samples: Add split slot A/B sample

Add a variant of the A/B sample that presents how to perform A/B updates
in a system, where application and radio images uses separate images and
slots.

Ref: NCSDK-35733

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

CODEOWNERS

@@ -498,6 +498,7 @@
 /samples/dect/dect_phy/dect_shell/        @nrfconnect/ncs-modem-tre
 /samples/dect/dect_phy/hello_dect/        @nrfconnect/ncs-modem
 /samples/dfu/ab/                          @nrfconnect/ncs-eris
+/samples/dfu/ab_split/                    @nrfconnect/ncs-eris
 /samples/dfu/dfu_target/                  @nrfconnect/ncs-eris
 /samples/dfu/dfu_multi_image/             @nrfconnect/ncs-eris
 /samples/dfu/fw_loader/                   @nrfconnect/ncs-eris

samples/dfu/ab_split/CMakeLists.txt

@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+cmake_minimum_required(VERSION 3.20.0)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(ab_split)
+
+target_sources(app PRIVATE
+  src/main.c
+  src/ab_utils.c
+)
+
+target_include_directories(app PRIVATE
+  ${ZEPHYR_MCUBOOT_MODULE_DIR}/boot/bootutil/include
+  ${ZEPHYR_MCUBOOT_MODULE_DIR}/boot/zephyr/include
+  ${ZEPHYR_BASE}/samples/subsys/mgmt/mcumgr/smp_svr/src
+)
+
+target_sources_ifdef(CONFIG_MCUMGR_TRANSPORT_BT app PRIVATE
+  ${ZEPHYR_BASE}/samples/subsys/mgmt/mcumgr/smp_svr/src/bluetooth.c
+)

samples/dfu/ab_split/Kconfig

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+config N_BLINKS
+	int "Number of fast blinks"
+	default 1
+
+config EMULATE_APP_HEALTH_CHECK_FAILURE
+	bool "Blocks confirmation of being healthy after the update"
+
+source "Kconfig.zephyr"

samples/dfu/ab_split/README.rst

@@ -0,0 +1,203 @@
+.. _ab_split_sample:
+
+A/B with MCUboot and separated slots
+####################################
+
+.. contents::
+   :local:
+   :depth: 2
+
+The A/B with MCUboot and separated slots sample demonstrates how to configure the application for updates using the A/B method using MCUboot.
+This sample is a variant of the :ref:`A/B sample <ab_sample>`, where the application and radio images are not merged, but reside in separate MCUboot slots.
+This split increases the number of memory areas that must be individually protected from accidental writes.
+It also requires additional care when preparing updates to ensure that only a compatible set of slots is booted.
+The additional dependency check during the boot process increases the time to boot the system.
+
+It also includes an example to perform a device health check before confirming the image after the update.
+You can update the sample using the Simple Management Protocol (SMP) with UART or Bluetooth® Low Energy.
+
+To prevent the build system from merging slots, the sysbuild :kconfig:option:`SB_CONFIG_MCUBOOT_SIGN_MERGED_BINARY` option is disabled.
+To enable manifest-based dependency management, the :kconfig:option:`SB_CONFIG_MCUBOOT_MANIFEST_UPDATES=y` option is enabled in the :file:`sysbuild.conf` file.
+
+Requirements
+************
+
+The sample supports the following development kits:
+
+.. table-from-sample-yaml::
+
+You need the nRF Device Manager app for update over Bluetooth® Low Energy:
+
+* `nRF Device Manager mobile app for Android`_
+* `nRF Device Manager mobile app for iOS`_
+
+
+Overview
+********
+
+This sample demonstrates a firmware update using the A/B method.
+This method allows you to store two copies of the application in non-volatile memory (NVM).
+You can switch between these copies without performing a swap.
+This solution significantly reduces the time during the update in which the device is unavailable.
+The switch between images can be triggered by the application or, for example, by a hardware button.
+
+This sample implements an SMP server.
+SMP is a basic transfer encoding used with the MCUmgr management protocol.
+For more information about MCUmgr and SMP, see :ref:`device_mgmt`.
+
+The sample supports the following MCUmgr transports by default:
+
+* Bluetooth
+* Serial (UART)
+
+A/B functionality
+=================
+
+When you use the A/B configuration with separated slots, the device provides two slots for each set of application and radio firmware: slot A and slot B.
+The slots are equivalent, and the device can boot from either of them.
+With MCUboot, this is achieved by using the Direct XIP feature.
+By design, slot A of the application image boots slot A of the radio image.
+This design implies that verifying the image pairs correctly requires a manifest-based dependency.
+There can be only one image that includes the manifest TLV.
+Its index is configured using :kconfig:option:`SB_CONFIG_MCUBOOT_MANIFEST_IMAGE_INDEX`.
+By default, the application image index (``0``) is selected.
+
+In this document, the following conventions are followed:
+
+* The application image index (``0``) is referred to as the *manifest image*.
+* The following names refer to the same images and are used interchangeably throughout the documentation:
+
+  * *Slot 0*, *primary slot*, and *slot A*
+  * *Slot 1*, *secondary slot*, and *slot B*
+
+This configuration allows a background update of the non-active slot while the application runs from the active slot.
+After the update is complete, the device can quickly switch to the updated slot on the next reboot.
+
+The following conditions decide which slot is considered *active* and is booted on the next reboot:
+
+1. If one of the slots of the manifest image contains a valid image, it is marked as valid only if all other images, described by the manifest are present and placed in the same slot as the manifest.
+#. If one of the slots of the manifest image is not valid, the other slot is selected as active.
+#. If both slots of the manifest image are valid, the slot marked as "preferred" is selected as active.
+#. If both slots of the manifest image are valid and none is marked as *preferred*, the slot with the higher version number is selected as active.
+#. If none of the above conditions is met, slot A is selected as active.
+#. For all other images, the same slot is selected.
+
+You can set the preferred slot using the ``boot_request_set_preferred_slot`` function.
+Currently, this only sets the boot preference for a single reboot.
+
+Identifying the active slot
+---------------------------
+
+If the project uses the Partition Manager, the currently running slot can be identified by checking if ``CONFIG_NCS_IS_VARIANT_IMAGE`` is defined.
+If it is defined, the application is running from slot B.
+Otherwise, it is running from slot A.
+
+If the project does not use the Partition Manager (a configuration currently supported only on the nRF54H20 SoC), you can identify the currently running slot by comparing the address referenced by ``zephyr,code-partition`` with the specific node addresses defined in the devicetree.
+The following node partitions are used by default:
+
+* ``cpuapp_slot0_partition`` - Application core, slot A
+* ``cpuapp_slot1_partition`` - Application core, slot B
+* ``cpurad_slot0_partition`` - Radio core, slot A
+* ``cpurad_slot1_partition`` - Radio core, slot B
+
+For example, verifying that the application is running from slot A can be done by using the following macro:
+
+.. code-block:: c
+
+    #define IS_RUNNING_FROM_SLOT_A \
+        (FIXED_PARTITION_NODE_OFFSET(DT_CHOSEN(zephyr_code_partition)) == \
+         FIXED_PARTITION_OFFSET(cpuapp_slot0_partition))
+
+.. _ab_split_build_files:
+
+Build files
+-----------
+
+This sample overrides the default build strategy, so application and radio images are built separately.
+In this case, you must send the following files to the device when performing an update:
+
+
+* :file:`build/mcuboot_secondary_app/zephyr/zephyr.signed.bin` - Contains the slot B of the application image.
+  Upload this file to the secondary slot when the device is running from slot A.
+* :file:`build/ipc_radio_secondary_app/zephyr/zephyr.signed.bin` - Contains the slot B of the radio image.
+  Upload this file to the secondary slot when the device is running from slot A.
+* :file:`build/ab/zephyr/zephyr.signed.bin` - Contains the slot A of the application image.
+  Upload this file to the primary slot when the device is running from slot B.
+* :file:`build/ipc_radio/zephyr/zephyr.signed.bin` - Contains the slot A of the radio image.
+  Upload this file to the primary slot when the device is running from slot B.
+
+User interface
+**************
+
+LED 0:
+    This LED indicates that the application is running from slot A.
+    It is controlled as active low.
+    This means that it turns on once the application is booted and turns off in short intervals to blinks.
+    The number of short blinks is configurable using the :kconfig:option:`CONFIG_N_BLINKS` Kconfig option.
+    It remains off when the application is running from slot B.
+
+LED 1:
+    This LED indicates that the application is running from slot B.
+    It is controlled as active low.
+    This means that it turns on once the application is booted and turns off at short intervals to blinks.
+    The number of short blinks is configurable using the :kconfig:option:`CONFIG_N_BLINKS` Kconfig option.
+    It remains off when the application is running from slot A.
+
+Button 0:
+    By pressing this button, you select the non-active slot as the preferred slot for the next reboot.
+    This preference applies only to the next boot and is cleared after the subsequent reset.
+
+Configuration
+*************
+
+|config|
+
+Configuration options
+=====================
+
+Check and configure the following configuration options for the sample:
+
+.. _CONFIG_N_BLINKS_ABSPLIT:
+
+CONFIG_N_BLINKS - The number of blinks.
+   This configuration option sets the number of times the LED corresponding to the currently active slot blinks (LED0 for slot A, LED1 for slot B).
+   The default value of the option is set to ``1``, causing a single blink to indicate *Version 1*.
+   You can increment this value to represent an update, such as set it to ``2`` to indicate *Version 2*.
+
+.. _CONFIG_EMULATE_APP_HEALTH_CHECK_FAILURE_AB_SPLIT:
+
+CONFIG_EMULATE_APP_HEALTH_CHECK_FAILURE - Enables emulation of a broken application that fails the self-test.
+   This configuration option emulates a broken application that does not pass the self-test.
+
+Additional configuration
+========================
+
+Check and configure the :kconfig:option:`CONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION` Kconfig option for the MCUboot library.
+This configuration option sets the version to pass to imgtool when signing.
+To ensure the updated build is preferred after a DFU, set this option to a higher version than the version currently running on the device.
+
+Building and running
+********************
+
+.. |sample path| replace:: :file:`samples/dfu/ab_split`
+
+.. include:: /includes/build_and_run.txt
+
+Testing
+=======
+
+To perform DFU using the `nRF Connect Device Manager`_ mobile app, complete the following steps:
+
+.. include:: /app_dev/device_guides/nrf52/fota_update.rst
+   :start-after: fota_upgrades_over_ble_nrfcdm_common_dfu_steps_start
+   :end-before: fota_upgrades_over_ble_nrfcdm_common_dfu_steps_end
+
+Instead of using the :file:`dfu_application.zip` file, you can also send the appropriate binary file directly, as described in :ref:`ab_split_build_files`.
+Make sure to select the correct file based on the currently running slot.
+
+Dependencies
+************
+
+This sample uses the following |NCS| library:
+
+* :ref:`MCUboot <mcuboot_index_ncs>`

samples/dfu/ab_split/boards/nrf54h20dk_nrf54h20_cpuapp.overlay

@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include "../sysbuild/nrf54h20dk_nrf54h20_memory_map.dtsi"
+
+/ {
+	chosen {
+		zephyr,boot-mode = &boot_request;
+	};
+};

samples/dfu/ab_split/prj.conf

@@ -0,0 +1,102 @@
+# Enable MCUmgr and dependencies.
+CONFIG_NET_BUF=y
+CONFIG_ZCBOR=y
+CONFIG_CRC=y
+CONFIG_MCUMGR=y
+CONFIG_STREAM_FLASH=y
+CONFIG_FLASH_MAP=y
+
+# Some command handlers require a large stack.
+CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2304
+CONFIG_MAIN_STACK_SIZE=2176
+
+# Ensure an MCUboot-compatible binary is generated.
+CONFIG_BOOTLOADER_MCUBOOT=y
+
+# Enable flash operations.
+CONFIG_FLASH=y
+
+# Required by the `taskstat` command.
+CONFIG_THREAD_MONITOR=y
+
+# Support for taskstat command
+CONFIG_MCUMGR_GRP_OS_TASKSTAT=y
+
+# Enable statistics and statistic names.
+CONFIG_STATS=y
+CONFIG_STATS_NAMES=y
+
+# Enable most core commands.
+CONFIG_FLASH=y
+CONFIG_IMG_MANAGER=y
+CONFIG_MCUMGR_GRP_IMG=y
+CONFIG_MCUMGR_GRP_IMG_NRF=y
+CONFIG_MCUMGR_GRP_OS=y
+CONFIG_MCUMGR_GRP_STAT=y
+
+# Enable logging
+CONFIG_LOG=y
+CONFIG_MCUBOOT_UTIL_LOG_LEVEL_WRN=y
+
+# Disable debug logging
+CONFIG_LOG_MAX_LEVEL=3
+
+# Enable boot requests through retained memory.
+CONFIG_RETAINED_MEM=y
+CONFIG_RETENTION=y
+CONFIG_NRF_MCUBOOT_BOOT_REQUEST=y
+
+CONFIG_RETENTION_BOOT_MODE=y
+CONFIG_MCUMGR_GRP_OS_RESET_BOOT_MODE=y
+
+# Enable DK LED/button library
+CONFIG_DK_LIBRARY=y
+
+# Configure bluetooth
+
+CONFIG_BT=y
+CONFIG_BT_PERIPHERAL=y
+
+# Allow for large Bluetooth data packets.
+CONFIG_BT_L2CAP_TX_MTU=498
+CONFIG_BT_BUF_ACL_RX_SIZE=502
+CONFIG_BT_BUF_ACL_TX_SIZE=502
+
+# Enable the Bluetooth mcumgr transport (unauthenticated).
+CONFIG_MCUMGR_TRANSPORT_BT=y
+CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
+
+# Enable the Shell mcumgr transport.
+CONFIG_BASE64=y
+CONFIG_CRC=y
+CONFIG_SHELL=y
+CONFIG_SHELL_BACKEND_SERIAL=y
+CONFIG_MCUMGR_TRANSPORT_SHELL=y
+
+# Enable the mcumgr Packet Reassembly feature over Bluetooth and its configuration dependencies.
+# MCUmgr buffer size is optimized to fit one SMP packet divided into five Bluetooth Write Commands,
+# transmitted with the maximum possible MTU value: 498 bytes.
+CONFIG_MCUMGR_TRANSPORT_BT_REASSEMBLY=y
+CONFIG_MCUMGR_TRANSPORT_NETBUF_SIZE=2475
+CONFIG_MCUMGR_GRP_OS_MCUMGR_PARAMS=y
+CONFIG_MCUMGR_TRANSPORT_WORKQUEUE_STACK_SIZE=4608
+
+# Enable the LittleFS file system.
+CONFIG_FILE_SYSTEM=y
+CONFIG_FILE_SYSTEM_LITTLEFS=y
+
+# Enable file system commands
+CONFIG_MCUMGR_GRP_FS=y
+
+# Enable the storage erase command.
+CONFIG_MCUMGR_GRP_ZBASIC=y
+CONFIG_MCUMGR_GRP_ZBASIC_STORAGE_ERASE=y
+
+# Disable Bluetooth ping support
+CONFIG_BT_CTLR_LE_PING=n
+
+# Disable shell commands that are not needed
+CONFIG_CLOCK_CONTROL_NRF_SHELL=n
+CONFIG_DEVICE_SHELL=n
+CONFIG_DEVMEM_SHELL=n
+CONFIG_FLASH_SHELL=n

samples/dfu/ab_split/sample.yaml

@@ -0,0 +1,18 @@
+sample:
+  description: AB update sample with separated slots
+  name: ab_split
+common:
+  sysbuild: true
+  build_only: true
+  tags:
+    - dfu_ab
+    - ci_samples_dfu
+
+tests:
+  sample.dfu.ab_split:
+    extra_configs:
+      - CONFIG_MCUMGR_GRP_IMG_ALLOW_CONFIRM_NON_ACTIVE_IMAGE_ANY=y
+    platform_allow:
+      - nrf54h20dk/nrf54h20/cpuapp
+    integration_platforms:
+      - nrf54h20dk/nrf54h20/cpuapp