Fix handling rollback when ARMORED=1 and FLASH_TOP

danielinux · danielinux · commit 08692b1d8e31 · 2026-01-12T09:44:44.000+01:00
diff --git a/hal/stm32_tz.c b/hal/stm32_tz.c
@@ -301,11 +301,18 @@ void hal_tz_sau_init(void)
     sau_init_region(0, WOLFBOOT_NSC_ADDRESS,
             WOLFBOOT_NSC_ADDRESS + WOLFBOOT_NSC_SIZE - 1, 1);
 
-    /* Secure: application flash area (first bank) */
-    sau_init_region(1, WOLFBOOT_PARTITION_BOOT_ADDRESS, FLASH_BANK2_BASE - 1, 0);
-
-    /* Secure: application flash area (second bank) */
-    sau_init_region(2, WOLFBOOT_PARTITION_UPDATE_ADDRESS, FLASH_TOP, 0);
+    /* Non-secure flash alias (entire NS flash window) */
+    sau_init_region(1, 0x08000000, FLASH_TOP, 0);
+
+    /* Secure: update partition in secure alias (use matching FLASH_TOP base) */
+    uint32_t flash_top_secure = FLASH_TOP;
+    if ((WOLFBOOT_PARTITION_UPDATE_ADDRESS & 0xFF000000u) !=
+        (FLASH_TOP & 0xFF000000u)) {
+        flash_top_secure =
+            (WOLFBOOT_PARTITION_UPDATE_ADDRESS & 0xFF000000u) |
+            (FLASH_TOP & 0x00FFFFFFu);
+    }
+    sau_init_region(2, WOLFBOOT_PARTITION_UPDATE_ADDRESS, flash_top_secure, 1);
 
     /* Secure RAM regions in SRAM1/SRAM2 */
     sau_init_region(3, 0x30000000, 0x3004FFFF, 1);
@@ -435,4 +442,3 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len)
 }
 
 #endif
-
diff --git a/src/update_flash.c b/src/update_flash.c
@@ -686,6 +686,11 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
     int inverse = 0;
 #endif
     int fallback_image = 0;
+#ifndef DISABLE_BACKUP
+    int rollback = 0;
+    int bootStateRet = -1;
+    uint8_t bootState = 0;
+#endif
 #if defined(DISABLE_BACKUP) && defined(EXT_ENCRYPTED)
     uint8_t key[ENCRYPT_KEY_SIZE];
     uint8_t nonce[ENCRYPT_NONCE_SIZE];
@@ -748,6 +753,13 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
 
     cur_ver = wolfBoot_current_firmware_version();
     upd_ver = wolfBoot_update_firmware_version();
+#ifndef DISABLE_BACKUP
+    bootStateRet = wolfBoot_get_partition_state(PART_BOOT, &bootState);
+    if ((bootStateRet == 0) && (bootState == IMG_STATE_TESTING) &&
+        (fallback_allowed != 0) && (cur_ver >= upd_ver)) {
+        rollback = 1;
+    }
+#endif
 
     wolfBoot_get_update_sector_flag(0, &flag);
     /* Check the first sector to detect interrupted update */
@@ -787,9 +799,9 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
             cur_ver, upd_ver);
 
 #ifndef ALLOW_DOWNGRADE
-        if ( ((fallback_allowed==1) &&
-                    (~(uint32_t)fallback_allowed == 0xFFFFFFFE)) ||
-                (cur_ver < upd_ver) ) {
+        if (fallback_allowed != 0) {
+            /* Fallback path skips redundant version checks. */
+        } else if (cur_ver < upd_ver) {
             VERIFY_VERSION_ALLOWED(fallback_allowed);
         } else {
             wolfBoot_printf("Update version not allowed\n");
@@ -973,6 +985,19 @@ static int RAMFUNCTION wolfBoot_update(int fallback_allowed)
     /* start re-entrant final erase, return code is only for resumption in
      * wolfBoot_start */
     wolfBoot_swap_and_final_erase(0);
+#ifndef DISABLE_BACKUP
+    if (rollback) {
+        hal_flash_unlock();
+#ifdef EXT_FLASH
+        ext_flash_unlock();
+#endif
+        wolfBoot_set_partition_state(PART_BOOT, IMG_STATE_SUCCESS);
+#ifdef EXT_FLASH
+        ext_flash_lock();
+#endif
+        hal_flash_lock();
+    }
+#endif
 #else
     /* Mark boot partition as TESTING - this tells bootloader to fallback if update fails */
     wolfBoot_set_partition_state(PART_BOOT, IMG_STATE_TESTING);
@@ -1201,13 +1226,27 @@ void RAMFUNCTION wolfBoot_start(void)
 #if !defined(DISABLE_BACKUP) && !defined(CUSTOM_PARTITION_TRAILER)
     /* resume the final erase in case the power failed before it finished */
     resumedFinalErase = wolfBoot_swap_and_final_erase(1);
-    if (resumedFinalErase != 0)
+    if ((resumedFinalErase != 0) ||
+        ((bootRet == 0) && (bootState == IMG_STATE_TESTING)))
 #endif
     {
         /* Check if the BOOT partition is still in TESTING,
          * to trigger fallback.
          */
         if ((bootRet == 0) && (bootState == IMG_STATE_TESTING)) {
+            if (updateRet != 0) {
+                hal_flash_unlock();
+#ifdef EXT_FLASH
+                ext_flash_unlock();
+#endif
+                wolfBoot_set_partition_state(PART_UPDATE, IMG_STATE_UPDATING);
+#ifdef EXT_FLASH
+                ext_flash_lock();
+#endif
+                hal_flash_lock();
+                updateRet = 0;
+                updateState = IMG_STATE_UPDATING;
+            }
             wolfBoot_update(1);
         }
 
