[nrf fromtree] soc: nordic: uicr: Add support for UICR.LOCK

SebastianBoe · rlubos · commit 1be37ce1f050 · 2025-10-24T15:55:30.000+02:00
Add support for UICR.LOCK configuration, which locks the entire UICR configuration in NVR0 to prevent unauthorized modifications. This introduces a Kconfig option GEN_UICR_LOCK that enables locking of the UICR. Once locked, the UICR can only be modified by performing an ERASEALL operation. This is a critical security feature for production devices, typically enabled alongside UICR.APPROTECT, UICR.PROTECTEDMEM, and UICR.ERASEPROTECT to establish a complete device protection scheme. When enabled, the gen_uicr.py script sets UICR.LOCK to 0xFFFFFFFF, which configures the NVR0 page as read-only and enforces integrity checks on the UICR content. Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no> (cherry picked from commit 1ffdf09)
diff --git a/scripts/ci/check_compliance.py b/scripts/ci/check_compliance.py
@@ -1351,6 +1351,7 @@ def check_no_undef_outside_kconfig(self, kconf):
         "FOO_SETTING_1",
         "FOO_SETTING_2",
         "GEN_UICR_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
+        "GEN_UICR_LOCK",
         "GEN_UICR_PROTECTEDMEM",
         "GEN_UICR_PROTECTEDMEM_SIZE_BYTES",
         "GEN_UICR_SECONDARY",
diff --git a/soc/nordic/common/uicr/gen_uicr.py b/soc/nordic/common/uicr/gen_uicr.py
@@ -430,6 +430,11 @@ def main() -> None:
         type=lambda s: int(s, 0),
         help="Size in bytes of cpurad_its_partition (decimal or 0x-prefixed hex)",
     )
+    parser.add_argument(
+        "--lock",
+        action="store_true",
+        help="Enable UICR.LOCK to prevent modifications without ERASEALL",
+    )
     parser.add_argument(
         "--protectedmem",
         action="store_true",
@@ -597,6 +602,9 @@ def main() -> None:
             uicr.SECURESTORAGE.ITS.APPLICATIONSIZE1KB = args.cpuapp_its_size // 1024
             uicr.SECURESTORAGE.ITS.RADIOCORESIZE1KB = args.cpurad_its_size // 1024
 
+        # Handle LOCK configuration
+        if args.lock:
+            uicr.LOCK = ENABLED_VALUE
         # Handle protected memory configuration
         if args.protectedmem:
             if args.protectedmem_size_bytes % KB_4 != 0:
diff --git a/soc/nordic/common/uicr/gen_uicr/CMakeLists.txt b/soc/nordic/common/uicr/gen_uicr/CMakeLists.txt
@@ -75,6 +75,7 @@ endfunction()
 if(CMAKE_VERBOSE_MAKEFILE)
 endif()
 
+set(lock_args)
 set(protectedmem_args)
 set(periphconf_args)
 set(wdtstart_args)
@@ -115,6 +116,11 @@ if(CONFIG_GEN_UICR_SECURESTORAGE)
   list(APPEND securestorage_args --cpurad-its-size ${CPURAD_ITS_SIZE})
 endif(CONFIG_GEN_UICR_SECURESTORAGE)
 
+# Handle LOCK configuration
+if(CONFIG_GEN_UICR_LOCK)
+  list(APPEND lock_args --lock)
+endif()
+
 # Handle protected memory configuration
 if(CONFIG_GEN_UICR_PROTECTEDMEM)
   list(APPEND protectedmem_args --protectedmem)
@@ -243,6 +249,7 @@ add_custom_command(
           --uicr-address ${UICR_ADDRESS}
           --out-merged-hex ${merged_hex_file}
           --out-uicr-hex ${uicr_hex_file}
+          ${lock_args}
           ${wdtstart_args}
           ${periphconf_args}
           ${securestorage_args}
diff --git a/soc/nordic/common/uicr/gen_uicr/Kconfig b/soc/nordic/common/uicr/gen_uicr/Kconfig
@@ -32,6 +32,17 @@ config GEN_UICR_SECURESTORAGE
 	  - At least one subpartition must be defined
 	  - Combined subpartition sizes must equal secure_storage_partition size
 
+config GEN_UICR_LOCK
+	bool "Enable UICR.LOCK"
+	help
+	  When enabled, locks the entire contents of the NVR0 page located in
+	  MRAM10. This includes all values in both the UICR and the BICR (Board
+	  Information Configuration Registers). Once locked, the UICR can only
+	  be modified by performing an ERASEALL operation.
+
+	  This should be enabled only in production devices to prevent
+	  unauthorized modification.
+
 config GEN_UICR_PROTECTEDMEM
 	bool "Enable UICR.PROTECTEDMEM"
 	help
