[nrf fromlist] soc: nordic: uicr: Add support for UICR.ERASEPROTECT

Add support for UICR.ERASEPROTECT configuration, which blocks ERASEALL
operations to prevent bulk erasure of protected memory.

This introduces a Kconfig option GEN_UICR_ERASEPROTECT that enables
blocking of ERASEALL operations on NVR0, preserving UICR settings even
if an attacker attempts a full-chip erase.

This is a critical security feature for production devices. When enabled
together with UICR.LOCK, it becomes impossible to modify the UICR in
any way, establishing a permanent device protection scheme. Due to this
irreversibility, it should only be enabled during the final stages of
production.

When enabled, the gen_uicr.py script sets UICR.ERASEPROTECT to
0xFFFFFFFF, which prevents the ERASEALL command from affecting the
NVR0 page.

Upstream PR #: 97337

Signed-off-by: Sebastian Bøe <[email protected]>

Author: SebastianBoe

scripts/ci/check_compliance.py

@@ -1300,6 +1300,7 @@ def check_no_undef_outside_kconfig(self, kconf):
         "FOO_LOG_LEVEL",
         "FOO_SETTING_1",
         "FOO_SETTING_2",
+        "GEN_UICR_ERASEPROTECT",
         "GEN_UICR_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
         "GEN_UICR_LOCK",
         "GEN_UICR_PROTECTEDMEM",

soc/nordic/common/uicr/gen_uicr.py

@@ -435,6 +435,11 @@ def main() -> None:
         action="store_true",
         help="Enable UICR.LOCK to prevent modifications without ERASEALL",
     )
+    parser.add_argument(
+        "--eraseprotect",
+        action="store_true",
+        help="Enable UICR.ERASEPROTECT to block ERASEALL operations",
+    )
     parser.add_argument(
         "--protectedmem",
         action="store_true",
@@ -605,6 +610,9 @@ def main() -> None:
         # Handle LOCK configuration
         if args.lock:
             uicr.LOCK = ENABLED_VALUE
+        # Handle ERASEPROTECT configuration
+        if args.eraseprotect:
+            uicr.ERASEPROTECT = ENABLED_VALUE
         # Handle protected memory configuration
         if args.protectedmem:
             if args.protectedmem_size_bytes % KB_4 != 0:

soc/nordic/common/uicr/gen_uicr/CMakeLists.txt

@@ -76,6 +76,7 @@ if(CMAKE_VERBOSE_MAKEFILE)
 endif()
 
 set(lock_args)
+set(eraseprotect_args)
 set(protectedmem_args)
 set(periphconf_args)
 set(wdtstart_args)
@@ -121,6 +122,11 @@ if(CONFIG_GEN_UICR_LOCK)
   list(APPEND lock_args --lock)
 endif()
 
+# Handle ERASEPROTECT configuration
+if(CONFIG_GEN_UICR_ERASEPROTECT)
+  list(APPEND eraseprotect_args --eraseprotect)
+endif()
+
 # Handle protected memory configuration
 if(CONFIG_GEN_UICR_PROTECTEDMEM)
   list(APPEND protectedmem_args --protectedmem)
@@ -250,6 +256,7 @@ add_custom_command(
           --out-merged-hex ${merged_hex_file}
           --out-uicr-hex ${uicr_hex_file}
           ${lock_args}
+          ${eraseprotect_args}
           ${wdtstart_args}
           ${periphconf_args}
           ${securestorage_args}

soc/nordic/common/uicr/gen_uicr/Kconfig

@@ -41,6 +41,14 @@ config GEN_UICR_LOCK
 	  in production devices to prevent unauthorized modification of the
 	  UICR configuration.
 
+config GEN_UICR_ERASEPROTECT
+	bool "Enable UICR.ERASEPROTECT"
+	help
+	  When enabled, the UICR generator will block ERASEALL operations.
+	  This prevents bulk erasure of protected memory. If enabled along
+	  with UICR.LOCK, it becomes impossible to modify the UICR in any way.
+	  This should only be enabled during final stages of production.
+
 config GEN_UICR_PROTECTEDMEM
 	bool "Enable UICR.PROTECTEDMEM"
 	help