sysbuild: MCUboot with ED25519 and KMU via PSA support

cmake/sysbuild/image_signing.cmake

@@ -57,7 +57,9 @@ function(zephyr_mcuboot_tasks)
   # back on mcuboot/scripts/imgtool.py. We exclude the system imgtool when
   # compressed image support is enabled due to needing a version of imgtool
   # that has features not in the most recent public release.
-  if(IMGTOOL AND NOT CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED)
+  if(IMGTOOL AND
+     (NOT CONFIG_MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED AND
+      NOT (CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)))
     set(imgtool_path "${IMGTOOL}")
   elseif(DEFINED ZEPHYR_MCUBOOT_MODULE_DIR)
     set(IMGTOOL_PY "${ZEPHYR_MCUBOOT_MODULE_DIR}/scripts/imgtool.py")
@@ -120,6 +122,14 @@ function(zephyr_mcuboot_tasks)
     set(imgtool_hex_extra)
   endif()
 
+  if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
+    if(NOT CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
+      set(imgtool_extra --sha 512 ${imgtool_extra})
+    else()
+      set(imgtool_extra --pure ${imgtool_extra})
+    endif()
+  endif()
+
   if(CONFIG_MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION)
     set(imgtool_extra --security-counter ${CONFIG_MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE} ${imgtool_extra})
   endif()

subsys/bootloader/Kconfig

@@ -243,4 +243,14 @@ config MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED
 	help
 	  This is a Kconfig which is informative only, the value should not be changed.
 
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519
+	bool "Use ED25519 signature"
+	help
+	  This is a Kconfig which is informative only, the value should not be changed.
+
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE
+	bool "Signature is verified over an image rather than sha of an image"
+	help
+	  This is a Kconfig which is informative only, the value should not be changed.
+
 endmenu

sysbuild/CMakeLists.txt

@@ -226,6 +226,27 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
       endif()
     endforeach()
 
+    # The NRF54LX goes with PSA crypto by default
+    if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
+      set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
+      set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+      set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
+
+      if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
+        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+      else()
+        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
+      endif()
+
+      if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
+        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
+      else()
+        set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
+        set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
+      endif()
+    endif()
+
     # A v1 board doesn't define board qualifiers, thus below test will just test the pure board
     # name for a v1 board. A v2 board will match against the board qualifier.
     if("${BOARD}${BOARD_QUALIFIERS}" MATCHES "(_|/)ns$")

sysbuild/Kconfig.mcuboot

@@ -147,6 +147,23 @@ config MCUBOOT_FPROTECT_ALLOW_COMBINED_REGIONS
 	default y
 	depends on SOC_SERIES_NRF54LX && !SECURE_BOOT_APPCORE
 
+config BOOT_SIGNATURE_TYPE_PURE
+	bool "Verify signature directly over image"
+	depends on SOC_SERIES_NRF54LX
+	depends on BOOT_SIGNATURE_TYPE_ED25519
+	help
+	  The image signature will be verified over image rather than
+	  hash of an image.
+	  This option is currently only supported with ED25519 and configurations
+	  where both image slots are within internal SoC device storage.
+
+config MCUBOOT_SIGNATURE_USING_KMU
+	bool "Use KMU stored keys for signature verification"
+	depends on SOC_SERIES_NRF54LX
+	depends on BOOT_SIGNATURE_TYPE_ED25519
+	help
+	  The device needs to be provisioned with proper set of keys.
+
 endif
 
 config MCUBOOT_USE_ALL_AVAILABLE_RAM