diff --git a/tests/subsys/kmu/pytest/test_kmu_revoke_in_app.py b/tests/subsys/kmu/pytest/test_kmu_revoke_in_app.py
deleted file mode 100644
index 277f018725d..00000000000
--- a/tests/subsys/kmu/pytest/test_kmu_revoke_in_app.py
+++ /dev/null
@@ -1,150 +0,0 @@
-# Copyright (c) 2025 Nordic Semiconductor ASA
-#
-# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-from __future__ import annotations
-
-import logging
-
-from pathlib import Path
-
-import pytest
-from twister_harness import DeviceAdapter
-from twister_harness.helpers.utils import match_lines, match_no_lines, find_in_config
-from common import provision_keys_for_kmu, reset_board, APP_KEYS_FOR_KMU
-
-logger = logging.getLogger(__name__)
-
-
-@pytest.mark.usefixtures("no_reset")
-def test_kmu_policy_revokable(dut: DeviceAdapter):
- """
- Upload keys using 'revokable' policy,
- revoke keys and verify that the device does not boot.
- """
- logger.info("Provision keys with 'revokable' policy")
- sysbuild_config = Path(dut.device_config.build_dir) / "zephyr" / ".config"
- key_file = find_in_config(sysbuild_config, "SB_CONFIG_BOOT_SIGNATURE_KEY_FILE")
- provision_keys_for_kmu(
- keys=[key_file],
- keyname="UROT_PUBKEY",
- policy="revokable",
- dev_id=dut.device_config.id,
- )
- dut.clear_buffer()
- reset_board(dut.device_config.id)
-
- lines = dut.readlines_until(
- regex="Unable to find bootable image|Destroy ok", print_output=True, timeout=20
- )
- match_lines(lines, ["Destroy ok"])
- match_no_lines(lines, ["Unable to find bootable image"])
- logger.info("Revoked keys, reboot once again")
-
- dut.clear_buffer()
- reset_board(dut.device_config.id)
- lines = dut.readlines_until(
- regex="Unable to find bootable image|Image version",
- print_output=True,
- timeout=20,
- )
- match_lines(lines, ["Unable to find bootable image"])
- logger.info("Passed: not booted with revoked keys")
-
-
-@pytest.mark.usefixtures("no_reset")
-def test_kmu_policy_lock(dut: DeviceAdapter):
- """
- Upload keys using 'lock' policy,
- try to revoke keys and verify that keys are not revoked
- and the device boots successfully.
- """
- logger.info("Provision keys with 'lock' policy")
- sysbuild_config = Path(dut.device_config.build_dir) / "zephyr" / ".config"
- key_file = find_in_config(sysbuild_config, "SB_CONFIG_BOOT_SIGNATURE_KEY_FILE")
- provision_keys_for_kmu(
- keys=[key_file],
- keyname="UROT_PUBKEY",
- policy="lock",
- dev_id=dut.device_config.id,
- )
- dut.clear_buffer()
- reset_board(dut.device_config.id)
-
- lines = dut.readlines_until(
- regex="Unable to find bootable image|Destroy ok|Destroy failed",
- print_output=True,
- timeout=20,
- )
- match_lines(lines, ["Destroy failed"])
- match_no_lines(lines, ["Unable to find bootable image"])
- logger.info("Keys not destroyed, reboot once again")
-
- dut.clear_buffer()
- reset_board(dut.device_config.id)
- lines = dut.readlines_until(
- regex="Unable to find bootable image|Destroy ok|Destroy failed",
- print_output=True,
- timeout=20,
- )
- match_no_lines(lines, ["Unable to find bootable image"])
- logger.info("Passed: locked keys not destroyed, booted successfully")
-
-
-@pytest.mark.parametrize("test_option", ["use_last_key", "use_revoked_key"])
-def test_kmu_policy_lock_last(dut: DeviceAdapter, test_option):
- """
- Upload keys using 'lock-last' policy,
- try to revoke keys and verify that last keys are not revoked,
- and the device boots successfully if last keys is used
- and not booted if revoked key is used.
- """
- logger.info("Provision keys with revokable policy")
- sysbuild_config = Path(dut.device_config.build_dir) / "zephyr" / ".config"
- key_file = find_in_config(sysbuild_config, "SB_CONFIG_BOOT_SIGNATURE_KEY_FILE")
-
- if test_option == "use_last_key":
- keys = [
- APP_KEYS_FOR_KMU / "root-ed25519-1.pem",
- APP_KEYS_FOR_KMU / "root-ed25519-2.pem",
- key_file,
- ]
- else:
- keys = [
- key_file,
- APP_KEYS_FOR_KMU / "root-ed25519-1.pem",
- APP_KEYS_FOR_KMU / "root-ed25519-2.pem",
- ]
-
- provision_keys_for_kmu(
- keys=keys,
- keyname="UROT_PUBKEY",
- policy="lock-last",
- dev_id=dut.device_config.id,
- )
- dut.clear_buffer()
- reset_board(dut.device_config.id)
-
- lines = dut.readlines_until(
- regex="Unable to find bootable image|Destroy failed",
- print_output=True,
- timeout=20,
- )
- match_lines(lines, ["Destroy ok", "Destroy failed"])
- match_no_lines(lines, ["Unable to find bootable image"])
- logger.info("Revoked keys but not all, reboot once again")
-
- dut.clear_buffer()
- reset_board(dut.device_config.id)
-
- lines = dut.readlines_until(
- regex="Unable to find bootable image|Destroy ok|Destroy failed",
- print_output=True,
- timeout=20,
- )
-
- if test_option == "use_last_key":
- match_no_lines(lines, ["Unable to find bootable image"])
- logger.info("Passed: last key not destroyed, booted successfully")
- else:
- match_lines(lines, ["Unable to find bootable image"])
- logger.info("Passed: not booted with revoked key")
diff --git a/tests/subsys/kmu/revoke/CMakeLists.txt b/tests/subsys/kmu/revoke/CMakeLists.txt
deleted file mode 100644
index d3fc73c6cd3..00000000000
--- a/tests/subsys/kmu/revoke/CMakeLists.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Copyright (c) 2025 Nordic Semiconductor ASA
-#
-# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
-
-cmake_minimum_required(VERSION 3.20.0)
-
-find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
-project(revoke)
-
-target_sources(app PRIVATE src/main.c)
diff --git a/tests/subsys/kmu/revoke/boards/nrf54lm20dk_nrf54lm20a_cpuapp.conf b/tests/subsys/kmu/revoke/boards/nrf54lm20dk_nrf54lm20a_cpuapp.conf
deleted file mode 100644
index c7275019181..00000000000
--- a/tests/subsys/kmu/revoke/boards/nrf54lm20dk_nrf54lm20a_cpuapp.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# Copyright (c) 2025 Nordic Semiconductor ASA
-#
-# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-
-CONFIG_NRF_SECURITY=y
diff --git a/tests/subsys/kmu/revoke/boards/nrf54lv10dk_nrf54lv10a_cpuapp.conf b/tests/subsys/kmu/revoke/boards/nrf54lv10dk_nrf54lv10a_cpuapp.conf
deleted file mode 100644
index c7275019181..00000000000
--- a/tests/subsys/kmu/revoke/boards/nrf54lv10dk_nrf54lv10a_cpuapp.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# Copyright (c) 2025 Nordic Semiconductor ASA
-#
-# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-
-CONFIG_NRF_SECURITY=y
diff --git a/tests/subsys/kmu/revoke/prj.conf b/tests/subsys/kmu/revoke/prj.conf
deleted file mode 100644
index ce02ac40653..00000000000
--- a/tests/subsys/kmu/revoke/prj.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Copyright (c) 2025 Nordic Semiconductor
-#
-# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
-CONFIG_MBEDTLS=n
-CONFIG_MBEDTLS_ENABLE_HEAP=y
-CONFIG_MBEDTLS_HEAP_SIZE=2048
-CONFIG_PSA_WANT_ALG_PURE_EDDSA=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
diff --git a/tests/subsys/kmu/revoke/src/main.c b/tests/subsys/kmu/revoke/src/main.c
deleted file mode 100644
index c8170bed2d4..00000000000
--- a/tests/subsys/kmu/revoke/src/main.c
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 2025 Nordic Semiconductor ASA.
- *
- * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
- */
-
-#include
-#include
-#include
-#include
-#include
-
-#define MAKE_PSA_KMU_KEY_ID(id) \
-PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, id)
-
-static psa_key_id_t kmu_key_ids[] = {
- MAKE_PSA_KMU_KEY_ID(226),
- MAKE_PSA_KMU_KEY_ID(228),
- MAKE_PSA_KMU_KEY_ID(230)
-};
-
-int main(void)
-{
- psa_status_t status = PSA_ERROR_BAD_STATE;
-
- status = psa_crypto_init();
- if (status == PSA_SUCCESS) {
- for (int i = 0; i < ARRAY_SIZE(kmu_key_ids); i++) {
- status = psa_destroy_key(kmu_key_ids[i]);
- if (status == PSA_SUCCESS) {
- printk("Destroy ok\n");
- } else {
- printk("Destroy failed: %d\n", status);
- }
- }
- } else {
- printk("PSA crypto init failed with error %d\n", status);
- }
- while (1) {
- }
- return 0;
-}
diff --git a/tests/subsys/kmu/revoke/sysbuild.conf b/tests/subsys/kmu/revoke/sysbuild.conf
deleted file mode 100644
index 6df628359c2..00000000000
--- a/tests/subsys/kmu/revoke/sysbuild.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# Copyright (c) 2025 Nordic Semiconductor
-#
-# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
-SB_CONFIG_BOOTLOADER_MCUBOOT=y
-SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
-SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU=y
diff --git a/tests/subsys/kmu/revoke/sysbuild/mcuboot.conf b/tests/subsys/kmu/revoke/sysbuild/mcuboot.conf
deleted file mode 100644
index 3f4c7033556..00000000000
--- a/tests/subsys/kmu/revoke/sysbuild/mcuboot.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Copyright (c) 2025 Nordic Semiconductor
-#
-# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
-#
-CONFIG_NRF_SECURITY=y
-CONFIG_MBEDTLS=n
-CONFIG_BOOT_ED25519_PSA=y
-CONFIG_BOOT_SIGNATURE_KMU_SLOTS=3
diff --git a/tests/subsys/kmu/revoke/testcase.yaml b/tests/subsys/kmu/revoke/testcase.yaml
deleted file mode 100644
index dade5a6a189..00000000000
--- a/tests/subsys/kmu/revoke/testcase.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-common:
- sysbuild: true
- timeout: 180
- tags:
- - pytest
- - mcuboot
- - kmu
- - ci_tests_subsys_kmu
- platform_allow:
- - nrf54l15dk/nrf54l15/cpuapp
- - nrf54lm20dk/nrf54lm20a/cpuapp
- - nrf54lv10dk/nrf54lv10a/cpuapp
- harness: pytest
- harness_config:
- pytest_root:
- - "../pytest/test_kmu_revoke_in_app.py"
-tests:
- mcuboot.kmu.west.provision.revoke: {}
diff --git a/west.yml b/west.yml
index 91e175e68ff..c6cb59322cd 100644
--- a/west.yml
+++ b/west.yml
@@ -128,7 +128,7 @@ manifest: compare-by-default: true - name: mcuboot repo-path: sdk-mcuboot - revision: 7b333ffd5ba2d01b731f528f2be89864abbf7ca3 + revision: b6b46a782d503cc52b41672e096fb526daaac31c path: bootloader/mcuboot - name: qcbor url: https://github.com/laurencelundblade/QCBOR