Conversation
There was a problem hiding this comment.
Pull request overview
Adds formal build-time support for “monolithic” self-updates (bootloader + boot app in one payload) and introduces an option to skip boot-image verification for performance in externally-verified deployments.
Changes:
- Add
SELF_UPDATE_MONOLITHICbuild option and update erase behavior to cover the monolithic write range. - Add
WOLFBOOT_SKIP_BOOT_VERIFYbuild option and gate boot-time integrity/authenticity checks across update backends. - Add simulator test target + example configs + documentation for the monolithic self-update flow.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| tools/test.mk | Adds a simulator test target for monolithic self-update flow. |
| src/update_ram.c | Adds compile-time flag to skip boot-image verification in RAM update path. |
| src/update_flash_hwswap.c | Adds compile-time flag to skip boot-image verification in HW-swap flash path. |
| src/update_flash.c | Implements monolithic-aware erase length and skip-verify behavior in primary flash backend. |
| src/update_disk.c | Adds compile-time flag to skip boot-image verification in disk backend. |
| options.mk | Adds build flags for monolithic self-update and skipping boot verification. |
| docs/firmware_update.md | Documents monolithic update payload construction + skip-verify option and warnings. |
| config/examples/sim-self-update-monolithic.config | Adds simulator example config enabling monolithic self-update. |
| config/examples/aurix-tc375-hsm-monolithic-update-wolfHSM-certs-rsa4096.config | Adds AURIX example config enabling monolithic self-update with wolfHSM. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| erases the bootloader region and writes in-place. An interruption | ||
| during the write leaves the device unbootable. | ||
|
|
||
| - **Not revertable.** There is no swap or rollback mechanism. The old |
There was a problem hiding this comment.
Replace 'revertable' with 'reversible' (or 'revertible') for correct spelling.
| - **Not revertable.** There is no swap or rollback mechanism. The old | |
| - **Not reversible.** There is no swap or rollback mechanism. The old |
Additions
SELF_UPDATE_MONOLITHICbuild option that allows a single payload to span the bootloader region into a contiguous boot partition, enabling both the bootloader and the boot application to be updated in one step. This feature is currently in use by a few customers so this new build option formalizes this "off-label" feature.WOLFBOOT_SKIP_BOOT_VERIFYbuild option to skip integrity/authenticity checks on the boot image (added across all update backends). Intended as a performance optimization when used in conjunction with the self header and monolithic self-update features with an externally verifying entity (e.g. wolfHSM). Documented that this option is ONLY secure when used in this scenario with external verifying entity.Notes
I was going to use this PR as an opportunity to formalize the memory region for the bootloader itself, which is currently inconsistently referenced or not referenced at all, depending on the platform (
ARCH_FLASH_OFFSET,WOLFBOOT_ORIGIN,&_start_text,BOOTLOADER_PARTITION_SIZE,BOOTLOADER_SIZE, maybe there exists even more...). However in an effort to keep PRs small I'm punting that to a subsequent PR where I can refactor everything in one swoop. There may need to be some annoying steps taken for backwards compat and to ensure customer configurations aren't broken as well.