FWU rollback counter is not reset (after rauc-mark-good) on consecutive updates in FWU

Hi everyone,

we applied the ST FWU reference solution on our own platform based on the STM32MP157F.
The solution was taken and adapted from the ST Yocto layer meta-st-ota (https://github.com/PRG-MPU-CUST/meta-st-ota).

Summary

When performing consecutive updates using the ST FWU reference implementation (TF-A FWU metadata + RAUC + post-install.sh + rauc-mark-good.service), the FWU rollback boot counter keeps decreasing across successful updates. 

Expectation: after each successful boot of a newly updated bank (and rauc-mark-good.service finishing successfully), the FWU boot counter should be reset to the initial value (4 in this setup).
Actual: the FWU boot counter is decremented (4 → 3 → 2) with each update cycle, even though the system was marked good. 

This suggests that the rollback counter is not being reset by the rauc-mark-good integration in the ST FWU reference solution.

(full log is attached, including metadata content printed in hexa after each step)

Reproduction and actual behavior

1. Boot fresh image (Bank A active).
   Observe TFA logs: TF-A selects bank 0 (A).
   INFO: Use primary FWU-Metadata
   INFO: Try load metadata id=12...
   NOTICE: Active index: 0, bank state: 252
   NOTICE: Selecting to boot from bank 0
   
   

2. Simulate first update in Linux (A → B)
   On bank A:

   /usr/lib/rauc/post-install.sh
       current_boot_slot=A
       ...
       active boot is B
       boot count is enabled

   Then reboot:

   reboot
   
   

3. First boot after first update (Bank B active)
   Observe TF-A logs:

   INFO: Use primary FWU-Metadata
   INFO: Try load metadata id=12...
   NOTICE: Active index: 1, bank state: 254

   NOTICE: Fwu bootcount 4 NOTICE:

   Selecting to boot from bank 1

   In Linux, rauc-mark-good runs and succeeds:

   systemctl status rauc-mark-good
   rauc-mark-good.service - Rauc Good-marking Service Main PID: 375 (code=exited, status=0/SUCCESS)
   Dec 11 10:19:46 stm32mp15-pb2-base-mx sh[376]: rauc status: marked slot(s) rootfs.1 as good

   -> Expectation here: bootcount should now be reset back to 4 (for next update).
   
   

4. Simulate second consecutive update in Linux (B → A)
   On bank B:

    

   /usr/lib/rauc/post-install.sh
   current_boot_slot=B

   ...

   active boot is A

   boot count is enabled

   Then reboot:

   reboot
   
   

5. Second boot after second update (Bank A active)

   TF-A logs now show that the bootcounter decreased:

   INFO: Use primary FWU-Metadata

   INFO: Try load metadata id=12...

   NOTICE: Active index: 0, bank state: 254

   NOTICE: Fwu bootcount 3

   NOTICE: Selecting to boot from bank 0

   In Linux, again rauc-mark-good runs and reports success:

   rauc-mark-good.service - Rauc Good-marking Service Main PID: 337 (code=exited, status=0/SUCCESS)

   Dec 11 10:25:50 stm32mp15-pb2-base-mx sh[342]: rauc status: marked slot(s) rootfs.0 as good
   
   

6. Simulate third update (A → B)

   On bank A:

   /usr/lib/rauc/post-install.sh

   Output:

   current_boot_slot=A

   ...

   active boot is B boot count is enabled

   Then reboot:

   reboot
   
   

7. Third boot after third update (Bank B active)

   TF-A logs:

    

   INFO: Use primary FWU-Metadata

   INFO: Try load metadata id=12...

   NOTICE: Active index: 1, bank state: 254

   NOTICE:Fwu bootcount 2

   NOTICE: Selecting to boot from bank 1

Expected behavior

• After each successful boot of a newly updated bank and successful execution of rauc-mark-good.service,  the FWU boot counter for that bank is reset to the initial value 4.

• And not 4 -> 3 -> 2