Production utility for flashing and key provisioning

Hello, Any update ?

Hi Darav, 
I'm sorry for the late reply. 
As far as I know you don't have to install the full NCS toolchain to do the KUM key provisioning and programming. 
Could you let me know how you do these task currently ? 

Have you used nrfutil device commandline tool for the tasks ? 
You can take a look here: 
https://docs.nordicsemi.com/bundle/nrfutil/page/nrfutil-device/guides/provisioning_keys.html

And here: 
https://docs.nordicsemi.com/bundle/nrfutil/page/nrfutil-device/guides/programming_nrf54L15.html

Checked out the links you have attached which demonstrate the provisioning of keys using nrfutil. but the tool requires the key value to be in json format, while we have generated the key in .pem format. How can we provision .pem type of keys ?

what we are currently following is :

generating the private key -> python C:\ncs\v3.0.2\bootloader\mcuboot\scripts\imgtool.py keygen -t ed25519 -k private_key.pem

provisioning the private key into the SOC KMU -> west ncs-provision upload -s nrf54l15 -k private_key.pem

Hi Darav, 
I believe you would need to use generate_psa_key_attributes.py for the task. You can take a look here: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/device_guides/nrf54h/ug_nrf54h20_keys.html#generating_key_metadata

You would need to generate a public key from the private one using imgtool.py getpub -k private_key.pem -e pem > public_key.pem

Hi Darav, 
I believe you would need to use generate_psa_key_attributes.py for the task. You can take a look here: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/device_guides/nrf54h/ug_nrf54h20_keys.html#generating_key_metadata

You would need to generate a public key from the private one using imgtool.py getpub -k private_key.pem -e pem > public_key.pem

We are currently using the following procedure to provision keys into the KMU of nRF54L15, and then flashing the firmware using the respective Python scripts.
Could you please confirm whether this is the recommended approach, or if there is a better or more efficient method?

Generate the private key used for firmware signing

openssl genpkey -algorithm Ed25519 -out MANIFEST_APPLICATION_GEN1_priv.pem

openssl pkey -in MANIFEST_APPLICATION_GEN1_priv.pem -pubout -out MANIFEST_APPLICATION_GEN1_pub.pem

python generate_psa_key_attributes.py --usage VERIFY_MESSAGE_EXPORT --id 0x7fff30e2 --type ECC_TWISTED_EDWARDS --size 255 --algorithm EDDSA_PURE --location LOCATION_CRACEN_KMU --key-from-file .\MANIFEST_APPLICATION_GEN1_pub.pem --file keys.json --lifetime PERSISTENCE_READ_ONLY

nrfutil device x-provision-keys --key-file keys.json --traits jlink

nrfutil device program --firmware ".\build\merged.hex" --traits jlink --options reset=RESET_DEFAULT,chip_erase_mode=ERASE_RANGES_TOUCHED_BY_FIRMWARE,mcu_end_state=NRFDL_MCU_STATE_APPLICATION

Hi Darav, 
The process looks fine to me. 
Could you explain the id you used 0x7fff30e2.
As far as I know when you program the key into KMU you simply select the slot you want to put the key to. See the documentation in the python file: 

    parser.add_argument(
        "--id",
        help="Key identifier (KMU slot number (0-255) for KMU keys)",
        type=lambda number_string: int(number_string, 0),
        required=True,
    )