diff --git a/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l05_cpuapp_s115_softdevice_mcuboot.dts b/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l05_cpuapp_s115_softdevice_mcuboot.dts index 568e439909..c9e82257ee 100644 --- a/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l05_cpuapp_s115_softdevice_mcuboot.dts +++ b/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l05_cpuapp_s115_softdevice_mcuboot.dts @@ -48,14 +48,14 @@ boot_partition: partition@0 { label = "boot"; - reg = <0x00000000 DT_SIZE_K(36)>; + reg = <0x00000000 DT_SIZE_K(31)>; }; - storage_partition: partition@9000 { + storage_partition: partition@7c00 { compatible = "fixed-subpartitions"; label = "storage"; - reg = <0x00009000 DT_SIZE_K(8)>; - ranges = <0x0 0x9000 DT_SIZE_K(8)>; + reg = <0x00007c00 DT_SIZE_K(8)>; + ranges = <0x0 0x7c00 DT_SIZE_K(8)>; #address-cells = <1>; #size-cells = <1>; @@ -70,9 +70,11 @@ }; }; - slot0_partition: partition@b000 { + /* Area from 0x9c00 to 0xa000 is unused due to alignment */ + + slot0_partition: partition@a000 { label = "slot0"; - reg = <0x0000b000 DT_SIZE_K(282)>; + reg = <0x000a000 DT_SIZE_K(286)>; }; slot1_partition: partition@51800 { diff --git a/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l10_cpuapp_s115_softdevice_mcuboot.dts b/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l10_cpuapp_s115_softdevice_mcuboot.dts index 2937cde7bf..5f20bcbf96 100644 --- a/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l10_cpuapp_s115_softdevice_mcuboot.dts +++ b/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l10_cpuapp_s115_softdevice_mcuboot.dts 
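Review bot: In the nrf54l05 slot0 node the new address is written `0x000a000` (seven hex digits), while the nrf54l10 and nrf54l15 files use `0x0000a000`. The value is the same, but matching the padding keeps the three layouts easy to compare: `reg = <0x0000a000 DT_SIZE_K(286)>;`. The added comment could also name the alignment requirement that pushes slot0 up to 0xa000, for example `/* 0x9c00-0xa000 left unused: slot0 must start on a <requirement> boundary */`, since storage now ends at 0x9c00 and the 1 KiB gap belongs to no partition. The comment suggestion applies equally to the nrf54l10 and nrf54l15 files. The partitions node continues outside the hunk.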
@@ -48,14 +48,14 @@ boot_partition: partition@0 { label = "boot"; - reg = <0x00000000 DT_SIZE_K(36)>; + reg = <0x00000000 DT_SIZE_K(31)>; }; - storage_partition: partition@9000 { + storage_partition: partition@7c00 { compatible = "fixed-subpartitions"; label = "storage"; - reg = <0x00009000 DT_SIZE_K(8)>; - ranges = <0x0 0x9000 DT_SIZE_K(8)>; + reg = <0x00007c00 DT_SIZE_K(8)>; + ranges = <0x0 0x7c00 DT_SIZE_K(8)>; #address-cells = <1>; #size-cells = <1>; @@ -70,9 +70,11 @@ }; }; - slot0_partition: partition@b000 { + /* Area from 0x9c00 to 0xa000 is unused due to alignment */ + + slot0_partition: partition@a000 { label = "slot0"; - reg = <0x0000b000 DT_SIZE_K(794)>; + reg = <0x0000a000 DT_SIZE_K(798)>; }; slot1_partition: partition@d1800 { diff --git a/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l15_cpuapp_s115_softdevice_mcuboot.dts b/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l15_cpuapp_s115_softdevice_mcuboot.dts index f88860b364..3c206cc8bc 100644 --- a/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l15_cpuapp_s115_softdevice_mcuboot.dts +++ b/boards/nordic/bm_nrf54l15dk/bm_nrf54l15dk_nrf54l15_cpuapp_s115_softdevice_mcuboot.dts @@ -48,14 +48,14 @@ boot_partition: partition@0 { label = "boot"; - reg = <0x00000000 DT_SIZE_K(36)>; + reg = <0x00000000 DT_SIZE_K(31)>; }; - storage_partition: partition@9000 { + storage_partition: partition@7c00 { compatible = "fixed-subpartitions"; label = "storage"; - reg = <0x00009000 DT_SIZE_K(8)>; - ranges = <0x0 0x9000 DT_SIZE_K(8)>; + reg = <0x00007c00 DT_SIZE_K(8)>; + ranges = <0x0 0x7c00 DT_SIZE_K(8)>; #address-cells = <1>; #size-cells = <1>; @@ -70,9 +70,11 @@ }; }; - slot0_partition: partition@b000 { + /* Area from 0x9c00 to 0xa000 is unused due to alignment */ + + slot0_partition: partition@a000 { label = "slot0"; - reg = <0x0000b000 DT_SIZE_K(1306)>; + reg = <0x0000a000 DT_SIZE_K(1310)>; }; slot1_partition: partition@151800 { 
diff --git a/cmake/sysbuild/generate_default_keyfile.cmake b/cmake/sysbuild/generate_default_keyfile.cmake
new file mode 100644
index 0000000000..291ab5038f
--- /dev/null
+++ b/cmake/sysbuild/generate_default_keyfile.cmake
@@ -0,0 +1,37 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+# This script defines a CMake target 'generate_kmu_keyfile_json' to create keyfile.json
+# using 'west ncs-provision upload --dry-run'.
+
+# --- Construct the list of commands and dependencies ---
+set(kmu_json_commands "")
+set(kmu_json_dependencies "")
+
+# Update keyfile for BL_PUBKEY
+string(CONFIGURE "${SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE}" mcuboot_signature_key_file)
+list(APPEND kmu_json_commands
+ COMMAND ${Python3_EXECUTABLE} -m west ncs-provision upload
+ --keyname BL_PUBKEY
+ --key ${mcuboot_signature_key_file}
+ --build-dir ${CMAKE_BINARY_DIR}
+ --dry-run
+)
+list(APPEND kmu_json_dependencies ${mcuboot_signature_key_file})
+
+# --- Add custom command to generate/update keyfile.json ---
+if(NOT kmu_json_commands STREQUAL "")
+ add_custom_command(
+ OUTPUT ${CMAKE_BINARY_DIR}/keyfile.json
+ ${kmu_json_commands} # Expands to one or more COMMAND clauses
+ DEPENDS ${kmu_json_dependencies}
+ COMMENT "Generating/Updating KMU keyfile JSON (${CMAKE_BINARY_DIR}/keyfile.json)"
+ VERBATIM
+ )
+
+ # --- Add custom target to trigger the generation ---
+ add_custom_target(
+ generate_kmu_keyfile_json ALL
+ DEPENDS ${CMAKE_BINARY_DIR}/keyfile.json
+ )
+endif()
diff --git a/doc/nrf-bm/app_dev/dfu/bootloader_keys.rst b/doc/nrf-bm/app_dev/dfu/bootloader_keys.rst
index 1a9075404b..fc13097689 100644
--- a/doc/nrf-bm/app_dev/dfu/bootloader_keys.rst
+++ b/doc/nrf-bm/app_dev/dfu/bootloader_keys.rst
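Review bot: The key path in cmake/sysbuild/generate_default_keyfile.cmake is never checked at configure time. `--key ${mcuboot_signature_key_file}` and `DEPENDS ${kmu_json_dependencies}` are unquoted, so an empty SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE makes both arguments vanish and `--key` is followed directly by `--build-dir`, failing only when the ALL target runs. Add `if(NOT EXISTS "${mcuboot_signature_key_file}")` / `message(FATAL_ERROR "KMU keyfile: signing key not found: ${mcuboot_signature_key_file}")` / `endif()` after the `string(CONFIGURE ...)` line, and quote the expansion in the command. According to the documentation added in this commit, keyfile.json is what gets provisioned into the KMU, so a `message(STATUS ...)` naming the key file in use would help catch builds that pick up a development key unintentionally. The `if(NOT kmu_json_commands STREQUAL "")` guard is always true as written, because the list is appended unconditionally just above it.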
@@ -38,3 +38,12 @@ Using a key in a project ------------------------ Once a key has been generated, it can be used in a project by setting the :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option to the absolute path of the generated ``.pem`` key file. + +.. _ug_bootloader_kmu: + +KMU (Key Management Unit) +************************* + +The nRF54L series of SoCs contain a KMU - key management unit, this on-die peripheral can be used by CRACEN to securely store and use keys without allowing the contents to be read out. +In order to boot images when the KMU feature is enabled, the MCUboot signing key must be programmed to the KMU prior to loading the firmware or the device will be unable to boot. +This feature can be enabled with :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU`, another sysbuild Kconfig is used to determine if the public key file should be automatically programmed to boards when ``west flash`` is used with the ``--erase`` or ``--recover`` arguments, when :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` is enabled (it is enabled by default) then this process is enabled and should be the first command used after building the project to set the board up for development. diff --git a/doc/nrf-bm/app_dev/dfu/ug_dfu.rst b/doc/nrf-bm/app_dev/dfu/ug_dfu.rst index a638186325..98a1b80ced 100644 --- a/doc/nrf-bm/app_dev/dfu/ug_dfu.rst +++ b/doc/nrf-bm/app_dev/dfu/ug_dfu.rst 
@@ -18,20 +18,21 @@ Partition Configuration The memory of your device must be partitioned appropriately to accommodate the bootloader, application, and firmware update mechanisms. |BMshort| uses Zephyr's `DTS`_ system for memory partitioning. -+--------------------------+---------------------------------------------------------------+--------------------+-------------------+ -| Partition Name | Description | Minimum size |br| | Minimum size |br| | -| | | (Development) | (Release) | -+==========================+===============================================================+====================+===================+ -| ``boot_partition`` | Bootloader (MCUboot) | 36 KB | 28 KB | -+--------------------------+---------------------------------------------------------------+--------------------+-------------------+ -| ``slot0_partition`` | Main application slot | | | -+--------------------------+---------------------------------------------------------------+--------------------+-------------------+ -| ``slot1_partition`` | `Firmware loader`_ | 44 KB | 28 KB | -+--------------------------+---------------------------------------------------------------+--------------------+-------------------+ -| ``softdevice_partition`` | For the SoftDevice, including an MCUboot header of size 0x800 | | -+--------------------------+---------------------------------------------------------------+--------------------+-------------------+ -| ``metadata_partition`` | Stores metadata, placed at the last 0x200 of NVM | | | -+--------------------------+---------------------------------------------------------------+--------------------+-------------------+ ++--------------------------+---------------------------------------------------------------+--------------------+----------------------+ +| Partition Name | Description | Minimum size |br| | Minimum size |br| | +| | | (Development) | (Release) | 
++==========================+===============================================================+====================+======================+ +| ``boot_partition`` | Bootloader (MCUboot) | 31 KiB | 21 KiB (using KMU) | +| | | | 26 KiB (without KMU) | ++--------------------------+---------------------------------------------------------------+--------------------+----------------------+ +| ``slot0_partition`` | Main application slot | | | ++--------------------------+---------------------------------------------------------------+--------------------+----------------------+ +| ``slot1_partition`` | `Firmware loader`_ | 44 KiB | 28 KiB | ++--------------------------+---------------------------------------------------------------+--------------------+----------------------+ +| ``softdevice_partition`` | For the SoftDevice, including an MCUboot header of size 0x800 | | ++--------------------------+---------------------------------------------------------------+--------------------+----------------------+ +| ``metadata_partition`` | Stores metadata, placed at the last 0x200 of NVM | | | ++--------------------------+---------------------------------------------------------------+--------------------+----------------------+ .. note:: The sizes and configurations of slot0 and slot1 are asymmetrical. diff --git a/samples/boot/mcuboot_recovery_retention/sample.yaml b/samples/boot/mcuboot_recovery_retention/sample.yaml index 2e0b532311..4c2adebf5c 100644 --- a/samples/boot/mcuboot_recovery_retention/sample.yaml +++ b/samples/boot/mcuboot_recovery_retention/sample.yaml 
@@ -32,3 +32,21 @@ tests: tags: - sysbuild - uart + sample.boot.mcuboot_recovery_retention.uart.kmu: + sysbuild: true + build_only: true + integration_platforms: + - bm_nrf54l15dk/nrf54l05/cpuapp/s115_softdevice/mcuboot + - bm_nrf54l15dk/nrf54l10/cpuapp/s115_softdevice/mcuboot + - bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot + platform_allow: + - bm_nrf54l15dk/nrf54l05/cpuapp/s115_softdevice/mcuboot + - bm_nrf54l15dk/nrf54l10/cpuapp/s115_softdevice/mcuboot + - bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot + extra_args: + - SB_CONFIG_BM_FIRMWARE_LOADER_UART_MCUMGR=y + - SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU=y + tags: + - sysbuild + - uart + - kmu diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 338ce4367b..06d399fc33 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -2,3 +2,4 @@ setuptools wheel west gitlint +python-dotenv diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt index 1b42019a97..6d8a817eea 100644 --- a/sysbuild/CMakeLists.txt +++ b/sysbuild/CMakeLists.txt @@ -22,6 +22,7 @@ function(bm_install_setup) ) add_overlay_dts(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/FIRMWARE_LOADER_image_default.overlay) + add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/BOOTLOADER_image_default.conf) # Enable LTO on MCUboot image add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/lto.conf) 
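Review bot: `python-dotenv` is added to scripts/requirements.txt without a version constraint, and nothing in the visible hunks imports it, so the reason for the new dependency is not recorded. If it is needed by the `west ncs-provision` step used in cmake/sysbuild/generate_default_keyfile.cmake (an inference, not shown here), say so in the commit message and consider a lower bound such as `python-dotenv>=<tested version>`. The existing entries are unpinned too, so leaving it unpinned may be project convention.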
@@ -43,11 +44,13 @@ function(bm_install_setup) set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y) elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE) set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y) - set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n) + set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y) set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y) - set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n) + set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y) + set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y) set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y) - set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n) + set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y) + set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y) endif() if(SB_CONFIG_SOC_SERIES_NRF54LX) 
@@ -64,9 +67,19 @@ function(bm_install_setup) set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n) set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n) set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n) - set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n) set_config_bool(mcuboot CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN y) - set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y) + + if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU) + set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y) + set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER n) + set_config_bool(mcuboot CONFIG_MBEDTLS_ENABLE_HEAP n) + set_config_bool(mcuboot CONFIG_PSA_CORE_LITE y) + set_config_bool(mcuboot CONFIG_PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS y) + set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y) + else() + set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n) + set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y) + endif() endif() endif() @@ -271,6 +284,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake) ALL DEPENDS ${CMAKE_BINARY_DIR}/production.hex ) + + if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE) + include(${ZEPHYR_NRF_BM_MODULE_DIR}/cmake/sysbuild/generate_default_keyfile.cmake) + endif() endif() endfunction() diff --git a/sysbuild/Kconfig.bm b/sysbuild/Kconfig.bm index a357c95d6e..1cb2b63d51 100644 --- a/sysbuild/Kconfig.bm +++ b/sysbuild/Kconfig.bm 
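Review bot: The new KMU branch forces `CONFIG_BOOT_SIGNATURE_TYPE_PURE y` on mcuboot, but the matching `CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE` for `${DEFAULT_IMAGE}` and the firmware loader is only set in the `SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE` branch earlier in bm_install_setup. The new Kconfig symbol depends only on the ED25519 signature type, so KMU can apparently be enabled with a non-pure hash choice, leaving the bootloader verifying pure signatures over images signed the other way. Either add `depends on BM_BOOT_IMG_HASH_ALG_PURE` to BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU, or set the two image-side options inside this branch as well. The enclosing `if` conditions start outside the hunk, so confirm that no outer guard already enforces this.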
@@ -51,6 +51,19 @@ config BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE help Absolute path to signing key file to use with MCUBoot. +config BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU + bool "Use KMU stored keys for signature verification" + depends on SOC_SERIES_NRF54LX && BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 + help + The device needs to be provisioned with the proper set of keys. + +config BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE + bool "Generate default keyfile for provisioning during build" + depends on BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU + default y + help + If enabled, the build system will generate keyfile.json file in the build directory. + menu "Firmware loader entrance modes" depends on !BM_FIRMWARE_LOADER_NONE diff --git a/sysbuild/image_configurations/BOOTLOADER_image_default.conf b/sysbuild/image_configurations/BOOTLOADER_image_default.conf new file mode 100644 index 0000000000..0dabf7621d --- /dev/null +++ b/sysbuild/image_configurations/BOOTLOADER_image_default.conf @@ -0,0 +1,9 @@ +CONFIG_KERNEL_MEM_POOL=n +CONFIG_CURRENT_THREAD_USE_TLS=n +CONFIG_ERRNO=n +CONFIG_FP16=n +CONFIG_HW_STACK_PROTECTION=n +CONFIG_BUILTIN_STACK_GUARD=n +CONFIG_TIMEOUT_64BIT=n +CONFIG_SYS_CLOCK_EXISTS=n +CONFIG_NRF_GRTC_START_SYSCOUNTER=n diff --git a/west.yml b/west.yml index 14a19d95c9..4a7a14a44c 100644 --- a/west.yml +++ b/west.yml @@ -14,7 +14,7 @@ manifest: projects: - name: nrf repo-path: sdk-nrf - revision: b1f505fd71ac276f0640e833e9b8c0400d0e974f + revision: f0af8f2008d39bcb46516554d00611ac7fd87d5d import: name-allowlist: - cmsis_6
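Review bot: The help text for BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU omits the consequence that the documentation in this commit spells out: a device whose KMU has not been provisioned with the MCUboot key cannot boot. Suggested wording: `Verify images with the key stored in the KMU. The MCUboot signing key must be provisioned to the KMU before firmware is loaded, otherwise the device cannot boot.` The help for BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE could likewise say that keyfile.json is derived from BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE.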
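Review bot: `CONFIG_HW_STACK_PROTECTION=n` and `CONFIG_BUILTIN_STACK_GUARD=n` in BOOTLOADER_image_default.conf switch off stack-overflow detection in the bootloader, and sysbuild/CMakeLists.txt applies this fragment to every MCUboot build, not only when KMU is selected. The file has no comment explaining the trade-off, which reads as a size reduction to fit the 31 KiB boot partition (inferred from the partition change in this commit). Add a header comment such as `# Size reductions for the MCUboot image; stack guards are disabled to fit boot_partition`, and consider keeping the two stack-protection options enabled in builds where the partition has room.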