fota: handle FOTA_DOWNLOAD_REJECTED

If an invalid image is received during FOTA, the nRF Cloud FOTA poll
library will notify the application with the FOTA_DOWNLOAD_REJECTED
event. This commit adds handling for this event in the FOTA and main
modules to: 1. notify the user that the update has been rejected and
2. allow future FOTA attempts.

Signed-off-by: Simen S. Røstad <[email protected]>

Author: simensrostad

.github/workflows/compliance.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: Installation
         run: |
-          apt-get update && apt-get install --no-install-recommends -y libmagic1 git
+          apt-get update && apt-get install --no-install-recommends -y libmagic1 git gcc build-essential
           pip install west gitlint
 
       - name: Checkout the code

app/src/main.c

@@ -1683,6 +1683,8 @@ static enum smf_state_result fota_run(void *o)
 		switch (msg) {
 		case FOTA_DOWNLOAD_CANCELED:
 			__fallthrough;
+		case FOTA_DOWNLOAD_REJECTED:
+			__fallthrough;
 		case FOTA_DOWNLOAD_TIMED_OUT:
 			__fallthrough;
 		case FOTA_DOWNLOAD_FAILED:

app/src/modules/fota/fota.c

@@ -192,6 +192,11 @@ static void fota_status(enum nrf_cloud_fota_status status, const char *const sta
 
 		evt = FOTA_DOWNLOAD_CANCELED;
 		break;
+	case NRF_CLOUD_FOTA_REJECTED:
+		LOG_WRN("Firmware update rejected");
+
+		evt = FOTA_DOWNLOAD_REJECTED;
+		break;
 	case NRF_CLOUD_FOTA_TIMED_OUT:
 		LOG_WRN("Firmware download timed out");
 
@@ -386,6 +391,8 @@ static enum smf_state_result state_downloading_update_run(void *obj)
 			return SMF_EVENT_HANDLED;
 		case FOTA_DOWNLOAD_CANCELED:
 			__fallthrough;
+		case FOTA_DOWNLOAD_REJECTED:
+			__fallthrough;
 		case FOTA_DOWNLOAD_TIMED_OUT:
 			__fallthrough;
 		case FOTA_DOWNLOAD_FAILED:

app/src/modules/fota/fota.h

@@ -44,6 +44,11 @@ enum fota_msg_type {
 	/* Event notified when the FOTA download has been canceled. */
 	FOTA_DOWNLOAD_CANCELED,
 
+	/* Event notified when the FOTA update has been rejected by the device,
+	 * for example wrong image signature or incompatible image.
+	 */
+	FOTA_DOWNLOAD_REJECTED,
+
 	/* Input message types */
 
 	/* Request to poll cloud for any available firmware updates. */

tests/module/fota/src/fota_module_test.c

@@ -222,6 +222,102 @@ void test_fota_module_should_fail_on_cancellation(void)
 	event_expect(FOTA_DOWNLOAD_CANCELED);
 }
 
+void test_fota_module_should_fail_on_rejection(void)
+{
+	/* Given */
+	nrf_cloud_fota_poll_process_fake.return_val = 0;
+
+	/* 1. Poll for update */
+	event_send(FOTA_POLL_REQUEST);
+	event_expect(FOTA_POLL_REQUEST);
+
+	/* 2. Downloading update */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_DOWNLOADING);
+	event_expect(FOTA_DOWNLOADING_UPDATE);
+
+	/* 3. Download rejected */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_REJECTED);
+	event_expect(FOTA_DOWNLOAD_REJECTED);
+}
+
+void test_fota_module_should_restart_after_cancellation(void)
+{
+	/* Given */
+	nrf_cloud_fota_poll_process_fake.return_val = 0;
+	nrf_cloud_fota_poll_update_apply_fake.return_val = 0;
+
+	/* 1. Poll for first update */
+	event_send(FOTA_POLL_REQUEST);
+	event_expect(FOTA_POLL_REQUEST);
+
+	/* 2. Downloading update */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_DOWNLOADING);
+	event_expect(FOTA_DOWNLOADING_UPDATE);
+
+	/* 3. Download canceled */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_CANCELED);
+	event_expect(FOTA_DOWNLOAD_CANCELED);
+
+	/* 4. Poll for second update - should work after cancellation */
+	event_send(FOTA_POLL_REQUEST);
+	event_expect(FOTA_POLL_REQUEST);
+
+	/* 5. Downloading second update */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_DOWNLOADING);
+	event_expect(FOTA_DOWNLOADING_UPDATE);
+
+	/* 6. Download succeeded, validation needed */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_FMFU_VALIDATION_NEEDED);
+	event_expect(FOTA_IMAGE_APPLY_NEEDED);
+
+	/* 7. Apply image */
+	event_send(FOTA_IMAGE_APPLY);
+	event_expect(FOTA_IMAGE_APPLY);
+
+	/* 8. Reboot needed */
+	invoke_nrf_cloud_fota_callback_stub_reboot(FOTA_REBOOT_SUCCESS);
+	event_expect(FOTA_SUCCESS_REBOOT_NEEDED);
+}
+
+void test_fota_module_should_restart_after_rejection(void)
+{
+	/* Given */
+	nrf_cloud_fota_poll_process_fake.return_val = 0;
+	nrf_cloud_fota_poll_update_apply_fake.return_val = 0;
+
+	/* 1. Poll for first update */
+	event_send(FOTA_POLL_REQUEST);
+	event_expect(FOTA_POLL_REQUEST);
+
+	/* 2. Downloading update */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_DOWNLOADING);
+	event_expect(FOTA_DOWNLOADING_UPDATE);
+
+	/* 3. Download rejected */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_REJECTED);
+	event_expect(FOTA_DOWNLOAD_REJECTED);
+
+	/* 4. Poll for second update - should work after rejection */
+	event_send(FOTA_POLL_REQUEST);
+	event_expect(FOTA_POLL_REQUEST);
+
+	/* 5. Downloading second update */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_DOWNLOADING);
+	event_expect(FOTA_DOWNLOADING_UPDATE);
+
+	/* 6. Download succeeded, validation needed */
+	invoke_nrf_cloud_fota_callback_stub_status(NRF_CLOUD_FOTA_FMFU_VALIDATION_NEEDED);
+	event_expect(FOTA_IMAGE_APPLY_NEEDED);
+
+	/* 7. Apply image */
+	event_send(FOTA_IMAGE_APPLY);
+	event_expect(FOTA_IMAGE_APPLY);
+
+	/* 8. Reboot needed */
+	invoke_nrf_cloud_fota_callback_stub_reboot(FOTA_REBOOT_SUCCESS);
+	event_expect(FOTA_SUCCESS_REBOOT_NEEDED);
+}
+
 /* This is required to be added to each test. That is because unity's
  * main may return nonzero, while zephyr's main currently must
  * return 0 in all cases (other values are reserved).

tests/module/main/src/main.c

@@ -797,6 +797,51 @@ void test_timer_cancellation_during_fota(void)
 	send_cloud_disconnected();
 }
 
+void test_timer_rejection_during_fota_rejected(void)
+{
+	int err;
+	struct storage_msg storage_msg = {
+		.type = STORAGE_MODE_BUFFER,
+	};
+
+	/* Switch to buffer mode first */
+	err = zbus_chan_pub(&STORAGE_CHAN, &storage_msg, K_SECONDS(1));
+	TEST_ASSERT_EQUAL(0, err);
+
+	expect_storage_event(STORAGE_MODE_BUFFER);
+
+	/* Start normal operation */
+	send_cloud_connected();
+
+	/* We would have received cloud and location events, but they should be ignored in this
+	 * test.
+	 */
+	purge_cloud_events();
+	purge_location_events();
+
+	/* Trigger FOTA */
+	send_fota_msg(FOTA_DOWNLOADING_UPDATE);
+	expect_fota_event(FOTA_DOWNLOADING_UPDATE);
+
+	/* During FOTA, no timer-based events should occur - verify by waiting multiple
+	 * intervals.
+	 */
+	expect_no_events(CONFIG_APP_CLOUD_UPDATE_INTERVAL_SECONDS * 5);
+
+	/* Reject FOTA and return to normal operation */
+	send_fota_msg(FOTA_DOWNLOAD_REJECTED);
+	expect_fota_event(FOTA_DOWNLOAD_REJECTED);
+
+	/* Should resume normal timer-based operation */
+	k_sleep(K_SECONDS(CONFIG_APP_CLOUD_UPDATE_INTERVAL_SECONDS));
+	expect_storage_event(STORAGE_BATCH_REQUEST);
+	expect_cloud_event(CLOUD_SHADOW_GET_DELTA);
+	expect_fota_event(FOTA_POLL_REQUEST);
+
+	/* Cleanup */
+	send_cloud_disconnected();
+}
+
 void test_multiple_cloud_data_send_intervals(void)
 {
 	/* Connect and complete initial sampling */

tests/state_machines/source_of_truth/fota.puml

@@ -28,7 +28,7 @@ state STATE_RUNNING {
 
     STATE_DOWNLOADING_UPDATE --> STATE_WAITING_FOR_IMAGE_APPLY: FOTA_IMAGE_APPLY_NEEDED
     STATE_DOWNLOADING_UPDATE --> STATE_REBOOT_PENDING: FOTA_SUCCESS_REBOOT_NEEDED
-    STATE_DOWNLOADING_UPDATE --> STATE_WAITING_FOR_POLL_REQUEST: FOTA_DOWNLOAD_CANCELED || FOTA_DOWNLOAD_TIMED_OUT || FOTA_DOWNLOAD_FAILED
+    STATE_DOWNLOADING_UPDATE --> STATE_WAITING_FOR_POLL_REQUEST: FOTA_DOWNLOAD_CANCELED || FOTA_DOWNLOAD_TIMED_OUT || FOTA_DOWNLOAD_FAILED || FOTA_DOWNLOAD_REJECTED
 
     STATE_WAITING_FOR_IMAGE_APPLY --> STATE_IMAGE_APPLYING: FOTA_IMAGE_APPLY
 

tests/state_machines/source_of_truth/main.puml

@@ -71,5 +71,5 @@ state STATE_FOTA {
 
 [*] --> STATE_RUNNING
 STATE_RUNNING --> STATE_FOTA: FOTA_DOWNLOADING_UPDATE
-STATE_FOTA --> STATE_RUNNING[H*]: FOTA_DOWNLOAD_CANCELED || FOTA_DOWNLOAD_TIMED_OUT || FOTA_DOWNLOAD_FAILED
+STATE_FOTA --> STATE_RUNNING[H*]: FOTA_DOWNLOAD_CANCELED || FOTA_DOWNLOAD_TIMED_OUT || FOTA_DOWNLOAD_FAILED || FOTA_DOWNLOAD_REJECTED
 @enduml