sysbuild: remove openssl key generation

michalek-no · nordicjm · commit b2467573d22d · 2025-09-05T13:16:09.000+01:00
keygen.py is able to generate key. No need to duplicate
functionality.

Signed-off-by: Mateusz Michalek &lt;mateusz.michalek@nordicsemi.no&gt;
diff --git a/cmake/sysbuild/sign.cmake b/cmake/sysbuild/sign.cmake
@@ -28,13 +28,6 @@ function(b0_gen_keys)
       --in ${SIGNATURE_PRIVATE_KEY_FILE}
       --out ${SIGNATURE_PUBLIC_KEY_FILE}
       )
-  elseif(SB_CONFIG_SECURE_BOOT_SIGNING_OPENSSL)
-    set(PUB_GEN_CMD
-      openssl ec
-      -pubout
-      -in ${SIGNATURE_PRIVATE_KEY_FILE}
-      -out ${SIGNATURE_PUBLIC_KEY_FILE}
-      )
   elseif(SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM)
     string(CONFIGURE "${SB_CONFIG_SECURE_BOOT_SIGNING_PUBLIC_KEY}" SIGNATURE_PUBLIC_KEY_FILE)
     set(SIGNATURE_PUBLIC_KEY_FILE ${SIGNATURE_PUBLIC_KEY_FILE} PARENT_SCOPE)
@@ -185,25 +178,6 @@ function(b0_sign_image slot cpunet_target)
       --in ${hash_file} ${sign_cmd_signature_type}
       > ${signature_file}
       )
-  elseif(SB_CONFIG_SECURE_BOOT_SIGNING_OPENSSL)
-    if(SB_CONFIG_SECURE_BOOT_SIGNATURE_TYPE_ED25519)
-      set(sign_cmd
-        openssl pkeyutl -sign -inkey ${SIGNATURE_PRIVATE_KEY_FILE} -rawin -in ${hash_file} > ${signature_file} &&
-        openssl pkeyutl -verify -pubin -inkey ${SIGNATURE_PRIVATE_KEY_FILE} -rawin -in ${hash_file} -sigfile ${signature_file}
-        )
-    else()
-      set(sign_cmd
-        openssl dgst
-        -${sign_cmd_hash_type}
-        -sign ${SIGNATURE_PRIVATE_KEY_FILE} ${hash_file} |
-        ${PYTHON_EXECUTABLE}
-        ${ZEPHYR_NRF_MODULE_DIR}/scripts/bootloader/asn1parse.py
-        --alg ecdsa
-        --contents signature
-        > ${signature_file}
-        )
-    endif()
-
   elseif(SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM)
     set(custom_sign_cmd "${SB_CONFIG_SECURE_BOOT_SIGNING_COMMAND}")
     string(CONFIGURE "${custom_sign_cmd}" custom_sign_cmd)
diff --git a/doc/nrf/app_dev/bootloaders_dfu/mcuboot_nsib/bootloader_adding_sysbuild.rst b/doc/nrf/app_dev/bootloaders_dfu/mcuboot_nsib/bootloader_adding_sysbuild.rst
@@ -146,12 +146,10 @@ See :ref:`ug_fw_update_keys` for information on how to generate custom keys for
 
 For SoCs using KMU for NSIB (nRF54L Series devices), the private key must be provisioned in the KMU before NSIB can be run.
 
-Additionally, the |NSIB| supports the following methods for signing images with private keys:
+Additionally, the |NSIB| supports a custom method for signing images with private keys:
 
-* Uses the :kconfig:option:`SB_CONFIG_SECURE_BOOT_SIGNING_OPENSSL` Kconfig option.
 * :ref:`Using a custom command <ug_bootloader_adding_sysbuild_immutable_b0_custom_signing>` - Uses the :kconfig:option:`SB_CONFIG_SECURE_BOOT_SIGNING_CUSTOM` Kconfig option.
 
-The OpenSSL method is handled internally by the build system, whereas using custom commands requires more configuration steps.
 
 Checking the public key
 ^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/sysbuild/Kconfig.secureboot b/sysbuild/Kconfig.secureboot
@@ -279,9 +279,6 @@ choice SECURE_BOOT_SIGNING
 config SECURE_BOOT_SIGNING_PYTHON
 	bool "Sign with Python ecdsa library"
 
-config SECURE_BOOT_SIGNING_OPENSSL
-	bool "Sign with openssl command line tool"
-
 config SECURE_BOOT_SIGNING_CUSTOM
 	bool "Sign with custom command"
 
