[Backport v3.0-branch] enabled ed25519/KMU for b0 on nrf54l and Cut down configuration for B0

lib/fprotect/Kconfig

@@ -47,6 +47,7 @@ config FPROTECT_BLOCK_SIZE
 menuconfig FPROTECT
 	bool "Enable FPROTECT"
 	depends on SOC_FAMILY_NORDIC_NRF
+	depends on !(SOC_SERIES_NRF54LX && IS_SECURE_BOOTLOADER)
 	select NRFX_RRAMC if SOC_SERIES_NRF54LX
 	help
 	  Enable the software library FPROTECT that may or may not be used

samples/bootloader/boards/nrf54l15dk_nrf54l15_cpuapp.conf

@@ -0,0 +1,6 @@
+CONFIG_CLOCK_CONTROL_NRF=n
+CONFIG_NOTIFY=n
+CONFIG_ONOFF=n
+
+CONFIG_BOOT_BANNER=n
+CONFIG_NCS_BOOT_BANNER=n

samples/bootloader/src/main.c

@@ -12,8 +12,10 @@
 #if defined(CONFIG_FPROTECT)
 #include <fprotect.h>
 #else
+#ifndef CONFIG_SOC_SERIES_NRF54LX
 #warning "FPROTECT not enabled, the bootloader will be unprotected."
 #endif
+#endif
 #include <bl_storage.h>
 #include <bl_boot.h>
 #include <bl_validation.h>

subsys/bootloader/bl_crypto/Kconfig

@@ -83,11 +83,12 @@ config SB_CRYPTO_PSA_ED25519
 	depends on NRF_SECURITY
 	depends on CRACEN_LIB_KMU
 	select SB_ED25519
+	# Below depends on PSA_CORE_LITE
+	select PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS
 	select PSA_WANT_ALG_SHA_512
 	select PSA_WANT_ALG_PURE_EDDSA
 	select PSA_WANT_ECC_TWISTED_EDWARDS_255
 	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
-	select MBEDTLS_ENABLE_HEAP
 	help
 	  Use PSA crypto for ed25519 support.
 
@@ -116,6 +117,15 @@ config SB_CRYPTO_KMU_KEYS_REVOCATION
 	help
 	  Automatically revoke previous generation key upon new valid key usage.
 
+choice PSA_CORE
+	default PSA_CORE_LITE if SB_CRYPTO_PSA_ED25519
+	help
+	  This is copy of PSA_CORE choice from NRF Security Kconfig, as the
+	  only way to select an element from choice is to override default
+	  for it.
+
+endchoice
+
 choice SB_CRYPTO_HASH
 	prompt "Hashing Implementation"
 	default SB_CRYPTO_NONE if SB_CRYPTO_PSA_ED25519

sysbuild/Kconfig.secureboot

@@ -37,6 +37,7 @@ config SECURE_BOOT_APPCORE_SUPPORTED_HASH_NONE
 config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_HARDWARE
 	bool
 	default y if SECURE_BOOT_SIGNATURE_TYPE_ECDSA && (SOC_SERIES_NRF91X || SOC_NRF52840)
+	default y if SECURE_BOOT_SIGNATURE_TYPE_ED25519 && SOC_SERIES_NRF54LX
 
 config SECURE_BOOT_APPCORE_SUPPORTED_SIGNATURE_SOFTWARE
 	bool
@@ -203,6 +204,7 @@ config SECURE_BOOT_SUPPORTED_SIGNATURE_ECDSA
 
 config SECURE_BOOT_SUPPORTED_SIGNATURE_ED25519
 	bool
+	default y if SOC_SERIES_NRF54LX
 
 choice SECURE_BOOT_HASH_TYPE
 	prompt "Hash type"

tests/subsys/bootloader/b0_lock/testcase.yaml

@@ -6,5 +6,6 @@ tests:
     platform_allow: nrf54l15dk/nrf54l15/cpuapp
     integration_platforms:
       - nrf54l15dk/nrf54l15/cpuapp
+    build_only: true
     tags:
       - b0

tests/subsys/bootloader/bl_storage/testcase.yaml

@@ -2,13 +2,11 @@ tests:
   bootloader.bl_storage:
     sysbuild: true
     platform_allow:
-      - nrf54l15dk/nrf54l15/cpuapp
       - nrf5340dk/nrf5340/cpuapp
       - nrf9151dk/nrf9151
       - nrf9160dk/nrf9160
       - nrf9161dk/nrf9161
     integration_platforms:
-      - nrf54l15dk/nrf54l15/cpuapp
       - nrf5340dk/nrf5340/cpuapp
       - nrf9151dk/nrf9151
       - nrf9160dk/nrf9160

tests/subsys/bootloader/boot_chains/testcase.yaml

@@ -4,7 +4,6 @@ common:
     # MCUBoot enabled as well
     - nrf52840dk/nrf52840
     - nrf5340dk/nrf5340/cpuapp
-    - nrf54l15dk/nrf54l15/cpuapp
   harness: console
   harness_config:
     type: one_line