[nrf fromtree] soc: nordic: uicr: Add safety flag for permanent device transition

SebastianBoe · rlubos · commit cd1a0c5d07c9 · 2025-10-24T15:55:30.000+02:00
Add --permit-permanently-transitioning-device-to-deployed safety flag to gen_uicr.py, required when enabling both UICR.LOCK and UICR.ERASEPROTECT together. This prevents accidental permanent locking of devices since this combination makes the configuration irreversible. Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no> (cherry picked from commit 35b89ab)
diff --git a/scripts/ci/check_compliance.py b/scripts/ci/check_compliance.py
@@ -1354,7 +1354,7 @@ def check_no_undef_outside_kconfig(self, kconf):
         "GEN_UICR_APPROTECT_CORESIGHT_PROTECTED",
         "GEN_UICR_APPROTECT_RADIOCORE_PROTECTED",
         "GEN_UICR_ERASEPROTECT",
-        "GEN_UICR_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
+        "GEN_UICR_GENERATE_PERIPHCONF",
         "GEN_UICR_LOCK",
         "GEN_UICR_PROTECTEDMEM",
         "GEN_UICR_PROTECTEDMEM_SIZE_BYTES",
diff --git a/soc/nordic/common/uicr/gen_uicr.py b/soc/nordic/common/uicr/gen_uicr.py
@@ -432,6 +432,14 @@ def main() -> None:
         type=lambda s: int(s, 0),
         help="Size in bytes of cpurad_its_partition (decimal or 0x-prefixed hex)",
     )
+    parser.add_argument(
+        "--permit-permanently-transitioning-device-to-deployed",
+        action="store_true",
+        help=(
+            "Safety flag required to enable both UICR.LOCK and UICR.ERASEPROTECT together. "
+            "Must be explicitly provided to acknowledge permanent device state changes."
+        ),
+    )
     parser.add_argument(
         "--lock",
         action="store_true",
@@ -624,10 +632,22 @@ def main() -> None:
             uicr.SECURESTORAGE.ITS.APPLICATIONSIZE1KB = args.cpuapp_its_size // 1024
             uicr.SECURESTORAGE.ITS.RADIOCORESIZE1KB = args.cpurad_its_size // 1024
 
-        # Handle LOCK configuration
+        # Handle LOCK and ERASEPROTECT configuration
+        # Check if both are enabled together - this requires explicit acknowledgment
+        if (
+            args.lock
+            and args.eraseprotect
+            and not args.permit_permanently_transitioning_device_to_deployed
+        ):
+            raise ScriptError(
+                "Enabling both --lock and --eraseprotect requires "
+                "--permit-permanently-transitioning-device-to-deployed to be specified. "
+                "This combination permanently locks the device configuration and prevents "
+                "ERASEALL."
+            )
+
         if args.lock:
             uicr.LOCK = ENABLED_VALUE
-        # Handle ERASEPROTECT configuration
         if args.eraseprotect:
             uicr.ERASEPROTECT = ENABLED_VALUE
         # Handle APPROTECT configuration
