docs: security: add IronSide to overview

Added information about IronSide SE to Security overview pages.
Added a section about CRACEN HW peripheral to the nRF54H20 arch.
NCSDK-33901.

Signed-off-by: Grzegorz Ferenc <[email protected]>

Author: greg-fer

doc/nrf/app_dev/device_guides/nrf54h/ug_nrf54h20_architecture_cpu.rst

@@ -27,6 +27,8 @@ The CPU cores in the nRF54H20 are based on two types of CPU architectures:
   The VPR (pronounced “Viper”) is a small, efficient CPU developed by Nordic Semiconductor.
   It is compatible with the RISC-V instruction set.
 
+.. _ug_nrf54h20_architecture_cpu_appcore:
+
 Application core
 ****************
 
@@ -142,6 +144,24 @@ Since the nRF54H platform supports global resource sharing, where memory partiti
 
 The Secure Domain Firmware (SDFW) exposes security-related services to the Cores in the system located in local domains (like Application and Radio).
 
+.. _ug_nrf54h20_secure_domain_cracen:
+
+CRACEN hardware peripheral
+==========================
+
+The CRACEN hardware peripheral is a hardware accelerator for cryptographic operations.
+
+On nRF54H20, the CRACEN hardware peripheral is tightly integrated with the Secure Domain.
+This means that only the CPU in the Secure Domain can access the CRACEN hardware peripheral and there is no RNG peripheral available to other Cores.
+
+The :ref:`CRACEN cryptographic driver <crypto_drivers_cracen>` uses the hardware peripheral to perform cryptographic operations.
+The driver implements the PSA Crypto driver API and then relies on :ref:`Oberon PSA Crypto <ug_crypto_architecture_implementation_standards_oberon>` to implement the :ref:`PSA Crypto API <ug_psa_certified_api_overview_crypto>`.
+The IronSide Secure Element firmware relies on the CRACEN driver.
+
+The seed for CRACEN's Isolated Key Generator (IKG) is generated by a Physically Unclonable Function (PUF).
+The PUF seed is controlled by the Secure Domain ROM and neither firmware nor applications can read or modify it.
+Keys derived by this mechanism are never exposed outside the Secure Domain.
+
 .. _ug_nrf54h20_sys_ctrl:
 
 System Controller

doc/nrf/links.txt

@@ -255,6 +255,7 @@
 .. _`PSA Cryptography API 1.0.1`: https://armmbed.github.io/mbed-crypto/1.0.1/html/index.html
 .. _`PSA Certified Crypto API 1.0.0`: https://arm-software.github.io/psa-api/crypto/1.0/IHI0086-PSA_Cryptography_API-1.0.0.pdf
 .. _`PSA Certified Crypto API 1.2.1`: https://arm-software.github.io/psa-api/crypto/1.2/
+.. _`PSA Certified Crypto API 1.3.1`: https://arm-software.github.io/psa-api/crypto/1.3/
 .. _`PSA functions for key management`: https://arm-software.github.io/psa-api/crypto/1.1/api/keys/management.html
 
 .. _`PSA Certified Secure Storage API`: https://arm-software.github.io/psa-api/storage/
@@ -786,6 +787,7 @@
 .. _`nRF54L15 Key management unit`: https://docs.nordicsemi.com/bundle/ps_nrf54L15/page/kmu.html
 .. _`nRF54L15 RRAMC`: https://docs.nordicsemi.com/bundle/ps_nrf54L15/page/rramc.html
 .. _`nRF54L15 REGION.CONFIG`: https://docs.nordicsemi.com/bundle/ps_nrf54L15/page/rramc.html#ariaid-title35
+.. _`nRF54L15 DK CRACEN`: https://docs.nordicsemi.com/bundle/ps_nrf54L15/page/cracen.html
 
 .. _`nRF53 Series`: https://docs.nordicsemi.com/category/nrf-53-series
 

doc/nrf/releases_and_maturity/software_maturity.rst

@@ -2646,6 +2646,14 @@ For more information about the PSA Crypto implementations in the |NCS|, see :ref
              - --
              - --
              - --
+           * - :ref:`IronSide Secure Element <ug_crypto_architecture_implementation_standards_ironside>`
+             - :ref:`CRACEN <crypto_drivers>`
+             - --
+             - --
+             - --
+             - --
+             - --
+             - --
 
       .. tab:: nRF53 Series
 
@@ -2668,6 +2676,9 @@ For more information about the PSA Crypto implementations in the |NCS|, see :ref
            * - :ref:`TF-M Crypto Service <ug_crypto_architecture_implementation_standards_tfm>`
              - :ref:`Oberon PSA Crypto drivers <crypto_drivers>`
              - Supported
+           * - :ref:`IronSide Secure Element <ug_crypto_architecture_implementation_standards_ironside>`
+             - :ref:`CRACEN <crypto_drivers>`
+             - --
 
       .. tab:: nRF54 Series
 
@@ -2705,6 +2716,12 @@ For more information about the PSA Crypto implementations in the |NCS|, see :ref
              - --
              - Experimental
              - Experimental
+           * - :ref:`IronSide Secure Element <ug_crypto_architecture_implementation_standards_ironside>`
+             - :ref:`CRACEN <crypto_drivers>`
+             - Supported
+             - --
+             - --
+             - --
 
       .. tab:: nRF91 Series
 
@@ -2742,6 +2759,12 @@ For more information about the PSA Crypto implementations in the |NCS|, see :ref
              - Supported
              - Supported
              - Supported
+           * - :ref:`IronSide Secure Element <ug_crypto_architecture_implementation_standards_ironside>`
+             - :ref:`CRACEN <crypto_drivers>`
+             - --
+             - --
+             - --
+             - --
 
 .. crypto_support_table_end
 

doc/nrf/security/crypto/crypto_architecture.rst

@@ -56,7 +56,10 @@ Implementations in the |NCS|
 
 The |NCS| follows the PSA Crypto standard through two major API implementations: Oberon PSA Crypto and TF-M Crypto Service.
 They are designed for use without and with Trusted Firmware-M (TF-M), respectively, and have different security requirements.
-Both are based on the `sdk-oberon-psa-crypto`_ library, which offers a lightweight PSA Crypto API implementation optimized for resource-constrained microcontrollers.
+Additionally, the |NCS| includes the nRF54H20-specific IronSide Secure Element implementation.
+
+All implementations are based on the `sdk-oberon-psa-crypto`_ library, which offers a lightweight PSA Crypto API implementation optimized for resource-constrained microcontrollers.
+
 
 .. figure:: ../images/psa_crypto_api_overview.svg
    :alt: PSA Crypto API implementations in the |NCS|
@@ -160,3 +163,28 @@ When using the TF-M Crypto Service implementation, keys from the PSA Crypto API
 * Protected Storage (PS) - One of :ref:`ug_tfm_architecture_rot_services_application` that provides secure storage within the Trusted Firmware-M environment.
 
 For more information about the storage integration for the TF-M Crypto Service implementation, see :ref:`ug_psa_certified_api_overview_secstorage` and :ref:`ug_tfm_services`.
+
+.. _ug_crypto_architecture_implementation_standards_ironside:
+
+IronSide Secure Element implementation
+======================================
+
+The IronSide Secure Element (IronSide SE) implementation provides a PSA Crypto API interface for applications running on nRF54H20.
+
+.. figure:: ../images/psa_crypto_api_ironside.svg
+   :alt: IronSide SE implementation
+   :align: center
+
+   IronSide SE implementation
+
+This implementation provides IronSide SE firmware for the :ref:`CRACEN hardware peripheral in the Secure Domain <ug_nrf54h20_secure_domain_cracen>`.
+It is designed to provide a robust Root of Trust (RoT) and offload cryptographic operations, key handling, and secure storage.
+The firmware implements the cryptographic operations using the existing Oberon PSA Core and the CRACEN driver.
+
+The firmware is provided by Nordic Semiconductor independently from the |NCS| release cycle.
+
+Driver selection in the IronSide SE implementation
+--------------------------------------------------
+
+The IronSide SE implementation works only with the :ref:`CRACEN driver <crypto_drivers_cracen>`.
+It does not support the :ref:`software fallback <crypto_drivers_software_fallback>` mechanism to :ref:`nrf_oberon <crypto_drivers_oberon>`.

doc/nrf/security/crypto/driver_config.rst

@@ -28,6 +28,7 @@ To use the PSA Crypto API in your application, enable the following Kconfig opti
 * For the :ref:`Oberon PSA Crypto implementation <ug_crypto_architecture_implementation_standards_oberon>`, enable the :kconfig:option:`CONFIG_NRF_SECURITY` Kconfig option.
 * For the :ref:`TF-M Crypto Service implementation <ug_crypto_architecture_implementation_standards_tfm>`, enable the :kconfig:option:`CONFIG_NRF_SECURITY` Kconfig option together with the :kconfig:option:`CONFIG_BUILD_WITH_TFM` Kconfig option.
   For more information, see :ref:`ug_tfm_building_secure_services`.
+* For the :ref:`IronSide Secure Element implementation <ug_crypto_architecture_implementation_standards_ironside>`, enable the :kconfig:option:`CONFIG_NRF_SECURITY` Kconfig option on the nRF54H20's :ref:`ug_nrf54h20_architecture_cpu_appcore`.
 
 .. _psa_crypto_support_single_driver:
 
@@ -58,8 +59,10 @@ To enable the :ref:`nrf_security_drivers_cracen`, set the :kconfig:option:`CONFI
 The nrf_oberon driver may then be disabled by using the Kconfig option :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_OBERON` (``CONFIG_PSA_CRYPTO_DRIVER_OBERON=n``).
 
 .. note::
-   On nRF54L Series devices, CRACEN is the only source of entropy.
-   Therefore, it is not possible to disable the :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_CRACEN` Kconfig option when the Zephyr entropy driver is enabled.
+   - On nRF54L Series devices, CRACEN is the only source of entropy.
+     Therefore, it is not possible to disable the :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_CRACEN` Kconfig option when the Zephyr entropy driver is enabled.
+   - On nRF54H20, the IronSide Secure Element firmware relies on the CRACEN driver.
+     However, you do not need to enable the :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_CRACEN` Kconfig option when the program the firmware bundle onto the Secure Domain.
 
 .. _psa_crypto_support_enable_nrf_oberon:
 

doc/nrf/security/crypto/drivers.rst

@@ -57,8 +57,8 @@ Hardware drivers take precedence over software drivers, which provide fallback o
      - Drivers for the `CryptoCell 310 <nRF9160 CRYPTOCELL - Arm TrustZone CryptoCell 310_>`_ and `CryptoCell 312 <nRF5340 CRYPTOCELL - Arm TrustZone CryptoCell 312_>`_ hardware accelerators.
    * - :ref:`CRACEN <crypto_drivers_cracen>`
      - Hardware
-     - nRF54L Series devices
-     - Security subsystem providing hardware acceleration for cryptographic operations. For more information, see :ref:`ug_nrf54l_crypto_kmu_cracen_peripherals` on the :ref:`ug_nrf54l_cryptography` page.
+     - nRF54L Series devices, nRF54H20
+     - Security subsystem providing hardware acceleration for cryptographic operations through the CRACEN hardware peripheral. For more information, see the :ref:`ug_nrf54l_cryptography` page.
    * - :ref:`nrf_oberon <crypto_drivers_oberon>`
      - Software
      - nRF devices with Arm Cortex®-M0, -M4, or -M33 processors
@@ -344,10 +344,16 @@ CRACEN driver
    * - :ref:`CRACEN <ug_nrf54l_cryptography>`
      - Hardware
      - Open-source
-     - nRF54L Series devices
+     - nRF54L Series devices, nRF54H20
 
 The CRACEN driver provides entropy and hardware-accelerated cryptography using the Crypto Accelerator Engine (CRACEN) hardware peripheral.
-For more information about both the driver and the hardware peripheral, see :ref:`ug_nrf54l_crypto_kmu_cracen_peripherals` on the :ref:`ug_nrf54l_cryptography` page.
+The driver implements the PSA Crypto driver API (``cracen_aead_set_nonce``) and then relies on :ref:`Oberon PSA Crypto <ug_crypto_architecture_implementation_standards>` to implement the PSA API (``psa_aead_set_set_nonce``).
+
+The hardware peripheral is available on the following devices:
+
+* nRF54L15 Series devices - For more information about both the hardware peripheral and the driver, see the `CRACEN hardware peripheral <nRF54L15 DK CRACEN_>`_ page in the datasheet and the :ref:`ug_nrf54l_cryptography` page in the |NCS| documentation.
+* nRF54H20 - On this platform, the IronSide Secure Element relies on the CRACEN driver.
+  For more information, see the :ref:`ug_nrf54h20_secure_domain_cracen`.
 
 CRACEN driver configuration
 ---------------------------