From 6c232925f371e9fe35b5923bb5c6ffa8fb94db8b Mon Sep 17 00:00:00 2001
From: Michal Kozikowski
Date: Tue, 29 Jul 2025 12:44:13 +0200
Subject: [PATCH 1/2] Revert "[nrf noup] mcuboot: Add CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512"
This reverts commit 6b3791792fc6b221fd6f5bc634256d08e144a7c3. Changes were moved to upstream in PR #93813.
Signed-off-by: Michal Kozikowski
(cherry picked from commit 2e2beca20d6bd81740b32d2f2da8d741fec941dd)
---
 modules/Kconfig.mcuboot | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/modules/Kconfig.mcuboot b/modules/Kconfig.mcuboot
index 694f4069b90f..c02ee43f5eb8 100644
--- a/modules/Kconfig.mcuboot
+++ b/modules/Kconfig.mcuboot
@@ -288,11 +288,6 @@ config MCUBOOT_BOOTLOADER_NO_DOWNGRADE
 MCUBOOT_DOWNGRADE_PREVENTION option enabled.
 endif
-config MCUBOOT_BOOTLOADER_USES_SHA512
- bool "MCUboot uses SHA512 for image hash"
- help
- MCUboot has been compiled to verify images using SHA512.
-
 config MCUBOOT_APPLICATION_FIRMWARE_UPDATER
 bool "Application is firmware updater image"
 depends on MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER
From d3a220a6c36d279bc5f28ab2c1c42def4f1f0b2f Mon Sep 17 00:00:00 2001
From: Michal Kozikowski
Date: Wed, 23 Jul 2025 09:53:11 +0200
Subject: [PATCH 2/2] [nrf fromtree] cmake: mcuboot: SHA512/pure image signing
Update signing script to use proper arguments for imgtool when SHA512 or pure signature is needed.
Signed-off-by: Michal Kozikowski
(cherry picked from commit 6c72cd3e65e3d3a1c9b8026be5fd6207b06d8f81)
(cherry picked from commit c136755381da8ba816a7be35bc0ff8050fc559df)
---
 cmake/mcuboot.cmake | 7 +++++++
 modules/Kconfig.mcuboot | 12 ++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/cmake/mcuboot.cmake b/cmake/mcuboot.cmake
index d2fcf68e8897..ac37b175a31b 100644
--- a/cmake/mcuboot.cmake
+++ b/cmake/mcuboot.cmake
@@ -152,6 +152,13 @@ function(zephyr_mcuboot_tasks)
 set(imgtool_args --align ${write_block_size} ${imgtool_args})
 endif()
+ # Set proper hash calculation algorithm for signing
+ if(CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE)
+ set(imgtool_args --pure ${imgtool_args})
+ elseif(CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512)
+ set(imgtool_args --sha 512 ${imgtool_args})
+ endif()
+
 # Extensionless prefix of any output file.
 set(output ${ZEPHYR_BINARY_DIR}/${KERNEL_NAME})
diff --git a/modules/Kconfig.mcuboot b/modules/Kconfig.mcuboot
index c02ee43f5eb8..a95dc34b72f7 100644
--- a/modules/Kconfig.mcuboot
+++ b/modules/Kconfig.mcuboot
@@ -288,6 +288,18 @@ config MCUBOOT_BOOTLOADER_NO_DOWNGRADE
 MCUBOOT_DOWNGRADE_PREVENTION option enabled.
 endif
+config MCUBOOT_BOOTLOADER_USES_SHA512
+ bool "MCUboot uses SHA512 for image hash"
+ help
+ MCUboot has been compiled to verify images using SHA512.
+
+config MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE
+ bool "Signature is verified over an image rather than sha of an image"
+ help
+ MCUboot has been compiled to verify images using pure signature
+ verification, i.e., the signature is verified over the image rather
+ than the SHA of the image.
+
 config MCUBOOT_APPLICATION_FIRMWARE_UPDATER
 bool "Application is firmware updater image"
 depends on MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER
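Review bot: The `if`/`elseif` lets `CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE` silently win over `CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512` when both are set, and the comment above it mentions only the hash algorithm. Neither symbol is derived from the bootloader build in this hunk; each is an assertion about how MCUboot was compiled, so a wrong value presumably yields an image signed in a form the bootloader will not verify. I would spell that out in the comment, e.g. `# Must mirror the MCUboot build: --pure signs the image itself and takes precedence over --sha 512.` zephyr_mcuboot_tasks() starts and ends outside the hunk, so any check of the signing key type against `--pure` is not visible here.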
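Review bot: Both new symbols in modules/Kconfig.mcuboot are plain prompts with no `depends on` and no relation to each other, unlike the neighbouring `MCUBOOT_APPLICATION_FIRMWARE_UPDATER`, so a configuration can enable both at once or enable either without image signing being set up. The help texts describe what the bootloader does but not that the option changes the arguments passed to imgtool for this image. Consider adding a sentence to each help text such as `Selects how the application image is signed; set it only to reflect the MCUboot configuration.` and, if the two are meant to be exclusive, stating that in the help or expressing it as a dependency. The `endif` in the context closes a block that opens outside the hunk, so an enclosing condition may exist that is not visible here.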