tfm: Lock Approtect in network core

With nRF53, allow the network core Approtect to be locked from TF-M.

This is done when we are transitioning from provisioning LCS to
secure LCS.

Signed-off-by: Markus Lassila <markus.lassila@nordicsemi.no>

modules/trusted-firmware-m/Kconfig.tfm.pm

@@ -15,7 +15,7 @@ config PM_PARTITION_SIZE_TFM_SRAM
 	# assigning 0x16000 of RAM to TFM will not leave enough RAM for
 	# Matter. So we use 0x13000 of RAM on 54L.
 	default 0x13000 if SOC_SERIES_NRF54LX
-	default 0x16000 if SOC_SERIES_NRF91X
+	default 0x16000 if SOC_SERIES_NRF91X || SOC_SERIES_NRF53X
 	default 0x30000
 	help
 	  Memory set aside for the TFM_SRAM partition.

modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c

@@ -16,6 +16,51 @@
 #include "nrf_provisioning.h"
 #include <identity_key.h>
 #include <tfm_spm_log.h>
+#ifdef NRF53_SERIES
+#include <dfu/pcd_common.h>
+#include <spu.h>
+#include <hal/nrf_reset.h>
+
+static struct pcd_cmd *cmd = (struct pcd_cmd *)PCD_CMD_ADDRESS;
+
+static void pcd_write_cmd_lock_debug(void)
+{
+	cmd->magic = PCD_CMD_MAGIC_LOCK_DEBUG;
+	cmd->data = NULL;
+	cmd->len = 0;
+	cmd->offset = 0;
+}
+
+static bool pcd_read_cmd_done(void)
+{
+	return cmd->magic == PCD_CMD_MAGIC_DONE;
+}
+
+static enum tfm_plat_err_t disable_netcore_debug(void)
+{
+	/* NRF_RESET to secure. It will be configured non-secure after the provisioning is done. */
+	spu_peripheral_config_secure(NRF_RESET_S_BASE, SPU_LOCK_CONF_UNLOCKED);
+
+	/* Ensure that the network core is stopped. */
+	nrf_reset_network_force_off(NRF_RESET, true);
+
+	/* Debug lock command will be read in b0n startup. */
+	pcd_write_cmd_lock_debug();
+
+	/* Start the network core. */
+	nrf_reset_network_force_off(NRF_RESET, false);
+
+	/* Wait for the network core to start up. */
+	NRFX_DELAY_US(1000000);
+
+	if (!pcd_read_cmd_done()) {
+		SPMLOG_ERRMSG("Failed to lock debug in network core.");
+		return TFM_PLAT_ERR_SYSTEM_ERR;
+	}
+
+	return TFM_PLAT_ERR_SUCCESS;
+}
+#endif /* NRF53_SERIES */
 
 static enum tfm_plat_err_t verify_debug_disabled(void)
 {
@@ -71,10 +116,18 @@ enum tfm_plat_err_t tfm_plat_provisioning_perform(void)
 	 * that secure boot is already enabled at this stage
 	 */
 
+	/* Application debug should already be disabled */
 	if (verify_debug_disabled() != TFM_PLAT_ERR_SUCCESS) {
 		return TFM_PLAT_ERR_SYSTEM_ERR;
 	}
 
+#ifdef NRF53_SERIES
+	/* Disable network core debug in here */
+	if (disable_netcore_debug() != TFM_PLAT_ERR_SUCCESS) {
+		return TFM_PLAT_ERR_SYSTEM_ERR;
+	}
+#endif
+
 	/* Transition to the SECURED lifecycle state */
 	if (tfm_attest_update_security_lifecycle_otp(TFM_SLC_SECURED) != 0) {
 		return TFM_PLAT_ERR_SYSTEM_ERR;

modules/trusted-firmware-m/tfm_boards/partition/region_defs.h

@@ -151,23 +151,23 @@
 
 #ifdef PM_MCUBOOT_ADDRESS
 #define REGION_MCUBOOT_ADDRESS	   PM_MCUBOOT_ADDRESS
-#define REGION_MCUBOOT_END_ADDRESS PM_MCUBOOT_END_ADDRESS
+#define REGION_MCUBOOT_LIMIT       PM_MCUBOOT_END_ADDRESS - 1
 #endif
 #ifdef PM_B0_ADDRESS
 #define REGION_B0_ADDRESS     PM_B0_ADDRESS
-#define REGION_B0_END_ADDRESS PM_B0_END_ADDRESS
+#define REGION_B0_LIMIT       PM_B0_END_ADDRESS - 1
 #endif
 #ifdef PM_S0_ADDRESS
 #define REGION_S0_ADDRESS     PM_S0_ADDRESS
-#define REGION_S0_END_ADDRESS PM_S0_END_ADDRESS
+#define REGION_S0_LIMIT       PM_S0_END_ADDRESS - 1
 #endif
 #ifdef PM_S1_ADDRESS
 #define REGION_S1_ADDRESS     PM_S1_ADDRESS
-#define REGION_S1_END_ADDRESS PM_S1_END_ADDRESS
+#define REGION_S1_LIMIT       PM_S1_END_ADDRESS - 1
 #endif
 #ifdef PM_PCD_SRAM_ADDRESS
 #define REGION_PCD_SRAM_ADDRESS	    PM_PCD_SRAM_ADDRESS
-#define REGION_PCD_SRAM_END_ADDRESS PM_PCD_SRAM_END_ADDRESS
+#define REGION_PCD_SRAM_LIMIT       PM_PCD_SRAM_END_ADDRESS - 1
 #endif
 
 #endif /* __REGION_DEFS_H__ */