Transient override address, component_prep_image_update.

Fixes from review.

Fix memory alias for RoT Hubris 'B' image's access to transient boot override setting.

`component_update_prep_image` was using `bootstate` to determine active
image. The `same_image` function is a more direct test and does not
depend on `bootstate` being valid.

Author: lzrd

chips/lpc55/memory.toml

@@ -103,7 +103,7 @@ execute = false
 
 [[override]]
 name = "b"
-address = 0x3003ffe0
+address = 0x2003ffe0
 size = 32
 read = true
 write = true

drv/lpc55-update-server/src/main.rs

@@ -498,48 +498,53 @@ impl idl::InOrderUpdateImpl for ServerImpl<'_> {
             UpdateState::Finished | UpdateState::NoUpdate => (),
         }
 
-        let image = match (component, slot) {
+        self.image = match (component, slot) {
             (RotComponent::Hubris, SlotId::A)
             | (RotComponent::Hubris, SlotId::B) => {
-                let active = match bootstate()
-                    .map_err(|_| UpdateError::MissingHandoffData)?
-                    .active
-                {
-                    stage0_handoff::RotSlot::A => SlotId::A,
-                    stage0_handoff::RotSlot::B => SlotId::B,
-                };
-                if active == slot {
+                // Fail early on attempt to update the running image.
+                if same_image(component, slot) {
                     return Err(UpdateError::InvalidSlotIdForOperation.into());
                 }
+
                 // Rollback protection will be implemented by refusing to set
-                // boot preference to an image that has a lower EPOC vale in the
-                // caboose.
-                //
+                // boot preference to an image that has a lower EPOC value in
+                // its caboose.
                 // Setting the boot preference before updating would sidestep that
                 // protection. So, we will fail the prepare step if any
                 // preference settings are selecting the update target image.
+                //
+                // After the update, the boot image selection will be based on:
+                //   - there being only one properly signed image, or
+                //   - transient boot selection (highest priority), or
+                //   - pending persistent selection (altering the persistent
+                //     selection)
+                //   - persistent preference if neither of the above was used.
+
                 let (persistent, pending_persistent, transient) =
                     self.boot_preferences()?;
+
+                // The transient preference must not select the update target.
                 if let Some(pref) = transient {
-                    if active != pref {
+                    if slot == pref {
                         return Err(UpdateError::InvalidPreferredSlotId.into());
                     }
                 }
+                // If there is a pending persistent preference, it must
+                // not select the update target.
                 if let Some(pref) = pending_persistent {
-                    if active != pref {
+                    if slot == pref {
                         return Err(UpdateError::InvalidPreferredSlotId.into());
                     }
-                }
-                if active != persistent {
+                } else if slot == persistent {
+                    // If there is no pending persistent preference, then the
+                    // persistent preference must select the currently active image.
                     return Err(UpdateError::InvalidPreferredSlotId.into());
                 }
                 Some((component, slot))
             }
             (RotComponent::Stage0, SlotId::B) => Some((component, slot)),
             _ => return Err(UpdateError::InvalidSlotIdForOperation.into()),
         };
-
-        self.image = image;
         self.state = UpdateState::InProgress;
         ringbuf_entry!(Trace::State(self.state));
         self.next_block = None;