I have a nRF54L15 firmware built on NCS v3.0.1, with image encryption enabled in mcuboot. Firmware needs to be updated to new version built on NCS 3.3.0.
In NCS 3.0.1, image encryption used HMAC-SHA256, while on the 3.3.0, HMAC-SHA512 is also supported. It seems that for nRF54, SHA512 is being forced when generating encrypted image in the image_signing.cmake:# Signature type determines key exchange scheme; ED25519 here means
# ECIES-X25519 is used. Default to HMAC-SHA512 for ECIES-X25519.
# Only .encrypted.bin file gets the ENCX25519/ENCX25519_SHA512, the
# just signed one does not.
# Only NRF54L gets the HMAC-SHA512, other remain with previously used
# SHA256.
if(CONFIG_SOC_SERIES_NRF54L AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
set(imgtool_encrypt_extra_args --hmac-sha 512)
endif()
endif()
Even when Kconfig option CONFIG_BOOT_HMAC_SHA256=y is set, image is still generated with SHA512 for HMAC. Shouldn't there be an option to still use SHA256 in order to be compatible with older SDKs? What's the best solution here, I would prefer to avoid modifying the image_signing.cmake inside the SDK?
