[nrf noup] zephyr: Keep boot preference after reboot

tomchy · tomchy · commit a9f4347e3a26 · 2025-11-17T13:16:01.000+01:00
Add a possibility to keep the boot preference value between device
resets.

Ref: NCSDK-35479

Signed-off-by: Tomasz Chyrowicz &lt;tomasz.chyrowicz@nordicsemi.no&gt;
diff --git a/boot/bootutil/zephyr/src/boot_request_retention.c b/boot/bootutil/zephyr/src/boot_request_retention.c
@@ -14,10 +14,23 @@
 /** Additional memory used by the retention subsystem (2B - prefix, 4B - CRC).*/
 #define BOOT_REQUEST_ENTRY_METADATA_SIZE (2 + 4)
 
+/** Size of the retention area used for copying boot request entries. */
+#define BOOT_REQUEST_RETENTION_SIZE (BOOT_REQUEST_ENTRY_MAX * sizeof(uint8_t))
+
+/** Value indicating that the data in the retention area is valid. */
+#define DATA_VALID_VALUE 1
+
+/** Number of images supported by the bootloader requests. */
+#define BOOT_REQUEST_IMG_NUM 2
+
 BOOT_LOG_MODULE_REGISTER(bootloader_request);
 
 static const struct device *bootloader_request_dev =
 	DEVICE_DT_GET(DT_CHOSEN(nrf_bootloader_request));
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+static const struct device *bootloader_request_backup_dev =
+	DEVICE_DT_GET(DT_CHOSEN(nrf_bootloader_request_backup));
+#endif
 
 enum boot_request_type {
 	/** Invalid request. */
@@ -141,18 +154,190 @@ static int boot_request_entry_find(enum boot_request_type type, boot_request_img
 	return 0;
 }
 
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+static int boot_request_copy(const struct device *dst, const struct device *src)
+{
+	uint8_t buffer[BOOT_REQUEST_RETENTION_SIZE];
+	int rc;
+
+	rc = retention_read(src, 0, buffer, sizeof(buffer));
+	if (rc != 0) {
+		return rc;
+	}
+
+	rc = retention_write(dst, 0, buffer, sizeof(buffer));
+	if (rc != 0) {
+		return rc;
+	}
+
+	return 0;
+}
+
+static bool boot_request_equal(const struct device *dev1, const struct device *dev2)
+{
+	uint8_t buffer1[BOOT_REQUEST_RETENTION_SIZE];
+	uint8_t buffer2[BOOT_REQUEST_RETENTION_SIZE];
+	int rc;
+
+	rc = retention_read(dev1, 0, buffer1, sizeof(buffer1));
+	if (rc != 0) {
+		return false;
+	}
+
+	rc = retention_read(dev2, 0, buffer2, sizeof(buffer2));
+	if (rc != 0) {
+		return false;
+	}
+
+	return (memcmp(buffer1, buffer2, sizeof(buffer1)) == 0);
+}
+
+static bool boot_request_updateable(void)
+{
+	if (retention_is_valid(bootloader_request_dev) != DATA_VALID_VALUE) {
+		if (retention_is_valid(bootloader_request_backup_dev) == DATA_VALID_VALUE) {
+			/* Recover main area from a valid backup. */
+			if (boot_request_copy(bootloader_request_dev,
+					      bootloader_request_backup_dev) != 0) {
+				return false;
+			}
+		} else if (retention_clear(bootloader_request_dev) != 0) {
+			/* Both areas are not valid - clear the main area. */
+			return false;
+		}
+	}
+
+	if (retention_is_valid(bootloader_request_dev) != DATA_VALID_VALUE) {
+		/* Cannot update area if it is still corrupted. */
+		return false;
+	}
+
+	return true;
+}
+#endif /* NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP */
+
+static int boot_request_read(enum boot_request_type type, boot_request_img_t image, uint8_t *value)
+{
+	size_t req_entry;
+	int ret;
+
+	ret = boot_request_entry_find(type, image, &req_entry);
+	if (ret != 0) {
+		return -EINVAL;
+	}
+
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+	if (retention_is_valid(bootloader_request_dev) == DATA_VALID_VALUE) {
+		/* Read from the main area. */
+		ret = retention_read(bootloader_request_dev, req_entry * sizeof(uint8_t),
+				     (void *)value, sizeof(uint8_t));
+	} else if (retention_is_valid(bootloader_request_backup_dev) == DATA_VALID_VALUE) {
+		/* Read from backup area. */
+		ret = retention_read(bootloader_request_backup_dev, req_entry * sizeof(uint8_t),
+				     (void *)value, sizeof(uint8_t));
+	} else {
+		/* Both areas are invalid. */
+		return -EIO;
+	}
+#else
+	ret = retention_read(bootloader_request_dev, req_entry * sizeof(uint8_t), (void *)value,
+			     sizeof(uint8_t));
+#endif
+	return ret;
+}
+
 int boot_request_init(void)
 {
 	if (!device_is_ready(bootloader_request_dev)) {
 		return -EIO;
 	}
 
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+	if (!device_is_ready(bootloader_request_backup_dev)) {
+		return -EIO;
+	}
+
+	/* Both areas must have the same size. */
+	if ((retenstion_size(bootloader_request_dev) != BOOT_REQUEST_RETENTION_SIZE) ||
+	    (retention_size(bootloader_request_backup_dev) != BOOT_REQUEST_RETENTION_SIZE)) {
+		return -EIO;
+	}
+
+	if (retention_is_valid(bootloader_request_dev) == DATA_VALID_VALUE) {
+		if (retention_is_valid(bootloader_request_backup_dev) == DATA_VALID_VALUE) {
+			if (!boot_request_equal(bootloader_request_dev,
+						bootloader_request_backup_dev)) {
+				/* Primary is valid, backup is outdated. */
+				boot_request_copy(bootloader_request_backup_dev,
+						  bootloader_request_dev);
+			} else {
+				/* Both are valid and equal, nothing to do. */
+			}
+		} else {
+			/* Backup is invalid, copy primary to backup. */
+			boot_request_copy(bootloader_request_backup_dev, bootloader_request_dev);
+		}
+	} else {
+		if (retention_is_valid(bootloader_request_backup_dev) == DATA_VALID_VALUE) {
+			/* Primary is invalid, restore from backup. */
+			boot_request_copy(bootloader_request_dev, bootloader_request_backup_dev);
+		} else {
+			/* Both are invalid, clear both. */
+			retention_clear(bootloader_request_dev);
+			retention_clear(bootloader_request_backup_dev);
+		}
+	}
+#endif
+
 	return 0;
 }
 
 int boot_request_clear(void)
 {
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+	uint8_t value = BOOT_REQUEST_SLOT_INVALID;
+	size_t req_entry;
+	int ret;
+	uint8_t image;
+
+	if (retention_is_valid(bootloader_request_backup_dev) == DATA_VALID_VALUE) {
+		/* Erase the main area. */
+		ret = retention_clear(bootloader_request_dev);
+		if (ret != 0) {
+			return ret;
+		}
+
+		/* Set the boot preference, based on the backup data. */
+		for (image = 0; image < BOOT_REQUEST_IMG_NUM; image++) {
+			ret = boot_request_entry_find(BOOT_REQUEST_IMG_PREFERENCE, image,
+						      &req_entry);
+			if (ret != 0) {
+				return ret;
+			}
+
+			ret = retention_read(bootloader_request_backup_dev,
+					     req_entry * sizeof(value), (void *)&value,
+					     sizeof(value));
+			if (ret != 0) {
+				return ret;
+			}
+
+			ret = retention_write(bootloader_request_dev, req_entry * sizeof(value),
+					      (void *)&value, sizeof(value));
+			if (ret != 0) {
+				return ret;
+			}
+		}
+
+		/* Sync backup with the main area. */
+		return boot_request_copy(bootloader_request_backup_dev, bootloader_request_dev);
+	}
+
+	/* Backup is invalid, do not clear the memory to keep at least one valid copy. */
+	return 0;
+#else
 	return retention_clear(bootloader_request_dev);
+#endif
 }
 
 int boot_request_confirm_slot(uint8_t image, enum boot_slot slot)
@@ -161,6 +346,13 @@ int boot_request_confirm_slot(uint8_t image, enum boot_slot slot)
 	size_t req_entry;
 	int ret;
 
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+	if (!boot_request_updateable()) {
+		/* Cannot update area if it is corrupted. */
+		return -EIO;
+	}
+#endif
+
 	ret = boot_request_entry_find(BOOT_REQUEST_IMG_CONFIRM, image, &req_entry);
 	if (ret != 0) {
 		return ret;
@@ -184,16 +376,9 @@ int boot_request_confirm_slot(uint8_t image, enum boot_slot slot)
 bool boot_request_check_confirmed_slot(uint8_t image, enum boot_slot slot)
 {
 	uint8_t value = BOOT_REQUEST_SLOT_INVALID;
-	size_t req_entry;
 	int ret;
 
-	ret = boot_request_entry_find(BOOT_REQUEST_IMG_CONFIRM, image, &req_entry);
-	if (ret != 0) {
-		return false;
-	}
-
-	ret = retention_read(bootloader_request_dev, req_entry * sizeof(value), (void *)&value,
-			     sizeof(value));
+	ret = boot_request_read(BOOT_REQUEST_IMG_CONFIRM, image, &value);
 	if (ret != 0) {
 		return false;
 	}
@@ -216,6 +401,13 @@ int boot_request_set_preferred_slot(uint8_t image, enum boot_slot slot)
 	size_t req_entry;
 	int ret;
 
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+	if (!boot_request_updateable()) {
+		/* Cannot update area if it is corrupted. */
+		return -EIO;
+	}
+#endif
+
 	ret = boot_request_entry_find(BOOT_REQUEST_IMG_PREFERENCE, image, &req_entry);
 	if (ret != 0) {
 		return ret;
@@ -239,16 +431,9 @@ int boot_request_set_preferred_slot(uint8_t image, enum boot_slot slot)
 enum boot_slot boot_request_get_preferred_slot(uint8_t image)
 {
 	uint8_t value = BOOT_REQUEST_SLOT_INVALID;
-	size_t req_entry;
 	int ret;
 
-	ret = boot_request_entry_find(BOOT_REQUEST_IMG_PREFERENCE, image, &req_entry);
-	if (ret != 0) {
-		return BOOT_SLOT_NONE;
-	}
-
-	ret = retention_read(bootloader_request_dev, req_entry * sizeof(value), (void *)&value,
-			     sizeof(value));
+	ret = boot_request_read(BOOT_REQUEST_IMG_PREFERENCE, image, &value);
 	if (ret != 0) {
 		return BOOT_SLOT_NONE;
 	}
@@ -271,6 +456,13 @@ int boot_request_enter_recovery(void)
 	size_t req_entry;
 	int ret;
 
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+	if (!boot_request_updateable()) {
+		/* Cannot update area if it is corrupted. */
+		return -EIO;
+	}
+#endif
+
 	ret = boot_request_entry_find(BOOT_REQUEST_BOOT_MODE, BOOT_REQUEST_IMG_BOOTLOADER,
 				      &req_entry);
 	if (ret != 0) {
@@ -285,17 +477,9 @@ int boot_request_enter_recovery(void)
 bool boot_request_detect_recovery(void)
 {
 	uint8_t value = BOOT_REQUEST_MODE_INVALID;
-	size_t req_entry;
 	int ret;
 
-	ret = boot_request_entry_find(BOOT_REQUEST_BOOT_MODE, BOOT_REQUEST_IMG_BOOTLOADER,
-				      &req_entry);
-	if (ret != 0) {
-		return false;
-	}
-
-	ret = retention_read(bootloader_request_dev, req_entry * sizeof(value), (void *)&value,
-			     sizeof(value));
+	ret = boot_request_read(BOOT_REQUEST_BOOT_MODE, BOOT_REQUEST_IMG_BOOTLOADER, &value);
 	if ((ret == 0) && (value == BOOT_REQUEST_MODE_RECOVERY)) {
 		return true;
 	}
@@ -310,6 +494,13 @@ int boot_request_enter_firmware_loader(void)
 	size_t req_entry;
 	int ret;
 
+#ifdef NRF_MCUBOOT_BOOT_REQUEST_PREFERENCE_KEEP
+	if (!boot_request_updateable()) {
+		/* Cannot update area if it is corrupted. */
+		return -EIO;
+	}
+#endif
+
 	ret = boot_request_entry_find(BOOT_REQUEST_BOOT_MODE, BOOT_REQUEST_IMG_BOOTLOADER,
 				      &req_entry);
 	if (ret != 0) {
@@ -324,17 +515,9 @@ int boot_request_enter_firmware_loader(void)
 bool boot_request_detect_firmware_loader(void)
 {
 	uint8_t value = BOOT_REQUEST_MODE_INVALID;
-	size_t req_entry;
 	int ret;
 
-	ret = boot_request_entry_find(BOOT_REQUEST_BOOT_MODE, BOOT_REQUEST_IMG_BOOTLOADER,
-				      &req_entry);
-	if (ret != 0) {
-		return false;
-	}
-
-	ret = retention_read(bootloader_request_dev, req_entry * sizeof(value), (void *)&value,
-			     sizeof(value));
+	ret = boot_request_read(BOOT_REQUEST_BOOT_MODE, BOOT_REQUEST_IMG_BOOTLOADER, &value);
 	if ((ret == 0) && (value == BOOT_REQUEST_MODE_FIRMWARE_LOADER)) {
 		return true;
 	}
