[nrf noup] bootutil: Locking KMU keys

de-nordic · de-nordic · commit 7a84c7c362da · 2025-07-04T13:15:04.000Z
Lock KMU keys before passing execution to application.

Signed-off-by: Dominik Ermel &lt;dominik.ermel@nordicsemi.no&gt;
diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c
@@ -165,4 +165,34 @@ int exec_revoke(void)
     return ret;
 }
 #endif /* CONFIG_BOOT_KMU_KEYS_REVOCATION */
+
+void nrf_crypto_keys_housekeeping(void)
+{
+    psa_status_t status = psa_crypto_init();
+
+    if (status != PSA_SUCCESS) {
+            BOOT_LOG_ERR("PSA crypto init failed with error %d", status);
+            return;
+    }
+
+    status = PSA_ERROR_NOT_SUPPORTED;
+
+    /* We will continue through all keys, even if we have error while
+     * processing any of it. Only doing BOOT_LOG_DBG, as we do not
+     * really want to inform on failures to lock.
+     */
+    for (int i = 0; i < CONFIG_BOOT_SIGNATURE_KMU_SLOTS; ++i) {
+        psa_key_attributes_t attr;
+
+        status = psa_get_key_attributes(kmu_key_ids[i], &attr);
+        BOOT_LOG_DBG("KMU key 0x%x(%d) attr query status == %d",
+                     kmu_key_ids[i], i, status);
+
+        if (status == PSA_SUCCESS) {
+            status = cracen_kmu_block(&attr);
+            BOOT_LOG_DBG("KMU key lock status == %d", status);
+        }
+    }
+}
+
 #endif
diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h
@@ -21,4 +21,15 @@ void nrf_cleanup_peripheral(void);
  */
 void nrf_cleanup_ns_ram(void);
 
+/**
+ * Crypto key storage housekeeping. Intended to cleanup key objects from
+ * crypto backend and apply key policies that should take effect after
+ * MCUboot no longer needs access to keys.
+ */
+#if defined(CONFIG_BOOT_SIGNATURE_USING_KMU)
+extern void nrf_crypto_keys_housekeeping(void);
+#else
+#define nrf_crypto_keys_housekeeping() do {} while (0)
+#endif
+
 #endif
diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c
@@ -648,6 +648,13 @@ int main(void)
 
     mcuboot_status_change(MCUBOOT_STATUS_BOOTABLE_IMAGE_FOUND);
 
+    /* From this point MCUboot does not need access to crypto keys.
+     * Cleanup backend key objects and apply key access policies that
+     * will take effect from now through entire boot session and application
+     * run.
+     */
+    nrf_crypto_keys_housekeeping();
+
 #if USE_PARTITION_MANAGER && CONFIG_FPROTECT
 
 #ifdef PM_S1_ADDRESS
