diff --git a/core/embed/firmware/main.c b/core/embed/firmware/main.c
index 43627b987..b3d206d89 100644
--- a/core/embed/firmware/main.c
+++ b/core/embed/firmware/main.c
@@ -116,6 +116,12 @@ int main(void) {
 
   unit_variant_init();
 
+#ifdef USE_OPTIGA
+  uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
+  secbool secret_ok =
+      secret_read(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN);
+#endif
+
 #if PRODUCTION || BOOTLOADER_QA
   check_and_replace_bootloader();
 #endif
@@ -166,10 +172,7 @@ int main(void) {
 #ifdef USE_OPTIGA
   optiga_init();
   optiga_open_application();
-
-  uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
-  if (secret_read(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN) ==
-      sectrue) {
+  if (sectrue == secret_ok) {
     optiga_sec_chan_handshake(secret, sizeof(secret));
   }
   memzero(secret, sizeof(secret));
diff --git a/core/embed/trezorhal/stm32f4/mpu.c b/core/embed/trezorhal/stm32f4/mpu.c
index 265adc54e..483eb780c 100644
--- a/core/embed/trezorhal/stm32f4/mpu.c
+++ b/core/embed/trezorhal/stm32f4/mpu.c
@@ -125,13 +125,12 @@ void mpu_config_firmware(void) {
   MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_ATTR_FLASH |
               LL_MPU_REGION_SIZE_64KB | LL_MPU_REGION_FULL_ACCESS |
               MPU_RASR_XN_Msk;
-  // Secret + Storage#2 (0x08100000 - 0x0811FFFF, 16 Kib + 64 KiB, read-write,
-  // execute never)
+  // Storage#2 (0x08110000 - 0x0811FFFF, 64 KiB, read-write, execute never)
   MPU->RNR = MPU_REGION_NUMBER2;
   MPU->RBAR = FLASH_BASE + 0x110000;
   MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_ATTR_FLASH |
-              LL_MPU_REGION_SIZE_128KB | LL_MPU_REGION_FULL_ACCESS |
-              MPU_RASR_XN_Msk | MPU_SUBREGION_DISABLE(0x0E);
+              LL_MPU_REGION_SIZE_64KB | LL_MPU_REGION_FULL_ACCESS |
+              MPU_RASR_XN_Msk;
 
   // Firmware (0x08040000 - 0x080FFFFF, 6 * 128 KiB = 1024 KiB except 2/8 at
   // start = 768 KiB, read-only)