doc/nrf/app_dev/../nrf54l/kmu_provision: correct desc. on west flash
Rephrase in order to be more precise: the keyfile.json generation and
the provisioning during flashing are separate features.
Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: divya pillai <[email protected]>
Signed-off-by: Anna Wojdylo <[email protected]>
doc/nrf/app_dev/device_guides/nrf54l/kmu_provision.rst (9 additions & 5 deletions)
@@ -140,13 +140,17 @@ Once you have an unprovisioned SoC, upload keys to the board by running one of t
140
140
Alternative provisioning method
141
141
*********************************
142
142
143
-
To simplify the development process, keys can be generated and provisioned at the same time as the flashing process
144
-
In the case of NSIB, enabling the ``SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option at the sysbuild level introduces an additional programming step that is triggered when you execute the ``west flash --recover`` command.
143
+
To simplify the development process, keys can be generated and then provisioned at the same time as the flashing process.
144
+
You can provision keys during flashing when the build directory contains the :file:`keyfile.json` file with commands, such as ``west flash --recover`` or ``west flash --erase``.
145
+
When flashing a project that contains NSIB, you can only use the ``west flash --recover``, as the programming file contains UICR provisioning data as well.
146
+
147
+
You can generate the :file:`keyfile.json` file during the build process (for example, when running ``west build``) if the :Kconfig:option:`SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE` or :Kconfig:option:`SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` Kconfig options are enabled.
148
+
These options enable, respectively, the NSIB and the MCUboot keys, included in the generated :file:`keyfile.json` file.
149
+
This file contains the necessary key provisioning information.
150
+
145
151
If you set the ``SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE`` Kconfig option to a PEM key file, that specific file will be used.
146
152
If not, the build will use the default key named :file:`GENERATED_NON_SECURE_SIGN_KEY_PRIVATE.pem`, which is located in the build directory.
147
-
148
-
For MCUboot configurations, activating the ``SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option at the sysbuild level allows to provision keys simultaneously with the flashing process. Provisioning step is triggered when you execute either ``west flash --recover`` or ``west flash --erase`` command.
149
-
MCUboot uses the key file designated by the ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE`` option.
153
+
Similarly, MCUboot uses the key file designated by the :Kconfig:option:`SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` option.
150
154
151
155
At the end of the described process the :file:`keyfile.json` file is generated in the build directory.
152
156
This file allows key provisioning to occur simultaneously with the flashing process.
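Review bot: The opening added sentence, "keys can be generated and then provisioned at the same time as the flashing process", still reads as if generation happens at flash time, which is the ambiguity the commit message sets out to remove. Consider "keys can be generated during the build and then provisioned during flashing". The added text also explains flashing with :file:`keyfile.json` before it explains how that file is produced, and the unchanged closing sentences ("At the end of the described process the :file:`keyfile.json` file is generated in the build directory. This file allows key provisioning to occur simultaneously with the flashing process.") now repeat what the new paragraph already says, with "the described process" no longer pointing at one clear step. Moving the generation paragraph ahead of the flashing paragraph and dropping or merging the two closing sentences would fix both. Smaller points: "you can only use the ``west flash --recover``" is missing its noun ("command"); "These options enable, respectively, the NSIB and the MCUboot keys, included in the generated" is hard to parse and could say which option adds which key to the file; and the added lines use the :Kconfig:option: role while the unchanged ``SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE`` line keeps a plain literal, so the same kind of option is marked up two ways in one section. Since the fallback key is named :file:`GENERATED_NON_SECURE_SIGN_KEY_PRIVATE.pem`, it would help to say outright that the generated default is meant for development only.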