modules: trusted-fimware-m: Add memory configuration logs

The only way to extract the actual information about
memory regions configured as non-secure is by debugging
the code.

This commit adds debug functions for printing SAU and
MPC configuration of nRF54L devices.

It also modifies the existing code printing configuration
for MPU and SPU, aligning its implementation with SAU/MPC.

A new KConfig option to activate this functionality
has also been added.

Ref: NCSDK-38986

Signed-off-by: Anton Zyma <anton.zyma@nordicsemi.no>

Author: AntonZma

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

@@ -145,6 +145,7 @@ Security
 * Added:
 
   * Support for the X25519 key pair storage in the :ref:`Key Management Unit (KMU) <ug_kmu_guides_supported_key_types>`.
+  * The :kconfig:option:`CONFIG_TFM_LOG_NS_MEMORY_LAYOUT` to print the configuration of SAU and MPC during TF-M initialization of the nRF54L15 devices.
 
 * Updated:
 

modules/trusted-firmware-m/CMakeLists.txt

@@ -80,6 +80,7 @@ set_property(TARGET zephyr_property_target
   -DPROJECT_CONFIG_HEADER_FILE=${CMAKE_CURRENT_BINARY_DIR}/tfm_config.h
   -DTFM_EXTRA_CONFIG_PATH="${CMAKE_CURRENT_BINARY_DIR}/config_extra.cmake"
   -DPS_ROLLBACK_PROTECTION=${CONFIG_TFM_PS_ROLLBACK_PROTECTION}
+  $<$<BOOL:${CONFIG_TFM_LOG_NS_MEMORY_LAYOUT}>:-DNRF_LOG_MEMORY_PROTECTION_SAU_MPC=ON>
   $<$<BOOL:${CONFIG_TFM_HW_INIT_RESET_ON_BOOT}>:-DNRF_HW_INIT_RESET_ON_BOOT=ON>
   $<$<BOOL:${CONFIG_TFM_ALLOW_NON_SECURE_RESET}>:-DNRF_ALLOW_NON_SECURE_RESET=ON>
   $<$<BOOL:${CONFIG_TFM_SECURE_UART0}>:-DNRF_SECURE_UART_INSTANCE=0>

modules/trusted-firmware-m/Kconfig

@@ -369,6 +369,17 @@ config TFM_NFCT_PINS_AS_GPIOS
 	  TF-M configures these pins as GPIOS when the NFCT peripheral is not
 	  enabled in the device-tree of the target.
 
+config TFM_LOG_NS_MEMORY_LAYOUT
+	bool "Activate debug logs to print non-secure memory layout"
+	depends on !TFM_LOG_LEVEL_SILENCE
+	depends on SOC_SERIES_NRF54L
+	help
+	  This option activates logic to print the configuration of SAU and MPC
+	  during TF-M initialization. It contains address ranges of the non-secure
+	  memory regions (both volatile and non-volatile). The rest of the memory
+	  is secure by default.
+	  This option is currently available for all nRF54L devices.
+
 config TFM_SECURE_UART
 	bool "TF-M configure UART instance as secure peripheral"
 	default y if !TFM_LOG_LEVEL_SILENCE

modules/trusted-firmware-m/tfm_boards/CMakeLists.txt

@@ -136,6 +136,16 @@ if(${TFM_PARTITION_CRYPTO})
   target_link_libraries(platform_s PRIVATE tfm_psa_rot_partition_crypto)
 endif()
 
+if(NRF_LOG_MEMORY_PROTECTION_SAU_MPC)
+  target_compile_definitions(platform_s PUBLIC NRF_LOG_MEMORY_PROTECTION_SAU_MPC)
+  target_sources(platform_s PRIVATE src/log_memory_protection_sau_mpc.c)
+endif()
+
+if(NRF_LOG_MEMORY_PROTECTION_MPU_SPU)
+  target_compile_definitions(platform_s PUBLIC NRF_LOG_MEMORY_PROTECTION_MPU_SPU)
+  target_sources(platform_s PRIVATE src/log_memory_protection_mpu_spu.c)
+endif()
+
 if(NRF_ALLOW_NON_SECURE_RESET)
   target_compile_definitions(platform_s PUBLIC NRF_ALLOW_NON_SECURE_RESET)
 endif()
@@ -205,10 +215,6 @@ if(TFM_PARTITION_PLATFORM)
   )
 endif()
 
-if(LOG_MEMORY_PROTECTION)
-  target_sources(platform_s PRIVATE src/log_memory_protection.c)
-endif()
-
 if(PSA_CRYPTO_EXTERNAL_CORE)
   include(${TFM_BOARDS_NRF_DIR}/external_core.cmake)
 endif()

modules/trusted-firmware-m/tfm_boards/common/tfm_hal_platform.c

@@ -29,6 +29,10 @@
 #include "exception_info.h"
 #include "tfm_arch.h"
 
+#if defined(NRF_LOG_MEMORY_PROTECTION_SAU_MPC)
+#include <log_memory_protection.h>
+#endif /* NRF_LOG_MEMORY_PROTECTION_SAU_MPC */
+
 #if defined(TFM_PARTITION_CRYPTO)
 static enum tfm_hal_status_t crypto_platform_init(void)
 {
@@ -155,5 +159,9 @@ enum tfm_hal_status_t tfm_hal_platform_init(void)
 
 	log_pin_security_configuration();
 
+#if defined(NRF_LOG_MEMORY_PROTECTION_SAU_MPC)
+	log_memory_protection_sau_mpc();
+#endif /* NRF_LOG_MEMORY_PROTECTION_SAU_MPC */
+
 	return TFM_HAL_SUCCESS;
 }

modules/trusted-firmware-m/tfm_boards/include/log_memory_protection.h

@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2026 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef __LOG_MEMORY_PROTECTION_H
+#define __LOG_MEMORY_PROTECTION_H
+
+void log_memory_protection_of_mpu(void);
+void log_memory_protection_of_spu_nsc(void);
+void log_memory_protection_of_spu_flash(void);
+void log_memory_protection_of_spu_ram(void);
+void log_memory_protection_of_spu(void);
+void log_memory_protection_mpu_spu(void);
+
+void log_memory_protection_sau_mpc(void);
+
+#endif /* __LOG_MEMORY_PROTECTION_H */

…m/tfm_boards/src/log_memory_protection.c …ards/src/log_memory_protection_mpu_spu.cmodules/trusted-firmware-m/tfm_boards/src/log_memory_protection.c renamed to modules/trusted-firmware-m/tfm_boards/src/log_memory_protection_mpu_spu.c modules/trusted-firmware-m/tfm_boards/src/log_memory_protection.c renamed to modules/trusted-firmware-m/tfm_boards/src/log_memory_protection_mpu_spu.c

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
  */
 
+#include <log_memory_protection.h>
 #include <cmsis.h>
 #include <tfm_spm_log.h>
 #include <mpu_armv8m_drv.h>
@@ -98,7 +99,7 @@ void log_memory_protection_of_spu(void)
 	log_memory_protection_of_spu_ram();
 }
 
-void log_memory_protection(void)
+void log_memory_protection_mpu_spu(void)
 {
 	log_memory_protection_of_mpu();
 	log_memory_protection_of_spu();

modules/trusted-firmware-m/tfm_boards/src/log_memory_protection_sau_mpc.c

@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2026 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <log_memory_protection.h>
+#include <cmsis.h>
+#include <hal/nrf_mpc.h>
+#include <tfm_spm_log.h>
+
+static void log_memory_protection_sau(void)
+{
+	uint32_t sau_regions_count = SAU->TYPE;
+	uint32_t limit_address;
+
+	SPMLOG_INFMSG("SAU config:\r\n");
+	for (uint32_t i = 0; i < sau_regions_count; i++) {
+		SAU->RNR = i;
+
+		limit_address = SAU->RLAR;
+		if (limit_address & SAU_RLAR_ENABLE_Msk) {
+			if (limit_address & SAU_RLAR_NSC_Msk) {
+				SPMLOG_INFMSG("NCS region\r\n");
+			} else {
+				SPMLOG_INFMSG("NS region\r\n");
+			}
+			limit_address &= ~(SAU_RLAR_ENABLE_Msk | SAU_RLAR_NSC_Msk);
+
+			SPMLOG_INFMSGVAL("   Base addr : ", SAU->RBAR);
+			SPMLOG_INFMSGVAL("   Limit addr: ", limit_address);
+		}
+	}
+}
+
+static void log_memory_protection_mpc(void)
+{
+	/* On 54l the NRF_MPC00->REGION[]'s are fixed in HW and the
+	 * OVERRIDE indexes (that are useful to us) start at 0 and end
+	 * (inclusive) at 4.
+	 */
+	const uint32_t max_index = 4;
+	uint32_t address;
+	nrf_mpc_override_config_t config;
+
+	SPMLOG_INFMSG("MPC config:\r\n");
+	for (uint32_t i = 0; i <= max_index; i++) {
+		config = nrf_mpc_override_config_get(NRF_MPC00, i);
+		if (config.enable) {
+			SPMLOG_INFMSG("NS region\r\n");
+			address = nrf_mpc_override_startaddr_get(NRF_MPC00, i);
+			SPMLOG_INFMSGVAL("   Base addr: ", address);
+
+			address = nrf_mpc_override_endaddr_get(NRF_MPC00, i);
+			SPMLOG_INFMSGVAL("   End addr : ", address);
+		}
+	}
+}
+
+void log_memory_protection_sau_mpc(void)
+{
+	SPMLOG_INFMSG("** NS memory layout config start **\r\n");
+	log_memory_protection_sau();
+	log_memory_protection_mpc();
+	SPMLOG_INFMSG("** NS memory layout config end **\r\n");
+}