Supporting more robust recovery on Raspberry Pi

Nerves provides a lot of functionality in service of robustness. One of the big ones is the mechanism for recovering from bad firmware. Essentially, if you have made a firmware update using the default fwup-based mechanism, the device would attempt a boot from the new partition, and if the firmware was validated within X minutes it would write the change to make it permanent. If it failed for any reason, including rebooting before the system comes up, it would fall back to the old one.

Except for the Raspberry Pi, sometimes. The Raspberry Pi does not have the same mechanisms as a BeagleBone Black or other commercially focused boards. And it did not have a solid special mechanism for this for quite some time. This meant that there were limitations to what Nerves could recover on the RPi compared to some other platforms.

This is close to being fixed. A while back they shipped tryboot; you can read about it here. Suffice to say it is a mechanism for performing this type of update with a flag that will last for only one reboot unless properly persisted.

If you are using RPi devices in production or have seen these types of problems, I strongly recommend trying this branch and shipping some broken firmware to confirm it does what you expect.

You can see the changes in this branch and try it yourself on the RPi4:

Or you can do it with the Pi Zero 2 (also the RPi3A+):

You also need to run the main branch of nerves_runtime as it exposes some important API to make this work.

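The try-once-then-persist behaviour described above, as a simplified model added here for illustration; it is not Nerves, fwup or Raspberry Pi bootloader code. The slot names A/B, the `Device` class and its methods are hypothetical, and the scenarios are constructed.

```python
"""Simplified model of a one-shot trial boot with fallback (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Device:
    persisted: str = "A"            # slot the bootloader uses by default
    try_once: Optional[str] = None  # one-shot flag: slot to try on the next boot only
    running: Optional[str] = None   # slot currently up, None if the boot failed

    def stage_update(self) -> None:
        """Write new firmware to the inactive slot and arm the one-shot flag."""
        self.try_once = "B" if self.persisted == "A" else "A"

    def boot(self, healthy: Set[str]) -> Optional[str]:
        """Bootloader step: consume the flag before the OS starts, then pick a slot.

        Because the flag is cleared here, a hang, crash or power cut during the
        trial boot cannot leave the device stuck on the new slot.
        """
        slot, self.try_once = (self.try_once or self.persisted), None
        self.running = slot if slot in healthy else None
        return self.running

    def validate(self) -> None:
        """Userland step: make the running trial slot the permanent default."""
        if self.running is None:
            raise RuntimeError("nothing is running, cannot validate")
        self.persisted = self.running


def run_update(new_firmware_boots: bool, validated_in_time: bool) -> Tuple[str, str]:
    """Update a device running slot A; return (running slot, persisted slot)."""
    dev = Device()
    dev.stage_update()
    healthy = {"A", "B"} if new_firmware_boots else {"A"}
    if dev.boot(healthy) == "B" and validated_in_time:
        dev.validate()
    else:
        dev.boot(healthy)  # watchdog, power cycle or validation timeout: reboot
    return dev.running, dev.persisted


if __name__ == "__main__":
    for boots, validated in [(True, True), (True, False), (False, False)]:
        print(f"boots={boots} validated={validated} ->", run_update(boots, validated))
```

The second scenario is the one worth reproducing on real hardware: firmware that boots but never validates must still end up back on the old slot.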