Always validate slot 0 when requested

The MCUBOOT_VALIDATE_SLOT0 feature only verifies the signature when
there is no swapping happening.  The assumption was that if there is a
swap being done, the code will verify the signature of slot 1 before
doing the slot.

However, either due to bugs, or intentional trickery, it may be possible
to confuse the code into continuing a swap operation.  If the data is
modified before this, the bootloader can be tricked into booting the
resulting image in slot 0 without having verified the signature.

Fix this by always verifying slot 0's signature before booting it.

JIRA: MCUB-64
Signed-off-by: David Brown <david.brown@linaro.org>
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index dc1e88d..aa6e1ab 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -1273,14 +1273,6 @@
 
     switch (swap_type) {
     case BOOT_SWAP_TYPE_NONE:
-#ifdef MCUBOOT_VALIDATE_SLOT0
-        rc = boot_validate_slot(0);
-        assert(rc == 0);
-        if (rc != 0) {
-            rc = BOOT_EBADIMAGE;
-            goto out;
-        }
-#endif
         slot = 0;
         break;
 
@@ -1310,6 +1302,15 @@
         break;
     }
 
+#ifdef MCUBOOT_VALIDATE_SLOT0
+    rc = boot_validate_slot(0);
+    assert(rc == 0);
+    if (rc != 0) {
+        rc = BOOT_EBADIMAGE;
+        goto out;
+    }
+#endif
+
     /* Always boot from the primary slot. */
     rsp->br_flash_dev_id = boot_img_fa_device_id(&boot_data, 0);
     rsp->br_image_off = boot_img_slot_off(&boot_data, 0);