Skip to content

Enable PSA RNG for nrf54h20 #24932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Enable PSA RNG for nrf54h20 #24932

wants to merge 7 commits into from

Conversation

Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented Oct 8, 2025
edited
Loading

This PR enables the PSA RNG as the default random provider for nRF54h20. Please see commits for details

@NordicBuilder NordicBuilder added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Oct 8, 2025
@Vge0rge Vge0rge changed the title ] FOR CI ONLY - DONT REVIEW Oct 8, 2025
@Vge0rge Vge0rge marked this pull request as ready for review October 8, 2025 12:59
@Vge0rge Vge0rge requested review from a team as code owners October 8, 2025 12:59
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 8, 2025
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
zephyr nrfconnect/sdk-zephyr@be1a9fd (main) nrfconnect/sdk-zephyr#3346 nrfconnect/sdk-zephyr#3346/files

DNM label due to: 1 project with PR revision

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 8, 2025
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 18

Inputs:

Sources:

sdk-nrf: PR head: a7fbace702ac1a3fa202aee6f294b31587e292af
zephyr: PR head: 7846926d844a98d98c4ae8cb66a6fbef19bb018c

more details

sdk-nrf:

PR head: a7fbace702ac1a3fa202aee6f294b31587e292af
merge base: bcff2f0fc4d26196344fb0ec1ac6e7d3349c22aa
target head (main): bcff2f0fc4d26196344fb0ec1ac6e7d3349c22aa
Diff

zephyr:

PR head: 7846926d844a98d98c4ae8cb66a6fbef19bb018c
merge base: be1a9fd0eecaec02c882b52d2a9b411a1c6cb70c
target head (main): be1a9fd0eecaec02c882b52d2a9b411a1c6cb70c
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (23) 
subsys
│  ├── bluetooth
│  │  ├── services
│  │  │  ├── fast_pair
│  │  │  │  ├── fp_crypto
│  │  │  │  │  │ Kconfig.fp_crypto
│  ├── nrf_security
│  │  ├── Kconfig
│  │  ├── src
│  │  │  ├── core
│  │  │  │  │ Kconfig
│  ├── trusted_storage
│  │  │ Kconfig
tests
│  ├── subsys
│  │  ├── bluetooth
│  │  │  ├── fast_pair
│  │  │  │  ├── crypto
│  │  │  │  │  │ testcase.yaml
west.yml
zephyr
│  ├── boards
│  │  ├── nordic
│  │  │  ├── nrf54h20dk
│  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.dts
│  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.dts
│  ├── drivers
│  │  ├── bluetooth
│  │  │  ├── hci
│  │  │  │  ├── Kconfig
│  │  │  │  │ Kconfig.esp32
│  ├── modules
│  │  ├── hostap
│  │  │  │ Kconfig
│  │  ├── mbedtls
│  │  │  │ Kconfig.psa.logic
│  │  ├── openthread
│  │  │  │ Kconfig
│  │  ├── uoscore-uedhoc
│  │  │  │ Kconfig
│  ├── samples
│  │  ├── net
│  │  │  ├── sockets
│  │  │  │  ├── http_server
│  │  │  │  │  │ Kconfig
│  │  ├── subsys
│  │  │  ├── mgmt
│  │  │  │  ├── updatehub
│  │  │  │  │  │ overlay-psa.conf
│  ├── subsys
│  │  ├── bluetooth
│  │  │  ├── crypto
│  │  │  │  │ Kconfig
│  │  │  ├── host
│  │  │  │  │ Kconfig
│  │  ├── jwt
│  │  │  │ Kconfig
│  ├── tests
│  │  ├── bsim
│  │  │  ├── bluetooth
│  │  │  │  ├── host
│  │  │  │  │  ├── gatt
│  │  │  │  │  │  ├── caching
│  │  │  │  │  │  │  │ psa_overlay.conf
│  │  │  │  ├── ll
│  │  │  │  │  ├── conn
│  │  │  │  │  │  │ psa_overlay.conf
│  │  ├── subsys
│  │  │  ├── secure_storage
│  │  │  │  ├── psa
│  │  │  │  │  ├── crypto
│  │  │  │  │  │  │ testcase.yaml
│  │  │  │  │  ├── its
│  │  │  │  │  │  │ testcase.yaml

Outputs:

Toolchain

Version: 46667c6630
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:46667c6630_bba2ea5f2e

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
    • sdk-nrf test count: 31
    • sdk-zephyr test count: 940
  • ✅ Integration tests
    • ✅ test-sdk-audio
    • ✅ desktop52_verification
    • ✅ test_ble_nrf_config
    • ✅ test-fw-nrfconnect-ble_samples
    • ✅ test-fw-nrfconnect-chip
    • ✅ test-fw-nrfconnect-nfc
    • ✅ test-fw-nrfconnect-nrf-iot_cloud
    • ✅ test-fw-nrfconnect-nrf-iot_thingy91
    • ✅ test-fw-nrfconnect-nrf_crypto
    • ✅ test-fw-nrfconnect-rs
    • ✅ test-fw-nrfconnect-fem
    • ✅ test-fw-nrfconnect-tfm
    • ✅ test-fw-nrfconnect-thread-main
    • ✅ test-sdk-find-my
    • ✅ test-low-level
    • ✅ test-sdk-mcuboot
    • ✅ test-sdk-dfu
Disabled integration tests
    • test-fw-nrfconnect-nrf_lrcs_mosh
    • test-fw-nrfconnect-nrf_lrcs_positioning
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-proprietary_esb
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch 2 times, most recently from 971746f to feb192f Compare October 9, 2025 14:42
@Vge0rge Vge0rge requested a review from a team as a code owner October 9, 2025 14:42
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from feb192f to 7212518 Compare October 10, 2025 08:54
@NordicBuilder NordicBuilder requested a review from a team October 10, 2025 08:54
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from 7212518 to 881bdce Compare October 13, 2025 08:30
@github-actions GitHub Actions
Copy link

You can find the documentation preview for this PR here.

@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch 2 times, most recently from 2369a9b to b47e11b Compare October 14, 2025 12:59
@Vge0rge Vge0rge changed the title FOR CI ONLY - DONT REVIEW Enable PSA RNG for nrf54h20 Oct 14, 2025
degjorva
degjorva approved these changes Oct 14, 2025
View reviewed changes
tomi-font
tomi-font reviewed Oct 15, 2025
View reviewed changes
@NordicBuilder NordicBuilder requested a review from a team October 15, 2025 14:14
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch 2 times, most recently from 8f7b070 to ba2cc15 Compare October 15, 2025 14:20
@Vge0rge Vge0rge requested a review from tomi-font October 15, 2025 14:28
tomi-font
tomi-font approved these changes Oct 16, 2025
View reviewed changes
@Vge0rge
Copy link
Contributor Author

Vge0rge commented Oct 16, 2025

Ping @nrfconnect/ncs-co-build-system @nrfconnect/ncs-code-owners @nrfconnect/ncs-si-bluebagel

@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from ba2cc15 to 6fe9cd6 Compare October 16, 2025 10:08
@NordicBuilder NordicBuilder requested a review from a team October 16, 2025 10:08
nordicjm
nordicjm reviewed Oct 16, 2025
View reviewed changes
subsys/nrf_security/src/core/Kconfig Outdated
Comment on lines 11 to 12
bool
prompt "No PSA core (for SSF crypto client support)"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
bool
prompt "No PSA core (for SSF crypto client support)"
bool "No PSA core (for SSF crypto client support)"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did that for both this and the other config in this file which used prompt.

@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from 6fe9cd6 to 1d54548 Compare October 16, 2025 10:56
@NordicBuilder NordicBuilder requested review from a team October 16, 2025 10:56
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from 1d54548 to 9540f02 Compare October 16, 2025 11:00
MarekPieta
MarekPieta reviewed Oct 17, 2025
View reviewed changes
tests/subsys/bluetooth/fast_pair/crypto/testcase.yaml
- nrf52840dk/nrf52840
- nrf5340dk/nrf5340/cpuapp
- nrf5340dk/nrf5340/cpuapp/ns
- nrf54h20dk/nrf54h20/cpuapp
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So from now we cannot use Oberon crypto APIs directly on nRF54H20? If so, then maybe we should also add dependency that prevents enabling CONFIG_BT_FAST_PAIR_CRYPTO_OBERON on nRF54H20. Looking at the rest of your PR, we might also need to update the dependencies of the CONFIG_BT_FAST_PAIR_CRYPTO_PSA: MBEDTLS_PSA_CRYPTO_C should no longer be selected, right? (CONFIG_PSA_CRYPTO should be used instead)

Ref: https://github.com/nrfconnect/sdk-nrf/blob/main/subsys/bluetooth/services/fast_pair/fp_crypto/Kconfig.fp_crypto#L21

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MarekPieta I updated the BT_FAST_PAIR to take into account Ironside. Please check again.

@NordicBuilder NordicBuilder requested review from a team October 20, 2025 08:29
NordicBuilder and others added 7 commits October 20, 2025 10:52
@NordicBuilder @Vge0rge
manifest: Update sdk-zephyr revision (auto-manifest PR)
5ca85db 
Automatically created by Github Action

Signed-off-by: Nordic Builder <[email protected]>
@Vge0rge
nrf_security: Force disabling the PSA core with Ironside
32da69a 
Make sure that the PSA_CORE_DISABLED is always selected and
is the only available option for the Ironside enabled
devices.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
nrf_security: Enable NRF_SECURITY for Ironside devices
a4783a7 
Enable NRF_SECURITY by default when the PSA RNG is enabled
with the Ironside devices.

I also refactored the previous logic to avoid duplications
in the default statements.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
trusted_storage: Forbid usage with IRONSIDE
22c1316 
Ironside is a provider of PSA services (including storage)
so it cannot be used along with the trusted storage subsystem which
provides PSA storage APIs.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
nrf_security: Enable PSA_CRYPTO for NRF_SECURITY
266143b 
Enable the option PSA_CRYPTO when NRF_SECURITY is enabled.
This will make it possible to select different providers
for PSA crypto APIs, one provider being MbedTLS, another
is TF-M and a custom one could be used as well.

Since nrf_security provides PSA crypto APIs it sets the
custom provider as default.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
tests: fast_pair: Remove nRF54H20 target from Oberon testing
e851b44 
The default entropy device for nRF54H20 now uses PSA APIs from
Ironside. This is incompatible with Oberon so disable it in the
test.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
bluetooth: fast_pair: Add dependencies for Ironside
a7fbace 
When Ironside is enabled direct access to the crypto APIs is not
possible. Add the relevant dependencies of the Ironside to the
BT_FAST_PAIR options.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge Vge0rge force-pushed the ironside_in_nrf_security branch from e74620e to a7fbace Compare October 20, 2025 08:52
@Vge0rge
Copy link
Contributor Author

Vge0rge commented Oct 20, 2025
edited
Loading

@nrfconnect/ncs-dragoon Please have a look on this, only the last commit should be relevant to you.

MarekPieta
MarekPieta approved these changes Oct 20, 2025
View reviewed changes
subsys/bluetooth/services/fast_pair/fp_crypto/Kconfig.fp_crypto
select NRF_SECURITY
select MBEDTLS_PSA_CRYPTO_C
select MBEDTLS_ENABLE_HEAP
select MBEDTLS_PSA_CRYPTO_C if !DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we allow building with TFM_PROFILE_TYPE_MINIMAL if DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED is set (as IronSide handles the crypto calls then)?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we select CONFIG_PSA_CRYPTO instead of MBEDTLS_PSA_CRYPTO_C ? (or maybe selecting only the NRF_SECURITY would be sufficient here as it has select PSA_CRYPTO)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we allow building with TFM_PROFILE_TYPE_MINIMAL if DT_HAS_NORDIC_IRONSIDE_CALL_ENABLED is set (as IronSide handles the crypto calls then)?
TF-M is not supported in Ironside enabled devices at all. I am not sure how/if this is enforced at the moment but hopefully it is another task to make sure that this is not allowed at all.

Shouldn't we select CONFIG_PSA_CRYPTO instead of MBEDTLS_PSA_CRYPTO_C ? (or maybe selecting only the NRF_SECURITY would be sufficient here as it has select PSA_CRYPTO)
Yeah, my thinking was that since NRF_SECURITY enables it already we don't also need to do it here.

@Vge0rge Vge0rge removed the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Oct 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@degjorva degjorva degjorva approved these changes

@MarekPieta MarekPieta MarekPieta approved these changes

@nordicjm nordicjm nordicjm approved these changes

@endre-nordic endre-nordic endre-nordic approved these changes

@tomi-font tomi-font tomi-font approved these changes

Assignees

No one assigned

Labels

DNM manifest manifest-zephyr

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@Vge0rge @NordicBuilder @degjorva @MarekPieta @nordicjm @endre-nordic @tomi-font