diff --git a/include/tfm/ironside/se/ipc_service.h b/include/tfm/ironside/se/ipc_service.h
new file mode 100644
index 000000000000..a474bccef4c3
--- /dev/null
+++ b/include/tfm/ironside/se/ipc_service.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef __SDFW_PSA_IPC_SERVICE_H__
+#define __SDFW_PSA_IPC_SERVICE_H__
+
+/*
+ * This header contains symbols that are used by both the IRONside SE client
+ * and the IRONside SE service.
+ */
+enum {
+ IRONSIDE_SE_IPC_INDEX_HANDLE,
+ IRONSIDE_SE_IPC_INDEX_IN_VEC,
+ IRONSIDE_SE_IPC_INDEX_IN_LEN,
+ IRONSIDE_SE_IPC_INDEX_OUT_VEC,
+ IRONSIDE_SE_IPC_INDEX_OUT_LEN,
+ IRONSIDE_SE_IPC_INDEX_STATUS_PTR,
+ /* The last enum value is reserved for the size of the IPC buffer */
+ IRONSIDE_SE_IPC_DATA_LEN
+};
+
+/* We are adding the source files for the TF-M crypto partition to the build.
+ *
+ * The crypto partition will include the file psa_manifest/sid.h and
+ * expect the below three symbols to be there.
+ *
+ * In a TF-M build, the TF-M build system will generate
+ * psa_manifest/sid.h based on each partitions manifest.
+ *
+ * See https://trustedfirmware-m.readthedocs.io/
+ * en/latest/integration_guide/services/tfm_secure_partition_addition.html
+ *
+ * for an example of a partition manifest.
+ */
+#define TFM_CRYPTO_SID (0x00000080U)
+#define TFM_CRYPTO_VERSION (1U)
+#define TFM_CRYPTO_HANDLE (0x40000100U)
+
+#endif /* __SDFW_PSA_IPC_SERVICE_H__ */
diff --git a/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
new file mode 100644
index 000000000000..d172f58efb93
--- /dev/null
+++ b/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
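Review bot: The enum is the request layout that both client and service index, but the header does not say what each slot holds or how wide it is. In ironside_se_psa_ns_api.c the slots are `uint32_t` words, and the IN_VEC, OUT_VEC and STATUS_PTR entries carry raw addresses taken from the caller. A comment above the enum such as `/* Word indexes into the uint32_t IPC request; *_VEC and STATUS_PTR hold client addresses, *_LEN hold element counts */` would pin that contract down for whoever implements the receiving side. The include guard `__SDFW_PSA_IPC_SERVICE_H__` also uses a reserved double-underscore name and does not match the file's path; something like `IRONSIDE_SE_IPC_SERVICE_H_` avoids both.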
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
new file mode 100644
index 000000000000..1ca688cf9792
--- /dev/null
+++ b/samples/crypto/aes_gcm/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+ status = "okay";
+};
+
+&cpuapp_ram0x_region {
+ status = "okay";
+};
+
+&cpusec_bellboard {
+ status = "okay";
+};
+
+&cpuapp_bellboard {
+ status = "okay";
+};
diff --git a/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
new file mode 100644
index 000000000000..d172f58efb93
--- /dev/null
+++ b/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
new file mode 100644
index 000000000000..1ca688cf9792
--- /dev/null
+++ b/samples/crypto/ecdh/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+ status = "okay";
+};
+
+&cpuapp_ram0x_region {
+ status = "okay";
+};
+
+&cpusec_bellboard {
+ status = "okay";
+};
+
+&cpuapp_bellboard {
+ status = "okay";
+};
diff --git a/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
new file mode 100644
index 000000000000..d172f58efb93
--- /dev/null
+++ b/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
new file mode 100644
index 000000000000..1ca688cf9792
--- /dev/null
+++ b/samples/crypto/ecdsa/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+ status = "okay";
+};
+
+&cpuapp_ram0x_region {
+ status = "okay";
+};
+
+&cpusec_bellboard {
+ status = "okay";
+};
+
+&cpuapp_bellboard {
+ status = "okay";
+};
diff --git a/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
new file mode 100644
index 000000000000..d172f58efb93
--- /dev/null
+++ b/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
new file mode 100644
index 000000000000..1ca688cf9792
--- /dev/null
+++ b/samples/crypto/rng/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+&cpusec_cpuapp_ipc {
+ status = "okay";
+};
+
+&cpuapp_ram0x_region {
+ status = "okay";
+};
+
+&cpusec_bellboard {
+ status = "okay";
+};
+
+&cpuapp_bellboard {
+ status = "okay";
+};
diff --git a/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
new file mode 100644
index 000000000000..d172f58efb93
--- /dev/null
+++ b/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Mbedtls configuration
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
diff --git a/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay b/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
new file mode 100644
index 000000000000..1ca688cf9792
--- /dev/null
+++ b/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.overlay
@@ -0,0 +1,21 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +&cpusec_cpuapp_ipc { + status = "okay"; +}; + +&cpuapp_ram0x_region { + status = "okay"; +}; + +&cpusec_bellboard { + status = "okay"; +}; + +&cpuapp_bellboard { + status = "okay"; +}; diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig index db616e07b690..2da3f5647fb0 100644 --- a/subsys/nrf_security/Kconfig +++ b/subsys/nrf_security/Kconfig @@ -55,6 +55,13 @@ rsource "Kconfig.psa.nordic" config PSA_PROMPTLESS bool +config SSF_V_2 + bool + default y if BOARD_NRF54H20DK_NRF54H20_CPUAPP_IRON + prompt "temporary option until iron and SSFv2 is available" + select MBOX + select IPC_SERVICE + if NRF_SECURITY config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS diff --git a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt b/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt index d13ee5b0c99c..32ad96703db8 100644 --- a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt +++ b/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt 
@@ -4,8 +4,33 @@ # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause # +if(CONFIG_SSF_V_2) + zephyr_library() + zephyr_library_sources( + # ironside_psa_ns_api.c provides psa_call. psa_call is invoked by + # serialized functions from tfm_crypto_api.c and sends a message + # over IPC. + ${CMAKE_CURRENT_LIST_DIR}/ironside_se_psa_ns_api.c + # ironside_se_psa_ns_ipc.c provides an IPC service to ironside_se_psa_ns_api.c + ${CMAKE_CURRENT_LIST_DIR}/ironside_se_psa_ns_ipc.c + # tfm_crypto_api.c provides and serializes the PSA Crypto API. + ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/src/tfm_crypto_api.c + ) + + zephyr_library_include_directories( + ${NRF_DIR}/include/tfm + . + ) + + if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS) + zephyr_library_sources( + ${CMAKE_CURRENT_LIST_DIR}/bounce_buffers.c + ) + endif() +else() target_sources(${mbedcrypto_target} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ssf_crypto.c ${CMAKE_CURRENT_LIST_DIR}/ssf_psa_core_compatibility.c ) +endif() diff --git a/subsys/nrf_security/src/ssf_secdom/Kconfig b/subsys/nrf_security/src/ssf_secdom/Kconfig index 6c707a909ff7..4355e884e114 100644 --- a/subsys/nrf_security/src/ssf_secdom/Kconfig +++ b/subsys/nrf_security/src/ssf_secdom/Kconfig 
@@ -8,4 +8,33 @@ config PSA_SSF_CRYPTO_CLIENT bool prompt "PSA crypto provided through SSF" default y - depends on SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED + depends on (SSF_CLIENT || SSF_V_2) && SSF_PSA_CRYPTO_SERVICE_ENABLED + +if PSA_SSF_CRYPTO_CLIENT + +config PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS + bool "Support PSA crypto with output buffers that are not cache-safe" + default y + depends on DCACHE + help + When this option is enabled, the PSA Crypto service will + allocate bounce buffers for all PSA output vectors that are not + aligned to the DCache DataUnit size. When this option is + disabled, the PSA Crypto service will never use bounce buffers, + and the user of PSA APIs must ensure that the structures are + cache-safe. The structures are cache-safe if there are no writes + locally to any of the DataUnits that contain the structure + getting written from the remote. + +if PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS + +config PSA_SSF_CRYPTO_CLIENT_OUT_HEAP_SIZE + int "Size of the heap used to buffer output from PSA function calls" + default 4096 + help + Size of the heap buffer used for out buffer. + Reducing the size may trigger PSA_ERROR_INSUFFICIENT_MEMORY in PSA calls. + +endif # PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS + +endif # PSA_SSF_CRYPTO_CLIENT diff --git a/subsys/nrf_security/src/ssf_secdom/bounce_buffers.c b/subsys/nrf_security/src/ssf_secdom/bounce_buffers.c new file mode 100644 index 000000000000..ab5e06ed7b30 --- /dev/null +++ b/subsys/nrf_security/src/ssf_secdom/bounce_buffers.c 
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include
+#include
+
+#include
+#include
+
+#include "bounce_buffers.h"
+
+/* k_heap_alloc allocated memory is aligned on a multiple of pointer sizes. The HW's DataUnit size
+ * must match this Zephyr behaviour.
+ */
+BUILD_ASSERT(CACHE_DATA_UNIT_SIZE == sizeof(uintptr_t));
+
+static K_HEAP_DEFINE(out_buffer_heap,
+ ROUND_UP(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_HEAP_SIZE, CACHE_DATA_UNIT_SIZE));
+
+void *bounce_buffers_prepare(void *original_buffer, size_t size)
+{
+ void *out_buffer = NULL;
+
+ if (((IS_ALIGNED(original_buffer, CACHE_DATA_UNIT_SIZE)) &&
+ (IS_ALIGNED(size, CACHE_DATA_UNIT_SIZE))) ||
+ (size == 0)) {
+ out_buffer = original_buffer;
+ } else {
+ out_buffer = k_heap_alloc(&out_buffer_heap, size, K_NO_WAIT);
+ if (out_buffer != NULL) {
+ memcpy(out_buffer, original_buffer, size);
+ }
+ }
+
+ return out_buffer;
+}
+
+void bounce_buffers_release(void *original_buffer, void *out_buffer, size_t size)
+{
+ if (out_buffer == NULL || out_buffer == original_buffer) {
+ return;
+ }
+
+ memcpy(original_buffer, out_buffer, size);
+ /* Clear buffer before returning it to not leak sensitive data */
+ memset(out_buffer, 0, size);
+ sys_cache_data_flush_range(out_buffer, size);
+ k_heap_free(&out_buffer_heap, out_buffer);
+}
diff --git a/subsys/nrf_security/src/ssf_secdom/bounce_buffers.h b/subsys/nrf_security/src/ssf_secdom/bounce_buffers.h
new file mode 100644
index 000000000000..1c4b57e8c48f
--- /dev/null
+++ b/subsys/nrf_security/src/ssf_secdom/bounce_buffers.h
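Review bot: The bounce allocation in `bounce_buffers_prepare` asks the heap for exactly `size` bytes, so when `size` is not a multiple of `CACHE_DATA_UNIT_SIZE` the last DataUnit of the bounce buffer is only partly owned by it. Whether the rest of that unit is free of local writes during the call then depends on the allocator's internal chunk rounding, which the `BUILD_ASSERT` on start alignment does not cover. Requesting `k_heap_alloc(&out_buffer_heap, ROUND_UP(size, CACHE_DATA_UNIT_SIZE), K_NO_WAIT)` makes the whole tail unit belong to the buffer explicitly. `bounce_buffers_release` could then use the same rounded length for its `memset` and `sys_cache_data_flush_range`, so the scrub covers complete units rather than stopping mid-unit.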
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef __BOUNCE_BUFFERS_H__
+#define __BOUNCE_BUFFERS_H__
+
+#include
+
+#define CACHE_DATA_UNIT_SIZE (DCACHEDATA_DATAWIDTH * 4)
+
+#ifdef CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS
+
+/**
+ * @brief Prepare an out buffer in case the original buffer is not aligned
+ *
+ * If the original buffer is not aligned, a new buffer is allocated and the data is copied to it.
+ * This is needed to achieve DCache DataUnit alignment.
+ *
+ * @param original_buffer Original buffer
+ * @param size Size of the buffer
+ * @return void* NULL if the buffer could not be allocated, original_buffer if it was aligned, else
+ * a new buffer from the heap
+ *
+ */
+void *bounce_buffers_prepare(void *original_buffer, size_t size);
+
+/**
+ * @brief Release an out buffer if it was allocated
+ *
+ * If the out buffer was allocated, the data is copied back to the original buffer and the out
+ * buffer is first zeroed and then freed.
+ *
+ * @param original_buffer The original buffer
+ * @param out_buffer The buffer to release
+ * @param size Size of the buffer
+ */
+void bounce_buffers_release(void *original_buffer, void *out_buffer, size_t size);
+
+#else /* CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS */
+
+NRF_STATIC_INLINE
+void *bounce_buffers_prepare(void *original_buffer, size_t size)
+{
+ ARG_UNUSED(size);
+
+ return original_buffer;
+}
+
+NRF_STATIC_INLINE
+void bounce_buffers_release(void *original_buffer, void *out_buffer, size_t size)
+{
+ ARG_UNUSED(original_buffer);
+ ARG_UNUSED(out_buffer);
+ ARG_UNUSED(size);
+}
+
+#endif /* CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS */
+
+#endif /* __BOUNCE_BUFFERS_H__ */
diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c
new file mode 100644
index 000000000000..55a6b2d33992
--- /dev/null
+++ b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c 
@@ -0,0 +1,143 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#include +#include + +#include +#include + +#include +#include + +#include + +#include "ironside_se_psa_ns_ipc.h" +#include "bounce_buffers.h" + +/* The correctness of the serialization depends on these asserts */ +BUILD_ASSERT(4 == sizeof(psa_handle_t)); +BUILD_ASSERT(4 == sizeof(int32_t)); +BUILD_ASSERT(4 == sizeof(const psa_invec *)); +BUILD_ASSERT(4 == sizeof(size_t)); +BUILD_ASSERT(4 == sizeof(psa_outvec *)); +BUILD_ASSERT(4 == sizeof(psa_status_t *)); + +static psa_status_t psa_call_buffered_and_flushed(psa_handle_t handle, int32_t type, + const psa_invec *in_vec, size_t in_len, + psa_outvec *out_vec, size_t out_len) +{ + /* We have no need for this at this time */ + ARG_UNUSED(type); + + psa_status_t ipc_status = ironside_se_psa_ns_ipc_setup(); + + if (ipc_status != PSA_SUCCESS) { + return ipc_status; + } + + /* volatile and flushed because the cpusec core will usually + * modify this variable + */ + psa_status_t volatile status = PSA_ERROR_COMMUNICATION_FAILURE; + + sys_cache_data_flush_range((void *)&status, sizeof(status)); + + uint32_t ipc_service_buf[IRONSIDE_SE_IPC_DATA_LEN]; + + ipc_service_buf[IRONSIDE_SE_IPC_INDEX_HANDLE] = + handle; /* i.e. 
TFM_CRYPTO_HANDLE defined to 0x40000100U */ + ipc_service_buf[IRONSIDE_SE_IPC_INDEX_IN_VEC] = (uint32_t)in_vec; + ipc_service_buf[IRONSIDE_SE_IPC_INDEX_IN_LEN] = in_len; + ipc_service_buf[IRONSIDE_SE_IPC_INDEX_OUT_VEC] = (uint32_t)out_vec; + ipc_service_buf[IRONSIDE_SE_IPC_INDEX_OUT_LEN] = out_len; + ipc_service_buf[IRONSIDE_SE_IPC_INDEX_STATUS_PTR] = (uint32_t)&status; + + int32_t ret = ironside_se_psa_ns_ipc_send(ipc_service_buf, sizeof(ipc_service_buf)); + + if (ret != sizeof(ipc_service_buf)) { + return PSA_ERROR_COMMUNICATION_FAILURE; + } + + do { + sys_cache_data_flush_and_invd_range((void *)&status, sizeof(status)); + } while (status == PSA_ERROR_COMMUNICATION_FAILURE); + + return status; +} + +/* + * Addresses that the cpusec reads and/or writes must be flushed + * before the PSA call. + * + * After the PSA call, any address that the cpusec may have written to + * must be flushed and invalidated. + */ +static psa_status_t psa_call_buffered(psa_handle_t handle, int32_t type, const psa_invec *in_vec, + size_t in_len, psa_outvec *out_vec, size_t out_len) +{ + for (int i = 0; i < out_len; i++) { + sys_cache_data_flush_range((void *)out_vec[i].base, out_vec[i].len); + } + + for (int i = 0; i < in_len; i++) { + sys_cache_data_flush_range((void *)in_vec[i].base, in_vec[i].len); + } + + sys_cache_data_flush_range((void *)in_vec, in_len * sizeof(in_vec[0])); + sys_cache_data_flush_range((void *)out_vec, out_len * sizeof(out_vec[0])); + + psa_status_t status = + psa_call_buffered_and_flushed(handle, type, in_vec, in_len, out_vec, out_len); + + for (int i = 0; i < out_len; i++) { + sys_cache_data_flush_and_invd_range(out_vec[i].base, out_vec[i].len); + } + + /* cpusec may write the number of bytes writen to out_vec[i].len */ + sys_cache_data_flush_and_invd_range((void *)out_vec, out_len * sizeof(out_vec[0])); + + return status; +} + +/* + * Both the start address and end address of buffers that the cpusec + * writes must be 4-byte aligned. 
bounce_buffers, when enabled with + * PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS, will correct the + * alignment by buffering such buffers when necessary. + */ +psa_status_t psa_call(psa_handle_t handle, int32_t type, const psa_invec *in_vec, size_t in_len, + psa_outvec *out_vec, size_t out_len) +{ + if (in_len > PSA_MAX_IOVEC || out_len > PSA_MAX_IOVEC) { + return PSA_ERROR_PROGRAMMER_ERROR; + } + + psa_status_t status; + + psa_outvec out_vec_copy[out_len]; + + memcpy(out_vec_copy, out_vec, sizeof(out_vec_copy)); + + for (int i = 0; i < out_len; i++) { + out_vec_copy[i].base = bounce_buffers_prepare(out_vec[i].base, out_vec[i].len); + if (out_vec_copy[i].base == NULL) { + status = PSA_ERROR_INSUFFICIENT_MEMORY; + goto exit; + } + } + + status = psa_call_buffered(handle, type, in_vec, in_len, out_vec_copy, out_len); + +exit: + for (int i = 0; i < out_len; i++) { + bounce_buffers_release(out_vec[i].base, out_vec_copy[i].base, out_vec[i].len); + + out_vec[i].len = out_vec_copy[i].len; + } + + return status; +} diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c new file mode 100644 index 000000000000..abe1c167515c --- /dev/null +++ b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c 
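Review bot: The completion loop in `psa_call_buffered_and_flushed` spins until `status` stops being `PSA_ERROR_COMMUNICATION_FAILURE` and has no timeout, so a secure core that never answers, or that legitimately reports that same status, hangs the calling thread forever. A bounded wait that returns `PSA_ERROR_COMMUNICATION_FAILURE` on expiry, with a sentinel that is not a valid PSA status, would remove both cases. On expiry the address of the stack variable `status` has already been handed to the other core, so it would then need to live in storage that outlives the call. Separately, `psa_outvec out_vec_copy[out_len];` in `psa_call` is a zero-length VLA whenever a caller passes `out_len == 0`, which is undefined behaviour, as is the `memcpy` from a possibly NULL `out_vec`; `psa_outvec out_vec_copy[PSA_MAX_IOVEC];` with `if (out_len > 0) { memcpy(out_vec_copy, out_vec, out_len * sizeof(out_vec[0])); }` avoids both. The loops also compare `int i` against `size_t` lengths; `size_t i` would match the parameters.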
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include
+#include
+
+#include
+
+#include
+
+static void ept_bound(void *priv)
+{
+}
+
+static void ept_recv(const void *data, size_t len, void *priv)
+{
+}
+
+static struct ipc_ept_cfg ept_cfg = {
+ .name = "cpusec_cpuapp_ipc_ept",
+ .cb = {
+ .bound = ept_bound,
+ .received = ept_recv,
+ },
+};
+
+static struct ipc_ept ept;
+
+psa_status_t ironside_se_psa_ns_ipc_setup(void)
+{
+ static bool initialized;
+
+ if (initialized) {
+ return PSA_SUCCESS;
+ }
+
+ const struct device *instance = DEVICE_DT_GET(DT_NODELABEL(cpusec_cpuapp_ipc));
+
+ int ret = ipc_service_open_instance(instance);
+
+ if (ret < 0) {
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+ }
+
+ ret = ipc_service_register_endpoint(instance, &ept, &ept_cfg);
+ if (ret < 0) {
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+ }
+
+ initialized = true;
+
+ return PSA_SUCCESS;
+}
+
+int32_t ironside_se_psa_ns_ipc_send(uint32_t *buf, size_t buf_len)
+{
+ return ipc_service_send(&ept, buf, buf_len);
+}
diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h
new file mode 100644
index 000000000000..6c4d788b49c4
--- /dev/null
+++ b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h
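Review bot: `ironside_se_psa_ns_ipc_setup` treats the endpoint as usable as soon as `ipc_service_register_endpoint` returns, but `ept_bound` is empty, so nothing waits for the endpoint to be bound before `ironside_se_psa_ns_ipc_send` is called. With the icmsg backend a send on an endpoint that is not yet bound is likely to be rejected, which the caller turns into `PSA_ERROR_COMMUNICATION_FAILURE` for the first crypto call after boot. Signalling from `ept_bound` and waiting for it in setup with a timeout closes that window; the timeout name in the sketch below is a placeholder to be chosen by the author. The `initialized` flag is also read and written without any lock. A retry after a failed registration calls `ipc_service_open_instance` again, which may return `-EALREADY` and make every later setup fail.

```c
static K_SEM_DEFINE(ept_bound_sem, 0, 1);

static void ept_bound(void *priv)
{
	ARG_UNUSED(priv);

	k_sem_give(&ept_bound_sem);
}

/* … unchanged: ept_recv, ept_cfg, ept … */

	/* in ironside_se_psa_ns_ipc_setup(), after ipc_service_register_endpoint() succeeds */
	/* EPT_BIND_TIMEOUT_MS is a placeholder, not an existing symbol */
	if (k_sem_take(&ept_bound_sem, K_MSEC(EPT_BIND_TIMEOUT_MS)) != 0) {
		return PSA_ERROR_COMMUNICATION_FAILURE;
	}

	initialized = true;
```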
@@ -0,0 +1,30 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef __CONFIG_SDFW_PSA_NS_IPC_H__ +#define __CONFIG_SDFW_PSA_NS_IPC_H__ + +#include + +#include + +/* Provides IPC services to ironside_se_ps_ns_api.c */ + +/* + * setup must be called before send. + * + * successive calls to setup will have no effect. + */ +psa_status_t ironside_se_psa_ns_ipc_setup(void); + +/* + * A thin wrapper on top of ipc_service_send. + * + * See ipc_service_send for return codes etc. + */ +int32_t ironside_se_psa_ns_ipc_send(uint32_t *buf, size_t buf_len); + +#endif /* __CONFIG_SDFW_PSA_NS_IPC_H__ */ diff --git a/subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h b/subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h new file mode 100644 index 000000000000..5096ce6d1b7d --- /dev/null +++ b/subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef __PSA_MANIFEST_SID_H__ +#define __PSA_MANIFEST_SID_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +/* sid.h symbols are provided by ironside/se/ipc_service.h */ +#include + +#ifdef __cplusplus +} +#endif + +#endif /* __PSA_MANIFEST_SID_H__ */ diff --git a/subsys/sdfw_services/Kconfig b/subsys/sdfw_services/Kconfig index 57b3982c80a7..2db9d1906967 100644 --- a/subsys/sdfw_services/Kconfig +++ b/subsys/sdfw_services/Kconfig @@ -7,8 +7,9 @@ rsource "services/Kconfig" config SSF_CLIENT - def_bool $(dt_nodelabel_enabled_with_compat,cpusec_cpuapp_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)) \ - || $(dt_nodelabel_enabled_with_compat,cpusec_cpurad_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)) + bool + default (! SSF_V_2) && ($(dt_nodelabel_enabled_with_compat,cpusec_cpuapp_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)) \ + || $(dt_nodelabel_enabled_with_compat,cpusec_cpurad_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG))) config SDFW_SERVICES_ENABLED bool 
diff --git a/subsys/sdfw_services/services/Kconfig.template.service b/subsys/sdfw_services/services/Kconfig.template.service index 2dbe37cd238b..e27911464e97 100644 --- a/subsys/sdfw_services/services/Kconfig.template.service +++ b/subsys/sdfw_services/services/Kconfig.template.service @@ -22,7 +22,7 @@ menuconfig SSF_$(service_name)_SERVICE_ENABLED bool "$(service_name_str) service" default y if $(service_default_enabled) - depends on SDFW_SERVICES_ENABLED + depends on SDFW_SERVICES_ENABLED || SSF_V_2 if SSF_$(service_name)_SERVICE_ENABLED diff --git a/west.yml b/west.yml index 749630c005ee..1e9dacf78aaa 100644 --- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: e48bca44dd596dc66d71378e97bf5ceff2c483d0 + revision: pull/2726/head import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above
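Review bot: `revision: pull/2726/head` in the west.yml hunk replaces a pinned commit SHA with a pull-request ref, which moves whenever that PR is updated or force-pushed. The same commit of this repository can therefore resolve to different zephyr sources over time, and those sources have not passed the sdk-zephyr merge review. For anything that gets merged this should go back to a full commit hash, `revision: <sdk-zephyr commit SHA>` (placeholder), once the PR lands. If the PR ref has to stay while this is under review, a comment on the line such as `# TEMPORARY: replace with a commit SHA before merge` keeps it from slipping through.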