bl_storage: fw_info/counters port to RRAMC

Changed the implementation of bl_storage to be compatible with RRAMC and
FLASH/NVMC. Due to the limitations in the RRAM controller OTP can only
be written to by words not half-words as it can be in NVMC.

This means we need to change the way we handle certain cases in
`bl_storage.c`, `bl_validation.c` and `fw_info.c`. This commit moves
some of the abstractions into two separate files `bl_storage_nvmc.c` and
`bl_storage_rramc.c`. However there are multiple other changes needed
which are done by using `#ifdef`'s.

Ref. NCSDK-25306

Signed-off-by: Mateusz Michalek <[email protected]>

Author: michalek-no

include/bl_storage.h

@@ -9,8 +9,15 @@
 
 #include <string.h>
 #include <zephyr/types.h>
+#include <zephyr/autoconf.h>
 #include <drivers/nrfx_common.h>
+#if defined(CONFIG_NRFX_NVMC)
 #include <nrfx_nvmc.h>
+#elif defined(CONFIG_NRFX_RRAMC)
+#include <nrfx_rramc.h>
+#else
+#error "No NRFX storage technology supported backend selected"
+#endif
 #include <errno.h>
 #include <pm_config.h>
 
@@ -19,6 +26,17 @@
 extern "C" {
 #endif
 
+#if defined(CONFIG_NRFX_NVMC)
+typedef uint16_t counter_t;
+typedef uint16_t lcs_data_t;
+typedef uint16_t lcs_reserved_t;
+#elif defined(CONFIG_NRFX_RRAMC)
+/* nRF54L15 only supports word writes */
+typedef uint32_t counter_t;
+typedef uint32_t lcs_data_t;
+typedef uint32_t lcs_reserved_t;
+#endif
+
 #define EHASHFF 113 /* A hash contains too many 0xFs. */
 #define EREADLCS 114 /* LCS field of OTP is in an invalid state */
 #define EINVALIDLCS 115 /* Invalid LCS*/
@@ -46,17 +64,52 @@ extern "C" {
  *  This works as ASSEMBLY implies the OTP to be erased.
  */
 struct life_cycle_state_data {
-	uint16_t provisioning;
-	uint16_t secure;
-	/* Pad to end the alignment at a 4-byte boundary as the UICR->OTP
-	 * only supports 4-byte reads. We place the reserved padding in
-	 * the middle of the struct in case we ever need to support
+	lcs_data_t provisioning;
+	lcs_data_t secure;
+	/* Pad to end the alignment at a 4-byte boundary as some devices
+	 * are only supporting 4-byte UICR->OTP reads. We place the reserved
+	 * padding in the middle of the struct in case we ever need to support
 	 * another state.
 	 */
-	uint16_t reserved_for_padding;
-	uint16_t decommissioned;
+	lcs_reserved_t reserved_for_padding;
+	lcs_data_t decommissioned;
+};
+
+/** This library implements monotonic counters where each time the counter
+ *  is increased, a new slot is written.
+ *  This way, the counter can be updated without erase. This is, among other things,
+ *  necessary so the counter can be used in the OTP section of the UICR
+ *  (available on e.g. nRF91 and nRF53).
+ */
+struct monotonic_counter {
+	/* Counter description. What the counter is used for. See
+	 * BL_MONOTONIC_COUNTERS_DESC_x.
+	 */
+	uint16_t description;
+	/* Number of entries in 'counter_slots' list. */
+	uint16_t num_counter_slots;
+	counter_t counter_slots[1];
 };
 
+/** The second data structure in the provision page. It has unknown length since
+ *  'counters' is repeated. Note that each entry in counters also has unknown
+ *  length, and each entry can have different length from the others, so the
+ *  entries beyond the first cannot be accessed via array indices.
+ */
+struct counter_collection {
+	uint16_t type; /* Must be "monotonic counter". */
+	uint16_t num_counters; /* Number of entries in 'counters' list. */
+	struct monotonic_counter counters[1];
+};
+
+NRFX_STATIC_INLINE uint32_t bl_storage_word_read(uint32_t address);
+NRFX_STATIC_INLINE uint32_t bl_storage_word_write(uint32_t address, uint32_t value);
+NRFX_STATIC_INLINE counter_t bl_storage_counter_get(uint32_t address);
+NRFX_STATIC_INLINE void bl_storage_counter_set(uint32_t address, counter_t value);
+
+const struct monotonic_counter *get_counter_struct(uint16_t description);
+int get_counter(uint16_t counter_desc, counter_t *counter_value, const counter_t **free_slot);
+
 /** The first data structure in the bootloader storage. It has unknown length
  *  since 'key_data' is repeated. This data structure is immediately followed by
  *  struct counter_collection.
@@ -155,7 +208,7 @@ int num_monotonic_counter_slots(uint16_t counter_desc, uint16_t *counter_slots);
  * @retval -EINVAL  Cannot find counters with description @p counter_desc or the pointer to
  *                  @p counter_value is NULL.
  */
-int get_monotonic_counter(uint16_t counter_desc, uint16_t *counter_value);
+int get_monotonic_counter(uint16_t counter_desc, counter_t *counter_value);
 
 /**
  * @brief Set the current HW monotonic counter.
@@ -174,7 +227,7 @@ int get_monotonic_counter(uint16_t counter_desc, uint16_t *counter_value);
  * @retval -ENOMEM  There are no more free counter slots (see
  *                  @kconfig{CONFIG_SB_NUM_VER_COUNTER_SLOTS}).
  */
-int set_monotonic_counter(uint16_t counter_desc, uint16_t new_counter);
+int set_monotonic_counter(uint16_t counter_desc, counter_t new_counter);
 
 /**
  * @brief The PSA life cycle states a device can be in.
@@ -202,7 +255,7 @@ NRFX_STATIC_INLINE void otp_copy32(uint8_t *restrict dst, uint32_t volatile * re
 {
 	for (int i = 0; i < size / 4; i++) {
 		/* OTP is in UICR */
-		uint32_t val = nrfx_nvmc_uicr_word_read(src + i);
+		uint32_t val = bl_storage_word_read((uint32_t)(src + i));
 
 		for (int j = 0; j < 4; j++) {
 			dst[i * 4 + j] = (val >> 8 * j) & 0xFF;
@@ -238,6 +291,87 @@ NRFX_STATIC_INLINE void read_implementation_id_from_otp(uint8_t *buf)
  * This is a temporary solution until TF-M has access to NSIB functions.
  */
 
+#if defined(CONFIG_NRFX_RRAMC)
+NRFX_STATIC_INLINE uint32_t index_from_address(uint32_t address)
+{
+	return ((address - (uint32_t)BL_STORAGE)/sizeof(uint32_t));
+}
+#endif
+
+NRFX_STATIC_INLINE counter_t bl_storage_counter_get(uint32_t address)
+{
+#if defined(CONFIG_NRFX_NVMC)
+	return ~nrfx_nvmc_otp_halfword_read(address);
+#elif defined(CONFIG_NRFX_RRAMC)
+	return ~nrfx_rramc_otp_word_read(index_from_address(address));
+#endif
+}
+
+NRFX_STATIC_INLINE void bl_storage_counter_set(uint32_t address, counter_t value)
+{
+#if defined(CONFIG_NRFX_NVMC)
+	nrfx_nvmc_halfword_write((uint32_t)address, ~value);
+#elif defined(CONFIG_NRFX_RRAMC)
+	nrfx_rramc_otp_word_write(index_from_address((uint32_t)address), ~value);
+#endif
+}
+
+NRFX_STATIC_INLINE uint32_t bl_storage_word_read(uint32_t address)
+{
+#if defined(CONFIG_NRFX_NVMC)
+	return nrfx_nvmc_uicr_word_read((uint32_t *)address);
+#elif defined(CONFIG_NRFX_RRAMC)
+	return nrfx_rramc_word_read(address);
+#endif
+}
+
+NRFX_STATIC_INLINE uint32_t bl_storage_word_write(uint32_t address, uint32_t value)
+{
+#if defined(CONFIG_NRFX_NVMC)
+	nrfx_nvmc_word_write(address, value);
+	return 0;
+#elif defined(CONFIG_NRFX_RRAMC)
+	nrfx_rramc_word_write(address, value);
+	return 0;
+#endif
+}
+
+NRFX_STATIC_INLINE uint16_t bl_storage_otp_halfword_read(uint32_t address)
+{
+	uint16_t halfword;
+#if defined(CONFIG_NRFX_NVMC)
+	halfword = nrfx_nvmc_otp_halfword_read(address);
+#elif defined(CONFIG_NRFX_RRAMC)
+	uint32_t word = nrfx_rramc_otp_word_read(index_from_address(address));
+
+	if (!(address & 0x3)) {
+		halfword = (uint16_t)(word & 0x0000FFFF); /* C truncates the upper bits */
+	} else {
+		halfword = (uint16_t)(word >> 16); /* Shift the upper half down */
+	}
+#endif
+	return halfword;
+}
+
+NRFX_STATIC_INLINE lcs_data_t bl_storage_lcs_get(uint32_t address)
+{
+#if defined(CONFIG_NRFX_NVMC)
+	return nrfx_nvmc_otp_halfword_read(address);
+#elif defined(CONFIG_NRFX_RRAMC)
+	return nrfx_rramc_otp_word_read(index_from_address(address));
+#endif
+}
+
+NRFX_STATIC_INLINE int bl_storage_lcs_set(uint32_t address, lcs_data_t state)
+{
+#if defined(CONFIG_NRFX_NVMC)
+	nrfx_nvmc_halfword_write(address, state);
+#elif defined(CONFIG_NRFX_RRAMC)
+	bl_storage_word_write(address, state);
+#endif
+	return 0;
+}
+
 /**
  * @brief Read the current life cycle state the device is in from OTP,
  *
@@ -252,10 +386,10 @@ NRFX_STATIC_INLINE int read_life_cycle_state(enum lcs *lcs)
 		return -EINVAL;
 	}
 
-	uint16_t provisioning = nrfx_nvmc_otp_halfword_read(
+	lcs_data_t provisioning = bl_storage_lcs_get(
 		(uint32_t) &BL_STORAGE->lcs.provisioning);
-	uint16_t secure = nrfx_nvmc_otp_halfword_read((uint32_t) &BL_STORAGE->lcs.secure);
-	uint16_t decommissioned = nrfx_nvmc_otp_halfword_read(
+	lcs_data_t secure = bl_storage_lcs_get((uint32_t) &BL_STORAGE->lcs.secure);
+	lcs_data_t decommissioned = bl_storage_lcs_get(
 		(uint32_t) &BL_STORAGE->lcs.decommissioned);
 
 	if (provisioning == STATE_NOT_ENTERED
@@ -318,18 +452,15 @@ NRFX_STATIC_INLINE int update_life_cycle_state(enum lcs next_lcs)
 
 	/* As the device starts in ASSEMBLY, it is not possible to write it */
 	if (current_lcs == BL_STORAGE_LCS_ASSEMBLY && next_lcs == BL_STORAGE_LCS_PROVISIONING) {
-		nrfx_nvmc_halfword_write((uint32_t)&BL_STORAGE->lcs.provisioning, STATE_ENTERED);
-		return 0;
+		return bl_storage_lcs_set((uint32_t)&BL_STORAGE->lcs.provisioning, STATE_ENTERED);
 	}
 
 	if (current_lcs == BL_STORAGE_LCS_PROVISIONING && next_lcs == BL_STORAGE_LCS_SECURED) {
-		nrfx_nvmc_halfword_write((uint32_t)&BL_STORAGE->lcs.secure, STATE_ENTERED);
-		return 0;
+		return bl_storage_lcs_set((uint32_t)&BL_STORAGE->lcs.secure, STATE_ENTERED);
 	}
 
 	if (current_lcs == BL_STORAGE_LCS_SECURED && next_lcs == BL_STORAGE_LCS_DECOMMISSIONED) {
-		nrfx_nvmc_halfword_write((uint32_t)&BL_STORAGE->lcs.decommissioned, STATE_ENTERED);
-		return 0;
+		return bl_storage_lcs_set((uint32_t)&BL_STORAGE->lcs.decommissioned, STATE_ENTERED);
 	}
 
 	/* This will be the case if any invalid transition is tried */

include/bl_validation.h

@@ -14,6 +14,7 @@ extern "C" {
 #include <stdbool.h>
 #include <fw_info.h>
 #include <zephyr/types.h>
+#include <bl_storage.h>
 
 /** @defgroup bl_validation Bootloader firmware validation
  * @{
@@ -72,7 +73,7 @@ struct bl_validate_fw_ext_api {
  *
  * @return See @ref set_monotonic_counter.
  */
-int set_monotonic_version(uint16_t version, uint16_t slot);
+int set_monotonic_version(counter_t version, uint16_t slot);
 
 /** Write the stored 15-bit version to the 16-bit output parameter 'version_out'.
  *
@@ -81,7 +82,7 @@ int set_monotonic_version(uint16_t version, uint16_t slot);
  * @retval 0       Success
  * @retval -EINVAL Error during reading the version or version is NULL.
  */
-int get_monotonic_version(uint16_t *version_out);
+int get_monotonic_version(counter_t *version_out);
 
 /** Write the stored slot to the output parameter 'slot_out'.
  *
@@ -90,7 +91,7 @@ int get_monotonic_version(uint16_t *version_out);
  * @retval 0       Success
  * @retval -EINVAL Error during reading the version or version is NULL.
  */
-int get_monotonic_slot(uint16_t *slot_out);
+int get_monotonic_slot(counter_t *slot_out);
 
   /** @} */
 

samples/bootloader/src/main.c

@@ -13,7 +13,13 @@
 #include <bl_storage.h>
 #include <bl_boot.h>
 #include <bl_validation.h>
+#ifdef CONFIG_NRFX_NVMC
 #include <nrfx_nvmc.h>
+#elif defined(CONFIG_NRFX_RRAMC)
+#include <nrfx_rramc.h>
+#else
+#error "No NRFX memory backend selected"
+#endif
 
 #if defined(CONFIG_HW_UNIQUE_KEY_LOAD)
 #include <zephyr/init.h>
@@ -28,7 +34,11 @@ int load_huk(void)
 
 		if (*(uint32_t *)huk_flag_addr == 0xFFFFFFFF) {
 			printk("First boot, expecting app to write HUK.\n");
+#ifdef CONFIG_NRFX_NVMC
 			nrfx_nvmc_word_write(huk_flag_addr, 0);
+#elif defined(CONFIG_NRFX_RRAMC)
+			nrfx_rramc_word_write(huk_flag_addr, 0);
+#endif
 			return 0;
 		}
 		printk("Error: Hardware Unique Key not present.\n");