sysbuild: Add a MCUboot manifest generator

Add a possibility to automatically generate a MCUboot manifest with all
expected image's digests.

Signed-off-by: Tomasz Chyrowicz <[email protected]>

Author: tomchy

cmake/sysbuild/image_signing.cmake

@@ -143,6 +143,10 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_extra ${imgtool_extra} --cid "${CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME}")
   endif()
 
+  if(CONFIG_NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST)
+    set(imgtool_extra ${imgtool_extra} --manifest "manifest.yaml")
+  endif()
+
   set(imgtool_args ${imgtool_extra})
 
   # Extensionless prefix of any output file.

cmake/sysbuild/mcuboot_manifest.cmake

@@ -0,0 +1,88 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/bootloader_dts_utils.cmake)
+
+yaml_create(NAME mcuboot_manifest)
+yaml_set(NAME mcuboot_manifest KEY format VALUE "1")
+yaml_set(NAME mcuboot_manifest KEY images LIST)
+set(manifest_path "manifest.yaml")
+set(manifest_img_slot_0 "${DEFAULT_IMAGE}")
+
+yaml_create(NAME mcuboot_secondary_manifest)
+yaml_set(NAME mcuboot_secondary_manifest KEY format VALUE "1")
+yaml_set(NAME mcuboot_secondary_manifest KEY images LIST)
+set(manifest_secondary_path "manifest_secondary.yaml")
+set(manifest_img_slot_1 "mcuboot_secondary_app")
+
+# There is no need to generate a manifest if there is only a single (merged) image.
+if(NOT SB_CONFIG_MCUBOOT_SIGN_MERGED_BINARY)
+  sysbuild_get(manifest_img IMAGE mcuboot VAR CONFIG_MCUBOOT_MANIFEST_IMAGE_INDEX KCONFIG)
+  math(EXPR manifest_slot_0 "${manifest_img} * 2")
+  math(EXPR manifest_slot_1 "${manifest_img} * 2 + 1")
+  dt_partition_addr(slot0_addr LABEL "slot${manifest_slot_0}_partition" TARGET mcuboot ABSOLUTE REQUIRED)
+  dt_partition_addr(slot1_addr LABEL "slot${manifest_slot_1}_partition" TARGET mcuboot ABSOLUTE REQUIRED)
+
+  UpdateableImage_Get(images GROUP "DEFAULT")
+  foreach(image ${images})
+    sysbuild_get(BINARY_DIR IMAGE ${image} VAR APPLICATION_BINARY_DIR CACHE)
+    sysbuild_get(BINARY_BIN_FILE IMAGE ${image} VAR CONFIG_KERNEL_BIN_NAME KCONFIG)
+    dt_chosen(code_flash TARGET ${image} PROPERTY "zephyr,code-partition")
+    dt_partition_addr(code_addr PATH "${code_flash}" TARGET ${image} ABSOLUTE REQUIRED)
+
+    if("${code_addr}" STREQUAL "${slot0_addr}")
+      cmake_path(APPEND BINARY_DIR "zephyr" "manifest.yaml" OUTPUT_VARIABLE manifest_path)
+      set(manifest_img_slot_0 "${image}")
+      continue()
+    endif()
+
+    if(NOT "${SB_CONFIG_SIGNATURE_TYPE}" STREQUAL "NONE")
+      cmake_path(APPEND BINARY_DIR "zephyr" "${BINARY_BIN_FILE}.signed.bin" OUTPUT_VARIABLE image_path)
+    else()
+      cmake_path(APPEND BINARY_DIR "zephyr" "${BINARY_BIN_FILE}.bin" OUTPUT_VARIABLE image_path)
+    endif()
+
+    yaml_set(NAME mcuboot_manifest KEY images APPEND LIST MAP "path: ${image_path}, name: ${image}")
+  endforeach()
+
+  foreach(image ${images})
+    if("${image}" STREQUAL "${manifest_img_slot_0}")
+      continue()
+    endif()
+    add_dependencies("${manifest_img_slot_0}" "${image}")
+  endforeach()
+
+  UpdateableImage_Get(variants GROUP "VARIANT")
+  foreach(image ${variants})
+    sysbuild_get(BINARY_DIR IMAGE ${image} VAR APPLICATION_BINARY_DIR CACHE)
+    sysbuild_get(BINARY_BIN_FILE IMAGE ${image} VAR CONFIG_KERNEL_BIN_NAME KCONFIG)
+    dt_chosen(code_flash TARGET ${image} PROPERTY "zephyr,code-partition")
+    dt_partition_addr(code_addr PATH "${code_flash}" TARGET ${image} ABSOLUTE REQUIRED)
+
+    if("${code_addr}" STREQUAL "${slot1_addr}")
+      cmake_path(APPEND BINARY_DIR "zephyr" "manifest.yaml" OUTPUT_VARIABLE manifest_secondary_path)
+      set(manifest_img_slot_1 "${image}")
+      continue()
+    endif()
+
+    if(NOT "${SB_CONFIG_SIGNATURE_TYPE}" STREQUAL "NONE")
+      cmake_path(APPEND BINARY_DIR "zephyr" "${BINARY_BIN_FILE}.signed.bin" OUTPUT_VARIABLE image_path)
+    else()
+      cmake_path(APPEND BINARY_DIR "zephyr" "${BINARY_BIN_FILE}.bin" OUTPUT_VARIABLE image_path)
+    endif()
+
+    yaml_set(NAME mcuboot_secondary_manifest KEY images APPEND LIST MAP "path: ${image_path}, name: ${image}")
+  endforeach()
+
+  foreach(image ${variants})
+    if("${image}" STREQUAL "${manifest_img_slot_1}")
+      continue()
+    endif()
+    add_dependencies("${manifest_img_slot_1}" "${image}")
+  endforeach()
+endif()
+
+yaml_save(NAME mcuboot_manifest FILE "${manifest_path}")
+yaml_save(NAME mcuboot_secondary_manifest FILE "${manifest_secondary_path}")

subsys/bootloader/Kconfig

@@ -167,4 +167,26 @@ config NCS_MCUBOOT_BOOTLOADER_SIGN_MERGED_BINARY
 	help
 	  This is a Kconfig which is informative only, the value should not be changed.
 
+config NCS_MCUBOOT_MANIFEST_UPDATES
+	bool "Manifest-based updates (informative only, do not change)"
+	help
+	  When enabled, supports transactional updates using manifests.
+	  This is a Kconfig which is informative only, the value should not be changed.
+
+if NCS_MCUBOOT_MANIFEST_UPDATES
+
+config NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST
+	bool "MCUboot append manifest (informative only, do not change)"
+	help
+	  Append common manifest while signing the image.
+	  This is a Kconfig which is informative only, the value should not be changed.
+
+config NCS_MCUBOOT_MANIFEST_IMAGE_INDEX
+	int "Index of the image that must include manifest (informative only, do not change)"
+	help
+	  Specifies the index of the image that must include the manifest.
+	  This is a Kconfig which is informative only, the value should not be changed.
+
+endif # NCS_MCUBOOT_MANIFEST_UPDATES
+
 endmenu

sysbuild/CMakeLists.txt

@@ -172,6 +172,7 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
     set(dfu_slots_output_names Application;Network;Wifi\ patches;QSPI\ XIP;MCUboot\ b0\ update)
     set(dfu_slots_output_text "-- Sysbuild assigned MCUboot image IDs:\n")
     set(dfu_image_index -1)
+    set(manifest_image_target "none")
 
     list(LENGTH dfu_slots_sysbuild_kconfigs test_things_size)
     math(EXPR test_things_size "${test_things_size} - 1")
@@ -193,6 +194,22 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
         set_config_int(${image} ${current_application_kconfig} ${value})
       endforeach()
 
+      if(SB_CONFIG_MCUBOOT_MANIFEST_UPDATES)
+        if(${value} EQUAL ${SB_CONFIG_MCUBOOT_MANIFEST_IMAGE_INDEX})
+          if("${current_application_kconfig}" STREQUAL "CONFIG_MCUBOOT_APPLICATION_IMAGE_NUMBER")
+            set(manifest_image_target ${DEFAULT_IMAGE})
+          elseif("${current_application_kconfig}" STREQUAL "CONFIG_MCUBOOT_NETWORK_CORE_IMAGE_NUMBER")
+            set(manifest_image_target ${SB_CONFIG_NETCORE_IMAGE_NAME})
+          else()
+            # Unsupported indexes:
+            # - CONFIG_MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER
+            # - CONFIG_MCUBOOT_QSPI_XIP_IMAGE_NUMBER
+            # - CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER
+            message(FATAL_ERROR "MCUboot manifest image can only be assigned to application or network core images")
+          endif()
+        endif()
+      endif()
+
       set(${current_cache_name} ${value} CACHE INTERNAL "" FORCE)
     endforeach()
 
@@ -256,6 +273,25 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
       set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
     endif()
 
+    if(SB_CONFIG_MCUBOOT_MANIFEST_UPDATES)
+      set_config_bool(mcuboot CONFIG_MCUBOOT_MANIFEST_UPDATES y)
+      set_config_int(mcuboot CONFIG_MCUBOOT_MANIFEST_IMAGE_INDEX
+        ${SB_CONFIG_MCUBOOT_MANIFEST_IMAGE_INDEX})
+
+      if("${manifest_image_target}" STREQUAL "none")
+        message(FATAL_ERROR "No manifest image target, cannot append manifest to image")
+      endif()
+      set_config_bool(${manifest_image_target} CONFIG_NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST y)
+      if(SB_CONFIG_MCUBOOT_BUILD_DIRECT_XIP_VARIANT)
+        if("${manifest_image_target}" STREQUAL "${DEFAULT_IMAGE}")
+          set_config_bool(mcuboot_secondary_app CONFIG_NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST y)
+        else()
+          set_config_bool(${manifest_image_target}_secondary_app
+            CONFIG_NCS_MCUBOOT_IMGTOOL_APPEND_MANIFEST y)
+        endif()
+      endif()
+    endif()
+
     # Apply configuration to application
     foreach(image ${updateable_images})
       foreach(mode ${application_mcuboot_modes})
@@ -266,6 +302,11 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
         endif()
       endforeach()
 
+      if(SB_CONFIG_MCUBOOT_MANIFEST_UPDATES)
+        set_config_bool(${image} CONFIG_NCS_MCUBOOT_MANIFEST_UPDATES y)
+        set_config_int(${image} CONFIG_NCS_MCUBOOT_MANIFEST_IMAGE_INDEX ${SB_CONFIG_MCUBOOT_MANIFEST_IMAGE_INDEX})
+      endif()
+
       if(SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
         set_config_bool(${image} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
       endif()
@@ -385,7 +426,8 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
        OR SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT
        OR SB_CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT
        OR (SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_ENCRYPTION)
-       OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
+       OR SB_CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
+       OR SB_CONFIG_MCUBOOT_MANIFEST_UPDATES)
       # Use NCS signing script with support for PM or direct XIP (NCS specific features)
       if(SB_CONFIG_QSPI_XIP_SPLIT_IMAGE)
         set(${DEFAULT_IMAGE}_SIGNING_SCRIPT "${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/image_signing_split.cmake" CACHE INTERNAL "MCUboot signing script" FORCE)
@@ -888,6 +930,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake)
     include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/mcuboot_nrf54h20.cmake)
   endif()
 
+  if(SB_CONFIG_BOOTLOADER_MCUBOOT AND SB_CONFIG_MCUBOOT_MANIFEST_UPDATES)
+    include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/mcuboot_manifest.cmake)
+  endif()
+
   if(SB_CONFIG_DFU_ZIP)
     if(SB_CONFIG_BOOTLOADER_MCUBOOT)
       include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/zip.cmake)

sysbuild/Kconfig.mcuboot

@@ -23,6 +23,32 @@ config MCUBOOT_IMAGES_ROM_END_OFFSET_AUTO
 	  (e.g. "smp_svr;ipc_radio", "mcuboot_secondary_app").
 	  If empty the default set of updateable images will be affected.
 
+config MCUBOOT_MANIFEST_UPDATES
+	bool "Manifest-based updates"
+	depends on SOC_NRF54H20
+	depends on (MCUBOOT_UPDATEABLE_IMAGES > 1) && (MCUBOOT_MODE_DIRECT_XIP || MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT)
+	help
+	  When enabled, supports transactional updates using manifests.
+	  This allows multiple images to be updated atomically. The manifest
+	  is a separate TLV which contains a list of images to update and
+	  their expected hash values. The manifest TLV is a part of an image
+	  that is signed to prevent tampering.
+	  The manifest must be transferred as part of the image with index 0.
+	  It can be a dedicated image, or part of an existing image.
+	  If the second option is selected, all updates must contain an update
+	  for image 0.
+
+if MCUBOOT_MANIFEST_UPDATES
+
+config MCUBOOT_MANIFEST_IMAGE_INDEX
+	int "Index of the image that must include manifest"
+	default 0
+	range 0 MCUBOOT_UPDATEABLE_IMAGES
+	help
+	  Specifies the index of the image that must include the manifest.
+
+endif # MCUBOOT_MANIFEST_UPDATES
+
 config MCUBOOT_BUILD_DIRECT_XIP_VARIANT
 	bool "Build DirectXIP variant image"
 	depends on MCUBOOT_MODE_DIRECT_XIP || MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT

west.yml

@@ -126,7 +126,7 @@ manifest:
           compare-by-default: true
     - name: mcuboot
       repo-path: sdk-mcuboot
-      revision: 3839107e52c7228eba123129a3806fb3391781d6
+      revision: 9ba25b87567fceaea2e290fbda6be30ebc00625c
       path: bootloader/mcuboot
     - name: qcbor
       url: https://github.com/laurencelundblade/QCBOR