Backport 23527 to v3.1 branch

cmake/sysbuild/image_signing.cmake

@@ -196,8 +196,18 @@ function(zephyr_mcuboot_tasks)
           CACHE FILEPATH "Signed and encrypted kernel bin file" FORCE
       )
 
+      # Signature type determines key exchange scheme; ED25519 here means
+      # ECIES-X25519 is used. Default to HMAC-SHA512 for ECIES-X25519.
+      # Only .encrypted.bin file gets the ENCX25519/ENCX25519_SHA512, the
+      # just signed one does not.
+      # Only NRF54L gets the HMAC-SHA512, other remain with previously used
+      # SHA256.
+      if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
+        set(imgtool_hmac_args --hmac-sha 512)
+      endif()
+
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
-        ${imgtool_sign} ${imgtool_args} --encrypt "${keyfile_enc}" ${imgtool_bin_extra} ${unconfirmed_args})
+        ${imgtool_sign} ${imgtool_args} ${imgtool_hmac_args} --encrypt "${keyfile_enc}" ${imgtool_bin_extra} ${unconfirmed_args})
     endif()
   endif()
 
@@ -229,6 +239,14 @@ function(zephyr_mcuboot_tasks)
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
         ${imgtool_sign} ${imgtool_args} ${imgtool_directxip_hex_command} ${imgtool_hex_extra} ${unconfirmed_args})
     else()
+      # Signature type determines key exchange scheme; ED25519 here means
+      # ECIES-X25519 is used. Default to HMAC-SHA512 for ECIES-X25519.
+      # Only NRF54L gets the HMAC-SHA512, other remain with previously used
+      # SHA256.
+      if(CONFIG_SOC_SERIES_NRF54LX AND CONFIG_MCUBOOT_BOOTLOADER_SIGNATURE_TYPE_ED25519)
+        set(imgtool_args ${imgtool_args} --hmac-sha 512)
+      endif()
+
       set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
         ${imgtool_sign} ${imgtool_args} --encrypt "${keyfile_enc}" --clear
         ${imgtool_directxip_hex_command} ${imgtool_hex_extra} ${unconfirmed_args})

sysbuild/CMakeLists.txt

@@ -267,18 +267,11 @@ function(${SYSBUILD_CURRENT_MODULE_NAME}_pre_cmake)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER y)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER y)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER y)
-
-          if(SB_CONFIG_NRF_MCUBOOT_HMAC_SHA512)
-            set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 y)
-          else()
-            set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
-          endif()
         else()
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_CIPHER_DRIVER n)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_MAC_DRIVER n)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_AGREEMENT_DRIVER n)
           set_config_bool(mcuboot CONFIG_PSA_USE_CRACEN_KEY_DERIVATION_DRIVER n)
-          set_config_bool(mcuboot CONFIG_BOOT_HMAC_SHA512 n)
         endif()
 
         if(SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU)

sysbuild/Kconfig.mcuboot

@@ -198,15 +198,6 @@ config MCUBOOT_GENERATE_DEFAULT_KMU_KEYFILE
 	help
 	  If enabled, the build system will generate keyfile.json file in the build directory.
 
-config NRF_MCUBOOT_HMAC_SHA512
-	bool "Use SHA256 for HMAC"
-	depends on BOOT_ENCRYPTION && SOC_SERIES_NRF54LX && BOOT_SIGNATURE_TYPE_ED25519
-	help
-	  Default is to use SHA256 for HMAC/HKDF ECIES-X25519 key exchange is used.
-	  This means that both SHA256 and SHA512 support has to be compiled in.
-	  Enabling this option switches to SHA512 for HMAC/HKDF slightly reducing
-	  MCUboot code size.
-
 endif
 
 config MCUBOOT_USE_ALL_AVAILABLE_RAM

west.yml

@@ -131,7 +131,7 @@ manifest:
           compare-by-default: true
     - name: mcuboot
       repo-path: sdk-mcuboot
-      revision: 09f09c4ad1ee41c8d673af06eeccd60f76310b0c
+      revision: 05a633937029363ecb2208f9f855fe415f0038bc
       path: bootloader/mcuboot
     - name: qcbor
       url: https://github.com/laurencelundblade/QCBOR