samples: ironside_se: Add sample that protects periphconf

Add a sample that demonstrates how to protect periphconf using
PROTECTEDMEM.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>

Author: SebastianBoe

samples/ironside_se/protectedmem_periphconf/CMakeLists.txt

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+cmake_minimum_required(VERSION 3.13.1)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+
+project(protectedmem_periphconf)
+
+target_sources(app PRIVATE
+  src/main.c
+  )
+

samples/ironside_se/protectedmem_periphconf/README.rst

@@ -0,0 +1,173 @@
+.. _protectedmem_periphconf_sample:
+
+Protected Memory with PERIPHCONF Partition
+##########################################
+
+.. contents::
+   :local:
+   :depth: 2
+
+This sample demonstrates how to protect the ``periphconf_partition`` using UICR.PROTECTEDMEM. The sample shows that when protected memory is modified, the integrity check fails on the next boot, causing IronSide SE to boot a secondary firmware instead of the main application.
+
+Requirements
+************
+
+The sample supports the following development kit:
+
+.. table-from-sample-yaml::
+
+Overview
+********
+
+This sample demonstrates:
+
+* How to configure UICR.PROTECTEDMEM to protect a memory region
+* How to relocate the ``periphconf_partition`` using a device tree overlay to be placed right after ``cpuapp_boot_partition``
+* How to configure the PROTECTEDMEM size in Kconfig to cover both ``cpuapp_boot_partition`` and ``periphconf_partition``
+* How to configure a secondary firmware that boots when PROTECTEDMEM integrity check fails
+* How the protected memory region prevents unauthorized modifications by causing the secondary firmware to boot when integrity is violated
+
+The sample works as follows:
+
+1. The application writes a test pattern to the protected memory region
+2. The application then reboots
+3. On the next boot, the IronSide SE performs an integrity check of the protected memory region
+4. If the integrity check fails (because the memory was modified), IronSide SE automatically boots the secondary firmware instead of the main application
+5. The secondary firmware prints a message indicating that the PROTECTEDMEM integrity check failed, demonstrating that unauthorized modifications are detected and prevented
+
+Building and running
+*********************
+
+.. |sample path| replace:: :file:`samples/ironside_se/protectedmem_periphconf`
+
+.. include:: /includes/build_and_run_ns.txt
+
+To build the sample, run the following command:
+
+.. code-block:: console
+
+   west build -b <board> samples/ironside_se/protectedmem_periphconf
+
+To program the sample on the device, run the following command:
+
+.. code-block:: console
+
+   west flash
+
+Testing
+*******
+
+After programming the sample to your development kit, complete the following steps to test it:
+
+1. |connect_terminal|
+#. Reset the kit.
+#. Observe the console output:
+
+When you run the sample, you should see:
+
+.. code-block:: console
+
+   [00:00:00.123,456] === Protected Memory Demo ===
+   [00:00:00.123,457] periphconf_partition address: 0x0e040000
+   [00:00:00.123,458] periphconf_partition size: 0x2000 bytes
+   [00:00:00.123,459] Last 16-byte aligned area start: 0x0e041ff0
+   [00:00:00.123,460] Test write address (last 4 bytes): 0x0e041ffc
+   [00:00:00.123,461] Current value at protected address: 0xffffffff
+   [00:00:00.123,462]
+   [00:00:00.123,463] This sample demonstrates UICR.PROTECTEDMEM protection.
+   [00:00:00.123,464] When protected memory is modified, the integrity check will fail
+   [00:00:00.123,465] on the next boot, preventing the device from booting.
+   [00:00:00.123,466]
+   [00:00:00.123,467] Attempting to write test pattern 0xdeadbeef to protected memory...
+   [00:00:00.123,468] Readback value: 0xdeadbeef
+   [00:00:00.123,469] Write successful (in current boot).
+   [00:00:00.123,470]
+   [00:00:00.123,471] Rebooting...
+   [00:00:00.123,472] After reboot, if protection is working correctly:
+   [00:00:00.123,473]   - The integrity check will detect the modification
+   [00:00:00.123,474]   - The device will fail to boot with an integrity error
+   [00:00:00.123,475]   - You should see a boot error status indicating PROTECTEDMEM integrity failure
+   [00:00:00.123,476]
+   [00:00:00.123,477] If protection is NOT working, the device will boot normally
+   [00:00:00.123,478] and you will see this message again.
+
+After the reboot, if protection is working correctly, the secondary firmware will boot instead of the main application.
+You should see the following output from the secondary firmware:
+
+.. code-block:: console
+
+   [00:00:01.234,567] *** Booting nRF Connect SDK v3.1.99-1baadd786027 ***
+   [00:00:01.234,568] *** Using Zephyr OS v4.2.99-d7669eff2b94 ***
+   [00:00:01.234,569] === Secondary Firmware Booted ===
+   [00:00:01.234,570] PROTECTEDMEM integrity check FAILED - device booted secondary firmware
+   [00:00:01.234,571] This indicates that protected memory was modified and integrity check failed.
+
+This demonstrates that the integrity check detected the modification and prevented the main application from booting.
+
+Configuration
+*************
+
+The sample uses the following key configurations:
+
+Device Tree Overlay
+===================
+
+The ``app.overlay`` file relocates the ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition``.
+The ``sysbuild.cmake`` file applies this same overlay to the UICR image so both images see the same partition layout:
+
+.. code-block:: dts
+
+   &mram1x {
+       partitions {
+           periphconf_partition: partition@40000 {
+               reg = <0x40000 DT_SIZE_K(8)>;
+           };
+           cpuapp_slot0_partition: partition@42000 {
+               reg = <0x42000 DT_SIZE_K(328)>;
+           };
+       };
+   };
+
+This places the partition at offset 0x40000 (right after ``cpuapp_boot_partition`` at 0x30000 with size 64KB).
+
+Kconfig Configuration
+=====================
+
+The ``sysbuild/uicr.conf`` file configures the PROTECTEDMEM size for the UICR image to cover both partitions:
+
+.. code-block:: cfg
+
+   CONFIG_GEN_UICR_PROTECTEDMEM_SIZE_BYTES=73728
+
+This covers:
+* ``cpuapp_boot_partition``: 64KB (0x10000)
+* ``periphconf_partition``: 8KB (0x2000)
+* Total: 72KB (0x12000) = 18 * 4KB blocks
+
+Note that the UICR image configuration is in ``sysbuild/uicr.conf``, not in the main application's Kconfig, as the UICR generation is handled by a separate sysbuild image.
+
+Secondary Firmware
+==================
+
+The sample includes a secondary firmware (in the ``secondary/`` directory) that boots automatically when the PROTECTEDMEM integrity check fails. The secondary firmware is configured in ``sysbuild/uicr.conf``:
+
+.. code-block:: cfg
+
+   CONFIG_GEN_UICR_SECONDARY=y
+
+The secondary firmware is built as part of the sysbuild process (configured in ``sysbuild.cmake``) and is placed in the ``secondary_partition``. When IronSide SE detects that the PROTECTEDMEM integrity check has failed, it automatically boots the secondary firmware instead of the main application, allowing you to detect and handle the integrity violation.
+
+Dependencies
+************
+
+This sample uses the following |NCS| subsystems:
+
+* UICR generation - Configures UICR.PROTECTEDMEM to protect the memory region and UICR.SECONDARY to enable secondary firmware boot
+* Sysbuild - Enables building the UICR image and secondary firmware with the protected memory configuration
+
+In addition, it uses the following Zephyr subsystems:
+
+* :ref:`Kernel <kernel>` - Provides basic system functionality and threading
+* :ref:`Console <console>` - Enables UART console output for debugging and user interaction
+* Device Tree - Defines the partition layout
+

samples/ironside_se/protectedmem_periphconf/app.overlay

@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/* Delete the original partitions before redefining them */
+/delete-node/ &cpuapp_slot0_partition;
+/delete-node/ &periphconf_partition;
+
+/ {
+	/* Move periphconf_partition to be right after cpuapp_boot_partition */
+};
+
+&mram1x {
+	partitions {
+
+		/* cpuapp_boot_partition is at 0x30000 with size 64KB (0x10000) */
+		/* Move periphconf_partition to 0x40000 (right after cpuapp_boot_partition) */
+		periphconf_partition: partition@40000 {
+			reg = <0x40000 DT_SIZE_K(8)>;
+		};
+
+		/* Move cpuapp_slot0_partition to start after periphconf_partition */
+		/* periphconf_partition ends at 0x42000, so slot0 starts there */
+		cpuapp_slot0_partition: partition@42000 {
+			reg = <0x42000 DT_SIZE_K(328)>;
+		};
+	};
+};
+

samples/ironside_se/protectedmem_periphconf/prj.conf

@@ -0,0 +1,12 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable MPU to allow writing to protected memory region for demonstration
+CONFIG_ARM_MPU=n
+
+# Note: UICR configuration (GEN_UICR_PROTECTEDMEM, etc.) is done in sysbuild/uicr.conf
+# for the UICR image, not in the main application's prj.conf
+

samples/ironside_se/protectedmem_periphconf/sample.yaml

@@ -0,0 +1,36 @@
+sample:
+  name: Protected Memory PERIPHCONF Sample
+  description: |
+    Sample demonstrating UICR.PROTECTEDMEM protection of the periphconf_partition.
+    The sample relocates periphconf_partition to be right after
+    cpuapp_boot_partition and configures PROTECTEDMEM to protect both partitions.
+    The sample writes to the protected area, reboots, and demonstrates that the
+    integrity check fails on boot, preventing the device from booting when the
+    protected memory is modified.
+
+common:
+  sysbuild: true
+  harness: console
+  harness_config:
+    type: multi_line
+    ordered: true
+    regex:
+      - "=== Protected Memory Demo ==="
+      - "Attempting to write test pattern"
+      - "Write successful \\(in current boot\\)\\."
+      - "Rebooting\\.\\.\\."
+      # When PROTECTEDMEM integrity check fails, secondary firmware boots
+      - "=== Secondary Firmware Booted ==="
+      - "PROTECTEDMEM integrity check FAILED"
+
+tests:
+  samples.protectedmem_periphconf.nrf54h20dk:
+    tags:
+      - sysbuild
+      - ci_samples_sdfw
+    platform_allow:
+      - nrf54h20dk/nrf54h20/cpuapp
+    integration_platforms:
+      - nrf54h20dk/nrf54h20/cpuapp
+    timeout: 7
+

samples/ironside_se/protectedmem_periphconf/secondary/CMakeLists.txt

@@ -0,0 +1,10 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+cmake_minimum_required(VERSION 3.20.0)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(secondary)
+
+target_sources(app PRIVATE src/main.c)
+

samples/ironside_se/protectedmem_periphconf/secondary/app.overlay

@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/ {
+	chosen {
+		zephyr,code-partition = &secondary_partition;
+	};
+};
+

samples/ironside_se/protectedmem_periphconf/secondary/prj.conf

@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+CONFIG_IS_IRONSIDE_SE_SECONDARY_IMAGE=y
+
+# Use the devicetree chosen code-partition to determine flash load offset
+CONFIG_USE_DT_CODE_PARTITION=y
+
+# NB: app.overlay sets zephyr,code-partition to secondary_partition
+

samples/ironside_se/protectedmem_periphconf/secondary/src/main.c

@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA.
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <zephyr/kernel.h>
+#include <zephyr/sys/printk.h>
+
+int main(void)
+{
+	printk("=== Secondary Firmware Booted ===\n");
+	printk("PROTECTEDMEM integrity check FAILED - device booted secondary firmware\n");
+	printk("This indicates that protected memory was modified and integrity check failed.\n");
+
+	/* Keep the secondary image running */
+	while (1) {
+		k_msleep(1000);
+	}
+
+	return 0;
+}
+