sysbuild: Add a MCUboot manifest generator

Add a possibility to automatically generate a MCUboot manifest with all
expected image's digests.

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

cmake/sysbuild/image_signing.cmake

@@ -143,6 +143,10 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_extra ${imgtool_extra} --cid "${CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME}")
   endif()
 
+  if(CONFIG_NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST)
+      set(imgtool_extra ${imgtool_extra} --manifest "manifest.yaml")
+  endif()
+
   set(imgtool_args ${imgtool_extra})
 
   # Extensionless prefix of any output file.

cmake/sysbuild/mcuboot_manifest.cmake

@@ -0,0 +1,89 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/bootloader_dts_utils.cmake)
+
+yaml_create(NAME mcuboot_manifest)
+yaml_set(NAME mcuboot_manifest KEY format VALUE "1")
+yaml_set(NAME mcuboot_manifest KEY images LIST)
+set(manifest_path "manifest.yaml")
+set(manifest_img_slot_0 "${DEFAULT_IMAGE}")
+
+yaml_create(NAME mcuboot_secondary_manifest)
+yaml_set(NAME mcuboot_secondary_manifest KEY format VALUE "1")
+yaml_set(NAME mcuboot_secondary_manifest KEY images LIST)
+set(manifest_secondary_path "manifest_secondary.yaml")
+set(manifest_img_slot_1 "mcuboot_secondary_app")
+
+# Since the default (merged) image is excluded from the manifest, because it contains the manifest
+# itself, there is no need to construct the manifest when building a merged image.
+if(NOT SB_CONFIG_MCUBOOT_SIGN_MERGED_BINARY)
+  sysbuild_get(manifest_img IMAGE mcuboot VAR CONFIG_MCUBOOT_MANIFEST_IMAGE_NUMBER KCONFIG)
+  math(EXPR manifest_slot_0 "${manifest_img} * 2")
+  math(EXPR manifest_slot_1 "${manifest_img} * 2 + 1")
+  dt_partition_addr(slot0_addr LABEL "slot${manifest_slot_0}_partition" TARGET mcuboot ABSOLUTE REQUIRED)
+  dt_partition_addr(slot1_addr LABEL "slot${manifest_slot_1}_partition" TARGET mcuboot ABSOLUTE REQUIRED)
+
+  UpdateableImage_Get(images GROUP "DEFAULT")
+  foreach(image ${images})
+    sysbuild_get(BINARY_DIR IMAGE ${image} VAR APPLICATION_BINARY_DIR CACHE)
+    sysbuild_get(BINARY_BIN_FILE IMAGE ${image} VAR CONFIG_KERNEL_BIN_NAME KCONFIG)
+    dt_chosen(code_flash TARGET ${image} PROPERTY "zephyr,code-partition")
+    dt_partition_addr(code_addr PATH "${code_flash}" TARGET ${image} ABSOLUTE REQUIRED)
+
+    if("${code_addr}" STREQUAL "${slot0_addr}")
+      cmake_path(APPEND BINARY_DIR "zephyr" "manifest.yaml" OUTPUT_VARIABLE manifest_path)
+      set(manifest_img_slot_0 "${image}")
+      continue()
+    endif()
+
+    if(NOT "${SB_CONFIG_SIGNATURE_TYPE}" STREQUAL "NONE")
+      cmake_path(APPEND BINARY_DIR "zephyr" "${BINARY_BIN_FILE}.signed.bin" OUTPUT_VARIABLE image_path)
+    else()
+      cmake_path(APPEND BINARY_DIR "zephyr" "${BINARY_BIN_FILE}.bin" OUTPUT_VARIABLE image_path)
+    endif()
+
+    yaml_set(NAME mcuboot_manifest KEY images APPEND LIST MAP "path: ${image_path}, name: ${image}")
+  endforeach()
+
+  foreach(image ${images})
+    if("${image}" STREQUAL "${manifest_img_slot_0}")
+      continue()
+    endif()
+    add_dependencies("${manifest_img_slot_0}" "${image}")
+  endforeach()
+
+  UpdateableImage_Get(variants GROUP "VARIANT")
+  foreach(image ${variants})
+    sysbuild_get(BINARY_DIR IMAGE ${image} VAR APPLICATION_BINARY_DIR CACHE)
+    sysbuild_get(BINARY_BIN_FILE IMAGE ${image} VAR CONFIG_KERNEL_BIN_NAME KCONFIG)
+    dt_chosen(code_flash TARGET ${image} PROPERTY "zephyr,code-partition")
+    dt_partition_addr(code_addr PATH "${code_flash}" TARGET ${image} ABSOLUTE REQUIRED)
+
+    if("${code_addr}" STREQUAL "${slot1_addr}")
+      cmake_path(APPEND BINARY_DIR "zephyr" "manifest.yaml" OUTPUT_VARIABLE manifest_secondary_path)
+      set(manifest_img_slot_1 "${image}")
+      continue()
+    endif()
+
+    if(NOT "${SB_CONFIG_SIGNATURE_TYPE}" STREQUAL "NONE")
+      cmake_path(APPEND BINARY_DIR "zephyr" "${BINARY_BIN_FILE}.signed.bin" OUTPUT_VARIABLE image_path)
+    else()
+      cmake_path(APPEND BINARY_DIR "zephyr" "${BINARY_BIN_FILE}.bin" OUTPUT_VARIABLE image_path)
+    endif()
+
+    yaml_set(NAME mcuboot_secondary_manifest KEY images APPEND LIST MAP "path: ${image_path}, name: ${image}")
+  endforeach()
+
+  foreach(image ${variants})
+    if("${image}" STREQUAL "${manifest_img_slot_1}")
+      continue()
+    endif()
+    add_dependencies("${manifest_img_slot_1}" "${image}")
+  endforeach()
+endif()
+
+yaml_save(NAME mcuboot_manifest FILE "${manifest_path}")
+yaml_save(NAME mcuboot_secondary_manifest FILE "${manifest_secondary_path}")

subsys/bootloader/Kconfig

@@ -170,4 +170,10 @@ config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE
 	help
 	  This is a Kconfig which is informative only, the value should not be changed.
 
+config NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST
+	bool "MCUboot append manifest"
+	help
+	  Append common manifest while signing the image.
+	  This is a Kconfig which is informative only, the value should not be changed.
+
 endmenu

sysbuild/CMakeLists.txt

@@ -229,6 +229,14 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
       set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
     endif()
 
+    if(SB_CONFIG_MCUBOOT_MANIFEST_UPDATES)
+      set_config_bool(mcuboot CONFIG_MCUBOOT_MANIFEST_UPDATES y)
+      set_config_bool(${DEFAULT_IMAGE} CONFIG_NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST y)
+      if(SB_CONFIG_MCUBOOT_BUILD_DIRECT_XIP_VARIANT)
+        set_config_bool(mcuboot_secondary_app CONFIG_NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST y)
+      endif()
+    endif()
+
     # Apply configuration to application
     foreach(image ${updateable_images})
       foreach(mode ${application_mcuboot_modes})
@@ -331,7 +339,9 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
       set_config_bool(mcuboot CONFIG_BOOT_FIH_PROFILE_DEFAULT_LOW y)
     endif()
 
-    if(SB_CONFIG_PARTITION_MANAGER OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT)
+    if(SB_CONFIG_PARTITION_MANAGER OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP
+       OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT
+       OR SB_CONFIG_MCUBOOT_MANIFEST_UPDATES)
       # Use NCS signing script with support for PM or direct XIP (NCS specific features)
       if(SB_CONFIG_QSPI_XIP_SPLIT_IMAGE)
         set(${DEFAULT_IMAGE}_SIGNING_SCRIPT "${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/image_signing_split.cmake" CACHE INTERNAL "MCUboot signing script" FORCE)
@@ -801,6 +811,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake)
     include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/mcuboot_nrf54h20.cmake)
   endif()
 
+  if(SB_CONFIG_BOOTLOADER_MCUBOOT AND SB_CONFIG_MCUBOOT_MANIFEST_UPDATES)
+    include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/mcuboot_manifest.cmake)
+  endif()
+
   if(SB_CONFIG_DFU_ZIP)
     if(SB_CONFIG_BOOTLOADER_MCUBOOT)
       include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/zip.cmake)

sysbuild/Kconfig.mcuboot

@@ -22,6 +22,19 @@ config MCUBOOT_IMAGES_ROM_END_OFFSET_AUTO
 	  (e.g. "smp_svr;ipc_radio", "mcuboot_secondary_app").
 	  If empty the default set of updateable images will be affected.
 
+config MCUBOOT_MANIFEST_UPDATES
+	bool "Enable transactional updates"
+	help
+	  If y, enables support for transactional updates using manifests.
+	  This allows multiple images to be updated atomically. The manifest
+	  is a separate TLV which contains a list of images to update and
+	  their expected hash values. The manifest TLV is a part of an image
+	  that is signed to prevent tampering.
+	  The manifest must be transferred as part of the image with index 0.
+	  It can be a dedicated image, or part of an existing image.
+	  If the second option is selected, all updates must contain an update
+	  for image 0.
+
 config MCUBOOT_BUILD_DIRECT_XIP_VARIANT
 	bool "Build DirectXIP variant image"
 	depends on MCUBOOT_MODE_DIRECT_XIP || MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT