[nrfconnect] Enabled factory data protection from write in internal m…

…emory Factory data flash partition should be protected from write by firmware and OTA DFU. This partition can be replaced only via programmer.
project-chip · Jul 1, 2022 · f1477c7 · f1477c7
1 parent a45d571
commit f1477c7
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 1 deletion.
diff --git a/config/nrfconnect/chip-module/Kconfig b/config/nrfconnect/chip-module/Kconfig
@@ -78,6 +78,7 @@ config CHIP_DEBUG_SYMBOLS
 config CHIP_FACTORY_DATA
 	bool "Enable Factory Data support"
 	select ZCBOR
+	select FPROTECT
 	help
 	  Enables support for reading factory data from flash memory partition.
 	  It requires factory_data partition to exist in the partition manager 

diff --git a/docs/guides/nrfconnect_factory_data_configuration.md b/docs/guides/nrfconnect_factory_data_configuration.md
@@ -22,6 +22,12 @@ For the nRF Connect platform, the factory data is stored by default in a
 separate partition of the internal flash memory. This helps to keep the factory
 data secure by applying hardware write protection.
 
+> Note: Due to hardware limitations, in the nRF Connect platform, protection
+> against writing can be applied only to the internal memory partition. The
+> [Fprotect](https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/others/fprotect.html)
+> is the hardware flash protection driver, and we used it to ensure write
+> protection of the factory data partition in internal flash memory.
+
 <p align="center">
   <img src="../../examples/platform/nrfconnect/doc/images/Logo_RGB_H-small.png" alt="Nordic Semiconductor logo"/>
   <img src="../../examples/platform/nrfconnect/doc/images/nRF52840-DK-small.png" alt="nRF52840 DK">

diff --git a/src/platform/nrfconnect/FactoryDataProvider.cpp b/src/platform/nrfconnect/FactoryDataProvider.cpp
@@ -42,7 +42,15 @@ CHIP_ERROR FactoryDataProvider<FlashFactoryData>::Init()
     uint8_t * factoryData = nullptr;
     size_t factoryDataSize;
 
-    CHIP_ERROR error = mFlashFactoryData.GetFactoryDataPartition(factoryData, factoryDataSize);
+    CHIP_ERROR error = mFlashFactoryData.ProtectFactoryDataPartitionAgainstWrite();
+
+    if (error != CHIP_NO_ERROR)
+    {
+        ChipLogError(DeviceLayer, "Failed to protect the factory data partition");
+        return error;
+    }
+
+    error = mFlashFactoryData.GetFactoryDataPartition(factoryData, factoryDataSize);
 
     if (error != CHIP_NO_ERROR)
     {

diff --git a/src/platform/nrfconnect/FactoryDataProvider.h b/src/platform/nrfconnect/FactoryDataProvider.h
@@ -22,6 +22,7 @@
 #include <platform/DeviceInstanceInfoProvider.h>
 
 #include <drivers/flash.h>
+#include <fprotect.h>
 #include <pm_config.h>
 
 #include "FactoryDataParser.h"
@@ -37,6 +38,12 @@ struct InternalFlashFactoryData
         dataSize = PM_FACTORY_DATA_SIZE;
         return CHIP_NO_ERROR;
     }
+
+    CHIP_ERROR ProtectFactoryDataPartitionAgainstWrite()
+    {
+        int ret = fprotect_area(PM_FACTORY_DATA_ADDRESS, PM_FACTORY_DATA_SIZE);
+        return System::MapErrorZephyr(ret);
+    }
 };
 
 struct ExternalFlashFactoryData
@@ -56,6 +63,8 @@ struct ExternalFlashFactoryData
         return CHIP_NO_ERROR;
     }
 
+    CHIP_ERROR ProtectFactoryDataPartitionAgainstWrite() { return CHIP_ERROR_NOT_IMPLEMENTED; }
+
     const struct device * mFlashDevice = DEVICE_DT_GET(DT_CHOSEN(zephyr_flash_controller));
     uint8_t mFactoryDataBuffer[PM_FACTORY_DATA_SIZE];
 };