nrf_security: cracen: kmu: Support KMU reserved area through DTS

When execution in place (CONFIG_XIP) is not enabled, which in practice means that when Zephyr is built for a RAM loaded image, the Zephyr linker script always places the RAM loaded image in the top address of the RAM and then loads the linker scripts defined with the Zephyr SECTION_PROLOGUE macros. SECTION_PROLOGUE Zephyr macros was used to set the address of the kmu_push_area making it incompatible with RAM loaded images. The Zephyr reserved-memory devicetree methodology works for both use cases but it requires heavy updates of multiple device tree files and overlays. In order to support the RAM loaded images use cases faster initial support for reserving the memory of nrf_kmu_reserved_push_area though devicetree is limited to RAM loaded images. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
nrfconnect · Feb 21, 2025 · 6dd2f53 · 6dd2f53
1 parent 48cf897
commit 6dd2f53
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
@@ -31,12 +31,34 @@
 
 extern nrf_security_mutex_t cracen_mutex_symmetric;
 
+#define KMU_PUSH_AREA_SIZE 64
+
+/* When execution in place (CONFIG_XIP) is not enabled, which in practice means that when Zephyr is
+ * built for a RAM loaded image, the Zephyr linker script always places the RAM loaded image in the
+ * top address of the RAM and then loads the linker scripts defined with the Zephyr SECTION_PROLOGUE
+ * macros. Using SECTION_PROLOGUE macros to set the address of the kmu_push_area is
+ * incompatible with RAM loaded images. The Zephyr reserved-memory devicetree methodology works for
+ * both use cases but it requires heavy updates of multiple devicetree files and overlays. In order
+ * to support the RAM loaded images use cases faster initial support for reserving the memory of
+ * nrf_kmu_reserved_push_area though devicetree is limited to RAM loaded images.
+ */
+#if DT_NODE_EXISTS(DT_NODELABEL(nrf_kmu_reserved_push_area)) && !CONFIG_XIP
+
+#include <zephyr/dt-bindings/memory-attr/memory-attr.h>
+#include <zephyr/linker/devicetree_regions.h>
+#define KMU_PUSH_AREA_NODE DT_NODELABEL(nrf_kmu_reserved_push_area)
+uint8_t kmu_push_area[KMU_PUSH_AREA_SIZE] Z_GENERIC_SECTION(
+	LINKER_DT_NODE_REGION_NAME(KMU_PUSH_AREA_NODE));
+
+#else
+
 /* The section .nrf_kmu_reserved_push_area is placed at the top RAM address
  * by the linker scripts. We do that for both the secure and non-secure builds.
  * Since this buffer is placed on the top of RAM we don't need to have the alignment
  * attribute anymore.
  */
-uint8_t kmu_push_area[64] __attribute__((section(".nrf_kmu_reserved_push_area")));
+uint8_t kmu_push_area[KMU_PUSH_AREA_SIZE] __attribute__((section(".nrf_kmu_reserved_push_area")));
+#endif
 
 typedef struct kmu_metadata {
 	uint32_t metadata_version: 4;