doc: add kmu provisioning info

annwoj · annwoj · commit d75e56a27a94 · 2025-03-19T15:55:02.000+01:00
adds info about provisioning keys before running with bootloader

Signed-off-by: Anna Wojdylo &lt;anna.wojdylo@nordicsemi.no&gt;
diff --git a/doc/nrf/app_dev/device_guides/nrf54l/fota_update.rst b/doc/nrf/app_dev/device_guides/nrf54l/fota_update.rst
@@ -193,6 +193,7 @@ Provisioning of keys for Hardware KMU
 *************************************
 
 In case of FOTA implementations using the MCUboot bootloader, which includes hardware cryptography and KMU, you must complete key provisioning before booting any application.
+Otherwise, the bootloader :ref:`may not boot the firmware setup and might take unwanted actions<ug_nrf54l_developing_basics_kmu_provisioning_keys>`.
 Refer to :ref:`ug_nrf54l_developing_provision_kmu` for detailed description.
 
 .. _ug_nrf54l_developing_ble_fota_mcuboot_direct_xip_mode:
diff --git a/doc/nrf/app_dev/device_guides/nrf54l/kmu_basics.rst b/doc/nrf/app_dev/device_guides/nrf54l/kmu_basics.rst
@@ -35,12 +35,22 @@ Locked keys
 Once provisioned, locked keys are permanently available for use and cannot be deleted without erasing the device.
 For these keys, the revocation policy (RPOLICY) must be marked as ``locked``.
 
+.. _ug_nrf54l_developing_basics_kmu_provisioning_keys:
+
 Provisioning keys for the bootloader
 ************************************
 
 The bootloader can use multiple key generations for image verification (up to three for nRF54L SoCs).
 To safeguard against unauthorized provisioning by attackers, you must :ref:`provision all key generations onto the device<ug_nrf54l_developing_provision_kmu>`.
 
+Make sure to provision the setup’s relevant key sets before any run with bootloaders, including the first boot.
+Failure to do so can lead to unwanted actions by the bootloader on your firmware setup.
+You may experience the following issues:
+
+  * The nRF Secure Immutable Bootloader (NSIB) will mark the image as permanently invalid without a key available for verification.
+  * In direct-xip mode, MCUboot will delete the image if no appropriate key is provisioned.
+  * The firmware will simply not boot, indicating a lack of proper key provisioning.
+
 By default, MCUboot uses a single key.
 You can configure the number of key generations that MCUboot uses for application verification with the ``CONFIG_BOOT_SIGNATURE_KMU_SLOTS`` MCUboot's Kconfig option.
 
diff --git a/doc/nrf/app_dev/device_guides/nrf54l/kmu_provision.rst b/doc/nrf/app_dev/device_guides/nrf54l/kmu_provision.rst
@@ -22,6 +22,8 @@ Once completed, install the required additional commands for nRF Util:
 
     nrfutil install device
 
+Additionally, before provisioning, make sure you familiarized yourself with the :ref:`ug_nrf54l_developing_basics_kmu_provisioning_keys` section.
+
 .. _ug_nrf54l_developing_provision_kmu_generate:
 
 Key generation
