doc: tf-m: nRF54LM20 support update

Updated docs with information about support for TF-M on nRF54LM20.
NCSDK-35013.

Signed-off-by: Grzegorz Ferenc <[email protected]>

Author: greg-fer

doc/nrf/app_dev/board_names.rst

@@ -24,13 +24,15 @@ Refer to the following information for the list of supported development kits (D
    * - :zephyr:board:`nrf54lm20dk`
      - PCA10184
      - | ``nrf54lm20dk/nrf54lm20a/cpuapp``
+       | ``nrf54lm20dk/nrf54lm20a/cpuapp/ns`` (:ref:`TF-M <app_boards_spe_nspe>`)
        | ``nrf54lm20dk/nrf54lm20a/cpuflpr``
        | ``nrf54lm20dk/nrf54lm20a/cpuflpr/xip``
      - --
      - --
    * - :zephyr:board:`nrf54l15dk`
      - PCA10156
      - | ``nrf54l15dk/nrf54l15/cpuapp``
+       | ``nrf54l15dk/nrf54l15/cpuapp/ns`` (:ref:`TF-M <app_boards_spe_nspe>`)
        | ``nrf54l15dk/nrf54l15/cpuflpr``
        | ``nrf54l15dk/nrf54l15/cpuflpr/xip``
      - | `Datasheet <nRF54L15 Datasheet_>`_

doc/nrf/app_dev/device_guides/nrf54l/index.rst

@@ -411,8 +411,6 @@ Minimal Thread Device (MTD)
 Trusted Firmware-M support options
 ==================================
 
-To configure your Thread application to run with Trusted Firmware-M, use the following board target:
+Thread currently supports Trusted Firmware-M (TF-M) on the nRF54L15 DK.
 
-* ``nrf54l15dk/nrf54l15/cpuapp/ns``` for the nRF54L15 DK
-
-For more Trusted Firmware-M documentation, see :ref:`ug_tfm` and the official `TF-M documentation`_.
+To configure your Thread application to run with Trusted Firmware-M, use the ``nrf54l15dk/nrf54l15/cpuapp/ns`` board target and follow the instructions in :ref:`ug_tfm_building`.

doc/nrf/protocols/thread/configuring.rst

@@ -40,16 +40,10 @@ The Thread stack requires the following cryptographic operations:
 Secure processing environment
 *****************************
 
-Depending on the board target, Thread samples can use the :ref:`secure processing environment <ug_tfm_security_by_separation>` with Trusted Firmware-M (TF-M).
-
-nRF54L with Trusted Firmware-M (TF-M)
-=====================================
-
-On the nRF54L SoC, all cryptographic operations within the Thread stack are performed by utilizing the `Platform Security Architecture (PSA)`_ API and executed in the secure TF-M environment using the :ref:`TF-M Crypto Service implementation <ug_crypto_architecture_implementation_standards_tfm>`.
+When building for the nRF54L15 DK using the :ref:`board target <app_boards_names>` with the ``/ns`` variant (``nrf54l15dk/nrf54l15/cpuapp/ns``), Thread samples can use the :ref:`secure processing environment <ug_tfm_security_by_separation>` with Trusted Firmware-M (TF-M).
+In such cases, all cryptographic operations within the Thread stack are performed using the `Platform Security Architecture (PSA)`_ API and executed in the secure TF-M environment using the :ref:`TF-M Crypto Service implementation <ug_crypto_architecture_implementation_standards_tfm>`.
 The secure materials like Thread network key are stored in the TF-M secure storage using the :ref:`tfm_encrypted_its` module.
 
-To build a Thread sample with the TF-M support, :ref:`build <building>` for the :ref:`board target <app_boards_names>` with the ``/ns`` variant.
-
 For example, to build the Thread CLI sample for the nRF54L15 DK with the TF-M support, run the following command:
 
 .. code-block:: console

doc/nrf/protocols/thread/overview/security.rst

@@ -2252,13 +2252,13 @@ Trusted Firmware-M support
               - --
               - --
               - Experimental
-              - --
+              - Experimental (with :ref:`limitations <tfm_encrypted_its>`)
             * - :ref:`Minimal <ug_tfm_supported_services_profiles_minimal>`
               - --
               - --
               - --
               - Experimental
-              - --
+              - Experimental (with :ref:`limitations <tfm_encrypted_its>`)
 
       .. tab:: nRF91 Series
 

doc/nrf/releases_and_maturity/software_maturity.rst

@@ -25,6 +25,7 @@ The :ref:`boards supported by the SDK <app_boards_names>` distinguish entries ac
 To build with TF-M in the |NCS|, you must use a board target with the ``*/ns`` variant.
 The following platforms are currently supported:
 
+* nRF54LM20A
 * nRF54L15
 * nRF5340
 * nRF91 Series

doc/nrf/security/tfm/tfm_building.rst

@@ -59,6 +59,9 @@ Encrypted ITS
 
 TF-M ITS encryption is a data protection mechanism in Internal Trusted Storage. It provides transparent encryption using a Master Key Encryption Key (MKEK) stored in hardware, with unique encryption keys derived for each file.
 
+.. note::
+   |encrypted_its_not_supported_on_nrf54lm20|
+
 To enable TF-M ITS encryption, set the :kconfig:option:`CONFIG_TFM_ITS_ENCRYPTED` Kconfig option.
 
 On Nordic Semiconductor devices, the hardware-accelerated AEAD scheme ChaChaPoly1305 is used with a 256-bit key.

doc/nrf/security/tfm/tfm_services.rst

@@ -225,6 +225,7 @@ Core features
 Security services
 =================
 
+* |encrypted_its_not_supported_on_nrf54lm20|
 * Firmware Update service is not supported.
 * Firmware verification is not supported.
 * Firmware encryption is not supported.

doc/nrf/security/tfm/tfm_supported_services.rst

@@ -220,6 +220,8 @@
 .. |samples_tfm_info| replace:: Starting from the |NCS| v2.0.0, TF-M is the only way to use :ref:`security by separation <ug_tfm_security_by_separation>` with ARM TrustZone.
    In addition, the TF-M implementation is enabled by default for all samples and applications in the |NCS| when you build for the ``*/ns`` :ref:`variant <app_boards_names>` of the boards.
 
+.. |encrypted_its_not_supported_on_nrf54lm20| replace:: The encrypted ITS service is not supported on nRF54LM20 as it :ref:`does not support the full set of AEAD algorithm features <ug_crypto_supported_features_aead_algorithms>`.
+
 .. |plusminus| unicode:: U+000B1 .. PLUS-MINUS SIGN
    :rtrim:
 

doc/nrf/shortcuts.txt

@@ -25,6 +25,9 @@ The sample supports the following development kits:
 
 .. include:: /includes/tfm.txt
 
+.. note::
+   |encrypted_its_not_supported_on_nrf54lm20|
+
 Overview
 ********