diff --git a/cmake/sysbuild/image_signing.cmake b/cmake/sysbuild/image_signing.cmake index 0f30f30dd0e..3c7fdb9cdfa 100644 --- a/cmake/sysbuild/image_signing.cmake +++ b/cmake/sysbuild/image_signing.cmake @@ -196,8 +196,18 @@ function(zephyr_mcuboot_tasks) CACHE FILEPATH "Signed and encrypted kernel bin file" FORCE ) + # Signature type determines key exchange scheme; ED25519 here means + # ECIES-X25519 is used. Default to HMAC-SHA512 for ECIES-X25519. + # Only .encrypted.bin file gets the ENCX25519/ENCX25519_SHA512, the + # just signed one does not. + # Only NRF54L gets the HMAC-SHA512, other remain with previously used + # SHA256. + if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519) + set(imgtool_hmac_args --hmac-sha 512) + endif() + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND - ${imgtool_sign} ${imgtool_args} --encrypt "${keyfile_enc}" ${imgtool_bin_extra} ${unconfirmed_args}) + ${imgtool_sign} ${imgtool_args} ${imgtool_hmac_args} --encrypt "${keyfile_enc}" ${imgtool_bin_extra} ${unconfirmed_args}) endif() endif() @@ -229,6 +239,14 @@ function(zephyr_mcuboot_tasks) set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND ${imgtool_sign} ${imgtool_args} ${imgtool_directxip_hex_command} ${imgtool_hex_extra} ${unconfirmed_args}) else() + # Signature type determines key exchange scheme; ED25519 here means + # ECIES-X25519 is used. Default to HMAC-SHA512 for ECIES-X25519. + # Only NRF54L gets the HMAC-SHA512, other remain with previously used + # SHA256. + if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519) + set(imgtool_args ${imgtool_args} --hmac-sha 512) + endif() + set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND ${imgtool_sign} ${imgtool_args} --encrypt "${keyfile_enc}" --clear ${imgtool_directxip_hex_command} ${imgtool_hex_extra} ${unconfirmed_args}) diff --git a/sysbuild/CMakeLists.txt b/sysbuild/CMakeLists.txt index 05708ae184b..4036d3051a4 100644 --- a/sysbuild/CMakeLists.txt +++ b/sysbuild/CMakeLists.txt @@ -267,18 +267,11 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake) set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER y) set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER y) set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER y) - - if(SB_CONFIG_NRF_MCUBOOT_HMAC_SHA512) - set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 y) - else() - set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n) - endif() else() set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_CIPHER_DRIVER n) set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER n) set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n) set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n) - set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n) endif() if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU) diff --git a/sysbuild/Kconfig.mcuboot b/sysbuild/Kconfig.mcuboot index 9ee79e6d347..b48d7390ead 100644 --- a/sysbuild/Kconfig.mcuboot +++ b/sysbuild/Kconfig.mcuboot @@ -198,15 +198,6 @@ config MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE help If enabled, the build system will generate keyfile.json file in the build directory. -config NRF_MCUBOOT_HMAC_SHA512 - bool "Use SHA256 for HMAC" - depends on BOOT_ENCRYPTION && SOC_SERIES_NRF54LX && BOOT_SIGNATURE_TYPE_ED25519 - help - Default is to use SHA256 for HMAC/HKDF ECIES-X25519 key exchange is used. - This means that both SHA256 and SHA512 support has to be compiled in. - Enabling this option switches to SHA512 for HMAC/HKDF slightly reducing - MCUboot code size. - endif config MCUBOOT_USE_ALL_AVAILABLE_RAM diff --git a/west.yml b/west.yml index ba262efe01d..d9026c7f4ac 100644 --- a/west.yml +++ b/west.yml @@ -131,7 +131,7 @@ manifest: compare-by-default: true - name: mcuboot repo-path: sdk-mcuboot - revision: 09f09c4ad1ee41c8d673af06eeccd60f76310b0c + revision: 05a633937029363ecb2208f9f855fe415f0038bc path: bootloader/mcuboot - name: qcbor url: https://github.com/laurencelundblade/QCBOR