Skip to content

Enable PSA RNG for nrf54h20 #24932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 22, 2025
Merged

Enable PSA RNG for nrf54h20 #24932

merged 7 commits into from
Oct 22, 2025

Conversation

@Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented Oct 8, 2025
edited
Loading

This PR enables the PSA RNG as the default random provider for nRF54h20. Please see commits for details

@NordicBuilder NordicBuilder added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Oct 8, 2025
@Vge0rge Vge0rge changed the title ] FOR CI ONLY - DONT REVIEW Oct 8, 2025
@Vge0rge Vge0rge marked this pull request as ready for review October 8, 2025 12:59
@Vge0rge Vge0rge requested review from a team as code owners October 8, 2025 12:59
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 8, 2025
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
zephyr nrfconnect/sdk-zephyr@d3d01f7 nrfconnect/sdk-zephyr@befc177 (main) nrfconnect/[email protected]

All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 8, 2025
edited
Loading

CI Information

To view the history of this post, click the 'edited' button above
Build number: 24

Inputs:

Sources:

sdk-nrf: PR head: 3aab7615900c157eccca4754bcf97cd0e4e5da9c
zephyr: PR head: befc17735a873999c8bbf107d3d655c84de9d37c

more details

sdk-nrf:

PR head: 3aab7615900c157eccca4754bcf97cd0e4e5da9c
merge base: ac566ebbb6fb538ab6d97507ee4f530dbe675571
target head (main): 2b1d723d240405d2a31e03b0b89abe1309d073b8
Diff

zephyr:

PR head: befc17735a873999c8bbf107d3d655c84de9d37c
merge base: d3d01f7179159e9b5ea84799042b4ffebe5f2d49
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (23) 
subsys
│  ├── bluetooth
│  │  ├── services
│  │  │  ├── fast_pair
│  │  │  │  ├── fp_crypto
│  │  │  │  │  │ Kconfig.fp_crypto
│  ├── nrf_security
│  │  ├── Kconfig
│  │  ├── src
│  │  │  ├── core
│  │  │  │  │ Kconfig
│  ├── trusted_storage
│  │  │ Kconfig
tests
│  ├── subsys
│  │  ├── bluetooth
│  │  │  ├── fast_pair
│  │  │  │  ├── crypto
│  │  │  │  │  │ testcase.yaml
west.yml
zephyr
│  ├── boards
│  │  ├── nordic
│  │  │  ├── nrf54h20dk
│  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.dts
│  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.dts
│  ├── drivers
│  │  ├── bluetooth
│  │  │  ├── hci
│  │  │  │  ├── Kconfig
│  │  │  │  │ Kconfig.esp32
│  ├── modules
│  │  ├── hostap
│  │  │  │ Kconfig
│  │  ├── mbedtls
│  │  │  │ Kconfig.psa.logic
│  │  ├── openthread
│  │  │  │ Kconfig
│  │  ├── uoscore-uedhoc
│  │  │  │ Kconfig
│  ├── samples
│  │  ├── net
│  │  │  ├── sockets
│  │  │  │  ├── http_server
│  │  │  │  │  │ Kconfig
│  │  ├── subsys
│  │  │  ├── mgmt
│  │  │  │  ├── updatehub
│  │  │  │  │  │ overlay-psa.conf
│  ├── subsys
│  │  ├── bluetooth
│  │  │  ├── crypto
│  │  │  │  │ Kconfig
│  │  │  ├── host
│  │  │  │  │ Kconfig
│  │  ├── jwt
│  │  │  │ Kconfig
│  ├── tests
│  │  ├── bsim
│  │  │  ├── bluetooth
│  │  │  │  ├── host
│  │  │  │  │  ├── gatt
│  │  │  │  │  │  ├── caching
│  │  │  │  │  │  │  │ psa_overlay.conf
│  │  │  │  ├── ll
│  │  │  │  │  ├── conn
│  │  │  │  │  │  │ psa_overlay.conf
│  │  ├── subsys
│  │  │  ├── secure_storage
│  │  │  │  ├── psa
│  │  │  │  │  ├── crypto
│  │  │  │  │  │  │ testcase.yaml
│  │  │  │  │  ├── its
│  │  │  │  │  │  │ testcase.yaml

Outputs:

Toolchain

Version: 46667c6630
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:46667c6630_bba2ea5f2e

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister - Skipped: Skipping Build & Test as it succeeded in a previous run: 22
  • ❌ Integration tests
    • ✅ test-sdk-audio - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ desktop52_verification - Skipped: Job was skipped as it succeeded in a previous run
    • ❌ test_ble_nrf_config - Error: Error starting job: null
    • ✅ test-fw-nrfconnect-ble_samples - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-chip - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nfc - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_cloud - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf-iot_thingy91 - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-nrf_crypto - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-rs - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-fem - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-tfm - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-fw-nrfconnect-thread-main - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-find-my - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-low-level - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-mcuboot - Skipped: Job was skipped as it succeeded in a previous run
    • ✅ test-sdk-dfu - Skipped: Job was skipped as it succeeded in a previous run
Disabled integration tests
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-proprietary_esb
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch 2 times, most recently from 971746f to feb192f Compare October 9, 2025 14:42
@Vge0rge Vge0rge requested a review from a team as a code owner October 9, 2025 14:42
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from feb192f to 7212518 Compare October 10, 2025 08:54
@NordicBuilder NordicBuilder requested a review from a team October 10, 2025 08:54
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from 7212518 to 881bdce Compare October 13, 2025 08:30
@github-actions
Copy link

You can find the documentation preview for this PR here.

@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch 2 times, most recently from 2369a9b to b47e11b Compare October 14, 2025 12:59
@Vge0rge Vge0rge changed the title FOR CI ONLY - DONT REVIEW Enable PSA RNG for nrf54h20 Oct 14, 2025
degjorva
degjorva approved these changes Oct 14, 2025
View reviewed changes
tomi-font
tomi-font reviewed Oct 15, 2025
View reviewed changes
@NordicBuilder NordicBuilder requested a review from a team October 15, 2025 14:14
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch 2 times, most recently from 8f7b070 to ba2cc15 Compare October 15, 2025 14:20
@Vge0rge Vge0rge requested a review from tomi-font October 15, 2025 14:28
tomi-font
tomi-font approved these changes Oct 16, 2025
View reviewed changes
@Vge0rge
Copy link
Contributor Author

Vge0rge commented Oct 16, 2025

Ping @nrfconnect/ncs-co-build-system @nrfconnect/ncs-code-owners @nrfconnect/ncs-si-bluebagel

@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from ba2cc15 to 6fe9cd6 Compare October 16, 2025 10:08
@Vge0rge
Copy link
Contributor Author

Vge0rge commented Oct 20, 2025
edited
Loading

@nrfconnect/ncs-dragoon Please have a look on this, only the last commit should be relevant to you.

MarekPieta
MarekPieta approved these changes Oct 20, 2025
View reviewed changes
subsys/bluetooth/services/fast_pair/fp_crypto/Kconfig.fp_crypto
select NRF_SECURITY
select MBEDTLS_PSA_CRYPTO_C
select MBEDTLS_ENABLE_HEAP
select MBEDTLS_PSA_CRYPTO_C if !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we allow building with TFM_PROFILE_TYPE_MINIMAL if DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED is set (as IronSide handles the crypto calls then)?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we select CONFIG_PSA_CRYPTO instead of MBEDTLS_PSA_CRYPTO_C ? (or maybe selecting only the NRF_SECURITY would be sufficient here as it has select PSA_CRYPTO)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we allow building with TFM_PROFILE_TYPE_MINIMAL if DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED is set (as IronSide handles the crypto calls then)?
TF-M is not supported in Ironside enabled devices at all. I am not sure how/if this is enforced at the moment but hopefully it is another task to make sure that this is not allowed at all.

Shouldn't we select CONFIG_PSA_CRYPTO instead of MBEDTLS_PSA_CRYPTO_C ? (or maybe selecting only the NRF_SECURITY would be sufficient here as it has select PSA_CRYPTO)
Yeah, my thinking was that since NRF_SECURITY enables it already we don't also need to do it here.

@Vge0rge Vge0rge removed the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Oct 20, 2025
@hermabe
Copy link
Member

hermabe commented Oct 21, 2025

@nrfconnect/ncs-dragoon Please have a look on this, only the last commit should be relevant to you.

Dragoon is not an owner of any file in this PR, you have the sufficient approvals.

@gordonklaus gordonklaus self-requested a review October 21, 2025 08:16
@gordonklaus
Copy link
Contributor

@nrfconnect/ncs-dragoon Please have a look on this, only the last commit should be relevant to you.

Dragoon is not an owner of any file in this PR, you have the sufficient approvals.

In any case, it looks good to me as a Dragooner. Thanks for the heads-up.

@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from a7fbace to 8b1bb88 Compare October 21, 2025 08:49
@NordicBuilder NordicBuilder added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Oct 21, 2025
@NordicBuilder NordicBuilder requested review from a team October 21, 2025 08:49
@Vge0rge Vge0rge removed the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Oct 21, 2025
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from 8b1bb88 to 13700c3 Compare October 21, 2025 13:28
@NordicBuilder NordicBuilder added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Oct 21, 2025
NordicBuilder and others added 7 commits October 21, 2025 15:30
@NordicBuilder @Vge0rge
manifest: Update sdk-zephyr revision (auto-manifest PR)
9859587 
Automatically created by Github Action

Signed-off-by: Nordic Builder <[email protected]>
@Vge0rge
nrf_security: Force disabling the PSA core with Ironside
315535b 
Make sure that the PSA_CORE_DISABLED is always selected and
is the only available option for the Ironside enabled
devices.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
nrf_security: Enable NRF_SECURITY for Ironside devices
347d38b 
Enable NRF_SECURITY by default when the PSA RNG is enabled
with the Ironside devices.

I also refactored the previous logic to avoid duplications
in the default statements.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
trusted_storage: Forbid usage with IRONSIDE
77a2340 
Ironside is a provider of PSA services (including storage)
so it cannot be used along with the trusted storage subsystem which
provides PSA storage APIs.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
nrf_security: Enable PSA_CRYPTO for NRF_SECURITY
58f3d26 
Enable the option PSA_CRYPTO when NRF_SECURITY is enabled.
This will make it possible to select different providers
for PSA crypto APIs, one provider being MbedTLS, another
is TF-M and a custom one could be used as well.

Since nrf_security provides PSA crypto APIs it sets the
custom provider as default.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
tests: fast_pair: Remove nRF54H20 target from Oberon testing
cb2f749 
The default entropy device for nRF54H20 now uses PSA APIs from
Ironside. This is incompatible with Oberon so disable it in the
test.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
bluetooth: fast_pair: Add dependencies for Ironside
3aab761 
When Ironside is enabled direct access to the crypto APIs is not
possible. Add the relevant dependencies of the Ironside to the
BT_FAST_PAIR options.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from 13700c3 to 3aab761 Compare October 21, 2025 13:30
@NordicBuilder NordicBuilder removed the DNM label Oct 21, 2025
@rlubos rlubos merged commit 0028bae into nrfconnect:main Oct 22, 2025
18 of 20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gordonklaus gordonklaus gordonklaus approved these changes

@rlubos rlubos rlubos approved these changes

@degjorva degjorva degjorva approved these changes

@MarekPieta MarekPieta MarekPieta approved these changes

@nordicjm nordicjm nordicjm approved these changes

@endre-nordic endre-nordic endre-nordic approved these changes

@tomi-font tomi-font tomi-font approved these changes

Assignees

No one assigned

Labels

changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. manifest manifest-zephyr

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@Vge0rge @NordicBuilder @hermabe @gordonklaus @rlubos @degjorva @MarekPieta @nordicjm @endre-nordic @tomi-font