tfm: Lock Approtect in network core

With nRF53, allow the network core Approtect to be locked from TF-M.

This is done when we are transitioning from provisioning LCS to
secure LCS.

NCSDK-17920

Signed-off-by: Markus Lassila <[email protected]>

Author: MarkusLassila

modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c

@@ -16,6 +16,51 @@
 #include "nrf_provisioning.h"
 #include <identity_key.h>
 #include <tfm_spm_log.h>
+#include <pm_config.h>
+#if defined(NRF53_SERIES) && defined(PM_CPUNET_APP_ADDRESS)
+#include <dfu/pcd_common.h>
+#include <spu.h>
+#include <hal/nrf_reset.h>
+
+#define DEBUG_LOCK_TIMEOUT_MS 3000
+#define USEC_IN_MSEC 1000
+#define USEC_IN_SEC 1000000
+
+static enum tfm_plat_err_t disable_netcore_debug(void)
+{
+	/* NRF_RESET to secure.
+	 * It will be configured to the original value after the provisioning is done.
+	 */
+	spu_peripheral_config_secure(NRF_RESET_S_BASE, SPU_LOCK_CONF_UNLOCKED);
+
+	/* Ensure that the network core is stopped. */
+	nrf_reset_network_force_off(NRF_RESET, true);
+
+	/* Debug lock command will be read in b0n startup. */
+	pcd_write_cmd_lock_debug();
+
+	/* Start the network core. */
+	nrf_reset_network_force_off(NRF_RESET, false);
+
+	/* Wait 1 second for the network core to start up. */
+	NRFX_DELAY_US(USEC_IN_SEC);
+
+	/* Wait for the debug lock to complete. */
+	for (int i = 0; i < DEBUG_LOCK_TIMEOUT_MS; i++) {
+		if (!pcd_read_cmd_lock_debug()) {
+			break;
+		}
+		NRFX_DELAY_US(USEC_IN_MSEC);
+	}
+
+	if (!pcd_read_cmd_done()) {
+		SPMLOG_ERRMSG("Failed to lock debug in network core.");
+		return TFM_PLAT_ERR_SYSTEM_ERR;
+	}
+
+	return TFM_PLAT_ERR_SUCCESS;
+}
+#endif /* NRF53_SERIES && PM_CPUNET_APP_ADDRESS */
 
 static enum tfm_plat_err_t verify_debug_disabled(void)
 {
@@ -71,10 +116,18 @@ enum tfm_plat_err_t tfm_plat_provisioning_perform(void)
 	 * that secure boot is already enabled at this stage
 	 */
 
+	/* Application debug should already be disabled */
 	if (verify_debug_disabled() != TFM_PLAT_ERR_SUCCESS) {
 		return TFM_PLAT_ERR_SYSTEM_ERR;
 	}
 
+#if defined(NRF53_SERIES) && defined(PM_CPUNET_APP_ADDRESS)
+	/* Disable network core debug in here */
+	if (disable_netcore_debug() != TFM_PLAT_ERR_SUCCESS) {
+		return TFM_PLAT_ERR_SYSTEM_ERR;
+	}
+#endif
+
 	/* Transition to the SECURED lifecycle state */
 	if (tfm_attest_update_security_lifecycle_otp(TFM_SLC_SECURED) != 0) {
 		return TFM_PLAT_ERR_SYSTEM_ERR;

modules/trusted-firmware-m/tfm_boards/partition/region_defs.h

@@ -151,23 +151,23 @@
 
 #ifdef PM_MCUBOOT_ADDRESS
 #define REGION_MCUBOOT_ADDRESS	   PM_MCUBOOT_ADDRESS
-#define REGION_MCUBOOT_END_ADDRESS PM_MCUBOOT_END_ADDRESS
+#define REGION_MCUBOOT_LIMIT       PM_MCUBOOT_END_ADDRESS - 1
 #endif
 #ifdef PM_B0_ADDRESS
 #define REGION_B0_ADDRESS     PM_B0_ADDRESS
-#define REGION_B0_END_ADDRESS PM_B0_END_ADDRESS
+#define REGION_B0_LIMIT       PM_B0_END_ADDRESS - 1
 #endif
 #ifdef PM_S0_ADDRESS
 #define REGION_S0_ADDRESS     PM_S0_ADDRESS
-#define REGION_S0_END_ADDRESS PM_S0_END_ADDRESS
+#define REGION_S0_LIMIT       PM_S0_END_ADDRESS - 1
 #endif
 #ifdef PM_S1_ADDRESS
 #define REGION_S1_ADDRESS     PM_S1_ADDRESS
-#define REGION_S1_END_ADDRESS PM_S1_END_ADDRESS
+#define REGION_S1_LIMIT       PM_S1_END_ADDRESS - 1
 #endif
 #ifdef PM_PCD_SRAM_ADDRESS
 #define REGION_PCD_SRAM_ADDRESS	    PM_PCD_SRAM_ADDRESS
-#define REGION_PCD_SRAM_END_ADDRESS PM_PCD_SRAM_END_ADDRESS
+#define REGION_PCD_SRAM_LIMIT       PM_PCD_SRAM_END_ADDRESS - 1
 #endif
 
 #endif /* __REGION_DEFS_H__ */

west.yml

@@ -153,7 +153,7 @@ manifest:
     - name: trusted-firmware-m
       repo-path: sdk-trusted-firmware-m
       path: modules/tee/tf-m/trusted-firmware-m
-      revision: 899f0f54e76d41d70fac538f8a2d2cf171294a3b
+      revision: 8c7fae3936da02b7db4f5c8aba174b252a2b326e
     - name: psa-arch-tests
       repo-path: sdk-psa-arch-tests
       path: modules/tee/tf-m/psa-arch-tests