west: runners: Add ncs-provision to west flash command #90605
Conversation
github-actions
bot
added
area: Continuous Integration
area: Coding Guidelines
github-actions
bot
requested review from
carlescufi,
fabiobaltieri,
jfischer-no,
kartben,
keith-zephyr,
nashif,
pdgendt,
simhein,
stephanosio and
swinslow
| Currently uses the west ncs-provision command to generate the JSON file. | ||
| Consider reusing sdk-nrf/scripts/west_commands/ncs_provision.py | ||
| or sdk-nrf/scripts/generate_psa_key_attributes.py |
There was a problem hiding this comment.
should probably mention that these are not part of the tree and only found in nrf-sdk
gchwier
force-pushed
the
grch-west-flash-with-provision
branch
2 times, most recently
from
eb548ec to
3a452fa
Compare
| """Generate a key file for ncs-provision | ||
|
|
||
| This function uses the 'west ncs-provision' command to generate a JSON key file. | ||
| Note: This functionality requires the sdk-nrf repository to be present, as it's |
There was a problem hiding this comment.
would it be better to mention that this requires "nRF Connect SDK" instead of a specific repository name? I think as it is it's not super clear what "sdk-nrf" is, if you mention your brand name for the SDK flavor it may be more obvious.
Also how does this fails if the command is run on a plain zephyr checkout? Would be nice to have a clear message there as well.
There was a problem hiding this comment.
Thanks for comment!
To enable it, you must explicite call --ncs-provision with west flash command. Also it is implemented only in nrfutil.py and must be enabled Kconfigs (SB_CONFIG_MCUBOOT_SIGNATURE_USING_KMU or SB_CONFIG_SECURE_BOOT_SIGNATURE_TYPE_ED25519) that are added in sdk-nrf. So there is no option to run it on a plain zephyr.
There was a problem hiding this comment.
ok so if one calls --ncs-provision it skips both _ncs_provision_for_nsib and _ncs_provision_for_mcuboot and fails silently right? would it make sense to print an error instead?
There was a problem hiding this comment.
If KMU keys are not enabled by Kconfigs (only available now on nrf54L family), then it just silently skips (not fails), so error is not needed, error is printed only when provisioning command fails.
And that command is only available with nrfutil runner, when using other runner then probable will receive argument error.
There was a problem hiding this comment.
Ok, are you sure that's the behavior you want? I could understand if it was an automatic feature (like file signing) but if you are asking the user to specify a flag explicitly to enable it, it sounds wrong to silently ignore it, I think it would make more sense to explicitly error out and say that the flag requires an NCS setup.
There was a problem hiding this comment.
Good point .. and I do not really know, what is best solution.
I've added that to enable testing with Twister, where you run thousands of tests on different platforms ... so when I call twister --west-flash="--erase,--ncs-provision" I do not want to see thousands of error messages (only couple of tests require provisioning).
And also worth to be noted, that:
- adding --ncs-provision to west flash will provision only one key used during building, this option will be rather useful for testing apps with Twister, or for developers / testers who don't want to run extra manual steps to up the board to check features not related with KMU
- the official instruction for customers is to flash the board (with nrfutil), run from nRF Connect SDK special command to provision keys (more keys can be provisioned for future use, can be enabled other features etc.) then reset
There was a problem hiding this comment.
Ok so if this errors out then you could not use it with twister right? guess there's no way to override this per test.
I see what you are doing but it's a bit of a poor user interaction to silently ignore the flag if it can't be used, no matter the reasons for it. @carlescufi @bjarki-andreasen what do you think?
There was a problem hiding this comment.
If we choose to have this in Zephyr then I think the flag should check if the corresponding dependencies exist (e.g. the west extension command it is using) and fail otherwise.
gchwier
force-pushed
the
grch-west-flash-with-provision
branch
from
3a452fa to
47ae67c
Compare
I agree with you about keeping downstream-specific code in the downstream repository, but I don't see an easy way to accomplish this (maybe to implement something like hooks that could be registered in the downstream project?) I initially implemented this as a proof of concept in the downstream repository, but this created maintenance challenges when dealing with differences between repositories. The primary motivation for including the NCS provisioning feature was to enable testing with Twister. It's worth noting that this functionality is:
|
Agreed, and this is already the case for almost all code in Zephyr, by extending the codebase in NCS itself. As @gchwier described, there are three real options in this particular case, due to the requirements of influencing the sequence of operations during flashing:
|
|
Looking at the PR, why is generating a keyfile put into the twister runner? writing a keyfile to a target, sure, generating it? Seems this should be handled by a downstream script invoked by CMake, and passed to the runner like any other binary files. Case in point:
so, we already use Kconfigs here, just pass those to CMake instead? |
I must look into cmake scripts in sdk-nrf. I see that provisioning could be solved with:
I will try it, thank you! |
Check out https://github.com/zephyrproject-rtos/zephyr/tree/main/soc/nordic/nrf54h/bicr where we do something like this :) |
|
Thanks @bjarki-andreasen! If the file generation can be kept out of vanilla Zephyr then it’d be just about adding a new |
I was rather thinking to not add any new parameter. Just check the build directory and if key file exists then run key provisioning. |
gchwier
force-pushed
the
grch-west-flash-with-provision
branch
2 times, most recently
from
dcd260f to
c3dbbc8
Compare
Added automatic KMU key provisioning, when keyfile.json file exists in the build directory. This enables automated key provisioning during the flashing process to enable testing nRF54L aplications using Twister. Only applicable on nrfutil runner. Signed-off-by: Grzegorz Chwierut <[email protected]>
gchwier
force-pushed
the
grch-west-flash-with-provision
branch
from
c3dbbc8 to
807e0ad
Compare
|
Added automatic KMU key provisioning for both NSIB and MCUboot. A new
--ncs-provisioncommand line option is added to nrfutil runner. This enables automated key provisioning during the flashing process to enable testing nRF54L applications using Twister.Only applicable on NCS, when KMU keys are configured.