[nrf noup] boot/bootutil/loader: image discovery by ih_load_address#461
nvlsianpu wants to merge 405 commits into
force-pushed dda8a3b to db3fe90
Pull Request Overview
Adds a configuration option to use the image header’s load address for slot discovery instead of the reset handler address.
- Introduce `MCUBOOT_USE_CHECK_LOAD_ADDR` Kconfig option and adjust dependencies for `MCUBOOT_VERIFY_IMG_ADDRESS`
- Refactor `boot_validate_slot` and `boot_validated_swap_type` to read `ih_load_addr` when enabled
- Define new `IS_IN_RANGE_*` macros for address range checks
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| boot/zephyr/Kconfig | Add new config MCUBOOT_USE_CHECK_LOAD_ADDR and update dependencies |
| boot/bootutil/src/loader.c | Conditional read of ih_load_addr, macro definitions, and slot validation updates |
Comments suppressed due to low confidence (3)
boot/bootutil/src/loader.c:1264
- Mismatched `#ifdef`/`#else` guards: this `#else` does not match the preceding `#ifdef CONFIG_MCUBOOT_USE_CHECK_LOAD_ADDR` correctly and will break compilation.
#else /* BOOT_USE_CHECK_LOAD_ADDR */
boot/bootutil/src/loader.c:1522
- Extra closing parenthesis in macro definition leads to a syntax error; remove the surplus `)` at the end.
#define IS_IN_RANGE_CPUNET_APP_ADDR(_addr) ((_addr) >= PM_CPUNET_APP_ADDRESS && (_addr) < PM_CPUNET_APP_END_ADDRESS))
boot/bootutil/src/loader.c:1595
- The `IS_IN_RANGE_S_VARIANT_ADDR` macro expects two parameters but is invoked with one; use `IS_IN_RANGE_S_ALTERNATE_ADDR` or `IS_IN_RANGE_S_CURRENT_ADDR` instead.
if (IS_IN_RANGE_S_VARIANT_ADDR(internal_img_addr)) {
| If y, the bootloader will use the load address form image header | ||
| for checking to which slot image belongs instead of usage of reset | ||
| handler addres reading form the image. |
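Review bot: the help text does not tell the user that this only works for images that carry a load address, i.e. images signed with `imgtool.py sign --rom-fixed <partition_address>` as the PR description says, nor what the check does with an image that has no load address set. Add a sentence stating the signing requirement and the behaviour for images without one, so the option is not enabled against a fleet of update images that were signed without `--rom-fixed`.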
[nitpick] Typo in help text: replace “form image header” with “from image header” and correct “addres” to “address”.
| If y, the bootloader will use the load address form image header | |
| for checking to which slot image belongs instead of usage of reset | |
| handler addres reading form the image. | |
| If y, the bootloader will use the load address from image header | |
| for checking to which slot image belongs instead of usage of reset | |
| handler address reading from the image. |
force-pushed db3fe90 to 2fb0029
force-pushed 2fb0029 to 5155061
nordicjm left a comment
add nrf-squash! [nrf noup] treewide: Add support for sysbuild assigned images to commit message
| struct image_header *secondary_hdr = boot_img_hdr(state, slot); | ||
| uint32_t reset_value = 0; | ||
| uint32_t reset_addr = secondary_hdr->ih_hdr_size + sizeof(reset_value); | ||
| uint32_t internal_img_addr = 0; /* either the reset handler addres or the image beginning addres */ |
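Review bot: typo "addres" (twice) in the new comment on `internal_img_addr`. The same line also makes the naming confusing: `reset_addr` is the offset of the reset vector inside the slot (`ih_hdr_size + sizeof(reset_value)`), while `internal_img_addr` is an absolute address; renaming the former to something like `reset_vector_off` would keep the two from being mixed up in the range checks below.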
| bool | ||
| config MCUBOOT_USE_CHECK_LOAD_ADDR | ||
| bool "use check of load address" |
| bool "use check of load address" | |
| bool "Use check of load address" |
if we're adding to all new images, do we want to default y this? Or I guess not right away so other things e.g. qspi xip can be updated
| #define IS_IN_RANGE_CPUNET_APP_ADDR(_addr) ((_addr) >= PM_CPUNET_APP_ADDRESS && (_addr) < PM_CPUNET_APP_END_ADDRESS) | ||
| #define _IS_IN_RANGE_S_VARIANT_ADDR(_addr, x) ((_addr) >= PM_S##x_ADDRESS && (_addr) <= (PM_S##x_ADDRESS + PM_S##x_SIZE)) | ||
| #if (CONFIG_NCS_IS_VARIANT_IMAGE) |
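Review bot: the two range macros disagree on the upper bound. `IS_IN_RANGE_CPUNET_APP_ADDR` uses `(_addr) < PM_CPUNET_APP_END_ADDRESS` (half-open), while `_IS_IN_RANGE_S_VARIANT_ADDR` uses `(_addr) <= (PM_S##x_ADDRESS + PM_S##x_SIZE)`, which accepts the first byte past the end of the S0/S1 partition, i.e. the start of whatever partition follows it. Use `<` in both so an address exactly at a partition end is never treated as belonging to that partition.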
force-pushed 5155061 to aa627f8
force-pushed aa627f8 to 900c495
force-pushed 566d3f3 to e1d9d3f
Applications need special support in the bootloader in order to resume from suspend to RAM. MCUboot is the immediate actor which redirects execution to the application (application reset vector) when a wake-up from S2RAM is detected. Detection is based on HW (NRF_RESETINFO) and hardened using an additional check over an independent source of truth (a variable with a magic value). Thanks to the above, the application resumes using its own routines, instead of mocking that with routines compiled into MCUboot. The implementation is able to support only MCUboot modes with a swap. Direct-XIP is not handled as it requires a way to recognize the active application slot at run time. Signed-off-by: Karol Lasończyk <karol.lasonczyk@nordicsemi.no> Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no> Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Added a configuration which pre-configures MCUboot so it is able to support resuming the App from S2RAM by the application itself. Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Previously, reopening a PR did not reopen the manifest PR. This commit enables reopening the manifest PR in such a case. Signed-off-by: Kari Hamalainen <kari.hamalainen@nordicsemi.no>
This reverts commit d0796dc. Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
This reverts commit c390295. Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
This reverts commit b26db4d. Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Fixes a missing array bug. Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no> (cherry picked from commit 5e1be19)
force-pushed bd80231 to e4fd441
Fix an uninitialized variable warning as well as a compile-time issue when slotted dependencies are enabled. Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no> (cherry picked from commit 9ca0881)
nrf-squash! [nrf noup] bootloader: Add bootloader requests Fix a warning for an uninitialized variable. Ref: NCSDK-35733 Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no>
If a device uses RESETINFO, then there are some bits set in the resetinfo, even for reboots, that should allow interpreting it and entering device recovery. That way it is possible to recover a device through serial recovery if the main application resets due to, e.g., a watchdog. Signed-off-by: Tomasz Chyrowicz <tomasz.chyrowicz@nordicsemi.no> (cherry picked from commit cc98529)
force-pushed e4fd441 to 3b21cec
Added direct-xip support: * new API for marking the active slot to be used by boot_go() routines. * jump vector assignment based on the above designation. Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Added a call which designates the active slot so MCUboot can jump to the proper slot when the CPU is resuming from S2RAM. Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
nrf-squash! [nrf noup] bootutil: Add support for KMU stored ED25519 signature key Will instead use the immutable bootloader key slot IDs if b0 is not enabled; adds a Kconfig which can be used to fall back to the previous slot IDs for previously deployed bootloaders. Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
force-pushed 6460f21 to 4752c56
nrf-squash! [nrf noup] boot/zephyr: nRF54h20 resume from S2RAM (hardened) CONFIG_ARM_SOC_START_HOOK=y allows reworking the resume-from-S2RAM code to work without PM_S2RAM mocking. It allows implementing only what is really needed from the MCUboot perspective. Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
nrf-squash! [nrf noup] boot/zephyr/socs: nrf54h20 prj.conf for S2RAM Updated in order to use the optimized configuration. Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
force-pushed 0f013f2 to d91e83e
nrf-squash! [nrf noup] treewide: Add support for sysbuild assigned images Introduce an alternative procedure for detecting to which partition an image candidate belongs. This method uses the ih_load_address field of the image header instead of the reset vector address. This allows matching an incoming image to the partition even when it is, for instance, encrypted, as the image header is always plaintext. This new procedure can be enabled using CONFIG_MCUBOOT_CHECK_HEADER_LOAD_ADDRES =y. Firmware needs to be signed with the imgtool.py sign --rom-fixed <partition_address> parameter. ref.: NCSIDB-1173 Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
force-pushed d91e83e to 6435279
| */ | ||
| #ifdef PM_CPUNET_APP_ADDRESS | ||
| if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) { | ||
| check_addresses = true; | ||
| } else | ||
| #endif | ||
| } | ||
| #endif /* CHECK_MCUBOOT_IMAGE */ | ||
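Review bot: the `} else` left dangling right before `#endif` (closing the `#ifdef PM_CPUNET_APP_ADDRESS` block around the `CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER` branch) depends on whatever the preprocessor emits next being the statement that becomes the else body. That is easy to break the moment another conditional block is inserted between them, and it is hard to read. Prefer independent `if` blocks that each set `check_addresses`, or keep the whole `if`/`else if` chain inside one `#if`/`#elif` structure, instead of chaining `else` across a preprocessor boundary.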
| #if CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER != -1 |
there is always an app update image
| #endif | ||
| check_addresses = true; | ||
| } | ||
| #endif |
| #else | ||
| min_addr = pri_fa->fa_off; | ||
| max_addr = pri_fa->fa_off + pri_fa->fa_size; | ||
| #if CHECK_MCUBOOT_IMAGE == 1 | ||
| min_addr = MIN(min_addr, NCS_VARIANT_SLOT_MIN_ADDR); | ||
| max_addr = MAX(max_addr, NCS_VARIANT_SLOT_MAX_ADDR); |
this seems to present an unintended side effect: an image that spans across both the s0/s1 and the application partitions would pass this validation
| BOOT_LOG_ERR("Cleaned-up secondary slot of image %d", BOOT_CURR_IMG(state)); | ||
| return BOOT_SWAP_TYPE_FAIL; | ||
| } else if (reset_addr < primary_fa->fa_off || reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { | ||
| } else if (!IS_IN_RANGE_IMAGE_ADDR(internal_img_addr, primary_fa)) { |
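Review bot: the condition being replaced rejected only `reset_addr > (primary_fa->fa_off + primary_fa->fa_size)`, i.e. it accepted an address equal to the end of the primary slot, which is the first byte of the next partition. Make sure `IS_IN_RANGE_IMAGE_ADDR` is half-open (`< fa_off + fa_size`), consistent with `IS_IN_RANGE_CPUNET_APP_ADDR`, and not `<=` as the S-variant macro in this change uses; otherwise an image whose `ih_load_addr` points at the start of the neighbouring partition is still treated as belonging to the primary slot.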
what happens if the primary and secondary slots are located in e.g. SPI or QSPI? This is how QSPI XIP split image support works and an upcoming extra DFU slot system will work
We hit this exact issue on nRF54L15 with NCS v3.2.4 — NSIB (b0) + MCUboot + ECIES-X25519 image encryption + OTA via BLE SMP. With Our local workaround checks
This works but is a heuristic. The
closed in favour of #679



Introduce an alternative procedure for detecting to which partition
an image candidate belongs. This method uses the ih_load_address field of the
image header instead of the reset vector address. This allows matching an
incoming image to its partition even when it is, for instance, encrypted,
as the image header is always plaintext.
This new procedure can be enabled using
CONFIG_MCUBOOT_USE_CHECK_LOAD_ADDR=y. Firmware needs to be signed with the
imgtool.py sign --rom-fixed <partition_address> parameter.
ref.: NCSIDB-1173
manifest-pr-skip
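To make the difference between the two discovery methods concrete, here is an added example in C. It is not MCUboot or NCS code and is not part of this PR. It assumes the header layout and flag values of MCUboot's `bootutil/image.h` (`IMAGE_MAGIC`, `IMAGE_F_ROM_FIXED`, `IMAGE_F_ENCRYPTED_AES128`), a hypothetical three-slot map, a 32-byte header instead of Zephyr's usual 0x200, and a byte-wise XOR as a stand-in for the real AES-CTR payload encryption; the `SLOTS` table, `build_image()`, `discover_slot()` and `demo_discover()` are all constructed for the example. `demo_discover()` builds a candidate signed for the primary slot (the equivalent of `--rom-fixed <primary_address>`), optionally encrypted, and runs both discovery methods over it: reading the reset vector only works while the body is plaintext, whereas `ih_load_addr` comes from the always-plaintext header and works in both cases, but only when the image actually carries `IMAGE_F_ROM_FIXED`.

```c
/* Added example (not MCUboot/NCS code): slot discovery by ih_load_addr vs. by reset vector.
 * Header layout and flag values follow MCUboot's bootutil/image.h; all else is constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IMAGE_MAGIC              0x96f3b83dU
#define IMAGE_F_ENCRYPTED_AES128 0x00000004U
#define IMAGE_F_ROM_FIXED        0x00000100U   /* written by `imgtool.py sign --rom-fixed <addr>` */

struct image_header {                       /* leading fields of the 32-byte header, LE on flash */
    uint32_t ih_magic, ih_load_addr;        /* ih_load_addr: flash address the image was built for */
    uint16_t ih_hdr_size, ih_protect_tlv_size;
    uint32_t ih_img_size, ih_flags;
};
struct flash_area { int fa_id; uint32_t fa_off; uint32_t fa_size; };

/* Hypothetical slot map (not a real nRF partition layout). */
static const struct flash_area SLOTS[] = {
    { 0, 0x00010000U, 0x00070000U },        /* application primary   */
    { 1, 0x00080000U, 0x00070000U },        /* application secondary */
    { 2, 0x01008000U, 0x00038000U },        /* network-core image    */
};
#define NSLOTS (sizeof(SLOTS) / sizeof(SLOTS[0]))
/* Half-open range check: the partition end address itself is outside the partition. */
#define IS_IN_RANGE_IMAGE_ADDR(_addr, _fa) \
    ((_addr) >= (_fa)->fa_off && (_addr) < ((_fa)->fa_off + (_fa)->fa_size))

enum discover_method { BY_RESET_VECTOR, BY_LOAD_ADDR };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

static bool parse_header(const uint8_t *img, size_t len, struct image_header *h)
{
    if (len < 32) return false;
    h->ih_magic = get_le32(img);          h->ih_load_addr = get_le32(img + 4);
    h->ih_hdr_size = get_le16(img + 8);   h->ih_protect_tlv_size = get_le16(img + 10);
    h->ih_img_size = get_le32(img + 12);  h->ih_flags = get_le32(img + 16);
    return h->ih_magic == IMAGE_MAGIC;
}

/* Address that decides the slot: plaintext ih_load_addr, or vector-table word 1 (ciphertext when encrypted). */
static bool image_anchor_addr(const uint8_t *img, size_t len, enum discover_method m, uint32_t *out)
{
    struct image_header h;
    if (!parse_header(img, len, &h)) return false;
    if (m == BY_LOAD_ADDR) {
        if (!(h.ih_flags & IMAGE_F_ROM_FIXED)) return false;   /* not signed with --rom-fixed: field unset */
        *out = h.ih_load_addr;
        return true;
    }
    size_t off = (size_t)h.ih_hdr_size + sizeof(uint32_t);      /* skip initial SP, read reset handler */
    if (off + sizeof(uint32_t) > len) return false;
    *out = get_le32(img + off);
    return true;
}

static const struct flash_area *discover_slot(const uint8_t *img, size_t len, enum discover_method m)
{
    uint32_t addr;
    if (!image_anchor_addr(img, len, m, &addr)) return NULL;
    for (size_t i = 0; i < NSLOTS; i++)
        if (IS_IN_RANGE_IMAGE_ADDR(addr, &SLOTS[i])) return &SLOTS[i];
    return NULL;
}

#define HDR_SIZE  32U                        /* Zephyr builds use 0x200; 32 keeps the sample small */
#define BODY_SIZE 64U
#define IMG_SIZE  (HDR_SIZE + BODY_SIZE)

/* Constructed sample image: header, two-word vector table, filler. `encrypted` XORs the body with a
 * fixed byte as a stand-in for MCUboot's AES-CTR payload encryption; the header stays plaintext. */
static size_t build_image(uint8_t *buf, size_t cap, uint32_t load_addr, bool rom_fixed, bool encrypted)
{
    if (cap < IMG_SIZE) return 0;
    memset(buf, 0, IMG_SIZE);
    put_le32(buf, IMAGE_MAGIC);
    put_le32(buf + 4, rom_fixed ? load_addr : 0);
    put_le16(buf + 8, (uint16_t)HDR_SIZE);
    put_le32(buf + 12, BODY_SIZE);
    put_le32(buf + 16, (rom_fixed ? IMAGE_F_ROM_FIXED : 0) | (encrypted ? IMAGE_F_ENCRYPTED_AES128 : 0));
    buf[20] = 1;                                                /* ih_ver 1.0.0+0 */
    uint8_t *body = buf + HDR_SIZE;
    put_le32(body, 0x20010000U);                                /* initial stack pointer */
    put_le32(body + 4, load_addr + HDR_SIZE + 0x20U + 1U);      /* reset handler, Thumb bit set */
    if (encrypted) for (size_t i = 0; i < BODY_SIZE; i++) body[i] ^= 0x5AU;
    return IMG_SIZE;
}

/* fa_id of the slot a candidate built for the primary slot is matched to, or -1 if undetermined. */
int demo_discover(bool encrypted, bool rom_fixed, enum discover_method m)
{
    uint8_t img[IMG_SIZE];
    size_t n = build_image(img, sizeof img, SLOTS[0].fa_off, rom_fixed, encrypted);
    const struct flash_area *fa = discover_slot(img, n, m);
    return fa ? fa->fa_id : -1;
}
```

Calling `demo_discover(false, true, BY_RESET_VECTOR)` and `demo_discover(true, true, BY_LOAD_ADDR)` both resolve to slot 0, while `demo_discover(true, true, BY_RESET_VECTOR)` returns -1 because the XORed reset word lands outside every slot (on real hardware a ciphertext word can just as well land inside a wrong slot, which is the worse outcome), and `demo_discover(false, false, BY_LOAD_ADDR)` returns -1 because the image was not signed with `--rom-fixed`. Two points worth carrying into the PR: the range check is half-open, so a value equal to `fa_off + fa_size` is rejected, which is the convention all the new macros should share; and at discovery time the candidate has not been validated yet, so `ih_load_addr` is an untrusted hint that only selects which slot the image is checked against. The header is covered by the image hash and signature, so the value is authenticated only once the signature check passes; discovery must never be used to skip that check.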