sysbuild: Add KMU provisioning and allow KMU usage #357
You can find the documentation preview for this PR here.
@nvlsianpu @michalek-no please review
LGTM, although can't build without patching.
doc is fine - can be tweaked by the writers based on NCS doc content,
sysbuild/Kconfig.bm
Outdated
config BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU
	bool "Use KMU stored keys for signature verification"
	depends on SOC_SERIES_NRF54LX
	depends on BOOT_SIGNATURE_TYPE_ED25519
shouldn't it depend on BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519 instead?
good shout, yes
Fixed
sysbuild/Kconfig.bm
Outdated
config BM_BOOTLOADER_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE
	bool "Generate default keyfile for provisioning during build"
	depends on MCUBOOT_SIGNATURE_USING_KMU
shouldn't it depend on the above property?
Fixed
With patches this PR will make provisioning work:
-- runners.nrfutil: Flashing file: /home/anpu/BM/nrf-bm/samples/boot/mcuboot_recovery_entry/build/mcuboot/zephyr/zephyr_signed_softdevice_flash_metadata.hex
-- runners.nrfutil: Provisioning key file: /home/anpu/BM/nrf-bm/samples/boot/mcuboot_recovery_entry/build/keyfile.json
-- runners.nrfutil: Erasing non-volatile memory (ERASEALL)
-- runners.nrfutil: Programming image
-- runners.nrfutil: Verifying image
-- runners.nrfutil: KEY Provision
-- runners.nrfutil: Board(s) with serial number(s) 1057721615 flashed successfully.
-- west flash: using runner nrfutil
although the application isn't booted. I've used samples/boot/mcuboot_recovery_entry
It won't boot because it programs the UROT key and needs the sdk-mcuboot PR to be usable with the correct slot (think it was BTT or Frank that requested MCUboot use UROT key slots when b0 is not present). Have added manifest update
9bd7565 to a2a3ed9
The following west manifest projects have changed revision in this Pull Request:
✅ All manifest checks OK
Note: This message is automatically posted and updated by the Manifest GitHub Action.
a2a3ed9 to 9d573f8
No, I checked that we hardcoded sdk-mcuboot to use URTO_PUBKEY.
9d573f8 to cc69fcd
cd9d115 to 5e19161
sysbuild/Kconfig.bm
Outdated
	bool "Use KMU stored keys for signature verification"
	depends on SOC_SERIES_NRF54LX && BM_BOOTLOADER_MCUBOOT_SIGNATURE_TYPE_ED25519
	help
	  The device needs to be provisioned with proper set of keys.
Suggested change: "The device needs to be provisioned with proper set of keys." to "The device needs to be provisioned with the proper set of keys."
fixed
};
-		slot0_partition: partition@b000 {
+		slot0_partition: partition@9c00 {
I'm not able to boot the application with this partition address. If I change the address to 0xa000 it starts fine.
I think the problem is that 0x9c00 is not 2KiB aligned. So assuming an image header of 2KiB, the interrupt table at the start of application is not properly aligned.
Same for L05 and L10.
Ah that might explain a problem then, I must not have rebuilt and run after reducing the sizes, will fix
*************************

The nRF54L series of SoCs contain a KMU - key management unit, this on-die peripheral can be used by CRACEN to securely store and use keys without allowing the contents to be read out.
In order to boot images when the KMU feature is enabled, the MCUboot singing key must be programmed to the KMU prior to loading the firmware or the device will be unable to boot.
Suggested change: "the MCUboot singing key must be programmed to the KMU" to "the MCUboot signing key must be programmed to the KMU".
fixed
};
		slot0_partition: partition@b000 {
+		/* Area from 0x9c00 to 0xa000 is unused due to alignment */
Should we add this to storage? E.g. as a 1k storage1_partition?
Or is there no point as we expect the boot_partition size to be further reduced?
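A small worked check of the alignment argument raised earlier in this thread (0x9c00 vs 0xa000) and of the unused 0x9c00..0xa000 area discussed here, added as an example and not code from the PR or the nrf-bm project: it parses `partition@<hex>` labels from a constructed devicetree fragment, places the application vector table behind an assumed 2 KiB MCUboot image header with an assumed 2 KiB alignment requirement, and reports the next usable slot start and the bytes that move leaves unused.

```python
import re

# Constructed devicetree fragment modelled on the partition lines quoted in
# this review; the reg values are made up and are not the project's real DTS.
DTS_FRAGMENT = """
boot_partition: partition@0 {
    reg = <0x0 0x9c00>;
};
slot0_partition: partition@9c00 {
    reg = <0x9c00 0x10000>;
};
"""

IMAGE_HEADER_SIZE = 0x800   # assumed 2 KiB MCUboot image header (per the review comment)
REQUIRED_ALIGNMENT = 0x800  # assumed alignment the vector table must satisfy


def partition_addresses(dts: str) -> dict:
    """Return {label: unit address} for each 'label: partition@<hex> {' line."""
    pat = re.compile(r"^\s*(\w+):\s*partition@([0-9a-fA-F]+)\s*\{", re.MULTILINE)
    return {m.group(1): int(m.group(2), 16) for m in pat.finditer(dts)}


def check_slot(slot_addr: int, header: int = IMAGE_HEADER_SIZE,
               align: int = REQUIRED_ALIGNMENT) -> dict:
    """Locate the vector table behind the image header and test its alignment.

    When misaligned, also give the next slot start that would be aligned and
    the number of bytes between the original start and that address (the gap
    the partition comment above describes)."""
    vector_table = slot_addr + header
    aligned = vector_table % align == 0
    next_slot = slot_addr if aligned else ((slot_addr + align - 1) // align) * align
    return {"vector_table": vector_table, "aligned": aligned,
            "next_aligned_slot": next_slot, "gap": next_slot - slot_addr}


def check_fragment(dts: str) -> dict:
    """Run check_slot over every slotN_partition in the fragment."""
    return {label: check_slot(addr)
            for label, addr in partition_addresses(dts).items()
            if label.startswith("slot")}


if __name__ == "__main__":
    for label, result in check_fragment(DTS_FRAGMENT).items():
        shown = {k: (v if isinstance(v, bool) else hex(v)) for k, v in result.items()}
        print(label, shown)
```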
It can be added to storage but will leave that to a future PR (the partitions might also be reworked in future to better utilise size)
This is now needed by sdk-zephyr Signed-off-by: Jamie McCrae <[email protected]>
Includes an sdk-mcuboot update to fix the slot IDs for KMU usage Signed-off-by: Jamie McCrae <[email protected]>
Allows usage of KMU in MCUboot for the signature verification and copies the KMU provisioning script from NCS with changes for BM Signed-off-by: Jamie McCrae <[email protected]>
Adds a KMU build of this sample Signed-off-by: Jamie McCrae <[email protected]>
Adds a section on how to use the KMU Signed-off-by: Jamie McCrae <[email protected]>
Disables some options including system clock support for MCUboot to reduce the size of the application as they are not needed Signed-off-by: Jamie McCrae <[email protected]>
Due to optimisations applied to MCUboot configuration, the size of the partition can be reduced to 31KiB which allows memory protection to be applied to the section using a single protection region, and even with logs enabled there is still spare space available in the slot Signed-off-by: Jamie McCrae <[email protected]>
The minimum sizes for release builds are now smaller Signed-off-by: Jamie McCrae <[email protected]>
Allows usage of KMU in MCUboot for the signature verification and copies the KMU provisioning script from NCS with changes for BM