sysbuild: Add KMU provisioning and allow KMU usage

Allows usage of KMU in MCUboot for the signature verification and
copies the KMU provisioning script from NCS with changes for BM

Signed-off-by: Jamie McCrae <[email protected]>

Author: nordicjm

cmake/sysbuild/generate_default_keyfile.cmake

@@ -0,0 +1,37 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+# This script defines a CMake target 'generate_kmu_keyfile_json' to create keyfile.json
+# using 'west ncs-provision upload --dry-run'.
+
+# --- Construct the list of commands and dependencies ---
+set(kmu_json_commands "")
+set(kmu_json_dependencies "")
+
+# Update keyfile for BL_PUBKEY
+string(CONFIGURE "${SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE}" mcuboot_signature_key_file)
+list(APPEND kmu_json_commands
+  COMMAND ${Python3_EXECUTABLE} -m west ncs-provision upload
+    --keyname BL_PUBKEY
+    --key ${mcuboot_signature_key_file}
+    --build-dir ${CMAKE_BINARY_DIR}
+    --dry-run
+)
+list(APPEND kmu_json_dependencies ${mcuboot_signature_key_file})
+
+# --- Add custom command to generate/update keyfile.json ---
+if(NOT kmu_json_commands STREQUAL "")
+  add_custom_command(
+    OUTPUT ${CMAKE_BINARY_DIR}/keyfile.json
+    ${kmu_json_commands} # Expands to one or more COMMAND clauses
+    DEPENDS ${kmu_json_dependencies}
+    COMMENT "Generating/Updating KMU keyfile JSON (${CMAKE_BINARY_DIR}/keyfile.json)"
+    VERBATIM
+  )
+
+  # --- Add custom target to trigger the generation ---
+  add_custom_target(
+    generate_kmu_keyfile_json ALL
+    DEPENDS ${CMAKE_BINARY_DIR}/keyfile.json
+  )
+endif()

sysbuild/CMakeLists.txt

@@ -43,11 +43,13 @@ function(bm_install_setup)
         set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
       elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE)
         set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
-        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
+        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
         set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
         set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
       endif()
 
       if(SB_CONFIG_SOC_SERIES_NRF54LX)
@@ -64,9 +66,19 @@ function(bm_install_setup)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
           set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
-          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
           set_config_bool(mcuboot CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN y)
-          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
+
+          if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU)
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+            set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER n)
+            set_config_bool(mcuboot CONFIG_MBEDTLS_ENABLE_HEAP n)
+            set_config_bool(mcuboot CONFIG_PSA_CORE_LITE y)
+            set_config_bool(mcuboot CONFIG_PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS y)
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+          else()
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+            set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
+          endif()
         endif()
       endif()
 
@@ -246,6 +258,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake)
       ALL
       DEPENDS ${CMAKE_BINARY_DIR}/production.hex
     )
+
+    if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE)
+      include(${ZEPHYR_NRF_BM_MODULE_DIR}/cmake/sysbuild/generate_default_keyfile.cmake)
+    endif()
   endif()
 endfunction()
 

sysbuild/Kconfig.bm

@@ -51,6 +51,19 @@ config BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE
 	help
 	  Absolute path to signing key file to use with MCUBoot.
 
+config BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU
+	bool "Use KMU stored keys for signature verification"
+	depends on SOC_SERIES_NRF54LX && BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519
+	help
+	  The device needs to be provisioned with proper set of keys.
+
+config BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE
+	bool "Generate default keyfile for provisioning during build"
+	depends on BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU
+	default y
+	help
+	  If enabled, the build system will generate keyfile.json file in the build directory.
+
 menu "Firmware loader entrance modes"
 	depends on !BM_FIRMWARE_LOADER_NONE