sysbuild: Add support for ed25519 MCUboot images and make default

nordicjm · eivindj-nordic · commit d11a69cd27fa · 2025-08-11T11:36:46.000+02:00
Makes ed25519 the default signature type for nrf54l* and sets
up the MCUboot configuration for it

Signed-off-by: Jamie McCrae &lt;jamie.mccrae@nordicsemi.no&gt;
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
@@ -23,6 +23,29 @@ function(bm_install_setup)
 
       add_overlay_dts(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/FIRMWARE_LOADER_image_default.overlay)
 
+      # Enable LTO on MCUboot image
+      add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/lto.conf)
+
+      if(SB_CONFIG_SOC_SERIES_NRF54LX)
+        if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_NONE)
+          set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+        elseif(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519)
+          set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+
+          # We are sure that ED25519 signature on MCUboot does not need these
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_AEAD_DRIVER n)
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_PAKE_DRIVER n)
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_CIPHER_DRIVER n)
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER n)
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
+          set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
+          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+          set_config_bool(mcuboot CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN y)
+          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
+        endif()
+      endif()
+
       ExternalZephyrProject_Add(
         APPLICATION installer
         SOURCE_DIR ${ZEPHYR_NRF_BM_MODULE_DIR}/applications/installer
diff --git a/sysbuild/Kconfig.bm b/sysbuild/Kconfig.bm
@@ -25,6 +25,7 @@ menu "MCUboot configuration"
 
 choice BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE
 	prompt "Signature type"
+	default BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 if SOC_SERIES_NRF54LX
 	default BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_RSA
 
 config BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_NONE
diff --git a/sysbuild/image_configurations/lto.conf b/sysbuild/image_configurations/lto.conf
@@ -0,0 +1,2 @@
+CONFIG_LTO=y
+CONFIG_ISR_TABLES_LOCAL_DECLARATION=y

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+CONFIG_LTO=y`
	`2`	`+CONFIG_ISR_TABLES_LOCAL_DECLARATION=y`