nrf_security: cracen_trng: add support for nRF54LS05B

nRF54LS05B uses a version of CRACEN that only supports TRNG
and no other cryptographic functionality.
As such it will only use OBERON as the crypto driver.
Add support for seeding the OBERON CTR-DRBG from the
CRACEN trng.
Update configs to add support for nRF54LS05B

Signed-off-by: Dag Erik Gjørvad <[email protected]>

Author: degjorva

dts/arm/nordic/nrf54ls05b_enga_cpuapp.dtsi

@@ -12,7 +12,7 @@ nvic: &cpuapp_nvic {};
 
 / {
 	chosen {
-		zephyr,entropy = &rng;
+		zephyr,entropy = &psa_rng;
 	};
 
 	soc {
@@ -23,7 +23,7 @@ nvic: &cpuapp_nvic {};
 
 	psa_rng: psa-rng {
 		compatible = "zephyr,psa-crypto-rng";
-		status = "disabled";
+		status = "okay";
 	};
 
 	prng: prng {
@@ -33,7 +33,7 @@ nvic: &cpuapp_nvic {};
 
 	rng: rng {
 		compatible = "nordic,nrf-cracen-ctrdrbg";
-		status = "okay";
+		status = "disabled";
 	};
 };
 

subsys/nrf_security/cmake/psa_crypto_config.cmake

@@ -494,6 +494,7 @@ kconfig_check_and_set_base_to_one(PSA_NEED_OBERON_XMSS_VERIFY)
 
 # Convert NRF_RNG driver configuration
 kconfig_check_and_set_base_to_one(PSA_NEED_NRF_RNG_ENTROPY_DRIVER)
+kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_TRNG_DRIVER)
 
 # Nordic specific
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_PRNG_TEST)

subsys/nrf_security/configs/psa_crypto_config.h.template

@@ -252,6 +252,7 @@
 #cmakedefine PSA_NEED_OBERON_XMSS_VERIFY                                            @PSA_NEED_OBERON_XMSS_VERIFY@
 
 #cmakedefine PSA_NEED_NRF_RNG_ENTROPY_DRIVER                    @PSA_NEED_NRF_RNG_ENTROPY_DRIVER@
+#cmakedefine PSA_NEED_CRACEN_TRNG_DRIVER                        @PSA_NEED_CRACEN_TRNG_DRIVER@
 
 /*
  * CRACEN driver configuration

subsys/nrf_security/src/drivers/CMakeLists.txt

@@ -10,7 +10,7 @@ if(TARGET nrf_cc3xx_platform)
   add_subdirectory(nrf_cc3xx_platform)
 endif()
 
-# Only build the PSA crypto drivers when Oberon 
+# Only build the PSA crypto drivers when Oberon
 if(CONFIG_MBEDTLS_PSA_CRYPTO_C)
   if(CONFIG_PSA_CRYPTO_DRIVER_CC3XX)
     add_subdirectory(nrf_cc3xx)

subsys/nrf_security/src/drivers/cracen/Kconfig

@@ -5,7 +5,7 @@
 #
 
 config CRACEN_HW_PRESENT
-	def_bool SOC_SERIES_NRF54LX || SOC_SERIES_NRF92X || SOC_SERIES_NRF71X
+	def_bool (SOC_SERIES_NRF54LX && !SOC_NRF54LS05B) || SOC_SERIES_NRF92X || SOC_SERIES_NRF71X
 
 config CRACEN_HW_VERSION_BASE
 	def_bool SOC_SERIES_NRF54HX || SOC_NRF54L15 || SOC_NRF54L10 || SOC_NRF54L05

subsys/nrf_security/src/drivers/nrf_oberon/CMakeLists.txt

@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
 
-# Build Oberon PSA crypto driver 
+# Build Oberon PSA crypto driver
 set(drivers_path ${OBERON_PSA_CORE_PATH}/oberon/drivers)
 
 target_include_directories(psa_crypto_library_config
@@ -74,6 +74,9 @@ target_link_libraries(oberon_psa_driver
     psa_interface
 )
 
+if(CONFIG_PSA_NEED_CRACEN_TRNG_DRIVER)
+  add_subdirectory(cracen_trng)
+endif()
 
 # Link to imported libraries for Oberon APIs.
 target_link_libraries(oberon_psa_driver

subsys/nrf_security/src/drivers/nrf_oberon/Kconfig

@@ -1737,3 +1737,6 @@ config PSA_NEED_OBERON_HMAC_DRBG_DRIVER
 
 endif # PSA_CRYPTO_DRIVER_OBERON
 endmenu
+
+# Include CRACEN TRNG driver config
+rsource "cracen_trng/Kconfig"

subsys/nrf_security/src/drivers/nrf_oberon/cracen_trng/CMakeLists.txt

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if (PSA_NEED_CRACEN_TRNG_DRIVER)
+  target_sources(psa_core
+    PRIVATE
+      cracen_trng.c
+  )
+  target_include_directories(psa_core
+    PRIVATE
+      ${CMAKE_CURRENT_LIST_DIR}/..
+  )
+endif()

subsys/nrf_security/src/drivers/nrf_oberon/cracen_trng/Kconfig

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+config PSA_NEED_CRACEN_TRNG_DRIVER
+	bool
+	depends on !PSA_CRYPTO_DRIVER_CRACEN
+	default y if SOC_NRF54LS05B
+	select PSA_ACCEL_GET_ENTROPY
+	select NRFX_CRACEN
+	help
+	  PSA crypto driver for CRACEN True Random Number Generator.
+	  This driver provides entropy functionality for nRF54LS05B devices
+	  using direct access to the CRACEN TRNG hardware via nrfx.

subsys/nrf_security/src/drivers/nrf_oberon/cracen_trng/cracen_trng.c

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <zephyr/kernel.h>
+#include <nrfx_cracen.h>
+
+#include "psa/crypto.h"
+
+/* This file exists to provide TRNG to seed the PRNG in OBERON on devices that only support TRNG */
+
+static psa_status_t cracen_trng_init(void)
+{
+	nrfx_err_t nrfx_error;
+
+	/* This is TRNG even though the naming states otherwise.
+	 * On devices that don't support hardware crypto it will default to trng
+	 */
+	nrfx_error = nrfx_cracen_ctr_drbg_init();
+	if (nrfx_error != NRFX_SUCCESS) {
+		return PSA_ERROR_HARDWARE_FAILURE;
+	}
+
+	return PSA_SUCCESS;
+}
+
+psa_status_t cracen_trng_get_entropy(uint32_t flags, size_t *estimate_bits,
+				      uint8_t *output, size_t output_size)
+{
+	uint16_t request_len = MIN(UINT16_MAX, output_size);
+	psa_status_t status;
+	nrfx_err_t nrfx_error;
+
+	/* Ignore flags as CRACEN TRNG doesn't support entropy generation flags */
+	(void)flags;
+
+	if (output == NULL || estimate_bits == NULL || output_size == 0) {
+		return PSA_ERROR_INVALID_ARGUMENT;
+	}
+
+	status = cracen_trng_init();
+	if (status != PSA_SUCCESS) {
+		return status;
+	}
+
+	/* This is TRNG even though the naming states otherwise.
+	 * On devices that don't support hardware crypto it will default to trng
+	 */
+	nrfx_error = nrfx_cracen_ctr_drbg_random_get(output, request_len);
+	if (nrfx_error != NRFX_SUCCESS) {
+		return PSA_ERROR_HARDWARE_FAILURE;
+	}
+
+	*estimate_bits = PSA_BYTES_TO_BITS(request_len);
+
+	return PSA_SUCCESS;
+}