mcuboot: Make ED25519 signature default for nrf54l series

de-nordic · de-nordic · commit ebfa91582287 · 2024-11-28T16:48:59.000Z
MCUboot for nRF54l15 will be built with support for ED25519
by default and application images will be signed with ED25519
signature.
The MCUboot partition size, for this configuration, is set
to 0xd000.

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/modules/mcuboot/boot/zephyr/Kconfig b/modules/mcuboot/boot/zephyr/Kconfig
@@ -39,6 +39,7 @@ config PM_PARTITION_SIZE_MCUBOOT
 	hex "Flash space allocated for the MCUboot partition" if !BOOT_USE_MIN_PARTITION_SIZE
 	default 0xb800 if MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 && SOC_SERIES_NRF54LX
 	default 0xbe00 if MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 && !SOC_SERIES_NRF54LX
+	default 0xd000 if SOC_SERIES_NRF54LX && BOOT_SIGNATURE_TYPE_ED25519 && !BOOT_SIGNATURE_USING_KMU
 	default 0xc000
 	help
 	  Flash space set aside for the MCUboot partition.
diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt
@@ -229,9 +229,15 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
     # The NRF54LX goes with PSA crypto by default
     if(SB_CONFIG_SOC_SERIES_NRF54LX AND SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519)
       set_config_bool(mcuboot CONFIG_NRF_SECURITY y)
-      set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
       set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519 y)
       set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 y)
+      # We are sure that ED25519 signature on MCUboot does not need these
+      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_CIPHER_DRIVER n)
+      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_AEAD_DRIVER n)
+      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER n)
+      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
+      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_PAKE_DRIVER n)
+      set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
 
       if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)
         set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_USING_KMU y)
@@ -241,13 +247,15 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
 
       if(SB_CONFIG_BOOT_SIGNATURE_TYPE_PURE)
         set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE y)
+        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 n)
+        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER n)
         set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE y)
       else()
         set_config_bool(mcuboot CONFIG_BOOT_SIGNATURE_TYPE_PURE n)
+        set_config_bool(mcuboot CONFIG_BOOT_IMG_HASH_ALG_SHA512 y)
+        set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_HASH_DRIVER y)
         set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_PURE n)
       endif()
-    else()
-      set_config_bool(${DEFAULT_IMAGE} CONFIG_MCUBOOT_BOOTLOADER_USES_SHA512 n)
     endif()
 
     # A v1 board doesn't define board qualifiers, thus below test will just test the pure board
diff --git a/sysbuild/Kconfig.mcuboot b/sysbuild/Kconfig.mcuboot
@@ -139,6 +139,7 @@ choice BOOT_SIGNATURE_TYPE
 	default BOOT_SIGNATURE_TYPE_RSA if THINGY91_STATIC_PARTITIONS_FACTORY
 	default BOOT_SIGNATURE_TYPE_ECDSA_P256 if ((SOC_NRF52840 || SOC_SERIES_NRF91X) && !BOARD_THINGY91_NRF9160 && !BOARD_THINGY91_NRF52840)
 	default BOOT_SIGNATURE_TYPE_ECDSA_P256 if SECURE_BOOT_APPCORE
+	default BOOT_SIGNATURE_TYPE_ED25519 if SOC_SERIES_NRF54LX
 
 endchoice
 
