[nrf noup] loader: Handle encrypted MCUboot updates

tomchy · tomchy · commit 0aefce20c382 · 2026-06-03T11:15:35.000+02:00
Use either load_address from the image header or the UUID identification
to detect an encrypted MCUboot update candidate image.

Ref: NCSDK-35089

Signed-off-by: Tomasz Chyrowicz &lt;tomasz.chyrowicz@nordicsemi.no&gt;
diff --git a/boot/bootutil/include/bootutil/mcuboot_uuid.h b/boot/bootutil/include/bootutil/mcuboot_uuid.h
@@ -57,6 +57,21 @@ fih_ret boot_uuid_vid_match(const struct flash_area *fap, const struct image_uui
  */
 fih_ret boot_uuid_cid_match(const struct flash_area *fap, const struct image_uuid *uuid_cid);
 
+/**
+ * @brief Find the image index and partition index for a given class ID and vendor ID.
+ *
+ * @param[in]  cid              The class ID to search for.
+ * @param[in]  vid              The vendor ID to search for.
+ * @param[out] image_index      The index of the image found.
+ * @param[out] partition_index  The index of the partition found.
+ *
+ * @retval 0 on success,
+ * @retval -EINVAL if the input parameters are invalid.
+ * @retval -ENOENT if the image or partition is not found.
+ */
+int boot_uuid_find_image(const struct image_uuid *cid, const struct image_uuid *vid,
+			 size_t *image_index, size_t *partition_index);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
@@ -92,6 +92,18 @@ int pcd_version_cmp_net(const struct flash_area *fap, struct image_header *hdr);
 #include <load_ironside_se_conf.h>
 #endif
 
+#if defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID)
+#include "bootutil/mcuboot_uuid.h"
+
+#ifdef SECOND_STAGE_MCUBOOT_RUNNING_FROM_S0
+#define MCUBOOT_INACTIVE_PARTITION_INDEX 1
+#define MCUBOOT_ACTIVE_PARTITION_INDEX 0
+#else
+#define MCUBOOT_INACTIVE_PARTITION_INDEX 0
+#define MCUBOOT_ACTIVE_PARTITION_INDEX 1
+#endif
+#endif
+
 #ifdef CONFIG_SOC_EARLY_RESET_HOOK
 void s2ram_designate_slot(uint8_t slot);
 #endif
@@ -1024,6 +1036,56 @@ static inline void sec_slot_cleanup_if_unusable(void)
 #endif /* defined(CONFIG_MCUBOOT_CLEANUP_UNUSABLE_SECONDARY) &&\
           defined(MCUBOOT_IS_SECOND_STAGE) || defined(CONFIG_SOC_NRF5340_CPUAPP) */
 
+#ifdef CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID
+/**
+ * Read the image UUID from the TLV.
+ *
+ * @param[in]  fap       Pointer to the flash area structure.
+ * @param[in]  hdr       Pointer to the image header structure.
+ * @param[in]  tlv_type  The type of the TLV to read.
+ * @param[out] uuid      Pointer to the image UUID structure.
+ *
+ * @return 0       on success,
+ * @retval -EINVAL if the input parameters are invalid.
+ * @retval -EIO    if the TLV cannot be read.
+ * @retval -ENOENT if the TLV cannot be found.
+ */
+int read_image_uuid_tlv(const struct flash_area *fap,
+			            const struct image_header *hdr,
+			            uint16_t tlv_type,
+			            struct image_uuid *uuid)
+{
+	struct image_tlv_iter it;
+	uint32_t off;
+	uint16_t len;
+	int rc;
+
+	if ((fap == NULL) || (hdr == NULL) || (uuid == NULL)) {
+		return -EINVAL;
+	}
+
+	rc = bootutil_tlv_iter_begin(&it, hdr, fap, tlv_type, false);
+	if (rc != 0) {
+		return -ENOENT;
+	}
+
+	rc = bootutil_tlv_iter_next(&it, &off, &len, NULL);
+	if (rc != 0) {
+		return -ENOENT;
+	}
+
+	if (len != sizeof(uuid->raw)) {
+		return -EINVAL;
+	}
+
+	if (flash_area_read(fap, off, uuid->raw, len) != 0) {
+		return -EIO;
+	}
+
+	return 0;
+}
+#endif /* CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID */
+
 /**
  * Determines which swap operation to perform, if any.  If it is determined
  * that a swap operation is required, the image in the secondary slot is checked
@@ -1038,12 +1100,25 @@ boot_validated_swap_type(struct boot_loader_state *state,
 {
     int swap_type;
     FIH_DECLARE(fih_rc, FIH_FAILURE);
+#if CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 \
+    && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) && defined(CONFIG_PCD_APP)
     bool upgrade_valid = false;
+#endif
 
 #if defined(MCUBOOT_IS_SECOND_STAGE) || CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
     const struct flash_area *secondary_fa = BOOT_IMG_AREA(state, BOOT_SLOT_SECONDARY);
     struct image_header *hdr = boot_img_hdr(state, BOOT_SLOT_SECONDARY);
+#if defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_LOAD_ADDRESS) || \
+    defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_RESET_VECTOR)
     uint32_t internal_img_addr = 0;
+#elif defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID)
+    struct image_uuid img_uuid_cid;
+#ifdef MCUBOOT_UUID_VID
+    struct image_uuid img_uuid_vid;
+#endif
+    size_t target_image = 0;
+    size_t target_partition = 0;
+#endif
     int rc = 0;
     /* Patch needed for NCS. Since image 0 (the app) and image 1 (the other
      * B1 slot S0 or S1) share the same secondary slot, we need to check
@@ -1055,8 +1130,10 @@ boot_validated_swap_type(struct boot_loader_state *state,
      */
     NSIB_OWNED_UNSET(BOOT_CURR_IMG(state));
 
+#if defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_LOAD_ADDRESS) || \
+    defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_RESET_VECTOR)
     if (hdr->ih_magic == IMAGE_MAGIC) {
-#ifdef MCUBOOT_CHECK_HEADER_LOAD_ADDRESS
+#ifdef CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_LOAD_ADDRESS
         internal_img_addr = hdr->ih_load_addr;
 #else
         rc = flash_area_read(secondary_fa, hdr->ih_hdr_size + RESET_OFFSET,
@@ -1124,7 +1201,62 @@ boot_validated_swap_type(struct boot_loader_state *state,
         sec_slot_mark_assigned(state);
     }
 
-#endif /* MCUBOOT_IS_SECOND_STAGE || CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 */
+#elif defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID)
+    if (hdr->ih_magic == IMAGE_MAGIC) {
+        rc = read_image_uuid_tlv(secondary_fa, hdr, IMAGE_TLV_UUID_CID, &img_uuid_cid);
+        if (rc != 0) {
+            return BOOT_SWAP_TYPE_NONE;
+        }
+#ifdef MCUBOOT_UUID_VID
+        rc = read_image_uuid_tlv(secondary_fa, hdr, IMAGE_TLV_UUID_VID, &img_uuid_vid);
+        if (rc != 0) {
+            return BOOT_SWAP_TYPE_NONE;
+        }
+#endif
+
+        sec_slot_touch(state);
+
+        rc = boot_uuid_find_image(&img_uuid_cid,
+#ifdef MCUBOOT_UUID_VID
+                                  &img_uuid_vid,
+#else
+                                  NULL,
+#endif
+                                  &target_image, &target_partition);
+        if (rc != 0) {
+            /* Unable to find a matching image index. */
+            BOOT_LOG_ERR("Image in slot does not match any known UUID");
+            flash_area_erase(secondary_fa, 0, secondary_fa->fa_size);
+            sec_slot_untouch(state);
+            BOOT_LOG_ERR("Cleaned-up secondary slot of image %d", BOOT_CURR_IMG(state));
+            return BOOT_SWAP_TYPE_FAIL;
+        }
+
+        if (target_image == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) {
+            /* This is a valid network core update candidate. */
+#ifdef  MCUBOOT_IS_SECOND_STAGE
+        } else if ((target_image == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) &&
+                   (target_partition == MCUBOOT_INACTIVE_PARTITION_INDEX)) {
+            /* This is a valid MCUboot update candidate. */
+            NSIB_OWNED_SET(BOOT_CURR_IMG(state));
+        } else if ((target_image == CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER) &&
+                   (target_partition == MCUBOOT_ACTIVE_PARTITION_INDEX)) {
+            /* NSIB upgrade but for the wrong slot, must be erased */
+            BOOT_LOG_ERR("Image in slot is for wrong s0/s1 image");
+            flash_area_erase(secondary_fa, 0, secondary_fa->fa_size);
+            sec_slot_untouch(state);
+            BOOT_LOG_ERR("Cleaned-up secondary slot of image %d", BOOT_CURR_IMG(state));
+            return BOOT_SWAP_TYPE_FAIL;
+#endif /* MCUBOOT_IS_SECOND_STAGE */
+        } else {
+            /* The image in the secondary slot is not intended for any */
+            return BOOT_SWAP_TYPE_NONE;
+        }
+
+        sec_slot_mark_assigned(state);
+    }
+#endif /* CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID */
+#endif /* defined(MCUBOOT_IS_SECOND_STAGE) || CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 */
 
     swap_type = boot_swap_type_multi(BOOT_CURR_IMG(state));
     if (BOOT_IS_UPGRADE(swap_type)) {
@@ -1138,8 +1270,11 @@ boot_validated_swap_type(struct boot_loader_state *state,
             } else {
                 swap_type = BOOT_SWAP_TYPE_FAIL;
             }
+#if CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 \
+    && !defined(CONFIG_NRF53_MULTI_IMAGE_UPDATE) && defined(CONFIG_PCD_APP)
         } else {
             upgrade_valid = true;
+#endif
         }
 
 #if CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 \
@@ -1148,8 +1283,17 @@ boot_validated_swap_type(struct boot_loader_state *state,
          * update and indicate to the caller of this function that no update is
          * available
          */
-        if (upgrade_valid && internal_img_addr >= NETCPU_APP_SLOT_OFFSET &&
-            internal_img_addr < NETCPU_APP_SLOT_END) {
+        if (upgrade_valid
+#if defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_LOAD_ADDRESS) || \
+    defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_RESET_VECTOR)
+            && (internal_img_addr >= NETCPU_APP_SLOT_OFFSET)
+            && (internal_img_addr < NETCPU_APP_SLOT_END)
+#elif defined(CONFIG_NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID)
+            && (target_image == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER)
+#else
+#error Unable to detect radio image update candidate.
+#endif
+            ) {
             struct image_header *hdr = (struct image_header *)secondary_fa->fa_off;
             uint32_t vtable_addr = (uint32_t)hdr + hdr->ih_hdr_size;
             uint32_t *net_core_fw_addr = (uint32_t *)(vtable_addr);
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -1538,6 +1538,36 @@ config NCS_MCUBOOT_IMG_VALIDATE_ATTEMPT_WAIT_MS
 	  Time between image validation attempts, in milliseconds.
 	  Allows for recovery from transient bit flips or similar situations.
 
+choice NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE
+	prompt "Secondary slot image resolve method"
+	depends on MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
+	default NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID if MCUBOOT_UUID_CID
+	default NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_LOAD_ADDRESS if MCUBOOT_CHECK_HEADER_LOAD_ADDRESS
+	default NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_RESET_VECTOR
+
+config NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_RESET_VECTOR
+	bool "Reset vector"
+	help
+	  The bootloader will use the reset vector, read from image, to assign image for a given
+	  secondary slot.
+	  This is the default behavior.
+
+config NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_LOAD_ADDRESS
+	bool "Load address"
+	depends on MCUBOOT_CHECK_HEADER_LOAD_ADDRESS
+	help
+	  The bootloader will use the load address, from the image header,
+	  to assign image for a given secondary slot.
+
+config NCS_MCUBOOT_SECONDARY_SLOT_IMAGE_RESOLVE_UUID
+	bool "Class ID (and Vendor ID if enabled) UUIDs"
+	depends on MCUBOOT_UUID_CID
+	help
+	  The bootloader will use the Class ID and Vendor ID UUIDs, read from image, to assign
+	  image for a given secondary slot.
+
+endchoice
+
 config PM_APP_ALIGNMENT
 	hex
 	default 0x1000 if SOC_SERIES_NRF54L
diff --git a/boot/zephyr/uuid/uuid.c b/boot/zephyr/uuid/uuid.c
@@ -14,15 +14,29 @@ static bool boot_uuid_compare(const struct image_uuid *uuid1, const struct image
 		return false;
 	}
 
-	return memcmp(uuid1->raw, uuid2->raw, ARRAY_SIZE(uuid1->raw)) == 0;
+	return memcmp(uuid1->raw, uuid2->raw, sizeof(uuid1->raw)) == 0;
 }
 
-fih_ret boot_uuid_init(void)
+#ifdef CONFIG_MCUBOOT_UUID_VID
+static bool vid_matches_map_entry(const struct image_uuid *vid, const struct uuid_map_entry *entry)
 {
-	FIH_RET(FIH_SUCCESS);
+	const struct uuid_map_entry *vid_map = NULL;
+	size_t n_entries = boot_uuid_vid_map_get(&vid_map);
+
+	if (vid == NULL) {
+		return false;
+	}
+
+	for (size_t i = 0; i < n_entries; i++) {
+		if ((vid_map[i].dev == entry->dev) && (vid_map[i].off == entry->off) &&
+		    (vid_map[i].size == entry->size) && boot_uuid_compare(vid, &vid_map[i].uuid)) {
+			return true;
+		}
+	}
+
+	return false;
 }
 
-#ifdef CONFIG_MCUBOOT_UUID_VID
 fih_ret boot_uuid_vid_match(const struct flash_area *fap, const struct image_uuid *uuid_vid)
 {
 	const struct uuid_map_entry *map = NULL;
@@ -82,4 +96,50 @@ fih_ret boot_uuid_cid_match(const struct flash_area *fap, const struct image_uui
 
 	FIH_RET(FIH_FAILURE);
 }
+
+int boot_uuid_find_image(const struct image_uuid *cid, const struct image_uuid *vid,
+			 size_t *image_index, size_t *partition_index)
+{
+	const struct uuid_map_entry *cid_map = NULL;
+	size_t n_entries;
+
+	if ((cid == NULL) || (image_index == NULL) || (partition_index == NULL)) {
+		return -EINVAL;
+	}
+
+#ifdef MCUBOOT_UUID_VID
+	if (vid == NULL) {
+		return -EINVAL;
+	}
+#endif
+
+	n_entries = boot_uuid_cid_map_get(&cid_map);
+	if ((n_entries == 0) || (cid_map == NULL)) {
+		return -ENOENT;
+	}
+
+	for (size_t i = 0; i < n_entries; i++) {
+		if (!boot_uuid_compare(cid, &cid_map[i].uuid)) {
+			continue;
+		}
+
+#ifdef MCUBOOT_UUID_VID
+		if (!vid_matches_map_entry(vid, &cid_map[i])) {
+			continue;
+		}
+#endif
+
+		*image_index = cid_map[i].image_index;
+		*partition_index = cid_map[i].partition_index;
+
+		return 0;
+	}
+
+	return -ENOENT;
+}
 #endif /* CONFIG_MCUBOOT_UUID_CID */
+
+fih_ret boot_uuid_init(void)
+{
+	FIH_RET(FIH_SUCCESS);
+}
