nrfconnect · Vge0rge · Aug 21, 2024 · Sep 5, 2024 · Sep 27, 2024 · Oct 1, 2024
@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable serial and UART interface.
+CONFIG_SERIAL=n
+CONFIG_UART_CONSOLE=n
+CONFIG_LOG=n
+
+# RAM usage configuration
+CONFIG_HEAP_MEM_POOL_SIZE=8192
+CONFIG_MAIN_STACK_SIZE=2048
+CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
+
+# BT configuration
+CONFIG_BT=y
+CONFIG_BT_HCI_RAW=y
+CONFIG_BT_MAX_CONN=1
+CONFIG_BT_CTLR_ASSERT_HANDLER=y
+CONFIG_BT_PERIPHERAL=y
+CONFIG_BT_CENTRAL=n
+CONFIG_BT_BUF_ACL_RX_SIZE=502
+CONFIG_BT_BUF_ACL_TX_SIZE=251
+CONFIG_BT_CTLR_DATA_LENGTH_MAX=251
+CONFIG_BT_CTLR_PHY_2M=n
+
+# ipc_radio
+CONFIG_IPC_RADIO_BT=y
+CONFIG_IPC_RADIO_BT_HCI_IPC=y
+
+# NRF_802154_ENCRYPTION is not enabled by default in the `overlay-802154.conf` file
+# that is pulled in by NETCORE_IPC_RADIO_IEEE802154 in application's Kconfig.sysbuild.
+# For Wi-Fi builds, this option will not get applied anyway.
+CONFIG_NRF_802154_ENCRYPTION=y
@@ -42,7 +42,3 @@
 &cpuapp_cpurad_ipc {
 	status = "disabled";
 };
-
-&prng {
-	status = "disabled";
-};
@@ -24,6 +24,6 @@
 	};
 
 	cpurad_recovery_partition: partition@8e000 {
-		reg = < 0x8e000 DT_SIZE_K(92) >;
+		reg = < 0x8e000 DT_SIZE_K(100) >;
 	};
 };
@@ -21,7 +21,10 @@ if(NOT SYSBUILD)
   endif()
 endif()
 
-add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security)
+if(CONFIG_NRF_SECURITY OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
+add_subdirectory(nrf_security)
+endif()
+
 add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage)
 
 add_subdirectory(net)

@@ -39,7 +39,25 @@ if(CONFIG_BUILD_WITH_TFM)
   include(${NRF_SECURITY_ROOT}/cmake/config_to_tf-m.cmake)
 endif()
 
-if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
+if(CONFIG_PSA_SSF_CRYPTO_CLIENT AND NOT CONFIG_NRF_SECURITY)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CLIENT)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ssf_crypto_config_empty.h")
+  zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ssf_crypto_config_empty.h")
+
+  zephyr_include_directories(
+    ${NRF_SECURITY_ROOT}/include
+    # Oberon PSA headers
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+    # Mbed TLS (mbedcrypto) PSA headers
+    ${ARM_MBEDTLS_PATH}/include
+    ${ARM_MBEDTLS_PATH}/library
+  )
+
+  zephyr_sources(${CMAKE_CURRENT_LIST_DIR}/src/ssf_secdom/ssf_crypto.c)
+
-
-
+elseif(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
   # We enable either TF-M or the SSF client PSA crypto interface but we are
   # not in the secure image build
 
@@ -88,6 +106,9 @@ else()
   nrf_security_debug("Building for pure Zephyr")
 endif()
 
+# This check is needed for the cases that CONFIG_PSA_SSF_CRYPTO_CLIENT
+# is enabled but the CONFIG_NRF_SECURITY is not enabled
+if(CONFIG_NRF_SECURITY)
 set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG  True)
 
 # Add library for crypto configs (NS/S-only build)
@@ -135,3 +156,4 @@ add_subdirectory(${NRFXLIB_DIR}/crypto crypto_copy)
 
 # Add mbed TLS Libraries
 add_subdirectory(src)
+endif()
@@ -29,6 +29,12 @@ config NORDIC_SECURITY_BACKEND
 	  Note that this will enable nrf_oberon by default. Multiple backends is
 	  not supported.
 
+config PSA_SSF_CRYPTO_CLIENT
+	bool
+	prompt "PSA crypto provided through SDFW Service Framework (SSF)"
+	default y
+	depends on SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED
+
 config NRF_SECURITY
 	bool
 	prompt "Enable nRF Security" if !PSA_PROMPTLESS

@@ -21,8 +21,6 @@ osource "modules/mbedtls/Kconfig.psa"
 
 rsource "src/core/Kconfig"
 
-rsource "src/ssf_secdom/Kconfig"
-
 comment "PSA Driver Support"
 
 config MBEDTLS_PSA_CRYPTO_DRIVERS

@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/* This is intentionally empty since the SSF doesn't support any configuration yet. */
@@ -11,13 +11,15 @@ config PSA_CRYPTO_DRIVER_OBERON
 	prompt "Oberon PSA driver" if !(TFM_PARTITION_PROTECTED_STORAGE || TFM_CRYPTO_BUILTIN_KEYS)
 	bool
 	default y if ! CRACEN_HW_PRESENT
+	depends on PSA_CORE_OBERON
 	help
 	  This configuration enables the usage of the Oberon PSA driver.
 
 config PSA_CRYPTO_DRIVER_CC3XX
 	prompt "CryptoCell PSA driver"
 	bool
 	depends on HAS_HW_NRF_CC3XX
+	depends on PSA_CORE_OBERON
 	help
 	  This configuration enables the usage of CryptoCell for the supported operations.
 	  Disabling this option will result in all crypto operations being handled by
@@ -30,6 +32,7 @@ config PSA_CRYPTO_DRIVER_CRACEN
 	bool "Enable the Cracen PSA driver"
 	depends on MBEDTLS_PSA_CRYPTO_C
 	depends on CRACEN_HW_PRESENT
+	depends on PSA_CORE_OBERON
 	# CRACEN uses the k_event_ API
 	select EVENTS if MULTITHREADING
 	default y

@@ -50,5 +50,5 @@ static int client_init(void)
 	return ssf_client_init();
 }
 
-SYS_INIT(client_init, POST_KERNEL, CONFIG_APPLICATION_INIT_PRIORITY);
+SYS_INIT(client_init, POST_KERNEL, CONFIG_KERNEL_INIT_PRIORITY_DEFAULT);
 #endif
@@ -18,18 +18,7 @@ SSF_CLIENT_SERVICE_DEFINE(psa_crypto_srvc, PSA_CRYPTO, cbor_encode_psa_crypto_re
 
 psa_status_t ssf_psa_crypto_init(void)
 {
-	int err;
-	struct psa_crypto_req req = { 0 };
-	struct psa_crypto_rsp rsp = { 0 };
-
-	req.psa_crypto_req_msg_choice = psa_crypto_req_msg_psa_crypto_init_req_m_c;
-
-	err = ssf_client_send_request(&psa_crypto_srvc, &req, &rsp, NULL);
-	if (err != 0) {
-		return err;
-	}
-
-	return rsp.psa_crypto_rsp_status;
+	return PSA_SUCCESS;
 }
 
 psa_status_t ssf_psa_get_key_attributes(

@@ -15,6 +15,14 @@
 	};
 };
 
+&cpusec_cpuapp_ipc {
+	status = "disabled";
+};
+
+&cpusec_bellboard{
+	status = "disabled";
+};
+
 /* Split DFU partition into a smaller one and DFU caches. */
 /delete-node/ &dfu_partition;
 /delete-node/ &storage_partition;

@@ -1,4 +1,4 @@
-# tHe west manifest file (west.yml) for the nRF Connect SDK (NCS).
+# The west manifest file (west.yml) for the nRF Connect SDK (NCS).
 #
 # The per-workspace west configuration file, ncs/.west/config,
 # specifies the location of this manifest file like this:
@@ -69,7 +69,7 @@ manifest:
     # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
     - name: zephyr
       repo-path: sdk-zephyr
-      revision: a70d6bd9660a3450f264d1d7017828196a964b3f
+      revision: pull/2008/head
       import:
         # In addition to the zephyr repository itself, NCS also
         # imports the contents of zephyr/west.yml at the above