[NRF54L15-KMU] Clarification on KMU slot-id

Hi,

I am currently evaluating the nRF54L15 DFU single-slot sample available in NCS 3.2.1:
https://github.com/nrfconnect/sdk-nrf/tree/v3.2.1/samples/dfu/single_slot

I have a question regarding the KMU slot ID used for the bootloader public key.

With west verbose enabled, I see that the following command is used to generate keyfile.json:

west ncs-provision upload \
  --keyname BL_PUBKEY \
  --key <path>/bootloader/mcuboot/root-ed25519.pem \
  --build-dir <path>/samples/dfu/single

My question is: why is BL_PUBKEY used as the key name?
Based on the documentation here:
https://docs.nordicsemi.com/bundle/ncs-3.2.1/page/nrf/app_dev/device_guides/nrf54l/kmu_provision.html

I would have expected UROT_PUBKEY, since MCUboot is being used.

That said, it seems that BL_PUBKEY is in fact the correct value, because:

ncs-provision maps BL_PUBKEY to KMU slot ID 242
(https://github.com/nrfconnect/sdk-nrf/blob/v3.2.1/scripts/west_commands/ncs_provision.py#L22)

The sample’s MCUboot configuration uses:

CONFIG_NCS_BOOT_SIGNATURE_KMU_BASE_SLOT=242

Could you clarify the intended distinction between BL_PUBKEY and UROT_PUBKEY in this context, and why the DFU single-slot MCUboot flow for nRF54L15 uses BL_PUBKEY?

Thanks in advance for the clarification.

Best regards,
Alessandro

0 longo92 3 months ago

I see that that mcuboot config is set here: https://github.com/nrfconnect/sdk-mcuboot/blob/ncs-v3.2.1/boot/zephyr/Kconfig#L449- and the values 226 (UROT_PUBKEY) is set only if NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING is yes (which is DEPRECATED) or MCUBOOT_MCUBOOT_IMAGE_NUMBER is different from -1.

I do not know the meanings of those two KCONFIG (NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING and MCUBOOT_MCUBOOT_IMAGE_NUMBER).

Could you clarify?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Hung Bui 2 months ago

Hi Alessandro,

It seems that we changed the slot used for MCUBoot from SDK v3.2.0
You can take a look here: https://docs.nordicsemi.com/bundle/ncs-3.2.1/page/nrf/releases_and_maturity/releases/release-notes-3.2.0.html#mcuboot

"Updated KMU mapping to BL_PUBKEY when MCUboot is used as the immutable bootloader for nRF54L Series devices. You can restore the previous KMU mapping (UROT_PUBKEY) with the SB_CONFIG_MCUBOOT_SIGNATURE_KMU_UROT_MAPPING Kconfig option."

Btw, could you let me know by which west -v command do you see the west ncs-provision upload \ --keyname BL_PUBKEY \ --key <path>/bootloader/mcuboot/root-ed25519.pem \ --build-dir <path>/samples/dfu/single script ?

I was not to be able to see it when I tried west -v build or west -v flash.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 longo92 2 months ago in reply to Hung Bui

Thank you for the details.

I am developing in VSCode using the nRF Connect extension.

By enabling the verbose mode in the extension ("nrf-connect.west.verbose": "-v" – very useful for understanding what is happening), you can see all the commands used during the build process. This is how I was able to see the west ncs-provision command mentioned.

I think that the VScode GUI build command do a sequence of commands (not only west build).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Hung Bui 2 months ago in reply to longo92

Hi Alessandro,

Thanks for the tip. I have enabled the option and can see more log.
But still it's hard to catch the exact command. Could you please may be take a screenshot or show more on the log when you see the command ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 longo92 2 months ago in reply to Hung Bui
If you want to see a cleaner output, after build,

delete the keyfile.json in build directory,

then triggers build from the GUI command: this should triggers only commands for missing files.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel