Avoid write to not-erased magic

This introduces an additional marker to the state partition right after the magic which indicates whether the current progress is valid or not. Validation in tests that we never write without an erase is added. There is currently a FIXME in the FirmwareUpdater. Let me know if we should take the erase value as a parameter. I opened a feature request in embedded-storage to get this value in the trait. Before this, the assumption about ERASE_VALUE=0xFF was the same.
2023-04-04 07:18:29 +02:00 · 2023-04-04 07:18:29 +02:00 · df3a1e1b9d
commit df3a1e1b9d
parent 7c11d85e1e
4 changed files with 63 additions and 81 deletions
--- a/embassy-boot/boot/src/firmware_updater.rs
+++ b/embassy-boot/boot/src/firmware_updater.rs
@ -220,11 +220,24 @@ impl FirmwareUpdater {
        self.state.read(state_flash, 0, aligned).await?;

        if aligned.iter().any(|&b| b != magic) {
-            aligned.fill(0);
+            // Read progress validity
+            self.state.read(state_flash, F::WRITE_SIZE as u32, aligned).await?;

-            self.state.write(state_flash, 0, aligned).await?;
+            // FIXME: Do not make this assumption.
+            const STATE_ERASE_VALUE: u8 = 0xFF;
+
+            if aligned.iter().any(|&b| b != STATE_ERASE_VALUE) {
+                // The current progress validity marker is invalid
+            } else {
+                // Invalidate progress
+                aligned.fill(!STATE_ERASE_VALUE);
+                self.state.write(state_flash, F::WRITE_SIZE as u32, aligned).await?;
+            }
+
+            // Clear magic and progress
            self.state.wipe(state_flash).await?;

+            // Set magic
            aligned.fill(magic);
            self.state.write(state_flash, 0, aligned).await?;
        }
@ -420,11 +433,24 @@ impl FirmwareUpdater {
        self.state.read_blocking(state_flash, 0, aligned)?;

        if aligned.iter().any(|&b| b != magic) {
-            aligned.fill(0);
+            // Read progress validity
+            self.state.read_blocking(state_flash, F::WRITE_SIZE as u32, aligned)?;

-            self.state.write_blocking(state_flash, 0, aligned)?;
+            // FIXME: Do not make this assumption.
+            const STATE_ERASE_VALUE: u8 = 0xFF;
+
+            if aligned.iter().any(|&b| b != STATE_ERASE_VALUE) {
+                // The current progress validity marker is invalid
+            } else {
+                // Invalidate progress
+                aligned.fill(!STATE_ERASE_VALUE);
+                self.state.write_blocking(state_flash, F::WRITE_SIZE as u32, aligned)?;
+            }
+
+            // Clear magic and progress
            self.state.wipe_blocking(state_flash)?;

+            // Set magic
            aligned.fill(magic);
            self.state.write_blocking(state_flash, 0, aligned)?;
        }