MCUBOOT_BOOTLOADER_MODE_OVERWRITE_ONLY
depends on MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP_WITH_REVERT || \
MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT || \
MCUBOOT_BOOTLOADER_MODE_SWAP_SCRATCH || \
MCUBOOT_BOOTLOADER_MODE_SWAP_USING_MOVE || \
MCUBOOT_BOOTLOADER_MODE_SWAP_USING_OFFSET || \
MCUBOOT_BOOTLOADER_MODE_OVERWRITE_ONLY
default y
help
Allows to confirm non-active slot of any image.
Normally it should not be allowed to confirm any slots via MCUmgr
commands, to prevent confirming something that is broken and was not
verified to boot correctly.
Option always enabled in the overwrite mode, because the permanent
update, that uses the confirm flag, is the intended way to provide
updates.

config MCUMGR_GRP_IMG_FRUGAL_LIST
bool "Omit zero, empty or false values from status list"
help
Expand Down
20 changes: 19 additions & 1 deletion subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -680,6 +680,17 @@ int img_mgmt_set_next_boot_slot(int slot, bool confirm)
}
#endif

/* The rules above apply only to the inactive image.
* To effectively prevent confirming something that might not have been
* verified to actually be bootable, a new policy was introduced,
* that applies to both active and inactive images.
*/
#ifndef CONFIG_MCUMGR_GRP_IMG_ALLOW_CONFIRM_NON_ACTIVE_SLOT
if (confirm && slot != active_slot) {
return IMG_MGMT_ERR_IMAGE_CONFIRMATION_DENIED;
}
#endif

/* Setting test to active slot is not allowed. */
if (!confirm && slot == active_slot) {
return IMG_MGMT_ERR_IMAGE_SETTING_TEST_TO_ACTIVE_DENIED;
Expand Down Expand Up @@ -728,8 +739,9 @@ int img_mgmt_set_next_boot_slot(int slot, bool confirm)
#else
int img_mgmt_set_next_boot_slot(int slot, bool confirm)
{
int image = img_mgmt_slot_to_image(slot);
int active_slot = img_mgmt_active_slot(image);
int active_image = img_mgmt_active_image();
int active_slot = img_mgmt_active_slot(active_image);

LOG_DBG("(%d, %s)", slot, confirm ? "confirm" : "test");
LOG_DBG("aimg = %d, aslot = %d, slot = %d",
Expand All @@ -739,6 +751,12 @@ int img_mgmt_set_next_boot_slot(int slot, bool confirm)
return IMG_MGMT_ERR_IMAGE_SETTING_TEST_TO_ACTIVE_DENIED;
}

#ifndef CONFIG_MCUMGR_GRP_IMG_ALLOW_CONFIRM_NON_ACTIVE_SLOT
if (slot != active_slot && confirm) {
return IMG_MGMT_ERR_IMAGE_CONFIRMATION_DENIED;
}
#endif

return img_mgmt_set_next_boot_slot_common(slot, active_slot, confirm);
}
#endif
Expand Down
Loading