bootloader: Enable NSIB SB_CLEANUP_RAM for nRF54L

ahasztag · ahasztag · commit dddc3f37ccb9 · 2025-10-24T12:21:11.000+02:00
The SB_CLEANUP_RAM was being blocked by the EXT_APIs,
which were enabled in the NSIB-s prj.conf

There are currently no use cases for EXT_APIs for nRF54L
and cleanup up RAM after NSIB finishes its work is an important
feature, so the part enabling the EXT_APIs needed to be removed
from the NSIB-s prj.conf

However, backwards compatibility with applications working
on nRF52 and nRF53 needed to be mantained, so the EXT_APIs
are now enabled by default in KConfings for the NSIB image
for these platforms. Note this change aligns with the EXT_APIs
documentation - in the documentation it is not described
how to enable the EXT_APIs in NSIB when adding a new custom
EXT_API. Now, the template will ensure it is enabled in
NSIB.

Signed-off-by: Artur Hadasz &lt;artur.hadasz@nordicsemi.no&gt;
diff --git a/doc/nrf/libraries/security/bootloader/fw_info.rst b/doc/nrf/libraries/security/bootloader/fw_info.rst
@@ -51,6 +51,9 @@ External APIs
 
 The firmware information structure allows for exchange of arbitrary tagged and versioned interfaces called *external APIs* (EXT_APIs).
 
+.. note::
+   EXT_APIs are currently only supported on the nRF52 and nRF53 Series devices.
+
 An EXT_API structure is a structure consisting of a header followed by arbitrary data.
 The header consists of the following information:
 
diff --git a/samples/bootloader/prj.conf b/samples/bootloader/prj.conf
@@ -17,11 +17,6 @@ CONFIG_LOG_DEFAULT_LEVEL=0
 CONFIG_SECURE_BOOT_VALIDATION=y
 CONFIG_SECURE_BOOT_VALIDATION_LOG_LEVEL_INF=y
 CONFIG_SECURE_BOOT_STORAGE=y
-CONFIG_BL_ROT_VERIFY_EXT_API_ENABLED=y
-CONFIG_BL_SHA256_EXT_API_ENABLED=y
-CONFIG_BL_SECP256R1_EXT_API_ENABLED=y
-CONFIG_BL_VALIDATE_FW_EXT_API_ENABLED=y
-CONFIG_EXT_API_PROVIDE_EXT_API_ENABLED=y
 CONFIG_MAIN_STACK_SIZE=2048
 CONFIG_TIMEOUT_64BIT=n
 
diff --git a/samples/bootloader/prj_minimal.conf b/samples/bootloader/prj_minimal.conf
@@ -5,11 +5,6 @@
 #
 
 CONFIG_B0_MIN_PARTITION_SIZE=y
-CONFIG_BL_ROT_VERIFY_EXT_API_ENABLED=y
-CONFIG_BL_SECP256R1_EXT_API_ENABLED=y
-CONFIG_BL_SHA256_EXT_API_ENABLED=y
-CONFIG_BL_VALIDATE_FW_EXT_API_ENABLED=y
-CONFIG_EXT_API_PROVIDE_EXT_API_ENABLED=y
 CONFIG_FPROTECT=y
 CONFIG_FW_INFO=y
 CONFIG_IS_SECURE_BOOTLOADER=y
diff --git a/subsys/bootloader/Kconfig b/subsys/bootloader/Kconfig
@@ -101,6 +101,7 @@ config SB_BPROT_IN_DEBUG
 config SB_CLEANUP_RAM
 	bool "Perform RAM cleanup"
 	depends on !FW_INFO_PROVIDE_ENABLE
+	depends on !MPU_STACK_GUARD
 	depends on CPU_CORTEX_M4 || CPU_CORTEX_M33
 	help
 	  Sets contents of memory to 0 before jumping to application.
diff --git a/subsys/bootloader/bl_boot/bl_boot.c b/subsys/bootloader/bl_boot/bl_boot.c
@@ -23,6 +23,25 @@
 #define CLEANUP_RAM_GAP_START ((int)__ramfunc_region_start)
 #define CLEANUP_RAM_GAP_SIZE ((int) (__ramfunc_end - __ramfunc_region_start))
 
+#ifdef CONFIG_SB_CLEANUP_RAM
+#define REGIONS_OVERLAP(addr1, size1, addr2, size2) \
+	((addr1) < ((addr2) + (size2)) && (addr2) < ((addr1) + (size1)))
+
+#define RETAINED_RAM_ADDR(ret_ram_node) DT_REG_ADDR(DT_PARENT(ret_ram_node))
+#define RETAINED_RAM_SIZE(ret_ram_node) DT_REG_SIZE(DT_PARENT(ret_ram_node))
+
+
+#define CHECK_RETAINED_RAM_NO_SRAM_OVERLAP(ret_ram_node) \
+	BUILD_ASSERT(!REGIONS_OVERLAP(CONFIG_SRAM_BASE_ADDRESS, CONFIG_SRAM_SIZE * 1024, \
+	RETAINED_RAM_ADDR(ret_ram_node), RETAINED_RAM_SIZE(ret_ram_node)), \
+	"Retained RAM region overlaps with defined SRAM, cannot cleanup RAM")
+
+/* Ensure that the retained RAM region does not overlap with the defined SRAM region.
+ * Otherwise, the RAM cleanup would overwrite the retained RAM region.
+ */
+DT_FOREACH_STATUS_OKAY(zephyr_retained_ram, CHECK_RETAINED_RAM_NO_SRAM_OVERLAP);
+#endif
+
 #if defined(CONFIG_SB_DISABLE_NEXT_W)
 #include <hal/nrf_rramc.h>
 #define RRAMC_REGION_FOR_NEXT_W 4
@@ -175,8 +194,8 @@ static void __ramfunc jump_in(uint32_t reset)
 		"   bx   r0\n"
 		:
 		: "r" (reset),
-		  "i" (CONFIG_SRAM_BASE_ADDRESS),
-		  "i" (CONFIG_SRAM_SIZE * 1024),
+		  "r" (CONFIG_SRAM_BASE_ADDRESS),
+		  "r" (CONFIG_SRAM_SIZE * 1024),
 		  "r" (CLEANUP_RAM_GAP_START),
 		  "r" (CLEANUP_RAM_GAP_SIZE),
 		  "i" (0)
diff --git a/subsys/fw_info/Kconfig b/subsys/fw_info/Kconfig
@@ -123,6 +123,14 @@ config FW_INFO_PROVIDE_ENABLE
 	help
 	  Hidden option, set if at least one *_EXT_API_ENABLED option is enabled.
 
+config EXT_API_SUPPORTED
+	bool
+	default y if SOC_SERIES_NRF52X
+	default y if SOC_NRF5340_CPUAPP
+	default y if SOC_SERIES_NRF91X
+	help
+	  External APIs are supported on the current platform.
+
 EXT_API = EXT_API_PROVIDE
 id = 0x1200
 flags = 0
diff --git a/subsys/fw_info/Kconfig.template.fw_info_ext_api b/subsys/fw_info/Kconfig.template.fw_info_ext_api
@@ -41,6 +41,7 @@ config $(EXT_API)_EXT_API_AT_LEAST_REQUIRED
 
 config $(EXT_API)_EXT_API_ENABLED
 	bool "Provide the $(EXT_API) EXT_API to other images"
+	default y if IS_SECURE_BOOTLOADER && EXT_API_SUPPORTED
 	select FW_INFO_PROVIDE_ENABLE
 	help
 	  Provide this EXT_API to other images.
