MCUboot should boot primary image if secondary slot is inaccessible, as long as primary slot is accessible

[VineetaNarkhede-eaton]

Issue

Currently, if MCUboot fails to access any flash slots, it treats this as a critical failure and does not proceed to boot any image, resulting in a boot panic or halt. This behaviour can cause unnecessary device outages if only the secondary slot is inaccessible, but the primary slot and its image are still healthy.

Expected Behaviour

If the secondary slot is inaccessible (e.g., due to flash failure, bad connection, or hardware issue), but the primary slot is accessible and contains a valid image, MCUboot should still proceed to boot the primary image to keep device running. The device should only halt/panic if the primary slot is also inaccessible or missing a valid image.

Actual Behaviour

MCUboot currently halts or panics on flash access/open failure, even if the primary slot is working.

Impact

• Devices could become unrecoverable due to secondary slot issues, even though the primary image is fine.
• This reduces device robustness and could lead to unnecessary field failures.

Request

Please provide your thoughts and guidance on how to implement a solution for this scenario. Additionally, what edge cases or system states should be considered to ensure robust and safe behaviour if only the secondary slot is inaccessible? Your feedback on possible approaches, risks, and required MCUboot changes would be greatly appreciated.

References

• MCUboot loader.c flash access failure handling

[nordicjm]

This is by design, the hardware should be valid and designed to work. The secondary slot contains an update image, and for security reasons you might want to ensure that newer firmware versions are always installed but what you are suggesting here means an attacker can completely defeat any such measure just be removing power or a data line to an external flash (or other) storage medium, thus reducing the security of your system meaning you can no longer guarantee security vulnerabilities are patched