swap_move: correct appsize calcs and warning

app_max_sectors() is always off by one in its calculation.
This corrects that calculation as well as the warning which
should only be comparing the two slot sector counts and
checking to see if they are different by one sector for
the swap sector. The size of the application is not relevant
in that warning for optimal sector distribution.

Additionally app_max_size() suffers similarly in that it
is not taking into account the fact that the secondary
slot does also contain a trailer.

Finally makes a minor addition to the design document which
further clarifies the primary and secondary partition size
differences.

Signed-off-by: Robert Wolff <[email protected]>
(cherry picked from commit 5aed424)

Author: bobwolff68

boot/bootutil/src/swap_move.c

@@ -243,7 +243,8 @@ static int app_max_sectors(struct boot_loader_state *state)
 
     sector_sz = boot_img_sector_size(state, BOOT_PRIMARY_SLOT, 0);
     trailer_sz = boot_trailer_sz(BOOT_WRITE_SZ(state));
-    first_trailer_idx = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT) - 1;
+    /* subtract 1 for swap and at least 1 for trailer */
+    first_trailer_idx = boot_img_num_sectors(state, BOOT_PRIMARY_SLOT) - 2;
 
     while (1) {
         sz += sector_sz;
@@ -283,9 +284,10 @@ boot_slots_compatible(struct boot_loader_state *state)
         return 0;
     }
 
-    if (num_usable_sectors_pri != (num_sectors_sec + 1)) {
+    /* Optimal says primary has one more than secondary. Always. Both have trailers. */
+    if (num_sectors_pri != (num_sectors_sec + 1)) {
         BOOT_LOG_DBG("Non-optimal sector distribution, slot0 has %d usable sectors (%d assigned) "
-                     "but slot1 has %d assigned", (int)(num_usable_sectors_pri - 1),
+                     "but slot1 has %d assigned", (int)num_usable_sectors_pri,
                      (int)num_sectors_pri, (int)num_sectors_sec);
     }
 
@@ -587,7 +589,7 @@ int app_max_size(struct boot_loader_state *state)
 
     /* Account for image flags and move sector */
     sz_primary = app_max_sectors(state) * sector_sz_primary - sector_sz_primary;
-    sz_secondary = boot_img_num_sectors(state, BOOT_SECONDARY_SLOT) * sector_sz_secondary;
+    sz_secondary = app_max_sectors(state) * sector_sz_secondary;
 
     return (sz_primary <= sz_secondary ? sz_primary : sz_secondary);
 }

docs/design.md

@@ -269,6 +269,12 @@ Where:
   is equal to 1056 B and the sector size is equal to 1024 B, then
   `image-trailer-sectors-size` will be equal to 2048 B.
 
+This does imply, if there is any doubt, that the primary slot will be exactly
+one sector larger than the secondary slot due to the swap sector alone. It is
+the case that both the primary and secondary slots both have a trailer in
+addition to the application payload and these trailers are identical in size
+to one another.
+
 The algorithm does two erase cycles on the primary slot and one on the secondary
 slot during each swap. Assuming that receiving a new image by the DFU
 application requires 1 erase cycle on the secondary slot, this should result in