sysbuild: Disable SHA512/ed25519 Kconfigs when mode not selected

nordicjm · nordicjm · commit 02fb95a3698c · 2025-01-20T11:24:26.000Z
Forces some Kconfig options to ``n`` in the main image when they
are not selected in sysbuild

Signed-off-by: Jamie McCrae &lt;jamie.mccrae@nordicsemi.no&gt;
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
@@ -231,40 +231,45 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
     endforeach()
 
     # The NRF54LX goes with PSA crypto by default
-    if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
-      set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
-      set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
-      set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
-
-      # We are sure that ED25519 signature on MCUboot does not need these
-      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_CIPHER_DRIVER n)
-      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_AEAD_DRIVER n)
-      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER n)
-      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
-      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_PAKE_DRIVER n)
-      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
-
-      if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
-        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
-      else()
-        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
-      endif()
+    if(SB_CONFIG_SOC_SERIES_NRF54LX)
+      if(SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+        set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+
+        # We are sure that ED25519 signature on MCUboot does not need these
+        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_CIPHER_DRIVER n)
+        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_AEAD_DRIVER n)
+        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER n)
+        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
+        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_PAKE_DRIVER n)
+        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
+
+        if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
+          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+        else()
+          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+        endif()
 
-      if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
-        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-      else()
-        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
-      endif()
+        if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+          set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+        else()
+          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
+          set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+        endif()
 
-      # MCUboot uses hash function to identify key internally when KMU is disabled.
-      if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU AND SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
-        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER n)
-        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
+        # MCUboot uses hash function to identify key internally when KMU is disabled.
+        if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU AND SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER n)
+          set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
+        else()
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
+          set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+        endif()
       else()
-        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
-        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 n)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
       endif()
     endif()
 
