• State Verified Answer
  • Replies 3 replies
  • Subscribers 86 subscribers
  • Views 212 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 356661
Options

nRF54LM NSIB Provisioning Documentation Clarification

ashlin4010

This is just a request for an update to some documentation.

If you do a web search for "nrf NSIB" the first page this is likely to show up is this one. It's a good page and gives a great overview on NSIB OTP and other core info.
There is some basic info on building, just enough that someone might work it out. Doing some more basic research for NSIB + MCUboot you will find this page, another good page with better build instructions.

The issue is that the first page has this section:

Provisioning

The public key hashes are not compiled with the source code of the NSIB. Instead, they must be written to the device in a process called provisioning.

The hashes are automatically generated by the build system based on the specified private key and the additional public keys.

By default, the hashes are placed directly into the NSIB HEX file and then automatically provisioned when the HEX file is programmed to the device.

However, in a more realistic manufacturing process, you can program the NSIB HEX file and the HEX file containing the hashes separately, using the Python scripts located in the scripts/bootloader folder.

In either case, the NSIB accesses the provisioned data at run time using the Bootloader storage library.

This says that hashes are automatically provisioned onto the device. This is not the case for the nrf54 (maybe others). It's not mentioned that on the nrf54 you need to use ncs-provision.

Later, the page talks about the OTP and how the  nRF91 Series and nRF5340, use OTP regions while other devices use "internal flash memory". There is no mention of nrf54 or KMU. Many like me will assume the nrf54 makes use of OTP regions.

The second page has more build instructions, but still does not mention the need for ncs-provision, except for this one line:

For SoCs using KMU for NSIB (nRF54L Series devices), the private key must be provisioned in the KMU before NSIB can be run.

If you have read the first page, you might assume that provisioning of keys/hashes was done automatically, as it suggests.

Request

First page:

  • Mention KMU.
  • Clarify the provisioning process on the newer Soc
  • Update the table at the top of the page mention when keys/hashes are stored on all of the board targets

Second page:

  • Show the provisioning process on the newer Soc

There is a third page that does correctly mention how to provision the nrf54 but it does lack some nice-to-have info.

  • Call nrfjprog --recover before ncs-provision and west flash
  • Explain what "BL_PUBKEY" means (I still don't know, is there one? more than one?)

Thank you

Parents Reply Children
Related
Terms of service