sysbuild: Add KMU provisioning and allow KMU usage #357
You can find the documentation preview for this PR here.
@nvlsianpu @michalek-no please review
LGTM, although can't build without patching.
doc is fine - can be tweaked by the writers based on NCS doc content.
sysbuild/Kconfig.bm
Outdated
config BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU | ||
bool "Use KMU stored keys for signature verification" | ||
depends on SOC_SERIES_NRF54LX | ||
depends on BOOT_SIGNATURE_TYPE_ED25519 |
shouldn't it depend on BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 instead?
good shout, yes
Fixed
sysbuild/Kconfig.bm
Outdated
|
||
config BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE | ||
bool "Generate default keyfile for provisioning during build" | ||
depends on MCUBOOT_SIGNATURE_USING_KMU |
shouldn't it depend on the above property?
Fixed
With patches this PR will make provisioning work:
-- runners.nrfutil: Flashing file: /home/anpu/BM/nrf-bm/samples/boot/mcuboot_recovery_entry/build/mcuboot/zephyr/zephyr_signed_softdevice_flash_metadata.hex
-- runners.nrfutil: Provisioning key file: /home/anpu/BM/nrf-bm/samples/boot/mcuboot_recovery_entry/build/keyfile.json
-- runners.nrfutil: Erasing non-volatile memory (ERASEALL)
-- runners.nrfutil: Programming image
-- runners.nrfutil: Verifying image
-- runners.nrfutil: KEY Provision
-- runners.nrfutil: Board(s) with serial number(s) 1057721615 flashed successfully.
-- west flash: using runner nrfutil
although application isn't booted
I've used samples/boot/mcuboot_recovery_entry
It won't boot because it programs UROT key and needs the sdk-mcuboot PR to be usable with the correct slot (think it was BTT or Frank that requested MCUboot use UROT key slots when b0 is not present). Have added manifest update
9bd7565 to a2a3ed9
The following west manifest projects have changed revision in this Pull Request:
✅ All manifest checks OK
Note: This message is automatically posted and updated by the Manifest GitHub Action.
a2a3ed9 to 9d573f8
No, I checked that we hardcoded sdk-mcuboot to use URTO_PUBKEY.
9d573f8 to cc69fcd
cd9d115 to 5e19161
sysbuild/Kconfig.bm
Outdated
bool "Use KMU stored keys for signature verification" | ||
depends on SOC_SERIES_NRF54LX && BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 | ||
help | ||
The device needs to be provisioned with proper set of keys. |
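Review bot: the help text on the last line says the device must be provisioned but gives no pointer to how, and does not say what the bootloader does when the keys are absent. Suggest naming the provisioning path in the help (for example the BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE option defined in this same file) and stating the expected behaviour on an unprovisioned device, so that a user enabling this option knows an extra step is required before the image can be verified.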
The device needs to be provisioned with proper set of keys. | |
The device needs to be provisioned with the proper set of keys. |
fixed
This is now needed by sdk-zephyr
Signed-off-by: Jamie McCrae <[email protected]>
Includes an sdk-mcuboot update to fix the slot IDs for KMU usage
Signed-off-by: Jamie McCrae <[email protected]>
slot0_partition: partition@a000 { | ||
label = "slot0"; | ||
reg = <0x0000b000 DT_SIZE_K(282)>; | ||
reg = <0x000a000 DT_SIZE_K(286)>; |
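Review bot: the new reg value on the last line is written 0x000a000 (seven hex digits) while the line it replaces uses the eight-digit form 0x0000b000; pad it to 0x0000a000 so it matches the surrounding style and is easy to check against the partition@a000 unit address. The start address moves down by 4 KiB and the size grows from 282 to 286 KiB, so the end of slot0 is unchanged and the partition in front of it has to shrink by the same 4 KiB; please confirm that node's reg is adjusted in the same change so the two do not overlap.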
The board yaml files must be updated.
Fixed
Changelog entry?
c555c2a to 0ac9ddd
.. _ug_bootloader_keys_using: | ||
|
||
Using a key in a project | ||
------------------------ |
Can you please change this and previous header underlines to asterisks (except for the main title of course)
------------------------ | |
************************* |
Fixed
Allows usage of KMU in MCUboot for the signature verification and copies the KMU provisioning script from NCS with changes for BM
Signed-off-by: Jamie McCrae <[email protected]>
Enables storing the key in KMU. This means existing images from previous versions of BM are not compatible with the new configuration and must be manually changed to be compatible by using the built-in key instead, but KMU offers much greater protection of the key data and enhances security
Signed-off-by: Jamie McCrae <[email protected]>
Adds a non-KMU (built-in key) build of this sample, which used to be the default in previous versions of BM
Signed-off-by: Jamie McCrae <[email protected]>
Adds a section on how to use the KMU
Signed-off-by: Jamie McCrae <[email protected]>
Disables some options including system clock support for MCUboot to reduce the size of the application as they are not needed
Signed-off-by: Jamie McCrae <[email protected]>
Due to optimisations applied to MCUboot configuration, the size of the partition can be reduced to 31KiB which allows memory protection to be applied to the section using a single protection region, and even with logs enabled there is still spare space available in the slot
Signed-off-by: Jamie McCrae <[email protected]>
The minimum sizes for release builds are now smaller
Signed-off-by: Jamie McCrae <[email protected]>
Adds the recent changes to DFU to the documentation
Signed-off-by: Jamie McCrae <[email protected]>