From 8d983d69bd90d3a58621dea714f03f56fd158fa5 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 4 Apr 2025 16:46:19 +0000 Subject: [PATCH 1/5] bootloader: Default to ed25519 and KMU for nrf54l b0 The commit defaults to usage of ed25519 signature with KMU, when building b0 for nrf54l. Signed-off-by: Dominik Ermel (cherry picked from commit 15946ac1e81c4dce0d171714db1b54b21695e0a5) --- sysbuild/Kconfig.secureboot | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sysbuild/Kconfig.secureboot b/sysbuild/Kconfig.secureboot index 5888be579010..487963ff1f53 100644 --- a/sysbuild/Kconfig.secureboot +++ b/sysbuild/Kconfig.secureboot @@ -37,6 +37,7 @@ config SECURE_BOOT_APPCORE_SUPPORTED_HASH_NONE config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE bool default y if SECURE_BOOT_SIGNATURE_TYPE_ECDSA && (SOC_SERIES_NRF91X || SOC_NRF52840) + default y if SECURE_BOOT_SIGNATURE_TYPE_ED25519 && SOC_SERIES_NRF54LX config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE bool @@ -203,6 +204,7 @@ config SECURE_BOOT_SUPPORTED_SIGNATURE_ECDSA config SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519 bool + default y if SOC_SERIES_NRF54LX choice SECURE_BOOT_HASH_TYPE prompt "Hash type" From aaf0ada86198e3bf18cb1827217d4487ad4bd31b Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 2 Apr 2025 10:16:46 +0000 Subject: [PATCH 2/5] bootloader: bl_crypto: Switch to PSA-Lite for B0 Configuration options that enable PSA lite with B0 NSIB. Signed-off-by: Dominik Ermel (cherry picked from commit dc6b33c53ce03a37d7126812615b4a509ff33e0c) --- subsys/bootloader/bl_crypto/Kconfig | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/subsys/bootloader/bl_crypto/Kconfig b/subsys/bootloader/bl_crypto/Kconfig index c7a5e3a72530..8a41de51e3ef 100644 --- a/subsys/bootloader/bl_crypto/Kconfig +++ b/subsys/bootloader/bl_crypto/Kconfig 
@@ -83,11 +83,12 @@ config SB_CRYPTO_PSA_ED25519 depends on NRF_SECURITY depends on CRACEN_LIB_KMU select SB_ED25519 + # Below depends on PSA_CORE_LITE + select PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS select PSA_WANT_ALG_SHA_512 select PSA_WANT_ALG_PURE_EDDSA select PSA_WANT_ECC_TWISTED_EDWARDS_255 select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT - select MBEDTLS_ENABLE_HEAP help Use PSA crypto for ed25519 support. @@ -116,6 +117,15 @@ config SB_CRYPTO_KMU_KEYS_REVOCATION help Automatically revoke previous generation key upon new valid key usage. +choice PSA_CORE + default PSA_CORE_LITE if SB_CRYPTO_PSA_ED25519 + help + This is copy of PSA_CORE choice from NRF Security Kconfig, as the + only way to select an element from choice is to override default + for it. + +endchoice + choice SB_CRYPTO_HASH prompt "Hashing Implementation" default SB_CRYPTO_NONE if SB_CRYPTO_PSA_ED25519 From a7a642ddd85bf3ca932697a12cca6972de70c2f9 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Wed, 2 Apr 2025 15:07:37 +0000 Subject: [PATCH 3/5] bootloader: Cut banner and events from configuration Cuts NCS banner and events/notifications to further reduce size. Signed-off-by: Dominik Ermel (cherry picked from commit 08d0b8e1034763c55ae7b1163a71d42536e1da87) --- samples/bootloader/boards/nrf54l15dk_nrf54l15_cpuapp.conf | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 samples/bootloader/boards/nrf54l15dk_nrf54l15_cpuapp.conf diff --git a/samples/bootloader/boards/nrf54l15dk_nrf54l15_cpuapp.conf b/samples/bootloader/boards/nrf54l15dk_nrf54l15_cpuapp.conf new file mode 100644 index 000000000000..14060a221c52 --- /dev/null +++ b/samples/bootloader/boards/nrf54l15dk_nrf54l15_cpuapp.conf @@ -0,0 +1,6 @@ +CONFIG_CLOCK_CONTROL_NRF=n +CONFIG_NOTIFY=n +CONFIG_ONOFF=n + +CONFIG_BOOT_BANNER=n +CONFIG_NCS_BOOT_BANNER=n From 8e38321a22e769992160d4b689ecc93e74d1e4d9 Mon Sep 17 00:00:00 2001 
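Review bot: The new `select PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS` in `SB_CRYPTO_PSA_ED25519` is unconditional, although the comment above it says the symbol depends on `PSA_CORE_LITE`. Kconfig `select` does not enforce the selected symbol's dependencies, and the `choice PSA_CORE` block added in the next hunk only overrides a default. The choice's definition is outside this diff, so whether it can resolve to another core cannot be confirmed here; if it can, the boot-time signature verifier would presumably be built with optimizations whose prerequisite is off. Guarding the select, `select PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS if PSA_CORE_LITE`, would keep the two consistent. The config's body starts above the hunk.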
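Review bot: The new board fragment has no comment, and `CONFIG_CLOCK_CONTROL_NRF=n` is not covered by the commit description, which names only the banner and events/notifications. A header line such as `# Disabled to reduce b0 size on nRF54L15; CLOCK_CONTROL_NRF: <reason>` would record why each option is off. Without it, a later bootloader change can come to depend on one of these options unnoticed.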
From: Mateusz Michalek Date: Fri, 4 Apr 2025 15:26:56 +0200 Subject: [PATCH 4/5] lib: fprotect: Kconfig disable for B0 on nrf54L temporarily diabled Signed-off-by: Mateusz Michalek (cherry picked from commit 1dfd3588f275f3a9d36642c50d6b6a9f1e80f8ff) --- lib/fprotect/Kconfig | 1 + samples/bootloader/src/main.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/lib/fprotect/Kconfig b/lib/fprotect/Kconfig index bb70bee3963d..4415d9e16b3b 100644 --- a/lib/fprotect/Kconfig +++ b/lib/fprotect/Kconfig @@ -47,6 +47,7 @@ config FPROTECT_BLOCK_SIZE menuconfig FPROTECT bool "Enable FPROTECT" depends on SOC_FAMILY_NORDIC_NRF + depends on !(SOC_SERIES_NRF54LX && IS_SECURE_BOOTLOADER) select NRFX_RRAMC if SOC_SERIES_NRF54LX help Enable the software library FPROTECT that may or may not be used diff --git a/samples/bootloader/src/main.c b/samples/bootloader/src/main.c index 995f54f3c88d..0b8e59b6c1a4 100644 --- a/samples/bootloader/src/main.c +++ b/samples/bootloader/src/main.c @@ -12,8 +12,10 @@ #if defined(CONFIG_FPROTECT) #include #else +#ifndef CONFIG_SOC_SERIES_NRF54LX #warning "FPROTECT not enabled, the bootloader will be unprotected." #endif +#endif #include #include #include From 25562f17258a59e176cb1b9029b1e1d5cfba0bd1 Mon Sep 17 00:00:00 2001 From: Dominik Ermel Date: Fri, 4 Apr 2025 14:01:31 +0000 Subject: [PATCH 5/5] tests: bootloader: Temporarily disable nrf54l15 with b0 Testing requires upload of KMU keys, which is currently not available. Signed-off-by: Dominik Ermel (cherry picked from commit f4c0cc0f5dd647889655c9feb7123800ee01974c) --- tests/subsys/bootloader/b0_lock/testcase.yaml | 1 + tests/subsys/bootloader/bl_storage/testcase.yaml | 2 -- tests/subsys/bootloader/boot_chains/testcase.yaml | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/subsys/bootloader/b0_lock/testcase.yaml b/tests/subsys/bootloader/b0_lock/testcase.yaml index 037b56b9bf53..ac037bd471b8 100644 --- a/tests/subsys/bootloader/b0_lock/testcase.yaml 
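Review bot: The added `depends on !(SOC_SERIES_NRF54LX && IS_SECURE_BOOTLOADER)` has no comment, although the commit subject calls the change temporary. Nothing in the file tells a later reader that FPROTECT is meant to return for the nRF54L secure bootloader, or what blocks it today. I would put `# Temporary: FPROTECT is not yet usable in the secure bootloader on nRF54L; remove once <tracking-reference> is resolved` above the line. The menuconfig body continues outside the hunk.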
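Review bot: Wrapping the `#warning` in `#ifndef CONFIG_SOC_SERIES_NRF54LX` removes the only build-time signal that the bootloader is unprotected, and it does so on exactly the series where this commit forces FPROTECT off in lib/fprotect/Kconfig. No other mechanism that locks the bootloader region on nRF54L is visible in this diff, so the region may stay writable after boot while the build says nothing. I would keep a warning on that branch rather than drop it: `#else` followed by `#warning "FPROTECT is temporarily disabled on nRF54L, the bootloader will be unprotected."`. If another protection does apply, a comment naming it would serve instead.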
+++ b/tests/subsys/bootloader/b0_lock/testcase.yaml @@ -6,5 +6,6 @@ tests: platform_allow: nrf54l15dk/nrf54l15/cpuapp integration_platforms: - nrf54l15dk/nrf54l15/cpuapp + build_only: true tags: - b0 diff --git a/tests/subsys/bootloader/bl_storage/testcase.yaml b/tests/subsys/bootloader/bl_storage/testcase.yaml index b97952ca198b..1911458c8188 100644 --- a/tests/subsys/bootloader/bl_storage/testcase.yaml +++ b/tests/subsys/bootloader/bl_storage/testcase.yaml @@ -2,13 +2,11 @@ tests: bootloader.bl_storage: sysbuild: true platform_allow: - - nrf54l15dk/nrf54l15/cpuapp - nrf5340dk/nrf5340/cpuapp - nrf9151dk/nrf9151 - nrf9160dk/nrf9160 - nrf9161dk/nrf9161 integration_platforms: - - nrf54l15dk/nrf54l15/cpuapp - nrf5340dk/nrf5340/cpuapp - nrf9151dk/nrf9151 - nrf9160dk/nrf9160 diff --git a/tests/subsys/bootloader/boot_chains/testcase.yaml b/tests/subsys/bootloader/boot_chains/testcase.yaml index a4084de7788e..8bb329806f47 100644 --- a/tests/subsys/bootloader/boot_chains/testcase.yaml +++ b/tests/subsys/bootloader/boot_chains/testcase.yaml @@ -4,7 +4,6 @@ common: # MCUBoot enabled as well - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - - nrf54l15dk/nrf54l15/cpuapp harness: console harness_config: type: one_line
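Review bot: `build_only: true` is added without a comment, and in the visible context nrf54l15dk/nrf54l15/cpuapp is the only platform this test allows, so the b0 lock test no longer runs on any target. The bl_storage and boot_chains hunks that follow drop the same board. The earlier patches in this series change the signature and FPROTECT configuration for this board, so the new secure-boot configuration is left without an on-target run. A comment above the key, `# Build only until KMU key provisioning is available in the test setup (<tracking-reference>)`, would record the condition for re-enabling it, using the reason the commit message already gives.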