diff --git a/cmake/sysbuild/sign_nrf54h20.cmake b/cmake/sysbuild/sign_nrf54h20.cmake index 6f0d311e7389..6946ed0c7852 100644 --- a/cmake/sysbuild/sign_nrf54h20.cmake +++ b/cmake/sysbuild/sign_nrf54h20.cmake @@ -183,6 +183,8 @@ function(mcuboot_sign_merged_nrf54h20 merged_hex main_image) set(CONFIG_MCUBOOT_IMGTOOL_UUID_CID) set(CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME) set(CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME) + set(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION) + set(CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE) sysbuild_get(CONFIG_MCUBOOT_IMGTOOL_UUID_VID IMAGE ${main_image} VAR CONFIG_MCUBOOT_IMGTOOL_UUID_VID KCONFIG) sysbuild_get(CONFIG_MCUBOOT_IMGTOOL_UUID_CID IMAGE ${main_image} VAR @@ -191,15 +193,22 @@ function(mcuboot_sign_merged_nrf54h20 merged_hex main_image) CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME KCONFIG) sysbuild_get(CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME IMAGE ${main_image} VAR CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME KCONFIG) + sysbuild_get(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION IMAGE ${main_image} VAR + CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION KCONFIG) + sysbuild_get(CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE IMAGE ${main_image} VAR + CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE KCONFIG) + + if(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION) + set(imgtool_args ${imgtool_args} --security-counter + ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE}) + endif() if(CONFIG_MCUBOOT_IMGTOOL_UUID_VID) - set(imgtool_args ${imgtool_args} --vid - "${CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME}") + set(imgtool_args ${imgtool_args} --vid "${CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME}") endif() if(CONFIG_MCUBOOT_IMGTOOL_UUID_CID) - set(imgtool_args ${imgtool_args} --cid - "${CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME}") + set(imgtool_args ${imgtool_args} --cid "${CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME}") endif() # Fetch version and flags from the main image Kconfig. 
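Review bot: In the `@@ -191,15 +193,22 @@` hunk the `--security-counter` value is appended without checking that `sysbuild_get` actually returned something. If `CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE` comes back empty for `${main_image}`, the unquoted expansion vanishes and the flag is left without an argument. Because this number is what the downgrade check relies on, the build should stop with a `message(FATAL_ERROR ...)` when the value is empty instead of handing imgtool a malformed command line. The append itself would read better as `list(APPEND imgtool_args --security-counter "${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE}")`, which matches the quoting already used for `--vid` and `--cid` just below. The body of `mcuboot_sign_merged_nrf54h20` starts and ends outside the hunk, so how `imgtool_args` is consumed is not visible here.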
diff --git a/modules/mcuboot/Kconfig b/modules/mcuboot/Kconfig index 6b5ddd298a6f..2c5110bd2de6 100644 --- a/modules/mcuboot/Kconfig +++ b/modules/mcuboot/Kconfig @@ -4,7 +4,7 @@ if BOOTLOADER_MCUBOOT menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION bool "Downgrade prevention using hardware security counters" - depends on SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX + depends on SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX help This option can be enabled by the application and will ensure that the MCUBOOT_HW_DOWNGRADE_PREVENTION Kconfig option is @@ -17,6 +17,7 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS default 240 range 2 288 if SOC_SERIES_NRF54LX range 2 300 + depends on !SOC_SERIES_NRF54HX help When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use one hardware counter for each updatable image (UPDATEABLE_IMAGE_NUMBER). @@ -29,7 +30,8 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE int "Security counter value" default 1 - range 1 65535 + range 1 65535 if !SOC_SERIES_NRF54HX + range 1 4294967295 if SOC_SERIES_NRF54HX help The security counter value for this image. This is the value that will be passed to the --security-counter diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt index 353cfb1eadba..f7330a665da3 100644 --- a/sysbuild/CMakeLists.txt +++ b/sysbuild/CMakeLists.txt 
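Review bot: The new nRF54H bound `range 1 4294967295` in the `@@ -29,7 +30,8 @@` hunk no longer fits a signed 32-bit integer. Any consumer that holds `CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE` in an `int` would wrap above 2147483647 and could then compare security counters incorrectly. No consumer is visible in this diff, so this is a question rather than a confirmed defect: please check that the C side and the signing path treat the value as unsigned 32-bit. The help text should also state the per-SoC limits, for example `On nRF54H values up to 4294967295 are accepted; other SoCs are limited to 65535.` The same pair of `range` lines is added in the `@@ -60,7 +62,8 @@` hunk of sysbuild/Kconfig.mcuboot, and the same applies there.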
@@ -381,7 +381,11 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake) set_config_bool(mcuboot CONFIG_BOOT_FIH_PROFILE_DEFAULT_LOW y) endif() - if(SB_CONFIG_PARTITION_MANAGER OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT OR (SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_ENCRYPTION)) + if(SB_CONFIG_PARTITION_MANAGER OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP + OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT + OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT + OR (SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_ENCRYPTION) + OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION) # Use NCS signing script with support for PM or direct XIP (NCS specific features) if(SB_CONFIG_QSPI_XIP_SPLIT_IMAGE) set(${DEFAULT_IMAGE}_SIGNING_SCRIPT "${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/image_signing_split.cmake" CACHE INTERNAL "MCUboot signing script" FORCE) @@ -469,8 +473,13 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake) if(SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION) set_config_bool(mcuboot CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION y) - set_config_bool(mcuboot CONFIG_SECURE_BOOT_STORAGE y) - set_config_bool(mcuboot CONFIG_SECURE_BOOT_CRYPTO y) + + # nRF54H20 uses SDFW-based counters. + # There is no need for a dedicated secure boot storage implementation. + if(NOT SB_CONFIG_SOC_SERIES_NRF54HX) + set_config_bool(mcuboot CONFIG_SECURE_BOOT_STORAGE y) + set_config_bool(mcuboot CONFIG_SECURE_BOOT_CRYPTO y) + endif() else() set_config_bool(mcuboot CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION n) endif() 
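Review bot: The added `OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION` clause in the `@@ -381,7 +381,11 @@` hunk is not limited to nRF54H. Every SoC that enables hardware downgrade prevention now takes the NCS signing-script branch, even when none of the earlier conditions hold. If that is intended, the comment on the following line should say so, for example `# Use NCS signing script: required for PM, direct XIP, compression, nRF54L encryption and the hardware security counter`. If only nRF54H needs it, `OR (SB_CONFIG_SOC_SERIES_NRF54HX AND SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)` would leave the other SoCs on their current path. The enclosing `_pre_cmake` function extends beyond the hunk, so the effect on the script choices further down cannot be confirmed from here.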
@@ -478,8 +487,12 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake) foreach(image ${updateable_images}) if(SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION) set_config_bool(${image} CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION y) - set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS}) set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE}) + + # The number of slots is unlimited in the current SDFW-based implementation. + if(SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS) + set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS}) + endif() else() set_config_bool(${image} CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION n) endif() @@ -816,7 +829,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake) include_packaging() - if(SB_CONFIG_SECURE_BOOT OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION) + # nRF54H20 uses SDFW-based counters. + # There is no need to generate a provisioning hex file. + if(SB_CONFIG_SECURE_BOOT OR (SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION AND NOT + SB_CONFIG_SOC_SERIES_NRF54HX)) include_provision_hex() endif() diff --git a/sysbuild/Kconfig.mcuboot b/sysbuild/Kconfig.mcuboot index a42f6b2a2591..57bb78e1078d 100644 --- a/sysbuild/Kconfig.mcuboot +++ b/sysbuild/Kconfig.mcuboot @@ -32,7 +32,7 @@ config MCUBOOT_BUILD_DIRECT_XIP_VARIANT menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION bool "Downgrade prevention using hardware security counters" - depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX) + depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX) depends on !SECURE_BOOT_APPCORE depends on !QSPI_XIP_SPLIT_IMAGE help 
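Review bot: The guard `if(SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS)` in the `@@ -478,8 +487,12 @@` hunk tests the value's truthiness rather than whether the symbol exists. It also does not name the platform that the comment above it is about. It works today because the Kconfig range starts at 2, but `if(DEFINED SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS)` states the intent directly and stays correct if the range ever admits 0. The comment could be made explicit, e.g. `# nRF54H20 (SDFW-based counters): the slot-count symbol is not defined there, so forward it only when present.`, in line with the other nRF54H comments in this file. The `foreach` loop and its function continue outside the hunk.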
@@ -48,7 +48,9 @@ if MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS int "Number of available hardware counter slots" default 240 + range 2 288 if SOC_SERIES_NRF54LX range 2 300 + depends on !SOC_SERIES_NRF54HX help When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use one hardware counter for each updatable image (UPDATEABLE_IMAGE_NUMBER). This configuration specifies how many @@ -60,7 +62,8 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE int "Security counter value" default 1 - range 1 65535 + range 1 65535 if !SOC_SERIES_NRF54HX + range 1 4294967295 if SOC_SERIES_NRF54HX help The security counter value for this image. This is the value that will be passed to the --security-counter parameter of imgtool.py diff --git a/west.yml b/west.yml index be9a9e75a13a..27183344a892 100644 --- a/west.yml +++ b/west.yml @@ -126,7 +126,7 @@ manifest: compare-by-default: true - name: mcuboot repo-path: sdk-mcuboot - revision: 9e03c89729786f18ef9c1849015ff17eca8bae1c + revision: 3839107e52c7228eba123129a3806fb3391781d6 path: bootloader/mcuboot - name: qcbor url: https://github.com/laurencelundblade/QCBOR