soc: ironside: add min and max values for update

hakonfam · hakonfam · commit f4ab165092a0 · 2025-10-06T15:11:58.000+02:00
The update will fail if the address is outside  of this range.
This failure might trigger a bad state where the device is
non-trivial to recover.

Signed-off-by: Håkon Amundsen &lt;haakon.amundsen@nordicsemi.no&gt;
diff --git a/samples/boards/nordic/nrf_ironside/update/src/main.c b/samples/boards/nordic/nrf_ironside/update/src/main.c
@@ -10,6 +10,9 @@
 
 LOG_MODULE_REGISTER(app, LOG_LEVEL_INF);
 
+BUILD_ASSERT(CONFIG_UPDATE_BLOB_ADDRESS >= IRONSIDE_UPDATE_MIN_ADDRESS);
+BUILD_ASSERT(CONFIG_UPDATE_BLOB_ADDRESS <= IRONSIDE_UPDATE_MAX_ADDRESS);
+
 int main(void)
 {
 	int err;
diff --git a/soc/nordic/ironside/include/nrf_ironside/update.h b/soc/nordic/ironside/include/nrf_ironside/update.h
@@ -18,11 +18,27 @@
 #define IRONSIDE_UPDATE_ERROR_NOT_PERMITTED     (1)
 /** Failed to write the update metadata to SICR. */
 #define IRONSIDE_UPDATE_ERROR_SICR_WRITE_FAILED (2)
+/** Update candidate is placed outside of valid range */
+#define IRONSIDE_UPDATE_ERROR_INVALID_ADDRESS (3)
 
 /**
  * @}
  */
 
+/** Size of the update blob */
+#ifdef CONFIG_SOC_SERIES_NRF54HX
+#define IRONSIDE_UPDATE_BLOB_SIZE (160 * 1024)
+#elif CONFIG_SOC_SERIES_NRF92X
+#define IRONSIDE_UPDATE_BLOB_SIZE (160 * 1024)
+#else
+#error "Missing update blob size"
+#endif
+
+/** Min address used for storing the update candidate */
+#define IRONSIDE_UPDATE_MIN_ADDRESS (0x0e100000)
+/** Max address used for storing the update candidate */
+#define IRONSIDE_UPDATE_MAX_ADDRESS (0x0e200000 - IRONSIDE_UPDATE_BLOB_SIZE)
+
 /** Length of the update manifest in bytes */
 #define IRONSIDE_UPDATE_MANIFEST_LENGTH  (256)
 /** Length of the update public key in bytes. */
@@ -62,6 +78,8 @@ struct ironside_update_blob {
  * @param update Pointer to update blob
  *
  * @retval 0 on a successful request (although the update itself may still fail).
+ * @retval -IRONSIDE_UPDATE_ERROR_INVALID_ADDRESS if the address of the update is outside of the
+ *          accepted range.
  * @retval -IRONSIDE_UPDATE_ERROR_NOT_PERMITTED if missing access to the update candidate.
  * @retval -IRONSIDE_UPDATE_ERROR_SICR_WRITE_FAILED if writing update parameters to SICR failed.
  * @retval Positive error status if reported by IronSide call (see error codes in @ref call.h).
diff --git a/soc/nordic/ironside/update.c b/soc/nordic/ironside/update.c
@@ -11,6 +11,11 @@ int ironside_update(const struct ironside_update_blob *update)
 	int err;
 	struct ironside_call_buf *const buf = ironside_call_alloc();
 
+	if ((uintptr_t)update < IRONSIDE_UPDATE_MIN_ADDRESS ||
+	    (uintptr_t)update > IRONSIDE_UPDATE_MAX_ADDRESS) {
+		return -IRONSIDE_UPDATE_ERROR_INVALID_ADDRESS;
+	}
+
 	buf->id = IRONSIDE_CALL_ID_UPDATE_SERVICE_V0;
 	buf->args[IRONSIDE_UPDATE_SERVICE_UPDATE_PTR_IDX] = (uintptr_t)update;
 

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,9 @@`
`10`	`10`
`11`	`11`	`LOG_MODULE_REGISTER(app, LOG_LEVEL_INF);`
`12`	`12`
	`13`	`+BUILD_ASSERT(CONFIG_UPDATE_BLOB_ADDRESS >= IRONSIDE_UPDATE_MIN_ADDRESS);`
	`14`	`+BUILD_ASSERT(CONFIG_UPDATE_BLOB_ADDRESS <= IRONSIDE_UPDATE_MAX_ADDRESS);`
	`15`	`+`
`13`	`16`	`int main(void)`
`14`	`17`	`{`
`15`	`18`	`int err;`