[nrf noup] boot/bootutil/loader: image discovery by ih_load_address #461
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nvlsianpu
force-pushed
the
img_disc_by_load_addr
branch
2 times, most recently
from
dda8a3b to
db3fe90
Compare
There was a problem hiding this comment.
Pull Request Overview
Adds a configuration option to use the image header’s load address for slot discovery instead of the reset handler address.
- Introduce
MCUBOOT_USE_CHECK_LOAD_ADDRKconfig option and adjust dependencies forMCUBOOT_VERIFY_IMG_ADDRESS - Refactor
boot_validate_slotandboot_validated_swap_typeto readih_load_addrwhen enabled - Define new
IS_IN_RANGE_*macros for address range checks
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| boot/zephyr/Kconfig | Add new config MCUBOOT_USE_CHECK_LOAD_ADDR and update dependencies |
| boot/bootutil/src/loader.c | Conditional read of ih_load_addr, macro definitions, and slot validation updates |
Comments suppressed due to low confidence (3)
boot/bootutil/src/loader.c:1264
- Mismatched
#ifdef/#elseguards—this#elsedoes not match the preceding#ifdef CONFIG_MCUBOOT_USE_CHECK_LOAD_ADDRcorrectly and will break compilation.
#else /* BOOT_USE_CHECK_LOAD_ADDR */
boot/bootutil/src/loader.c:1522
- Extra closing parenthesis in macro definition leads to a syntax error; remove the surplus
)at the end.
#define IS_IN_RANGE_CPUNET_APP_ADDR(_addr) ((_addr) >= PM_CPUNET_APP_ADDRESS && (_addr) < PM_CPUNET_APP_END_ADDRESS))
boot/bootutil/src/loader.c:1595
- The
IS_IN_RANGE_S_VARIANT_ADDRmacro expects two parameters but is invoked with one; useIS_IN_RANGE_S_ALTERNATE_ADDRorIS_IN_RANGE_S_CURRENT_ADDRinstead.
if (IS_IN_RANGE_S_VARIANT_ADDR(internal_img_addr)) {
boot/zephyr/Kconfig
Outdated
Comment on lines
1200
to
1203
| If y, the bootloader will use the load address form image header | ||
| for checking to which slot image belongs instead of usage of reset | ||
| handler addres reading form the image. |
There was a problem hiding this comment.
[nitpick] Typo in help text: replace “form image header” with “from image header” and correct “addres” to “address”.
Suggested change
| If y, the bootloader will use the load address form image header | |
| for checking to which slot image belongs instead of usage of reset | |
| handler addres reading form the image. | |
| If y, the bootloader will use the load address from image header | |
| for checking to which slot image belongs instead of usage of reset | |
| handler address reading from the image. |
Copilot uses AI. Check for mistakes.
nvlsianpu
force-pushed
the
img_disc_by_load_addr
branch
from
db3fe90 to
2fb0029
Compare
This was referenced Jul 8, 2025
nvlsianpu
force-pushed
the
img_disc_by_load_addr
branch
from
2fb0029 to
5155061
Compare
|
nordicjm
requested changes
Jul 24, 2025
boot/bootutil/src/loader.c
Outdated
| struct image_header *secondary_hdr = boot_img_hdr(state, slot); | ||
| uint32_t reset_value = 0; | ||
| uint32_t reset_addr = secondary_hdr->ih_hdr_size + sizeof(reset_value); | ||
| uint32_t internal_img_addr = 0; /* either the reset handler addres or the image beginning addres */ |
boot/zephyr/Kconfig
Outdated
| bool | ||
|
|
||
| config MCUBOOT_USE_CHECK_LOAD_ADDR | ||
| bool "use check of load address" |
There was a problem hiding this comment.
Suggested change
| bool "use check of load address" | |
| bool "Use check of load address" |
if we're adding to all new images, do we want to default y this? Or I guess not right away so other things e.g. qspi xip can be updated
boot/bootutil/src/loader.c
Outdated
|
|
||
| #define IS_IN_RANGE_CPUNET_APP_ADDR(_addr) ((_addr) >= PM_CPUNET_APP_ADDRESS && (_addr) < PM_CPUNET_APP_END_ADDRESS) | ||
| #define _IS_IN_RANGE_S_VARIANT_ADDR(_addr, x) ((_addr) >= PM_S##x_ADDRESS && (_addr) <= (PM_S##x_ADDRESS + PM_S##x_SIZE)) | ||
| #if (CONFIG_NCS_IS_VARIANT_IMAGE) |
de-nordic
force-pushed
the
img_disc_by_load_addr
branch
from
5155061 to
aa627f8
Compare
de-nordic
changed the title
de-nordic
force-pushed
the
img_disc_by_load_addr
branch
from
aa627f8 to
900c495
Compare
de-nordic
force-pushed
the
img_disc_by_load_addr
branch
5 times, most recently
from
566d3f3 to
e1d9d3f
Compare
de-nordic
force-pushed
the
img_disc_by_load_addr
branch
6 times, most recently
from
9da4fd3 to
89a583a
Compare
de-nordic
force-pushed
the
img_disc_by_load_addr
branch
11 times, most recently
from
6460f21 to
4752c56
Compare
de-nordic
force-pushed
the
img_disc_by_load_addr
branch
2 times, most recently
from
0f013f2 to
d91e83e
Compare
nrf-squash! [nrf noup] treewide: Add support for sysbuild assigned images Introduce alternative procedure for detecting to which partition image candidate belongs. This method uses ih_load_address field of the image header instead of reset vector address. This allows to match incoming image to the partition even when it is for instance encrypted, as the image header is always plain-text. This new procedure can be enabled using CONFIG_MCUBOOT_CHECK_HEADER_LOAD_ADDRES =y. Firmware need to be signed with imgtool.py sign --rom-fixed <partition_address> parameter. ref.: NCSIDB-1173 Signed-off-by: Andrzej Puzdrowski <[email protected]>
de-nordic
force-pushed
the
img_disc_by_load_addr
branch
from
d91e83e to
6435279
Compare
de-nordic
changed the title
|
nordicjm
reviewed
Oct 13, 2025
| */ | ||
| #ifdef PM_CPUNET_APP_ADDRESS | ||
| if (BOOT_CURR_IMG(state) == CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER) { | ||
|
|
| check_addresses = true; | ||
| } else | ||
| #endif | ||
|
|
| } | ||
| #endif /* CHECK_MCUBOOT_IMAGE */ | ||
|
|
||
| #if CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER != -1 |
There was a problem hiding this comment.
Suggested change
| #if CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER != -1 |
there is always an app update image
| #endif | ||
| check_addresses = true; | ||
| } | ||
| #endif |
| #else | ||
| min_addr = pri_fa->fa_off; | ||
| max_addr = pri_fa->fa_off + pri_fa->fa_size; | ||
|
|
Comment on lines
+1281
to
+1283
| #if CHECK_MCUBOOT_IMAGE == 1 | ||
| min_addr = MIN(min_addr, NCS_VARIANT_SLOT_MIN_ADDR); | ||
| max_addr = MAX(max_addr, NCS_VARIANT_SLOT_MAX_ADDR); |
There was a problem hiding this comment.
this seems to preset an unintended side effect, an image that spans across both the s0/s1 and the application partitions would pass this validation
| BOOT_LOG_ERR("Cleaned-up secondary slot of image %d", BOOT_CURR_IMG(state)); | ||
| return BOOT_SWAP_TYPE_FAIL; | ||
| } else if (reset_addr < primary_fa->fa_off || reset_addr > (primary_fa->fa_off + primary_fa->fa_size)) { | ||
| } else if (!IS_IN_RANGE_IMAGE_ADDR(internal_img_addr, primary_fa)) { |
There was a problem hiding this comment.
what happens if the primary and secondary slots are located in e.g. SPI or QSPI? This is how QSPI XIP split image support works and an upcoming extra DFU slot system will work
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduce alternative procedure for detecting to which partition
image candidate belongs. This method uses ih_load_address field of the
image header instead of reset vector address. This allows to match
incoming image to the partition even when it is for instance encrypted,
as the image header is always plain-text.
This new procedure can be enabled using
CONFIG_MCUBOOT_USE_CHECK_LOAD_ADDR=y. Firmware need to be signed with
imgtool.py sign --rom-fixed <partition_address> parameter.
ref.: NCSIDB-1173
manifest-pr-skip