altos: Validate boot chain start address

If the first block of boot memory has been smashed, and the start
address is bogus, don't bother trying to jump to the
application. This makes the system more resiliant to flash failures,
presuming the loader erases the first block, programs the other blocks
and then finally comes back to program the first block.

Signed-off-by: Keith Packard <keithp@keithp.com>

diff --git a/src/stm/ao_boot_chain.c b/src/stm/ao_boot_chain.c
index 9c63272b34b2261cd77cce868b93b31b0b6ce905..668f6e6d6813aab8d0b6a8afc3190dcc91f7878a 100644 (file)
--- a/src/stm/ao_boot_chain.c
+++ b/src/stm/ao_boot_chain.c
@@ -26,9 +26,11 @@ ao_boot_chain(uint32_t *base)
 
        sp = base[0];
        pc = base[1];
-       asm ("mov sp, %0" : : "r" (sp));
-       asm ("mov lr, %0" : : "r" (pc));
-       asm ("bx lr");
+       if (0x08000100 <= pc && pc <= 0x08200000) {
+               asm ("mov sp, %0" : : "r" (sp));
+               asm ("mov lr, %0" : : "r" (pc));
+               asm ("bx lr");
+       }
 }
 
 #define AO_BOOT_SIGNAL 0x5a5aa5a5