soc: nordic: uicr: Add support for SECURESTORAGE

Add UICR.SECURESTORAGE configuration based on device tree partitions.
Validates partition layout and populates size fields in 1KB units.
Handles missing partitions gracefully.

Signed-off-by: Sebastian Bøe <[email protected]>

Author: SebastianBoe

scripts/ci/check_compliance.py

@@ -1266,6 +1266,7 @@ def check_no_undef_outside_kconfig(self, kconf):
         "GEN_UICR_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
         "GEN_UICR_SECONDARY", # Used in specialized build tool, not part of main Kconfig
         "GEN_UICR_SECONDARY_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
+        "GEN_UICR_SECURESTORAGE", # Used in specialized build tool, not part of main Kconfig
         "HEAP_MEM_POOL_ADD_SIZE_", # Used as an option matching prefix
         "HUGETLBFS",          # Linux, in boards/xtensa/intel_adsp_cavs25/doc
         "IAR_BUFFERED_WRITE",

soc/nordic/common/uicr/gen_uicr.py

@@ -198,6 +198,98 @@ class Uicr(c.LittleEndianStructure):
     ]
 
 
+def validate_secure_storage_partitions(
+    secure_storage_address: int,
+    cpuapp_crypto_address: int,
+    cpuapp_crypto_size: int,
+    cpurad_crypto_address: int,
+    cpurad_crypto_size: int,
+    cpuapp_its_address: int,
+    cpuapp_its_size: int,
+    cpurad_its_address: int,
+    cpurad_its_size: int,
+) -> None:
+    """
+    Validate that secure storage partitions are laid out correctly.
+
+    Args:
+        secure_storage_address: Absolute address of secure storage partition
+        cpuapp_crypto_address: Absolute address of cpuapp_crypto_partition
+        cpuapp_crypto_size: Size of cpuapp_crypto_partition
+        cpurad_crypto_address: Absolute address of cpurad_crypto_partition
+        cpurad_crypto_size: Size of cpurad_crypto_partition
+        cpuapp_its_address: Absolute address of cpuapp_its_partition
+        cpuapp_its_size: Size of cpuapp_its_partition
+        cpurad_its_address: Absolute address of cpurad_its_partition
+        cpurad_its_size: Size of cpurad_its_partition
+
+    Raises:
+        ScriptError: If validation fails
+    """
+    # Expected order: cpuapp_crypto_partition, cpurad_crypto_partition,
+    # cpuapp_its_partition, cpurad_its_partition
+    partitions = [
+        (cpuapp_crypto_address, cpuapp_crypto_size, "cpuapp_crypto_partition"),
+        (cpurad_crypto_address, cpurad_crypto_size, "cpurad_crypto_partition"),
+        (cpuapp_its_address, cpuapp_its_size, "cpuapp_its_partition"),
+        (cpurad_its_address, cpurad_its_size, "cpurad_its_partition"),
+    ]
+
+    # Filter out zero-sized partitions (missing partitions)
+    present_partitions = []
+    for i, (addr, size, name) in enumerate(partitions):
+        if size > 0:
+            present_partitions.append((i, addr, size, name))
+
+    if not present_partitions:
+        # No partitions present - this is valid
+        return
+
+    # Check that the first present partition starts at the secure storage address
+    _, first_addr, _, first_name = present_partitions[0]
+    if first_addr != secure_storage_address:
+        raise ScriptError(
+            f"First partition {first_name} starts at {first_addr}, but must start at "
+            f"secure storage address {secure_storage_address}"
+        )
+
+    # Check that all present partitions have sizes that are multiples of 1KB
+    for _, _, size, name in present_partitions:
+        if size % 1024 != 0:
+            raise ScriptError(
+                f"Partition {name} has size {size} bytes, but must be a multiple of "
+                f"1024 bytes (1KB)"
+            )
+
+    # Check that partitions are in correct order and don't overlap
+    for i in range(len(present_partitions) - 1):
+        _, curr_addr, curr_size, curr_name = present_partitions[i]
+        _, next_addr, _________, next_name = present_partitions[i + 1]
+
+        # Check order - partitions should be in ascending address order
+        if curr_addr >= next_addr:
+            raise ScriptError(
+                f"Partition {curr_name} (starts at {curr_addr}) must come before "
+                f"{next_name} (starts at {next_addr})"
+            )
+
+        # Check for overlap
+        curr_end = curr_addr + curr_size
+        if curr_end > next_addr:
+            raise ScriptError(
+                f"Partition {curr_name} (ends at {curr_end}) overlaps with "
+                f"{next_name} (starts at {next_addr})"
+            )
+
+        # Check for gaps (should be no gaps between consecutive partitions)
+        if curr_end < next_addr:
+            gap = next_addr - curr_end
+            raise ScriptError(
+                f"Gap of {gap} bytes between {curr_name} (ends at {curr_end}) and "
+                f"{next_name} (starts at {next_addr})"
+            )
+
+
 def main() -> None:
     parser = argparse.ArgumentParser(
         allow_abbrev=False,
@@ -255,6 +347,65 @@ def main() -> None:
         type=lambda s: int(s, 0),
         help="Absolute flash address of the UICR region (decimal or 0x-prefixed hex)",
     )
+    parser.add_argument(
+        "--securestorage",
+        action="store_true",
+        help="Enable secure storage support in UICR",
+    )
+    parser.add_argument(
+        "--securestorage-address",
+        default=None,
+        type=lambda s: int(s, 0),
+        help="Absolute flash address of the secure storage partition (decimal or 0x-prefixed hex)",
+    )
+    parser.add_argument(
+        "--cpuapp-crypto-address",
+        default=0,
+        type=lambda s: int(s, 0),
+        help="Absolute flash address of cpuapp_crypto_partition (decimal or 0x-prefixed hex)",
+    )
+    parser.add_argument(
+        "--cpuapp-crypto-size",
+        default=0,
+        type=lambda s: int(s, 0),
+        help="Size in bytes of cpuapp_crypto_partition (decimal or 0x-prefixed hex)",
+    )
+    parser.add_argument(
+        "--cpurad-crypto-address",
+        default=0,
+        type=lambda s: int(s, 0),
+        help="Absolute flash address of cpurad_crypto_partition (decimal or 0x-prefixed hex)",
+    )
+    parser.add_argument(
+        "--cpurad-crypto-size",
+        default=0,
+        type=lambda s: int(s, 0),
+        help="Size in bytes of cpurad_crypto_partition (decimal or 0x-prefixed hex)",
+    )
+    parser.add_argument(
+        "--cpuapp-its-address",
+        default=0,
+        type=lambda s: int(s, 0),
+        help="Absolute flash address of cpuapp_its_partition (decimal or 0x-prefixed hex)",
+    )
+    parser.add_argument(
+        "--cpuapp-its-size",
+        default=0,
+        type=lambda s: int(s, 0),
+        help="Size in bytes of cpuapp_its_partition (decimal or 0x-prefixed hex)",
+    )
+    parser.add_argument(
+        "--cpurad-its-address",
+        default=0,
+        type=lambda s: int(s, 0),
+        help="Absolute flash address of cpurad_its_partition (decimal or 0x-prefixed hex)",
+    )
+    parser.add_argument(
+        "--cpurad-its-size",
+        default=0,
+        type=lambda s: int(s, 0),
+        help="Size in bytes of cpurad_its_partition (decimal or 0x-prefixed hex)",
+    )
     parser.add_argument(
         "--secondary",
         action="store_true",
@@ -327,12 +478,43 @@ def main() -> None:
                     "--out-secondary-periphconf-hex is used"
                 )
 
+        # Validate secure storage argument dependencies
+        if args.securestorage:
+            if args.securestorage_address is None:
+                raise ScriptError(
+                    "--securestorage-address is required when --securestorage is used"
+                )
+
+            # Validate partition layout
+            validate_secure_storage_partitions(
+                args.securestorage_address,
+                args.cpuapp_crypto_address,
+                args.cpuapp_crypto_size,
+                args.cpurad_crypto_address,
+                args.cpurad_crypto_size,
+                args.cpuapp_its_address,
+                args.cpuapp_its_size,
+                args.cpurad_its_address,
+                args.cpurad_its_size,
+            )
+
         init_values = DISABLED_VALUE.to_bytes(4, "little") * (c.sizeof(Uicr) // 4)
         uicr = Uicr.from_buffer_copy(init_values)
 
         uicr.VERSION.MAJOR = UICR_FORMAT_VERSION_MAJOR
         uicr.VERSION.MINOR = UICR_FORMAT_VERSION_MINOR
 
+        # Handle secure storage configuration
+        if args.securestorage:
+            uicr.SECURESTORAGE.ENABLE = ENABLED_VALUE
+            uicr.SECURESTORAGE.ADDRESS = args.securestorage_address
+
+            # Set partition sizes in 1KB units
+            uicr.SECURESTORAGE.CRYPTO.APPLICATIONSIZE1KB = args.cpuapp_crypto_size // 1024
+            uicr.SECURESTORAGE.CRYPTO.RADIOCORESIZE1KB = args.cpurad_crypto_size // 1024
+            uicr.SECURESTORAGE.ITS.APPLICATIONSIZE1KB = args.cpuapp_its_size // 1024
+            uicr.SECURESTORAGE.ITS.RADIOCORESIZE1KB = args.cpurad_its_size // 1024
+
         # Process periphconf data first and configure UICR completely before creating hex objects
         periphconf_hex = IntelHex()
         secondary_periphconf_hex = IntelHex()

soc/nordic/common/uicr/gen_uicr/CMakeLists.txt

@@ -32,16 +32,22 @@ endfunction()
 
 # Function to compute partition absolute address and size from devicetree
 function(compute_partition_address_and_size partition_nodelabel output_address_var output_size_var)
-  dt_nodelabel(partition_path NODELABEL ${partition_nodelabel} REQUIRED)
-  dt_reg_addr(partition_offset PATH ${partition_path} REQUIRED)
-  dt_reg_size(partition_size PATH ${partition_path} REQUIRED)
-
-  # Calculate absolute partition address
-  math(EXPR partition_address "${CONFIG_FLASH_BASE_ADDRESS} + ${partition_offset}" OUTPUT_FORMAT HEXADECIMAL)
-
-  # Set output variables in parent scope
-  set(${output_address_var} ${partition_address} PARENT_SCOPE)
-  set(${output_size_var} ${partition_size} PARENT_SCOPE)
+  dt_nodelabel(partition_path NODELABEL ${partition_nodelabel} QUIET)
+  if(partition_path)
+    dt_reg_addr(partition_offset PATH ${partition_path} REQUIRED)
+    dt_reg_size(partition_size PATH ${partition_path} REQUIRED)
+
+    # Calculate absolute partition address
+    math(EXPR partition_address "${CONFIG_FLASH_BASE_ADDRESS} + ${partition_offset}" OUTPUT_FORMAT HEXADECIMAL)
+
+    # Set output variables in parent scope
+    set(${output_address_var} ${partition_address} PARENT_SCOPE)
+    set(${output_size_var} ${partition_size} PARENT_SCOPE)
+  else()
+    # Partition not found - set to zero
+    set(${output_address_var} 0 PARENT_SCOPE)
+    set(${output_size_var} 0 PARENT_SCOPE)
+  endif()
 endfunction()
 
 # Use CMAKE_VERBOSE_MAKEFILE to silence an unused-variable warning.
@@ -60,6 +66,31 @@ set(secondary_periphconf_hex_file ${APPLICATION_BINARY_DIR}/zephyr/secondary_per
 dt_nodelabel(uicr_path NODELABEL "uicr" REQUIRED)
 dt_reg_addr(UICR_ADDRESS PATH ${uicr_path} REQUIRED)
 
+# Handle secure storage configuration
+set(securestorage_args)
+if(CONFIG_GEN_UICR_SECURESTORAGE)
+  list(APPEND securestorage_args --securestorage)
+
+  # Extract secure storage partition information
+  compute_partition_address_and_size("secure_storage_partition" SECURE_STORAGE_ADDRESS SECURE_STORAGE_SIZE)
+  list(APPEND securestorage_args --securestorage-address ${SECURE_STORAGE_ADDRESS})
+
+  # Extract individual partition information for validation
+  compute_partition_address_and_size("cpuapp_crypto_partition" CPUAPP_CRYPTO_ADDRESS CPUAPP_CRYPTO_SIZE)
+  compute_partition_address_and_size("cpurad_crypto_partition" CPURAD_CRYPTO_ADDRESS CPURAD_CRYPTO_SIZE)
+  compute_partition_address_and_size("cpuapp_its_partition" CPUAPP_ITS_ADDRESS CPUAPP_ITS_SIZE)
+  compute_partition_address_and_size("cpurad_its_partition" CPURAD_ITS_ADDRESS CPURAD_ITS_SIZE)
+
+  list(APPEND securestorage_args --cpuapp-crypto-address ${CPUAPP_CRYPTO_ADDRESS})
+  list(APPEND securestorage_args --cpuapp-crypto-size ${CPUAPP_CRYPTO_SIZE})
+  list(APPEND securestorage_args --cpurad-crypto-address ${CPURAD_CRYPTO_ADDRESS})
+  list(APPEND securestorage_args --cpurad-crypto-size ${CPURAD_CRYPTO_SIZE})
+  list(APPEND securestorage_args --cpuapp-its-address ${CPUAPP_ITS_ADDRESS})
+  list(APPEND securestorage_args --cpuapp-its-size ${CPUAPP_ITS_SIZE})
+  list(APPEND securestorage_args --cpurad-its-address ${CPURAD_ITS_ADDRESS})
+  list(APPEND securestorage_args --cpurad-its-size ${CPURAD_ITS_SIZE})
+endif(CONFIG_GEN_UICR_SECURESTORAGE)
+
 if(CONFIG_GEN_UICR_GENERATE_PERIPHCONF)
   # gen_uicr.py parses all zephyr.elf files. To find these files (which
   # have not been built yet) we scan sibling build directories for
@@ -134,6 +165,7 @@ add_custom_command(
           --out-merged-hex ${merged_hex_file}
           --out-uicr-hex ${uicr_hex_file}
           ${periphconf_args}
+          ${securestorage_args}
           ${secondary_args}
   DEPENDS ${periphconf_elfs} ${secondary_periphconf_elfs}
   WORKING_DIRECTORY ${APPLICATION_BINARY_DIR}

soc/nordic/common/uicr/gen_uicr/Kconfig

@@ -21,6 +21,23 @@ config GEN_UICR_SECONDARY_GENERATE_PERIPHCONF
 	  When enabled, the UICR generator will populate the
 	  secondary_periphconf_partition partition.
 
+config GEN_UICR_SECURESTORAGE
+	bool "Enable UICR.SECURESTORAGE"
+	default y
+	depends on $(dt_nodelabel_enabled,secure_storage_partition)
+	help
+	  When enabled, the UICR generator will configure the
+	  secure storage region based on device tree partitions.
+
+	  The following device tree partitions are used in order:
+	  - cpuapp_crypto_partition: Application processor crypto storage
+	  - cpurad_crypto_partition: Radio core crypto storage
+	  - cpuapp_its_partition: Application processor internal trusted storage
+	  - cpurad_its_partition: Radio core internal trusted storage
+
+	  All partitions must be multiples of 1KB and laid out contiguously
+	  without gaps. Missing partitions are handled gracefully with zero size.
+
 endmenu
 
 source "Kconfig.zephyr"