Skip to content

[nrf noup] bootutil: Use correct set of KMU key slots #531

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 7, 2025
+23 −3
Merged

[nrf noup] bootutil: Use correct set of KMU key slots #531

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 12 additions & 3 deletions boot/bootutil/src/ed25519_psa.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,20 @@ BOOT_LOG_MODULE_REGISTER(ed25519_psa);

#if defined(CONFIG_BOOT_SIGNATURE_USING_KMU)
/* List of KMU stored key ids available for MCUboot */
#define PSA_KEY_INDEX_SIZE 2

#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || \
defined(CONFIG_NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING)
#define PSA_KEY_STARTING_ID 226
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we maybe use Kconfig for KMU base address?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would probably make sense and allow for future devices if they have different mappings, but will leave for someone else to implement

#else
#define PSA_KEY_STARTING_ID 242
#endif

#define MAKE_PSA_KMU_KEY_ID(id) PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, id)
static psa_key_id_t key_ids[] = {
MAKE_PSA_KMU_KEY_ID(226),
MAKE_PSA_KMU_KEY_ID(228),
MAKE_PSA_KMU_KEY_ID(230)
MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID),
MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID + PSA_KEY_INDEX_SIZE),
MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID + (2 * PSA_KEY_INDEX_SIZE))
};

#define KEY_SLOTS_COUNT CONFIG_BOOT_SIGNATURE_KMU_SLOTS
Expand Down
11 changes: 11 additions & 0 deletions boot/zephyr/Kconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -421,6 +421,17 @@ config BOOT_SIGNATURE_KMU_SLOTS
Selects the number of KMU key slots (also known as generations) to use when verifying
an image.

config NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING
bool "Use original mapping [DEPRECATED]"
depends on SOC_SERIES_NRF54LX
depends on MCUBOOT_MCUBOOT_IMAGE_NUMBER = -1
select DEPRECATED
help
When this option is enabled, it will use the UROT_PUBKEY key slot IDs for the MCUboot
image which are assigned for the non-immutable bootloader IDs, otherwise it will use
the key set for the mode that MCUboot is used in (non-immutable slots when b0 is
enabled, or immutable slots when b0 is not enabled).

endif

config BOOT_KEYS_REVOCATION
Expand Down