fw_update: check for existing candidate image before attempting download

[hasheddan]

Refactors fw_update logic to check whether the existing image in the candidate slot matches the desired update image in a received manifest. If so, we attempt to boot into the image without downloading it again.

Implementing involved some cleanup of the interface to fw_update platform ports. Namely, fw_update_post_download now returns a status, and fw_update_validate receives an image hash and size. The former is to allow for ports to return an error if they are unable to "finalize" a download. This is particularly relevant for esp_idf, as completing the download also implicitly performs image validation. The latter change is to allow for validation to be performed on a candidate image outside the context of the download of that image, which may have taken place prior to the most recent reboot.

Because ports can perform custom validation in fw_update_post_download and we implement hash validation in fw_update for downloaded images, the fw_update_validate implementation for a port is no longer invoked after download. Instead, it is now only invoked on receiving a new manifest to check whether the desired update image is already present. The primary reason for not also invoking fw_update_validate post download is that it is not implemented for all ports at this time, though it is also somewhat redundant with our existing hash check. There are two options that would allow for calling fw_update_validate post download and prior to download:

1. Provide implementations for all ports.
2. Allow for differentiating between "not supported" and "validation failed".

(1) feels like the right path long term, and given that we do not lose any functionality today by removing the post download call (i.e. ports previously just had no-op implementations), moving forward with the fw_update_post_download + fw_update's hash check seems like a reasonable course of action.

---

Work items that should follow this implementation:

• We should update our OTA HIL testing to include downloading an image that will never connect to Golioth, then ensure that when we rollback and see the manifest again that we attempt to boot into it without download. The current tests effectively just validate that fw_update_validate always fails.
• This implementation avoids downloading the same image over and over again, but we should also implement some sort of upgrade backoff to avoid booting into the new image over and over again. Continuously doing so results in flash wear from swapping the candidate image into the primary slot on upgrade and revert.

[github-actions]

Visit the preview URL for this PR (updated for commit e48d9d9):

https://golioth-firmware-sdk-doxygen-dev--pr743-fw-update-chec-de1cpdoh.web.app

_{(expires Mon, 17 Feb 2025 22:52:02 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

_{Sign: a9993e61697a3983f3479e468bcb0b616f9a0578}

[github-actions]

Code Coverage

Package	Line Rate	Branch Rate	Health
include.golioth	75%	50%	✔
port.linux	60%	31%	➖
port.utils	58%	46%	➖
port.zephyr	53%	22%	➖
src	67%	30%	➖
Summary	66% (2715 / 4120)	30% (1123 / 3738)	➖

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 68 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
port/zephyr/golioth_fw_zephyr.c	0.00%	33 Missing ⚠️
src/fw_update.c	0.00%	31 Missing ⚠️
port/linux/fw_update_linux.c	0.00%	4 Missing ⚠️

Files with missing lines	Coverage Δ
port/linux/fw_update_linux.c	0.00% <0.00%> (ø)
src/fw_update.c	0.00% <0.00%> (ø)
port/zephyr/golioth_fw_zephyr.c	0.00% <0.00%> (ø)

... and 5 files with indirect coverage changes

[hasheddan]

In addition to being consistent with our sha256 implementation, this is also necessary because building with flash_img_check enabled with mbedtls is currently broken on nordic platforms due to zephyrproject-rtos/zephyr#85238

[szczys]

Great work @hasheddan!

[szczys]

Suggested change

	return GOLIOTH_ERR_FAIL;
	return GOLIOTH_ERR_NOT_IMPLEMENTED;

[szczys]

Suggested change

	return GOLIOTH_ERR_FAIL;
	return GOLIOTH_ERR_NOT_IMPLEMENTED;

[hasheddan]

Ah nice! I didn't realize we already had this status. In theory this would allow us to also call fw_update_validate post download and just ignore result if GOLIOTH_ERR_NOT_IMPLEMENTED. However, I think I'd lean towards not doing that given our existing hash check post download (as mentioned in the PR body). Regardless, should definitely be using the status here! 👍🏻

[szczys]

Note for other reviewers: This buf size defaults to CONFIG_IMG_BLOCK_BUF_SIZE which defaults to 512.

[szczys]

Do we need to verify the length of hash is the same as the length of data.image_digest?

[hasheddan]

We don't know the length of hash here -- it is somewhat implicit in the port API contract as implemented, so it may be worth making it more explicit that a 32 byte sha256 hash is being passed (at the very least in the documentation on fw_update_validate). In practice, because data.image_digest is hard-coded to 32 bytes and we always pass a GOLIOTH_OTA_COMPONENT_BIN_HASH_LEN (32) then they should always be same length.

I am still in process of testing the esp-idf fw_update_validate implementation though, so there may need to be some further changes made here.

[szczys]

Ah, thanks for the background.

In practice, because data.image_digest is hard-coded to 32 bytes and we always pass a GOLIOTH_OTA_COMPONENT_BIN_HASH_LEN (32) then they should always be same length.

Would it make sense to change the function as below?

enum golioth_status fw_update_validate(const uint8_t hash[GOLIOTH_OTA_COMPONENT_BIN_HASH_LEN],
                                       const size_t size)

[hasheddan]

I typically shy away from using arrays as function parameters in C because in practice they decay to a pointers. However, they can give the impression that, for example, sizeof(hash) in a function implementation would return the size of the array, but in reality it would return the size of the pointer. Some folks certainly argue the other side of this, so I'm open to discussion 🙂

[hasheddan]

I'll be changing this in a moment because esp_image_verify will use the appended digest of the image, rather than the actual hash of the bytes in the partition, so we'll end up with a mismatch with the hash in the manifest. This is similar to what we are avoiding in the Zephyr port with mcuboot.

ref: https://github.com/espressif/esp-idf/blob/c5865270b50529cd32353f588d8a917d89f3dba4/components/bootloader_support/src/esp_image_format.c#L311

[sam-golioth]

Because ports can perform custom validation in fw_update_post_download and we implement hash validation in fw_update for downloaded images, the fw_update_validate implementation for a port is no longer invoked after download. Instead, it is now only invoked on receiving a new manifest to check whether the desired update image is already present. The primary reason for not also invoking fw_update_validate post download is that it is not implemented for all ports at this time, though it is also somewhat redundant with our existing hash check. There are two options that would allow for calling fw_update_validate post download and prior to download:

1. Provide implementations for all ports.
2. Allow for differentiating between "not supported" and "validation failed".

(1) feels like the right path long term, and given that we do not lose any functionality today by removing the post download call (i.e. ports previously just had no-op implementations), moving forward with the fw_update_post_download + fw_update's hash check seems like a reasonable course of action.

I think removing fw_update_validate() from the post-download flow (along with the change to fw_update_post_download()) is actually the right long term move. The only thing we do between invoking fw_update_post_download() and fw_update_validate() is verify the SHA hash (as you point out), and that shouldn't affect the port's ability to validate the image. Having two callbacks there is actually somewhat confusing, and doesn't add anything. In the future, if we implement patching or compression, it could make sense to have hooks before and after the post-download processing steps, but we shouldn't be trying to pre-design that.

Given the above, it could make sense to rename fw_update_validate() to make its new purpose clearer.

[sam-golioth]

Great work @hasheddan! Overall looks good, left a few comments

[sam-golioth]

We're destroying this SHA in a number of places. I think we can move the call golioth_sys_sha256_finish() to just after the block download finishes (i.e. before the call to back_increment()), and destroy the SHA context there. Then we can just have the calculated SHA on the stack which will be easier to manage.

[hasheddan]

ack! was avoiding making that change in this PR, but would love to go ahead and do so -- I think it probably makes the most sense after the err check block (i.e. don't need to finish if we are going to destroy), but happy to always do finish + destroy after back_increment if you find it cleaner 👍🏻

[sam-golioth]

After the err check works for me!

[sam-golioth]

This is a lot easier to follow 👍

[sam-golioth]

It's clear in the function comment, but when only looking at the function signature it would be easy to mistake size to mean the size of the array passed in hash. Also const isn't necessary for arguments passed by value.

Suggested change

	enum golioth_status fw_update_validate(const uint8_t *hash, const size_t size);
	enum golioth_status fw_update_validate(const uint8_t *hash, size_t img_size);

[hasheddan]

whoops copy pasta on that second const -- happy to update to img_size as well 👍🏻

[sam-golioth]

This commit (and the next four) won't build without the following five commits. We should preserve bisectability by either squashing these commits or just updating the function signatures in this commit (without the functional changes).

[hasheddan]

Yeah, commit history needs to be adjusted prior to merge -- pushed small commits while iterating.

[sam-golioth]

I'm sure this is what clang-format requires, but I'm not a fan haha. If you want to disable formatting for this line and replace it with something cleaner, I wouldn't be opposed.

[hasheddan]

ack 😂

[sam-golioth]

This reports the DOWNLOADING state to the cloud and changes the boot image, so we don't need to do that in lines 616 - 628 anymore.

[hasheddan]

I believe we still need the DOWNLOADED report, but agree we can remove the UPDATING and boot image swap 👍🏻

[sam-golioth]

Yep! I mean to write UPDATING - agreed we need to keep DOWNLOADED.

[hasheddan]

Given the above, it could make sense to rename fw_update_validate() to make its new purpose clearer.

@sam-golioth cool! At one point I had it as fw_update_check_candidate() -- any thoughts on that or alternatives?

[sam-golioth]

Given the above, it could make sense to rename fw_update_validate() to make its new purpose clearer.

@sam-golioth cool! At one point I had it as fw_update_check_candidate() -- any thoughts on that or alternatives?

Sounds good to me!

[hasheddan]

As mentioned earlier in review, I don't really love using arrays in function signatures, but given that is the existing pattern here, I opted to remain consistent.

[sam-golioth]

It's gives a false sense of compiler security, but from a readability standpoint I think it's the clearest way in C to communicate to the user that their input must be this exact size, no more and no less.

[hasheddan]

Fair enough. Given that this function is only visible to this compilation unit I am less worried about it here anyway 👍🏻

[sam-golioth]

🎉