How does the nRF52840 Access Control List (ACL) work exactly?

Of course I meant this code, with a '0', not an 'n' in ACL[...]:

#define PROTECTED_REGION_START *(uint32_t *) (START_ADDRESS)
#define PROTECTED_REGION_LENGHT 0x0000????

NRF_ACL->ACL[0].ADDR = PROTECTED_REGION_START;
NRF_ACL->ACL[0].PERM = ACL_ACL_PERM_READ_Disable;
NRF_ACL->ACL[0].SIZE = PROTECTED_REGION_LENGHT;

By blocking read access you will prevent the CPU from being able to read from that region of flash. Once set you will have to reset the device in order to read that region again. 

The most common use-case is to protect a cryptographic key from being read by an application. The scenario is that a secure bootloader uses this key during boot to verify a FW image and then enables the ACL read protection to prevent the application from reading this key, or alternatively executing instructions inside the ACL protected area.

Thanks.

So after a flash region is protected, no application code, no matter where in the flash it is located, can read the protected flash region?

Jupp. The CPU is completely blocked from reading or executing code from that region without exceptions, until the system resets and the ACL is cleared. Also note that you can only write to the ACL registers once, you will have to reset the system in order to re-write an ACL register. 

Hello haakonsh, nice details. Therefore, the difference with the APPROTECT register which protects the entire flash from reading is that the ACL blocks the access to CPU and not only to an external debugger? If yes, how the device can be compromised from the CPU if using only the APPROTECT register. Sorry for my unawareness am not a security expert.