Skip to content

nrf_ironside: Move Ironside outside of nrf_security #24862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

nrf_ironside: Move Ironside outside of nrf_security #24862

wants to merge 3 commits into from

Conversation

Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented Oct 3, 2025

Create a separate subsystem called nrf_ironside instead of having the logic in nrf_security. Ironside is completely separate from nrf_security and it should not be placed there.

Make sure that nrf_security cannot be enabled at the same time as nrf_ironside as their configurations might collide.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 3, 2025
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 12

Inputs:

Sources:

sdk-nrf: PR head: 22b31d279b8d4645b5621b2638be530069668b3c
zephyr: PR head: 78cc58432b43214654b9b53edb41bf278aa69d2c

more details

sdk-nrf:

PR head: 22b31d279b8d4645b5621b2638be530069668b3c
merge base: 9002fe1c0798c2895356b8513d561761ac30ef20
target head (main): a694b33a40d18551f4de20599100b6779eea8417
Diff

zephyr:

PR head: 78cc58432b43214654b9b53edb41bf278aa69d2c
merge base: 6aa26eed633353a8d18d85440e73db7e330bf41d
target head (main): 1365e9d83071aad735d7ef42385430fb462fe611
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (36) 
CODEOWNERS
subsys
│  ├── CMakeLists.txt
│  ├── Kconfig
│  ├── nrf_ironside
│  │  ├── CMakeLists.txt
│  │  ├── Kconfig
│  │  ├── bounce_buffers.c
│  │  ├── bounce_buffers.h
│  │  ├── ironside_config.h
│  │  ├── ironside_se_psa_ns_api.c
│  │  ├── psa
│  │  │  │ crypto_driver_config.h
│  │  ├── psa_manifest
│  │  │  │ sid.h
│  ├── nrf_security
│  │  ├── Kconfig
│  │  ├── Kconfig.psa
│  │  ├── src
│  │  │  │ CMakeLists.txt
│  ├── trusted_storage
│  │  │ Kconfig
west.yml
zephyr
│  ├── boards
│  │  ├── nordic
│  │  │  ├── nrf54h20dk
│  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.dts
│  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.dts
│  ├── doc
│  │  ├── releases
│  │  │  │ release-notes-4.3.rst
│  ├── drivers
│  │  ├── bluetooth
│  │  │  ├── hci
│  │  │  │  ├── Kconfig
│  │  │  │  │ Kconfig.esp32
│  ├── modules
│  │  ├── hostap
│  │  │  │ Kconfig
│  │  ├── mbedtls
│  │  │  │ Kconfig.psa.logic
│  │  ├── openthread
│  │  │  │ Kconfig
│  │  ├── uoscore-uedhoc
│  │  │  │ Kconfig
│  ├── samples
│  │  ├── net
│  │  │  ├── sockets
│  │  │  │  ├── http_server
│  │  │  │  │  │ Kconfig
│  │  ├── subsys
│  │  │  ├── mgmt
│  │  │  │  ├── updatehub
│  │  │  │  │  │ overlay-psa.conf
│  ├── subsys
│  │  ├── bluetooth
│  │  │  ├── crypto
│  │  │  │  │ Kconfig
│  │  │  ├── host
│  │  │  │  │ Kconfig
│  │  │  ├── mesh
│  │  │  │  │ Kconfig
│  │  ├── jwt
│  │  │  │ Kconfig
│  │  ├── secure_storage
│  │  │  │ Kconfig
│  ├── tests
│  │  ├── arch
│  │  │  ├── arm
│  │  │  │  ├── arm_irq_vector_table
│  │  │  │  │  ├── boards
│  │  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.conf
│  │  │  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.conf
│  │  ├── bsim
│  │  │  ├── bluetooth
│  │  │  │  ├── host
│  │  │  │  │  ├── gatt
│  │  │  │  │  │  ├── caching
│  │  │  │  │  │  │  │ psa_overlay.conf
│  │  │  │  ├── ll
│  │  │  │  │  ├── conn
│  │  │  │  │  │  │ psa_overlay.conf

Outputs:

Toolchain

Version: f66cf421f3
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:f66cf421f3_bba2ea5f2e

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ❌ Build twister
    • sdk-nrf test count: 30
    • sdk-zephyr test count: 1638
  • ❌ Integration tests
    • ❌ test-sdk-audio
    • ❌ test_ble_nrf_config
    • ❌ test-fw-nrfconnect-ble_mesh
    • ❌ test-fw-nrfconnect-ble_samples
    • ❌ test-fw-nrfconnect-chip
    • ❌ test-fw-nrfconnect-nfc
    • ❌ test-fw-nrfconnect-nrf-iot_cloud
    • ❌ test-fw-nrfconnect-nrf-iot_thingy91
    • ❌ test-fw-nrfconnect-nrf_crypto
    • ❌ test-fw-nrfconnect-rs
    • ❌ test-fw-nrfconnect-fem
    • ❌ test-fw-nrfconnect-tfm
    • ❌ test-fw-nrfconnect-thread-main
    • ❌ test-sdk-find-my
    • ❌ test-low-level
    • ❌ test-sdk-mcuboot
    • ❌ test-sdk-dfu
Disabled integration tests
    • test-fw-nrfconnect-nrf_lrcs_mosh
    • test-fw-nrfconnect-nrf_lrcs_positioning
    • desktop52_verification
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-proprietary_esb
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@Vge0rge Vge0rge force-pushed the new_nrf_ironside branch 3 times, most recently from ad3ff8d to fb6ad87 Compare October 3, 2025 11:48
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 3, 2025

You can find the documentation preview for this PR here.

@Vge0rge Vge0rge marked this pull request as ready for review October 3, 2025 12:56
@Vge0rge Vge0rge requested review from a team as code owners October 3, 2025 12:56
@Vge0rge Vge0rge requested a review from a team October 3, 2025 12:57
karstenkoenig
karstenkoenig reviewed Oct 3, 2025
View reviewed changes
subsys/nrf_security/Kconfig
bool
prompt "nRF Security" if !PSA_PROMPTLESS
depends on SOC_FAMILY_NORDIC_NRF
depends on !NRF_IRONSIDE_CALL
Copy link
Contributor

@karstenkoenig karstenkoenig Oct 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this break if someone wants to use some software crypto on nrf54h20? You aren't really incompatible with NRF_IRONSIDE_CALL I'd say

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

software crypto on nrf54h20 is not supported. So if it does break, then that is intended behaviour :)

Copy link
Contributor Author

@Vge0rge Vge0rge Oct 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If they want to use it along with the hardware crypto yes. But it should break because at the moment no-one worked on this use case. If it worked by accident before it is better to break so that someone can think how to properly support this use case.

Edit: Sebastians comment didn't show up before I sent this. But we are saying the exact same thing basically :)

@Vge0rge Vge0rge force-pushed the new_nrf_ironside branch 2 times, most recently from 23fd200 to 9783e81 Compare October 3, 2025 21:14
@Vge0rge Vge0rge requested a review from a team as a code owner October 3, 2025 22:05
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 3, 2025
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
zephyr nrfconnect/sdk-zephyr@05b8b21 nrfconnect/sdk-zephyr#3346 nrfconnect/sdk-zephyr#3346/files

DNM label due to: 1 project with PR revision

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@Vge0rge Vge0rge mentioned this pull request Oct 3, 2025
Closed
@Vge0rge Vge0rge force-pushed the new_nrf_ironside branch 3 times, most recently from 54a5725 to cc45945 Compare October 6, 2025 13:20
SebastianBoe
SebastianBoe reviewed Oct 6, 2025
View reviewed changes
subsys/nrf_ironside/Kconfig
prompt "PSA crypto provided through SSF"
default y
depends on SOC_NRF54H20 || SOC_SERIES_NRF92X
depends on SOC_NRF54H20_CPUAPP || SOC_NRF54H20_CPURAD || SOC_SERIES_NRF92X
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Presumably 92X should also be split up into CPUAPP and CPUCELL?

@ayla-nordicsemi ?

nordicjm
nordicjm reviewed Oct 6, 2025
View reviewed changes
subsys/nrf_ironside/CMakeLists.txt
#

if(CONFIG_PSA_SSF_CRYPTO_CLIENT)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change

and missing indent

subsys/nrf_ironside/CMakeLists.txt

zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ironside_config.h")
zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ironside_config.h")

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change

subsys/nrf_ironside/CMakeLists.txt
Comment on lines +46 to +45
zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ironside_config.h")
zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ironside_config.h")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't this a Kconfig?

Vge0rge added 2 commits October 7, 2025 16:24
@Vge0rge
nrf_ironside: Move Ironside outside of nrf_security
daa9b94 
Create a separate subsystem called nrf_ironside instead
of having the logic in nrf_security. Ironside is completely
separate from nrf_security and it should not be placed there.

Make sure that nrf_security cannot be enabled at the same time
as nrf_ironside as their configurations might collide.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
trusted_storage: Forbid usage with NRF_IRONSIDE_CALL
0772bf6 
The NRF_IRONSIDE is a provider of PSA services (including storage)
so it cannot be used along with the truested storage subsystem which
provides PSA storage APIs.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
manifest: Bring Zephyr with PSA RNG for nRF54h20
22b31d2 
Brings Zephyr with PSA RNG as the default entropy
provider for the nRF54h20.

Signed-off-by: Georgios Vasilakis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SebastianBoe SebastianBoe SebastianBoe approved these changes

@karstenkoenig karstenkoenig karstenkoenig left review comments

@nordicjm nordicjm nordicjm left review comments

@degjorva degjorva degjorva approved these changes

@jonathannilsen jonathannilsen jonathannilsen approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
DNM manifest manifest-zephyr
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@Vge0rge @NordicBuilder @SebastianBoe @karstenkoenig @degjorva @nordicjm @jonathannilsen