bootloader: NSIB writes lock

Generate BOOTCONF contents to hex file and merge it.

Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no>
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>

Author: michalek-no

CODEOWNERS

@@ -696,6 +696,7 @@
 /scripts/west_commands/thingy91x_dfu.py   @nrfconnect/ncs-cia
 /scripts/west_commands/ncs_provision.py   @nrfconnect/ncs-pluto
 /scripts/bootloader/                      @nrfconnect/ncs-pluto
+/scripts/reglock.py                       @nrfconnect/ncs-pluto
 /scripts/ncs-docker-version.txt           @nrfconnect/ncs-ci
 /scripts/print_docker_image.sh            @nrfconnect/ncs-ci
 /scripts/print_toolchain_checksum.sh      @nrfconnect/ncs-ci

cmake/sysbuild/bootconf.cmake

@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+function(setup_bootconf_data)
+  if(SB_CONFIG_PARTITION_MANAGER)
+    add_custom_target(bootconf_target
+      DEPENDS ${CMAKE_BINARY_DIR}/bootconf.hex
+    )
+
+    add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/bootconf.hex
+      COMMAND ${Python3_EXECUTABLE}
+        ${ZEPHYR_NRF_MODULE_DIR}/scripts/reglock.py
+        --output ${CMAKE_BINARY_DIR}/bootconf.hex
+        --size $<TARGET_PROPERTY:partition_manager,PM_B0_SIZE>
+      DEPENDS ${APPLICATION_BINARY_DIR}/pm.config
+      VERBATIM
+    )
+
+    set_property(
+      GLOBAL PROPERTY
+      bootconf_PM_HEX_FILE
+      ${CMAKE_BINARY_DIR}/bootconf.hex
+    )
+
+    set_property(
+      GLOBAL PROPERTY
+      bootconf_PM_TARGET
+      bootconf_target
+    )
+  endif()
+endfunction()
+
+setup_bootconf_data()

cmake/sysbuild/partition_manager.cmake

@@ -498,19 +498,25 @@ foreach(d APP ${PM_DOMAINS})
 
   sysbuild_get(${image_name}_CONFIG_SOC_SERIES_NRF91X IMAGE ${image_name} VAR CONFIG_SOC_SERIES_NRF91X KCONFIG)
   sysbuild_get(${image_name}_CONFIG_SOC_NRF5340_CPUAPP IMAGE ${image_name} VAR CONFIG_SOC_NRF5340_CPUAPP KCONFIG)
+  sysbuild_get(${image_name}_CONFIG_SOC_SERIES_NRF54LX IMAGE ${image_name} VAR CONFIG_SOC_SERIES_NRF54LX KCONFIG)
   sysbuild_get(${image_name}_CONFIG_SOC_NRF54L15_CPUAPP IMAGE ${image_name} VAR CONFIG_SOC_NRF54L15_CPUAPP KCONFIG)
 
-  if (${image_name}_CONFIG_SOC_SERIES_NRF91X)
+  if(${image_name}_CONFIG_SOC_SERIES_NRF91X)
     # See nRF9160 Product Specification, chapter "UICR"
     set(otp_start_addr "0xff8108")
     set(otp_size 756) # 189 * 4
-  elseif (${image_name}_CONFIG_SOC_NRF5340_CPUAPP)
+  elseif(${image_name}_CONFIG_SOC_NRF5340_CPUAPP)
     # See nRF5340 Product Specification, chapter Application Core -> ... "UICR"
     set(otp_start_addr "0xff8100")
     set(otp_size 764)  # 191 * 4
-  elseif (DEFINED ${image_name}_CONFIG_SOC_NRF54L15_CPUAPP)
-    set(otp_start_addr "0xffd500")
-    set(otp_size 1276)  # 319 * 4
+  elseif(${image_name}_CONFIG_SOC_SERIES_NRF54LX)
+    set(bootconf_start_addr "0xffd080")
+    set(bootconf_size 4)
+
+    if(DEFINED ${image_name}_CONFIG_SOC_NRF54L15_CPUAPP)
+      set(otp_start_addr "0xffd500")
+      set(otp_size 1276)  # 319 * 4
+    endif()
   endif()
 
   sysbuild_get(${image_name}_CONFIG_SOC_SERIES_NRF54LX IMAGE ${image_name} VAR CONFIG_SOC_SERIES_NRF54LX KCONFIG)
@@ -543,6 +549,15 @@ foreach(d APP ${PM_DOMAINS})
       DOMAIN ${d}
       )
   endif()
+  if(${image_name}_CONFIG_SOC_SERIES_NRF54LX)
+    add_region(
+      NAME bootconf
+      SIZE ${bootconf_size}
+      BASE ${bootconf_start_addr}
+      PLACEMENT start_to_end
+      DOMAIN ${d}
+      )
+  endif()
   sysbuild_get(${image_name}_CONFIG_FLASH_BASE_ADDRESS IMAGE ${image_name} VAR CONFIG_FLASH_BASE_ADDRESS KCONFIG)
   add_region(
     NAME flash_primary

scripts/reglock.py

@@ -0,0 +1,74 @@
+# Copyright 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+NRF54L15 BOOTCONF generator.
+"""
+
+from intelhex import IntelHex
+import argparse
+import sys
+
+SIZE_MAX_KB = 31
+
+BOOTCONF_ADDR = 0x00FFD080
+
+READ_ALLOWED = 0x01
+WRITE_ALLOWED = 0x02
+EXECUTE_ALLOWED = 0x04
+SECURE = 0x08
+OWNER_NONE = 0x00
+OWNER_APP = 0x10
+OWNER_KMU = 0x20
+WRITEONCE = 0x10
+LOCK = 0x20
+
+def parse_args():
+    parser = argparse.ArgumentParser(
+        description="Generate RRAMC's BOOTCONF configuration hex",
+        formatter_class=argparse.RawDescriptionHelpFormatter, allow_abbrev=False)
+
+    parser.add_argument("-o", "--output", required=False, default="b0_lock.hex",
+                        type=argparse.FileType('w', encoding='UTF-8'),
+                        help="Output file name.")
+    parser.add_argument("-s", "--size", required=False, default="0x7C00",
+                        type=lambda x: hex(int(x, 0)),
+                        help="Size to lock.")
+    return parser.parse_args()
+
+
+def main():
+    args = parse_args()
+    size = int(args.size, 16)
+    if size % 1024:
+        sys.exit("error: requested size not aligned to 1k")
+    size = size // 1024
+    if size > SIZE_MAX_KB:
+        sys.exit("error: requested size too big")
+
+    payload = bytearray([
+        READ_ALLOWED | EXECUTE_ALLOWED | SECURE | OWNER_NONE,
+        LOCK,
+        size,
+        0x0
+        ])
+
+    h = IntelHex()
+    h.frombytes(bytes=payload, offset=BOOTCONF_ADDR)
+    h.tofile(args.output, 'hex')
+
+if __name__ == "__main__":
+    main()

subsys/partition_manager/CMakeLists.txt

@@ -77,6 +77,10 @@ if (CONFIG_NRF_MODEM_LIB)
   ncs_add_partition_manager_config(pm.yml.libmodem)
 endif()
 
+if(CONFIG_SOC_NRF54L15_CPUAPP)
+  ncs_add_partition_manager_config(pm.yml.bootconf)
+endif()
+
 # The default DTS configuration for the nRF5340 CPUAPP includes the
 # the shared SRAM region, so, inform the partition manager about this
 # region.

subsys/partition_manager/pm.yml.bootconf

@@ -0,0 +1,6 @@
+#if defined(CONFIG_SOC_SERIES_NRF54LX)
+bootconf:
+  address: 0xffd080
+  region: bootconf
+  size: 0x4
+#endif /* CONFIG_SOC_SERIES_NRF54LX */

sysbuild/CMakeLists.txt

@@ -506,6 +506,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
     endif()
   endif()
 
+  if(SB_CONFIG_SECURE_BOOT_BOOTCONF_LOCK_WRITES)
+    set_config_bool(b0 CONFIG_FPROTECT_ALLOW_COMBINED_REGIONS n)
+  endif()
+
   if(SB_CONFIG_SECURE_BOOT_NETCORE)
     if(NOT SB_CONFIG_NETCORE_NONE)
       set_config_bool(${SB_CONFIG_NETCORE_IMAGE_NAME} CONFIG_SECURE_BOOT y)
@@ -736,6 +740,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake)
     include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/nrf700x.cmake)
   endif()
 
+  if(SB_CONFIG_SECURE_BOOT_BOOTCONF_LOCK_WRITES)
+    include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/bootconf.cmake)
+  endif()
+
   if(SB_CONFIG_DFU_ZIP)
     if(SB_CONFIG_BOOTLOADER_MCUBOOT)
       include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/zip.cmake)

sysbuild/Kconfig.secureboot

@@ -339,6 +339,17 @@ config SECURE_BOOT_PUBLIC_KEY_FILES
 	  empty string then only the public key hash corresponding to the private signing key used
 	  to sign the image is included in provision.hex.
 
+config SUPPORT_SECURE_BOOT_BOOTCONF_LOCK_WRITES
+	bool
+	depends on !FPROTECT_ALLOW_COMBINED_REGIONS
+	default y if SOC_NRF54L15_CPUAPP
+
+config SECURE_BOOT_BOOTCONF_LOCK_WRITES
+	bool "Protect bootloader's NVM from writes"
+	depends on SUPPORT_SECURE_BOOT_BOOTCONF_LOCK_WRITES
+	help
+	  Sets RRAMC's BOOTCONF region protection to disable writes.
+
 config SECURE_BOOT_DEBUG_SIGNATURE_PUBLIC_KEY_LAST
 	bool "[DEBUG] Place signing public key last"
 	default n