[nrf fromlist] soc: nordic: uicr: Add support for UICR.APPROTECT

Add support for UICR.APPROTECT configuration, which controls debugger
and access-port permissions through the TAMPC peripheral.

This introduces three Kconfig options that allow independent control
over access port protection for different processor domains:

- GEN_UICR_APPROTECT_APPLICATION_PROTECTED: Controls debug access to
  the application domain processor
- GEN_UICR_APPROTECT_RADIOCORE_PROTECTED: Controls debug access to
  the radio core processor
- GEN_UICR_APPROTECT_CORESIGHT_PROTECTED: Controls access to the
  CoreSight debug infrastructure

When enabled, each option sets the corresponding UICR.APPROTECT
register to PROTECTED (0xFFFFFFFF), which disables debug access for
that domain. When disabled, the registers remain at their erased value
(UNPROTECTED), allowing full debug access.

This feature is critical for production devices where debug access must
be restricted to prevent unauthorized access to sensitive code and data.

Upstream PR #: 97337

Signed-off-by: Sebastian Bøe <[email protected]>

Author: SebastianBoe

scripts/ci/check_compliance.py

@@ -1300,6 +1300,9 @@ def check_no_undef_outside_kconfig(self, kconf):
         "FOO_LOG_LEVEL",
         "FOO_SETTING_1",
         "FOO_SETTING_2",
+        "GEN_UICR_APPROTECT_APPLICATION_PROTECTED",
+        "GEN_UICR_APPROTECT_CORESIGHT_PROTECTED",
+        "GEN_UICR_APPROTECT_RADIOCORE_PROTECTED",
         "GEN_UICR_ERASEPROTECT",
         "GEN_UICR_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
         "GEN_UICR_LOCK",

soc/nordic/common/uicr/gen_uicr.py

@@ -25,6 +25,8 @@
 # Common values for representing enabled/disabled in the UICR format.
 ENABLED_VALUE = 0xFFFF_FFFF
 DISABLED_VALUE = 0xBD23_28A8
+PROTECTED_VALUE = ENABLED_VALUE  # UICR_PROTECTED = UICR_ENABLED per uicr_defs.h
+UNPROTECTED_VALUE = DISABLED_VALUE  # Unprotected uses the default erased value
 
 KB_4 = 4096
 
@@ -440,6 +442,21 @@ def main() -> None:
         action="store_true",
         help="Enable UICR.ERASEPROTECT to block ERASEALL operations",
     )
+    parser.add_argument(
+        "--approtect-application-protected",
+        action="store_true",
+        help="Protect application domain access port (disable debug access)",
+    )
+    parser.add_argument(
+        "--approtect-radiocore-protected",
+        action="store_true",
+        help="Protect radio core access port (disable debug access)",
+    )
+    parser.add_argument(
+        "--approtect-coresight-protected",
+        action="store_true",
+        help="Protect CoreSight access port (disable debug access)",
+    )
     parser.add_argument(
         "--protectedmem",
         action="store_true",
@@ -613,6 +630,15 @@ def main() -> None:
         # Handle ERASEPROTECT configuration
         if args.eraseprotect:
             uicr.ERASEPROTECT = ENABLED_VALUE
+        # Handle APPROTECT configuration
+        if args.approtect_application_protected:
+            uicr.APPROTECT.APPLICATION = PROTECTED_VALUE
+
+        if args.approtect_radiocore_protected:
+            uicr.APPROTECT.RADIOCORE = PROTECTED_VALUE
+
+        if args.approtect_coresight_protected:
+            uicr.APPROTECT.CORESIGHT = PROTECTED_VALUE
         # Handle protected memory configuration
         if args.protectedmem:
             if args.protectedmem_size_bytes % KB_4 != 0:

soc/nordic/common/uicr/gen_uicr/CMakeLists.txt

@@ -77,6 +77,7 @@ endif()
 
 set(lock_args)
 set(eraseprotect_args)
+set(approtect_args)
 set(protectedmem_args)
 set(periphconf_args)
 set(wdtstart_args)
@@ -127,6 +128,19 @@ if(CONFIG_GEN_UICR_ERASEPROTECT)
   list(APPEND eraseprotect_args --eraseprotect)
 endif()
 
+# Handle APPROTECT configuration
+if(CONFIG_GEN_UICR_APPROTECT_APPLICATION_PROTECTED)
+  list(APPEND approtect_args --approtect-application-protected)
+endif()
+
+if(CONFIG_GEN_UICR_APPROTECT_RADIOCORE_PROTECTED)
+  list(APPEND approtect_args --approtect-radiocore-protected)
+endif()
+
+if(CONFIG_GEN_UICR_APPROTECT_CORESIGHT_PROTECTED)
+  list(APPEND approtect_args --approtect-coresight-protected)
+endif()
+
 # Handle protected memory configuration
 if(CONFIG_GEN_UICR_PROTECTEDMEM)
   list(APPEND protectedmem_args --protectedmem)
@@ -257,6 +271,7 @@ add_custom_command(
           --out-uicr-hex ${uicr_hex_file}
           ${lock_args}
           ${eraseprotect_args}
+          ${approtect_args}
           ${wdtstart_args}
           ${periphconf_args}
           ${securestorage_args}

soc/nordic/common/uicr/gen_uicr/Kconfig

@@ -49,6 +49,31 @@ config GEN_UICR_ERASEPROTECT
 	  with UICR.LOCK, it becomes impossible to modify the UICR in any way.
 	  This should only be enabled during final stages of production.
 
+menu "UICR.APPROTECT - Access Port Protection"
+
+config GEN_UICR_APPROTECT_APPLICATION_PROTECTED
+	bool "Protect application domain access port"
+	help
+	  When enabled, disables debug access to the application domain processor,
+	  preventing debugger connection to application memory, registers, and debug
+	  features. When disabled, full debug access is enabled.
+
+config GEN_UICR_APPROTECT_RADIOCORE_PROTECTED
+	bool "Protect radio core access port"
+	help
+	  When enabled, disables debug access to the radio core processor,
+	  preventing debugger connection to radio core memory, registers, and debug
+	  features. When disabled, full debug access is enabled.
+
+config GEN_UICR_APPROTECT_CORESIGHT_PROTECTED
+	bool "Protect CoreSight access port"
+	help
+	  When enabled, disables access to the CoreSight debug infrastructure,
+	  blocking system-level debug features. When disabled, full debug access
+	  is enabled.
+
+endmenu
+
 config GEN_UICR_PROTECTEDMEM
 	bool "Enable UICR.PROTECTEDMEM"
 	help