How to reject old firmware version from AWS FOTA at NRF9160 side?

Take a look at https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.8.0/nrf/ug_fw_update.html#preventing-downgrades-using-mcuboot to see how to prevent downgrades with MCUboot.

Best regards,

Simon

Hi Simon

1. I tried sdk connect v1.8.0 application update example. Added configuration settings to prevent downgrade.

   However, it popped error as the project was opened. Anything wrong?

2. The project customer referred to was v1.3.0. So, does it support mcuboot preventing downgrade?

Jeffery

Jeffery said:

 However, it popped error as the project was opened. Anything wrong?

If you look at this command

west build -b board application -- \
-DCONFIG_BOOTLOADER_MCUBOOT=y \
-DCONFIG_MCUBOOT_IMAGE_VERSION=\"0.1.2\+3\" \
-Dmcuboot_CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y \
-Dmcuboot_CONFIG_BOOT_UPGRADE_ONLY=y

You can see that some of the configs are meant for the application (<application>/prj.conf), and some of the configs are meant for mcuboot (<ncs>/bootloader/mcuboot). Specifically the configs written like "-D<config>" are for the application, while the configs written like "-Dmcuboot<config>" are for mcuboot. The reason it doesn't work is because you have added everything to the application prj.conf file.

You can also take a look at the ticket mcuboot customer config to see how to set mcuboot configurations from the application.

Jeffery said:

2. The project customer referred to was v1.3.0. So, does it support mcuboot preventing downgrade?

Yes, downgrade preventions should be possible in NCS v1.3.0. I could not find any information about it in the NCS v1.3.0 documentation, but I found some lines mentioning it in the MCUBoot v1.3.0 documentation: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/1.3.0/mcuboot/design.html#downgrade-prevention

In the above link, both SW based and HW based downgrade preventions are described. I forgot to mention the HW based method in my initial answer.

Best regards,

Simon

Hi Simon

1. It can compile now. My test project is v1.8.0 application update. What I did as below.

A. Added below string at CMakeLists.txt

set(mcuboot_OVERLAY_CONFIG
${CMAKE_CURRENT_LIST_DIR}/mcuboot.conf
)

B. Create mcuboot.conf at project folder. Then, fill below settngs.

CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y
CONFIG_BOOT_UPGRADE_ONLY=y

C. Added below setting at prj.conf

CONFIG_MCUBOOT_IMAGE_VERSION="0.1.0"

2. AWS address was default and not overwritten. So, nrf9160 will connect to Nordic's AWS account.

3. After press button1, it started downloading data. As reached to 100%, reset DK for swap test.

   The FOTA was done. 

   However, it shall not be successfully since mcuboot version at my DK (1.0.0) is newer than version

   from AWS(0.0.0). Why is it successful to be downgraded?

Jeffery

Could you show me the files <sample>/build/zephyr/.config and <sample>/build/mcuboot/zephyr/.config of the firmware on the DK (where version is 1.0.0).

Can you also show me the file <sample>/build/zephyr/.config of the firmware to be updated (where version is 0.0.0).

Best regards,

Simon

Hi Simon

1.config =>v1.8.0...\app_test\build_nrf9160dk_nrf9160_ns\zephyr\.config

2.config=>v1.8.0...\app_test\build_nrf9160dk_nrf9160_ns\mcuboot\zephyr\.config

Also, I attached CMakeLists.txt and log result.

The log result was different to what I said at previous message after I put set(mcuboot_OVERLAY_CONFIG~ just under cmake_minimum_required at CMakeLists.txt.

As to the file <sample>/build/zephyr/.config of the firmware to be updated (where version is 0.0.0), I don't have it. I used your demo AWS FOTA to verify as below in prj.conf. 

CONFIG_DOWNLOAD_HOST="nrfconnectsdk.s3.eu-central-1.amazonaws.com"
CONFIG_DOWNLOAD_FILE="app_update.bin"
CONFIG_APPLICATION_VERSION=1

I tested this myself, and it seems like there is some bugs with the OVERLAY_CONFIG functionality. I will report internally as a bug*

Instead I added the MCUBoot configs in the CMakeListst.txt like this:

set(mcuboot_CONFIG_MCUBOOT_DOWNGRADE_PREVENTION
    y
)
set(mcuboot_CONFIG_BOOT_UPGRADE_ONLY
    y
)

Could you test the following sample with NCS v1.8.0:

• Build it using the board nrf9160dk_nrf9160_ns
• You should get the following output:

...
...
...
29 NRF_PDM              Non-Secure      OK
30 NRF_I2S              Non-Secure      OK
31 NRF_GPIOTE1          Non-Secure      OK

SPM: NS image at 0x20200
SPM: NS MSP at 0x200154d0
SPM: NS reset vector at 0x216cd
SPM: prepare to jump to Non-Secure image.
*** Booting Zephyr OS build v2.7.0-ncs1  ***
MCUBOOT IMAGE VERSION: 1.0.0
Hello World! nrf9160dk_nrf9160

• Next, change CONFIG_MCUBOOT_IMAGE_VERSION to "0.0.0" in mcuboot_prevent_downgrade/prj.conf
• Build the sample again (pristine) without flashing it
  • Make sure CONFIG_MCUBOOT_IMAGE_VERSION is "0.0.0" in <sample>/build/zephyr/.config
• Open the command line in ../mcuboot_prevent_downgrade/build/zephyr and run the following command:

nrfjprog --program app_moved_test_update.hex

Read more about the file app_moved_test_update.hex in the MCUBoot documentation

• Reset the nRF9160 DK and you should see the following output:

*** Booting Zephyr OS build v2.7.0-ncs1  ***
I: Starting bootloader
I: Swap type: test
E: insufficient version in secondary slot
I: Bootloader chainload address offset: 0x10000
*** Booting Zephyr OS build v2.7.0-ncs1  ***
Flash regions           Domain          Permissions
00 03 0x00000 0x20000   Secure          rwxl
...
...
...
SPM: prepare to jump to Non-Secure image.
*** Booting Zephyr OS build v2.7.0-ncs1  ***
MCUBOOT IMAGE VERSION: 1.0.0
Hello World! nrf9160dk_nrf9160

Report back to me if this works for you or not

Best regards,

Simon

*I had to enable these in mcuboot.conf, then "Unable to find bootable image.." went away

CONFIG_PARTITION_MANAGER_ENABLED=y
CONFIG_FLASH_MAP_CUSTOM=y

Then I added the below configs to mcuboot.conf as well, but they were not propogated to the file <sample>/build/mcuboot/zephyr/.config

CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y
CONFIG_BOOT_UPGRADE_ONLY=y

I will report this internally and get back to you in this ticket when we find a solution

I tested this myself, and it seems like there is some bugs with the OVERLAY_CONFIG functionality. I will report internally as a bug*

Instead I added the MCUBoot configs in the CMakeListst.txt like this:

set(mcuboot_CONFIG_MCUBOOT_DOWNGRADE_PREVENTION
    y
)
set(mcuboot_CONFIG_BOOT_UPGRADE_ONLY
    y
)

Could you test the following sample with NCS v1.8.0:

• Build it using the board nrf9160dk_nrf9160_ns
• You should get the following output:

...
...
...
29 NRF_PDM              Non-Secure      OK
30 NRF_I2S              Non-Secure      OK
31 NRF_GPIOTE1          Non-Secure      OK

SPM: NS image at 0x20200
SPM: NS MSP at 0x200154d0
SPM: NS reset vector at 0x216cd
SPM: prepare to jump to Non-Secure image.
*** Booting Zephyr OS build v2.7.0-ncs1  ***
MCUBOOT IMAGE VERSION: 1.0.0
Hello World! nrf9160dk_nrf9160

• Next, change CONFIG_MCUBOOT_IMAGE_VERSION to "0.0.0" in mcuboot_prevent_downgrade/prj.conf
• Build the sample again (pristine) without flashing it
  • Make sure CONFIG_MCUBOOT_IMAGE_VERSION is "0.0.0" in <sample>/build/zephyr/.config
• Open the command line in ../mcuboot_prevent_downgrade/build/zephyr and run the following command:

nrfjprog --program app_moved_test_update.hex

Read more about the file app_moved_test_update.hex in the MCUBoot documentation

• Reset the nRF9160 DK and you should see the following output:

*** Booting Zephyr OS build v2.7.0-ncs1  ***
I: Starting bootloader
I: Swap type: test
E: insufficient version in secondary slot
I: Bootloader chainload address offset: 0x10000
*** Booting Zephyr OS build v2.7.0-ncs1  ***
Flash regions           Domain          Permissions
00 03 0x00000 0x20000   Secure          rwxl
...
...
...
SPM: prepare to jump to Non-Secure image.
*** Booting Zephyr OS build v2.7.0-ncs1  ***
MCUBOOT IMAGE VERSION: 1.0.0
Hello World! nrf9160dk_nrf9160

Report back to me if this works for you or not

Best regards,

Simon

*I had to enable these in mcuboot.conf, then "Unable to find bootable image.." went away

CONFIG_PARTITION_MANAGER_ENABLED=y
CONFIG_FLASH_MAP_CUSTOM=y

Then I added the below configs to mcuboot.conf as well, but they were not propogated to the file <sample>/build/mcuboot/zephyr/.config

CONFIG_MCUBOOT_DOWNGRADE_PREVENTION=y
CONFIG_BOOT_UPGRADE_ONLY=y

I will report this internally and get back to you in this ticket when we find a solution

Hi Simon

Thanks for your support. Now, preventing downgrade for AWS FOTA can work at v1.3.0 example.

By the way, we know CONFIG_MCUBOOT_IMAGE_VERSION string is formatted as "A.B.C+D".

What is maximum value for each digit (A, B, C and D)? Only from 0 to 9?

I cannot find the information at google serach.

Jeff

This is the struct used to store the image version (bootloader/mcuboot/boot/bootutil/include/bootutil/image.h):

struct image_version {
    uint8_t iv_major;
    uint8_t iv_minor;
    uint16_t iv_revision;
    uint32_t iv_build_num;
};

The format is the following: maj.min.rev+build

As you can see the major and minor fields are 1 byte long and can store numbers as large as 255. For the revision field (2 byte), the largest number you can store is 65536 and for build_num (4 bytes), the largest number you can store is 2^32.

Be aware that I have not done any tests using large numbers, so you may want to test yourself first to be certain.

user72692 said:

*I had to enable these in mcuboot.conf, then "Unable to find bootable image.." went away

CONFIG_PARTITION_MANAGER_ENABLED=y
CONFIG_FLASH_MAP_CUSTOM=y

is still needed even for NCS 1.9.1