Using gdb watchpoints I was able to see that running spm_request_random_number() (which is executed in sys_rand32_get) changes content of first byte of backend_cb_log_backend_custom. This is fragment of zephyr.map file:
...
.bss.fp_context_buffer
0x0000000020015db4 0x84 zephyr/libzephyr.a(secure_services_ns.c.obj)
.bss.backend_cb_log_backend_custom
0x0000000020015e38 0x8 zephyr/libzephyr.a(log_backend_custom.c.obj)
...
so it seems that most likely commit 7293e55d81fe0eb93333b167a68cbeb8af8196ec:
>spm: Store FP context when entering a secure service
>This prevents problems related to FPU mismatch.
>FPU must now be disabled in SPM, and the app is free to use FPU like
>normal.
is causing problems. I used CONFIG_FPU=y and I was not able to reproduce it with CONFIG_FPU=n.
Used 0e0d224ebad9dd776dc0b9d00ce028bcf2416cc2 of sdk-nrf repository with custom application.
