[nrf noup] bootutil: Use correct set of KMU key slots

boot/bootutil/src/ed25519_psa.c

@@ -25,11 +25,20 @@ BOOT_LOG_MODULE_REGISTER(ed25519_psa);
 
 #if defined(CONFIG_BOOT_SIGNATURE_USING_KMU)
 /* List of KMU stored key ids available for MCUboot */
+#define PSA_KEY_INDEX_SIZE 2
+
+#if CONFIG_MCUBOOT_MCUBOOT_IMAGE_NUMBER != -1 || \
+	defined(CONFIG_NCS_BOOT_SIGNATURE_KMU_ORIGINAL_MAPPING)
+#define PSA_KEY_STARTING_ID 226
+#else
+#define PSA_KEY_STARTING_ID 242
+#endif
+
 #define MAKE_PSA_KMU_KEY_ID(id) PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, id)
 static psa_key_id_t key_ids[] =  {
-    MAKE_PSA_KMU_KEY_ID(226),
-    MAKE_PSA_KMU_KEY_ID(228),
-    MAKE_PSA_KMU_KEY_ID(230)
+    MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID),
+    MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID + PSA_KEY_INDEX_SIZE),
+    MAKE_PSA_KMU_KEY_ID(PSA_KEY_STARTING_ID + (2 * PSA_KEY_INDEX_SIZE))
 };
 
 #define KEY_SLOTS_COUNT CONFIG_BOOT_SIGNATURE_KMU_SLOTS

boot/zephyr/Kconfig

@@ -408,6 +408,16 @@ config BOOT_SIGNATURE_KMU_SLOTS
 	  Selects the number of KMU key slots (also known as generations) to use when verifying
 	  an image.
 
+config NCS_BOOT_SIGNATURE_KMU_ORIGINAL_MAPPING
+	bool "Use original mapping"
+	depends on SOC_SERIES_NRF54LX
+	depends on MCUBOOT_MCUBOOT_IMAGE_NUMBER = -1
+	help
+	  When this option is enabled, it will use the previous key slot IDs for the MCUboot image
+	  which are assigned for the non-immutable bootloader IDs, otherwise it will use the key
+	  set for the mode that MCUboot is used in (non-immutable slots when b0 is enabled, or
+	  immutable slots when b0 is not enabled).
+
 endif
 
 config BOOT_KEYS_REVOCATION