samples: ironside_se: Add sample that protects periphconf

Add a sample that demonstrates how to protect periphconf using
PROTECTEDMEM.

Signed-off-by: Sebastian Bøe <[email protected]>

Author: SebastianBoe

samples/ironside_se/protectedmem_periphconf/CMakeLists.txt

@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+cmake_minimum_required(VERSION 3.20.0)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+
+project(protectedmem_periphconf)
+
+target_sources(app PRIVATE src/main.c)

samples/ironside_se/protectedmem_periphconf/README.rst

@@ -0,0 +1,71 @@
+.. _protectedmem_periphconf_sample:
+
+Protected Memory with PERIPHCONF Partition
+##########################################
+
+.. contents::
+   :local:
+   :depth: 2
+
+This sample demonstrates how to protect the PERIPHCONF Partition using UICR.PROTECTEDMEM.
+
+Requirements
+************
+
+The sample supports the following development kit:
+
+.. table-from-sample-yaml::
+
+Overview
+********
+
+The sample relocates the ``periphconf_partition`` right after ``cpuapp_boot_partition`` and configures PROTECTEDMEM to cover both partitions.
+When protected memory is modified, the integrity check fails on the next boot, causing |ISE| to boot the secondary firmware instead of the main application.
+
+Building and running
+*********************
+
+.. |sample path| replace:: :file:`samples/ironside_se/protectedmem_periphconf`
+
+.. include:: /includes/build_and_run.txt
+
+Testing
+*******
+
+After programming the sample to your development kit, complete the following steps to test it:
+
+1. |connect_terminal|
+#. Reset the development kit.
+
+The application writes a test pattern to protected memory and then reboots.
+On the next boot, if protection works correctly, the secondary firmware boots instead of the main application, indicating that the integrity check detected the modification.
+
+Configuration
+*************
+
+The sample uses the following key configurations:
+
+Device Tree Overlay
+  The ``app.overlay`` file relocates the ``periphconf_partition`` to be placed right after ``cpuapp_boot_partition`` at offset 0x40000.
+  The ``sysbuild.cmake`` file applies this same overlay to the UICR image so both images see the same partition layout.
+
+Kconfig Configuration
+  The ``sysbuild/uicr.conf`` file configures the PROTECTEDMEM size to 72KB (73728 bytes) to cover both ``cpuapp_boot_partition`` (64KB) and ``periphconf_partition`` (8KB).
+
+Secondary Firmware
+  The sample includes a secondary firmware (in the ``secondary/`` directory) that boots automatically when the PROTECTEDMEM integrity check fails.
+  The secondary firmware is enabled via ``CONFIG_GEN_UICR_SECONDARY=y`` in ``sysbuild/uicr.conf`` and is built as part of the sysbuild process (configured in ``sysbuild.cmake``).
+
+Dependencies
+************
+
+This sample uses the following |NCS| subsystems:
+
+* UICR generation - Configures UICR.PROTECTEDMEM to protect the memory region and UICR.SECONDARY to enable secondary firmware boot
+* Sysbuild - Enables building the UICR image and secondary firmware with the protected memory configuration
+
+In addition, it uses the following Zephyr subsystems:
+
+* :ref:`Kernel <kernel>` - Provides basic system functionality and threading
+* :ref:`Console <console>` - Enables UART console output for debugging and user interaction
+* Devicetree - Defines the partition layout

samples/ironside_se/protectedmem_periphconf/app.overlay

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/* Delete the original partitions before redefining them */
+/delete-node/ &cpuapp_slot0_partition;
+/delete-node/ &periphconf_partition;
+
+&mram1x {
+	partitions {
+		/* cpuapp_boot_partition is at 0x30000 with size 64KB (0x10000) */
+		/* Move periphconf_partition to 0x40000 (right after cpuapp_boot_partition) */
+		periphconf_partition: partition@40000 {
+			reg = <0x40000 DT_SIZE_K(8)>;
+		};
+
+		/* Move cpuapp_slot0_partition to start after periphconf_partition */
+		/* periphconf_partition ends at 0x42000, so slot0 starts there */
+		cpuapp_slot0_partition: partition@42000 {
+			reg = <0x42000 DT_SIZE_K(328)>;
+		};
+	};
+};

samples/ironside_se/protectedmem_periphconf/prj.conf

@@ -0,0 +1,11 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable MPU to allow writing to protected memory region for demonstration
+CONFIG_ARM_MPU=n
+
+# Note: UICR configuration (GEN_UICR_PROTECTEDMEM, etc.) is done in sysbuild/uicr.conf
+# for the UICR image, not in the main application's prj.conf

samples/ironside_se/protectedmem_periphconf/sample.yaml

@@ -0,0 +1,35 @@
+sample:
+  name: Protected Memory PERIPHCONF Sample
+  description: |
+    Sample demonstrating UICR.PROTECTEDMEM protection of the periphconf_partition.
+    The sample relocates periphconf_partition to be right after
+    cpuapp_boot_partition and configures PROTECTEDMEM to protect both partitions.
+    The sample writes to the protected area, reboots, and demonstrates that the
+    integrity check fails on boot, preventing the device from booting when the
+    protected memory is modified.
+
+common:
+  sysbuild: true
+  harness: console
+  harness_config:
+    type: multi_line
+    ordered: true
+    regex:
+      - "=== Protected Memory Demo ==="
+      - "Attempting to write test pattern"
+      - "Write successful \\(in current boot\\)\\."
+      - "Rebooting\\.\\.\\."
+      # When PROTECTEDMEM integrity check fails, secondary firmware boots
+      - "=== Secondary Firmware Booted ==="
+      - "PROTECTEDMEM integrity check FAILED"
+
+tests:
+  samples.protectedmem_periphconf.nrf54h20dk:
+    tags:
+      - sysbuild
+      - ci_samples_sdfw
+    platform_allow:
+      - nrf54h20dk/nrf54h20/cpuapp
+    integration_platforms:
+      - nrf54h20dk/nrf54h20/cpuapp
+    timeout: 7

samples/ironside_se/protectedmem_periphconf/secondary/CMakeLists.txt

@@ -0,0 +1,9 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+cmake_minimum_required(VERSION 3.20.0)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(secondary)
+
+target_sources(app PRIVATE src/main.c)

samples/ironside_se/protectedmem_periphconf/secondary/app.overlay

@@ -0,0 +1,11 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/ {
+	chosen {
+		zephyr,code-partition = &secondary_partition;
+	};
+};

samples/ironside_se/protectedmem_periphconf/secondary/prj.conf

@@ -0,0 +1,12 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+CONFIG_IS_IRONSIDE_SE_SECONDARY_IMAGE=y
+
+# Use the devicetree chosen code-partition to determine flash load offset
+CONFIG_USE_DT_CODE_PARTITION=y
+
+# NB: app.overlay sets zephyr,code-partition to secondary_partition

samples/ironside_se/protectedmem_periphconf/secondary/src/main.c

@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA.
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <zephyr/kernel.h>
+#include <zephyr/sys/printk.h>
+
+int main(void)
+{
+	printk("PROTECTEDMEM integrity check failed - secondary firmware booted\n");
+
+	while (1) {
+		k_msleep(1000);
+	}
+
+	return 0;
+}

samples/ironside_se/protectedmem_periphconf/src/main.c

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA.
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <zephyr/kernel.h>
+#include <zephyr/sys/printk.h>
+#include <zephyr/devicetree.h>
+#include <zephyr/arch/cpu.h>
+
+#define PERIPHCONF_PARTITION_ADDRESS DT_FIXED_PARTITION_ADDR(DT_NODELABEL(periphconf_partition))
+#define PERIPHCONF_PARTITION_SIZE DT_REG_SIZE(DT_NODELABEL(periphconf_partition))
+#define MRAM_16BYTE_ALIGN 16
+#define PARTITION_END (PERIPHCONF_PARTITION_ADDRESS + PERIPHCONF_PARTITION_SIZE)
+#define LAST_16BYTE_AREA_START ((PARTITION_END - MRAM_16BYTE_ALIGN) & ~(MRAM_16BYTE_ALIGN - 1))
+#define TEST_WRITE_ADDRESS (LAST_16BYTE_AREA_START + MRAM_16BYTE_ALIGN - sizeof(uint32_t))
+#define TEST_PATTERN 0xDEADBEEFUL
+
+int main(void)
+{
+	printk("Writing test pattern to protected memory...\n");
+
+	*(volatile uint32_t *)TEST_WRITE_ADDRESS = TEST_PATTERN;
+
+	printk("Rebooting. Secondary firmware should boot if protection is working.\n");
+
+	k_msleep(50);
+	NVIC_SystemReset();
+
+	CODE_UNREACHABLE;
+}