[nrf noup] bootutil: Use correct set of KMU key slots

nrf-squash! [nrf noup] bootutil: Add support for KMU stored ED25519 signature key

Will instead use the immutable bootloader key slot IDs if b0 is not
enabled, adds a Kconfig which can be used to fall back to the
previous slot IDs for previously deployed bootloaders

Signed-off-by: Jamie McCrae <[email protected]>

Author: nordicjm

boot/bootutil/src/ed25519_psa.c

@@ -25,11 +25,20 @@ BOOT_LOG_MODULE_REGISTER(ed25519_psa);
 
 #if defined(CONFIG_BOOT_SIGNATURE_USING_KMU)
 /* List of KMU stored key ids available for MCUboot */
+#define PSA_KEY_INDEX_SIZE 2
+
+#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || \
+	defined(CONFIG_NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING)
+#define PSA_KEY_STARTING_ID 226
+#else
+#define PSA_KEY_STARTING_ID 242
+#endif
+
 #define MAKE_PSA_KMU_KEY_ID(id) PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, id)
 static psa_key_id_t key_ids[] =  {
-    MAKE_PSA_KMU_KEY_ID(226),
-    MAKE_PSA_KMU_KEY_ID(228),
-    MAKE_PSA_KMU_KEY_ID(230)
+    MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID),
+    MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID + PSA_KEY_INDEX_SIZE),
+    MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID + (2 * PSA_KEY_INDEX_SIZE))
 };
 
 #define KEY_SLOTS_COUNT CONFIG_BOOT_SIGNATURE_KMU_SLOTS

boot/zephyr/Kconfig

@@ -421,6 +421,17 @@ config BOOT_SIGNATURE_KMU_SLOTS
 	  Selects the number of KMU key slots (also known as generations) to use when verifying
 	  an image.
 
+config NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING
+	bool "Use original mapping [DEPRECATED]"
+	depends on SOC_SERIES_NRF54LX
+	depends on MCUBOOT_MCUBOOT_IMAGE_NUMBER = -1
+	select DEPRECATED
+	help
+	  When this option is enabled, it will use the UROT_PUBKEY key slot IDs for the MCUboot
+	  image which are assigned for the non-immutable bootloader IDs, otherwise it will use
+	  the key set for the mode that MCUboot is used in (non-immutable slots when b0 is
+	  enabled, or immutable slots when b0 is not enabled).
+
 endif
 
 config BOOT_KEYS_REVOCATION