suit: Build system changes needed for encryption

[ahasztag]

This commit contains changes to the SUIT build system allowing for encrypting images for update.

[NordicBuilder]

The following west manifest projects have changed revision in this Pull Request:

Name	Old Revision	New Revision	Diff
suit-generator	nrfconnect/suit-generator@f07d308	nrfconnect/suit-generator@f26d3e0 (ncs)	nrfconnect/[email protected]

✅ All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

[NordicBuilder]

CI Information

^{To view the history of this post, clich the 'edited' button above}
Build number: 21

Inputs:

Sources:

sdk-nrf: PR head: a56204b98b73062d988d17be31c8e94fd2960a78
suit-generator: PR head: f26d3e0295fd9fa73c3fc2ea7f70a3d96e36a44e

more details

sdk-nrf:

PR head: a56204b98b73062d988d17be31c8e94fd2960a78
merge base: 658662845a8e4d4cb677800c8d36acfac9176c90
target head (main): aec6383d2d31332319493bab8b5364d62f0fad8a
Diff

suit-generator:

PR head: f26d3e0295fd9fa73c3fc2ea7f70a3d96e36a44e
merge base: f07d308f03e039bc73767c145f4cff4a70e74442
Diff

Github labels

Enabled	Name	Description
	ci-disabled	Disable the ci execution
	ci-all-test	Run all of ci, no test spec filtering will be done
	ci-force-downstream	Force execution of downstream even if twister fails
	ci-run-twister	Force run twister
	ci-run-zephyr-twister	Force run zephyr twister

List of changed files detected by CI (13)

cmake
│  ├── sysbuild
│  │  ├── suit.cmake
│  │  │ suit_utilities.cmake
config
│  ├── suit
│  │  ├── templates
│  │  │  ├── nrf54h20
│  │  │  │  ├── default
│  │  │  │  │  ├── v1
│  │  │  │  │  │  ├── app_envelope.yaml.jinja2
│  │  │  │  │  │  │ rad_envelope.yaml.jinja2
modules
│  ├── lib
│  │  ├── suit-generator
│  │  │  ├── ncs
│  │  │  │  ├── Kconfig
│  │  │  │  ├── app_envelope_encrypted.yaml.jinja2
│  │  │  │  ├── basic_kms.py
│  │  │  │  ├── build.py
│  │  │  │  │ encrypt_script.py
samples
│  ├── suit
│  │  ├── smp_transfer
│  │  │  ├── suit
│  │  │  │  ├── nrf54h20
│  │  │  │  │  ├── app_envelope_extflash.yaml.jinja2
│  │  │  │  │  │ rad_envelope_extflash.yaml.jinja2
sysbuild
│  │ Kconfig.suit
west.yml

Outputs:

Toolchain

Version: 11349092be
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:11349092be_912848a074

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

• ◻️ Toolchain - Skipped: existing toolchain is used
• ✅ Build twister - Skipped: Skipping Build & Test as it succeeded in a previous run: 20
• ✅ Integration tests
  • ✅ test-sdk-audio - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ desktop52_verification - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-boot - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-apps - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test_ble_nrf_config - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-ble_mesh - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-ble_samples - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-chip - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nfc - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf-iot_libmodem-nrf - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf-iot_serial_lte_modem - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf-iot_zephyr_lwm2m - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf-iot_samples - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ doc-internal - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf-iot_thingy91 - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf_crypto - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-rpc - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-rs - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-fem - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-tfm - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-thread - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-zigbee - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-sdk-find-my - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf-iot_mosh - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf-iot_positioning - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-sdk-sidewalk - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-sdk-wifi - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-low-level - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-nrf-iot_nrf_provisioning - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-sdk-pmic-samples
  • ✅ test-sdk-mcuboot - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-sdk-dfu - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-fw-nrfconnect-ps - Skipped: Job was skipped as it succeeded in a previous run
  • ✅ test-secdom-samples-public - Skipped: Job was skipped as it succeeded in a previous run
  • ⚠️ test-sdk-dfu

Note: This message is automatically posted and updated by the CI

[NordicBuilder]

You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.

Note: This comment is automatically posted by the Documentation Publish GitHub Action.

[NordicBuilder]

Memory footprint analysis revealed the following potential issues

sample.matter.template.debug[nrf7002dk/nrf5340/cpuapp]: High ROM usage: 911938[B] - link (cc: @kkasperczyk-no @ArekBalysNordic @markaj-nordic)
sample.matter.template.release[nrf7002dk/nrf5340/cpuapp]: High ROM usage: 820770[B] - link (cc: @kkasperczyk-no @ArekBalysNordic @markaj-nordic)

Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-19681/19)

[nordicjm]

apply changes throughout whole PR

[nordicjm]

the widths should match for the header and footer with the message

[ahasztag]

Fixed

[nordicjm]

typos need fixing

[ahasztag]

Fixed

[nordicjm]

use the actual module name instead of a path from the nrf module?

[ahasztag]

Ok, changed

[nordicjm]

1x tab followed by 2x spaces for help text indent

[ahasztag]

Ok, fixed

[nordicjm]

why is this a kconfig?

[ahasztag]

The SUIT_ENVELOPE_KMS_SCRIPT choice is supposed to be extended, adding more possible values to SUIT_ENVELOPE_KMS_SCRIPT_PATH - in a similar way like

sdk-nrf/sysbuild/Kconfig.netcore

Line 142 in cac49ac

default "${ZEPHYR_NRF_MODULE_DIR}/samples/nrf5340/empty_net_core" if NETCORE_EMPTY

[nordicjm]

The netcore part is used to specify an image, not a file, the file part of signing is done like so: https://github.com/zephyrproject-rtos/zephyr/blob/main/CMakeLists.txt#L2027 which then uses this file by default: https://github.com/zephyrproject-rtos/zephyr/blob/main/cmake/mcuboot.cmake but in ncs is overridden here: https://github.com/nrfconnect/sdk-nrf/blob/main/sysbuild/CMakeLists.txt#L293 or https://github.com/nrfconnect/sdk-nrf/blob/main/sysbuild/CMakeLists.txt#L336

[ahasztag]

Ok, the misunderstanding was cleared offline, I will fix this.

[ahasztag]

Ok, fixed

[nordicjm]

Nit. can be fixed in future