@@ -196,8 +196,18 @@ function(zephyr_mcuboot_tasks)
196196 CACHE FILEPATH "Signed and encrypted kernel bin file" FORCE
197197 )
198198
199+ # Signature type determines key exchange scheme; ED25519 here means
200+ # ECIES-X25519 is used. Default to HMAC-SHA512 for ECIES-X25519.
201+ # Only .encrypted.bin file gets the ENCX25519/ENCX25519_SHA512, the
202+ # just signed one does not.
203+ # Only NRF54L gets the HMAC-SHA512, other remain with previously used
204+ # SHA256.
205+ if (CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
206+ set (imgtool_hmac_args --hmac-sha 512)
207+ endif ()
208+
199209 set_property (GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
200- ${imgtool_sign} ${imgtool_args} --encrypt "${keyfile_enc} " ${imgtool_bin_extra} ${unconfirmed_args} )
210+ ${imgtool_sign} ${imgtool_args} ${imgtool_hmac_args} --encrypt "${keyfile_enc} " ${imgtool_bin_extra} ${unconfirmed_args} )
201211 endif ()
202212 endif ()
203213
@@ -229,6 +239,14 @@ function(zephyr_mcuboot_tasks)
229239 set_property (GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
230240 ${imgtool_sign} ${imgtool_args} ${imgtool_directxip_hex_command} ${imgtool_hex_extra} ${unconfirmed_args} )
231241 else ()
242+ # Signature type determines key exchange scheme; ED25519 here means
243+ # ECIES-X25519 is used. Default to HMAC-SHA512 for ECIES-X25519.
244+ # Only NRF54L gets the HMAC-SHA512, other remain with previously used
245+ # SHA256.
246+ if (CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
247+ set (imgtool_args ${imgtool_args} --hmac-sha 512)
248+ endif ()
249+
232250 set_property (GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
233251 ${imgtool_sign} ${imgtool_args} --encrypt "${keyfile_enc} " --clear
234252 ${imgtool_directxip_hex_command} ${imgtool_hex_extra} ${unconfirmed_args} )
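Review bot: In the second hunk the HMAC option is appended to the shared `imgtool_args` (`set (imgtool_args ${imgtool_args} --hmac-sha 512)`), whereas the first hunk keeps it in a separate `imgtool_hmac_args` so that only the encrypting command receives it. zephyr_mcuboot_tasks continues past this hunk, so any later command built from `imgtool_args` would presumably inherit `--hmac-sha 512` as well; using `set (imgtool_hmac_args --hmac-sha 512)` here and passing `${imgtool_hmac_args}` before `--encrypt` would keep the two paths consistent. In the first hunk `imgtool_hmac_args` is only set when the condition holds, so an explicit `set (imgtool_hmac_args)` before the `if` would stop a value from an enclosing scope reaching the sign command. The comment could also say that the bootloader must be built to expect HMAC-SHA512 on this SoC series, since the choice is keyed off `CONFIG_SOC_SERIES_NRF54LX` rather than off a bootloader setting visible in this hunk.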