Skip to content

Generate default key file with west ncs-provision, enable automatic KMU provisioning #22516

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 23, 2025
Merged

Generate default key file with west ncs-provision, enable automatic KMU provisioning #22516

merged 2 commits into from
Jun 23, 2025

Conversation

gchwier
Copy link
Contributor

@gchwier gchwier commented May 26, 2025
edited
Loading

Updated manifest to sdk-zephyr.
Changes in zephyr allows to provision KMU keys with west flash command, if keyfile.json (generated by west ncs-provision) is in build directory.

Changes in sdk-nrf:
Introduced the capability to automatically generate
the keyfile.json during the build process for nRF54L series devices.
Added new Kconfigs:

  • SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE
  • SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE
    to control creating keyfile.json during the build process.
    Creating keyfile.json is implemented in generate_default_keyfile.cmake.

Additionally updated tests on nrf54l15dk:

  • tests/subsys/bootloader/boot_chains
  • tests/subsys/kmu/hello_for_kmu

To test is manually on nrf54l15dk:
hello world + NSIB

west build -p -b nrf54l15dk/nrf54l15/cpuapp $ZEPHYR_BASE/samples/hello_world  -d build-54l-nsib -- \
-DSB_CONFIG_SECURE_BOOT_APPCORE=y \
-DSB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE=y

west flash --skip-rebuild --erase -d build-54l-nsib

MCUboot (with KMU enabled)

west build -p -b nrf54l15dk/nrf54l15/cpuapp $ZEPHYR_BASE/samples/hello_world -d build-54l-mcuboot_kmu -- \
-DSB_CONFIG_BOOTLOADER_MCUBOOT=y \
-DSB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y \
-DSB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y

west flash --skip-rebuild --erase -d build-54l-mcuboot_kmu

hello world + NSIB + MCUboot

west build -p -b nrf54l15dk/nrf54l15/cpuapp $ZEPHYR_BASE/samples/hello_world  -d build-54l-nsib_mcuboot -- \
-DSB_CONFIG_SECURE_BOOT_APPCORE=y \
-DSB_CONFIG_BOOTLOADER_MCUBOOT=y \
-DSB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y \
-DSB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE=y \
-DSB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y

west flash --skip-rebuild --erase -d build-54l-nsib_mcuboot

To run Twister tests:

$ZEPHYR_BASE/scripts/twister \
-c -vv -ll debug \
--device-testing -p nrf54l15dk/nrf54l15/cpuapp --device-serial /dev/ttyACM1 --west-flash="--recover" \
-T tests/subsys/bootloader/boot_chains

$ZEPHYR_BASE/scripts/twister \
-c -vv -ll debug \
--device-testing -p nrf54l15dk/nrf54l15/cpuapp --device-serial /dev/ttyACM1 --west-flash="--recover" \
-T tests/subsys/kmu/hello_for_kmu \
-s mcuboot.kmu.west_flash_default_provision \
-s mcuboot.kmu.west_flash_default_provision_with_b0

@gchwier gchwier requested a review from a team May 26, 2025 14:46
@gchwier gchwier requested review from a team as code owners May 26, 2025 14:46
@github-actions github-actions bot added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels May 26, 2025
@NordicBuilder
Copy link
Contributor

NordicBuilder commented May 26, 2025
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff

All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented May 26, 2025
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 21

Inputs:

Sources:

sdk-nrf: PR head: 590b59e906d382279c2c5e5fbdd786d63771481a

more details

sdk-nrf:

PR head: 590b59e906d382279c2c5e5fbdd786d63771481a
merge base: 768c10ecd3942bb25934b45526348d708ab6b6db
target head (main): c0042f741d7539769b08df7ad2d57c57b9ce5494
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (7) 
cmake
│  ├── sysbuild
│  │  │ generate_default_keyfile.cmake
sysbuild
│  ├── CMakeLists.txt
│  ├── Kconfig.mcuboot
│  │ Kconfig.secureboot
tests
│  ├── subsys
│  │  ├── bootloader
│  │  │  ├── boot_chains
│  │  │  │  ├── Kconfig.sysbuild
│  │  │  │  │ testcase.yaml
│  │  ├── kmu
│  │  │  ├── hello_for_kmu
│  │  │  │  │ testcase.yaml

Outputs:

Toolchain

Version: 3ae5dc3c63
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:3ae5dc3c63_776d264d2e

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister - Skipped: Skipping Build & Test as it succeeded in a previous run: 19
  • ✅ Integration tests
    • ✅ test-sdk-audio - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ desktop52_verification - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-boot - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-apps - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_mesh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-ble_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-chip - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nfc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_cloud - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_libmodem-nrf - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_serial_lte_modem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_zephyr_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ doc-internal - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_thingy91 - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_crypto - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rpc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rs - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-fem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-tfm - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-thread-main - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-find-my - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_lrcs_mosh - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_lrcs_positioning - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-wifi - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-low-level - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-pmic-samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-mcuboot - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-secdom-samples-public - Skipped: Job was skipped as it succeeded in a previous run
    • ⚠️ test-fw-nrfconnect-fw-update

Note: This message is automatically posted and updated by the CI

@github-actions GitHub Actions
Copy link

You can find the documentation preview for this PR here.

@gchwier gchwier force-pushed the grch-west-flash-with-provision branch from 2495a58 to 243a05f Compare May 29, 2025 15:00
@gchwier gchwier marked this pull request as draft May 29, 2025 15:00
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 3 times, most recently from 31104aa to bc69b54 Compare June 6, 2025 12:57
@gchwier gchwier marked this pull request as ready for review June 6, 2025 13:31
@gchwier gchwier requested a review from a team as a code owner June 6, 2025 13:31
@gchwier gchwier mentioned this pull request Jun 6, 2025
Merged
nvlsianpu
nvlsianpu reviewed Jun 10, 2025
View reviewed changes
nvlsianpu
nvlsianpu reviewed Jun 10, 2025
View reviewed changes
nvlsianpu
nvlsianpu reviewed Jun 10, 2025
View reviewed changes
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 4 times, most recently from 091f13e to c7de955 Compare June 12, 2025 07:45
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Jun 12, 2025
edited
Loading

Memory footprint analysis revealed the following potential issues

applications.hpf.gpio.icbmsg[nrf54l15dk/nrf54l15/cpuflpr]: High RAM usage: 12430[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icbmsg[nrf54l15dk/nrf54l15/cpuflpr]: High ROM usage: 9178[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icmsg[nrf54l15dk/nrf54l15/cpuflpr]: High RAM usage: 9090[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icmsg[nrf54l15dk/nrf54l15/cpuflpr]: High ROM usage: 5846[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icbmsg[nrf54l15dk/nrf54l15/cpuflpr]: High RAM usage: 12430[B] - link (cc: @nrfconnect/ncs-ll-ursus)
applications.hpf.gpio.icbmsg[nrf54l15dk/nrf54l15/cpuflpr]: High ROM usage: 9178[B] - link (cc: @nrfconnect/ncs-ll-ursus)

Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-22516/19)

@gchwier gchwier force-pushed the grch-west-flash-with-provision branch from c7de955 to fcef34a Compare June 12, 2025 10:30
@gchwier gchwier requested review from michalek-no and nordicjm June 13, 2025 07:02
nordicjm
nordicjm reviewed Jun 18, 2025
View reviewed changes
sysbuild/Kconfig.mcuboot Outdated
Comment on lines 183 to 184
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

squash into previous commit

sysbuild/Kconfig.secureboot Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as above

cmake/sysbuild/generate_default_keyfile.cmake Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if(DEFINED SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE AND NOT "${SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE}" STREQUAL "")
if(SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE)

cmake/sysbuild/generate_default_keyfile.cmake Outdated
Comment on lines 8 to 9
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use variables directly rather than creating these

cmake/sysbuild/generate_default_keyfile.cmake Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alignment

@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 2 times, most recently from 6773da0 to 7356910 Compare June 18, 2025 15:05
@gchwier gchwier requested a review from nordicjm June 18, 2025 15:11
@nordicjm nordicjm mentioned this pull request Jun 19, 2025
Closed
gchwier added 2 commits June 20, 2025 09:48
@gchwier
cmake: Added default key file generation for KMU provisioning
b62a067 
This commit introduces the capability to automatically generate
the keyfile.json during the build process for nRF54L series devices.
Added new Kconfigs in Kconfig.mcuboot and Kconfig.secureboot to
control creating keyfile.json during the build process.
Creating keyfile.json is implemented in generate_default_keyfile.cmake

Signed-off-by: Grzegorz Chwierut <[email protected]>
@gchwier
tests: bootloader: kmu: Enabled automatic KMU provisioning
590b59e 
Enabled nrf54l15dk in bootloader/boot_chains.
Automatic KMU provisioning is selected.
Updated tests of KMU provisioning with simple tests,
where pytest is not required - console harnessis used.

Signed-off-by: Grzegorz Chwierut <[email protected]>
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch from 7356910 to 590b59e Compare June 20, 2025 07:50
@github-actions github-actions bot removed the manifest label Jun 20, 2025
@gchwier gchwier changed the title manifest: sdk-zephyr: Add ncs-provision to west Generate default key file with west ncs-provision, enable automatic KMU provisioning Jun 20, 2025
@gchwier
Copy link
Contributor Author

gchwier commented Jun 20, 2025

Rebased and removed sdk-zephyr manifest (merged with other PR)

nordicjm
nordicjm approved these changes Jun 20, 2025
View reviewed changes
cmake/sysbuild/generate_default_keyfile.cmake
set(keyfile)

if(NOT EXISTS ${signature_private_key_file})
message(FATAL_ERROR "Config points to non-existing PEM file '${signature_private_key_file}'")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't like that this throws an error, which means users can't recover from it, but actually seems this is already done in debug_keys.cmake, which oddly means that this will never actually run anyway because the same failure will occur there first, so will allow it

@nordicjm nordicjm merged commit 6f93393 into nrfconnect:main Jun 23, 2025
13 of 15 checks passed
@gchwier gchwier deleted the grch-west-flash-with-provision branch June 23, 2025 06:41
@gchwier gchwier mentioned this pull request Aug 1, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@carlescufi carlescufi carlescufi approved these changes

@nvlsianpu nvlsianpu nvlsianpu approved these changes

@nordicjm nordicjm nordicjm approved these changes

@michalek-no michalek-no Awaiting requested review from michalek-no

Assignees

No one assigned

Labels

changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@gchwier @NordicBuilder @carlescufi @nvlsianpu @nordicjm