[nrf fromtree] platform: nordic_nrf: APPROTECT to lock debugging

frkv · frkv · commit 9573717cc8c0 · 2024-10-01T15:44:14.000+02:00
NRF_APPROTECT and NRF_SECURE_APPROTECT
to take precedence over other mechanisms when configuring
debugging for TF-M.

For nRF53 and nRF91x1 the actual locking of firmware is done
elsewhere. This further locks the UICR.

nRF9160 supports only hardware APPROTECT. This will lock the
APPROTECT / SECUREAPPROTECT in the next boot, when the above
settings are configured.

Change-Id: I5e304be0f8a34c0016488d9ec09929bbcb38481f
Signed-off-by: Markus Lassila &lt;markus.lassila@nordicsemi.no&gt;
Signed-off-by: Frank Audun Kvamtrø &lt;frank.kvamtro@nordicsemi.no&gt;
diff --git a/platform/ext/target/nordic_nrf/common/core/target_cfg.c b/platform/ext/target/nordic_nrf/common/core/target_cfg.c
@@ -807,7 +807,33 @@ enum tfm_plat_err_t system_reset_cfg(void)
 
 enum tfm_plat_err_t init_debug(void)
 {
-#if defined(NRF91_SERIES) || defined(NRF54L15_ENGA_XXAA)
+#if defined(NRF_APPROTECT) || defined(NRF_SECURE_APPROTECT)
+
+#if !defined(DAUTH_CHIP_DEFAULT)
+#error "Debug access controlled by NRF_APPROTECT and NRF_SECURE_APPROTECT."
+#endif
+
+#if defined(NRF_APPROTECT)
+    /* For nRF53 and nRF91x1 already active. For nRF9160, active in the next boot.*/
+    if (nrfx_nvmc_word_writable_check((uint32_t)&NRF_UICR_S->APPROTECT,
+                                    UICR_APPROTECT_PALL_Protected)) {
+        nrfx_nvmc_word_write((uint32_t)&NRF_UICR_S->APPROTECT, UICR_APPROTECT_PALL_Protected);
+    } else {
+        return TFM_PLAT_ERR_SYSTEM_ERR;
+    }
+#endif
+#if defined(NRF_SECURE_APPROTECT)
+    /* For nRF53 and nRF91x1 already active. For nRF9160, active in the next boot. */
+    if (nrfx_nvmc_word_writable_check((uint32_t)&NRF_UICR_S->SECUREAPPROTECT,
+                                    UICR_SECUREAPPROTECT_PALL_Protected)) {
+        nrfx_nvmc_word_write((uint32_t)&NRF_UICR_S->SECUREAPPROTECT,
+            UICR_SECUREAPPROTECT_PALL_Protected);
+    } else {
+        return TFM_PLAT_ERR_SYSTEM_ERR;
+    }
+#endif
+
+#elif defined(NRF91_SERIES) || defined(NRF54L15_ENGA_XXAA)
 
 #if !defined(DAUTH_CHIP_DEFAULT)
 #error "Debug access on this platform can only be configured by programming the corresponding registers in UICR."
