FWU rollback counter is not reset (after rauc-mark-good) on consecutive updates in FWU

Question

Hi everyone,we applied the ST FWU reference solution on our own platform based on the STM32MP157F.The solution was taken and adapted from the ST Yocto layer meta-st-ota (https://github.com/PRG-MPU-CUST/meta-st-ota). SummaryWhen performing consecutive updates using the ST FWU reference implementation (TF-A FWU metadata + RAUC + post-install.sh + rauc-mark-good.service), the FWU rollback boot counter keeps decreasing across successful updates. Expectation: after each successful boot of a newly updated bank (and rauc-mark-good.service finishing successfully), the FWU boot counter should be reset to the initial value (4 in this setup).Actual: the FWU boot counter is decremented (4 → 3 → 2) with each update cycle, even though the system was marked good. This suggests that the rollback counter is not being reset by the rauc-mark-good integration in the ST FWU reference solution.(full log is attached, including metadata content printed in hexa after each step) Reproduction and actual behaviorBoot fresh image (Bank A active).Observe TFA logs: TF-A selects bank 0 (A).INFO: Use primary FWU-MetadataINFO: Try load metadata id=12...NOTICE: Active index: 0, bank state: 252NOTICE: Selecting to boot from bank 0Simulate first update in Linux (A → B)On bank A:/usr/lib/rauc/post-install.sh    current_boot_slot=A    ...    active boot is B    boot count is enabled Then reboot:rebootFirst boot after first update (Bank B active)Observe TF-A logs:INFO: Use primary FWU-MetadataINFO: Try load metadata id=12...NOTICE: Active index: 1, bank state: 254 NOTICE: Fwu bootcount 4 NOTICE: Selecting to boot from bank 1 In Linux, rauc-mark-good runs and succeeds:systemctl status rauc-mark-good rauc-mark-good.service - Rauc Good-marking Service Main PID: 375 (code=exited, status=0/SUCCESS)Dec 11 10:19:46 stm32mp15-pb2-base-mx sh[376]: rauc status: marked slot(s) rootfs.1 as good -> Expectation here: bootcount should now be reset back to 4 (for next update).Simulate second consecutive update in Linux (B → A)On bank B: /usr/lib/rauc/post-install.sh current_boot_slot=B ... active boot is A boot count is enabled Then reboot:rebootSecond boot after second update (Bank A active)TF-A logs now show that the bootcounter decreased:INFO: Use primary FWU-Metadata INFO: Try load metadata id=12... NOTICE: Active index: 0, bank state: 254 NOTICE: Fwu bootcount 3 NOTICE: Selecting to boot from bank 0 In Linux, again rauc-mark-good runs and reports success:rauc-mark-good.service - Rauc Good-marking Service Main PID: 337 (code=exited, status=0/SUCCESS) Dec 11 10:25:50 stm32mp15-pb2-base-mx sh[342]: rauc status: marked slot(s) rootfs.0 as goodSimulate third update (A → B)On bank A:/usr/lib/rauc/post-install.sh Output:current_boot_slot=A ...active boot is B boot count is enabled Then reboot:rebootThird boot after third update (Bank B active)TF-A logs: INFO: Use primary FWU-Metadata INFO: Try load metadata id=12... NOTICE: Active index: 1, bank state: 254 NOTICE:Fwu bootcount 2 NOTICE: Selecting to boot from bank 1 Expected behaviorAfter each successful boot of a newly updated bank and successful execution of rauc-mark-good.service,  the FWU boot counter for that bank is reset to the initial value 4.And not 4 -> 3 -> 2

Christophe Guibout · Answer

Hello @maxim-senec,

I'am working on this point : I will update the meta-st-ota Yocto layer to be able to reset the bootcount when linux has boot : as FWU_INFO backup register is write secured, the idea is to create a TA to allow linux to update the bootcount.

Keep you in touch,
BR,

Christophe

Summary

Reproduction and actual behavior

Expected behavior

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded