[nrf fromtree] soc: nordic: uicr: Add support for UICR.ERASEPROTECT

SebastianBoe · rlubos · commit f85acf7657db · 2025-10-24T15:55:30.000+02:00
Add support for UICR.ERASEPROTECT configuration, which blocks ERASEALL operations to prevent bulk erasure of protected memory. This introduces a Kconfig option GEN_UICR_ERASEPROTECT that enables blocking of ERASEALL operations on NVR0, preserving UICR settings even if an attacker attempts a full-chip erase. This is a critical security feature for production devices. When enabled together with UICR.LOCK, it becomes impossible to modify the UICR in any way, establishing a permanent device protection scheme. Due to this irreversibility, it should only be enabled during the final stages of production. When enabled, the gen_uicr.py script sets UICR.ERASEPROTECT to 0xFFFFFFFF, which prevents the ERASEALL command from affecting the NVR0 page. Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no> (cherry picked from commit e20352d)
diff --git a/scripts/ci/check_compliance.py b/scripts/ci/check_compliance.py
@@ -1350,6 +1350,7 @@ def check_no_undef_outside_kconfig(self, kconf):
         "FOO_LOG_LEVEL",
         "FOO_SETTING_1",
         "FOO_SETTING_2",
+        "GEN_UICR_ERASEPROTECT",
         "GEN_UICR_GENERATE_PERIPHCONF", # Used in specialized build tool, not part of main Kconfig
         "GEN_UICR_LOCK",
         "GEN_UICR_PROTECTEDMEM",
diff --git a/soc/nordic/common/uicr/gen_uicr.py b/soc/nordic/common/uicr/gen_uicr.py
@@ -435,6 +435,11 @@ def main() -> None:
         action="store_true",
         help="Enable UICR.LOCK to prevent modifications without ERASEALL",
     )
+    parser.add_argument(
+        "--eraseprotect",
+        action="store_true",
+        help="Enable UICR.ERASEPROTECT to block ERASEALL operations",
+    )
     parser.add_argument(
         "--protectedmem",
         action="store_true",
@@ -605,6 +610,9 @@ def main() -> None:
         # Handle LOCK configuration
         if args.lock:
             uicr.LOCK = ENABLED_VALUE
+        # Handle ERASEPROTECT configuration
+        if args.eraseprotect:
+            uicr.ERASEPROTECT = ENABLED_VALUE
         # Handle protected memory configuration
         if args.protectedmem:
             if args.protectedmem_size_bytes % KB_4 != 0:
diff --git a/soc/nordic/common/uicr/gen_uicr/CMakeLists.txt b/soc/nordic/common/uicr/gen_uicr/CMakeLists.txt
@@ -76,6 +76,7 @@ if(CMAKE_VERBOSE_MAKEFILE)
 endif()
 
 set(lock_args)
+set(eraseprotect_args)
 set(protectedmem_args)
 set(periphconf_args)
 set(wdtstart_args)
@@ -121,6 +122,11 @@ if(CONFIG_GEN_UICR_LOCK)
   list(APPEND lock_args --lock)
 endif()
 
+# Handle ERASEPROTECT configuration
+if(CONFIG_GEN_UICR_ERASEPROTECT)
+  list(APPEND eraseprotect_args --eraseprotect)
+endif()
+
 # Handle protected memory configuration
 if(CONFIG_GEN_UICR_PROTECTEDMEM)
   list(APPEND protectedmem_args --protectedmem)
@@ -250,6 +256,7 @@ add_custom_command(
           --out-merged-hex ${merged_hex_file}
           --out-uicr-hex ${uicr_hex_file}
           ${lock_args}
+          ${eraseprotect_args}
           ${wdtstart_args}
           ${periphconf_args}
           ${securestorage_args}
diff --git a/soc/nordic/common/uicr/gen_uicr/Kconfig b/soc/nordic/common/uicr/gen_uicr/Kconfig
@@ -43,6 +43,18 @@ config GEN_UICR_LOCK
 	  This should be enabled only in production devices to prevent
 	  unauthorized modification.
 
+config GEN_UICR_ERASEPROTECT
+	bool "Enable UICR.ERASEPROTECT"
+	depends on ! GEN_UICR_LOCK
+	help
+	  When enabled, ERASEALL operations are blocked.
+
+	  This option is mutually exclusive with UICR.LOCK in Kconfig to prevent
+	  accidental configuration where both are enabled simultaneously. If both
+	  were enabled, the UICR would become impossible to modify in any way.
+	  Note that gen_uicr.py can be used directly to create a configuration
+	  with both enabled if needed.
+
 config GEN_UICR_PROTECTEDMEM
 	bool "Enable UICR.PROTECTEDMEM"
 	help
