Skip to content

nrf_ironside: Move Ironside outside of nrf_security #24862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

nrf_ironside: Move Ironside outside of nrf_security #24862

wants to merge 3 commits into from

Conversation

Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented Oct 3, 2025

Create a separate subsystem called nrf_ironside instead of having the logic in nrf_security. Ironside is completely separate from nrf_security and it should not be placed there.

Make sure that nrf_security cannot be enabled at the same time as nrf_ironside as their configurations might collide.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 3, 2025
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 10

Inputs:

Sources:

sdk-nrf: PR head: 54a57257dec9829d97d3a6960a16bc2d2b49e1e9
zephyr: PR head: 3282d05938dd5ef7ebbc472bba57098e692379d0

more details

sdk-nrf:

PR head: 54a57257dec9829d97d3a6960a16bc2d2b49e1e9
merge base: 9002fe1c0798c2895356b8513d561761ac30ef20
target head (main): 9002fe1c0798c2895356b8513d561761ac30ef20
Diff

zephyr:

PR head: 3282d05938dd5ef7ebbc472bba57098e692379d0
merge base: 6aa26eed633353a8d18d85440e73db7e330bf41d
target head (main): 05b8b21aa9779fb1cb19ad59e7443ebec460aeee
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (21) 
CODEOWNERS
subsys
│  ├── CMakeLists.txt
│  ├── Kconfig
│  ├── nrf_ironside
│  │  ├── CMakeLists.txt
│  │  ├── Kconfig
│  │  ├── bounce_buffers.c
│  │  ├── bounce_buffers.h
│  │  ├── ironside_config.h
│  │  ├── ironside_se_psa_ns_api.c
│  │  ├── psa
│  │  │  │ crypto_driver_config.h
│  │  ├── psa_manifest
│  │  │  │ sid.h
│  ├── nrf_security
│  │  ├── Kconfig
│  │  ├── Kconfig.psa
│  │  ├── src
│  │  │  │ CMakeLists.txt
│  ├── trusted_storage
│  │  │ Kconfig
west.yml
zephyr
│  ├── boards
│  │  ├── nordic
│  │  │  ├── nrf54h20dk
│  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.dts
│  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.dts
│  ├── subsys
│  │  ├── secure_storage
│  │  │  │ Kconfig
│  ├── tests
│  │  ├── arch
│  │  │  ├── arm
│  │  │  │  ├── arm_irq_vector_table
│  │  │  │  │  ├── boards
│  │  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.conf
│  │  │  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.conf

Outputs:

Toolchain

Version: a7529a11f4
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:a7529a11f4_bba2ea5f2e

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ❌ Build twister
    • sdk-nrf test count: 30
    • sdk-zephyr test count: 1157
  • ❌ Integration tests
    • ❌ test-fw-nrfconnect-chip
    • ❌ test-fw-nrfconnect-nrf-iot_cloud
    • ❌ test-fw-nrfconnect-nrf_crypto
    • ❌ test-fw-nrfconnect-rs
    • ❌ test-fw-nrfconnect-fem
    • ❌ test-fw-nrfconnect-tfm
    • ❌ test-sdk-find-my
    • ❌ test-low-level
    • ❌ test-sdk-mcuboot
    • ❌ test-sdk-dfu
    • ⚠️ test_ble_nrf_config
Disabled integration tests
    • test-fw-nrfconnect-nrf_lrcs_mosh
    • test-fw-nrfconnect-nrf_lrcs_positioning
    • desktop52_verification
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-proprietary_esb
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-thread-main
    • test-sdk-audio
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@Vge0rge Vge0rge force-pushed the new_nrf_ironside branch 3 times, most recently from ad3ff8d to fb6ad87 Compare October 3, 2025 11:48
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 3, 2025

You can find the documentation preview for this PR here.

@Vge0rge Vge0rge marked this pull request as ready for review October 3, 2025 12:56
@Vge0rge Vge0rge requested review from a team as code owners October 3, 2025 12:56
@Vge0rge Vge0rge requested a review from a team October 3, 2025 12:57
karstenkoenig
karstenkoenig reviewed Oct 3, 2025
View reviewed changes
subsys/nrf_security/Kconfig
bool
prompt "nRF Security" if !PSA_PROMPTLESS
depends on SOC_FAMILY_NORDIC_NRF
depends on !NRF_IRONSIDE_CALL
Copy link
Contributor

@karstenkoenig karstenkoenig Oct 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will this break if someone wants to use some software crypto on nrf54h20? You aren't really incompatible with NRF_IRONSIDE_CALL I'd say

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

software crypto on nrf54h20 is not supported. So if it does break, then that is intended behaviour :)

Copy link
Contributor Author

@Vge0rge Vge0rge Oct 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If they want to use it along with the hardware crypto yes. But it should break because at the moment no-one worked on this use case. If it worked by accident before it is better to break so that someone can think how to properly support this use case.

Edit: Sebastians comment didn't show up before I sent this. But we are saying the exact same thing basically :)

@Vge0rge Vge0rge force-pushed the new_nrf_ironside branch 2 times, most recently from 23fd200 to 9783e81 Compare October 3, 2025 21:14
@Vge0rge Vge0rge requested a review from a team as a code owner October 3, 2025 22:05
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 3, 2025
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
zephyr nrfconnect/sdk-zephyr@05b8b21 (main) nrfconnect/sdk-zephyr#3346 nrfconnect/sdk-zephyr#3346/files

DNM label due to: 1 project with PR revision

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@Vge0rge Vge0rge mentioned this pull request Oct 3, 2025
Closed
Vge0rge added 3 commits October 4, 2025 00:24
@Vge0rge
nrf_ironside: Move Ironside outside of nrf_security
dc77c0e 
Create a separate subsystem called nrf_ironside instead
of having the logic in nrf_security. Ironside is completely
separate from nrf_security and it should not be placed there.

Make sure that nrf_security cannot be enabled at the same time
as nrf_ironside as their configurations might collide.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
trusted_storage: Forbid usage with NRF_IRONSIDE_CALL
3f980b6 
The NRF_IRONSIDE is a provider of PSA services (including storage)
so it cannot be used along with the truested storage subsystem which
provides PSA storage APIs.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
manifest: Bring Zephyr with PSA RNG for nRF54h20
54a5725 
Brings Zephyr with PSA RNG as the default entropy
provider for the nRF54h20.

Signed-off-by: Georgios Vasilakis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SebastianBoe SebastianBoe SebastianBoe approved these changes

@karstenkoenig karstenkoenig karstenkoenig left review comments

@degjorva degjorva degjorva approved these changes

@jonathannilsen jonathannilsen jonathannilsen approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
DNM manifest manifest-zephyr
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Vge0rge @NordicBuilder @SebastianBoe @karstenkoenig @degjorva @jonathannilsen