@michalek-no

adds description for key revocation feature.

@michalek-no michalek-no requested a review from nvlsianpu December 4, 2025 10:34
@michalek-no michalek-no requested review from a team as code owners December 4, 2025 10:34
@github-actions github-actions bot added changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. doc-required PR must not be merged without tech writer approval. labels Dec 4, 2025
@github-actions

github-actions bot commented Dec 4, 2025

You can find the documentation preview for this PR here.

@peknis

peknis commented Dec 4, 2025

Would this be worth a changelog entry?

@michalek-no michalek-no removed the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Dec 4, 2025
@michalek-no

Would this be worth a changelog entry?

nope, removed.

@github-actions github-actions bot added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Dec 4, 2025
MCUboot can invalidate image verification keys through the ``CONFIG_BOOT_KMU_KEYS_REVOCATION`` Kconfig option.
Enable this option during the MCUboot build process if there is a risk that images signed with a compromised key might contain critical vulnerabilities.
The revocation of keys is triggered when both the firmware loader and SoftDevice are using a newer key.
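
Review bot: The last line says revocation is "triggered when both the firmware loader and SoftDevice are using a newer key", but nothing here states which key is invalidated, what "newer" is measured against, or whether the invalidation can be undone. Please spell that out, and say what happens at boot to an image that is still signed with an invalidated key. The second line would also read more clearly if it described the risk as a compromised signing key rather than as vulnerabilities in the images signed with it.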

Can you add info that (rephrase): Keys must be provisioned in selected amount (Kconfig property?), refer to Performing KMU provisioning_ for HowTo.

@nvlsianpu nvlsianpu added this to the v1.0.0 milestone Dec 4, 2025
adds description for key revocation feature.

Signed-off-by: Mateusz Michalek <[email protected]>
@michalek-no michalek-no removed the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Dec 4, 2025
.. note::
The support for this feature is currently experimental.

MCUboot can invalidate image verification keys through the ``CONFIG_BOOT_KMU_KEYS_REVOCATION`` Kconfig option.

@eivindj-nordic eivindj-nordic Dec 4, 2025

Any reason we don't use the Kconfig reference here (and below)?

Suggested change
MCUboot can invalidate image verification keys through the ``CONFIG_BOOT_KMU_KEYS_REVOCATION`` Kconfig option.
MCUboot can invalidate image verification keys through the :kconfig:option:`CONFIG_BOOT_KMU_KEYS_REVOCATION` Kconfig option.

(It is not linking properly at the moment, though we are using it elsewhere).

We only use that format if the option is available in the Kconfig search.

Ok, can come back to this if it works after #401.

@eivindj-nordic eivindj-nordic merged commit 5e7de84 into nrfconnect:main Dec 4, 2025
19 checks passed