mcu-tools · danieldegrasse · Feb 3, 2025 · Feb 4, 2025 · Feb 28, 2025
@@ -259,7 +259,8 @@ struct boot_loader_state {
         /* Image destination and size for the active slot */
         uint32_t img_dst;
         uint32_t img_sz;
-#elif defined(MCUBOOT_DIRECT_XIP_REVERT)
+#endif
+#if defined(MCUBOOT_DIRECT_XIP_REVERT) || defined(MCUBOOT_RAM_LOAD_REVERT)
         /* Swap status for the active slot */
         struct boot_swap_state swap_state;
 #endif

@@ -2634,7 +2634,8 @@ print_loaded_images(struct boot_loader_state *state)
 }
 #endif
 
-#if defined(MCUBOOT_DIRECT_XIP) && defined(MCUBOOT_DIRECT_XIP_REVERT)
+#if (defined(MCUBOOT_DIRECT_XIP) && defined(MCUBOOT_DIRECT_XIP_REVERT)) || \
+    (defined(MCUBOOT_RAM_LOAD) && defined(MCUBOOT_RAM_LOAD_REVERT))
 /**
  * Checks whether the active slot of the current image was previously selected
  * to run. Erases the image if it was selected but its execution failed,
@@ -2758,17 +2759,17 @@ boot_load_and_validate_images(struct boot_loader_state *state)
                 state->slot_usage[BOOT_CURR_IMG(state)].active_slot = NO_ACTIVE_SLOT;
                 continue;
             }
+#endif /* MCUBOOT_DIRECT_XIP */
 
-#ifdef MCUBOOT_DIRECT_XIP_REVERT
+#if defined(MCUBOOT_DIRECT_XIP_REVERT) || defined(MCUBOOT_RAM_LOAD_REVERT)
             rc = boot_select_or_erase(state);
             if (rc != 0) {
                 /* The selected image slot has been erased. */
                 state->slot_usage[BOOT_CURR_IMG(state)].slot_available[active_slot] = false;
                 state->slot_usage[BOOT_CURR_IMG(state)].active_slot = NO_ACTIVE_SLOT;
                 continue;
             }
-#endif /* MCUBOOT_DIRECT_XIP_REVERT */
-#endif /* MCUBOOT_DIRECT_XIP */
+#endif /* MCUBOOT_DIRECT_XIP_REVERT || MCUBOOT_RAM_LOAD_REVERT */
 
 #ifdef MCUBOOT_RAM_LOAD
             /* Image is first loaded to RAM and authenticated there in order to

@@ -344,6 +344,17 @@ config BOOT_DIRECT_XIP_REVERT
 	  attempt to boot the previous image. The images can also be made permanent
 	  (marked as confirmed in advance) just like in swap mode.
 
+config BOOT_RAM_LOAD_REVERT
+	bool "Enable the revert mechanism in ram-load mode"
+	depends on BOOT_RAM_LOAD
+	help
+	  If y, enables the revert mechanism in ram-load similar to the one in
+	  swap mode. It requires the trailer magic to be added to the signed image.
+	  When a reboot happens without the image being confirmed at runtime, the
+	  bootloader considers the image faulty and erases it. After this it will
+	  attempt to boot the previous image. The images can also be made permanent
+	  (marked as confirmed in advance) just like in swap mode.
+
 config BOOT_BOOTSTRAP
 	bool "Bootstrap erased the primary slot from the secondary slot"
 	default n

@@ -0,0 +1,26 @@
+/ {
+	sram@80007F00 {
+		compatible = "zephyr,memory-region", "mmio-sram";
+		reg = <0x80007F00 0x100>;
+		zephyr,memory-region = "RetainedMem";
+		status = "okay";
+
+		retainedmem {
+			compatible = "zephyr,retained-ram";
+			status = "okay";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			boot_info0: boot_info@0 {
+				compatible = "zephyr,retention";
+				status = "okay";
+				reg = <0x0 0x100>;
+			};
+		};
+	};
+
+	chosen {
+		zephyr,bootloader-info = &boot_info0;
+		zephyr,code-partition = &boot_partition;
+	};
+};
@@ -0,0 +1,26 @@
+/ {
+	sram@2003FF00 {
+		compatible = "zephyr,memory-region", "mmio-sram";
+		reg = <0x2003FF00 0x100>;
+		zephyr,memory-region = "RetainedMem";
+		status = "okay";
+
+		retainedmem {
+			compatible = "zephyr,retained-ram";
+			status = "okay";
+			#address-cells = <1>;
+			#size-cells = <1>;
+
+			boot_info0: boot_info@0 {
+				compatible = "zephyr,retention";
+				status = "okay";
+				reg = <0x0 0x100>;
+			};
+		};
+	};
+
+	chosen {
+		zephyr,bootloader-info = &boot_info0;
+		zephyr,code-partition = &boot_partition;
+	};
+};
@@ -92,6 +92,10 @@
 #define MCUBOOT_DIRECT_XIP_REVERT
 #endif
 
+#ifdef CONFIG_BOOT_RAM_LOAD_REVERT
+#define MCUBOOT_RAM_LOAD_REVERT
+#endif
+
 #ifdef CONFIG_BOOT_RAM_LOAD
 #define MCUBOOT_RAM_LOAD 1
 #define IMAGE_EXECUTABLE_RAM_START CONFIG_BOOT_IMAGE_EXECUTABLE_RAM_START

@@ -296,7 +296,7 @@ image. After a successful validation of the selected image the bootloader
 chain-loads it.
 
 An additional "revert" mechanism is also supported. For more information, please
-read the [corresponding section](#direct-xip-revert).
+read the [corresponding section](#direct-xip-ram-load-revert).
 Handling the primary and secondary slots as equals has its drawbacks. Since the
 images are not moved between the slots, the on-the-fly image
 encryption/decryption can't be supported (it only applies to storing the image
@@ -351,6 +351,11 @@ happens as described above. If the image is encrypted, it is copied in RAM at
 the provided address and then decrypted. Finally, the decrypted image is
 authenticated in RAM and executed.
 
+Similar to direct-xip, ram-load mode also supports a "revert" mechanism.
+This mechanism works in the same manner as the direct-xip revert mechanism does,
+so please see the [corresponding section](#direct-xip-ram-load-revert) for
+more details.
+
 ## [Boot swap types](#boot-swap-types)
 
 When the device first boots under normal circumstances, there is an up-to-date
@@ -406,19 +411,22 @@ The "swap type" is a high-level representation of the outcome of the
 boot. Subsequent sections describe how MCUboot determines the swap type from
 the bit-level contents of flash.
 
-### [Revert mechanism in direct-xip mode](#direct-xip-revert)
-
-The direct-xip mode also supports a "revert" mechanism which is the equivalent
-of the swap mode's "revert" swap. When the direct-xip mode is selected it can be
-enabled with the MCUBOOT_DIRECT_XIP_REVERT config option and an image trailer
-must also be added to the signed images (the "--pad" option of the `imgtool`
-script must be used). For more information on this please read the
-[Image Trailer](#image-trailer) section and the [imgtool](imgtool.md)
-documentation. Making the images permanent (marking them as confirmed in
-advance) is also supported just like in swap mode. The individual steps of the
-direct-xip mode's "revert" mechanism are the following:
-
-1. Select the slot which holds the newest potential image.
+### [Revert mechanism in direct-xip and ram-load mode](#direct-xip-ram-load-revert)
+
+The direct-xip and ram-load modes also support a "revert" mechanism which is the
+equivalent of the swap mode's "revert" swap. When the direct-xip mode is
+selected it can be enabled with the `MCUBOOT_DIRECT_XIP_REVERT` config option.
+In ram-load mode, the feature is enabled with `MCUBOOT_RAM_LOAD_REVERT` config
+option.  Note that an image trailer must also be added to the signed images (the
+"--pad" option of the `imgtool` script must be used). Otherwise, MCUboot will
+not recognize the image as valid and will attempt to revert it. For more
+information on this please read the [Image Trailer](#image-trailer) section and
+the [imgtool](imgtool.md) documentation. Making the images permanent (marking
+them as confirmed in advance) is also supported just like in swap mode. The
+individual steps of this "revert" mechanism are the following:
+
+1. Select the slot which holds the newest potential image, based on the
+   version number
 2. Was the image previously selected to run (during a previous boot)?
     + Yes: Did the image mark itself "OK" (was the self-test successful)?
         + Yes.

@@ -0,0 +1,2 @@
+- Enabled support for ram-load revert mode, which functions using the same
+  logic as direct-xip revert mode but loads the executable image to ram.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- Enabled support for ram-load revert mode, which functions using the same
		logic as direct-xip revert mode but loads the executable image to ram.