From 8c176890e4c703cd0d97331a8725556d5d3d08f4 Mon Sep 17 00:00:00 2001
From: Tomasz Chyrowicz
Date: Tue, 26 May 2026 13:58:56 +0200
Subject: [PATCH 1/2] [nrf noup] bootutil: Fix configuration without key revocation
Remove the usage of validated_with variable in configuration that does not enable key revocation.
Ref: NCSDK-NONE
Signed-off-by: Tomasz Chyrowicz
---
 boot/bootutil/src/ed25519_psa_kmu_its.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/boot/bootutil/src/ed25519_psa_kmu_its.c b/boot/bootutil/src/ed25519_psa_kmu_its.c
index 541ec74762..2e479b4492 100644
--- a/boot/bootutil/src/ed25519_psa_kmu_its.c
+++ b/boot/bootutil/src/ed25519_psa_kmu_its.c
@@ -118,7 +118,9 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 BOOT_LOG_INF("ED25519_verify: trying manufacturing application key ID 0x%" PRIx32, (uint32_t)manufacturing_app_key_id);
 /* Do not revoke application keys - pretend as if the first generation key was used */
+#if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)
 validated_with = 0;
+#endif
 status = psa_verify_message(manufacturing_app_key_id, PSA_ALG_PURE_EDDSA, message, message_len, signature, EDDSA_SIGNAGURE_LENGTH);
From 8477635de660bce0b86d77789b84ffa7a6f9c7e1 Mon Sep 17 00:00:00 2001
From: Tomasz Chyrowicz
Date: Wed, 27 May 2026 14:26:56 +0200
Subject: [PATCH 2/2] [nrf noup] loader: Do not write trailer for NSIB images
The NSIB does not check the MCUboot image trailer. Writing data to it (i.e. copy done or image ok flags) artificially limits the maximum size of the MCUboot image that can be provided.
Ref: NCSDK-39564
Signed-off-by: Tomasz Chyrowicz
---
 boot/bootutil/src/loader.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index c0d8697d53..7a72c28f8c 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
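Review bot: The comment `/* Do not revoke application keys - pretend as if the first generation key was used */` stays outside the new `#if defined(CONFIG_BOOT_KMU_KEYS_REVOCATION)` guard, so a build without key revocation keeps a comment describing an assignment that is compiled out. Moving the comment inside the guard, directly above `validated_with = 0;`, keeps the explanation attached to the code it explains. The declaration of `validated_with` is not in the hunk; presumably it sits under the same symbol, in which case it is worth checking that the guard spelling here matches the one at the declaration so the two cannot drift apart. ED25519_verify continues outside the hunk on both sides.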
@@ -1718,8 +1718,8 @@ boot_perform_update(struct boot_loader_state *state, struct boot_status *bs)
 * swap was finished to avoid a new revert.
 */
 swap_type = BOOT_SWAP_TYPE(state);
- if (swap_type == BOOT_SWAP_TYPE_REVERT ||
- swap_type == BOOT_SWAP_TYPE_PERM) {
+ if ((swap_type == BOOT_SWAP_TYPE_REVERT || swap_type == BOOT_SWAP_TYPE_PERM)
+ && (!IS_NSIB_OWNED(BOOT_CURR_IMG(state)))) {
 rc = swap_set_image_ok(BOOT_CURR_IMG(state));
 if (rc != 0) {
 BOOT_SWAP_TYPE(state) = swap_type = BOOT_SWAP_TYPE_PANIC;
@@ -1746,7 +1746,7 @@ boot_perform_update(struct boot_loader_state *state, struct boot_status *bs)
 }
 #endif /* MCUBOOT_HW_ROLLBACK_PROT */
- if (BOOT_IS_UPGRADE(swap_type)) {
+ if (BOOT_IS_UPGRADE(swap_type) && (!IS_NSIB_OWNED(BOOT_CURR_IMG(state)))) {
 rc = swap_set_copy_done(BOOT_CURR_IMG(state));
 if (rc != 0) {
 BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
@@ -1782,8 +1782,8 @@ boot_complete_partial_swap(struct boot_loader_state *state,
 /* The following states need image_ok be explicitly set after the
 * swap was finished to avoid a new revert.
 */
- if (bs->swap_type == BOOT_SWAP_TYPE_REVERT ||
- bs->swap_type == BOOT_SWAP_TYPE_PERM) {
+ if ((bs->swap_type == BOOT_SWAP_TYPE_REVERT || bs->swap_type == BOOT_SWAP_TYPE_PERM)
+ && (!IS_NSIB_OWNED(BOOT_CURR_IMG(state)))) {
 rc = swap_set_image_ok(BOOT_CURR_IMG(state));
 if (rc != 0) {
 BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
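Review bot: The added `!IS_NSIB_OWNED(BOOT_CURR_IMG(state))` condition skips writing image_ok for NSIB-owned images, but nothing in the hunk shows the swap-type determination being adjusted to match; if that code (outside this hunk) still reads the primary-slot trailer for these images, the absent image_ok and copy_done flags could presumably be read as a pending test or interrupted swap on the next MCUboot boot, so that path is worth confirming. The same predicate is repeated in the hunks at -1746 and -1782 without a comment saying why the trailer is left untouched; a one-line comment at the first site, for example `/* NSIB ignores the trailer; writing it only shrinks the usable slot size. */`, would carry the rationale from the commit message into the code. The doubled parentheses around `(!IS_NSIB_OWNED(...))` are unnecessary and could be dropped at all three sites. boot_perform_update and boot_complete_partial_swap both begin and end outside their hunks.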
@@ -2332,10 +2332,12 @@ context_boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
 * pretending we just reverted back to primary slot.
 */
 #ifndef MCUBOOT_OVERWRITE_ONLY
- /* image_ok needs to be explicitly set to avoid a new revert. */
- rc = swap_set_image_ok(BOOT_CURR_IMG(state));
- if (rc != 0) {
- BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
+ if (!IS_NSIB_OWNED(BOOT_CURR_IMG(state))) {
+ /* image_ok needs to be explicitly set to avoid a new revert. */
+ rc = swap_set_image_ok(BOOT_CURR_IMG(state));
+ if (rc != 0) {
+ BOOT_SWAP_TYPE(state) = BOOT_SWAP_TYPE_PANIC;
+ }
 }
 #endif /* !MCUBOOT_OVERWRITE_ONLY */
 break;
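Review bot: When `IS_NSIB_OWNED(BOOT_CURR_IMG(state))` is true the new block leaves `rc` holding whatever an earlier call in context_boot_go assigned, and the hunk does not show how `rc` is used after the `break;`; if it is checked after the switch, a stale non-zero value would be reported for this branch, so it is worth confirming that `rc` is either reset or not consulted there. The new `if` also lacks a comment stating why the trailer write is skipped; the commit message gives the reason, and `/* NSIB does not read the trailer, so leave it unwritten. */` above the condition would preserve it next to the code. context_boot_go starts and ends outside the hunk.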