
FWU rollback counter is not reset (after rauc-mark-good) on consecutive updates in FWU

maxim-senec
Associate II

Hi everyone,

we applied the ST FWU reference solution on our own platform based on the STM32MP157F.
The solution was taken and adapted from the ST Yocto layer meta-st-ota (https://github.com/PRG-MPU-CUST/meta-st-ota).

 

Summary

When performing consecutive updates using the ST FWU reference implementation (TF-A FWU metadata + RAUC + post-install.sh + rauc-mark-good.service), the FWU rollback boot counter keeps decreasing across successful updates. 

Expectation: after each successful boot of a newly updated bank (and rauc-mark-good.service finishing successfully), the FWU boot counter should be reset to the initial value (4 in this setup).
Actual: the FWU boot counter is decremented (4 → 3 → 2) with each update cycle, even though the system was marked good. 

This suggests that the rollback counter is not being reset by the rauc-mark-good integration in the ST FWU reference solution.

(full log is attached, including metadata content printed in hex after each step)

 

Reproduction and actual behavior

  1. Boot fresh image (Bank A active).
    Observe TFA logs: TF-A selects bank 0 (A).
    INFO: Use primary FWU-Metadata
    INFO: Try load metadata id=12...
    NOTICE: Active index: 0, bank state: 252
    NOTICE: Selecting to boot from bank 0

  2. Simulate first update in Linux (A → B)
    On bank A:

    /usr/lib/rauc/post-install.sh
        current_boot_slot=A
        ...
        active boot is B
        boot count is enabled

    Then reboot:

    reboot

  3. First boot after first update (Bank B active)
    Observe TF-A logs:

    INFO: Use primary FWU-Metadata
    INFO: Try load metadata id=12...
    NOTICE: Active index: 1, bank state: 254
    NOTICE: Fwu bootcount 4
    NOTICE: Selecting to boot from bank 1

    In Linux, rauc-mark-good runs and succeeds:

    systemctl status rauc-mark-good
    rauc-mark-good.service - Rauc Good-marking Service Main PID: 375 (code=exited, status=0/SUCCESS)
    Dec 11 10:19:46 stm32mp15-pb2-base-mx sh[376]: rauc status: marked slot(s) rootfs.1 as good

    -> Expectation here: bootcount should now be reset back to 4 (for next update).

  4. Simulate second consecutive update in Linux (B → A)
    On bank B:

     
    /usr/lib/rauc/post-install.sh
    current_boot_slot=B
    ...
    active boot is A
    boot count is enabled

    Then reboot:

    reboot

  5. Second boot after second update (Bank A active)

    TF-A logs now show that the bootcounter decreased:

    INFO: Use primary FWU-Metadata
    INFO: Try load metadata id=12...
    NOTICE: Active index: 0, bank state: 254
    NOTICE: Fwu bootcount 3
    NOTICE: Selecting to boot from bank 0

    In Linux, again rauc-mark-good runs and reports success:

    rauc-mark-good.service - Rauc Good-marking Service Main PID: 337 (code=exited, status=0/SUCCESS)
    Dec 11 10:25:50 stm32mp15-pb2-base-mx sh[342]: rauc status: marked slot(s) rootfs.0 as good

  6. Simulate third update (A → B)

    On bank A:

    /usr/lib/rauc/post-install.sh

    Output:

    current_boot_slot=A
    ...
    active boot is B
    boot count is enabled

    Then reboot:

    reboot

  7. Third boot after third update (Bank B active)

    TF-A logs:

     
    INFO: Use primary FWU-Metadata
    INFO: Try load metadata id=12...
    NOTICE: Active index: 1, bank state: 254
    NOTICE: Fwu bootcount 2
    NOTICE: Selecting to boot from bank 1

Expected behavior

  • After each successful boot of a newly updated bank and successful execution of rauc-mark-good.service, the FWU boot counter for that bank is reset to the initial value 4.

  • And not 4 -> 3 -> 2
Christophe Guibout
ST Employee

Hello @maxim-senec,

 

I'm working on this point: I will update the meta-st-ota Yocto layer to be able to reset the bootcount when Linux has booted: as the FWU_INFO backup register is write-secured, the idea is to create a TA to allow Linux to update the bootcount.

I'll keep you in touch,
BR,

Christophe

 

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

Thank you very much! We really appreciate your effort!

Hello @Christophe Guibout, thank you for your response once again.

Just for general understanding: I assumed that the bootcount is just a field in the metadata partitions, so the bootcount could be reset by an appropriate call to the mkfwumdata tool (triggered by rauc-mark-good.sh).

Now I understand from your answer that the bootcount is located in a write-protected register that can be accessed only from the secure world? Will the change require optee, and not opteemin?

Thank you!
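To make concrete what the metadata partition carries (and that a boot counter is not one of its fields), here is an added example, not code from this thread, from meta-st-ota or from TF-A: a small C decoder for an FWU metadata v2 block, the layout behind the "Active index: 1, bank state: 254" lines in the TF-A log. The field offsets, the CRC coverage and the bank-state encoding (0xFC = accepted, 0xFE = valid/on trial, 0xFF = invalid) are my reading of TF-A's include/drivers/fwu/fwu_metadata.h, so treat them as assumptions to verify against your tree. The sample block is constructed inline and its image UUIDs are dummies; a real dump of the metadata partition can be fed to fwu_md_parse() in the same way.

```c
/* Added example (not from the thread, meta-st-ota or TF-A): decode an FWU
 * metadata v2 block and show what a Linux-side "mark good" can change in it.
 * Offsets and encodings are ASSUMPTIONS from TF-A's fwu_metadata.h: verify. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FWU_MD_V2               2U
#define FWU_MAX_BANKS           4U    /* bank_state[] length in the v2 header */
#define FWU_BANK_STATE_ACCEPTED 0xFCU /* 252 in the TF-A log */
#define FWU_BANK_STATE_VALID    0xFEU /* 254: installed, still on trial */
#define FWU_BANK_STATE_INVALID  0xFFU
/* Byte offsets of the little-endian v2 header fields. */
#define OFF_CRC32       0U
#define OFF_VERSION     4U
#define OFF_ACTIVE_IDX  8U
#define OFF_PREV_IDX    12U
#define OFF_MD_SIZE     16U
#define OFF_DESC_OFFSET 20U
#define OFF_BANK_STATE  24U
#define HDR_SIZE        32U

struct fwu_md_view {
    uint32_t active_index, previous_active_index;
    uint8_t bank_state[FWU_MAX_BANKS];
};

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Bitwise IEEE CRC-32 (same result as zlib crc32()); TF-A's tf_crc32() runs it
 * over every byte after the crc_32 field. */
static uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFU;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320U & (0U - (c & 1U)));
    }
    return ~c;
}

static void fwu_md_update_crc(uint8_t *buf)   /* mandatory after any edit */
{
    wr32(buf + OFF_CRC32, crc32_ieee(buf + OFF_VERSION, rd32(buf + OFF_MD_SIZE) - 4U));
}

/* 0 on success; negative if truncated, not v2, or CRC mismatch (TF-A would
 * then fall back to the other metadata copy). */
int fwu_md_parse(const uint8_t *buf, size_t len, struct fwu_md_view *out)
{
    if (len < HDR_SIZE) return -1;
    uint32_t md_size = rd32(buf + OFF_MD_SIZE);
    if (md_size < HDR_SIZE || md_size > len) return -2;
    if (rd32(buf + OFF_VERSION) != FWU_MD_V2) return -3;
    if (crc32_ieee(buf + OFF_VERSION, md_size - 4U) != rd32(buf + OFF_CRC32)) return -4;
    out->active_index = rd32(buf + OFF_ACTIVE_IDX);
    out->previous_active_index = rd32(buf + OFF_PREV_IDX);
    memcpy(out->bank_state, buf + OFF_BANK_STATE, FWU_MAX_BANKS);
    return 0;
}

/* What a "mark good" step can record in the metadata: move the bank from VALID
 * (trial) to ACCEPTED. There is no boot-count field in this structure. */
int fwu_md_accept_bank(uint8_t *buf, size_t len, uint32_t bank)
{
    struct fwu_md_view v;
    int rc = fwu_md_parse(buf, len, &v);
    if (rc != 0) return rc;
    if (bank >= FWU_MAX_BANKS || v.bank_state[bank] != FWU_BANK_STATE_VALID) return -5;
    buf[OFF_BANK_STATE + bank] = FWU_BANK_STATE_ACCEPTED;
    fwu_md_update_crc(buf);
    return 0;
}

/* Constructed sample: one image, two banks, bank 1 active and on trial, i.e. the
 * "Active index: 1, bank state: 254" situation in the log. UUIDs are dummies. */
#define SAMPLE_MD_SIZE (HDR_SIZE + 8U + 32U + 2U * 24U) /* header + store desc + 1 image entry */
size_t build_sample_metadata(uint8_t *buf, size_t len)
{
    if (len < SAMPLE_MD_SIZE) return 0;
    memset(buf, 0, SAMPLE_MD_SIZE);
    wr32(buf + OFF_VERSION, FWU_MD_V2);
    wr32(buf + OFF_ACTIVE_IDX, 1U);
    wr32(buf + OFF_PREV_IDX, 0U);
    wr32(buf + OFF_MD_SIZE, SAMPLE_MD_SIZE);
    buf[OFF_DESC_OFFSET] = HDR_SIZE;             /* fw_store_desc follows the header */
    memset(buf + OFF_BANK_STATE, FWU_BANK_STATE_INVALID, FWU_MAX_BANKS);
    buf[OFF_BANK_STATE + 0] = FWU_BANK_STATE_ACCEPTED;
    buf[OFF_BANK_STATE + 1] = FWU_BANK_STATE_VALID;
    buf[HDR_SIZE + 0] = 2;                       /* num_banks */
    buf[HDR_SIZE + 2] = 1;                       /* num_images (u16) */
    buf[HDR_SIZE + 4] = 32 + 2 * 24;             /* img_entry_size (u16) */
    buf[HDR_SIZE + 6] = 24;                      /* bank_info_entry_size (u16) */
    memset(buf + HDR_SIZE + 8, 0xAB, 32);        /* dummy img_type_uuid + location_uuid */
    fwu_md_update_crc(buf);
    return SAMPLE_MD_SIZE;
}
```

Usage: call build_sample_metadata() (or read the partition into a buffer), then fwu_md_parse() to see active_index, previous_active_index and bank_state[], and fwu_md_accept_bank() to do the one thing a mark-good step can record here. Comparing bank_state[active_index] before and after rauc-mark-good is a quick way to see whether that service touched the metadata at all, independently of what happens to the boot counter.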

Hello @maxim-senec,

 

I just realized you work on MP15 instead of MP25....

For MP15, having a look at the wiki, it seems the bootcount is stored in a non-secure backup register, so it is possible to reset it through Linux: see wiki link.

 

For MP2, the bootcount is stored in the backup register TAMP_BKP48R (wiki link), which is "secured write, non secured read": TF-A and OP-TEE (which are secured) are allowed to update it, but not the kernel (not secured), which is only allowed to read it.

The workaround would be to store the bootcount in a non-secure-write register so Linux would be able to update it.

 

The metadata partition is writable by Linux, and only readable by TF-A: its purpose is mainly to manage the active_index (the index of the newly flashed image), and the previous_active_index in case of failure of the newly flashed image (when the bootcount has reached the threshold after 3 reboots).

Hope I'm clear enough,

BR,

Christophe

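For the STM32MP15 case described above, where the boot count lives in a backup register that Linux is allowed to write, here is an added example tool, not from this thread, from meta-st-ota or from the ST wiki, that reads the FWU info backup register through /dev/mem and optionally rewrites its count field. The register index (TAMP_BKP10R) and the bit layout (bits [3:0] active index, bits [7:4] boot count) are my reading of TF-A's plat/st/stm32mp1/stm32mp1_def.h and are assumptions to check against your TF-A tree and the wiki page; the TAMP base 0x5C00A000 and the backup-register offset 0x100 are from the STM32MP15 memory map. It must run as root on a kernel that permits /dev/mem access to that range, and it assumes the RTCAPB clock that gates the backup registers is enabled (if every read returns 0, check that clock first). Which value to write back is whatever your TF-A build starts a trial from (4 in the log above).

```c
/* Added example: read/rewrite the FWU boot count that TF-A keeps in an
 * STM32MP15 TAMP backup register, from Linux via /dev/mem. Register index and
 * bit layout are ASSUMPTIONS from TF-A's stm32mp1_def.h: verify before use. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define TAMP_BASE          0x5C00A000UL            /* STM32MP15 TAMP peripheral */
#define TAMP_BKP_REG_BASE  (TAMP_BASE + 0x100UL)   /* TAMP_BKP0R */
#define FWU_INFO_REG_ID    10U                     /* assumed: TAMP_BKP10R, non-secure zone */
#define FWU_INFO_IDX_SHIFT 0U
#define FWU_INFO_IDX_MASK  (0xFU << FWU_INFO_IDX_SHIFT)
#define FWU_INFO_CNT_SHIFT 4U
#define FWU_INFO_CNT_MASK  (0xFU << FWU_INFO_CNT_SHIFT)

struct fwu_info { uint32_t active_index; uint32_t boot_count; };

/* Pure helpers, so the field encoding can be unit-tested off the board. */
struct fwu_info fwu_info_decode(uint32_t reg)
{
    struct fwu_info fi = {
        (reg & FWU_INFO_IDX_MASK) >> FWU_INFO_IDX_SHIFT,
        (reg & FWU_INFO_CNT_MASK) >> FWU_INFO_CNT_SHIFT,
    };
    return fi;
}

/* Replace only the count field; the active index and any other bits are kept. */
uint32_t fwu_info_set_count(uint32_t reg, uint32_t count)
{
    return (reg & ~FWU_INFO_CNT_MASK) | ((count << FWU_INFO_CNT_SHIFT) & FWU_INFO_CNT_MASK);
}

/* Map the page holding the backup registers; returns a pointer to our register. */
static volatile uint32_t *map_fwu_info_reg(int *fd_out, void **page_out, size_t *page_len)
{
    int fd = open("/dev/mem", O_RDWR | O_SYNC);
    if (fd < 0) return NULL;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned long reg_addr = TAMP_BKP_REG_BASE + 4UL * FWU_INFO_REG_ID;
    unsigned long base = reg_addr & ~(page - 1);
    void *m = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, (off_t)base);
    if (m == MAP_FAILED) { close(fd); return NULL; }
    *fd_out = fd; *page_out = m; *page_len = page;
    return (volatile uint32_t *)((uint8_t *)m + (reg_addr - base));
}

/* usage: fwu-bootcount          -> print active index and boot count
 *        fwu-bootcount <count>  -> also write <count> into the count field */
int main(int argc, char **argv)
{
    int fd; void *page; size_t page_len;
    volatile uint32_t *reg = map_fwu_info_reg(&fd, &page, &page_len);
    if (reg == NULL) { perror("map TAMP backup registers"); return 1; }

    uint32_t raw = *reg;
    struct fwu_info fi = fwu_info_decode(raw);
    printf("FWU_INFO=0x%08x active_index=%u boot_count=%u\n", raw, fi.active_index, fi.boot_count);

    if (argc > 1) {
        uint32_t want = (uint32_t)strtoul(argv[1], NULL, 0);
        if (want > 0xFU) { fprintf(stderr, "count must fit in 4 bits\n"); return 2; }
        *reg = fwu_info_set_count(raw, want);
        raw = *reg;                      /* read back, so a write the hardware refused is visible */
        fi = fwu_info_decode(raw);
        printf("after write: boot_count=%u%s\n", fi.boot_count,
               fi.boot_count == want ? "" : " (write not applied: register write-protected?)");
    }
    munmap(page, page_len);
    close(fd);
    return 0;
}
```

The read-back after the write is the check that matters: if the register turns out to sit in a write-protected TAMP zone on your board, the value will simply not change, which is the MP2 situation described above and the reason a TA is needed there. Running the tool once before and once after rauc-mark-good shows directly whether anything on the Linux side touched the count.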