@tomchy tomchy commented Nov 12, 2025

Add support for IronSide counters-based rollback protection.

Ref: NCSDK-38695

Copilot AI review requested due to automatic review settings November 12, 2025 14:13
@tomchy tomchy requested review from a team as code owners November 12, 2025 14:13
@NordicBuilder NordicBuilder added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Nov 12, 2025
NordicBuilder commented Nov 12, 2025

The following west manifest projects have changed revision in this Pull Request:

Name     Old Revision                    New Revision                           Diff
mcuboot  nrfconnect/sdk-mcuboot@9e03c89  nrfconnect/sdk-mcuboot@3839107 (main)  nrfconnect/[email protected]

All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

Copilot AI left a comment

Pull Request Overview

This PR adds a dummy implementation of a new API function to lock hardware counter updates in the bootloader storage subsystem. The changes include updating the mcuboot revision reference and implementing an empty lock function that performs basic validation but doesn't perform any actual locking operations.

Key changes:

  • Updated mcuboot dependency to point to a pull request branch
  • Added boot_nv_security_counter_lock() function with validation logic

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                                            Description
west.yml                                        Updates mcuboot revision to reference pull/571/head branch
subsys/bootloader/bl_storage/nrf_nv_counters.c  Implements new boot_nv_security_counter_lock() function with image_id validation


NordicBuilder commented Nov 12, 2025

CI Information

Build number: 11

Inputs:

Sources:

sdk-nrf: PR head: 526a39fe1dfbf49e6eae378b35fb6ce8d22e48d0
mcuboot: PR head: 3839107e52c7228eba123129a3806fb3391781d6

sdk-nrf:

PR head: 526a39fe1dfbf49e6eae378b35fb6ce8d22e48d0
merge base: da1cff16e9707f5e26f32d7917e32adae3c38ae4
target head (main): 66fe9cc1822ac0a85b70f8d9b3e4a86ab27ac0b0
Diff

mcuboot:

PR head: 3839107e52c7228eba123129a3806fb3391781d6
merge base: 9e03c89729786f18ef9c1849015ff17eca8bae1c
Diff

Github labels

Enabled  Name                   Description
         ci-disabled            Disable the ci execution
         ci-all-test            Run all of ci, no test spec filtering will be done
         ci-force-downstream    Force execution of downstream even if twister fails
         ci-run-twister         Force run twister
         ci-run-zephyr-twister  Force run zephyr twister
List of changed files detected by CI (10)
bootloader
│  ├── mcuboot
│  │  ├── boot
│  │  │  ├── zephyr
│  │  │  │  ├── CMakeLists.txt
│  │  │  │  ├── Kconfig
│  │  │  │  ├── ironside_counters
│  │  │  │  │  ├── CMakeLists.txt
│  │  │  │  │  ├── Kconfig
│  │  │  │  │  │ ironside_counters.c
cmake
│  ├── sysbuild
│  │  │ sign_nrf54h20.cmake
modules
│  ├── mcuboot
│  │  │ Kconfig
sysbuild
│  ├── CMakeLists.txt
│  │ Kconfig.mcuboot
west.yml

Outputs:

Toolchain

Version:
Build docker image:

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain
  • ◻️ Build twister
  • ◻️ Integration tests
    • ◻️ test-sdk-audio
    • ◻️ desktop52_verification
    • ◻️ test-fw-nrfconnect-apps
    • ◻️ test_ble_nrf_config
    • ◻️ test-fw-nrfconnect-ble_mesh
    • ◻️ test-fw-nrfconnect-ble_samples
    • ◻️ test-fw-nrfconnect-chip
    • ◻️ test-fw-nrfconnect-nfc
    • ◻️ test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • ◻️ test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • ◻️ test-fw-nrfconnect-nrf-iot_samples
    • ◻️ test-fw-nrfconnect-nrf-iot_lwm2m
    • ◻️ test-fw-nrfconnect-nrf-iot_thingy91
    • ◻️ test-fw-nrfconnect-nrf_crypto
    • ◻️ test-fw-nrfconnect-rpc
    • ◻️ test-fw-nrfconnect-rs
    • ◻️ test-fw-nrfconnect-fem
    • ◻️ test-fw-nrfconnect-tfm
    • ◻️ test-fw-nrfconnect-thread-main
    • ◻️ test-sdk-find-my
    • ◻️ test-fw-nrfconnect-nrf_lrcs_positioning
    • ◻️ test-sdk-wifi
    • ◻️ test-low-level
    • ◻️ test-sdk-mcuboot
    • ◻️ test-sdk-dfu
    • ◻️ test-fw-nrfconnect-ps-main
    • ◻️ test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@github-actions

You can find the documentation preview for this PR here.

@tomchy tomchy marked this pull request as draft November 12, 2025 15:16
@tomchy tomchy force-pushed the feature/mcuboot/NCSDK-36295_Add_counter_lock branch from 0e42f27 to 6a51d79 Compare November 13, 2025 13:39
@tomchy tomchy changed the title bl_storage: Add empty HW counter lock impl nRF54H20: Add support for IronSide counters -based rollback protection Nov 13, 2025
@tomchy tomchy force-pushed the feature/mcuboot/NCSDK-36295_Add_counter_lock branch from 6a51d79 to 8b745b1 Compare November 13, 2025 14:05
Copilot AI review requested due to automatic review settings November 13, 2025 14:05
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.



@tomchy tomchy force-pushed the feature/mcuboot/NCSDK-36295_Add_counter_lock branch from 8b745b1 to 72b9e8f Compare November 13, 2025 15:31
NordicBuilder commented Nov 13, 2025

Memory footprint analysis revealed the following potential issues

applications.hpf.gpio.icmsg[nrf54l15dk/nrf54l15/cpuflpr]: High RAM usage: 9102[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icmsg[nrf54l15dk/nrf54l15/cpuflpr]: High ROM usage: 5858[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icbmsg[nrf54l15dk/nrf54l15/cpuflpr]: High RAM usage: 12744[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icbmsg[nrf54l15dk/nrf54l15/cpuflpr]: High ROM usage: 9492[B] - link (cc: @nrfconnect/ncs-ll-ursus)

Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-25547/10)

Copilot AI review requested due to automatic review settings November 14, 2025 10:25
@tomchy tomchy force-pushed the feature/mcuboot/NCSDK-36295_Add_counter_lock branch from 72b9e8f to 10188af Compare November 14, 2025 10:25
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.



@tomchy tomchy marked this pull request as ready for review November 14, 2025 10:27
@tomchy tomchy requested a review from a team as a code owner November 14, 2025 10:27
@tomchy tomchy force-pushed the feature/mcuboot/NCSDK-36295_Add_counter_lock branch from 10188af to 43ac6f6 Compare November 14, 2025 15:03
Copilot AI review requested due to automatic review settings November 17, 2025 08:18
@tomchy tomchy force-pushed the feature/mcuboot/NCSDK-36295_Add_counter_lock branch from 43ac6f6 to 8fefe95 Compare November 17, 2025 08:18
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.



Add a possibility to enable HW-based rollback protection when a project
uses the merged slots.

Ref: NCSDK-36295

Signed-off-by: Tomasz Chyrowicz <[email protected]>
@tomchy tomchy force-pushed the feature/mcuboot/NCSDK-36295_Add_counter_lock branch from 8fefe95 to 3c893ca Compare November 17, 2025 09:09
Allow to enable HW-based rollback protection on nRF54H20.

Ref: NCSDK-36295

Signed-off-by: Tomasz Chyrowicz <[email protected]>
Copilot AI review requested due to automatic review settings November 17, 2025 11:25
@tomchy tomchy force-pushed the feature/mcuboot/NCSDK-36295_Add_counter_lock branch from 3c893ca to 526a39f Compare November 17, 2025 11:25
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.



@NordicBuilder NordicBuilder removed the DNM label Nov 17, 2025
@tomchy tomchy merged commit fbb0826 into nrfconnect:main Nov 17, 2025
19 of 20 checks passed
Labels

changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. manifest manifest-mcuboot

4 participants