sysbuild: bootconf lock

Add bootloader immutability through RRAMC's region no.3
Applies before first boot.

Signed-off-by: Mateusz Michalek <[email protected]>

Author: michalek-no

cmake/sysbuild/bootconf.cmake

@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+function(setup_bootconf_data)
+    add_custom_target(bootconf_target
+      ALL
+      DEPENDS ${CMAKE_BINARY_DIR}/bootconf.hex
+    )
+
+  dt_nodelabel(boot_partition_node_full_path NODELABEL "boot_partition")
+  dt_reg_size(boot_partition_node_size PATH "${boot_partition_node_full_path}")
+  if(${boot_partition_node_size} GREATER 0x7c00)
+    message(WARNING "boot_partition doesn't fit into protection region.
+Protection will be applied over maximum allowed span.")
+  endif()
+
+    add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/bootconf.hex
+      COMMAND ${Python3_EXECUTABLE}
+        ${ZEPHYR_NRF_MODULE_DIR}/scripts/reglock.py
+        --output ${CMAKE_BINARY_DIR}/bootconf.hex
+        --size ${boot_partition_node_size}
+      VERBATIM
+    )
+
+endfunction()
+
+setup_bootconf_data()

modules/mcuboot/CMakeLists.txt

@@ -9,4 +9,5 @@ include(${ZEPHYR_NRF_MODULE_DIR}/modules/mcuboot/CMakeLists.txt)
 if(CONFIG_MCUBOOT AND CONFIG_NCS_BM)
   include(${ZEPHYR_NRF_BM_MODULE_DIR}/cmake/image_signing_softdevice.cmake)
   include(${ZEPHYR_NRF_BM_MODULE_DIR}/cmake/flash_metadata.cmake)
+  include(${ZEPHYR_NRF_BM_MODULE_DIR}/cmake/sysbuild/bootconf.cmake)
 endif()

sysbuild/Kconfig.bm

@@ -84,6 +84,13 @@ config BM_BOOT_IMG_HASH_ALG_PURE
 
 endchoice
 
+config BM_BOOT_BOOTCONF_LOCK_WRITES
+	bool "Protect bootloader's NVM from writes"
+	depends on SOC_NRF54L15_CPUAPP || SOC_NRF54L05_CPUAPP || SOC_NRF54L10_CPUAPP
+	default y
+	help
+	  Sets RRAMC's BOOTCONF region protection to disable writes.
+
 endmenu
 
 endif # BM_BOOTLOADER_MCUBOOT