monolithic self-updates: force DISABLE_BACKUP=1, eliminate swap, eliminate update code

bigbrett · danielinux · commit c45268ed7f5d · 2026-04-17T08:27:05.000+02:00
diff --git a/Makefile b/Makefile
@@ -470,7 +470,7 @@ assemble_internal_flash.dd: FORCE
 		0 wolfboot.bin \
 		$$(($(WOLFBOOT_PARTITION_BOOT_ADDRESS) - $(ARCH_FLASH_OFFSET))) test-app/image_v1_signed.bin \
 		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS)-$(ARCH_FLASH_OFFSET))) /tmp/swap \
-		$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS)-$(ARCH_FLASH_OFFSET))) /tmp/swap
+		$(if $(DISABLE_BACKUP),,$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS)-$(ARCH_FLASH_OFFSET))) /tmp/swap) # swap unused with DISABLE_BACKUP
 
 internal_flash.dd: $(BINASSEMBLE) wolfboot.bin $(BOOT_IMG) $(PRIVATE_KEY) test-app/image_v1_signed.bin
 	@echo "\t[MERGE] internal_flash.dd"
diff --git a/config/examples/sim-self-update-monolithic.config b/config/examples/sim-self-update-monolithic.config
@@ -14,7 +14,6 @@ WOLFBOOT_PARTITION_SIZE=0x40000
 WOLFBOOT_SECTOR_SIZE=0x1000
 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x20000
 WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x60000
-WOLFBOOT_PARTITION_SWAP_ADDRESS=0xA0000
 
 # required for keytools
 WOLFBOOT_FIXED_PARTITIONS=1
diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h
@@ -487,6 +487,22 @@ extern "C" {
 
 #endif /* defined WOLFBOOT */
 
+/* Monolithic self-update: imply DISABLE_BACKUP and enforce prerequisites */
+#ifdef WOLFBOOT_SELF_UPDATE_MONOLITHIC
+  #ifndef DISABLE_BACKUP
+    #define DISABLE_BACKUP
+  #endif
+  #ifdef DELTA_UPDATES
+    #error "DELTA_UPDATES is not compatible with WOLFBOOT_SELF_UPDATE_MONOLITHIC"
+  #endif
+  #ifdef NVM_FLASH_WRITEONCE
+    #error "NVM_FLASH_WRITEONCE is not compatible with WOLFBOOT_SELF_UPDATE_MONOLITHIC"
+  #endif
+  #ifndef RAM_CODE
+    #error "WOLFBOOT_SELF_UPDATE_MONOLITHIC requires RAM_CODE"
+  #endif
+#endif
+
 #define PART_BOOT   0
 #define PART_UPDATE 1
 #define PART_SWAP   2
diff --git a/options.mk b/options.mk
@@ -98,6 +98,7 @@ ifeq ($(WOLFBOOT_SELF_UPDATE_MONOLITHIC),1)
 endif
 ifeq ($(SELF_UPDATE_MONOLITHIC),1)
   CFLAGS+=-DWOLFBOOT_SELF_UPDATE_MONOLITHIC
+  DISABLE_BACKUP=1
 endif
 
 ## Persist wolfBoot self header at fixed address
@@ -732,6 +733,7 @@ endif
 ifeq ($(DISABLE_BACKUP),1)
   $(warning DISABLE_BACKUP=1 disables power-fail-safe updates; losing power during an update can leave BOOT partially written and unrecoverable)
   CFLAGS+= -D"DISABLE_BACKUP"
+  WOLFBOOT_PARTITION_SWAP_ADDRESS?=0
 endif
 
 DEBUG_SYMBOLS?=0
diff --git a/src/update_flash.c b/src/update_flash.c
@@ -243,6 +243,10 @@ void RAMFUNCTION wolfBoot_check_self_update(void)
 }
 #endif /* RAM_CODE for self_update */
 
+#ifndef WOLFBOOT_SELF_UPDATE_MONOLITHIC
+/* The swap-based update machinery (wolfBoot_copy_sector, wolfBoot_update, etc.)
+ * is not used in monolithic self-update mode. */
+
 static int RAMFUNCTION wolfBoot_copy_sector(struct wolfBoot_image *src,
     struct wolfBoot_image *dst, uint32_t sector)
 {
@@ -860,7 +864,10 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
      * magic has not been set flag will have an un-determined value when we go
      * to check it */
     uint8_t flag = SECT_FLAG_NEW;
-    struct wolfBoot_image boot, update, swap;
+    struct wolfBoot_image boot, update;
+#ifndef DISABLE_BACKUP
+    struct wolfBoot_image swap;
+#endif
     uint16_t update_type;
     uint32_t fw_size;
     uint32_t size;
@@ -912,7 +919,9 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
             return -1;
 #endif
         wolfBoot_open_image(&boot, PART_BOOT);
+#ifndef DISABLE_BACKUP
         wolfBoot_open_image(&swap, PART_SWAP);
+#endif
 
 #if defined(EXT_ENCRYPTED) && defined(DELTA_UPDATES)
         wolfBoot_printf("Update partition fallback image: %d\n", fallback_image);
@@ -1270,6 +1279,7 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
 #ifdef __CCRX__
 #pragma section
 #endif
+#endif /* !WOLFBOOT_SELF_UPDATE_MONOLITHIC */
 
 #if defined(ARCH_SIM) && defined(WOLFBOOT_TPM) && defined(WOLFBOOT_TPM_SEAL)
 int wolfBoot_unlock_disk(void)
@@ -1382,12 +1392,14 @@ int wolfBoot_unlock_disk(void)
 void RAMFUNCTION wolfBoot_start(void)
 {
     int bootRet;
+#ifndef WOLFBOOT_SELF_UPDATE_MONOLITHIC
     int updateRet;
 #ifndef DISABLE_BACKUP
     int resumedFinalErase;
 #endif
     uint8_t bootState;
     uint8_t updateState;
+#endif /* !WOLFBOOT_SELF_UPDATE_MONOLITHIC */
     struct wolfBoot_image boot;
 
 #if defined(ARCH_SIM) && defined(WOLFBOOT_TPM) && defined(WOLFBOOT_TPM_SEAL)
@@ -1398,6 +1410,8 @@ void RAMFUNCTION wolfBoot_start(void)
     wolfBoot_check_self_update();
 #endif
 
+#ifndef WOLFBOOT_SELF_UPDATE_MONOLITHIC
+
 #ifdef NVM_FLASH_WRITEONCE
     /* nvm_select_fresh_sector needs unlocked flash in cases where the unused
      * sector needs to be erased */
@@ -1456,6 +1470,12 @@ void RAMFUNCTION wolfBoot_start(void)
         }
     }
 
+#else /* WOLFBOOT_SELF_UPDATE_MONOLITHIC */
+#ifdef SECURE_PKCS11
+    WP11_Library_Init();
+#endif
+#endif /* !WOLFBOOT_SELF_UPDATE_MONOLITHIC */
+
     bootRet = wolfBoot_open_image(&boot, PART_BOOT);
     wolfBoot_printf("Booting version: 0x%x\n",
         wolfBoot_get_blob_version(boot.hdr));
@@ -1467,6 +1487,7 @@ void RAMFUNCTION wolfBoot_start(void)
     ) {
         wolfBoot_printf("Boot failed: Hdr %d, Hash %d, Sig %d\n",
             boot.hdr_ok, boot.sha_ok, boot.signature_ok);
+#ifndef WOLFBOOT_SELF_UPDATE_MONOLITHIC
         wolfBoot_printf("Trying emergency update\n");
         if (likely(wolfBoot_update(1) < 0)) {
             /* panic: no boot option available. */
@@ -1490,6 +1511,13 @@ void RAMFUNCTION wolfBoot_start(void)
                 wolfBoot_panic();
             }
         }
+#else
+        /* Monolithic mode: no emergency update path available */
+    #ifdef WOLFBOOT_TPM
+        wolfBoot_tpm2_deinit();
+    #endif
+        wolfBoot_panic();
+#endif /* !WOLFBOOT_SELF_UPDATE_MONOLITHIC */
     }
     if ((boot.hdr_ok != 1U) || (boot.sha_ok != 1U) ||
         (boot.signature_ok != 1U)) {
diff --git a/tools/test.mk b/tools/test.mk
@@ -282,15 +282,13 @@ test-sim-self-update-monolithic: wolfboot.bin test-app/image_v1_signed.bin FORCE
 	$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_PARTITION_SIZE))) count=1 2>/dev/null | tr '\000' '\377' > update_part.dd
 	$(Q)dd if=monolithic_payload_v2_signed.bin of=update_part.dd bs=1 conv=notrunc
 	$(Q)printf "pBOOT" | dd of=update_part.dd bs=1 seek=$$(($(WOLFBOOT_PARTITION_SIZE) - 5)) conv=notrunc
-	@# Create erased boot and swap partitions
+	@# Create erased boot partition
 	$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_PARTITION_SIZE))) count=1 2>/dev/null | tr '\000' '\377' > boot_part.dd
-	$(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_SECTOR_SIZE))) count=1 2>/dev/null | tr '\000' '\377' > erased_sec.dd
-	@# Assemble flash: wolfboot.bin at 0, empty boot partition, update partition, swap
+	@# Assemble flash: wolfboot.bin at 0, empty boot partition, update partition
 	$(Q)$(BINASSEMBLE) internal_flash.dd \
 		0 wolfboot.bin \
 		$$(($(WOLFBOOT_PARTITION_BOOT_ADDRESS) - $(ARCH_FLASH_OFFSET))) boot_part.dd \
-		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS) - $(ARCH_FLASH_OFFSET))) update_part.dd \
-		$$(($(WOLFBOOT_PARTITION_SWAP_ADDRESS) - $(ARCH_FLASH_OFFSET))) erased_sec.dd
+		$$(($(WOLFBOOT_PARTITION_UPDATE_ADDRESS) - $(ARCH_FLASH_OFFSET))) update_part.dd
 	@# Run simulator - self-update fires, copies monolithic payload to offset 0
 	$(Q)./wolfboot.elf get_version || true
 	@# Verify bootloader region contains 0xAA pattern (dummy bootloader was written)
