Updating IronSide SE
Caution
You cannot update IronSide SE from a SUIT-based (up to 0.9.6) to an IronSide SE-based (20.0.0 and onwards) version.
The application initiates the update operation at runtime through the IronSide SE’s update service.
Release package
The IronSide SE is released independently of the nRF Connect SDK release cycle and is provided as a ZIP archive.
The archive is used to update the existing IronSide SE firmware on the nRF54H20 and consists of the following components:
Component |
File |
Description |
|---|---|---|
IronSide SE firmware |
|
Used when provisioning a new DK with IronSide SE and IronSide SE Recovery firmware for the first time. |
IronSide SE update firmware |
|
Used when updating IronSide SE. |
IronSide SE Recovery update firmware |
|
The recovery firmware, reserved for future recovery operations. Currently, it does not provide user-facing functionality. Used when updating the recovery firmware. |
Update application |
|
The local domain update application that is used to perform an IronSide SE update. See Architecture for details on its role. |
For more information on IronSide SE release binaries, see IronSide SE ABI compatibility.
For instructions on how to provision the nRF54H20 SoC with IronSide SE for the first time, see Bring-up step: Programming the nRF54H20 IronSide SE binaries.
Performing an update
Note
You can update the IronSide SE only on an nRF54H20 SoC that was initially provisioned with it.
Limitations
Important
A URoT (IronSide SE) update image must be stored in MRAM11. The update cannot be performed with the image placed in MRAM10. See nRF54H20 memory layout for the MRAM10 and MRAM11 layout.
IronSide SE supports being updated in the following ways:
Manual updates with a debugger
Manual update
Caution
Manual updates will replace existing firmware running in the Application core. User application firmware must be reprogrammed after successfully updating the device.
nRF Connect SDK supports the following methods for manually updating the IronSide SE firmware on the nRF54H20 SoC:
The nRF Connect SDK defines the west ncs-ironside-se-update command to update IronSide SE firmware on a device via the debugger.
This command takes the nRF54H20 IronSide SE binaries ZIP file and uses the IronSide SE update service to update both the IronSide SE and IronSide SE Recovery (or optionally just one of them):
west ncs-ironside-se-update --allow-erase --zip <path_to_soc_binaries.zip>
Use the --help option to see all possible options and descriptions of their use.
Note
To use nRF Util for the update, you must install the nRF Util device command v2.14.0 or higher. See Installing specific versions of nRF Util commands for more information.
You can update IronSide SE by manually executing nRF Util commands that perform the same steps that the west command performs.
To perform the manual update process using nRF Util’s device command, complete the following steps:
Extract the update bundle:
unzip <soc_binaries.zip> -d /tmp/update_dirErase non-volatile memory:
nrfutil device recover --serial-number <serial>Program the update application:
nrfutil device program --firmware /tmp/update_dir/update/update_application.hex --serial-number <serial>Program the IronSide SE update firmware:
nrfutil device program --options chip_erase_mode=ERASE_NONE --firmware /tmp/update_dir/update/ironside_se_update.hex --serial-number <serial>Reset the device to execute the update service:
nrfutil device reset --serial-number <serial>Reset through Secure Domain to trigger the installation of the update:
nrfutil device reset --reset-kind RESET_VIA_SECDOM --serial-number <serial>If you are updating both slots, complete the following additional steps:
Program the IronSide SE Recovery update firmware:
nrfutil device program --options chip_erase_mode=ERASE_NONE --firmware /tmp/update_dir/update/ironside_se_recovery_update.hex --serial-number <serial>Reset again to execute the update service:
nrfutil device reset --serial-number <serial>Reset again through Secure Domain to trigger the installation of the update:
nrfutil device reset --reset-kind RESET_VIA_SECDOM --serial-number <serial>
Erase the update application (regardless of whether you update one or both slots):
nrfutil device erase --all --serial-number <serial>
Architecture
The IronSide SE update process starts when the application firmware invokes the update service with the address of where the update release package has been written in MRAM. The package must lie in MRAM11 as described in Limitations.
Application procedure
The following describes the process for an IronSide SE update from the point of view of the application:
MRAM11 is updated with the IronSide SE update image (see Limitations).
It calls the IronSide SE update service with the update image location.
It verifies that the update request is acknowledged.
It triggers a reset.
It checks the version in the boot report on startup.
IronSide SE procedure
The IronSide SE side of the update process involves both the IronSide SE firmware and SDROM.
The following describes the update process in the IronSide SE upon request:
The service receives an update request containing the location of the update image in MRAM.
The update request is validated.
The SICR registers are updated with the image metadata.
The service acknowledges the update request.
Normal operation continues until a reset is performed.
Once the device comes out of reset, SDROM sees the update metadata and does the following to verify and apply the update:
Enables write-protection on the update image and firmware contents.
Checks firmware metadata stored in SICR registers against permitted MRAM region and size constraints.
Verifies update version against current firmware to prevent downgrades.
Computes and validates digest of the public key.
Checks public key is not revoked.
Computes and validates digest of update firmware.
Verifies signature of the update firmware.
Updates SICR’s update status with result.
If any of the above steps fail, the installation is aborted and the existing IronSide SE is booted. Otherwise, the update firmware’s metadata is stored in the SICR and the new image is installed.
If the updated firmware is for the IronSide SE Recovery, the device is reset into Safe Mode after installation. When Safe Mode has acknowledged its update, the device is reset to boot back into the IronSide SE context.
On boot, IronSide SE reads the update result from the SICR update status register and writes the value into the boot report.
Note
IronSide SE does not delete the update image contents from MRAM after a successful update.