nrf_ironside: Move Ironside outside of nrf_security

Create a separate subsystem called nrf_ironside instead
of having the logic in nrf_security. Ironside is completely
separate from nrf_security and it should not be placed there.

Make sure that nrf_security cannot be enabled at the same time
as nrf_ironside as their configurations might collide.

Signed-off-by: Georgios Vasilakis <[email protected]>

Author: Vge0rge

CODEOWNERS

@@ -824,6 +824,7 @@
 /subsys/nrf_profiler/                     @nrfconnect/ncs-si-bluebagel
 /subsys/nrf_rpc/                          @nrfconnect/ncs-si-muffin @nrfconnect/ncs-protocols-serialization
 /subsys/nrf_security/                     @nrfconnect/ncs-aegir
+/subsys/nrf_ironside/                     @nrfconnect/ncs-aurora
 /subsys/partition_manager/                @nordicjm @tejlmand
 /subsys/pcd/                              @nrfconnect/ncs-pluto
 /subsys/secure_storage/                   @nrfconnect/ncs-aegir

subsys/CMakeLists.txt

@@ -12,6 +12,7 @@ add_subdirectory_ifdef(CONFIG_SECURE_BOOT_VALIDATION bootloader/bl_validation)
 add_subdirectory_ifdef(CONFIG_SECURE_BOOT_STORAGE bootloader/bl_storage)
 
 add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security)
+add_subdirectory_ifdef(CONFIG_NRF_IRONSIDE nrf_ironside)
 add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage)
 add_subdirectory_ifdef(CONFIG_SECURE_STORAGE secure_storage)
 

subsys/Kconfig

@@ -41,4 +41,5 @@ rsource "dult/Kconfig"
 rsource "nrf_compress/Kconfig"
 rsource "mcuboot_ids/Kconfig"
 rsource "settings/Kconfig"
+rsource "nrf_ironside/Kconfig"
 endmenu

subsys/nrf_security/src/ssf_secdom/CMakeLists.txt renamed to subsys/nrf_ironside/CMakeLists.txt

@@ -4,6 +4,8 @@
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
 
+if(CONFIG_PSA_SSF_CRYPTO_CLIENT)
+
 zephyr_library()
 zephyr_library_sources(
   # ironside_psa_ns_api.c provides psa_call, which sends a message over IPC.
@@ -18,6 +20,9 @@ zephyr_library_sources(
 zephyr_library_include_directories(
   ${NRF_DIR}/include/tfm
   ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include
+  # Oberon PSA headers
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
   .
   )
 
@@ -26,3 +31,19 @@ if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS)
     ${CMAKE_CURRENT_LIST_DIR}/bounce_buffers.c
     )
 endif()
+
+zephyr_include_directories(
+  # Oberon PSA headers
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+  # Mbed TLS (mbedcrypto) PSA headers
+  ${ZEPHYR_MBEDTLS_MODULE_DIR}/library
+  ${ZEPHYR_MBEDTLS_MODULE_DIR}/include
+  ${ZEPHYR_MBEDTLS_MODULE_DIR}/include/library
+  .
+)
+
+zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ironside_config.h")
+zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ironside_config.h")
+
+endif()

subsys/nrf_security/src/ssf_secdom/Kconfig renamed to subsys/nrf_ironside/Kconfig

@@ -10,6 +10,7 @@ config PSA_SSF_CRYPTO_CLIENT
 	default y
 	depends on SOC_NRF54H20 || SOC_SERIES_NRF92X
 	select NRF_IRONSIDE_CALL
+	select PSA_CRYPTO_CLIENT
 
 if PSA_SSF_CRYPTO_CLIENT
 

subsys/nrf_security/src/ssf_secdom/bounce_buffers.c renamed to subsys/nrf_ironside/bounce_buffers.c

@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#define MBEDTLS_PSA_CRYPTO_CLIENT

subsys/nrf_security/src/ssf_secdom/bounce_buffers.h renamed to subsys/nrf_ironside/bounce_buffers.h

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_CONFIG_H
+#define PSA_CRYPTO_DRIVER_CONFIG_H
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE)
+#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+#else
+#include "psa/crypto_config.h"
+#endif
+
+#endif /* PSA_CRYPTO_DRIVER_CONFIG_H */