nrf5340 ncsv2.9.0 ble dfu

Hi team.

Now i'm use soc nrf5340, and the ncs version 2.9.0.

I want to encrypt my external flash using QSPI.

I encountered some problems while using the nrf connect mobile app to perform the Bluetooth upgrade.

file postion : E:\Project\SDK\v2.9.0\bootloader\mcuboot\boot\zephyr\main.c


#ifdef CONFIG_MCUBOOT_ENC_EXT_FLASH
#define NONCE_CTX "test_string"
#include <hw_unique_key.h>
#include <nrfx_qspi.h>

static bool encryption_done = false;
int encrypt_external_flash(void)
{
    if (encryption_done) {
        printk("External flash already encrypted, skipping\n");
        return NRFX_SUCCESS;
    }

    nrf_qspi_encryption_t encrypt_param = {0};
    uint8_t label[3] = {0}; // Label used for both key and nonce
    int ret = 0;

    if (!hw_unique_key_are_any_written())
        hw_unique_key_write_random();

    // Derive the key
    uint8_t key_context[16] = {0};
    memcpy(key_context, CONFIG_BOARD, strlen(CONFIG_BOARD));

    printk("Deriving keyyyyyyyyyyyyyyyyyyyyy with context: %s\n", key_context);
    ret = hw_unique_key_derive_key(HUK_KEYSLOT_MEXT,
                                    key_context, sizeof(key_context),
                                    label, sizeof(label),
                                    (uint8_t *)encrypt_param.key, sizeof(encrypt_param.key));
    if (ret)
    {
        printk("derive board key error: %d\n", ret);
        return ret;
    }

    // Derive the nonce
    uint8_t nonce_context[32] = {0};
    memcpy(nonce_context, NONCE_CTX, strlen(NONCE_CTX));
    printk("Deriving nonceeeeeeeeeeeeeeeeee with context: %s\n", nonce_context);
    ret = hw_unique_key_derive_key(HUK_KEYSLOT_MEXT,
                                    nonce_context, sizeof(nonce_context),
                                    label, sizeof(label),
                                    (uint8_t *)encrypt_param.nonce, sizeof(encrypt_param.nonce));
    if (ret)
    {
        printk("derive nonce ctx key error: %d\n", ret);
        return ret;
    }

    // Perform encryption with DMA
    ret = nrfx_qspi_dma_encrypt(&encrypt_param);
    if (ret != NRFX_SUCCESS)
    {
        printk("nrfx_qspi_dma_encrypt error: %d\n", ret);
        return ret;
    }

    // Perform encryption with XIP
    ret = nrfx_qspi_xip_encrypt(&encrypt_param);
    if (ret != NRFX_SUCCESS)
    {
        printk("nrfx_qspi_xip_encrypt error: %d\n", ret);
        return ret;
    }

    MCUBOOT_WATCHDOG_FEED();

    encryption_done = true;
    printk("Set ext flash encryption done\n");
    return NRFX_SUCCESS;
}

SYS_INIT(encrypt_external_flash, POST_KERNEL, 42);
#endif /*CONFIG_MCUBOOT_ENC_EXT_FLASH*/


file : prj.conf
CONFIG_NCS_SAMPLE_MCUMGR_BT_OTA_DFU=y
CONFIG_MCUMGR_MGMT_NOTIFICATION_HOOKS=y
CONFIG_CHIP_DFU_OVER_BT_SMP=y

file : sysbuild.conf
SB_CONFIG_PARTITION_MANAGER=y
SB_CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=y

file : sysbuild/mcuboot/prj.conf
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
CONFIG_HW_UNIQUE_KEY=y
CONFIG_HW_UNIQUE_KEY_RANDOM=y
CONFIG_MCUBOOT_ENC_EXT_FLASH=y

When I disabled the operation of encrypting the external flash, my Bluetooth upgrade was successful.

However, when I enabled the encryption operation, the Bluetooth upgrade failed.
After printing and checking, it was found that the magic failed to match and the upgrade was unsuccessful.

E: Faled boot_set_next with code 3, for slot 1, with active slot 0 and confirm 0

Will there be any problems with this encryption operation?