[nrf noup] boot/zephyr: check for FPROTECT capability

nvlsianpu · nvlsianpu · commit e2f37c619715 · 2025-10-17T13:11:56.000+02:00
Added run-time check for checking area setup to be
protected meets device capability.

Signed-off-by: Andrzej Puzdrowski &lt;andrzej.puzdrowski@nordicsemi.no&gt;
diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c
@@ -150,10 +150,7 @@ K_SEM_DEFINE(boot_log_sem, 1, 1);
         * !defined(CONFIG_LOG_MODE_MINIMAL)
 	*/
 
-#if USE_PARTITION_MANAGER && CONFIG_FPROTECT
-#include <fprotect.h>
-#include <pm_config.h>
-#endif
+#include "nrf_protect.h"
 
 #if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL
 #include <nrf_cleanup.h>
@@ -848,16 +845,6 @@ int main(void)
 
 #if USE_PARTITION_MANAGER && CONFIG_FPROTECT
 
-#ifdef PM_S1_ADDRESS
-/* MCUBoot is stored in either S0 or S1, protect both */
-#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_S0_ADDRESS)
-#define PROTECT_ADDR PM_S0_ADDRESS
-#else
-/* There is only one instance of MCUBoot */
-#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_MCUBOOT_ADDRESS)
-#define PROTECT_ADDR PM_MCUBOOT_ADDRESS
-#endif
-
     rc = fprotect_area(PROTECT_ADDR, PROTECT_SIZE);
 
     if (rc != 0) {
diff --git a/boot/zephyr/nrf_protect.h b/boot/zephyr/nrf_protect.h
@@ -0,0 +1,42 @@
+/* Copyright (c) 5020 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef NRF_PROTECT_H__
+#define NRF_PROTECT_H__
+
+#if USE_PARTITION_MANAGER && CONFIG_FPROTECT
+
+#include <pm_config.h>
+#include <fprotect.h>
+
+#ifdef PM_S1_ADDRESS
+/* MCUBoot is stored in either S0 or S1, protect both */
+#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_S0_ADDRESS)
+#define PROTECT_ADDR PM_S0_ADDRESS
+#else
+/* There is only one instance of MCUBoot */
+#define PROTECT_SIZE (PM_MCUBOOT_PRIMARY_ADDRESS - PM_MCUBOOT_ADDRESS)
+#define PROTECT_ADDR PM_MCUBOOT_ADDRESS
+#endif
+
+#ifdef CONFIG_SOC_SERIES_NRF54LX
+#if defined(CONFIG_FPROTECT_ALLOW_COMBINED_REGIONS)
+#define REGION_SIZE_MAX (62 *1024)
+#if (PROTECT_ADDR != 0)
+#error "FPROTECT with combined regions can only be used to protect from address 0"
+#endif
+#else
+#define REGION_SIZE_MAX (31 *1024)
+#endif
+
+#if (PROTECT_SIZE > REGION_SIZE_MAX)
+#error "FPROTECT size too large"
+#endif
+
+#endif /* CONFIG_SOC_SERIES_NRF54LX */
+
+#endif /* USE_PARTITION_MANAGER && CONFIG_FPROTECT */
+
+#endif /* NRF_PROTECT_H__ */
