west build failed due to mcuboot sysbuild

Hi,

With NCS v3.1.0 and Nordic's downstream zephyr ncs-v3.1.0, I got a build failure with the following message:

--

warning: attempt to assign the value 'n' to the undefined symbol MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION

--

This failure can be reproduced by building the sample 'with_mcuboot'.

The command is as below:

west build -p always -b nrf52840dk/nrf52840 zephyr/samples/sysbuild/with_mcuboot --sysbuild

But I can build it successfully without '--sysbuild'. And BTW, with the same system (a machine with Ubuntu v22.04 installed) I can build this sample with the original 'zephyr' according to the 'Getting Started Guide'

docs.zephyrproject.org/.../index.html

  • Could you upload your nrf/west.yml file?

  • Hi Benjamin,

    Here you are.

    (v3.1.0) luser@zephyrbuild:~/ncs/v3.1.0/nrf$ cat west.yml
    # The west manifest file (west.yml) for the nRF Connect SDK (NCS).
    #
    # The per-workspace west configuration file, ncs/.west/config,
    # specifies the location of this manifest file like this:
    #
    #     [manifest]
    #     path = nrf
    #
    # See the west documentation for more information:
    #
    # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/west/index.html
    
    manifest:
      version: "0.13"
    
      # "remotes" is a list of locations where git repositories are cloned
      # and fetched from.
      remotes:
        # nRF Connect SDK GitHub organization.
        # NCS repositories are hosted here.
        - name: ncs
          url-base: https://github.com/nrfconnect
        # Third-party repository sources:
        - name: zephyrproject
          url-base: https://github.com/zephyrproject-rtos
        - name: throwtheswitch
          url-base: https://github.com/ThrowTheSwitch
        - name: dragoon
          url-base: https://projecttools.nordicsemi.no/bitbucket/scm/drgn
        - name: memfault
          url-base: https://github.com/memfault
        - name: babblesim
          url-base: https://github.com/BabbleSim
        - name: bosch
          url-base: https://github.com/boschsensortec
        - name: eembc
          url-base: https://github.com/eembc
    
      # If not otherwise specified, the projects below should be obtained
      # from the ncs remote.
      defaults:
        remote: ncs
    
      group-filter:
        - -nrf-802154
        - -dragoon
        - -find-my
        - -babblesim
        - -libmodem
        - -bsec
        - -doc-internal
        - +optional
    
      # "projects" is a list of git repositories which make up the NCS
      # source code.
      #
      # For 'userdata' fields in the projects area, please refer to:
      # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/dm_code_base.html
      projects:
    
        # The Zephyr RTOS fork in the NCS, along with the subset of its
        # modules which NCS imports directly.
        #
        # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/introduction/index.html
        # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
        - name: zephyr
          repo-path: sdk-zephyr
          revision: ncs-v3.1.0
          import:
            # In addition to the zephyr repository itself, NCS also
            # imports the contents of zephyr/west.yml at the above
            # revision. Only the projects explicitly named in the
            # following allowlist are imported.
            #
            # Note that the zephyr west extensions (like 'build', 'flash',
            # 'debug', etc.) are automatically provided by this import, so
            # there's no need to add a redundant west-commands: key for
            # the zephyr project.
            #
            # Please keep this list sorted alphabetically.
            name-allowlist:
              - canopennode
              - chre
              - cmsis
              - cmsis-dsp
              - cmsis-nn
              - cmsis_6
              - edtt
              - fatfs
              - hal_nordic
              - hal_st # required for ST sensors (unrelated to STM32 MCUs)
              - hal_tdk # required for Invensense sensors such as ICM42670
              - hal_wurthelektronik
              - liblc3
              - libmetal
              - littlefs
              - loramac-node
              - lvgl
              - lz4
              - mipi-sys-t
              - nanopb
              - net-tools
              - nrf_hw_models
              - nrf_wifi
              - open-amp
              - percepio
              - picolibc
              - segger
              - tf-m-tests
              - tinycrypt
              - uoscore-uedhoc
              - zcbor
              - zscilib
    
        # NCS repositories.
        #
        # Some of these are also Zephyr modules which have NCS-specific
        # changes.
        - name: hostap
          repo-path: sdk-hostap
          path: modules/lib/hostap
          revision: 2b5c82cd4e833c065075bc239a7bd138d4662e34
        - name: wfa-qt-control-app
          repo-path: sdk-wi-fiquicktrack-controlappc
          path: modules/lib/wfa-qt-control-app
          revision: d4bc010be69aa89290c5af6767702ff46c1829e5
          userdata:
            ncs:
              upstream-url: https://github.com/Wi-FiQuickTrack/Wi-FiQuickTrack-ControlAppC
              upstream-sha: 1225729e8d84075f03bf9fc51eee85d84dfb0091
              compare-by-default: true
        - name: mcuboot
          repo-path: sdk-mcuboot
          revision: ncs-v3.1.0
          path: bootloader/mcuboot
        - name: qcbor
          url: https://github.com/laurencelundblade/QCBOR
          revision: 751d36583a9ce1a640900c57e13c9b6b8f3a2ba2
          path: modules/tee/tf-m/qcbor
        - name: mbedtls
          path: modules/crypto/mbedtls
          repo-path: sdk-mbedtls
          revision: ncs-v3.1.0
        - name: oberon-psa-crypto
          path: modules/crypto/oberon-psa-crypto
          repo-path: sdk-oberon-psa-crypto
          revision: ncs-v3.1.0
        - name: nrfxlib
          repo-path: sdk-nrfxlib
          path: nrfxlib
          revision: v3.1.0
        - name: trusted-firmware-m
          repo-path: sdk-trusted-firmware-m
          path: modules/tee/tf-m/trusted-firmware-m
          revision: ncs-v3.1.0
        - name: psa-arch-tests
          repo-path: sdk-psa-arch-tests
          path: modules/tee/tf-m/psa-arch-tests
          revision: 3da9313e64806d352c519e3205e81cf959067588
        - name: matter
          repo-path: sdk-connectedhomeip
          path: modules/lib/matter
          revision: v3.1.0
          west-commands: scripts/west/west-commands.yml
          submodules:
            - name: nlio
              path: third_party/nlio/repo
            - name: nlassert
              path: third_party/nlassert/repo
            - name: pigweed
              path: third_party/pigweed/repo
            - name: jsoncpp
              path: third_party/jsoncpp/repo
          userdata:
            ncs:
              upstream-url: https://github.com/project-chip/connectedhomeip
              upstream-sha: 181b0cb14ff007ec912f2ba6627e05dfb066c008
              compare-by-default: false
        - name: nrf-802154
          repo-path: sdk-nrf-802154
          path: nrf-802154
          revision: v3.1.0
          groups:
            - nrf-802154
        - name: dragoon
          # Only for internal Nordic development
          repo-path: dragoon.git
          remote: dragoon
          revision: fcde41eba2d1422400b5f8579fac9d9eaac9b434
          groups:
            - dragoon
        - name: cjson
          repo-path: sdk-cjson
          path: modules/lib/cjson
          revision: c6af068b7f05207b28d68880740e4b9ec1e4b50a
          userdata:
            ncs:
              upstream-url: https://github.com/DaveGamble/cJSON
              upstream-sha: d2735278ed1c2e4556f53a7a782063b31331dbf7
              compare-by-default: false
        - name: find-my
          repo-path: sdk-find-my
          revision: v3.1.0
          groups:
            - find-my
        - name: azure-sdk-for-c
          repo-path: azure-sdk-for-c
          path: modules/lib/azure-sdk-for-c
          revision: 308c171cb4b5eed266649012a68406487ec81fb2
          userdata:
            ncs:
              upstream-url: https://github.com/Azure/azure-sdk-for-c
              upstream-sha: adc56bc6138a28b5490bce339a31a2581a072092
              compare-by-default: false
        - name: cirrus
          repo-path: sdk-mcu-drivers
          path: modules/hal/cirrus-logic
          revision: 3873a08377d93a479105a75ac390d3bbcd31d690
          userdata:
            ncs:
              upstream-url: https://github.com/CirrusLogic/mcu-drivers
              upstream-sha: 1be6ca7253133a21a1e9fe0fbb4656e17d63a936
              compare-by-default: false
        - name: libmodem
          revision: 5dc5bc768dda0ddf9974920c618b70da5d67c6c3
          groups:
            - libmodem
        - name: openthread
          repo-path: sdk-openthread
          path: modules/lib/openthread
          revision: ncs-thread-reference-20250402
          userdata:
            ncs:
              upstream-url: https://github.com/openthread/openthread
              upstream-sha: c6eaeda5a1c1c5dbb24dce7e027340cb8893a77b
              compare-by-default: false
        - name: doc-internal
          repo-path: doc-internal
          path: modules/doc-internal
          revision: ae9f21960477636720a72ced869a6c342d502484
          groups:
            - doc-internal
    
        # Other third-party repositories.
        - name: cmock
          path: test/cmock
          submodules: true
          revision: f65066f15d8248e6dcb778efb8739904a4512087
          remote: throwtheswitch
        - name: memfault-firmware-sdk
          path: modules/lib/memfault-firmware-sdk
          revision: 1.26.0
          remote: memfault
        - name: bsim
          repo-path: bsim_west
          remote: babblesim
          revision: a88d3353451387ca490a6a7f7c478a90c4ee05b7
          import:
            path-prefix: tools
        - name: bme68x
          repo-path: Bosch-BME68x-Library
          remote: bosch
          path: modules/lib/bme68x
          revision: v1.1.40407
          groups:
            - bsec
        - name: bsec
          repo-path: Bosch-BSEC2-Library
          remote: bosch
          path: modules/lib/bsec
          revision: v1.5.2400
          groups:
            - bsec
        - name: coremark
          remote: eembc
          path: modules/benchmark/coremark
          revision: d5fad6bd094899101a4e5fd53af7298160ced6ab
          groups:
            - benchmark
    
      # West-related configuration for the nrf repository.
      self:
        # This repository should be cloned to ncs/nrf.
        path: nrf
        # This line configures west extensions.
        west-commands: scripts/west-commands.yml
    (v3.1.0) luser@zephyrbuild:~/ncs/v3.1.0/nrf$

  • The warning and error you are getting are because the build system doesn't find the Kconfig symbol MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION. This Kconfig symbol is defined in the following file:

    v3.1.0/nrf/sysbuild/Kconfig.mcuboot

    Could you check if you have this file and if the Kconfig symbol is defined there?

  • Hi Benjamin,

    Yes, there is an item 'MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION' defined in Kconfig.mcuboot. But I don't understand how the build procedure passes with *mcuboot* and fails at the application part, i.e. 'with_mcuboot', in my previous example.

    (v3.1.0) luser@zephyrbuild:~/ncs/v3.1.0/nrf$ cat sysbuild/Kconfig.mcuboot
    # Copyright (c) 2023 Nordic Semiconductor
    #
    # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
    
    menu "MCUboot configuration"
            depends on BOOTLOADER_MCUBOOT
    
    config MCUBOOT_SIGN_MERGED_BINARY
            bool "Sign single, merged update package [EXPERIMENTAL]"
            default y if (MCUBOOT_MODE_DIRECT_XIP || MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT)
            depends on SOC_NRF54H20
            select EXPERIMENTAL
    
    config MCUBOOT_BUILD_DIRECT_XIP_VARIANT
            bool "Build DirectXIP variant image"
            depends on MCUBOOT_MODE_DIRECT_XIP || MCUBOOT_MODE_DIRECT_XIP_WITH_REVERT
            default y
            help
              Will build the alternative slot (variant) image of the main application.
    
    menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
            bool "Downgrade prevention using hardware security counters"
            depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX)
            depends on !SECURE_BOOT_APPCORE
            depends on !QSPI_XIP_SPLIT_IMAGE
            help
              This option can be enabled by the application and will ensure that the
              MCUBOOT_HW_DOWNGRADE_PREVENTION Kconfig option is enabled in the MCUboot image.
    
              Note that this can only be used on first image, it will not be applied to the second
              image (network core updates) on nRF5340 which will use software downgrade protection
              on the network core CPU instead.
    
    if MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
    
    config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_SLOTS
            int "Number of available hardware counter slots"
            default 240
            range 2 300
            help
              When MCUBOOT_HW_DOWNGRADE_PREVENTION is enabled, MCUboot will use one hardware counter
              for each updatable image (UPDATEABLE_IMAGE_NUMBER). This configuration specifies how many
              counter slots will be allocated for each hardware counter. The hardware counters are
              stored in OTP storage. The rationale for the default number (240): Assume one update a
              month for 10 years, then double that value just in case. This default fits comfortably
              within the OTP region of UICR.
    
    config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE
            int "Security counter value"
            default 1
            range 1 65535
            help
              The security counter value for this image.
              This is the value that will be passed to the --security-counter parameter of imgtool.py
    
    endif # MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
    
    config MCUBOOT_COMPRESSED_IMAGE_SUPPORT
            bool "Compressed image support"
            depends on MCUBOOT_MODE_OVERWRITE_ONLY
            help
              When enabled, supports loading compressed images using LZMA2 to the secondary slot which
              will then be decompressed and loaded to the primary slot.
    
    config MCUBOOT_MAX_UPDATEABLE_IMAGES
            int
            default 1 if MCUBOOT_MODE_SINGLE_APP
            default 4
    
    config MCUBOOT_APPLICATION_IMAGE_NUMBER
            int
            default 0
    
    config MCUBOOT_NETWORK_CORE_IMAGE_NUMBER
            int
            default 1 if NETCORE_APP_UPDATE && !MCUBOOT_MODE_SINGLE_APP
            default 1 if BOOTLOADER_MCUBOOT && !NETCORE_NONE && (SOC_NRF54H20 && !MCUBOOT_SIGN_MERGED_BINARY)
            default -1
    
    config MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER
            int
            default 2 if (WIFI_PATCHES_EXT_FLASH_XIP || WIFI_PATCHES_EXT_FLASH_STORE) && MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
            default 1 if (WIFI_PATCHES_EXT_FLASH_XIP || WIFI_PATCHES_EXT_FLASH_STORE)
            default -1
    
    config MCUBOOT_QSPI_XIP_IMAGE_NUMBER
            int
            default 3 if QSPI_XIP_SPLIT_IMAGE && MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1
            default 2 if QSPI_XIP_SPLIT_IMAGE && MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1
            default 1 if QSPI_XIP_SPLIT_IMAGE
            default -1
    
    config MCUBOOT_MCUBOOT_IMAGE_NUMBER
            int
            default 4 if SECURE_BOOT_APPCORE && MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 && MCUBOOT_QSPI_XIP_IMAGE_NUMBER != 1
            default 3 if SECURE_BOOT_APPCORE && ((MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1 && (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 || MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1)) || (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1))
            default 2 if SECURE_BOOT_APPCORE && (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 || MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 || MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1)
            default 1 if SECURE_BOOT_APPCORE
            default -1
    
    config MCUBOOT_MIN_UPDATEABLE_IMAGES
            int
            default 4 if MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 && MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1
            default 3 if (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1) || (MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 && MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1) || (MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 && MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1)
            default 2 if MCUBOOT_NETWORK_CORE_IMAGE_NUMBER != -1 || MCUBOOT_WIFI_PATCHES_IMAGE_NUMBER != -1 || MCUBOOT_QSPI_XIP_IMAGE_NUMBER != -1
            default 1
    
    config MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES
            int
            default 1 if MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1
            default 0
    
    config MCUBOOT_UPDATEABLE_IMAGES
            int "Updateable images"
            range MCUBOOT_MIN_UPDATEABLE_IMAGES MCUBOOT_MAX_UPDATEABLE_IMAGES
            help
              The number of images that MCUboot will be built with. Note that if
              ``MCUBOOT_ADDITIONAL_UPDATEABLE_IMAGES`` is set to a non-zero value then that value will
              be added to the MCUboot updateable image number but not the application, this is to allow
              for features like NSIB updates of MCUboot itself.
    
    config MCUBOOT_ADDITIONAL_UPDATEABLE_IMAGES
            int "Additional MCUboot-only updateable images"
            range MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES
            default MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES
            help
              The number of additional images that MCUboot will be built with.
    
    config MCUBOOT_APP_SYNC_UPDATEABLE_IMAGES
            bool "Sync updateable image value to main application"
            default y
            help
              If enabled then will synchronise the value of ``MCUBOOT_UPDATEABLE_IMAGES`` to MCUboot
              and the main application, if disabled then will only set this value to MCUboot.
    
              Note: ``MCUBOOT_MIN_ADDITIONAL_UPDATEABLE_IMAGES`` will be applied to MCUboot only
              irrespective of this option.
    
    config SECURE_BOOT_MCUBOOT_VERSION
            string "MCUboot S0/S1 image update version"
            default "0.0.0+0"
            depends on SECURE_BOOT
            depends on BOOTLOADER_MCUBOOT
            help
              The version of the MCUboot S0/S1 upgrade package
    
    if BOOTLOADER_MCUBOOT
    
    choice BOOT_SIGNATURE_TYPE
            default BOOT_SIGNATURE_TYPE_RSA if THINGY91_STATIC_PARTITIONS_FACTORY
            default BOOT_SIGNATURE_TYPE_ED25519 if SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX
            default BOOT_SIGNATURE_TYPE_ECDSA_P256 if ((SOC_NRF52840 || SOC_SERIES_NRF91X) && !BOARD_THINGY91_NRF9160 && !BOARD_THINGY91_NRF52840)
            default BOOT_SIGNATURE_TYPE_ECDSA_P256 if SECURE_BOOT_APPCORE
    
    endchoice
    
    config BOOT_SIGNATURE_TYPE_PURE
            bool "Verify signature directly over image"
            depends on SOC_SERIES_NRF54LX
            depends on BOOT_SIGNATURE_TYPE_ED25519
            help
              The image signature will be verified over image rather than
              hash of an image.
              This option is currently only supported with ED25519 and configurations
              where both image slots are within internal SoC device storage.
    
    config BOOT_IMG_HASH_ALG_SHA512
            bool "Use SHA512 for image hash calculation"
            depends on BOOT_SIGNATURE_TYPE_ED25519
            default y if SOC_SERIES_NRF54LX || SOC_SERIES_NRF54HX
            help
              The image hash will be calculated using SHA512 algorithm.
    
    config MCUBOOT_SIGNATURE_USING_KMU
            bool "Use KMU stored keys for signature verification"
            depends on SOC_SERIES_NRF54LX
            depends on BOOT_SIGNATURE_TYPE_ED25519
            help
              The device needs to be provisioned with proper set of keys.
    
    config MCUBOOT_SIGNATURE_USING_ITS
            bool "Use ITS stored keys for signature verification [EXPERIMENTAL]"
            depends on SOC_SERIES_NRF54HX
            select EXPERIMENTAL
            help
              The device needs to be provisioned with proper set of keys.
    
    config BOOT_SHARED_CRYPTO_ECDSA_P256
            bool "Use external crypto from NSIB for ECDSA P256 signature"
            depends on SECURE_BOOT_APPCORE && SECURE_BOOT_SIGNATURE_TYPE_ECDSA
            depends on BOOT_SIGNATURE_TYPE_ECDSA_P256 && !SOC_SERIES_NRF54LX
            default y
    
    config MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE
            bool "Generate default keyfile for provisioning during build"
            depends on SOC_SERIES_NRF54LX
            depends on MCUBOOT_SIGNATURE_USING_KMU
            help
              If enabled, the build system will generate keyfile.json file in the build directory.
    
    endif
    
    config MCUBOOT_USE_ALL_AVAILABLE_RAM
            bool "Allow MCUboot to use all available RAM"
            depends on BOARD_IS_NON_SECURE
            help
              By default MCUboot uses only the secure RAM partition.
    
    config MCUBOOT_NRF53_MULTI_IMAGE_UPDATE
            bool "Network core multi-image update (in single operation)"
            depends on NETCORE_APP_UPDATE
            depends on !MCUBOOT_MODE_SINGLE_APP
            help
              If selected, network core image updates can be applied in a single operation. This is
              required if the secondary partition resides in off-chip memory.
    
              Note: if not using overwrite only mode for MCUboot, this can result in a bricked device
              upon firmware reverts.
    
    endmenu
    (v3.1.0) luser@zephyrbuild:~/ncs/v3.1.0/nrf$

  • Hi Dunk,
    I have looked at your ticket again and I made a mistake in my previous reply.

    This is the file I want you to look at:

    v3.1.0/nrf/modules/mcuboot/Kconfig

    Can you confirm MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION is defined in the file if you have it?
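
The check requested in this thread (is the symbol defined in a given Kconfig file, and behind which `depends on` lines) can be scripted over a whole tree. This is an added example, not part of any post and not Nordic or Zephyr tooling: a simplified line scanner that does not evaluate Kconfig or track enclosing `menu`/`if` conditions. The `SAMPLE` text is constructed from the Kconfig.mcuboot excerpt posted above, and the function names are hypothetical.

```python
"""Locate config/menuconfig definitions of a Kconfig symbol (simplified scanner)."""
import re
import sys
from pathlib import Path

DEF_RE = re.compile(r"^\s*(config|menuconfig)\s+([A-Za-z0-9_]+)\s*$")
DEP_RE = re.compile(r"^\s*depends\s+on\s+(.+)$")
# Keywords that close the entry currently being read.
END_RE = re.compile(r"^\s*(choice|endchoice|menu|endmenu|if|endif|comment|"
                    r"source|rsource|osource|orsource)\b")

# Constructed sample, shortened from the excerpt in the thread.
SAMPLE = """\
menu "MCUboot configuration"
        depends on BOOTLOADER_MCUBOOT

menuconfig MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION
        bool "Downgrade prevention using hardware security counters"
        depends on (SOC_NRF5340_CPUAPP || SOC_SERIES_NRF91X || SOC_SERIES_NRF54LX)
        depends on !SECURE_BOOT_APPCORE
        depends on !QSPI_XIP_SPLIT_IMAGE
        help
          This option can be enabled by the application.

if MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION

config MCUBOOT_HW_DOWNGRADE_PREVENTION_COUNTER_VALUE
        int "Security counter value"
        default 1

endif # MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION

endmenu
"""

def find_definitions(text, symbol, origin="<string>"):
    """Return one dict per definition: file, line, keyword, own 'depends on' lines."""
    found, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        m = DEF_RE.match(line)
        if m:                                     # a new entry starts here
            current = None
            if m.group(2) == symbol:
                current = {"file": origin, "line": lineno,
                           "keyword": m.group(1), "depends": []}
                found.append(current)
        elif current is None:
            continue                              # not inside the entry we want
        elif line.strip() in ("help", "---help---") or END_RE.match(line):
            current = None                        # properties of the entry are over
        elif (d := DEP_RE.match(line)):
            current["depends"].append(d.group(1).strip())
    return found

def scan_tree(root, symbol):
    """Run find_definitions over every file named Kconfig* below root."""
    hits = []
    for path in sorted(Path(root).rglob("Kconfig*")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend(find_definitions(text, symbol, str(path)))
    return hits

if __name__ == "__main__":
    # With two arguments: <tree root> <symbol>; otherwise scan the constructed sample.
    hits = (scan_tree(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else
            find_definitions(SAMPLE, "MCUBOOT_HARDWARE_DOWNGRADE_PREVENTION"))
    for h in hits:
        print(f'{h["file"]}:{h["line"]}: {h["keyword"]}; depends on: {h["depends"]}')
    if not hits:
        print("no definition found")
```

Run against a workspace directory, it lists every Kconfig file that defines the symbol, so a definition that exists only in the sysbuild Kconfig tree and not in the one an image reads is visible at a glance.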

