samples: bluetooth: fast_pair: locator_tag: HW crypto MCUboot for nRF54L

Updated configurations for the nRF54L build targets in the Fast Pair
Locator Tag sample to use HW crypto in the MCUboot bootloader.

Aligned the partition layout of the affected targets to fit the MCUboot
image into its partition and reserve the appropriate room for the
eventual bootloader image growth in future NCS releases.

This change breaks the backwards compatibility as it changes the
MCUboot signature type from RSA to ED22519 and the layout of the
partition map.

Ref: NCSDK-30842

Signed-off-by: Kamil Piszczek <[email protected]>

Author: kapi-no

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

@@ -487,6 +487,13 @@ Bluetooth Fast Pair samples
     * The partition layout for the ``nrf5340dk/nrf5340/cpuapp/ns`` and ``thingy53/nrf5340/cpuapp/ns`` board targets to accommodate the partitions needed due to a change in the TF-M profile configuration.
     * The debug (default) configuration of the main image to enable the Link Time Optimization (LTO) with the :kconfig:option:`CONFIG_LTO` Kconfig option.
       This change ensures consistency with the sample release configuration that has the LTO feature enabled by default.
+    * The ``nrf54l15dk/nrf54l15/cpuapp`` board target configuration to enable hardware cryptography for the MCUboot bootloader.
+      The application image is verified using a pure ED25519 signature and the public key used by MCUboot for validating the application image is securely stored in the Key Management Unit (KMU) hardware peripheral.
+      Support for the ``nrf54l15dk/nrf54l05/cpuapp`` and ``nrf54l15dk/nrf54l10/cpuapp`` board targets, which is added to this sample in this release iteration, also includes the same MCUboot bootloader configuration with the hardware cryptography enabled.
+
+      The change modifies the memory partition layout for the ``nrf54l15dk/nrf54l15/cpuapp`` board target and changes the MCUboot image signing algorithm.
+      Because of that, the application images built for the ``nrf54l15dk/nrf54l15/cpuapp`` board target from this |NCS| release are not compatible with the MCUboot bootloader built from previous releases.
+      It is highly recommended to use hardware cryptography for the nRF54L SoC Series for improved security.
 
 Bluetooth Mesh samples
 ----------------------

samples/bluetooth/fast_pair/locator_tag/configuration/pm_static_nrf54l15dk_nrf54l05_cpuapp_release.yml

@@ -1,30 +1,30 @@
 mcuboot:
   address: 0x0
   region: flash_primary
-  size: 0x5000
+  size: 0x6000
 
 mcuboot_primary:
-  address: 0x5000
+  address: 0x6000
   orig_span: &id001
   - app
   - mcuboot_pad
   region: flash_primary
-  size: 0x3a000
+  size: 0x39000
   span: *id001
 mcuboot_pad:
-  address: 0x5000
+  address: 0x6000
   region: flash_primary
   size: 0x800
 app:
-  address: 0x5800
+  address: 0x6800
   region: flash_primary
-  size: 0x39800
+  size: 0x38800
 mcuboot_primary_app:
-  address: 0x5800
+  address: 0x6800
   orig_span: &id002
   - app
   region: flash_primary
-  size: 0x39800
+  size: 0x38800
   span: *id002
 
 mcuboot_secondary:
@@ -33,7 +33,7 @@ mcuboot_secondary:
   - mcuboot_secondary_pad
   - mcuboot_secondary_app
   region: flash_primary
-  size: 0x3a000
+  size: 0x39000
   span: *id003
 mcuboot_secondary_pad:
   region: flash_primary
@@ -42,14 +42,14 @@ mcuboot_secondary_pad:
 mcuboot_secondary_app:
   region: flash_primary
   address: 0x3f800
-  size: 0x39800
+  size: 0x38800
 
 bt_fast_pair:
-  address: 0x79000
+  address: 0x78000
   region: flash_primary
   size: 0x1000
 
 settings_storage:
-  address: 0x7a000
+  address: 0x79000
   region: flash_primary
-  size: 0x3000
+  size: 0x4000

samples/bluetooth/fast_pair/locator_tag/configuration/pm_static_nrf54l15dk_nrf54l10_cpuapp.yml

@@ -1,34 +1,34 @@
 mcuboot:
   address: 0x0
   region: flash_primary
-  size: 0x5000
+  size: 0x6000
 
 mcuboot_primary:
-  address: 0x5000
+  address: 0x6000
   orig_span: &id001
   - app
   - mcuboot_pad
   region: flash_primary
   size: 0x7a000
   span: *id001
 mcuboot_pad:
-  address: 0x5000
+  address: 0x6000
   region: flash_primary
   size: 0x800
 app:
-  address: 0x5800
+  address: 0x6800
   region: flash_primary
   size: 0x79800
 mcuboot_primary_app:
-  address: 0x5800
+  address: 0x6800
   orig_span: &id002
   - app
   region: flash_primary
   size: 0x79800
   span: *id002
 
 mcuboot_secondary:
-  address: 0x7f000
+  address: 0x80000
   orig_span: &id003
   - mcuboot_secondary_pad
   - mcuboot_secondary_app
@@ -37,17 +37,17 @@ mcuboot_secondary:
   span: *id003
 mcuboot_secondary_pad:
   region: flash_primary
-  address: 0x7f000
+  address: 0x80000
   size: 0x800
 mcuboot_secondary_app:
   region: flash_primary
-  address: 0x7f800
+  address: 0x80800
   size: 0x79800
 
 settings_storage:
-  address: 0xf9000
+  address: 0xfa000
   region: flash_primary
-  size: 0x6000
+  size: 0x5000
 
 bt_fast_pair:
   address: 0xff000

samples/bluetooth/fast_pair/locator_tag/configuration/pm_static_nrf54l15dk_nrf54l15_cpuapp.yml

@@ -1,34 +1,34 @@
 mcuboot:
   address: 0x0
   region: flash_primary
-  size: 0x5000
+  size: 0x6000
 
 mcuboot_primary:
-  address: 0x5000
+  address: 0x6000
   orig_span: &id001
   - app
   - mcuboot_pad
   region: flash_primary
   size: 0xb8000
   span: *id001
 mcuboot_pad:
-  address: 0x5000
+  address: 0x6000
   region: flash_primary
   size: 0x800
 app:
-  address: 0x5800
+  address: 0x6800
   region: flash_primary
   size: 0xb7800
 mcuboot_primary_app:
-  address: 0x5800
+  address: 0x6800
   orig_span: &id002
   - app
   region: flash_primary
   size: 0xb7800
   span: *id002
 
 mcuboot_secondary:
-  address: 0xbd000
+  address: 0xbe000
   orig_span: &id003
   - mcuboot_secondary_pad
   - mcuboot_secondary_app
@@ -37,19 +37,19 @@ mcuboot_secondary:
   span: *id003
 mcuboot_secondary_pad:
   region: flash_primary
-  address: 0xbd000
+  address: 0xbe000
   size: 0x800
 mcuboot_secondary_app:
   region: flash_primary
-  address: 0xbd800
+  address: 0xbe800
   size: 0xb7800
 
 bt_fast_pair:
-  address: 0x175000
+  address: 0x176000
   region: flash_primary
   size: 0x1000
 
 settings_storage:
-  address: 0x176000
+  address: 0x177000
   region: flash_primary
-  size: 0x7000
+  size: 0x6000

samples/bluetooth/fast_pair/locator_tag/sysbuild/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2024 Nordic Semiconductor
+# Copyright (c) 2024-2025 Nordic Semiconductor
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
@@ -11,3 +11,15 @@ set(SB_APPLICATION_CONFIG_DIR
 find_package(Sysbuild REQUIRED HINTS $ENV{ZEPHYR_BASE})
 
 project(sysbuild LANGUAGES)
+
+if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
+  message(WARNING "
+          ------------------------------------------------------------------------------
+          --- WARNING: MCUboot uses KMU stored keys for signature verification. Make ---
+          --- sure to use `west ncs-provision` to manually provision the bootloader. ---
+          --- Application would fail to boot if MCUboot is not provisioned. For more ---
+          --- details, see the `Building and running` section from the Fast Pair     ---
+          --- Locator Tag Readme documentation.                                      ---
+          ------------------------------------------------------------------------------
+          ")
+endif()

samples/bluetooth/fast_pair/locator_tag/sysbuild/configuration/nrf54l15dk_nrf54l05_cpuapp/boot_signature_key_file_ed25519.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIEcuFYDHAHi5JE6PC8QVuREnCsrjJbX7L4EEnhLbsWbi
+-----END PRIVATE KEY-----

samples/bluetooth/fast_pair/locator_tag/sysbuild/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release.conf

@@ -6,4 +6,7 @@
 
 SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
-SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
+SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
+SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${SB_APPLICATION_CONFIG_DIR}/boot_signature_key_file_ed25519.pem"

samples/bluetooth/fast_pair/locator_tag/sysbuild/configuration/nrf54l15dk_nrf54l10_cpuapp/boot_signature_key_file_ed25519.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIIOCRnU1f9KZzfITcihTytZaJgTP1XU/NCbVpElBm5m5
+-----END PRIVATE KEY-----

samples/bluetooth/fast_pair/locator_tag/sysbuild/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild.conf

@@ -6,4 +6,7 @@
 
 SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
-SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
+SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
+SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${SB_APPLICATION_CONFIG_DIR}/boot_signature_key_file_ed25519.pem"

samples/bluetooth/fast_pair/locator_tag/sysbuild/configuration/nrf54l15dk_nrf54l15_cpuapp/boot_signature_key_file_ed25519.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIFjCntMdjT+ZREsWd4lxtVeCPBca2/+lGTXrU/CwgOhQ
+-----END PRIVATE KEY-----