diff --git a/applications/nrf_desktop/bootloader_dfu.rst b/applications/nrf_desktop/bootloader_dfu.rst index 42bbd38d13ea..cb83e9044299 100644 --- a/applications/nrf_desktop/bootloader_dfu.rst +++ b/applications/nrf_desktop/bootloader_dfu.rst @@ -200,9 +200,13 @@ You can enhance security further by enabling the following sysbuild Kconfig opti * ``SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE`` - This option enables using a pure signature of the image, verifying signature directly on image, rather than on its hash. However, you cannot use this option if the secondary image slot uses external memory. * ``SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU`` - This option enables using Key Management Unit (KMU) to store keys for signature verification instead of compiling key data into the MCUboot bootloader image. - Using KMU requires provisioning the public key manually. + To use KMU, the public key must first be provisioned. See the :ref:`ug_nrf54l_developing_provision_kmu` documentation for details. + .. note:: + To use automatic provisioning, enable the :kconfig:option:`SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` sysbuild Kconfig option. + This option enables generating a default :file:`keyfile.json` file during the build process based on the input file provided by the :kconfig:option:`SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option. + The automatic provisioning is only performed if the west flash command is executed with the ``--erase`` or ``--recover`` flag. .. _nrf_desktop_bootloader_background_dfu: diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release.conf index 75c652858410..a5fbfdc7ce67 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release.conf @@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release_fast_pair.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release_fast_pair.conf index 434f48a85660..c303e4c27d2c 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release_fast_pair.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release_fast_pair.conf @@ -14,5 +14,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private_fast_pair.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release_keyboard.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release_keyboard.conf index 75c652858410..a5fbfdc7ce67 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release_keyboard.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l05_cpuapp/sysbuild_release_keyboard.conf @@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild.conf index 75c652858410..a5fbfdc7ce67 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild.conf @@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_fast_pair.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_fast_pair.conf index 434f48a85660..c303e4c27d2c 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_fast_pair.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_fast_pair.conf @@ -14,5 +14,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private_fast_pair.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_keyboard.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_keyboard.conf index 75c652858410..a5fbfdc7ce67 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_keyboard.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_keyboard.conf @@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_release.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_release.conf index 75c652858410..a5fbfdc7ce67 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_release.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l10_cpuapp/sysbuild_release.conf @@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild.conf index cd1800f15052..da99ccb93f95 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild.conf @@ -1,5 +1,5 @@ # -# Copyright (c) 2024 Nordic Semiconductor ASA +# Copyright (c) 2024-2025 Nordic Semiconductor ASA # # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause # @@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_fast_pair.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_fast_pair.conf index 3607227901e2..f2905c4864c0 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_fast_pair.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_fast_pair.conf @@ -14,5 +14,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private_fast_pair.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_keyboard.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_keyboard.conf index cd1800f15052..da99ccb93f95 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_keyboard.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_keyboard.conf @@ -1,5 +1,5 @@ # -# Copyright (c) 2024 Nordic Semiconductor ASA +# Copyright (c) 2024-2025 Nordic Semiconductor ASA # # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause # @@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_release.conf b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_release.conf index cd1800f15052..da99ccb93f95 100644 --- a/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_release.conf +++ b/applications/nrf_desktop/configuration/nrf54l15dk_nrf54l15_cpuapp/sysbuild_release.conf @@ -1,5 +1,5 @@ # -# Copyright (c) 2024 Nordic Semiconductor ASA +# Copyright (c) 2024-2025 Nordic Semiconductor ASA # # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause # @@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y -SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem" +SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y +SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y diff --git a/applications/nrf_desktop/description.rst b/applications/nrf_desktop/description.rst index fbe8674e83c4..2060bf315881 100644 --- a/applications/nrf_desktop/description.rst +++ b/applications/nrf_desktop/description.rst @@ -1020,14 +1020,31 @@ nRF54L MCUboot provisioning =========================== nRF54L-based nRF Desktop devices enable hardware cryptography for the MCUboot bootloader. -The public key that MCUboot uses to validate the application image is securely stored in the hardware Key Management Unit (KMU). -In this use case, the application image is automatically signed by the |NCS| build system. -However, the public key is not automatically provisioned to the device when programming the bootloader and the application images using the ``west flash`` command. +For this purpose, a set of private and public keys is needed. +The private key is used to sign the application image. +The public key is generated from the private key and is used by MCUboot to validate the application image. +The public key is securely stored in the Key Management Unit (KMU) hardware peripheral of the nRF54L device. -To provision the MCUboot keys, use the ``west ncs-provision`` command before programming the bootloader and application images. -Make sure that the provisioned public key is generated from the private key that was used to sign the application image. +In this application, the application image is automatically signed with a private key by the |NCS| build system. The private keys are stored in the application configuration directory of the board. Path to the private key is defined by the ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE`` sysbuild Kconfig option. + +To store the public key in the KMU, it must first be provisioned. +This provisioning step can be performed automatically by the west runner, provided that a :file:`keyfile.json` file is present in the build directory. +In this application, the :file:`keyfile.json` file is automatically generated using the ``SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option. +This option uses the private key specified by the :kconfig:option:`SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option to generate the required file during the build process. + +To trigger KMU provisioning during flashing, use the ``west flash`` command with either the ``--erase`` or ``--recover`` flag. +This ensures that both the firmware and the MCUboot public key are correctly programmed onto the target device using the KMU-based key storage. +Use the following command to perform the operation: + +.. parsed-literal:: + :class: highlight + + west flash --recover + +Alternatively, you can perform the provisioning operation manually with the ``west ncs-provision upload`` command and then flash the device with the ``west flash`` command. + You only need to provision one public key to an nRF Desktop device. For details, see :ref:`provisioning KMU for nRF54L devices `. diff --git a/applications/nrf_desktop/pytest/test_mcuboot_kmu.py b/applications/nrf_desktop/pytest/test_mcuboot_kmu.py deleted file mode 100644 index 3776d46576a9..000000000000 --- a/applications/nrf_desktop/pytest/test_mcuboot_kmu.py +++ /dev/null @@ -1,107 +0,0 @@ -# -# Copyright (c) 2024 Nordic Semiconductor ASA -# -# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause -# - -import os -import logging -import subprocess -import re -import shlex - -from twister_harness import DeviceAdapter -from twister_harness.helpers.utils import find_in_config - -logger = logging.getLogger(__name__) - -def run_command(command: list[str], timeout: int = 30): - try: - ret: subprocess.CompletedProcess = subprocess.run(command, - text=True, - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - timeout=timeout) - except subprocess.TimeoutExpired: - logger.error(f"Timeout expired for command: {shlex.join(command)}") - raise - - if ret.returncode: - logger.error(f"Command failed: {shlex.join(command)}") - logger.error(ret.stdout) - raise subprocess.CalledProcessError(ret.returncode, command) - - -def _mcuboot_key_path(dut: DeviceAdapter): - mcuboot_conf_path = os.path.join(str(dut.device_config.build_dir), "mcuboot", "zephyr", - ".config") - return find_in_config(mcuboot_conf_path, "CONFIG_BOOT_SIGNATURE_KEY_FILE") - - -def mcuboot_provision(dut: DeviceAdapter): - key_path = _mcuboot_key_path(dut) - command = ["west", "ncs-provision", "upload", "-k", key_path] - if dut.device_config.id: - command.extend(["--dev-id", dut.device_config.id]) - - logger.info("KMU provisioning") - run_command(command) - - -def board_flash(dut: DeviceAdapter): - build_dir = dut.device_config.build_dir - dev_id = dut.device_config.id - - command = ["west", "flash", "--skip-rebuild", "-d", build_dir] - if dev_id: - command.extend(["--dev-id", dev_id]) - - logger.info("Programming the board") - run_command(command) - - -def logs_verify(dut: DeviceAdapter): - # Expected logs are sourced from nRF Desktop `sample.yaml` file. - expected_logs = [ - "app_event_manager: e:module_state_event module:main state:READY", - "ble_state: Bluetooth initialized", - "settings_loader: Settings loaded", - "ble_bond: Selected Bluetooth LE peers", - "(ble_adv: Advertising started)|(ble_scan: Scan started)", - "dfu: Secondary image slot is clean" - ] - error_log = "" - - expected_regexes = list(map(re.compile, expected_logs)) - - while True: - line = dut.readline(timeout=120) - - if line is None: - break - - assert error_log not in line - - for r in expected_regexes: - if r.search(line): - expected_regexes.remove(r) - - if len(expected_regexes) == 0: - break - - - # Expect to match all of the regexes - assert len(expected_regexes) == 0 - - -def test_boot(dut: DeviceAdapter): - # nRF Desktop and bootloader images are already programmed at this stage. - mcuboot_provision(dut) - - # Clear buffer to ensure proper state. Then flash and reset the board to start test. The board - # must be programmed again at this point, because MCUboot erases application image if running - # before KMU is provisioned. - dut.clear_buffer() - board_flash(dut) - - logs_verify(dut) diff --git a/applications/nrf_desktop/sample.yaml b/applications/nrf_desktop/sample.yaml index 9ec9137364c7..55cf5d8fde03 100644 --- a/applications/nrf_desktop/sample.yaml +++ b/applications/nrf_desktop/sample.yaml @@ -19,23 +19,18 @@ common: - "(ble_adv: Advertising started)|(ble_scan: Scan started)" - "dfu: Secondary image slot is clean" tests: - applications.nrf_desktop.zdebug.uart.kmu_provision: - platform_allow: - - nrf54l15dk/nrf54l10/cpuapp - - nrf54l15dk/nrf54l15/cpuapp - integration_platforms: - - nrf54l15dk/nrf54l10/cpuapp - - nrf54l15dk/nrf54l15/cpuapp - timeout: 180 - harness: pytest applications.nrf_desktop.zdebug.uart: platform_allow: - nrf54h20dk/nrf54h20/cpuapp + - nrf54l15dk/nrf54l10/cpuapp + - nrf54l15dk/nrf54l15/cpuapp - nrf54lm20dk/nrf54lm20a/cpuapp - nrf54lm20pdk/nrf54lm20a/cpuapp - nrf54lm20pdk@0.2.0/nrf54lm20a/cpuapp integration_platforms: - nrf54h20dk/nrf54h20/cpuapp + - nrf54l15dk/nrf54l10/cpuapp + - nrf54l15dk/nrf54l15/cpuapp - nrf54lm20dk/nrf54lm20a/cpuapp - nrf54lm20pdk/nrf54lm20a/cpuapp - nrf54lm20pdk@0.2.0/nrf54lm20a/cpuapp @@ -78,7 +73,7 @@ tests: integration_platforms: - nrf52833dk/nrf52833 extra_args: FILE_SUFFIX=dongle_small - applications.nrf_desktop.zdebug_fast_pair.gmouse.uart.kmu_provision: + applications.nrf_desktop.zdebug_fast_pair.gmouse.uart: platform_allow: - nrf54l15dk/nrf54l10/cpuapp - nrf54l15dk/nrf54l15/cpuapp @@ -87,8 +82,7 @@ tests: - nrf54l15dk/nrf54l15/cpuapp extra_args: - FILE_SUFFIX=fast_pair - timeout: 180 - harness: pytest + harness: console applications.nrf_desktop.zdebug_fast_pair.gmouse: build_only: true platform_allow: @@ -164,7 +158,7 @@ tests: integration_platforms: - nrf54h20dk/nrf54h20/cpuapp extra_args: FILE_SUFFIX=release_dongle - applications.nrf_desktop.zdebug_keyboard.uart.kmu_provision: + applications.nrf_desktop.zdebug_keyboard.uart: platform_allow: - nrf54l15dk/nrf54l10/cpuapp - nrf54l15dk/nrf54l15/cpuapp @@ -172,8 +166,7 @@ tests: - nrf54l15dk/nrf54l10/cpuapp - nrf54l15dk/nrf54l15/cpuapp extra_args: FILE_SUFFIX=keyboard - timeout: 180 - harness: pytest + harness: console applications.nrf_desktop.zdebug_keyboard: build_only: true platform_allow: diff --git a/applications/nrf_desktop/sysbuild/CMakeLists.txt b/applications/nrf_desktop/sysbuild/CMakeLists.txt index 3ce4b76ebad7..f991df859796 100644 --- a/applications/nrf_desktop/sysbuild/CMakeLists.txt +++ b/applications/nrf_desktop/sysbuild/CMakeLists.txt @@ -30,11 +30,13 @@ project(sysbuild LANGUAGES) if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU) message(WARNING " ------------------------------------------------------------------------------ - --- WARNING: MCUboot uses KMU stored keys for signature verification. Make --- - --- sure to use `west ncs-provision` to manually provision the bootloader. --- - --- Application would fail to boot if MCUboot is not provisioned. For more --- - --- details, see the `Building and running` section from `Application --- - --- description` page in nRF Desktop application documentation. --- + --- WARNING: MCUboot signature verification uses KMU-stored keys. You must --- + --- use the `west flash` command with either the `--erase` or `--recover` --- + --- option to ensure the bootloader provisioning operation is included in --- + --- the flashing procedure. The application will fail to boot if MCUboot --- + --- is not properly provisioned. For more details, see the `Building and --- + --- running` section from `Application description` page in nRF Desktop --- + --- application documentation. --- ------------------------------------------------------------------------------ ") endif() diff --git a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst index 07ef77286f0b..3ecbe0341f00 100644 --- a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst +++ b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst @@ -377,6 +377,9 @@ nRF Desktop The module also restricts the power down level to the :c:enum:`POWER_MANAGER_LEVEL_SUSPENDED`. Then, after the :ref:`CONFIG_DESKTOP_USB_PM_RESTRICT_REMOVE_DELAY_MS ` configurable delay, the module removes the power down level restriction. This allows you to take actions, such as restart Bluetooth LE advertising, after disconnecting the USB cable without going through reboot. + * The configurations for nRF54L-based board targets that store the MCUboot verification key in the KMU peripheral to automatically generate the :file:`keyfile.json` file in the build directory (the :kconfig:option:`SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` sysbuild Kconfig option) based on the input file provided by the :kconfig:option:`SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option. + This KMU provisioning step can now be performed automatically by the west runner, provided that a :file:`keyfile.json` file is present in the build directory. + The provisioning is only performed if the ``west flash`` command is executed with the ``--erase`` or ``--recover`` flag. nRF Machine Learning (Edge Impulse) ----------------------------------- diff --git a/scripts/quarantine_llvm.yaml b/scripts/quarantine_llvm.yaml index 5fa5a8cb3c41..3630f9c331bc 100644 --- a/scripts/quarantine_llvm.yaml +++ b/scripts/quarantine_llvm.yaml @@ -5,9 +5,9 @@ # This file is used to quarantine test built using ARM LLVM compiler - scenarios: - - applications.nrf_desktop.zdebug.uart.kmu_provision - - applications.nrf_desktop.zdebug_fast_pair.gmouse.uart.kmu_provision - - applications.nrf_desktop.zdebug_keyboard.uart.kmu_provision + - applications.nrf_desktop.zdebug.uart + - applications.nrf_desktop.zdebug_fast_pair.gmouse.uart + - applications.nrf_desktop.zdebug_keyboard.uart - applications.nrf_desktop.zrelease platforms: - nrf54l15dk/nrf54l15/cpuapp