ara_m: add command to lock write access to the ARA-M rules.

Recent versions of the ARA-M applet from Bertrand Martel can lock
the write access to ARA-M rules. Let's add a command for that and
some documentation.

Related: SYS#7245
Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c

docs/shell.rst

@@ -1,4 +1,4 @@
-pySim-shell
+pySim-shell
 ===========
 
 pySim-shell is an interactive command line shell for all kind of interactions with SIM cards,
@@ -1006,6 +1006,24 @@ ARA-M applet.  Use it with caution, there is no undo.  Any rules later
 intended must be manually inserted again using :ref:`aram_store_ref_ar_do`
 
 
+aram_lock
+~~~~~~~~~
+This command allows to lock the access to the STORE DATA command. This renders
+all access rules stored within the ARA-M applet effectively read-only. The lock
+can only be removed via a secure channel to the security domain and is therefore
+suitable to prevent unauthorized changes to ARA-M rules.
+
+Removal of the lock:
+::
+
+  pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> install_for_personalization A00000015141434C00
+  pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> apdu --expect-sw 9000 80E2900001A2
+
+NOTE: ARA-M Locking is a proprietary feature that is specific to sysmocom's
+fork of Bertrand Martel's ARA-M implementation. ARA-M Locking is supported in
+newer (2025) applet versions from v0.1.0 onward.
+
+
 GlobalPlatform commands
 -----------------------
 

pySim/ara_m.py

@@ -389,6 +389,11 @@ class ADF_ARAM(CardADF):
             if res_do:
                 self._cmd.poutput_json(res_do.to_dict())
 
+        def do_aram_lock(self, opts):
+            """Lock STORE DATA command to prevent unauthorized changes
+            (Proprietary feature that is specific to sysmocom's fork of Bertrand Martel’s ARA-M implementation.)"""
+            self._cmd.lchan.scc.send_apdu_checksw('80e2900001A1', '9000')
+
 
 # SEAC v1.1 Section 4.1.2.2 + 5.1.2.2
 sw_aram = {