From 3c9d2fe2188d8406018d58602ba4a8824abe84bd Mon Sep 17 00:00:00 2001
From: Dominik Ermel
Date: Thu, 3 Jul 2025 17:50:21 +0000
Subject: [PATCH] [nrf noup] bootutil: Locking KMU keys

Lock KMU keys before passing execution to application.

Signed-off-by: Dominik Ermel
---
 boot/bootutil/src/ed25519_psa.c | 30 ++++++++++++++++++++++++++++++
 boot/zephyr/include/nrf_cleanup.h | 11 +++++++++++
 boot/zephyr/main.c | 7 +++++++
 3 files changed, 48 insertions(+)

diff --git a/boot/bootutil/src/ed25519_psa.c b/boot/bootutil/src/ed25519_psa.c
index 6393d996e..e032e7046 100644
--- a/boot/bootutil/src/ed25519_psa.c
+++ b/boot/bootutil/src/ed25519_psa.c
@@ -165,4 +165,34 @@ int exec_revoke(void)
 return ret;
 }
 #endif /* CONFIG_BOOT_KMU_KEYS_REVOCATION */
+
+void nrf_crypto_keys_housekeeping(void)
+{
+ psa_status_t status = psa_crypto_init();
+
+ if (status != PSA_SUCCESS) {
+ BOOT_LOG_ERR("PSA crypto init failed with error %d", status);
+ return;
+ }
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ /* We will continue through all keys, even if we have error while
+ * processing any of it. Only doing BOOT_LOG_DBG, as we do not
+ * really want to inform on failures to lock.
+ */
+ for (int i = 0; i < CONFIG_BOOT_SIGNATURE_KMU_SLOTS; ++i) {
+ psa_key_attributes_t attr;
+
+ status = psa_get_key_attributes(kmu_key_ids[i], &attr);
+ BOOT_LOG_DBG("KMU key 0x%x(%d) attr query status == %d",
+ kmu_key_ids[i], i, status);
+
+ if (status == PSA_SUCCESS) {
+ status = cracen_kmu_block(&attr);
+ BOOT_LOG_DBG("KMU key lock status == %d", status);
+ }
+ }
+}
+
 #endif
diff --git a/boot/zephyr/include/nrf_cleanup.h b/boot/zephyr/include/nrf_cleanup.h
index 9e87e13f5..e04e09e84 100644
--- a/boot/zephyr/include/nrf_cleanup.h
+++ b/boot/zephyr/include/nrf_cleanup.h
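Review bot: In the loop of nrf_crypto_keys_housekeeping(), `psa_key_attributes_t attr;` is handed to psa_get_key_attributes() uninitialized and is never released; the PSA Crypto API requires the attributes object to be in a valid state on entry and a psa_reset_key_attributes() call once the caller is done with it, otherwise whatever the implementation attaches to the attributes leaks on every iteration. Declare it as `psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;` and add `psa_reset_key_attributes(&attr);` as the last statement of the loop body, after the lock attempt. Separately, the function returns void and reports a failed cracen_kmu_block() only at BOOT_LOG_DBG, so main() cannot tell whether the keys were actually locked before control is handed to the application, and a production build with debug logging off records nothing when the lock fails. Since a key left unlocked is exactly the condition this feature exists to prevent, consider returning a non-zero status (or at least logging at BOOT_LOG_WRN) when psa_crypto_init() or cracen_kmu_block() fails, so the caller can decide and the event is visible in the boot log.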
@@ -21,4 +21,15 @@ void nrf_cleanup_peripheral(void);
 */
 void nrf_cleanup_ns_ram(void);
+/**
+ * Crypto key storage housekeeping. Intended to cleanup key objects from
+ * crypto backend and apply key policies that should take effect after
+ * MCUboot no longer needs access to keys.
+ */
+#if defined(CONFIG_BOOT_SIGNATURE_USING_KMU)
+extern void nrf_crypto_keys_housekeeping(void);
+#else
+#define nrf_crypto_keys_housekeeping() do {} while (0)
+#endif
+
 #endif
diff --git a/boot/zephyr/main.c b/boot/zephyr/main.c
index bd9f2e573..a3cd85aad 100644
--- a/boot/zephyr/main.c
+++ b/boot/zephyr/main.c
@@ -648,6 +648,13 @@ int main(void)
 mcuboot_status_change(MCUBOOT_STATUS_BOOTABLE_IMAGE_FOUND);
+ /* From this point MCUboot does not need access to crypto keys.
+ * Cleanup backend key objects and apply key access policies that
+ * will take effect from now through entire boot session and application
+ * run.
+ */
+ nrf_crypto_keys_housekeeping();
+
 #if USE_PARTITION_MANAGER && CONFIG_FPROTECT
 #ifdef PM_S1_ADDRESS
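Review bot: The `extern` on `extern void nrf_crypto_keys_housekeeping(void);` is redundant for a function prototype and the neighbouring declaration `void nrf_cleanup_ns_ram(void);` in the same hunk does not use it; `void nrf_crypto_keys_housekeeping(void);` keeps the header consistent. The new doc comment promises to "cleanup key objects from crypto backend", but the implementation added in the ed25519_psa.c hunk only queries each key's attributes and calls cracen_kmu_block(), so the comment should state what the call is guaranteed to do, e.g. "Lock the KMU key slots used for signature verification once MCUboot no longer needs them; a no-op when CONFIG_BOOT_SIGNATURE_USING_KMU is disabled." The declaration is gated on CONFIG_BOOT_SIGNATURE_USING_KMU while the definition sits inside a conditional block whose opening `#if` is outside the ed25519_psa.c hunk; if those two conditions are not equivalent, a configuration that enables the declaration but compiles the definition out would fail at link time, so it is worth confirming they match.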