nrf_security: 54h20: ironside SE PSA Crypto support

SebastianBoe · rlubos · commit 1b2abb07b8b2 · 2025-04-11T10:21:22.000+02:00
Provide support for PSA crypto services based on ironside SE.

Ref: NCSDK-32163

Signed-off-by: Sebastian Bøe &lt;sebastian.boe@nordicsemi.no&gt;
diff --git a/include/tfm/ironside/se/ipc_service.h b/include/tfm/ironside/se/ipc_service.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef __SDFW_PSA_IPC_SERVICE_H__
+#define __SDFW_PSA_IPC_SERVICE_H__
+
+/*
+ * This header contains symbols that are used by both the IRONside SE client
+ * and the IRONside SE service.
+ */
+enum {
+	IRONSIDE_SE_IPC_INDEX_HANDLE,
+	IRONSIDE_SE_IPC_INDEX_IN_VEC,
+	IRONSIDE_SE_IPC_INDEX_IN_LEN,
+	IRONSIDE_SE_IPC_INDEX_OUT_VEC,
+	IRONSIDE_SE_IPC_INDEX_OUT_LEN,
+	IRONSIDE_SE_IPC_INDEX_STATUS_PTR,
+	/* The last enum value is reserved for the size of the IPC buffer */
+	IRONSIDE_SE_IPC_DATA_LEN
+};
+
+/* We are adding the source files for the TF-M crypto partition to the build.
+ *
+ * The crypto partition will include the file psa_manifest/sid.h and
+ * expect the below three symbols to be there.
+ *
+ * In a TF-M build, the TF-M build system will generate
+ * psa_manifest/sid.h based on each partitions manifest.
+ *
+ * See https://trustedfirmware-m.readthedocs.io/
+ * en/latest/integration_guide/services/tfm_secure_partition_addition.html
+ *
+ * for an example of a partition manifest.
+ */
+#define TFM_CRYPTO_SID	   (0x00000080U)
+#define TFM_CRYPTO_VERSION (1U)
+#define TFM_CRYPTO_HANDLE  (0x40000100U)
+
+#endif /* __SDFW_PSA_IPC_SERVICE_H__ */
diff --git a/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+	status = "okay";
+};
+
+&cpuapp_ram0x_region {
+	status = "okay";
+};
+
+&cpusec_bellboard {
+	status = "okay";
+};
+
+&cpuapp_bellboard {
+	status = "okay";
+};
diff --git a/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+	status = "okay";
+};
+
+&cpuapp_ram0x_region {
+	status = "okay";
+};
+
+&cpusec_bellboard {
+	status = "okay";
+};
+
+&cpuapp_bellboard {
+	status = "okay";
+};
diff --git a/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+	status = "okay";
+};
+
+&cpuapp_ram0x_region {
+	status = "okay";
+};
+
+&cpusec_bellboard {
+	status = "okay";
+};
+
+&cpuapp_bellboard {
+	status = "okay";
+};
diff --git a/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+	status = "okay";
+};
+
+&cpuapp_ram0x_region {
+	status = "okay";
+};
+
+&cpusec_bellboard {
+	status = "okay";
+};
+
+&cpuapp_bellboard {
+	status = "okay";
+};
diff --git a/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+	status = "okay";
+};
+
+&cpuapp_ram0x_region {
+	status = "okay";
+};
+
+&cpusec_bellboard {
+	status = "okay";
+};
+
+&cpuapp_bellboard {
+	status = "okay";
+};
diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig
@@ -55,6 +55,13 @@ rsource "Kconfig.psa.nordic"
 config PSA_PROMPTLESS
 	bool
 
+config SSF_V_2
+	bool
+	default y if BOARD_NRF54H20DK_NRF54H20_CPUAPP_IRON
+	prompt "temporary option until iron and SSFv2 is available"
+	select MBOX
+	select IPC_SERVICE
+
 if NRF_SECURITY
 
 config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
diff --git a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt b/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt
@@ -4,8 +4,33 @@
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
 
+if(CONFIG_SSF_V_2)
+  zephyr_library()
+  zephyr_library_sources(
+    # ironside_psa_ns_api.c provides psa_call. psa_call is invoked by
+    # serialized functions from tfm_crypto_api.c and sends a message
+    # over IPC.
+    ${CMAKE_CURRENT_LIST_DIR}/ironside_se_psa_ns_api.c
+    # ironside_se_psa_ns_ipc.c provides an IPC service to ironside_se_psa_ns_api.c
+    ${CMAKE_CURRENT_LIST_DIR}/ironside_se_psa_ns_ipc.c
+    # tfm_crypto_api.c provides and serializes the PSA Crypto API.
+    ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/src/tfm_crypto_api.c
+    )
+
+  zephyr_library_include_directories(
+    ${NRF_DIR}/include/tfm
+    .
+    )
+
+  if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS)
+    zephyr_library_sources(
+      ${CMAKE_CURRENT_LIST_DIR}/bounce_buffers.c
+      )
+  endif()
+else()
 target_sources(${mbedcrypto_target}
   PRIVATE
     ${CMAKE_CURRENT_LIST_DIR}/ssf_crypto.c
     ${CMAKE_CURRENT_LIST_DIR}/ssf_psa_core_compatibility.c
 )
+endif()
diff --git a/subsys/nrf_security/src/ssf_secdom/Kconfig b/subsys/nrf_security/src/ssf_secdom/Kconfig
@@ -8,4 +8,33 @@ config PSA_SSF_CRYPTO_CLIENT
 	bool
 	prompt "PSA crypto provided through SSF"
 	default y
-	depends on SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED
+	depends on (SSF_CLIENT || SSF_V_2) && SSF_PSA_CRYPTO_SERVICE_ENABLED
+
+if PSA_SSF_CRYPTO_CLIENT
+
+config PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS
+	bool "Support PSA crypto with output buffers that are not cache-safe"
+	default y
+	depends on DCACHE
+	help
+	  When this option is enabled, the PSA Crypto service will
+	  allocate bounce buffers for all PSA output vectors that are not
+	  aligned to the DCache DataUnit size. When this option is
+	  disabled, the PSA Crypto service will never use bounce buffers,
+	  and the user of PSA APIs must ensure that the structures are
+	  cache-safe. The structures are cache-safe if there are no writes
+	  locally to any of the DataUnits that contain the structure
+	  getting written from the remote.
+
+if PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS
+
+config PSA_SSF_CRYPTO_CLIENT_OUT_HEAP_SIZE
+	int "Size of the heap used to buffer output from PSA function calls"
+	default 4096
+	help
+	  Size of the heap buffer used for out buffer.
+	  Reducing the size may trigger PSA_ERROR_INSUFFICIENT_MEMORY in PSA calls.
+
+endif # PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS
+
+endif # PSA_SSF_CRYPTO_CLIENT
diff --git a/subsys/nrf_security/src/ssf_secdom/bounce_buffers.c b/subsys/nrf_security/src/ssf_secdom/bounce_buffers.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#include <zephyr/kernel.h>
+#include <zephyr/cache.h>
+
+#include "bounce_buffers.h"
+
+/* k_heap_alloc allocated memory is aligned on a multiple of pointer sizes. The HW's DataUnit size
+ * must match this Zephyr behaviour.
+ */
+BUILD_ASSERT(CACHE_DATA_UNIT_SIZE == sizeof(uintptr_t));
+
+static K_HEAP_DEFINE(out_buffer_heap,
+		     ROUND_UP(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_HEAP_SIZE, CACHE_DATA_UNIT_SIZE));
+
+void *bounce_buffers_prepare(void *original_buffer, size_t size)
+{
+	void *out_buffer = NULL;
+
+	if (((IS_ALIGNED(original_buffer, CACHE_DATA_UNIT_SIZE)) &&
+		(IS_ALIGNED(size, CACHE_DATA_UNIT_SIZE))) ||
+	    (size == 0)) {
+		out_buffer = original_buffer;
+	} else {
+		out_buffer = k_heap_alloc(&out_buffer_heap, size, K_NO_WAIT);
+		if (out_buffer != NULL) {
+			memcpy(out_buffer, original_buffer, size);
+		}
+	}
+
+	return out_buffer;
+}
+
+void bounce_buffers_release(void *original_buffer, void *out_buffer, size_t size)
+{
+	if (out_buffer == NULL || out_buffer == original_buffer) {
+		return;
+	}
+
+	memcpy(original_buffer, out_buffer, size);
+	/* Clear buffer before returning it to not leak sensitive data */
+	memset(out_buffer, 0, size);
+	sys_cache_data_flush_range(out_buffer, size);
+	k_heap_free(&out_buffer_heap, out_buffer);
+}
diff --git a/subsys/nrf_security/src/ssf_secdom/bounce_buffers.h b/subsys/nrf_security/src/ssf_secdom/bounce_buffers.h
diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c
diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c
diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h
diff --git a/subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h b/subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h
diff --git a/subsys/sdfw_services/Kconfig b/subsys/sdfw_services/Kconfig
diff --git a/subsys/sdfw_services/services/Kconfig.template.service b/subsys/sdfw_services/services/Kconfig.template.service
