Description
Issue
Currently, if MCUboot fails to access any flash slots, it treats this as a critical failure and does not proceed to boot any image, resulting in a boot panic or halt. This behaviour can cause unnecessary device outages if only the secondary slot is inaccessible, but the primary slot and its image are still healthy.
Expected Behaviour
If the secondary slot is inaccessible (e.g., due to flash failure, bad connection, or hardware issue), but the primary slot is accessible and contains a valid image, MCUboot should still proceed to boot the primary image to keep the device running. The device should only halt/panic if the primary slot is also inaccessible or missing a valid image.
Actual Behaviour
MCUboot currently halts or panics on flash access/open failure, even if the primary slot is working.
Impact
- Devices could become unrecoverable due to secondary slot issues, even though the primary image is fine.
- This reduces device robustness and could lead to unnecessary field failures.
Request
Please provide your thoughts and guidance on how to implement a solution for this scenario. Additionally, what edge cases or system states should be considered to ensure robust and safe behaviour if only the secondary slot is inaccessible? Your feedback on possible approaches, risks, and required MCUboot changes would be greatly appreciated.
References
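A model of the fallback policy the issue asks for, added here as an illustration; it is not MCUboot's own code and does not use MCUboot's API. `sim_slot`, `slot_open`, `image_valid`, `boot_select`, the header magic and the checksum are all invented stand-ins for MCUboot's flash-area and image-validation code. The point it demonstrates is the decision order: open and validate the primary slot first, treat a secondary-slot open failure as "no upgrade possible this boot" rather than as fatal, and still refuse to boot a primary image that fails validation, so the degraded path never weakens the image check.

```c
/* Hypothetical boot-slot policy model (invented names, not MCUboot code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_MAGIC 0x96f3b83dU   /* constructed header magic for this model */
#define SLOT_SIZE   64            /* constructed slot size, bytes */

/* A simulated flash slot; 'fail_open' injects an inaccessible-flash fault. */
struct sim_slot {
    const char *name;
    bool        fail_open;
    uint8_t     data[SLOT_SIZE];
};

/* Stand-in for opening a flash area: 0 on success, -1 if the slot cannot be accessed. */
static int slot_open(const struct sim_slot *s) {
    return s->fail_open ? -1 : 0;
}

/* Stand-in for image validation: header magic plus an XOR checksum over the
 * payload, stored in the last byte. A real bootloader verifies a signature here. */
static bool image_valid(const struct sim_slot *s) {
    uint32_t magic;
    memcpy(&magic, s->data, sizeof magic);
    if (magic != IMAGE_MAGIC) return false;
    uint8_t sum = 0;
    for (size_t i = sizeof magic; i < SLOT_SIZE - 1; i++) sum ^= s->data[i];
    return sum == s->data[SLOT_SIZE - 1];
}

enum boot_decision { BOOT_PANIC = 0, BOOT_PRIMARY = 1 };

struct boot_result {
    enum boot_decision decision;
    bool upgrade_available;   /* false whenever the secondary slot is unusable */
};

/* Policy from the issue: boot the primary whenever it opens and validates;
 * a secondary-slot failure only disables the upgrade path for this boot. */
static struct boot_result boot_select(const struct sim_slot *primary,
                                      const struct sim_slot *secondary) {
    struct boot_result r = { BOOT_PANIC, false };

    if (slot_open(primary) != 0) {
        fprintf(stderr, "%s: cannot open slot, nothing to boot\n", primary->name);
        return r;
    }
    if (!image_valid(primary)) {
        fprintf(stderr, "%s: image failed validation, refusing to boot\n", primary->name);
        return r;
    }
    r.decision = BOOT_PRIMARY;

    if (slot_open(secondary) != 0) {
        /* Degraded mode: run the known-good primary, skip all upgrade logic. */
        fprintf(stderr, "%s: cannot open slot, booting primary without upgrade check\n",
                secondary->name);
        return r;
    }
    r.upgrade_available = image_valid(secondary);
    return r;
}

/* Build constructed slot contents that pass image_valid(). */
static void fill_valid_image(struct sim_slot *s, uint8_t payload_byte) {
    uint32_t magic = IMAGE_MAGIC;
    memset(s->data, payload_byte, SLOT_SIZE);
    memcpy(s->data, &magic, sizeof magic);
    uint8_t sum = 0;
    for (size_t i = sizeof magic; i < SLOT_SIZE - 1; i++) sum ^= s->data[i];
    s->data[SLOT_SIZE - 1] = sum;
}

/* Run one scenario; returns -1 = panic, 0 = boot primary (no upgrade),
 * 1 = boot primary with a usable secondary image. */
static int run_scenario(bool primary_open_fails, bool primary_image_ok,
                        bool secondary_open_fails, bool secondary_image_ok) {
    struct sim_slot primary   = { "primary",   primary_open_fails,   {0} };
    struct sim_slot secondary = { "secondary", secondary_open_fails, {0} };
    if (primary_image_ok)   fill_valid_image(&primary, 0xAA);
    if (secondary_image_ok) fill_valid_image(&secondary, 0x55);
    struct boot_result r = boot_select(&primary, &secondary);
    if (r.decision == BOOT_PANIC) return -1;
    return r.upgrade_available ? 1 : 0;
}

int main(void) {
    /* The case from the issue: healthy primary, secondary flash unreadable. */
    printf("secondary unreadable -> %d\n", run_scenario(false, true, true, false));
    /* Cases that must still halt: primary unreadable, or primary fails validation. */
    printf("primary unreadable   -> %d\n", run_scenario(true, true, false, true));
    printf("primary invalid      -> %d\n", run_scenario(false, false, false, true));
    return 0;
}
```

The ordering matters for safety: the primary is validated before the secondary is even opened, so an unreadable secondary can never cause the validation step to be skipped, and an unreadable primary is reported as a halt regardless of the secondary's state. One edge case the model deliberately does not cover, because the issue does not specify it, is a swap already in progress when the secondary becomes unreadable; any real change would need a policy for that state as well.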