https://devzone.nordicsemi.com/f/nordic-q-a/127757/what-approtect-is-the-most-secureDoes APPROTECT supersede SECUREAPPROTECT or do both need to be enabled for maximum security? Similarly, do the HW protections (APPROTECT, SECUREAPPROTECT, ERASEPROTECT) supersede the software protections (ex: Kconfig option: CONFIG_NRF_APPROTECT_LOCKen-USTelligent Community 13Wed, 15 Apr 2026 12:28:42 GMThttps://devzone.nordicsemi.com/thread/564986?ContentTypeID=1Wed, 15 Apr 2026 12:28:42 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f27681ce-c960-49b2-8d04-d23a904c4eb2SwRa<p><span style="font-family:inherit;">Hi Andrew,</span></p> [quote user="BluePotion"]Does software AP-Protect prevent the &quot;unlocking&quot; described <a href="https://docs.nordicsemi.com/bundle/nan_042/page/APP/nan_production_programming/approtect_eraseprotect_enabled.html">here</a>?[/quote] <p><span style="font-family:inherit;">The unlock mechanism where firmware provides a 32-bit non-zero KEY to ERASEPROTECT.DISABLE is specifically for the case where&nbsp;both APPROTECT and ERASEPROTECT are enabled. I will elaborate on this a bit more below.</span></p> [quote user="BluePotion"]Does software AP-Protect any future FW from disabling AP-Protect?[/quote] <p><span style="font-family:inherit;font-size:inherit;">Yes, it does. The following is stated in the documentation that I&#39;ve shared: &quot;With this Kconfig option set, the MDK locks AP-Protect in&nbsp;<code>SystemInit()</code>&nbsp;at every boot. It also prevents CPU from disabling AP-Protect in software.&quot; Refer:&nbsp;<a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#CONFIG_NRF_APPROTECT_LOCK">https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#CONFIG_NRF_APPROTECT_LOCK</a>&nbsp;</span></p> <div> <p><span style="font-family:inherit;"><span style="font-size:inherit;">If the bootloader permanently locks AP-Protect using the KCONFIG CONFIG_NRF_APPROTECT_LOCK,&nbsp;a simple firmware update does not disable APPROTECT.&nbsp;&nbsp;This is because the lock happens in&nbsp;<code dir="ltr">SystemInit()</code>&nbsp;before any application code runs. The only way to regain debug access would be through hardware-side recovery (you can use <em>nrfutil device recover</em>, which will issue an ERASEALL),&nbsp;provided that ERASEPROTECT is not also enabled.&nbsp;</span><span style="font-size:inherit;">If ERASEPROTECT is also enabled, then&nbsp;it blocks&nbsp; ERASEALL functionality. So the only recovery path is the KEY-based handshake that you have linked. (this requires a compatible firmware as stated in the documentation).</span></span></p> <p><span style="font-family:inherit;font-size:inherit;">Best Regards,</span></p> <p><span style="font-family:inherit;font-size:inherit;">Swathy</span></p> </div><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/564883?ContentTypeID=1Mon, 13 Apr 2026 18:46:47 GMT137ad170-7792-4731-bb38-c0d22fbe4515:d264cbda-fe02-4e28-aa04-32ebe70feb38BluePotion<p>Thanks! Your description helps a lot.</p> <p>Does software AP-Protect prevent the &quot;unlocking&quot; described <a href="https://docs.nordicsemi.com/bundle/nan_042/page/APP/nan_production_programming/approtect_eraseprotect_enabled.html">here</a>?&nbsp;<a id="" href="https://docs.nordicsemi.com/bundle/nan_042/page/APP/nan_production_programming/approtect_eraseprotect_enabled.html">https://docs.nordicsemi.com/bundle/nan_042/page/APP/nan_production_programming/approtect_eraseprotect_enabled.html</a></p> <p>Does software AP-Protect any future FW from disabling AP-Protect? Like, if the boot loader never changes and if it had AP-Protect enabled, can AP-Protect ever be disabled? Would the boot loader have to be updated?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/564852?ContentTypeID=1Mon, 13 Apr 2026 12:09:37 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a6beb17c-f94a-4753-8779-4468ab63788fSwRa<p>Hi Andrew,</p> <p><span>Enabling APPROTECT and Secure APPROTECT (SECUREAPPROTECT) on the nRF53 series are separate mechanisms</span><span>&nbsp;and must be configured independently. Setting APPROTECT does not</span><span>&nbsp;automatically enable SECUREAPPROTECT.&nbsp;</span><span>So no, neither supersedes one another.</span></p> <p><span> Same with HW and SW protection. They are complementary and does not supersede one another. You should use both together for maximum security. AP-Protect is controlled by&nbsp;both hardware and software. If only the hardware UICR register is set but the firmware does not lock AP-Protect in software, the software layer could potentially open the debug access port.</span></p> <p><span>I suggest that you go through the documentation here:&nbsp;<a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/security/ap_protect.html">https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/security/ap_protect.html</a>&nbsp;</span></p> <p><span>Best Regards,</span></p> <p><span>Swathy</span></p><div style="clear:both;"></div>