doc: tfm: disabling ITS

greg-fer · rlubos · commit d5f1e22ef657 · 2025-09-25T14:51:13.000+02:00
Removed dependency on ITS for CONFIG_TFM_PARTITION_CRYPTO.
Updated documentation where required to mention KMU as an alternative.
NCSDK-35016.

Signed-off-by: Grzegorz Ferenc &lt;Grzegorz.Ferenc@nordicsemi.no&gt;
diff --git a/doc/nrf/app_dev/device_guides/nrf54l/kmu_basics.rst b/doc/nrf/app_dev/device_guides/nrf54l/kmu_basics.rst
@@ -16,6 +16,10 @@ This feature is crucial not only for private keys but also for public keys, as t
 Even when keys must pass through addressable RAM, the KMU significantly reduces the risk of key exposure.
 Therefore, you should use KMU for managing secrets whenever possible.
 
+When using an nRF54L device with Trusted Firmware-M, you can use the KMU to store keys instead of using the :ref:`ug_tfm_services_its`.
+For this to work, you need to enable the :ref:`tfm_partition_crypto` service, which enables the :ref:`ug_tfm_services_its` service by default.
+You can then manually disable the ITS service and start using KMU instead.
+
 Key Types
 *********
 
diff --git a/doc/nrf/security/key_storage.rst b/doc/nrf/security/key_storage.rst
@@ -53,7 +53,7 @@ Key generation and import
 Keys can have one of the following lifetimes:
 
 * Volatile - Stored in RAM, lost on reset.
-* Persistent - Stored in PSA Internal Trusted Storage, retained during reboots.
+* Persistent - Stored in PSA Internal Trusted Storage or Key Management Unit, retained during reboots.
 
 The PSA Crypto API supports two methods for using keys:
 
@@ -129,7 +129,7 @@ For an example of how to derive keys from HUKs, see the :ref:`Hardware unique ke
 Key Management Unit (KMU)
 =========================
 
-The Key Management Unit (KMU) is a hardware peripheral for secure key storage available on select nRF devices.
+The Key Management Unit (KMU) is a hardware peripheral for secure key storage available on select Nordic Semiconductor devices.
 It provides hardware-level protection for cryptographic keys.
 
 This option offers the following features:
diff --git a/doc/nrf/security/tfm/tfm_building.rst b/doc/nrf/security/tfm/tfm_building.rst
@@ -114,23 +114,23 @@ Following are the available Kconfig options for TF-M partitions:
      - Default value
      - Dependencies
    * - :kconfig:option:`CONFIG_TFM_PARTITION_PLATFORM`
-     - Provides platform services.
+     - Provides :ref:`ug_tfm_services_platform`.
      - Enabled
      -
    * - :kconfig:option:`CONFIG_TFM_PARTITION_CRYPTO`
-     - Provides cryptographic services.
+     - Provides :ref:`tfm_partition_crypto`.
      - Enabled
-     - INTERNAL_TRUSTED_STORAGE
+     -
    * - :kconfig:option:`CONFIG_TFM_PARTITION_PROTECTED_STORAGE`
-     - Provides secure storage services.
+     - Provides :ref:`tfm_partition_ps`.
      - Enabled
      - PLATFORM, CRYPTO
    * - :kconfig:option:`CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE`
-     - Provides internal trusted storage services.
+     - Provides :ref:`ug_tfm_services_its`.
      - Enabled
      -
    * - :kconfig:option:`CONFIG_TFM_PARTITION_INITIAL_ATTESTATION`
-     - Provides initial attestation services.
+     - Provides :ref:`ug_tfm_services_initial_attestation`.
      - Disabled
      - CRYPTO
 
diff --git a/doc/nrf/security/tfm/tfm_services.rst b/doc/nrf/security/tfm/tfm_services.rst
@@ -50,6 +50,9 @@ ITS is meant to be used by other TF-M partitions.
 It must not be accessed directly by a user application :ref:`placed in the Non-Secure Processing Environment <app_boards_spe_nspe_cpuapp_ns>`.
 If you want the user application to access the contents of the partition, use the :ref:`tfm_partition_ps`.
 
+This service is enabled as the default storage mechanism when you enable the :ref:`tfm_partition_crypto` service.
+If you are using a device with the :ref:`key_storage_kmu`, you can disable the :ref:`ug_tfm_services_its` and start using KMU instead to save memory.
+
 For more information about the general features of the TF-M ITS service, see `TF-M ITS`_.
 
 .. _tfm_encrypted_its:
@@ -140,6 +143,9 @@ These will enable the required ``CONFIG_TFM_CRYPTO_*`` Kconfig options.
 
 TF-M uses :ref:`hardware unique keys <lib_hw_unique_key>` when the PSA Crypto key derivation APIs are used, and ``psa_key_derivation_setup`` is called with the algorithm ``TFM_CRYPTO_ALG_HUK_DERIVATION``.
 
+When enabled, the Crypto service by default uses the :ref:`ug_tfm_services_its` to store the keys and other sensitive data.
+If you are using a device with the :ref:`key_storage_kmu`, you can disable the :ref:`ug_tfm_services_its` and start using KMU instead to save memory.
+
 For more information about the general features of the Crypto partition, see `TF-M Crypto`_.
 
 .. _tfm_partition_ps:
