diff --git a/cmake/image_signing_softdevice.cmake b/cmake/image_signing_softdevice.cmake
index e67ed023ff..945753cf33 100644
--- a/cmake/image_signing_softdevice.cmake
+++ b/cmake/image_signing_softdevice.cmake
@@ -52,13 +52,6 @@ function(softdevice_tasks output_hex output_bin)
 # set(imgtool_args --security-counter ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE})
 # endif()
- # Set proper hash calculation algorithm for signing
- if(CONFIG_BOOT_SIGNATURE_TYPE_PURE)
- set(imgtool_args --pure ${imgtool_args})
- elseif(CONFIG_BOOT_IMG_HASH_ALG_SHA512)
- set(imgtool_args --sha 512 ${imgtool_args})
- endif()
-
 if(NOT "${keyfile}" STREQUAL "")
 set(imgtool_args -k "${keyfile}" ${imgtool_args})
 endif()
diff --git a/cmake/sysbuild/image_signing_installer.cmake b/cmake/sysbuild/image_signing_installer.cmake
index 13f3bfbf65..44bfde27a2 100644
--- a/cmake/sysbuild/image_signing_installer.cmake
+++ b/cmake/sysbuild/image_signing_installer.cmake
@@ -68,13 +68,6 @@ function(bm_install_tasks output_hex output_bin)
 # set(imgtool_args --security-counter ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE})
 # endif()
- # Set proper hash calculation algorithm for signing
- if(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE)
- set(imgtool_args --pure ${imgtool_args})
- elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_SHA512)
- set(imgtool_args --sha 512 ${imgtool_args})
- endif()
-
 if(NOT "${keyfile}" STREQUAL "")
 set(imgtool_args -k "${keyfile}" ${imgtool_args})
 endif()
diff --git a/samples/boot/mcuboot_recovery_retention/sysbuild.conf b/samples/boot/mcuboot_recovery_retention/sysbuild.conf
new file mode 100644
index 0000000000..ad7ec75270
--- /dev/null
+++ b/samples/boot/mcuboot_recovery_retention/sysbuild.conf
@@ -0,0 +1,5 @@
+SB_CONFIG_BM_BOOTLOADER_MCUBOOT=y
+SB_CONFIG_BM_FIRMWARE_LOADER_BT_MCUMGR=y
+SB_CONFIG_SOFTDEVICE_S115=y
+SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
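Review bot: `SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y` is enabled in the new `sysbuild.conf` while no signing key file is set in any visible line, and nothing in the file says which key ends up in the generated keyfile. If the build falls back to a development key shipped with the SDK (not visible here, to be confirmed), a product derived from this sample would boot images signed with a key that is not secret. A header comment such as `# Sample only: uses the default signing key; configure your own key file before production use` would make that explicit. The same comment should record that `SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519=y` is now mandatory here, because this commit drops the nRF54L-specific default in `sysbuild/Kconfig.bm` and the remaining choice default is RSA.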
diff --git a/samples/boot/mcuboot_recovery_retention/sysbuild/mcuboot.conf b/samples/boot/mcuboot_recovery_retention/sysbuild/mcuboot.conf
index 256b75898d..ae0dcb16ae 100644
--- a/samples/boot/mcuboot_recovery_retention/sysbuild/mcuboot.conf
+++ b/samples/boot/mcuboot_recovery_retention/sysbuild/mcuboot.conf
@@ -1,3 +1,12 @@
 CONFIG_RETAINED_MEM=y
 CONFIG_RETENTION=y
 CONFIG_RETENTION_BOOT_MODE=y
+CONFIG_BOOT_FIRMWARE_LOADER_BOOT_MODE=y
+CONFIG_NRF_SECURITY=y
+CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CORE_LITE=y
+CONFIG_PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS=y
+CONFIG_CRACEN_IKG=n
+CONFIG_BOOT_SIGNATURE_USING_KMU=y
+CONFIG_LTO=y
+CONFIG_ISR_TABLES_LOCAL_DECLARATION=y
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
index 16094889c3..4717c63a84 100644
--- a/sysbuild/CMakeLists.txt
+++ b/sysbuild/CMakeLists.txt
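Review bot: `CONFIG_BOOT_SIGNATURE_USING_KMU=y` and `CONFIG_CRACEN_IKG=n` are added to `sysbuild/mcuboot.conf` without a comment, although they change where MCUboot takes its verification key from; the sysbuild logic this commit removes from `sysbuild/CMakeLists.txt` forced `CONFIG_BOOT_SIGNATURE_USING_KMU n` for ED25519. With the key held in the KMU, a board that has not been provisioned will presumably reject every image, so the file should say so, e.g. `# Verification key is read from the KMU; provision it from the generated keyfile before first boot`. The hash selection that disappeared with the `BM_BOOT_IMG_HASH_ALG` choice is not replaced in these lines either. Please confirm that MCUboot's hash default for ED25519 matches what imgtool emits now that the signing scripts no longer pass `--pure` or `--sha 512`, since a mismatch would only show up as a validation failure at boot.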
@@ -23,53 +23,6 @@ function(bm_install_setup)
 add_overlay_dts(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/FIRMWARE_LOADER_image_default.overlay)
- # Enable LTO on MCUboot image
- add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/lto.conf)
-
- # Set up hash algorithm for MCUboot and images
- if(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_SHA256)
- set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
- set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
- set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
- set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
- set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
- set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
- elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_SHA512)
- set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
- set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
- set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
- set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
- set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
- set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
- elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE)
- set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
- set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
- set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
- set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
- set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
- set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
- endif()
-
- if(SB_CONFIG_SOC_SERIES_NRF54LX)
- if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_NONE)
- set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
- elseif(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519)
- set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
-
- # We are sure that ED25519 signature on MCUboot does not need these
- set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_AEAD_DRIVER n)
- set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_PAKE_DRIVER n)
- set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_CIPHER_DRIVER n)
- set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER n)
- set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
- set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
- set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
- set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
- set_config_bool(mcuboot CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN y)
- set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
- endif()
- endif()
-
 ExternalZephyrProject_Add(
 APPLICATION installer
 SOURCE_DIR ${ZEPHYR_NRF_BM_MODULE_DIR}/applications/installer
diff --git a/sysbuild/Kconfig.bm b/sysbuild/Kconfig.bm
index 3ff8714ae7..e77019ce93 100644
--- a/sysbuild/Kconfig.bm
+++ b/sysbuild/Kconfig.bm
@@ -25,7 +25,6 @@ menu "MCUboot configuration"
 choice BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE
 prompt "Signature type"
- default BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 if SOC_SERIES_NRF54LX
 default BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_RSA
 config BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_NONE
@@ -67,24 +66,6 @@ config BM_BOOTLOADER_MCUBOOT_FIRMWARE_LOADER_ENTRANCE_BOOT_MODE
 endmenu
-choice BM_BOOTLOADER_MCUBOOT_IMG_HASH_ALG
- prompt "Hashing algorithm"
- default BM_BOOT_IMG_HASH_ALG_SHA512 if BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 && SOC_SERIES_NRF54LX
- default BM_BOOT_IMG_HASH_ALG_SHA256
-
-config BM_BOOT_IMG_HASH_ALG_SHA256
- bool "SHA256"
-
-config BM_BOOT_IMG_HASH_ALG_SHA512
- bool "SHA512"
- depends on SOC_SERIES_NRF54LX
-
-config BM_BOOT_IMG_HASH_ALG_PURE
- bool "Pure (hash of data directly without hash)"
- depends on BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 && SOC_SERIES_NRF54LX
-
-endchoice
-
 endmenu
 endif # BM_BOOTLOADER_MCUBOOT
diff --git a/sysbuild/image_configurations/lto.conf b/sysbuild/image_configurations/lto.conf
deleted file mode 100644
index 1eb3066b1e..0000000000
--- a/sysbuild/image_configurations/lto.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-CONFIG_LTO=y
-CONFIG_ISR_TABLES_LOCAL_DECLARATION=y
diff --git a/west.yml b/west.yml
index 54bcc733e9..9129915dea 100644
--- a/west.yml
+++ b/west.yml
@@ -14,7 +14,7 @@ manifest:
 projects:
 - name: nrf
 repo-path: sdk-nrf
- revision: e9101127fc24a4bd5bf1b3067c78093182038d02
+ revision: pull/23870/head
 import:
 name-allowlist:
 - cmsis_6
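Review bot: `revision: pull/23870/head` in `west.yml` replaces a pinned commit hash with a pull-request ref that moves whenever the PR branch is pushed, so the same manifest can resolve to different `sdk-nrf` code from one build to the next. Because this repository builds the bootloader and drives image signing from that dependency, the change gives up reproducibility and lets commits that were never reviewed here flow into builds. If the dependency on the open PR is only temporary, pin the commit the PR currently points to instead, e.g. `revision: <commit-sha-of-PR-head>` (placeholder), and switch to the merged commit hash before this lands on the main branch.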