doc: Add guide on bootloader keys

nordicjm · eivindj-nordic · commit 8ca97071829a · 2025-08-15T11:15:15.000+02:00
Adds a guide describing how to generate and use MCUboot keys

Signed-off-by: Jamie McCrae &lt;jamie.mccrae@nordicsemi.no&gt;
diff --git a/doc/nrf-bm/index.rst b/doc/nrf-bm/index.rst
@@ -39,4 +39,5 @@ The |BMlong| is a distinct repository that incorporates elements from the existi
    libraries/index.rst
    samples.rst
    ug_dfu.rst
+   ug_bootloader_keys.rst
    release_notes.rst
diff --git a/doc/nrf-bm/links.txt b/doc/nrf-bm/links.txt
@@ -57,6 +57,7 @@
 .. _`MCUmgr`: https://docs.zephyrproject.org/latest/services/device_mgmt/mcumgr.html
 .. _`DTS`: https://docs.zephyrproject.org/latest/build/dts/index.html
 .. _`System reset`: https://docs.zephyrproject.org/latest/services/device_mgmt/smp_groups/smp_group_0.html#system-reset
+.. _`Image tool`: https://docs.mcuboot.com/imgtool.html
 
 .. ### Release notes
 
diff --git a/doc/nrf-bm/ug_bootloader_keys.rst b/doc/nrf-bm/ug_bootloader_keys.rst
@@ -0,0 +1,40 @@
+.. _ug_bootloader_keys:
+
+Bootloader keys
+###############
+
+When MCUboot is used in a project, by default it uses a dummy ed25519 signing key.
+This key should only be used for development purposes.
+
+For testing and production use cases, unique signing keys must be generated and kept secure (one key per project) to ensure the integrity of firmware update security.
+
+Signature type
+--------------
+
+MCUboot in |BMshort| supports the following signature types:
+
++------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+
+| Type       | Description                                                          | Sysbuild Kconfig                                                            |
++============+======================================================================+=============================================================================+
+| None       | No signature verification (insecure)                                 | :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_NONE`       |
++------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+
+| RSA        | RSA-2048 or RSA-3072 signature                                       | :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_RSA`        |
++------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+
+| ECDSA-P256 | Elliptic curve digital signature with curve P-256                    | :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ECDSA_P256` |
++------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+
+| ed25519    | Edwards curve digital signature using ed25519 (recommended, default) | :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519`    |
++------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+
+
+.. _ug_bootloader_keys_generating:
+
+Generating a key
+----------------
+
+See `Image tool`_ documentation for details on the ``imgtool`` which includes details on how to generate a signing key.
+
+.. _ug_bootloader_keys_using:
+
+Using a key in a project
+------------------------
+
+Once a key has been generated, it can be used in a project by setting the :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option to the absolute path of the generated ``.pem`` key file.
diff --git a/doc/nrf-bm/ug_dfu.rst b/doc/nrf-bm/ug_dfu.rst
@@ -314,6 +314,11 @@ Building and running
    If the installer image was loaded, then it will apply the updates and reboot into firmware loader mode automatically and allow for loading the application firmware update using the same process.
    If an application update was loaded, then the new application will begin executing.
 
+Signing keys
+************
+
+When building with an MCUboot board variant, it will use a default dummy MCUboot signing key which **should not be used in production**, see :ref:`ug_bootloader_keys` for details on how to generate and use a custom signing key when building an application.
+
 DFU samples
 ***********
 
