SFTP-OTA: Does it recover from a bad update?

[jubeormk1]

Rationale

As pointed out in Radically Open Security Audit #7, we should guarantee that a bad OTA would not brick the system.

This has been partially addressed in the sftp-ota feature for Espressif devices, but I am afraid that I am missing the last step to guarantee it. Enable the Rollback mechanism! We need to check the current state and fix it:

Tasks

• Apply a faulty OTA update and assess what is the result: Rollback or brick?
• If bricked add configuration to enable Espressif Rollback mechanism
• Document the findings and modifications

[brainstorm]

AFAICT this requires compiling a custom bootloader (via esp-idf) and enabling the CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE? I cannot find any similar variable in https://github.com/esp-rs/esp-hal/tree/main/esp-bootloader-esp-idf, so that probably means we've to create our own BLOBs for that to work :-S

Not against it, just noting that it might get tricky, although mostly on the CD (Continuous Deployment) side, when and if we provide pre-compiled firmware images users can flash directly to their devices to get started.

[jubeormk1]

That is a fair point. I will do some exploration work to see what would it require.