Docs: Update note on "image_ok" flag in FWU

This patch makes the note clearer that it is the user's duty to
set the "image_ok" flag once the new firmware image is confirmed to be
acceptable.

This patch also fixes a minor typo.

Signed-off-by: Xinyu Zhang <xinyu.zhang@arm.com>
Change-Id: I3ee62e09cedce5839399ad8cf69292c1e469b304
diff --git a/docs/design_docs/booting/tfm_secure_boot.rst b/docs/design_docs/booting/tfm_secure_boot.rst
index df3bbaf..c49cde1 100644
--- a/docs/design_docs/booting/tfm_secure_boot.rst
+++ b/docs/design_docs/booting/tfm_secure_boot.rst
@@ -12,7 +12,7 @@
 For secure devices it is security critical to enforce firmware authenticity to
 protect against execution of malicious software. This is implemented by building
 a trust chain where each step in the execution chain authenticates the next
-step before execution. The chain of trust in based on a "Root of Trust" which
+step before execution. The chain of trust is based on a "Root of Trust" which
 is implemented using asymmetric cryptography. The Root of Trust is a combination
 of an immutable bootloader and a public key (ROTPK).
 
@@ -176,12 +176,14 @@
 
 .. Note::
 
-    After a successful image upgrade the firmware can mark itself as "OK" at
-    runtime by setting the image_ok flag in the flash. When this happens, the
-    swap is made "permanent" and MCUBoot will then still choose to run it
-    during the next boot. Currently TF-M does not set the image_ok flag,
-    therefore the bootloader will always perform a "revert" (swap the images
-    back) during the next boot.
+    After a successful image upgrade, user can mark the image as "OK"
+    at runtime by explicitly calling ``psa_fwu_accept``. When this happens,
+    the swap is made "permanent" and MCUBoot will then still choose to run it
+    during the next boot.
+
+    TF-M does not set the image_ok flag, because it is user's duty to determine
+    whether the image is acceptable. Therefore the bootloader will always
+    perform a "revert" (swap the images back) during the next boot.
 
 Direct execute-in-place operation
 =================================
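Review bot: In the second added paragraph, "Therefore the bootloader will always perform a "revert"" contradicts the paragraph added just above it, which says that calling ``psa_fwu_accept`` makes the swap permanent. The revert only applies when the image has not been accepted, so "always" should become conditional, for example: "If the user does not call ``psa_fwu_accept``, the bootloader will perform a "revert" (swap the images back) during the next boot." The rewritten first paragraph also no longer mentions image_ok, so "TF-M does not set the image_ok flag" has lost its connection to the accept call; if ``psa_fwu_accept`` is what sets image_ok, say so once so the two paragraphs tie together. It would also help to state plainly that an image left unconfirmed is rolled back by design, since that is the behaviour integrators need to plan their self-test and accept logic around. Minor: "user can" and "it is user's duty" are missing the article ("the user").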
@@ -823,4 +825,4 @@
     image. As a result, the firmware update service is not supported in
     direct-xip mode and ram-load mode.
 
-*Copyright (c) 2018-2022, Arm Limited. All rights reserved.*
+*Copyright (c) 2018-2023, Arm Limited. All rights reserved.*