Refactor MCUboot configuration and documentation for improved clarity and usability

andre-stefanov · andre-stefanov · commit 9a99f6fdd19a · 2025-12-24T16:52:05.000+01:00
diff --git a/README.md b/README.md
@@ -113,7 +113,7 @@ west flash
 To build MCUboot alongside the app and produce a signed application image:
 
 ```shell
-west build -p -b esp32s3_devkitc/esp32s3/procpu OpenAstroFocuser/app --sysbuild
+west build -p -b esp32s3_devkitc/esp32s3/procpu OpenAstroFocuser/app --sysbuild -S mcuboot
 ```
 
 Flash MCUboot first, then the application image:
@@ -126,7 +126,7 @@ west flash -d build/app
 Notes:
 
 - The signed application artifact is `build/app/zephyr/zephyr.signed.bin`.
-- This repo uses MCUboot's default test key for development; replace it for production.
+- By default, sysbuild uses MCUboot's development/test key from the `mcuboot` module; override `SB_CONFIG_BOOT_SIGNATURE_KEY_FILE` for production.
 
 Pass `-DEXTRA_CONF_FILE=debug.conf` for verbose logging or switch `-b` to any supported board/overlay.
 
diff --git a/app/prj.conf b/app/prj.conf
@@ -7,12 +7,6 @@ CONFIG_STD_CPP20=y
 CONFIG_GLIBCXX_LIBCPP=y
 CONFIG_MOONLITE=y
 
-# Build as an MCUboot-chainloaded image and sign it.
-CONFIG_BOOTLOADER_MCUBOOT=y
-# ESP32 defaults to unsigned images when MCUboot is enabled; override so signing runs.
-CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE=n
-CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="bootloader/mcuboot/root-rsa-2048.pem"
-
 # Provide heap storage for std::string and other dynamic allocations.
 CONFIG_HEAP_MEM_POOL_SIZE=4096
 
diff --git a/app/snippets/mcuboot/snippet.yml b/app/snippets/mcuboot/snippet.yml
@@ -0,0 +1,3 @@
+name: mcuboot
+append:
+  SB_EXTRA_CONF_FILE: sysbuild-mcuboot.conf
diff --git a/app/snippets/mcuboot/sysbuild-mcuboot.conf b/app/snippets/mcuboot/sysbuild-mcuboot.conf
@@ -0,0 +1,9 @@
+# Enable MCUboot (sysbuild) and signed images.
+
+SB_CONFIG_BOOTLOADER_MCUBOOT=y
+
+# ESP32* MCUboot configs default to no signatures; override to RSA.
+SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
+
+# The sysbuild bootloader Kconfig provides a default RSA key path from the MCUboot module.
+# For production, override SB_CONFIG_BOOT_SIGNATURE_KEY_FILE with an absolute path to your own PEM.
diff --git a/app/sysbuild.conf b/app/sysbuild.conf
@@ -1,14 +1,7 @@
-# Sysbuild configuration for OpenAstroFocuser
+# Sysbuild configuration for OpenAstroFocuser.
 #
-# Builds MCUboot alongside the application and signs the application image so
-# it can be chain-loaded by MCUboot.
-
-SB_CONFIG_BOOTLOADER_MCUBOOT=y
-
-# ESP32* MCUboot configs default to no signatures; override to RSA.
-SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
-
-# By default, sysbuild will use the MCUboot test key shipped with the
-# MCUboot module when RSA is selected.
-# For production, set SB_CONFIG_BOOT_SIGNATURE_KEY_FILE to an absolute path
-# to your own PEM key.
+# Keep this file empty by default.
+#
+# To build with MCUboot + signing, use the Zephyr snippet:
+#
+#   west build -S mcuboot --sysbuild [...]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+name: mcuboot`
	`2`	`+append:`
	`3`	`+ SB_EXTRA_CONF_FILE: sysbuild-mcuboot.conf`