scripts: west_commands: ncs-provision lock-last policy

adds new policy scheme to 'west ncs-provision' command. Signed-off-by: Mateusz Michalek <[email protected]>
michalek-no · Dec 11, 2024 · bdef967 · bdef967
1 parent 852345e
commit bdef967
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/scripts/west_commands/ncs-provision.py b/scripts/west_commands/ncs-provision.py
@@ -36,8 +36,9 @@ def do_add_parser(self, parser_adder):
             "-k", "--key", type=Path, action='append', dest="keys",
             help="Input .pem file with ED25519 private key"
         )
-        upload_parser.add_argument("-p", "--policy", type=str, help="Keys policy",
-                                   choices=["revokable", "lock"], default="revokable")
+        upload_parser.add_argument("-p", "--policy", type=str,
+                                   choices=["revokable", "lock", "lock-last"], default="revokable",
+                                   help="Policy applied to the given set of keys. revokable: keys can be revoked each by one. lock: all keys stay as they are. lock-last: last key is uploaded as locked, others as revokable")
         upload_parser.add_argument("-s", "--soc", type=str, help="SoC",
                                    choices=["nrf54l15"], required=True)
         upload_parser.add_argument("--dev-id", help="Device serial number")
@@ -55,11 +56,18 @@ def do_run(self, args, unknown_args):
                     with open(keyfile, 'rb') as f:
                         priv_key = load_pem_private_key(f.read(), password=None)
                     pub_key = priv_key.public_key()
+                    if args.policy == "lock-last":
+                        if slot == (len(args.keys) - 1):
+                            key_policy = nrf54l15_key_policies["lock"]
+                        else:
+                            key_policy = nrf54l15_key_policies["revokable"]
+                    else:
+                        key_policy = nrf54l15_key_policies[args.policy]
                     command = [
                         "nrfprovision",
                         "provision",
                         "-r",
-                        nrf54l15_key_policies[args.policy],
+                        key_policy,
                         "-v",
                         pub_key.public_bytes_raw().hex(),
                         "-m",