sysbuild: Add option to use original KMU keyslots for MCUboot

nordicjm · nordicjm · commit 229094834620 · 2025-10-07T14:51:48.000+01:00
Adds a sysbuild Kconfig option for this, sets it in the target
MCUboot image and updates the keyfile generation file to output
for the correct slot

Signed-off-by: Jamie McCrae &lt;jamie.mccrae@nordicsemi.no&gt;
diff --git a/cmake/sysbuild/generate_default_keyfile.cmake b/cmake/sysbuild/generate_default_keyfile.cmake
@@ -8,7 +8,7 @@
 set(kmu_json_commands "")
 set(kmu_json_dependencies "")
 
-# First command: Generate keyfile for BL_PUBKEY
+# First command: Generate keyfile for b0 (BL_PUBKEY)
 if(SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE)
   # --- Determine the signing key file to use ---
   set(signature_private_key_file "") # Initialize
@@ -39,12 +39,18 @@ if(SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE)
   list(APPEND kmu_json_dependencies ${signature_private_key_file})
 endif()
 
-# Second command (conditional): Update keyfile for UROT_PUBKEY
+# Second command (conditional): Update keyfile for MCUboot (UROT_PUBKEY or BL_PUBKEY)
 if(SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE)
   string(CONFIGURE "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}" mcuboot_signature_key_file)
+  set(mcuboot_kmu_keyname UROT_PUBKEY)
+
+  if(NOT SB_CONFIG_MCUBOOT_SIGNATURE_KMU_UROT_MAPPING AND NOT SB_CONFIG_SECURE_BOOT_APPCORE)
+    set(mcuboot_kmu_keyname BL_PUBKEY)
+  endif()
+
   list(APPEND kmu_json_commands
     COMMAND ${Python3_EXECUTABLE} -m west ncs-provision upload
-      --keyname UROT_PUBKEY
+      --keyname ${mcuboot_kmu_keyname}
       --key ${mcuboot_signature_key_file}
       --build-dir ${CMAKE_BINARY_DIR}
       --dry-run
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
@@ -238,6 +238,12 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
 
         if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
           set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+
+          if(SB_CONFIG_MCUBOOT_SIGNATURE_KMU_UROT_MAPPING)
+            set_config_bool(mcuboot CONFIG_NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING y)
+          else()
+            set_config_bool(mcuboot CONFIG_NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING n)
+          endif()
         else()
           set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
         endif()
diff --git a/sysbuild/Kconfig.mcuboot b/sysbuild/Kconfig.mcuboot
@@ -183,6 +183,18 @@ config MCUBOOT_SIGNATURE_USING_KMU
 	help
 	  The device needs to be provisioned with proper set of keys.
 
+config MCUBOOT_SIGNATURE_KMU_UROT_MAPPING
+	bool "Use original UROT KMU key mapping [DEPRECATED]"
+	depends on MCUBOOT_SIGNATURE_USING_KMU
+	depends on SOC_SERIES_NRF54LX
+	depends on !SECURE_BOOT_APPCORE
+	select DEPRECATED
+	help
+	  When this option is enabled, it will use the previous UROT_PUBKEY key slot IDs for the
+	  MCUboot image which are assigned for the non-immutable bootloader IDs, otherwise it
+	  will use the key set for the mode that MCUboot is used in (non-immutable slots when b0
+	  is enabled, or immutable slots when b0 is not enabled).
+
 config MCUBOOT_SIGNATURE_USING_ITS
 	bool "Use ITS stored keys for signature verification [EXPERIMENTAL]"
 	depends on SOC_SERIES_NRF54HX
