west build failed due to mcuboot sysbuild

Hi Dunk,

Could you try to install NCS by following this guide?

Hi Benjamin,

I don't really understand the usage of nrfutil for the NCS SDK installation, but I've tried it on my environment as below:

It's still failed:

luser@zephyrbuild:~$ ./nrfutil install sdk-manager
nrfutil-sdk-manager already installed - use '--force' to uninstall and reinstall the command
[00:00:01] ###### 100% [Install packages] Install packages                                                                                                                                                       luser@zephyrbuild:~$ ls
cbs  cbs_test  ncs  NCS-Project  nrfutil  sdk-zephyr.git  zephyrproject
luser@zephyrbuild:~$ ls -la
total 12892
drwxr-x--- 13 luser luser     4096 Sep 23 10:02 .
drwxr-xr-x  3 root  root      4096 Jan 22  2025 ..
-rw-------  1 luser luser    67807 Sep 23 10:02 .bash_history
-rw-r--r--  1 luser luser      220 Jan  6  2022 .bash_logout
-rw-r--r--  1 luser luser     3771 Jan  6  2022 .bashrc
drwx------  5 luser luser     4096 Sep  2 08:33 .cache
drwxrwxr-x 16 luser luser     4096 Sep 17 10:33 cbs
drwxrwxr-x 13 luser luser     4096 Sep 19 09:28 cbs_test
drwxrwxr-x  3 luser luser     4096 Sep  2 07:59 .cmake
-rw-rw-r--  1 luser luser      633 Sep 19 09:35 .gitconfig
-rw-------  1 luser luser      884 Sep 22 08:20 .lesshst
drwxrwxr-x  6 luser luser     4096 Sep  3 02:50 ncs
drwxrwxr-x 13 luser luser     4096 Sep  3 08:01 NCS-Project
drwxrwxr-x 11 luser luser     4096 Sep  2 08:54 .nrfutil
-rwxrwxr-x  1 luser luser 13003448 Nov  4  2024 nrfutil
-rw-r--r--  1 luser luser      807 Jan  6  2022 .profile
drwxrwxr-x 12 luser luser     4096 Jan 22  2025 sdk-zephyr.git
drwx------  2 luser luser     4096 Sep 19 08:45 .ssh
-rw-r--r--  1 luser luser        0 Jan 22  2025 .sudo_as_admin_successful
drwxr-xr-x  2 luser luser     4096 Sep 17 02:53 .vim
-rw-------  1 luser luser    45147 Sep 19 09:35 .viminfo
-rw-rw-r--  1 luser luser      210 Sep 22 08:41 .wget-hsts
drwxrwxr-x 10 luser luser     4096 Sep 22 08:46 zephyrproject
luser@zephyrbuild:~$ ls .nrfutil/
bin  bootstrap  cache  config  installed  logs  registry  share  tmp
luser@zephyrbuild:~$ ls .nrfutil/installed/
nrfutil-sdk-manager-x86_64-unknown-linux-gnu  nrfutil-x86_64-unknown-linux-gnu
luser@zephyrbuild:~$ nrfutil sdk-manager search
nrfutil: command not found
luser@zephyrbuild:~$ ./nrfutil sdk-manager search
SDK Type  SDK Version      SDK Status  Toolchain Version  Toolchain Status
nrf       v3.2.0-preview1  Available   v3.2.0-preview1    Available
nrf       v3.1.1           Available   v3.1.1             Available
nrf       v3.1.0           Installed   v3.1.0             Installed
nrf       v3.0.2           Available   v3.0.2             Available
nrf       v3.0.1           Available   v3.0.1             Available
nrf       v3.0.0           Available   v3.0.0             Available
nrf       v2.9.2           Available   v2.9.2             Available
nrf       v2.9.1           Available   v2.9.1             Available
nrf       v2.9.0           Available   v2.9.0             Available
nrf       v2.8.0           Available   v2.8.0             Available
nrf       v2.7.0           Available   v2.7.0             Available
nrf       v2.6.0           Available   v2.6.0             Available
nrf       v2.5.0           Available   v2.5.0             Available
nrf       v2.4.0           Available   v2.4.0             Available
nrf       v2.3.0           Available   v2.3.0             Available
nrf       v2.2.0           Available   v2.2.0             Available
nrf       v2.1.0           Available   v2.1.0             Available
nrf       v2.0.0           Available   v2.0.0             Available

luser@zephyrbuild:~$ ./nrfutil sdk-manager install v3.1.0
[00:00:00] ###### 100% [Install toolchain v3.1.0] Toolchain with version v3.1.0 already installed                                                                                                                [00:00:00] ###### 100% [Install SDK v3.1.0] SDK with version v3.1.0 already installed                                                                                                                            luser@zephyrbuild:~$ ls ncs/
downloads  tmp  toolchains  v3.1.0
luser@zephyrbuild:~$ ./nrfutil sdk-manager toolchain launch --ncs-version v3.1.0 --shell
Initializing shell environment!

(v3.1.0) luser@zephyrbuild:~$ ls
cbs  cbs_test  ncs  NCS-Project  nrfutil  sdk-zephyr.git  zephyrproject
(v3.1.0) luser@zephyrbuild:~$ cd cbs
(v3.1.0) luser@zephyrbuild:~/cbs$ ls
bootloader  build  cbs_nrf_sdk_3.1.0  cbs_nrf_sdk_3.1.0.org  modules  nrf  nrfxlib  test  tools  zephyr  zephyr-sdk-0.17.0  zephyr-sdk-0.17.1
(v3.1.0) luser@zephyrbuild:~/cbs$ source zephyr/zephyr-env.sh
(v3.1.0) luser@zephyrbuild:~/cbs$ west ^C
(v3.1.0) luser@zephyrbuild:~/cbs$ west build -p always -b nrf52840dk/nrf52840 zephyr/samples/sysbuild/with_mcuboot --sysbuild
-- west build: making build dir /home/luser/cbs/build pristine
-- west build: generating a build system
Loading Zephyr module(s) (Zephyr base): sysbuild_default
-- Found Python3: /home/luser/ncs/toolchains/c5be9c56c7/usr/local/bin/python3.12 (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
-- Cache files will be written to: /home/luser/.cache/zephyr
-- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
-- Board: nrf52840dk, qualifiers: nrf52840
Parsing /home/luser/cbs/zephyr/share/sysbuild/Kconfig
Loaded configuration '/home/luser/cbs/build/_sysbuild/empty.conf'
Merged configuration '/home/luser/cbs/zephyr/samples/sysbuild/with_mcuboot/sysbuild.conf'
Configuration saved to '/home/luser/cbs/build/zephyr/.config'
Kconfig header saved to '/home/luser/cbs/build/_sysbuild/autoconf.h'
--
   *****************************
   * Running CMake for mcuboot *
   *****************************

Loading Zephyr default modules (Zephyr base).
-- Application: /home/luser/cbs/bootloader/mcuboot/boot/zephyr
-- CMake version: 3.21.0
-- Found Python3: /home/luser/ncs/toolchains/c5be9c56c7/usr/local/bin/python (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
-- Cache files will be written to: /home/luser/.cache/zephyr
-- Zephyr version: 4.1.99 (/home/luser/cbs/zephyr)
-- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
-- Board: nrf52840dk, qualifiers: nrf52840
-- Found host-tools: zephyr 0.17.0 (/home/luser/ncs/toolchains/c5be9c56c7/opt/zephyr-sdk)
-- Found toolchain: zephyr 0.17.0 (/home/luser/ncs/toolchains/c5be9c56c7/opt/zephyr-sdk)
-- Found Dtc: /home/luser/ncs/toolchains/c5be9c56c7/usr/bin/dtc (found suitable version "1.5.0", minimum required is "1.4.6")
-- Found BOARD.dts: /home/luser/cbs/zephyr/boards/nordic/nrf52840dk/nrf52840dk_nrf52840.dts
-- Found devicetree overlay: /home/luser/cbs/bootloader/mcuboot/boot/zephyr/app.overlay
-- Generated zephyr.dts: /home/luser/cbs/build/mcuboot/zephyr/zephyr.dts
-- Generated pickled edt: /home/luser/cbs/build/mcuboot/zephyr/edt.pickle
-- Generated devicetree_generated.h: /home/luser/cbs/build/mcuboot/zephyr/include/generated/zephyr/devicetree_generated.h
Parsing /home/luser/cbs/bootloader/mcuboot/boot/zephyr/Kconfig
Loaded configuration '/home/luser/cbs/zephyr/boards/nordic/nrf52840dk/nrf52840dk_nrf52840_defconfig'
Merged configuration '/home/luser/cbs/bootloader/mcuboot/boot/zephyr/prj.conf'
Merged configuration '/home/luser/cbs/bootloader/mcuboot/boot/zephyr/boards/nrf52840dk_nrf52840.conf'
Merged configuration '/home/luser/cbs/zephyr/samples/sysbuild/with_mcuboot/sysbuild/mcuboot.conf'
Merged configuration '/home/luser/cbs/build/mcuboot/zephyr/.config.sysbuild'
Configuration saved to '/home/luser/cbs/build/mcuboot/zephyr/.config'
Kconfig header saved to '/home/luser/cbs/build/mcuboot/zephyr/include/generated/zephyr/autoconf.h'
-- Found GnuLd: /home/luser/ncs/toolchains/c5be9c56c7/opt/zephyr-sdk/arm-zephyr-eabi/arm-zephyr-eabi/bin/ld.bfd (found version "2.38")
-- The C compiler identification is GNU 12.2.0
-- The CXX compiler identification is GNU 12.2.0
-- The ASM compiler identification is GNU
-- Found assembler: /home/luser/ncs/toolchains/c5be9c56c7/opt/zephyr-sdk/arm-zephyr-eabi/bin/arm-zephyr-eabi-gcc
CMake Warning at /home/luser/cbs/nrf/lib/flash_patch/CMakeLists.txt:8 (message):


        ----------------------------------------------------------
        --- WARNING: To maintain the integrity of secure boot, ---
        --- enable CONFIG_DISABLE_FLASH_PATCH in production.   ---
        ----------------------------------------------------------


-- Using ccache: /home/luser/ncs/toolchains/c5be9c56c7/usr/bin/ccache
-- Found gen_kobject_list: /home/luser/cbs/zephyr/scripts/build/gen_kobject_list.py
MCUBoot bootloader key file: /home/luser/cbs/bootloader/mcuboot/root-ec-p256.pem
CMake Warning at CMakeLists.txt:369 (message):
  WARNING: Using default MCUboot signing key file, this file is for debug use
  only and is not secure!


Calculated maximum number of sectors: 118
-- Configuring done
-- Generating done
-- Build files have been written to: /home/luser/cbs/build/mcuboot
--
   **********************************
   * Running CMake for with_mcuboot *
   **********************************

Loading Zephyr default modules (Zephyr base).
-- Application: /home/luser/cbs/zephyr/samples/sysbuild/with_mcuboot
-- CMake version: 3.21.0
-- Found Python3: /home/luser/ncs/toolchains/c5be9c56c7/usr/local/bin/python (found suitable version "3.12.4", minimum required is "3.10") found components: Interpreter
-- Cache files will be written to: /home/luser/.cache/zephyr
-- Zephyr version: 4.1.99 (/home/luser/cbs/zephyr)
-- Found west (found suitable version "1.4.0", minimum required is "0.14.0")
-- Board: nrf52840dk, qualifiers: nrf52840
-- Found host-tools: zephyr 0.17.0 (/home/luser/ncs/toolchains/c5be9c56c7/opt/zephyr-sdk)
-- Found toolchain: zephyr 0.17.0 (/home/luser/ncs/toolchains/c5be9c56c7/opt/zephyr-sdk)
-- Found Dtc: /home/luser/ncs/toolchains/c5be9c56c7/usr/bin/dtc (found suitable version "1.5.0", minimum required is "1.4.6")
-- Found BOARD.dts: /home/luser/cbs/zephyr/boards/nordic/nrf52840dk/nrf52840dk_nrf52840.dts
-- Generated zephyr.dts: /home/luser/cbs/build/with_mcuboot/zephyr/zephyr.dts
-- Generated pickled edt: /home/luser/cbs/build/with_mcuboot/zephyr/edt.pickle
-- Generated devicetree_generated.h: /home/luser/cbs/build/with_mcuboot/zephyr/include/generated/zephyr/devicetree_generated.h

warning: UPDATEABLE_IMAGE_NUMBER (defined at
/home/luser/cbs/nrf/samples/common/mcumgr_bt_ota_dfu/Kconfig:87, subsys/dfu/Kconfig:96) was assigned
the value '1' but got the value ''. Check these unsatisfied dependencies:
(((BOARD_THINGY53_NRF5340_CPUAPP || BOARD_THINGY53_NRF5340_CPUAPP_NS) && SOC_SERIES_NRF53X &&
NCS_SAMPLE_MCUMGR_BT_OTA_DFU) || (!MCUBOOT && IMG_MANAGER)) (=n). See
http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_UPDATEABLE_IMAGE_NUMBER and/or look up
UPDATEABLE_IMAGE_NUMBER in the menuconfig/guiconfig interface. The Application Development Primer,
Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
helpful too.


warning: MCUBOOT_UPDATE_FOOTER_SIZE (defined at subsys/dfu/Kconfig:55) was assigned the value
'0x2000' but got the value ''. Check these unsatisfied dependencies: MCUBOOT_IMG_MANAGER (=n),
IMG_MANAGER (=n). See
http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MCUBOOT_UPDATE_FOOTER_SIZE and/or look up
MCUBOOT_UPDATE_FOOTER_SIZE in the menuconfig/guiconfig interface. The Application Development
Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual
might be helpful too.


/home/luser/cbs/build/with_mcuboot/zephyr/.config.sysbuild:20: warning: attempt to assign the value 'n' to the undefined symbol MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
Parsing /home/luser/cbs/zephyr/Kconfig
Loaded configuration '/home/luser/cbs/zephyr/boards/nordic/nrf52840dk/nrf52840dk_nrf52840_defconfig'
Merged configuration '/home/luser/cbs/zephyr/samples/sysbuild/with_mcuboot/prj.conf'
Merged configuration '/home/luser/cbs/build/with_mcuboot/zephyr/.config.sysbuild'

error: Aborting due to Kconfig warnings

CMake Error at /home/luser/cbs/zephyr/cmake/modules/kconfig.cmake:377 (message):
  command failed with return code: 1
Call Stack (most recent call first):
  /home/luser/cbs/nrf/cmake/modules/kconfig.cmake:83 (include)
  /home/luser/cbs/zephyr/cmake/modules/zephyr_default.cmake:131 (include)
  /home/luser/cbs/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:66 (include)
  /home/luser/cbs/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
  CMakeLists.txt:5 (find_package)


-- Configuring incomplete, errors occurred!
CMake Error at cmake/modules/sysbuild_extensions.cmake:530 (message):
  CMake configure failed for Zephyr project: with_mcuboot

  Location: /home/luser/cbs/zephyr/samples/sysbuild/with_mcuboot
Call Stack (most recent call first):
  cmake/modules/sysbuild_images.cmake:43 (ExternalZephyrProject_Cmake)
  cmake/modules/sysbuild_default.cmake:21 (include)
  /home/luser/cbs/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:75 (include)
  /home/luser/cbs/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
  /home/luser/cbs/zephyr/share/sysbuild-package/cmake/SysbuildConfig.cmake:8 (include)
  template/CMakeLists.txt:10 (find_package)


-- Configuring incomplete, errors occurred!
See also "/home/luser/cbs/build/CMakeFiles/CMakeOutput.log".
FATAL ERROR: command exited with status 1: /home/luser/ncs/toolchains/c5be9c56c7/usr/local/bin/cmake -DWEST_PYTHON=/home/luser/ncs/toolchains/c5be9c56c7/usr/local/bin/python3.12 -B/home/luser/cbs/build -GNinja -DBOARD=nrf52840dk/nrf52840 -S/home/luser/cbs/zephyr/share/sysbuild -DAPP_DIR:PATH=/home/luser/cbs/zephyr/samples/sysbuild/with_mcuboot
(v3.1.0) luser@zephyrbuild:~/cbs$

Could you upload your nrf/west.yml file?

Hi Benjamin,

Here you are.

(v3.1.0) luser@zephyrbuild:~/ncs/v3.1.0/nrf$ cat west.yml
# The west manifest file (west.yml) for the nRF Connect SDK (NCS).
#
# The per-workspace west configuration file, ncs/.west/config,
# specifies the location of this manifest file like this:
#
#     [manifest]
#     path = nrf
#
# See the west documentation for more information:
#
# https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/west/index.html

manifest:
  version: "0.13"

  # "remotes" is a list of locations where git repositories are cloned
  # and fetched from.
  remotes:
    # nRF Connect SDK GitHub organization.
    # NCS repositories are hosted here.
    - name: ncs
      url-base: https://github.com/nrfconnect
    # Third-party repository sources:
    - name: zephyrproject
      url-base: https://github.com/zephyrproject-rtos
    - name: throwtheswitch
      url-base: https://github.com/ThrowTheSwitch
    - name: dragoon
      url-base: https://projecttools.nordicsemi.no/bitbucket/scm/drgn
    - name: memfault
      url-base: https://github.com/memfault
    - name: babblesim
      url-base: https://github.com/BabbleSim
    - name: bosch
      url-base: https://github.com/boschsensortec
    - name: eembc
      url-base: https://github.com/eembc

  # If not otherwise specified, the projects below should be obtained
  # from the ncs remote.
  defaults:
    remote: ncs

  group-filter:
    - -nrf-802154
    - -dragoon
    - -find-my
    - -babblesim
    - -libmodem
    - -bsec
    - -doc-internal
    - +optional

  # "projects" is a list of git repositories which make up the NCS
  # source code.
  #
  # For 'userdata' fields in the projects area, please refer to:
  # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/dm_code_base.html
  projects:

    # The Zephyr RTOS fork in the NCS, along with the subset of its
    # modules which NCS imports directly.
    #
    # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/introduction/index.html
    # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
    - name: zephyr
      repo-path: sdk-zephyr
      revision: ncs-v3.1.0
      import:
        # In addition to the zephyr repository itself, NCS also
        # imports the contents of zephyr/west.yml at the above
        # revision. Only the projects explicitly named in the
        # following allowlist are imported.
        #
        # Note that the zephyr west extensions (like 'build', 'flash',
        # 'debug', etc.) are automatically provided by this import, so
        # there's no need to add a redundant west-commands: key for
        # the zephyr project.
        #
        # Please keep this list sorted alphabetically.
        name-allowlist:
          - canopennode
          - chre
          - cmsis
          - cmsis-dsp
          - cmsis-nn
          - cmsis_6
          - edtt
          - fatfs
          - hal_nordic
          - hal_st # required for ST sensors (unrelated to STM32 MCUs)
          - hal_tdk # required for Invensense sensors such as ICM42670
          - hal_wurthelektronik
          - liblc3
          - libmetal
          - littlefs
          - loramac-node
          - lvgl
          - lz4
          - mipi-sys-t
          - nanopb
          - net-tools
          - nrf_hw_models
          - nrf_wifi
          - open-amp
          - percepio
          - picolibc
          - segger
          - tf-m-tests
          - tinycrypt
          - uoscore-uedhoc
          - zcbor
          - zscilib

    # NCS repositories.
    #
    # Some of these are also Zephyr modules which have NCS-specific
    # changes.
    - name: hostap
      repo-path: sdk-hostap
      path: modules/lib/hostap
      revision: 2b5c82cd4e833c065075bc239a7bd138d4662e34
    - name: wfa-qt-control-app
      repo-path: sdk-wi-fiquicktrack-controlappc
      path: modules/lib/wfa-qt-control-app
      revision: d4bc010be69aa89290c5af6767702ff46c1829e5
      userdata:
        ncs:
          upstream-url: https://github.com/Wi-FiQuickTrack/Wi-FiQuickTrack-ControlAppC
          upstream-sha: 1225729e8d84075f03bf9fc51eee85d84dfb0091
          compare-by-default: true
    - name: mcuboot
      repo-path: sdk-mcuboot
      revision: ncs-v3.1.0
      path: bootloader/mcuboot
    - name: qcbor
      url: https://github.com/laurencelundblade/QCBOR
      revision: 751d36583a9ce1a640900c57e13c9b6b8f3a2ba2
      path: modules/tee/tf-m/qcbor
    - name: mbedtls
      path: modules/crypto/mbedtls
      repo-path: sdk-mbedtls
      revision: ncs-v3.1.0
    - name: oberon-psa-crypto
      path: modules/crypto/oberon-psa-crypto
      repo-path: sdk-oberon-psa-crypto
      revision: ncs-v3.1.0
    - name: nrfxlib
      repo-path: sdk-nrfxlib
      path: nrfxlib
      revision: v3.1.0
    - name: trusted-firmware-m
      repo-path: sdk-trusted-firmware-m
      path: modules/tee/tf-m/trusted-firmware-m
      revision: ncs-v3.1.0
    - name: psa-arch-tests
      repo-path: sdk-psa-arch-tests
      path: modules/tee/tf-m/psa-arch-tests
      revision: 3da9313e64806d352c519e3205e81cf959067588
    - name: matter
      repo-path: sdk-connectedhomeip
      path: modules/lib/matter
      revision: v3.1.0
      west-commands: scripts/west/west-commands.yml
      submodules:
        - name: nlio
          path: third_party/nlio/repo
        - name: nlassert
          path: third_party/nlassert/repo
        - name: pigweed
          path: third_party/pigweed/repo
        - name: jsoncpp
          path: third_party/jsoncpp/repo
      userdata:
        ncs:
          upstream-url: https://github.com/project-chip/connectedhomeip
          upstream-sha: 181b0cb14ff007ec912f2ba6627e05dfb066c008
          compare-by-default: false
    - name: nrf-802154
      repo-path: sdk-nrf-802154
      path: nrf-802154
      revision: v3.1.0
      groups:
        - nrf-802154
    - name: dragoon
      # Only for internal Nordic development
      repo-path: dragoon.git
      remote: dragoon
      revision: fcde41eba2d1422400b5f8579fac9d9eaac9b434
      groups:
        - dragoon
    - name: cjson
      repo-path: sdk-cjson
      path: modules/lib/cjson
      revision: c6af068b7f05207b28d68880740e4b9ec1e4b50a
      userdata:
        ncs:
          upstream-url: https://github.com/DaveGamble/cJSON
          upstream-sha: d2735278ed1c2e4556f53a7a782063b31331dbf7
          compare-by-default: false
    - name: find-my
      repo-path: sdk-find-my
      revision: v3.1.0
      groups:
        - find-my
    - name: azure-sdk-for-c
      repo-path: azure-sdk-for-c
      path: modules/lib/azure-sdk-for-c
      revision: 308c171cb4b5eed266649012a68406487ec81fb2
      userdata:
        ncs:
          upstream-url: https://github.com/Azure/azure-sdk-for-c
          upstream-sha: adc56bc6138a28b5490bce339a31a2581a072092
          compare-by-default: false
    - name: cirrus
      repo-path: sdk-mcu-drivers
      path: modules/hal/cirrus-logic
      revision: 3873a08377d93a479105a75ac390d3bbcd31d690
      userdata:
        ncs:
          upstream-url: https://github.com/CirrusLogic/mcu-drivers
          upstream-sha: 1be6ca7253133a21a1e9fe0fbb4656e17d63a936
          compare-by-default: false
    - name: libmodem
      revision: 5dc5bc768dda0ddf9974920c618b70da5d67c6c3
      groups:
        - libmodem
    - name: openthread
      repo-path: sdk-openthread
      path: modules/lib/openthread
      revision: ncs-thread-reference-20250402
      userdata:
        ncs:
          upstream-url: https://github.com/openthread/openthread
          upstream-sha: c6eaeda5a1c1c5dbb24dce7e027340cb8893a77b
          compare-by-default: false
    - name: doc-internal
      repo-path: doc-internal
      path: modules/doc-internal
      revision: ae9f21960477636720a72ced869a6c342d502484
      groups:
        - doc-internal

    # Other third-party repositories.
    - name: cmock
      path: test/cmock
      submodules: true
      revision: f65066f15d8248e6dcb778efb8739904a4512087
      remote: throwtheswitch
    - name: memfault-firmware-sdk
      path: modules/lib/memfault-firmware-sdk
      revision: 1.26.0
      remote: memfault
    - name: bsim
      repo-path: bsim_west
      remote: babblesim
      revision: a88d3353451387ca490a6a7f7c478a90c4ee05b7
      import:
        path-prefix: tools
    - name: bme68x
      repo-path: Bosch-BME68x-Library
      remote: bosch
      path: modules/lib/bme68x
      revision: v1.1.40407
      groups:
        - bsec
    - name: bsec
      repo-path: Bosch-BSEC2-Library
      remote: bosch
      path: modules/lib/bsec
      revision: v1.5.2400
      groups:
        - bsec
    - name: coremark
      remote: eembc
      path: modules/benchmark/coremark
      revision: d5fad6bd094899101a4e5fd53af7298160ced6ab
      groups:
        - benchmark

  # West-related configuration for the nrf repository.
  self:
    # This repository should be cloned to ncs/nrf.
    path: nrf
    # This line configures west extensions.
    west-commands: scripts/west-commands.yml
(v3.1.0) luser@zephyrbuild:~/ncs/v3.1.0/nrf$

The warning and error you are getting is because the build system doesn't find the Kconfig symbol MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION. This Kconfig symbol is defined in the following file:

v3.1.0/nrf/sysbuild/Kconfig.mcuboot

Could you check if you have this file and if the Kconfig symbol is defined there?

Hi Benjamin,

Yes, there is item 'MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION' defined in Kconfig.mcuboot. But I don't understand that the building procedure is passed with *mcuboot* and is failed at application part, ie. 'with_mcuboot', in my previous example.

(v3.1.0) luser@zephyrbuild:~/ncs/v3.1.0/nrf$ cat sysbuild/Kconfig.mcuboot
# Copyright (c) 2023 Nordic Semiconductor
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause

menu "MCUboot configuration"
        depends on BOOTLOADER_MCUBOOT

config MCUBOOT_SIGN_MERGED_BINARY
        bool "Sign single, merged update package [EXPERIMENTAL]"
        default y if (MCUBOOT_MODE_DIRECT_XIP || MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT)
        depends on SOC_NRF54H20
        select EXPERIMENTAL

config MCUBOOT_BUILD_DIRECT_XIP_VARIANT
        bool "Build DirectXIP variant image"
        depends on MCUBOOT_MODE_DIRECT_XIP || MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT
        default y
        help
          Will build the alternative slot (variant) image of the main application.

menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
        bool "Downgrade prevention using hardware security counters"
        depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX)
        depends on !SECURE_BOOT_APPCORE
        depends on !QSPI_XIP_SPLIT_IMAGE
        help
          This option can be enabled by the application and will ensure that the
          MCUBOOT_HW_DOWNGRADE_PREVENTION Kconfig option is enabled in the MCUboot image.

          Note that this can only be used on first image, it will not be applied to the second
          image (network core updates) on nRF5340 which will use software downgrade protection
          on the network core CPU instead.

if MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION

config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
        int "Number of available hardware counter slots"
        default 240
        range 2 300
        help
          When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use one hardware counter
          for each updatable image (UPDATEABLE_IMAGE_NUMBER). This configuration specifies how many
          counter slots will be allocated for each hardware counter. The hardware counters are
          stored in OTP storage. The rationale for the default number (240): Assume one update a
          month for 10 years, then double that value just in case. This default fits comfortably
          within the OTP region of UICR.

config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE
        int "Security counter value"
        default 1
        range 1 65535
        help
          The security counter value for this image.
          This is the value that will be passed to the --security-counter parameter of imgtool.py

endif # MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION

config MCUBOOT_COMPRESSED_IMAGE_SUPPORT
        bool "Compressed image support"
        depends on MCUBOOT_MODE_OVERWRITE_ONLY
        help
          When enabled, supports loading compressed images using LZMA2 to the secondary slot which
          will then be decompressed and loaded to the primary slot.

config MCUBOOT_MAX_UPDATEABLE_IMAGES
        int
        default 1 if MCUBOOT_MODE_SINGLE_APP
        default 4

config MCUBOOT_APPLICATION_IMAGE_NUMBER
        int
        default 0

config MCUBOOT_NETWORK_CORE_IMAGE_NUMBER
        int
        default 1 if NETCORE_APP_UPDATE && !MCUBOOT_MODE_SINGLE_APP
        default 1 if BOOTLOADER_MCUBOOT && !NETCORE_NONE && (SOC_NRF54H20 && !MCUBOOT_SIGN_MERGED_BINARY)
        default -1

config MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER
        int
        default 2 if (WIFI_PATCHES_EXT_FLASH_XIP || WIFI_PATCHES_EXT_FLASH_STORE) && MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
        default 1 if (WIFI_PATCHES_EXT_FLASH_XIP || WIFI_PATCHES_EXT_FLASH_STORE)
        default -1

config MCUBOOT_QSPI_XIP_IMAGE_NUMBER
        int
        default 3 if QSPI_XIP_SPLIT_IMAGE && MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1
        default 2 if QSPI_XIP_SPLIT_IMAGE && MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
        default 1 if QSPI_XIP_SPLIT_IMAGE
        default -1

config MCUBOOT_MCUBOOT_IMAGE_NUMBER
        int
        default 4 if SECURE_BOOT_APPCORE && MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 && MCUBOOT_QSPI_XIP_IMAGE_NUMBER != 1
        default 3 if SECURE_BOOT_APPCORE && ((MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1 && (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 || MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1)) || (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1))
        default 2 if SECURE_BOOT_APPCORE && (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 || MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 || MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1)
        default 1 if SECURE_BOOT_APPCORE
        default -1

config MCUBOOT_MIN_UPDATEABLE_IMAGES
        int
        default 4 if MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 && MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1
        default 3 if (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1) || (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1) || (MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 && MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1)
        default 2 if MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 || MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 || MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1
        default 1

config MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES
        int
        default 1 if MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1
        default 0

config MCUBOOT_UPDATEABLE_IMAGES
        int "Updateable images"
        range MCUBOOT_MIN_UPDATEABLE_IMAGES MCUBOOT_MAX_UPDATEABLE_IMAGES
        help
          The number of images that MCUboot will be built with. Note that if
          ``MCUBOOT_ADDITIONAL_UPDATEABLE_IMAGES`` is set to a non-zero value then that value will
          be added to the MCUboot updateable image number but not the application, this is to allow
          for features like NSIB updates of MCUboot itself.

config MCUBOOT_ADDITIONAL_UPDATEABLE_IMAGES
        int "Additional MCUboot-only updateable images"
        range MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES
        default MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES
        help
          The number of additional images that MCUboot will be built with.

config MCUBOOT_APP_SYNC_UPDATEABLE_IMAGES
        bool "Sync updateable image value to main application"
        default y
        help
          If enabled then will synchronise the value of ``MCUBOOT_UPDATEABLE_IMAGES`` to MCUboot
          and the main application, if disabled then will only set this value to MCUboot.

          Note: ``MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES`` will be applied to MCUboot only
          irrespective of this option.

config SECURE_BOOT_MCUBOOT_VERSION
        string "MCUboot S0/S1 image update version"
        default "0.0.0+0"
        depends on SECURE_BOOT
        depends on BOOTLOADER_MCUBOOT
        help
          The version of the MCUboot S0/S1 upgrade package

if BOOTLOADER_MCUBOOT

choice BOOT_SIGNATURE_TYPE
        default BOOT_SIGNATURE_TYPE_RSA if THINGY91_STATIC_PARTITIONS_FACTORY
        default BOOT_SIGNATURE_TYPE_ED25519 if SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX
        default BOOT_SIGNATURE_TYPE_ECDSA_P256 if ((SOC_NRF52840 || SOC_SERIES_NRF91X) && !BOARD_THINGY91_NRF9160 && !BOARD_THINGY91_NRF52840)
        default BOOT_SIGNATURE_TYPE_ECDSA_P256 if SECURE_BOOT_APPCORE

endchoice

config BOOT_SIGNATURE_TYPE_PURE
        bool "Verify signature directly over image"
        depends on SOC_SERIES_NRF54LX
        depends on BOOT_SIGNATURE_TYPE_ED25519
        help
          The image signature will be verified over image rather than
          hash of an image.
          This option is currently only supported with ED25519 and configurations
          where both image slots are within internal SoC device storage.

config BOOT_IMG_HASH_ALG_SHA512
        bool "Use SHA512 for image hash calculation"
        depends on BOOT_SIGNATURE_TYPE_ED25519
        default y if SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX
        help
          The image hash will be calculated using SHA512 algorithm.

config MCUBOOT_SIGNATURE_USING_KMU
        bool "Use KMU stored keys for signature verification"
        depends on SOC_SERIES_NRF54LX
        depends on BOOT_SIGNATURE_TYPE_ED25519
        help
          The device needs to be provisioned with proper set of keys.

config MCUBOOT_SIGNATURE_USING_ITS
        bool "Use ITS stored keys for signature verification [EXPERIMENTAL]"
        depends on SOC_SERIES_NRF54HX
        select EXPERIMENTAL
        help
          The device needs to be provisioned with proper set of keys.

config BOOT_SHARED_CRYPTO_ECDSA_P256
        bool "Use external crypto from NSIB for ECDSA P256 signature"
        depends on SECURE_BOOT_APPCORE && SECURE_BOOT_SIGNATURE_TYPE_ECDSA
        depends on BOOT_SIGNATURE_TYPE_ECDSA_P256 && !SOC_SERIES_NRF54LX
        default y

config MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE
        bool "Generate default keyfile for provisioning during build"
        depends on SOC_SERIES_NRF54LX
        depends on MCUBOOT_SIGNATURE_USING_KMU
        help
          If enabled, the build system will generate keyfile.json file in the build directory.

endif

config MCUBOOT_USE_ALL_AVAILABLE_RAM
        bool "Allow MCUboot to use all available RAM"
        depends on BOARD_IS_NON_SECURE
        help
          By default MCUboot uses only the secure RAM partition.

config MCUBOOT_NRF53_MULTI_IMAGE_UPDATE
        bool "Network core multi-image update (in single operation)"
        depends on NETCORE_APP_UPDATE
        depends on !MCUBOOT_MODE_SINGLE_APP
        help
          If selected, network core image updates can be applied in a single operation. This is
          required if the secondary partition resides in off-chip memory.

          Note: if not using overwrite only mode for MCUboot, this can result in a bricked device
          upon firmware reverts.

endmenu
(v3.1.0) luser@zephyrbuild:~/ncs/v3.1.0/nrf$

Hi Dunk,
I have looked at your ticket again and I made a mistake in my previous reply.

This is the file I want you to look at:

v3.1.0/nrf/modules/mcuboot/Kconfig

Can you confirm MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION is defined in the file if you have it?

Hi Dunk,
I have looked at your ticket again and I made a mistake in my previous reply.

This is the file I want you to look at:

v3.1.0/nrf/modules/mcuboot/Kconfig

Can you confirm MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION is defined in the file if you have it?

Hi Benjamin,

Here is the file, yes, MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION is presented as well.

(v3.1.0) luser@zephyrbuild:~/ncs$ cat v3.1.0/nrf/modules/mcuboot/Kconfig
menu "MCUboot"

if BOOTLOADER_MCUBOOT

menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
        bool "Downgrade prevention using hardware security counters"
        depends on SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX
        help
          This option can be enabled by the application and will ensure
          that the MCUBOOT_HW_DOWNGRADE_PREVENTION Kconfig option is
          enabled in the MCUboot image.

if MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION

config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
        int "Number of available hardware counter slots"
        default 240
        range 2 300
        help
          When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use
          one hardware counter for each updatable image (UPDATEABLE_IMAGE_NUMBER).
          This configuration specifies how many counter slots will be allocated
          for each hardware counter. The hardware counters are stored in OTP storage.
          The rationale for the default number (240): Assume one update a month for
          10 years, then double that value just in case. This default fits
          comfortably within the OTP region of UICR.

config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE
        int "Security counter value"
        default 1
        range 1 65535
        help
          The security counter value for this image.
          This is the value that will be passed to the --security-counter
          parameter of imgtool.py

endif # MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION

# HACK: NCS temphack to keep our imgtool integration working now that
# there is no CONFIG_DT_* CMake namespace anymore. Use Zephyr
# kconfigfunctions to thread the flash write block size through
# Kconfig so it can be accessed from CMake. Needs a better solution.
DT_ZEPHYR_FLASH := zephyr,flash
DT_CHOSEN_ZEPHYR_FLASH := $(dt_chosen_path,$(DT_ZEPHYR_FLASH))
config MCUBOOT_FLASH_WRITE_BLOCK_SIZE
        int
        default $(dt_node_int_prop_int,$(DT_CHOSEN_ZEPHYR_FLASH),write-block-size)

endif # BOOTLOADER_MCUBOOT

config DT_FLASH_WRITE_BLOCK_SIZE
        int
        default $(dt_node_int_prop_int,$(DT_CHOSEN_ZEPHYR_FLASH),write-block-size)

config MCUBOOT_USB_SUPPORT
        bool
        default y if "$(dt_nodelabel_enabled,zephyr_udc0)"

config USE_NRF53_MULTI_IMAGE_WITHOUT_UPGRADE_ONLY
        bool "Allow nRF53 multi-image update support [dangerous]"
        help
          Enabling this option allows you to use NRF53_MULTI_IMAGE update
          without having BOOT_UPGRADE_ONLY enabled, allowing you to use
          different swapping methods. This will however give you the potential
          of bricking the network core upon reverts.

config MCUBOOT_USE_ALL_AVAILABLE_RAM
        bool "Allow MCUBoot to use all available RAM"
        depends on ARM_TRUSTZONE_M
        default y if BOARD_THINGY53_NRF5340_CPUAPP_NS || BOARD_THINGY53_NRF5340_CPUAPP
        help
          By default MCUBoot uses only the secure RAM partition.

endmenu
(v3.1.0) luser@zephyrbuild:~/ncs$