Skip to content

sysbuild: MCUboot with ED25519 and KMU via PSA support #17584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 7, 2024
Merged

sysbuild: MCUboot with ED25519 and KMU via PSA support #17584

merged 3 commits into from
Nov 7, 2024

Conversation

@de-nordic
Copy link
Contributor

@de-nordic de-nordic commented Oct 1, 2024
edited
Loading

The commit will enforce building nrf54l15 with PSA enabled
ED25519, with CONFIG_NRF_SECURITY=y.
The commit adds SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU that allows
to build MCUboot for signature verification via KMU instead of
compiled in keys.

No longer sdk-zephyr changes.

Building with:

west build  -p -d builds/hello_54_kmu -b nrf54l15dk/nrf54l15/cpuapp zephyr/samples/hello_world/ -DSB_CONFIG_BOOTLOADER_MCUBOOT=y -DSB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y  -Dmcuboot_CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x10000  -DSB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y

gives KMU build. Additionally option -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=<> may be used to select signature key file.

@de-nordic de-nordic requested a review from a team as a code owner October 1, 2024 15:55
@github-actions github-actions bot added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Oct 1, 2024
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 1, 2024
edited
Loading

The following west manifest projects have been modified in this Pull Request:

Name Old Revision New Revision Diff
zephyr nrfconnect/sdk-zephyr@53b26fb nrfconnect/sdk-zephyr#2229 nrfconnect/sdk-zephyr#2229/files

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@NordicBuilder
Copy link
Contributor

You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.

Note: This comment is automatically posted by the Documentation Publishing GitHub Action.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 1, 2024
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 28

Inputs:

Sources:

sdk-nrf: PR head: c91653c2f405efd6385641230b559d919b45831d

more details

sdk-nrf:

PR head: c91653c2f405efd6385641230b559d919b45831d
merge base: b863230b4261f4f89d10fa3172a44cea1cc0c016
target head (main): 96557ba34ace48f21c0c27e9d929633ac7ae7f93
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (6) 
cmake
│  ├── sysbuild
│  │  │ image_signing.cmake
subsys
│  ├── bootloader
│  │  │ Kconfig
sysbuild
│  ├── CMakeLists.txt
│  │ Kconfig.mcuboot
tests
│  ├── subsys
│  │  ├── kmu
│  │  │  ├── hello_for_kmu
│  │  │  │  ├── sysbuild.conf
│  │  │  │  ├── sysbuild
│  │  │  │  │  │ mcuboot.conf

Outputs:

Toolchain

Version: b44b7a08c9
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:b44b7a08c9_912848a074

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister - Skipped: Skipping Build & Test as it succeeded in a previous run: 27
  • ✅ Integration tests
    • ✅ test-sdk-audio - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ desktop52_verification - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-boot - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-apps
    • ✅ test_ble_nrf_config - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_mesh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-chip - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nfc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_cloud - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_libmodem-nrf - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_zephyr_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ doc-internal - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_thingy91 - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_crypto - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-proprietary_esb - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rpc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rs - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-fem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-tfm - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-thread - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-zigbee - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-find-my - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_mosh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_positioning - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-sidewalk - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-wifi - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-low-level - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_nrf_provisioning - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-pmic-samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-mcuboot - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-dfu - Skipped: Job was skipped as it succeeded in a previous run
    • ⚠️ test-fw-nrfconnect-fw-update

Note: This message is automatically posted and updated by the CI

@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from af70474 to 3884b66 Compare October 9, 2024 14:44
@de-nordic de-nordic requested a review from a team as a code owner October 9, 2024 14:44
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from 3884b66 to 9d4d260 Compare October 9, 2024 17:13
@NordicBuilder NordicBuilder removed the DNM label Oct 9, 2024
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from 9d4d260 to f0fada4 Compare October 10, 2024 10:00
nordicjm
nordicjm reviewed Oct 10, 2024
View reviewed changes
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from 34632db to 3a8e52c Compare October 10, 2024 15:24
@de-nordic de-nordic requested a review from nordicjm October 10, 2024 15:24
@nvlsianpu
Copy link
Contributor

@de-nordic the manifest commit can be dropped. The reference is already ahead of that.

@nvlsianpu nvlsianpu added this to the 2.8.0 milestone Oct 14, 2024
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from 3a8e52c to 81cdaf6 Compare October 24, 2024 11:16
@github-actions github-actions bot removed the manifest label Oct 24, 2024
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 24, 2024
edited
Loading

Memory footprint analysis revealed the following potential issues

sample.matter.template.release[nrf7002dk/nrf5340/cpuapp]: High ROM usage: 811918[B] - link (cc: @kkasperczyk-no @ArekBalysNordic @markaj-nordic)

Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-17584/27)

@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from 81cdaf6 to bbe9fbf Compare October 29, 2024 15:32
@de-nordic de-nordic changed the title manifest: Sysbuild support for MCUboot crypto backend selection sysbuild: MCUboot with ED25519 and KMU via PSA support Oct 29, 2024
@de-nordic de-nordic requested a review from nvlsianpu October 29, 2024 15:38
@de-nordic de-nordic added the backport v2.8-branch auto-create a PR with same commits to v2.8-branch label Oct 29, 2024
nordicjm
nordicjm reviewed Oct 31, 2024
View reviewed changes
@nvlsianpu nvlsianpu force-pushed the mcuboot-sb-psa-conf branch from 7238e6d to 552530c Compare November 4, 2024 15:53
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from 552530c to 1d02e0b Compare November 5, 2024 16:55
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from 1d02e0b to ec00e77 Compare November 5, 2024 16:57
@de-nordic de-nordic requested a review from nordicjm November 5, 2024 16:58
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from ec00e77 to e020bd5 Compare November 5, 2024 17:11
nordicjm
nordicjm reviewed Nov 6, 2024
View reviewed changes
nordicjm
nordicjm reviewed Nov 6, 2024
View reviewed changes
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from e020bd5 to f6b86f0 Compare November 6, 2024 11:02
@de-nordic de-nordic requested a review from nordicjm November 6, 2024 11:02
@de-nordic
sysbuild: MCUboot with ED25519 and KMU via PSA support
23347f4 
The commit will enforce building nrf54l15 with PSA enabled
ED25519, with CONFIG_NRF_SECURITY=y.
The commit adds SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU that allows
to build MCUboot for signature verification via KMU instead of
compiled in keys.

Signed-off-by: Dominik Ermel <[email protected]>
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from f6b86f0 to 6a05b72 Compare November 6, 2024 11:31
@github-actions github-actions bot removed the manifest label Nov 6, 2024
@de-nordic de-nordic removed the DNM label Nov 6, 2024
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch 2 times, most recently from 56ba0f5 to 8dcb20b Compare November 6, 2024 11:53
nvlsianpu
nvlsianpu reviewed Nov 6, 2024
View reviewed changes
@nvlsianpu @de-nordic
sysbuild/mcuboot: ed25519 pure signature integration
42ab56f 
Added integration of signing image with the pure signature:
- New SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE switch for enabling pure
signature.
- enforced sha512 for ed25519 on nRF54l target
- requests pure signature from imgtool.py

Signed-off-by: Andrzej Puzdrowski <[email protected]>
Signed-off-by: Dominik Ermel <[email protected]>
@de-nordic de-nordic force-pushed the mcuboot-sb-psa-conf branch from 8dcb20b to 42ab56f Compare November 6, 2024 12:07
@de-nordic
tests: kmu: Switch from MCUboot Kconfigs to sysbuild
c91653c 
Select KMU via sysbuild.

Signed-off-by: Dominik Ermel <[email protected]>
@de-nordic de-nordic requested review from a team and gchwier November 6, 2024 14:51
@rlubos rlubos merged commit 81c8059 into nrfconnect:main Nov 7, 2024
15 checks passed
@NordicBuilder NordicBuilder mentioned this pull request Nov 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nvlsianpu nvlsianpu nvlsianpu approved these changes

@nordicjm nordicjm nordicjm approved these changes

@hellesvik-nordic hellesvik-nordic hellesvik-nordic approved these changes

@gchwier gchwier gchwier approved these changes

Assignees

No one assigned

Labels

backport v2.8-branch auto-create a PR with same commits to v2.8-branch changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added.

Projects

None yet

Milestone

2.8.0

Development

Successfully merging this pull request may close these issues.

7 participants

@de-nordic @NordicBuilder @nvlsianpu @nordicjm @hellesvik-nordic @gchwier @rlubos