Expand Up @@ -24,15 +24,16 @@ config BT_FAST_PAIR_CRYPTO_OBERON
select BT_FAST_PAIR_CRYPTO_AES256_ECB_SUPPORT
select BT_FAST_PAIR_CRYPTO_SECP160R1_SUPPORT
select BT_FAST_PAIR_CRYPTO_SECP256R1_SUPPORT
depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
help
Select Oberon cryptographic backend for Fast Pair.

config BT_FAST_PAIR_CRYPTO_PSA
bool "Fast Pair with PSA cryptographic backend [EXPERIMENTAL]"
select EXPERIMENTAL
select NRF_SECURITY
select MBEDTLS_PSA_CRYPTO_C
select MBEDTLS_ENABLE_HEAP
select MBEDTLS_PSA_CRYPTO_C if !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
Contributor

Shouldn't we allow building with TFM_PROFILE_TYPE_MINIMAL if DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED is set (as IronSide handles the crypto calls then)?

Contributor

Shouldn't we select CONFIG_PSA_CRYPTO instead of MBEDTLS_PSA_CRYPTO_C? (Or maybe selecting only NRF_SECURITY would be sufficient here, as it has select PSA_CRYPTO.)

Contributor Author

> Shouldn't we allow building with TFM_PROFILE_TYPE_MINIMAL if DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED is set (as IronSide handles the crypto calls then)?

TF-M is not supported in Ironside enabled devices at all. I am not sure how/if this is enforced at the moment but hopefully it is another task to make sure that this is not allowed at all.

> Shouldn't we select CONFIG_PSA_CRYPTO instead of MBEDTLS_PSA_CRYPTO_C ? (or maybe selecting only the NRF_SECURITY would be sufficient here as it has select PSA_CRYPTO)

Yeah, my thinking was that since NRF_SECURITY enables it already we don't also need to do it here.

select MBEDTLS_ENABLE_HEAP if !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
select PSA_WANT_ALG_SHA_256
select PSA_WANT_ALG_HMAC
select PSA_WANT_ALG_ECDH
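
Review bot: in `config BT_FAST_PAIR_CRYPTO_PSA`, only the `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_ENABLE_HEAP` selects are guarded with `if !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED`, and neither that guard nor the new `depends on` in `BT_FAST_PAIR_CRYPTO_OBERON` is explained in a comment or help text. Please add a short comment saying why these two symbols are not needed on such targets and why the Oberon backend is excluded, and confirm that the unguarded `PSA_WANT_ALG_*` selects are still meaningful there.
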
10 changes: 8 additions & 2 deletions subsys/nrf_security/Kconfig
Expand Up @@ -35,8 +35,9 @@ config NRF_SECURITY
depends on SOC_FAMILY_NORDIC_NRF
default y if BUILD_WITH_TFM
# entropy is provided by PSA and NRF_SECURITY on NRF54LX and NRF71X
default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF54LX && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES
default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF71X && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES
default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED \
&& (SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X || DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED) \
&& !IS_BOOTLOADER_IMG && GEN_ISR_TABLES
select DISABLE_MBEDTLS_BUILTIN if MBEDTLS
# NCS does not use TF-M's BL2 bootloader, but uses it's own fork
# of MCUBoot instead (CONFIG_BOOTLOADER_MCUBOOT).
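
Review bot: the comment above the rewritten `default y` still says entropy is provided by PSA and NRF_SECURITY "on NRF54LX and NRF71X", but the condition now also accepts `DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED`. Update the comment to cover those targets so the default is not read as limited to the two SoC series.
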
Expand All @@ -45,6 +46,7 @@ config NRF_SECURITY
# CONFIG_TFM_BL2.
select TFM_BL2_NOT_SUPPORTED if BUILD_WITH_TFM
select PSA_CRYPTO_CLIENT
select PSA_CRYPTO
help
Set this configuration to enable nRF Security. This provides
Arm PSA cryptography APIs with RNG support (optionally).
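
Review bot: `select PSA_CRYPTO` is added without a condition, so it is forced on for every NRF_SECURITY build, including `BUILD_WITH_TFM`, and `select` does not honour the dependencies of the selected symbol. Confirm that `PSA_CRYPTO` has no `depends on` that can be unmet in those configurations, and mention the new select in the help text if it changes what enabling nRF Security pulls in.
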
Expand All @@ -57,6 +59,10 @@ config PSA_PROMPTLESS

if NRF_SECURITY

choice PSA_CRYPTO_PROVIDER
default PSA_CRYPTO_PROVIDER_CUSTOM
endchoice

config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
bool
default y if HAS_HW_NRF_CRACEN && PSA_CRYPTO_DRIVER_CRACEN
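
Review bot: the added `choice PSA_CRYPTO_PROVIDER` block changes the default to `PSA_CRYPTO_PROVIDER_CUSTOM` for every build with NRF_SECURITY, with no comment saying why. Kconfig takes the first default whose condition holds in parse order, so please also verify that this file is sourced before the original definition of the choice; otherwise the override has no effect.
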
9 changes: 7 additions & 2 deletions subsys/nrf_security/src/core/Kconfig
Expand Up @@ -7,16 +7,21 @@
choice PSA_CORE
prompt "PSA Core implementation"

config PSA_CORE_DISABLED
bool "No PSA core (for SSF crypto client support)"
depends on DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED

config PSA_CORE_OBERON
bool
prompt "PSA Core implementation - Oberon"
bool "PSA Core implementation - Oberon"
select PSA_WANT_AES_KEY_SIZE_128
select PSA_WANT_AES_KEY_SIZE_192
select PSA_WANT_AES_KEY_SIZE_256
depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED

config PSA_CORE_LITE
bool "PSA core created for tiny footprint"
depends on SOC_SERIES_NRF54LX
depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
help
The PSA core with tiny footprint is created to be used e.g. for bootloader
or similar use cases where there are severe size restrictions. This PSA core
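
Review bot: `config PSA_CORE_DISABLED` has no help text, and its prompt refers to "SSF crypto client support" while the dependency is `DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED`. Add a `help` entry that says where PSA calls are served when no core is built, and, since `PSA_CORE_OBERON` and `PSA_CORE_LITE` are both excluded under the same condition, state that this is the only selectable option on such targets.
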
1 change: 1 addition & 0 deletions subsys/trusted_storage/Kconfig
Expand Up @@ -9,6 +9,7 @@
menuconfig TRUSTED_STORAGE
bool "Trusted Storage"
depends on !BUILD_WITH_TFM
depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
help
The secure storage subsystem allows its users to store data in a
secure way, ensuring data integrity and confidentiality by using AEAD
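
Review bot: the new `depends on !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED` makes TRUSTED_STORAGE unavailable on these targets, but the help text does not say so or point to what provides storage there instead. Add a line to the help, and check for symbols that `select TRUSTED_STORAGE`, since a select would bypass this dependency and leave an unmet-dependency warning.
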
2 changes: 0 additions & 2 deletions tests/subsys/bluetooth/fast_pair/crypto/testcase.yaml
Expand Up @@ -6,7 +6,6 @@ tests:
- nrf52840dk/nrf52840
- nrf5340dk/nrf5340/cpuapp
- nrf5340dk/nrf5340/cpuapp/ns
- nrf54h20dk/nrf54h20/cpuapp
Contributor

So from now on we cannot use Oberon crypto APIs directly on nRF54H20? If so, then maybe we should also add a dependency that prevents enabling CONFIG_BT_FAST_PAIR_CRYPTO_OBERON on nRF54H20. Looking at the rest of your PR, we might also need to update the dependencies of the CONFIG_BT_FAST_PAIR_CRYPTO_PSA: MBEDTLS_PSA_CRYPTO_C should no longer be selected, right? (CONFIG_PSA_CRYPTO should be used instead)

Ref: https://github.com/nrfconnect/sdk-nrf/blob/main/subsys/bluetooth/services/fast_pair/fp_crypto/Kconfig.fp_crypto#L21

Contributor Author

@MarekPieta I updated the BT_FAST_PAIR to take into account Ironside. Please check again.

- nrf54l15dk/nrf54l05/cpuapp
- nrf54l15dk/nrf54l10/cpuapp
- nrf54l15dk/nrf54l15/cpuapp
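
Review bot: removing `nrf54h20dk/nrf54h20/cpuapp` from this platform list (and from the second list in the following hunk) leaves the Fast Pair crypto tests with no nRF54H20 coverage. If only the Oberon backend is unavailable there, keep the platform for the PSA backend test case, or record in the commit message why the whole platform is dropped.
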
Expand All @@ -16,7 +15,6 @@ tests:
- nrf52840dk/nrf52840
- nrf5340dk/nrf5340/cpuapp
- nrf5340dk/nrf5340/cpuapp/ns
- nrf54h20dk/nrf54h20/cpuapp
- nrf54l15dk/nrf54l05/cpuapp
- nrf54l15dk/nrf54l10/cpuapp
- nrf54l15dk/nrf54l15/cpuapp
2 changes: 1 addition & 1 deletion west.yml
Expand Up @@ -65,7 +65,7 @@ manifest:
# https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
- name: zephyr
repo-path: sdk-zephyr
revision: d3d01f7179159e9b5ea84799042b4ffebe5f2d49
revision: befc17735a873999c8bbf107d3d655c84de9d37c
import:
# In addition to the zephyr repository itself, NCS also
# imports the contents of zephyr/west.yml at the above
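
Review bot: the `zephyr` revision moves to a new commit SHA with nothing in the hunk saying which sdk-zephyr change it brings in. State in the commit message the sdk-zephyr pull request or commit this pins, so the symbols the Kconfig hunks rely on can be checked against it.
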