Context:
I'm testing the tfm_psa_template sample on the nRF9151DK and I got confused as to why I lose access to the debug port.
As required by the sample, I first flash the provisioning_image sample to write keys to OTP. After flashing this sample, I can still access the debug port without any issues.
However, once I flash the tfm_psa_template, I completely lose access to the debug port.
Interestingly, if I erase the flash and re-flash the tfm_psa_template, I regain access to the debug port.
This leads me to believe that something in the provisioning_image sample is causing the loss of debug port access.
From my understanding, the NRF_APPROTECT_HANDLING configuration controls access to the debug port for non-secure images, while NRF_SECURE_APPROTECT_HANDLING controls access for secure images.
By default, NRF_APPROTECT_HANDLING is set to NRF_APPROTECT_USE_UICR, assuming its dependencies have been met. Here's a reference from zephyr/soc/nordic/KConfig:
Additional compilation definitions are created for NRF_APPROTECT_LOCK and NRF_APPROTECT_USER_HANDLING. Here's a reference from zephyr/modules/hal_nordic/nrfx/CMakeLists.txt:
These compilation definitions control the behavior of nrf_handle_approtect(void). Here's a reference from modules/hal/nordic/mdk/system_nrf91_approtect.h:
This function is called from SystemInit(void), but only for secure images. Here's a reference from modules/hal/nordic/nrfx/mdk/system_nrf91.c:
For the provisioning_image sample, the NRF_SECURE_APPROTECT_HANDLING is disabled because the SOC_NRF5340_CPUAPP dependency is not set.
Therefore, since the provisioning_image is a non-secure image, it will execute:
... causing the debug port to become disabled!
As it is written to UICR it is persistent across image flashes, unless it is flashed with the recover option.
Questions:
- Is this behavior intentional? I wasn't able to find any reference in the documentation indicating that the debug probe would be disabled after flashing the provisioning_image. While there is a brief mention of disabling debugging access to the nRF5340 network core, there’s nothing about restricting debug access for the non-secure image. It seems like some default configuration may have been changed without proper documentation in the README.
- Does the tfm_psa_template also build a secure image? Is there any sample available that demonstrates the use-case of both secure and non-secure images? Is this the intended usage pattern for real-world deployment? If it's not, why is nrf_handle_approtect(void) only called from secure images? I'd assume that disabling debug port access is a fairly standard "ask" for real-world deployments. Or is it only intended that this access be disabled during provisioning? If so, could this be added to the documentation?