drivers: flash: Add ex ops for STM32 option/control register block

Introduce flash extended operations that can be used to disable access
to option and control registers until reset. Disabling access to these
registers improves system security, because flash content (or protection
settings) can't be changed even when exploit was found.

On STM32 devices, registers can be locked until reset by writing wrong
key during unlock procedure. It triggers a bus fault, so during the
procedure we need to ignore faults and clear bus fault pending bit.

Please note that option register disabling was implemented for devices
that have OPTCR register (F2, F4, F7 and H7). Implementation on other
devices requires more testing, since documentation is not precise
enough. Disabling control register was implemented for devices that
have CR register.

Signed-off-by: Patryk Duda <[email protected]>

Author: duda-patryk

drivers/flash/Kconfig.stm32

@@ -61,4 +61,13 @@ config FLASH_STM32_READOUT_PROTECTION_PERMANENT_ALLOW
 	  With this option enabled it will be possible to enable readout
 	  protection permanently.
 
+config FLASH_STM32_BLOCK_REGISTERS
+	bool "Extended operation for blocking option and control registers"
+	default n
+	help
+	  Enables flash extended operations that can be used to disable access
+	  to option and control registers until reset. Disabling access to these
+	  registers improves system security, because flash content (or
+	  protection settings) can't be changed even when exploit was found.
+
 endif # SOC_FLASH_STM32

drivers/flash/flash_stm32.c

@@ -376,6 +376,67 @@ int flash_stm32_option_bytes_lock(const struct device *dev, bool enable)
 	return 0;
 }
 
+#if defined(CONFIG_FLASH_STM32_BLOCK_REGISTERS)
+static int flash_stm32_control_register_disable(const struct device *dev)
+{
+	FLASH_TypeDef *regs = FLASH_STM32_REGS(dev);
+
+#if defined(FLASH_CR_LOCK) /* F0, F1, F2, F3, F4, F7, L4, G0, G4, H7, WB, WL   \
+			    */
+	/*
+	 * Access to control register can be disabled by writing wrong key to
+	 * the key register. Option register will remain disabled until reset.
+	 * Writing wrong key causes a bus fault, so we need to set FAULTMASK to
+	 * disable faults, and clear bus fault pending bit before enabling them
+	 * again.
+	 */
+	regs->CR |= FLASH_CR_LOCK;
+
+	__set_FAULTMASK(1);
+	regs->KEYR = 0xffffffff;
+
+	/* Clear Bus Fault pending bit */
+	SCB->SHCSR &= ~SCB_SHCSR_BUSFAULTPENDED_Msk;
+	__set_FAULTMASK(0);
+
+	return 0;
+#else
+	ARG_UNUSED(regs);
+
+	return -ENOTSUP;
+#endif
+}
+
+static int flash_stm32_option_bytes_disable(const struct device *dev)
+{
+	FLASH_TypeDef *regs = FLASH_STM32_REGS(dev);
+
+#if defined(FLASH_OPTCR_OPTLOCK) /* F2, F4, F7 and H7 */
+	/*
+	 * Access to option register can be disabled by writing wrong key to
+	 * the key register. Option register will remain disabled until reset.
+	 * Writing wrong key causes a bus fault, so we need to set FAULTMASK to
+	 * disable faults, and clear bus fault pending bit before enabling them
+	 * again.
+	 */
+	regs->OPTCR |= FLASH_OPTCR_OPTLOCK;
+
+	__set_FAULTMASK(1);
+	regs->OPTKEYR = 0xffffffff;
+
+	/* Clear Bus Fault pending bit */
+	SCB->SHCSR &= ~SCB_SHCSR_BUSFAULTPENDED_Msk;
+	__set_FAULTMASK(0);
+
+	return 0;
+#else
+	ARG_UNUSED(regs);
+
+	return -ENOTSUP;
+#endif
+}
+#endif /* CONFIG_FLASH_STM32_BLOCK_REGISTERS */
+
 static const struct flash_parameters *
 flash_stm32_get_parameters(const struct device *dev)
 {
@@ -403,6 +464,14 @@ static int flash_stm32_ex_op(const struct device *dev, uint16_t code,
 		rv = flash_stm32_ex_op_rdp(dev, in, out);
 		break;
 #endif /* CONFIG_FLASH_STM32_READOUT_PROTECTION */
+#if defined(CONFIG_FLASH_STM32_BLOCK_REGISTERS)
+	case FLASH_STM32_EX_OP_BLOCK_OPTION_REG:
+		rv = flash_stm32_option_bytes_disable(dev);
+		break;
+	case FLASH_STM32_EX_OP_BLOCK_CONTROL_REG:
+		rv = flash_stm32_control_register_disable(dev);
+		break;
+#endif /* CONFIG_FLASH_STM32_BLOCK_REGISTERS */
 	}
 
 	flash_stm32_sem_give(dev);

include/zephyr/drivers/flash/stm32_flash_api_extensions.h

@@ -29,6 +29,22 @@ enum stm32_ex_ops {
 	 * is returned.
 	 */
 	FLASH_STM32_EX_OP_RDP,
+	/*
+	 * STM32 block option register.
+	 *
+	 * This operation causes option register to be locked until next boot.
+	 * After calling, it's not possible to change option bytes (WP, RDP,
+	 * user bytes).
+	 */
+	FLASH_STM32_EX_OP_BLOCK_OPTION_REG,
+	/*
+	 * STM32 block control register.
+	 *
+	 * This operation causes control register to be locked until next boot.
+	 * After calling, it's not possible to perform basic operation like
+	 * erasing or writing.
+	 */
+	FLASH_STM32_EX_OP_BLOCK_CONTROL_REG,
 };
 
 #if defined(CONFIG_FLASH_STM32_WRITE_PROTECT)