diff --git a/include/tfm/ironside/se/ipc_service.h b/include/tfm/ironside/se/ipc_service.h index a474bccef4c3..87f03450b400 100644 --- a/include/tfm/ironside/se/ipc_service.h +++ b/include/tfm/ironside/se/ipc_service.h @@ -17,11 +17,18 @@ enum { IRONSIDE_SE_IPC_INDEX_IN_LEN, IRONSIDE_SE_IPC_INDEX_OUT_VEC, IRONSIDE_SE_IPC_INDEX_OUT_LEN, - IRONSIDE_SE_IPC_INDEX_STATUS_PTR, + IRONSIDE_SE_IPC_INDEX_STATUS, /* The last enum value is reserved for the size of the IPC buffer */ IRONSIDE_SE_IPC_DATA_LEN }; +/* IRONside call identifiers with implicit versions. + * + * With the initial "version 0", the service ABI is allowed to break until the + * first public release of IRONside SE. + */ +#define IRONSIDE_CALL_ID_PSA_CRYPTO_V0 0 + /* We are adding the source files for the TF-M crypto partition to the build. * * The crypto partition will include the file psa_manifest/sid.h and diff --git a/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf b/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf index d172f58efb93..31be593f7eca 100644 --- a/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf +++ b/samples/crypto/sha256/boards/nrf54h20dk_nrf54h20_cpuapp_iron.conf @@ -9,7 +9,6 @@ CONFIG_PSA_CRYPTO_DRIVER_OBERON=n # Enable PSA crypto from SSF client CONFIG_PSA_SSF_CRYPTO_CLIENT=y -CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y # Mbedtls configuration CONFIG_MBEDTLS_ENABLE_HEAP=y diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig index 2da3f5647fb0..db616e07b690 100644 --- a/subsys/nrf_security/Kconfig +++ b/subsys/nrf_security/Kconfig @@ -55,13 +55,6 @@ rsource "Kconfig.psa.nordic" config PSA_PROMPTLESS bool -config SSF_V_2 - bool - default y if BOARD_NRF54H20DK_NRF54H20_CPUAPP_IRON - prompt "temporary option until iron and SSFv2 is available" - select MBOX - select IPC_SERVICE - if NRF_SECURITY config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS 
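Review bot: The renamed enum entry `IRONSIDE_SE_IPC_INDEX_STATUS` in include/tfm/ironside/se/ipc_service.h has no comment saying that the slot now holds the result value itself rather than the address of a status variable. The call identifier stays at `IRONSIDE_CALL_ID_PSA_CRYPTO_V0` across that layout change. The new comment allows ABI breaks before the first public release, so this is a documentation point: a client and a service built from different revisions would interpret that word differently with nothing to detect the mismatch. I would add `/* psa_status_t result of the call, returned in the call buffer (a value, not a pointer) */` above the entry, matching how ironside_se_psa_ns_api.c reads it after dispatch. The enum starts outside the hunk.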
diff --git a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt b/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt index 32ad96703db8..30350f075c9a 100644 --- a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt +++ b/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt @@ -4,15 +4,13 @@ # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause # -if(CONFIG_SSF_V_2) +if(CONFIG_NRF_IRONSIDE_CALL) zephyr_library() zephyr_library_sources( # ironside_psa_ns_api.c provides psa_call. psa_call is invoked by # serialized functions from tfm_crypto_api.c and sends a message # over IPC. ${CMAKE_CURRENT_LIST_DIR}/ironside_se_psa_ns_api.c - # ironside_se_psa_ns_ipc.c provides an IPC service to ironside_se_psa_ns_api.c - ${CMAKE_CURRENT_LIST_DIR}/ironside_se_psa_ns_ipc.c # tfm_crypto_api.c provides and serializes the PSA Crypto API. ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/src/tfm_crypto_api.c ) diff --git a/subsys/nrf_security/src/ssf_secdom/Kconfig b/subsys/nrf_security/src/ssf_secdom/Kconfig index 4355e884e114..bfbbf2fc9b61 100644 --- a/subsys/nrf_security/src/ssf_secdom/Kconfig +++ b/subsys/nrf_security/src/ssf_secdom/Kconfig @@ -8,7 +8,8 @@ config PSA_SSF_CRYPTO_CLIENT bool prompt "PSA crypto provided through SSF" default y - depends on (SSF_CLIENT || SSF_V_2) && SSF_PSA_CRYPTO_SERVICE_ENABLED + depends on (SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED) || SOC_NRF54H20_IRON + select NRF_IRONSIDE_CALL if !SSF_CLIENT if PSA_SSF_CRYPTO_CLIENT diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c index 55a6b2d33992..2fa9d74124c7 100644 --- a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c +++ b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c @@ -9,13 +9,13 @@ #include #include +#include #include #include #include -#include "ironside_se_psa_ns_ipc.h" #include "bounce_buffers.h" /* The correctness of the serialization depends on these asserts */ 
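Review bot: `PSA_SSF_CRYPTO_CLIENT` in subsys/nrf_security/src/ssf_secdom/Kconfig has no help text, and its prompt still reads "PSA crypto provided through SSF". The new `depends on` line also enables it on `SOC_NRF54H20_IRON`, where `select NRF_IRONSIDE_CALL if !SSF_CLIENT` switches the transport away from SSF. With `default y` the option is on for those builds wherever its menu is reachable, so the entry should say which path carries the PSA Crypto requests in each case. I would add a `help` block stating that with `SSF_CLIENT` the calls go through the SSF PSA crypto service and otherwise through IRONside calls.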
@@ -33,38 +33,26 @@ static psa_status_t psa_call_buffered_and_flushed(psa_handle_t handle, int32_t t /* We have no need for this at this time */ ARG_UNUSED(type); - psa_status_t ipc_status = ironside_se_psa_ns_ipc_setup(); + struct ironside_call_buf *const buf = ironside_call_alloc(); - if (ipc_status != PSA_SUCCESS) { - return ipc_status; - } - - /* volatile and flushed because the cpusec core will usually - * modify this variable - */ - psa_status_t volatile status = PSA_ERROR_COMMUNICATION_FAILURE; - - sys_cache_data_flush_range((void *)&status, sizeof(status)); + buf->id = IRONSIDE_CALL_ID_PSA_CRYPTO_V0; - uint32_t ipc_service_buf[IRONSIDE_SE_IPC_DATA_LEN]; - - ipc_service_buf[IRONSIDE_SE_IPC_INDEX_HANDLE] = + buf->args[IRONSIDE_SE_IPC_INDEX_HANDLE] = handle; /* i.e. TFM_CRYPTO_HANDLE defined to 0x40000100U */ - ipc_service_buf[IRONSIDE_SE_IPC_INDEX_IN_VEC] = (uint32_t)in_vec; - ipc_service_buf[IRONSIDE_SE_IPC_INDEX_IN_LEN] = in_len; - ipc_service_buf[IRONSIDE_SE_IPC_INDEX_OUT_VEC] = (uint32_t)out_vec; - ipc_service_buf[IRONSIDE_SE_IPC_INDEX_OUT_LEN] = out_len; - ipc_service_buf[IRONSIDE_SE_IPC_INDEX_STATUS_PTR] = (uint32_t)&status; + buf->args[IRONSIDE_SE_IPC_INDEX_IN_VEC] = (uint32_t)in_vec; + buf->args[IRONSIDE_SE_IPC_INDEX_IN_LEN] = in_len; + buf->args[IRONSIDE_SE_IPC_INDEX_OUT_VEC] = (uint32_t)out_vec; + buf->args[IRONSIDE_SE_IPC_INDEX_OUT_LEN] = out_len; + + ironside_call_dispatch(buf); - int32_t ret = ironside_se_psa_ns_ipc_send(ipc_service_buf, sizeof(ipc_service_buf)); + psa_status_t status = PSA_ERROR_COMMUNICATION_FAILURE; - if (ret != sizeof(ipc_service_buf)) { - return PSA_ERROR_COMMUNICATION_FAILURE; + if (buf->status == IRONSIDE_CALL_STATUS_RSP_SUCCESS) { + status = buf->args[IRONSIDE_SE_IPC_INDEX_STATUS]; } - do { - sys_cache_data_flush_and_invd_range((void *)&status, sizeof(status)); - } while (status == PSA_ERROR_COMMUNICATION_FAILURE); + ironside_call_release(buf); return status; } 
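Review bot: Nothing in this hunk ties the size of `buf->args` to the `IRONSIDE_SE_IPC_INDEX_*` enum, so the writes up to `IRONSIDE_SE_IPC_INDEX_OUT_LEN` and the read at `IRONSIDE_SE_IPC_INDEX_STATUS` rely on `struct ironside_call_buf`, declared outside this diff, having at least `IRONSIDE_SE_IPC_DATA_LEN` argument words. The removed code sized its own array with that constant, whereas the shared call buffer is sized elsewhere, and an enum that later grows would index past it. A build-time check next to the file's existing serialization asserts would pin this, for example `BUILD_ASSERT(IRONSIDE_SE_IPC_DATA_LEN <= ARRAY_SIZE(((struct ironside_call_buf *)0)->args));`. Separately, `buf` is dereferenced straight after `ironside_call_alloc()`; if that function can return NULL (not visible here), a check returning `PSA_ERROR_COMMUNICATION_FAILURE` belongs before `buf->id` is written. The function's signature and opening lines are outside the hunk.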
diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c
deleted file mode 100644
index abe1c167515c..000000000000
--- a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 2025 Nordic Semiconductor ASA
- *
- * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
- */
-
-#include
-#include
-
-#include
-
-#include
-
-static void ept_bound(void *priv)
-{
-}
-
-static void ept_recv(const void *data, size_t len, void *priv)
-{
-}
-
-static struct ipc_ept_cfg ept_cfg = {
- .name = "cpusec_cpuapp_ipc_ept",
- .cb = {
- .bound = ept_bound,
- .received = ept_recv,
- },
-};
-
-static struct ipc_ept ept;
-
-psa_status_t ironside_se_psa_ns_ipc_setup(void)
-{
- static bool initialized;
-
- if (initialized) {
- return PSA_SUCCESS;
- }
-
- const struct device *instance = DEVICE_DT_GET(DT_NODELABEL(cpusec_cpuapp_ipc));
-
- int ret = ipc_service_open_instance(instance);
-
- if (ret < 0) {
- return PSA_ERROR_COMMUNICATION_FAILURE;
- }
-
- ret = ipc_service_register_endpoint(instance, &ept, &ept_cfg);
- if (ret < 0) {
- return PSA_ERROR_COMMUNICATION_FAILURE;
- }
-
- initialized = true;
-
- return PSA_SUCCESS;
-}
-
-int32_t ironside_se_psa_ns_ipc_send(uint32_t *buf, size_t buf_len)
-{
- return ipc_service_send(&ept, buf, buf_len);
-}
diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h b/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h
deleted file mode 100644
index 6c4d788b49c4..000000000000
--- a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_ipc.h
+++ /dev/null
@@ -1,30 +0,0 @@ -/* - * Copyright (c) 2025 Nordic Semiconductor ASA - * - * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause - */ - -#ifndef __CONFIG_SDFW_PSA_NS_IPC_H__ -#define __CONFIG_SDFW_PSA_NS_IPC_H__ - -#include - -#include - -/* Provides IPC services to ironside_se_ps_ns_api.c */ - -/* - * setup must be called before send. - * - * successive calls to setup will have no effect. - */ -psa_status_t ironside_se_psa_ns_ipc_setup(void); - -/* - * A thin wrapper on top of ipc_service_send. - * - * See ipc_service_send for return codes etc. - */ -int32_t ironside_se_psa_ns_ipc_send(uint32_t *buf, size_t buf_len); - -#endif /* __CONFIG_SDFW_PSA_NS_IPC_H__ */ diff --git a/subsys/sdfw_services/Kconfig b/subsys/sdfw_services/Kconfig index 2db9d1906967..ecba5fa274d5 100644 --- a/subsys/sdfw_services/Kconfig +++ b/subsys/sdfw_services/Kconfig @@ -8,8 +8,9 @@ rsource "services/Kconfig" config SSF_CLIENT bool - default (! SSF_V_2) && ($(dt_nodelabel_enabled_with_compat,cpusec_cpuapp_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)) \ - || $(dt_nodelabel_enabled_with_compat,cpusec_cpurad_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG))) + def_bool $(dt_nodelabel_enabled_with_compat,cpusec_cpuapp_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)) \ + || $(dt_nodelabel_enabled_with_compat,cpusec_cpurad_ipc,$(DT_COMPAT_ZEPHYR_IPC_ICMSG)) + depends on !SOC_NRF54H20_IRON config SDFW_SERVICES_ENABLED bool diff --git a/subsys/sdfw_services/services/Kconfig.template.service b/subsys/sdfw_services/services/Kconfig.template.service index e27911464e97..2dbe37cd238b 100644 --- a/subsys/sdfw_services/services/Kconfig.template.service +++ b/subsys/sdfw_services/services/Kconfig.template.service @@ -22,7 +22,7 @@ menuconfig SSF_$(service_name)_SERVICE_ENABLED bool "$(service_name_str) service" default y if $(service_default_enabled) - depends on SDFW_SERVICES_ENABLED || SSF_V_2 + depends on SDFW_SERVICES_ENABLED if SSF_$(service_name)_SERVICE_ENABLED diff --git a/west.yml b/west.yml index 29b69df71410..08ed9a39d26b 100644 
--- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: b6a492dcc43ef4d32678c69106325f8026ceab0b + revision: ca2af2f1469802d7e48b18a6e8bce6436d57223c import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above