doc: ironside: Consolidate release archive info

Programming steps are discussed in the update docs, as that process
is either part of the manual update or provisioning; the latter
being documented elsewhere.

Describing the ZIP archive is expanded into a release deliverable
section and moved into the update context.

Default configurations aren't strictly related to either but are still
important to discuss in general ISE.

Ref: NCSDK-33336

Signed-off-by: Stephen Stauts <stephen.stauts@nordicsemi.no>

Author: kyberdin

doc/nrf/app_dev/device_guides/nrf54h/ug_nrf54h20_ironside.rst

@@ -23,56 +23,37 @@ The IronSide Secure Element (|ISE|) is a firmware for the :ref:`Secure Domain <u
 * PSA Crypto service (:ref:`ug_crypto_architecture_implementation_standards_ironside`)
 * PSA Internal Trusted Storage service
 
-See the following pages for details on some |ISE| features and subsystems.
+See the following pages for details on |ISE| features and subsystems.
 
 .. toctree::
    :maxdepth: 2
 
    ug_nrf54h20_ironside_update
 
-.. _ug_nrf54h20_ironside_se_programming:
+.. _ug_nrf54h20_ironside_defaults:
 
-Programming |ISE| on the nRF54H20 SoC
-*************************************
+Default policies
+****************
 
-|ISE| is released independently of the |NCS| release cycle and is provided as a ZIP archive that contains the following components:
+By default, |ISE| configures the system with the following access policies on the nRF54H20 SoC:
 
 .. list-table::
    :header-rows: 1
    :widths: auto
 
-   * - Component
-     - File
-     - Description
-   * - IronSide SE firmware
-     - :file:`ironside_se.hex`
-     - Used when bringing up a new DK and programming both the recovery firmware and |ISE| for the first time.
-   * - IronSide SE update firmware
-     - :file:`ironside_se_update.hex`
-     - Used when updating |ISE|.
-   * - IronSide SE Recovery update firmware
-     - :file:`ironside_se_recovery_update.hex`
-     - The recovery firmware, reserved for future recovery operations. Currently, it does not provide user-facing functionality. Used when updating the recovery firmware.
-   * - Update application
-     - :file:`update_application.hex`
-     - The local domain :zephyr:code-sample:`update application <nrf_ironside_update>` that is used to perform an |ISE| update. See :ref:`ug_nrf54h20_ironside_se_update_manual`.
-
-For instructions on how to program |ISE|, see :ref:`ug_nrf54h20_SoC_binaries`.
-
-By default, the nRF54H20 SoC uses the following memory and access configurations:
-
-* MRAMC configuration: MRAM operates in Direct Write mode with READYNEXTTIMEOUT disabled.
-* MPC configuration: All memory not reserved by Nordic firmware is accessible with read, write, and execute (RWX) permissions by any domain.
-* TAMPC configuration: The access ports (AP) for the local domains are enabled, allowing direct programming of all the memory not reserved by Nordic firmware in the default configuration.
-
+   * - Configuration
+     - Policy
+   * - MRAMC
+     - MRAM operates in Direct Write mode with READYNEXTTIMEOUT disabled.
+   * - MPC
+     - All memory not reserved by Nordic firmware is accessible with read, write, and execute (RWX) permissions by any domain.
+   * - TAMPC
+     - Access ports (AP) for the local domains are enabled, allowing direct programming of all the memory not reserved by Nordic firmware in the default configuration.
 
 .. note::
    * The Radio Domain AP is only usable when the Radio domain has booted.
    * Access to external memory (EXMIF) requires a non-default configuration of the GPIO.CTRLSEL register.
 
-You can protect global domain memory from write operations by configuring the UICR registers.
-To remove these protections and disable all other protection mechanisms enforced through UICR settings, perform an ``ERASEALL`` operation.
-
 .. _ug_nrf54h20_ironside_se_uicr:
 
 Global Resource configuration
@@ -120,9 +101,12 @@ The following UICR fields are supported:
 +----------------------+---------------------------------------------------------------------+
 
 .. note::
-   If no UICR values are programmed, |ISE| applies a set of default configurations.
+   If no UICR values are programmed, |ISE| applies a set of :ref:`default configurations <ug_nrf54h20_ironside_defaults>`.
    Applications that do not require custom settings can rely on these defaults without modifying the UICR.
 
+Performing an :ref:`ERASEALL <ug_nrf54h20_ironside_se_eraseall_command>` operation will erase all UICR contents and remove all protection mechanisms enforced through UICR.
+See :ref:`ug_nrf54h20_ironside_se_protecting` for more information on protecting UICR contents in the field.
+
 UICR image generation
 =====================
 
@@ -313,6 +297,8 @@ However, it does not prevent erase operations initiated through other means, suc
    If this configuration is enabled and :kconfig:option:`CONFIG_GEN_UICR_LOCK` is also set, it is no longer possible to modify the UICR in any way.
    Therefore, this configuration should only be enabled during the final stages of production.
 
+.. _ug_nrf54h20_ironside_se_protected_memory:
+
 UICR.PROTECTEDMEM
 =================
 
@@ -653,7 +639,6 @@ For information on how to configure these UICR settings, see :ref:`ug_nrf54h20_i
 * :kconfig:option:`CONFIG_GEN_UICR_ERASEPROTECT` - Prevents bulk erasure of protected memory.
   It blocks all ``ERASEALL`` operations on NVR0, preserving UICR settings even if an attacker attempts a full-chip erase.
 
-
 .. _ug_nrf54h20_ironside_se_boot_report:
 
 |ISE| boot report

doc/nrf/app_dev/device_guides/nrf54h/ug_nrf54h20_ironside_update.rst

@@ -7,10 +7,43 @@ Updating |ISE|
    :local:
    :depth: 2
 
-Updating the |ISE| is possible after it has been initially :ref:`provisioned <ug_nrf54h20_SoC_binaries>` on the nRF54H20 SoC.
+Updating the |ISE| is only possible after it has been initially :ref:`provisioned <ug_nrf54h20_SoC_binaries>` on the nRF54H20 SoC.
 
 The update operation is initiated through its :ref:`update service <ug_nrf54h20_ironside_se_update_service>` at runtime by application firmware.
 
+.. _ug_nrf54h20_ironside_se_deliverables:
+
+Release package
+***************
+
+The |ISE| is released independently of the |NCS| release cycle and is provided as a ZIP archive.
+
+The archive is used to update the existing |ISE| firmware on the nRF54H20 and consists of the following components:
+
+.. list-table::
+   :header-rows: 1
+   :widths: auto
+
+   * - Component
+     - File
+     - Description
+   * - IronSide SE firmware
+     - :file:`ironside_se.hex`
+     - Used when provisioning a new DK with |ISE| and |ISE| Recovery firmware for the first time.
+   * - IronSide SE update firmware
+     - :file:`ironside_se_update.hex`
+     - Used when updating |ISE|.
+   * - IronSide SE Recovery update firmware
+     - :file:`ironside_se_recovery_update.hex`
+     - The recovery firmware, reserved for future recovery operations. Currently, it does not provide user-facing functionality. Used when updating the recovery firmware.
+   * - Update application
+     - :file:`update_application.hex`
+     - The local domain :zephyr:code-sample:`update application <nrf_ironside_update>` that is used to perform an |ISE| update. See :ref:`ug_nrf54h20_ironside_se_update_architecture` for details on its role.
+
+For more information on |ISE| release binaries, see :ref:`abi_compatibility`.
+
+For instructions on how to provision the nRF54H20 with |ISE| for the first time, see :ref:`ug_nrf54h20_SoC_binaries`.
+
 .. _ug_nrf54h20_ironside_se_updating:
 
 Performing an update
@@ -31,15 +64,15 @@ Manual update
 
 .. important::
    Manual updates will replace existing firmware running in the Application core.
-   User application firmware must be reprogrammed after a successfully updating the device.
+   User application firmware must be reprogrammed after successfully updating the device.
 
 .. tabs::
 
   .. group-tab:: West
 
     The |NCS| defines the west ``ncs-ironside-se-update`` command to update |ISE| firmware on a device via the debugger.
 
-    This command takes the nRF54H20 SoC binary ZIP file and uses the |ISE| update service to update both the |ISE| and |ISE| Recovery (or optionally just one of them). It uses the following syntax to program the release archive to the device:
+    This command takes the nRF54H20 SoC binary ZIP file and uses the |ISE| update service to update both the |ISE| and |ISE| Recovery (or optionally just one of them):
 
     .. code-block:: console
 
@@ -126,15 +159,18 @@ Manual update
 |ISE| update service
 ********************
 
-|ISE| exposes an update service that allows local domains to trigger the update process of |ISE| itself.
+|ISE| provides an update service that allows local domains to trigger the update process of |ISE| itself.
 
-The update service requires a release of |ISE| and/or the |ISE| Recovery images to be programmed within a valid memory range that is accessible by the Application core.
+The update service requires a release of |ISE| or the |ISE| Recovery image to be programmed within a valid memory range that is accessible by the Application core.
+See :file:`nrf_ironside/update.h` for more details on the supported memory range.
+
+After the Application has invoked the service, |ISE| will update on the next system reset.
+The update can be verified by checking the listed versions in the :ref:`boot report <ug_nrf54h20_ironside_se_boot_report>` on startup.
 
 .. note::
-   See :file:`nrf_ironside/update.h` for more details on the supported memory range.
+   Updating through the service is limited to a single image at a time.
 
-After the Application has invoked the service, |ISE| will update on the next system reset.
-The update can be verified by checking the listed versions in the boot report on startup.
+   Updating both |ISE| and |ISE| Recovery images requires performing two rounds of the update service procedure, in which the |ISE| Recovery image is updated first.
 
 See the :zephyr:code-sample:`update application <nrf_ironside_update>` sample for an example on calling the service at runtime.