boot: bootutil: swap_offset: Fix not including unprotected TLVs

nordicjm · nordicjm · commit 5b7bccf9def7 · 2025-10-16T07:18:40.000+01:00
Fixes an issue whereby the size of unprotected TLVs were not
included in the size of the image to swap. Because this information
is not present in the MCUboot header and because swap using offset
includes swapping data that might mangle this area, extra space in
the swap status trailer needs to be reserved and used

Signed-off-by: Jamie McCrae &lt;jamie.mccrae@nordicsemi.no&gt;
diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c
@@ -126,6 +126,10 @@ boot_trailer_info_sz(void)
 #endif
            /* swap_type + copy_done + image_ok + swap_size */
            BOOT_MAX_ALIGN * 4                     +
+#ifdef MCUBOOT_SWAP_USING_OFFSET
+           /* TLV size for both slots */
+           BOOT_MAX_ALIGN                         +
+#endif
            BOOT_MAGIC_ALIGN_SIZE
            );
 }
@@ -361,6 +365,27 @@ boot_read_swap_size(const struct flash_area *fap, uint32_t *swap_size)
     return rc;
 }
 
+#ifdef MCUBOOT_SWAP_USING_OFFSET
+int
+boot_read_unprotected_tlv_sizes(const struct flash_area *fap, uint16_t *tlv_size_primary,
+                                uint16_t *tlv_size_secondary)
+{
+    uint32_t off;
+    uint32_t combined_tlv_sizes = 0;
+    int rc;
+
+    off = boot_unprotected_tlv_sizes_off(fap);
+    rc = flash_area_read(fap, off, &combined_tlv_sizes, sizeof(combined_tlv_sizes));
+
+    if (rc == 0) {
+        *tlv_size_primary = (uint16_t)(combined_tlv_sizes & 0xffff);
+        *tlv_size_secondary = (uint16_t)((combined_tlv_sizes & 0xffff0000) >> 16);
+    }
+
+    return rc;
+}
+#endif
+
 #ifdef MCUBOOT_ENC_IMAGES
 int
 boot_read_enc_key(const struct flash_area *fap, uint8_t slot, struct boot_status *bs)
@@ -405,6 +430,25 @@ boot_write_swap_size(const struct flash_area *fap, uint32_t swap_size)
     return boot_write_trailer(fap, off, (const uint8_t *) &swap_size, 4);
 }
 
+#if defined(MCUBOOT_SWAP_USING_OFFSET)
+int
+boot_write_unprotected_tlv_sizes(const struct flash_area *fap, uint16_t tlv_size_primary,
+                                 uint16_t tlv_size_secondary)
+{
+    uint32_t off;
+    uint32_t tlv_sizes_combined;
+
+    off = boot_unprotected_tlv_sizes_off(fap);
+    tlv_sizes_combined = ((uint32_t)tlv_size_secondary << 16) | (uint32_t)tlv_size_primary;
+    BOOT_LOG_DBG("writing unprotected_tlv_sizes; fa_id=%d off=0x%lx (0x%lx) vals=0x%x,0x%x (0x%lx)",
+                 flash_area_get_id(fap), (unsigned long)off,
+                 ((unsigned long)flash_area_get_off(fap) + off), tlv_size_primary,
+                 tlv_size_secondary, (unsigned long)tlv_sizes_combined);
+    return boot_write_trailer(fap, off, (const uint8_t *)&tlv_sizes_combined,
+                              sizeof(tlv_sizes_combined));
+}
+#endif
+
 #ifdef MCUBOOT_ENC_IMAGES
 int
 boot_write_enc_keys(const struct flash_area *fap, const struct boot_status *bs)
diff --git a/boot/bootutil/src/bootutil_misc.h b/boot/bootutil/src/bootutil_misc.h
@@ -43,10 +43,24 @@ boot_copy_done_off(const struct flash_area *fap)
     return boot_image_ok_off(fap) - BOOT_MAX_ALIGN;
 }
 
+#if defined(MCUBOOT_SWAP_USING_OFFSET)
+static inline uint32_t
+boot_unprotected_tlv_sizes_off(const struct flash_area *fap)
+{
+    return boot_swap_info_off(fap) - BOOT_MAX_ALIGN;
+}
+
+static inline uint32_t
+boot_swap_size_off(const struct flash_area *fap)
+{
+    return boot_unprotected_tlv_sizes_off(fap) - BOOT_MAX_ALIGN;
+}
+#else
 static inline uint32_t
 boot_swap_size_off(const struct flash_area *fap)
 {
     return boot_swap_info_off(fap) - BOOT_MAX_ALIGN;
 }
+#endif
 
 #endif /* H_BOOTUTIL_MISC_ */
diff --git a/boot/bootutil/src/bootutil_priv.h b/boot/bootutil/src/bootutil_priv.h
@@ -242,6 +242,9 @@ struct boot_loader_state {
         const struct flash_area *area;
         boot_sector_t *sectors;
         uint32_t num_sectors;
+#if defined(MCUBOOT_SWAP_USING_OFFSET)
+        uint16_t unprotected_tlv_size;
+#endif
     } imgs[BOOT_IMAGE_NUMBER][BOOT_NUM_SLOTS];
 
 #if MCUBOOT_SWAP_USING_SCRATCH
@@ -342,6 +345,12 @@ int boot_write_trailer(const struct flash_area *fap, uint32_t off,
 int boot_write_trailer_flag(const struct flash_area *fap, uint32_t off,
                             uint8_t flag_val);
 int boot_read_swap_size(const struct flash_area *fap, uint32_t *swap_size);
+#if defined(MCUBOOT_SWAP_USING_OFFSET)
+int boot_write_unprotected_tlv_sizes(const struct flash_area *fap, uint16_t tlv_size_primary,
+                                     uint16_t tlv_size_secondary);
+int boot_read_unprotected_tlv_sizes(const struct flash_area *fap, uint16_t *tlv_size_primary,
+                                    uint16_t *tlv_size_secondary);
+#endif
 int boot_slots_compatible(struct boot_loader_state *state);
 uint32_t boot_status_internal_off(const struct boot_status *bs, int elem_sz);
 int boot_read_image_header(struct boot_loader_state *state, int slot,
@@ -479,6 +488,7 @@ static inline bool boot_u16_safe_add(uint16_t *dest, uint16_t a, uint16_t b)
 #endif
 #define BOOT_IMG(state, slot) ((state)->imgs[BOOT_CURR_IMG(state)][(slot)])
 #define BOOT_IMG_AREA(state, slot) (BOOT_IMG(state, slot).area)
+#define BOOT_IMG_UNPROTECTED_TLV_SIZE(state, slot) (BOOT_IMG(state, slot).unprotected_tlv_size)
 #define BOOT_WRITE_SZ(state) ((state)->write_sz[BOOT_CURR_IMG(state)])
 #define BOOT_SWAP_TYPE(state) ((state)->swap_type[BOOT_CURR_IMG(state)])
 #define BOOT_TLV_OFF(hdr) ((hdr)->ih_hdr_size + (hdr)->ih_img_size)
diff --git a/boot/bootutil/src/swap_misc.c b/boot/bootutil/src/swap_misc.c
@@ -2,6 +2,7 @@
  * SPDX-License-Identifier: Apache-2.0
  *
  * Copyright (c) 2019 JUUL Labs
+ * Copyright (c) 2025 Nordic Semiconductor ASA
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -136,6 +137,13 @@ swap_status_init(const struct boot_loader_state *state,
     rc = boot_write_swap_size(fap, bs->swap_size);
     assert(rc == 0);
 
+#ifdef MCUBOOT_SWAP_USING_OFFSET
+    rc = boot_write_unprotected_tlv_sizes(fap,
+                                   BOOT_IMG_UNPROTECTED_TLV_SIZE(state, BOOT_SLOT_PRIMARY),
+                                   BOOT_IMG_UNPROTECTED_TLV_SIZE(state, BOOT_SLOT_SECONDARY));
+    assert(rc == 0);
+#endif
+
 #ifdef MCUBOOT_ENC_IMAGES
     rc = boot_write_enc_keys(fap, bs);
 #endif
@@ -243,5 +251,4 @@ swap_set_image_ok(uint8_t image_index)
     return rc;
 }
 
-
 #endif /* defined(MCUBOOT_SWAP_USING_SCRATCH) || defined(MCUBOOT_SWAP_USING_MOVE) || defined(MCUBOOT_SWAP_USING_OFFSET) */
diff --git a/boot/bootutil/src/swap_offset.c b/boot/bootutil/src/swap_offset.c
@@ -593,12 +593,20 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs,
     const struct flash_area *fap_pri = NULL;
     const struct flash_area *fap_sec = NULL;
     int rc;
+    uint16_t unprotected_tlv_size_pri;
+    uint16_t unprotected_tlv_size_sec;
 
     BOOT_LOG_INF("Starting swap using offset algorithm.");
 
     last_idx = find_last_idx(state, copy_size);
     sector_sz = boot_img_sector_size(state, BOOT_SLOT_PRIMARY, 0);
 
+    fap_pri = BOOT_IMG_AREA(state, BOOT_SLOT_PRIMARY);
+    assert(fap_pri != NULL);
+
+    fap_sec = BOOT_IMG_AREA(state, BOOT_SLOT_SECONDARY);
+    assert(fap_sec != NULL);
+
     /* When starting a new swap upgrade, check that there is enough space */
     if (boot_status_is_reset(bs)) {
         sz = 0;
@@ -623,12 +631,6 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs,
         }
     }
 
-    fap_pri = BOOT_IMG_AREA(state, BOOT_SLOT_PRIMARY);
-    assert(fap_pri != NULL);
-
-    fap_sec = BOOT_IMG_AREA(state, BOOT_SLOT_SECONDARY);
-    assert(fap_sec != NULL);
-
     fixup_revert(state, bs, fap_sec);
 
     /* Init areas for storing swap status */
@@ -647,14 +649,24 @@ void swap_run(struct boot_loader_state *state, struct boot_status *bs,
         assert(rc == 0);
     }
 
+    /* Read the unprotected TLV sizes from the boot swap status area, this information might get
+     * jangled if rebooted during an update so it needs to be stored in this area for safe
+     * retrieval
+     */
+    boot_read_unprotected_tlv_sizes(fap_pri, &unprotected_tlv_size_pri, &unprotected_tlv_size_sec);
+    BOOT_LOG_DBG("Unprotected TLV sizes image=%d: pri=%d, sec=%d", BOOT_CURR_IMG(state),
+                 unprotected_tlv_size_pri, unprotected_tlv_size_sec);
+
     bs->op = BOOT_STATUS_OP_SWAP;
     idx = 0;
     used_sectors_pri = ((state->imgs[BOOT_CURR_IMG(state)][BOOT_SLOT_PRIMARY].hdr.ih_hdr_size +
+        unprotected_tlv_size_pri +
         state->imgs[BOOT_CURR_IMG(state)][BOOT_SLOT_PRIMARY].hdr.ih_protect_tlv_size +
         state->imgs[BOOT_CURR_IMG(state)][BOOT_SLOT_PRIMARY].hdr.ih_img_size) + sector_sz - 1) /
         sector_sz;
     used_sectors_sec = ((state->imgs[BOOT_CURR_IMG(state)][BOOT_SLOT_SECONDARY].hdr.ih_hdr_size +
         state->imgs[BOOT_CURR_IMG(state)][BOOT_SLOT_SECONDARY].hdr.ih_protect_tlv_size +
+        unprotected_tlv_size_sec +
         state->imgs[BOOT_CURR_IMG(state)][BOOT_SLOT_SECONDARY].hdr.ih_img_size) + sector_sz - 1) /
         sector_sz;
 
@@ -770,6 +782,11 @@ int boot_read_image_size(struct boot_loader_state *state, int slot, uint32_t *si
         goto done;
     }
 
+    /* This is needed as unprotected TLV size cannot be calculated once a swap has been started,
+     * it is only able to be properly calculated when images are in pristine states
+     */
+    BOOT_IMG_UNPROTECTED_TLV_SIZE(state, slot) = info.it_tlv_tot;
+
     *size = off + protect_tlv_size + info.it_tlv_tot;
     rc = 0;
 
