diff --git a/plat/renesas/rcar/bl2_secure_setting.c b/plat/renesas/rcar/bl2_secure_setting.c
index 35c658c0dcdae9a008c1432f70443099d8ec4c18..c0d49debc711b601ea6de5a239d268a03f2bc7aa 100644
--- a/plat/renesas/rcar/bl2_secure_setting.c
+++ b/plat/renesas/rcar/bl2_secure_setting.c
@@ -66,7 +66,9 @@ static const struct {
/* {SEC_SEL12, 0xFFFFFFFFU}, */
/* Bit22: RPC slave ports. */
/* 0: registers accessed from secure resource only. */
- /* {SEC_SEL13, 0xFFBFFFFFU},*/
+#if (RCAR_RPC_HYPERFLASH_LOCKED == 1)
+ {SEC_SEL13, 0xFFBFFFFFU},
+#endif
/* Bit27: System Timer (SCMT) slave ports */
/* 0: registers accessed from secure resource only */
/* Bit26: System Watchdog Timer (SWDT) slave ports */
@@ -183,8 +185,10 @@ static const struct {
/** Security group 1 attribute setting for slave ports 13 */
/* Bit22: RPC slave ports. */
/* SecurityGroup3 */
- /* {SEC_GRP0COND13, 0x00400000U}, */
- /* {SEC_GRP1COND13, 0x00400000U}, */
+#if (RCAR_RPC_HYPERFLASH_LOCKED == 1)
+ {SEC_GRP0COND13, 0x00400000U},
+ {SEC_GRP1COND13, 0x00400000U},
+#endif
/** Security group 0 attribute setting for slave ports 14 */
/** Security group 1 attribute setting for slave ports 14 */
/* Bit26: System Timer (SCMT) slave ports */
diff --git a/plat/renesas/rcar/platform.mk b/plat/renesas/rcar/platform.mk
index 95b7902f0e7380a3e7bc3ce2847c4923742d6d2e..f7d6216a84061816797e2ebb021d53f3a1dc7d98 100644
--- a/plat/renesas/rcar/platform.mk
+++ b/plat/renesas/rcar/platform.mk
@@ -137,6 +137,13 @@ else
$(eval $(call add_define,RCAR_LSI))
endif
+# lock RPC HYPERFLASH access by default
+# unlock to repogram the ATF firmware from u-boot
+ifndef RCAR_RPC_HYPERFLASH_LOCKED
+RCAR_RPC_HYPERFLASH_LOCKED := 1
+endif
+$(eval $(call add_define,RCAR_RPC_HYPERFLASH_LOCKED))
+
# Process RCAR_SECURE_BOOT flag
ifndef RCAR_SECURE_BOOT
RCAR_SECURE_BOOT := 1