doc: tfm: clarify support for nRF54L05 & nRF54L10

Edited mentions of nRF54L15 DK with TF-M support to account for
TF-M support on emulated nRF54L10 and missing support for TF-M
on emulated nRF54L05. NCSDK-30596.

Signed-off-by: Grzegorz Ferenc <[email protected]>

Author: greg-fer

doc/nrf/app_dev/board_names.rst

@@ -335,7 +335,7 @@ Depending on the usage scheme:
 
 * Key slots with the usage scheme Encrypted (``CRACEN_KMU_KEY_USAGE_SCHEME_ENCRYPTED``) also have to be decrypted to a temporary push location in RAM before they are used by CRACEN, which is handled by the CRACEN driver.
 
-When the application is built with TF-M, this temporary push location is protected inside the secure processing environment to avoid exposing the key material to the non-secure application.
+When the application is built with TF-M (for nRF54L Series devices that :ref:`support TF-M <ug_tfm_supported_services>`), this temporary push location is protected inside the secure processing environment to avoid exposing the key material to the non-secure application.
 If TF-M is not used, the keys are pushed to a reserved RAM area at location 0x20000000-0x20000064 (``kmu_push_area``).
 
 You might encounter the following KMU-specific error codes when using the KMU keys:

doc/nrf/app_dev/device_guides/nrf54l/cryptography.rst

@@ -47,7 +47,8 @@ Refer to the following information for the list of supported development kits (D
        | `nRF54L15 System-on-Chip (SoC) <nRF54L15 System-on-Chip_>`_
    * - :ref:`nRF54L10 emulation on the nRF54L15 DK <zephyr:nrf54l15dk_nrf54l10>`
      - PCA10156
-     - ``nrf54l15dk/nrf54l10/cpuapp``
+     - | ``nrf54l15dk/nrf54l10/cpuapp``
+       | ``nrf54l15dk/nrf54l10/cpuapp/ns`` (:ref:`TF-M <app_boards_spe_nspe>`)
      - | `Datasheet <nRF54L15 Datasheet_>`_
        | `nRF54L10 Compatibility Matrix`_
      - | `nRF54L10 System-on-Chip (SoC) <nRF54L10_>`_

doc/nrf/app_dev/device_guides/nrf54l/index.rst

@@ -33,18 +33,17 @@ For an overview of the cryptography layer configuration supported for each |NCS|
 Secure processing environment
 *****************************
 
-Depending on the board target, Matter samples can use the :ref:`secure processing environment <ug_tfm_security_by_separation>` with Trusted Firmware-M (TF-M).
+When building for the nRF54L15 DK using the ``nrf54l15dk/nrf54l15/cpuapp/ns`` :ref:`board target <app_boards_names>`, Matter samples can use the :ref:`secure processing environment <ug_tfm_security_by_separation>` with Trusted Firmware-M (TF-M).
+In such cases, all cryptographic operations within the Matter stack are performed by using the `Platform Security Architecture (PSA)`_ API and executed in the secure TF-M environment using the :ref:`TF-M Crypto Service implementation <ug_crypto_architecture_implementation_standards_tfm>`.
+The secure materials like Matter Session keys and other keys (except for the DAC private key) can be stored in the TF-M secure storage using the :ref:`tfm_encrypted_its` or :ref:`key_storage_kmu`.
 
-nRF54L with Trusted Firmware-M (TF-M)
-=====================================
+Matter samples use the full, configurable TF-M build, so you cannot use the minimal build.
+For more information, see :ref:`ug_tfm_supported_services_profiles`.
 
-On the nRF54L SoC, all cryptographic operations within the Matter stack are performed by utilizing the `Platform Security Architecture (PSA)`_ API and executed in the secure TF-M environment using the :ref:`TF-M Crypto Service implementation <ug_crypto_architecture_implementation_standards_tfm>`.
-The secure materials like Matter Session keys and other keys, except for the DAC private key, are stored in the TF-M secure storage using the :ref:`tfm_encrypted_its` module.
-Matter samples use the full TF-M library, so you cannot use the :ref:`tfm_minimal_build` version of TF-M.
-
-To build a Matter sample with the TF-M support, :ref:`build <building>` for the :ref:`board target <app_boards_names>` with the ``/ns`` variant.
+Matter sample partition layout
+==============================
 
-To configure partition layout for your application, you can edit the :file:`pm_static_nrf54l15dk_nrf54l15_cpuapp_ns.yml` file that is available in each sample directory.
+To configure the partition layout for your application, you can edit the :file:`pm_static_nrf54l15dk_nrf54l15_cpuapp_ns.yml` file that is available in each sample directory.
 To read more about the TF-M partitioning, see :ref:`ug_tfm_partition_alignment_requirements`.
 While using TF-M, the application partition size and available RAM space for the application is lower than without TF-M.
 You must keep this in mind and calculate the available space for the application partition.

doc/nrf/protocols/matter/end_product/security.rst

@@ -40,11 +40,14 @@ The Thread stack requires the following cryptographic operations:
 Secure processing environment
 *****************************
 
-When building for the nRF54L15 DK using the :ref:`board target <app_boards_names>` with the ``/ns`` variant (``nrf54l15dk/nrf54l15/cpuapp/ns``), Thread samples can use the :ref:`secure processing environment <ug_tfm_security_by_separation>` with Trusted Firmware-M (TF-M).
+When building for the nRF54L15 DK using the ``nrf54l15dk/nrf54l15/cpuapp/ns`` :ref:`board target <app_boards_names>`, Thread samples can use the :ref:`secure processing environment <ug_tfm_security_by_separation>` with Trusted Firmware-M (TF-M).
 In such cases, all cryptographic operations within the Thread stack are performed using the `Platform Security Architecture (PSA)`_ API and executed in the secure TF-M environment using the :ref:`TF-M Crypto Service implementation <ug_crypto_architecture_implementation_standards_tfm>`.
-The secure materials like Thread network key are stored in the TF-M secure storage using the :ref:`tfm_encrypted_its` module.
+The secure materials like Thread network key can be stored in the TF-M secure storage using the :ref:`tfm_encrypted_its` or :ref:`key_storage_kmu`.
 
-For example, to build the Thread CLI sample for the nRF54L15 DK with the TF-M support, run the following command:
+Thread samples use the full, configurable TF-M build, so you cannot use the minimal build.
+For more information, see :ref:`ug_tfm_supported_services_profiles`.
+
+For example, to build the Thread CLI sample with the TF-M support, run the following command:
 
 .. code-block:: console
 

doc/nrf/protocols/thread/overview/security.rst

@@ -794,7 +794,12 @@ zcbor
 Trusted Firmware-M
 ==================
 
-* Updated the TF-M version to 2.2.0.
+* Updated:
+
+  * The TF-M version to 2.2.0.
+  * Documentation to clarify the support for TF-M on devices emulated using the nRF54L15 DK.
+    nRF54L05 does not support TF-M.
+    nRF54L10 supports TF-M experimentally.
 
 Documentation
 =============

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

@@ -2224,6 +2224,8 @@ Trusted Firmware-M support
 
       .. tab:: nRF53 Series
 
+         For board targets supported by TF-M, see :ref:`ug_tfm_building_board_targets`.
+
          .. list-table:: TF-M profile support
             :header-rows: 1
             :widths: auto
@@ -2237,6 +2239,8 @@ Trusted Firmware-M support
 
       .. tab:: nRF54 Series
 
+         For board targets supported by TF-M, see :ref:`ug_tfm_building_board_targets`.
+
          .. list-table:: TF-M profile support
             :header-rows: 1
             :widths: auto
@@ -2248,20 +2252,22 @@ Trusted Firmware-M support
               - nRF54L15
               - nRF54LM20
             * - :ref:`Configurable <ug_tfm_supported_services_profiles_configurable>`
-              - --
               - --
               - --
               - Experimental
+              - Experimental
               - Experimental (with :ref:`limitations <tfm_encrypted_its>`)
             * - :ref:`Minimal <ug_tfm_supported_services_profiles_minimal>`
-              - --
               - --
               - --
               - Experimental
+              - Experimental
               - Experimental (with :ref:`limitations <tfm_encrypted_its>`)
 
       .. tab:: nRF91 Series
 
+         For board targets supported by TF-M, see :ref:`ug_tfm_building_board_targets`.
+
          .. list-table:: TF-M profile support
             :header-rows: 1
             :widths: auto
@@ -2412,7 +2418,7 @@ The lists are organized by device Series and implementation.
               - --
               - Experimental
               - Experimental
-              - --
+              - Experimental
             * - :ref:`IronSide Secure Element <ug_crypto_architecture_implementation_standards_ironside>`
               - Supported
               - --

doc/nrf/releases_and_maturity/software_maturity.rst

@@ -38,7 +38,7 @@ Some of them are documented in detail in other parts of this documentation, whil
       | - :ref:`ug_nrf54l_cryptography`
   * - Trusted Firmware-M (TF-M)
     - TF-M is the reference implementation of `Platform Security Architecture (PSA)`_.
-      On nRF5340, nRF54L and nRF91 Series devices, TF-M is used to configure and boot an application with :ref:`security by separation <app_boards_spe_nspe_cpuapp_ns>`.
+      On :ref:`boards with the /ns variant <app_boards_names>`, TF-M is used to configure and boot an application with :ref:`security by separation <app_boards_spe_nspe_cpuapp_ns>`.
     - See :ref:`ug_tfm`.
     - | - :ref:`tfm_samples`
       | - :ref:`crypto_samples`

doc/nrf/security.rst

@@ -17,18 +17,76 @@ To add TF-M to your build, enable the :kconfig:option:`CONFIG_BUILD_WITH_TFM` co
 By default, TF-M is configured to build the :ref:`minimal version <tfm_minimal_build>`.
 To use the full TF-M, you must disable the :kconfig:option:`CONFIG_TFM_PROFILE_TYPE_MINIMAL` option.
 
+.. _ug_tfm_building_board_targets:
+
 Board targets supported by TF-M
 *******************************
 
-The :ref:`boards supported by the SDK <app_boards_names>` distinguish entries according which CPU is to be targeted (for multi-core SoCs) and whether the security by separation is to be used or not (addition of the ``*/ns`` :ref:`variant <app_boards_names>` if it is used).
-
+The boards supported by the SDK distinguish entries according to which CPU is to be targeted (for multi-core SoCs) and whether the :ref:`security by separation <ug_tfm_security_by_separation>` is to be used or not (addition of the ``*/ns`` :ref:`variant <app_boards_names>` if it is used).
 To build with TF-M in the |NCS|, you must use a board target with the ``*/ns`` variant.
-The following platforms are currently supported:
 
-* nRF54LM20A
-* nRF54L15
-* nRF5340
-* nRF91 Series
+The following table lists the board targets that you can use to build with TF-M.
+See :ref:`app_boards_names` for the complete list of boards and board targets supported by the SDK.
+
+.. list-table:: Board targets supported by TF-M
+   :header-rows: 1
+
+   * - Hardware platform
+     - PCA number
+     - Board name
+     - TF-M board target
+   * - nRF9161 DK
+     - PCA10153
+     - :zephyr:board:`nrf9161dk <nrf9161dk>`
+     - ``nrf9161dk/nrf9161/ns``
+   * - nRF9160 DK
+     - PCA10090
+     - :ref:`nrf9160dk <zephyr:nrf9160dk_nrf9160>`
+     - ``nrf9160dk/nrf9160/ns``
+   * - nRF9151 DK
+     - PCA10171
+     - :zephyr:board:`nrf9151dk <nrf9151dk>`
+     - ``nrf9151dk/nrf9151/ns``
+   * - nRF9131 EK
+     - PCA10165
+     - :zephyr:board:`nrf9131ek <nrf9131ek>`
+     - ``nrf9131ek/nrf9131/ns``
+   * - nRF54LM20 DK
+     - PCA10184
+     - :zephyr:board:`nrf54lm20dk <nrf54lm20dk>`
+     - ``nrf54lm20dk/nrf54lm20a/cpuapp/ns``
+   * - nRF54L15 DK
+     - PCA10156
+     - :zephyr:board:`nrf54l15dk <nrf54l15dk>`
+     - ``nrf54l15dk/nrf54l15/cpuapp/ns``
+   * - nRF54L10 emulated on the nRF54L15 DK
+     - PCA10156
+     - :ref:`nrf54l10dk/nrf54l10 <zephyr:nrf54l15dk_nrf54l10>`
+     - ``nrf54l15dk/nrf54l10/cpuapp/ns``
+   * - nRF5340 DK
+     - PCA10095
+     - :zephyr:board:`nrf5340dk <nrf5340dk>`
+     - ``nrf5340dk/nrf5340/cpuapp/ns``
+   * - Thingy:53
+     - PCA20053
+     - :zephyr:board:`thingy53 <thingy53>`
+     - ``thingy53/nrf5340/cpuapp/ns``
+   * - nRF7002 DK
+     - PCA10143
+     - :zephyr:board:`nrf7002dk <nrf7002dk>`
+     - ``nrf7002dk/nrf5340/cpuapp/ns``
+   * - Thingy:91
+     - PCA20035
+     - :ref:`thingy91 <ug_thingy91>`
+     - ``thingy91/nrf9160/ns``
+   * - Thingy:91 X
+     - PCA20065
+     - :ref:`thingy91x <ug_thingy91x>`
+     - ``thingy91x/nrf9151/ns``
+   * - Thingy:91 X
+     - PCA20065
+     - :ref:`thingy91x <ug_thingy91x>`
+     - ``thingy91x/nrf5340/cpuapp/ns``
 
 .. _ug_tfm_building_secure_services:
 

doc/nrf/security/tfm/tfm_building.rst

@@ -1,7 +1,7 @@
 .. _ug_tfm_supported_services:
 
-Supported services and limitations in the |NCS|
-###############################################
+TF-M support and limitations in the |NCS|
+#########################################
 
 .. contents::
    :local:
@@ -45,14 +45,18 @@ Instead, it provides two main configurations for TF-M: minimal and configurable.
      - Not supported
      - Profile Large protects less resource-constrained Arm Cortex-M devices.
 
-Hardware support matrix for TF-M configurations
-  Expand the following field to list the software maturity levels for the TF-M configurations in the |NCS| for each device.
+.. _ug_tfm_supported_services_profiles_hw_support:
 
-  .. toggle::
+Hardware support matrix for TF-M profiles
+=========================================
 
-     .. include:: ../../releases_and_maturity/software_maturity.rst
-        :start-after: tfm_ncs_profiles_support_table_start
-        :end-before: tfm_ncs_profiles_support_table_end
+The following table lists hardware support and software maturity levels for the minimal and configurable TF-M profiles in the |NCS|.
+
+.. include:: ../../releases_and_maturity/software_maturity.rst
+   :start-after: tfm_ncs_profiles_support_table_start
+   :end-before: tfm_ncs_profiles_support_table_end
+
+For the definitions of the maturity levels, see :ref:`software_maturity`.
 
 .. _ug_tfm_supported_services_profiles_minimal: