Merged
20 changes: 20 additions & 0 deletions doc/nrf-bm/app_dev/dfu/bootloader_keys.rst
Expand Up @@ -62,3 +62,23 @@ The configuration option :kconfig:option:`SB_CONFIG_BM_BOOTLOADER_MCUBOOT_GENERA
This automation occurs when you use the ``west flash`` command with the ``--erase`` or ``--recover`` arguments.
It is essential to run this command first after building the project to prepare the board for development.
For more information about KMU on the nRF54L Series, see `Introduction to KMU key provisioning`_ and `Performing KMU provisioning`_.

Runtime revocation
==================

.. note::
The support for this feature is currently experimental.

MCUboot can invalidate image verification keys through the ``CONFIG_BOOT_KMU_KEYS_REVOCATION`` Kconfig option.
@eivindj-nordic eivindj-nordic Dec 4, 2025

Any reason we don't use the Kconfig reference here (and below)?

Suggested change
MCUboot can invalidate image verification keys through the ``CONFIG_BOOT_KMU_KEYS_REVOCATION`` Kconfig option.
MCUboot can invalidate image verification keys through the :kconfig:option:`CONFIG_BOOT_KMU_KEYS_REVOCATION` Kconfig option.

(It is not linking properly at the moment, though we are using it elsewhere).

We only use that format if the option is available in the Kconfig search.

Ok, can come back to this if it works after #401.

Enable this option during the MCUboot build process if there is a risk that images signed with a compromised key might contain critical vulnerabilities.
The revocation of keys is triggered when both the firmware loader and SoftDevice are using a newer key.

Can you add info that (rephrase): Keys must be provisioned in selected amount (Kconfig property?), refer to Performing KMU provisioning_ for HowTo.

Number of available key slots is set by ``CONFIG_BOOT_SIGNATURE_KMU_SLOTS`` Kconfig option. These slots has to be properly provisioned. For more information refer to `Performing KMU provisioning`_.

.. caution::
You must enable the ``CONFIG_BOOT_KMU_KEYS_REVOCATION`` Kconfig option when creating your project.
If you have not activated this option initially, you cannot enable it later.
Without the option, this functionality unavailable and potentially exposes your project to security issues.

A valid signature verification must precede any key invalidation.
The last remaining key cannot be invalidated.
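
Review bot: The trigger sentence ("The revocation of keys is triggered when both the firmware loader and SoftDevice are using a newer key") never says what makes a key "newer". Since the number of slots comes from ``CONFIG_BOOT_SIGNATURE_KMU_SLOTS``, state how the order of the provisioned keys is determined so readers know which keys will be invalidated. Two wording fixes in the same hunk: "These slots has to be properly provisioned" should read "These slots have to be properly provisioned", and in the caution block "this functionality unavailable" is missing "is". The caution also says the option cannot be enabled later without giving the reason; one sentence on why would help readers make the decision when creating the project.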