nrfconnect · nordicjm · Sep 24, 2025 · Sep 24, 2025 · Sep 12, 2025 · Sep 15, 2025
@@ -48,14 +48,14 @@
 
 		boot_partition: partition@0 {
 			label = "boot";
-			reg = <0x00000000 DT_SIZE_K(36)>;
+			reg = <0x00000000 DT_SIZE_K(31)>;
 		};
 
-		storage_partition: partition@9000 {
+		storage_partition: partition@7c00 {
 			compatible = "fixed-subpartitions";
 			label = "storage";
-			reg = <0x00009000 DT_SIZE_K(8)>;
-			ranges = <0x0 0x9000 DT_SIZE_K(8)>;
+			reg = <0x00007c00 DT_SIZE_K(8)>;
+			ranges = <0x0 0x7c00 DT_SIZE_K(8)>;
 			#address-cells = <1>;
 			#size-cells = <1>;
 
@@ -70,9 +70,11 @@
 			};
 		};
 
-		slot0_partition: partition@b000 {
+		/* Area from 0x9c00 to 0xa000 is unused due to alignment */
+
+		slot0_partition: partition@a000 {
 			label = "slot0";
-			reg = <0x0000b000 DT_SIZE_K(282)>;
+			reg = <0x000a000 DT_SIZE_K(286)>;
 		};
 
 		slot1_partition: partition@51800 {

@@ -48,14 +48,14 @@
 
 		boot_partition: partition@0 {
 			label = "boot";
-			reg = <0x00000000 DT_SIZE_K(36)>;
+			reg = <0x00000000 DT_SIZE_K(31)>;
 		};
 
-		storage_partition: partition@9000 {
+		storage_partition: partition@7c00 {
 			compatible = "fixed-subpartitions";
 			label = "storage";
-			reg = <0x00009000 DT_SIZE_K(8)>;
-			ranges = <0x0 0x9000 DT_SIZE_K(8)>;
+			reg = <0x00007c00 DT_SIZE_K(8)>;
+			ranges = <0x0 0x7c00 DT_SIZE_K(8)>;
 			#address-cells = <1>;
 			#size-cells = <1>;
 
@@ -70,9 +70,11 @@
 			};
 		};
 
-		slot0_partition: partition@b000 {
+		/* Area from 0x9c00 to 0xa000 is unused due to alignment */
+
+		slot0_partition: partition@a000 {
 			label = "slot0";
-			reg = <0x0000b000 DT_SIZE_K(794)>;
+			reg = <0x0000a000 DT_SIZE_K(798)>;
 		};
 
 		slot1_partition: partition@d1800 {

@@ -48,14 +48,14 @@
 
 		boot_partition: partition@0 {
 			label = "boot";
-			reg = <0x00000000 DT_SIZE_K(36)>;
+			reg = <0x00000000 DT_SIZE_K(31)>;
 		};
 
-		storage_partition: partition@9000 {
+		storage_partition: partition@7c00 {
 			compatible = "fixed-subpartitions";
 			label = "storage";
-			reg = <0x00009000 DT_SIZE_K(8)>;
-			ranges = <0x0 0x9000 DT_SIZE_K(8)>;
+			reg = <0x00007c00 DT_SIZE_K(8)>;
+			ranges = <0x0 0x7c00 DT_SIZE_K(8)>;
 			#address-cells = <1>;
 			#size-cells = <1>;
 
@@ -70,9 +70,11 @@
 			};
 		};
 
-		slot0_partition: partition@b000 {
+		/* Area from 0x9c00 to 0xa000 is unused due to alignment */
+
+		slot0_partition: partition@a000 {
 			label = "slot0";
-			reg = <0x0000b000 DT_SIZE_K(1306)>;
+			reg = <0x0000a000 DT_SIZE_K(1310)>;
 		};
 
 		slot1_partition: partition@151800 {

@@ -0,0 +1,37 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+# This script defines a CMake target 'generate_kmu_keyfile_json' to create keyfile.json
+# using 'west ncs-provision upload --dry-run'.
+
+# --- Construct the list of commands and dependencies ---
+set(kmu_json_commands "")
+set(kmu_json_dependencies "")
+
+# Update keyfile for BL_PUBKEY
+string(CONFIGURE "${SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE}" mcuboot_signature_key_file)
+list(APPEND kmu_json_commands
+  COMMAND ${Python3_EXECUTABLE} -m west ncs-provision upload
+    --keyname BL_PUBKEY
+    --key ${mcuboot_signature_key_file}
+    --build-dir ${CMAKE_BINARY_DIR}
+    --dry-run
+)
+list(APPEND kmu_json_dependencies ${mcuboot_signature_key_file})
+
+# --- Add custom command to generate/update keyfile.json ---
+if(NOT kmu_json_commands STREQUAL "")
+  add_custom_command(
+    OUTPUT ${CMAKE_BINARY_DIR}/keyfile.json
+    ${kmu_json_commands} # Expands to one or more COMMAND clauses
+    DEPENDS ${kmu_json_dependencies}
+    COMMENT "Generating/Updating KMU keyfile JSON (${CMAKE_BINARY_DIR}/keyfile.json)"
+    VERBATIM
+  )
+
+  # --- Add custom target to trigger the generation ---
+  add_custom_target(
+    generate_kmu_keyfile_json ALL
+    DEPENDS ${CMAKE_BINARY_DIR}/keyfile.json
+  )
+endif()
@@ -38,3 +38,12 @@ Using a key in a project
 ------------------------
 
 Once a key has been generated, it can be used in a project by setting the :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option to the absolute path of the generated ``.pem`` key file.
+
+.. _ug_bootloader_kmu:
+
+KMU (Key Management Unit)
+*************************
+
+The nRF54L series of SoCs contain a KMU - key management unit, this on-die peripheral can be used by CRACEN to securely store and use keys without allowing the contents to be read out.
+In order to boot images when the KMU feature is enabled, the MCUboot singing key must be programmed to the KMU prior to loading the firmware or the device will be unable to boot.
-In order to boot images when the KMU feature is enabled, the MCUboot singing key must be programmed to the KMU prior to loading the firmware or the device will be unable to boot.
+In order to boot images when the KMU feature is enabled, the MCUboot signing key must be programmed to the KMU prior to loading the firmware or the device will be unable to boot.
-In order to boot images when the KMU feature is enabled, the MCUboot singing key must be programmed to the KMU prior to loading the firmware or the device will be unable to boot.
+In order to boot images when the KMU feature is enabled, the MCUboot signing key must be programmed to the KMU prior to loading the firmware or the device will be unable to boot.
+This feature can be enabled with :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU`, another sysbuild Kconfig is used to determine if the public key file should be automatically programmed to boards when ``west flash`` is used with the ``--erase`` or ``--recover`` arguments, when :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` is enabled (it is enabled by default) then this process is enabled and should be the first command used after building the project to set the board up for development.
@@ -18,20 +18,21 @@ Partition Configuration
 The memory of your device must be partitioned appropriately to accommodate the bootloader, application, and firmware update mechanisms.
 |BMshort| uses Zephyr's `DTS`_ system for memory partitioning.
 
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| Partition Name           | Description                                                   | Minimum size  |br| | Minimum size |br| |
-|                          |                                                               | (Development)      | (Release)         |
-+==========================+===============================================================+====================+===================+
-| ``boot_partition``       | Bootloader (MCUboot)                                          | 36 KB              | 28 KB             |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| ``slot0_partition``      | Main application slot                                         |                    |                   |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| ``slot1_partition``      | `Firmware loader`_                                            | 44 KB              | 28 KB             |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| ``softdevice_partition`` | For the SoftDevice, including an MCUboot header of size 0x800 |                                        |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
-| ``metadata_partition``   | Stores metadata, placed at the last 0x200 of NVM              |                    |                   |
-+--------------------------+---------------------------------------------------------------+--------------------+-------------------+
++--------------------------+---------------------------------------------------------------+--------------------+----------------------+
+| Partition Name           | Description                                                   | Minimum size  |br| | Minimum size |br|    |
+|                          |                                                               | (Development)      | (Release)            |
++==========================+===============================================================+====================+======================+
+| ``boot_partition``       | Bootloader (MCUboot)                                          | 31 KiB             | 21 KiB (using KMU)   |
+|                          |                                                               |                    | 26 KiB (without KMU) |
++--------------------------+---------------------------------------------------------------+--------------------+----------------------+
+| ``slot0_partition``      | Main application slot                                         |                    |                      |
++--------------------------+---------------------------------------------------------------+--------------------+----------------------+
+| ``slot1_partition``      | `Firmware loader`_                                            | 44 KiB             | 28 KiB               |
++--------------------------+---------------------------------------------------------------+--------------------+----------------------+
+| ``softdevice_partition`` | For the SoftDevice, including an MCUboot header of size 0x800 |                                           |
++--------------------------+---------------------------------------------------------------+--------------------+----------------------+
+| ``metadata_partition``   | Stores metadata, placed at the last 0x200 of NVM              |                    |                      |
++--------------------------+---------------------------------------------------------------+--------------------+----------------------+
 
 .. note::
    The sizes and configurations of slot0 and slot1 are asymmetrical.

@@ -32,3 +32,21 @@ tests:
     tags:
       - sysbuild
       - uart
+  sample.boot.mcuboot_recovery_retention.uart.kmu:
+    sysbuild: true
+    build_only: true
+    integration_platforms:
+      - bm_nrf54l15dk/nrf54l05/cpuapp/s115_softdevice/mcuboot
+      - bm_nrf54l15dk/nrf54l10/cpuapp/s115_softdevice/mcuboot
+      - bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot
+    platform_allow:
+      - bm_nrf54l15dk/nrf54l05/cpuapp/s115_softdevice/mcuboot
+      - bm_nrf54l15dk/nrf54l10/cpuapp/s115_softdevice/mcuboot
+      - bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot
+    extra_args:
+      - SB_CONFIG_BM_FIRMWARE_LOADER_UART_MCUMGR=y
+      - SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU=y
+    tags:
+      - sysbuild
+      - uart
+      - kmu
@@ -2,3 +2,4 @@ setuptools
 wheel
 west
 gitlint
+python-dotenv
@@ -22,6 +22,7 @@ function(bm_install_setup)
       )
 
       add_overlay_dts(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/FIRMWARE_LOADER_image_default.overlay)
+      add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/BOOTLOADER_image_default.conf)
 
       # Enable LTO on MCUboot image
       add_overlay_config(mcuboot ${CMAKE_CURRENT_SOURCE_DIR}/image_configurations/lto.conf)
@@ -43,11 +44,13 @@ function(bm_install_setup)
         set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
       elseif(SB_CONFIG_BM_BOOT_IMG_HASH_ALG_PURE)
         set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
-        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
+        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
         set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
         set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
+        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+        set_config_bool(${SB_CONFIG_BM_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
       endif()
 
       if(SB_CONFIG_SOC_SERIES_NRF54LX)
@@ -64,9 +67,19 @@ function(bm_install_setup)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
           set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
-          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
           set_config_bool(mcuboot CONFIG_BOOT_KEY_IMPORT_BYPASS_ASN y)
-          set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
+
+          if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU)
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+            set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER n)
+            set_config_bool(mcuboot CONFIG_MBEDTLS_ENABLE_HEAP n)
+            set_config_bool(mcuboot CONFIG_PSA_CORE_LITE y)
+            set_config_bool(mcuboot CONFIG_PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS y)
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+          else()
+            set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+            set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
+          endif()
         endif()
       endif()
 
@@ -271,6 +284,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake)
       ALL
       DEPENDS ${CMAKE_BINARY_DIR}/production.hex
     )
+
+    if(SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE)
+      include(${ZEPHYR_NRF_BM_MODULE_DIR}/cmake/sysbuild/generate_default_keyfile.cmake)
+    endif()
   endif()
 endfunction()
 

@@ -51,6 +51,19 @@ config BM_BOOTLOADER_MCUBOOT_SIGNATURE_KEY_FILE
 	help
 	  Absolute path to signing key file to use with MCUBoot.
 
+config BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU
+	bool "Use KMU stored keys for signature verification"
+	depends on SOC_SERIES_NRF54LX && BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519
+	help
+	  The device needs to be provisioned with proper set of keys.
-	  The device needs to be provisioned with proper set of keys.
+	  The device needs to be provisioned with the proper set of keys.
-	  The device needs to be provisioned with proper set of keys.
+	  The device needs to be provisioned with the proper set of keys.
+
+config BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE
+	bool "Generate default keyfile for provisioning during build"
+	depends on BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU
+	default y
+	help
+	  If enabled, the build system will generate keyfile.json file in the build directory.
+
 menu "Firmware loader entrance modes"
 	depends on !BM_FIRMWARE_LOADER_NONE
 

@@ -0,0 +1,9 @@
+CONFIG_KERNEL_MEM_POOL=n
+CONFIG_CURRENT_THREAD_USE_TLS=n
+CONFIG_ERRNO=n
+CONFIG_FP16=n
+CONFIG_HW_STACK_PROTECTION=n
+CONFIG_BUILTIN_STACK_GUARD=n
+CONFIG_TIMEOUT_64BIT=n
+CONFIG_SYS_CLOCK_EXISTS=n
+CONFIG_NRF_GRTC_START_SYSCOUNTER=n
@@ -14,7 +14,7 @@ manifest:
   projects:
     - name: nrf
       repo-path: sdk-nrf
-      revision: 693f67dc9b63261e2c87ff770263f503ae8a9668
+      revision: pull/24511/head
       import:
         name-allowlist:
           - cmsis_6
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,3 +2,4 @@ setuptools @@
     wheel
     west
     gitlint
+    python-dotenv