Skip to content

nRF54H20: Add support for IronSide counters -based rollback protection #25547

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Nov 17, 2025
+44 −14
Merged

nRF54H20: Add support for IronSide counters -based rollback protection #25547

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b3e4da2
sysbuild: Rollback protection in merged slots
tomchy Nov 13, 2025
526a39f
sysbuild: HW-based rollback protection on nRF54H20
tomchy Nov 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions cmake/sysbuild/sign_nrf54h20.cmake
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,8 @@ function(mcuboot_sign_merged_nrf54h20 merged_hex main_image)
set(CONFIG_MCUBOOT_IMGTOOL_UUID_CID)
set(CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME)
set(CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME)
set(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
set(CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE)
sysbuild_get(CONFIG_MCUBOOT_IMGTOOL_UUID_VID IMAGE ${main_image} VAR
CONFIG_MCUBOOT_IMGTOOL_UUID_VID KCONFIG)
sysbuild_get(CONFIG_MCUBOOT_IMGTOOL_UUID_CID IMAGE ${main_image} VAR
Expand All @@ -191,15 +193,22 @@ function(mcuboot_sign_merged_nrf54h20 merged_hex main_image)
CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME KCONFIG)
sysbuild_get(CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME IMAGE ${main_image} VAR
CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME KCONFIG)
sysbuild_get(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION IMAGE ${main_image} VAR
CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION KCONFIG)
sysbuild_get(CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE IMAGE ${main_image} VAR
CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE KCONFIG)

if(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
set(imgtool_args ${imgtool_args} --security-counter
${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE})
endif()

if(CONFIG_MCUBOOT_IMGTOOL_UUID_VID)
set(imgtool_args ${imgtool_args} --vid
"${CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME}")
set(imgtool_args ${imgtool_args} --vid "${CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME}")
endif()

if(CONFIG_MCUBOOT_IMGTOOL_UUID_CID)
set(imgtool_args ${imgtool_args} --cid
"${CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME}")
set(imgtool_args ${imgtool_args} --cid "${CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME}")
endif()

# Fetch version and flags from the main image Kconfig.
Expand Down
6 changes: 4 additions & 2 deletions modules/mcuboot/Kconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ if BOOTLOADER_MCUBOOT

menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
bool "Downgrade prevention using hardware security counters"
depends on SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX
depends on SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX
help
This option can be enabled by the application and will ensure
that the MCUBOOT_HW_DOWNGRADE_PREVENTION Kconfig option is
Expand All @@ -17,6 +17,7 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
default 240
range 2 288 if SOC_SERIES_NRF54LX
range 2 300
depends on !SOC_SERIES_NRF54HX
help
When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use
one hardware counter for each updatable image (UPDATEABLE_IMAGE_NUMBER).
Expand All @@ -29,7 +30,8 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE
int "Security counter value"
default 1
range 1 65535
range 1 65535 if !SOC_SERIES_NRF54HX
range 1 4294967295 if SOC_SERIES_NRF54HX
help
The security counter value for this image.
This is the value that will be passed to the --security-counter
Expand Down
26 changes: 21 additions & 5 deletions sysbuild/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -381,7 +381,11 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
set_config_bool(mcuboot CONFIG_BOOT_FIH_PROFILE_DEFAULT_LOW y)
endif()

if(SB_CONFIG_PARTITION_MANAGER OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT OR (SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_ENCRYPTION))
if(SB_CONFIG_PARTITION_MANAGER OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP
OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT
OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT
OR (SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_ENCRYPTION)
OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
# Use NCS signing script with support for PM or direct XIP (NCS specific features)
if(SB_CONFIG_QSPI_XIP_SPLIT_IMAGE)
set(${DEFAULT_IMAGE}_SIGNING_SCRIPT "${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/image_signing_split.cmake" CACHE INTERNAL "MCUboot signing script" FORCE)
Expand Down Expand Up @@ -469,17 +473,26 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)

if(SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
set_config_bool(mcuboot CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION y)
set_config_bool(mcuboot CONFIG_SECURE_BOOT_STORAGE y)
set_config_bool(mcuboot CONFIG_SECURE_BOOT_CRYPTO y)

# nRF54H20 uses SDFW-based counters.
# There is no need for a dedicated secure boot storage implementation.
if(NOT SB_CONFIG_SOC_SERIES_NRF54HX)
set_config_bool(mcuboot CONFIG_SECURE_BOOT_STORAGE y)
set_config_bool(mcuboot CONFIG_SECURE_BOOT_CRYPTO y)
endif()
else()
set_config_bool(mcuboot CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION n)
endif()

foreach(image ${updateable_images})
if(SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
set_config_bool(${image} CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION y)
set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS})
set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE})

# The number of slots is unlimited in the current SDFW-based implementation.
if(SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS)
set_config_int(${image} CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS ${SB_CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS})
endif()
else()
set_config_bool(${image} CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION n)
endif()
Expand Down Expand Up @@ -816,7 +829,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake)

include_packaging()

if(SB_CONFIG_SECURE_BOOT OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
# nRF54H20 uses SDFW-based counters.
# There is no need to generate a provisioning hex file.
if(SB_CONFIG_SECURE_BOOT OR (SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION AND NOT
SB_CONFIG_SOC_SERIES_NRF54HX))
include_provision_hex()
endif()

Expand Down
7 changes: 5 additions & 2 deletions sysbuild/Kconfig.mcuboot
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ config MCUBOOT_BUILD_DIRECT_XIP_VARIANT

menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
bool "Downgrade prevention using hardware security counters"
depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX)
depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX)
depends on !SECURE_BOOT_APPCORE
depends on !QSPI_XIP_SPLIT_IMAGE
help
Expand All @@ -48,7 +48,9 @@ if MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
int "Number of available hardware counter slots"
default 240
range 2 288 if SOC_SERIES_NRF54LX
range 2 300
depends on !SOC_SERIES_NRF54HX
help
When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use one hardware counter
for each updatable image (UPDATEABLE_IMAGE_NUMBER). This configuration specifies how many
Expand All @@ -60,7 +62,8 @@ config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE
int "Security counter value"
default 1
range 1 65535
range 1 65535 if !SOC_SERIES_NRF54HX
range 1 4294967295 if SOC_SERIES_NRF54HX
help
The security counter value for this image.
This is the value that will be passed to the --security-counter parameter of imgtool.py
Expand Down
2 changes: 1 addition & 1 deletion west.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ manifest:
compare-by-default: true
- name: mcuboot
repo-path: sdk-mcuboot
revision: 9e03c89729786f18ef9c1849015ff17eca8bae1c
revision: 3839107e52c7228eba123129a3806fb3391781d6
path: bootloader/mcuboot
- name: qcbor
url: https://github.com/laurencelundblade/QCBOR
Expand Down
Loading