Skip to content

mcumgr: Prevent FW loader from self-destruction #26152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tomchy wants to merge 1 commit into
base: main
Choose a base branch
from
Open

mcumgr: Prevent FW loader from self-destruction #26152

tomchy wants to merge 1 commit into from

Conversation

@tomchy
Copy link
Contributor

@tomchy tomchy commented Dec 8, 2025

The FW loader reports and manages exactly two slots:

  • slot 0: this is the slot for the application code to update
  • slot 1: this is the slot, in which the FW loader is placed

The slot 1 is reported, so tools can fetch metadata about the FW loader installed on the device.
Unfortunately, currently SMP-based FW loader allows to issue slot erase command for the slot 1, effectively erasing the FW loader code that is being executed.

This change correctly identifies the slot 1 as an active one, marking it as used and blocking erase operation on that slot.

Ref: NCSDK-36684

@tomchy
mcumgr: Prevent FW loader from self-destruction
98aaab7 
The FW loader reports and manages exactly two slots:
 - slot 0: this is the slot for the application code to update
 - slot 1: this is the slot, in which the FW loader is placed

The slot 1 is reported, so tools can fetch metadata about the FW loader
installed on the device.
Unfortunately, currently SMP-based FW loader allows to issue slot erase
command for the slot 1, effectively erasing the FW loader code that is
being executed.

This change correctly identifies the slot 1 as an active one, marking
it as used and blocking erase operation on that slot.

Ref: NCSDK-36684

Signed-off-by: Tomasz Chyrowicz <[email protected]>
Copilot AI review requested due to automatic review settings December 8, 2025 16:17
@tomchy tomchy requested review from a team as code owners December 8, 2025 16:17
@tomchy tomchy added this to the 3.2.0 milestone Dec 8, 2025
@NordicBuilder NordicBuilder added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Dec 8, 2025
@tomchy tomchy added bugfix Fixes a known bug backport v3.2-branch and removed manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Dec 8, 2025
Copilot AI reviewed Dec 8, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prevents the firmware loader from erasing itself by correctly identifying its own slot (slot 1) as active and in-use. Previously, the firmware loader would allow erase commands on slot 1, which would destroy the running firmware loader code.

  • Removes the early return that always reported slot 1 as unused in firmware updater mode
  • Adds CONFIG_MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER to the conditional logic that determines if a slot is in use
  • Updates the Zephyr revision to incorporate related changes

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
west.yml Updates Zephyr revision to pull/3617/head to integrate upstream changes
subsys/mgmt/mcumgr/grp/img_mgmt/src/img_mgmt_state.c Fixes slot-in-use detection for firmware updater mode by restructuring preprocessor conditionals

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Dec 8, 2025

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
zephyr nrfconnect/sdk-zephyr@c09c6ab nrfconnect/sdk-zephyr#3617 nrfconnect/sdk-zephyr#3617/files

DNM label due to: 1 project with PR revision

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Dec 8, 2025
edited
Loading

CI Information

To view the history of this post, click the 'edited' button above
Build number: 1

Inputs:

Sources:

sdk-nrf: PR head: 98aaab7b3ad2a24eda8f969ef449a89079aee2dc
zephyr: PR head: d5c704632bbd949446d60a6bc335bec566174f3d

more details

sdk-nrf:

PR head: 98aaab7b3ad2a24eda8f969ef449a89079aee2dc
merge base: 059095979f2ce8c57fa9213f2e63126475ca3857
target head (main): 059095979f2ce8c57fa9213f2e63126475ca3857
Diff

zephyr:

PR head: d5c704632bbd949446d60a6bc335bec566174f3d
merge base: c09c6abd11695d6b9c2ea24c4e88822eee9ff3f9
target head (main): 62755cbbd8b1043256d520217273d62949bfbe3f
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (4) 
subsys
│  ├── mgmt
│  │  ├── mcumgr
│  │  │  ├── grp
│  │  │  │  ├── img_mgmt
│  │  │  │  │  ├── src
│  │  │  │  │  │  │ img_mgmt_state.c
west.yml
zephyr
│  ├── soc
│  │  ├── nordic
│  │  │  ├── common
│  │  │  │  ├── uicr
│  │  │  │  │  ├── periphconf
│  │  │  │  │  │  │ builder.py
│  ├── subsys
│  │  ├── mgmt
│  │  │  ├── mcumgr
│  │  │  │  ├── grp
│  │  │  │  │  ├── img_mgmt
│  │  │  │  │  │  ├── src
│  │  │  │  │  │  │  │ img_mgmt_state.c

Outputs:

Toolchain

Version: 43683a87ea
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:43683a87ea_5ea73affbf

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
    • sdk-nrf test count: 2066
    • sdk-zephyr test count: 557
  • ❌ Integration tests
    • ✅ test-sdk-audio
    • ✅ test_ble_nrf_config
    • ❌ test-fw-nrfconnect-chip - Error: Error starting job: null
    • ✅ test-fw-nrfconnect-nfc
    • ✅ test-fw-nrfconnect-nrf-iot_cloud
    • ✅ test-fw-nrfconnect-rs
    • ✅ test-fw-nrfconnect-fem
    • ✅ test-fw-nrfconnect-thread-main
    • ✅ test-sdk-find-my
    • ✅ test-sdk-mcuboot
    • ✅ test-sdk-dfu
Disabled integration tests
    • test-fw-nrfconnect-nrf_lrcs_mosh
    • test-fw-nrfconnect-nrf_lrcs_positioning
    • desktop52_verification
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-nrf_crypto
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-tfm
    • test-low-level
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@github-actions
Copy link

github-actions bot commented Dec 8, 2025

You can find the documentation preview for this PR here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@nvlsianpu nvlsianpu Awaiting requested review from nvlsianpu

@kszromek-nordic kszromek-nordic Awaiting requested review from kszromek-nordic

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

backport v3.2-branch bugfix Fixes a known bug DNM manifest manifest-zephyr

Projects

None yet

Milestone

3.2.0

Development

Successfully merging this pull request may close these issues.

2 participants

@tomchy @NordicBuilder