Protected Memory with PERIPHCONF Partition

This sample demonstrates how to protect the PERIPHCONF partition using UICR.PROTECTEDMEM.

Requirements

The sample supports the following development kit:

Hardware platforms

PCA

Board name

Board target

nRF54H20 DK

PCA10175

nrf54h20dk

nrf54h20dk/nrf54h20/cpuapp

Overview

The sample relocates the periphconf_partition right after cpuapp_boot_partition and configures PROTECTEDMEM to cover both partitions. When protected memory is modified, the integrity check fails on the next boot, causing IronSide SE to boot the secondary firmware instead of the main application.

Building and running

This sample can be found under samples/ironside_se/protectedmem_periphconf in the nRF Connect SDK folder structure.

To build the sample, follow the instructions in Building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.

Note

When building repository applications in the SDK repositories, building with sysbuild is enabled by default. If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild parameter to every build command or configure west to always use it.

Testing

After programming the sample to your development kit, complete the following steps to test it:

  1. Connect to the kit with a terminal emulator (for example, the Serial Terminal app). See Testing and optimization for the required settings and steps.

  2. Reset the development kit.

The application writes a test pattern to protected memory and then reboots. On the next boot, if protection works correctly, the secondary firmware boots instead of the main application, indicating that the integrity check detected the modification.

Configuration

The sample uses the following key configurations:

Device Tree Overlay

The app.overlay file relocates the periphconf_partition to be placed right after cpuapp_boot_partition at offset 0x40000. The sysbuild.cmake file applies this same overlay to the UICR image so both images see the same partition layout.

Kconfig Configuration

The sysbuild/uicr.conf file configures the PROTECTEDMEM size to 72KB (73728 bytes) to cover both cpuapp_boot_partition (64KB) and periphconf_partition (8KB).

Secondary Firmware

The sample includes a secondary firmware (in the secondary/ directory) that boots automatically when the PROTECTEDMEM integrity check fails. The secondary firmware is enabled via CONFIG_GEN_UICR_SECONDARY=y in sysbuild/uicr.conf and is built as part of the sysbuild process (configured in sysbuild.cmake).

Dependencies

This sample uses the following nRF Connect SDK subsystems:

  • UICR generation - Configures UICR.PROTECTEDMEM to protect the memory region and UICR.SECONDARY to enable secondary firmware boot

  • Sysbuild - Enables building the UICR image and secondary firmware with the protected memory configuration

In addition, it uses the following Zephyr subsystems:

  • Kernel - Provides basic system functionality and threading

  • Console - Enables UART console output for debugging and user interaction

  • Devicetree - Defines the partition layout