modules: trusted-firmware-m: Add support for TFM_CRYPTO without ITS

degjorva · rlubos · commit b13bdf0461e8 · 2025-09-12T10:23:19.000+02:00
Remove dependencies between TFM_CRYPTO and ITS.
This allows TFM_PARTITION_INTERNAL_TRUSTED_STORAGE to be off
even while building with TF-m and crypto.

Signed-off-by: Dag Erik Gjørvad &lt;dag.erik.gjorvad@nordicsemi.no&gt;
diff --git a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst
@@ -126,8 +126,14 @@ Developing with coprocessors
 Security
 ========
 
-* Added CRACEN and nrf_oberon driver support for nRF54LM20.
-  For the list of supported features and limitations, see the :ref:`ug_crypto_supported_features` page.
+* Added:
+
+  * CRACEN and nrf_oberon driver support for nRF54LM20.
+    For the list of supported features and limitations, see the :ref:`ug_crypto_supported_features` page.
+
+  * Support for disabling Internal Trusted Storage (ITS) on nRF54L series devices when using
+    :kconfig:option:`CONFIG_TFM_PARTITION_CRYPTO` with Trusted Firmware-M (TF-M) through the
+    :kconfig:option:`CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE` Kconfig option.
 
 Protocols
 =========
diff --git a/modules/trusted-firmware-m/Kconfig.tfm.defconfig b/modules/trusted-firmware-m/Kconfig.tfm.defconfig
@@ -85,6 +85,11 @@ config TFM_PARTITION_PROTECTED_STORAGE
 	select PSA_WANT_ALG_GCM if SOC_NRF5340_CPUAPP
 	select PSA_WANT_ALG_GCM if SOC_SERIES_NRF54LX
 
+# Override TF-M crypto dependency on ITS when using KMU
+config TFM_PARTITION_CRYPTO
+	bool
+	depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE || CRACEN_LIB_KMU
+
 config TFM_ITS_ENCRYPTED
 	bool
 	select PSA_WANT_ALG_CHACHA20_POLY1305 if SOC_SERIES_NRF54LX
diff --git a/subsys/nrf_security/Kconfig.psa b/subsys/nrf_security/Kconfig.psa
@@ -49,7 +49,7 @@ config MBEDTLS_PSA_CRYPTO_SPM
 	  scope of TF-M build (Prefixes with mbedcrypto__)
 
 config MBEDTLS_PSA_CRYPTO_STORAGE_C
-	bool "PSA storage for persistent keys" if !BUILD_WITH_TFM
+	bool "PSA storage for persistent keys"
 	default y if BUILD_WITH_TFM
 	help
 	  Corresponds to MBEDTLS_PSA_CRYPTO_STORAGE_C setting in mbed TLS config file.
diff --git a/west.yml b/west.yml
@@ -149,7 +149,7 @@ manifest:
     - name: trusted-firmware-m
       repo-path: sdk-trusted-firmware-m
       path: modules/tee/tf-m/trusted-firmware-m
-      revision: 97e79ea61a6572ed56cdd33396ad7546ef9dfb5d
+      revision: 3f45b4e8628eb699d5f6f69e89736aabb24add1a
     - name: psa-arch-tests
       repo-path: sdk-psa-arch-tests
       path: modules/tee/tf-m/psa-arch-tests
