[nrf fromtree] soc: nordic: uicr: Add safety flag for permanent device transition

Add --permit-permanently-transitioning-device-to-deployed safety flag
to gen_uicr.py, required when enabling both UICR.LOCK and
UICR.ERASEPROTECT together. This prevents accidental permanent locking
of devices since this combination makes the configuration irreversible.

The safety flag must be explicitly provided through the Kconfig option
GEN_UICR_PERMIT_PERMANENTLY_TRANSITIONING_DEVICE_TO_DEPLOYED to enable
this dangerous combination. This ensures developers are aware of the
permanent consequences before locking their devices.

Without this safety mechanism, developers might accidentally create
devices that cannot be updated or debugged, requiring hardware
replacement.

Signed-off-by: Sebastian Bøe <[email protected]>
(cherry picked from commit 35b89ab)

Author: SebastianBoe

scripts/ci/check_compliance.py

@@ -1304,7 +1304,7 @@ def check_no_undef_outside_kconfig(self, kconf):
         "GEN_UICR_APPROTECT_CORESIGHT_PROTECTED",
         "GEN_UICR_APPROTECT_RADIOCORE_PROTECTED",
         "GEN_UICR_ERASEPROTECT",
-        "GEN_UICR_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
+        "GEN_UICR_GENERATE_PERIPHCONF",
         "GEN_UICR_LOCK",
         "GEN_UICR_PROTECTEDMEM",
         "GEN_UICR_PROTECTEDMEM_SIZE_BYTES",

soc/nordic/common/uicr/gen_uicr.py

@@ -432,6 +432,14 @@ def main() -> None:
         type=lambda s: int(s, 0),
         help="Size in bytes of cpurad_its_partition (decimal or 0x-prefixed hex)",
     )
+    parser.add_argument(
+        "--permit-permanently-transitioning-device-to-deployed",
+        action="store_true",
+        help=(
+            "Safety flag required to enable both UICR.LOCK and UICR.ERASEPROTECT together. "
+            "Must be explicitly provided to acknowledge permanent device state changes."
+        ),
+    )
     parser.add_argument(
         "--lock",
         action="store_true",
@@ -624,10 +632,22 @@ def main() -> None:
             uicr.SECURESTORAGE.ITS.APPLICATIONSIZE1KB = args.cpuapp_its_size // 1024
             uicr.SECURESTORAGE.ITS.RADIOCORESIZE1KB = args.cpurad_its_size // 1024
 
-        # Handle LOCK configuration
+        # Handle LOCK and ERASEPROTECT configuration
+        # Check if both are enabled together - this requires explicit acknowledgment
+        if (
+            args.lock
+            and args.eraseprotect
+            and not args.permit_permanently_transitioning_device_to_deployed
+        ):
+            raise ScriptError(
+                "Enabling both --lock and --eraseprotect requires "
+                "--permit-permanently-transitioning-device-to-deployed to be specified. "
+                "This combination permanently locks the device configuration and prevents "
+                "ERASEALL."
+            )
+
         if args.lock:
             uicr.LOCK = ENABLED_VALUE
-        # Handle ERASEPROTECT configuration
         if args.eraseprotect:
             uicr.ERASEPROTECT = ENABLED_VALUE
         # Handle APPROTECT configuration