1 /*
2 
3 Copyright (c) 2010 - 2024, Nordic Semiconductor ASA All rights reserved.
4 
5 SPDX-License-Identifier: BSD-3-Clause
6 
7 Redistribution and use in source and binary forms, with or without
8 modification, are permitted provided that the following conditions are met:
9 
10 1. Redistributions of source code must retain the above copyright notice, this
11    list of conditions and the following disclaimer.
12 
13 2. Redistributions in binary form must reproduce the above copyright
14    notice, this list of conditions and the following disclaimer in the
15    documentation and/or other materials provided with the distribution.
16 
17 3. Neither the name of Nordic Semiconductor ASA nor the names of its
18    contributors may be used to endorse or promote products derived from this
19    software without specific prior written permission.
20 
21 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
22 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 IMPLIED WARRANTIES OF MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE
24 ARE DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
25 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28 INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31 POSSIBILITY OF SUCH DAMAGE.
32 
33 */
34 
35 #ifndef SYSTEM_NRF54L_APPROTECT_H
36 #define SYSTEM_NRF54L_APPROTECT_H
37 #ifndef NRF_TRUSTZONE_NONSECURE
38 #include "nrf.h"
39 
40 #ifdef __cplusplus
41 extern "C" {
42 #endif
43 
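/*
 * Bit patterns for a TAMPC debug-signal CTRL register.
 *
 * All of them are built from the DOMAIN DBGEN field definitions, but
 * nrf54l_handle_approtect() applies them to the NIDEN, SPIDEN, SPNIDEN and
 * AP DBGEN control registers as well.
 * NOTE(review): that assumes every one of these CTRL registers shares the
 * DBGEN layout and KEY value - confirm against the register definitions.
 */

/* Mask that is non-zero in a CTRL read-out when the LOCK field is Enabled. */
#define TAMPC_SIGNAL_IS_LOCKED                                                                                         \
    (TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_LOCK_Enabled << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_LOCK_Pos)

/* Mask that is non-zero in a CTRL read-out when the VALUE field is High (signal open). */
#define TAMPC_SIGNAL_IS_HIGH                                                                                           \
    (TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_VALUE_High << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_VALUE_Pos)

/* Keyed write that clears write-protection; the handlers issue it before every change of VALUE/LOCK. */
#define TAMPC_SIGNAL_CLEAR_WRITEPROTECTION                                                                             \
    ((TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_WRITEPROTECTION_Clear                                                            \
          << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_WRITEPROTECTION_Pos) |                                                    \
     (TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_KEY_KEY << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_KEY_Pos))

/* Keyed write that drives the signal Low and enables LOCK (debug access closed and locked). */
#define TAMPC_SIGNAL_LOCK                                                                                              \
    ((TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_VALUE_Low << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_VALUE_Pos) |                        \
     (TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_LOCK_Enabled << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_LOCK_Pos) |                      \
     (TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_KEY_KEY << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_KEY_Pos))

/* Keyed write that drives the signal High and leaves LOCK disabled (debug access open, not locked). */
#define TAMPC_SIGNAL_OPEN                                                                                              \
    ((TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_VALUE_High << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_VALUE_Pos) |                       \
     (TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_LOCK_Disabled << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_LOCK_Pos) |                     \
     (TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_KEY_KEY << TAMPC_PROTECT_DOMAIN_DBGEN_CTRL_KEY_Pos))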
62 
63 
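/**
 * Apply the build-time APPROTECT policy to one TAMPC debug-signal control register.
 *
 * A signal that is already locked is left untouched, with one exception: a
 * signal found locked with VALUE high ("locked open") is treated as an invalid
 * state and the device is reset through WDT30. That path never returns.
 *
 * For a signal that is not locked, the build configuration decides:
 *  - ENABLE_APPROTECT: write-protection is cleared, then the signal is written
 *    low with LOCK enabled.
 *  - ENABLE_AUTHENTICATED_APPROTECT (and not ENABLE_APPROTECT): the register is
 *    not written.
 *  - neither macro: write-protection is cleared, then the signal is written
 *    high with LOCK disabled, i.e. debug access is opened and left unlocked.
 *
 * The last case is the default, so a build that is meant to ship protected has
 * to define one of the two macros, spelled exactly as tested below.
 *
 * NOTE(review): the writes are not read back and the function returns void, so
 * a write that did not take effect cannot be detected by the caller.
 *
 * @param signal_ctrl  Address of the CTRL register of the signal to handle.
 */
static inline void nrf54l_handle_approtect_signal(volatile uint32_t * signal_ctrl)
{
    if ((*signal_ctrl & TAMPC_SIGNAL_IS_LOCKED) != 0)
    {
        if ((*signal_ctrl & TAMPC_SIGNAL_IS_HIGH) != 0)
        {
            /* Signal is locked open. */
            /* Do hard reset, invalid state. */

            /* Temporary fix - use WDT to trigger hard reset. */
            /* Replace with proper hard reset task later if added. */
            /* Make sure WDT is always running independent of CPU state. */
            /* 9 sets bits 0 and 3; presumably the run-in-sleep and run-in-halt
               fields - confirm against the WDT CONFIG register definition. */
            NRF_WDT30->CONFIG = 9;

            /* Set minimum tick length */
            NRF_WDT30->CRV = 0xF;

            /* Start WDT */
            NRF_WDT30->TASKS_START = 1;

            /* Wait for timer to elapse */
            while (1)
            {
                /* Spin; nothing after this loop runs on this path. */
            }
        }
        /* Do nothing, signal is locked by previous session / hardware. */
        return;
    }

#if defined(ENABLE_APPROTECT)
    /* Prevent processor from unlocking APPROTECT soft branch after this point. */
    /* Order matters: write-protection is cleared first, then the locked value is written. */
    *signal_ctrl = TAMPC_SIGNAL_CLEAR_WRITEPROTECTION;
    *signal_ctrl = TAMPC_SIGNAL_LOCK;
#elif defined(ENABLE_AUTHENTICATED_APPROTECT)
    /* Do nothing, TAMPC should already be in correct state. */
#else
    /* Disable APPROTECT: the signal is written high and is not locked. */
    *signal_ctrl = TAMPC_SIGNAL_CLEAR_WRITEPROTECTION;
    *signal_ctrl = TAMPC_SIGNAL_OPEN;
#endif
}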
103 
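/**
 * Apply the build-time SECUREAPPROTECT policy to one TAMPC debug-signal control register.
 *
 * A signal that is already locked is left untouched, with one exception: a
 * signal found locked with VALUE high ("locked open") is treated as an invalid
 * state and the device is reset through WDT30. That path never returns.
 *
 * For a signal that is not locked, the build configuration decides:
 *  - ENABLE_SECUREAPPROTECT: write-protection is cleared, then the signal is
 *    written low with LOCK enabled.
 *  - ENABLE_AUTHENTICATED_SECUREAPPROTECT (and not ENABLE_SECUREAPPROTECT): the
 *    register is not written.
 *  - neither macro: write-protection is cleared, then the signal is written
 *    high with LOCK disabled, i.e. secure debug access is opened and left
 *    unlocked.
 *
 * The last case is the default. The macro names contain no underscore between
 * SECURE and APPROTECT; any other spelling is not tested here and therefore
 * falls through to the open branch.
 *
 * NOTE(review): the writes are not read back and the function returns void, so
 * a write that did not take effect cannot be detected by the caller.
 *
 * @param signal_ctrl  Address of the CTRL register of the signal to handle.
 */
static inline void nrf54l_handle_secureapprotect_signal(volatile uint32_t * signal_ctrl)
{
    if ((*signal_ctrl & TAMPC_SIGNAL_IS_LOCKED) != 0)
    {
        if ((*signal_ctrl & TAMPC_SIGNAL_IS_HIGH) != 0)
        {
            /* Signal is locked open. */
            /* Do hard reset, invalid state. */

            /* Temporary fix - use WDT to trigger hard reset. */
            /* Replace with proper hard reset task later if added. */
            /* Make sure WDT is always running independent of CPU state. */
            /* 9 sets bits 0 and 3; presumably the run-in-sleep and run-in-halt
               fields - confirm against the WDT CONFIG register definition. */
            NRF_WDT30->CONFIG = 9;

            /* Set minimum tick length */
            NRF_WDT30->CRV = 0xF;

            /* Start WDT */
            NRF_WDT30->TASKS_START = 1;

            /* Wait for timer to elapse */
            while (1)
            {
                /* Spin; nothing after this loop runs on this path. */
            }
        }
        /* Do nothing, signal is locked by previous session / hardware. */
        return;
    }

#if defined(ENABLE_SECUREAPPROTECT)
    /* Prevent processor from unlocking SECUREAPPROTECT soft branch after this point. */
    /* Order matters: write-protection is cleared first, then the locked value is written. */
    *signal_ctrl = TAMPC_SIGNAL_CLEAR_WRITEPROTECTION;
    *signal_ctrl = TAMPC_SIGNAL_LOCK;
#elif defined(ENABLE_AUTHENTICATED_SECUREAPPROTECT)
    /* Do nothing, TAMPC should already be in correct state. */
    /* TODO: What about if approtect is disabled here? */
#else
    /* Disable SECUREAPPROTECT: the signal is written high and is not locked. */
    *signal_ctrl = TAMPC_SIGNAL_CLEAR_WRITEPROTECTION;
    *signal_ctrl = TAMPC_SIGNAL_OPEN;
#endif
}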
144 
145 
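/**
 * Handle firmware-driven enabling or disabling of APPROTECT and SECUREAPPROTECT
 * on devices where it is supported.
 *
 * The DBGEN and NIDEN signals of domain 0 and the DBGEN signal of the AUX AP go
 * through nrf54l_handle_approtect_signal(), which tests ENABLE_APPROTECT and
 * ENABLE_AUTHENTICATED_APPROTECT. The SPIDEN and SPNIDEN signals of domain 0 go
 * through nrf54l_handle_secureapprotect_signal(), which tests
 * ENABLE_SECUREAPPROTECT and ENABLE_AUTHENTICATED_SECUREAPPROTECT.
 *
 * If ENABLE_APPROTECT (or ENABLE_SECUREAPPROTECT) is defined, the FW locks the
 * fw branch of the mechanism low, preventing it from being opened. With the
 * AUTHENTICATED variant the registers are left as found. With neither macro
 * defined, the handlers write the signal open and unlocked.
 *
 * NOTE(review): an earlier version of this comment named the secure macros
 * ENABLE_SECURE_APPROTECT and ENABLE_SECURE_APPROTECT_USER_HANDLING and said
 * the default state is loaded from UICR. Neither matches the code in this
 * header: those two names are not tested anywhere here, so defining them
 * leaves the secure debug signals on the open default.
 */
static inline void nrf54l_handle_approtect(void)
{
    /* Domain 0 signals governed by the APPROTECT macros. */
    nrf54l_handle_approtect_signal(&NRF_TAMPC->PROTECT.DOMAIN[0].DBGEN.CTRL);
    nrf54l_handle_approtect_signal(&NRF_TAMPC->PROTECT.DOMAIN[0].NIDEN.CTRL);

    /* Domain 0 signals governed by the SECUREAPPROTECT macros. */
    nrf54l_handle_secureapprotect_signal(&NRF_TAMPC->PROTECT.DOMAIN[0].SPIDEN.CTRL);
    nrf54l_handle_secureapprotect_signal(&NRF_TAMPC->PROTECT.DOMAIN[0].SPNIDEN.CTRL);

    /* Handle AUX AP. It uses the non-secure handler, so it follows the APPROTECT macros. */
    nrf54l_handle_approtect_signal(&NRF_TAMPC->PROTECT.AP[0].DBGEN.CTRL);
}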
163 
164 #ifdef __cplusplus
165 }
166 #endif
167 #endif
168 #endif /* SYSTEM_NRF54L_APPROTECT_H */
169