Set pending: don't crash when image slot corrupt
This change affects the "set pending" operation. That is, the operation
that configures mcuboot to temporarily swap images on the next boot.
PRIOR TO COMMIT:
If the slot 1 trailer contained an invalid 128-bit magic number, an
assertion would fail, causing a crash.
AFTER COMMIT:
If corruption is detected in the slot 1 trailer, the entire image slot
is erased, and the "set pending" operation fails with a `BOOT_EBADIMAGE`
status.
RATIONALE:
mcuboot cannot meaningfully recover from data corruption. The only
recourse is to erase the bad data so that future upgrades can be
performed. I was tempted to add a build-time setting to control whether
the image slot gets erased when corruption is detected, but I dont think this
freedom justifies the cost of extra config. A device with a corrupt
image slot can no longer be upgraded, so the only reason someone would
want to preserve the corrupt data would be for debugging.
Signed-off-by: Christopher Collins <ccollins@apache.org>
diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c
index c7c0962..47b41fd 100644
--- a/boot/bootutil/src/bootutil_misc.c
+++ b/boot/bootutil/src/bootutil_misc.c
@@ -615,10 +615,22 @@
flash_area_close(fap);
return rc;
+ case BOOT_MAGIC_BAD:
+ /* The image slot is corrupt. There is no way to recover, so erase the
+ * slot to allow future upgrades.
+ */
+ rc = flash_area_open(FLASH_AREA_IMAGE_1, &fap);
+ if (rc != 0) {
+ return BOOT_EFLASH;
+ }
+
+ flash_area_erase(fap, 0, fap->fa_size);
+ flash_area_close(fap);
+ return BOOT_EBADIMAGE;
+
default:
- /* XXX: Temporary assert. */
assert(0);
- return -1;
+ return BOOT_EBADIMAGE;
}
}