nrfconnect · Vge0rge · Aug 21, 2024 · Sep 5, 2024 · Sep 27, 2024 · Oct 1, 2024
@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# Disable serial and UART interface.
+CONFIG_SERIAL=n
+CONFIG_UART_CONSOLE=n
+CONFIG_LOG=n
+
+# RAM usage configuration
+CONFIG_HEAP_MEM_POOL_SIZE=8192
+CONFIG_MAIN_STACK_SIZE=2048
+CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
+
+# BT configuration
+CONFIG_BT=y
+CONFIG_BT_HCI_RAW=y
+CONFIG_BT_MAX_CONN=1
+CONFIG_BT_CTLR_ASSERT_HANDLER=y
+CONFIG_BT_PERIPHERAL=y
+CONFIG_BT_CENTRAL=n
+CONFIG_BT_BUF_ACL_RX_SIZE=502
+CONFIG_BT_BUF_ACL_TX_SIZE=251
+CONFIG_BT_CTLR_DATA_LENGTH_MAX=251
+CONFIG_BT_CTLR_PHY_2M=n
+
+# ipc_radio
+CONFIG_IPC_RADIO_BT=y
+CONFIG_IPC_RADIO_BT_HCI_IPC=y
+
+# NRF_802154_ENCRYPTION is not enabled by default in the `overlay-802154.conf` file
+# that is pulled in by NETCORE_IPC_RADIO_IEEE802154 in application's Kconfig.sysbuild.
+# For Wi-Fi builds, this option will not get applied anyway.
+CONFIG_NRF_802154_ENCRYPTION=y
@@ -39,11 +39,6 @@
 	status = "disabled";
 };
 
-&prng {
-	status = "disabled";
-};
-
-
 &exmif_default {
 	group1 {
 		psels = <NRF_PSEL(EXMIF_CK, 6, 0)>,

@@ -12,3 +12,7 @@ CONFIG_BT_CTLR_DATA_LENGTH_MAX=251
 CONFIG_LOG=n
 CONFIG_LOG_PRINTK=n
 CONFIG_UART_CONSOLE=n
+
+# These are copied from the ipc_radio application, since usage of hci_ipc will be
+# replaced by the ipc_radio application later its configuration can be inherited here.
+CONFIG_MAIN_STACK_SIZE=2048
@@ -11,7 +11,10 @@ add_subdirectory_ifdef(CONFIG_SECURE_BOOT_CRYPTO bootloader/bl_crypto)
 add_subdirectory_ifdef(CONFIG_SECURE_BOOT_VALIDATION bootloader/bl_validation)
 add_subdirectory_ifdef(CONFIG_SECURE_BOOT_STORAGE bootloader/bl_storage)
 
-add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security)
+if(CONFIG_NRF_SECURITY OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
+  add_subdirectory(nrf_security)
+endif()
+
 add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage)
 add_subdirectory_ifdef(CONFIG_SECURE_STORAGE secure_storage)
 

@@ -86,6 +86,11 @@ static inline void nrf_rpc_os_tls_set(void *data)
 	k_thread_custom_data_set(data);
 }
 
+static inline void nrf_rpc_os_fatal_error(void)
+{
+	k_oops();
+}
+
 uint32_t nrf_rpc_os_ctx_pool_reserve(void);
 void nrf_rpc_os_ctx_pool_release(uint32_t number);
 

@@ -39,7 +39,24 @@ if(CONFIG_BUILD_WITH_TFM)
   include(${NRF_SECURITY_ROOT}/cmake/config_to_tf-m.cmake)
 endif()
 
-if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
+if(CONFIG_PSA_SSF_CRYPTO_CLIENT AND NOT CONFIG_NRF_SECURITY)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CLIENT)
+  zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ssf_crypto_config_empty.h")
+  zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ssf_crypto_config_empty.h")
+
+  zephyr_include_directories(
+    ${NRF_SECURITY_ROOT}/include
+    # Oberon PSA headers
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+    # Mbed TLS (mbedcrypto) PSA headers
+    ${ARM_MBEDTLS_PATH}/include
+    ${ARM_MBEDTLS_PATH}/library
+  )
+
+  zephyr_sources(${CMAKE_CURRENT_LIST_DIR}/src/ssf_secdom/ssf_crypto.c)
+elseif(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
   # We enable either TF-M or the SSF client PSA crypto interface but we are
   # not in the secure image build
 
@@ -88,50 +105,54 @@ else()
   nrf_security_debug("Building for pure Zephyr")
 endif()
 
-set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG  True)
-
-# Add library for crypto configs (NS/S-only build)
-# The name and intent of this comes from TF-M distribution
-add_library(psa_crypto_config INTERFACE)
+# This check is needed for the cases that CONFIG_PSA_SSF_CRYPTO_CLIENT
+# is enabled but the CONFIG_NRF_SECURITY is not enabled
+if(CONFIG_NRF_SECURITY)
+  set(CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG  True)
 
-# Add config files required for PSA crypto interface
-target_compile_definitions(psa_crypto_config
-  INTERFACE
-    -DMBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
-    -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
-)
+  # Add library for crypto configs (NS/S-only build)
+  # The name and intent of this comes from TF-M distribution
+  add_library(psa_crypto_config INTERFACE)
 
-# Add library for crypto configs (S-only or Secure image build)
-# The name and intent of this comes from TF-M distribution
-add_library(psa_crypto_library_config INTERFACE)
+  # Add config files required for PSA crypto interface
+  target_compile_definitions(psa_crypto_config
+    INTERFACE
+      -DMBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
+      -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
+  )
 
-# Add config files required for PSA core
-target_compile_definitions(psa_crypto_library_config
-  INTERFACE
-    -DMBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
-    -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
-    -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE}"
-)
+  # Add library for crypto configs (S-only or Secure image build)
+  # The name and intent of this comes from TF-M distribution
+  add_library(psa_crypto_library_config INTERFACE)
 
-# Add a library for crypto includes for the PSA interface (NS, S-only and TF-M)
-# The name and intent of this comes from TF-M distribution
-add_library(psa_interface INTERFACE)
+  # Add config files required for PSA core
+  target_compile_definitions(psa_crypto_library_config
+    INTERFACE
+      -DMBEDTLS_CONFIG_FILE="${CONFIG_MBEDTLS_CFG_FILE}"
+      -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
+      -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE="${CONFIG_MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE}"
+  )
 
-# Add the includes from nrf_security, Oberon PSA core, and Arm Mbed TLS
-# to the psa_interface library
-target_include_directories(psa_interface
-  INTERFACE
-    # Oberon PSA headers
-    ${OBERON_PSA_CORE_PATH}/include
-    ${OBERON_PSA_CORE_PATH}/library
-    # Mbed TLS (mbedcrypto) PSA headers
-    ${ARM_MBEDTLS_PATH}/library
-    ${ARM_MBEDTLS_PATH}/include
-    ${ARM_MBEDTLS_PATH}/include/library
-)
+  # Add a library for crypto includes for the PSA interface (NS, S-only and TF-M)
+  # The name and intent of this comes from TF-M distribution
+  add_library(psa_interface INTERFACE)
+
+  # Add the includes from nrf_security, Oberon PSA core, and Arm Mbed TLS
+  # to the psa_interface library
+  target_include_directories(psa_interface
+    INTERFACE
+      # Oberon PSA headers
+      ${OBERON_PSA_CORE_PATH}/include
+      ${OBERON_PSA_CORE_PATH}/library
+      # Mbed TLS (mbedcrypto) PSA headers
+      ${ARM_MBEDTLS_PATH}/library
+      ${ARM_MBEDTLS_PATH}/include
+      ${ARM_MBEDTLS_PATH}/include/library
+  )
 
-# Finally adding the crypto lib
-add_subdirectory(${NRFXLIB_DIR}/crypto crypto_copy)
+  # Finally adding the crypto lib
+  add_subdirectory(${NRFXLIB_DIR}/crypto crypto_copy)
 
-# Add mbed TLS Libraries
-add_subdirectory(src)
+  # Add mbed TLS Libraries
+  add_subdirectory(src)
+endif()
@@ -29,6 +29,12 @@ config NORDIC_SECURITY_BACKEND
 	  Note that this will enable nrf_oberon by default. Multiple backends is
 	  not supported.
 
+config PSA_SSF_CRYPTO_CLIENT
+	bool
+	prompt "PSA crypto provided through SDFW Service Framework (SSF)"
+	default y
+	depends on SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED
+
 config NRF_SECURITY
 	bool
 	prompt "Enable nRF Security" if !PSA_PROMPTLESS

@@ -21,8 +21,6 @@ osource "modules/mbedtls/Kconfig.psa"
 
 rsource "src/core/Kconfig"
 
-rsource "src/ssf_secdom/Kconfig"
-
 comment "PSA Driver Support"
 
 config MBEDTLS_PSA_CRYPTO_DRIVERS

@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+/* This is intentionally empty since the SSF doesn't support any configuration yet. */
@@ -11,13 +11,15 @@ config PSA_CRYPTO_DRIVER_OBERON
 	prompt "Oberon PSA driver" if !(TFM_PARTITION_PROTECTED_STORAGE || TFM_CRYPTO_BUILTIN_KEYS)
 	bool
 	default y if ! CRACEN_HW_PRESENT
+	depends on PSA_CORE_OBERON
 	help
 	  This configuration enables the usage of the Oberon PSA driver.
 
 config PSA_CRYPTO_DRIVER_CC3XX
 	prompt "CryptoCell PSA driver"
 	bool
 	depends on HAS_HW_NRF_CC3XX
+	depends on PSA_CORE_OBERON
 	help
 	  This configuration enables the usage of CryptoCell for the supported operations.
 	  Disabling this option will result in all crypto operations being handled by
@@ -30,6 +32,7 @@ config PSA_CRYPTO_DRIVER_CRACEN
 	bool "Enable the Cracen PSA driver"
 	depends on MBEDTLS_PSA_CRYPTO_C
 	depends on CRACEN_HW_PRESENT
+	depends on PSA_CORE_OBERON
 	# CRACEN uses the k_event_ API
 	select EVENTS if MULTITHREADING
 	default y

@@ -7,4 +7,5 @@
 target_sources(${mbedcrypto_target}
   PRIVATE
     ${CMAKE_CURRENT_LIST_DIR}/ssf_crypto.c
+    ${CMAKE_CURRENT_LIST_DIR}/ssf_psa_core_compatibility.c
 )
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <psa/crypto.h>
+
+/* This define exists in the psa_crypto.c file, I kept the same
+ * name here so that it can be searched the same way.
+ * In the psa_core.c this define is the concatenation of
+ * PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED (=0x1)|
+ * PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED       (=0x2)|
+ * PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED     (=0x4)
+ * Just for conformity I kept the same value here.
+ */
+#define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED (0x7)
+
+/* This function is defined in psa_crypto_core.h */
+int psa_can_do_hash(psa_algorithm_t hash_alg)
+{
+       (void) hash_alg;
+       /* No initialization is needed when SSF is used, so just return the
+       	* expected value here.
+	*/
+       return PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED;
+}
+
+/* This function is defined in psa_crypto_core.h */
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg)
+{
+       (void) key_type;
+       (void) cipher_alg;
+       /* No initialization is needed when SSF is used, so just return the
+       	* expected value here.
+	*/
+       return PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED;
+}
@@ -38,6 +38,11 @@ config SSF_CLIENT_SYS_INIT
 	bool "Start SDFW Service Framework client on boot"
 	default y
 
+config SSF_CLIENT_SYS_INIT_PRIORITY
+	int
+	default 47
+	depends on SSF_CLIENT_SYS_INIT
+
 config SSF_CLIENT_REGISTERED_LISTENERS_MAX
 	int "Maximum number of simultaneous registered listeners"
 	default 1

@@ -45,10 +45,25 @@ void ssf_client_sem_give(struct ssf_client_sem *sem)
 }
 
 #if CONFIG_SSF_CLIENT_SYS_INIT
+
+#ifdef CONFIG_IPC_SERVICE_REG_BACKEND_PRIORITY
+BUILD_ASSERT(CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY > CONFIG_IPC_SERVICE_REG_BACKEND_PRIORITY,
+	     "SSF_CLIENT_SYS_INIT_PRIORITY must be higher than IPC_SERVICE_REG_BACKEND_PRIORITY");
+#endif
+
+#ifdef CONFIG_NRF_802154_SER_RADIO_INIT_PRIO
+BUILD_ASSERT(CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY < CONFIG_NRF_802154_SER_RADIO_INIT_PRIO,
+	     "SSF_CLIENT_SYS_INIT_PRIORITY must be lower than NRF_802154_SER_RADIO_INIT_PRIO");
+#endif
+
+BUILD_ASSERT(
+	CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY > CONFIG_KERNEL_INIT_PRIORITY_DEFAULT,
+	"SSF_CLIENT_SYS_INIT_PRIORITY must be higher than the IPC ICMSG initialization priority");
+
 static int client_init(void)
 {
 	return ssf_client_init();
 }
 
-SYS_INIT(client_init, POST_KERNEL, CONFIG_APPLICATION_INIT_PRIORITY);
+SYS_INIT(client_init, POST_KERNEL, CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY);
 #endif
@@ -44,12 +44,6 @@ static void ssf_notification_handler(const struct nrf_rpc_group *group, const ui
 NRF_RPC_EVT_DECODER(ssf_group, ssf_notif_decoder, CONFIG_SSF_NRF_RPC_NOTIF_ID,
 		    ssf_notification_handler, NULL);
 
-static void err_handler(const struct nrf_rpc_err_report *report)
-{
-	SSF_CLIENT_LOG_ERR("nRF RPC error %d ocurred. See nRF RPC logs for more details.",
-			   report->code);
-}
-
 int ssf_client_transport_init(ssf_client_transport_notif_handler handler)
 {
 	int err;
@@ -61,8 +55,12 @@ int ssf_client_transport_init(ssf_client_transport_notif_handler handler)
 
 	transport_initialized = false;
 
-	err = nrf_rpc_init(err_handler);
-	if (err != 0) {
+	/* We ignore the nrf_rpc_init on purpose here, the nrf_rpc_init
+	 * will try to initialize all the transports/groups, but we only
+	 * want to check that the ssf_group is initialized.
+	 */
+	err = nrf_rpc_init_group(&ssf_group);
+	if (err < 0) {
 		return -SSF_EINVAL;
 	}
 

@@ -20,3 +20,11 @@
 &usbhs {
     status = "disabled";
 };
+
+&cpusec_cpuapp_ipc {
+	status = "disabled";
+};
+
+&cpusec_bellboard {
+	status = "disabled";
+};