boot: bootutil: Fix invalid last sector computation for swap-scratch #2205
+35
−7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The simulator was not performing any test with a configuration where the primary slot is composed of larger sectors than the secondary slot. This can be typically case when using a STM32 with an external flash memory since most STM32 have large internal sectors. This configuration was causing issues when using the swap-scratch upgrade strategy. Signed-off-by: Thomas Altenbach <[email protected]>
At the beginning of a swap-scratch upgrade, the index of the last sector in the primary slot that need to be swapped is computed using the 'find_last_sector_idx' routine. However, if the primary slot is composed of larger sectors than the secondary slots, this routine could return a wrong sector index for the primary slot. The index might even be outside the primary slot, which would lead to (at best) a simple failure of the upgrade and at worst a corruption of the flash memory bricking the device. This commit fixes the issue by ensuring 'find_last_sector_idx' always returns a valid sector index for the primary slot. Signed-off-by: Thomas Altenbach <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
At the beginning of a swap-scratch upgrade, the index of the last sector in the primary slot that needs to be swapped is computed using the
find_last_sector_idxroutine. However, if the primary slot is composed of larger sectors than the secondary slot, this routine could return a wrong sector index for the primary slot. The index might even be outside the primary slot, which would lead to at best a simple failure of the upgrade and at worst a corruption of the flash memory bricking the device.The issue hasn't be detected in the simulator until now since among the tested configurations, none used a primary slot composed of larger sectors than the secondary slot. This MR adds such a configuration, which as expected lead to the tests to fail:
The problem is that, with such a configuration, the
find_last_sector_idxreturns an index of a sector in the secondary slot. This MR fixes that by ensuringfind_last_sector_idxalways returns a valid sector index for the primary slot.