nrfconnect · hermabe · Aug 15, 2025 · Aug 8, 2025 · Aug 8, 2025 · Aug 13, 2025
@@ -21,10 +21,15 @@ list(APPEND cracen_driver_sources
   # Note: We always need to have cipher.c and ctr_drbg.c since it
   # is used directly by many Cracen drivers.
   ${CMAKE_CURRENT_LIST_DIR}/src/cipher.c
-  ${CMAKE_CURRENT_LIST_DIR}/src/ctr_drbg.c
   ${CMAKE_CURRENT_LIST_DIR}/src/prng_pool.c
 )
 
+if(NOT CONFIG_PSA_CRYPTO_DRIVER_ALG_PRNG_TEST)
+  list(APPEND cracen_driver_sources
+    ${CMAKE_CURRENT_LIST_DIR}/src/ctr_drbg.c
+  )
+endif()
+
 if(CONFIG_CRACEN_IKG)
   list(APPEND cracen_driver_sources
     ${CMAKE_CURRENT_LIST_DIR}/src/ikg_signature.c

@@ -408,7 +408,7 @@ psa_status_t rnd_in_range(uint8_t *n, size_t sz, const uint8_t *upperlimit, size
 	msb_mask = ~msb_mask;
 
 	while (retries++ < retry_limit) {
-		psa_status_t status = psa_generate_random(n, sz);
+		psa_status_t status = cracen_get_random(NULL, n, sz);
 
 		if (status) {
 			return status;

@@ -150,7 +150,7 @@ int cracen_signature_get_rsa_key(struct cracen_rsa_key *rsa, bool extract_pubkey
 int cracen_signature_asn1_get_operand(uint8_t **p, const uint8_t *end, struct sx_buf *op);
 
 /**
- * @brief Use psa_generate_random up to generate a random number in the range [1, upperlimit).
+ * @brief Use cracen_get_random up to generate a random number in the range [1, upperlimit).
  *
  * @param[out] n           Output number.
  * @param[in]  sz          Size of number in bytes.

@@ -1197,7 +1197,8 @@ psa_status_t generate_key_for_kmu(const psa_key_attributes_t *attributes, uint8_
 		}
 	} else if (key_type == PSA_KEY_TYPE_AES || key_type == PSA_KEY_TYPE_HMAC ||
 		   key_type == PSA_KEY_TYPE_CHACHA20) {
-		status = psa_generate_random(key, PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)));
+		status = cracen_get_random(NULL, key,
+					   PSA_BITS_TO_BYTES(psa_get_key_bits(attributes)));
 		if (status != PSA_SUCCESS) {
 			return status;
 		}

@@ -33,16 +33,7 @@ extern nrf_security_mutex_t cracen_mutex_symmetric;
 
 #define KMU_PUSH_AREA_SIZE 64
 
-/* When execution in place (CONFIG_XIP) is not enabled, which in practice means that when Zephyr is
- * built for a RAM loaded image, the Zephyr linker script always places the RAM loaded image in the
- * top address of the RAM and then loads the linker scripts defined with the Zephyr SECTION_PROLOGUE
- * macros. Using SECTION_PROLOGUE macros to set the address of the kmu_push_area is
- * incompatible with RAM loaded images. The Zephyr reserved-memory devicetree methodology works for
- * both use cases but it requires heavy updates of multiple devicetree files and overlays. In order
- * to support the RAM loaded images use cases faster initial support for reserving the memory of
- * nrf_kmu_reserved_push_area though devicetree is limited to RAM loaded images.
- */
-#if DT_NODE_EXISTS(DT_NODELABEL(nrf_kmu_reserved_push_area)) && !CONFIG_XIP
+#if DT_NODE_EXISTS(DT_NODELABEL(nrf_kmu_reserved_push_area))
 
 #include <zephyr/dt-bindings/memory-attr/memory-attr.h>
 #include <zephyr/linker/devicetree_regions.h>
@@ -159,7 +150,10 @@ static psa_status_t cracen_kmu_encrypt(const uint8_t *key, size_t key_length,
 	psa_set_key_usage_flags(&attr, PSA_KEY_USAGE_ENCRYPT);
 
 	if (encrypted_buffer_size > CRACEN_KMU_SLOT_KEY_SIZE) {
-		psa_status = psa_generate_random(encrypted_buffer, CRACEN_KMU_SLOT_KEY_SIZE);
+		psa_status = cracen_get_random(NULL, encrypted_buffer, CRACEN_KMU_SLOT_KEY_SIZE);
+		if (psa_status != PSA_SUCCESS) {
+			return psa_status;
+		}
 	} else {
 		return PSA_ERROR_GENERIC_ERROR;
 	}

@@ -610,7 +610,7 @@ psa_status_t cracen_platform_keys_provision(const psa_key_attributes_t *attribut
 	key.sicr.bits = psa_get_key_bits(attributes);
 
 	/* Generate the 4 first bytes of the nonce, the rest are padded with zeros */
-	status = psa_generate_random((uint8_t *)key.sicr.nonce, sizeof(key.sicr.nonce[0]));
+	status = cracen_get_random(NULL, (uint8_t *)key.sicr.nonce, sizeof(key.sicr.nonce[0]));
 	if (status != PSA_SUCCESS) {
 		return status;
 	}

@@ -443,7 +443,7 @@ static psa_status_t cracen_write_key_share(cracen_spake2p_operation_t *operation
 		}
 	}
 
-	status = psa_generate_random(xs, sizeof(xs));
+	status = cracen_get_random(NULL, xs, sizeof(xs));
 	if (status != PSA_SUCCESS) {
 		return status;
 	}

@@ -65,7 +65,7 @@ manifest:
     # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
     - name: zephyr
       repo-path: sdk-zephyr
-      revision: a922397417e49858aa7a6fd98d8ef79f6dee3666
+      revision: 793e93e14667c87968d75c1666a9a99b44a054c9
       import:
         # In addition to the zephyr repository itself, NCS also
         # imports the contents of zephyr/west.yml at the above
@@ -128,7 +128,7 @@ manifest:
           compare-by-default: true
     - name: mcuboot
       repo-path: sdk-mcuboot
-      revision: c72ed153fb924203975c38dfea2853ae612e0a9a
+      revision: 6c096b8ed7bfddf044b20dfb512c4c1fd06c2ef6
       path: bootloader/mcuboot
     - name: qcbor
       url: https://github.com/laurencelundblade/QCBOR