scripts: Update ncs-provision west command to use nrfutil for uploading keys

[fundakol]

nrfutil provides a command to upload public keys to KMU. This PR replaces nrfprovision script with nrfutil in west ncs-provision command .

Example usage:

west ncs-provision upload --soc nrf54l15 --key ./bootloader/mcuboot/root-ed25519.pem --dev-id 1057748769

Additional options:

• --dry-run - generate JSON keyfile without executing upload
• --build-dir=Path - path where keyfile will be saved
• --input=Path - path to a YAML file with list of keys to upload, example:

  - keyname: UROT_PUBKEY
    keys: ["private_key1.pem"]
    policy: lock
  - keyname: APP_PUBKEY
    keys: ["private_key2.pem"]
    policy: lock

[NordicBuilder]

CI Information

^{To view the history of this post, clich the 'edited' button above}
Build number: 9

Inputs:

Sources:

more details

Github labels

Enabled	Name	Description
	ci-disabled	Disable the ci execution
	ci-all-test	Run all of ci, no test spec filtering will be done
	ci-force-downstream	Force execution of downstream even if twister fails
	ci-run-twister	Force run twister
	ci-run-zephyr-twister	Force run zephyr twister

List of changed files detected by CI (0)

Outputs:

Toolchain

Version:
Build docker image:

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

• ❌ Toolchain
• ❌ Build twister
• ❌ Integration tests

Note: This message is automatically posted and updated by the CI

[gchwier]

I've run our internal tests on that PR and surprisingly all tests passed.
Version of nrfutil device on the CI is 2.7.8 (I thought that in 2.7.13 KMU keys provissioning was added to nrfutil).
I've checked it locally, and it is working also on nrfutil 2.7.8

nrfutil install --force device=2.7.8
nrfutil device x-provision-nrf54l-keys --key-file /tmp/nrfutil_22pv6_t3/keyfile.json --verify --serial-number xxx

to run with Twister:

$ZEPHYR_BASE/scripts/twister -T tests/subsys/kmu/hello_for_kmu --device-testing --hardware-map hardware_map.yml --west-flash=--recover -vv --no-clean -s mcuboot.kmu.west.provision.default_key --pytest-args='-k test_kmu_use_key_from_config'

where command:

west ncs-provision upload --soc nrf54l15 --key /home/grch/ncs/bootloader/mcuboot/root-ed25519.pem --dev-id 001057755847

is called to provision KMU keys.

Scripts looks OK, and if nrfutil supports KMU keys provisioning in 2.7.8 version, it can be integrated (should not fail any regression tests)

Dependency to nrfprovision package can be removed from requirements-extra.txt and from kmu_provision.rst:
https://github.com/nrfconnect/sdk-nrf/blob/main/doc/nrf/app_dev/device_guides/nrf54l/kmu_provision.rst#L20