Boot: Add 'revert' support to direct-xip mode
The 'revert' mechanism in direct-xip is similar to the one in swap mode.
It requires the trailer magic to be added to the signed image. When a
reboot happens without the image being confirmed at runtime (without the
image_ok flag being set), the bootloader considers the image faulty and
erases it. After this it will attempt to boot the previous image
instead. The images can also be made permanent (marked as confirmed in
advance) just like in swap mode.
Change-Id: Ibde9361d4a7302dd8efbb277b691b71eca0ca877
Signed-off-by: David Vincze <david.vincze@linaro.org>
diff --git a/docs/design.md b/docs/design.md
index 90fa1b1..cdffcd9 100644
--- a/docs/design.md
+++ b/docs/design.md
@@ -233,6 +233,9 @@
image is invalid MCUboot erases its memory slot and starts to validate the other
image. After a successful validation of the selected image the bootloader
chain-loads it.
+
+An additional "revert" mechanism is also supported. For more information, please
+read the [corresponding section](#direct-xip-revert).
Handling the primary and secondary slots as equals has its drawbacks. Since the
images are not moved between the slots, the on-the-fly image
encryption/decryption can't be supported (it only applies to storing the image
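Review bot: The new paragraph points the reader to the revert section without saying the feature is opt-in; the cross-referenced section states it must be enabled with MCUBOOT_DIRECT_XIP_REVERT and requires images built with a trailer. Consider "An additional "revert" mechanism is also supported when MCUBOOT_DIRECT_XIP_REVERT is enabled. For more information, please read the [corresponding section](#direct-xip-revert)." so that a reader of the direct-xip overview does not assume revert is active by default. Also note that the `#direct-xip-revert` anchor this link relies on only exists once the heading added later in this patch is present.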
@@ -329,6 +332,33 @@
boot. Subsequent sections describe how mcuboot determines the swap type from
the bit-level contents of flash.
+### [Revert mechanism in direct-xip mode](#direct-xip-revert)
+
+The direct-xip mode also supports a "revert" mechanism which is the equivalent
+of the swap mode's "revert" swap. It can be enabled with the
+MCUBOOT_DIRECT_XIP_REVERT config option and an image trailer must also be added
+to the signed images (the "--pad" option of the `imgtool` script must be used).
+For more information on this please read the [Image Trailer](#image-trailer)
+section and the [imgtool](imgtool.md) documentation. Making the images permanent
+(marking them as confirmed in advance) is also supported just like in swap mode.
+The individual steps of the direct-xip mode's "revert" mechanism are the
+following:
+
+1. Select the slot which holds the newest potential image.
+2. Was the image previously selected to run (during a previous boot)?
+ + Yes: Did the image mark itself "OK" (was the self-test successful)?
+ + Yes.
+ - Proceed to step 3.
+ + No.
+ - Erase the image from the slot to prevent it from being selected
+ again during the next boot.
+ - Return to step 1 (the bootloader will attempt to select and
+ possibly boot the previous image if there is one).
+ + No.
+ - Mark the image as "selected" (set the copy_done flag in the trailer).
+ - Proceed to step 3.
+3. Proceed to image validation ...
+
## [Image Trailer](#image-trailer)
For the bootloader to be able to determine the current state and what actions
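Review bot: Step 2 describes the checks in terms of "selected" and "OK" but never ties them to the trailer flags, so a reader cannot map the prose to the flash layout documented in the Image Trailer section that follows. The commit message names them: the "selected" state is the copy_done flag (step 2 mentions it only in the "No" branch) and the "OK" state is the image_ok flag. Spell out in the "Yes" branch that the check is on image_ok, and state explicitly that a "permanent" image (image_ok set in advance, as the paragraph above says is supported) passes this check without a runtime self-test; otherwise the erase in the inner "No" branch reads as applying to every unconfirmed image. A documentation point on placement: this `###` subsection is inserted after the swap-type text ("Subsequent sections describe how mcuboot determines the swap type...") rather than in the direct-xip section that the first hunk links from; consider moving it next to the direct-xip description, or at least noting there that the trailer flags it uses are the same ones described under Image Trailer.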