gchwier
Contributor

@gchwier gchwier commented May 20, 2025

Added automatic KMU key provisioning for both NSIB and MCUboot.

Changes in zephyr allow provisioning KMU keys with the west flash command if keyfile.json (generated by west ncs-provision) is in the build directory.

In sdk-nrf (PR with manifest), examples and Kconfigs were added to enable automatic keyfile generation during the build process.

If the Kconfig flag to automatically create keyfile.json is not enabled, one can still generate/modify keyfile.json in the build directory and the keys will be provisioned after flash.

Build the app with NSIB (MCUboot with KMU etc. can be added)
west build -p -b nrf54l15dk/nrf54l15/cpuapp $ZEPHYR_BASE/samples/hello_world -d build-54l-nsib -- -DSB_CONFIG_SECURE_BOOT_APPCORE=y

Generate keyfile.json in build dir (west ncs-provision with --dry-run)
west ncs-provision upload --keyname BL_PUBKEY --key build-54l-nsib/GENERATED_NON_SECURE_SIGN_KEY_PRIVATE.pem --build-dir build-54l-nsib --dry-run

and flash (with --erase or --recover option)
west flash --skip-rebuild --erase -d build-54l-nsib

@gchwier gchwier closed this May 20, 2025
@gchwier gchwier changed the title from "[nrf noup] west: runners: Add ncs-provision to west flash command" to "POC [nrf noup] west: runners: Add ncs-provision to west flash command" May 20, 2025
@gchwier gchwier reopened this May 20, 2025
@gchwier gchwier requested review from a team, michalek-no and nvlsianpu May 20, 2025 18:06
@gchwier gchwier added the DNM label May 20, 2025
Contributor

@carlescufi carlescufi left a comment

I really do not want this amount of out-of-tree code in this file. It will be a nightmare to keep in sync.
Our options are:

  • Have everything, including provisioning, upstream (we could call it --provision instead). We already did something similar with the H20 SUIT support, where it was upstream although only needed for downstream
  • Use an extension command west ncs-provision
  • Change the bare minimum in this file, put the logic elsewhere

@gchwier
Contributor Author

gchwier commented May 21, 2025

I really do not want this amount of out-of-tree code in this file. It will be a nightmare to keep in sync. Our options are:

  • Have everything, including provisioning, upstream
  • Use an extension command west ncs-provision
  • Change the bare minimum in this file, put the logic elsewhere

I fully agree, which is why I added the DNM label (unfortunately, I can't change the PR to draft status).

I created this as a POC to demonstrate how we can test a simple application without manual steps, eliminating the need for pytest harness in Twister.

Where is the issue with west ncs-provision?
west flash executes a reset after flashing, and the application is then marked as "permanently invalidated". Calling west ncs-provision doesn't resolve the problem. Users need to flash with nrfutil (without reset), then call west ncs-provision, and finally reset the device.
This process will likely result in a poor user experience when trying to enable NSIB on the nRF54L.

FYI @nvlsianpu

@gchwier gchwier marked this pull request as draft May 21, 2025 11:51
@carlescufi
Contributor

west flash executes a reset after flashing,

There is a --no-reset option to west flash. Why can't you have a west ncs-provision that invokes west flash --no-reset and then does whatever you need to do?

@gchwier
Contributor Author

gchwier commented May 21, 2025

There is a --no-reset option to west flash. Why can't you have a west ncs-provision that invokes west flash --no-reset and then does whatever you need to do?

I forgot about --no-reset. It is an option for the customer, who can then use:

  1. west flash --erase/--recover --no-reset
  2. west ncs-provision
  3. nrfutil device reset

or

  1. nrfutil device erase/recover
  2. west ncs-provision
  3. west flash

An option would be to extend west ncs-provision in sdk-nrf to also call west flash ... but it will not work with Twister.

@gchwier gchwier force-pushed the grch-west-flash-with-provision branch from 505a62b to 0d6a1a7 Compare May 26, 2025 13:24
@gchwier gchwier changed the title from "POC [nrf noup] west: runners: Add ncs-provision to west flash command" to "[nrf fromlist] west: runners: Add ncs-provision to west flash command" May 26, 2025
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 3 times, most recently from cb24635 to 696147c Compare May 29, 2025 15:36
@gchwier gchwier marked this pull request as ready for review June 6, 2025 13:30
@gchwier gchwier removed the DNM label Jun 6, 2025
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 2 times, most recently from 5a71714 to bd5f806 Compare June 12, 2025 07:42
@gchwier gchwier changed the title from "[nrf fromlist] west: runners: Add ncs-provision to west flash command" to "[nrf fromtree] west: runners: nrfutil: Add key file when present to west flash command" Jun 12, 2025
@gchwier gchwier requested a review from carlescufi June 12, 2025 08:33
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch 2 times, most recently from 62df148 to edde8da Compare June 12, 2025 12:11
Added automatic KMU key provisioning, when keyfile.json
file exists in the build directory.
This enables automated key provisioning during the
flashing process to enable testing nRF54L applications using Twister.
Only applicable on nrfutil runner.

Signed-off-by: Grzegorz Chwierut <[email protected]>
(cherry picked from commit db3c344)
@gchwier gchwier force-pushed the grch-west-flash-with-provision branch from edde8da to adb4823 Compare June 18, 2025 14:14

@carlescufi carlescufi merged commit 126c387 into nrfconnect:main Jun 18, 2025
36 checks passed
@gchwier gchwier deleted the grch-west-flash-with-provision branch June 18, 2025 15:53