diff --git a/CODEOWNERS b/CODEOWNERS index a24ab38fdd29..c1dabce68683 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -824,6 +824,7 @@ /subsys/nrf_profiler/ @nrfconnect/ncs-si-bluebagel /subsys/nrf_rpc/ @nrfconnect/ncs-si-muffin @nrfconnect/ncs-protocols-serialization /subsys/nrf_security/ @nrfconnect/ncs-aegir +/subsys/nrf_ironside/ @nrfconnect/ncs-aurora /subsys/partition_manager/ @nordicjm @tejlmand /subsys/pcd/ @nrfconnect/ncs-pluto /subsys/secure_storage/ @nrfconnect/ncs-aegir diff --git a/subsys/CMakeLists.txt b/subsys/CMakeLists.txt index 157b637b3fe5..705eeabc4e73 100644 --- a/subsys/CMakeLists.txt +++ b/subsys/CMakeLists.txt @@ -12,6 +12,7 @@ add_subdirectory_ifdef(CONFIG_SECURE_BOOT_VALIDATION bootloader/bl_validation) add_subdirectory_ifdef(CONFIG_SECURE_BOOT_STORAGE bootloader/bl_storage) add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security) +add_subdirectory_ifdef(CONFIG_NRF_IRONSIDE nrf_ironside) add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage) add_subdirectory_ifdef(CONFIG_SECURE_STORAGE secure_storage) diff --git a/subsys/Kconfig b/subsys/Kconfig index 787848d4a260..eac201d45353 100644 --- a/subsys/Kconfig +++ b/subsys/Kconfig @@ -41,4 +41,5 @@ rsource "dult/Kconfig" rsource "nrf_compress/Kconfig" rsource "mcuboot_ids/Kconfig" rsource "settings/Kconfig" +rsource "nrf_ironside/Kconfig" endmenu diff --git a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt b/subsys/nrf_ironside/CMakeLists.txt similarity index 62% rename from subsys/nrf_security/src/ssf_secdom/CMakeLists.txt rename to subsys/nrf_ironside/CMakeLists.txt index 640be97a8c70..9ef415c678f0 100644 --- a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt +++ b/subsys/nrf_ironside/CMakeLists.txt @@ -4,6 +4,8 @@ # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause # +if(CONFIG_PSA_SSF_CRYPTO_CLIENT) + zephyr_library() zephyr_library_sources( # ironside_psa_ns_api.c provides psa_call, which sends a message over IPC. @@ -16,9 +18,12 @@ zephyr_library_sources( ) zephyr_library_include_directories( + . ${NRF_DIR}/include/tfm ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include - . + # Oberon PSA headers + ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include + ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library ) if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS) @@ -26,3 +31,17 @@ if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS) ${CMAKE_CURRENT_LIST_DIR}/bounce_buffers.c ) endif() + +zephyr_include_directories( + . + ${NRF_DIR}/include/tfm + ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include + # Oberon PSA headers + ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include + ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library +) + +zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ironside_config.h") +zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ironside_config.h") + +endif() diff --git a/subsys/nrf_security/src/ssf_secdom/Kconfig b/subsys/nrf_ironside/Kconfig similarity index 86% rename from subsys/nrf_security/src/ssf_secdom/Kconfig rename to subsys/nrf_ironside/Kconfig index fae6b86f1b28..8704da9081db 100644 --- a/subsys/nrf_security/src/ssf_secdom/Kconfig +++ b/subsys/nrf_ironside/Kconfig @@ -8,11 +8,17 @@ config PSA_SSF_CRYPTO_CLIENT bool prompt "PSA crypto provided through SSF" default y - depends on SOC_NRF54H20 || SOC_SERIES_NRF92X + depends on SOC_NRF54H20_CPUAPP || SOC_NRF54H20_CPURAD || SOC_SERIES_NRF92X select NRF_IRONSIDE_CALL + select PSA_CRYPTO_CLIENT + select PSA_CRYPTO if PSA_SSF_CRYPTO_CLIENT +choice PSA_CRYPTO_PROVIDER + default PSA_CRYPTO_PROVIDER_CUSTOM +endchoice + config PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS bool "Support PSA crypto with output buffers that are not cache-safe" default y diff --git a/subsys/nrf_security/src/ssf_secdom/bounce_buffers.c b/subsys/nrf_ironside/bounce_buffers.c similarity index 100% rename from subsys/nrf_security/src/ssf_secdom/bounce_buffers.c rename to subsys/nrf_ironside/bounce_buffers.c diff --git a/subsys/nrf_security/src/ssf_secdom/bounce_buffers.h b/subsys/nrf_ironside/bounce_buffers.h similarity index 100% rename from subsys/nrf_security/src/ssf_secdom/bounce_buffers.h rename to subsys/nrf_ironside/bounce_buffers.h diff --git a/subsys/nrf_ironside/ironside_config.h b/subsys/nrf_ironside/ironside_config.h new file mode 100644 index 000000000000..dcc7904812e8 --- /dev/null +++ b/subsys/nrf_ironside/ironside_config.h @@ -0,0 +1,7 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#define MBEDTLS_PSA_CRYPTO_CLIENT diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c b/subsys/nrf_ironside/ironside_se_psa_ns_api.c similarity index 100% rename from subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c rename to subsys/nrf_ironside/ironside_se_psa_ns_api.c diff --git a/subsys/nrf_ironside/psa/crypto_driver_config.h b/subsys/nrf_ironside/psa/crypto_driver_config.h new file mode 100644 index 000000000000..4eb10e5164c9 --- /dev/null +++ b/subsys/nrf_ironside/psa/crypto_driver_config.h @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef PSA_CRYPTO_DRIVER_CONFIG_H +#define PSA_CRYPTO_DRIVER_CONFIG_H + +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE) +#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE +#else +#include "psa/crypto_config.h" +#endif + +#endif /* PSA_CRYPTO_DRIVER_CONFIG_H */ diff --git a/subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h b/subsys/nrf_ironside/psa_manifest/sid.h similarity index 100% rename from subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h rename to subsys/nrf_ironside/psa_manifest/sid.h diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig index 8dd4ecce5584..24c6001e7992 100644 --- a/subsys/nrf_security/Kconfig +++ b/subsys/nrf_security/Kconfig @@ -33,6 +33,7 @@ config NRF_SECURITY bool prompt "nRF Security" if !PSA_PROMPTLESS depends on SOC_FAMILY_NORDIC_NRF + depends on !NRF_IRONSIDE_CALL default y if BUILD_WITH_TFM # entropy is provided by PSA and NRF_SECURITY on NRF54LX and NRF71X default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF54LX && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES diff --git a/subsys/nrf_security/Kconfig.psa b/subsys/nrf_security/Kconfig.psa index 45f45085968e..3cad1ddbad83 100644 --- a/subsys/nrf_security/Kconfig.psa +++ b/subsys/nrf_security/Kconfig.psa @@ -21,7 +21,6 @@ osource "modules/mbedtls/Kconfig.psa" rsource "src/core/Kconfig" -rsource "src/ssf_secdom/Kconfig" comment "PSA Driver Support" diff --git a/subsys/nrf_security/src/CMakeLists.txt b/subsys/nrf_security/src/CMakeLists.txt index a92b9681123d..10bc12ad9a0b 100644 --- a/subsys/nrf_security/src/CMakeLists.txt +++ b/subsys/nrf_security/src/CMakeLists.txt @@ -104,10 +104,6 @@ target_link_libraries(${mbedcrypto_target} psa_interface ) -if(CONFIG_PSA_SSF_CRYPTO_CLIENT) - add_subdirectory(ssf_secdom) -endif() - nrf_security_add_zephyr_options(${mbedcrypto_target}) # Base mbed TLS files (not in drivers or builtin's) diff --git a/subsys/trusted_storage/Kconfig b/subsys/trusted_storage/Kconfig index 7cbda1a23ae4..4edc37989f2b 100644 --- a/subsys/trusted_storage/Kconfig +++ b/subsys/trusted_storage/Kconfig @@ -9,6 +9,7 @@ menuconfig TRUSTED_STORAGE bool "Trusted Storage" depends on !BUILD_WITH_TFM + depends on !NRF_IRONSIDE_CALL help The secure storage subsystem allows its users to store data in a secure way, ensuring data integrity and confidentiality by using AEAD diff --git a/west.yml b/west.yml index b8e5adbb5c6d..84c8905e49d9 100644 --- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: 05b8b21aa9779fb1cb19ad59e7443ebec460aeee + revision: pull/3346/head import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above