nrfconnect · eivindj-nordic · Oct 9, 2025 · Sep 24, 2025 · Sep 24, 2025 · Sep 12, 2025
@@ -26,6 +26,17 @@ choice BM_BOOTLOADER
 	default BM_BOOTLOADER_MCUBOOT
 endchoice
 
+choice BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE
+	default BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519
+endchoice
+
+config BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU
+	default y
+
+choice BM_BOOTLOADER_MCUBOOT_IMG_HASH_ALG
+	default BM_BOOT_IMG_HASH_ALG_PURE
+endchoice
+
 choice BM_FIRMWARE_LOADER
 	default BM_FIRMWARE_LOADER_BT_MCUMGR
 endchoice

@@ -48,14 +48,14 @@
 
 		boot_partition: partition@0 {
 			label = "boot";
-			reg = <0x00000000 DT_SIZE_K(36)>;
+			reg = <0x00000000 DT_SIZE_K(31)>;
 		};
 
-		storage_partition: partition@9000 {
+		storage_partition: partition@7c00 {
 			compatible = "fixed-subpartitions";
 			label = "storage";
-			reg = <0x00009000 DT_SIZE_K(8)>;
-			ranges = <0x0 0x9000 DT_SIZE_K(8)>;
+			reg = <0x00007c00 DT_SIZE_K(8)>;
+			ranges = <0x0 0x7c00 DT_SIZE_K(8)>;
 			#address-cells = <1>;
 			#size-cells = <1>;
 
@@ -70,9 +70,11 @@
 			};
 		};
 
-		slot0_partition: partition@b000 {
+		/* Area from 0x9c00 to 0xa000 is unused due to alignment */
+
+		slot0_partition: partition@a000 {
 			label = "slot0";
-			reg = <0x0000b000 DT_SIZE_K(282)>;
+			reg = <0x0000a000 DT_SIZE_K(286)>;
 		};
 
 		slot1_partition: partition@51800 {

@@ -14,4 +14,4 @@ toolchain:
   - zephyr
 sysbuild: true
 ram: 78
-flash: 282
+flash: 286
@@ -48,14 +48,14 @@
 
 		boot_partition: partition@0 {
 			label = "boot";
-			reg = <0x00000000 DT_SIZE_K(36)>;
+			reg = <0x00000000 DT_SIZE_K(31)>;
 		};
 
-		storage_partition: partition@9000 {
+		storage_partition: partition@7c00 {
 			compatible = "fixed-subpartitions";
 			label = "storage";
-			reg = <0x00009000 DT_SIZE_K(8)>;
-			ranges = <0x0 0x9000 DT_SIZE_K(8)>;
+			reg = <0x00007c00 DT_SIZE_K(8)>;
+			ranges = <0x0 0x7c00 DT_SIZE_K(8)>;
 			#address-cells = <1>;
 			#size-cells = <1>;
 
@@ -70,9 +70,11 @@
 			};
 		};
 
-		slot0_partition: partition@b000 {
+		/* Area from 0x9c00 to 0xa000 is unused due to alignment */
+
+		slot0_partition: partition@a000 {
 			label = "slot0";
-			reg = <0x0000b000 DT_SIZE_K(794)>;
+			reg = <0x0000a000 DT_SIZE_K(798)>;
 		};
 
 		slot1_partition: partition@d1800 {

@@ -14,4 +14,4 @@ toolchain:
   - zephyr
 sysbuild: true
 ram: 174
-flash: 794
+flash: 798
@@ -48,14 +48,14 @@
 
 		boot_partition: partition@0 {
 			label = "boot";
-			reg = <0x00000000 DT_SIZE_K(36)>;
+			reg = <0x00000000 DT_SIZE_K(31)>;
 		};
 
-		storage_partition: partition@9000 {
+		storage_partition: partition@7c00 {
 			compatible = "fixed-subpartitions";
 			label = "storage";
-			reg = <0x00009000 DT_SIZE_K(8)>;
-			ranges = <0x0 0x9000 DT_SIZE_K(8)>;
+			reg = <0x00007c00 DT_SIZE_K(8)>;
+			ranges = <0x0 0x7c00 DT_SIZE_K(8)>;
 			#address-cells = <1>;
 			#size-cells = <1>;
 
@@ -70,9 +70,11 @@
 			};
 		};
 
-		slot0_partition: partition@b000 {
+		/* Area from 0x9c00 to 0xa000 is unused due to alignment */
+
+		slot0_partition: partition@a000 {
 			label = "slot0";
-			reg = <0x0000b000 DT_SIZE_K(1306)>;
+			reg = <0x0000a000 DT_SIZE_K(1310)>;
 		};
 
 		slot1_partition: partition@151800 {

@@ -14,4 +14,4 @@ toolchain:
   - zephyr
 sysbuild: true
 ram: 238
-flash: 1306
+flash: 1310
@@ -0,0 +1,37 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+# This script defines a CMake target 'generate_kmu_keyfile_json' to create keyfile.json
+# using 'west ncs-provision upload --dry-run'.
+
+# --- Construct the list of commands and dependencies ---
+set(kmu_json_commands "")
+set(kmu_json_dependencies "")
+
+# Update keyfile for BL_PUBKEY
+string(CONFIGURE "${SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE}" mcuboot_signature_key_file)
+list(APPEND kmu_json_commands
+  COMMAND ${Python3_EXECUTABLE} -m west ncs-provision upload
+    --keyname BL_PUBKEY
+    --key ${mcuboot_signature_key_file}
+    --build-dir ${CMAKE_BINARY_DIR}
+    --dry-run
+)
+list(APPEND kmu_json_dependencies ${mcuboot_signature_key_file})
+
+# --- Add custom command to generate/update keyfile.json ---
+if(NOT kmu_json_commands STREQUAL "")
+  add_custom_command(
+    OUTPUT ${CMAKE_BINARY_DIR}/keyfile.json
+    ${kmu_json_commands} # Expands to one or more COMMAND clauses
+    DEPENDS ${kmu_json_dependencies}
+    COMMENT "Generating/Updating KMU keyfile JSON (${CMAKE_BINARY_DIR}/keyfile.json)"
+    VERBATIM
+  )
+
+  # --- Add custom target to trigger the generation ---
+  add_custom_target(
+    generate_kmu_keyfile_json ALL
+    DEPENDS ${CMAKE_BINARY_DIR}/keyfile.json
+  )
+endif()
@@ -9,7 +9,7 @@ This key should only be used for development purposes.
 For testing and production use cases, unique signing keys must be generated and kept secure (one key per project) to ensure the integrity of firmware update security.
 
 Signature type
---------------
+**************
 
 MCUboot in |BMshort| supports the following signature types:
 
@@ -28,13 +28,37 @@ MCUboot in |BMshort| supports the following signature types:
 .. _ug_bootloader_keys_generating:
 
 Generating a key
-----------------
+****************
 
 See `Image tool`_ documentation for details on the ``imgtool`` which includes details on how to generate a signing key.
 
 .. _ug_bootloader_keys_using:
 
 Using a key in a project
-------------------------
+************************
 
 Once a key has been generated, it can be used in a project by setting the :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option to the absolute path of the generated ``.pem`` key file.
+
+.. _ug_bootloader_kmu:
+
+KMU (Key Management Unit)
+*************************
+
+The nRF54L Series devices include an integrated Key Management Unit (KMU).
+This on-die peripheral is designed to work with CRACEN, enabling secure storage and usage of cryptographic keys.
+It also prevents the keys from being externally read, thus enhancing security.
+
+Firmware booting with KMU
+=========================
+
+To boot an image that uses the KMU feature, you must program the MCUboot signing key into the KMU before loading the firmware.
+If you do not perform this step, the device will not boot.
+You can enable this setup through the :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU` Kconfig option.
+
+Automatic key programming
+=========================
+
+The configuration option :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`, enabled by default, automates the programming of the public key file to the board.
+This automation occurs when you use the ``west flash`` command with the ``--erase`` or ``--recover`` arguments.
+It is essential to run this command first after building the project to prepare the board for development.
+For more information about KMU on the nRF54L Series, see `Introduction to KMU key provisioning`_ and `Performing KMU provisioning`_.
@@ -18,20 +18,21 @@ Partition Configuration
 The memory of your device must be partitioned appropriately to accommodate the bootloader, application, and firmware update mechanisms.
 |BMshort| uses Zephyr's `DTS`_ system for memory partitioning.
 
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| Partition Name           | Description                                                   | Minimum size  |br| | Minimum size |br| |
-|                          |                                                               | (Development)      | (Release)         |
-+==========================+===============================================================+====================+===================+
-| ``boot_partition``       | Bootloader (MCUboot)                                          | 36 KB              | 28 KB             |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| ``slot0_partition``      | Main application slot                                         |                    |                   |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| ``slot1_partition``      | `Firmware loader`_                                            | 44 KB              | 28 KB             |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| ``softdevice_partition`` | For the SoftDevice, including an MCUboot header of size 0x800 |                                        |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| ``metadata_partition``   | Stores metadata, placed at the last 0x200 of NVM              |                    |                   |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
++--------------------------+---------------------------------------------------------------+--------------------+-------------------------+
+| Partition Name           | Description                                                   | Minimum size  |br| | Minimum size |br|       |
+|                          |                                                               | (Development)      | (Release)               |
++==========================+===============================================================+====================+=========================+
+| ``boot_partition``       | Bootloader (MCUboot)                                          | 31 KiB             | 21 KiB (using KMU) |br| |
+|                          |                                                               |                    | 26 KiB (without KMU)    |
++--------------------------+---------------------------------------------------------------+--------------------+-------------------------+
+| ``slot0_partition``      | Main application slot                                         |                    |                         |
++--------------------------+---------------------------------------------------------------+--------------------+-------------------------+
+| ``slot1_partition``      | `Firmware loader`_                                            | 44 KiB             | 28 KiB                  |
++--------------------------+---------------------------------------------------------------+--------------------+-------------------------+
+| ``softdevice_partition`` | For the SoftDevice, including an MCUboot header of size 0x800 |                                              |
++--------------------------+---------------------------------------------------------------+--------------------+-------------------------+
+| ``metadata_partition``   | Stores metadata, placed at the last 0x200 of NVM              |                    |                         |
++--------------------------+---------------------------------------------------------------+--------------------+-------------------------+
 
 .. note::
    The sizes and configurations of slot0 and slot1 are asymmetrical.

@@ -60,6 +60,8 @@
 .. _`System reset`: https://docs.zephyrproject.org/latest/services/device_mgmt/smp_groups/smp_group_0.html#system-reset
 .. _`Image tool`: https://docs.mcuboot.com/imgtool.html
 .. _`Vector table requirement`: https://developer.arm.com/documentation/100235/0002/sqf1486724325622
+.. _`Introduction to KMU key provisioning`: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/device_guides/nrf54l/kmu_basics.html
+.. _`Performing KMU provisioning`: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/device_guides/nrf54l/kmu_provision.html
 
 .. ### Release notes
 

@@ -32,12 +32,18 @@ No changes since the latest nRF Connect SDK Bare Metal release.
 Boards
 ======
 
-No changes since the latest nRF Connect SDK Bare Metal release.
+* MCUboot partition size has been reduced from 36 KiB to 31 KiB for the following board targets:
+
+  * `bm_nrf54l15dk/nrf54l05/cpuapp/s115_softdevice/mcuboot`
+  * `bm_nrf54l15dk/nrf54l10/cpuapp/s115_softdevice/mcuboot`
+  * `bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot`
 
 DFU
 ===
 
-No changes since the latest nRF Connect SDK Bare Metal release.
+* Support for KMU usage for MCUboot keys has been added, along with west auto-provisioning support (`west flash --erase` or `west flash --recover` must be used during first programming of a board to program the KMU with the keys).
+  This feature can be controlled with sysbuild Kconfig options :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU` to use KMU for key storage and :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` to auto-provision the KMU when using the above west flash commands.
+* The code for the UART MCUmgr application has now been refactored into a separate library to facilitate reuse in other applications.
 
 Logging
 =======

@@ -32,3 +32,21 @@ tests:
     tags:
       - sysbuild
       - uart
+  sample.boot.mcuboot_recovery_retention.uart.builtin.key:
+    sysbuild: true
+    build_only: true
+    integration_platforms:
+      - bm_nrf54l15dk/nrf54l05/cpuapp/s115_softdevice/mcuboot
+      - bm_nrf54l15dk/nrf54l10/cpuapp/s115_softdevice/mcuboot
+      - bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot
+    platform_allow:
+      - bm_nrf54l15dk/nrf54l05/cpuapp/s115_softdevice/mcuboot
+      - bm_nrf54l15dk/nrf54l10/cpuapp/s115_softdevice/mcuboot
+      - bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot
+    extra_args:
+      - SB_CONFIG_BM_FIRMWARE_LOADER_UART_MCUMGR=y
+      - SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU=n
+    tags:
+      - sysbuild
+      - uart
+      - kmu
@@ -2,3 +2,4 @@ setuptools
 wheel
 west
 gitlint
+python-dotenv
@@ -22,6 +22,7 @@ function(bm_install_setup)
       )
 
       add_overlay_dts(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/FIRMWARE_LOADER_image_default.overlay)
+      add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/BOOTLOADER_image_default.conf)
 
       # Enable LTO on MCUboot image
       add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/lto.conf)
@@ -43,11 +44,13 @@ function(bm_install_setup)
         set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
       elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE)
         set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
-        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
+        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
         set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
         set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
       endif()
 
       if(SB_CONFIG_SOC_SERIES_NRF54LX)
@@ -64,9 +67,19 @@ function(bm_install_setup)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
           set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
-          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
           set_config_bool(mcuboot CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN y)
-          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
+
+          if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU)
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+            set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER n)
+            set_config_bool(mcuboot CONFIG_MBEDTLS_ENABLE_HEAP n)
+            set_config_bool(mcuboot CONFIG_PSA_CORE_LITE y)
+            set_config_bool(mcuboot CONFIG_PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS y)
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+          else()
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+            set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
+          endif()
         endif()
       endif()
 
@@ -271,6 +284,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake)
       ALL
       DEPENDS ${CMAKE_BINARY_DIR}/production.hex
     )
+
+    if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE)
+      include(${ZEPHYR_NRF_BM_MODULE_DIR}/cmake/sysbuild/generate_default_keyfile.cmake)
+    endif()
   endif()
 endfunction()
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,3 +2,4 @@ setuptools @@
     wheel
     west
     gitlint
+    python-dotenv