nrf_security: IRONside call for PSA Crypto

Continuation of 1b2abb0. Swap out the
IPC service integration for an IRONside call, with minimal refactoring.

Signed-off-by: Grzegorz Swiderski <[email protected]>

Author: 57300

include/tfm/ironside/se/ipc_service.h

@@ -17,11 +17,18 @@ enum {
 	IRONSIDE_SE_IPC_INDEX_IN_LEN,
 	IRONSIDE_SE_IPC_INDEX_OUT_VEC,
 	IRONSIDE_SE_IPC_INDEX_OUT_LEN,
-	IRONSIDE_SE_IPC_INDEX_STATUS_PTR,
+	IRONSIDE_SE_IPC_INDEX_STATUS,
 	/* The last enum value is reserved for the size of the IPC buffer */
 	IRONSIDE_SE_IPC_DATA_LEN
 };
 
+/* IRONside call identifiers with implicit versions.
+ *
+ * With the initial "version 0", the service ABI is allowed to break until the
+ * first public release of IRONside SE.
+ */
+#define IRONSIDE_CALL_ID_PSA_CRYPTO_V0 0
+
 /* We are adding the source files for the TF-M crypto partition to the build.
  *
  * The crypto partition will include the file psa_manifest/sid.h and

samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf

@@ -9,7 +9,6 @@ CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
 
 # Enable PSA crypto from SSF client
 CONFIG_PSA_SSF_CRYPTO_CLIENT=y
-CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
 
 # Mbedtls configuration
 CONFIG_MBEDTLS_ENABLE_HEAP=y

subsys/nrf_security/Kconfig

@@ -55,13 +55,6 @@ rsource "Kconfig.psa.nordic"
 config PSA_PROMPTLESS
 	bool
 
-config SSF_V_2
-	bool
-	default y if BOARD_NRF54H20DK_NRF54H20_CPUAPP_IRON
-	prompt "temporary option until iron and SSFv2 is available"
-	select MBOX
-	select IPC_SERVICE
-
 if NRF_SECURITY
 
 config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS

subsys/nrf_security/src/ssf_secdom/CMakeLists.txt

@@ -4,15 +4,13 @@
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
 
-if(CONFIG_SSF_V_2)
+if(CONFIG_NRF_IRONSIDE_CALL)
   zephyr_library()
   zephyr_library_sources(
     # ironside_psa_ns_api.c provides psa_call. psa_call is invoked by
     # serialized functions from tfm_crypto_api.c and sends a message
     # over IPC.
     ${CMAKE_CURRENT_LIST_DIR}/ironside_se_psa_ns_api.c
-    # ironside_se_psa_ns_ipc.c provides an IPC service to ironside_se_psa_ns_api.c
-    ${CMAKE_CURRENT_LIST_DIR}/ironside_se_psa_ns_ipc.c
     # tfm_crypto_api.c provides and serializes the PSA Crypto API.
     ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/src/tfm_crypto_api.c
     )

subsys/nrf_security/src/ssf_secdom/Kconfig

@@ -8,7 +8,8 @@ config PSA_SSF_CRYPTO_CLIENT
 	bool
 	prompt "PSA crypto provided through SSF"
 	default y
-	depends on (SSF_CLIENT || SSF_V_2) && SSF_PSA_CRYPTO_SERVICE_ENABLED
+	depends on (SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED) || SOC_NRF54H20_IRON
+	select NRF_IRONSIDE_CALL if !SSF_CLIENT
 
 if PSA_SSF_CRYPTO_CLIENT
 

subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c

@@ -9,13 +9,13 @@
 
 #include <zephyr/kernel.h>
 #include <zephyr/cache.h>
+#include <zephyr/drivers/firmware/nrf_ironside/call.h>
 
 #include <psa/client.h>
 #include <psa/error.h>
 
 #include <tfm/ironside/se/ipc_service.h>
 
-#include "ironside_se_psa_ns_ipc.h"
 #include "bounce_buffers.h"
 
 /* The correctness of the serialization depends on these asserts */
@@ -33,38 +33,26 @@ static psa_status_t psa_call_buffered_and_flushed(psa_handle_t handle, int32_t t
 	/* We have no need for this at this time */
 	ARG_UNUSED(type);
 
-	psa_status_t ipc_status = ironside_se_psa_ns_ipc_setup();
+	struct ironside_call_buf *const buf = ironside_call_alloc();
 
-	if (ipc_status != PSA_SUCCESS) {
-		return ipc_status;
-	}
-
-	/* volatile and flushed because the cpusec core will usually
-	 * modify this variable
-	 */
-	psa_status_t volatile status = PSA_ERROR_COMMUNICATION_FAILURE;
-
-	sys_cache_data_flush_range((void *)&status, sizeof(status));
+	buf->id = IRONSIDE_CALL_ID_PSA_CRYPTO_V0;
 
-	uint32_t ipc_service_buf[IRONSIDE_SE_IPC_DATA_LEN];
-
-	ipc_service_buf[IRONSIDE_SE_IPC_INDEX_HANDLE] =
+	buf->args[IRONSIDE_SE_IPC_INDEX_HANDLE] =
 		handle; /* i.e. TFM_CRYPTO_HANDLE defined to 0x40000100U */
-	ipc_service_buf[IRONSIDE_SE_IPC_INDEX_IN_VEC] = (uint32_t)in_vec;
-	ipc_service_buf[IRONSIDE_SE_IPC_INDEX_IN_LEN] = in_len;
-	ipc_service_buf[IRONSIDE_SE_IPC_INDEX_OUT_VEC] = (uint32_t)out_vec;
-	ipc_service_buf[IRONSIDE_SE_IPC_INDEX_OUT_LEN] = out_len;
-	ipc_service_buf[IRONSIDE_SE_IPC_INDEX_STATUS_PTR] = (uint32_t)&status;
+	buf->args[IRONSIDE_SE_IPC_INDEX_IN_VEC] = (uint32_t)in_vec;
+	buf->args[IRONSIDE_SE_IPC_INDEX_IN_LEN] = in_len;
+	buf->args[IRONSIDE_SE_IPC_INDEX_OUT_VEC] = (uint32_t)out_vec;
+	buf->args[IRONSIDE_SE_IPC_INDEX_OUT_LEN] = out_len;
+
+	ironside_call_dispatch(buf);
 
-	int32_t ret = ironside_se_psa_ns_ipc_send(ipc_service_buf, sizeof(ipc_service_buf));
+	psa_status_t status = PSA_ERROR_COMMUNICATION_FAILURE;
 
-	if (ret != sizeof(ipc_service_buf)) {
-		return PSA_ERROR_COMMUNICATION_FAILURE;
+	if (buf->status == IRONSIDE_CALL_STATUS_RSP_SUCCESS) {
+		status = buf->args[IRONSIDE_SE_IPC_INDEX_STATUS];
 	}
 
-	do {
-		sys_cache_data_flush_and_invd_range((void *)&status, sizeof(status));
-	} while (status == PSA_ERROR_COMMUNICATION_FAILURE);
+	ironside_call_release(buf);
 
 	return status;
 }

subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c

@@ -8,8 +8,9 @@ rsource "services/Kconfig"
 
 config SSF_CLIENT
 	bool
-	default (! SSF_V_2) && ($(dt_nodelabel_enabled_with_compat,cpusec_cpuapp_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)) \
-	      || $(dt_nodelabel_enabled_with_compat,cpusec_cpurad_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)))
+	def_bool $(dt_nodelabel_enabled_with_compat,cpusec_cpuapp_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)) \
+	      || $(dt_nodelabel_enabled_with_compat,cpusec_cpurad_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG))
+	depends on !SOC_NRF54H20_IRON
 
 config SDFW_SERVICES_ENABLED
 	bool

subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h

@@ -22,7 +22,7 @@
 menuconfig SSF_$(service_name)_SERVICE_ENABLED
 	bool "$(service_name_str) service"
 	default y if $(service_default_enabled)
-	depends on SDFW_SERVICES_ENABLED || SSF_V_2
+	depends on SDFW_SERVICES_ENABLED
 
 if SSF_$(service_name)_SERVICE_ENABLED