Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Mon, 10 Jul 2023 23:48:39 GMT

Hi Sigurd,

[quote userid="106736" url="~/f/nordic-q-a/100614/request-for-guidance-and-documentation-on-eraseprotect-approtect-secureapprotect/435391"]Additionally, there is a bug in the docs on ERASEPROTECT.DISABLE: The register is not RW, but is R1.
So you can not read out the value to verify that the data is set. (It will always read 0).[/quote]

Thank you for letting me know!

[quote userid="106736" url="~/f/nordic-q-a/100614/request-for-guidance-and-documentation-on-eraseprotect-approtect-secureapprotect/435391"]Definitely! Just create a ticket and reference this one.[/quote]

I have just created a private ticket about this. Thank you!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Sigurd Hellesvik — Mon, 10 Jul 2023 06:43:03 GMT

[quote user="blasph"]My impression was that the ERASEPROTECT.disable key had to be set on each reboot. Does the ERASEPROTECT.disable key persist across reboots, and only need to be set once then?[/quote]

Good catch!
You are correct, so my suggestion is not really useful.

Additionally, there is a bug in the docs on ERASEPROTECT.DISABLE: The register is not RW, but is R1.
So you can not read out the value to verify that the data is set. (It will always read 0).

[quote user="blasph"]

- I copied over the relevant CMakeLists.txt additions from the tfm_secure_peripheral sample and merged them into my main CMakeLists.txt file

- Modified the secure_peripheral_partition.c file to no longer use the sample peripherals and only generate and set the key (and removed the init and while loop from the tfm_spp_main, as I only need this code to run once at boot up and not again)

- copied over my modified secure_peripheral_partition directory

- copied over the prj.conf symbols CONFIG_TFM_IPC=y and CONFIG_TFM_ISOLATION_LEVEL=1 from the sample. The TFM_PROFILE_NOT_SET=y makes my project not build, but I've also removed this symbol from the sample and the sample still works

[/quote]

From just reading the steps, they seem reasonable to me.

[quote user="blasph"]When running my application, I see the key now gets set properly, but my main application fails to run. Would it be possible for me to create a private ticket to see if I could get some help with this final integration step? [/quote]

Definitely! Just create a ticket and reference this one.

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Fri, 07 Jul 2023 16:14:11 GMT

Hi Sigurd,

Thank you for getting back to me!

[quote userid="106736" url="~/f/nordic-q-a/100614/request-for-guidance-and-documentation-on-eraseprotect-approtect-secureapprotect/434258"]I would generally recommend writing your key to this register before enabling eraseprotect.
This is so that you are sure that you never lock the device before a key is set.[/quote]

My impression was that the ERASEPROTECT.disable key had to be set on each reboot. Does the ERASEPROTECT.disable key persist across reboots, and only need to be set once then?

[quote userid="106736" url="~/f/nordic-q-a/100614/request-for-guidance-and-documentation-on-eraseprotect-approtect-secureapprotect/434258"]We will move from multi-image builds to sysbuild soon, and then I think it will be easier to do something like this.
But we are not there yet, so for now, I agree, it is less portable.[/quote]

Thank you for letting me know about this. I encountered a few examples in the 2.4.0 examples and wasn't sure what it was about.

[quote userid="106736" url="~/f/nordic-q-a/100614/request-for-guidance-and-documentation-on-eraseprotect-approtect-secureapprotect/434258"]If you want to write to secure registers when TF-M is enabled, you options are MCUboot or how it is done in the TF-M secure peripheral partition sample, by creating a Application RoT Service. See An Introduction to Trusted Firmware-M (TF-M) for more information on TF-M.[/quote]

I am currently trying on implementing this and have been working on it for the last couple of days without success. I have been able to successfully able to use the example to create and set the Eraseprotect key for my device. However, I am having difficulty integrating it into my main application.

In my attempt to integrate it into my main application:

- I copied over the relevant CMakeLists.txt additions from the tfm_secure_peripheral sample and merged them into my main CMakeLists.txt file

- copied over my modified secure_peripheral_partition directory

When running my application, I see the key now gets set properly, but my main application fails to run. Would it be possible for me to create a private ticket to see if I could get some help with this final integration step?

I will continue doing some further testing and will get back to you as soon as I have new information.

Thank you for the help!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Sigurd Hellesvik — Mon, 03 Jul 2023 14:28:51 GMT

Hi,

I will continue to help in this case.

[quote user="blasph"]My apologies in advance if I am incorrect about this, but I want to be able to write (or trigger a write for) a key to the ERASEPROTECT.disable register from my current application.[/quote]

Yes, that is a good idea.
I would generally recommend writing your key to this register before enabling eraseprotect.
This is so that you are sure that you never lock the device before a key is set.

[quote user="blasph"] that my application is required to be built for ns (i.e. nrf_modem_lib requires to be run from non-secure firmware)[/quote]

Correct

[quote user="blasph"]believe the nrf asset tracker v2 has a similar set of requirements, so it could be a good reference for what solution would be needed.[/quote]

Also yes.

[quote user="blasph"]

From Rory's answer above, the best way we know of to set this consistently is through editing the MCUboot Bootloader main.c file to include the following write:

[/quote]

Doing this in MCUboot is a valid option.

[quote user="blasph"] The downside of directly editing the MCUboot file is that this change is less portable -- if I were to have a coworker build my application, I would need to have them edit the MCUboot file in-tree. [/quote]

We will move from multi-image builds to sysbuild soon, and then I think it will be easier to do something like this.
But we are not there yet, so for now, I agree, it is less portable.

[quote user="blasph"]Furthermore, modifying the MCUBoot Bootloader directly with anything more complex seems risky, as I don't fully understand the MCUBoot Bootloader code. I have some additional logic I want to add for generating the key, but I am not sure if it is safe to add this logic to the Bootloader. [/quote]

I agree very much with this. It can be risky to do this inside MCUboot if you want to generate the

[quote user="blasph"]- Creating a script built for the nrf9160dk_nrf9160 (not ns) to set the register, however I didn't have much luck integrating this into my current application, as my current application is built for nrf9160dk_nrf9160_ns. I attempted to build a child image with the goal of the secure child image to run and set the key before the main image boots, but was unsuccessful. I can attach a zip of this attempt if helpful.[/quote]

I do not understand completely what you are trying to do here.
If you want to write to secure registers when TF-M is enabled, you options are MCUboot or how it is done in the TF-M secure peripheral partition sample, by creating a Application RoT Service. See An Introduction to Trusted Firmware-M (TF-M) for more information on TF-M.

[quote user="blasph"]- Using the TF-M secure peripheral/partition examples to have the non secure partition send a request to execute some code on the secure environment. This doesn't appear to work in my case since different TF-M build profiles beyond the default don't seem to build with MCUboot. The TF-M secure peripheral/partition seems to require some customization to the TF-M profile settings.[/quote]

TF-M will build as part of your application, and does not know about MCUboot.
Either set ERASEPROTECT.DISABLE from MCUboot or from TF-M.

See TF-M secure peripheral partition sample.

EDIT:

Just want to add some nuance. While it is risky to do stuff in MCUboot, setting ERASEPROTECT.DISABLE later is also risky, as more things can go wrong before you can revert ERASEPROTECT.
So in the end, I do not see any "perfect" place to do this operation. So you kindof need to decide if you want a more robust MCUboot, so you know you can DFU if anything fails. Or if you want a more robust ERASEPROTECT disable, so you can reprogram if anything fails.

Regards,
Sigurd Hellesvik

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Mon, 03 Jul 2023 14:26:03 GMT

Hi Dinesh,

I just wanted to give you a bit of a recommendation while you do your testing for now. If you can't afford to brick a couple of devices while developing, I recommend doing the ERASEPROTECT development separately from using the APPROTECT and SECUREAPPROTECT for now. This way, if you are unable to get the ERASEPROTECT.disable to work, you can always use use

nrfjprog --family nRF91 --recover

to recover the device and erase all of the firmware. When APPROTECT and SECUREAPPROTECT are enabled, I haven't been able to use the recover command.

Once you've finished with developing your solution and can consistently disable ERASEPROTECT by supplying the erase protect key, you could return to also using the APPROTECT and SECUREAPPROTECT functionalities.

I recommend changing your second step to

# Enable ERASEPROTECT
nrfjprog --family nRF91 --memwr 0x00FF8030 --val 0

for the meantime until your ERASEPROTECT disable solution works smoothly.

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Dinesh Kumar K — Mon, 03 Jul 2023 14:07:35 GMT

Thanks Rory for the reply, Understood your comments,

since I am not afford to brick another device

just need a reconfirmation for below steps.

1. flash this sample code.

void main(void)
{
	const uint32_t key = 0xDEADBEEF;

	NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Wen;

	while (NRF_NVMC->READY == NVMC_READY_READY_Busy);

	NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE = key;

	printk("ERASEPROTECT         0x%X\n", NRF_UICR->ERASEPROTECT);
	printk("ERASEPROTECT.LOCK    0x%X\n", NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK);
	printk("ERASEPROTECT.DISABLE 0x%X\n", NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE);
}

2. cmd line values to set protections and reboot the device should enable erase protect with disabling
key value of 0xDEADBEEF

# Enable APPROTECT
nrfjprog --family nRF91 --memwr 0x00FF8000 --val 0
# Enable SECUREAPPROTECT
nrfjprog --family nRF91 --memwr 0x00FF802C --val 0
# Enable ERASEPROTECT
nrfjprog --family nRF91 --memwr 0x00FF8030 --val 0

3. JLink script to unlock eraseprotect.

USB 960093400
SWDSelect
SWDWriteDP 1 0x50000000
SWDWriteDP 2 0x04000010
SWDWriteAP 3 0xDEADBEEF

sleep 10000
SWDWriteDP 2 0x04000000
SWDWriteAP 1 0x00000001
SWDReadAP 1
SWDReadAP 1
sleep 5000
SWDWriteAP 1 0x00000000
SWDReadAP 1
SWDReadAP 1
sleep 1000

exit

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Fri, 30 Jun 2023 14:22:27 GMT

Hi Simon,

My apologies in advance if I am incorrect about this, but I want to be able to write (or trigger a write for) a key to the ERASEPROTECT.disable register from my current application.

To my knowledge, the major constricting requirements are that my application is required to be built for ns (i.e. nrf_modem_lib requires to be run from non-secure firmware), it uses TF-M, and uses MCUboot (for FOTA). I believe the nrf asset tracker v2 has a similar set of requirements, so it could be a good reference for what solution would be needed.

From Rory's answer above, the best way we know of to set this consistently is through editing the MCUboot Bootloader main.c file to include the following write:

if (NRF_UICR_S->ERASEPROTECT != UICR_ERASEPROTECT_PALL_Unprotected)
{
    NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE = (uint32_t)0xDEADF00D;
}

I would need a consistent way to be able to set this information either before my application boots or to be triggered to be written, so it can still be recovered when all three of the erase protect, approtect, and secureapprotect functionalities are enabled. The downside of directly editing the MCUboot file is that this change is less portable -- if I were to have a coworker build my application, I would need to have them edit the MCUboot file in-tree. Additionally, the Bootloader isn't upgradable in this case, so the method for generating/setting the key cannot be changed over an OTA update. Furthermore, modifying the MCUBoot Bootloader directly with anything more complex seems risky, as I don't fully understand the MCUBoot Bootloader code. I have some additional logic I want to add for generating the key, but I am not sure if it is safe to add this logic to the Bootloader.

I've been able to replicate the ability to write this key in a couple of other ways, each with challenges to integrate into my application:

- Creating a script built for the nrf9160dk_nrf9160 (not ns) to set the register, however I didn't have much luck integrating this into my current application, as my current application is built for nrf9160dk_nrf9160_ns. I attempted to build a child image with the goal of the secure child image to run and set the key before the main image boots, but was unsuccessful. I can attach a zip of this attempt if helpful.

- Using the TF-M secure peripheral/partition examples to have the non secure partition send a request to execute some code on the secure environment. This doesn't appear to work in my case since different TF-M build profiles beyond the default don't seem to build with MCUboot. The TF-M secure peripheral/partition seems to require some customization to the TF-M profile settings.

Thank you in advance for your help!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Simonr — Fri, 30 Jun 2023 11:39:46 GMT

Hi Edward

Why do you need to change UICR data from the bootloader? It is recommended to leave the UICR alone, as bootloader addresses are stored there for example, so it's easy to tread wrong. If you have data that needs to be changed more often, I'd suggest using a dedicated flash page to store this instead of UICR.

Why exactly do you need to make changes to UICR during runtime?

Best regards,

Simon

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Thu, 29 Jun 2023 16:27:02 GMT

Hi Simon,

Similar to what Rory mentioned in editing MCUboot, is there an easy way to create a bootloader with the code to set the UICR registers in the secure domain that occurs before or after the MCUboot bootloader?

Alternatively, is there a way have a complied hex of a script of your linked ticket included to be run with a non secure application with a multi-image build? I've tried to follow the multi-image build instructions and some examples from the nrf sdk, but unfortunately I haven't had much luck in getting it to work. I can share a zip of what I am working on, if helpful.

Another way I can think of this is to ask how one could add the ERASEPROTECT.disable key write into the nRF Asset Tracker V2 application? Would the best way still be to edit MCUboot directly?

Edit to add:
Is there possibly a good way in TFM to create a function that can execute in the secure environment that is invoked from the non-secure side? E.g. The non secure side calls function in secure side to write a value into the UICR ERASEPROTECT.disable?

Thank you for your help!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Wed, 28 Jun 2023 21:22:16 GMT

Hi Rory,

Apologies for the day delay in response, I've been pulled to a different project for the last bit and am just able to get back into this project.

I've setup my device to use the MCUboot edit and am able to successfully replicate having the MCUboot file set a key and using the JLink Commander script to remove the ERASEPROTECT! Thank you for your help! I will continue with testing the JLink Commander script to flash the hex file and set the protections.

The only thing I'd hope for on, which may be a bit out of scope, is if there's a better way to locate the code that sets the script to be closer to the application directory. This way my coworkers can replicate this without making a more-so in-tree change. I've been able to create a script based off of this response to set the key when built for the nrf9160dk_nrf9160 (not ns) -- I'm curious if there's a way to merge a compiled hex file built for the nrf9160dk_nrf9160 into a separate nrf9160dk_nrf9160_ns application.

Thank you again for the help, Rory!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Rory — Tue, 27 Jun 2023 10:07:50 GMT

The problem is likely with the code setting both ERASEPROTECT.LOCK and ERASEPROTECT.DISABLE. These can't both be set. If you read the documentation on ERASEPROTECT.LOCK, you will see that it prevents ERASEPROTECT.DISABLE from being set until next boot. You cannot set them both in sequence like this. Notice how in the output ERASEPROTECT.DISABLE never actually get set to 0xDEADBEEF, it just stays at 0x0 because it was previously locked.

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        if (NRF_UICR_S->ERASEPROTECT != UICR_ERASEPROTECT_PALL_Unprotected)
        {
                NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK = (uint32_t)0x00000001;
        }

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        if (NRF_UICR_S->ERASEPROTECT != UICR_ERASEPROTECT_PALL_Unprotected)
        {
            NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE = key;
        }

I stated in my original post that ERASEPROTECT.LOCK could optionally be set if ERASEPROTECT.DISABLE is not to be set on bootup.

[quote userid="82875" url="~/f/nordic-q-a/100614/request-for-guidance-and-documentation-on-eraseprotect-approtect-secureapprotect/431351"]If serial recovery is not activated at boot, you can optionally prevent ERASEPROTECT.DISABLE from being written to until next reboot by setting NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK = (uint32_t)0x00000001[/quote]

Try just removing these lines and it should properly set ERASEPROTECT.DISABLE

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        if (NRF_UICR_S->ERASEPROTECT != UICR_ERASEPROTECT_PALL_Unprotected)
        {
                NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK = (uint32_t)0x00000001;
        }

Unfortunately, the nRF9160 you flashed with your previous code cannot be recovered now, you'll need to get a new board. Also, the command nrfjprog --recover can't be used to disable ERASEPROTECT since there is no way to supply it the key. Your script looks to be correct, and that is the only way to properly disable ERASEPROTECT and perform and ERASEALL.

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Dinesh Kumar K — Tue, 27 Jun 2023 09:50:20 GMT

Hi everyone,

I read through this Q&A and also this one and copied the same question from there, I wanted to test the working of ERASEPROTECT and disable it using the Jlink script shared in the discussions, but I am neither able to disable erase protection using the script nor nrfjprog --recover

/*
 * Copyright (c) 2012-2014 Wind River Systems, Inc.
 *
 * SPDX-License-Identifier: Apache-2.0
 */

#include <zephyr.h>

void main(void)
{
        const uint32_t key = 0xDEADBEEF;

        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Wen;

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        NRF_UICR->APPROTECT = 0x00000000;

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        NRF_UICR->ERASEPROTECT = 0x00000000;

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        NRF_UICR->SECUREAPPROTECT = 0x00000000;

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Ren;

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        if (NRF_UICR_S->ERASEPROTECT != UICR_ERASEPROTECT_PALL_Unprotected)
        {
                NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK = (uint32_t)0x00000001;
        }

        while (NRF_NVMC->READY == NVMC_READY_READY_Busy);
        if (NRF_UICR_S->ERASEPROTECT != UICR_ERASEPROTECT_PALL_Unprotected)
        {
            NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE = key;
        }

        printk("Before Write Key.\n");
        printk("ERASEPROTECT     Addr    0x%p\n", &NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK);
        printk("ERASEPROTECT          0x%X\n",  NRF_UICR->ERASEPROTECT);
        printk("ERASEPROTECT.LOCK    0x%X\n",   NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK);
        printk("ERASEPROTECT.DISABLE 0x%X\n",   NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE);
        uint32_t count = 0;

        k_msleep(1000);

        while (count < 10)
        {
                k_msleep(1000);
                printk("Count:: %u\r\n", count++);
        }

}

output:

*** Booting Zephyr OS build zephyr-v2.3.0-22164-gb121d671c44c  ***                                                                     
Before Write Key.                                                                                                                      
ERASEPROTECT     Addr    0x0x50006500                                                                                                  
ERASEPROTECT          0x0                                                                                                              
ERASEPROTECT.LOCK    0x1                                                                                                               
ERASEPROTECT.DISABLE 0x0                                                                                                               
Count:: 0                                                                                                                              
Count:: 1                                                                                                                              
Count:: 2                                                                                                                              
Count:: 3                                                                                                                              
Count:: 4                                                                                                                              
Count:: 5                                                                                                                              
Count:: 6                                                                                                                              
Count:: 7                                                                                                                              
Count:: 8                                                                                                                              
Count:: 9

jlink script:

USB 960093400
SWDSelect
SWDWriteDP 1 0x50000000  
SWDWriteDP 2 0x04000010
SWDWriteAP 3 0xDEADBEEF

sleep 10000
SWDWriteDP 1 0x50000000
SWDWriteDP 2 0x04000000
SWDWriteAP 0 0x00000001
SWDReadAP 0
SWDReadAP 0
sleep 5000
SWDWriteAP 0 0x00000000
SWDReadAP 0
SWDReadAP 0
sleep 1000

exit

Help needed.

Thanks,
Dinesh Kumar K

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Simonr — Fri, 16 Jun 2023 08:52:05 GMT

We have a GitHub script that should work for disabling eraseprotect that Sigurd links to in this ticket. Here he also links to the device protection Application note that can be usefult for additional information. Other than that we don't have a specific sample that does this I'm afraid.

Best regards,

Simon

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Fri, 16 Jun 2023 03:04:02 GMT

Hi Rory,

Thank you very much for replying and for the in depth write up!

Thank you for clarifying that those KCONFIGs don't work for the nRF9160.

The information you provided about setting the protections via the JLink Commander scripts and modifying the mcuboot main.c is extremely helpful, thank you for sharing that! I'll try implementing this over the next couple of days and will circle back with my findings.

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Rory — Thu, 15 Jun 2023 15:35:45 GMT

Hi blasph,

We were in a similar situation, and figured out how to enable/disable all three protections: APPROTECT, SECUREAPPROTECT, and ERASEPROTECT.

First off, we found that CONFIG_NRF_APPROTECT_LOCK and CONFIG_NRF_SECURE_APPROTECT_LOCK are only supported on the nRF52 and nRF53 series SoCs, and cannot be used with the nRF91 series. See documentation here.

Setting these protections on the nRF9160 seems to only be possible by writing to the UICR with a JLink during production.

Mechanism to set ERASEPROTECT.DISABLE in MCUBoot

This is very important to implement first, as it is needed if you ever want to disable ERASEPROTECT. Without this mechanism, you will never be able to erase the chip again once ERASEPROTECT is enabled, and it could become a brick.

We decided to trigger setting NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE to our special 32-bit unlock key in MCUBoot only when serial recovery is forced via GPIO button press. Just before boot_serial_enter() is called in MCUBoot, we check if NRF_UICR_S->ERASEPROTECT is enabled, and if it is, set NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE = (uint32_t)0xDEADF00D.

bootloader/mcuboot/boot/zephyr/main.c

#ifdef CONFIG_BOOT_SERIAL_ENTRANCE_GPIO
    if (detect_pin() &&
            !boot_skip_serial_recovery()) {

        if (NRF_UICR_S->ERASEPROTECT != UICR_ERASEPROTECT_PALL_Unprotected)
        {
            // Disable ERASEPROTECT in serial recovery
            NRF_CTRL_AP_PERI_S->ERASEPROTECT.DISABLE = (uint32_t)0xDEADF00D;
        }
        boot_serial_enter();
    }
#endif

If serial recovery is not activated at boot, you can optionally prevent ERASEPROTECT.DISABLE from being written to until next reboot by setting NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK = (uint32_t)0x00000001

    ...
    if (NRF_UICR_S->ERASEPROTECT != UICR_ERASEPROTECT_PALL_Unprotected)
    {
        // Lock ERASEPROTECT before booting image
        NRF_CTRL_AP_PERI_S->ERASEPROTECT.LOCK = (uint32_t)0x00000001;
    }
    FIH_CALL(boot_go, fih_rc, &rsp);
    ...

Enabling APPROTECT, SECUREAPPROTECT, and ERASEPROTECT in Production

We learned that you can use a sequence of nrfjprog commands, or a JLink Commander script to program our factory_image.hex file, and then write to the UICR to set all three protections, followed by a pin reset.

nrfjprog commands:

nrfjprog.exe --family NRF91 --program factory_image.hex --chiperase --verify factory_image.hex
nrfjprog.exe --family NRF91 --memwr 0x00FF8000 --val 0
nrfjprog.exe --family NRF91 --memwr 0x00FF802C --val 0
nrfjprog.exe --family NRF91 --memwr 0x00FF8030 --val 0
nrfjprog.exe --family NRF91 --pinreset

JLink Commander script:

device NRF9160_XXAA
selectinterface SWD
speed 4000
connect
halt
erase
loadfile factory_image.hex
write4 0x00FF8000 0
write4 0x00FF802C 0
write4 0x00FF8030 0
RSetType 2
reset
exit

At this point, the nRF9160 should have all three protections set. The JLink debugger will no longer work at all if you try to even connect and detect the Chip ID. The nRF9160 is completely protected from any and all access over the SWD interface, including flash read, write, and erase, and is considered "sealed". The only access that can be done over CTRL-AP is to set ERASEPROTECT.DISABLE to hopefully disable ERASEPROTECT and allow an ERASEALL.

Disabling ERASEPROTECT and Performing ERASEALL

If you do need to erase a device that has been sealed, you must first boot the nRF9160 and trigger the mechanism to set ERASEPROTECT.DISABLE to the known 32-bit key value.

For this example, serial recovery must be forced via button press so that ERASEPROTECT.DISABLE is set to our key 0xDEADF00D.

Then, the following JLink Commander script can be used to set the Ctrl-AP ERASEPROTECT.DISABLE to the matching key, and then trigger an ERASEALL and RESET.

JLink Commander script:

// Setup SWD
SWDSelect               // Activate SWD
SWDWriteDP 1 0x50000000 // Enable debug power

// Set ERASEPROTECT.DISABLE
SWDWriteDP 2 0x04000010 // Select the 0x04XXXXXX Access Port and 0xXXXXX01X Register bank in the access port
SWDWriteAP 3 0xDEADF00D // CTRL-AP Bank 1, register offset 3 (ERASEPROTECT.DISABLE 0x01C)

// Perform ERASEALL
SWDWriteDP 2 0x04000000 // Select the 0x04XXXXXX Access Port and 0xXXXXX00X Register bank in the access port
SWDWriteAP 1 0x00000001 // CTRL-AP Bank 0, register offset 1 (ERASEALL 0x004)
SWDReadAP 2             // CTRL-AP Bank 0, register offset 2 (ERASEALLSTATUS 0x008)
SWDReadAP 2             // Second read returns the value: 0 = Ready, 1 = Busy
sleep 2000
SWDReadAP 2             // CTRL-AP Bank 0, register offset 2 (ERASEALLSTATUS 0x008)
SWDReadAP 2             // Second read returns the value: 0 = Ready, 1 = Busy

// Perform RESET
SWDWriteAP 0 0x00000001 // CTRL-AP Bank 0, register offset 0 (RESET 0x000)
SWDWriteAP 0 0x00000000 // CTRL-AP Bank 0, register offset 0 (RESET 0x000)
SWDReadAP 0             // CTRL-AP Bank 0, register offset 0 (RESET 0x000)
SWDReadAP 0             // Second read returns the value: 0 = NoReset, 1 = Reset
exit

Hope this helps!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Thu, 15 Jun 2023 13:51:16 GMT

Hi Simon,

Thank you for sharing this case. I was wondering, does Nordic publish some sort of guide/sample of how to add the write the ERASEPROTECT.DISABLE key to an existing application? If so, that would be very helpful.

Thank you!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Simonr — Thu, 15 Jun 2023 10:04:16 GMT

Hi Edward

Raoul is currently out of office so I've been asked to take over this case in his absence.

Please check out this case by Hung, and the one he links to, where there is a thorough discussion on how to use the ERASEPROTECT.DISABLE register. Let me know if something there is unclear, but I think most aspects are covered.

Best regards,

Simon

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Wed, 14 Jun 2023 18:33:51 GMT

Hi Raoul,

Thank you for getting back to me and sharing that information.

1. Thank you for clarifying the process for the ns and non-ns builds. In this case, if we needed to add a bit of additional code to the our application to write the 32-bit key into the ERASEPROTECT.DISABLE register, what would you recommend as the best way to go about that? Is there an easy way to add this to be executed by the secure partition while keeping TF-M?

2. In our case with the nRF9160, the APPROTECT and SECUREAPPROTECT are important to prevent someone else from reading back our firmware. Thank you for sharing the information about the KCONFIGs, that should come in handy in our case.

Our application uses the nRF9160's CMNG to store certificates. Since ERASEALL does not remove certificates stored in CMNG, our concern is to prevent the possibility of an attack that someone else may be able to load their own program onto our device and use the certificates for their own purposes. Although they shouldn't be able to read out the certificate contents, they could possibly use the certificates in a similar manner as we use it in our application.

[quote userid="117489" url="~/f/nordic-q-a/100614/request-for-guidance-and-documentation-on-eraseprotect-approtect-secureapprotect/431087"]Note that if you enable both ERASEPROTECT and APPROTECT and you haven't added a robust way to unlock the device from the inside, you will have bricked the device.[/quote]

I'm hoping to get a bit of guidance on how to properly add a robust way to unlock the device. Any help would be greatly appreciated, thank you!

3. Thank you for confirming that ERASEPROTECT does not affect FOTA.

Thank you again for your help!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Raoul — Wed, 14 Jun 2023 16:49:46 GMT

Hi Edward,

1. This might be based on a misunderstanding:

When building an application for the "_ns" target, you tell NCS that you are building a non-secure application (read: one that shouldn't be trusted), and then NCS will automatically include TF-M and a secure partition which exposes various "secure" functions and services such as cryptography functions.

Please see this article by my colleague: An Introduction to Trusted Firmware-M (TF-M)

So, it's automatically included, but note that this secure partition is not a child image, and in fact isn't even built on Zephyr.

If the provided secure services don't cover your needs, you can create custom Root-of-Trust services that you can access from your non-secure code.

2. regarding this point, I should again clarify some things:

APPROTECT and ERASEPROTECT have very different use cases.

APPROTECT, enables protection of the debug access port, which mainly serves to prevent people with a debugger from extracting the firmware from one of your devices. If this were disabled, someone could for instance copy your product by first copying the physical hardware and then just flashing firmware that they extracted from an original device.

APPROTECT protects intellectual property.

APPROTECT can usually be disabled by doing a "recover", which in essence is an erase-all of the flash. This will unlock the access port, but there will be no firmware left to extract.

ERASEPROTECT on the other hand, protects against someone with a debugger, doing exactly that, erasing the device. As far as I know, this is only useful if you're selling some special device where it is absolutely critical that nobody is able to flash their own firmware to the device.

ERASEPROTECT is rarely needed, and is not "supported" in NCS, it has to be done by setting the registers directly. Are you sure you need this?

Note that if you enable both ERASEPROTECT and APPROTECT and you haven't added a robust way to unlock the device from the inside, you will have bricked the device.

APPROTECT is commonly used and can be set through NCS, by setting one or both of the following Kconfig options (you usually only do this for the release build that will be flashed to production devices):

CONFIG_NRF_APPROTECT_LOCK - locks the Debug Access Port entirely

CONFIG_NRF_SECURE_APPROTECT_LOCK - Locks the ability to debug code and peripherals under the "secure" environment.

See here for a more in-depth description: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/app_dev/ap_protect/index.html#configuration-overview-in-the-ncs

I think it's likely that your needs are entirely covered by the default APPROTECT options.

3. if you do use ERASEPROTECT; then this won't affect your DFU/FOTA ability. ERASEPROTECT only protects against an "eraseall" operation, which isn't used for FOTA.

Regarding your supplemental question, I'm actually not sure. I'll see if a colleague can answer that for you. I'll be out-of-office for the next 14 days.

Best regards,

Raoul

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Mon, 12 Jun 2023 17:17:23 GMT

Thank you Raoul, I'm looking forward to hearing back from you!

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

Raoul — Sun, 11 Jun 2023 23:05:57 GMT

Hi,

I've received your questions and I'll be looking into them this week, but it might take me some time to research some of it and write up an answer. I'll get back to you soon!

Best regards,

Raoul

RE: Request for Guidance and Documentation on ERASEPROTECT/APPROTECT/SECUREAPPROTECT

blasph — Thu, 08 Jun 2023 18:40:19 GMT

As a supplemental question, is there any protection against a brute force attack on trying all possible key combinations in the ERASEPROTECT.DISABLE register from the SWD? For example, is a rate limit for how fast keys can be tried?