From daa9b94a01678297223c58635e1f8b77d63d28c3 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Fri, 3 Oct 2025 13:23:04 +0200 Subject: [PATCH 1/3] nrf_ironside: Move Ironside outside of nrf_security Create a separate subsystem called nrf_ironside instead of having the logic in nrf_security. Ironside is completely separate from nrf_security and it should not be placed there. Make sure that nrf_security cannot be enabled at the same time as nrf_ironside as their configurations might collide. Signed-off-by: Georgios Vasilakis --- CODEOWNERS | 1 + subsys/CMakeLists.txt | 1 + subsys/Kconfig | 1 + .../CMakeLists.txt | 21 ++++++++++++++++++- .../src/ssf_secdom => nrf_ironside}/Kconfig | 8 ++++++- .../bounce_buffers.c | 0 .../bounce_buffers.h | 0 subsys/nrf_ironside/ironside_config.h | 7 +++++++ .../ironside_se_psa_ns_api.c | 0 .../nrf_ironside/psa/crypto_driver_config.h | 16 ++++++++++++++ .../psa_manifest/sid.h | 0 subsys/nrf_security/Kconfig | 1 + subsys/nrf_security/Kconfig.psa | 1 - subsys/nrf_security/src/CMakeLists.txt | 4 ---- 14 files changed, 54 insertions(+), 7 deletions(-) rename subsys/{nrf_security/src/ssf_secdom => nrf_ironside}/CMakeLists.txt (62%) rename subsys/{nrf_security/src/ssf_secdom => nrf_ironside}/Kconfig (86%) rename subsys/{nrf_security/src/ssf_secdom => nrf_ironside}/bounce_buffers.c (100%) rename subsys/{nrf_security/src/ssf_secdom => nrf_ironside}/bounce_buffers.h (100%) create mode 100644 subsys/nrf_ironside/ironside_config.h rename subsys/{nrf_security/src/ssf_secdom => nrf_ironside}/ironside_se_psa_ns_api.c (100%) create mode 100644 subsys/nrf_ironside/psa/crypto_driver_config.h rename subsys/{nrf_security/src/ssf_secdom => nrf_ironside}/psa_manifest/sid.h (100%) diff --git a/CODEOWNERS b/CODEOWNERS index a24ab38fdd29..c1dabce68683 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -824,6 +824,7 @@ /subsys/nrf_profiler/ @nrfconnect/ncs-si-bluebagel /subsys/nrf_rpc/ @nrfconnect/ncs-si-muffin @nrfconnect/ncs-protocols-serialization /subsys/nrf_security/ @nrfconnect/ncs-aegir +/subsys/nrf_ironside/ @nrfconnect/ncs-aurora /subsys/partition_manager/ @nordicjm @tejlmand /subsys/pcd/ @nrfconnect/ncs-pluto /subsys/secure_storage/ @nrfconnect/ncs-aegir diff --git a/subsys/CMakeLists.txt b/subsys/CMakeLists.txt index 157b637b3fe5..705eeabc4e73 100644 --- a/subsys/CMakeLists.txt +++ b/subsys/CMakeLists.txt @@ -12,6 +12,7 @@ add_subdirectory_ifdef(CONFIG_SECURE_BOOT_VALIDATION bootloader/bl_validation) add_subdirectory_ifdef(CONFIG_SECURE_BOOT_STORAGE bootloader/bl_storage) add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security) +add_subdirectory_ifdef(CONFIG_NRF_IRONSIDE nrf_ironside) add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage) add_subdirectory_ifdef(CONFIG_SECURE_STORAGE secure_storage) diff --git a/subsys/Kconfig b/subsys/Kconfig index 787848d4a260..eac201d45353 100644 --- a/subsys/Kconfig +++ b/subsys/Kconfig @@ -41,4 +41,5 @@ rsource "dult/Kconfig" rsource "nrf_compress/Kconfig" rsource "mcuboot_ids/Kconfig" rsource "settings/Kconfig" +rsource "nrf_ironside/Kconfig" endmenu diff --git a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt b/subsys/nrf_ironside/CMakeLists.txt similarity index 62% rename from subsys/nrf_security/src/ssf_secdom/CMakeLists.txt rename to subsys/nrf_ironside/CMakeLists.txt index 640be97a8c70..9ef415c678f0 100644 --- a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt +++ b/subsys/nrf_ironside/CMakeLists.txt @@ -4,6 +4,8 @@ # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause # +if(CONFIG_PSA_SSF_CRYPTO_CLIENT) + zephyr_library() zephyr_library_sources( # ironside_psa_ns_api.c provides psa_call, which sends a message over IPC. @@ -16,9 +18,12 @@ zephyr_library_sources( ) zephyr_library_include_directories( + . ${NRF_DIR}/include/tfm ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include - . + # Oberon PSA headers + ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include + ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library ) if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS) @@ -26,3 +31,17 @@ if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS) ${CMAKE_CURRENT_LIST_DIR}/bounce_buffers.c ) endif() + +zephyr_include_directories( + . + ${NRF_DIR}/include/tfm + ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include + # Oberon PSA headers + ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include + ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library +) + +zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ironside_config.h") +zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ironside_config.h") + +endif() diff --git a/subsys/nrf_security/src/ssf_secdom/Kconfig b/subsys/nrf_ironside/Kconfig similarity index 86% rename from subsys/nrf_security/src/ssf_secdom/Kconfig rename to subsys/nrf_ironside/Kconfig index fae6b86f1b28..8704da9081db 100644 --- a/subsys/nrf_security/src/ssf_secdom/Kconfig +++ b/subsys/nrf_ironside/Kconfig @@ -8,11 +8,17 @@ config PSA_SSF_CRYPTO_CLIENT bool prompt "PSA crypto provided through SSF" default y - depends on SOC_NRF54H20 || SOC_SERIES_NRF92X + depends on SOC_NRF54H20_CPUAPP || SOC_NRF54H20_CPURAD || SOC_SERIES_NRF92X select NRF_IRONSIDE_CALL + select PSA_CRYPTO_CLIENT + select PSA_CRYPTO if PSA_SSF_CRYPTO_CLIENT +choice PSA_CRYPTO_PROVIDER + default PSA_CRYPTO_PROVIDER_CUSTOM +endchoice + config PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS bool "Support PSA crypto with output buffers that are not cache-safe" default y diff --git a/subsys/nrf_security/src/ssf_secdom/bounce_buffers.c b/subsys/nrf_ironside/bounce_buffers.c similarity index 100% rename from subsys/nrf_security/src/ssf_secdom/bounce_buffers.c rename to subsys/nrf_ironside/bounce_buffers.c diff --git a/subsys/nrf_security/src/ssf_secdom/bounce_buffers.h b/subsys/nrf_ironside/bounce_buffers.h similarity index 100% rename from subsys/nrf_security/src/ssf_secdom/bounce_buffers.h rename to subsys/nrf_ironside/bounce_buffers.h diff --git a/subsys/nrf_ironside/ironside_config.h b/subsys/nrf_ironside/ironside_config.h new file mode 100644 index 000000000000..dcc7904812e8 --- /dev/null +++ b/subsys/nrf_ironside/ironside_config.h @@ -0,0 +1,7 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#define MBEDTLS_PSA_CRYPTO_CLIENT diff --git a/subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c b/subsys/nrf_ironside/ironside_se_psa_ns_api.c similarity index 100% rename from subsys/nrf_security/src/ssf_secdom/ironside_se_psa_ns_api.c rename to subsys/nrf_ironside/ironside_se_psa_ns_api.c diff --git a/subsys/nrf_ironside/psa/crypto_driver_config.h b/subsys/nrf_ironside/psa/crypto_driver_config.h new file mode 100644 index 000000000000..4eb10e5164c9 --- /dev/null +++ b/subsys/nrf_ironside/psa/crypto_driver_config.h @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#ifndef PSA_CRYPTO_DRIVER_CONFIG_H +#define PSA_CRYPTO_DRIVER_CONFIG_H + +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE) +#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE +#else +#include "psa/crypto_config.h" +#endif + +#endif /* PSA_CRYPTO_DRIVER_CONFIG_H */ diff --git a/subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h b/subsys/nrf_ironside/psa_manifest/sid.h similarity index 100% rename from subsys/nrf_security/src/ssf_secdom/psa_manifest/sid.h rename to subsys/nrf_ironside/psa_manifest/sid.h diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig index 8dd4ecce5584..24c6001e7992 100644 --- a/subsys/nrf_security/Kconfig +++ b/subsys/nrf_security/Kconfig @@ -33,6 +33,7 @@ config NRF_SECURITY bool prompt "nRF Security" if !PSA_PROMPTLESS depends on SOC_FAMILY_NORDIC_NRF + depends on !NRF_IRONSIDE_CALL default y if BUILD_WITH_TFM # entropy is provided by PSA and NRF_SECURITY on NRF54LX and NRF71X default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF54LX && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES diff --git a/subsys/nrf_security/Kconfig.psa b/subsys/nrf_security/Kconfig.psa index 45f45085968e..3cad1ddbad83 100644 --- a/subsys/nrf_security/Kconfig.psa +++ b/subsys/nrf_security/Kconfig.psa @@ -21,7 +21,6 @@ osource "modules/mbedtls/Kconfig.psa" rsource "src/core/Kconfig" -rsource "src/ssf_secdom/Kconfig" comment "PSA Driver Support" diff --git a/subsys/nrf_security/src/CMakeLists.txt b/subsys/nrf_security/src/CMakeLists.txt index a92b9681123d..10bc12ad9a0b 100644 --- a/subsys/nrf_security/src/CMakeLists.txt +++ b/subsys/nrf_security/src/CMakeLists.txt @@ -104,10 +104,6 @@ target_link_libraries(${mbedcrypto_target} psa_interface ) -if(CONFIG_PSA_SSF_CRYPTO_CLIENT) - add_subdirectory(ssf_secdom) -endif() - nrf_security_add_zephyr_options(${mbedcrypto_target}) # Base mbed TLS files (not in drivers or builtin's) From 0772bf6dbc7c6ff063ab37c782b3c08208b5e855 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Thu, 2 Oct 2025 14:45:25 +0200 Subject: [PATCH 2/3] trusted_storage: Forbid usage with NRF_IRONSIDE_CALL The NRF_IRONSIDE is a provider of PSA services (including storage) so it cannot be used along with the truested storage subsystem which provides PSA storage APIs. Signed-off-by: Georgios Vasilakis --- subsys/trusted_storage/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/subsys/trusted_storage/Kconfig b/subsys/trusted_storage/Kconfig index 7cbda1a23ae4..4edc37989f2b 100644 --- a/subsys/trusted_storage/Kconfig +++ b/subsys/trusted_storage/Kconfig @@ -9,6 +9,7 @@ menuconfig TRUSTED_STORAGE bool "Trusted Storage" depends on !BUILD_WITH_TFM + depends on !NRF_IRONSIDE_CALL help The secure storage subsystem allows its users to store data in a secure way, ensuring data integrity and confidentiality by using AEAD From 22b31d279b8d4645b5621b2638be530069668b3c Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Sat, 4 Oct 2025 00:04:14 +0200 Subject: [PATCH 3/3] manifest: Bring Zephyr with PSA RNG for nRF54h20 Brings Zephyr with PSA RNG as the default entropy provider for the nRF54h20. Signed-off-by: Georgios Vasilakis --- west.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/west.yml b/west.yml index b8e5adbb5c6d..84c8905e49d9 100644 --- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: 05b8b21aa9779fb1cb19ad59e7443ebec460aeee + revision: pull/3346/head import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above