From d1856abb576140d220c265b359567d29aadd0b2c Mon Sep 17 00:00:00 2001 From: Mateusz Michalek Date: Mon, 11 Aug 2025 07:52:10 +0200 Subject: [PATCH 1/2] manifest: update sdk-mcuboot pull-in self lock RWX feature. Signed-off-by: Mateusz Michalek --- west.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/west.yml b/west.yml index da88c90f57a..5802f6a4f08 100644 --- a/west.yml +++ b/west.yml @@ -128,7 +128,7 @@ manifest: compare-by-default: true - name: mcuboot repo-path: sdk-mcuboot - revision: ecc13ac1b0336c5ff39fc00075d34b55ab619752 + revision: 285fd59f4386a0317e476da5484f67b906073296 path: bootloader/mcuboot - name: qcbor url: https://github.com/laurencelundblade/QCBOR From 48d91fe528e677d6f1bb573bba851fc91d58c6b6 Mon Sep 17 00:00:00 2001 From: Mateusz Michalek Date: Thu, 31 Jul 2025 13:37:50 +0200 Subject: [PATCH 2/2] tests: bootloader: NSIB MCUBoot locks complete set of tests for region 3 and 4 lockouts. Signed-off-by: Mateusz Michalek --- subsys/bootloader/Kconfig | 14 ++ subsys/bootloader/bl_boot/bl_boot.c | 229 ++++++++++-------- tests/subsys/bootloader/b0_lock/testcase.yaml | 11 - .../{b0_lock => b0_lock_rwx}/CMakeLists.txt | 0 tests/subsys/bootloader/b0_lock_rwx/Kconfig | 23 ++ .../{b0_lock => b0_lock_rwx}/prj.conf | 0 .../{b0_lock => b0_lock_rwx}/src/main.c | 38 ++- .../{b0_lock => b0_lock_rwx}/sysbuild.conf | 1 + .../b0_lock_rwx/sysbuild/mcuboot/prj.conf | 40 +++ .../bootloader/b0_lock_rwx/testcase.yaml | 46 ++++ 10 files changed, 288 insertions(+), 114 deletions(-) delete mode 100644 tests/subsys/bootloader/b0_lock/testcase.yaml rename tests/subsys/bootloader/{b0_lock => b0_lock_rwx}/CMakeLists.txt (100%) create mode 100644 tests/subsys/bootloader/b0_lock_rwx/Kconfig rename tests/subsys/bootloader/{b0_lock => b0_lock_rwx}/prj.conf (100%) rename tests/subsys/bootloader/{b0_lock => b0_lock_rwx}/src/main.c (75%) rename tests/subsys/bootloader/{b0_lock => b0_lock_rwx}/sysbuild.conf (77%) create mode 100644 tests/subsys/bootloader/b0_lock_rwx/sysbuild/mcuboot/prj.conf create mode 100644 tests/subsys/bootloader/b0_lock_rwx/testcase.yaml diff --git a/subsys/bootloader/Kconfig b/subsys/bootloader/Kconfig index 8e7aeedda7d..b2b6e58eaf3 100644 --- a/subsys/bootloader/Kconfig +++ b/subsys/bootloader/Kconfig @@ -105,6 +105,13 @@ config SB_CLEANUP_RAM help Sets contents of memory to 0 before jumping to application. +config SB_INFINITE_LOOP_AFTER_RAM_CLEANUP + bool "Infinite loop after RAM cleanup" + depends on SB_CLEANUP_RAM + help + Verification option that keeps execution in infinite loop after + RAM cleanup has been performed. + config SB_DISABLE_SELF_RWX bool "Disable read and execution on self NVM" depends on (SOC_NRF54L15_CPUAPP || SOC_NRF54L05_CPUAPP || SOC_NRF54L10_CPUAPP) && !FPROTECT_ALLOW_COMBINED_REGIONS @@ -112,6 +119,13 @@ config SB_DISABLE_SELF_RWX Sets RRAMC's BOOTCONF region protection before jumping to application. It disables reads writes and execution memory area which holds NSIB. +config SB_DISABLE_NEXT_W + bool "Disable writes for next stage" + depends on (SOC_NRF54L15_CPUAPP || SOC_NRF54L05_CPUAPP || SOC_NRF54L10_CPUAPP) && !FPROTECT + help + NSIB disables writes on next stage in bootloading chain. + It uses RRAMC's region 4 and is limited to 31KB. + endif # IS_SECURE_BOOTLOADER config IS_BOOTLOADER_IMG diff --git a/subsys/bootloader/bl_boot/bl_boot.c b/subsys/bootloader/bl_boot/bl_boot.c index 6f6158a8483..edd829d96d3 100644 --- a/subsys/bootloader/bl_boot/bl_boot.c +++ b/subsys/bootloader/bl_boot/bl_boot.c @@ -19,25 +19,144 @@ #include #endif +#include +#define CLEANUP_RAM_GAP_START ((int)__ramfunc_region_start) +#define CLEANUP_RAM_GAP_SIZE ((int) (__ramfunc_end - __ramfunc_region_start)) + +#if defined(CONFIG_SB_DISABLE_NEXT_W) +#include +#define RRAMC_REGION_FOR_NEXT_W 4 +#define NRF_RRAM_REGION_SIZE_UNIT 0x400 +#define NRF_RRAM_REGION_ADDRESS_RESOLUTION 0x400 +#define NEXT_W_SIZE_KB (PM_MCUBOOT_SIZE / NRF_RRAM_REGION_SIZE_UNIT) + +BUILD_ASSERT((PM_MCUBOOT_ADDRESS % NRF_RRAM_REGION_ADDRESS_RESOLUTION) == 0, + "Start of protected region is not aligned"); + +BUILD_ASSERT((PM_MCUBOOT_SIZE % NRF_RRAM_REGION_SIZE_UNIT) == 0, + "Size of protected region is not aligned"); + +BUILD_ASSERT(NEXT_W_SIZE_KB < 31, + "Size of requested protection is too big"); + +static int disable_next_w(void) +{ + nrf_rramc_region_config_t config = { + .address = PM_MCUBOOT_ADDRESS, + .permissions = NRF_RRAMC_REGION_PERM_READ_MASK | + NRF_RRAMC_REGION_PERM_EXECUTE_MASK, + .writeonce = false, + .lock = false, + .size_kb = NEXT_W_SIZE_KB, + }; + + nrf_rramc_region_config_set(NRF_RRAMC, RRAMC_REGION_FOR_NEXT_W, &config); + nrf_rramc_region_config_get(NRF_RRAMC, RRAMC_REGION_FOR_NEXT_W, &config); + if (config.permissions & (NRF_RRAMC_REGION_PERM_WRITE_MASK)) { + return -ENOSPC; + } + if (config.size_kb != NEXT_W_SIZE_KB) { + return -ENOSPC; + } + + return 0; +} + +#endif + #if defined(CONFIG_SB_DISABLE_SELF_RWX) /* Disabling R_X has to be done while running from RAM for obvious reasons. * Moreover as a last step before jumping to application it must work even after - * RAM has been cleared, therefore we are using custom RAM function relocator. - * This relocator runs after RAM cleanup. - * Size of the relocated 'locking' function isn't known but it doesn't matter - * as long as at least entire aforementioned function is copied to RAM. + * RAM has been cleared, therefore these operations are performed while executing from RAM. + * RAM cleanup ommits portion of the memory where code lives. */ #include -#define FUNCTION_BUFFER_LEN 64 #define RRAMC_REGION_RWX_LSB 0 #define RRAMC_REGION_RWX_WIDTH 3 #define RRAMC_REGION_TO_LOCK_ADDR NRF_RRAMC->REGION[3].CONFIG #define RRAMC_REGION_TO_LOCK_ADDR_H (((uint32_t)(&(RRAMC_REGION_TO_LOCK_ADDR))) >> 16) #define RRAMC_REGION_TO_LOCK_ADDR_L (((uint32_t)(&(RRAMC_REGION_TO_LOCK_ADDR))) & 0x0000fffful) -static uint8_t ram_exec_buf[FUNCTION_BUFFER_LEN]; #endif /* CONFIG_SB_DISABLE_SELF_RWX */ +static void __ramfunc jump_in(uint32_t reset) +{ + __asm__ volatile ( + /* reset -> r0 */ + " mov r0, %0\n" +#ifdef CONFIG_SB_CLEANUP_RAM + /* Base to write -> r1 */ + " mov r1, %1\n" + /* Size to write -> r2 */ + " mov r2, %2\n" + /* Value to write -> r3 */ + " movw r3, %5\n" + /* gap start */ + " mov r4, %3\n" + /* gap size */ + " mov r5, %4\n" + "clear:\n" + " subs r6, r4, r1\n" + " cbnz r6, skip_gap\n" + " add r1, r5\n" + "skip_gap:\n" + " str r3, [r1]\n" + " add r1, r1, #1\n" + " sub r2, r2, #1\n" + " cbz r2, clear_end\n" + " b clear\n" + "clear_end:\n" + " dsb\n" +#ifdef CONFIG_SB_INFINITE_LOOP_AFTER_RAM_CLEANUP + " b clear_end\n" +#endif /* CONFIG_SB_INFINITE_LOOP_AFTER_RAM_CLEANUP */ +#endif /* CONFIG_SB_CLEANUP_RAM */ + +#ifdef CONFIG_SB_DISABLE_SELF_RWX + ".thumb_func\n" + "bootconf_disable_rwx:\n" + " movw r1, %6\n" + " movt r1, %7\n" + " ldr r2, [r1]\n" + /* Size of the region should be set at this point + * by provisioning through BOOTCONF. + * If not, set it according partition size. + */ + " ands r4, r2, %12\n" + " cbnz r4, clear_rwx\n" + " movt r2, %8\n" + "clear_rwx:\n" + " bfc r2, %9, %10\n" + /* Disallow further modifications */ + " orr r2, %11\n" + " str r2, [r1]\n" + " dsb\n" + /* Next assembly line is important for current function */ + + #endif /* CONFIG_SB_DISABLE_SELF_RWX */ + + /* Jump to reset vector of an app */ + " bx r0\n" + : + : "r" (reset), + "i" (CONFIG_SRAM_BASE_ADDRESS), + "i" (CONFIG_SRAM_SIZE * 1024), + "r" (CLEANUP_RAM_GAP_START), + "r" (CLEANUP_RAM_GAP_SIZE), + "i" (0) +#ifdef CONFIG_SB_DISABLE_SELF_RWX + , "i" (RRAMC_REGION_TO_LOCK_ADDR_L), + "i" (RRAMC_REGION_TO_LOCK_ADDR_H), + "i" (CONFIG_PM_PARTITION_SIZE_B0_IMAGE / 1024), + "i" (RRAMC_REGION_RWX_LSB), + "i" (RRAMC_REGION_RWX_WIDTH), + "i" (RRAMC_REGION_CONFIG_LOCK_Msk), + "i" (RRAMC_REGION_CONFIG_SIZE_Msk) +#endif /* CONFIG_SB_DISABLE_SELF_RWX */ + : "r0", "r1", "r2", "r3", "r4", "r5", "r6", "memory" + ); +} + #ifdef CONFIG_UART_NRFX_UARTE static void uninit_used_uarte(NRF_UARTE_Type *p_reg) { @@ -163,6 +282,13 @@ void bl_boot(const struct fw_info *fw_info) VTOR = fw_info->address; uint32_t *vector_table = (uint32_t *)fw_info->address; +#if defined(CONFIG_SB_DISABLE_NEXT_W) + if (disable_next_w()) { + printk("Unable to disable writes on next stage."); + return; + } +#endif + #if defined(CONFIG_BUILTIN_STACK_GUARD) && \ defined(CONFIG_CPU_CORTEX_M_HAS_SPLIM) /* Reset limit registers to avoid inflicting stack overflow on image @@ -175,96 +301,7 @@ void bl_boot(const struct fw_info *fw_info) __set_MSP(vector_table[0]); __set_PSP(0); - __asm__ volatile ( - /* vector_table[1] -> r0 */ - " mov r0, %0\n" -#ifdef CONFIG_SB_CLEANUP_RAM - /* Base to write -> r1 */ - " mov r1, %1\n" - /* Size to write -> r2 */ - " mov r2, %2\n" - /* Value to write -> r3 */ - " movw r3, %3\n" - "clear:\n" - " str r3, [r1]\n" - " add r1, r1, #4\n" - " sub r2, r2, #4\n" - " cbz r2, out\n" - " b clear\n" - "out:\n" - " dsb\n" -#endif /* CONFIG_SB_CLEANUP_RAM */ - -#ifdef CONFIG_SB_DISABLE_SELF_RWX - /* FUNCTION_BUFFER_LEN */ - " movw r4, %4\n" - /* Address of ram_exec_buf goes to r2 */ - " mov r2, %5\n" - " movw r3, :lower16:bootconf_disable_rwx\n" - " movt r3, :upper16:bootconf_disable_rwx\n" - /* Adjust address for thumb */ - " and r3, #0xfffffffe\n" - /* Address of ram_exec_buf also goes to r5 */ - " mov r5, %5\n" - /* Adjust buffer address for thumb */ - " orr r5, #0x1\n" - /* End of the copy address in r4 */ - " add r4, r2\n" - "ram_cpy:\n" - /* Read and increment */ - " ldrb r1, [r3], #1\n" - /* Write and increment */ - " strb r1, [r2], #1\n" - /* Check if end address is reached */ - " cmp r2, r4\n" - " bne ram_cpy\n" - " dsb\n" - /* Jump to ram */ - " bx r5\n" - /* CODE_UNREACHABLE */ - - ".thumb_func\n" - "bootconf_disable_rwx:\n" - " movw r1, %6\n" - " movt r1, %7\n" - " ldr r2, [r1]\n" - /* Size of the region should be set at this point - * by provisioning through BOOTCONF. - * If not, set it according partition size. - */ - " ands r4, r2, %12\n" - " cbnz r4, clear_rwx\n" - " movt r2, %8\n" - "clear_rwx:\n" - " bfc r2, %9, %10\n" - /* Disallow further modifications */ - " orr r2, %11\n" - " str r2, [r1]\n" - " dsb\n" - /* Next assembly line is important for current function */ - -#endif /* CONFIG_SB_DISABLE_SELF_RWX */ - - /* Jump to reset vector of an app */ - " bx r0\n" - : - : "r" (vector_table[1]), - "i" (CONFIG_SRAM_BASE_ADDRESS), - "i" (CONFIG_SRAM_SIZE * 1024), - "i" (0) -#ifdef CONFIG_SB_DISABLE_SELF_RWX - , "i" (FUNCTION_BUFFER_LEN), - "r" (ram_exec_buf), - "i" (RRAMC_REGION_TO_LOCK_ADDR_L), - "i" (RRAMC_REGION_TO_LOCK_ADDR_H), - "i" (CONFIG_PM_PARTITION_SIZE_B0_IMAGE / 1024), - "i" (RRAMC_REGION_RWX_LSB), - "i" (RRAMC_REGION_RWX_WIDTH), - "i" (RRAMC_REGION_CONFIG_LOCK_Msk), - "i" (RRAMC_REGION_CONFIG_SIZE_Msk) -#endif /* CONFIG_SB_DISABLE_SELF_RWX */ - : "r0", "r1", "r2", "r3", "r4", "r5", "memory" - ); + jump_in((vector_table[1])); CODE_UNREACHABLE; } diff --git a/tests/subsys/bootloader/b0_lock/testcase.yaml b/tests/subsys/bootloader/b0_lock/testcase.yaml deleted file mode 100644 index a5df70bd2de..00000000000 --- a/tests/subsys/bootloader/b0_lock/testcase.yaml +++ /dev/null @@ -1,11 +0,0 @@ -tests: - b0.self_lock: - sysbuild: true - extra_args: - - SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE=y - platform_allow: nrf54l15dk/nrf54l15/cpuapp - integration_platforms: - - nrf54l15dk/nrf54l15/cpuapp - tags: - - b0 - - ci_tests_subsys_bootloader diff --git a/tests/subsys/bootloader/b0_lock/CMakeLists.txt b/tests/subsys/bootloader/b0_lock_rwx/CMakeLists.txt similarity index 100% rename from tests/subsys/bootloader/b0_lock/CMakeLists.txt rename to tests/subsys/bootloader/b0_lock_rwx/CMakeLists.txt diff --git a/tests/subsys/bootloader/b0_lock_rwx/Kconfig b/tests/subsys/bootloader/b0_lock_rwx/Kconfig new file mode 100644 index 00000000000..f7007f5eea1 --- /dev/null +++ b/tests/subsys/bootloader/b0_lock_rwx/Kconfig @@ -0,0 +1,23 @@ +# +# Copyright (c) 2022 Nordic Semiconductor +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +config TEST_B0_LOCK_READS + bool "Test read prevention" + help + Reads are disabled after writes has been disabled, therefore testing against reads + implies portion of the memory cannot be accessed at all. + In case this symbol isn't selected, tests against writes are performed. + +config TEST_B0_LOCK_REGION + int "Region number" + range 3 4 + default 3 + help + Region 3 is used for NSIB protection. Other one for MCUBoot. + +menu "Zephyr" +source "Kconfig.zephyr" +endmenu diff --git a/tests/subsys/bootloader/b0_lock/prj.conf b/tests/subsys/bootloader/b0_lock_rwx/prj.conf similarity index 100% rename from tests/subsys/bootloader/b0_lock/prj.conf rename to tests/subsys/bootloader/b0_lock_rwx/prj.conf diff --git a/tests/subsys/bootloader/b0_lock/src/main.c b/tests/subsys/bootloader/b0_lock_rwx/src/main.c similarity index 75% rename from tests/subsys/bootloader/b0_lock/src/main.c rename to tests/subsys/bootloader/b0_lock_rwx/src/main.c index d2ab322a2c3..d979fcffdc9 100644 --- a/tests/subsys/bootloader/b0_lock/src/main.c +++ b/tests/subsys/bootloader/b0_lock_rwx/src/main.c @@ -8,7 +8,8 @@ #include #include -#define RRAMC_REGION_FOR_BOOTCONF 3 +#define RRAMC_REGION_FOR_TEST CONFIG_TEST_B0_LOCK_REGION + static uint32_t expected_fatal; static uint32_t actual_fatal; static nrf_rramc_region_config_t config; @@ -29,21 +30,46 @@ void check_fatal(void *unused) void *get_config(void) { nrf_rramc_region_config_get(NRF_RRAMC, - RRAMC_REGION_FOR_BOOTCONF, + RRAMC_REGION_FOR_TEST, &config); +#if defined(CONFIG_TEST_B0_LOCK_READS) + zassert_equal(0, config.permissions & + (NRF_RRAMC_REGION_PERM_READ_MASK | + NRF_RRAMC_REGION_PERM_WRITE_MASK | + NRF_RRAMC_REGION_PERM_EXECUTE_MASK), + "Read Write and eXecute permissions aren't cleared"); +#else zassert_equal(0, config.permissions & (NRF_RRAMC_REGION_PERM_WRITE_MASK), "Write permission isn't cleared"); +#endif zassert_true(config.size_kb > 0, "Protected region has zero size."); return NULL; } ZTEST(b0_self_lock_test, test_reading_b0_image) { + printk("Region %d\n", RRAMC_REGION_FOR_TEST); uint32_t protected_end_address = 1024 * config.size_kb; volatile uint32_t *unprotected_word = (volatile uint32_t *)protected_end_address; volatile uint32_t *protected_word = (volatile uint32_t *)protected_end_address - sizeof(uint32_t); + + config.permissions = NRF_RRAMC_REGION_PERM_READ_MASK | + NRF_RRAMC_REGION_PERM_WRITE_MASK | + NRF_RRAMC_REGION_PERM_EXECUTE_MASK; + /* Try unlocking. This should take no effect at this point */ + nrf_rramc_region_config_set(NRF_RRAMC, RRAMC_REGION_FOR_TEST, &config); + +#if defined(CONFIG_TEST_B0_LOCK_READS) + printk("Legal read\n"); + int val = *unprotected_word; + + printk("Illegal read\n"); + expected_fatal++; + __DSB(); + val = *protected_word; +#else uint32_t test_value = ~(*unprotected_word); printk("Legal write\n"); @@ -56,15 +82,13 @@ ZTEST(b0_self_lock_test, test_reading_b0_image) nrf_rramc_word_write((uint32_t)unprotected_word, test_value); zassert_equal(test_value, *unprotected_word, "Legal write value doesn't match."); - config.permissions = NRF_RRAMC_REGION_PERM_READ_MASK | - NRF_RRAMC_REGION_PERM_WRITE_MASK | - NRF_RRAMC_REGION_PERM_EXECUTE_MASK; - /* Try unlocking. This should take no effect at this point */ - nrf_rramc_region_config_set(NRF_RRAMC, RRAMC_REGION_FOR_BOOTCONF, &config); printk("Illegal write\n"); expected_fatal++; __DSB(); nrf_rramc_word_write((uint32_t)protected_word, test_value); + +#endif + } ZTEST_SUITE(b0_self_lock_test, NULL, get_config, NULL, check_fatal, NULL); diff --git a/tests/subsys/bootloader/b0_lock/sysbuild.conf b/tests/subsys/bootloader/b0_lock_rwx/sysbuild.conf similarity index 77% rename from tests/subsys/bootloader/b0_lock/sysbuild.conf rename to tests/subsys/bootloader/b0_lock_rwx/sysbuild.conf index 642641ae721..58761279203 100644 --- a/tests/subsys/bootloader/b0_lock/sysbuild.conf +++ b/tests/subsys/bootloader/b0_lock_rwx/sysbuild.conf @@ -5,4 +5,5 @@ # SB_CONFIG_SECURE_BOOT_APPCORE=y +SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE=y SB_CONFIG_SECURE_BOOT_BOOTCONF_LOCK_WRITES=y diff --git a/tests/subsys/bootloader/b0_lock_rwx/sysbuild/mcuboot/prj.conf b/tests/subsys/bootloader/b0_lock_rwx/sysbuild/mcuboot/prj.conf new file mode 100644 index 00000000000..32993c7a798 --- /dev/null +++ b/tests/subsys/bootloader/b0_lock_rwx/sysbuild/mcuboot/prj.conf @@ -0,0 +1,40 @@ +# +# Copyright (c) 2025 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# +CONFIG_SIZE_OPTIMIZATIONS=y + +CONFIG_HW_STACK_PROTECTION=y + +CONFIG_MAIN_STACK_SIZE=10240 +CONFIG_BOOT_MAX_IMG_SECTORS=256 +CONFIG_BOOT_BOOTSTRAP=n + +CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y + +CONFIG_FLASH=y +CONFIG_FPROTECT=n + +# Reduce memory consumption +CONFIG_BOOT_BANNER=n +CONFIG_NCS_BOOT_BANNER=n +CONFIG_SYS_CLOCK_EXISTS=n +CONFIG_CLOCK_CONTROL=n +CONFIG_NRF_GRTC_TIMER=n +CONFIG_NRF_GRTC_START_SYSCOUNTER=n +CONFIG_SPI_NOR=n +CONFIG_GPIO=n +CONFIG_SERIAL=n +CONFIG_CONSOLE=n +CONFIG_UART_CONSOLE=n +CONFIG_PRINTK=n +CONFIG_USE_SEGGER_RTT=n + +# Activate Link Time Optimization (LTO) +CONFIG_LTO=y +CONFIG_ISR_TABLES_LOCAL_DECLARATION=y + +# Improve debugging experience by disabling reset on fatal error +CONFIG_RESET_ON_FATAL_ERROR=n +CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x7800 diff --git a/tests/subsys/bootloader/b0_lock_rwx/testcase.yaml b/tests/subsys/bootloader/b0_lock_rwx/testcase.yaml new file mode 100644 index 00000000000..9750097c7c9 --- /dev/null +++ b/tests/subsys/bootloader/b0_lock_rwx/testcase.yaml @@ -0,0 +1,46 @@ +tests: + b0.w: + sysbuild: true + platform_allow: nrf54l15dk/nrf54l15/cpuapp + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + tags: + - b0 + b0.rwx: + sysbuild: true + extra_args: + - b0_CONFIG_SB_DISABLE_SELF_RWX=y + - CONFIG_TEST_B0_LOCK_READS=y + platform_allow: nrf54l15dk/nrf54l15/cpuapp + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + tags: + - b0 + b0.mcuboot.w: + sysbuild: true + extra_args: + - b0_CONFIG_SB_DISABLE_SELF_RWX=y + - b0_CONFIG_SB_DISABLE_NEXT_W=y + - SB_CONFIG_BOOTLOADER_MCUBOOT=y + - SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y + - CONFIG_TEST_B0_LOCK_REGION=4 + platform_allow: nrf54l15dk/nrf54l15/cpuapp + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + tags: + - b0 + b0.mcuboot.rwx: + sysbuild: true + extra_args: + - b0_CONFIG_SB_DISABLE_SELF_RWX=y + - b0_CONFIG_SB_DISABLE_NEXT_W=y + - mcuboot_CONFIG_NCS_MCUBOOT_DISABLE_SELF_RWX=y + - SB_CONFIG_BOOTLOADER_MCUBOOT=y + - SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y + - CONFIG_TEST_B0_LOCK_READS=y + - CONFIG_TEST_B0_LOCK_REGION=4 + platform_allow: nrf54l15dk/nrf54l15/cpuapp + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + tags: + - b0