tests: Add KMU basic tests

Added basic tests for KMU key provisioning.

Co-authored-by: Grzegorz Chwierut <grzegorz.chwierut@nordicsemi.no>

Signed-off-by: Lukasz Fundakowski <lukasz.fundakowski@nordicsemi.no>

Author: fundakol

CODEOWNERS

@@ -73,6 +73,7 @@
 
 # Scripts
 /scripts/                                 @nrfconnect/ncs-bm
+/scripts/pytest_plugins/                  @nrfconnect/ncs-eris
 /scripts/requirements-*.txt               @nrfconnect/ncs-co-build-system
 
 # Subsystems
@@ -96,6 +97,7 @@
 /tests/lib/bluetooth/ble_adv/             @nrfconnect/ncs-bm-test
 /tests/subsys/bluetooth/services/         @nrfconnect/ncs-bm @nrfconnect/ncs-bm-test
 /tests/subsys/fs/bm_zms/                  @nrfconnect/ncs-bm @rghaddab
+/tests/subsys/kmu/                        @nrfconnect/ncs-eris
 /tests/subsys/storage/bm_storage/         @nrfconnect/ncs-bm
 
 # Zephyr module

scripts/pytest_plugins/README.md

@@ -0,0 +1,11 @@
+# Shared Python's libraries for the `pytest-twister-harness`
+
+The package contains plugins for pytest that can be used in twister tests
+and other shared Python modules for testing framework.
+It is required to export PYTHONPATH with the path to `nrf-bm\scripts`
+so this shared library is available for pytest tests.
+
+For example:
+```sh
+PYTHONPATH=$PYTHONPATH:$ZEPHYR_BASE/../nrf-bm/scripts $ZEPHYR_BASE/scripts/twister -T $ZEPHYR_BASE/../nrf-bm/tests/subsys/kmu/hello_for_kmu -p bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot --device-testing --device-serial /dev/ttyACM1 --west-flash="--erase"
+```

scripts/pytest_plugins/plugin.py

@@ -0,0 +1,32 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+"""Pytest plugin to share common fixtures among the tests."""
+
+import os
+from pathlib import Path
+
+import pytest
+from twister_harness.device.device_adapter import DeviceAdapter
+from twister_harness.fixtures import determine_scope
+
+
+@pytest.fixture(scope="session")
+def nrf_bm_path() -> Path:
+    """Return path to sdk-bm repository."""
+    return Path(__file__).parents[2]
+
+
+@pytest.fixture(scope="session")
+def zephyr_base() -> Path:
+    """Return path to zephyr repository."""
+    return Path(os.getenv("ZEPHYR_BASE", ""))
+
+
+@pytest.fixture(scope=determine_scope)
+def no_reset(device_object: DeviceAdapter):
+    """Do not reset after flashing."""
+    device_object.device_config.west_flash_extra_args.append("--no-reset")
+    yield
+    device_object.device_config.west_flash_extra_args.remove("--no-reset")

scripts/pytest_plugins/utils/__init__.py

@@ -0,0 +1,3 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause

scripts/pytest_plugins/utils/cli_commands.py

@@ -0,0 +1,73 @@
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+import logging
+import os
+import shlex
+import subprocess
+from pathlib import Path
+from typing import Literal
+
+logger = logging.getLogger(__name__)
+
+
+def normalize_path(path: str) -> str:
+    path = os.path.expanduser(os.path.expandvars(path))
+    path = os.path.normpath(os.path.abspath(path))
+    return path
+
+
+def run_command(command: list[str], timeout: int = 30) -> None:
+    logger.info(f"CMD: {shlex.join(command)}")
+    ret: subprocess.CompletedProcess = subprocess.run(
+        command,
+        text=True,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.STDOUT,
+        timeout=timeout,
+    )
+    if ret.returncode:
+        logger.error(f"Failed command: {shlex.join(command)}")
+        logger.info(ret.stdout)
+        raise subprocess.CalledProcessError(ret.returncode, command)
+
+
+def reset_board(dev_id: str | None = None):
+    """Reset device."""
+    command = ["nrfutil", "device", "reset"]
+    if dev_id:
+        command.extend(["--serial-number", dev_id])
+    run_command(command)
+
+
+def erase_board(dev_id: str | None):
+    """Run nrfutil device erase command."""
+    command = ["nrfutil", "device", "erase"]
+    if dev_id:
+        command.extend(["--serial-number", dev_id])
+    run_command(command)
+
+
+def provision_keys_for_kmu(
+    keys: list[str] | list[Path] | str | Path,
+    *,
+    keyname: Literal["UROT_PUBKEY", "BL_PUBKEY", "APP_PUBKEY"] = "BL_PUBKEY",
+    policy: Literal["revokable", "lock", "lock-last"] | None = None,
+    dev_id: str | None = None,
+):
+    """Upload keys with west provision command."""
+    logger.info("Provision keys using west command.")
+    command = ["west", "ncs-provision", "upload", "--keyname", keyname]
+    if policy:
+        command += ["--policy", policy]
+    if dev_id:
+        command += ["--dev-id", dev_id]
+    if not isinstance(keys, list):
+        keys = [keys]
+    for key in keys:
+        assert os.path.exists(key), f"Key file does not exist: {key}"
+        command += ["--key", normalize_path(str(key))]
+
+    run_command(command)
+    logger.info("Keys provisioned successfully")

tests/subsys/kmu/README.md

@@ -0,0 +1,13 @@
+# KMU tests
+
+This directory contains test scenarios for Bare Metal KMU.
+
+## Run tests
+
+To run tests one must export PYTHONPATH with the path to `nrf-bm/scripts` directory,
+so all packages from that directory are available for Python (it is exported in `conftest.py`).
+
+To run tests for `hello_for_kmu` with twister execute the example command:
+```sh
+$ZEPHYR_BASE/scripts/twister -T $ZEPHYR_BASE/../nrf-bm/tests/subsys/kmu/hello_for_kmu -p bm_nrf54l15dk/nrf54l15/cpuapp/s115_softdevice/mcuboot --device-testing --device-serial /dev/ttyACM1 --west-flash="--erase"
+```

tests/subsys/kmu/hello_for_kmu/CMakeLists.txt

@@ -0,0 +1,12 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+cmake_minimum_required(VERSION 3.20.0)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(hello_for_kmu)
+
+target_sources(app PRIVATE src/main.c)

tests/subsys/kmu/hello_for_kmu/prj.conf

@@ -0,0 +1,9 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+
+CONFIG_LOG=y
+CONFIG_LOG_BACKEND_BM_UARTE=y
+
+CONFIG_CLOCK_CONTROL=y

tests/subsys/kmu/hello_for_kmu/src/main.c

@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <stdio.h>
+
+int main(void)
+{
+	printf("Hello World! %s\n", CONFIG_BOARD_TARGET);
+
+	return 0;
+}

tests/subsys/kmu/hello_for_kmu/sysbuild.conf

@@ -0,0 +1,6 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+SB_CONFIG_BM_BOOTLOADER_MCUBOOT_SIGNATURE_USING_KMU=y