samples: boards: nordic: add sample for secondary boot

Add a sample that demonstrates how a secondary boot image could be
built.

Signed-off-by: Sebastian Bøe <[email protected]>

Author: SebastianBoe

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/CMakeLists.txt

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+cmake_minimum_required(VERSION 3.13.1)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+
+project(secondary_boot_primary)
+
+target_sources(app PRIVATE
+  src/main.c
+  )

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/README.rst

@@ -0,0 +1,101 @@
+.. zephyr:code-sample:: secondary_boot_corruption
+   :name: Secondary Boot Corruption Sample
+
+   Demonstrate secondary image boot after primary image corruption
+
+Overview
+********
+
+This sample demonstrates the secondary boot functionality on nRF54H20DK when the
+primary image is corrupted. The sample consists of two applications that work
+together to show how the system can recover from primary image corruption by
+booting a secondary image.
+
+The sample uses UICR (User Information Configuration Registers) to
+enable and configure secondary boot and protected memory regions, then
+intentionally corrupts the primary image to trigger a reboot to the
+secondary image.
+
+Architecture
+************
+
+The sample consists of three components:
+
+* **Primary Image**: Runs initially on the application core (cpuapp), prints a
+  hello world message, corrupts protected memory, and reboots the system.
+
+* **Secondary Image**: Runs on the same application core (cpuapp) after the
+  primary image corruption triggers a reboot. Prints its own hello world message
+  and continues running with periodic heartbeat messages.
+
+* **UICR Build**: Generates UICR configuration that enables secondary boot and
+  protected memory regions.
+
+Requirements
+************
+
+* nRF54H20DK board
+
+Building and Running
+********************
+
+This sample uses :ref:`sysbuild` to build multiple images. The ``--sysbuild``
+flag is required.
+
+Build the sample:
+
+.. zephyr-app-commands::
+   :zephyr-app: samples/boards/nordic/nrf_ironside/secondary_boot_corruption
+   :board: nrf54h20dk/nrf54h20/cpuapp
+   :west-args: --sysbuild
+   :goals: build
+
+Flash the sample:
+
+.. zephyr-app-commands::
+   :zephyr-app: samples/boards/nordic/nrf_ironside/secondary_boot_corruption
+   :board: nrf54h20dk/nrf54h20/cpuapp
+   :west-args: --sysbuild
+   :goals: flash
+
+Sample Output
+*************
+
+When the sample runs successfully, you should see output similar to the following:
+
+.. code-block:: console
+
+   *** Booting Zephyr OS build v4.2.99 ***
+   === Hello World from Primary Image ===
+   Rebooting
+   *** Booting Zephyr OS build v4.2.99 ***
+   === Hello World from Secondary Image ===
+   Secondary image heartbeat
+   Secondary image heartbeat
+   ...
+
+How It Works
+************
+
+1. The primary image starts and prints a hello world message.
+
+2. The primary image intentionally corrupts protected memory regions by writing
+   specific values to memory addresses. This is only possible because the MPU
+   (Memory Protection Unit) is disabled in the configuration.
+
+3. The primary image triggers a system reset.
+
+4. During the next boot, the system detects the corruption and boots the
+   secondary image instead of the primary image.
+
+5. The secondary image starts and prints its own hello world message, then
+   continues running with periodic heartbeat messages.
+
+Dependencies
+************
+
+This sample uses the following Zephyr subsystems:
+
+* :ref:`sysbuild` for multi-image builds
+* UICR generation system for configuration
+* Device tree for memory layout configuration

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/prj.conf

@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable the MPU to allow the sample to corrupt itself
+CONFIG_ARM_MPU=n
+
+CONFIG_ASSERT=y

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/sample.yaml

@@ -0,0 +1,25 @@
+sample:
+  name: Secondary Boot Corruption Sample
+  description: |
+    Demonstrates secondary image boot after primary image corruption on nRF54H20DK.
+    The primary image corrupts protected memory and reboots, triggering the system
+    to boot the secondary image instead.
+
+common:
+  sysbuild: true
+  harness: console
+  harness_config:
+    type: multi_line
+    regex:
+      - "=== Hello World from Primary Image ==="
+      - "=== Hello World from Secondary Image ==="
+
+tests:
+  sample.boards.nordic.nrf_ironside.secondary_boot_corruption:
+    tags:
+      - sysbuild
+      - nrf_ironside
+    platform_allow:
+      - nrf54h20dk/nrf54h20/cpuapp
+    integration_platforms:
+      - nrf54h20dk/nrf54h20/cpuapp

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/secondary/CMakeLists.txt

@@ -0,0 +1,11 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+cmake_minimum_required(VERSION 3.13.1)
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(secondary_boot_secondary)
+
+# Create marker file to identify this as secondary firmware for gen_uicr.py
+file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/is_secondary_firmware.txt "")
+
+target_sources(app PRIVATE src/main.c)

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/secondary/prj.conf

@@ -0,0 +1,9 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# NB: Must match secondary_partition in DT
+# Secondary partition is at 0x1b0000
+CONFIG_FLASH_LOAD_OFFSET=0x1b0000

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/secondary/src/main.c

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include <zephyr/kernel.h>
+#include <zephyr/sys/printk.h>
+
+int main(void)
+{
+	printk("=== Hello World from Secondary Image ===\n");
+
+	while (1) {
+		k_msleep(3000);
+		printk("Secondary image heartbeat\n");
+	}
+
+	return 0;
+}

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/src/main.c

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include <zephyr/kernel.h>
+#include <zephyr/sys/printk.h>
+#include <zephyr/sys/reboot.h>
+#include <zephyr/linker/linker-defs.h>
+#include <string.h>
+
+int main(void)
+{
+	printk("=== Hello World from Primary Image ===\n");
+
+	__ASSERT((uint32_t)__rom_region_start == 0xe030000,
+			 "For nRF54H20 the protectedmem starts at 0xe030000");
+
+	printk("Corrupting the PROTECTEDMEM\n");
+	/* (This is only possible because we have disabled CONFIG_ARM_MPU). */
+
+	*((volatile uint32_t *)__rom_region_start + 0) = 0x5EB0;
+	*((volatile uint32_t *)__rom_region_start + 4) = 0x5EB0;
+	*((volatile uint32_t *)__rom_region_start + 8) = 0x5EB0;
+	*((volatile uint32_t *)__rom_region_start + 12) = 0x5EB0;
+
+	printk("Rebooting\n");
+
+	sys_reboot(SYS_REBOOT_COLD);
+
+	return 0;
+}

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/sysbuild.cmake

@@ -0,0 +1,8 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: Apache-2.0
+
+ExternalZephyrProject_Add(
+  APPLICATION secondary
+  SOURCE_DIR ${APP_DIR}/secondary
+  BOARD nrf54h20dk/nrf54h20/cpuapp
+)

samples/boards/nordic/nrf_ironside/secondary_boot_corruption/sysbuild/uicr.conf

@@ -0,0 +1,10 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+# Configuration overlay for uicr image
+# Enable UICR.SECONDARY.ENABLE
+CONFIG_GEN_UICR_SECONDARY=y
+
+# Enable UICR protected memory
+CONFIG_GEN_UICR_PROTECTEDMEM=y
+CONFIG_GEN_UICR_PROTECTEDMEM_SIZE_BYTES=4096