Migrating from multi-image builds to sysbuild
Sysbuild (System build) is a build system used in zephyr to configure, build, and flash multiple images as part of a single project. It replaces the child/parent system for multi-image builds in nRF Connect SDK. As the previous system has been deprecated, you must update your existing multi-image build projects to support being built using sysbuild.
The following are the differences in how project configuration is performed in sysbuild compared to child/parent image configuration:
Sysbuild controls which images are added to a build, instead of the main application.
Sysbuild specifies the project configuration files for all images, which was previously done in the main application or child applications.
Sysbuild controls the packaging of firmware components, instead of the main application.
Sysbuild manages some software functionality of image builds, such as the configuration mode of an nRF70-series radio.
Sysbuild runs partition manager code (if enabled) and distributes the output information to images.
This results in the CMake configuration step running more than once, as this information is only available after all images have been processed.
Sysbuild output files have different names and locations (they are namespaced).
Sysbuild introduces support for file suffixes, replacing the deprecated build type used by child/parent images.
The changes needed to convert a child/parent image project to a sysbuild project depend on the features used. Review how Sysbuild (System build) works to understand the basic usage and configuration methods, and how these differ from a child image build, before proceeding with project migration according to the guidelines listed in the following sections.
Sysbuild configuration files
You can set sysbuild configuration for projects in the sysbuild.conf file in the project folder.
You can also add custom Kconfig values in the Kconfig.sysbuild file in the project folder, or use this file to set Kconfig defaults that depend on a board or other parameters when building a project.
Sysbuild Kconfig values in Kconfig fragment files have the SB_CONFIG_ prefix.
The following example demonstrates how to use these files to set project configuration:
This example enables MCUboot, sets the key type to RSA, and specifies the overwrite-only mode for all boards:
SB_CONFIG_BOOTLOADER_MCUBOOT=y
SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y
SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
This example enables MCUboot, sets the key type to RSA, and specifies the overwrite-only mode for the application core of the nRF5340 DK:
if BOARD_NRF5340DK_NRF5340_CPUAPP
choice BOOTLOADER
default BOOTLOADER_MCUBOOT
endchoice
if BOOTLOADER_MCUBOOT
choice MCUBOOT_MODE
default MCUBOOT_MODE_OVERWRITE_ONLY
endchoice
choice BOOT_SIGNATURE_TYPE
default BOOT_SIGNATURE_TYPE_RSA
endchoice
endif # BOOTLOADER_MCUBOOT
endif # BOARD_NRF5340DK_NRF5340_CPUAPP
Both approaches are used in nRF Connect SDK applications and samples depending on the required configuration.
Note
Sysbuild has file suffix support, which means different files can be created and used depending on whether a file suffix is used for a build.
Network core
Sysbuild handles the selection of the network core image. The following Kconfig options are available to include the desired image in the build or to set network core options:
Kconfig option |
Description |
|---|---|
|
Empty network core image: nRF5340: Empty firmware for network core |
|
Zephyr hci_ipc Bluetooth image: HCI IPC |
|
nRF Connect SDK rpc_host Bluetooth image: Bluetooth: Host for nRF RPC Bluetooth Low Energy |
|
Zephyr 802.15.4 image: IEEE 802.15.4 over RPMsg |
|
nRF Connect SDK multiprotocol_rpmsg Bluetooth and 802.15.4 image: nRF5340: Multiprotocol RPMsg |
|
nRF Connect SDK ipc_radio image: IPC radio firmware |
|
No network core image |
|
Will enable network core image update support in MCUboot (PCD) |
If a project uses network-core functionality (for example, Bluetooth) in the main application but does not enable a network-core image in sysbuild, then no network-core image will be built, resulting in a non-working application. Projects must be updated to select the correct network core image.
MCUboot
Sysbuild handles MCUboot mode selection and key file configuration. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Build MCUboot image |
|
Set MCUboot signature type to none (SHA256 hash check only) |
|
Set MCUboot signature type to RSA |
|
Set MCUboot signature type to ECDSA-P256 |
|
Set MCUboot signature type to ED25519 |
|
Absolute path to MCUboot private signing key file |
|
Enable MCUboot image encryption |
|
Absolute path to MCUboot private encryption key file |
|
Build MCUboot in single slot mode (application can only be updated by MCUboot’s serial recovery mode) |
|
Build MCUboot and application in swap using move mode (default) |
|
Build MCUboot and application in swap using scratch mode |
|
Build MCUboot and application in overwrite only mode |
|
Build MCUboot and application in direct-XIP mode |
|
Build MCUboot and application in direct-XIP mode, with revert support |
|
Build secondary image for direct-XIP mode for the alternative execution slot |
|
Enable hardware downgrade protection in MCUboot and application |
|
Number of available hardware counter slots for downgrade prevention |
|
Security counter value of the image for downgrade prevention |
|
Number of updateable images for MCUboot to support |
|
Will set the main application number of updateable images as well as MCUboot if enabled, otherwise will only set MCUboot |
|
MCUboot version string to use when creating MCUboot update package for application secure boot mode |
|
Use all available RAM when building TF-M for nRF5340 (see Kconfig text for security implication details) |
Support for unsigned images and image encryption has been added. These options generate the respective output files for the main application build. Any MCUboot configuration that was previously done in the main application or MCUboot needs to be updated to apply at the sysbuild level. If this is not done, the settings of these builds will be forcefully replaced with the default generated by sysbuild, making firmware updates incompatible with firmware images built in previous versions of the nRF Connect SDK.
Secure boot
Sysbuild handles the mode selection of secure boot and the configuration of the key file. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Enable secure boot for application core (or main core if device only has a single core) |
|
Enable secure boot for network core |
|
Sign b0 images using python (default) |
|
Sign b0 images using OpenSSL |
|
Sign b0 images with a custom command |
|
Absolute path to signing private key file |
|
Command called for custom signing, will have file to sign provided as an argument |
|
Absolute path to signing key public file |
|
Comma-separated value list of absolute paths to signing public key files |
Secure boot can now be enabled centrally from sysbuild for both the application and network cores for nRF53-based boards. Configuration that was previously done in the images themselves must now be applied at the sysbuild level. If not, the secure boot images are not built, or the settings of these builds are forcefully replaced with the default generated by sysbuild, making firmware updates incompatible with firmware images built in previous versions of the nRF Connect SDK.
Google Fast Pair
Sysbuild now handles the HEX generation with Google Fast Pair provisioning data. See the Registering Fast Pair Provider section in the Fast Pair integration guide for more details regarding the provisioning process. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Enables Google Fast Pair functionality |
To generate the Google Fast Pair provisioning data, you must set this Kconfig option at the sysbuild level. The method of supplying the Fast Pair Model ID and Anti-Spoofing Private Key via the command line arguments remains unchanged from previous nRF Connect SDK versions.
Note
When building with sysbuild, the value of the CONFIG_BT_FAST_PAIR Kconfig option is overwritten by SB_CONFIG_BT_FAST_PAIR.
For more details about enabling Fast Pair for your application, see the Enabling Fast Pair in Kconfig section in the Fast Pair integration guide.
Matter
Sysbuild now directly controls Matter configuration for generating factory data and over-the-air firmware update images. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Enable matter support |
|
Generate factory data |
|
Merge factory data with main application firmware |
|
Generate over-the-air firmware update image |
|
Filename for over-the-air firmware update image |
Applications must enable these options if they generate factory data or need an over-the-air firmware update.
Note
The configuration data for the factory data file is still configured from the main application.
nRF70 Series
Support for the nRF70 Series operating mode and firmware storage has moved to sysbuild. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Enable Wifi support for the nRF70 Series devices |
|
Use system mode firmware patches and set application to this mode |
|
Use Scan-only mode firmware patches and set application to this mode |
|
Use Radio Test mode firmware patches and set application to this mode |
|
Use system with Raw modes firmware patches and set application to this mode |
|
Load firmware patches directly from ram (default) |
|
Load firmware patches from external flash using XIP |
|
Load firmware patches from external flash into RAM and load to radio |
You must update your applications to select the required Kconfig options at the sysbuild level for applications to work. These sysbuild Kconfig options are no longer defaulted or gated depending on the features that the main application uses, so you must set these manually. If these options are not set, nRF700x functionality will not work.
Multi-image builds for DFU
Support for creating multi-image build files for Device Firmware Update (DFU) was moved to sysbuild. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Enables building a DFU multi-image package |
|
Include application update in package |
|
Include network core image update in package |
|
Include MCUboot update in package |
|
Include nRF70 firmware patch update in package |
You must update your application to select the required Kconfig options at the sysbuild level to have this file generated.
DFU Zip file generation
Support for generating a firmware update zip has moved to sysbuild. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Will generate a dfu_application.zip archive with manifest file and updates |
|
Include application update in zip archive |
|
Include network-core image update in zip archive |
|
Include nRF700x firmware patch update in zip archive |
|
Include Bluetooth mesh metadata in zip archive |
You must update your application to select the required Kconfig options at the sysbuild level to have the correct firmware update images in the zip generated, the firmware zip is generated by default.
Partition Manager
Support for using the Partition Manager for an image has been moved to sysbuild. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Enables partition manager support |
|
MCUboot image header padding |
|
Places the secondary MCUboot update partition in external flash |
|
Will force override the external flash driver check |
You must update your applications to select the required Kconfig options at the sysbuild level for applications to work. If these options are not set, firmware updates may not work or images may fail to boot.
QSPI XIP flash split code
Support for using an application image based on the Quad Serial Peripheral Interface (QSPI) with the Execute in place (XIP) flash memory split has been moved to sysbuild. The following Kconfig options are available:
Kconfig option |
Description |
|---|---|
|
Enables splitting application into internal flash and external QSPI XIP flash images with MCUboot signing. |
You must update your applications to select the required Kconfig options at the sysbuild level for applications to work.
If these options are not set, the QSPI XIP flash code sections will not be generated.
The MCUboot image number is now dependent upon what images are present in a build, and the Kconfig option SB_CONFIG_MCUBOOT_QSPI_XIP_IMAGE_NUMBER gives the image number of this section.
The format for the Partition Manager static partition file has also changed.
There must now be a pad section and an app section which form the primary section in a span.
Here’s an example from the SMP Server with external XIP sample:
mcuboot_primary_2:
address: 0x120000
device: MX25R64
end_address: 0x160000
+ orig_span: &id003
+ - mcuboot_primary_2_pad
+ - mcuboot_primary_2_app
region: external_flash
size: 0x40000
+ span: *id003
+mcuboot_primary_2_pad:
+ address: 0x120000
+ end_address: 0x120200
+ region: external_flash
+ size: 0x200
+mcuboot_primary_2_app:
+ address: 0x120200
+ device: MX25R64
+ end_address: 0x40000
+ region: external_flash
+ size: 0x3FE00
For more details about the QSPI XIP flash split image feature, see Using QSPI XIP split image.
Filename changes
Some output file names have changed from child/parent image configurations or have changed the directory where they are created. This is because sysbuild properly namespaces images in a project. The changes to final output files (ignoring artifacts and intermediary files) are as follows:
Child/parent file |
Sysbuild file |
|---|---|
|
|
|
|
|
No equivalent |
|
No equivalent |
|
|
|
|
|
No equivalent |
|
No equivalent |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
No equivalent, use |
|
|
|
|
|
|
Example output files
To demonstrate the expected output files when using sysbuild for an application build, the following sections show and describe the output files for the matter_weather_station application when building using the thingy53/nrf5340/cpaupp board target:
Provision/container files
The expected output files are the following:
File |
Description |
|---|---|
|
Copy of |
|
Provision data for the network core secure boot image |
Image build files
The expected output files are the following:
File |
Description |
|---|---|
|
Unsigned main application HEX file |
|
Unsigned main application binary file |
|
Signed (with MCUboot signing key) main application HEX file |
|
MCUboot HEX file |
|
Network core IPC radio HEX file |
|
Network core IPC radio binary file |
|
Network core secure bootloader binary file |
|
Network core secure bootloader HEX file |
|
Signed (with b0 signing key) network core IPC radio HEX file |
|
Signed (with b0 signing key) network core IPC radio binary file |
|
Signed (with b0 and MCUboot signing key) network core IPC radio update from application core HEX file |
Combined files
The expected output files are the following:
File |
Description |
|---|---|
|
Merged application core HEX file (contains merged contents of |
|
Merged network core HEX file (contains merged contents of |
Update files
The expected output files are the following:
File |
Description |
|---|---|
|
Signed (with MCUboot signing key) main application binary file which can be used directly with MCUmgr |
|
Signed (with b0 and MCUboot signing key) network core IPC radio update from application core binary file |
|
DFU multi image file containing firmware update files and manifest |
|
Matter over-the-air firmware update file |
|
Zip file containing firmware update files and manifest |
Image overlay configuration
In child/parent image configurations, an application could include additional configuration files in the child_image folder that would be applied to these images (see Permanent configuration changes to child images).
This feature has been adapted in sysbuild; see Zephyr application configuration for an overview.
You must update child/parent image configuration to use it with sysbuild, as the way these files can be used differs:
In child/parent image configurations, there can be Kconfig fragments and board overlays that are all merged into the final output files.
In sysbuild, there can either be a Kconfig fragment overlay, or replacement for the whole application configuration directory.
In sysbuild, if an image application configuration directory is created then it must include all the required files for that image, as none of the original application configuration files will be used. Sysbuild includes support for File Suffixes in applications, and it can also use Sysbuild file suffix support.
Example for MCUboot
The following table shows how to add custom MCUboot configuration for a project.
The sysbuild folder must be created in the application’s folder:
File |
Description |
|---|---|
|
Copy of |
|
Modification of prj.conf with changes for a release configuration (can be selected using |
|
Copy of |
|
Kconfig fragment for the |
|
DTS overlay for the |
|
DTS overlay for the |
Scope changes
In child/parent images, the application controlled all images, so variables without a prefix would apply to the main application only. In Sysbuild, elements like file suffixes, shields, and snippets without an image prefix will be applied globally to all images. To apply them to a single image, they must be prefixed with the image name. Without doing this, projects with multiple images (for example, those with MCUboot) might fail to build due to invalid configuration for other images.
Configuration parameter |
Child/parent |
Sysbuild |
|---|---|---|
|
Applies only to main application |
Applies to all images |
|
Applies only to <image> |
Applies only to <image> |
|
Applies only to main application |
Applies to all images |
|
Applies only to <image> |
Applies only to <image> |
|
Applies only to main application |
Applies to all images |
|
Applies only to <image> |
Applies only to <image> |
Configuration values that specify Kconfig fragment or overlay files (for example, EXTRA_CONF_FILE and EXTRA_DTC_OVERLAY_FILE) cannot be applied globally using either child/parent image or sysbuild. They function the same in both systems:
Without a prefix, they will be applied to the main application only.
With a prefix, they will apply to that specific image only.
Building with sysbuild
Sysbuild needs to be enabled from the command-line when building with west build.
You can pass the --sysbuild parameter to the build command or configure west to use sysbuild whenever you build.
Similarly, you can pass the --no-sysbuild parameter to the build command to disable sysbuild.
With these two parameters, which always take precedence over the west configuration, the usage of sysbuild can always be selected from the command line.
Note
The nRF Connect SDK v2.7.0 modifies the default behavior of west build, so that building with west uses sysbuild for repository applications in the SDK repositories.
See the following command patterns for building with sysbuild for different use cases:
West can build a specific project using sysbuild with the following command:
west build -b board_target --sysbuild app_path
West can build a specific project using child/parent image with the following command:
west build -b board_target --no-sysbuild app_path
Note
This is deprecated in nRF Connect SDK 2.7 and support will be removed in nRF Connect SDK 2.9
CMake can be used to configure a specific project using sysbuild image with the following command:
cmake -GNinja -DBOARD=*board_target* -DAPP_DIR=*app_path* path_to_zephyr/share/sysbuild
CMake can be used to configure a specific project using child/parent image with the following command:
cmake -GNinja -DBOARD=*board_target* app_path
Note
This is deprecated in nRF Connect SDK 2.7 and support will be removed in nRF Connect SDK 2.9
Twister test cases can build using sysbuild with the following:
sysbuild: true
Twister test cases can build using child/parent image with the following:
sysbuild: false
Note
This is deprecated in nRF Connect SDK 2.7 and support will be removed in nRF Connect SDK 2.9
Forced Kconfig options
As sysbuild deals with configuration of features for some features and propagating this information to other images, some Kconfig options in applications will be forcefully overwritten by sysbuild, for details on these options and how to set them from sysbuild, check the Sysbuild forced options section.
Incompatibities
In the sysbuild release included in the nRF Connect SDK 2.7, the following features of the multi-image builds using child and parent images are not supported:
- Using pre-built HEX files for images (like MCUboot).
All images in a project will be built from source
As a workaround for this, you can first build a project, then use
mergehexmanually to merge the project output HEX file with a previously-generated HEX file in overwrite mode to replace that firmware in the output image.
- Moved and confirmed output files when MCUboot is enabled
These files are not generated when using sysbuild so would need to be manually generated.