[nrf noup] zephyr: Clean up non-secure RAM if enabled

To ensure that MCUBoot does not leak keys or other material through
memory to non-secure side we clear the memory before jumping to the next
image.

Signed-off-by: Sigvart Hovland <sigvart.hovland@nordicsemi.no>
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Signed-off-by: Ole Sæther <ole.saether@nordicsemi.no>
(cherry picked from commit d04dd27)

boot/zephyr/CMakeLists.txt

@@ -575,7 +575,7 @@ if(SYSBUILD)
   set(mcuboot_image_upgrade_footer_size ${required_upgrade_size} CACHE INTERNAL "Estimated MCUboot update image trailer size" FORCE)
 endif()
 
-if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL)
+if(CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL OR CONFIG_MCUBOOT_CLEANUP_NONSECURE_RAM)
 zephyr_library_sources(
   ${BOOT_DIR}/zephyr/nrf_cleanup.c
 )

boot/zephyr/include/nrf_cleanup.h

@@ -16,4 +16,9 @@
  */
 void nrf_cleanup_peripheral(void);
 
+/**
+ * Perform cleanup of non-secure RAM that may have been used by MCUBoot.
+ */
+void nrf_cleanup_ns_ram(void);
+
 #endif

boot/zephyr/main.c

@@ -142,7 +142,7 @@ K_SEM_DEFINE(boot_log_sem, 1, 1);
 #include <pm_config.h>
 #endif
 
-#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL
+#if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL || CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM
 #include <nrf_cleanup.h>
 #endif
 
@@ -219,6 +219,9 @@ static void do_boot(struct boot_rsp *rsp)
 #if CONFIG_MCUBOOT_NRF_CLEANUP_PERIPHERAL
     nrf_cleanup_peripheral();
 #endif
+#if CONFIG_MCUBOOT_NRF_CLEANUP_NONSECURE_RAM && defined(PM_SRAM_NONSECURE_NAME)
+    nrf_cleanup_ns_ram();
+#endif
 #if CONFIG_MCUBOOT_CLEANUP_ARM_CORE
     cleanup_arm_nvic(); /* cleanup NVIC registers */
 

boot/zephyr/nrf_cleanup.c

@@ -5,9 +5,8 @@
  */
 
 #include <hal/nrf_clock.h>
-#if defined(NRF_UARTE0) || defined(NRF_UARTE1)
-    #include <hal/nrf_uarte.h>
-#endif
+#include <hal/nrf_uarte.h>
+#include <haly/nrfy_uarte.h>
 #if defined(NRF_RTC0) || defined(NRF_RTC1) || defined(NRF_RTC2)
     #include <hal/nrf_rtc.h>
 #endif
@@ -20,6 +19,15 @@
 
 #include <string.h>
 
+#if USE_PARTITION_MANAGER
+#include <pm_config.h>
+#endif
+
+#if defined(NRF_UARTE0) || defined(NRF_UARTE1) || defined(NRF_UARTE20) ||   \
+    defined(NRF_UARTE30)
+#define NRF_UARTE_CLEANUP
+#endif
+
 #define NRF_UARTE_SUBSCRIBE_CONF_OFFS offsetof(NRF_UARTE_Type, SUBSCRIBE_STARTRX)
 #define NRF_UARTE_SUBSCRIBE_CONF_SIZE (offsetof(NRF_UARTE_Type, EVENTS_CTS) -\
                                        NRF_UARTE_SUBSCRIBE_CONF_OFFS)
@@ -37,6 +45,23 @@ static inline void nrf_cleanup_rtc(NRF_RTC_Type * rtc_reg)
 }
 #endif
 
+#if defined(NRF_UARTE_CLEANUP)
+static NRF_UARTE_Type *nrf_uarte_to_clean[] = {
+#if defined(NRF_UARTE0)
+    NRF_UARTE0,
+#endif
+#if defined(NRF_UARTE1)
+    NRF_UARTE1,
+#endif
+#if defined(NRF_UARTE20)
+    NRF_UARTE20,
+#endif
+#if defined(NRF_UARTE30)
+    NRF_UARTE30,
+#endif
+};
+#endif
+
 static void nrf_cleanup_clock(void)
 {
     nrf_clock_int_disable(NRF_CLOCK, 0xFFFFFFFF);
@@ -53,26 +78,31 @@ void nrf_cleanup_peripheral(void)
 #if defined(NRF_RTC2)
     nrf_cleanup_rtc(NRF_RTC2);
 #endif
-#if defined(NRF_UARTE0)
-    nrf_uarte_disable(NRF_UARTE0);
-    nrf_uarte_int_disable(NRF_UARTE0, 0xFFFFFFFF);
-#if defined(NRF_DPPIC)
-    /* Clear all SUBSCRIBE configurations. */
-    memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE);
-    /* Clear all PUBLISH configurations. */
-    memset((uint8_t *)NRF_UARTE0 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE);
-#endif
-#endif
-#if defined(NRF_UARTE1)
-    nrf_uarte_disable(NRF_UARTE1);
-    nrf_uarte_int_disable(NRF_UARTE1, 0xFFFFFFFF);
+
+#if defined(NRF_UARTE_CLEANUP)
+    for (int i = 0; i < sizeof(nrf_uarte_to_clean) / sizeof(nrf_uarte_to_clean[0]); ++i) {
+        NRF_UARTE_Type *current = nrf_uarte_to_clean[i];
+
+        nrfy_uarte_int_disable(current, 0xFFFFFFFF);
+        nrfy_uarte_int_uninit(current);
+        nrfy_uarte_task_trigger(current, NRF_UARTE_TASK_STOPRX);
+
+        nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_RXSTARTED);
+        nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_ENDRX);
+        nrfy_uarte_event_clear(current, NRF_UARTE_EVENT_RXTO);
+        nrfy_uarte_disable(current);
+
 #if defined(NRF_DPPIC)
-    /* Clear all SUBSCRIBE configurations. */
-    memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0, NRF_UARTE_SUBSCRIBE_CONF_SIZE);
-    /* Clear all PUBLISH configurations. */
-    memset((uint8_t *)NRF_UARTE1 + NRF_UARTE_PUBLISH_CONF_OFFS, 0, NRF_UARTE_PUBLISH_CONF_SIZE);
+        /* Clear all SUBSCRIBE configurations. */
+        memset((uint8_t *)current + NRF_UARTE_SUBSCRIBE_CONF_OFFS, 0,
+               NRF_UARTE_SUBSCRIBE_CONF_SIZE);
+        /* Clear all PUBLISH configurations. */
+        memset((uint8_t *)current + NRF_UARTE_PUBLISH_CONF_OFFS, 0,
+               NRF_UARTE_PUBLISH_CONF_SIZE);
 #endif
+    }
 #endif
+
 #if defined(NRF_PPI)
     nrf_ppi_channels_disable_all(NRF_PPI);
 #endif
@@ -81,3 +111,12 @@ void nrf_cleanup_peripheral(void)
 #endif
     nrf_cleanup_clock();
 }
+
+#if USE_PARTITION_MANAGER \
+	&& defined(CONFIG_ARM_TRUSTZONE_M) \
+	&& defined(PM_SRAM_NONSECURE_NAME)
+void nrf_cleanup_ns_ram(void)
+{
+	memset((void *) PM_SRAM_NONSECURE_ADDRESS, 0, PM_SRAM_NONSECURE_SIZE);
+}
+#endif