Downloaded Image verification failed status

If the question is more about the validation status and the failure status, you can use the table provided in UM2262 section 9 "Understanding the last execution status message at boot-up "

In the code, you will see some calls like this:

 e_ret_status = VerifyFwSignatureAfterDecrypt(&e_se_status, DwlSlot, pFwImageHeader);

 if (e_ret_status != SFU_SUCCESS)

 {

  SFU_EXCPT_SetError(SFU_EXCPT_SIGNATURE_ERR);

 }

You can then check in sfu_error.c how this is converted to a debug string:

#ifdef SFU_DEBUG_MODE

/**

 * The following strings associated to the exceptions/errors are used for debugging purpose.

 * WARNING: The string array must match perfectly with the @ref SFU_EXCPT_IdTypeDef.

 * And the @ref SFU_EXCPT_IdTypeDef enum must be a sequence starting from 0

 */

static char *m_aErrorStrings[] ={ "No error. Success",

The general principle when installing a new firmware image is indeed to proceed with a swap of the active slot and the download slot (if you have only 2 images configured).

Initially, this feature has been designed in case of power shortage during the installation procedure.

This way, we were able to do a recovery to the previous firmware image if something went wrong.

We were also using it in case the new firmware image faced too many errors, to be able to do a rollback to previous version.

But, as you know, X-CUBE-SBSFU has been audited by a security lab. They considered that these rollback and recovery mechanisms were a way for an attacker (via a power off during firmware update for instance) to prevent a firmware update from being completed and to revert to previous firmware image.

So, we updated the implementation and now if a power off occurs during the firmware update procedure then we resume the installation of the new firmware image (except if the power down occurred during the decrypt operation that we cannot resume as the decrypt context is not saved).

Also, we do not do a rollback any more in case of errors with the new image.

Nevertheless, the code doing the swap is still present and for some specific needs we have implemented an "image state" management logic:

#if defined(ENABLE_IMAGE_STATE_HANDLING) && !defined(SFU_NO_SWAP)

    /* Move the state to SELFTEST for the new images */

    if (SFU_IMG_UpdateImageState(SLOT_ACTIVE_1 + i) != SFU_SUCCESS)

    {

     /* Image state cannot be changed : What to do ?

       ==> decision to continue execution */

     TRACE("\r\n= [FWIMG] WARNING: IMAGE STATE CANNOT BE CHANGED!");

    }

#endif /* ENABLE_IMAGE_STATE_HANDLING && !(SFU_NO_SWAP) */

You can get more information about it in UM2262, Appendix J.

But, please keep in mind that this can be seen as an attack opportunity, so you need to analyze if you want to use it or not.

Yes, you can check Appendix J figure 66 in UM2262:

If the previous firmware image is not tagged valid then we end up in local loader mode.

Nevertheless, if the firmware got corrupted without the valid state being updated then maybe you can revert to an invalid firmware. You must check this kind of cases.

Using UART increases the attack surface, so yes you open the door to new risks.

You must assess carefully the code dealing with the UART communication and decide if you trust it or not.

As soon as you transfer data, you deal with buffers so you can have bugs in this area leading to security breaches.

So, you need to:

• assess this code
• assess the overall security strategy : what if somebody takes control of the system from this code ? Can he access sensitive data or perform unauthorized operations ?
• ...any other assessment you think may be needed depending on your requirements...

Here, you need to do this kind of assessments.