samples: bluetooth: fast_pair: locator_tag: auto provision KMU targets

Updated the configurations of the Fast Pair Locator Tag sample for
board targets that store the MCUboot verification key in the KMU
peripheral. These nRF54L-based targets now use the automatic
provisioning feature that makes it possible to perform the KMU
provisioning together with the west flash operation. The provisioning
is only performed if the ``west flash`` command is executed with the
``--erase`` or ``--recover`` flag.

Aligned the sample documentation with this change.

Ref: NCSDK-34176

Signed-off-by: Kamil Piszczek <[email protected]>

Author: kapi-no

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

@@ -364,8 +364,14 @@ Bluetooth Fast Pair samples
 * :ref:`fast_pair_locator_tag` sample:
 
   * Added possibility to build and run the sample without the motion detector support (with the :kconfig:option:`CONFIG_BT_FAST_PAIR_FMDN_DULT_MOTION_DETECTOR` Kconfig option disabled).
-  * Updated the :ref:`fast_pair_locator_tag_testing_fw_update_notifications` section to improve the test procedure.
-    The application provides now an additional log message to indicate that the firmware version is being read.
+
+  * Updated:
+
+    * The :ref:`fast_pair_locator_tag_testing_fw_update_notifications` section to improve the test procedure.
+      The application provides now an additional log message to indicate that the firmware version is being read.
+    * The configurations for nRF54L-based board targets that store the MCUboot verification key in the KMU peripheral to automatically generate the :file:`keyfile.json` file in the build directory (the ``SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option) based on the input file provided by the ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE`` Kconfig option.
+      This KMU provisioning step can now be performed automatically by the west runner, provided that a :file:`keyfile.json` file is present in the build directory.
+      The provisioning is only performed if the ``west flash`` command is executed with the ``--erase``  or ``--recover`` flag.
 
 Cellular samples
 ----------------

samples/bluetooth/fast_pair/locator_tag/README.rst

@@ -627,31 +627,21 @@ The MCUboot-based targets that enable the ``SB_CONFIG_MCUBOOT_SIGNATURE_USING_KM
    The board targets based on the nRF54L SoC Series are currently the only targets that support the KMU-based key storage.
    See the :ref:`fast_pair_locator_tag_dfu` section of this sample documentation for the details regarding the supported signature algorithms, public key storage location and the signature key file.
 
-Using KMU requires the provisioning operation of the public key to be performed manually.
-Before performing the provisioning operation, you need to ensure that your board target is fully erased:
+To use KMU, the public key must first be provisioned.
+This provisioning step can be performed automatically by the west runner, provided that a :file:`keyfile.json` file is present in the build directory.
+In this sample, the :file:`keyfile.json` file is automatically generated using the ``SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option.
+This option uses the input key specified by the ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE`` Kconfig option to generate the required file during the build process.
 
-.. parsed-literal::
-   :class: highlight
-
-   nrfutil device erase --all
-
-Assuming that your current working directory points to this sample directory, you can perform the provisioning operation as follows:
-
-.. parsed-literal::
-   :class: highlight
-
-   west ncs-provision upload -k sysbuild/configuration/<board_target>/boot_signature_key_file_<algorithm>.pem --keyname UROT_PUBKEY
-
-* The ``<board_target>`` placeholder is your board target name (for example, ``nrf54l15dk/nrf54l15/cpuapp``).
-* The ``<algorithm>`` placeholder is the algorithm used to generate the key pair for the application image signature generation and verification (for example, ``ed25519``).
-
-The examplary command for the ``nrf54l15dk/nrf54l15/cpuapp`` board target and the demonstration key file is as follows:
+To trigger KMU provisioning during flashing, use the ``west flash`` command with either the ``--erase`` or ``--recover`` flag.
+This ensures that both the firmware and the MCUboot public key are correctly programmed onto the target device using KMU-based key storage.
+Use the following command to perform the operation:
 
 .. parsed-literal::
    :class: highlight
 
-   west ncs-provision upload -k sysbuild/configuration/nrf54l15dk_nrf54l15_cpuapp/boot_signature_key_file_ed25519.pem --keyname UROT_PUBKEY
+   west flash --recover
 
+Alternatively, you can perform the provisioning operation manually with the ``west ncs-provision upload`` command and then flash the device with the ``west flash`` command.
 See :ref:`ug_nrf54l_developing_provision_kmu` for further details regarding the KMU provisioning process.
 
 .. _fast_pair_locator_tag_motion_detector_test_build:

samples/bluetooth/fast_pair/locator_tag/sysbuild/CMakeLists.txt

@@ -15,11 +15,12 @@ project(sysbuild LANGUAGES)
 if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
   message(WARNING "
           ------------------------------------------------------------------------------
-          --- WARNING: MCUboot uses KMU stored keys for signature verification. Make ---
-          --- sure to use `west ncs-provision` to manually provision the bootloader. ---
-          --- Application would fail to boot if MCUboot is not provisioned. For more ---
-          --- details, see the `Building and running` section from the Fast Pair     ---
-          --- Locator Tag Readme documentation.                                      ---
+          --- WARNING: MCUboot signature verification uses KMU-stored keys. You must ---
+          --- use the `west flash` command with either the `--erase` or `--recover`  ---
+          --- option to ensure the bootloader provisioning operation is included in  ---
+          --- the flashing procedure. The application will fail to boot if MCUboot   ---
+          --- is not properly provisioned. For detailed instructions, refer to the   ---
+          --- `Building and running` section in the Fast Pair Locator Tag Readme.    ---
           ------------------------------------------------------------------------------
           ")
 endif()

samples/bluetooth/fast_pair/locator_tag/sysbuild/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release.conf

@@ -8,5 +8,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${SB_APPLICATION_CONFIG_DIR}/boot_signature_key_file_ed25519.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y

samples/bluetooth/fast_pair/locator_tag/sysbuild/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild.conf

@@ -8,5 +8,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${SB_APPLICATION_CONFIG_DIR}/boot_signature_key_file_ed25519.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y

samples/bluetooth/fast_pair/locator_tag/sysbuild/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild.conf

@@ -8,5 +8,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${SB_APPLICATION_CONFIG_DIR}/boot_signature_key_file_ed25519.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y