sysbuild: image_signing: set ih_load_addr from slot0 partition

The MCUboot CHECK_HEADER_LOAD_ADDRESS feature
(CONFIG_MCUBOOT_CHECK_HEADER_LOAD_ADDRESS) verifies that an
image in the secondary slot is intended for the primary slot
by comparing the ih_load_addr field in the image header
against the primary slot boundaries. The NCS sysbuild signing
script did not pass --load-addr or --rom-fixed to imgtool for
the OVERWRITE_ONLY and default swap branches, leaving
ih_load_addr at zero in the signed application image. This
caused MCUboot to reject every legitimate application update
because zero falls outside the primary slot's address range.

Updated nrf/cmake/sysbuild/image_signing.cmake to read the
absolute slot0_partition address with dt_partition_addr
ABSOLUTE and pass it as --rom-fixed to imgtool for both the
OVERWRITE_ONLY and default swap branches. The ROM_FIXED flag
follows the pattern already used by the cpunet image signing
in nrf/cmake/sysbuild/b0_mcuboot_signing.cmake.

Added SB_CONFIG_SOC_SERIES_NRF53 to the list of platforms in
nrf/sysbuild/CMakeLists.txt that route through the NCS
sysbuild signing script instead of the upstream
zephyr/cmake/mcuboot.cmake. This makes non-PM nRF53 builds
(such as the Fast Pair Locator Tag sample migrated to DTS)
pick up the ih_load_addr fix. The change mirrors the existing
treatment of SB_CONFIG_SOC_SERIES_NRF54L and
SB_CONFIG_SOC_SERIES_NRF54H.

Verified on the nRF5340 DK Fast Pair Locator Tag sample
(nrf5340dk/nrf5340/cpuapp): the signed application image now
reports ih_load_addr = 0xc000 and flags = ROM_FIXED, matching
the slot0_partition definition in DTS. The cpunet image
signing remains unchanged (ih_load_addr = 0x01002800,
flags = ROM_FIXED).

The equivalent fix is needed in upstream Zephyr
(zephyr/cmake/mcuboot.cmake) for users that do not route
through the NCS sysbuild signing script.

Ref: NCSDK-38010

Signed-off-by: Kamil Piszczek <Kamil.Piszczek@nordicsemi.no>

Author: kapi-no

cmake/sysbuild/image_signing.cmake

@@ -62,6 +62,10 @@ function(zephyr_mcuboot_tasks)
   dt_chosen(flash_node PROPERTY "zephyr,flash")
   dt_nodelabel(slot0_flash NODELABEL "slot0_partition" REQUIRED)
   dt_reg_size(slot_size PATH "${slot0_flash}" REQUIRED)
+  # Absolute slot0 address is used to set ih_load_addr in the image header so
+  # that the MCUBOOT_CHECK_HEADER_LOAD_ADDRESS feature can verify the
+  # secondary-slot image is intended for the primary slot.
+  dt_partition_addr(slot0_partition_address PATH "${slot0_flash}" REQUIRED ABSOLUTE)
   dt_prop(write_block_size PATH "${flash_node}" PROPERTY "write-block-size")
 
   if(NOT write_block_size)
@@ -90,7 +94,7 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_rom_command)
     if(CONFIG_MCUBOOT_IMGTOOL_OVERWRITE_ONLY)
       # Use overwrite-only instead of swap upgrades.
-      set(imgtool_rom_command --overwrite-only --align 1)
+      set(imgtool_rom_command --overwrite-only --align 1 --rom-fixed ${slot0_partition_address})
     elseif(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD OR
            CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT)
       # RAM load requires setting the location of where to load the image to
@@ -124,7 +128,7 @@ function(zephyr_mcuboot_tasks)
       dt_reg_size(slot_size PATH "${code_partition}" REQUIRED)
       set(imgtool_rom_command --rom-fixed ${code_partition_offset} --align ${write_block_size})
     else()
-      set(imgtool_rom_command --align ${write_block_size})
+      set(imgtool_rom_command --align ${write_block_size} --rom-fixed ${slot0_partition_address})
     endif()
 
     # TF-M combined images need --pad-header because the MCUboot header gap is

sysbuild/CMakeLists.txt

@@ -472,6 +472,7 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
        OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT
        OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
        # Do not use the upstream mcuboot.cmake on new platforms.
+       OR SB_CONFIG_SOC_SERIES_NRF53
        OR SB_CONFIG_SOC_SERIES_NRF54L
        OR SB_CONFIG_SOC_SERIES_NRF54H OR SB_CONFIG_QSPI_XIP_SPLIT_IMAGE
        # TF-M NS builds require signing tfm_merged.hex, not zephyr.hex.