Skip to content

doc: nrf: KMU provisioning while west flashing #23569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 31, 2025
Merged

doc: nrf: KMU provisioning while west flashing #23569

merged 1 commit into from
Jul 31, 2025

Conversation

michalek-no
Copy link
Contributor

adds sections about new provisioning method.

@michalek-no michalek-no requested a review from nvlsianpu July 30, 2025 15:30
@michalek-no michalek-no requested a review from annwoj as a code owner July 30, 2025 15:30
@github-actions github-actions bot added doc-required PR must not be merged without tech writer approval. changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Jul 30, 2025
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Jul 30, 2025
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 11

Inputs:

Sources:

sdk-nrf: PR head: 043d97dc5a5e56e58508f77bf20e765e90db9052

more details

sdk-nrf:

PR head: 043d97dc5a5e56e58508f77bf20e765e90db9052
merge base: 148318491954849f4d201936c40a28a2e7f6b8e2
target head (main): f6bacee94867a2887b171d0cd4328cd3fdbf12d2
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (1) 
doc
│  ├── nrf
│  │  ├── app_dev
│  │  │  ├── device_guides
│  │  │  │  ├── nrf54l
│  │  │  │  │  │ kmu_provision.rst

Outputs:

Toolchain

Version:
Build docker image:

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain
  • ◻️ Build twister
  • ◻️ Integration tests
Disabled integration tests
    • desktop52_verification
    • doc-internal
    • test_ble_nrf_config
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-chip
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_cloud
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-nrf_crypto
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-rs
    • test-fw-nrfconnect-tfm
    • test-fw-nrfconnect-thread-main
    • test-low-level
    • test-sdk-audio
    • test-sdk-dfu
    • test-sdk-find-my
    • test-sdk-mcuboot
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@github-actions GitHub Actions
Copy link

You can find the documentation preview for this PR here.

Preview links for modified nRF Connect SDK documents:

https://ncsdoc.z6.web.core.windows.net/PR-23569/nrf/app_dev/device_guides/nrf54l/kmu_provision.html

annwoj
annwoj reviewed Jul 31, 2025
View reviewed changes
@michalek-no michalek-no force-pushed the mb-doc-provision-flash branch from 86d5854 to 696123b Compare July 31, 2025 10:40
nvlsianpu
nvlsianpu reviewed Jul 31, 2025
View reviewed changes
@michalek-no michalek-no force-pushed the mb-doc-provision-flash branch from 696123b to d29e3a9 Compare July 31, 2025 12:08
@michalek-no michalek-no requested a review from annwoj July 31, 2025 12:13
annwoj
annwoj reviewed Jul 31, 2025
View reviewed changes
annwoj
annwoj reviewed Jul 31, 2025
View reviewed changes
annwoj
annwoj reviewed Jul 31, 2025
View reviewed changes
annwoj
annwoj reviewed Jul 31, 2025
View reviewed changes
@michalek-no michalek-no force-pushed the mb-doc-provision-flash branch from 020d257 to 4a76db8 Compare July 31, 2025 13:17
@michalek-no michalek-no force-pushed the mb-doc-provision-flash branch from 4a76db8 to 708dd1b Compare July 31, 2025 13:19
@michalek-no michalek-no requested a review from nvlsianpu July 31, 2025 13:20
nvlsianpu
nvlsianpu approved these changes Jul 31, 2025
View reviewed changes
Copy link
Contributor

@nvlsianpu nvlsianpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume that you will take in to account --erase

@michalek-no michalek-no force-pushed the mb-doc-provision-flash branch from 708dd1b to 600e905 Compare July 31, 2025 13:52
@michalek-no
doc: nrf: KMU provisioning while west flashing
043d97d 
adds sections about new provisioning method.

Signed-off-by: Mateusz Michalek <[email protected]>
@michalek-no michalek-no force-pushed the mb-doc-provision-flash branch from 600e905 to 043d97d Compare July 31, 2025 14:00
@nvlsianpu nvlsianpu merged commit 8e8c7c7 into nrfconnect:main Jul 31, 2025
16 checks passed
gchwier
gchwier reviewed Aug 1, 2025
View reviewed changes
doc/nrf/app_dev/device_guides/nrf54l/kmu_provision.rst
For MCUboot configurations, activating the ``SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE`` Kconfig option at the sysbuild level allows to provision keys simultaneously with the flashing process. Provisioning step is triggered when you execute either ``west flash --recover`` or ``west flash --erase`` command.
MCUboot uses the key file designated by the ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE`` option.

At the end of the described process the :file:`keyfile.json` file is generated in the build directory.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to clarify:

keyfile.json is generated during build process (west build...), when SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE and/or SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE is enabled. Keys are provisioned with west flash --recover/--erase if keyfile,json exists.

You can find some details in PR description:
in sdk-nrf (added new Kconfigs and generating keyfile.json using west ncs-provision --dry-run command during build process):
#22516
and in zephyr, support in west flash to provision keys using keyfile.json:
nrfconnect/sdk-zephyr#2894

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gchwier gchwier gchwier left review comments

@nvlsianpu nvlsianpu nvlsianpu approved these changes

@annwoj annwoj annwoj approved these changes

Assignees

No one assigned

Labels

changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. doc only doc-required PR must not be merged without tech writer approval.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@michalek-no @NordicBuilder @nvlsianpu @annwoj @gchwier