sysbuild: default SHA512 for nrf54h20 ed25519 signature

This commit refactors CMakeLists.txt for sysbuild to set SHA512 related
configs more generically. Also, signing scripts are updated to handle
builds with SHA512 signatures.

Additionally, SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE is disabled for
nrf54h20 because it is not currently supported.

Signed-off-by: Michal Kozikowski <[email protected]>

Author: nordic-mik7

cmake/sysbuild/image_signing.cmake

@@ -124,12 +124,11 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_hex_extra)
   endif()
 
-  if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
-    if(NOT CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
-      set(imgtool_extra --sha 512 ${imgtool_extra})
-    else()
-      set(imgtool_extra --pure ${imgtool_extra})
-    endif()
+  # Set proper hash calculation algorithm for signing
+  if(CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
+    set(imgtool_extra --pure ${imgtool_extra})
+  elseif(CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512)
+    set(imgtool_extra --sha 512 ${imgtool_extra})
   endif()
 
   if(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)

cmake/sysbuild/image_signing_firmware_loader.cmake

@@ -84,12 +84,11 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_extra)
   endif()
 
-  if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
-    if(NOT CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
-      set(imgtool_extra --sha 512 ${imgtool_extra})
-    else()
-      set(imgtool_extra --pure ${imgtool_extra})
-    endif()
+  # Set proper hash calculation algorithm for signing
+  if(CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
+    set(imgtool_extra --pure ${imgtool_extra})
+  elseif(CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512)
+    set(imgtool_extra --sha 512 ${imgtool_extra})
   endif()
 
   if(NOT "${keyfile}" STREQUAL "")

cmake/sysbuild/sign_nrf54h20.cmake

@@ -190,6 +190,16 @@ function(mcuboot_sign_merged_nrf54h20 merged_hex main_image)
   # List of additional build byproducts.
   set(byproducts ${output}.merged.hex)
 
+  sysbuild_get(CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 IMAGE ${main_image} VAR CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 KCONFIG)
+  sysbuild_get(CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE IMAGE ${main_image} VAR CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE KCONFIG)
+
+  # Set proper hash calculation algorithm for signing
+  if(CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
+    set(imgtool_args --pure ${imgtool_args})
+  elseif(CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512)
+    set(imgtool_args --sha 512 ${imgtool_args})
+  endif()
+
   # Set up .hex outputs.
   if(SB_CONFIG_BUILD_OUTPUT_HEX)
     list(APPEND byproducts ${output}.signed.hex)

sysbuild/CMakeLists.txt

@@ -209,6 +209,14 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
       endif()
     endforeach()
 
+    if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+      set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+    endif()
+
+    if(SB_CONFIG_BOOT_IMG_HASH_ALG_SHA512 AND NOT (SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU AND SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE))
+      set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+    endif()
+
     # Apply configuration to application
     foreach(image ${updateable_images})
       foreach(mode ${application_mcuboot_modes})
@@ -218,21 +226,38 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
           set_config_bool(${image} ${mode} n)
         endif()
       endforeach()
+
+      if(SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+        set_config_bool(${image} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
+      endif()
+
+      if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+        set_config_bool(${image} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+      endif()
+
+      if(SB_CONFIG_BOOT_IMG_HASH_ALG_SHA512)
+        set_config_bool(${image} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+      endif()
     endforeach()
 
+    if(SB_CONFIG_MCUBOOT_MODE_FIRMWARE_UPDATER AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+      set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
+
+      if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+        set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+      endif()
+
+      if(SB_CONFIG_BOOT_IMG_HASH_ALG_SHA512)
+        set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+      endif()
+    endif()
+
     # The NRF54LX goes with PSA crypto by default
     if(SB_CONFIG_SOC_SERIES_NRF54LX)
       if(SB_CONFIG_BOOT_SIGNATURE_TYPE_NONE)
         set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
       elseif(SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
         set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
-
-        if(SB_CONFIG_MCUBOOT_MODE_FIRMWARE_UPDATER)
-          set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
-          set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
-        endif()
 
         # We are sure that ED25519 signature on MCUboot does not need these
         set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_AEAD_DRIVER n)
@@ -245,7 +270,7 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
 
           if(SB_CONFIG_NRF_MCUBOOT_HMAC_SHA512)
             set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 y)
-	  else()
+          else()
             set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
           endif()
         else()
@@ -262,37 +287,11 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
           set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
         endif()
 
-        if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
-          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
-          set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-
-          if(SB_CONFIG_MCUBOOT_MODE_FIRMWARE_UPDATER)
-            set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
-          endif()
-        else()
-          set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
-          set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
-
-          if(SB_CONFIG_MCUBOOT_MODE_FIRMWARE_UPDATER)
-            set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
-          endif()
-        endif()
-
         # MCUboot uses hash function to identify key internally when KMU is disabled.
         if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU AND SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER n)
-          set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
         else()
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
-          set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
-        endif()
-      else()
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 n)
-        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
-
-        if(SB_CONFIG_MCUBOOT_MODE_FIRMWARE_UPDATER)
-          set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 n)
-          set_config_bool(${SB_CONFIG_FIRMWARE_LOADER_IMAGE_NAME} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
         endif()
       endif()
     endif()

sysbuild/Kconfig.mcuboot

@@ -156,14 +156,21 @@ endchoice
 
 config BOOT_SIGNATURE_TYPE_PURE
 	bool "Verify signature directly over image"
-	depends on SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX
+	depends on SOC_SERIES_NRF54LX
 	depends on BOOT_SIGNATURE_TYPE_ED25519
 	help
 	  The image signature will be verified over image rather than
 	  hash of an image.
 	  This option is currently only supported with ED25519 and configurations
 	  where both image slots are within internal SoC device storage.
 
+config BOOT_IMG_HASH_ALG_SHA512
+	bool "Use SHA512 for image hash calculation"
+	depends on BOOT_SIGNATURE_TYPE_ED25519
+	default y if SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX
+	help
+	  The image hash will be calculated using SHA512 algorithm.
+
 config MCUBOOT_SIGNATURE_USING_KMU
 	bool "Use KMU stored keys for signature verification"
 	depends on SOC_SERIES_NRF54LX

tests/subsys/nrf_compress/decompression/mcuboot_update/sysbuild.cmake

@@ -17,7 +17,7 @@ set_config_bool(compressed_app CONFIG_MCUBOOT_BOOTLOADER_MODE_OVERWRITE_ONLY y)
 set(compressed_app_SIGNING_SCRIPT "${CMAKE_CURRENT_LIST_DIR}/modified_signing.cmake" CACHE INTERNAL "MCUboot signing script" FORCE)
 set_config_bool(compressed_app CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED y)
 
-if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+if((SB_CONFIG_SOC_SERIES_NRF54LX OR SB_CONFIG_SOC_SERIES_NRF54HX) AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
   set_config_bool(compressed_app CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
   set_config_bool(compressed_app CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
   set_config_bool(compressed_app CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)