soc: ironside: add min and max values for update

hakonfam · hakonfam · commit cfaaa9980684 · 2025-10-03T13:13:46.000+02:00
The update will fail if the address is outside  of this range.
This failure might trigger a bad state where the device is
non-trivial to recover.

Signed-off-by: Håkon Amundsen &lt;haakon.amundsen@nordicsemi.no&gt;
diff --git a/samples/boards/nordic/nrf_ironside/update/Kconfig b/samples/boards/nordic/nrf_ironside/update/Kconfig
@@ -3,7 +3,7 @@
 
 config UPDATE_BLOB_ADDRESS
 	hex "Address of the update blob"
-	default 0xe100000
+	default 0x0e100000
 	help
 	  Address of the update blob. The default value matches the placement of the
 	  update blobs delivered with the IronSide SE firmware.
diff --git a/soc/nordic/ironside/Kconfig b/soc/nordic/ironside/Kconfig
@@ -49,6 +49,22 @@ config NRF_IRONSIDE_UPDATE_SERVICE
 	help
 	  Service used to update the IronSide SE firmware.
 
+config NRF_IRONSIDE_UPDATE_SERVICE_MIN_ADDRESS
+	hex
+	default 0x0e100000
+	help
+	  Minimum value of address passed to the update service.
+	  The update needs to be located within MRAM11.
+
+config NRF_IRONSIDE_UPDATE_SERVICE_MAX_ADDRESS
+	hex
+	default 0x0e1d8000
+	help
+	  Maximum value of address passed to the update service.
+	  The biggest update (USLOT) occupies 160kB, so this address is set so that a 160kB
+	  update would still be within the limit of MRAM11 (0x0e200000).
+
+
 config NRF_IRONSIDE_BOOT_REPORT
 	bool "IronSide boot report"
 	depends on $(dt_nodelabel_exists,ironside_se_boot_report)
diff --git a/soc/nordic/ironside/include/nrf_ironside/update.h b/soc/nordic/ironside/include/nrf_ironside/update.h
@@ -62,6 +62,7 @@ struct ironside_update_blob {
  * @param update Pointer to update blob
  *
  * @retval 0 on a successful request (although the update itself may still fail).
+ * @retval -EFAULT if the address of the update is outside of the accepted range.
  * @retval -IRONSIDE_UPDATE_ERROR_NOT_PERMITTED if missing access to the update candidate.
  * @retval -IRONSIDE_UPDATE_ERROR_SICR_WRITE_FAILED if writing update parameters to SICR failed.
  * @retval Positive error status if reported by IronSide call (see error codes in @ref call.h).
diff --git a/soc/nordic/ironside/update.c b/soc/nordic/ironside/update.c
@@ -3,6 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+#include <errno.h>
 #include <nrf_ironside/update.h>
 #include <nrf_ironside/call.h>
 
@@ -11,6 +12,11 @@ int ironside_update(const struct ironside_update_blob *update)
 	int err;
 	struct ironside_call_buf *const buf = ironside_call_alloc();
 
+	if ((uintptr_t)update < CONFIG_NRF_IRONSIDE_UPDATE_SERVICE_MIN_ADDRESS ||
+	    (uintptr_t)update > CONFIG_NRF_IRONSIDE_UPDATE_SERVICE_MAX_ADDRESS) {
+		return -EFAULT;
+	}
+
 	buf->id = IRONSIDE_CALL_ID_UPDATE_SERVICE_V0;
 	buf->args[IRONSIDE_UPDATE_SERVICE_UPDATE_PTR_IDX] = (uintptr_t)update;
 

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@ struct ironside_update_blob {`
`62`	`62`	`* @param update Pointer to update blob`
`63`	`63`	`*`
`64`	`64`	`* @retval 0 on a successful request (although the update itself may still fail).`
	`65`	`+ * @retval -EFAULT if the address of the update is outside of the accepted range.`
`65`	`66`	`* @retval -IRONSIDE_UPDATE_ERROR_NOT_PERMITTED if missing access to the update candidate.`
`66`	`67`	`* @retval -IRONSIDE_UPDATE_ERROR_SICR_WRITE_FAILED if writing update parameters to SICR failed.`
`67`	`68`	`* @retval Positive error status if reported by IronSide call (see error codes in @ref call.h).`