drivers: flash: Introduce readout protection support for STM32F4

This patch adds flash readout protection support for STM32F4 devices
family. These devices can enable protection on entire flash content.

Readout protection functionality was exposed as vendor extended
operation. To change readout protection state, caller should provide a
structure which describes desired RDP state.

Enabling readout protection permanently or disabling readout protection
(changing from level 1 to level 0) is guarded by
CONFIG_FLASH_STM32_READOUT_PROTECTION_PERMANENT_ALLOW and
CONFIG_FLASH_STM32_READOUT_PROTECTION_DISABLE_ALLOW respectively.

Signed-off-by: Patryk Duda <[email protected]>

Author: duda-patryk

drivers/flash/Kconfig.stm32

@@ -37,4 +37,28 @@ config FLASH_STM32_WRITE_PROTECT_DISABLE_PREVENTION
 	  If enabled, all requests to disable flash write protection will be
 	  blocked.
 
+config FLASH_STM32_READOUT_PROTECTION
+	bool "Extended operation for flash readout protection control"
+	depends on SOC_SERIES_STM32F4X
+	default n
+	help
+	  Enables flash extended operation for enabling/disabling flash readout
+	  protection.
+
+config FLASH_STM32_READOUT_PROTECTION_DISABLE_ALLOW
+	bool "Allow disabling readout protection"
+	depends on FLASH_STM32_READOUT_PROTECTION
+	default n
+	help
+	  With this option enabled it will be possible to disable readout
+	  protection. On STM32 devices it will trigger flash mass erase!
+
+config FLASH_STM32_READOUT_PROTECTION_PERMANENT_ALLOW
+	bool "Allow enabling readout protection permanently"
+	depends on FLASH_STM32_READOUT_PROTECTION
+	default n
+	help
+	  With this option enabled it will be possible to enable readout
+	  protection permanently.
+
 endif # SOC_FLASH_STM32

drivers/flash/flash_stm32.c

@@ -398,6 +398,11 @@ static int flash_stm32_ex_op(const struct device *dev, uint16_t code,
 		rv = flash_stm32_ex_op_sector_wp(dev, in, out);
 		break;
 #endif /* CONFIG_FLASH_STM32_WRITE_PROTECT */
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION)
+	case FLASH_STM32_EX_OP_RDP:
+		rv = flash_stm32_ex_op_rdp(dev, in, out);
+		break;
+#endif /* CONFIG_FLASH_STM32_READOUT_PROTECTION */
 	}
 
 	flash_stm32_sem_give(dev);

drivers/flash/flash_stm32.h

@@ -225,6 +225,9 @@ struct flash_stm32_priv {
 				FLASH_STM32_SR_RDERR |			\
 				FLASH_STM32_SR_PGPERR)
 
+#define FLASH_STM32_RDP0 0xAA
+#define FLASH_STM32_RDP1 0x55
+#define FLASH_STM32_RDP2 0xCC
 
 #ifdef CONFIG_FLASH_PAGE_LAYOUT
 static inline bool flash_stm32_range_exists(const struct device *dev,
@@ -271,11 +274,23 @@ int flash_stm32_update_wp_sectors(const struct device *dev,
 int flash_stm32_get_wp_sectors(const struct device *dev,
 			       uint32_t *protected_sectors);
 #endif
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION)
+
+int flash_stm32_update_rdp(const struct device *dev, bool enable,
+			   bool permanent);
+
+int flash_stm32_get_rdp(const struct device *dev, bool *enabled,
+			bool *permanent);
+#endif
 
 /* Flash extended operations */
 #if defined(CONFIG_FLASH_STM32_WRITE_PROTECT)
 int flash_stm32_ex_op_sector_wp(const struct device *dev, const uintptr_t in,
 				void *out);
 #endif
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION)
+int flash_stm32_ex_op_rdp(const struct device *dev, const uintptr_t in,
+			  void *out);
+#endif
 
 #endif /* ZEPHYR_DRIVERS_FLASH_FLASH_STM32_H_ */

drivers/flash/flash_stm32_ex_op.c

@@ -83,3 +83,60 @@ int flash_stm32_ex_op_sector_wp(const struct device *dev, const uintptr_t in,
 	return rc;
 }
 #endif /* CONFIG_FLASH_STM32_WRITE_PROTECT */
+
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION)
+int flash_stm32_ex_op_rdp(const struct device *dev, const uintptr_t in,
+			  void *out)
+{
+	const struct flash_stm32_ex_op_rdp *request =
+		(const struct flash_stm32_ex_op_rdp *)in;
+	struct flash_stm32_ex_op_rdp *result =
+		(struct flash_stm32_ex_op_rdp *)out;
+
+#ifdef CONFIG_USERSPACE
+	struct flash_stm32_ex_op_rdp copy;
+	bool syscall_trap = z_syscall_trap();
+#endif
+	int rc = 0, rc2 = 0;
+
+	if (request != NULL) {
+#ifdef CONFIG_USERSPACE
+		if (syscall_trap) {
+			Z_OOPS(z_user_from_copy(&copy, request, sizeof(copy)));
+			request = ©
+		}
+#endif
+		rc = flash_stm32_option_bytes_lock(dev, false);
+		if (rc == 0) {
+			rc = flash_stm32_update_rdp(dev, request->enable,
+						    request->permanent);
+		}
+
+		rc2 = flash_stm32_option_bytes_lock(dev, true);
+		if (!rc) {
+			rc = rc2;
+		}
+	}
+
+	if (result != NULL) {
+#ifdef CONFIG_USERSPACE
+		if (syscall_trap) {
+			result = ©
+		}
+#endif
+		rc2 = flash_stm32_get_rdp(dev, &result->enable,
+					  &result->permanent);
+		if (!rc) {
+			rc = rc2;
+		}
+
+#ifdef CONFIG_USERSPACE
+		if (syscall_trap) {
+			Z_OOPS(z_user_to_copy(out, result, sizeof(copy)));
+		}
+#endif
+	}
+
+	return rc;
+}
+#endif /* CONFIG_FLASH_STM32_READOUT_PROTECTION */

drivers/flash/flash_stm32f4x.c

@@ -17,6 +17,8 @@
 
 #include "flash_stm32.h"
 
+LOG_MODULE_REGISTER(flash_stm32f4x, CONFIG_FLASH_LOG_LEVEL);
+
 bool flash_stm32_valid_range(const struct device *dev, off_t offset,
 			     uint32_t len,
 			     bool write)
@@ -270,6 +272,108 @@ int flash_stm32_get_wp_sectors(const struct device *dev,
 }
 #endif /* CONFIG_FLASH_STM32_WRITE_PROTECT */
 
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION)
+int flash_stm32_update_rdp(const struct device *dev, bool enable,
+			   bool permanent)
+{
+	FLASH_TypeDef *regs = FLASH_STM32_REGS(dev);
+	uint8_t current_level, target_level;
+
+	current_level =
+		(regs->OPTCR & FLASH_OPTCR_RDP_Msk) >> FLASH_OPTCR_RDP_Pos;
+	target_level = current_level;
+
+	/*
+	 * 0xAA = RDP level 0 (no protection)
+	 * 0xCC = RDP level 2 (permanent protection)
+	 * others = RDP level 1 (protection active)
+	 */
+	switch (current_level) {
+	case FLASH_STM32_RDP2:
+		if (!enable || !permanent) {
+			__ASSERT(false, "RDP level 2 is permanent and can't be "
+					"changed!");
+			return -ENOTSUP;
+		}
+		break;
+	case FLASH_STM32_RDP0:
+		if (enable) {
+			target_level = FLASH_STM32_RDP1;
+			if (permanent) {
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION_PERMANENT_ALLOW)
+				target_level = FLASH_STM32_RDP2;
+#else
+				__ASSERT(false,
+					 "Permanent readout protection (RDP "
+					 "level 0 -> 2) not allowed");
+				return -ENOTSUP;
+#endif
+			}
+		}
+		break;
+	default: /* FLASH_STM32_RDP1 */
+		if (enable && permanent) {
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION_PERMANENT_ALLOW)
+			target_level = FLASH_STM32_RDP2;
+#else
+			__ASSERT(false, "Permanent readout protection (RDP "
+					"level 1 -> 2) not allowed");
+			return -ENOTSUP;
+#endif
+		}
+		if (!enable) {
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION_DISABLE_ALLOW)
+			target_level = FLASH_STM32_RDP0;
+#else
+			__ASSERT(false, "Disabling readout protection (RDP "
+					"level 1 -> 0) not allowed");
+			return -EACCES;
+#endif
+		}
+	}
+
+	/* Update RDP level if needed */
+	if (current_level != target_level) {
+		LOG_INF("RDP changed from 0x%02x to 0x%02x", current_level,
+			target_level);
+
+		write_optb(dev, FLASH_OPTCR_RDP_Msk,
+			   (uint32_t)target_level << FLASH_OPTCR_RDP_Pos);
+	}
+	return 0;
+}
+
+int flash_stm32_get_rdp(const struct device *dev, bool *enabled,
+			bool *permanent)
+{
+	FLASH_TypeDef *regs = FLASH_STM32_REGS(dev);
+	uint8_t current_level;
+
+	current_level =
+		(regs->OPTCR & FLASH_OPTCR_RDP_Msk) >> FLASH_OPTCR_RDP_Pos;
+
+	/*
+	 * 0xAA = RDP level 0 (no protection)
+	 * 0xCC = RDP level 2 (permanent protection)
+	 * others = RDP level 1 (protection active)
+	 */
+	switch (current_level) {
+	case FLASH_STM32_RDP2:
+		*enabled = true;
+		*permanent = true;
+		break;
+	case FLASH_STM32_RDP0:
+		*enabled = false;
+		*permanent = false;
+		break;
+	default: /* FLASH_STM32_RDP1 */
+		*enabled = true;
+		*permanent = false;
+	}
+	return 0;
+}
+#endif /* CONFIG_FLASH_STM32_READOUT_PROTECTION */
+
 /*
  * Different SoC flash layouts are specified in across various
  * reference manuals, but the flash layout for a given number of

include/zephyr/drivers/flash/stm32_flash_api_extensions.h

@@ -21,6 +21,14 @@ enum stm32_ex_ops {
 	 * Output can be NULL if not needed.
 	 */
 	FLASH_STM32_EX_OP_SECTOR_WP = FLASH_EX_OP_VENDOR_BASE,
+	/*
+	 * STM32 sector readout protection control.
+	 *
+	 * As an input this operation takes structure with information about
+	 * desired RDP state. As an output the status after applying changes
+	 * is returned.
+	 */
+	FLASH_STM32_EX_OP_RDP,
 };
 
 #if defined(CONFIG_FLASH_STM32_WRITE_PROTECT)
@@ -33,3 +41,10 @@ struct flash_stm32_ex_op_sector_wp_out {
 	uint32_t protected_mask;
 };
 #endif /* CONFIG_FLASH_STM32_WRITE_PROTECT */
+
+#if defined(CONFIG_FLASH_STM32_READOUT_PROTECTION)
+struct flash_stm32_ex_op_rdp {
+	bool enable;
+	bool permanent;
+};
+#endif /* CONFIG_FLASH_STM32_READOUT_PROTECTION */