[nrf fromtree] soc: nordic: uicr: Add support for UICR.ERASEPROTECT

Add support for UICR.ERASEPROTECT configuration, which controls erase
protection for the device. When enabled, this prevents mass erase
operations that would normally clear all flash memory and reset the
device to factory defaults.

This register is controlled through the TAMPC peripheral and provides
an additional layer of security for production devices. When combined
with UICR.LOCK, it creates a permanent protection that cannot be
reversed without destroying the device.

The Kconfig option GEN_UICR_ERASEPROTECT_PROTECTED controls whether
erase protection is enabled (PROTECTED) or disabled (UNPROTECTED).

Signed-off-by: Sebastian Bøe <[email protected]>
(cherry picked from commit e20352d80a083fbf6bc0e23e2cb22e95c4b7dd8d)

Author: SebastianBoe

scripts/ci/check_compliance.py

@@ -1300,6 +1300,7 @@ def check_no_undef_outside_kconfig(self, kconf):
         "FOO_LOG_LEVEL",
         "FOO_SETTING_1",
         "FOO_SETTING_2",
+        "GEN_UICR_ERASEPROTECT",
         "GEN_UICR_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
         "GEN_UICR_LOCK",
         "GEN_UICR_PROTECTEDMEM",

soc/nordic/common/uicr/gen_uicr.py

@@ -435,6 +435,11 @@ def main() -> None:
         action="store_true",
         help="Enable UICR.LOCK to prevent modifications without ERASEALL",
     )
+    parser.add_argument(
+        "--eraseprotect",
+        action="store_true",
+        help="Enable UICR.ERASEPROTECT to block ERASEALL operations",
+    )
     parser.add_argument(
         "--protectedmem",
         action="store_true",
@@ -605,6 +610,9 @@ def main() -> None:
         # Handle LOCK configuration
         if args.lock:
             uicr.LOCK = ENABLED_VALUE
+        # Handle ERASEPROTECT configuration
+        if args.eraseprotect:
+            uicr.ERASEPROTECT = ENABLED_VALUE
         # Handle protected memory configuration
         if args.protectedmem:
             if args.protectedmem_size_bytes % KB_4 != 0:

soc/nordic/common/uicr/gen_uicr/CMakeLists.txt

@@ -76,6 +76,7 @@ if(CMAKE_VERBOSE_MAKEFILE)
 endif()
 
 set(lock_args)
+set(eraseprotect_args)
 set(protectedmem_args)
 set(periphconf_args)
 set(wdtstart_args)
@@ -121,6 +122,11 @@ if(CONFIG_GEN_UICR_LOCK)
   list(APPEND lock_args --lock)
 endif()
 
+# Handle ERASEPROTECT configuration
+if(CONFIG_GEN_UICR_ERASEPROTECT)
+  list(APPEND eraseprotect_args --eraseprotect)
+endif()
+
 # Handle protected memory configuration
 if(CONFIG_GEN_UICR_PROTECTEDMEM)
   list(APPEND protectedmem_args --protectedmem)
@@ -250,6 +256,7 @@ add_custom_command(
           --out-merged-hex ${merged_hex_file}
           --out-uicr-hex ${uicr_hex_file}
           ${lock_args}
+          ${eraseprotect_args}
           ${wdtstart_args}
           ${periphconf_args}
           ${securestorage_args}

soc/nordic/common/uicr/gen_uicr/Kconfig

@@ -43,6 +43,18 @@ config GEN_UICR_LOCK
 	  This should be enabled only in production devices to prevent
 	  unauthorized modification.
 
+config GEN_UICR_ERASEPROTECT
+	bool "Enable UICR.ERASEPROTECT"
+	depends on ! GEN_UICR_LOCK
+	help
+	  When enabled, ERASEALL operations are blocked.
+
+	  This option is mutually exclusive with UICR.LOCK in Kconfig to prevent
+	  accidental configuration where both are enabled simultaneously. If both
+	  were enabled, the UICR would become impossible to modify in any way.
+	  Note that gen_uicr.py can be used directly to create a configuration
+	  with both enabled if needed.
+
 config GEN_UICR_PROTECTEDMEM
 	bool "Enable UICR.PROTECTEDMEM"
 	help