doc: nrf: KMU provisioning while west flashing #23569
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -142,3 +142,18 @@ Once you have an unprovisioned SoC, upload keys to the board by running one of t | |
| You can call this command multiple times also to provision multiple keys, as long as each key has a different ID that is part of the metadata string. | ||
|
|
||
| For more information about this command, see the `Provisioning keys for hardware KMU`_ page in the nRF Util documentation. | ||
|
|
||
| Alternative provisioning method | ||
| ********************************* | ||
|
|
||
| To simplify the development process, keys can be generated and provisioned at the same time as the flashing process | ||
| In the case of NSIB, enabling the ``SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option at the sysbuild level introduces an additional programming step that is triggered when you execute the ``west flash --recover`` command. | ||
michalek-no marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| If you set the ``SB_CONFIG_SECURE_BOOT_SIGNING_KEY_FILE`` Kconfig option to a PEM key file, that specific file will be used. | ||
| If not, the build will use the default key named :file:`GENERATED_NON_SECURE_SIGN_KEY_PRIVATE.pem`, which is located in the build directory. | ||
|
|
||
| For MCUboot configurations, activating the ``SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option at the sysbuild level allows to provision keys simultaneously with the flashing process. Provisioning step is triggered when you execute either ``west flash --recover`` or ``west flash --erase`` command. | ||
| MCUboot uses the key file designated by the ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE`` option. | ||
|
|
||
| At the end of the described process the :file:`keyfile.json` file is generated in the build directory. | ||
|
There was a problem hiding this comment. Just to clarify: keyfile.json is generated during build process ( You can find some details in PR description: |
||
| This file allows key provisioning to occur simultaneously with the flashing process. | ||
| Alternatively, you can bypass the mentioned Kconfig options and manually place a custom :file:`keyfile.json` in the build directory. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.