bootutil: fix upgrade issue in swap-move

A previous fix for allowing padded images in the primary slot, ended up
causing an issue that would fail to upgrade under the right
circumstances. The issue was caused when the following set of steps
happened after an upgrade was detected:

1) trailer is erased on the primary slot
2) status is written to the primary slot
3) trailer is erased on the secondary slot
4) reset
1) trailer is erased on the primary slot
2) status partially written or not written to primary slot (no magic)
3) reset

This would result in images stored in the same slots they were
initially, aka no upgrade, which would fail the simulator test for
upgraded images.

The previous padded images fix was reverted and the status source was
upgraded to also check that the secondary slot has a valid magic in it,
so that there's never a circumstance where there is no trailer in any
of the slots while an upgrade operation is being decided on.

Signed-off-by: Fabio Utzig <[email protected]>

Author: utzig

boot/bootutil/src/swap_move.c

@@ -264,6 +264,7 @@ int
 swap_status_source(struct boot_loader_state *state)
 {
     struct boot_swap_state state_primary_slot;
+    struct boot_swap_state state_secondary_slot;
     int rc;
     uint8_t source;
     uint8_t image_index;
@@ -280,8 +281,15 @@ swap_status_source(struct boot_loader_state *state)
 
     BOOT_LOG_SWAP_STATE("Primary image", &state_primary_slot);
 
+    rc = boot_read_swap_state_by_id(FLASH_AREA_IMAGE_SECONDARY(image_index),
+            &state_secondary_slot);
+    assert(rc == 0);
+
+    BOOT_LOG_SWAP_STATE("Secondary image", &state_secondary_slot);
+
     if (state_primary_slot.magic == BOOT_MAGIC_GOOD &&
-            state_primary_slot.copy_done == BOOT_FLAG_UNSET) {
+            state_primary_slot.copy_done == BOOT_FLAG_UNSET &&
+            state_secondary_slot.magic != BOOT_MAGIC_GOOD) {
 
         source = BOOT_STATUS_SOURCE_PRIMARY_SLOT;