samples: ironside_se: Add sample that protects periphconf #25482
Conversation
NordicBuilder
added
doc-required
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a new sample demonstrating UICR.PROTECTEDMEM functionality for protecting memory regions on IronSide SE devices. The sample showcases how modifications to protected memory trigger integrity check failures that prevent normal boot and instead launch secondary firmware.
- Adds a complete sample with main and secondary firmware applications
- Configures PROTECTEDMEM to cover cpuapp_boot_partition and periphconf_partition
- Demonstrates integrity violation detection through automated testing
Reviewed Changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| samples/ironside_se/protectedmem_periphconf/sysbuild/uicr.conf | Configures PROTECTEDMEM size and enables secondary firmware |
| samples/ironside_se/protectedmem_periphconf/sysbuild.cmake | Sets up sysbuild for secondary firmware and applies device tree overlay |
| samples/ironside_se/protectedmem_periphconf/src/main.c | Main application that writes to protected memory and triggers reboot |
| samples/ironside_se/protectedmem_periphconf/secondary/src/main.c | Secondary firmware that boots on integrity failure |
| samples/ironside_se/protectedmem_periphconf/secondary/prj.conf | Configuration for secondary image |
| samples/ironside_se/protectedmem_periphconf/secondary/app.overlay | Device tree overlay for secondary partition |
| samples/ironside_se/protectedmem_periphconf/secondary/CMakeLists.txt | Build configuration for secondary firmware |
| samples/ironside_se/protectedmem_periphconf/sample.yaml | Test configuration with expected console output patterns |
| samples/ironside_se/protectedmem_periphconf/prj.conf | Main application configuration |
| samples/ironside_se/protectedmem_periphconf/app.overlay | Device tree overlay relocating periphconf_partition |
| samples/ironside_se/protectedmem_periphconf/README.rst | Comprehensive documentation of the sample |
| samples/ironside_se/protectedmem_periphconf/CMakeLists.txt | Main application build configuration |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
CI InformationTo view the history of this post, click the 'edited' button above Inputs:Sources:sdk-nrf: PR head: 2f11738ae32c4740a6d7ad858c73514bf226b948 more detailssdk-nrf:
Github labels
List of changed files detected by CI (12)Outputs:ToolchainVersion: df3cc9d822 Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
|
You can find the documentation preview for this PR here. Preview links for modified nRF Connect SDK documents: |
hakonfam
left a comment
hakonfam
left a comment
There was a problem hiding this comment.
In general I would prefer if there was less output, less duplication of information, and less inline file contents in the rst.
| CONFIG_USE_DT_CODE_PARTITION=y | ||
|
|
||
| # NB: app.overlay sets zephyr,code-partition to secondary_partition | ||
|
|
There was a problem hiding this comment.
?
I thought this would be a compliance issue.
| zephyr,code-partition = &secondary_partition; | ||
| }; | ||
| }; | ||
|
|
There was a problem hiding this comment.
Why is there blank new lines one almost all the files?
|
|
||
| # Enable secondary firmware that boots on integrity failure | ||
| CONFIG_GEN_UICR_SECONDARY=y | ||
|
|
There was a problem hiding this comment.
Well, at least its consistent.
|
|
||
| return 0; | ||
| } | ||
|
|
| /* Get periphconf_partition address and size from device tree */ | ||
| #define PERIPHCONF_PARTITION_ADDRESS DT_FIXED_PARTITION_ADDR(DT_NODELABEL(periphconf_partition)) | ||
| #define PERIPHCONF_PARTITION_SIZE DT_REG_SIZE(DT_NODELABEL(periphconf_partition)) | ||
|
|
||
| /* Write to the last 4 bytes in a 16-byte aligned area within periphconf */ | ||
| /* Find the last 16-byte aligned area within the partition */ | ||
| #define MRAM_16BYTE_ALIGN 16 | ||
| #define PARTITION_END (PERIPHCONF_PARTITION_ADDRESS + PERIPHCONF_PARTITION_SIZE) | ||
| /* Find the start of the last 16-byte aligned area (round down to 16-byte boundary) */ | ||
| #define LAST_16BYTE_AREA_START ((PARTITION_END - MRAM_16BYTE_ALIGN) & ~(MRAM_16BYTE_ALIGN - 1)) | ||
| /* Write to the last 4 bytes of that 16-byte aligned area */ | ||
| #define TEST_WRITE_ADDRESS (LAST_16BYTE_AREA_START + MRAM_16BYTE_ALIGN - sizeof(uint32_t)) |
There was a problem hiding this comment.
Are any of these comments needed? IMO the macro names are self-explanatory.
| * How to relocate the ``periphconf_partition`` using a device tree overlay to be placed right after ``cpuapp_boot_partition`` | ||
| * How to configure the PROTECTEDMEM size in Kconfig to cover both ``cpuapp_boot_partition`` and ``periphconf_partition`` | ||
| * How to configure a secondary firmware that boots when PROTECTEDMEM integrity check fails | ||
| * How the protected memory region prevents unauthorized modifications by causing the secondary firmware to boot when integrity is violated |
There was a problem hiding this comment.
| * How the protected memory region prevents unauthorized modifications by causing the secondary firmware to boot when integrity is violated | |
| * How the protected memory region prevents unauthorized modifications by causing the secondary firmware to boot when integrity is violated. |
These are sentences, they should end with a period.
There was a problem hiding this comment.
removed to be less verbose
| 1. The application writes a test pattern to the protected memory region | ||
| 2. The application then reboots | ||
| 3. On the next boot, the IronSide SE performs an integrity check of the protected memory region | ||
| 4. If the integrity check fails (because the memory was modified), IronSide SE automatically boots the secondary firmware instead of the main application |
There was a problem hiding this comment.
We know that it will fail.
| 4. If the integrity check fails (because the memory was modified), IronSide SE automatically boots the secondary firmware instead of the main application | |
| 4. The integrity check fails since the memory was modified, and IronSide SE automatically boots the secondary firmware instead of the main application |
There was a problem hiding this comment.
removed to be less verbose
| 2. The application then reboots | ||
| 3. On the next boot, the IronSide SE performs an integrity check of the protected memory region | ||
| 4. If the integrity check fails (because the memory was modified), IronSide SE automatically boots the secondary firmware instead of the main application | ||
| 5. The secondary firmware prints a message indicating that the PROTECTEDMEM integrity check failed, demonstrating that unauthorized modifications are detected and prevented |
There was a problem hiding this comment.
Is this information needed?
There was a problem hiding this comment.
removed to be less verbose
| [00:00:00.123,457] periphconf_partition address: 0x0e040000 | ||
| [00:00:00.123,458] periphconf_partition size: 0x2000 bytes | ||
| [00:00:00.123,459] Last 16-byte aligned area start: 0x0e041ff0 | ||
| [00:00:00.123,460] Test write address (last 4 bytes): 0x0e041ffc | ||
| [00:00:00.123,461] Current value at protected address: 0xffffffff |
There was a problem hiding this comment.
As stated elsewhere we should compress the output of this sample.
There was a problem hiding this comment.
removed to be less verbose
| The ``app.overlay`` file relocates the ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition``. | ||
| The ``sysbuild.cmake`` file applies this same overlay to the UICR image so both images see the same partition layout: | ||
|
|
||
| .. code-block:: dts |
There was a problem hiding this comment.
Do we need to repeat the entire file contents in the doc?
There was a problem hiding this comment.
removed to be less verbose
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| integrity check fails on boot, preventing the device from booting into the primary image when the periphconf partition is tampered with. | ||
| protected memory is modified. | ||
|
|
There was a problem hiding this comment.
Lines 8-9 contain redundant and fragmented text. The phrase "when the periphconf partition is tampered with. protected memory is modified" appears to be duplicative or incomplete. Consider consolidating to: "integrity check fails on boot, preventing the device from booting into the primary image when protected memory is modified."
| integrity check fails on boot, preventing the device from booting into the primary image when the periphconf partition is tampered with. | |
| protected memory is modified. | |
| integrity check fails on boot, preventing the device from booting into the primary image when protected memory is modified. |
| # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause | ||
| # | ||
|
|
||
| cmake_minimum_required(VERSION 3.13.1) |
There was a problem hiding this comment.
Inconsistent CMake minimum version requirements across the sample. The main CMakeLists.txt requires 3.13.1 while secondary/CMakeLists.txt requires 3.20.0. Consider standardizing both to the same version (preferably 3.20.0 to match the secondary firmware and other recent samples).
| cmake_minimum_required(VERSION 3.13.1) | |
| cmake_minimum_required(VERSION 3.20.0) |
| / { | ||
| /* Move periphconf_partition to be right after cpuapp_boot_partition */ | ||
| }; |
There was a problem hiding this comment.
[nitpick] Empty root node serves no functional purpose. Consider removing this empty block as the comment alone doesn't justify the empty node structure.
| / { | |
| /* Move periphconf_partition to be right after cpuapp_boot_partition */ | |
| }; | |
| /* Move periphconf_partition to be right after cpuapp_boot_partition */ |
SebastianBoe
force-pushed
the
protected_periphconf
branch
from
1c8a554 to
ceccb7a
Compare
hakonfam
left a comment
hakonfam
left a comment
There was a problem hiding this comment.
These comments did not get included as part of my previous review for some reason.
Add a sample that demonstrates how to protect periphconf using PROTECTEDMEM. Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
SebastianBoe
force-pushed
the
protected_periphconf
branch
from
ceccb7a to
2f11738
Compare
|
@hakonfam please reassess |
| # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause | ||
| # | ||
|
|
||
| cmake_minimum_required(VERSION 3.13.1) |
|
|
||
| project(protectedmem_periphconf) | ||
|
|
||
| target_sources(app PRIVATE |
|
|
||
| &mram1x { | ||
| partitions { | ||
|
|
hakonfam
left a comment
hakonfam
left a comment
There was a problem hiding this comment.
Look good. We need to ensure that the correct rst is uncleded in the docs
|
|
||
| .. |sample path| replace:: :file:`samples/ironside_se/protectedmem_periphconf` | ||
|
|
||
| .. include:: /includes/build_and_run_ns.txt |
There was a problem hiding this comment.
Why is "_ns" used? Have we checked that this is correct?
|
|
||
| .. code-block:: console | ||
|
|
||
| west flash --recover |
There was a problem hiding this comment.
Do we know that --recover is needed?
There was a problem hiding this comment.
yes, using PROTECTEDMEM results in changes to MRAM that are not erased by "west flash".
| Overview | ||
| ******** | ||
|
|
||
| This sample demonstrates how to protect the ``periphconf_partition`` using UICR.PROTECTEDMEM. |
There was a problem hiding this comment.
| This sample demonstrates how to protect the ``periphconf_partition`` using UICR.PROTECTEDMEM. |
| .. contents:: | ||
| :local: | ||
| :depth: 2 | ||
|
|
There was a problem hiding this comment.
| This sample demonstrates how to protect the PERIPHCONF Partition using UICR.PROTECTEDMEM. | |
| ******** | ||
|
|
||
| This sample demonstrates how to protect the ``periphconf_partition`` using UICR.PROTECTEDMEM. | ||
| The sample relocates ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition`` and configures PROTECTEDMEM to cover both partitions. |
There was a problem hiding this comment.
| The sample relocates ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition`` and configures PROTECTEDMEM to cover both partitions. | |
| The sample relocates the ``periphconf_partition`` right after ``cpuapp_boot_partition`` and configures PROTECTEDMEM to cover both partitions. |
|
|
||
| This sample demonstrates how to protect the ``periphconf_partition`` using UICR.PROTECTEDMEM. | ||
| The sample relocates ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition`` and configures PROTECTEDMEM to cover both partitions. | ||
| When protected memory is modified, the integrity check fails on the next boot, causing IronSide SE to boot a secondary firmware instead of the main application. |
There was a problem hiding this comment.
| When protected memory is modified, the integrity check fails on the next boot, causing IronSide SE to boot a secondary firmware instead of the main application. | |
| When protected memory is modified, the integrity check fails on the next boot, causing |ISE| to boot the secondary firmware instead of the main application. |
| After programming the sample to your development kit, complete the following steps to test it: | ||
|
|
||
| 1. |connect_terminal| | ||
| #. Reset the kit. |
There was a problem hiding this comment.
| #. Reset the kit. | |
| #. Reset the development kit. |
| #. Reset the kit. | ||
|
|
||
| The application writes a test pattern to protected memory and then reboots. | ||
| On the next boot, if protection is working correctly, the secondary firmware will boot instead of the main application, indicating that the integrity check detected the modification. |
There was a problem hiding this comment.
| On the next boot, if protection is working correctly, the secondary firmware will boot instead of the main application, indicating that the integrity check detected the modification. | |
| On the next boot, if protection works correctly, the secondary firmware boots instead of the main application, indicating that the integrity check detected the modification. |
| Device Tree Overlay | ||
| =================== | ||
|
|
||
| The ``app.overlay`` file relocates the ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition`` at offset 0x40000. | ||
| The ``sysbuild.cmake`` file applies this same overlay to the UICR image so both images see the same partition layout. | ||
|
|
||
| Kconfig Configuration | ||
| ===================== | ||
|
|
||
| The ``sysbuild/uicr.conf`` file configures the PROTECTEDMEM size to 72KB (73728 bytes) to cover both ``cpuapp_boot_partition`` (64KB) and ``periphconf_partition`` (8KB). | ||
|
|
||
| Secondary Firmware | ||
| ================== | ||
|
|
||
| The sample includes a secondary firmware (in the ``secondary/`` directory) that boots automatically when the PROTECTEDMEM integrity check fails. | ||
| The secondary firmware is enabled via ``CONFIG_GEN_UICR_SECONDARY=y`` in ``sysbuild/uicr.conf`` and is built as part of the sysbuild process (configured in ``sysbuild.cmake``). |
There was a problem hiding this comment.
| Device Tree Overlay | |
| =================== | |
| The ``app.overlay`` file relocates the ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition`` at offset 0x40000. | |
| The ``sysbuild.cmake`` file applies this same overlay to the UICR image so both images see the same partition layout. | |
| Kconfig Configuration | |
| ===================== | |
| The ``sysbuild/uicr.conf`` file configures the PROTECTEDMEM size to 72KB (73728 bytes) to cover both ``cpuapp_boot_partition`` (64KB) and ``periphconf_partition`` (8KB). | |
| Secondary Firmware | |
| ================== | |
| The sample includes a secondary firmware (in the ``secondary/`` directory) that boots automatically when the PROTECTEDMEM integrity check fails. | |
| The secondary firmware is enabled via ``CONFIG_GEN_UICR_SECONDARY=y`` in ``sysbuild/uicr.conf`` and is built as part of the sysbuild process (configured in ``sysbuild.cmake``). | |
| Device Tree Overlay | |
| The ``app.overlay`` file relocates the ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition`` at offset 0x40000. | |
| The ``sysbuild.cmake`` file applies this same overlay to the UICR image so both images see the same partition layout. | |
| Kconfig Configuration | |
| The ``sysbuild/uicr.conf`` file configures the PROTECTEDMEM size to 72KB (73728 bytes) to cover both ``cpuapp_boot_partition`` (64KB) and ``periphconf_partition`` (8KB). | |
| Secondary Firmware | |
| The sample includes a secondary firmware (in the ``secondary/`` directory) that boots automatically when the PROTECTEDMEM integrity check fails. | |
| The secondary firmware is enabled via ``CONFIG_GEN_UICR_SECONDARY=y`` in ``sysbuild/uicr.conf`` and is built as part of the sysbuild process (configured in ``sysbuild.cmake``). |
|
|
||
| * :ref:`Kernel <kernel>` - Provides basic system functionality and threading | ||
| * :ref:`Console <console>` - Enables UART console output for debugging and user interaction | ||
| * Device Tree - Defines the partition layout |
There was a problem hiding this comment.
| * Device Tree - Defines the partition layout | |
| * Devicetree - Defines the partition layout |
6 participants
Add a sample that demonstrates how to protect periphconf using PROTECTEDMEM.