nrf_ironside: Move Ironside outside of nrf_security

CODEOWNERS

@@ -824,6 +824,7 @@
 /subsys/nrf_profiler/                     @nrfconnect/ncs-si-bluebagel
 /subsys/nrf_rpc/                          @nrfconnect/ncs-si-muffin @nrfconnect/ncs-protocols-serialization
 /subsys/nrf_security/                     @nrfconnect/ncs-aegir
+/subsys/nrf_ironside/                     @nrfconnect/ncs-aurora
 /subsys/partition_manager/                @nordicjm @tejlmand
 /subsys/pcd/                              @nrfconnect/ncs-pluto
 /subsys/secure_storage/                   @nrfconnect/ncs-aegir

subsys/CMakeLists.txt

@@ -12,6 +12,7 @@ add_subdirectory_ifdef(CONFIG_SECURE_BOOT_VALIDATION bootloader/bl_validation)
 add_subdirectory_ifdef(CONFIG_SECURE_BOOT_STORAGE bootloader/bl_storage)
 
 add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security)
+add_subdirectory_ifdef(CONFIG_NRF_IRONSIDE nrf_ironside)
 add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage)
 add_subdirectory_ifdef(CONFIG_SECURE_STORAGE secure_storage)
 

subsys/Kconfig

@@ -41,4 +41,5 @@ rsource "dult/Kconfig"
 rsource "nrf_compress/Kconfig"
 rsource "mcuboot_ids/Kconfig"
 rsource "settings/Kconfig"
+rsource "nrf_ironside/Kconfig"
 endmenu

subsys/nrf_security/src/ssf_secdom/CMakeLists.txt → subsys/nrf_ironside/CMakeLists.txt

@@ -4,6 +4,8 @@
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
 
+if(CONFIG_PSA_SSF_CRYPTO_CLIENT)
+
 zephyr_library()
 zephyr_library_sources(
   # ironside_psa_ns_api.c provides psa_call, which sends a message over IPC.
@@ -16,13 +18,30 @@ zephyr_library_sources(
   )
 
 zephyr_library_include_directories(
+  .
   ${NRF_DIR}/include/tfm
   ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include
-  .
+  # Oberon PSA headers
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
   )
 
 if(CONFIG_PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS)
   zephyr_library_sources(
     ${CMAKE_CURRENT_LIST_DIR}/bounce_buffers.c
     )
 endif()
+
+zephyr_include_directories(
+  .
+  ${NRF_DIR}/include/tfm
+  ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/interface/include
+  # Oberon PSA headers
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+  ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+)
+
+zephyr_compile_definitions(MBEDTLS_PSA_CRYPTO_CONFIG_FILE="ironside_config.h")
+zephyr_compile_definitions(MBEDTLS_CONFIG_FILE="ironside_config.h")
+
+endif()

subsys/nrf_security/src/ssf_secdom/Kconfig → subsys/nrf_ironside/Kconfig

@@ -8,11 +8,17 @@ config PSA_SSF_CRYPTO_CLIENT
 	bool
 	prompt "PSA crypto provided through SSF"
 	default y
-	depends on SOC_NRF54H20 || SOC_SERIES_NRF92X
+	depends on SOC_NRF54H20_CPUAPP || SOC_NRF54H20_CPURAD || SOC_SERIES_NRF92X
 	select NRF_IRONSIDE_CALL
+	select PSA_CRYPTO_CLIENT
+	select PSA_CRYPTO
 
 if PSA_SSF_CRYPTO_CLIENT
 
+choice PSA_CRYPTO_PROVIDER 
+    default PSA_CRYPTO_PROVIDER_CUSTOM
+endchoice
+
 config PSA_SSF_CRYPTO_CLIENT_OUT_BOUNCE_BUFFERS
 	bool "Support PSA crypto with output buffers that are not cache-safe"
 	default y

subsys/nrf_ironside/ironside_config.h

@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#define MBEDTLS_PSA_CRYPTO_CLIENT

subsys/nrf_ironside/psa/crypto_driver_config.h

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef PSA_CRYPTO_DRIVER_CONFIG_H
+#define PSA_CRYPTO_DRIVER_CONFIG_H
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE)
+#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+#else
+#include "psa/crypto_config.h"
+#endif
+
+#endif /* PSA_CRYPTO_DRIVER_CONFIG_H */

subsys/nrf_security/Kconfig

@@ -33,6 +33,7 @@ config NRF_SECURITY
 	bool
 	prompt "nRF Security" if !PSA_PROMPTLESS
 	depends on SOC_FAMILY_NORDIC_NRF
+	depends on !NRF_IRONSIDE_CALL
 	default y if BUILD_WITH_TFM
 	# entropy is provided by PSA and NRF_SECURITY on NRF54LX and NRF71X
 	default y if DT_HAS_ZEPHYR_PSA_CRYPTO_RNG_ENABLED && SOC_SERIES_NRF54LX && !IS_BOOTLOADER_IMG && GEN_ISR_TABLES

subsys/nrf_security/Kconfig.psa

@@ -21,7 +21,6 @@ osource "modules/mbedtls/Kconfig.psa"
 
 rsource "src/core/Kconfig"
 
-rsource "src/ssf_secdom/Kconfig"
 
 comment "PSA Driver Support"
 

subsys/nrf_security/src/CMakeLists.txt

@@ -104,10 +104,6 @@ target_link_libraries(${mbedcrypto_target}
     psa_interface
 )
 
-if(CONFIG_PSA_SSF_CRYPTO_CLIENT)
-  add_subdirectory(ssf_secdom)
-endif()
-
 nrf_security_add_zephyr_options(${mbedcrypto_target})
 
 # Base mbed TLS files (not in drivers or builtin's)

subsys/trusted_storage/Kconfig

@@ -9,6 +9,7 @@
 menuconfig TRUSTED_STORAGE
 	bool "Trusted Storage"
 	depends on !BUILD_WITH_TFM
+	depends on !NRF_IRONSIDE_CALL
 	help
 	  The secure storage subsystem allows its users to store data in a
 	  secure way, ensuring data integrity and confidentiality by using AEAD

west.yml

@@ -65,7 +65,7 @@ manifest:
     # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
     - name: zephyr
       repo-path: sdk-zephyr
-      revision: 05b8b21aa9779fb1cb19ad59e7443ebec460aeee
+      revision: pull/3346/head
       import:
         # In addition to the zephyr repository itself, NCS also
         # imports the contents of zephyr/west.yml at the above