From b62a0673f69976d2b4bcc787e7dd92794037ed66 Mon Sep 17 00:00:00 2001 From: Grzegorz Chwierut Date: Fri, 6 Jun 2025 14:40:29 +0200 Subject: [PATCH 1/2] cmake: Added default key file generation for KMU provisioning This commit introduces the capability to automatically generate the keyfile.json during the build process for nRF54L series devices. Added new Kconfigs in Kconfig.mcuboot and Kconfig.secureboot to control creating keyfile.json during the build process. Creating keyfile.json is implemented in generate_default_keyfile.cmake Signed-off-by: Grzegorz Chwierut --- cmake/sysbuild/generate_default_keyfile.cmake | 69 +++++++++++++++++++ sysbuild/CMakeLists.txt | 4 ++ sysbuild/Kconfig.mcuboot | 7 ++ sysbuild/Kconfig.secureboot | 7 ++ 4 files changed, 87 insertions(+) create mode 100644 cmake/sysbuild/generate_default_keyfile.cmake diff --git a/cmake/sysbuild/generate_default_keyfile.cmake b/cmake/sysbuild/generate_default_keyfile.cmake new file mode 100644 index 000000000000..adbaa73527ac --- /dev/null +++ b/cmake/sysbuild/generate_default_keyfile.cmake 
@@ -0,0 +1,69 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+# This script defines a CMake target 'generate_kmu_keyfile_json' to create keyfile.json
+# using 'west ncs-provision upload --dry-run'.
+
+# --- Construct the list of commands and dependencies ---
+set(kmu_json_commands "")
+set(kmu_json_dependencies "")
+
+# First command: Generate keyfile for BL_PUBKEY
+if(SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE)
+ # --- Determine the signing key file to use ---
+ set(signature_private_key_file "") # Initialize
+
+ if(SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE)
+ string(CONFIGURE "${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE}" keyfile)
+ if(IS_ABSOLUTE ${keyfile})
+ set(signature_private_key_file ${keyfile})
+ else()
+ set(signature_private_key_file ${APPLICATION_CONFIG_DIR}/${keyfile})
+ endif()
+ set(keyfile)
+
+ if(NOT EXISTS ${signature_private_key_file})
+ message(FATAL_ERROR "Config points to non-existing PEM file '${signature_private_key_file}'")
+ endif()
+ else()
+ set(signature_private_key_file "${CMAKE_BINARY_DIR}/GENERATED_NON_SECURE_SIGN_KEY_PRIVATE.pem")
+ endif()
+
+ list(APPEND kmu_json_commands
+ COMMAND ${Python3_EXECUTABLE} -m west ncs-provision upload
+ --keyname BL_PUBKEY
+ --key ${signature_private_key_file}
+ --build-dir ${CMAKE_BINARY_DIR}
+ --dry-run
+ )
+ list(APPEND kmu_json_dependencies ${signature_private_key_file})
+endif()
+
+# Second command (conditional): Update keyfile for UROT_PUBKEY
+if(SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE)
+ list(APPEND kmu_json_commands
+ COMMAND ${Python3_EXECUTABLE} -m west ncs-provision upload
+ --keyname UROT_PUBKEY
+ --key ${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}
+ --build-dir ${CMAKE_BINARY_DIR}
+ --dry-run
+ )
+ list(APPEND kmu_json_dependencies ${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE})
+endif()
+
+# --- Add custom command to generate/update keyfile.json ---
+if(NOT kmu_json_commands STREQUAL "")
+ add_custom_command(
+ OUTPUT ${CMAKE_BINARY_DIR}/keyfile.json
+ ${kmu_json_commands} # Expands to one or more COMMAND clauses
+ DEPENDS ${kmu_json_dependencies}
+ COMMENT "Generating/Updating KMU keyfile JSON (${CMAKE_BINARY_DIR}/keyfile.json)"
+ VERBATIM
+ )
+
+ # --- Add custom target to trigger the generation ---
+ add_custom_target(
+ generate_kmu_keyfile_json ALL
+ DEPENDS ${CMAKE_BINARY_DIR}/keyfile.json
+ )
+endif()
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
index 887c0086b526..321f0d3070ca 100644
--- a/sysbuild/CMakeLists.txt
+++ b/sysbuild/CMakeLists.txt
@@ -737,6 +737,10 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_post_cmake) include_provision_hex() endif() + if(SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE OR SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE) + include(${ZEPHYR_NRF_MODULE_DIR}/cmake/sysbuild/generate_default_keyfile.cmake) + endif() + if(SB_CONFIG_MATTER_OTA) include(${ZEPHYR_CONNECTEDHOMEIP_MODULE_DIR}/config/zephyr/ota-image_sysbuild.cmake) if(SB_CONFIG_DFU_MULTI_IMAGE_PACKAGE_BUILD OR SB_CONFIG_SUIT_MULTI_IMAGE_PACKAGE_BUILD)
diff --git a/sysbuild/Kconfig.mcuboot b/sysbuild/Kconfig.mcuboot
index 7908e0d0a77a..b5c0cc987173 100644
--- a/sysbuild/Kconfig.mcuboot
+++ b/sysbuild/Kconfig.mcuboot
@@ -176,6 +176,13 @@ config BOOT_SHARED_CRYPTO_ECDSA_P256 depends on BOOT_SIGNATURE_TYPE_ECDSA_P256 && !SOC_SERIES_NRF54LX default y +config MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE + bool "Generate default keyfile for provisioning during build" + depends on SOC_SERIES_NRF54LX + depends on MCUBOOT_SIGNATURE_USING_KMU + help + If enabled, the build system will generate keyfile.json file in the build directory. + endif config MCUBOOT_USE_ALL_AVAILABLE_RAM
diff --git a/sysbuild/Kconfig.secureboot b/sysbuild/Kconfig.secureboot
index 69368d3a96fb..6d1f2b496cfc 100644
--- a/sysbuild/Kconfig.secureboot
+++ b/sysbuild/Kconfig.secureboot
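Review bot: The UROT_PUBKEY branch of generate_default_keyfile.cmake hands `${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}` to `--key` and to `DEPENDS` unchecked, whereas the BL_PUBKEY branch above it runs `string(CONFIGURE ...)`, resolves a relative path and stops at configure time when the PEM file is missing. An empty value leaves `--key` without an argument, and a wrong path surfaces only when the custom command runs. A guard before the `list(APPEND kmu_json_commands ...)` would make the two branches agree, for example `if(NOT EXISTS "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}")`, `message(FATAL_ERROR "MCUboot signing key '${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}' not found")`, `endif()`, with the path first resolved the same way the image signing step resolves it. In the first branch the expansions in `if(IS_ABSOLUTE ${keyfile})` and `if(NOT EXISTS ${signature_private_key_file})` should be quoted so that a path containing spaces or semicolons is tested as one argument.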
@@ -361,6 +361,13 @@ config SECURE_BOOT_DEBUG_NO_VERIFY_HASHES help [DEBUG] Don't check public key hashes for applicability. Only Use this in (negative) tests! +config SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE + bool "Generate default keyfile for provisioning during build" + depends on SOC_SERIES_NRF54LX + depends on SECURE_BOOT_APPCORE + help + If enabled, the build system will generate keyfile.json file in the build directory. + endif endmenu From 590b59e906d382279c2c5e5fbdd786d63771481a Mon Sep 17 00:00:00 2001 From: Grzegorz Chwierut Date: Fri, 6 Jun 2025 14:55:58 +0200 Subject: [PATCH 2/2] tests: bootloader: kmu: Enabled automatic KMU provisioning Enabled nrf54l15dk in bootloader/boot_chains. Automatic KMU provisioning is selected. Updated tests of KMU provisioning with simple tests, where pytest is not required - console harnessis used. Signed-off-by: Grzegorz Chwierut --- .../bootloader/boot_chains/Kconfig.sysbuild | 17 ++++++++ .../bootloader/boot_chains/testcase.yaml | 1 + tests/subsys/kmu/hello_for_kmu/testcase.yaml | 40 ++++++++++++++----- 3 files changed, 49 insertions(+), 9 deletions(-) create mode 100644 tests/subsys/bootloader/boot_chains/Kconfig.sysbuild diff --git a/tests/subsys/bootloader/boot_chains/Kconfig.sysbuild b/tests/subsys/bootloader/boot_chains/Kconfig.sysbuild new file mode 100644 index 000000000000..6d24f355f7ac --- /dev/null +++ b/tests/subsys/bootloader/boot_chains/Kconfig.sysbuild @@ -0,0 +1,17 @@ +# +# Copyright (c) 2025 Nordic Semiconductor +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +if SOC_SERIES_NRF54LX + +config MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE + default y if BOOTLOADER_MCUBOOT && MCUBOOT_SIGNATURE_USING_KMU + +config SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE + default y if SECURE_BOOT_APPCORE + +endif + +source "${ZEPHYR_BASE}/share/sysbuild/Kconfig" diff --git a/tests/subsys/bootloader/boot_chains/testcase.yaml b/tests/subsys/bootloader/boot_chains/testcase.yaml index 8bb329806f47..a4084de7788e 100644 
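Review bot: The help text of `SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE` does not say which key ends up in keyfile.json. In generate_default_keyfile.cmake the BL_PUBKEY entry is built from `SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE` and, when that option is unset, from `GENERATED_NON_SECURE_SIGN_KEY_PRIVATE.pem` in the build directory, so a build with no signing key configured produces a provisioning file for what the file name marks as a non-secure generated key, with no notice to the user. I would add a sentence to the help such as `The key is taken from SECURE_BOOT_SIGNING_KEY_FILE; if that is not set, the non-secure key generated by the build is used, which is not intended for production devices.` A `message(WARNING ...)` on the fallback path in the CMake script would make the same point visible in the build log.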
--- a/tests/subsys/bootloader/boot_chains/testcase.yaml +++ b/tests/subsys/bootloader/boot_chains/testcase.yaml @@ -4,6 +4,7 @@ common: # MCUBoot enabled as well - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp + - nrf54l15dk/nrf54l15/cpuapp harness: console harness_config: type: one_line diff --git a/tests/subsys/kmu/hello_for_kmu/testcase.yaml b/tests/subsys/kmu/hello_for_kmu/testcase.yaml index 3a0c2bb4f54e..ae5ea42e53ee 100644 --- a/tests/subsys/kmu/hello_for_kmu/testcase.yaml +++ b/tests/subsys/kmu/hello_for_kmu/testcase.yaml @@ -1,18 +1,40 @@ common: sysbuild: true - timeout: 180 tags: - - pytest - mcuboot - kmu - ci_tests_subsys_kmu platform_allow: - nrf54l15dk/nrf54l15/cpuapp - - nrf54lm20pdk/nrf54lm20a/cpuapp - - nrf54lv10dk/nrf54lv10a/cpuapp - harness: pytest - harness_config: - pytest_root: - - "../pytest/test_kmu_provision.py" tests: - mcuboot.kmu.west.provision.basic: {} + mcuboot.kmu.west.provision.basic: + timeout: 180 + platform_allow: + - nrf54lm20pdk/nrf54lm20a/cpuapp + - nrf54lv10dk/nrf54lv10a/cpuapp + tags: + - pytest + harness: pytest + harness_config: + pytest_root: + - "../pytest/test_kmu_provision.py" + mcuboot.kmu.west_flash_default_provision: + harness: console + harness_config: + type: one_line + regex: + - "Hello World! (.*)" + extra_args: + - SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y + mcuboot.kmu.west_flash_default_provision_with_b0: + tags: + - nsib + harness: console + harness_config: + type: one_line + regex: + - "Hello World! (.*)" + extra_args: + - SB_CONFIG_SECURE_BOOT_APPCORE=y + - SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE=y + - SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y