applications: nrf_desktop: Document MCUboot HW crypto for nRF54L SoC Series #19356
Conversation
MarekPieta
added
the
backport v2.9-branch
github-actions
bot
added
doc-required
MarekPieta
removed
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:more detailsGithub labels
List of changed files detected by CI (0)Outputs:ToolchainVersion: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
|
If you plan a release note entry, add it to #19240 as a comment. |
github-actions
bot
added
the
changelog-entry-required
Change introduces information that hardware crypto is used for the MCUboot botloader on nRF54L15 DK. Jira: NCSDK-30742 Signed-off-by: Marek Pieta <[email protected]> Signed-off-by: Anna Wojdylo <[email protected]>
MarekPieta
force-pushed
the
nrf54l15_mcuboot_hw_crypto_doc
branch
from
3d2f761 to
1774761
Compare
MarekPieta
removed
the
changelog-entry-required
Change introduces documentation describing nRF54L MCUboot provisioning. Storing MCUboot keys in KMU requires manual provisioning. Jira: NCSDK-30742 Signed-off-by: Marek Pieta <[email protected]> Signed-off-by: Anna Wojdylo <[email protected]> Signed-off-by: Divya Pillai <[email protected]>
github-actions
bot
added
the
changelog-entry-required
Change introduces doucumentation for using MCUboot hardware cryptography on nRF54L SoC Series. Jira: NCSDK-30742 Signed-off-by: Marek Pieta <[email protected]> Signed-off-by: Anna Wojdylo <[email protected]> Signed-off-by: Divya Pillai <[email protected]>
MarekPieta
force-pushed
the
nrf54l15_mcuboot_hw_crypto_doc
branch
from
c37b4a0 to
ee08e14
Compare
MarekPieta
removed
the
changelog-entry-required
| The private keys are stored in the application configuration directory of the board. | ||
| Path to the private key is defined by the ``SB_CONFIG_BOOT_SIGNATURE_KEY_FILE`` sysbuild Kconfig option. | ||
| You only need to provision one public key to an nRF Desktop device. | ||
| For details, see :ref:`provisioning KMU for nRF54L devices <ug_nrf54l_developing_provision_kmu>`. |
There was a problem hiding this comment.
Didn't we agree to place here commends on how to provision dk?
There was a problem hiding this comment.
We discussed this idea, but eventually we desisted from doing it. More provisioning methods might be introduced in the future (I guess some of them would be done through GUI). Alternatively the provisioning might be done automatically together with programming the board. I would prefer not to maintain this doc part in scope of nRF Desktop.
The command is described on the linked provisioning KMU for nRF54L devices page. I could also add a single key command variant there to make it more straightforward for nRF Desktop users.
| The nRF54L SoC Series enhances security and reduces boot times by using hardware cryptography in the MCUboot immutable bootloader. | ||
| The |NCS| allows using hardware cryptography for ED25519 signature (``SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519``) on the nRF54L SoC Series. | ||
|
|
||
| You can enhance security further by enabling the following sysbuild Kconfig options: |
There was a problem hiding this comment.
Aren't those options enabled by default?
There was a problem hiding this comment.
No. Application needs to enable them in sysbuild configuration
| In this use case, the application image is automatically signed by the |NCS| build system. | ||
| However, the public key is not automatically provisioned to the device when programming the bootloader and the application images using the ``west flash`` command. | ||
|
|
||
| To provision the MCUboot keys, use the ``west ncs-provision`` command before programming the bootloader and application images. |
There was a problem hiding this comment.
Wouldn't it make more sense to add this documentation section to general MCUboot documentation and only provide a link here?
There was a problem hiding this comment.
It would be a bit more complicated to make a generic documentation for MCUboot (using KMU is controlled with a Kconfig option, multiple public keys might be used etc.). I would prefer to keep this simple docs in scope of nRF Desktop for NCS 2.9. After MCUboot bootloader docs are improved, we could remove part of this documentation and replace it with a link.
| @@ -952,6 +952,24 @@ See :ref:`app_build_file_suffixes` and :ref:`cmake_options` for information abou | |||
|
|
|||
| .. nrf_desktop_fastpair_important_end | |||
| nRF54L MCUboot provisioning | |||
There was a problem hiding this comment.
Can we avoid target names in section titles? You can find a few suggestions below:
MCUboot provisioning using the key storage peripheral
or
MCUboot provisioning using the KMU peripheral
or
MCUboot provisioning using the HW storage
The KMU is also available for nRF53 Series.
And then we can list supported targets or even provide a reference to the list that is maintained in the general MCUboot documentation
There was a problem hiding this comment.
I intentionally prefer to keep nRF54L in the section name as currently it's the only SoC Series that supports the feature. Even Kconfigs and build system have SoC Series dependencies. I am worried that making the documentation more generic could lead to false impression that other SoC Series might also support these features.
There was a problem hiding this comment.
Also, using nRF54L in the title allows to skip whole section for other SoC Series' users
PR introduces documentation for MCUboot HW crypto for nRF54L SoC Series.
Jira: NCSDK-30742