manifest: sdk-mcuboot: [nrf noup] bootutil: Use correct set of KMU key slots

cmake/sysbuild/generate_default_keyfile.cmake

@@ -8,7 +8,7 @@
 set(kmu_json_commands "")
 set(kmu_json_dependencies "")
 
-# First command: Generate keyfile for BL_PUBKEY
+# First command: Generate keyfile for b0 (BL_PUBKEY)
 if(SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE)
   # --- Determine the signing key file to use ---
   set(signature_private_key_file "") # Initialize
@@ -39,12 +39,18 @@ if(SB_CONFIG_SECURE_BOOT_GENERATE_DEFAULT_KMU_KEYFILE)
   list(APPEND kmu_json_dependencies ${signature_private_key_file})
 endif()
 
-# Second command (conditional): Update keyfile for UROT_PUBKEY
+# Second command (conditional): Update keyfile for MCUboot (UROT_PUBKEY or BL_PUBKEY)
 if(SB_CONFIG_MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE)
   string(CONFIGURE "${SB_CONFIG_BOOT_SIGNATURE_KEY_FILE}" mcuboot_signature_key_file)
+  set(mcuboot_kmu_keyname UROT_PUBKEY)
+
+  if(NOT SB_CONFIG_MCUBOOT_SIGNATURE_KMU_UROT_MAPPING AND NOT SB_CONFIG_SECURE_BOOT_APPCORE)
+    set(mcuboot_kmu_keyname BL_PUBKEY)
+  endif()
+
   list(APPEND kmu_json_commands
     COMMAND ${Python3_EXECUTABLE} -m west ncs-provision upload
-      --keyname UROT_PUBKEY
+      --keyname ${mcuboot_kmu_keyname}
       --key ${mcuboot_signature_key_file}
       --build-dir ${CMAKE_BINARY_DIR}
       --dry-run

sysbuild/CMakeLists.txt

@@ -238,6 +238,12 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
 
         if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
           set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
+
+          if(SB_CONFIG_MCUBOOT_SIGNATURE_KMU_UROT_MAPPING)
+            set_config_bool(mcuboot CONFIG_NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING y)
+          else()
+            set_config_bool(mcuboot CONFIG_NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING n)
+          endif()
         else()
           set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU n)
         endif()

sysbuild/Kconfig.mcuboot

@@ -183,6 +183,18 @@ config MCUBOOT_SIGNATURE_USING_KMU
 	help
 	  The device needs to be provisioned with proper set of keys.
 
+config MCUBOOT_SIGNATURE_KMU_UROT_MAPPING
+	bool "Use original UROT KMU key mapping [DEPRECATED]"
+	depends on MCUBOOT_SIGNATURE_USING_KMU
+	depends on SOC_SERIES_NRF54LX
+	depends on !SECURE_BOOT_APPCORE
+	select DEPRECATED
+	help
+	  When this option is enabled, it will use the previous UROT_PUBKEY key slot IDs for the
+	  MCUboot image which are assigned for the non-immutable bootloader IDs, otherwise it
+	  will use the key set for the mode that MCUboot is used in (non-immutable slots when b0
+	  is enabled, or immutable slots when b0 is not enabled).
+
 config MCUBOOT_SIGNATURE_USING_ITS
 	bool "Use ITS stored keys for signature verification [EXPERIMENTAL]"
 	depends on SOC_SERIES_NRF54HX

tests/subsys/kmu/pytest/common.py

@@ -9,6 +9,7 @@
 import subprocess
 
 from pathlib import Path
+from twister_harness.helpers.utils import find_in_config
 
 logger = logging.getLogger(__name__)
 
@@ -73,6 +74,14 @@ def flash_board(build_dir: Path | str, dev_id: str | None, erase: bool = False):
     run_command(command)
 
 
+def get_keyname_for_mcuboot(sysbuild_config: Path) -> str:
+    keyname = "BL_PUBKEY"
+    if (find_in_config(sysbuild_config, "SB_CONFIG_SECURE_BOOT_APPCORE")
+            or find_in_config(sysbuild_config, "SB_CONFIG_MCUBOOT_SIGNATURE_KMU_UROT_MAPPING")):
+        keyname = "UROT_PUBKEY"
+    return keyname
+
+
 def provision_keys_for_kmu(
         keys: list[str] | str,
         keyname: str = "UROT_PUBKEY",  # UROT_PUBKEY, BL_PUBKEY, APP_PUBKEY

tests/subsys/kmu/pytest/test_kmu_provision.py

@@ -11,6 +11,7 @@
 from twister_harness import DeviceAdapter
 from twister_harness.helpers.utils import match_lines, find_in_config
 from common import (
+    get_keyname_for_mcuboot,
     provision_keys_for_kmu,
     reset_board,
     APP_KEYS_FOR_KMU
@@ -49,7 +50,7 @@ def test_kmu_use_key_from_config(dut: DeviceAdapter, test_option):
 
     provision_keys_for_kmu(
         keys=keys,
-        keyname="UROT_PUBKEY",
+        keyname=get_keyname_for_mcuboot(sysbuild_config),
         dev_id=dut.device_config.id
     )
     dut.clear_buffer()
@@ -70,13 +71,14 @@ def test_kmu_use_wrong_key(dut: DeviceAdapter):
     verify that the application does not boot if the keys are incorrect.
     """
     logger.info("Provision wrong keys")
+    sysbuild_config = Path(dut.device_config.build_dir) / 'zephyr' / '.config'
     provision_keys_for_kmu(
         keys=[
             APP_KEYS_FOR_KMU / 'root-ed25519-1.pem',
             APP_KEYS_FOR_KMU / 'root-ed25519-2.pem',
             APP_KEYS_FOR_KMU / 'root-ed25519-w.pem'
         ],
-        keyname="UROT_PUBKEY",
+        keyname=get_keyname_for_mcuboot(sysbuild_config),
         dev_id=dut.device_config.id
     )
 

west.yml

@@ -128,7 +128,7 @@ manifest:
           compare-by-default: true
     - name: mcuboot
       repo-path: sdk-mcuboot
-      revision: 1c8a5953c5411bb1e453c3747a4d13ac0680ff14
+      revision: 754f9586875dd72de367704e42c2121eb60696c3
       path: bootloader/mcuboot
     - name: qcbor
       url: https://github.com/laurencelundblade/QCBOR