From 935df8fc82bc83e5bfef209626fede82ac4d8194 Mon Sep 17 00:00:00 2001 From: Nordic Builder Date: Wed, 1 Oct 2025 11:45:44 +0000 Subject: [PATCH 1/5] manifest: Update sdk-zephyr revision (auto-manifest PR) Automatically created by Github Action Signed-off-by: Nordic Builder --- west.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/west.yml b/west.yml index b254bae3a3a..d98ce8168ff 100644 --- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: d47f109210e74e2e9df3ab5485a32b8a34254caf + revision: pull/3346/head import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above From 0535853920aedb31e3ebe711b54624015b025da4 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Wed, 1 Oct 2025 15:01:06 +0200 Subject: [PATCH 2/5] nrf_security: Force disabling the PSA core with Ironside Make sure that the PSA_CORE_DISABLED is always selected and is the only available option for the Ironside enabled devices. Signed-off-by: Georgios Vasilakis --- subsys/nrf_security/src/core/Kconfig | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/subsys/nrf_security/src/core/Kconfig b/subsys/nrf_security/src/core/Kconfig index 80629c1398d..0391aa76ff2 100644 --- a/subsys/nrf_security/src/core/Kconfig +++ b/subsys/nrf_security/src/core/Kconfig @@ -7,16 +7,23 @@ choice PSA_CORE prompt "PSA Core implementation" +config PSA_CORE_DISABLED + bool + prompt "PSA core-less for SSF crypto client support" + depends on DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED + config PSA_CORE_OBERON bool prompt "PSA Core implementation - Oberon" select PSA_WANT_AES_KEY_SIZE_128 select PSA_WANT_AES_KEY_SIZE_192 select PSA_WANT_AES_KEY_SIZE_256 + depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED config PSA_CORE_LITE bool "PSA core created for tiny footprint" depends on SOC_SERIES_NRF54LX + depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED help The PSA core with tiny footprint is created to be used e.g. for bootloader or similar use cases where there are severe size restrictions. This PSA core From 30800f456ddfa59594509a57916eccde52fee615 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Wed, 1 Oct 2025 15:44:17 +0200 Subject: [PATCH 3/5] nrf_security: Enable NRF_SECURITY for Ironside devices Enable NRF_SECURITY by default when the PSA RNG is enabled with the Ironside devices. I also refactored the previous logic to avoid duplications in the default statements. Signed-off-by: Georgios Vasilakis --- subsys/nrf_security/Kconfig | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig index 8dd4ecce558..e6bfd35e7f3 100644 --- a/subsys/nrf_security/Kconfig +++ b/subsys/nrf_security/Kconfig @@ -35,8 +35,9 @@ config NRF_SECURITY depends on SOC_FAMILY_NORDIC_NRF default y if BUILD_WITH_TFM # entropy is provided by PSA and NRF_SECURITY on NRF54LX and NRF71X - default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF54LX && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES - default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF71X && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES + default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED \ + && (SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X || DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED) \ + && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES select DISABLE_MBEDTLS_BUILTIN if MBEDTLS # NCS does not use TF-M's BL2 bootloader, but uses it's own fork # of MCUBoot instead (CONFIG_BOOTLOADER_MCUBOOT). From 9ad4657c301ca584977c84c5d87913371302afe2 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Thu, 2 Oct 2025 14:45:25 +0200 Subject: [PATCH 4/5] trusted_storage: Forbid usage with NRF_IRONSIDE The NRF_IRONSIDE is a provider of PSA services (including storage) so it cannot be used along with the truested storage subsystem which provides PSA storage APIs. Signed-off-by: Georgios Vasilakis --- subsys/trusted_storage/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/subsys/trusted_storage/Kconfig b/subsys/trusted_storage/Kconfig index 7cbda1a23ae..57993ea42a5 100644 --- a/subsys/trusted_storage/Kconfig +++ b/subsys/trusted_storage/Kconfig @@ -9,6 +9,7 @@ menuconfig TRUSTED_STORAGE bool "Trusted Storage" depends on !BUILD_WITH_TFM + depends on !NRF_IRONSIDE help The secure storage subsystem allows its users to store data in a secure way, ensuring data integrity and confidentiality by using AEAD From 971746f5fbb473d9324f6089403db766b7fdaec5 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Wed, 8 Oct 2025 14:55:41 +0200 Subject: [PATCH 5/5] nrf_security: Enable PSA_CRYPTO for NRF_SECURITY Enable the option PSA_CRYPTO when NRF_SECURITY is enabled. This will make it possible to make mbedTLS about different providers of PSA crypto APIs. Signed-off-by: Georgios Vasilakis --- subsys/nrf_security/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig index e6bfd35e7f3..0fead078268 100644 --- a/subsys/nrf_security/Kconfig +++ b/subsys/nrf_security/Kconfig @@ -46,6 +46,7 @@ config NRF_SECURITY # CONFIG_TFM_BL2. select TFM_BL2_NOT_SUPPORTED if BUILD_WITH_TFM select PSA_CRYPTO_CLIENT + select PSA_CRYPTO help Set this configuration to enable nRF Security. This provides Arm PSA cryptography APIs with RNG support (optionally).