From eb3324e9a4547660121937083f4ff963443979f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20M=C3=A9r=C3=A9?=
Date: Mon, 17 Nov 2025 17:20:49 +0100
Subject: [PATCH] boot: avoid increasing rollback counter during RAM load FW update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When MCUBOOT_RAM_LOAD_REVERT is enabled, the rollback counter must not be incremented until image_ok is set. Otherwise, in the event of a revert, the boot process may become bricked.

Signed-off-by: Maxime Méré
---
 boot/bootutil/src/loader.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index f3eb66297..b3f95722f 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -2338,10 +2338,12 @@ boot_update_hw_rollback_protection(struct boot_loader_state *state)
 /* Update the stored security counter with the newer (active) image's
 * security counter value.
 */
-#if defined(MCUBOOT_DIRECT_XIP) && defined(MCUBOOT_DIRECT_XIP_REVERT)
- /* When the 'revert' mechanism is enabled in direct-xip mode, the
- * security counter can be increased only after reboot, if the image
- * has been confirmed at runtime (the image_ok flag has been set).
+#if defined(MCUBOOT_DIRECT_XIP) && defined(MCUBOOT_DIRECT_XIP_REVERT) || \
+ (defined(MCUBOOT_RAM_LOAD) && defined(MCUBOOT_RAM_LOAD_REVERT))
+ /* When the 'revert' mechanism is enabled in direct-xip or ram-load
+ * mode, the security counter can be increased only after reboot, if
+ * the image has been confirmed at runtime (the image_ok flag has
+ * been set).
 * This way a 'revert' can be performed when it's necessary.
 */
 if (state->slot_usage[BOOT_CURR_IMG(state)].swap_state.image_ok == BOOT_FLAG_SET) {
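Review bot: The new `#if` condition mixes `&&` and `||` with only the RAM-load pair parenthesized, so the direct-xip pair is grouped by operator precedence alone; writing the first line as `#if (defined(MCUBOOT_DIRECT_XIP) && defined(MCUBOOT_DIRECT_XIP_REVERT)) || \` makes the grouping explicit and matches the second line. The guard below it trusts `swap_state.image_ok` for the current image, and nothing in this hunk shows that field being read from the slot trailer in RAM-load mode, so it is worth confirming that it is populated on that path; if it were left at a default value, the stored security counter would presumably never advance. The updated comment could also spell out the trade-off, for example `* Until then the stored counter keeps its previous value, so rollback protection does not yet cover this image.` The body of boot_update_hw_rollback_protection starts and ends outside this hunk.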