diff --git a/cmake/sysbuild/image_signing.cmake b/cmake/sysbuild/image_signing.cmake
index 9ab1e3085712..f85fe5d513fc 100644
--- a/cmake/sysbuild/image_signing.cmake
+++ b/cmake/sysbuild/image_signing.cmake
@@ -57,7 +57,9 @@ function(zephyr_mcuboot_tasks)
 # back on mcuboot/scripts/imgtool.py. We exclude the system imgtool when
 # compressed image support is enabled due to needing a version of imgtool
 # that has features not in the most recent public release.
- if(IMGTOOL AND NOT CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED)
+ if(IMGTOOL AND
+ (NOT CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED AND
+ NOT (CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)))
 set(imgtool_path "${IMGTOOL}")
 elseif(DEFINED ZEPHYR_MCUBOOT_MODULE_DIR)
 set(IMGTOOL_PY "${ZEPHYR_MCUBOOT_MODULE_DIR}/scripts/imgtool.py")
@@ -120,6 +122,14 @@ function(zephyr_mcuboot_tasks)
 set(imgtool_hex_extra)
 endif()
+ if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
+ if(NOT CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
+ set(imgtool_extra --sha 512 ${imgtool_extra})
+ else()
+ set(imgtool_extra --pure ${imgtool_extra})
+ endif()
+ endif()
+
 if(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
 set(imgtool_extra --security-counter ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE} ${imgtool_extra})
 endif()
diff --git a/subsys/bootloader/Kconfig b/subsys/bootloader/Kconfig
index 1d2948fe5c32..9176bed0c492 100644
--- a/subsys/bootloader/Kconfig
+++ b/subsys/bootloader/Kconfig
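Review bot: The comment above the rewritten `if(IMGTOOL AND ...)` in cmake/sysbuild/image_signing.cmake still gives compressed-image support as the only reason for skipping the system imgtool, so the new nRF54L ED25519 exclusion is undocumented. Presumably the reason is the same (the signing step later passes `--sha 512` or `--pure`), and the comment should say so, e.g. `# The system imgtool is also skipped for ED25519 on nRF54L, where signing needs --sha 512 or --pure.` The test `CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519` is repeated in the second hunk of this file; holding it in one local variable would keep tool selection and signing flags from drifting apart. zephyr_mcuboot_tasks starts and ends outside the hunk.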
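Review bot: Nothing in the added `--sha 512` / `--pure` block says that these flags have to agree with what the bootloader was built to verify. They are chosen from the application image's mirror symbols, while the bootloader's own `CONFIG_BOOT_IMG_HASH_ALG_SHA512` and `CONFIG_BOOT_SIGNATURE_TYPE_PURE` are set separately in sysbuild/CMakeLists.txt; if the two ever disagree the image is signed in a form the bootloader should reject, which shows up only at boot. A comment above the block would make the coupling visible: `# Must match the hash/signature mode sysbuild sets on the mcuboot image (SHA-512, or pure ED25519).` The enclosing function continues outside the hunk.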
@@ -243,4 +243,14 @@ config MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED
 help
 This is a Kconfig which is informative only, the value should not be changed.
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519
+ bool "Use ED25519 signature"
+ help
+ This is a Kconfig which is informative only, the value should not be changed.
+
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE
+ bool "Signature is verified over an image rather than sha of an image"
+ help
+ This is a Kconfig which is informative only, the value should not be changed.
+
 endmenu
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
index bc1ec1621f6b..42f841986f13 100644
--- a/sysbuild/CMakeLists.txt
+++ b/sysbuild/CMakeLists.txt
@@ -226,6 +226,27 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
 endif()
 endforeach()
+ # The NRF54LX goes with PSA crypto by default
+ if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+ set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+ set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+ set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
+
+ if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
+ set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+ else()
+ set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+ endif()
+
+ if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+ set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+ set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+ else()
+ set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
+ set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+ endif()
+ endif()
+
 # A v1 board doesn't define board qualifiers, thus below test will just test the pure board
 # name for a v1 board. A v2 board will match against the board qualifier.
 if("${BOARD}${BOARD_QUALIFIERS}" MATCHES "(_|/)ns$")
diff --git a/sysbuild/Kconfig.mcuboot b/sysbuild/Kconfig.mcuboot
index f45915616f1e..b72c2043b69d 100644
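Review bot: Both new symbols in subsys/bootloader/Kconfig carry a prompt and only the generic "informative only" help, so an application configuration can set them to a value that differs from the bootloader's, and image_signing.cmake picks the imgtool flags from them. `MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE` could at least get `depends on MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519`, which matches the only place sysbuild sets it. The help text would be more useful if it stated that the value is written by sysbuild to mirror the MCUboot image and selects `--sha 512` or `--pure` at signing time.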
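Review bot: The `else()` branch that writes `CONFIG_BOOT_SIGNATURE_USING_KMU n` changes behaviour for existing nRF54L ED25519 projects that enabled KMU in their own `mcuboot.conf`. Assuming set_config_bool takes precedence over the image's fragments (the test change in this commit, which moves the setting into sysbuild.conf, suggests it does), those builds stop verifying against KMU-provisioned keys without any diagnostic and fall back to whatever key source MCUboot uses otherwise. Consider leaving the symbol untouched when `SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU` is off, or emitting a `message(WARNING ...)` when the override flips a value, and mention the migration in the commit message. The comment `# The NRF54LX goes with PSA crypto by default` also undersells the block, which additionally forces SHA-512 and the pure/KMU settings; the enclosing function starts and ends outside the hunk.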
--- a/sysbuild/Kconfig.mcuboot +++ b/sysbuild/Kconfig.mcuboot @@ -147,6 +147,23 @@ config MCUBOOT_FPROTECT_ALLOW_COMBINED_REGIONS default y depends on SOC_SERIES_NRF54LX && !SECURE_BOOT_APPCORE +config BOOT_SIGNATURE_TYPE_PURE + bool "Verify signature directly over image" + depends on SOC_SERIES_NRF54LX + depends on BOOT_SIGNATURE_TYPE_ED25519 + help + The image signature will be verified over image rather than + hash of an image. + This option is currently only supported with ED25519 and configurations + where both image slots are within internal SoC device storage. + +config MCUBOOT_SIGNATURE_USING_KMU + bool "Use KMU stored keys for signature verification" + depends on SOC_SERIES_NRF54LX + depends on BOOT_SIGNATURE_TYPE_ED25519 + help + The device needs to be provisioned with proper set of keys. + endif config MCUBOOT_USE_ALL_AVAILABLE_RAM diff --git a/tests/subsys/kmu/hello_for_kmu/sysbuild.conf b/tests/subsys/kmu/hello_for_kmu/sysbuild.conf index 096f1babba86..8b2053216e5d 100644 --- a/tests/subsys/kmu/hello_for_kmu/sysbuild.conf +++ b/tests/subsys/kmu/hello_for_kmu/sysbuild.conf @@ -5,3 +5,4 @@ # SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y diff --git a/tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf b/tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf index 6a283595121c..da89eb04130e 100644 --- a/tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf +++ b/tests/subsys/kmu/hello_for_kmu/sysbuild/mcuboot.conf @@ -7,7 +7,6 @@ CONFIG_NRF_SECURITY=y CONFIG_MBEDTLS=n CONFIG_BOOT_ED25519_PSA=y CONFIG_PM_PARTITION_SIZE_MCUBOOT=0x10000 -CONFIG_BOOT_SIGNATURE_USING_KMU=y # can be removed after merging #18487 CONFIG_MBEDTLS_THREADING_C=n
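Review bot: The help for `BOOT_SIGNATURE_TYPE_PURE` says the option is only supported when both image slots are in internal SoC storage, but no `depends on` enforces that, so a configuration with an external secondary slot can still select it and fail later instead of at Kconfig time. If this tree has a sysbuild symbol for an external secondary slot (possibly `PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY`, to be confirmed), add `depends on !PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY`. The help for `MCUBOOT_SIGNATURE_USING_KMU` is a single sentence; it should also say which keys have to be provisioned and what the bootloader does on a device where they are missing, since that is the failure an integrator will hit first.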