bootutil: Add support for bootloader requests

tomchy · tomchy · commit 832b4c924d5b · 2025-07-24T12:22:01.000+02:00
Extend the common bootutil library to send bootloader requests instead
of writing data directly into the active slot.

Signed-off-by: Tomasz Chyrowicz &lt;tomasz.chyrowicz@nordicsemi.no&gt;
diff --git a/boot/bootutil/src/bootutil_public.c b/boot/bootutil/src/bootutil_public.c
@@ -51,6 +51,10 @@
 #include "bootutil_priv.h"
 #include "bootutil_misc.h"
 
+#if defined(CONFIG_BOOT_REQUEST) && !defined(CONFIG_MCUBOOT)
+#include <boot_request/boot_request.h>
+#endif /* CONFIG_BOOT_REQUEST && !CONFIG_MCUBOOT */
+
 #ifdef CONFIG_MCUBOOT
 BOOT_LOG_MODULE_DECLARE(mcuboot);
 #else
@@ -503,6 +507,151 @@ boot_write_copy_done(const struct flash_area *fap)
     return boot_write_trailer_flag(fap, off, BOOT_FLAG_SET);
 }
 
+#if defined(CONFIG_BOOT_REQUEST) && !defined(CONFIG_MCUBOOT)
+int
+boot_set_next(const struct flash_area *fa, bool active, bool confirm)
+{
+    uint8_t i = 0;
+    int slot_id = -1;
+    int image_id = flash_area_get_id(fa);
+    struct boot_swap_state slot_state;
+    int rc;
+
+    BOOT_LOG_DBG("boot_set_next: fa %p active == %d, confirm == %d",
+                 fa, (int)active, (int)confirm);
+
+    if (active) {
+        confirm = true;
+    }
+
+    rc = boot_read_swap_state(fa, &slot_state);
+    if (rc != 0) {
+        return BOOT_EBADIMAGE;
+    }
+
+    /* Identify image and slot number. */
+    while (i < BOOT_IMAGE_NUMBER) {
+        if (FLASH_AREA_IMAGE_PRIMARY(i) == image_id) {
+            image_id = i;
+            slot_id = 0;
+            break;
+        } else if (FLASH_AREA_IMAGE_SECONDARY(i) == image_id) {
+            image_id = i;
+            slot_id = 1;
+            break;
+        }
+
+        ++i;
+    }
+
+    if (slot_id == -1) {
+        return BOOT_EBADIMAGE;
+    }
+
+    /* Handle write-protected active image. */
+    switch (slot_state.magic) {
+    case BOOT_MAGIC_GOOD:
+        /* fall-through */
+
+    case BOOT_MAGIC_UNSET:
+        if (confirm) {
+            BOOT_LOG_DBG("Confirm image: %d, %d", image_id, slot_id);
+            rc = boot_request_confirm_slot(image_id, slot_id);
+        } else {
+            BOOT_LOG_DBG("Set image preference: %d, %d", image_id, slot_id);
+            rc = boot_request_set_preferred_slot(image_id, slot_id);
+        }
+        if (rc != 0) {
+            rc = BOOT_EBADIMAGE;
+        }
+        break;
+
+    case BOOT_MAGIC_BAD:
+        rc = BOOT_EBADIMAGE;
+        break;
+
+    default:
+        /* Something is not OK, this should never happen */
+        assert(0);
+        rc = BOOT_EBADIMAGE;
+        break;
+    }
+
+    /* Handle write-enabled inactive image. */
+    if (!active) {
+        switch (slot_state.magic) {
+#ifdef MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP
+        case BOOT_MAGIC_UNSET:
+            rc = boot_write_magic(fa);
+            /* fall-through */
+
+        case BOOT_MAGIC_GOOD:
+            if (rc == 0 && confirm) {
+                if (slot_state.copy_done == BOOT_FLAG_UNSET) {
+                    /* Magic is needed for DirectXIP to even try to boot application.
+                     * DirectXIP will set copy-done flag before attempting to boot
+                     * application. Next boot, application that has copy-done flag
+                     * is expected to already have ok flag, otherwise it will be removed.
+                     */
+                    rc = boot_write_copy_done(fa);
+                    if (rc != 0) {
+                        break;
+                    }
+                }
+
+                if (slot_state.image_ok == BOOT_FLAG_UNSET) {
+                    rc = boot_write_image_ok(fa);
+                }
+            }
+            break;
+#else /* MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP */
+        case BOOT_MAGIC_UNSET:
+            rc = boot_write_magic(fa);
+
+            if (rc == 0 && confirm) {
+                rc = boot_write_image_ok(fa);
+            }
+
+            if (rc == 0) {
+                uint8_t swap_type;
+
+                if (confirm) {
+                    swap_type = BOOT_SWAP_TYPE_PERM;
+                } else {
+                    swap_type = BOOT_SWAP_TYPE_TEST;
+                }
+                rc = boot_write_swap_info(fa, swap_type, image_id);
+            }
+            break;
+
+        case BOOT_MAGIC_GOOD:
+            /* If non-active then swap already scheduled, else confirm needed.*/
+            if (slot_state.image_ok == BOOT_FLAG_UNSET) {
+                /* Intentionally do not check copy_done flag to be able to
+                 * confirm a padded image which has been programmed using
+                 * a programming interface.
+                 */
+                rc = boot_write_image_ok(fa);
+            }
+            break;
+#endif /* MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP */
+
+        case BOOT_MAGIC_BAD:
+            rc = BOOT_EBADVECT;
+            break;
+
+        default:
+            /* Something is not OK, this should never happen */
+            assert(0);
+            rc = BOOT_EBADIMAGE;
+            break;
+        }
+    }
+
+    return rc;
+}
+#else /* CONFIG_BOOT_REQUEST && !CONFIG_MCUBOOT */
+
 #ifndef MCUBOOT_BOOTUTIL_LIB_FOR_DIRECT_XIP
 
 static int flash_area_to_image(const struct flash_area *fa)
@@ -530,6 +679,9 @@ boot_set_next(const struct flash_area *fa, bool active, bool confirm)
     struct boot_swap_state slot_state;
     int rc;
 
+    BOOT_LOG_DBG("boot_set_next: fa %p active == %d, confirm == %d",
+                 fa, (int)active, (int)confirm);
+
     if (active) {
         confirm = true;
     }
@@ -664,6 +816,7 @@ boot_set_next(const struct flash_area *fa, bool active, bool confirm)
     return rc;
 }
 #endif
+#endif /* CONFIG_BOOT_REQUEST && !CONFIG_MCUBOOT */
 
 /*
  * This function is not used by the bootloader itself, but its required API
