From 208c0903facf12c3b695a5f9e4df792e80d68941 Mon Sep 17 00:00:00 2001 From: Nordic Builder Date: Wed, 1 Oct 2025 11:45:44 +0000 Subject: [PATCH 1/4] manifest: Update sdk-zephyr revision (auto-manifest PR) Automatically created by Github Action Signed-off-by: Nordic Builder --- west.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/west.yml b/west.yml index 5c06bfe1c7ea..332593799c57 100644 --- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: 69ad0523f95f13d1de356c19575301ce3de4959e + revision: pull/3346/head import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above From 1b8e8fea8377e5c989aecc41aa74ba1531499f56 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Wed, 1 Oct 2025 15:01:06 +0200 Subject: [PATCH 2/4] nrf_security: Force disabling the PSA core with Ironside Make sure that the PSA_CORE_DISABLED is always selected and is the only available option for the Ironside enabled devices. Signed-off-by: Georgios Vasilakis --- subsys/nrf_security/src/core/Kconfig | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/subsys/nrf_security/src/core/Kconfig b/subsys/nrf_security/src/core/Kconfig index 80629c1398d9..0391aa76ff2d 100644 --- a/subsys/nrf_security/src/core/Kconfig +++ b/subsys/nrf_security/src/core/Kconfig @@ -7,16 +7,23 @@ choice PSA_CORE prompt "PSA Core implementation" +config PSA_CORE_DISABLED + bool + prompt "PSA core-less for SSF crypto client support" + depends on DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED + config PSA_CORE_OBERON bool prompt "PSA Core implementation - Oberon" select PSA_WANT_AES_KEY_SIZE_128 select PSA_WANT_AES_KEY_SIZE_192 select PSA_WANT_AES_KEY_SIZE_256 + depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED config PSA_CORE_LITE bool "PSA core created for tiny footprint" depends on SOC_SERIES_NRF54LX + depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED help The PSA core with tiny footprint is created to be used e.g. for bootloader or similar use cases where there are severe size restrictions. This PSA core From b219e062ef3cde41b420e5fa5b61f36132353f6e Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Wed, 1 Oct 2025 15:44:17 +0200 Subject: [PATCH 3/4] nrf_security: Enable NRF_SECURITY for Ironside devices Enable NRF_SECURITY by default when the PSA RNG is enabled with the Ironside devices. I also refactored the previous logic to avoid duplications in the default statements. Signed-off-by: Georgios Vasilakis --- subsys/nrf_security/Kconfig | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig index 61f0d08b1104..3413d79d8120 100644 --- a/subsys/nrf_security/Kconfig +++ b/subsys/nrf_security/Kconfig @@ -35,8 +35,9 @@ config NRF_SECURITY depends on SOC_FAMILY_NORDIC_NRF default y if BUILD_WITH_TFM # entropy is provided by PSA and NRF_SECURITY on NRF54LX and NRF71X - default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF54LX && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES - default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF71X && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES + default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED \ + && (SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X || DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED) \ + && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES select DISABLE_MBEDTLS_BUILTIN if MBEDTLS # NCS does not use TF-M's BL2 bootloader, but uses it's own fork # of MCUBoot instead (CONFIG_BOOTLOADER_MCUBOOT). From 6747d4f01c9262e0d5ddc3b39d3f6a79fff1774d Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Thu, 2 Oct 2025 14:45:25 +0200 Subject: [PATCH 4/4] trusted_storage: Forbid usage with NRF_IRONSIDE The NRF_IRONSIDE is a provider of PSA services (including storage) so it cannot be used along with the truested storage subsystem which provides PSA storage APIs. Signed-off-by: Georgios Vasilakis --- subsys/trusted_storage/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/subsys/trusted_storage/Kconfig b/subsys/trusted_storage/Kconfig index 7cbda1a23ae4..57993ea42a58 100644 --- a/subsys/trusted_storage/Kconfig +++ b/subsys/trusted_storage/Kconfig @@ -9,6 +9,7 @@ menuconfig TRUSTED_STORAGE bool "Trusted Storage" depends on !BUILD_WITH_TFM + depends on !NRF_IRONSIDE help The secure storage subsystem allows its users to store data in a secure way, ensuring data integrity and confidentiality by using AEAD