MCUBoot+sysbuild+ns-variant: E: Protect mcuboot flash failed, cancel startup.

Hi.

Goal
I am creating a new application for the nRF54l15 and want to follow the latest recommendations for project configuration. I need to do DFU over BLE, so I'm trying to add MCUBoot in the chain-of-trust regime, using sysbuild. To get there, I used the zephyr/samples/sysbuild/with_mcuboot as a starting point.

Problem
The sample in question does not explicitly support any of the Nordic boards with secure/non-secure regime, and I haven't found any samples that combine all these criteria. So I have tried to build the zephyr/sysbuild/with_mcuboot sample for nrf54l15dk/nrf54l15/ns. After erase+flash to my nRF54l15-PDK, I get the following error:

*** Booting MCUboot v2.1.0-dev-2b69d93e75bc ***
*** Using nRF Connect SDK v3.1.0-6c6e5b32496e ***
*** Using Zephyr OS v4.1.99-1612683d4010 ***
E: Protect mcuboot flash failed, cancel startup.

How to recreate
Open zephyr/sysbuild/with_mcuboot and build the sample for nrf54l15dk/nrf54l15/ns. My first build failed, but after doing a pristine build it built successfully and I was able to flash (VSCode build output is attached). Finally, flash to the DK and it should produce the error message shown above.

My setup
Support information is attached. I'm using SDK and toolchain version 3.1.0 with VSCode for Windows 10, and nRF54L15-PDK (0.8.1, 2024.38).

Solutions?
I don't have to be able to run this exact sample, but what is causing this error and how do I best resolve it?

vscode_build_log.txt 


  • Hello,

    Sorry for the delay in getting back to you. This issue has been reported internally, and we are working on it. I will update you once we have a resolution. The error seems to occur because FPROTECT couldn’t protect the MCUBoot partition for some reason.

    There is a similar case, but the customer there is apparently fine running without the _ns version of the build configuration.

    Kind regards,
    Abhijith

  • Thank you for the update, and thanks for reporting it internally.

    I believe the build would probably succeed using the non-ns variant of the board, and I believe it would also work by disabling FPROTECT. However, this is a very big compromise considering it might make it challenging to get our product certified with regard to the upcoming IoT security regulations such as CRA, where DFU/FOTA will be a requirement and most points under CRA Annex 1 relate to the configurations discussed in this thread. It would also be surprising if such a compromise is required, considering security is one of the selling points of the nRF54 series:

    "
    Advanced security features with physical protection
    With more IoT security regulations, customers increasingly recognize the value of security. The nRF54L Series enables secure products, integrating features such as secure boot, secure firmware update, secure storage, a trusted execution environment enabled by TrustZone, and a cryptographic accelerator. These features, alongside side-channel leakage protection and tamper detectors, fulfill essential and rigorous security requirements.
    "

    Also, I imagine there are very few instances where you would want to use TFM without FPROTECT? I might be missing something, but wouldn't TFM's security be compromised by the fact that the application can simply modify the TFM? As far as I can tell they go hand in hand.

    So to assist customers planning to use the nRF54 for its secure features, or customers that want to be compliant with existing and future cybersecurity regulations and care about certification, it would be very helpful to have a sample in the nRF Connect SDK that has security enabled by default (possibly two samples, one central device and one peripheral?). As a minimum for compliance with the most central IoT security regulations, it should probably include the following:

    1. Builds for the _ns variant of the nRF54 development kits with TFM.
      a. To be compliant with most points under CRA Annex 1.
    2. Has secure Bluetooth with recommended DFU services enabled.
      a. Assuming most customers choosing the 54 series are interested in using Bluetooth.
      b. DFU to be compliant with CRA requirements related to security updates and lifecycle support.
    3. Uses the key provisioning and KMU for the benefits you mentioned.

    Or whichever configuration you see fit to actually "fulfill essential and rigorous security requirements." and be compliant with "IoT security regulations", because that is essentially what I'm trying to achieve. This also ties into the "secure by default configuration" listed under CRA Annex 1.

    I'm referring a lot to CRA considering it is one of the big upcoming IoT security regulations, and it will become part of the CE requirements in 2027.
