nrf_ironside: Move Ironside outside of nrf_security

Vge0rge · Vge0rge · commit daa9b94a0167 · 2025-10-07T16:24:31.000+02:00
Create a separate subsystem called nrf_ironside instead
of having the logic in nrf_security. Ironside is completely
separate from nrf_security and it should not be placed there.

Make sure that nrf_security cannot be enabled at the same time
as nrf_ironside as their configurations might collide.

Signed-off-by: Georgios Vasilakis &lt;georgios.vasilakis@nordicsemi.no&gt;
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -824,6 +824,7 @@
 /subsys/nrf_profiler/                     @nrfconnect/ncs-si-bluebagel
 /subsys/nrf_rpc/                          @nrfconnect/ncs-si-muffin @nrfconnect/ncs-protocols-serialization
 /subsys/nrf_security/                     @nrfconnect/ncs-aegir
+/subsys/nrf_ironside/                     @nrfconnect/ncs-aurora
 /subsys/partition_manager/                @nordicjm @tejlmand
 /subsys/pcd/                              @nrfconnect/ncs-pluto
 /subsys/secure_storage/                   @nrfconnect/ncs-aegir
diff --git a/subsys/CMakeLists.txt b/subsys/CMakeLists.txt
@@ -12,6 +12,7 @@ add_subdirectory_ifdef(CONFIG_SECURE_BOOT_VALIDATION bootloader/bl_validation)
 add_subdirectory_ifdef(CONFIG_SECURE_BOOT_STORAGE bootloader/bl_storage)
 
 add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security)
+add_subdirectory_ifdef(CONFIG_NRF_IRONSIDE nrf_ironside)
 add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage)
 add_subdirectory_ifdef(CONFIG_SECURE_STORAGE secure_storage)
 
diff --git a/subsys/Kconfig b/subsys/Kconfig
@@ -41,4 +41,5 @@ rsource "dult/Kconfig"
 rsource "nrf_compress/Kconfig"
 rsource "mcuboot_ids/Kconfig"
 rsource "settings/Kconfig"
+rsource "nrf_ironside/Kconfig"
 endmenu
diff --git a/subsys/nrf_ironside/CMakeLists.txt b/subsys/nrf_ironside/CMakeLists.txt
@@ -4,6 +4,8 @@
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
 
+if(CONFIG_PSA_SSF_CRYPTO_CLIENT)
+
 zephyr_library()
 zephyr_library_sources(
   # ironside_psa_ns_api.c provides psa_call, which sends a message over IPC.
@@ -16,13 +18,30 @@ zephyr_library_sources(
   )
 
 zephyr_library_include_directories(
+  .
   ${NRF_DIR}/include/tfm
   ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include
-  .
+  # Oberon PSA headers
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
   )
 
 if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS)
   zephyr_library_sources(
     ${CMAKE_CURRENT_LIST_DIR}/bounce_buffers.c
     )
 endif()
+
+zephyr_include_directories(
+  .
+  ${NRF_DIR}/include/tfm
+  ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include
+  # Oberon PSA headers
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+)
+
+zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ironside_config.h")
+zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ironside_config.h")
+
+endif()
diff --git a/subsys/nrf_ironside/Kconfig b/subsys/nrf_ironside/Kconfig
@@ -8,11 +8,17 @@ config PSA_SSF_CRYPTO_CLIENT
 	bool
 	prompt "PSA crypto provided through SSF"
 	default y
-	depends on SOC_NRF54H20 || SOC_SERIES_NRF92X
+	depends on SOC_NRF54H20_CPUAPP || SOC_NRF54H20_CPURAD || SOC_SERIES_NRF92X
 	select NRF_IRONSIDE_CALL
+	select PSA_CRYPTO_CLIENT
+	select PSA_CRYPTO
 
 if PSA_SSF_CRYPTO_CLIENT
 
+choice PSA_CRYPTO_PROVIDER 
+    default PSA_CRYPTO_PROVIDER_CUSTOM
+endchoice
+
 config PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS
 	bool "Support PSA crypto with output buffers that are not cache-safe"
 	default y
diff --git a/subsys/nrf_ironside/bounce_buffers.c b/subsys/nrf_ironside/bounce_buffers.c
diff --git a/subsys/nrf_ironside/bounce_buffers.h b/subsys/nrf_ironside/bounce_buffers.h
diff --git a/subsys/nrf_ironside/ironside_config.h b/subsys/nrf_ironside/ironside_config.h
@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#define MBEDTLS_PSA_CRYPTO_CLIENT
diff --git a/subsys/nrf_ironside/ironside_se_psa_ns_api.c b/subsys/nrf_ironside/ironside_se_psa_ns_api.c
diff --git a/subsys/nrf_ironside/psa/crypto_driver_config.h b/subsys/nrf_ironside/psa/crypto_driver_config.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_CONFIG_H
+#define PSA_CRYPTO_DRIVER_CONFIG_H
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE)
+#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+#else
+#include "psa/crypto_config.h"
+#endif
+
+#endif /* PSA_CRYPTO_DRIVER_CONFIG_H */
diff --git a/subsys/nrf_ironside/psa_manifest/sid.h b/subsys/nrf_ironside/psa_manifest/sid.h
diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig
@@ -33,6 +33,7 @@ config NRF_SECURITY
 	bool
 	prompt "nRF Security" if !PSA_PROMPTLESS
 	depends on SOC_FAMILY_NORDIC_NRF
+	depends on !NRF_IRONSIDE_CALL
 	default y if BUILD_WITH_TFM
 	# entropy is provided by PSA and NRF_SECURITY on NRF54LX and NRF71X
 	default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF54LX && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES
diff --git a/subsys/nrf_security/Kconfig.psa b/subsys/nrf_security/Kconfig.psa
@@ -21,7 +21,6 @@ osource "modules/mbedtls/Kconfig.psa"
 
 rsource "src/core/Kconfig"
 
-rsource "src/ssf_secdom/Kconfig"
 
 comment "PSA Driver Support"
 
diff --git a/subsys/nrf_security/src/CMakeLists.txt b/subsys/nrf_security/src/CMakeLists.txt
@@ -104,10 +104,6 @@ target_link_libraries(${mbedcrypto_target}
     psa_interface
 )
 
-if(CONFIG_PSA_SSF_CRYPTO_CLIENT)
-  add_subdirectory(ssf_secdom)
-endif()
-
 nrf_security_add_zephyr_options(${mbedcrypto_target})
 
 # Base mbed TLS files (not in drivers or builtin's)
