sysbuild: HW-based rollback protection on nRF54H20

Allow to enable HW-based rollback protection on nRF54H20.

Ref: NCSDK-36295

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

modules/mcuboot/Kconfig

@@ -4,7 +4,7 @@ if BOOTLOADER_MCUBOOT
 
 menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
 	bool "Downgrade prevention using hardware security counters"
-	depends on SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX
+	depends on SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX
 	help
 	  This option can be enabled by the application and will ensure
 	  that the MCUBOOT_HW_DOWNGRADE_PREVENTION Kconfig option is
@@ -17,6 +17,7 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
 	default 240
 	range 2 288 if SOC_SERIES_NRF54LX
 	range 2 300
+	depends on !SOC_SERIES_NRF54HX
 	help
 	  When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use
 	  one hardware counter for each updatable image (UPDATEABLE_IMAGE_NUMBER).
@@ -29,7 +30,8 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
 config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE
 	int "Security counter value"
 	default 1
-	range 1 65535
+	range 1 65535 if !SOC_SERIES_NRF54HX
+	range 1 4294967295 if SOC_SERIES_NRF54HX
 	help
 	  The security counter value for this image.
 	  This is the value that will be passed to the --security-counter

sysbuild/CMakeLists.txt

@@ -381,7 +381,11 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
       set_config_bool(mcuboot CONFIG_BOOT_FIH_PROFILE_DEFAULT_LOW y)
     endif()
 
-    if(SB_CONFIG_PARTITION_MANAGER OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT OR (SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_ENCRYPTION))
+    if(SB_CONFIG_PARTITION_MANAGER OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP
+       OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT
+       OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT
+       OR (SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_ENCRYPTION)
+       OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
       # Use NCS signing script with support for PM or direct XIP (NCS specific features)
       if(SB_CONFIG_QSPI_XIP_SPLIT_IMAGE)
         set(${DEFAULT_IMAGE}_SIGNING_SCRIPT "${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/image_signing_split.cmake" CACHE INTERNAL "MCUboot signing script" FORCE)
@@ -469,17 +473,26 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
 
     if(SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
       set_config_bool(mcuboot CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION y)
-      set_config_bool(mcuboot CONFIG_SECURE_BOOT_STORAGE y)
-      set_config_bool(mcuboot CONFIG_SECURE_BOOT_CRYPTO y)
+
+      # nRF54H20 uses SDFW-based counters.
+      # There is no need for a dedicated secure boot storage implementation.
+      if(NOT SB_CONFIG_SOC_SERIES_NRF54HX)
+        set_config_bool(mcuboot CONFIG_SECURE_BOOT_STORAGE y)
+        set_config_bool(mcuboot CONFIG_SECURE_BOOT_CRYPTO y)
+      endif()
     else()
       set_config_bool(mcuboot CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION n)
     endif()
 
     foreach(image ${updateable_images})
       if(SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
         set_config_bool(${image} CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION y)
-        set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS})
         set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE})
+
+        # The number of slots is unlimited in the current SDFW-based implementation.
+        if(SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS)
+          set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS})
+        endif()
       else()
         set_config_bool(${image} CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION n)
       endif()
@@ -816,7 +829,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake)
 
   include_packaging()
 
-  if(SB_CONFIG_SECURE_BOOT OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
+  # nRF54H20 uses SDFW-based counters.
+  # There is no need to generate a provisioning hex file.
+  if(SB_CONFIG_SECURE_BOOT OR (SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION AND NOT
+     SB_CONFIG_SOC_SERIES_NRF54HX))
     include_provision_hex()
   endif()
 

sysbuild/Kconfig.mcuboot

@@ -32,7 +32,7 @@ config MCUBOOT_BUILD_DIRECT_XIP_VARIANT
 
 menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
 	bool "Downgrade prevention using hardware security counters"
-	depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX)
+	depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX)
 	depends on !SECURE_BOOT_APPCORE
 	depends on !QSPI_XIP_SPLIT_IMAGE
 	help
@@ -48,7 +48,9 @@ if MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
 config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
 	int "Number of available hardware counter slots"
 	default 240
+	range 2 288 if SOC_SERIES_NRF54LX
 	range 2 300
+	depends on !SOC_SERIES_NRF54HX
 	help
 	  When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use one hardware counter
 	  for each updatable image (UPDATEABLE_IMAGE_NUMBER). This configuration specifies how many
@@ -60,7 +62,8 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
 config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE
 	int "Security counter value"
 	default 1
-	range 1 65535
+	range 1 65535 if !SOC_SERIES_NRF54HX
+	range 1 4294967295 if SOC_SERIES_NRF54HX
 	help
 	  The security counter value for this image.
 	  This is the value that will be passed to the --security-counter parameter of imgtool.py

west.yml

@@ -126,7 +126,7 @@ manifest:
           compare-by-default: true
     - name: mcuboot
       repo-path: sdk-mcuboot
-      revision: 9e03c89729786f18ef9c1849015ff17eca8bae1c
+      revision: pull/572/head
       path: bootloader/mcuboot
     - name: qcbor
       url: https://github.com/laurencelundblade/QCBOR