[nrf noup] zephyr: Move KMU base slot configuration to Kconfig

de-nordic · de-nordic · commit 21bad9c34fac · 2025-11-14T10:55:38.000Z
Added Kconfig option NCS_BOOT_SIGNATURE_KMU_BASE_SLOT that controlls
base slot used by KMU.

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c
@@ -27,12 +27,7 @@ BOOT_LOG_MODULE_REGISTER(ed25519_psa);
 /* List of KMU stored key ids available for MCUboot */
 #define PSA_KEY_INDEX_SIZE 2
 
-#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || \
-	defined(CONFIG_NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING)
-#define PSA_KEY_STARTING_ID 226
-#else
-#define PSA_KEY_STARTING_ID 242
-#endif
+#define PSA_KEY_STARTING_ID CONFIG_NCS_BOOT_SIGNATURE_KMU_BASE_SLOT
 
 #define MAKE_PSA_KMU_KEY_ID(id) PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, id)
 static psa_key_id_t key_ids[] =  {
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -446,6 +446,15 @@ config BOOT_KMU_KEYS_REVOCATION
 	help
 	  Enabling KMU key revocation backend.
 
+config NCS_BOOT_SIGNATURE_KMU_BASE_SLOT
+	int
+	depends on BOOT_SIGNATURE_USING_KMU
+	default 226 if NCS_BOOT_SIGNATURE_KMU_UROT_MAPPING
+	default 226 if MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1
+	default 242
+	help
+	  Base key identifier for KMU.
+
 config NCS_BOOT_SIGNATURE_USING_ITS
 	bool "Use ITS stored keys for signature verification"
 	depends on NRF_SECURITY
