applications: nrf_desktop: enable fprotect in mcuboot configurations

applications/nrf_desktop/configuration/nrf52820dongle_nrf52820/images/mcuboot/prj_release.conf

@@ -6,9 +6,6 @@
 
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
-
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
 CONFIG_MAIN_STACK_SIZE=4096
@@ -17,6 +14,7 @@ CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_BOOT_ERASE_PROGRESSIVELY=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 
@@ -54,6 +52,7 @@ CONFIG_BOOT_BANNER=n
 CONFIG_NCS_BOOT_BANNER=n
 CONFIG_ERRNO=n
 CONFIG_ARM_MPU=n
+CONFIG_HW_STACK_PROTECTION=n
 CONFIG_BOOT_SERIAL_IMG_GRP_HASH=n
 
 # Use minimal C library instead of the Picolib

applications/nrf_desktop/configuration/nrf52833dk_nrf52820/images/mcuboot/prj_release.conf

@@ -6,9 +6,6 @@
 
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
-
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
 CONFIG_MAIN_STACK_SIZE=4096
@@ -17,6 +14,7 @@ CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_BOOT_ERASE_PROGRESSIVELY=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 
@@ -58,6 +56,7 @@ CONFIG_BOOT_BANNER=n
 CONFIG_NCS_BOOT_BANNER=n
 CONFIG_ERRNO=n
 CONFIG_ARM_MPU=n
+CONFIG_HW_STACK_PROTECTION=n
 CONFIG_BOOT_SERIAL_IMG_GRP_HASH=n
 
 # Use minimal C library instead of the Picolib

applications/nrf_desktop/configuration/nrf52833dk_nrf52833/images/mcuboot/prj.conf

@@ -6,8 +6,7 @@
 
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -17,6 +16,7 @@ CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_BOOT_ERASE_PROGRESSIVELY=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 

applications/nrf_desktop/configuration/nrf52833dk_nrf52833/images/mcuboot/prj_release.conf

@@ -6,8 +6,7 @@
 
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -17,6 +16,7 @@ CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_BOOT_ERASE_PROGRESSIVELY=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 

applications/nrf_desktop/configuration/nrf52833dongle_nrf52833/images/mcuboot/prj.conf

@@ -6,8 +6,7 @@
 
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -17,6 +16,7 @@ CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_BOOT_ERASE_PROGRESSIVELY=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 

applications/nrf_desktop/configuration/nrf52833dongle_nrf52833/images/mcuboot/prj_release.conf

@@ -6,8 +6,7 @@
 
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -17,6 +16,7 @@ CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_BOOT_ERASE_PROGRESSIVELY=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 

applications/nrf_desktop/configuration/nrf52840dk_nrf52840/images/mcuboot/prj_fast_pair.conf

@@ -5,8 +5,7 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -19,6 +18,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 
 # Reduce memory consumption

applications/nrf_desktop/configuration/nrf52840dk_nrf52840/images/mcuboot/prj_mcuboot_qspi.conf

@@ -5,8 +5,7 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -16,9 +15,7 @@ CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
-
-# Required by QSPI
-CONFIG_MULTITHREADING=y
+CONFIG_FPROTECT=y
 
 CONFIG_NORDIC_QSPI_NOR=y
 CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096

applications/nrf_desktop/configuration/nrf52840dk_nrf52840/images/mcuboot/prj_mcuboot_smp.conf

@@ -5,8 +5,7 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -17,6 +16,7 @@ CONFIG_BOOT_MAX_IMG_SECTORS=256
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 
 # Logger

applications/nrf_desktop/configuration/nrf52840gmouse_nrf52840/images/mcuboot/prj_fast_pair.conf

@@ -5,8 +5,7 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -19,6 +18,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 
 # Reduce memory consumption

applications/nrf_desktop/configuration/nrf52840gmouse_nrf52840/images/mcuboot/prj_mcuboot_smp.conf

@@ -5,8 +5,7 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -15,6 +14,7 @@ CONFIG_MAIN_STACK_SIZE=10240
 CONFIG_BOOT_BOOTSTRAP=n
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 
 # Decrease memory footprint
@@ -28,7 +28,6 @@ CONFIG_ERRNO=n
 CONFIG_PRINTK=n
 CONFIG_CBPRINTF_NANO=y
 CONFIG_TIMESLICING=n
-CONFIG_ARM_MPU=n
 CONFIG_THREAD_STACK_INFO=n
 
 # Disable USB

applications/nrf_desktop/configuration/nrf52840gmouse_nrf52840/images/mcuboot/prj_release_fast_pair.conf

@@ -5,8 +5,7 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -19,6 +18,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 
 # Disable USB

applications/nrf_desktop/configuration/nrf52kbd_nrf52832/images/mcuboot/prj_release_fast_pair.conf

@@ -5,8 +5,7 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
-# Disable memory guard to avoid false faults in application after boot
-CONFIG_HW_STACK_PROTECTION=n
+CONFIG_HW_STACK_PROTECTION=y
 
 CONFIG_SYSTEM_CLOCK_NO_WAIT=y
 
@@ -19,6 +18,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 CONFIG_SOC_FLASH_NRF_EMULATE_ONE_BYTE_WRITE_ACCESS=y
 
 # Reduce memory consumption

applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/images/mcuboot/prj.conf

@@ -5,6 +5,8 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
+CONFIG_HW_STACK_PROTECTION=y
+
 CONFIG_MAIN_STACK_SIZE=10240
 CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 
@@ -14,6 +16,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 
 # Reduce memory consumption
 CONFIG_BOOT_BANNER=n

applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/images/mcuboot/prj_fast_pair.conf

@@ -5,6 +5,8 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
+CONFIG_HW_STACK_PROTECTION=y
+
 CONFIG_MAIN_STACK_SIZE=10240
 CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 
@@ -14,6 +16,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 
 # Reduce memory consumption
 CONFIG_BOOT_BANNER=n

applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/images/mcuboot/prj_keyboard.conf

@@ -5,6 +5,8 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
+CONFIG_HW_STACK_PROTECTION=y
+
 CONFIG_MAIN_STACK_SIZE=10240
 CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 
@@ -14,6 +16,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 
 # Reduce memory consumption
 CONFIG_BOOT_BANNER=n

applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/images/mcuboot/prj_release.conf

@@ -5,6 +5,8 @@
 #
 CONFIG_SIZE_OPTIMIZATIONS=y
 
+CONFIG_HW_STACK_PROTECTION=y
+
 CONFIG_MAIN_STACK_SIZE=10240
 CONFIG_MBEDTLS_CFG_FILE="mcuboot-mbedtls-cfg.h"
 
@@ -14,6 +16,7 @@ CONFIG_BOOT_BOOTSTRAP=n
 CONFIG_BOOT_VERSION_CMP_USE_BUILD_NUMBER=y
 
 CONFIG_FLASH=y
+CONFIG_FPROTECT=y
 
 CONFIG_RESET_ON_FATAL_ERROR=y
 

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

@@ -247,6 +247,13 @@ nRF Desktop
     * :ref:`zephyr:nrf54l15dk_nrf54l15`
     * :ref:`zephyr:nrf54h20dk_nrf54h20`
 
+  * MCUboot bootloader configurations to enable the following Kconfig options:
+
+    * :kconfig:option:`CONFIG_FPROTECT`: used to protect the bootloader partition against memory corruption
+    * :kconfig:option:`CONFIG_HW_STACK_PROTECTION`: used to protect against stack overflows
+
+  * MCUboot bootloader configuration for the MCUboot SMP build type and the nRF52840 Gaming Mouse target to enable the :kconfig:option:`CONFIG_ARM_MPU` Kconfig option that is used to enable Memory Protection Unit (MPU).
+
 * Removed imply for partial erase feature of the nRF SoC flash driver (:kconfig:option:`CONFIG_SOC_FLASH_NRF_PARTIAL_ERASE`) for the USB next stack (:ref:`CONFIG_DESKTOP_USB_STACK_NEXT <config_desktop_app_options>`).
   The partial erase feature was used as a workaround for device errors that might be reported by the Windows USB host in Device Manager if a USB cable is connected while erasing a secondary image slot in the background.
   The workaround is no longer needed after the nRF UDC driver was improved.