nrfconnect · kapi-no · Aug 1, 2025 · Jul 29, 2025 · Jul 29, 2025 · kapi-no
@@ -200,9 +200,13 @@ You can enhance security further by enabling the following sysbuild Kconfig opti
 * ``SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE`` - This option enables using a pure signature of the image, verifying signature directly on image, rather than on its hash.
   However, you cannot use this option if the secondary image slot uses external memory.
 * ``SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU`` - This option enables using Key Management Unit (KMU) to store keys for signature verification instead of compiling key data into the MCUboot bootloader image.
-  Using KMU requires provisioning the public key manually.
+  To use KMU, the public key must first be provisioned.
   See the :ref:`ug_nrf54l_developing_provision_kmu` documentation for details.
 
+  .. note::
+     To use automatic provisioning, enable the :kconfig:option:`SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` sysbuild Kconfig option.
+     This option enables generating a default :file:`keyfile.json` file during the build process based on the input file provided by the :kconfig:option:`SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option.
+     The automatic provisioning is only performed if the west flash command is executed with the ``--erase`` or ``--recover`` flag.
 
 .. _nrf_desktop_bootloader_background_dfu:
 

@@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -14,5 +14,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private_fast_pair.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -14,5 +14,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private_fast_pair.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2024 Nordic Semiconductor ASA
+# Copyright (c) 2024-2025 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
@@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -14,5 +14,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private_fast_pair.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2024 Nordic Semiconductor ASA
+# Copyright (c) 2024-2025 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
@@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2024 Nordic Semiconductor ASA
+# Copyright (c) 2024-2025 Nordic Semiconductor ASA
 #
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
@@ -9,5 +9,6 @@ SB_CONFIG_BOOTLOADER_MCUBOOT=y
 SB_CONFIG_MCUBOOT_MODE_DIRECT_XIP=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
 SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
 SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="\${APPLICATION_CONFIG_DIR}/images/mcuboot/mcuboot_private.pem"
+SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
+SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE=y
@@ -1020,14 +1020,31 @@ nRF54L MCUboot provisioning
 ===========================
 
 nRF54L-based nRF Desktop devices enable hardware cryptography for the MCUboot bootloader.
-The public key that MCUboot uses to validate the application image is securely stored in the hardware Key Management Unit (KMU).
-In this use case, the application image is automatically signed by the |NCS| build system.
-However, the public key is not automatically provisioned to the device when programming the bootloader and the application images using the ``west flash`` command.
+For this purpose, a set of private and public keys is needed.
+The private key is used to sign the application image.
+The public key is generated from the private key and is used by MCUboot to validate the application image.
+The public key is securely stored in the Key Management Unit (KMU) hardware peripheral of the nRF54L device.
 
-To provision the MCUboot keys, use the ``west ncs-provision`` command before programming the bootloader and application images.
-Make sure that the provisioned public key is generated from the private key that was used to sign the application image.
+In this application, the application image is automatically signed with a private key by the |NCS| build system.
 The private keys are stored in the application configuration directory of the board.
 Path to the private key is defined by the ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE`` sysbuild Kconfig option.
+
+To store the public key in the KMU, it must first be provisioned.
+This provisioning step can be performed automatically by the west runner, provided that a :file:`keyfile.json` file is present in the build directory.
+In this application, the :file:`keyfile.json` file is automatically generated using the ``SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option.
+This option uses the private key specified by the :kconfig:option:`SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option to generate the required file during the build process.
+
+To trigger KMU provisioning during flashing, use the ``west flash`` command with either the ``--erase`` or ``--recover`` flag.
+This ensures that both the firmware and the MCUboot public key are correctly programmed onto the target device using the KMU-based key storage.
+Use the following command to perform the operation:
+
+.. parsed-literal::
+   :class: highlight
+
+   west flash --recover
+
+Alternatively, you can perform the provisioning operation manually with the ``west ncs-provision upload`` command and then flash the device with the ``west flash`` command.
+
 You only need to provision one public key to an nRF Desktop device.
 For details, see :ref:`provisioning KMU for nRF54L devices <ug_nrf54l_developing_provision_kmu>`.
 

@@ -19,23 +19,18 @@ common:
       - "(ble_adv: Advertising started)|(ble_scan: Scan started)"
       - "dfu: Secondary image slot is clean"
 tests:
-  applications.nrf_desktop.zdebug.uart.kmu_provision:
-    platform_allow:
-      - nrf54l15dk/nrf54l10/cpuapp
-      - nrf54l15dk/nrf54l15/cpuapp
-    integration_platforms:
-      - nrf54l15dk/nrf54l10/cpuapp
-      - nrf54l15dk/nrf54l15/cpuapp
-    timeout: 180
-    harness: pytest
   applications.nrf_desktop.zdebug.uart:
     platform_allow:
       - nrf54h20dk/nrf54h20/cpuapp
+      - nrf54l15dk/nrf54l10/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp
       - nrf54lm20dk/nrf54lm20a/cpuapp
       - nrf54lm20pdk/nrf54lm20a/cpuapp
       - [email protected]/nrf54lm20a/cpuapp
     integration_platforms:
       - nrf54h20dk/nrf54h20/cpuapp
+      - nrf54l15dk/nrf54l10/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp
       - nrf54lm20dk/nrf54lm20a/cpuapp
       - nrf54lm20pdk/nrf54lm20a/cpuapp
       - [email protected]/nrf54lm20a/cpuapp
@@ -78,7 +73,7 @@ tests:
     integration_platforms:
       - nrf52833dk/nrf52833
     extra_args: FILE_SUFFIX=dongle_small
-  applications.nrf_desktop.zdebug_fast_pair.gmouse.uart.kmu_provision:
+  applications.nrf_desktop.zdebug_fast_pair.gmouse.uart:
     platform_allow:
       - nrf54l15dk/nrf54l10/cpuapp
       - nrf54l15dk/nrf54l15/cpuapp
@@ -87,8 +82,7 @@ tests:
       - nrf54l15dk/nrf54l15/cpuapp
     extra_args:
       - FILE_SUFFIX=fast_pair
-    timeout: 180
-    harness: pytest
+    harness: console
   applications.nrf_desktop.zdebug_fast_pair.gmouse:
     build_only: true
     platform_allow:
@@ -164,16 +158,15 @@ tests:
     integration_platforms:
       - nrf54h20dk/nrf54h20/cpuapp
     extra_args: FILE_SUFFIX=release_dongle
-  applications.nrf_desktop.zdebug_keyboard.uart.kmu_provision:
+  applications.nrf_desktop.zdebug_keyboard.uart:
     platform_allow:
       - nrf54l15dk/nrf54l10/cpuapp
       - nrf54l15dk/nrf54l15/cpuapp
     integration_platforms:
       - nrf54l15dk/nrf54l10/cpuapp
       - nrf54l15dk/nrf54l15/cpuapp
     extra_args: FILE_SUFFIX=keyboard
-    timeout: 180
-    harness: pytest
+    harness: console
   applications.nrf_desktop.zdebug_keyboard:
     build_only: true
     platform_allow:

@@ -30,11 +30,13 @@ project(sysbuild LANGUAGES)
 if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
   message(WARNING "
           ------------------------------------------------------------------------------
-          --- WARNING: MCUboot uses KMU stored keys for signature verification. Make ---
-          --- sure to use `west ncs-provision` to manually provision the bootloader. ---
-          --- Application would fail to boot if MCUboot is not provisioned. For more ---
-          --- details, see the `Building and running` section from `Application      ---
-          --- description` page in nRF Desktop application documentation.            ---
+          --- WARNING: MCUboot signature verification uses KMU-stored keys. You must ---
+          --- use the `west flash` command with either the `--erase` or `--recover`  ---
+          --- option to ensure the bootloader provisioning operation is included in  ---
+          --- the flashing procedure. The application will fail to boot if MCUboot   ---
+          --- is not properly provisioned. For more details, see the `Building and   ---
+          --- running` section from `Application description` page in nRF Desktop    ---
+          --- application documentation.                                             ---
           ------------------------------------------------------------------------------
           ")
 endif()
@@ -377,6 +377,9 @@ nRF Desktop
     The module also restricts the power down level to the :c:enum:`POWER_MANAGER_LEVEL_SUSPENDED`.
     Then, after the :ref:`CONFIG_DESKTOP_USB_PM_RESTRICT_REMOVE_DELAY_MS <config_desktop_app_options>` configurable delay, the module removes the power down level restriction.
     This allows you to take actions, such as restart Bluetooth LE advertising, after disconnecting the USB cable without going through reboot.
+  * The configurations for nRF54L-based board targets that store the MCUboot verification key in the KMU peripheral to automatically generate the :file:`keyfile.json` file in the build directory (the :kconfig:option:`SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE` sysbuild Kconfig option) based on the input file provided by the :kconfig:option:`SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` sysbuild Kconfig option.
+    This KMU provisioning step can now be performed automatically by the west runner, provided that a :file:`keyfile.json` file is present in the build directory.
+    The provisioning is only performed if the ``west flash`` command is executed with the ``--erase``  or ``--recover`` flag.
 
 nRF Machine Learning (Edge Impulse)
 -----------------------------------

@@ -5,9 +5,9 @@
 # This file is used to quarantine test built using ARM LLVM compiler
 
 - scenarios:
-    - applications.nrf_desktop.zdebug.uart.kmu_provision
-    - applications.nrf_desktop.zdebug_fast_pair.gmouse.uart.kmu_provision
-    - applications.nrf_desktop.zdebug_keyboard.uart.kmu_provision
+    - applications.nrf_desktop.zdebug.uart
+    - applications.nrf_desktop.zdebug_fast_pair.gmouse.uart
+    - applications.nrf_desktop.zdebug_keyboard.uart
     - applications.nrf_desktop.zrelease
   platforms:
     - nrf54l15dk/nrf54l15/cpuapp