nrfconnect · AntonZma · May 6, 2026 · tomi-font · Jun 2, 2026 · Vge0rge
@@ -117,7 +117,7 @@ Developing with custom boards
 Security
 ========
 
-|no_changes_yet_note|
+* Added the :kconfig:option:`CONFIG_TFM_LOG_NS_MEMORY_LAYOUT` Kconfig option, which prints the configuration of SAU and MPC during the initialization of TF-M on the nRF54L Series devices.
 
 Trusted Firmware-M (TF-M)
 -------------------------

@@ -80,6 +80,7 @@ set_property(TARGET zephyr_property_target
   -DPROJECT_CONFIG_HEADER_FILE=${CMAKE_CURRENT_BINARY_DIR}/tfm_config.h
   -DTFM_EXTRA_CONFIG_PATH="${CMAKE_CURRENT_BINARY_DIR}/config_extra.cmake"
   -DPS_ROLLBACK_PROTECTION=${CONFIG_TFM_PS_ROLLBACK_PROTECTION}
+  $<$<BOOL:${CONFIG_TFM_LOG_NS_MEMORY_LAYOUT}>:-DNRF_LOG_MEMORY_PROTECTION_SAU_MPC=ON>
   $<$<BOOL:${CONFIG_TFM_HW_INIT_RESET_ON_BOOT}>:-DNRF_HW_INIT_RESET_ON_BOOT=ON>
   $<$<BOOL:${CONFIG_TFM_ALLOW_NON_SECURE_RESET}>:-DNRF_ALLOW_NON_SECURE_RESET=ON>
   $<$<BOOL:${CONFIG_TFM_SECURE_UART0}>:-DNRF_SECURE_UART_INSTANCE=0>

@@ -370,6 +370,17 @@ config TFM_NFCT_PINS_AS_GPIOS
 	  TF-M configures these pins as GPIOS when the NFCT peripheral is not
 	  enabled in the device-tree of the target.
 
+config TFM_LOG_NS_MEMORY_LAYOUT
+	bool "Activate debug logs to print non-secure memory layout"
+	depends on !TFM_LOG_LEVEL_SILENCE
+	depends on SOC_SERIES_NRF54L
+	help
+	  This option activates the logic to print the configuration of SAU and MPC
+	  during the initialization of TF-M. The logic targets address ranges
+	  of the non-secure memory regions (both volatile and non-volatile).
+	  The rest of the memory is secure by default.
+	  This option is currently available for all nRF54L Series devices.
+
 config TFM_SECURE_UART
 	bool "TF-M configure UART instance as secure peripheral"
 	default y if !TFM_LOG_LEVEL_SILENCE

@@ -136,6 +136,16 @@ if(${TFM_PARTITION_CRYPTO})
   target_link_libraries(platform_s PRIVATE tfm_psa_rot_partition_crypto)
 endif()
 
+if(NRF_LOG_MEMORY_PROTECTION_SAU_MPC)
+  target_compile_definitions(platform_s PUBLIC NRF_LOG_MEMORY_PROTECTION_SAU_MPC)
+  target_sources(platform_s PRIVATE src/log_memory_protection_sau_mpc.c)
+endif()
+
+if(NRF_LOG_MEMORY_PROTECTION_MPU_SPU)
+  target_compile_definitions(platform_s PUBLIC NRF_LOG_MEMORY_PROTECTION_MPU_SPU)
+  target_sources(platform_s PRIVATE src/log_memory_protection_mpu_spu.c)
+endif()
+
 if(NRF_ALLOW_NON_SECURE_RESET)
   target_compile_definitions(platform_s PUBLIC NRF_ALLOW_NON_SECURE_RESET)
 endif()
@@ -205,10 +215,6 @@ if(TFM_PARTITION_PLATFORM)
   )
 endif()
 
-if(LOG_MEMORY_PROTECTION)
-  target_sources(platform_s PRIVATE src/log_memory_protection.c)
-endif()
-
 if(PSA_CRYPTO_EXTERNAL_CORE)
   include(${TFM_BOARDS_NRF_DIR}/external_core.cmake)
 endif()

@@ -29,6 +29,10 @@
 #include "exception_info.h"
 #include "tfm_arch.h"
 
+#if defined(NRF_LOG_MEMORY_PROTECTION_SAU_MPC)
+#include <log_memory_protection.h>
+#endif /* NRF_LOG_MEMORY_PROTECTION_SAU_MPC */
+
 #if defined(TFM_PARTITION_CRYPTO)
 static enum tfm_hal_status_t crypto_platform_init(void)
 {
@@ -155,5 +159,9 @@ enum tfm_hal_status_t tfm_hal_platform_init(void)
 
 	log_pin_security_configuration();
 
+#if defined(NRF_LOG_MEMORY_PROTECTION_SAU_MPC)
+	log_memory_protection_sau_mpc();
+#endif /* NRF_LOG_MEMORY_PROTECTION_SAU_MPC */
+
 	return TFM_HAL_SUCCESS;
 }
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2026 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef __LOG_MEMORY_PROTECTION_H
+#define __LOG_MEMORY_PROTECTION_H
+
+void log_memory_protection_of_mpu(void);
+void log_memory_protection_of_spu_nsc(void);
+void log_memory_protection_of_spu_flash(void);
+void log_memory_protection_of_spu_ram(void);
+void log_memory_protection_of_spu(void);
+void log_memory_protection_mpu_spu(void);
+
+void log_memory_protection_sau_mpc(void);
+
+#endif /* __LOG_MEMORY_PROTECTION_H */
@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
  */
 
+#include <log_memory_protection.h>
 #include <cmsis.h>
 #include <tfm_spm_log.h>
 #include <mpu_armv8m_drv.h>
@@ -98,7 +99,7 @@ void log_memory_protection_of_spu(void)
 	log_memory_protection_of_spu_ram();
 }
 
-void log_memory_protection(void)
+void log_memory_protection_mpu_spu(void)
 {
 	log_memory_protection_of_mpu();
 	log_memory_protection_of_spu();

@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2026 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <log_memory_protection.h>
+#include <cmsis.h>
+#include <hal/nrf_mpc.h>
+#include <tfm_spm_log.h>
+
+static void log_memory_protection_sau(void)
+{
+	uint32_t sau_regions_count = SAU->TYPE & SAU_TYPE_SREGION_Msk;
+	uint32_t limit_address;
+
+	SPMLOG_INFMSG("SAU config:\r\n");
+	for (uint32_t i = 0; i < sau_regions_count; i++) {
+		SAU->RNR = i & SAU_RNR_REGION_Msk;
+
+		limit_address = SAU->RLAR;
+		if (limit_address & SAU_RLAR_ENABLE_Msk) {
+			if (limit_address & SAU_RLAR_NSC_Msk) {
+				SPMLOG_INFMSG("NCS region\r\n");
+			} else {
+				SPMLOG_INFMSG("NS region\r\n");
+			}
+			limit_address &= ~(SAU_RLAR_ENABLE_Msk | SAU_RLAR_NSC_Msk);
+			limit_address &= SAU_RLAR_LADDR_Msk;
+
+			SPMLOG_INFMSGVAL("   Base addr : ", SAU->RBAR & SAU_RBAR_BADDR_Msk);
+			SPMLOG_INFMSGVAL("   Limit addr: ", limit_address);
+		}
+	}
+}
+
+static void log_memory_protection_mpc(void)
+{
+	/* On 54L, the override regions (NRF_MPC00->OVERRIDE[]) are fixed in HW and the
+	 * OVERRIDE indexes (that are useful to us) start at 0 and end at 4 (inclusive).
+	 */
+	const uint32_t max_index = 4;
+	uint32_t address;
+	uint32_t perm_settings;
+	nrf_mpc_override_config_t config;
+
+	SPMLOG_INFMSG("MPC config:\r\n");
+	for (uint32_t i = 0; i <= max_index; i++) {
+		config = nrf_mpc_override_config_get(NRF_MPC00, i);
+		if (!config.enable) {
+			continue;
+		}
+
+		perm_settings = nrf_mpc_override_perm_get(NRF_MPC00, i);
+		perm_settings &= nrf_mpc_override_permmask_get(NRF_MPC00, i);
+
+		if (perm_settings & MPC_OVERRIDE_PERM_SECATTR_Msk) {
+			SPMLOG_INFMSG("S region\r\n");
+		} else {
+			SPMLOG_INFMSG("NS region\r\n");
+		}
+
+		address = nrf_mpc_override_startaddr_get(NRF_MPC00, i);
+		SPMLOG_INFMSGVAL("   Base addr: ", address);
+
+		address = nrf_mpc_override_endaddr_get(NRF_MPC00, i);
+		SPMLOG_INFMSGVAL("   End addr : ", address);
+	}
+}
+
+void log_memory_protection_sau_mpc(void)
+{
+	SPMLOG_INFMSG("** NS memory layout config start **\r\n");
+	log_memory_protection_sau();
+	log_memory_protection_mpc();
+	SPMLOG_INFMSG("** NS memory layout config end **\r\n");
+}
@@ -19,3 +19,5 @@ CONFIG_PSA_WANT_GENERATE_RANDOM=y
 CONFIG_PSA_WANT_ALG_HMAC=y
 CONFIG_PSA_WANT_ALG_SHA_256=y
 CONFIG_PSA_WANT_KEY_TYPE_HMAC=y
+
+CONFIG_TFM_LOG_NS_MEMORY_LAYOUT=y