modules: mcuboot: enable support for RAMLOAD mode with revert

[danieldegrasse]

This PR adds support for RAMLOAD mode with revert in MCUBoot, and enables a testcase for it with the mcumgr subsystem. RAMLOAD mode with revert functions similar to the direct xip mode with revert- MCUBoot will not ramload an image that is not confirmed or marked pending.

This PR also modifies the method of getting the active slot number when using ramload modes- we need to query the flash area ID, not the active boot slot for use with mcuboot boot utilities

[zephyrbot]

The following west manifest projects have changed revision in this Pull Request:

Name	Old Revision	New Revision	Diff

✅ All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

[danieldegrasse]

Note: this PR requires mcu-tools/mcuboot#2197 from MCUBoot. It also contains commits from #85096, because I validated this support on the RT1050-EVK

[nordicjm]

needs #if here too

[danieldegrasse]

Added- thanks. What will we need to do on the MCUBoot side to synchronize this? I think this change will have to go in when we update MCUBoot to include mcu-tools/mcuboot#2197 since we are moving the overlays as well

[nordicjm]

Build sample with CONFIG_MCUMGR_GRP_IMG_ALLOW_ERASE_PENDING=n, flash to device, then without changing any Kconfigs or anything or rebuilding just upload the slot1 image using MCUmgr with any supported tool from file zephyr.slot1.signed.confirmed.bin and reboot - at this point the device will boot from slot 0 not slot 1 as it should according to the flags, then try uploading an image or erasing the slot using MCUmgr, you will get an error that there is no free slot to place the image, and your device is "bricked" because you can no longer load a firmware update to it (without erasing the flash with a debugger, that is)

Ahh ok- now this makes sense, thank you- I've made the following change in this push, should fix it:

diff --git a/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c b/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c
index 5333d651c9f..1860269d87f 100644
--- a/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c
+++ b/subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c
@@ -332,7 +332,8 @@ img_mgmt_slot_in_use(int slot)
        int active_slot = img_mgmt_active_slot(image);

 #if !defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_DIRECT_XIP) && \
-       !defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD)
+       !defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD) && \
+       !defined(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT)
        enum img_mgmt_next_boot_type type = NEXT_BOOT_TYPE_NORMAL;
        int nbs = img_mgmt_get_next_boot_slot(image, &type);

I believe we just want to always allow erasing a pending/confirmed image if it is inactive- otherwise the user can flash two images that are both confirmed, and effectively brick their device

Great, is working now! One outstanding issue then looks good

[d3zd3z]

The change looks good. Once mcuboot has moved to a supporting version, I can give an approval.

[d3zd3z]

I have merged 2197 into mcuboot, so once this makes it into the Zephyr module, we can directly refer to that.

[danieldegrasse]

Great- I think we will need to be careful with synchronization here- the MCUBoot side change moves some overlay files into the MCUBoot repo that were previously defined here (used for the ramload sample). So I think that these changes (or a subset) will be needed with the PR that bumps the mcuboot manifest revision.

[d3zd3z]

This is a little ambiguous to me, since the revert does kind of go back to an older version of the application. Not sure how to word it more clearly, though.

[danieldegrasse]

Yeah, that is true. Perhaps

This option automatically selectes MCUBOOT_BOOTLOADER_NO_DOWNGRADE as MCUBoot will automatically select the highest revision of the application to boot. Note however that MCUBoot will select an older revision of the application if the booted revision does not mark itself as confirmed.

[danieldegrasse]

Updated now that Zephyr's copy of MCUBoot includes the relevant ramload support

[JarmouniA]

Unrelated to the core of the PR, do you know why RAM_LOAD mode requires XIP=n, but SINGLE_APP_RAM_LOAD does not?

[danieldegrasse]

I don't, no- not familiar with SINGLE_APP_RAM_LOAD. @nordicjm do you know why this is the case?

[nordicjm]

An oversight probably

[nordicjm]

@edersondisouza

[edersondisouza]

XIP is orthogonal to SINGLE_APP_RAM_LOAD - it simply loads the image to RAM. If the image was linked to run from the area in the RAM it is going to be loaded, it can use XIP.

[JarmouniA]

XIP is orthogonal to SINGLE_APP_RAM_LOAD - it simply loads the image to RAM. If the image was linked to run from the area in the RAM it is going to be loaded, it can use XIP.

Can you perhaps clarify this in the Kconfig help text, I think it's a very important point that will help many users.

[nordicjm]

XIP is orthogonal to SINGLE_APP_RAM_LOAD - it simply loads the image to RAM. If the image was linked to run from the area in the RAM it is going to be loaded, it can use XIP.

that is not consistent with what the Kconfig does:

        help
          This option allows the kernel to operate with its text and read-only
          sections residing in ROM (or similar read-only memory). Not all boards
          support this option so it must be used with care; you must also
          supply a linker command file when building your image. Enabling this
          option increases both the code and data footprint of the image.

so XIP is execute from flash, non-XIP is execute from RAM

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud