Add MCUboot support and configuration for application signing

andre-stefanov · andre-stefanov · commit f257c14f26ac · 2025-12-23T00:28:35.000+01:00
diff --git a/README.md b/README.md
@@ -108,6 +108,26 @@ west build -b esp32s3_devkitc/esp32s3/procpu OpenAstroFocuser/app
 west flash
 ```
 
+#### MCUboot (sysbuild)
+
+To build MCUboot alongside the app and produce a signed application image:
+
+```shell
+west build -p -b esp32s3_devkitc/esp32s3/procpu OpenAstroFocuser/app --sysbuild
+```
+
+Flash MCUboot first, then the application image:
+
+```shell
+west flash -d build/mcuboot
+west flash -d build/app
+```
+
+Notes:
+
+- The signed application artifact is `build/app/zephyr/zephyr.signed.bin`.
+- This repo uses MCUboot's default test key for development; replace it for production.
+
 Pass `-DEXTRA_CONF_FILE=debug.conf` for verbose logging or switch `-b` to any supported board/overlay.
 
 ### Run Moonlite Parser Tests
diff --git a/app/prj.conf b/app/prj.conf
@@ -7,6 +7,12 @@ CONFIG_STD_CPP20=y
 CONFIG_GLIBCXX_LIBCPP=y
 CONFIG_MOONLITE=y
 
+# Build as an MCUboot-chainloaded image and sign it.
+CONFIG_BOOTLOADER_MCUBOOT=y
+# ESP32 defaults to unsigned images when MCUboot is enabled; override so signing runs.
+CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE=n
+CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="bootloader/mcuboot/root-rsa-2048.pem"
+
 # Provide heap storage for std::string and other dynamic allocations.
 CONFIG_HEAP_MEM_POOL_SIZE=4096
 
diff --git a/app/sysbuild.conf b/app/sysbuild.conf
@@ -0,0 +1,14 @@
+# Sysbuild configuration for OpenAstroFocuser
+#
+# Builds MCUboot alongside the application and signs the application image so
+# it can be chain-loaded by MCUboot.
+
+SB_CONFIG_BOOTLOADER_MCUBOOT=y
+
+# ESP32* MCUboot configs default to no signatures; override to RSA.
+SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
+
+# By default, sysbuild will use the MCUboot test key shipped with the
+# MCUboot module when RSA is selected.
+# For production, set SB_CONFIG_BOOT_SIGNATURE_KEY_FILE to an absolute path
+# to your own PEM key.
diff --git a/lib/moonlite/Kconfig b/lib/moonlite/Kconfig
@@ -2,7 +2,7 @@
 
 config MOONLITE
 	bool "Moonlite serial protocol helpers"
-	default y
+	default n
 	help
 	  Enable the Moonlite focuser serial protocol helper library, which
 	  provides the command parser, command enumeration, and handler interface
diff --git a/west.yml b/west.yml
@@ -24,3 +24,5 @@ manifest:
           - cmsis_6    # required by the ARM port for Cortex-M
           - hal_nordic # required by the custom_plank board (Nordic based)
           - hal_espressif # required by the esp32_devkitc_procpu board (Espressif based)
+          - mbedtls    # required for MCUboot RSA signature verification
+          - mcuboot    # MCUboot bootloader module
