Production utility for flashing and key provisioning

RE: Production utility for flashing and key provisioning

Hung Bui — Tue, 06 Jan 2026 10:16:22 GMT

Hi Darav,
The process looks fine to me.
Could you explain the id you used 0x7fff30e2.
As far as I know when you program the key into KMU you simply select the slot you want to put the key to. See the documentation in the python file:

    parser.add_argument(
        "--id",
        help="Key identifier (KMU slot number (0-255) for KMU keys)",
        type=lambda number_string: int(number_string, 0),
        required=True,
    )

RE: Production utility for flashing and key provisioning

darav — Thu, 01 Jan 2026 06:04:21 GMT

We are currently using the following procedure to provision keys into the KMU of nRF54L15, and then flashing the firmware using the respective Python scripts.
Could you please confirm whether this is the recommended approach, or if there is a better or more efficient method?

Generate the private key used for firmware signing

openssl genpkey -algorithm Ed25519 -out MANIFEST_APPLICATION_GEN1_priv.pem

Generate the public key from the private key

openssl pkey -in MANIFEST_APPLICATION_GEN1_priv.pem -pubout -out MANIFEST_APPLICATION_GEN1_pub.pem

Generate the JSON file for the key to be provisioned

python generate_psa_key_attributes.py --usage VERIFY_MESSAGE_EXPORT --id 0x7fff30e2 --type ECC_TWISTED_EDWARDS --size 255 --algorithm EDDSA_PURE --location LOCATION_CRACEN_KMU --key-from-file .\MANIFEST_APPLICATION_GEN1_pub.pem --file keys.json --lifetime PERSISTENCE_READ_ONLY

Also, what exact does the "--id" parameter mean?

Provision the key into the KMU

nrfutil device x-provision-keys --key-file keys.json --traits jlink

Program the firmware -

nrfutil device program --firmware ".\build\merged.hex" --traits jlink --options reset=RESET_DEFAULT,chip_erase_mode=ERASE_RANGES_TOUCHED_BY_FIRMWARE,mcu_end_state=NRFDL_MCU_STATE_APPLICATION

RE: Production utility for flashing and key provisioning

Hung Bui — Tue, 16 Dec 2025 10:18:27 GMT

Hi Darav,
I believe you would need to use generate_psa_key_attributes.py for the task. You can take a look here: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/device_guides/nrf54h/ug_nrf54h20_keys.html#generating_key_metadata

You would need to generate a public key from the private one using imgtool.py getpub -k private_key.pem -e pem > public_key.pem

RE: Production utility for flashing and key provisioning

darav — Tue, 16 Dec 2025 09:43:35 GMT

Checked out the links you have attached which demonstrate the provisioning of keys using nrfutil. but the tool requires the key value to be in json format, while we have generated the key in .pem format. How can we provision .pem type of keys ?

what we are currently following is :

generating the private key -> python C:\ncs\v3.0.2\bootloader\mcuboot\scripts\imgtool.py keygen -t ed25519 -k private_key.pem

provisioning the private key into the SOC KMU -> west ncs-provision upload -s nrf54l15 -k private_key.pem

RE: Production utility for flashing and key provisioning

Hung Bui — Mon, 15 Dec 2025 13:45:34 GMT

Hi Darav,
I'm sorry for the late reply.
As far as I know you don't have to install the full NCS toolchain to do the KUM key provisioning and programming.
Could you let me know how you do these task currently ?

Have you used nrfutil device commandline tool for the tasks ?
You can take a look here:
https://docs.nordicsemi.com/bundle/nrfutil/page/nrfutil-device/guides/provisioning_keys.html

And here:
https://docs.nordicsemi.com/bundle/nrfutil/page/nrfutil-device/guides/programming_nrf54L15.html

RE: Production utility for flashing and key provisioning

darav — Mon, 15 Dec 2025 05:40:48 GMT

Hello, Any update ?