New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Imgtool trailer size check incorrect for swap-using-move #1845
Comments
There is a way of knowing this before beginning an upload if you use MCUboot's data sharing, one of the values provided there is the maximum application size, so you can check the file size from the application to know if it would fit or not. But yes, ideally this should be fixed in imgtool. And it's not just a case of not the last sector as far as I'm aware, because it depends on how many sectors that your firmware used depends upon how many instances of this it requires: https://docs.mcuboot.com/design.html#swap-status - that might fit into a single sector if you have 128KB sectors but if you have e.g. 512 byte sectors, it could take many sectors. |
|
True, but we might still be able to use this to prevent it from compiling, and not only fail during signing. We are using swap-using-move, so the code-partition slot the application is built for is 2 sectors bigger than we actually have available. Setting the kconfig offset you are adding to the size of two sectors should fix our problem. Thanks! |
Since you're using an stm32 and I've not tested it with that, could you give the attached PR a try (configure the application as normal, note: requires using sysbuild) then run |
This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time. |
What
The calculation of the trailer size (
_trailer_size()
) is incorrect when the bootloader strategy is swap using move. It does not take the flash sector size into account, but rather the flash write size. For devices such as the STM32H7 the write size (32) is much smaller than the sector size (128k), which results in the calculated trailer size being much smaller than it will be in reality.This will result in the image being signed successfully. But when this image ends up in the primary slot, and a swap is requested, the swap will fail and the bootloader will panic.
In this example the available
917504
is correct (7 * 128k = 917504
), but the image was not1048576
and instead787416
. Note: these logs are from multiple different trail and errors, so the actual image size might be off by a few bytes.It fails on this line:
where:
which then prints the values relative to the sector sizes.
Expected behaviour
The imgtool take take the boot stategy into account, and fail while signing. And not fail in when an update is requested.
Impact
Quite bad, as it can brick your device in some circumstances. For example in our case where we only have a connection to the device through the application, and rely on the application to update. If the bootloader can't boot then the device is bricked.
More notes:
As far as I know the imgtool doesn't currently know what the boot strategy is, and can therefore not really know what size the trailer will be. For example, the code in the bootloader that determines the max image size depends on the boot strategy:
Maybe it's worth adding the swap strategy as argument to the imgtool. Then if it's available, and the stategy is swap-using-move, it can calculate the trailer size correctly.
Our setup
mcuboot:
1558e7ab0aadb4eac11f03befb5ccd3fa3f0aafe
The overlay file
The text was updated successfully, but these errors were encountered: