Merge branch 'fix/ota_update_invalidate_ota_data_slot_of_last_boot_app' into 'master'

fix(app_update): Invalidate ota data slot of last boot app in esp_ota_begin

Closes IDFGH-13982

See merge request espressif/esp-idf!35850

components/app_update/esp_ota_ops.c

@@ -182,8 +182,18 @@ esp_err_t esp_ota_begin(const esp_partition_t *partition, size_t image_size, esp
         } else {
             erase_size = ALIGN_UP(image_size, partition->erase_size);
         }
-        return esp_partition_erase_range(partition, 0, erase_size);
+        esp_err_t err = esp_partition_erase_range(partition, 0, erase_size);
+        if (err != ESP_OK) {
+            return err;
+        }
     }
+
+#ifdef CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE
+    if (is_ota_partition(partition)) {
+        esp_ota_invalidate_inactive_ota_data_slot();
+    }
+#endif
+
     return ESP_OK;
 }
 
@@ -955,7 +965,7 @@ esp_err_t esp_ota_get_state_partition(const esp_partition_t *partition, esp_ota_
     return ESP_OK;
 }
 
-esp_err_t esp_ota_erase_last_boot_app_partition(void)
+static esp_err_t erase_last_boot_app_partition(bool skip_app_part_erase)
 {
     esp_ota_select_entry_t otadata[2];
     const esp_partition_t* ota_data_partition = read_otadata(otadata);
@@ -987,13 +997,15 @@ esp_err_t esp_ota_erase_last_boot_app_partition(void)
         return ESP_FAIL;
     }
 
-    esp_err_t err = esp_partition_erase_range(last_boot_app_partition_from_otadata, 0, last_boot_app_partition_from_otadata->size);
-    if (err != ESP_OK) {
-        return err;
+    if (!skip_app_part_erase) {
+        esp_err_t err = esp_partition_erase_range(last_boot_app_partition_from_otadata, 0, last_boot_app_partition_from_otadata->size);
+        if (err != ESP_OK) {
+            return err;
+        }
     }
 
     int sec_id = inactive_otadata;
-    err = esp_partition_erase_range(ota_data_partition, sec_id * ota_data_partition->erase_size, ota_data_partition->erase_size);
+    esp_err_t err = esp_partition_erase_range(ota_data_partition, sec_id * ota_data_partition->erase_size, ota_data_partition->erase_size);
     if (err != ESP_OK) {
         return err;
     }
@@ -1001,6 +1013,16 @@ esp_err_t esp_ota_erase_last_boot_app_partition(void)
     return ESP_OK;
 }
 
+esp_err_t esp_ota_erase_last_boot_app_partition(void)
+{
+    return erase_last_boot_app_partition(false);
+}
+
+esp_err_t esp_ota_invalidate_inactive_ota_data_slot(void)
+{
+    return erase_last_boot_app_partition(true);
+}
+
 #if SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY && CONFIG_SECURE_BOOT_V2_ENABLED
 
 // Validates the image at "app_pos" with the secure boot digests other than "revoked_key_index"

components/app_update/include/esp_ota_ops.h

@@ -83,6 +83,7 @@ int esp_ota_get_app_elf_sha256(char* dst, size_t size) __attribute__((deprecated
  * use esp_ota_mark_app_valid_cancel_rollback() function for it (this should be done as early as possible when you first download a new application).
  *
  * Note: Rollback is applicable only for app type partitions.
+ * Note: For Rollback - The OTA data slot corresponding to the last boot application partition will be invalidated.
  *
  * @param partition  Pointer to info for partition which will receive the OTA update. Required.
  *                   This is considered as the staging partition (where OTA is downloaded), be default this also considered as the final partition which supposed to be updated.
@@ -302,6 +303,20 @@ esp_err_t esp_ota_get_partition_description(const esp_partition_t *partition, es
  */
 esp_err_t esp_ota_get_bootloader_description(const esp_partition_t *bootloader_partition, esp_bootloader_desc_t *desc);
 
+/**
+ * @brief Invalidate the OTA data slot associated with the last boot application partition.
+ *
+ * This function erases the OTA data slot corresponding to the last boot application partition,
+ * making the partition invalid for booting in future. The application partition itself
+ * is not erased, preserving its contents.
+ *
+ * @return
+ *      - ESP_OK: Successfully invalidated the OTA data slot.
+ *      - ESP_FAIL: Failed to invalidate the OTA data slot (e.g., invalid parameters, no OTA data partition, or other errors).
+ *      - Other error codes from `esp_partition_erase_range`.
+ */
+esp_err_t esp_ota_invalidate_inactive_ota_data_slot(void);
+
 /**
  * @brief Returns number of ota partitions provided in partition table.
  *

components/app_update/test_apps/test_app_update/.build-test-rules.yml

@@ -3,6 +3,7 @@
 components/app_update/test_apps:
   enable:
     - if: CONFIG_NAME == "defaults" and IDF_TARGET in ["esp32", "esp32c2", "esp32c3", "esp32c5", "esp32c6", "esp32c61", "esp32h2", "esp32p4", "esp32s2", "esp32s3"]
+    - if: CONFIG_NAME == "rollback" and IDF_TARGET in ["esp32", "esp32c3", "esp32s3", "esp32p4"]
     - if: CONFIG_NAME == "xip_psram" and IDF_TARGET in ["esp32s2", "esp32s3", "esp32p4"]
     # S2 doesn't have ROM for flash
     - if: CONFIG_NAME == "xip_psram_with_rom_impl" and IDF_TARGET in ["esp32s3", "esp32p4"]

components/app_update/test_apps/test_app_update/main/test_switch_ota.c

@@ -849,3 +849,84 @@ TEST_CASE("Test bootloader_common_get_sha256_of_partition returns ESP_ERR_IMAGE_
     TEST_ESP_ERR(ESP_ERR_IMAGE_INVALID, bootloader_common_get_sha256_of_partition(other_app->address, other_app->size, other_app->type, sha_256_other_app));
     TEST_ASSERT_EQUAL_MEMORY_MESSAGE(sha_256_cur_app, sha_256_other_app, sizeof(sha_256_cur_app), "must be the same");
 }
+
+static void test_rollback3(void)
+{
+    uint8_t boot_count = get_boot_count_from_nvs();
+    boot_count++;
+    set_boot_count_in_nvs(boot_count);
+    ESP_LOGI(TAG, "boot count %d", boot_count);
+    const esp_partition_t *cur_app = get_running_firmware();
+    const esp_partition_t* update_partition = NULL;
+    switch (boot_count) {
+        case 2:
+            ESP_LOGI(TAG, "Factory");
+            TEST_ASSERT_EQUAL(ESP_PARTITION_SUBTYPE_APP_FACTORY, cur_app->subtype);
+            update_partition = app_update();
+            reboot_as_deep_sleep();
+            break;
+        case 3:
+            ESP_LOGI(TAG, "OTA0");
+            TEST_ASSERT_EQUAL(ESP_PARTITION_SUBTYPE_APP_OTA_0, cur_app->subtype);
+            TEST_ESP_OK(esp_ota_mark_app_valid_cancel_rollback());
+            TEST_ASSERT_NULL(esp_ota_get_last_invalid_partition());
+            update_partition = app_update();
+            reboot_as_deep_sleep();
+            break;
+        case 4:
+            ESP_LOGI(TAG, "OTA1");
+            TEST_ASSERT_EQUAL(ESP_PARTITION_SUBTYPE_APP_OTA_1, cur_app->subtype);
+            TEST_ESP_OK(esp_ota_mark_app_valid_cancel_rollback());
+
+            update_partition = esp_ota_get_next_update_partition(NULL);
+#ifdef CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE
+            // two partitions are valid
+            TEST_ASSERT_NULL(esp_ota_get_last_invalid_partition());
+            esp_ota_img_states_t ota_state;
+            TEST_ESP_OK(esp_ota_get_state_partition(update_partition, &ota_state));
+            TEST_ASSERT_EQUAL(ESP_OTA_IMG_VALID, ota_state);
+#endif
+
+            esp_ota_handle_t update_handle = 0;
+            TEST_ESP_OK(esp_ota_begin(update_partition, OTA_SIZE_UNKNOWN, &update_handle));
+
+#ifdef CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE
+            // After esp_ota_begin, the only one partition is valid
+            // ota data slots do not have an entry about the update_partition.
+            TEST_ESP_ERR(ESP_ERR_NOT_FOUND, esp_ota_get_state_partition(update_partition, &ota_state));
+#endif
+            copy_app_partition(update_handle, get_running_firmware());
+            TEST_ESP_OK(esp_ota_end(update_handle));
+            // esp_ota_set_boot_partition is not called, so the running app will not be changed after reboot
+            reboot_as_deep_sleep();
+            break;
+        default:
+            erase_ota_data();
+            TEST_FAIL_MESSAGE("Unexpected stage");
+            break;
+    }
+}
+
+static void test_rollback3_1(void)
+{
+    set_boot_count_in_nvs(5);
+    uint8_t boot_count = get_boot_count_from_nvs();
+    esp_ota_img_states_t ota_state = 0x5555AAAA;
+    ESP_LOGI(TAG, "boot count %d", boot_count);
+    const esp_partition_t *cur_app = get_running_firmware();
+    ESP_LOGI(TAG, "OTA1");
+    TEST_ASSERT_EQUAL(ESP_PARTITION_SUBTYPE_APP_OTA_1, cur_app->subtype);
+    TEST_ESP_OK(esp_ota_get_state_partition(cur_app, &ota_state));
+    TEST_ASSERT_EQUAL(ESP_OTA_IMG_VALID, ota_state);
+
+    TEST_ASSERT_NULL(esp_ota_get_last_invalid_partition());
+    const esp_partition_t* next_update_partition = esp_ota_get_next_update_partition(NULL);
+    TEST_ASSERT_NOT_NULL(next_update_partition);
+#ifdef CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE
+    // ota data slots do not have an entry about the next_update_partition.
+    TEST_ESP_ERR(ESP_ERR_NOT_FOUND, esp_ota_get_state_partition(next_update_partition, &ota_state));
+#endif
+    erase_ota_data();
+}
+
+TEST_CASE_MULTIPLE_STAGES("Test rollback. Updated partition invalidated after esp_ota_begin", "[app_update][timeout=90][reset=DEEPSLEEP_RESET, DEEPSLEEP_RESET, DEEPSLEEP_RESET, SW_CPU_RESET]", start_test, test_rollback3, test_rollback3, test_rollback3, test_rollback3_1);

components/app_update/test_apps/test_app_update/pytest_app_update_ut.py

@@ -50,3 +50,19 @@ def test_app_update_xip_psram(dut: Dut) -> None:
 )
 def test_app_update_xip_psram_rom_impl(dut: Dut) -> None:
     dut.run_all_single_board_cases(timeout=90)
+
+
+@pytest.mark.esp32
+@pytest.mark.esp32c3
+@pytest.mark.esp32s3
+@pytest.mark.esp32p4
+@pytest.mark.generic
+@pytest.mark.parametrize(
+    'config',
+    [
+        'rollback',
+    ],
+    indirect=True,
+)
+def test_app_update_with_rollback(dut: Dut) -> None:
+    dut.run_all_single_board_cases(timeout=90)

components/app_update/test_apps/test_app_update/sdkconfig.ci.rollback

@@ -0,0 +1 @@
+CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE=y