dfu: mcuboot: don't use magic when confirming image
The current implementation of boot_write_img_confirmed() does not
write the image OK byte in flash bank 0 if the magic "request upgrade"
bytes in that bank are "good". This is not robust behavior.
The MCUboot design document has this to say about the image OK byte:
Upgrading an old image with a new one by swapping can be a two-step
process. In this process, mcuboot performs a "test" swap of image
data in flash and boots the new image. The new image can then
update the contents of flash at runtime to mark itself "OK", and
mcuboot will then still choose to run it during the next boot.
[...]
4. Image OK: A single byte indicating whether the image in this
slot has been confirmed as good by the user (0x01=confirmed;
0xff=not confirmed).
This says nothing about the magic bytes, so it'd be better not to make
assumptions about their effect here.
Further, MCUboot itself does not use the magic field when marking the
only known-good image on flash "OK" after either reverting a failed
upgrade or refusing to boot an upgrade iamge with an invalid
signature: instead, it unconditionally ensures the Image OK byte is
set to 0x01.
For consistency with MCUboot's design and implementation, remove the
lines that look at the magic bytes from boot_write_img_confirmed().
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
1 file changed
