[nrf noup] bootutil: Add setup validation

Add an option for setup validation. Implement setup validation to check
if the KMU has been provisioned, and log if it has not.

Fixes: NCSDK-33559

Signed-off-by: Sigurd Hellesvik <[email protected]>

Author: hellesvik-nordic

boot/bootutil/src/ed25519_psa.c

@@ -126,7 +126,12 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
         }
 
         BOOT_LOG_ERR("ED25519 signature verification failed %d", status);
+#if defined(CONFIG_MCUBOOT_SETUP_VALIDATION)
+        if(status == PSA_ERROR_INVALID_HANDLE) {
+          BOOT_LOG_ERR("PSA_ERROR_INVALID_HANDLE(-136) could mean that the KMU slot is not provisioned.");
+        }
     }
+#endif
 
     return ret;
 }

boot/zephyr/Kconfig

@@ -1203,4 +1203,12 @@ config MCUBOOT_VERIFY_IMG_ADDRESS
 	  also be useful when BOOT_DIRECT_XIP is enabled, to ensure that the image
 	  linked at the correct address is loaded.
 
+config MCUBOOT_SETUP_VALIDATION
+  bool "Add extra checks at boot to validate before booting"
+	depends on LOG 
+  default n
+  help
+    Add extra checks to validate before booting, which will have verbose
+    error logs if something is found.
+
 source "Kconfig.zephyr"

boot/zephyr/boards/nrf54l15dk_nrf54l05_cpuapp.conf

@@ -13,3 +13,6 @@ CONFIG_BOOT_WATCHDOG_FEED=n
 
 # Ensure the fastest RRAM write operations
 CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32
+
+# Add setup validation to log if KMU slot is not provisioned
+CONFIG_MCUBOOT_SETUP_VALIDATION=y

boot/zephyr/boards/nrf54l15dk_nrf54l10_cpuapp.conf

@@ -13,3 +13,6 @@ CONFIG_BOOT_WATCHDOG_FEED=n
 
 # Ensure the fastest RRAM write operations
 CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32
+
+# Add setup validation to log if KMU slot is not provisioned
+CONFIG_MCUBOOT_SETUP_VALIDATION=y

boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp.conf

@@ -14,3 +14,6 @@ CONFIG_BOOT_WATCHDOG_FEED=n
 
 # Ensure the fastest RRAM write operations
 CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32
+
+# Add setup validation to log if KMU slot is not provisioned
+CONFIG_MCUBOOT_SETUP_VALIDATION=y

boot/zephyr/boards/nrf54l15dk_nrf54l15_cpuapp_ext_flash.conf

@@ -16,3 +16,6 @@ CONFIG_BOOT_WATCHDOG_FEED=n
 
 # Ensure the fastest RRAM write operations
 CONFIG_NRF_RRAM_WRITE_BUFFER_SIZE=32
+
+# Add setup validation to log if KMU slot is not provisioned
+CONFIG_MCUBOOT_SETUP_VALIDATION=y