doc: crypto: add driver overview

Added information about the driver selection process.
Added additional details about crypto drivers.
NCSDK-33433, NCSDK-33436, NCSDK-30042.

Signed-off-by: Grzegorz Ferenc <[email protected]>

Author: greg-fer

doc/nrf/glossary.rst

@@ -189,7 +189,12 @@ Glossary
       In the |NCS|, this term is used in the context of `ARM TrustZone`_ and :ref:`app_boards_spe_nspe` (:term:`Non-Secure Processing Environment (NSPE)` and :term:`Secure Processing Environment (SPE)`).
 
    CRACEN
-      A hardware cryptographic engine within nRF54H devices.
+      A hardware crypto accelerator within nRF54L Series devices, and the name of the :term:`cryptographic driver <Cryptographic driver>` in the |NCS|.
+      For more information, see :ref:`ug_nrf54l_crypto_kmu_cracen_peripherals` on the :ref:`ug_nrf54l_cryptography` page.
+
+   Cryptographic driver
+      A specialized component that implements specific cryptographic algorithms or provides access to hardware accelerators.
+      See :ref:`crypto_drivers` for more information.
 
    Data Terminal Ready (DTR)
       A control signal in RS-232 serial communications transmitted from data terminal equipment, such as a computer, to data communication equipment.

doc/nrf/libraries/security/nrf_security/doc/driver_config.rst

@@ -64,7 +64,6 @@ The nrf_oberon driver may then be disabled by using the Kconfig option :kconfig:
    On nRF54L Series devices, CRACEN is the only source of entropy.
    Therefore, it is not possible to disable the :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_CRACEN` Kconfig option when the Zephyr entropy driver is enabled.
 
-
 .. _nrf_security_drivers_config_multiple:
 
 Configuring multiple drivers
@@ -103,7 +102,7 @@ When multiple enabled drivers support the same cryptographic feature, the config
 Configuring cryptographic features
 **********************************
 
-You can enable a cryptographic feature or algorithm using `CONFIG_PSA_WANT_ALG_*`_ Kconfig options, which are specific for PSA Crypto API configurations.
+You can enable a cryptographic feature or algorithm using `CONFIG_PSA_WANT_*`_ Kconfig options, which are specific for PSA Crypto API configurations.
 For example, to enable the AES algorithm, set the :kconfig:option:`CONFIG_PSA_WANT_ALG_AES` Kconfig option.
 
 For a list of supported cryptographic features and algorithms and the Kconfig options to enable them, see :ref:`ug_crypto_supported_features`.

doc/nrf/links.txt

@@ -644,7 +644,8 @@
 .. _`CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED`: https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#!CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED
 .. _`Matter factory data Kconfig options`: https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#!CHIP_FACTORY_DATA
 .. _`Kconfig search results`: https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#!CONFIG_PM_PARTITION_SIZE
-.. _`CONFIG_PSA_WANT_ALG_*`: https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#!CONFIG_PSA_WANT_ALG
+.. _`CONFIG_PSA_WANT_*`: https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#!CONFIG_PSA_WANT_
+.. _`CONFIG_PSA_USE_*`: https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#!CONFIG_PSA_USE_
 
 .. _`Threads`: https://docs.nordicsemi.com/bundle/ncs-latest/page/zephyr/kernel/services/threads/index.html
 

doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst

@@ -120,7 +120,11 @@ Security
 
 * Added the new section about :ref:`ug_crypto_index`.
   The new section includes pages about :ref:`ug_crypto_architecture` (new page) and :ref:`crypto_drivers` (moved from :ref:`nrf_security` library).
-* Updated the :ref:`ug_tfm_logging` page with more details about how to configure logging on the same UART instance as the application for nRF5340 and nRF91 Series devices.
+
+* Updated:
+
+  * The :ref:`ug_tfm_logging` page with more details about how to configure logging on the same UART instance as the application for nRF5340 and nRF91 Series devices.
+  * The :ref:`crypto_drivers` page with more details about the driver selection process.
 
 Protocols
 =========

doc/nrf/security/crypto/crypto_architecture.rst

@@ -25,10 +25,11 @@ In this figure:
 
 * Application calls the PSA Crypto implementation through the PSA Crypto API.
 * The PSA Crypto API implementation is an abstraction layer that manages cryptographic operations, key handling, and driver coordination.
-  The implementations can be different, but they should all conform to the PSA Crypto specification.
-* Crypto driver is a specialized component that implements specific cryptographic algorithms or provides access to hardware accelerators.
+  The implementations can be different, but they should all conform to the PSA Crypto API standard.
+* Cryptographic driver is a specialized component that implements specific cryptographic algorithms or provides access to hardware accelerators.
 * Storage integration provides persistent and secure storage capabilities through standardized PSA Secure Storage APIs.
   It implements storage interfaces that allow the PSA Crypto implementation to securely store and retrieve keys, ensuring proper protection of sensitive material throughout its lifecycle.
+* Hardware platform is the physical device with security features, such as cryptographic hardware engines or secure storage.
 
 .. _ug_crypto_architecture_interaction_flow:
 
@@ -80,6 +81,12 @@ The Oberon PSA Crypto is a library that serves as the central component managing
 The Oberon PSA Crypto acts as the implementation provider, directly exposing the PSA Crypto API to applications.
 Each driver can implement support for different subsets of cryptographic algorithms, providing software support for algorithms that hardware cannot support.
 
+This implementation standard is suitable for applications that prioritize simplicity and do not require the additional security isolation provided by TF-M.
+It offers direct access to cryptographic functionality with minimal overhead, making it ideal for resource-constrained applications.
+
+Driver selection in the Oberon PSA Crypto implementation
+--------------------------------------------------------
+
 The following figure shows the driver library selection through the driver wrapper, one of the internal modules of Oberon PSA Crypto:
 
 .. figure:: ../images/psa_certified_api_lib_selection.svg
@@ -88,8 +95,7 @@ The following figure shows the driver library selection through the driver wrapp
 
    Oberon PSA Crypto driver library selection
 
-This implementation standard is suitable for applications that prioritize simplicity and do not require the additional security isolation provided by TF-M.
-It offers direct access to cryptographic functionality with minimal overhead, making it ideal for resource-constrained applications.
+For more information about the driver selection, see :ref:`crypto_drivers`.
 
 Storage integration for the Oberon PSA Crypto implementation
 ------------------------------------------------------------
@@ -114,23 +120,29 @@ The TF-M Crypto Service implementation provides PSA Crypto API access through Tr
 
    TF-M Crypto Service implementation
 
+In this architecture, TF-M implements the secure cryptographic service using the existing Oberon PSA Core and its associated drivers within the secure environment.
+Additionally, TF-M integrates key storage using its internal mechanisms, offering secure key management through :ref:`Internal Trusted Storage <ug_tfm_services_its>` and :ref:`Protected Storage <tfm_partition_ps>`.
+
 This implementation leverages TF-M's Secure Processing Environment (SPE) to isolate cryptographic operations from the Non-Secure Processing Environment (NSPE).
 TF-M is built on top of TrustZone technology and isolates the PSA Crypto API as non-secure callable calls into a secure processing environment.
+Cryptographic keys are stored and isolated in the SPE, ensuring they are not accessible by the application running in the NSPE.
+The cryptographic drivers (nrf_cc3xx, nrf_oberon, and CRACEN) are available within the secure environment, providing consistent cryptographic capabilities.
 
 .. figure:: ../images/tfm_psa_crypto_api_nspe_spe.svg
    :alt: TF-M Crypto Service implementation in the NSPE and SPE
    :align: center
 
    TF-M Crypto Service implementation in the NSPE and SPE
 
-In this architecture, TF-M implements the secure cryptographic service using the existing Oberon PSA Core and its associated drivers within the secure environment.
-Cryptographic keys are stored and isolated in the SPE, ensuring they are not accessible by the application running in the NSPE.
-The same cryptographic drivers (nrf_cc3xx, nrf_oberon, and CRACEN) are available within the secure environment, providing consistent cryptographic capabilities.
-Additionally, TF-M integrates key storage using its internal mechanisms, offering secure key management through :ref:`Internal Trusted Storage <ug_tfm_services_its>` and :ref:`Protected Storage <tfm_partition_ps>`.
-
-This implementation standard is mandatory for applications requiring PSA Certified security levels and provides the highest level of security through hardware-enforced isolation.
+This implementation standard is mandatory for applications requiring higher `PSA Certified security levels <PSA Certified IoT Security Framework_>`_ and provides the highest level of security through hardware-enforced isolation.
 It ensures that cryptographic operations and key material remain protected even if the non-secure application is compromised.
 
+Driver selection in the TF-M Crypto Service implementation
+----------------------------------------------------------
+
+The TF-M Crypto Service implementation uses the same driver selection mechanism as the Oberon PSA Crypto implementation.
+For more information about the driver selection, see :ref:`crypto_drivers`.
+
 Storage integration for the TF-M Crypto Service implementation
 --------------------------------------------------------------