From 7b4d2ba191123cf2490db0bfa630fcb3c7749299 Mon Sep 17 00:00:00 2001 
From: Kamil Piszczek Date: Tue, 26 May 2026 15:32:04 +0200 Subject: [PATCH] sysbuild: image_signing: set ih_load_addr from slot0 partition The MCUboot CHECK_HEADER_LOAD_ADDRESS feature (CONFIG_MCUBOOT_CHECK_HEADER_LOAD_ADDRESS) verifies that an image in the secondary slot is intended for the primary slot by comparing the ih_load_addr field in the image header against the primary slot boundaries. The NCS sysbuild signing script did not pass --load-addr or --rom-fixed to imgtool for the OVERWRITE_ONLY and default swap branches, leaving ih_load_addr at zero in the signed application image. This caused MCUboot to reject every legitimate application update because zero falls outside the primary slot's address range. Updated nrf/cmake/sysbuild/image_signing.cmake to read the absolute slot0_partition address with dt_partition_addr ABSOLUTE and pass it as --rom-fixed to imgtool for both the OVERWRITE_ONLY and default swap branches. The ROM_FIXED flag follows the pattern already used by the cpunet image signing in nrf/cmake/sysbuild/b0_mcuboot_signing.cmake. Added SB_CONFIG_SOC_SERIES_NRF53 to the list of platforms in nrf/sysbuild/CMakeLists.txt that route through the NCS sysbuild signing script instead of the upstream zephyr/cmake/mcuboot.cmake. This makes non-PM nRF53 builds (such as the Fast Pair Locator Tag sample migrated to DTS) pick up the ih_load_addr fix. The change mirrors the existing treatment of SB_CONFIG_SOC_SERIES_NRF54L and SB_CONFIG_SOC_SERIES_NRF54H. Verified on the nRF5340 DK Fast Pair Locator Tag sample (nrf5340dk/nrf5340/cpuapp): the signed application image now reports ih_load_addr = 0xc000 and flags = ROM_FIXED, matching the slot0_partition definition in DTS. The cpunet image signing remains unchanged (ih_load_addr = 0x01002800, flags = ROM_FIXED). The equivalent fix is needed in upstream Zephyr (zephyr/cmake/mcuboot.cmake) for users that do not route through the NCS sysbuild signing script. Ref: NCSDK-38010 
Signed-off-by: Kamil Piszczek
---
 cmake/sysbuild/image_signing.cmake | 8 ++++++--
 sysbuild/CMakeLists.txt | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/cmake/sysbuild/image_signing.cmake b/cmake/sysbuild/image_signing.cmake
index 06e16f933799..aec3fb68ad0b 100644
--- a/cmake/sysbuild/image_signing.cmake
+++ b/cmake/sysbuild/image_signing.cmake
@@ -62,6 +62,10 @@ function(zephyr_mcuboot_tasks)
 dt_chosen(flash_node PROPERTY "zephyr,flash")
 dt_nodelabel(slot0_flash NODELABEL "slot0_partition" REQUIRED)
 dt_reg_size(slot_size PATH "${slot0_flash}" REQUIRED)
+ # Absolute slot0 address is used to set ih_load_addr in the image header so
+ # that the MCUBOOT_CHECK_HEADER_LOAD_ADDRESS feature can verify the
+ # secondary-slot image is intended for the primary slot.
+ dt_partition_addr(slot0_partition_address PATH "${slot0_flash}" REQUIRED ABSOLUTE)
 dt_prop(write_block_size PATH "${flash_node}" PROPERTY "write-block-size")
 if(NOT write_block_size)
@@ -90,7 +94,7 @@ function(zephyr_mcuboot_tasks)
 set(imgtool_rom_command)
 if(CONFIG_MCUBOOT_IMGTOOL_OVERWRITE_ONLY)
 # Use overwrite-only instead of swap upgrades.
- set(imgtool_rom_command --overwrite-only --align 1)
+ set(imgtool_rom_command --overwrite-only --align 1 --rom-fixed ${slot0_partition_address})
 elseif(CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD OR CONFIG_MCUBOOT_BOOTLOADER_MODE_RAM_LOAD_WITH_REVERT)
 # RAM load requires setting the location of where to load the image to
@@ -124,7 +128,7 @@ function(zephyr_mcuboot_tasks)
 dt_reg_size(slot_size PATH "${code_partition}" REQUIRED)
 set(imgtool_rom_command --rom-fixed ${code_partition_offset} --align ${write_block_size})
 else()
- set(imgtool_rom_command --align ${write_block_size})
+ set(imgtool_rom_command --align ${write_block_size} --rom-fixed ${slot0_partition_address})
 endif()
 # TF-M combined images need --pad-header because the MCUboot header gap is
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
index cfe51ea0d470..1fc3b947da21 100644
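Review bot: `--rom-fixed ${slot0_partition_address}` is appended unconditionally in the overwrite-only branch here and again in the `else()` branch of the next hunk, although the commit message ties the need to a single bootloader option, CONFIG_MCUBOOT_CHECK_HEADER_LOAD_ADDRESS. Every image signed through these branches will now carry the ROM_FIXED flag and a non-zero ih_load_addr, including updates destined for bootloaders already in the field that were built without that option. The diff does not show how such bootloaders treat the flag, so this should be confirmed against at least one older bootloader build before release. The existing comment `# Use overwrite-only instead of swap upgrades.` no longer covers the whole line; I would extend it with `# --rom-fixed records the slot0 address in ih_load_addr (ROM_FIXED flag) for MCUboot's load-address check.` The function body starts and ends outside this hunk.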
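Review bot: The `else()` branch is a catch-all, so the slot0 address is now stamped into the header for every bootloader mode not matched by an earlier branch, not only the default swap mode named in the commit message. The earlier branches are only partly visible in this hunk; if any mode that does not execute the image from slot0_partition can reach this `else()`, a bootloader enforcing the load-address check would reject a correctly signed update. Consider stating the covered modes in a comment above the `set()`, for example `# Swap modes execute from slot0_partition; ih_load_addr must match it.`, or making the condition explicit instead of relying on the fallthrough.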
--- a/sysbuild/CMakeLists.txt +++ b/sysbuild/CMakeLists.txt @@ -472,6 +472,7 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake) OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION # Do not use the upstream mcuboot.cmake on new platforms. + OR SB_CONFIG_SOC_SERIES_NRF53 OR SB_CONFIG_SOC_SERIES_NRF54L OR SB_CONFIG_SOC_SERIES_NRF54H OR SB_CONFIG_QSPI_XIP_SPLIT_IMAGE # TF-M NS builds require signing tfm_merged.hex, not zephyr.hex.
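Review bot: The added `OR SB_CONFIG_SOC_SERIES_NRF53` sits under the comment `# Do not use the upstream mcuboot.cmake on new platforms.`, which does not describe it: per the commit message nRF53 is added so that non-PM builds pick up the ih_load_addr fix, not because the platform is new. The line switches the signing script for every nRF53 build that satisfies the rest of the condition, which begins outside this hunk, while the commit message reports verification on one sample only. Give the line its own comment, e.g. `# nRF53: the NCS signing script sets ih_load_addr for the MCUboot load-address check.`, so that a later cleanup of the platform list does not drop it and silently return to images signed with ih_load_addr of zero.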