sysbuild: MCUboot with ED25519 and KMU via PSA support

The commit will enforce building nrf54l15 with PSA enabled
ED25519, with CONFIG_NRF_SECURITY=y.
The commit adds SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU that allows
to build MCUboot for signature verification via KMU instead of
compiled in keys.

Signed-off-by: Dominik Ermel <[email protected]>
(cherry picked from commit 03fb52e)

Author: de-nordic

sysbuild/CMakeLists.txt

@@ -226,6 +226,17 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
       endif()
     endforeach()
 
+    # The NRF54LX goes with PSA crypto by default
+    if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+      set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+
+      if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
+        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+      else()
+        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+      endif()
+    endif()
+
     # A v1 board doesn't define board qualifiers, thus below test will just test the pure board
     # name for a v1 board. A v2 board will match against the board qualifier.
     if("${BOARD}${BOARD_QUALIFIERS}" MATCHES "(_|/)ns$")

sysbuild/Kconfig.mcuboot

@@ -147,6 +147,13 @@ config MCUBOOT_FPROTECT_ALLOW_COMBINED_REGIONS
 	default y
 	depends on SOC_SERIES_NRF54LX && !SECURE_BOOT_APPCORE
 
+config MCUBOOT_SIGNATURE_USING_KMU
+	bool "Use KMU stored keys for signature verification"
+	depends on SOC_SERIES_NRF54LX
+	depends on BOOT_SIGNATURE_TYPE_ED25519
+	help
+	  The device needs to be provisioned with proper set of keys.
+
 endif
 
 config MCUBOOT_USE_ALL_AVAILABLE_RAM