Skip to content

Commit

Permalink
platform: nordic_nrf: APPROTECT to lock debugging
Browse files Browse the repository at this point in the history
NRF_APPROTECT and NRF_SECURE_APPROTECT
to take precedence over other mechanisms when configuring
debugging for TF-M.

For nRF53 and nRF91x1 the actual locking of firmware is done
elsewhere. This further locks the UICR.

nRF9160 supports only hardware APPROTECT. This will lock the
APPROTECT / SECUREAPPROTECT in the next boot, when the above
settings are configured.

Change-Id: I5e304be0f8a34c0016488d9ec09929bbcb38481f
Signed-off-by: Markus Lassila <[email protected]>
  • Loading branch information
MarkusLassila authored and adeaarm committed Aug 6, 2024
1 parent dc77905 commit 734a51d
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 1 deletion.
14 changes: 14 additions & 0 deletions platform/ext/target/nordic_nrf/common/core/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,20 @@ if(BL2)
)
endif()

if(NRF_APPROTECT)
target_compile_definitions(tfm_spm
PRIVATE
NRF_APPROTECT
)
endif()

if(NRF_SECURE_APPROTECT)
target_compile_definitions(tfm_spm
PRIVATE
NRF_SECURE_APPROTECT
)
endif()

#========================= Files for building NS side platform ================#

configure_file(config_nordic_nrf_spe.cmake.in
Expand Down
2 changes: 2 additions & 0 deletions platform/ext/target/nordic_nrf/common/core/config.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ set(SECURE_UART1 ON CACHE BOOL "Enable secur
set(NRF_NS_STORAGE OFF CACHE BOOL "Enable non-secure storage partition")
set(BL2 ON CACHE BOOL "Whether to build BL2")
set(NRF_NS_SECONDARY ${BL2} CACHE BOOL "Enable non-secure secondary partition")
set(NRF_APPROTECT OFF CACHE BOOL "Enable approtect")
set(NRF_SECURE_APPROTECT OFF CACHE BOOL "Enable secure approtect")

# Platform-specific configurations
set(CONFIG_TFM_USE_TRUSTZONE ON)
Expand Down
28 changes: 27 additions & 1 deletion platform/ext/target/nordic_nrf/common/core/target_cfg.c
Original file line number Diff line number Diff line change
Expand Up @@ -606,7 +606,33 @@ enum tfm_plat_err_t system_reset_cfg(void)

enum tfm_plat_err_t init_debug(void)
{
#if defined(NRF91_SERIES)
#if defined(NRF_APPROTECT) || defined(NRF_SECURE_APPROTECT)

#if !defined(DAUTH_CHIP_DEFAULT)
#error "Debug access controlled by NRF_APPROTECT and NRF_SECURE_APPROTECT."
#endif

#if defined(NRF_APPROTECT)
/* For nRF53 and nRF91x1 already active. For nRF9160, active in the next boot.*/
if (nrfx_nvmc_word_writable_check((uint32_t)&NRF_UICR_S->APPROTECT,
UICR_APPROTECT_PALL_Protected)) {
nrfx_nvmc_word_write((uint32_t)&NRF_UICR_S->APPROTECT, UICR_APPROTECT_PALL_Protected);
} else {
return TFM_PLAT_ERR_SYSTEM_ERR;
}
#endif
#if defined(NRF_SECURE_APPROTECT)
/* For nRF53 and nRF91x1 already active. For nRF9160, active in the next boot. */
if (nrfx_nvmc_word_writable_check((uint32_t)&NRF_UICR_S->SECUREAPPROTECT,
UICR_SECUREAPPROTECT_PALL_Protected)) {
nrfx_nvmc_word_write((uint32_t)&NRF_UICR_S->SECUREAPPROTECT,
UICR_SECUREAPPROTECT_PALL_Protected);
} else {
return TFM_PLAT_ERR_SYSTEM_ERR;
}
#endif

#elif defined(NRF91_SERIES)

#if !defined(DAUTH_CHIP_DEFAULT)
#error "Debug access on this platform can only be configured by programming the corresponding registers in UICR."
Expand Down

0 comments on commit 734a51d

Please sign in to comment.