
Implement anti-rollback protection in MCUBoot
Closed, Resolved, Public

Description

The check of the security counter must be added to the image validation process:

  • Use tfm_nv_counters to save the security counter from the image manifest to the NV counter area
  • Always extract the security counter from the image manifest and compare it with the latest corresponding value in the NV counter area or in the active image's manifest (the current security counter)

In case of a normal boot (no SW update is in progress):

  • Accept an image if the security counter in its image manifest is greater than or equal to the current security counter
  • Do not let an image boot if its security counter is less than the current security counter

In case of a SW upgrade:

  • Accept the new image if the security counter in its image manifest is greater than or equal to the current security counter
  • Decline the update if the new image's security counter in the manifest is less than the current security counter

Update the value of security counter in NV counter area:

  • Overwrite-only mode: when the old image has been overwritten with the new one
  • Swap mode: only if the image_ok flag has already been set by the run-time SW, so that a revert to the old image is not prevented
  • Non-swap, RAM loading: when there is a valid image in one of the image slots whose security counter is greater than the corresponding counter in the NV counter area
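The rules above as a small C model, added here as an example and not code from TF-M or MCUBoot: the check is the same for a normal boot and an upgrade, and the NV counter only advances under the per-mode conditions listed. The NV counter store and all function and enum names are hypothetical stand-ins for the real tfm_nv_counters API.

```c
/* Added example (not TF-M or MCUBoot code): models the security-counter
 * decisions from the task with a hypothetical in-memory NV counter area. */
#include <stdbool.h>
#include <stdint.h>

enum upgrade_mode { MODE_OVERWRITE_ONLY, MODE_SWAP, MODE_RAM_LOAD };

/* Hypothetical NV counter area: one monotonic counter per image index. */
static uint32_t nv_sec_cnt[2] = {0, 0};

uint32_t nv_counter_read(int image_index) { return nv_sec_cnt[image_index]; }

/* Monotonic write: the NV counter may only grow; a lower or equal value is
 * not written (a real NV counter cannot be decremented). */
bool nv_counter_update(int image_index, uint32_t new_value) {
    if (new_value <= nv_sec_cnt[image_index]) return false;
    nv_sec_cnt[image_index] = new_value;
    return true;
}

/* Validation rule for both normal boot and upgrade: the manifest counter
 * must be >= the current security counter. Returns true if the image may
 * be booted / installed. */
bool security_counter_check(uint32_t manifest_cnt, uint32_t current_cnt) {
    return manifest_cnt >= current_cnt;
}

/* Whether the NV counter may be advanced after a successful validation,
 * following the three upgrade modes described in the task. */
bool should_update_nv_counter(enum upgrade_mode mode, bool overwrite_done,
                              bool image_ok, uint32_t manifest_cnt,
                              uint32_t current_cnt) {
    if (manifest_cnt <= current_cnt) return false;   /* nothing to advance */
    switch (mode) {
    case MODE_OVERWRITE_ONLY: return overwrite_done; /* old image is gone */
    case MODE_SWAP:           return image_ok;       /* revert no longer needed */
    case MODE_RAM_LOAD:       return true;           /* valid image with higher counter */
    }
    return false;
}

/* Boot-time flow: validate, then record the counter when the mode allows.
 * Returns 0 when the image is accepted, -1 when it is rejected as a rollback. */
int validate_and_record(int image_index, uint32_t manifest_cnt,
                        enum upgrade_mode mode, bool overwrite_done, bool image_ok) {
    uint32_t current_cnt = nv_counter_read(image_index);
    if (!security_counter_check(manifest_cnt, current_cnt)) return -1;
    if (should_update_nv_counter(mode, overwrite_done, image_ok, manifest_cnt, current_cnt))
        nv_counter_update(image_index, manifest_cnt);
    return 0;
}
```

Note that in swap mode an accepted but unconfirmed image leaves the NV counter untouched, so a revert to the old image stays possible until image_ok is set.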

Related design document: https://developer.trustedfirmware.org/w/tf_m/design/trusted_boot/rollback_protection/